12:47 PM

LulzSec's Sabu Was Identity Thief, Not Robin Hood

Federal indictment accuses Sabu of crossing a clear line between political expression and criminal activity.

Anonymous: 10 Facts About The Hacktivist Group
Anonymous: 10 Facts About The Hacktivist Group
(click image for larger view and for slideshow)

The hacktivist group LulzSec made a name for itself by cracking databases and servers sporting poor security, then publicizing what they'd been able to do and find. Groups as diverse as the Atlanta InfraGard chapter, Sony Pictures Entertainment, the U.S. Senate, and PBS saw their websites hacked and defaced, and sensitive information leaked.

The group portrayed itself as being a group devoted to "lulz," which is Internet slang that can be interpreted as "laughs, humor, or amusement." That definition comes from a 12-count federal indictment unsealed in federal court Tuesday against four men authorities said comprised part of the core of LulzSec: Ryan Ackroyd (aka kayla, lol, lolspoon), Jake Davis (aka topiary, atopiary), Darren Martyn (aka pwnsauce, raepsauce, networkkitten), and Donncha O'Cearrbhail (aka Palladium).

But a related 12-count indictment, also unsealed Tuesday, singled out 28-year-old Hector Xavier Monsegur (aka Sabu, Xavier DeLeon, Leon) as the LulzSec leader, in addition to being an ongoing participant in the hacktivist collective known as Anonymous. He reportedly pled guilty to all the charges leveled against him, which collectively carry a maximum prison sentence of 124 years and six months.

A post from Sabu's Twitter account Monday struck a seeming note of defiance: "The federal government is run by a bunch of [obscenity removed] cowards. Don't give in to these people. Fight back. Stay strong."

[ Learn about the newest trends and practices to help keep your company's data secure. Read 10 Lessons From RSA Security Conference. ]

The 27-page indictment against Monsegur details a striking number of exploits, some overtly political, some riffing on pop culture, and others seemingly just random. Notably, the indictment accused Monsegur of having participated in Operation Payback, which involved launching distributed denial of service (DDoS) attacks in retaliation for MasterCard, PayPal, Visa, and other payment providers cutting off funds to WikiLeaks. It also accuses him of hacking attacks against Tunisian, Zimbabwean, Algerian, and Yemini government servers. In cooperation with hacking group "Internet Feds"--of which Ackroyd, Davis, Martyn, and O'Cearrbhail were allegedly core members--Monsegur was also accused of hacking into HBGary and releasing thousands of emails.

Then there's the LulzSec band, which hacked into numerous sites and became famous for bragging about it. "Although the members of LulzSec and their co-conspirators claimed to have engaged in these attacks for humorous purposes ... LulzSec's criminal acts included, among other things, the theft of confidential information, including sensitive personal information for thousands of individuals, from their victims' computer systems; the public disclosure of that confidential information on the Internet; the defacement of Internet websites; and overwhelming victims' computers with bogus requests for information"--meaning DDoS attacks--according to the indictment.

If LulzSec built its reputation on merry pranks--such as releasing contact details for 73,000 X-Factor contestants--the indictment also accused Monsegur of outright fraud and other criminal activity.

For starters, Monsegur was accused of hacking into an automotive parts site and shipping himself four engines, worth a total of $3,450. Authorities also accused Monsegur of using stolen credit card numbers to pay off at least $1,000 in debts and sharing people's bank account, routing number, and personal information with others, meaning he engaged in identity theft.

"Those who suggest Sabu's actions were just hacktivism or 'for the lulz' need to recognize that Sabu wasn't a Robin Hood who nobly gave voice to a cause, but a thief who admitted to lining his own pockets," said Chester Wisniewski, a senior security advisor at Sophos Canada, in a blog post.

Would the dollar values attached to those crimes, had they been conducted using a stolen credit card, have even merited an investigation by local police? Regardless, when you add in illegally accessing and defacing government websites and numerous hacks of private businesses' sites, you can expect the FBI to start investigating.

On a related note, after a 50-day hacking spree, LulzSec--without warning--bid adieu in June 2011. At the time, the group's unexpected retirement appeared to mark yet another random move from the chaos-craving band.

Thanks to the federal indictments unsealed Tuesday, however, it's now clear that Monsegur had been busted that month, after which he began cooperating with the FBI. The cooperation even went so far as using FBI-provided servers to unpack stolen information, including emails stolen from Stratfor, which were then shared with WikiLeaks.

Accordingly to the indictment, he also helped the bureau to amass evidence against other LulzSec and Anonymous participants. For example, he lured O'Cearrbhail, on an anonymous chat, into revealing which VPN service he used to obscure his identity. Investigators were then able to correlate login times with O'Cearrbhail's IP address, which they used to help positively identify the Irish citizen, who’s accused of leaking a transatlantic law enforcement conference call discussing ongoing investigations into LulzSec and Anonymous.

To protect company and customer data, we need to determine what makes it so vulnerable and appealing. We also need to understand how hackers operate, and what tools and processes they rely on. In our How (And Why) Attackers Choose Their Targets report, we explain how to ensure the best defense by thinking like an attacker and identifying the weakest link in your own corporate data chain. (Free registration required.)

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
3/7/2012 | 6:21:00 PM
re: LulzSec's Sabu Was Identity Thief, Not Robin Hood
I believe the VPN service Sabu used was although was also used in many other attacks according to reports last September. It will be interesting to see how these VPN service providers privacy polices hold up to the law in which countries they are registered in.
Register for Dark Reading Newsletters
White Papers
Current Issue
Five Emerging Security Threats - And What You Can Learn From Them
At Black Hat USA, researchers unveiled some nasty vulnerabilities. Is your organization ready?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
According to industry estimates, about a million new IT security jobs will be created in the next two years but there aren't enough skilled professionals to fill them. On top of that, there isn't necessarily a clear path to a career in security. Dark Reading Executive Editor Kelly Jackson Higgins hosts guests Carson Sweet, co-founder and CTO of CloudPassage, which published a shocking study of the security gap in top US undergrad computer science programs, and Rodney Petersen, head of NIST's new National Initiative for Cybersecurity Education.