3/7/2012
12:47 PM

LulzSec's Sabu Was Identity Thief, Not Robin Hood

Federal indictment accuses Sabu of crossing a clear line between political expression and criminal activity.


The hacktivist group LulzSec made a name for itself by cracking databases and servers sporting poor security, then publicizing what they'd been able to do and find. Groups as diverse as the Atlanta InfraGard chapter, Sony Pictures Entertainment, the U.S. Senate, and PBS saw their websites hacked and defaced, and sensitive information leaked.

The group portrayed itself as devoted to "lulz," Internet slang that can be interpreted as "laughs, humor, or amusement." That definition comes from a 12-count federal indictment unsealed Tuesday against four men authorities said comprised part of LulzSec's core: Ryan Ackroyd (aka kayla, lol, lolspoon), Jake Davis (aka topiary, atopiary), Darren Martyn (aka pwnsauce, raepsauce, networkkitten), and Donncha O'Cearrbhail (aka Palladium).

But a related 12-count indictment, also unsealed Tuesday, singled out 28-year-old Hector Xavier Monsegur (aka Sabu, Xavier DeLeon, Leon) as the LulzSec leader, in addition to being an ongoing participant in the hacktivist collective known as Anonymous. He reportedly pled guilty to all the charges leveled against him, which collectively carry a maximum prison sentence of 124 years and six months.

A post from Sabu's Twitter account Monday struck a seeming note of defiance: "The federal government is run by a bunch of [obscenity removed] cowards. Don't give in to these people. Fight back. Stay strong."


The 27-page indictment against Monsegur details a striking number of exploits, some overtly political, some riffing on pop culture, and others seemingly random. Notably, the indictment accused Monsegur of having participated in Operation Payback, which involved launching distributed denial of service (DDoS) attacks in retaliation for MasterCard, PayPal, Visa, and other payment providers cutting off funds to WikiLeaks. It also accuses him of hacking attacks against Tunisian, Zimbabwean, Algerian, and Yemeni government servers. In cooperation with the hacking group "Internet Feds"--of which Ackroyd, Davis, Martyn, and O'Cearrbhail were allegedly core members--Monsegur was also accused of hacking into HBGary and releasing thousands of emails.

Then there's the LulzSec band, which hacked into numerous sites and became famous for bragging about it. "Although the members of LulzSec and their co-conspirators claimed to have engaged in these attacks for humorous purposes ... LulzSec's criminal acts included, among other things, the theft of confidential information, including sensitive personal information for thousands of individuals, from their victims' computer systems; the public disclosure of that confidential information on the Internet; the defacement of Internet websites; and overwhelming victims' computers with bogus requests for information"--meaning DDoS attacks--according to the indictment.

If LulzSec built its reputation on merry pranks--such as releasing contact details for 73,000 X-Factor contestants--the indictment also accused Monsegur of outright fraud and other criminal activity.

For starters, Monsegur was accused of hacking into an automotive parts site and shipping himself four engines worth a total of $3,450. Authorities also accused him of using stolen credit card numbers to pay off at least $1,000 in debts, and of sharing victims' bank account numbers, routing numbers, and personal information with others--in other words, identity theft.

"Those who suggest Sabu's actions were just hacktivism or 'for the lulz' need to recognize that Sabu wasn't a Robin Hood who nobly gave voice to a cause, but a thief who admitted to lining his own pockets," said Chester Wisniewski, a senior security advisor at Sophos Canada, in a blog post.

Taken on their own, would frauds of those dollar values even have merited an investigation by local police? Regardless, once you add in illegally accessing and defacing government websites and numerous hacks of private businesses' sites, you can expect the FBI to start investigating.

On a related note, after a 50-day hacking spree, LulzSec--without warning--bid adieu in June 2011. At the time, the group's unexpected retirement appeared to mark yet another random move from the chaos-craving band.

Thanks to the federal indictments unsealed Tuesday, however, it's now clear that Monsegur had been arrested that month, after which he began cooperating with the FBI. That cooperation went so far as his using FBI-provided servers to unpack stolen information, including emails stolen from Stratfor, which were then shared with WikiLeaks.

According to the indictment, he also helped the bureau amass evidence against other LulzSec and Anonymous participants. For example, in an anonymous chat he lured O'Cearrbhail into revealing which VPN service he used to obscure his identity. Investigators were then able to correlate the VPN service's login times with O'Cearrbhail's IP address, which helped them positively identify the Irish citizen, who is accused of leaking a transatlantic law enforcement conference call discussing ongoing investigations into LulzSec and Anonymous.
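The correlation step described above, as an added example that is not part of the article or of any court filing: a Python script that parses a constructed VPN session log, finds which account (and source IP) was connected at every moment an anonymous chat handle was active, and reports how many other accounts were online at those same moments. The account names, IP addresses, timestamps and the log format are all invented for illustration; the point is the technique, not the data.

```python
"""Correlate VPN session records with the times a chat handle was active.

Added example. Every log line, account name, IP address and timestamp
below is constructed for illustration and does not come from the article
or from any real VPN provider's records.
"""
from collections import Counter
from datetime import datetime, timezone

# Constructed VPN provider session log (hypothetical key=value format).
VPN_LOG = """\
# acct  connect  disconnect  src
acct=u1001 connect=2011-09-02T20:01:12Z disconnect=2011-09-02T23:40:05Z src=203.0.113.45
acct=u1042 connect=2011-09-02T21:10:00Z disconnect=2011-09-02T21:55:30Z src=198.51.100.7
acct=u1001 connect=2011-09-03T19:30:44Z disconnect=2011-09-03T21:02:10Z src=203.0.113.45
acct=u1077 connect=2011-09-03T18:00:00Z disconnect=2011-09-03T22:00:00Z src=192.0.2.88
acct=u1001 connect=2011-09-04T19:20:00Z disconnect=2011-09-04T20:10:00Z src=203.0.113.45
acct=u1042 connect=2011-09-04T08:00:00Z disconnect=2011-09-04T09:00:00Z src=198.51.100.7
"""

# Constructed chat-server timestamps at which the target handle posted.
CHAT_TIMES_RAW = [
    "2011-09-02T21:15:00Z",
    "2011-09-02T22:30:00Z",
    "2011-09-03T20:05:00Z",
    "2011-09-04T19:45:00Z",
]


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_vpn_log(text):
    """Turn the key=value session log into a list of session dicts."""
    sessions = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = dict(kv.split("=", 1) for kv in line.split())
        sessions.append({
            "acct": fields["acct"],
            "start": parse_ts(fields["connect"]),
            "end": parse_ts(fields["disconnect"]),
            "src": fields["src"],
        })
    return sessions


def correlate(sessions, chat_times):
    """Count, per (account, source IP), how many chat events fell inside a session."""
    hits = Counter()
    for t in chat_times:
        for s in sessions:
            if s["start"] <= t <= s["end"]:
                hits[(s["acct"], s["src"])] += 1
    return hits


def rank_candidates(sessions, chat_times):
    """Rank (account, src, hits, coverage) by how many chat events each explains."""
    total = len(chat_times)
    return [(acct, src, n, n / total)
            for (acct, src), n in correlate(sessions, chat_times).most_common()]


def online_at(sessions, t):
    """Accounts connected at time t: the base rate that decides how strong a hit is."""
    return {s["acct"] for s in sessions if s["start"] <= t <= s["end"]}


SESSIONS = parse_vpn_log(VPN_LOG)
CHAT_TIMES = [parse_ts(s) for s in CHAT_TIMES_RAW]

if __name__ == "__main__":
    for acct, src, n, cov in rank_candidates(SESSIONS, CHAT_TIMES):
        print(f"{acct} via {src}: {n}/{len(CHAT_TIMES)} events ({cov:.0%})")
    for t in CHAT_TIMES:
        print(f"{t.isoformat()}: {len(online_at(SESSIONS, t))} accounts online")
```

On the constructed data only one account is connected from one address during all four chat events, which is the kind of pattern investigators look for. The `online_at` check is the caveat a practitioner should keep in mind: full coverage is only strong evidence when few other accounts were online in the same windows, and on a busy provider a handful of coincidental overlaps proves nothing. Clock skew between the chat server and the VPN logs also argues for widening each window by a few minutes before drawing conclusions.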


Comments
Ryan_in_NYC, 3/7/2012 | 6:21:00 PM
re: LulzSec's Sabu Was Identity Thief, Not Robin Hood
I believe the VPN service Sabu used was http://www.ivpn.net although hidemyass.com was also used in many other attacks according to reports last September. It will be interesting to see how these VPN service providers' privacy policies hold up to the law in the countries in which they are registered.