Risk
8/27/2013
10:41 AM
50%
50%

Anonymous Hacker Claims FBI Directed LulzSec Hacks

Admitted hacker Jeremy Hammond alleges FBI used informer Sabu to persuade LulzSec and Anonymous to hack into foreign governments' networks.

Sentencing for former LulzSec leader Hector Xavier Monsegur, better known as Sabu, has again been delayed.

Monsegur was scheduled to be sentenced Friday morning in New York federal court. But in a letter to the court, the U.S. attorney general's office requested that Monsegur's sentencing be delayed "in light of the defendant's ongoing cooperation with the government." His sentencing has now been rescheduled for Oct. 25.

The requested delay has become a pattern, reflecting Monsegur's continued cooperation with the FBI since he was arrested in June 2011 and turned informer. "Since literally the day he was arrested, the defendant has been cooperating with the government proactively," U.S. district attorney James Pastore, the prosecuting lawyer, told a judge presiding over a secret August 2011 hearing into the 12 charges filed against Monsegur. "He has been staying up sometimes all night engaging in conversations with co-conspirators that are helping the government to build cases against those co-conspirators," Pastore added.

Monsegur, who faces up to 122.5 years in prison, avoided a trial by pleading guilty to all of the charges filed against him in federal court. Some of those charges relate to launching distributed denial of service (DDoS) attacks against PayPal, MasterCard and Visa, as well as accessing servers belonging to Fox, InfraGard Atlanta and PBS.

[ After two breaches this year, do you think the DOE is serious about cybersecurity? See Department Of Energy Cyberattack: 5 Takeaways. ]

On the eve of Sabu's scheduled sentencing last week, one of the hackers he helped bust -- Jeremy Hammond, who in May pleaded guilty to hacking intelligence service Stratfor, and who now faces up to 10 years in jail and $2.5 million in restitution -- alleged that the FBI used LulzSec and Anonymous as a private hacker army.

"Sabu was used to build cases against a number of hackers, including myself. What many do not know is that Sabu was also used by his handlers to facilitate the hacking of targets of the government's choosing -- including numerous websites belonging to foreign governments," claimed Hammond, who's himself due to be sentenced next month, and who offered no evidence to support his assertions. "What the United States could not accomplish legally, it used Sabu, and by extension, me and my co-defendants, to accomplish illegally."

The FBI didn't immediately respond to a request for comment on Hammond's allegations, but the bureau has previously been criticized for its failure to stop the Stratfor hacks and resulting data dump, which occurred after Sabu turned informer. Timing-wise, Hammond -- using the hacker handle "Sup_g" -- gave Sabu a heads-up on the planned intrusion on Dec. 6, 2011, then hacked into Stratfor on December 13. The next day, he informed Sabu about what he'd done, and Sabu, at the direction of the FBI, told him to upload the stolen data onto a server that was secretly controlled by the FBI. On Dec. 24, the hackers defaced the Stratfor site and published the stolen data. Two days later, Sabu tied Sup_g to another alias, "Anarchaos," that the bureau knew that Hammond used. But the FBI didn't arrest Hammond until three months later, which has led some conspiracy theorists to posit that the bureau had another agenda, such as building Sabu's bona fides to try to ensnare WikiLeaks chief Julian Assange.

The bureau has previously denied suggestions that it looked the other way during the Stratfor hack, perhaps as part of some larger agenda. "That's "patently false," an FBI official, speaking on condition of anonymity, told The New York Times last year. "We would not have let this attack happen for the purpose of collecting more evidence."

By some accounts, the FBI may have been overwhelmed with hacking-related intelligence, as Sabu received daily updates on multiple planned and executed attacks, as well as information on dozens of vulnerabilities that hackers reported to him directly. In addition, one legal expert told the Times that the paperwork required to arrest someone on hacking charges could easily take six months to prepare.

The ongoing legal drama involving Monsegur and Hammond stands in sharp contrast to the fate of LulzSec and Anonymous members in Britain that Sabu, after he turned snitch, apparently helped authorities identify and arrest. For example, Jake Davis, the former LulzSec spokesman Topiary, has now served his time and been released.

Davis, who as part of his parole is allowed to go online but not contact any of his former LulzSec or Anonymous comprades, recently said in an ongoing Ask.fm question-and-answer session that he pleaded guilty to charges against him so that he could move on with his life. Likewise, he said that when six plainclothes officers showed up in Scotland's remote Shetland Islands, where he lived, and announced that they were there to seize his computer equipment and arrest him on charges that he'd launched a DDoS attack against Britain's Serious Organized Crime Agency, he knew the jig was up. So that morning, when an officer requested the password to his encrypted drive, which contained evidence of his attacks, he divulged it.

"Why did you turn over your encryption keys to Scotland Yard?" asked one Ask.fm questioner. Davis defended his decision in no uncertain terms. "What, and be hunted/monitored mercilessly for the rest of my life by begrudging authorities with the power to flip the tables on your life with a few pieces of paper at any given turn?" he said.

"No thanks, I'll play ball with the encryption keys and say, 'you caught me, I wasn't good enough, fair play, let's get this over with.' And now it's over -- for me. Perhaps not for others. Probably the snitches," he said. "Ironic, isn't it?"

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Michael Endler
50%
50%
Michael Endler,
User Rank: Apprentice
8/27/2013 | 8:48:39 PM
re: Anonymous Hacker Claims FBI Directed LulzSec Hacks
"who faces up to 122.5 years in prison" ... I must've forgotten that detail from when this story broke. I remember that his cooperation was also compelled out of concern for the welfare of his family, or something similar, but with potential prison penalties of that magnitude, it's no wonder he's become so cooperative.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2009-5027
Published: 2014-12-26
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2010-2062. Reason: This candidate is a reservation duplicate of CVE-2010-2062. Notes: All CVE users should reference CVE-2010-2062 instead of this candidate. All references and descriptions in this candidate have been removed to pre...

CVE-2010-1441
Published: 2014-12-26
Multiple heap-based buffer overflows in VideoLAN VLC media player before 1.0.6 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted byte stream to the (1) A/52, (2) DTS, or (3) MPEG Audio decoder.

CVE-2010-1442
Published: 2014-12-26
VideoLAN VLC media player before 1.0.6 allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly execute arbitrary code via a crafted byte stream to the (1) AVI, (2) ASF, or (3) Matroska (aka MKV) demuxer.

CVE-2010-1443
Published: 2014-12-26
The parse_track_node function in modules/demux/playlist/xspf.c in the XSPF playlist parser in VideoLAN VLC media player before 1.0.6 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty location element in an XML Shareable Playlist Format...

CVE-2010-1444
Published: 2014-12-26
The ZIP archive decompressor in VideoLAN VLC media player before 1.0.6 allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly execute arbitrary code via a crafted archive.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.