Risk
8/27/2013
10:41 AM
50%
50%

Anonymous Hacker Claims FBI Directed LulzSec Hacks

Admitted hacker Jeremy Hammond alleges FBI used informer Sabu to persuade LulzSec and Anonymous to hack into foreign governments' networks.

Sentencing for former LulzSec leader Hector Xavier Monsegur, better known as Sabu, has again been delayed.

Monsegur was scheduled to be sentenced Friday morning in New York federal court. But in a letter to the court, the U.S. attorney general's office requested that Monsegur's sentencing be delayed "in light of the defendant's ongoing cooperation with the government." His sentencing has now been rescheduled for Oct. 25.

The requested delay has become a pattern, reflecting Monsegur's continued cooperation with the FBI since he was arrested in June 2011 and turned informer. "Since literally the day he was arrested, the defendant has been cooperating with the government proactively," U.S. district attorney James Pastore, the prosecuting lawyer, told a judge presiding over a secret August 2011 hearing into the 12 charges filed against Monsegur. "He has been staying up sometimes all night engaging in conversations with co-conspirators that are helping the government to build cases against those co-conspirators," Pastore added.

Monsegur, who faces up to 122.5 years in prison, avoided a trial by pleading guilty to all of the charges filed against him in federal court. Some of those charges relate to launching distributed denial of service (DDoS) attacks against PayPal, MasterCard and Visa, as well as accessing servers belonging to Fox, InfraGard Atlanta and PBS.

[ After two breaches this year, do you think the DOE is serious about cybersecurity? See Department Of Energy Cyberattack: 5 Takeaways. ]

On the eve of Sabu's scheduled sentencing last week, one of the hackers he helped bust -- Jeremy Hammond, who in May pleaded guilty to hacking intelligence service Stratfor, and who now faces up to 10 years in jail and $2.5 million in restitution -- alleged that the FBI used LulzSec and Anonymous as a private hacker army.

"Sabu was used to build cases against a number of hackers, including myself. What many do not know is that Sabu was also used by his handlers to facilitate the hacking of targets of the government's choosing -- including numerous websites belonging to foreign governments," claimed Hammond, who's himself due to be sentenced next month, and who offered no evidence to support his assertions. "What the United States could not accomplish legally, it used Sabu, and by extension, me and my co-defendants, to accomplish illegally."

The FBI didn't immediately respond to a request for comment on Hammond's allegations, but the bureau has previously been criticized for its failure to stop the Stratfor hacks and resulting data dump, which occurred after Sabu turned informer. Timing-wise, Hammond -- using the hacker handle "Sup_g" -- gave Sabu a heads-up on the planned intrusion on Dec. 6, 2011, then hacked into Stratfor on December 13. The next day, he informed Sabu about what he'd done, and Sabu, at the direction of the FBI, told him to upload the stolen data onto a server that was secretly controlled by the FBI. On Dec. 24, the hackers defaced the Stratfor site and published the stolen data. Two days later, Sabu tied Sup_g to another alias, "Anarchaos," that the bureau knew that Hammond used. But the FBI didn't arrest Hammond until three months later, which has led some conspiracy theorists to posit that the bureau had another agenda, such as building Sabu's bona fides to try to ensnare WikiLeaks chief Julian Assange.

The bureau has previously denied suggestions that it looked the other way during the Stratfor hack, perhaps as part of some larger agenda. "That's "patently false," an FBI official, speaking on condition of anonymity, told The New York Times last year. "We would not have let this attack happen for the purpose of collecting more evidence."

By some accounts, the FBI may have been overwhelmed with hacking-related intelligence, as Sabu received daily updates on multiple planned and executed attacks, as well as information on dozens of vulnerabilities that hackers reported to him directly. In addition, one legal expert told the Times that the paperwork required to arrest someone on hacking charges could easily take six months to prepare.

The ongoing legal drama involving Monsegur and Hammond stands in sharp contrast to the fate of LulzSec and Anonymous members in Britain that Sabu, after he turned snitch, apparently helped authorities identify and arrest. For example, Jake Davis, the former LulzSec spokesman Topiary, has now served his time and been released.

Davis, who as part of his parole is allowed to go online but not contact any of his former LulzSec or Anonymous comprades, recently said in an ongoing Ask.fm question-and-answer session that he pleaded guilty to charges against him so that he could move on with his life. Likewise, he said that when six plainclothes officers showed up in Scotland's remote Shetland Islands, where he lived, and announced that they were there to seize his computer equipment and arrest him on charges that he'd launched a DDoS attack against Britain's Serious Organized Crime Agency, he knew the jig was up. So that morning, when an officer requested the password to his encrypted drive, which contained evidence of his attacks, he divulged it.

"Why did you turn over your encryption keys to Scotland Yard?" asked one Ask.fm questioner. Davis defended his decision in no uncertain terms. "What, and be hunted/monitored mercilessly for the rest of my life by begrudging authorities with the power to flip the tables on your life with a few pieces of paper at any given turn?" he said.

"No thanks, I'll play ball with the encryption keys and say, 'you caught me, I wasn't good enough, fair play, let's get this over with.' And now it's over -- for me. Perhaps not for others. Probably the snitches," he said. "Ironic, isn't it?"

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Michael Endler
50%
50%
Michael Endler,
User Rank: Apprentice
8/27/2013 | 8:48:39 PM
re: Anonymous Hacker Claims FBI Directed LulzSec Hacks
"who faces up to 122.5 years in prison" ... I must've forgotten that detail from when this story broke. I remember that his cooperation was also compelled out of concern for the welfare of his family, or something similar, but with potential prison penalties of that magnitude, it's no wonder he's become so cooperative.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2208
Published: 2014-12-28
CRLF injection vulnerability in the LightProcess protocol implementation in hphp/util/light-process.cpp in Facebook HipHop Virtual Machine (HHVM) before 2.4.2 allows remote attackers to execute arbitrary commands by entering a \n (newline) character before the end of a string.

CVE-2014-2209
Published: 2014-12-28
Facebook HipHop Virtual Machine (HHVM) before 3.1.0 does not drop supplemental group memberships within hphp/util/capability.cpp and hphp/util/light-process.cpp, which allows remote attackers to bypass intended access restrictions by leveraging group permissions for a file or directory.

CVE-2014-5386
Published: 2014-12-28
The mcrypt_create_iv function in hphp/runtime/ext/mcrypt/ext_mcrypt.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 does not seed the random number generator, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging the use of a single initial...

CVE-2014-6228
Published: 2014-12-28
Integer overflow in the string_chunk_split function in hphp/runtime/base/zend-string.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted arguments to the chunk_split ...

CVE-2014-6229
Published: 2014-12-28
The HashContext class in hphp/runtime/ext/ext_hash.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 incorrectly expects that a certain key string uses '\0' for termination, which allows remote attackers to obtain sensitive information by leveraging read access beyond the end of the string,...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.