Vulnerabilities / Threats
3/9/2012
12:16 PM

Hacker Sabu Worked Nonstop As Government Informer

Fascinating details continue to emerge about Hector Xavier Monsegur, aka LulzSec and Anonymous leader Sabu. Court documents show he worked around the clock to help investigators.

Slideshow: Anonymous: 10 Facts About The Hacktivist Group
According to court transcripts unsealed Thursday, Hector Xavier Monsegur, 28, better known as the hacktivist group LulzSec's leader Sabu, quickly turned model informant after being busted by two FBI agents.

"The defendant has literally worked around the clock with federal agents. He has been staying up sometimes all night engaging in conversations with co-conspirators that are helping the government to build cases against those co-conspirators," Assistant U.S. Attorney James Pastore told U.S. District Judge Loretta Preska at a court hearing on August 5, according to news reports.

Federal indictments unsealed Tuesday show what Monsegur helped achieve: charges against five other hackers, who prosecutors said served as the de facto leaders of hacktivist groups Anonymous and LulzSec, and before that, Internet Feds.

Monsegur admitted to participating in attacks against numerous websites, including exploits of Tunisian, Zimbabwean, Algerian, and Yemeni government servers and the hack of HBGary, which was revealed in February 2011. He also admitted to participating in the December 2010 Operation Payback against MasterCard, PayPal, Visa, and other payment card processors, in protest of those companies cutting off funds to the whistle-blowing website WikiLeaks. In an interview published last year in New Scientist, Sabu had said that while he'd been hacking since the age of 16, the WikiLeaks episode had politicized a number of hackers, giving birth to Anonymous in its full hacktivist incarnation.

But Monsegur's hacking exploits under the LulzSec and Anonymous banners would be short-lived. Court documents show that he was arrested at 10:15 pm on June 7, 2011, by two FBI agents. According to news reports, the agents used classic "good cop, bad cop" tactics, with one threatening to separate Monsegur from his two nieces, aged 5 and 7, for whom he was serving as a foster parent. The other, meanwhile, offered a shot at redemption, should Monsegur work with the bureau.

Monsegur agreed to cooperate. After an initial appearance in court the next day, during which federal prosecutors recommended he be remanded on bail, the judge released him on a $50,000 bond, and ordered him to submit to FBI supervision. By June 8, meanwhile, a court filing by federal prosecutor Pastore argued that the case should be sealed, owing to the danger Monsegur faced from other hackers should his cooperation be discovered. "The defendant's information is also helping the government close in on several prominent cybercriminals," he said. All the while, the FBI monitored Monsegur using tracking software installed on his computer, as well as video cameras installed in his home.

Court documents unsealed Tuesday reveal that Monsegur ultimately helped the FBI and other authorities amass enough evidence to arrest five alleged hackers in the United States and abroad, including Jake Davis, 19, in Scotland; Ryan Ackroyd, 23, in England; and Donncha O'Cearrbhail, 19, and Darren Martyn, 25, in Ireland. A fifth man, Jeremy Hammond, was also arrested on hacking charges this week in Chicago. Authorities said Hammond operated under the hacker name "Anarchaos," and is accused of having hacked into global intelligence firm Stratfor in December 2011.

It was quite a turn for Monsegur, who as Sabu had cultivated an international reputation and group of comrades in arms. But Monsegur apparently hadn't been living the good life, having been unemployed since April 2010. "At the time of his arrest in June, Monsegur was unmarried and collecting a $400 unemployment check every month," Reuters reported. "He had been living in a small apartment on the sixth floor of a 14-story brick housing project on Manhattan's Lower East Side, overlooking a busy highway."

But the New York Times, after speaking with his neighbors, built a picture of Monsegur that suggested he was also the "party boy of the projects," with music blaring late into the night and marijuana fumes occasionally wafting from under his apartment door. Yet he'd also built a reputation for generosity, on occasion using his skills to improve neighbors' credit ratings.

The FBI had reportedly been on to Monsegur since February 2011, after he slipped up by logging into a chat room without anonymizing his IP addresses. Independently, that same month researchers at Backtrace Security had compiled a list of the most likely people to have been involved in the HBGary hack, and they suspected Monsegur was Sabu. The clue that led to his real identity started with a LulzSec log file, which "contained a domain that led to a subdomain that had a mirror to a page where Monsegur posted photos and video of his beloved Toyota AE86 on a car enthusiast social-networking site," reported CNET. That, in turn, led to a YouTube video that contained information which, after a Google search, led to Monsegur's Facebook page.

Public information suggesting that Monsegur was Sabu appeared in an online anonymous post to Pastebin in June 2011. While the post also misidentified a supposed LulzSec member, the public disclosure led federal investigators to arrest Monsegur more quickly than they'd intended.

Besides helping authorities bust other hackers, Monsegur provided cutting-edge vulnerability information to the bureau, which ultimately helped it stop numerous hack attacks. In court documents, Assistant U.S. Attorney Pastore said that Monsegur had "helped identify and 'patch' or notify potential targets about more than 150 cyber-security vulnerabilities," even enabling the FBI--in some cases--"to alert the would-be victim of an attack before it occurred," reported Bloomberg. According to Pastore, Monsegur's "efforts have involved cooperation against targets of national and international interest."

On August 15, just a few days after a bail hearing, Monsegur pled guilty to 12 charges against him--most involving hacking--that were filed by federal prosecutors in five districts across four states. The charges collectively carry a maximum prison sentence of 124 years, although prosecutors have said it's unlikely he'd serve consecutive terms. Furthermore, according to news reports, Monsegur's cooperation agreement stipulated that prosecutors would recommend a more lenient sentence, provided he offered "substantial assistance" to the government.

Comments
SSCOOBY722,
User Rank: Apprentice
3/10/2012 | 8:35:21 PM
re: Hacker Sabu Worked Nonstop As Government Informer
Obviously this is an attempt to scare the anons... FYI, the general public has lost faith and trust in the mainstream press; therefore, we do not believe a word of this story, other than the fact Sabu was arrested. Good luck pushing this story.

Mathew,
User Rank: Apprentice
3/10/2012 | 12:31:28 PM
re: Hacker Sabu Worked Nonstop As Government Informer
Thanks for the catch, JFlanigan. You're correct; we'll make that change.
DirtMcGirt,
User Rank: Apprentice
3/9/2012 | 6:44:48 PM
re: Hacker Sabu Worked Nonstop As Government Informer
He'll learn about rats in jail.
JFlanigan,
User Rank: Apprentice
3/9/2012 | 6:41:49 PM
re: Hacker Sabu Worked Nonstop As Government Informer
"The charges collectively carry a maximum prison sentence of 124 years, although prosecutors have said it's unlikely he'd serve concurrent terms. "

The author probably meant to say "consecutive" not "concurrent."