Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

How U.K. Police Busted Anonymous Suspect

Operation Payback operators' identities unearthed largely through "social leakage" -- highlighting differences between U.S. and British hacker investigations.

Who Is Hacking U.S. Banks? 8 Facts
Who Is Hacking U.S. Banks? 8 Facts
(click image for larger view and for slideshow)
Are U.S. authorities focusing too much on busting low-level hacktivist operators, at the expense of taking down the leading lights?

The difference in style can be seen in the approach that U.K. investigators have taken to prosecuting the ringleaders of Operation Payback, which was the Anonymous-branded attack campaign that targeted businesses, including PayPal and MasterCard, with distributed denial of service (DDoS) attacks for their having blocked payments to WikiLeaks. PayPal said the attacks resulted in losses of £3.5 million ($5.6 million).

According to Ray Massie, a freelance computer forensic and open source training consultant who led Britain's Operation Payback investigation as a detective sergeant with London's Metropolitan Police Service, his team focused on the people who organized the attacks and picked the targets, rather than low-level operators. "We went after organizers and facilitators rather than foot soldiers. U.S. authorities went after a mix," Massie told The Register.

[ For more about busting bad guys based on digital tracks, read How Digital Forensics Detects Insider Theft. ]

By comparison, U.S. authorities have ended up prosecuting a large number of people who downloaded a DDoS tool promoted by some of the leaders of Anonymous, and which attacked targets selected not by the downloader, but by leaders of Anonymous. The DDoS tool in question was known as the Low Orbit Ion Cannon (LOIC), and less advanced LOIC users didn't seem to realize that the tool often coded their IP address into the packets it generated. Many of the attacked organizations recorded these packets and shared them with authorities, who used service providers' subscriber records to identify LOIC users' real identities, then began making arrests.

Of course, U.S. authorities have also busted multiple alleged leaders of the supposedly leaderless Anonymous hacktivist collective, including Sabu -- real name: Hector Xavier Monsegur -- who also served as the leader of LulzSec.

But British authorities have limited their efforts to prosecuting the organizers behind Operation Payback, as highlighted by the case of Northampton, England-based Christopher Wetherhead (aka "Nerdo"), 22. Last week, he was found guilty in Southwark Crown Court of one count of conspiracy to commit unauthorized acts with intent to impair the operation of a computer, in violation of the U.K.'s 1990 Computer Misuse Act.

In his defense, Wetherhead maintained that he only moderated the AnonOps IRC channel. But Scotland Yard's Police Central eCrime Unit had studied numerous Anonymous IRC logs and found nickname (NIC) clues that helped them identify the British leaders of Operation Payback

"In a nutshell we identified Weatherhead via the IRC network," former detective constable Trevor Dickey, who now works in the private sector, told The Register.

"We identified their IRC channels and captured several weeks of chat. During that time we looked at the status of NICs such as admins and operators," he said. "We then did some keyword searching and spent a lot of time looking [at] social leakage. Combining all these elements we then identified the NICs of interest and did open source research on them. Weatherhead was easy to identify as he had been using the NIC of 'Nerdo' for quite some time."

The other suspects likewise were also identified in large part via social-network leakage. "We were able to tie their digital identities to real life identities," Massie told The Register. "Now that the suspects are in their 20s, they are security conscious, but they were using the same nick when they were a kid on gaming forums or elsewhere. They made mistakes."

Prosecutors also found evidence that Wetherhead had contracted for services with bulletproof hosting provider Heihachi in Russia, on behalf of Anonymous. The prosecutor described Heihachi as providing a "safe haven" for cybercriminals.

Thanks to that police digital forensic work, a jury of six men and five women took just two hours to return a guilty verdict against Weatherhead, saying he'd had an "integral role" in the attacks, reported The Guardian.

Three other men -- Jake Alexander Birchall, 18, of Little Neston, Cheshire; Ashley Rhodes, 27, of Bolton Crescent, London; and Peter David Gibson, 24, of Hartlepool, Cleveland -- earlier this year pled guilty to the same charge.

Judge Peter Testar told Wetherhead that he and his co-conspirators might do jail time as a result. All four men are due back in Southwark Crown Court in January 2013 for pre-sentence reports.

Stay ahead of the eCommerce technology curve. Watch our webcast, Next Generation e-Commerce Strategies for B2B Sales and Marketing, to learn the strategies and tactics you can use to more efficiently give your clients what they want, keep them happy and increase sales. Register now.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/28/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Can you smell me now?
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11844
PUBLISHED: 2020-05-29
There is an Incorrect Authorization vulnerability in Micro Focus Service Management Automation (SMA) product affecting version 2018.05 to 2020.02. The vulnerability could be exploited to provide unauthorized access to the Container Deployment Foundation.
CVE-2020-6937
PUBLISHED: 2020-05-29
A Denial of Service vulnerability in MuleSoft Mule CE/EE 3.8.x, 3.9.x, and 4.x released before April 7, 2020, could allow remote attackers to submit data which can lead to resource exhaustion.
CVE-2020-7648
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.72.2 are vulnerable to Arbitrary File Read. It allows arbitrary file reads for users who have access to Snyk's internal network by appending the URL with a fragment identifier and a whitelisted path e.g. `#package.json`
CVE-2020-7650
PUBLISHED: 2020-05-29
All versions of snyk-broker after 4.72.0 including and before 4.73.1 are vulnerable to Arbitrary File Read. It allows arbitrary file reads to users with access to Snyk's internal network of any files ending in the following extensions: yaml, yml or json.
CVE-2020-7654
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.73.1 are vulnerable to Information Exposure. It logs private keys if logging level is set to DEBUG.