Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


LulzSec's Sabu Was Identity Thief, Not Robin Hood

Federal indictment accuses Sabu of crossing a clear line between political expression and criminal activity.

Anonymous: 10 Facts About The Hacktivist Group
Anonymous: 10 Facts About The Hacktivist Group
(click image for larger view and for slideshow)

The hacktivist group LulzSec made a name for itself by cracking databases and servers sporting poor security, then publicizing what they'd been able to do and find. Groups as diverse as the Atlanta InfraGard chapter, Sony Pictures Entertainment, the U.S. Senate, and PBS saw their websites hacked and defaced, and sensitive information leaked.

The group portrayed itself as being a group devoted to "lulz," which is Internet slang that can be interpreted as "laughs, humor, or amusement." That definition comes from a 12-count federal indictment unsealed in federal court Tuesday against four men authorities said comprised part of the core of LulzSec: Ryan Ackroyd (aka kayla, lol, lolspoon), Jake Davis (aka topiary, atopiary), Darren Martyn (aka pwnsauce, raepsauce, networkkitten), and Donncha O'Cearrbhail (aka Palladium).

But a related 12-count indictment, also unsealed Tuesday, singled out 28-year-old Hector Xavier Monsegur (aka Sabu, Xavier DeLeon, Leon) as the LulzSec leader, in addition to being an ongoing participant in the hacktivist collective known as Anonymous. He reportedly pled guilty to all the charges leveled against him, which collectively carry a maximum prison sentence of 124 years and six months.

A post from Sabu's Twitter account Monday struck a seeming note of defiance: "The federal government is run by a bunch of [obscenity removed] cowards. Don't give in to these people. Fight back. Stay strong."

[ Learn about the newest trends and practices to help keep your company's data secure. Read 10 Lessons From RSA Security Conference. ]

The 27-page indictment against Monsegur details a striking number of exploits, some overtly political, some riffing on pop culture, and others seemingly just random. Notably, the indictment accused Monsegur of having participated in Operation Payback, which involved launching distributed denial of service (DDoS) attacks in retaliation for MasterCard, PayPal, Visa, and other payment providers cutting off funds to WikiLeaks. It also accuses him of hacking attacks against Tunisian, Zimbabwean, Algerian, and Yemini government servers. In cooperation with hacking group "Internet Feds"--of which Ackroyd, Davis, Martyn, and O'Cearrbhail were allegedly core members--Monsegur was also accused of hacking into HBGary and releasing thousands of emails.

Then there's the LulzSec band, which hacked into numerous sites and became famous for bragging about it. "Although the members of LulzSec and their co-conspirators claimed to have engaged in these attacks for humorous purposes ... LulzSec's criminal acts included, among other things, the theft of confidential information, including sensitive personal information for thousands of individuals, from their victims' computer systems; the public disclosure of that confidential information on the Internet; the defacement of Internet websites; and overwhelming victims' computers with bogus requests for information"--meaning DDoS attacks--according to the indictment.

If LulzSec built its reputation on merry pranks--such as releasing contact details for 73,000 X-Factor contestants--the indictment also accused Monsegur of outright fraud and other criminal activity.

For starters, Monsegur was accused of hacking into an automotive parts site and shipping himself four engines, worth a total of $3,450. Authorities also accused Monsegur of using stolen credit card numbers to pay off at least $1,000 in debts and sharing people's bank account, routing number, and personal information with others, meaning he engaged in identity theft.

"Those who suggest Sabu's actions were just hacktivism or 'for the lulz' need to recognize that Sabu wasn't a Robin Hood who nobly gave voice to a cause, but a thief who admitted to lining his own pockets," said Chester Wisniewski, a senior security advisor at Sophos Canada, in a blog post.

Would the dollar values attached to those crimes, had they been conducted using a stolen credit card, have even merited an investigation by local police? Regardless, when you add in illegally accessing and defacing government websites and numerous hacks of private businesses' sites, you can expect the FBI to start investigating.

On a related note, after a 50-day hacking spree, LulzSec--without warning--bid adieu in June 2011. At the time, the group's unexpected retirement appeared to mark yet another random move from the chaos-craving band.

Thanks to the federal indictments unsealed Tuesday, however, it's now clear that Monsegur had been busted that month, after which he began cooperating with the FBI. The cooperation even went so far as using FBI-provided servers to unpack stolen information, including emails stolen from Stratfor, which were then shared with WikiLeaks.

Accordingly to the indictment, he also helped the bureau to amass evidence against other LulzSec and Anonymous participants. For example, he lured O'Cearrbhail, on an anonymous chat, into revealing which VPN service he used to obscure his identity. Investigators were then able to correlate login times with O'Cearrbhail's IP address, which they used to help positively identify the Irish citizen, who’s accused of leaking a transatlantic law enforcement conference call discussing ongoing investigations into LulzSec and Anonymous.

To protect company and customer data, we need to determine what makes it so vulnerable and appealing. We also need to understand how hackers operate, and what tools and processes they rely on. In our How (And Why) Attackers Choose Their Targets report, we explain how to ensure the best defense by thinking like an attacker and identifying the weakest link in your own corporate data chain. (Free registration required.)

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
3/7/2012 | 6:21:00 PM
re: LulzSec's Sabu Was Identity Thief, Not Robin Hood
I believe the VPN service Sabu used was http://www.ivpn.net although hidemyass.com was also used in many other attacks according to reports last September. It will be interesting to see how these VPN service providers privacy polices hold up to the law in which countries they are registered in.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/28/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-05-29
There is an Incorrect Authorization vulnerability in Micro Focus Service Management Automation (SMA) product affecting version 2018.05 to 2020.02. The vulnerability could be exploited to provide unauthorized access to the Container Deployment Foundation.
PUBLISHED: 2020-05-29
A Denial of Service vulnerability in MuleSoft Mule CE/EE 3.8.x, 3.9.x, and 4.x released before April 7, 2020, could allow remote attackers to submit data which can lead to resource exhaustion.
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.72.2 are vulnerable to Arbitrary File Read. It allows arbitrary file reads for users who have access to Snyk's internal network by appending the URL with a fragment identifier and a whitelisted path e.g. `#package.json`
PUBLISHED: 2020-05-29
All versions of snyk-broker after 4.72.0 including and before 4.73.1 are vulnerable to Arbitrary File Read. It allows arbitrary file reads to users with access to Snyk's internal network of any files ending in the following extensions: yaml, yml or json.
PUBLISHED: 2020-05-29
All versions of snyk-broker before 4.73.1 are vulnerable to Information Exposure. It logs private keys if logging level is set to DEBUG.