FBI Informant Sabu Tied To Foreign Attacks

Report triggers questions about FBI's apparent use of a zero-day vulnerability, and whether campaign was designed to amass intelligence on foreign targets.

to remove some of those redactions, and new versions were submitted to the court last week.

According to an allegedly uncensored version of Hammond's testimony that was posted to Pastebin on the day of his sentencing, "These intrusions took place in January/February of 2012 and affected over 2,000 domains, including numerous foreign government websites in Brazil, Turkey, Syria, Puerto Rico, Colombia, Nigeria, Iran, Slovenia, Greece, Pakistan, and others."

"All of this happened under the control and supervision of the FBI and can be easily confirmed by chat logs the government provided to us pursuant to the government's discovery obligations in the case against me," according to Hammond's alleged courtroom testimony.

He has long questioned why the government was also using hackers it was trying to entrap to hack into foreign websites, which, according to the document, included the website for the governor of Puerto Rico, the Polish Embassy in Britain, and the Iranian Academic Center for Education and Cultural Research. "I believe the documents will show that the government's actions go way beyond catching hackers and stopping computer crimes," according to his alleged courtroom testimony.

One potential explanation is that the Sabu-organized campaign was being used to amass intelligence for the FBI, and perhaps other government agencies. If true, that raises larger questions about the government's intelligence-gathering techniques. "It's not only hypocritical but troubling if indeed the FBI is loaning its sting operations out to other three-letter agencies," Gabriella Coleman, a professor at McGill University and an expert on Anonymous, told the NYT.

Reached via email, Coleman emphasized that the intelligence-gathering possibility is only a what-if scenario. Another potential scenario is that the campaign was organized primarily to burnish Sabu's bad-guy bona fides and entrap people like Hammond. "It could have been just a way to make Sabu look credible -- since he was otherwise not hacking," she said.

The hacks also appear to shed light on the government's use of zero-day vulnerabilities. The Plesk bug exploited by Hammond throughout January and February 2012 seems to refer to a SQL injection vulnerability that wasn't patched by Plesk developer Parallels until Feb. 24, 2012. According to Australia's CERT, the bug was being exploited in the wild by attackers "to gain root access to servers running this software." One of the reported victims was a Federal Trade Commission website hosted by Rackspace.

That raises questions about whether the FBI's use of a zero-day vulnerability was justified. "They knew about this vulnerability/zero day and clearly did not move to have it patched up, which apparently they did in many other instances," said Coleman, referring to reports from some participants in AntiSec -- with which Sabu also worked -- that vulnerabilities they found and used to infiltrate websites often seemed to get rapidly patched, thus ending their intrusion. "This seems to follow a different arc."