LulzSec Leader Turns Informant As Feds Arrest Key Members Of Hacking Group

Arrests of 'Sabu' and five others connected with major hacking attacks, including those on Sony, Fox, PBS, and HBGary Federal, are big news -- but security experts warn that it's no time to let down your guard against this brand of threat

Remember back last summer when LulzSec leader "Sabu" suddenly dropped off the grid after the arrest of several members of the Anonymous splinter group? Speculation at the time centered around whether he, too, had been swept up in the arrests. Turns out he indeed was nabbed by the feds, ultimately pleading guilty to hacking charges in August 2011 and serving as an informant on his fellow LulzSec members, according to information released today by the FBI.

Sabu, 28, identified by the FBI as Hector Xavier Monsegur, a.k.a. Sabu, Xavier DeLeon, and Leon, pled guilty to 12 counts of computer hacking conspiracy and other crimes, including the infamous hacks of HBGary Federal, HBGary, Sony, Fox, and PBS. An indictment filed in the Southern District of New York and released today identifies Monsegur as a so-called "rooter," a hacker who finds vulnerabilities in victims' systems in order to break into them. The indictment says that from around December 2010 until June 7, 2011, he either exploited those vulnerabilities himself or passed them to others to do the same. In addition, he provided "infrastructure" to other hackers for launching attacks on victim networks -- and also allegedly committed financial fraud.

The other members of the loosely affiliated hacking group named in the FBI charges were Ryan Ackroyd, a.k.a. Kayla, lool, and lolspoon; Jake Davis, a.k.a. Topiary and Atopiary; Darren Martyn, a.k.a. pwnsauce, raepsauce, and networkkitten; and Donncha O'Cearrbhail, a.k.a. Palladium. Palladium allegedly was behind the leaked law enforcement conference call intercepted by Anonymous earlier this year, and he was also charged in a separate complaint with "intentionally disclosing an unlawfully intercepted wire communication," according to the FBI. Ackroyd and Davis were arrested last year.

Also arrested was Jeremy Hammond, a.k.a. "Anarchaos," "sup_g," "burn," "yohoho," "POW," "tylerknowsthis," and "crediblethreat."

Ackroyd/Kayla, Davis/Topiary, Martyn/pwnsauce, and O'Cearrbhail/Palladium were all charged with hacking conspiracy in the Fox, Sony, and PBS breaches. Hammond/Anarchaos was charged with hacking crimes related to the Stratfor breach.

According to one source with information on the FBI investigation, Sabu is just one informant the FBI has secured inside the LulzSec/Anonymous collective. There will be more arrests as a result of members flipping on the group, the source says.

Perhaps the most intriguing and significant aspect of today's developments is that it took LulzSec's leader turning FBI informant to do the most significant damage yet to the hacking collective. While the arrests won't end Anonymous or the type of hacking LulzSec perpetrated -- some experts are anticipating retaliatory hacks soon -- they did make the first real dent in the group responsible for "doxing" and encouraging the distributed denial-of-service attacks against some major corporations and federal agencies, including law enforcement and the CIA.

These developments don't mean this type of threat is now over. "This is not a time to let down your guard if you're an enterprise security person. If you're running infosec, it's not time to take a deep breath. There are still a lot of attackers out there," says Josh Shaul, chief technology officer for Application Security Inc. "We've got to keep our guard up and remember what these people [who were arrested] did was expose the reality of our poorly secured world."

Shaul says the arrests do provide a narrow window for locking down security. "We have an opportunity while the hackers are regrouping to better secure ourselves," he says.

Historically, this type of turncoat scenario tends to wreak havoc on such groups, experts say. "Sabu was, if not a leader, at least a cheerleader for Anonymous in many ways. I'm quite certain there is tons of paranoia inside Anonymous. If they can't trust Sabu, who can they trust?" says Mikko Hypponen, chief research officer at F-Secure. "What [these arrests] are going to do in reality, I don't know. But all active members will be looking right and left and assuming everyone is a snitch."

Meanwhile, calls for revenge are already being heard: YamaTough, the hacker who took credit for stealing Symantec's source code for pcAnywhere, already appears to be planning a response to the arrests. "Brother, we shall retaliate immediatelly with fury =) we aint done with symanted yet =) expect us FBI bitches very soon," he tweeted today. And AnonymousIRC apparently hacked and doxed the Delaware Correctional Officer's Forum emails and passwords in apparent retaliation for today's news, using the hashtags #DontBeSnitch, #Anonymous, and #AntiSec.

[UPDATE: And last night, members of LulzSec hacked into a Panda Security Web server that hosted the company's marketing campaigns and some of its blogs in retaliation for the arrests of the hacker group's compatriots. "Neither the main website www.pandasecurity.com nor www.cloudantivirus.com were affected in the attack. The attack did not breach Panda Security's internal network and neither source code, update servers nor customer data was accessed. The only information accessed was related to marketing campaigns such as landing pages and some obsolete credentials, including supposed credentials for employees that have not been working at Panda for over five years," said Pedro Bustamante, senior research advisor in the office of the CTO at Panda Security.]

The FBI outfitted Sabu, an unemployed father of two, with a special laptop and allowed him to work from his home in New York City, according to a FoxNews.com report. Not surprisingly, he tweeted misinformation to throw off reporters and his underlings. He was watched and monitored around the clock by FBI agents, and he reported to the feds any vulnerabilities that were sent to him. According to the report, LulzSec's attack on 70 law enforcement agencies in August 2011 would have been far worse without the information gathered with Sabu's help from chat rooms and other sources.

[Anonymous dumped online what appeared to be incriminating emails and personal information of Texas law enforcement officers even as members were being arrested. See Two Alleged High-Profile Members Of Anonymous Arrested.]

One FBI official told FoxNews.com that the agency was able to give 300 U.S. government agencies, financial institutions, and other businesses a heads-up on holes in their networks that had been discovered by hackers and were known to Sabu, and that could have been used against them. He even called off the DDoS attack on the CIA at the urging of the feds.

Ultimately, Sabu's kids swayed him to cooperate with the FBI as an informant. "He didn't go easy," a law enforcement official told FoxNews.com. "It was because of his kids. He didn't want to go away to prison and leave them. That's how we got him."

Next Page: Hints that something wasn't quite right in LulzLand.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
