LulzSec Leader Turns Informant As Feds Arrest Key Members Of Hacking Group

Arrests of 'Sabu' and five others connected with major hacking attacks, including those on Sony, Fox, PBS, and HBGary Federal, are big news -- but security experts warn that it's no time to let down your guard against this brand of threat

Remember back last summer when LulzSec leader "Sabu" suddenly dropped off the grid after the arrest of several members of the Anonymous splinter group? Speculation at the time centered around whether he, too, had been swept up in the arrests. Turns out he indeed was nabbed by the feds, ultimately pleading guilty to hacking charges in August 2011 and serving as an informant on his fellow LulzSec members, according to information released today by the FBI.

Sabu, 28, identified by the FBI as Hector Xavier Monsegur, a.k.a. Sabu, Xavier DeLeon, and Leon, pled guilty to 12 counts of computer hacking conspiracy and other crimes, including the infamous hacks of HBGary Federal, HBGary, Sony, Fox, and PBS. An indictment filed with the Southern District of New York and released today identifies Monsegur as a so-called "rooter," or hacker, who finds vulnerabilities in victims' systems in order to hack them. The indictment says that from around December 2010 until June 7, 2011, he both exploited those vulnerabilities himself and passed them to others to do the same. In addition, he provided "infrastructure" to other hackers for launching attacks on victim networks -- and also allegedly committed financial fraud.

The other members of the loosely affiliated hacking group named in the FBI charges were Ryan Ackroyd, a.k.a. Kayla, lool, and lolspoon; Jake Davis, a.k.a. Topiary and Atopiary; Darren Martyn, a.k.a. pwnsauce, raepsauce, and networkkitten; and Donncha O'Cearrbhail, a.k.a. Palladium. Palladium was allegedly behind the leaked law enforcement conference call intercepted by Anonymous earlier this year, and was also charged in a separate complaint with "intentionally disclosing an unlawfully intercepted wire communication," according to the FBI. Ackroyd and Davis were arrested last year.

Also arrested was Jeremy Hammond, a.k.a. "Anarchaos," "sup_g," "burn," "yohoho," "POW," "tylerknowsthis," and "crediblethreat."

Ackroyd/Kayla, Davis/Topiary, Martyn/Pwnsauce, and O'Cearrbhail/Palladium were all charged with hacking conspiracy in the Fox, Sony, and PBS breaches. Hammond/Anarchaos was charged with hacking crimes related to the Stratfor breach.

According to one source with information on the FBI investigation, Sabu is just one informant the FBI has secured inside the LulzSec/Anonymous collective. There will be more arrests as a result of members flipping on the group, the source says.

Perhaps the most intriguing and significant aspect of today's developments is that it took LulzSec's own leader turning FBI informant to do the most significant damage yet to the hacking group. While the arrests won't end Anonymous or the type of hacking LulzSec perpetrated -- some experts are anticipating retaliatory hacks soon -- they did make the first real dent in the group responsible for "doxing" and for encouraging the distributed denial-of-service attacks against some major corporations and federal agencies, including law enforcement and the CIA.

These developments don't mean this type of threat is now over. "This is not a time to let down your guard if you're an enterprise security person. If you're running infosec, it's not time to take a deep breath. There are still a lot of attackers out there," says Josh Shaul, chief technology officer for Application Security Inc. "We've got to keep our guard up and remember what these people [who were arrested] did was expose the reality of our poorly secured world."

Shaul says the arrests do provide a narrow window for locking down security. "We have an opportunity while the hackers are regrouping to better secure ourselves," he says.

Historically, these types of turncoat scenarios tend to wreak havoc on such groups, experts say. "Sabu was, if not a leader, at least a cheerleader for Anonymous in many ways. I'm quite certain there is tons of paranoia inside Anonymous. If they can't trust Sabu, who can they trust?" says Mikko Hypponen, chief research officer at F-Secure. "What [these arrests] are going to do in reality, I don't know. But all active members will be looking right and left and assuming everyone is a snitch."

Meanwhile, calls for revenge are already being heard: YamaTough, the hacker who took credit for stealing Symantec's source code for pcAnywhere, already appears to be planning a response to the arrests. "Brother, we shall retaliate immediatelly with fury =) we aint done with symanted yet =) expect us FBI bitches very soon," he tweeted today. And AnonymousIRC apparently hacked and doxed the Delaware Correctional Officer's Forum emails and passwords in apparent retaliation for today's news, using the hashtags #DontBeSnitch, #Anonymous, and #AntiSec.

[UPDATE: And last night, members of LulzSec hacked into a Panda Security Web server that hosted the company's marketing campaigns and some of its blogs in retaliation for the arrests of the hacker group's compatriots. "Neither the main website www.pandasecurity.com nor www.cloudantivirus.com were affected in the attack. The attack did not breach Panda Security's internal network and neither source code, update servers nor customer data was accessed. The only information accessed was related to marketing campaigns such as landing pages and some obsolete credentials, including supposed credentials for employees that have not been working at Panda for over five years," said Pedro Bustamante, senior research advisor in the office of the CTO at Panda Security.]

The FBI outfitted Sabu, an unemployed father of two, with a special laptop and allowed him to work from his home in New York City, according to a FoxNews.com report. Not surprisingly, he tweeted misinformation to throw off reporters and his underlings. He was watched and monitored around the clock by FBI agents, and reported to the feds any vulnerabilities that were sent to him. According to the report, LulzSec's attack on 70 law enforcement agencies in August 2011 would have been far worse without the information gathered with Sabu's help from chat rooms and other sources.

[Anonymous dumped online what appeared to be incriminating emails and personal information of Texas law enforcement officers even while members were being arrested. See Two Alleged High-Profile Members Of Anonymous Arrested.]

One FBI official told FoxNews.com that, thanks to Sabu, the agency was able to give 300 U.S. government agencies, financial institutions, and other businesses a heads-up on holes in their networks that hackers had discovered and that could have been used against them. At the urging of the feds, he even stopped the DDoS attack on the CIA.

Ultimately, Sabu's kids swayed him to cooperate with the FBI as an informant. "He didn't go easy," a law enforcement official told FoxNews.com. "It was because of his kids. He didn't want to go away to prison and leave them. That's how we got him."

Next Page: Hints that something wasn't quite right in LulzLand.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.
