
LulzSec Leader Turns Informant As Feds Arrest Key Members Of Hacking Group

Arrests of 'Sabu' and five others connected with major hacking attacks, including those on Sony, Fox, PBS, and HBGary Federal, are big news -- but security experts warn that it's no time to let down your guard against this brand of threat

Remember back last summer when LulzSec leader "Sabu" suddenly dropped off the grid after the arrest of several members of the Anonymous splinter group? Speculation at the time centered around whether he, too, had been swept up in the arrests. Turns out he indeed was nabbed by the feds, ultimately pleading guilty to hacking charges in August 2011 and serving as an informant on his fellow LulzSec members, according to information released today by the FBI.

Sabu, 28, who was identified by the FBI as Hector Xavier Monsegur, a.k.a. Sabu, Xavier DeLeon, and Leon, pled guilty to 12 counts of computer hacking conspiracies and other crimes, including the infamous hacks of HBGary Federal, HBGary, Sony, Fox, and PBS. An indictment filed with the Southern District of New York and released today identifies Monsegur as a so-called "rooter," or hacker, who finds vulnerabilities in victims' systems in order to hack them. The indictment says that from around December 2010 until June 7, 2011, he either exploited them himself or passed them to others to do the same. In addition, he provided "infrastructure" to other hackers for launching attacks on victim networks -- and also allegedly committed financial fraud.

The other members of the loosely affiliated hacking group named in the FBI charges were Ryan Ackroyd, a.k.a. Kayla, lool, and lolspoon; Jake Davis, a.k.a. Topiary and Atopiary; Darren Martyn, a.k.a. pwnsauce, raepsauce, and networkkitten; and Donncha O'Cearrbhail, a.k.a. Palladium. Palladium is alleged to have been behind the leaked law enforcement conference call earlier this year that was intercepted by Anonymous, and was also charged in a separate complaint with "intentionally disclosing an unlawfully intercepted wire communication," according to the FBI. Ackroyd and Davis were arrested last year.

Also arrested was Jeremy Hammond, a.k.a. "Anarchaos," "sup_g," "burn," "yohoho," "POW," "tylerknowsthis," and "crediblethreat."

Ackroyd/Kayla, Davis/Topiary, Martyn/pwnsauce, and O'Cearrbhail/Palladium were all charged with hacking conspiracy in the Fox, Sony, and PBS breaches. Hammond/Anarchaos was charged with hacking crimes related to the Stratfor breach.

According to one source with information on the FBI investigation, Sabu is just one informant the FBI has secured inside the LulzSec/Anonymous collective. There will be more arrests as a result of members flipping on the group, the source says.

Perhaps most intriguing and significant about today's developments is that it took LulzSec's leader turning into an FBI informant to do the most significant damage to the hacking confab yet. While the arrests won't end Anonymous or the type of hacking LulzSec perpetrated -- some experts are anticipating retaliatory hacks soon -- it did make the first real dent on the group responsible for "doxing" and encouraging the distributed denial-of-service attacks against some major corporations and federal agencies, including law enforcement and the CIA.

These developments don't mean this type of threat is now over. "This is not a time to let down your guard if you're an enterprise security person. If you're running infosec, it's not time to take a deep breath. There are still a lot of attackers out there," says Josh Shaul, chief technology officer for Application Security Inc. "We've got to keep our guard up and remember what these people [who were arrested] did was expose the reality of our poorly secured world."

Shaul says the arrests do provide a narrow window for locking down security. "We have an opportunity while the hackers are regrouping to better secure ourselves," he says.

Historically, these types of turncoat scenarios tend to wreak havoc on these types of groups, experts say. "Sabu was, if not a leader, at least a cheerleader for Anonymous in many ways. I'm quite certain there is tons of paranoia inside Anonymous. If they can't trust Sabu, who can they trust?" says Mikko Hypponen, chief research officer at F-Secure. "What [these arrests] are going to do in reality, I don't know. But all active members will be looking right and left and assuming everyone is a snitch."

Meanwhile, calls for revenge are already being heard: YamaTough, the hacker who took credit for stealing Symantec's source code for pcAnywhere, already appears to be planning a response to the arrests. "Brother, we shall retaliate immediatelly with fury =) we aint done with symanted yet =) expect us FBI bitches very soon," he tweeted today. And AnonymousIRC apparently hacked and doxed the Delaware Correctional Officer's Forum emails and passwords in apparent retaliation for today's news, using the hashtags #DontBeSnitch, #Anonymous, and #AntiSec.

[UPDATE: And last night, members of LulzSec hacked into a Panda Security Web server that hosted the company's marketing campaigns and some of its blogs in retaliation for the arrests of the hacker group's compatriots. "Neither the main website www.pandasecurity.com nor www.cloudantivirus.com were affected in the attack. The attack did not breach Panda Security's internal network and neither source code, update servers nor customer data was accessed. The only information accessed was related to marketing campaigns such as landing pages and some obsolete credentials, including supposed credentials for employees that have not been working at Panda for over five years," said Pedro Bustamante, senior research advisor in the office of the CTO at Panda Security.]

The FBI outfitted Sabu, an unemployed father of two, with a special laptop and allowed him to work from his home in New York City, according to a FoxNews.com report. Not surprisingly, he tweeted misinformation to throw off reporters and his underlings. He was watched and monitored around the clock by FBI agents, and reported to the feds any vulnerabilities that were sent to him. According to the report, LulzSec's attack on 70 law enforcement agencies in August 2011 would have been far worse without information gathered with Sabu's help from chat rooms and other sources.

[Anonymous dumped online what appeared to be incriminating emails and personal information of Texas law enforcement officers even while members were being arrested. See Two Alleged High-Profile Members Of Anonymous Arrested.]

One FBI official told FoxNews.com that the agency was able to give 300 U.S. government, financial, and other businesses a heads up on holes in their networks discovered by hackers and known by Sabu that could have been used against them. He even stopped the DDoS attack on the CIA under the urging of the feds.

Ultimately, Sabu's kids swayed him to cooperate with the FBI as an informant. "He didn't go easy," a law enforcement official told FoxNews.com. "It was because of his kids. He didn't want to go away to prison and leave them. That's how we got him."

Next Page: Hints that something wasn't quite right in LulzLand.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
