9 Notorious Hackers Of 2013
This year's hacking hall of shame includes members of Anonymous and the Blackhole cybercrime gang, plus state-sponsored groups.
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt2b7f580b4ab600a9/64f0dc7ef6f80ef9264faf01/01-Peggy-Hacker.jpg?width=700&auto=webp&quality=80&disable=upscale)
From DDoS attacks to NSA hacks
Who should make the list of the world's most notorious hackers in 2013?
If recent years are any guide, crime-committing hacktivists should loom large. In 2011, LulzSec stormed on to the scene, pulling off 50 days of hacks that mixed technical savvy with PR acumen. But by 2012, the leaders of LulzSec had been arrested, as had many participants in high-profile Anonymous operations, thanks to a concerted effort by the FBI and its counterparts overseas. By the end of 2013, some of the best-known domestic hackers with political aims either were in jail or, in the case of some people arrested in Britain, had already served time and were on parole.
Policing hacks launched from non-allied countries has always been a different story, given the Department of Justice's inability to arrest, extradite, or sometimes even identify suspects operating from certain countries. For example, many crimeware toolkit-driven campaigns that use bots to steal personal financial details and then remove millions of dollars from banks are run from Russia or former Soviet satellites that have no extradition treaty with the United States.
Foreign attackers who hold a political grudge against the United States likewise remain tough to stop. Last year, a group of foreign attackers -- backed by the Iranian government, US government officials have alleged -- launched Operation Ababil, a series of distributed denial-of-service (DDoS) attacks against US banks. Those attacks continued into their fourth wave in 2013, making them the longest-running series of online attacks in history. Despite the timing and the targets being revealed in advance, targeted banks often had difficulty blunting the DDoS attacks.
Also on the overseas tip, US officials increased their denunciation of state-sponsored Chinese hackers in 2013. Though China had long been suspected of hacking businesses and government agencies, government officials began publicly pointing the hack-attack finger after the security firm Mandiant published evidence of what it said was an elite PLA military online hacking team, which it had linked to the theft of intellectual property from US businesses, as well as the theft of US military secrets.
Hacking has long been defined -- loosely, anyway -- in terms of white, black, and gray hats, referring to hackers who pursue ethical computer security research (white hats), people who hack solely for their own gain or at the expense of others (black hats), and people who fall somewhere in the middle (gray hats). Clearly, Chinese APT attacks, crimeware toolkits, bank DDoS exploits, and other leading hack attacks were evidence of black-hat behavior.
But the world turned a lot more gray beginning in the middle of 2013, after Edward Snowden, a National Security Agency contractor, fled to China and began leaking 1.7 million secret NSA documents. Those disclosures, which are ongoing, have begun to pull back the curtain on America's massive online surveillance apparatus. For example, we've learned that the agency hacked into tens of thousands of PCs abroad, as well as hacking into Internet backbone communications or technology giants' datacenters directly, to allow the agency to eavesdrop on foreign and domestic communications.
Who are the good guys and bad guys now? Click the image above for this year's list of the most notorious hackers.
(Source: Feral78)
Is there any group of hackers more outspoken online than Anonymous? The group started the year with a legal bang by backing a White House "We the People" petition arguing that DDoS attacks should be protected as a form of free speech, so that they could be used to protest injustice. However, that attempt to hack the Constitution failed to garner the number of signatures required for a White House response.
But that didn't stop the collective from protesting perceived injustices. Its Operation Last Resort included hacking the US Sentencing Commission website -- which establishes sentencing policies and practices for the federal courts -- to include a game of Asteroids, to protest federal prosecutors having threatened Reddit co-founder Aaron Swartz with a 35-year prison sentence for downloading millions of documents from the JSTOR archive, which helped drive Swartz to commit suicide. The group also defaced a Massachusetts Institute of Technology website to denounce the institution's failure to protest Swartz's prosecution.
As the year progressed, the campaigns continued, with Anonymous channeling mass anger over the 2008 economic crash -- as well as the fact that no Wall Street executives were ever charged with crimes related to it -- by leaking what it said were passwords for 4,000 financial executives. Rebranded as Operation Wall Street, the effort continued, with the hacktivist collective calling on the public to dox (release sensitive documents on) bank executives.
Anonymous continued with attacks against North Korean websites after the country's leadership threatened to restart a nuclear reactor; OpIsrael attacks against Israeli websites -- taking sides in the Israeli-Palestinian conflict -- that reportedly fizzled; an OpUSA attack against banks and government agencies that likewise fizzled; and a threatened Guantanamo Bay Naval Base attack that led authorities there to deactivate WiFi and social media.
Meanwhile, Anonymous earned widespread praise in October when its members launched Operation Maryville to highlight the case of two Missouri girls, ages 13 and 14, who were both allegedly raped last year, only to see prosecutors drop charges against one of the girl's alleged attackers. The outcry helped draw attention to the case, leading the state's lieutenant governor to demand that a grand jury investigate.
(Source: Jim Newberry, FreeHammond.com)
Anonymous-allied Jeremy Hammond hacked into the private intelligence contractor Strategic Forecasting (known as Stratfor) in late 2011 and then posted the stolen files to a server that now appears to have been owned by the FBI. He also distributed the stolen information to WikiLeaks, which published it as part of its Global Intelligence Files program.
Hammond was indicted in 2012. In May 2013, he pleaded guilty to one count of conspiracy to engage in computer hacking. He admitted to masterminding the Stratfor hack, compromising account information for approximately 860,000 Stratfor users, and publishing stolen data pertaining to 60,000 credit cards. Anonymous later used the cards to make $700,000 in unauthorized donations to nonprofit groups. In addition, Hammond admitted to hacking numerous other organizations, ranging from the FBI's Virtual Academy and the Arizona Department of Public Safety to the Jefferson County Sheriff's Office in Alabama and the Boston Police Patrolmen's Association. Thanks to the hacking count, Hammond faced up to 10 years in prison and up to $2.5 million in restitution.
After Hammond pleaded guilty, but before Judge Loretta Preska sentenced him in November, Hammond's supporters launched a letter-writing campaign in pursuit of leniency, arguing in part that Hammond had been entrapped by the former LulzSec leader Sabu, who'd become an FBI informant six months before Hammond hacked Stratfor, and who was being monitored around the clock by handlers at the bureau.
At the sentencing hearing, Hammond read a statement saying that Sabu had provided him with passwords and root access information for 2,000 different websites. "These intrusions, all of which were suggested by Sabu while cooperating with the FBI, affected thousands of domain names and consisted largely of foreign government websites, including those of Turkey, Iran..." Hammond said, before being cut off by the judge, who told him that the list of target names was to be redacted.
Preska sentenced Hammond to 10 years in prison, to be followed by three years of supervised release.
Looming over Hammond's trial was the specter of Sabu (real name: Hector Xavier Monsegur), the former Anonymous participant and ex-leader of LulzSec, who was quietly arrested by the FBI on June 7, 2011. Monsegur immediately turned informant and has apparently been helping the bureau ever since. That assistance has included gathering evidence -- and in some cases entrapping -- members of Anonymous and LulzSec, as well as helping the FBI identify system vulnerabilities and exploits.
But Monsegur hasn't been seen in public since. Despite pleading guilty in August 2011 to all the charges filed against him -- 10 counts of hacking, one of identity theft, and one of bank fraud -- with a maximum potential prison term of 124 years, he has yet to be sentenced. His sentencing has repeatedly been delayed by Department of Justice prosecutors, "in light of the defendant's ongoing cooperation," according to court documents.
All the men who were arrested for hacking by the FBI, using evidence gathered in part by Monsegur, have pleaded guilty to one or more of the charges filed against them. As a result, none of their cases have gone to trial, and none have called Monsegur to testify.
In a statement released this year, Hammond suggested that the FBI didn't want to see Monsegur take the stand. "It is widely known that Sabu was used to build cases against a number of hackers, including myself. What many do not know is that Sabu was also used by his handlers to facilitate the hacking of targets of the government's choosing -- including numerous websites belonging to foreign governments."
Hammond added: "What the United States could not accomplish legally, it used Sabu, and by extension, me and my co-defendants, to accomplish illegally." But because he pleaded guilty and his case never went to trial, those allegations have yet to be proven or disproven in a court of law.
Monsegur's sentencing is currently scheduled for Jan. 13, 2014. But, of course, it could be postponed yet again.
(Source: futureatlas.com)
Warning: Chinese state-sponsored hackers are infiltrating US government and defense contractor systems.
That alert was sounded in February when the security firm Mandiant published a report into a group operating from China it called APT1 (also known as the Comment Crew), which it said had used spear phishing attacks to compromise 141 businesses in 20 different industries. Rather than being contract or state-sponsored hackers, Mandiant said, APT1 was actually part of the People's Liberation Army Unit 61398, which it characterized as an elite military hacking unit.
Was China really behind the attacks? Officials there issued denials, but many US information security experts concurred, though opinions varied as to what should be done in response. Some legislators wanted to authorize businesses to strike back and retrieve stolen intellectual property. Some security experts said businesses (especially defense contractors) should stop blaming China and spend more time securing their systems, so that the Chinese or anyone else couldn't launch low-cost APT attacks and easily compromise their systems.
(Source: Watchsmart)
The Syrian Electronic Army (SEA) is another band of state-affiliated -- if not state-sponsored -- attackers. This one is allied with Syrian President Bashar al-Assad. Syria, of course, is in the midst of a bloody civil war. Estimates of the number of people killed during the conflict exceed 100,000, and millions of people have been left homeless.
Serving as an online propaganda wing for Assad, the SEA hacked a number of sites in 2013 -- ranging from National Public Radio and Reuters to the BBC and the Onion -- to protest perceived reporting inaccuracies or slights against Assad. In April, the group hacked an Associated Press Twitter feed and issued a hoax tweet to 1.9 million followers: "Breaking: Two Explosions in the White House and Barack Obama is injured." Cue stock market panic, with the value of US stock markets briefly plunging by $200 billion.
Twitter faced criticism for lacking any type of two-factor authentication system that might have helped prevent the AP account from being taken over. It quickly added one.
Another one of the SEA's most brazen hacks involved its disruption of the domain name system (DNS) settings for The New York Times and Twitter websites. Twitter quickly restored service, but the NYT website was still inaccessible from many parts of the world 48 hours later.
Many information security experts, while decrying the attacks, also said they were quite technically sophisticated, in part by virtue of their simplicity. "They exposed some world-class exposures in some world-class environments," said Carl Herberger, vice president of security solutions at Radware. "To take down The New York Times website? Pretty impressive. To expose some security problems in Twitter, even if the rest of the world didn't know they were there? Very impressive."
(Source: Group-IB)
There's an unwritten rule for black-hat hackers operating from inside Russia: If you don't attack other Russians, and do occasionally lend a hand to the country's security services, then authorities will likely turn a blind eye to your cybercrime activities.
Cue the case of 27-year-old Paunch, identified in news reports as Dmitry Fedotov (pictured), who was arrested by police in the Russian city of Togliatti in October, together with 12 of his alleged cohorts. They've been charged with building and operating -- and in Paunch's case, masterminding -- the notorious Blackhole crimeware toolkit, which first appeared in the summer of 2010. It was so successful at launching financial malware attacks that in October 2012, the Blackhole gang began offering a new, zero-day-vulnerability-targeting exploit pack called the Cool Exploit Kit for $10,000 per month. Together, those two exploit kits reportedly accounted for 40% of all exploit-kit-driven infections in the world.
The toolkits offered crimeware syndicates value for their money. "Blackhole Exploit Kit is rented on the seller's server for $500 per month. The price of renting the software itself for installation on your own server was $700 for three months," according to a statement released by the cybersecurity firm Group-IB, which said it helped Russian authorities investigate the case. "At present, there are reports that Blackhole kingpin, 'Paunch' has more than a thousand customers. It is known that 'Paunch' was earning $50,000 per month from his illegal activity."
Of course, Blackhole users could earn much more. According to Russian authorities, the Blackhole financial malware Trojan -- which specializes in procuring people's usernames, passwords, bank account numbers, and other banking credentials -- was used to steal $2.1 million from Russian banks. Meanwhile, it has reportedly been used to steal an estimated $866 million from banks outside Russia.
(Source: David Paul Ohmer)
Remember Operation Ababil? The series of DDoS attacks against US financial institutions was launched in September 2012 by a group calling itself the Cyber Fighters of Izz ad-Din al-Qassam. Those attacks have continued, with the group announcing the fourth wave of attacks in July 2013.
At the end of 2013, the attacks against Wall Street websites remain ongoing, which has earned the hacking group an accolade of sorts. "It's the longest ever continuously run cyberattack in history," Radware's Herberger told us. "It's still on its fourth wave," though the volume of related attacks seems to have vastly diminished. "It's kind of like an Iraq situation. The main fighting is over, but there's still residual stuff out there."
Those attacks began as a supposed protest against the posting to YouTube of a clip from Innocence of Muslims, a film that mocks the founder of Islam. But US government officials, speaking on background, have long asserted that the attack campaign was being sponsored and run by the Iranian government and likely launched in reprisal for Stuxnet, which was reportedly created by a joint US-Israeli cyberweapons program.
(Source: RCB)
When it comes to hacking prowess, it would be tough not to rate the FBI's cracking of the Tor onion-routing system this summer, as part of a year-long investigation into a child pornography distribution ring.
The anonymizing Tor network is beloved by privacy aficionados and activists, because it can be used to hide not only data flowing over the Internet, but also who's communicating with whom. In addition, Tor's hidden services -- denoted by a dot-onion (.onion) domain name that's always randomly generated -- can make a website reachable only via the Tor network.
But those services can also be abused. The FBI has accused Eric Eoin Marques, who was arrested in Dublin in August 2013, of child pornography distribution through his operation of Freedom Hosting. An FBI agent told an Irish court that Freedom Hosting, which offered Tor hidden services -- but which wasn't affiliated with the Tor Project, which develops the Tor software -- was hosting more than 100 child porn Tor sites, which collectively counted "thousands of members" who posted "millions of images" that involved the abuse of children.
To identify Marques, the bureau reportedly hacked into the Freedom Hosting site in July and used the site to distribute a simple piece of malware that infected anyone using the Tor Browser Bundle (TBB), a version of Firefox customized by the Tor Project to use the anonymizing Tor network. The FBI's malware was simple. It was designed to record the MAC address or Windows hostname of the computer it had infected and then send that data via HTTP to the FBI. Using that information, the bureau could unmask and track any individual Tor user.
The TBB browser vulnerability was patched by the Tor Project on June 26.
(Source: frederic.jacobs)
Who were the most notorious hackers of all in 2013? It would be tough not to give that award to the NSA. According to documents leaked by Snowden, the agency's Tailored Access Operations division (responsible for offensive hacking operations) had used malware to hack into 50,000 PCs for surveillance purposes by 2012.
According to those documents, the agency's Special Source Operations division has been hacking into Internet backbones as part of the digital dragnet. The surveillance operation appears to have been built to record massive quantities of information flowing across the Internet. That includes the Prism program, which captures the metadata (tracking information) associated with every mobile phone call made in the United States. The underlying thinking appears to be that, if the agency technically can grab a copy of those communications, why not go ahead and do so, in case they're ever of interest in future terrorism investigations?
Cue privacy, legal, and constitutional questions, not least over revelations that, if the NSA surveillance apparatus turns up any signs of criminal activity, agency analysts are authorized to share that information with law enforcement agencies.
In 2014, might the NSA's hacking and other information-grabbing operations be curtailed? That's not clear, though a presidential commission submitted a related list of recommendations this month to President Obama. The commission recommended that the NSA get a civilian -- not military -- leader for the first time in its history. Obama reportedly plans to detail next month how the government's intelligence gathering and surveillance operations will be restructured.
The NSA's activities face continuing scrutiny from legislators and judges. On Dec. 16, in the case of Klayman v. Obama, Judge Richard Leon found that the NSA's bulk metadata collection program was "almost Orwellian" in its scope and violated the Fourth Amendment. He ruled that the NSA must cease collecting data -- and destroy all collected data -- related to the two people who had filed the lawsuit. "However, in light of the significant national security interests at stake in this case and the novelty of the constitutional issues, I will stay my order pending appeal" by the government. In other words, stay tuned.