The legal attack against Anonymous and LulzSec

Introduction

The March 6, 2012 arrest of six Anonymous/LulzSec members included a public release of the sworn affidavits and indictments.  These are posted below.  The following is a synopsis of the facts obtained from those released documents and is an excellent example of how the FBI conducts criminal computer investigations (and how they utilize informants).

Claims against Hector Xavier Monsegur (aka Sabu)

The arrest of Hector Xavier Monsegur was the most significant as many surmised that Monsegur turned informant to assist the FBI in the investigation against the other hackers.  The documents filed against Monsegur claim that Hector Xavier Monsegur (known as “Sabu” in Anonymous circles) acted as the rooter and assisted the groups in gaining unauthorized access to the systems by identifying vulnerabilities and providing infrastructure support (servers and routers) which could be used to launch the attacks. Whether the “infrastructure support” mentioned in the documents was unauthorized use of his company’s hardware, the purchase of hardware using stolen credit cards, or simply acting as a LIOC client/agent or Tor exit node is not specified. Oddly, the indictment specifically mentions that the group supported Wikileaks and its founder, Julian Assange, a stab at Wikileaks that seems much out of place.

Specific attacks that Sabu allegedly participated in included the December 2010 DDOS attacks against Visa, MasterCard, and PayPal, the early 2011 attacks against the governments of Tunisia, Algeria, Yemeni, and Zimbabwe, and attacks against HBGary Federal, Fox Broadcasting Company, ACS Law, PBS, Nintendo, and Sony PlayStation Network.

One interesting accusation included a 2010 hack of an automobile parts company (no specific company name given in the document) whereby Sabu “fraudulently caused” the shipment of four automobile engines to his New York, New York home. This one falls outside the lines of the other supposed attacks and if true, could have been the undoing of Sabu given how easy it would have been to tie the shipment, and therefore the system intrusion, directly to Monsegur himself.

The document also claims that credit card numbers and bank account numbers were obtained by Sabu and used to purchase items and pay bills. The kicker – the document reveals their objective of forcing Monsegur to forfeit his own property to pay for these items.

Nowhere in the case against Monsegur does it mention that he may have turned state evidence against his fellow hackers.  But, there are many clues that Sabu was pressured into turning including a Summer arrest and an obvious change in behavior (some fellow hackers noted that in retrospect, it seemed as if Sabu was covertly hinting that the other members should not trust him).

Claims against Ryan Ackroyd (United Kingdom), Jake Davis (United Kingdom), Darren Martyn (Ireland), and Donncha O’Cearrbhail (Ireland)

The indictment claims against Ryan Ackroyd, Jake Davis, Darren Martyn, and Donncha O’Cearrbhail hint that all were members of Anonymous and/or the Internet Feds hacking groups.  The document claims that they carried out a campaign of “online destruction, intimidation, and criminality”. Specific attacks mentioned parallel the claims against Monsegur and include the hacks against HBGary and Fox Broadcasting Company. The supposed cyber attacks involved deleting data, stealing confidential information, decrypting confidential information (or “de-encrypting” as the Feds put it) including passwords, publicly disclosing the stolen information by dumping the data on public websites, hijacking email and Twitter accounts, defacing websites, doxing personal information (publishing private, personal details about a person), installing backdoors on the penetrated systems, intimidating the victim, and subjecting the victim to harassment. The document pointedly mentions their association with “Sabu” (aka Hector Xavier Monsegur), and other hackers identified as “Tflow”, and “Avunit”.

The documents notes the specific roles of each defendant claiming that Ryan Ackroyd identified and penetrated systems while Jake Davis acted as the “spokesman” for the group. The hack on Fox Networks notes that personal information, including names, birth dates, telephone numbers, email addresses, and home addresses, of 70,000 X-Factor contestants was stolen.

Logs of IRC discussions are playing a critical role too – especially logs of conversations that were purposefully initiated and led by the FBI and/or FBI informant(s).  Screen names and subtle personal information the hackers revealed in the chats were used to tie the screennames to the real person (although the feds specifically point out the obvious – that they used proxy servers to cloak their IP addresses).  Davis, the “spokesman”, told Avunit on IRC channel #hq, “I’m happy to talk to press on IRC/Skype, have done so for months.  Have talked to maybe 150 journalists.”  This one statement alone was likely considered justification for tagging Davis as the “spokesman” for the groups.

It is also interesting to note that Ryan Ackroyd and Jake Davis had been charged previously for alleged participation in a hacking spree during the Spring of 2011.  The claims mentioned above lead to further charges against the two.

The Sealed Complaint against Jeremy Hammond

Jeremy Hammond of Chicago was already a noted activist and hacker who had previous brushes with the law.  Hammond is also known to have given a Defcon speech on electronic civil disobedience and has even been profiled by Chicago Magazine.  His reputation precedes him.

The case against Jeremy Hammond, aka Anarchaos, sup_g, burn, yohoho, POW, tylerknowsthis, crediblethreat) comes from a deposition of Milan Patel (an eight-year FBI Special Agent veteran) where he notes that in December 2011, Hammond sent stolen credit card information to “a computer located in the Southern District of New York (supposedly the computer of Hector Xavier Monsegur).  The credit card information was stolen from the comprised network of Strategic Forecasting Inc., an Austin, Texas based company (known as Stratfor).  The deposition claims that one “co-conspirator” received a chat message from Hammond stating that he had broken into the network of Strategic Forecasting and that the stolen data had been uploaded to a server in the “southern district of New York” to a second “co-conspirator”. 

The affidavit notes that the credit card information stolen from Strategic Forecasting was used to purchase at least $700,000 worth of goods.  On December 29, 2011, a document titled “antisec teaser 12/29 (legit)” was posted on pastebin.  It said:

It’s time to dump the full 75,000 names, addresses, CCs and md5 hashed passwords to every customer that has ever paid Stratfor.  But that’s not all: we’re also dumping ~860,000 usernames, email addresses, and md5 hashed passwords for everyone who’s ever registered on Stratfor’s site.  We call upon all allied battleships, all armies from darkness, to use and abuse these password lists and credit card information to wreak unholy havoc upon the systems and personal email accounts of these rich and powerful oppressors.

The deposition reveals little specifics since it is intended only to prove probable cause.  It does mention specific technologies though which gleans some insight into how Anonymous operated and hid their identities.  Technological terms such as ip address and MAC address hint that log files and pentraps were used to gather evidence in the cases.  IRC and Jabber are described hinting that chat logs were used.  The affidavit goes into a lengthy description of TOR (the Onion Router) which implies that the TOR network was used by Anonymous and LulzSec in an attempt to hide their true IP addresses (it also describes files “found on a .onion server”).

In addition to the technical details listed, simple personal details that the hackers revealed were strung together to narrow down the list of suspects.  The affidavit notes that in one chat log, the defendant stated, “some comrades of mine were arrested in st louis a few weeks ago… for midwest rising tar sands work” (a protest held in St. Louis, Missouri on August 15, 2011).  Arrest reports were pulled and the list of arrestees included Hammond’s twin brother and another good friend of Hammond’s.  In another chat log, sup_g states that he was arrested in 2004 during the Republican National Convent in New York City.  A list of people arrested during the convention included “Jeremy Hammond”.  These details (and many more examples that were provide din the affidavit), combined with the fact that Hammond had previously been arrested for computer intrusion, led the FBI to set up surveillance on him and on March 1, 2012, to install a pen trap to collect addressing and signal information from his home.  The pen trap further revealed that Hammond was sending a significant amount of data through the TOR network and combined with the personal surveillance, was used to tie Hammond to specific screen names (they could tell that certain chat sessions conducted under certain screen names ended each time Hammond left his home).

The amended complaint against Donncha O’Cearrbhail

Aliases used by O’Cearrbhail included palladium, polonium, and anonsacco.  The affidavit claims that in early 2012, the personal GMail accounts of two National Police Service (Ireland) officers was compromised by a hacker.  Via this hacked email account, messages were obtained by the hackers that gave the telephone number and passcode of a scheduled police conference call discussing the Anonymous investigation.  Anonsacco, via a private chatrom, chatted with the informant about the information he had obtained. 

Hi mate.  Could I ask you for help?  I need to intercept a conference call wich would be a very good leak.  I have acquired info abou the time, phone number, and pin number for the conference call.  I just don’t have a good VOIP setup for actually calling in to record it.  If you could help me, I am happy to leak the call to you solely.  I guarantee it will be of interest!

The conference call recording was later posted online and tied to one of the screen names.

The anonsacco screen name was then cleverly tied to other aliaes (primarily via personal details revealed during the conversation), including palladium, which linked O’Cearrbhail with other hacks.  O’Cearrbhail was arrested for another computer intrusion and released.  His later conversations regarding the first arrest were also used to tie him to other screen names and hacking activity.  It also appears as if O’Cearrbhail’s IP address was easily tied to some of the breakins.  In addition, his cloaked IRC login ID was tied to several screen names.

 

The snitch

As far as I can tell, the names of the accomplices are not listed but there are hints in the documents that one or two co-conspirators assisted the FBI in the investigation.  Later news leaked that a 124 year sentence was threatened if the informant did not cooperate with the FBI (a sentence which struck many as out of proportion to the alleged crimes).

One particular statement in the affidavit notes that the informant, with encouragement from the FBI, provided an upload bin on a server in the southern district of New York.  This is the only notable fact and could hint that the unnamed co-conspirator was Hector Xavier Monsegur.  But nowhere is Monsegur specifically labeled an informant. The affidavit does note that one of the members of LulzSec was arrested (during the Summer of 2011) and agreed to cooperate in return for receiving a reduced sentence. The affidavit also points out that this person was located in New York, New York while he was working for the FBI and that this person has already plead guilty to various charges.  In retrospect, many Anonymous members noted a marked change in Monsegur’s behavior (oh how a “safe word” used in the chats could have saved the day).

The affidavit describes how the FBI used the informant to further trap other Anonymous members.  For instance, the FBI directed the snitch to provide storage space for the attackers.  During the Stratfor hack, the informant provided Hammond and the others a computer server in New York, New York which they could use to store data.  This was used to gather additional evidence against the other Anonymous members. 

In addition, the snitch recorded chat logs that were used to derive the attackers various aliases and tie them to other crimes.  Here’s a sample of a logged conversation:

sup_g: I was thinking we order some servers with them stolen credit card numbers.  Lots of servers with big hard drives and make four of five mirror .onions with them.  A few will go down right away, a few might not.

informant: can you get an offshore server with one of those verified credit cards?  I’ll try it too.

sup_g: since web/onion is really the most practical way to browse the mails and clearspace.  Torrent is damn impractical, no one will download.  We might want to offer it anyway but even so, focus on web viewing.

And in this exchange, notice how the informant refers to the hacker by different aliases to ensure he responds in kind to each one.

informant: yo you

sup_g: hey homeboii

sup_g: It’s all real good = )

informant: took a na

informant: *nap*

sup_g: hooking it up with custom script to parse them things as we speak.

informant: how’s the news looking?

sup_g: I been going hard all night.

informant: I heard we’re all over the newspapers.  You mother fuckers are going to get me raided.

sup_g: we put out 30k cards, the it.stratfor.com dump, and another statement.  Dude, it’s big…

informant: if I get raided anarchaos your job is to cause havok in my honor.

sup_g: it shall be so

The documents

The Anonymous and LulzSec (Lulz Security) indictment documents are available for download on scribd.  See embedded versions below.

 

Indictment against Hector Xavier Monsegur filed in the United States District Court Southern District of New York:

 

Indictments filed in the United States District Court Southern District of New York against Ryan Ackroyd, Jake Davis, Darrent Martyn, and Donncha O’Cearrbhail.

 

Sealed complaint against Jeremy Hammond.

 

Amended complaint against Donncha O’Cearrbhail.

 

Hector Xavier Monsegur Waiver of indictment in return for cooperating with the government

You may also like...

%d bloggers like this: