FBI nets cyber informants with hacktivist sting

The FBI is increasingly recruiting hacker activists to become moles, says a former hacktivist who advises the government. Many of the recruits have grown uneasy with alleged plans to disrupt industrial systems or have come to believe the government may not be as computer illiterate as they once perceived, said Jennifer Emick, who became a security consultant after exiting the loose-knit hacker collective Anonymous.

The about-face predates this week's revelation that Hector Xavier Monsegur -- a one-time cyber ringleader -- reportedly went undercover to help the FBI indict several of his former associates.

"Some of them have just had a change of heart about the whole thing," Emick said. "I've helped funnel some of them through," she said of other informants.

But allies of Anonymous say the tactics the FBI used to net six hackers on Tuesday were elementary and have since revitalized many dormant activists. The night of the government's announcement, hacktivists claimed responsibility for defacing websites run by the antivirus software company Panda Security and publishing more than 100 employee email usernames and passwords. The apprehended cyber marauders hailed from one or more hacktivist outlets, including AntiSec, LulzSec and Internet Feds.

Pointing to the crackdown's aftermath, Gregg Housh, a computer engineer affiliated with Anonymous, said, "It seems to be a better recruiting tool for AntiSec and the Anons."

Emick, however, said some of the younger Anonymous enthusiasts are now turned off by the collective's political leanings. A purported Anonymous member recently claimed to have posted sensitive information about Israel's supervisory control and data acquisition, or SCADA, systems on a public message board. "When they start talking about SCADA, and power plants and a lot of anti-Semitic rhetoric ... Some of these guys are Jewish and say, 'Hey, I didn't sign up for this,'" she said.

The Justice Department this week unsealed documents charging the suspects, including a guilty plea from Monsegur, aka Sabu, and divulged that he had been cooperating with detectives since summer 2011. The complaints against the others frequently refer to a "cooperating witness" but do not identify that person as Monsegur. He was an influential instigator within Anonymous, which for several years has allegedly breached government and corporate websites to embarrass its adversaries, highlight security weaknesses and, sometimes, just have fun. Spinoff LulzSec derives its name from the Internet slang words for "laughs" and "security."

Defendant Jeremy Hammond allegedly masterminded the Christmas 2011 disclosure of confidential subscriber records belonging to geopolitical analysis publisher Stratfor, including government and military client data. Prosecutors claim he and co-conspirators stole about 60,000 credit card numbers from Stratfor customers and used some of them to rake in at least $700,000.

Court papers reveal the electronic surveillance techniques agents used to confirm that Hammond was the man behind the anarchy.

The FBI detected public signals broadcasting from a wireless router inside a Chicago building known to be Hammond's residence, according to the documents. Through other public signals, agents determined the media access control, or MAC, address of the computer connecting to that router. A MAC address is the unique serial number for hardware attached to a network that often denotes the device's manufacturer, which in this case was Apple. Monsegur and Hammond had discussed the fact that he used a MacBook. Monsegur reported to the feds that Hammond was online at the time they identified his device's signals.
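The paragraph above relies on the fact that the first three bytes of a MAC address (the OUI) identify the hardware vendor. The following is an added example, not code from the article or from any party it describes: it parses a MAC address in the common notations, extracts the OUI, and flags the locally-administered bit, which is set when a device is using a software-assigned or randomized address rather than the one burned into its hardware. The OUI table and vendor names below are constructed placeholders; a real lookup would consult the IEEE MA-L registry. The practical caveat for defenders is that modern phones and laptops can randomize their Wi-Fi MAC per network, so vendor inference from an observed MAC is a weak signal unless that bit is clear.

```python
"""Decode what a MAC address reveals: OUI, vendor, and address type.

Added example. SAMPLE_OUI_TABLE is constructed placeholder data, not real
IEEE assignments.
"""
import re

# Constructed sample table: OUI prefix -> vendor name. Placeholder values only.
SAMPLE_OUI_TABLE = {
    "00:11:22": "ExampleLaptopVendor",
    "10:22:33": "ExampleRouterVendor",
}

# Accept colon, hyphen, Cisco dotted, or bare 12-hex-digit notation.
_SEPARATORS = re.compile(r"[:\-.\s]")
_TWELVE_HEX = re.compile(r"^[0-9A-Fa-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Return the address as upper-case colon-separated octets, or raise ValueError."""
    digits = _SEPARATORS.sub("", mac)
    if not _TWELVE_HEX.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = digits.upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def describe_mac(mac: str, oui_table: dict = SAMPLE_OUI_TABLE) -> dict:
    """Extract the OUI and the two flag bits carried in the first octet.

    Bit 0 of the first octet: individual (0) vs. group/multicast (1) address.
    Bit 1 of the first octet: universally (0) vs. locally (1) administered.
    A locally-administered address was set by software (e.g. OS randomization),
    so its first three bytes are not a vendor OUI and must not be looked up.
    """
    norm = normalize_mac(mac)
    first_octet = int(norm[:2], 16)
    multicast = bool(first_octet & 0x01)
    locally_administered = bool(first_octet & 0x02)
    oui = norm[:8]
    vendor = None if locally_administered else oui_table.get(oui)
    return {
        "mac": norm,
        "oui": oui,
        "vendor": vendor,
        "locally_administered": locally_administered,
        "multicast": multicast,
    }


if __name__ == "__main__":
    # Constructed sample inputs in the notations the parser accepts.
    for sample in ("00-11-22-33-44-55", "0211.2233.4455", "01:00:5E:00:00:01"):
        print(describe_mac(sample))
```

Observed on a defender's own network, this is the logic an asset-inventory or rogue-device alert would apply: an address whose locally-administered bit is set should be treated as "vendor unknown" rather than mis-attributed to whatever vendor happens to own the same three bytes in the registry.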

The authorities also obtained a court order to tap Hammond's wireless transmissions, including dialing and Web address information. They could tell he was connecting to Tor -- a Web navigation system that allows users to remain anonymous while surfing and instant messaging. An FBI computer specialist was able to bypass the Tor system Hammond was using and uncover his computer's IP address, the numbers that identify a computer's location. The FBI official could see that the MacBook was linked to Tor. The MacBook was active at the times detectives observed Hammond at home and when he was communicating with Monsegur. The activity stopped or diminished whenever he left the building.

Emick said the FBI likely took the unusual step of detailing its operations to prove that authorities had the right guy. Hackers in the past have scoffed at agents for mistakenly arresting an Anonymous follower who had the same username as a nefarious programmer.

"I think coming out, and disclosing just how technologically capable they are, is a really good thing," she said.

Housh dismissed the monitoring as child's play. "A first-year [computer science] student could have done what they did," he said, adding that the tools they applied are freely available online. "That's the same stuff they've been doing since the early '90s. That's so unbelievably nontechnical and rudimentary. It would be like applauding someone because they knew that a hammer is something you use to put a nail in a piece of wood."

According to Fox News, which first reported Monsegur's role as an informant, the feds found Monsegur when he entered a chat room with other plotters and neglected to conceal his IP address.

The suspects allegedly orchestrated high-profile strikes on, among other major organizations, Sony, Fox, PBS, MasterCard, and security contractor HBGary Federal. They typically took credit for publishing the private credentials of their targets -- passwords and phone numbers -- in an attempt to expose wrongdoing or blackmail adversaries. Another major entity they began to target was the government.

Donncha O'Cearrbhail of Ireland allegedly intercepted a Jan. 17 telephone conference between the FBI and United Kingdom authorities about an FBI investigation into Anonymous. He didn't have to hack into phone lines or even FBI computers to do this. According to U.S. investigators, an Ireland National Police Service officer routinely forwarded work emails to his personal Gmail account, including a message containing the phone number and passcode for the scheduled call. His Gmail account had been hacked in December or January, the court papers showed. O'Cearrbhail asked Monsegur for help taping the teleconference during an online exchange in a private chat room that Monsegur recorded for the feds.

The filings relate parts of the chat transcript: "I need to intercept a conference call which would be a very good leak. I have acquired info about the time, phone number and PIN number for the conference call. I just don't have a good VOIP set-up for actually calling in to record it," O'Cearrbhail allegedly wrote. "If you could help me, I am happy to leak the call to you solely."

After successfully taping the call, O'Cearrbhail told Monsegur, "I think we need to hype it up. Let the feds think we have been recording their calls. They will be paranoid that none of their communications methods are safe or secure from Anon." He then transferred the audio file to Monsegur over the Internet. Anons later uploaded a copy to the media sharing site YouTube.

The court papers do not state whether FBI officials on the call knew an eavesdropper was present. But the American agents were relatively quiet on the phone, Emick noted.

"During the call, they seemed to be sort of self-conscious," she said. "They knew someone was there. If you notice, the Met cop does all the talking," Emick added, referring to a London Metropolitan Police officer who dominated much of the discussion.

Stratfor officials have acknowledged they knew their computers had been compromised before the hackers spilled the evidence online -- but kept silent.

"If they had tipped their hand to stop it, it would have happened anyway," Emick said. "I think they probably made the right call," she said of the company's decision not to publicize the hack.

As for what happens next in the cat-and-mouse game of feds versus hackers, she predicts radicals like Hammond and attention-seekers will remain undeterred while the idealists grow rightfully fearful. They will wonder if their wireless router is being tapped, their MAC address is broadcasting their whereabouts, or "did Sabu slip them a Trojan" spyware file, Emick said. "I think they're ready to go back to their PlayStations maybe."

Housh said hackers always have assumed there are spies and FBI agents snooping around chat rooms. All the men accused this week outwitted the feds with their programming skills, except for Monsegur, he said.

"Sabu made a mistake," Housh said. "Their only mistake was trusting the snitch."
