Indictment sheets made public by the FBI yesterday have revealed how the US agency turned a hacker centrally involved in the operations of LulzSec and used him to build cases against five other LulzSec hackers arrested yesterday in the US, the UK and Ireland. The documents, unsealed in a New York court, include details of how the FBI allowed attacks, such as the hack of the security company Stratfor, to happen, and even provided servers for the hackers to store information gained from hacks.
A 19-year-old Irish student, Donncha O’Cearbhaill, accused of hacking the phone call between FBI and Scotland Yard investigators in January, was caught when he turned to Hector Xavier Monsegur, known online as Sabu, for technical advice. He now faces up to 15 years in prison.
“We have cut off the head of LulzSec,” an unnamed FBI official declared on Tuesday. Monsegur was arrested on June 7, 2011, having apparently failed to conceal his IP address while logging into an online chat room just a single time. According to the indictment sheet, on August 15 he pled guilty to 12 charges including aggravated identity theft, conspiracy to commit bank fraud, computer hacking in furtherance of fraud, theft of confidential information and criminal damage. The crimes carry a maximum jail sentence of more than 124 years.
Having apparently cut a deal to avoid prison time, he was then issued with an FBI computer, released, and instructed to carry on his daily online life as normal, under 24-hour surveillance. From August onward he continued to encourage his followers on Twitter to carry out hacks, and appeared in online chatrooms giving advice on proposed operations.
Nineteen-year-old Donncha O’Cearbhaill, known online as palladium, is accused of hacking, recording and disseminating a conference call between the FBI and Scotland Yard in which they discussed ongoing operations against Anonymous and LulzSec members. According to the indictment sheet, the defendant gained access to the telephone number and pass code that would be used to access the conference call after hacking the personal email of an Irish police officer. The officer “routinely sent email messages from an official Garda (Irish police) email account” to the compromised Gmail account.
In an online chat on January 14, 2012 between Sabu and O’Cearbhaill, which was being recorded by the FBI, the defendant allegedly asked Sabu for technical advice on accessing and recording the call.
Hi mate, Could I ask you for help? I need to intercept a conference call which would be a very good leak. I have acquired info about the time, phone number, and pin number for the conference call….If you could help me, I am happy to leak the call to you solely. I guarantee it will be of interest!!
O’Cearbhaill subsequently gave a recording of the hacked call to Sabu, which was later posted to YouTube by the user ‘TheDigitalFolklore’.
O’Cearbhaill is also accused of hacking into and defacing the website of Irish political party Fine Gael. The FBI uncovered evidence of that hack after receiving a search warrant to search the Facebook account of another “co-conspirator”, believed to be Darren Martyn, known online as pwnsauce.
A Twitter account allegedly belonging to the defendant includes a picture of him with the former President of Ireland. Amongst tweets “favourited” by O’Cearbhaill is one from Sabu, his alleged betrayer.
The indictment sheets detail the operations that Sabu is alleged to have taken part in prior to his arrest. Investigators accuse him of planning and carrying out DDoS attacks against sites belonging to the governments of Algeria and Tunisia, and of infiltrating Yemeni and Zimbabwean government servers. With other members of the collective known as Internet Feds, he participated in hacks of the security company HBGary Federal, as well as The Tribune and Fox media companies. Fox were the first news site to break the story on Tuesday.
Operating under the banner of LulzSec, Monsegur and others are accused of attacking the US Senate, PBS, Sony, Nintendo, Bethesda Softworks and Infragard-Atlanta, the local branch of an American company with links to the FBI.
I know that one of the members of LulzSec (“CW-1”) was arrested by law enforcement, and agreed to cooperate with the Government in the hope of receiving a reduced sentence. CW-1 has pleaded guilty to various charges, including charges relating to computer hacking, pursuant to a cooperation agreement with the Government. I have found that the information provided by CW-1 has been accurate and reliable, and corroborated by other information developed in this investigation.
This statement, which refers to Sabu without naming him, was provided by FBI special agent Milan Patel in the complaint against Jeremy Hammond, another of those arrested. Hammond is accused of masterminding the hack of Stratfor, the private intelligence company whose internal emails WikiLeaks began publishing last month. The hack was carried out by AntiSec, a subgroup of hackers supportive of Anonymous created in June 2011, made up of “various members of LulzSec” according to Special Agent Patel.
Via Sabu, the FBI were able to surveil the planning and aftermath of the Stratfor hack. The hackers used secure protocols to carry out encrypted conversations and exchange documents securely. They stored the stolen data on hidden servers (.onion) accessible only using Tor, software that allows users to access the Internet anonymously.
Following the hack, the FBI ordered Sabu to provide the AntiSec hackers with a server to store the data, presumably allowing them to analyse the five million emails. The FBI also had full access to encrypted discussions between Sabu and Jeremy Hammond. On December 6, Hammond announced that he had settled on a new target, Stratfor. On December 19, he stated that all of the emails had been copied.
In November 2011, four months after his initial arrest, a user claiming to be Sabu went on Reddit’s popular Ask-Me-Anything thread, answering questions. Asked if he was afraid of getting caught, he wrote:
I’m at the point of no return. Not trying to sound like a bad ass, however, it’s the truth.
Another user asks if he has any advice for young hackers. His reply:
Stick to yourselves…Friends will try to take you down if they have to.
Image: Karat CC BY-NC-SA, remixed by Owni