Feeds

UK cops: How we sniffed out convicted AnonOps admin 'Nerdo'

Hint: Sometimes gamer tags give the game away

The Essential Guide to IT Transformation

Analysis of IRC logs and open source intelligence played a key role in the successful police prosecution that led up the conviction of a member of Anonymous for conspiracy to launch denial of service attacks against PayPal and other firms.

Christopher "Nerdo" Weatherhead, 22, was convicted on one count of conspiracy to impair the operation of computers following a guilty verdict by a jury at Southwark Crown court last week.

Weatherhead, 22, was studying at Northampton University when he allegedly took part in "Operation Payback", the DDoS campaign launched by the hacktivists in defence of whistle-blowing site WikiLeaks. Targets included the entertainment industry and later financial services firms that had suspended payment processing of donations to WikiLeaks after it controversially published leaked US diplomatic cables in late 2010.

Ashley Rhodes, 27, from Camberwell, south London; Peter Gibson, 24, from Hartlepool; and an 18-year-old male had already pleaded guilty to the same charge, relating to offences that took place between August 2010 and January 2011.

Payback's a bitch

Sandip Patel, prosecuting, said that attacks by various Anonymous hacktivists had cost PayPal £3.5m ($5.5m) and forced it to call in 100 staff from parent firm eBay in order to keep its website up and running over the course of a series of DDoS assaults that spanned several weeks.

The attacks were launched using the Low Orbit Ion Canon (LOIC) packet-flooding tool widely used by Anonymous at the time. LOIC spills the IP addresses of those taking part in attacks. However evidence from IRC channels where the hacktivists hung out and planned attacks was the more important evidence in the police investigation.

Operation Payback attacks began against firms known to oppose copyright piracy (such as those of the Ministry of Sound nightclub, the British Recorded Music Industry and the International Federation of the Phonographic Industry) before the hacktivists switched targets to concentrate packet-slamming assaults on payment-processing firms including PayPal and MasterCard - which had angered Anonymous by choking off a source of income to WikiLeaks.

Sniffing around in AnonOps' channel

Weatherhead (Nerdo) was a network administrator and among a small group of leaders on an AnonOps IRC channel that became the focus of a police investigation, spearheaded by members of Scotland Yard's Police Central eCrime Unit.

Former Detective Constable Trevor Dickey, who has left the Met and found work in the private sector since the successful conclusion of the investigation, explained: "In a nutshell we identified Weatherhead via the IRC network."

"We identified their IRC channels and captured several weeks of chat. During that time we looked at the status of nicks such as admins and operators," he added.

"We then did some keyword searching and spent a lot of time looking social leakage. Combining all these elements we then identified the nicks of interest and did open source research on them. Weatherhead was easy to identify as he had been using the nick of 'Nerdo' for quite some time," he concluded.

Ray Massie, a self-employed computer forensic and open-source training consultant who served as a detective sergeant with the Met Police and led the investigation, explained that UK police decided to target the administrators of Anonymous-run channels, focusing on instigators of attacks rather than Anonymous "foot soldiers" otherwise involved in DDoS assaults. This is contrast to US law enforcement clampdowns, which also targeted simple participants in hacktivist actions who had played no part in selecting targets or planning attacks.

"We went after organisers and facilitators rather than foot soldiers. US authorities went after a mix," Massie explained.

The police operation began in October 2010 with attacks on the Ministry of Sound and the BPI. "It was quickly clear that Anonymous was running similar attacks against different anti-piracy organisations in the USA, Germany, France, Spain and elsewhere. They would select a target, post the named of a target online along with dates and times of an attack and, in some cases, a countdown clock. Everything from signposted from IRC channels."

Massie explained that over time, hacktivists made more use of Facebook and Twitter but this was mainly for promotion and propaganda. "Would-be participants were directed to IRC channels, where plans were all laid out," he said. Links provided on IRC provided advice on how to use LOIC (the favoured DDoS attack tool of Anonymous at the time), how to cover their tracks, and other hacker trade-craft tips.

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Tor attack nodes RIPPED MASKS off users for 6 MONTHS
Traffic confirmation attack bared users' privates - but to whom?
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.