Original URL: http://www.theregister.co.uk/2012/03/07/lulzsec_takedown_analysis/

The one tiny slip that put LulzSec chief Sabu in the FBI's pocket

IRC relays 'infiltrated by the feds'

By John Leyden

Posted in Security, 7th March 2012 17:33 GMT

Analysis The man named by the FBI as infamous hacktivist Sabu was undone by an embarrassing security blunder, it has emerged.

The alleged LulzSec kingpin eventually copped to a battery of hacking charges last August and was reported to have been "co-operating" with the FBI in the months leading up to yesterday's arrests.

Police locked onto Hector Xavier Monsegur, an unemployed 28-year-old from New York – allegedly LulzSec hacktivist supremo Sabu – after he apparently made the mistake of logging into an IRC chat server without using the Tor anonymisation service1.

According to Robert Graham of Errata Security Monsegur exposed his IP address, which allowed federal investigators to request records from ISPs and track down his location to a flat shared with his two sons on Manhattan's Lower East Side.

"They caught him because just once, he logged onto IRC without going through Tor, revealing to the FBI his IP address," Graham claims. "This reveals a little bit about the FBI, namely that they've infiltrated enough of the popular IRC relays to be able to get people's IP addresses. We've always suspected they could, now we know."

It's unclear precisely when investigators identified Monsegur as a prime suspect in the case. However by early June separate digital sleuthing by various parties – most notably @backtracesec and purported ex-military anti-WikiLeaks hacker The Jester (th3j35t3r) – led to the public fingering of Monsegur as Sabu.

Monsegur was NOT the only person named as Sabu2. The Jester previously named (he later apologised for his error) an innocent Portuguese web designer as a suspect, for example. Pastebin has been full of various documents giving multiple "identities" and background details for supposed members of LulzSec and Anonymous for months.

However the fact that Monsegur was named at all caused investigators to fear he would destroy evidence if they failed to act quickly. The Puerto Rican immigrant's flat was raided on 7 June last year.

Fox News reports that agents had already obtained a warrant to pull Monsegur's Facebook file, and said they found evidence that the suspect had traded credit card numbers with other hackers. This was enough to execute a warrant to seize equipment and arrest Monsegur.

The report said investigators had coerced the unemployed dad into co-operating by threatening him with two years in prison away from his children on the easy-to-prove ID theft charges alone if he failed to turn informant on the rest of the LulzSec crew. The feds also persuaded him to turn over the encryption keys on his battered laptop, allowing them to obtain evidence of Monsegur's "hacking activities".

“It was because of his kids,” an FBI source told Fox News. “He’d do anything for his kids. He didn’t want to go away to prison and leave them. That’s how we got him.”

Monsegur was bailed on the identity theft charges and returned home after agreeing to act as an informant against his erstwhile hacktivist colleagues, officials told Fox News. Neither his family nor his "brothers" in Anonymous and LulzSec were left any the wiser that he was then working as a co-operating witness, his "handlers" said.

Sabu's anti-capitalist rants and brazen boasts continued after Monsegur's changed status, they said. But a minority – most notably a hacktivist using the handle Virus – suspected he might have been acting as a federal informant around this time.

Virus was suspicious when Sabu disappeared offline for about a week and by his later alleged inducement to hack into Backtrace Security (an outfit tracing members of LulzSec) for money – an offer Virus declined. Virus confronted Sabu with his suspicions that he might be a snitch in a heated exchange, recorded on PasteBin here.

Just a normal New Yorker

These suspicions were isolated and the vast remainder of LulzSec and legions of members of hacktivist collective Anonymous continued to follow Sabu's lead.

What they didn't know was that for the last eight months or so, and certainly from the time in mid-August when Monsegur secretly pleaded guilty to a slew of hacking offences, was that the feds had been monitoring exchanges and gathering evidence against them as well as passing on information that was used to minimise the damage caused by some of the planned operations. From mid-August onwards, sources told Fox News, Monsegur allegedly worked almost out of the FBI's New York City offices almost every day.

Later his handlers allowed him to work using a laptop provided by the FBI while under close 24-hour monitoring and supervision.1

Monsegur was watched by his federal handlers while maintaining the same habits and online presence, spending between eight and 16 hours a day at his computer and often working through the night. His FBI handlers orchestrated an elaborate disinformation campaign, using the AnonymousSabu Twitter account and interviews with journalists to spread disinformation.

Ironically, the man alleged to be the frontman and chief rabble-rouser for #FuckFBIFridays – a weekly event in the Anonymous calendar – had been cheering on attacks against law enforcement systems from behind an FBI desk, while at the same time working to minimise any damage, the G-men said.

Monsegur reportedly worked with his handlers to mitigate the damage caused by the hack on 70 law enforcement websites in July 2011, minimising the amount of information that came out a month later. The suspect worked with the FBI to inform 300 government, financial and corporate entities in the US and elsewhere of problems of their systems that had come to the attention of hackers, his handlers said.

He also apparently fact-checked boastful claims frequently made by hacktivists who, as before, continued to come to Sabu with plans for operations, the FBI said.

On one occasion, at the behest of his FBI handlers, Monsegur successfully ordered the end of a DDoS attack against the CIA. “You’re knocking over a bee’s nest,” he warned his associates. “Stop.”

He then allegedly helped the FBI track down and gather evidence against his hacking associates, information that only became public with the unsealing of his indictment [PDF] and the arrest of suspected hacktivists in the US, Ireland and the UK on Tuesday.

Monsegur adapted to his new status to the point that he reportedly attempted to pass himself off as a federal agent when he was collared by New York city cops last month, Gawker reports.

How Monsegur's role became public

Police detained five men largely based on information supplied by Monsegur. Following these arrests the indictment against Monsegur was unsealed on Tuesday and his admission to a string of computer hacking, conspiracy and fraud charges – as well as his role as an informant – became public knowledge for the first time. According to the indictment, Monsegur's role was to look for vulnerabilities in websites that were then exploited either by himself or other alleged hackers in LulzSec or Anonymous.

In the unsealed indictment, Monsegur pleaded guilty to taking part in the hack attack against HB Gary, stealing information about X-Factor contestants after breaking into systems at Fox, as well as hacks against FBI-affiliated computer security association Infraguard. Hacks against PBS and Sony Pictures also appear on the charge sheet.

He has also pleaded guilty to using stolen credit card information to pay for car parts valued at $3,450. Monsegur also admitted profiting by selling on the login details of compromised bank accounts, a form of aggravated identity theft.

The FBI said that information supplied by Monsegur allowed it to charge four men with offences linked to LulzSec and another US man regarding the high-profile hack on Stratfor, the private-sector intelligence firm, as explained in a statement here.

Ryan Ackroyd (AKA Kayla), 23, of Doncaster, United Kingdom, Jake Davis (AKA Topiary), 29, of Lerwick, Shetland Islands, Darren Martyn (AKA pwnsauce), 25, of Galway, Ireland, and Donncha O’Cearrbhail (AKA palladium), 19, of Birr, Ireland, were charged with various offences connected to LulzSec. The quartet are accused of conspiring to hack Fox Broadcasting Company, Sony Pictures Entertainment, and the Public Broadcasting Service (PBS).

O’Cearrbhail was further charged in a separate case with intentionally disclosing an unlawfully intercepted wire communication - a conference call between law enforcement officers on both sides of the Atlantic discussing investigations against members of Anonymous that was leaked by the hacktivist collective last month.

It now seems likely that those taking part in the call were likely tipped off that an eavesdropper was on the line or at least that the leaked excerpt was screened by Monsegur and his FBI handlers.

A fifth suspect – Jeremy Hammond (AKA Anarchaos), 27, of Chicago, Illinois – was arrested on access device fraud and hacking charges, and is suspected of involvement in the December Anonymous hack on security intelligence outfit Stratfor.

LulzSec began as a splinter group separated off from anarchic online collective Anonymous prior to mounting scores of high-profile hacks over a seven-week period before disbanding in late June last year, shortly after Monsegur's initial arrest. Its targets included HB Gary Federal, defence contractors, police departments, FBI-affiliated security firms, the CIA, the US Senate, online gaming operations including EVE Online and corporations including Fox, News Corporation, Sony and many others.

Website defacement and the extraction and release of sensitive information siphoned away from insecure systems were among the activists group's typical tactics.

After disbanding the group returned to the Anonymous fold, most notably taking part in OpAntiSec operations designed to expose poor corporate security and show support for various political causes including the Occupy movement and the Arab Spring protests, among others.

Sabu signed off from his @AnonymousSabu account hours before news of Monsegur's arrest – and co-operation with the FBI – became public knowledge with a quote from Marxist revolutionary Rosa Luxemburg. The German message translates as: "The revolution says I am, I was, I will be." ®

Bootnotes

1It's unclear at the time of writing whether this compromised access was linked to the July 2011 arrest of a 19-year-old from Essex, who allegedly ran an IRC channel used by LulzSec.

2Sabu took his handle from a New York-born pro-wrestler who billed himself as a Saudi Arabian to incite jingoistic crowds. "Sabu the Elephant Boy" played the bad guy in bouts and had a reputation for shedding as much blood as he drew during his heyday in the '80s and '90s. Sabu also means father in Arabic but that seems to have been something of a coincidence.

3The close monitoring is at least partially explained by the case of Albert Gonzalez, a cybercrook who went on to mastermind the multi-million Heartland Systems and TJ Maxx credit card frauds at the same time as working as an US Secret Service informant. Gonzalez was jailed for 20 years in March 2010.