We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous, and the Global Cyber Insurgency


by Parmy Olson


  Storm could use his server to fling a hundred megabytes of junk traffic per second to a target. The process was not that different from uploading a picture or movie to Facebook or to a file-sharing site. In that case, you are uploading something useful at perhaps four megabytes a second. Storm’s extra server acted like an electric guitar amplifier, but increasing data speed, not sound.

  Storm would use his server to aim junk packets at certain sections of the 2600 chat network, server nodes of the network known as leaves. If you’re sending junk packets instead of useful data, it can overload a server and take it offline. An IRC network was like a tree, and 2600 had three so-called leaves. Instead of attacking the whole network at once, Storm flooded each individual leaf. Using this plan, he could needle the hundreds of participants to scramble from one leaf to another instead of disconnecting altogether and waiting for the network to come back up. The ultimate goal was to annoy them as much as possible.

  Through the IRC command map, the LulzSec group could watch how many users were on each of their enemy network’s leaves. Before Storm’s attack there had been about six hundred people on all leaves, and then the number started dropping. In just over ten minutes, one of the leaves went down.

  “It’s nulled,” said Storm.

  “Haha,” said Kayla.

  After seven minutes, as the users were jumping around to stay connected, Storm took down another leaf and kept it down for about fifteen minutes. He let it up again for twenty minutes so participants would think everything was okay, and then he took it down again.

  “I can’t even connect to 2600,” reported Kayla. Storm laughed.

  “These guys are so fun to fuck,” said Topiary.

  “Wait :D let us troll the shit out of them first :D,” said Kayla, “then we can PUSH/SYN/ACK/UDP them to oblivion hahahahahahaha.” That was a reference to different types of junk packets. Attacking an entire network to get back at one annoying clique didn’t seem to strike anyone in the group as an abuse of power or an act of bullying. Instead, with Storm now getting the limelight, Kayla couldn’t help but mention her own successful attacks of the days of Chanology, and she started reminiscing about how she had DDoS’d three Chanology sites for three weeks back in 2009—the incident where she had been stumbled upon by Laurelai.

  “Ahaha that was you?” asked Topiary.

  “Yes :D,” said Kayla.

  “Gregg Housh was bitching about that.”

  “A lot of people were bitching about it.”

  “Sending packets of size 40…” Storm reported. Another server leaf was nulled. “Dude, they’re not gonna have anywhere to chat.” Now three key servers hosting the 2600 chat network were down. He and Topiary started trying to connect to the network and couldn’t.

  “Lolz,” said Storm.

  “We should do this everyday until they refuse to house Jester,” said Topiary. He pointed out the small clique of people communicating with Jester on Twitter, and Awinee, from Holland, was being especially vindictive. “These are the same guys who specifically went after Sabu and our crew back in February with HBGary,” Topiary added. “They’re a lovable bunch of scoundrels.”

  Topiary sent some messages from the LulzSec feed: “What’s wrong with irc.2600.net AKA Jester’s hideout? Oops, I think we just fucked it. Sorry, Awinee and crew. Have fun explaining to the 2600.net admins that we just took down the entire network because of Jester people. Uh-oh!”

  Back on #pure-elite, weapons were still firing at the 2600 servers. “Should I let it back up?” Storm asked Topiary.

  “Whatever you want.”

  When he saw more criticism from Jester’s people on Twitter, Storm switched to a different type of junk packet. And as Awinee kept up his rhetoric, LulzSec kept attacking. LulzSec was behaving like other hacker groups with its tit-for-tat behavior, except that more traditional hackers wouldn’t have been riled up by a few relatively unskilled hecklers on Twitter. Perhaps it was because LulzSec was so open and public, but it was the critics who spoke the loudest that seemed to get under the group’s skin the most.

  Storm was proving a useful supporter with his DDoSing ability. In front of the crew, Topiary called him the LulzSec “cannonfire officer,” working in tandem with Kayla, who was the group’s assassin and spy. “We dock in ports and she immerses, and eliminates.”

  “I also bake cookies,” she added.

  Everyone was laughing. They were all game for more attacks when Sabu finally entered the room. By now it was early in the morning New York time.

  “I wake up to Storm packeting, and Kayla excited,” he said. “What you niggas been doing without me?” There was a pause. His tone was lighthearted, but the crew knew about his hot temper from the #HQ channel with Laurelai and about his general tendency to blow up at others who disagreed with him. His presence made some a little anxious. If this had been real life, everyone might have been glancing at one another or at the floor.

  “Owning 2600.net,” said Storm. “About it.”

  “Lol, they’re going to end up losing some servers,” said Sabu. “I want to own 2600 servers themselves.”

  “That would be awesome,” Topiary said.

  “Topiary my brother, how are you?” Sabu asked.

  “Good Sabu, what’s up?”

  “Nothing broscope. Just woke up, tired as balls.” Sabu took a break from the discussions, and people went back to planning ways to mess with Jester’s crew or configuring software tools and scripts for future hacks.

  Quickly the group was splitting into all manner of channels to find new leads for hacks or flush out spies. Hopping from channel to channel and network to network was no trouble for these guys, some of whom were used to jumping around twenty-five IRC networks at the same time.

  When 2600 came back online, Topiary, Joepie91, and others started hopping over to the network to spy on its participants before coming back to report new gossip. Rather brazenly, they then set up their own #LulzSec channel on the 2600 network. Pretty soon it was teeming with dozens, then more than a hundred people. It was impossible to tell at first who they all were, but enough observation showed they were a mixture of Anons, script kiddies, general fans who had heard about LulzSec from media reports, and white hat hackers. Over time the LulzSec crew came to believe that around half the makeup of that channel, which anyone could access, was a mixture of spies from enemy groups like Jester’s and Feds. In their new, public #LulzSec chat room on 2600, the crew were disguised by their maritime-related names: Whirlpool for Topiary, Kraken for Kayla, and Seabed for Sabu.

  As Sabu observed these developments, he grew concerned that the crew was getting too excited about having fun on the 2600 network—a place they had attacked but where they had also set up their own public meeting room. It was impossible to distinguish the real fans from the spies who wanted to manipulate the crew for information and access. At one point it looked like Kayla had gone back into Santa Claus mode and offered some stolen voucher codes from Amazon to someone outside the crew. When Sabu found out about the conversation, Kayla explained that she had merely given someone a few of the coupons so they could be tested and eventually sold on the black market. Sabu, who was already wary of Kayla’s connection to Laurelai, was perturbed.

  “Ok guys,” he suddenly said. “I don’t have to say this more than once I hope. But people on 2600 are not your friends. 95% are there to social engineer you. To analyze how you talk and make connections. Don’t go off and befriend any of them.”

  He didn’t mind that the reprimand pierced the lighthearted atmosphere. Four other secondary-crew members quickly insisted that they were being careful about hiding their identities, doing so by speaking in broken English so they would appear to be foreign. But Sabu added that if anyone gave them private info, they should log it and show it to the team. If they were sent a link, look at it from a secure connection.

  “Be smart about shit,” he concluded. “If any of you get owned, I’ll LOL.”

  Kayla then piped up, as if she wanted to show the others that she was on the same page with Sabu. “Another protip,” she said. “Even if you are American, don’t spell it ‘color,’ use ‘colour,’ which is wider used around the world. Just saying ‘color’ means you are American.”

  Sabu didn’t seem to be listening and gave Kayla a new order. He wanted her to change the topic of the public #LulzSec chat room to say that anyone with 0days and leaks should message her new pseudonym in the channel.

  “Make sure we take advantage of that,” he said. “See what niggers got access to.” Kayla signed out. Sabu enjoyed the banter that took place in #pure-elite between the organizational talk, but he was constantly reminding the group to stay focused on finding new exploits and keeping the group as tight-knit as possible. It made for a tense atmosphere, but it was necessary. The team’s profile was rising faster than they had ever expected. Googling the name LulzSec on June 1 had yielded twenty-five thousand mentions on the Internet. In less than twenty-four hours, that number had risen to two hundred thousand.

  Chapter 20

  More Sony, More Hackers

  By the first of June, the LulzSec team and its associates had gathered a long list of vulnerabilities found by team members like Kayla, Pwnsauce, and Sabu. None were stored on an official group document since that was too risky—instead, whoever found a vulnerability kept it on his or her own computer and shared it with the group when needed. Here LulzSec was setting itself apart from Anonymous, not just because it was picking media companies but because of its focus on stealing data. HBGary had shown that stealing and selectively leaking data could be far more damaging—and “lulz-worthy” with all the attention it was getting—than a straightforward DDoS attack.

  When the team found a vulnerability, the hope was that it would lead to critical secret data they could publish. Often following up a lead would happen spontaneously. Kayla had found the PBS security hole earlier in May, but the group had only followed it up because of the WikiSecrets documentary. Finding the security hole was one thing, but exploiting it took more work, and they would have to have a good reason to turn it into an operation. With one vulnerability they had recently found, though, the target company itself was reason enough.

  Sony’s lawsuit against George Hotz in April, the resultant DDoS attack from Anonymous, and the devastating data theft by a small group of black hat hackers had snowballed into a new craze among hackers to hit Sony in any way possible. It meant that Sony had become something of a piñata for hackers. Partly the black hats found it funny to keep hitting the company over and over, and partly they believed Sony deserved it for waiting two weeks after the original data breach had been discovered before reporting it.

  The PBS heist was finished, and the 2600 network was still smoldering from the attack, but Sabu and Topiary were now knee-deep in organizing data stolen from Sony’s servers: hundreds of thousands of users, administrators, internal upcoming albums releases from Sony, along with 3.5 million music coupons. Three weeks prior, the group had been poking around looking for vulnerabilities in Sony websites, finding and publishing the security vulnerabilities in the website of Sony Japan but also looking at Sony’s Hong Kong site and others. Whenever someone found a vulnerability, he would paste the web address in his private chat room, and someone else would go into the source code to see how it could be exploited. There was no order to this; people simply contributed when they were around.

  Just for the heck of it, Sabu checked SonyPictures.com, the main website for Sony’s $7.2 billion film and television franchise. To his astonishment, there was a gaping hole in the innocuous Ghostbusters page that left the network wide open, once again, to a simple SQL injection attack.

  “Hey guys, we need to dump all this now,” he said excitedly. He rushed to map out the area and gather everyone together so they could start taking different sections. “We’ve owned something big here. Sony are going to crash and burn.”

  When the group entered the network they found a massive vault of information. It took a while to make sense of the data, but soon they had found a database with two hundred thousand users.

  More shocking was that all of the data, including passwords, were stored in plaintext. The only encrypted passwords were those of server admins, and the team managed to crack those anyway.

  It was a damning indictment of Sony’s security, just weeks after the big PlayStation Network data breach. Small schools and charities had better database encryption than Sony. In fact, by this time, rumor had it that the PlayStation Network had been hacked because a disgruntled employee at Sony had given hackers an exploit; the breach had occurred two weeks after Sony had fired several employees responsible for network security. Rumor also had it that those hackers had sold the database of more than a hundred million users for $200,000.

  Kayla stumbled upon another Sony database that looked exploitable but did not bother to look inside. As per the usual custom, she pasted its location into the chat room for someone else to scan. When Topiary finally opened the database, he found a table with rows and rows of names and numbers that seemed to go on forever. Looking around he finally noticed a counter at the top with the number 3.5 million. It looked like coupons of some sort. It felt like getting an exceptionally good Christmas present.

  “Sabu, this one is pretty massive,” Topiary called. Sabu came over and proceeded to poke around the new, massive database before coordinating the team’s gathering of it all.

  “Wave bye-bye to Sony,” one of the team remarked.

  “Kayla can you take users?” Sabu asked. He assigned one person to take care of the music codes, another the 3.5 million coupons, and Sabu himself took the admin tables. There were four core members and two other secondary-crew members helping out.

  This was the kind of labor that would have put off a single hacker toiling alone. It involved downloading reams of data, sometimes manually. The work was monotonous and could take days. But as a group effort, the whole process suddenly became faster and more compelling, the team members motivated by the fact that this was a target they were about to publicly embarrass. The tasks of compiling the databases—one of 75,000, one of 200,000—took each person between a day and several days to complete, depending on how detailed the information he or she was dealing with was. Each member then set up a computer to download each database. The files were so big that it would take three weeks to download them, typically in the background of whatever else was being done online.

  The team eventually decided they wouldn’t keep any of the coupons—they had tried taking them and got to only 125,000 when they realized the downloads were happening at the glacial rate of one coupon a second; all told the whole thing would take several more weeks. They didn’t have the time or resources to cope with such a huge download. Instead, they took a sample of this and a sample of that to demonstrate that they had gained access. They would also publish the exact location of the server vulnerability in the Sony Pictures site that led to the data (the Ghostbusters page) so that anyone who wanted could dive in to loot the bounty before Sony’s IT admins patched the hole.

  Sabu gathered all the data together, and Topiary dressed the numbers and passwords up to make everything look palatable to a mass audience. “We have a lot of different files for various Sony sites,” he explained. “Press—less smart press—will get confused. Gotta have a summary document.” He would publish several documents revealing the heist in one big folder. He created a file called For Journalists that explained what they had found, using words that would grab headlines, such as compromised instead of stolen.

  Topiary had been up since six o’clock that morning to keep up with Sabu’s time zone, but he wasn’t feeling tired. On Twitter he was counting down to their official release time, building anticipation among followers and the media. Gawker’s Adrian Chen quickly posted a story headlined “World’s Most Publicity Hungry Hackers Tease Impending Sony Leak.”

  Topiary had gone through the Sony Pictures database looking for anyone with a .gov or .mil e-mail address. He found a few and started posting their names and passwords on Twitter. Then at 5:00 p.m. eastern time on the same day that Sony finally restored its PlayStation Network, Topiary published everything.

  “Greetings folks. We’re LulzSec, and welcome to Sownage,” he said in the introduction. “Enclosed you will find various collections of data stolen from internal Sony networks and websites, all of which we accessed easily and without the need for outside support or money.” LulzSec was kicking Sony just as it was getting back up.

  Thirty-eight minutes after the release, Aaron Barr tweeted that LulzSec had released stolen Sony data. “The amount of user data appears significant.” In forty-five minutes fifteen thousand people had looked at the message, a rate of eighteen people a second, and two thousand had downloaded the package of Sony data from file-sharing website MediaFire.

 
