by Parmy Olson
This was how it often went. The promise of leaks and exploits would come from gray and black hat hackers or anyone who had something worth offering. Often the data wasn’t as exciting as originally promised, but in the end, the team used the source code that the ex–Sony developer had passed them. And over time they stopped being surprised that so many outside people wanted to pass them vulnerabilities to exploit—it seemed like everyone in the IT security field, itself a medley of white hats with a darker past, was talking about LulzSec. A few secretly wished they could be a part of the fun.
One hacker had a particularly unusual way of demanding to be let in. One afternoon, the LulzSec crew found themselves getting individually kicked out of the public LulzSec chat room.
“Wow, bro,” Storm suddenly said on #pure-elite. “People are trying to down our ops.” Someone was flooding each LulzSec crew member with junk packets and knocking them off the IRC channel one by one. It wasn’t affecting their own computers, but the virtual machines or virtual private networks they were using to hide their true locations were getting hit. DDoSing someone’s IP could make him disappear from the Internet for a while, but if you did it enough he’d be booted from his hosting service altogether.
“We gotta get off that server,” said a second-tier member called Recursion.
“We’re getting hit,” cried Neuron. There was a general hubbub among the secondary crew as they floundered over a response to the attack.
Sabu almost rolled his eyes. “Neuron, so sign off? Look guys.” No one was listening.
“The whole room is hit,” Storm exclaimed. “He’s hitting random people.” It seemed a lone mercenary who went by the nickname Xxxx was trying to disrupt LulzSec’s attempts to meet with its fans.
Then Joepie received a private message: “Hi Kayla or Sabu or Tflow.” It had come from Xxxx. Joepie ran a search on the user’s IP and realized it was Ryan, the botnet-wielding temperamental operator from AnonOps.
Neuron received the same private message, then others in the secondary crew did too.
“Everybody shut the fuck up,” Sabu said. People were still talking excitedly. “EVERYONE. SHUT THE FUCK UP.” That seemed to get their attention.
“Relax,” he continued. “As for Ryan, ignore him. He doesn’t know it’s us. Jesus.”
“Relax,” said Joepie, adding a smiley face.
“Ryan, huh?” said Topiary.
“The situation is getting horribly stressing,” said Trollpoll.
“I know, Jesus,” said Sabu. “Look. From now on, no one goes on 2600 unless you prep yourself for the social engineering.”
Everyone was listening now. “If you don’t know how to social engineer do not get on 2600,” he said. “If you do not have a DDoS protected IP, do not get on 2600. That’s it.”
“Aye,” said Neuron.
“Exactly,” said Storm.
“Aye-aye, Storm,” said Recursion. “Err, Sabu. I meant to say aye-aye Sabu, not Storm.”
“Ok,” said Sabu. “Sony was leaked. We got bigger projects.” He pointed to Neuron’s work on the new Sony development source code. “How about those who are not too busy work on auditing that source code.” Everyone got back to work.
Chapter 21
Stress and Betrayal
As LulzSec’s targets got bigger, Kayla started drifting away a little from operations, more interested in taking revenge on enemies like Jester and Backtrace. She had always been a free spirit, loyal to her friends but never aligning herself too closely with any particular cause for too long. Sometimes, she just got bored. She also wasn’t as interested in reviving the Antisec movement as Sabu or Topiary. Instead, she started developing an elaborate plan to creep into the #Jester chat room as a spy, embed herself, then infect the computers of its members with a key-logger program so that she could monitor their keystrokes, learn a few key passwords, and take them over. It was called a drive-by attack, and while in this case it was an elaborate operation, typically the attack was just a matter of enticing someone to visit a website that silently installed malware on their system. It meant she was now spending just a couple of hours a day chatting with the crew before disappearing for a day or more.
In the meantime there was some surprising news coming from the United States. The Pentagon had announced that cyber attacks from another country could constitute an act of war and that the U.S. could respond with traditional military force. Almost at the same time, a draft report from NATO claimed that Anonymous was becoming “more and more sophisticated” and “could potentially hack into sensitive government, military and corporate files.” It went on to say that Anonymous had demonstrated its ability to do just that by hacking HBGary Federal. Ironically, it stated that the hackers had hit Barr’s company and hijacked his Twitter account “in response” to Bank of America hiring the security company to attack adversaries like WikiLeaks. Even NATO seemed to be inflating the abilities of Anonymous, seeing reason and connections where there were coincidences. The hackers hadn’t known about Barr’s plans with WikiLeaks until after they had attacked him. Even so, the news got everyone’s attention.
“Did you read the NATO doc about anonymous?” asked Trollpoll in the #pure-elite hub. Trollpoll did not sound like he was from the United States, though it was impossible to be sure of anyone there. “They will put tanks on our houses?”
“Obama will be like ‘Lol you just DDoS my server?’” said Kayla, “‘Nuke.’”
With the world’s attention now moving to LulzSec and the fighting words from the U.S. administration, it seemed as good a time as any to drop the FBI affiliate Atlanta Infragard. They’d had the site under their control for months and felt they now had enough on white hat Hijazi to expose him at the same time. This would bring more heat than ever on LulzSec, but the group was on a roll and felt safe.
LulzSec’s founding team members would carry out the final Infragard swoop. As they got ready to deface the site, Sabu entered the shell, the administrative page he had set up called xOOPSmaster, opened his terminal program so he could start playing with the source code, and, on a seeming whim, typed rm -rf /*. It was a short, simple-looking command with a notorious reputation: run with enough privileges, it recursively and forcibly deletes every file on the system it can reach. There was no window popping up to ask Are you sure? It just happened. Web trolls famously got their victims to type it in or to delete the crucial System32 folder in Windows.
“Oops,” Sabu told the others. “Just deleted everything. rm -rf /*.” Kayla made the face-palm gesture, and everyone moved on. On top of everything they had already done, deleting the Infragard website contents didn’t seem like a big deal. They then used the /xOOPS.php shell to upload a giant image and title onto the Infragard home page—their deface. It was no serious admonishment of the FBI but another prank aimed at Jester’s crew. The team had replaced the Atlanta Infragard home page with a YouTube video of an Eastern European TV reporter interviewing an impeccably drunk man at a disco. Someone had added subtitles spoofing him as a wannabe hacker from 2600 who didn’t understand what LulzSec was doing. Above the video was the title “LET IT FLOW YOU STUPID FBI BATTLESHIPS,” in a window captioned “NATO—National Agency of Tiny Origamis LOL.”
Topiary’s official statement was a little more serious—but not much. When everyone was ready, he hit publish.
“It has come to our unfortunate attention that NATO and our good friend Barrack Osama-Llama 24th-century Obama have recently upped the stakes with regard to hacking,” Topiary had written in their official statement. “They now treat hacking as an act of war. So, we just hacked an FBI affiliated website (Infragard, specifically the Atlanta chapter) and leaked its user base. We also took complete control over the site and defaced it.” Of course, LulzSec had not hacked Infragard in the past day or two or in response to the Pentagon’s announcement, but news outlets reported the attack as a “response.”
Infragard’s web contents had been deleted, the site defaced, and details of 180 people in its user base had been published on the Web, along with their passwords in plaintext, their real names, and their e-mail addresses. Topiary had signed off the missive, declaring, “Now we are all sons of bitches.”
Since Topiary had been reminding the world for the past day on Twitter that an FBI hack was imminent, mainstream news agencies jumped into the story, leading a whole new stream of people to follow the group on Twitter. Their website had now received more than 1.5 million views. Despite the damage LulzSec had done to the 2600 network, the actual magazine 2600 sounded impressed. “Hacked websites, corporate infiltration/scandal, IRC wars, new hacker groups making global headlines,” its official Twitter feed stated, “the 1990s are back!”
Television news stations were racing to find security experts who could explain what was going on and offer some lucid opinions. “We are facing a very innovative crime, and innovation has to be the response,” said Gordon Snow, the assistant director of the FBI’s cyber division in an interview with Bloomberg right after the Infragard attack. “Given enough money, time and resources, an adversary will be able to access any system.”
Yet LulzSec’s hack into Infragard had not cost that much in terms of “money, time and resources.” All told, the operation had cost $0, had been carried out with the relatively simple method of SQL injection, and was made worse because an admin had reused a password, “st33r!NG,” which, once cracked from the dumped database, also gave administrative access to the Infragard site itself. As for time, it had taken the team thirty minutes to crack the admin’s password and twenty-five minutes to download the database of users. Within two hours, the LulzSec team had complete administrative access to an FBI-affiliated site, and for several weeks no one from the FBI had had a clue.
Of course, along with the Infragard drop had been LulzSec’s condemnation of Hijazi. The team had kept some of their chat logs with the white hat and published them online as evidence that he was corrupt. And while the group members had told Hijazi that they wouldn’t release his e-mails, they published them too.
“We have uncovered an operation orchestrated by Unveillance and others to control and assess Libyan cyberspace through malicious means,” Topiary announced, meaning by assess that Unveillance wanted to spy on Libyan Internet users.
“We leaked Karim because we had enough proof that he was willing to hire us as hitmen,” Topiary added on Twitter. “Not a very ethical thing to do, huh Mr. Whitehat?”
Hijazi also released a statement immediately after, explaining that he had “refused to pay off LulzSec” or supply them with his research on botnets. Topiary shot back with a second official statement saying that they had never intended to go through with the extortion, only to pressure Hijazi to the point where he would be willing to pay for the hackers’ silence and then expose him publicly. It was a war of words built on the gooey foundations of lies and social engineering.
Topiary still called on journalists and other writers to “delve through” Hijazi’s e-mails carefully, hoping for the same kind of enthusiasm there had been around Aaron Barr’s e-mail hoard. But there was none. For a start, Hijazi just didn’t have enough dirty laundry. More, the infamy of LulzSec was overshadowing any more sobering, sociopolitical points the group was dimly making with each attack—that it didn’t like Fox, or that WikiSecrets “sucked,” or that NATO was upping the stakes against hackers, or whatever Unveillance might have been doing in Libya. It was quite an array of targets; LulzSec seemed to be attacking anyone it could, because it could.
This was getting to some of the secondary-crew members. The hacker Recursion came into the #pure-elite room late on June 3 after watching the Infragard events unfold. He hadn’t taken part in the hack and was shocked when he read the news reports.
“Holy shit,” Recursion told the others. “What the fuck happened today?”
“A lot,” said Sabu, adding a smile. “Check Twitter.”
“LulzSec declared war on the U.S.?” Joepie offered sardonically.
“I caught the gist of it,” Recursion answered before seeming to trail off. He didn’t say anything more on the subject, but twenty minutes later, after presumably holding a private conversation with Sabu, he left the channel, for good.
Sabu was disappointed in anyone who bailed on him in battle. It felt disrespectful. But he moved on quickly to guide the remaining troops. Sabu came back to the room and addressed the handful of participants. “Well guys. Those of you that are still with us through this, maintain alert, make sure you’re behind VPNs no matter what. And don’t fear. We’re ok.”
“Sabu, did we lose people?” asked Neuron.
“Yeah.”
“Who?”
“Recursion and Devurandom quit respectfully,” he answered, “saying they are not up for the heat. You realize we smacked the FBI today. This means everyone in here must remain extremely secure.” It was a grave reminder of the potential charges LulzSec was racking up if its team members were to get caught.
A few of the members started describing how they were strengthening their security. Storm was getting a new netbook and completely wiping his old computer. Neuron was doing the same. He used a virtual private network called HideMyAss. This was a company based in the United Kingdom that Topiary used and had recommended.
“Did you wipe the PBS [chat] logs?” Storm asked Sabu.
“Yes. All PBS logs are clean.”
“Then I’m game for some more,” said Storm. Sabu typed out a smiley face.
“We’re good,” he said. “We got a good team here.”
Not everyone was good though, and not all logs were clean. The aloof LulzSec secondary-crew member known as M_nerva, the one who had said “good night” to the others just a few days before and not said too much else afterward, had just gathered together six days’ worth of chat logs from the #pure-elite channel and repeated Laurelai’s frantic act in February. He leaked it. On June 6, the full set of #pure-elite chat logs from Sabu’s private IRC server appeared on seclists.org, the security mailing-list archive. The leak revealed, embarrassingly, that not everyone in #pure-elite could be “100 percent trusted,” and that for all its bravado, LulzSec had weaknesses. The team jumped into action, knowing that they had to send a message that they did not accept snitches, even if M_nerva had allegedly been persuaded to leak the logs by another hacker, named Hann. They knew they could find out who M_nerva really was because among the other black hats supporting LulzSec was someone who had access to pretty much every AOL Instant Messenger account in existence. Since many people had set up an AIM account at one time or another, they only needed to cross-check the nickname and IP to come up with a real name and address. It turned out M_nerva was an eighteen-year-old from Hamilton, Ohio, named Marshall Webb. The crew decided to hold on to the information for now.
With Sabu’s trust betrayed, the older hacker was now more paranoid than before. Topiary felt vindicated. He had known that a leak could happen if Sabu kept inviting people into #pure-elite, and it did. But he didn’t push the point. When he brought it up with Sabu, the hacker brushed off the topic quickly. He had nothing to say about it. Instead, Sabu worked on making the wider group more secure by separating it into a tiered set of chat rooms. There was a core channel, which now had invited fifteen participants, and #pure-elite, then chat rooms called upper_deck, for the most trusted supporters, lower_deck, kitten_core, and family. Members could graduate up the tier system depending on how trustworthy they were. Neuron and Storm, for instance, eventually were invited into upper_deck, so that they could be phased into the main channel for LulzSec’s core six members: Sabu, Topiary, Kayla, Tflow, AVunit, and Pwnsauce.
The heat wasn’t coming only from the media attention; Topiary was seeing hackers with military IP addresses trying to compromise the LulzSec IRC network and users every day. Already, rumors were spreading that LulzSec had been founded by the same crew that had hit HBGary. Enemy hackers were posting documents filled with details they had dug up online about each member, much of it wrong but some of it hitting close to home. LulzSec’s members needed to switch their focus from finding targets to protecting themselves.
Kayla suggested a mass disinformation campaign. Her idea was to create a Pastebin document revealing that Adrian Lamo owned the domain LulzSec.com; then to add details of other Jesterfags and claim they were members of LulzSec; then to spam the document everywhere. It was a classic social-engineering tactic, and it sometimes worked.
“But saying more or less that LulzSec is CIA,” Trollpoll offered. It was outrageous, but some people would see sense in the idea that the CIA was using freelance hackers to hit Iran or Libya and would build their own conspiracy theories around it.
Topiary and Kayla wrote up a document titled “Criminals of LulzSec,” under the guise of a fictitious social engineer called Jux who claimed to have been invited into the group’s private channel, saying, “I believe they are being encouraged or hired by CIA.” In the document, Jux claimed Lamo was a key member of the group, along with a Pakistani hacker named Parr0t, a Frenchman named Stephen, and an unnamed hacker from the Netherlands. The document was viewed more than 40,000 times, retweeted by notorious hacker Kevin Mitnick, and mentioned in a few tech blogs as a rumor.
When Gawker’s Adrian Chen started reaching out to LulzSec via Twitter to try to investigate them, the crew, still bitter about his exposé on the #HQ log leak, decided to aim a separate misinformation campaign directly at him. They invited him into a neutral IRC channel, where Sabu posed as an ex–secondary-crew member of LulzSec who had run away and wanted to spill some secrets. The crew made their hoax on Chen especially elaborate, drawing up fake logs, fake web attacks on the fake persona’s school, and fake archives of data as proof for the journalist. Sabu then started feeding Chen a story that LulzSec was a tool of the Chinese government in a cyber war with the United States, that Kayla was working with Beijing, and that Topiary was funneling money from the Chinese government into the group.