We Are Anonymous: Inside the Hacker World of LulzSec, Anonymous, and the Global Cyber Insurgency
Kayla was just as concerned. “I’m gonna turn the Internet upside down if I find out Sabu’s been hit,” she told Topiary.
Still, the team was in a catch-22. If Sabu had been caught and forced to divulge information, then there was a large chance the Feds could monitor what they were doing. If they did nothing or fled, that would immediately implicate Sabu.
As evening fell, Topiary rang Sabu’s number again. Suddenly, someone picked up the phone. There was no voice. “Uh, who’s this?” Topiary asked.
“David Davidson.”
It was Sabu. Topiary let out a sigh of relief. Sabu sounded like he had a cold or had been crying. Sabu explained that his grandmother had died and that he had had to help with funeral arrangements. He then asked if the rest of the team was around and if Topiary could inform them that he was back. Topiary at first didn’t care that Sabu might have been lying—he was just glad to speak to him again. Not long after, Sabu changed his story and said that it had actually been the anniversary of his grandmother’s death. When they had first spoken, Sabu had probably changed his voice deliberately to make his story sound more genuine. By then, the FBI was logging everything that Sabu said online to LulzSec’s members, as well as everything he said on the phone to Topiary.
Sabu would end up being offline more than usual for the next few days as he began collaborating with the FBI, even working out of their office on a daily basis. Sabu occasionally kept his group abreast of other developments, but the still oblivious Topiary took more responsibility for the team.
As a precaution, Topiary deleted more files, then he redid all his passwords and encryptions to make them ultra-protected. He kept all passwords in a file on an encrypted SD card, with one character in each swapped around. Only he knew which characters were swapped. Still, he couldn’t help constantly looking outside his window and jumping whenever a van drove past. For the first time, he started seriously wondering if a couple of men in police uniforms would splinter his door at dawn the next morning.
A few days earlier when he had been out to buy some food, one of the local druggies had approached Topiary on his way home. “Hey,” the man had said, waving as Topiary took out his earbuds.
“There were some police knocking on your door the other day,” the man said in a thick Scottish accent. Topiary’s heart had started to pound.
“Really. What did they do?”
“They drove by in their car. Then a couple of them came out and knocked on your door, but there was no answer,” he said, shrugging. Topiary played it cool. The druggie might have been lying, but the police might also have stopped by while he was at his thinking spot, looking over the sea. And it was just as likely that they were doing a drug sweep of the area. Still, he resolved to wipe every shred of Topiary and Anonymous from his laptop, encrypt whatever he kept, and send it all to himself in an e-mail via Hushmail. Eventually he would wipe his laptop completely.
If the police came to his door, they’d find a clean house with one rarely used desktop computer and his innocuous-looking Dell laptop, a couple of extra monitors for watching films, and one phone line going over his living room with clips. None of the empty pizza boxes associated with basement-dwelling hackers. Any documents the police might find about Anonymous on either of his computers could be passed off as research Topiary was doing for a book. They’d find some pirated music and a handful of databases holding a few hundred thousand names and passwords he had acquired from acquaintances or from his own scanning for LulzSec. Topiary called it his personal collection. Sometimes he used it for his own attempts at doxing people, but for the most part it was just nice to have.
He tried not to think that his virtual private network provider, HideMyAss, would ever turn him in to the authorities. His logic was that if customers of HideMyAss ever found out the company had turned in one of its users, they’d leave in droves, and HideMyAss would go out of business. They would surely never give him up.
As Sabu remained offline on the pretext of dealing with family matters, a familiar face came back into the LulzSec fold: Ryan. It made little sense at first, considering Ryan’s temperamental behavior in the past and his cyber attacks on the LulzSec communication channels, but that was hacker life for you. Even the most explosive of disputes could be remedied when someone needed something. In this case Ryan needed some friends, and LulzSec could use Ryan’s mammoth botnet, which infected computers via a rogue Facebook app. Ryan was well connected in the underground hacker scene and served as an administrator of Pastebin, the text application tool that LulzSec used to publish all its leaks, and Encyclopedia Dramatica. Ryan was like the kid in school that people didn’t necessarily like but whom they were compelled to befriend because he had a brand-new Hummer and a house with a pool. Ryan wasn’t rich in real life, but online he seemed loaded; he had spent years building up an impressive array of assets, from servers to his botnet. His servers helped host Encyclopedia Dramatica, and after he had reconnected with a member of the LulzSec crew in the previous week, they also hosted LulzSec’s new IRC network, lulzco.org.
After Topiary first reconnected with Ryan on IRC, he wanted to hear what the new ally sounded like in voice to better suss him out, so the two became contacts on Skype. When Ryan’s voice came through, his English accent was so strong, he sounded almost Australian. Ryan spoke at a rapid-fire pace, openly bragging about his botnet, his hacking, and how he was making money on the underground; he littered his prose with swearwords then described at great length a farmhouse-bread ham sandwich his mother had once made him. Ryan seemed pretty unhinged and insecure, but Topiary’s opinion of him softened when he explained why he’d leaked hundreds of names from AnonOps months before. The network operators had been hassling him, and then someone else had gathered all the data and given it to him to leak. It was water under the bridge. Oh, he added, and that dox of his full name, address, and phone number that had been posted online? That was based on fake information he had created four years ago. Ryan assured Topiary that he had made the false documents and spread them everywhere so that his real information would remain hidden.
Topiary figured he could tell when someone was bullshitting, especially when it was in voice. Ryan, he believed, was genuine. In fact, Topiary started to feel sorry for the guy. People on AnonOps had accused Ryan of being a perpetually angry cretin who logged and attacked everything. But he wasn’t really angry; he was just passionate. Perhaps he came across as rude, but he worked hard and got into things, Topiary thought. With Sabu gone, Topiary missed having someone passionate and a little crazy to talk to, to counteract his laid-back personality.
Ryan promised not to log any of the chats, and said he would give the LulzSec crew complete control over his logging ability. He also said the team could use his botnet any time they wanted. He had used it in the past to prank DDoS sites of the U.S. Air Force and then call them afterward to mock them. He could also make hundreds of dollars a day by subletting the botnet to others who wanted to use it for nefarious purposes like extortion and hacker skirmishes. But LulzSec could use it for free. This was like fresh meat to a ravenous dog: with Ryan’s botnet, LulzSec could bring down almost any website it wanted at the drop of a hat.
During one of Sabu’s occasional drop-ins on IRC, he mentioned to Topiary that he did not like having Ryan as a supporter. LulzSec was making too many contacts, he added. (It is unclear if this was the case, or why that might have concerned him now that he had started working as an FBI informant.) Topiary argued back that Sabu himself had been inviting his trusted associates into #pure-elite, including log leaker M_nerva. Topiary won the argument, and Ryan stayed. With Sabu mostly away now, Topiary was enjoying the funnier side of what LulzSec could do with its growing stable of Twitter followers. After he released the administrative passwords of fifty-five porn sites and twenty-six thousand porn passwords, he got replies from people on Twitter saying they had used the data dump to hack into other people’s e-mails or, in one case, find out a guy was “cheating on his girlfriend.”
Topiary realized he could start making things more interactive. He could send a hundred thousand people to a YouTube video and grant the account holder a huge increase in views, or he could send the horde to crash a small website or IRC network. LulzSec’s attacks would become a lot more fun. He and Ryan started talking and doing some prank calls on Skype with some of Ryan’s friends as an audience. Then Ryan set them up with a joint Skype Unlimited account so they could call anywhere in the world, dropping eighty dollars in credit without blinking an eye.
Topiary had an idea. Instead of making prank calls, what if they got LulzSec’s Twitter followers to call them? Topiary suggested setting up a Google Voice number so that anyone in the world could call LulzSec (or at least himself). He wanted the number to spell out the group’s name, as in 1-800-LULZSEC, but he couldn’t find an area code where the number would work. Eager to prove himself, Ryan spent hours going through every possible U.S. number till he found that 614, the area code for Columbus, Ohio, was available with the corresponding digits. They now had a telephone hotline: 1-614-LULZSEC.
It was a free Google number that directed to their new Skype Unlimited-World-Extra number that in turn could bypass to two other potential numbers registered to fake IP addresses. The pair created two voice-mail messages, using voice alteration and over-the-top French accents for the fictional names Pierre Dubois and Francois Deluxe, saying they couldn’t come to the phone because “We are busy raping your Internets.”
Once Topiary announced the hotline on LulzSec’s public chat room, they got several calls a minute; they answered a few and joked with their callers. Without giving any hints, Topiary stated there would be a $1,000 prize for anyone who called in with the magic word—lemonade—but nobody guessed correctly, and around forty people thought it was please. At the end of the day they’d received 450 calls.
In between fielding calls, Topiary wrote up an announcement of the group’s latest drop: a directory listing of every single file on the U.S. Senate’s web server, which had come to them thanks to another black hat. This was a serious attack that could earn someone five to twenty years in prison, but Topiary was mostly eager to get back to his LulzSec hotline.
“This is a small, just-for-kicks release of some internal data from Senate.gov,” Topiary had written. “Is this an act of war, gentlemen? Problem?”
Along with that release was a dump of the source code and database passwords of the gaming company Bethesda—a topic totally unrelated to the Senate, just one of the leaks they were sitting on. They also had a database of two hundred thousand users stored on the servers of gaming company Brink, but they wouldn’t release that because “We actually like this company and would like for them to speed up the production of Skyrim. You’re welcome!” At the top of each release was now a short list of contact and donation details for LulzSec, including the telephone hotline and the IRC chat room.
“It is unclear why LulzSec decided to attempt to embarrass yet another video game company other than to show off,” said Naked Security journalist Chester Wisniewski. “It is difficult to explain random acts of sabotage and defacement, so I am not going to attempt to get into the heads of those behind these attacks.” Yet this was not a matter of motivation, but of circumstance. Back when Kayla had used her botnet to scan the Web for vulnerabilities, hooking it up to an IRC channel and using basic chat commands to run it, she had stumbled on a vulnerability in the network of Bethesda that had given her access to its servers. Since the company was so big, the team chose not to root around for databases right away, using Bethesda’s bandwidth to help search for other sites to hack into and using it as a safe location to hide bots. The gaming company had no idea it was effectively being used to hack other sites. When the servers outlived their usefulness, it was time to dump the data stored on them.
Now the hacks were about to get even more arbitrary. Knowing that Ryan’s botnet could take out anything, Topiary announced the LulzSec hotline on Twitter and told the public: “Pick a target and we’ll obliterate it.” The hotline was suddenly inundated with calls, and the three people that initially got through all requested gaming companies: Eve, Minecraft, and League of Legends.
Within minutes, Ryan’s botnet had hit all three, as well as a site called FinFisher.com, “because apparently they sell monitoring software to the government or some shit like that.” DDoSing sites like this was nothing new, and neither was one or two hours of downtime, but it was the first time anyone had boasted about it to a hundred fifty thousand Twitter followers or referred to it as a DDoS party called Titanic Takeover Tuesday.
“If you’re mad about Minecraft, we’d love to laugh at you over the phone,” Topiary announced. “Call 614-LULZSEC for your chance to reach Pierre Dubois!”
When Topiary started thinking about the Internet meme phrase “How do magnets work?” made famous by the hip-hop duo Insane Clown Posse, he called up the offices at Magnets.com. He asked the woman who answered that question and got a bemused response, hung up, then redirected the LulzSec hotline to the main switchboard of Magnets.com.
“Everyone call 614-LULZSEC for a fun surprise,” he tweeted. About three minutes later he called the number again and heard dozens of phones going off at the same time with answers of “This is Magnets.com…Uh…” He asked to speak to a manager. When a man’s voice came on, Topiary explained the reason for the flood of strange calls. To his credit, the manager took it in good humor.
“How did you do it?” he asked.
“We’re testing out our new Lulz Phone Cannon,” Topiary said. “How are you feeling?”
“I’m a little out of breath.” Magnets.com had been getting more than two hundred calls a minute to their customer support center.
“Okay, I’ll get it to stop,” Topiary said.
“Good, because I feel like I’m about to pass out.”
With a few clicks he stopped the hotline from redirecting, and he heard all the phones in the background suddenly go silent. It was like a DDoS attack by telephone. It made sense to keep this going. Soon he was redirecting the LulzSec hotline to the World of Warcraft online game, then to the main switchboard for FBI Detroit, and then, naturally, to the offices of HBGary Inc.
“You take care of the horde while we’re gone, AaronBarr,” Topiary tweeted to its former executive. “Thanks mate. Bye for now.” In the next twenty-four hours, in between his talking with the other LulzSec hackers and manning a Twitter feed, Topiary’s busy switchboard had received 3,500 missed calls and 1,500 voice mails; the following day, 5,000 missed calls and 2,500 voice mails.
Soon, though, Ryan started to get restless. He wanted to do more than just play around with hotline callers; he wanted to go back to hitting websites, bigger ones. He had a rapt audience now, and a gang of people who were willing to go after the big names under this banner of LulzSec, or Antisec, or Anonymous. Whatever. On his own initiative, he hooked up his botnet, then called up most of his bots and aimed at the main website of America’s Central Intelligence Agency. Then he fired.
Within a few minutes, CIA.gov had gone down.
“CIA ovened,” Ryan said on Skype before beginning a monologue about how he disliked the United States. Topiary was stunned. He visited the CIA’s main site and saw it really was down. He couldn’t help feeling a little uncomfortable. This was big. But he couldn’t leave it unannounced. Through Twitter he said, almost quietly:
“Tango down—cia.gov—for the lulz.”
News outlets on television, print, and the Web instantly took notice and published screaming headlines that LulzSec had just hit the CIA. A few said, incorrectly, that the CIA had been “hacked.” LulzSec was clearly provoking the authorities now, almost inviting them to come and arrest the group.
At around the same time Aaron Barr came onto Twitter to send a new, public message to HBGary Inc.’s chief, Greg Hoglund. “Damn good to see you,” Barr said. “Let’s grab some popcorn. I feel a show coming.” Topiary saw the remark, and it seemed out of the blue.
“Hello Aaron,” Hoglund replied in his first-ever tweet, which he also directed to LulzSec. “I created my Twitter account because I wanted a ringside seat for what is about to go down.” Topiary’s gut feeling was to be skeptical of the veiled threat—he was getting them almost every day now—and he responded with sarcasm.
“What does kibafo33 mean?” he asked Barr on Twitter. “Is it a Turkish/Portuguese combination of ‘that’ and ‘breath?’ Are you a 33rd degree Freemason also?”
Besides, Topiary had other, bigger distractions. About three hundred miles away in London, WikiLeaks founder Julian Assange had heard about LulzSec’s takedown of the CIA website, and he was chuckling to himself.
For Assange, a simple DDoS attack on CIA.gov was some much-needed comic relief. Since Anonymous had leaped to his defense in December, he had spent the last few months fighting the threat of extradition to the United States and accusations of treason over WikiLeaks’s release of diplomatic cables. Swedish authorities had doubled his problems by charging him with attempted rape, which meant he was now fighting extradition to Sweden too. In the meantime, he was staying in the countryside manor of an English journalist, wearing an electronic tag, and trying to keep up with developments in the world of cyber security. It had been hard not to notice LulzSec. On the one hand, the group looked like fearless comedians. On the other, it clearly had skilled hackers on the team.
Impressed and perhaps unable to help himself, Assange had opened the main WikiLeaks Twitter account and posted to its nearly one million followers: “WikiLeaks supporters, LulzSec, take down CIA…who has a task force into WikiLeaks,” adding: “CIA finally learns the real meaning of WTF.” Soon after a few news agencies and websites reported that WikiLeaks was supporting LulzSec, he deleted the first tweet. He didn’t want to be publicly associated with what were clearly black hat hackers. Instead, he decided it was time to quietly reach out to the audacious new group that was grabbing the spotlight. On June 16, the day after Ryan set his botnet on CIA.gov, an associate of WikiLeaks contacted Topiary.