
Anonymous hacker-turned-informant helps feds arrest five

One of the most visible members of Anonymous and LulzSec is a snitch.

His name is Hector Monsegur, a 28-year-old living in the housing projects on New York's Lower East Side. But to most people, he's Sabu, one of the major mouthpieces of the Anonymous movement who was responsible, according to authorities, for a number of high-profile hacks. 

But since he was arrested in early June, he has been working with the FBI to rat out his fellow Anons, all the while continuing to urge his Twitter supporters, as recently as last week, to infiltrate police and government agencies around the world.

"He was admired and disliked, just like any prominent figure in Anonymous," Barrett Brown, an unofficial spokesman with Anonymous and founder of the online activist group Project PM, told SCMagazine.com on Tuesday.

Monsegur pleaded guilty in August to 12 hacking charges, including his role in attacks on HBGary, Sony Pictures, Fox, InfraGard and PBS, in addition to government systems in Algeria, Yemen and Tunisia, according to a news release from the FBI and the U.S. attorney's office.

The federal complaint against Monsegur was unsealed on Tuesday. It details the alleged actions of Monsegur from December 2010, when he helped launch distributed denial-of-service attacks against companies, such as MasterCard, out of support for WikiLeaks, until June 7 of last year. When he was picked up by authorities, Monsegur was helping to lead LulzSec, a tight-knit but highly skilled offshoot of Anonymous.

Monsegur faces up to 124 1/2 years in prison, but will likely cut a deal that will result in far less time. According to the FBI, his statements helped law enforcement charge five other people on Monday with roles in hacks.

They were: Ryan Ackroyd (aka kayla), 23, of the U.K.; Darren Martyn (aka pwnsauce), 25, of Ireland; Donncha O'Cearrbhail (aka palladium), 19, of Ireland; and Jeremy Hammond (aka anarchaos), 27, of Chicago. In addition, Jake Davis (aka topiary), who was arrested in July for his alleged involvement with LulzSec, faces additional charges.

Two of the defendants were responsible for highly publicized recent attacks. Hammond helped break into the databases of global affairs firm Stratfor to steal millions of corporate emails, hundreds of thousands of records on clients and tens of thousands of credit card numbers, authorities said. Meanwhile, O'Cearrbhail is accused of hijacking the personal email account of an Irish police agent to retrieve information that enabled him to dial in to an FBI-Scotland Yard conference call and record it.

But while Tuesday's news sent shockwaves across the security industry and hacking community, Sabu's identity had been accurately doxed months earlier in a number of online posts.

There was also suspicion that he was working with authorities. In an exchange posted Aug. 16 to Pastebin, Sabu and a hacker using the alias "Virus" hold a lengthy online conversation. It gets heated at times.

At one point, Virus offers a prescient comment: "I'm absolutely positive you already got raided, and are setting your friends up and when they're [authorities] done draining you for information and arrests they'll sentence you..."

Brown, the Anonymous operative, said he recently worked with Monsegur in an IRC channel to dissect and analyze the Stratfor emails. He said he trusted Monsegur and now is "trying to assess what the deal is entirely."

On Tuesday morning, federal agents raided Brown's apartment in Dallas, as well as the home of his mother, where he was staying, he told SCMagazine.com. On Monday, he was tipped off about the raid, so he was able to secure his laptops before the authorities showed up.

Brown, one of the most visible faces of Anonymous who has described himself as a former member of the group, said this is the first time he has ever been contacted by law enforcement related to his association.

He said he doesn't anticipate any Anonymous-led intrusions coming to a halt.

"Stuff is going to keep happening and probably there will be reaction to this in particular, against the feds," Brown predicted.

Jeffrey Carr, founder and CEO of security firm Taia Global, who closely monitors the actions of Anonymous, agreed that little is likely to change as a result of the Sabu revelations. But the incident may force the loose-knit hacktivist collective to implement better internal security measures, so that members who are secretly serving as informants are not extended the same trust as everyone else.

"Anonymous has the same problem many corporations have," Carr told SCMagazine.com. "How to defend against the insider threat."

Mikko Hypponen, chief research officer of anti-virus firm F-Secure, said he interacted with Monsegur in 2005 when the hacker discovered a vulnerability in an F-Secure gateway product, which he responsibly disclosed. But Monsegur became upset when he didn't hear back from the company; as it turned out, he had been emailing an account that wasn't regularly monitored. The pair later squabbled over Twitter when Monsegur, who at that time was working with the FBI, accused F-Secure of supporting the controversial Stop Online Piracy Act (SOPA).

"This guy is really unpredictable," Hypponen said.

As for the future of Anonymous, Hypponen said he thinks the news may have a detrimental effect, at least in the short term.

"It will spread paranoia within the Anonymous movement," he said. "Now they will be thinking, 'Who else is snitching?' If you can't trust Sabu, who else can't you trust?"

Some of the more reliable Anonymous Twitter accounts took the news in stride.

"Don't you get it by now?" one tweeted. "Anonymous is an idea. Anonymous is a movement. It will keep growing, adapting and evolving, no matter what."
