U.S. News

06.06.14

How an FBI Informant Orchestrated LulzSec’s Hacking Spree

Newly revealed chat logs may corroborate an imprisoned hacker’s story: An informant facilitated Anonymous’ attacks on Stratfor and hundreds of foreign websites.

When the hacktivist Jeremy Hammond was sentenced last year after a string of high-profile computer crimes, he left the court with a clear message: This isn't over.

Hammond, 29 years old, had pleaded guilty for his role in the now-infamous 2011 “LulzXmas” hack of Stratfor Global Intelligence Service, a U.S. security contractor whose clients included employees of defense contractors, NATO, and the National Security Agency, among others. The breach resulted in the leak of millions of internal emails, revealing surveillance of peaceful political activist groups, as well as the theft of around 60,000 credit cards belonging to the firm’s customers. Unbeknownst to Hammond at the time, the hacker directing and instigating this and many other attacks—Hector Xavier Monsegur, aka “Sabu”—was actually an FBI informant.

In his final comments in court, Hammond said the Anonymous kingpin-turned-snitch had orchestrated the infiltration of Stratfor, as well as attacks on government websites belonging to Turkey, Syria, Brazil, Iran, Pakistan, and dozens more. The FBI sting not only caught Hammond, but duped him into depositing data stolen from foreign governments directly into a server controlled by the FBI. “The government celebrates my conviction and imprisonment, hoping that it will close the door on the full story,” Hammond told the court last November. “I took responsibility for my actions by pleading guilty, but when will the government be made to answer for its crimes?”

That question is being raised again in light of previously unseen chat logs uncovered by Motherboard and the Daily Dot. The chats corroborate Hammond’s version of the events, as well as the statements of another mysterious hacker who was instrumental to the breach. It shows that the FBI, contrary to its previous statements, was fully aware when hackers first got access to Stratfor’s systems, and stood idly by as they wreaked havoc on various targets for the next several months.

According to the newly revealed chat logs, on Dec. 4, 2011, a hacker using the handle “Hyrriiya” first told Monsegur, then a respected leader figure within the Anonymous offshoot LulzSec, about a vulnerability granting access to some of Stratfor’s databases. “That’s perfect for #antisec,” responded Monsegur, referring to the “AntiSec” hacking group he had set up within Anonymous after becoming an FBI informant. Monsegur then gave the access to Hammond, along with an unsolicited sample of credit-card information from Stratfor’s database. A week later, Hammond had unlocked the rest of Stratfor’s network, eventually culminating in the LulzXmas hack on Dec. 24 in which tens of thousands of credit-card numbers were stolen and used to make fraudulent charges to various charities and nonprofits.

“Hit these bitches for our Brazilian squad,” Monsegur instructed Hammond in a private chat on Jan. 23, 2012, with the FBI watching.

More than a month later, on Jan. 11, 2012, Stratfor Chairman George Friedman issued a statement saying that the FBI had told them about the breach in “early December,” and had specifically asked them not to inform their customers. The company complied after the FBI said it had notified the credit-card companies of the initial breach.

Since he was arrested on June 6, 2011, Monsegur’s every move was being monitored by law enforcement, through both software installed on a replacement laptop to record his keystrokes and track his online activity as well as “video surveillance in the defendant’s residence,” according to U.S. Attorney James Pastore. And yet, despite having a front-row seat inside LulzSec’s base of operations, it seems the FBI simply watched as the hackers launched their Christmas Day attack, which resulted in a thorough digital ransacking and defacement of Stratfor’s databases and website. Stratfor calculated the subsequent damage at approximately $3.78 million, and reportedly settled a $1.75 million class-action lawsuit with affected customers in 2012.

“[The FBI] could’ve stopped me,” Hammond told the Daily Dot during a prison interview last month. “They knew about it. They could’ve stopped dozens of sites I was breaking into.”

In addition to Stratfor, those attacks compromised hundreds of online domains belonging to various foreign governments in early 2012, including a rash of attacks in Brazil. Armed with knowledge of a powerful “zero-day” vulnerability affecting the popular Plesk Web hosting platform, Hammond and other hackers were fed lists of vulnerable websites to break into by Monsegur, who frequently and generously redistributed the backdoor access details for fully hacked sites to different hacker groups.

“Hit these bitches for our Brazilian squad,” Monsegur instructed Hammond in a private chat on Jan. 23, 2012, with the FBI watching. According to the logs, later that same day, Monsegur returned with a “big target” for Hammond, which turned out to be a server used by Globo, the biggest media company in Brazil. But it wasn’t until months later, after Hammond was arrested and Monsegur was revealed as an informant, that Globo’s site was compromised.

It remains unclear to what extent the FBI directed Monsegur’s actions while he facilitated these attacks, because the Confidential Human Source (CHS) reports and other documentation detailing his interactions with FBI handlers remain under seal. But Pastore, the U.S. Attorney, has stated that Monsegur regularly debriefed members of law enforcement after talking with the hacktivists, describing “exactly who each of those individuals were, what he knew about them, and how they fit into the overall picture of LulzSec and the other cybercrimes that he provided information about.”

In the end, Hammond received the maximum 10-year sentence for his digital intrusions, which were harshly characterized by Judge Loretta Preska as acts motivated by a desire to cause “mayhem.” Meanwhile, Monsegur, who originally faced up to 122 years in prison, was released with time served last week after spending only seven months in custody. Preska repeatedly praised his decision to “turn on a dime” and work “around the clock,” providing the FBI with information on “targets of national and international interests.” Prosecutors claim that Monsegur helped prevent as many as 300 cyberattacks during his time as an informant.

The chat logs, however, seem to tell a different story: one of an FBI informant actively facilitating cyberattacks against governments and corporations, in hopes that it might result in a handful of convicted hackers. But if “damage” is the true metric of a hack, the significant collateral damage apparently caused by the FBI’s operation raises more urgent questions of just how far law enforcement should go to crack down on cybercrime.