On the wake of similar operations carried on by Hacktivists against Law Enforcement Agencies all over the World, the Italian Cell of the infamous collective Anonymous has decided to cross the line targeting the Italian Police with a clamorous Cyber Attack under the label of #Antisec movement.
On October, the 23rd, the Hactkivists have leaked more than 3500 private documents, claiming to own an additional huge amount of sensitive information such as lawful interception schemes, private files and e-mail accounts.
The Italian Police has indirectly confirmed the attack, downplaying its effects with a scant statement (in Italian) that (easily predictable) has raised a furious reaction by the Hacktivists. According to the above mentioned statement, no server was compromised, but the leaked data were just the consequence of several “illegitimate accesses” to private emails belonging to police officers (as to say that several compromised accounts are less severe than a hacked server).
Strictly speaking, this latest attack is not a surprise since in the past months, mainly after the infamous 50 days of Lulz of the LulzSec collective, Governments and Law Enforcement Agencies all over the world have become the preferred targets for Hacktivists under the Antisec shield. From a broader perspective this trend was apparently decreasing during 2012 because of several factors: the discovery of the double identity of Sabu (an hacktivist during the day and an FBI informant during the night), the arrest of W0rmer and ItsKahuna (two members of the CabinCr3w collective who left behind them a long trail of cyber-attacks against law enforcement agencies, and, last but not least, the arrest of the members of the Team Poison Collective.
Unfortunately This cyber-attack changes the rules and brings the things back in time to Summer 2011. It looks similar to LulzSec’s Operation Chinga La Migra, targeting Arizona Border Patrol, and to another (nearly contemporary) cyber attack that allowed LulzSecBrasil (??) to leak 8 Gb of data from the Brazilian Police.
Hopefully this cyber-attack will change the rules in Italy, it has dramatically demonstrated the real risk for public institutions and the need for a greater level of security. As a consequence it cannot be absolutely underestimated.
For a moment I was believing to have gone a couple of months back in time, with the calendar set in the first half of February when @ItsKahuna and @CabinCr3w put in place a long trail of attacks against Law Enforcement Agencies. (Un)Fortunately they left several cyber fingerprints in the crime scene which allowed the LEAs to take their revenge and stop the long line of attacks.
Today, nearly in contemporary, the IPA, International Police Association (ipa-iac.org) has been defaced “for the lulz” and the same fate, with more serious consequences, has happened to Lake County Sheriff’s Office (LCSO.org). In the latter circumstance it looks like the attackers were able to leak 40 Gigabytes of internal files.
Despite the number of attacks suffered (and the consequent arrests made) Law Enforcement Agencies continue to be vulnerable and, even worse, the techniques used and the exploited vulnerabilities are apparently always the same.
Last week, while browsing the 2012 Cyber Attacks Timeline, I could not help but notice the huge amount of cyber attacks that the collective @CabinCr3w did between January and February 2012 in the name of the so-called #OpPiggyBank. You will probably remember that most of those Cyber Attacks, made in combination with @ItsKahuna, were targeting Law Enforcement Agencies in support of the occupy movements. The crew was not new to such similar actions (for instance they doxed the Citigroup CEO in October 2011), in any case I was impressed by their sudden peak and by the equally sudden disappearance in the second half of February.
Few clicks on Google were enough for me to came across an article on Threatpost that I had missed a couple of days before.
On March 20 federal authorities had arrested Higinio Ochoa, AKA @Anonw0rmer, a resident of Texas accused of working for the hacking group CabinCr3w. He had been taken into custody by FBI agents and charged with unauthorized access to a protected computer in a criminal complaint dated March 15 whose Offense Description indicates an “Unauthorized Access to a protected computer” made on February 2012 in the County of Travis, District of Texas.
The rich Resumé of the @CabinCr3w, part of which is listed on the Criminal Complaint, includes 10 cyber attacks made between January and February 2012, in particular one against the Texas Police Association, on February the 1st 2012, and one against the Texas Department of Public Safety, on February, the 8th 2012. The latter, at least according to an alleged self-written memorial that W0rmer Higinio Ochoa allegedly posted on pastebin on Mar 30 2012, is maybe the one for which he was charged.
The list of the facts contained in the Criminal Complaint and how the FBI combined them to identify Higinio Ochoa and to join his real identity with the virtual identity of W0rmer, is a brilliant example of Open Source Intelligence clearly summarized in this article by ArsTechnica. Incredible to believe for a hacker, who should be supposed to clean each trace he leaves on the cyber space, is the fact that the main security concern for a mobile device, the geo-tagging feature, was one of the elements which led Investigators to Higinio Ochoa. By mining EXIF data contained in a photo on the web page left after the defacement of the Texas Department of Public Safety (showing a woman in a bikini with the sign: “PwNd by w0rmer & cabincr3w”), the Feds were able to collect the GPS data in the image, and to consequently identify it was taken with an iPhone 4 at a location in South VIC, Australia. By browsing the (inevitable) Ochoa’s Facebook Profile, the agents also learned that a girlfriend of him, Kylie Gardner, had graduated from a high school in Australia, the same country in which the first photo was shot.
Inevitably, this event has (too) many points in common with the affaire of Sabu, the alleged leader of the infamous LulzSec Collective, arrested by the Feds approximately a month before.
Both crews, LulzSec and CabinCr3w, targeted Law Enforcement Agencies, both crews met the same destiny: hit in the heart (or better to say in the head) by those same Law Enforcements they mocked so deeply during their days of lulz.
But the points in common do not end here… Sabu was discovered to act as an informant of FBI, and the above quoted pastebin suggests that W0rmer did the same prior of his arrest.
Were you ever approached to be a confidential informant? Of course I was! Some body such as myself who not only participated in the occupy movement but knew many and knew the inner workings of the “infamous” cabin crew would not be just put away without wondering if he could be turned. I did how ever tell FBI that I would participate in the capture of my fellow crew mates
Even if it is not clear if his cooperation was really genuine. As a matter of fact in the following sentence, he refers to his role as an informant as a “play” which created confusion on FBI:
a play which undoubtfully both satisfied and confused the FBI
Maybe this is the reason why the Twitter account of the CabinCr3w on April 3, tweeted:
(Curiously it looks like at 00:04 (UTC +1) this tweet has just disappeared)
In any case the court documents indicate that Ochoa first appeared in federal court for the Southern District of Texas on March 21, subsequently released on bail and forbidden to use a computer or smart phone, hence it is possible that the post on pastebin, which is dated March 31st, has not been written directly from his hand.
Last but not least there is a strange coincidence: W0rmer had a twitter account with the nick @AnonW0rmer who ceased to tweet on March, the 20th (@ItsKahuna ceased to tweet on March, the 23rd while @CabinCr3w is the only still active). Guess what is the name associated with the @AnonW0rmer account? FBI HaZ A File on ME. A dark omen or a dissimulation?
Find here February 2012 Cyber Attacks Timelime Part I.
With a small delay (my apologies but the end of February has been very busy for me and not only for Cybercrooks as you will soon see), here it is the second part of my compilation with the main Cyber Attacks for February 2012.
Easily Predictable, the Hacktivism is still the main concern for System Administrators, in particular for the ones of Stratfor who suffered a huge leak of 5 million of emails.
On the same front, the threats of the Anonymous for the Friday actions have come true and as a matter of fact Law Enforcement Agencies suffered other remarkable breaches in this month: Infragard for the second time and also Interpol (a new entry) that was taken down after the arrest of 25 members of the collective. Anti ACTA protest also continue to shake Europe as also the delicate economical and social situation in Greece.
Last but not least, this month has also seen an unforgettable leak, affecting potentially more than 1.000.000 Youporn users.
As usual, the chart does not include the events related to Middle East Cyber War Timeline, that you may find at this link, as they “deserve” a dedicated timeline.
February 2012 brings a new domain for my blog (it’s just a hackmaggedon) and confirms the trend of January with a constant and unprecedented increase in number and complexity of the events. Driven by the echo of the ACTA movement, the Anonymous have performed a massive wave of attacks, resuming the old habits of targeting Law Enforcement agencies. From this point of view, this month has registered several remarkable events among which the hacking of a conf call between the FBI and Scotland Yard and the takedown of the Homeland Security and the CIA Web sites.
The Hacktivism front has been very hot as well, with attacks in Europe and Syria (with the presidential e-mail hacked) and even against United Nations (once again) and NASDAQ Stock Exchange.
Scroll down the list and enjoy to discover the (too) many illustrious victims including Intel, Microsoft, Foxconn and Philips. After the jump you find all the references and do not forget to follow @paulsparrows for the latest updates. Also have a look to the Middle East Cyberwar Timeline, and the master indexes for 2011 and 2012 Cyber Attacks.
Addendum: of course it is impossible to keep count of the huge amount of sites attacked or defaced as an aftermath of the Anti ACTA movements. In any case I suggest you a couple of links that mat be really helpful:
- List of all vulnerable websites attacked by anonymous Part II (updated daily) (via cylaw.info)
- List of Websites Hacked, Defaced & Taken Down By Anonymous (via valuewalk.com)
It looks like that Christmas approaching is not stopping hackers who targeted a growing number of organizations including several security firms (Kaspersky, Nod 32 and Bitdefender) even if in secondary domains and with “simple” defacements.
Cyber chronicles report of Gemnet, another Certification Authority Breached in Holland (is the 12th security incident targeting CAs in 2011) and several massive data breaches targeting Finland (the fifth this year, affecting 16,000 users), online gambling (UB.com affecting 3.5 million of users), Telco (Telstra, affecting 70,000 users), and gaming, after the well known attacks to Sony, Sega and Nintendo, with Square Enix, which suffered a huge attacks compromising 1,800,000 users (even if it looks like no personal data were affected).
Online Payment services were also targeted by Cybercrookers: a Visa East European processor has been hit by a security breach, but also four Romanian home made hackers have been arrested for a massive credit card fraud affecting 200 restaurants for a total of 80,000 customers who had their data stolen.
As usual, hacktivism was one of the main trends for this first half of the month, which started with a resounding hacking to a Web Server belonging to ACNUR (United Nations Refugees Agency) leaking more than 200 credentials including the one belonging to President Mr. Barack Obama.
But from a mere hactvism perspective, Elections in Russia have been the main trigger as they indirectly generated several cyber events: not only during the election day, in which three web sites (a watchdog and two independent news agencies) were taken down by DDoS attacks, but also in the immediately following days, when a botnet flooded Twitter with Pro Kremlin hashtags, and an independent forum was also taken down by a further DDoS attacks. A trail of events which set a very dangerous precent.
Besides the ACNUR Hack, the Anonymous were also in the spotlight (a quite common occurrence this year) with some sparse attacks targeting several governments including in particular Brazil, inside what is called #OpAmazonia.
Even if not confirmed, it looks like that Anonymous Finland might somehow be related to the above mentioned breach occurred in Finland.
Other interesting events occurred in the first two weeks of December: the 0-day vulnerability affecting Adobe products, immediately exploited by hackers to carry on tailored phishing campaigns and most of hall, a targeted attack to a contractor, Lockheed Martin, but also another occurrence of DNS Cache Poisoning targeting the Republic of Congo domains of Google, Microsoft, Samsung and others.
Last but not least, the controversial GPS Spoofing, which allegedly allowed Iran to capture a U.S. Drone, even the GPS Spoofing on its own does not completely solve the mistery of the capture.
Other victims of the month include Norwich Airport, Coca Cola, and another Law Enforcement Agency (clearusa.org), which is currently unaivalable.
As usual after the page break you find all the references.