‘He turned against the very people who trusted him most’ - The story of Sabu, hacker turned FBI informant

Sabu, aka Hector Monsegur

As notorious hacker Sabu turns informant for the FBI, snaring the cyber cohorts who revered him, Dani Garavelli explores the ultimate betrayal of the worm that turned

To the shadowy band of virtual outlaws who belong to LulzSec, Sabu was a hero – the brains behind a series of cyber attacks so audacious they struck at the heart of banks, multinational corporations and even governments. Today, however, they are facing up to the fact that their revered leader, who, as recently as last month, was spurring them on to ever more daring acts of sabotage, has committed the ultimate act of betrayal.

Ever since Sabu – or Hector Xavier Monsegur, an unemployed Puerto Rican living in a drugs-ridden housing project on Manhattan’s lower east side in New York – was arrested in June last year, he has been working undercover for the FBI, passing on information of fresh offensives he continued to plot with his former comrades to the officers involved.

Throughout his time as a double agent, Sabu drip-fed false rumours and misinformation to fellow hacktivists and journalists in a largely successful attempt to cover his tracks.

Five alleged LulzSec members – including Jake Davis, aka Topiary, from Shetland – have already been charged in the US with hacking offences as a result of his collusion, and the underground movement – always prone to paranoia – is now gripped by panic as it waits to see how much damage Sabu’s treachery will inflict. “People are freaking out. Everyone’s totally freaking out,” one hacker told FoxNews.com. The question is, with LulzSec’s leaders out of action, is the organisation now dead in the water, or are such groups, as some have suggested, hydras, where if one head is cut off another will immediately appear?

Either way, the turning of Sabu has thrown the window open on cyber-terrorism, a world where anonymous, often nihilistic players launch random attacks on unsuspecting targets.

Like conventional terrorism, it involves loose cannons, code names, collusion and double crosses. Unlike conventional terrorism, it is being waged with invisible weapons by people who lack any cohesive strategy or agenda. The majority of those involved are young, self-taught and operating from bedsits or the bedrooms of their parents’ home. Eighteen-year-old Davis, who is accused of attacking The Sun website and publishing a false story saying Rupert Murdoch had died, is an autistic loner who was home-tutored after being bullied at school. Jeremy Hammond (Anarchaos) is a 27-year-old university drop-out, whose mother Rose Collins described him as “a genius without wisdom”.

Some, as the LulzSec name (based on the term LOL or laugh out loud) suggests, are nothing more than mischief-makers bent on causing mayhem for the sheer hell of it; others, many of whom hitched their wagon to the WikiLeaks cause, are more politically motivated, targeting institutions which have offended them ideologically (they hit MasterCard and PayPal for being anti-WikiLeaks). On occasion, their attacks are also driven by pure revenge. For example, they attacked Sony for taking action against hacker George Hotz, the coder behind a popular tool that allowed “homebrew” software to run on the PlayStation 3. Their skills allow them to bring down entire computer networks using viruses, botnets built to spread malware, and Distributed Denial of Service attacks, which overload systems until they collapse.

LulzSec, whose motto is “laughing at your security since 2011”, has gained attention for the sarcastic messages it posts in the aftermath of its attacks. Its exploits include releasing the transaction logs of 3,100 Automated Teller Machines in the UK and hacking into the website of Black & Berg Cybersecurity Consulting, a small network security company, and changing the image displayed on their front page to one containing the LulzSec logo. They did this after the company had issued a “Cybersecurity For The 21st Century, Hacking Challenge”, in which they offered hackers $10,000 and a job if they could hack the site and alter the homepage graphic. LulzSec’s intrusion came after the owner Joe Black posted the message “Black & Berg Cybersecurity Consulting appreciate all the hard work that you’re putting in. Your Hacking = Clients for us. Thx” to the LulzSec Twitter account. When LulzSec succeeded they left the reply “Done. That was easy. Keep the money. We do it for the Lulz”.

They also took down the website of the CIA and released the emails and passwords of a number of users of the US Senate website, before joining forces with Anonymous for Operation Anti-Security, which involved, among other things, temporarily taking down two Brazilian government websites and the website of the Serious Organised Crime Agency.

The length of the Sabu operation has led some to question the ethics of the FBI’s actions. With at least one big attack – the leaking of five million emails at Stratfor, a Texas-based intelligence firm, on December 24 – taking place long after Sabu was turned, were the police effectively acting as agents provocateurs?

The murky story of how Sabu, once known as the high priest of LulzSec, came to bring down the movement he led has its roots in the internecine fighting that has been a feature of the hacker collective Anonymous (and its offshoots, of which LulzSec is just one) ever since it was founded in 2008. Over the past 18 months, the in-fighting has increased, with feuding members “doxxing” – publicly identifying – each other in retaliation for perceived slights. It was such a doxxing which led to the arrest in June last year of Ryan Cleary, an alleged LulzSec member operating from a bedroom in Essex.

Some time earlier in the US, it has now emerged, Sabu too had been doxxed. The theory is that the LulzSec leader had fallen foul of two former Anonymous members – Jennifer Emick and Jin Soo Byun – who had joined to protest against the Church of Scientology, but questioned the morality of later actions.

They set up an organisation called Backtrace Security, and pledged to “out” Anonymous/LulzSec members. One day they discovered a link to a page where Monsegur had posted photos and video of his Toyota AE86 on a car enthusiast social-networking site. That led to a YouTube video that had information that allowed Emick to eventually find Monsegur’s Facebook page using a Google search. It was, in this world, a rookie error.

Emick claims that when the organisation published a list of names, including Monsegur’s, the FBI intervened, asking them to remove it and pass on the information to them instead.

Unbeknownst to his fellow hacktivists, Sabu was arrested on 7 June last year. He went to ground for several weeks only to re-emerge – as a double agent – in July. The FBI had gained his co-operation by threatening him with separation from his children and agreeing to plead for leniency from a potential prison sentence of 124 years. For the next six months at least, although LulzSec had by then officially disbanded, he continued orchestrating attacks, including the one on Stratfor, and was apparently as committed to the cause as ever. Yet at the same time he was tweeting misinformation and even intervening to prevent various operations.

When the CIA came under threat from DDoS attacks, his handlers told him to bring it to a halt. He did, saying: “You’re knocking over a bee’s nest. Stop.” At a secret hearing days before Monsegur pleaded guilty to the charges in August, assistant US Attorney James Pastore told a Manhattan federal court judge that Monsegur had sometimes stayed up all night talking to co-conspirators to help the government make its case.

Sabu’s protracted absence was remarked upon. Many were suspicious. But Sabu played a clever game. He said he’d been away on account of a family bereavement, cast doubt on the trustworthiness of other members and conducted misleading interviews with journalists, in which he both raised and then refuted suggestions that he might be working for the FBI.

The five who have been named on the New York charge sheet – Hammond; Davis; Ryan Ackroyd, said to be “Kayla”, from Doncaster; Darren Martyn, said to be “pwnsauce”, from Galway; and Donncha O’Cearrbhail, a county councillor’s son said to be “palladium”, from Dublin – all face sentences of up to 20 years if convicted.

“What this case shows is that the FBI is getting very effective in going after these groups,” Jerry Dixon, a former head of the Department of Homeland Security’s National Cyber Security Division and director of analysis at Team Cymru, a cyber security research group, said. “They are able to get members to turn in the others and peel back the onion and ferret out many more of the members.”

Graeme Batsman, of Data Defenders, a UK firm that specialises in data protection, says it’s not surprising the FBI eventually found someone willing to be a mole. “There’s always been a lot of infighting. It seemed obvious that someone might infiltrate or co-operate in return for money or a job,” he says.

Avunit, the only original member of LulzSec who is as yet unindicted, has spoken of his fears for the future. “I’m on a new laptop and everything incriminating has been burned,” he told one journalist. Having learned his craft from Sabu, he is particularly distressed by his actions. “I can’t even begin to describe what it’s like to have someone that taught you and quite honestly inspired me (and many others) turn against the very people who trusted him the most.”

Yet despite Sabu’s betrayal there are others who cling to the idea that, even as he passed information to the Feds, he tried to bear the brunt of the blame himself. Having examined the indictment sheet, they say he has taken the rap for crimes he did not commit. Others insist he tried to warn his cohorts. “You don’t know who is your friend, don’t trust anybody,” he purportedly posted just before he took his plea deal.

As for the future, LulzSec may be finished, but few believe other hacktivists in the Anonymous collective won’t step into the breach. Demonstrating their continued effectiveness, Anonymous sympathisers last week attacked PandaSecurity.com after the company criticised the group’s tactics.

Indeed, globally, cyber-terrorism and cyber-warfare are on the rise. In his book Worm, Mark Bowden writes about what he describes as the first digital world war: the coming together of an ad-hoc collective of computer technicians called the Cabal to fight the Conficker worm, a piece of malign software, apparently originating in Ukraine, that propagated through the internet in 2008 and 2009 with terrifying speed. Although the experts managed to more or less hold the threat at bay, they never found out exactly where Conficker had come from or why it had been used. Since then cyberwarfare has become a more established part of many countries’ armouries, with the CIA/Mossad, for example, suspected of using the Stuxnet worm – dubbed the world’s first guided cyber missile – to attack Iran’s Bushehr nuclear reactor last year.

Batsman says cyber-warfare will increase because it has “more pros than cons,” appealing in equal measure to lone anarchists and nation states. The likes of Hamas or Hezbollah can’t afford to buy a nuclear warhead, he points out, but they could inflict serious damage by sending out malign software.

Meanwhile Sabu, out on $50,000 bail, is having to adjust to life as a hate figure rather than a hero. Yet despite being in the pocket of the FBI, he may be holding out some hope that his work will continue in his absence. His last tweet, in German, seemed aimed at securing his legacy. “Don’t give into these people,” he wrote, ridiculing the “cowards” in the federal government. “Fight back. Keep Strong.”

Glossary of terms

Botnet: A network of private computers infected with malicious software and controlled as a group without the owners’ knowledge, to send spam, for example.

Distributed denial of service attack: An attack in which a multitude of compromised systems attacks a single target, overloading the targeted system. The flood of incoming messages to the target system essentially forces it to shut down, thereby stopping legitimate users from being able to use the system.

Doxxing: When a person is doxxed, they are stripped of their anonymity. All their personal information, name, addresses, phone numbers, are put online. This usually happens as part of a feud, and is sometimes followed by 17 pizzas arriving at their house in the middle of the night.

Moralfags: The name given to hacktivists who are not content to wreak havoc for “Lulz”, but want to make some kind of political statement, usually about freedom of information or civil liberties.

White hats: Hackers employed by a company to test the security of its own systems.

Black hats: Hackers who break in illicitly for personal gain, to make a point or just because they can.

Script Kiddies: A derogatory term for people who use programs developed by others to attack computer systems and networks or to deface websites, with little understanding of the underlying concepts.