Anonymous thrown into China-US cyberwar scandal
RT, 20 February 2013, 16:04
Members of the Anonymous movement, including alleged ringleader-turned-informant Hector “Sabu” Monsegur, may have played a crucial role in helping cybersecurity experts home in on the Chinese hackers profiled in a highly touted report released this week.
In a report published Tuesday by Northern Virginia information security company Mandiant, an elusive unit of hackers operating for China’s People’s Liberation Army is linked to the compromise of as many as 141 companies across 20 major industries in recent years, including a corporation with access to Canada’s oil pipelines and entities of the United States government.
At around 70 pages, the report offers an introduction to the group, Unit 61398, and explains how analysts at Mandiant came close to pinpointing three individuals within the “Advanced Persistent Threat” group, or APT1, that they believe have participated in a covert cyberwar against the US on behalf of the Chinese military.
Buried deep in the report, however, is evidence that Mandiant didn’t do all the work alone: the authors of “APT1: Exposing One of China’s Cyber Espionage Units” say that a 2011 hack perpetrated by the loose-knit Anonymous collective was instrumental in narrowing down the identities of the Far East hackers.
In the report, Mandiant offers a brief profile of three hackers believed to be involved with APT1: “uglygorilla,” “DOTA” and “SuperHard.” But while the company acknowledges that its investigation into the unit has been underway for several years already, Mandiant says information released by Anonymous in 2011 helped it come closer to identifying the accused cybercriminals.
In 2011, Anonymous retaliated against the security firm HBGary after hacktivists became aware that Aaron Barr, CEO of its affiliate HBGary Federal, claimed to have infiltrated the movement and planned to hand the identities of Anons to federal investigators. In response, Anonymous waged an all-out war on HBGary and its associates, hacking the company’s websites, stealing tens of thousands of emails and compromising the online accounts registered to most of the group’s staff. Among the sites targeted was rootkit.com, a coding website founded by HBGary associate Greg Hoglund. After Anons compromised accounts belonging to Barr, they used that newly obtained access to get into Hoglund’s corporate email, and from there they socially engineered a colleague of his into handing over access to rootkit.com.
In her 2012 book We Are Anonymous, author Parmy Olson says Anon hackers “had complete control of rootkit.com” and quickly set about ravaging the site in conjunction with the other attacks waged on HBGary and Mr. Barr.
“First they took the usernames and passwords of anyone who had ever registered on the site, then deleted its entire contents. Now it was just a blank page reading ‘Greg Hoglund = Owned,’” Olson writes.
Next, Anonymous publicly released a file containing the usernames, passwords and other log-in credentials for every registered account on rootkit.com. Among those, says Mandiant, were log-ins for both “uglygorilla” and “SuperHard,” two identities security experts believe to be registered to Chinese hackers working in Unit 61398.
“[T]he disclosure of all registered ‘rootkit.com’ accounts published by Anonymous included the user “uglygorilla” with the registered email address uglygorilla@163.com. This is the same email used to register for the 2004 PLA forum and the zone hugesoft.org,” claims Mandiant, referring to a forum of the Chinese military and to a DNS zone (the domain hugesoft.org) believed to have been registered by the person using the “uglygorilla” name, respectively.
Mandiant says the trove of information didn’t run dry with that one link, though. Also included in the leaked rootkit.com account data was the IP address uglygorilla used to sign up for the website, which matched a Shanghai-area address all but certainly tied to Unit 61398, along with information about another alleged Chinese hacker.
“Once again, in tracking [SuperHard] we are fortunate to have access to the accounts disclosed from rootkit.com. The rootkit.com account ‘SuperHard_M’ was originally registered from the IP address 58.247.237.4, within one of the known APT1 egress ranges,” Mandiant reports.
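The two pivots Mandiant describes in the passages above, matching a leaked e-mail against other registrations and checking a registration IP against known egress ranges, are straightforward to automate over a whole dump. The following Python is an added example for this page, not code from Mandiant, the report or Anonymous; apart from the e-mail uglygorilla@163.com and the IP 58.247.237.4 quoted above, every account, address and the 58.247.237.0/24 range are constructed placeholders (that range is a hypothetical one chosen to contain the quoted IP, not one of the report's published ranges).

```python
"""Correlate a leaked account dump against e-mail and IP indicators.

Added example for this article; it is not Mandiant's or Anonymous's code and
does not reproduce the report's data. The only values taken from the article
are the e-mail uglygorilla@163.com and the IP 58.247.237.4; every other
record, address and range below is constructed for illustration.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed dump in the shape of a leaked forum user table:
# username,email,registration_ip. Filler rows use RFC 5737 documentation
# addresses so they cannot match any real network. The article does not give
# uglygorilla's registration IP, so 192.0.2.55 is a placeholder, and
# SuperHard_M's e-mail is likewise invented. The last row is deliberately
# malformed, as rows in real dumps often are.
LEAKED_DUMP = """\
alice_dev,alice@example.org,192.0.2.10
uglygorilla,uglygorilla@163.com,192.0.2.55
bob_re,bob@example.net,198.51.100.7
SuperHard_M,superhard@example.com,58.247.237.4
carol,carol@example.org,not-an-ip
"""

# Indicators the analyst already holds from other sources. The e-mail appears
# in the article; the CIDR is a HYPOTHETICAL egress range chosen only so that
# it contains 58.247.237.4. It is not one of the report's published ranges.
KNOWN_EMAILS = {"uglygorilla@163.com"}
EGRESS_RANGES = [ipaddress.ip_network("58.247.237.0/24")]

Account = Tuple[str, str, str]


def parse_dump(text: str) -> List[Account]:
    """Parse comma-separated 'username,email,ip' lines; skip blank or short rows."""
    accounts: List[Account] = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3 or not parts[0]:
            continue  # malformed row: a real dump will have plenty of these
        accounts.append((parts[0], parts[1], parts[2]))
    return accounts


def matching_range(ip_text: str, ranges) -> Optional[str]:
    """Return the first range containing ip_text, or None (also for unparsable IPs)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None  # garbage in the IP column must not abort the whole sweep
    for net in ranges:
        if ip in net:
            return str(net)
    return None


def correlate(accounts, known_emails, ranges) -> Dict[str, List[str]]:
    """Map each account that hits at least one indicator to the reasons it hit.

    Two independent pivots are applied and recorded separately, so the analyst
    can see which accounts are supported by more than one indicator:
      - e-mail reuse across data sets (case-insensitive comparison)
      - registration IP falling inside a known egress range
    """
    wanted = {e.lower() for e in known_emails}
    hits: Dict[str, List[str]] = {}
    for user, email, ip in accounts:
        reasons = []
        if email.lower() in wanted:
            reasons.append(f"e-mail {email} reused in another data set")
        net = matching_range(ip, ranges)
        if net is not None:
            reasons.append(f"registration IP {ip} inside {net}")
        if reasons:
            hits[user] = reasons
    return hits


if __name__ == "__main__":
    results = correlate(parse_dump(LEAKED_DUMP), KNOWN_EMAILS, EGRESS_RANGES)
    for user, reasons in results.items():
        print(f"{user}: {'; '.join(reasons)}")
```

Run stand-alone, the script flags uglygorilla on the e-mail pivot and SuperHard_M on the IP pivot and nothing else. The caveat a practitioner should keep in mind is that a registration IP inside a shared range only says where the user connected from at sign-up, and corporate or ISP egress addresses are shared by many people; that is why each indicator is recorded separately, so accounts backed by two independent pivots stand out from single-indicator matches, and why Mandiant stacks e-mail reuse, domain registration and IP together rather than relying on any one of them. Note also that the leaked passwords play no part here: the account metadata is what carries the attribution value.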
Olson says the hack against HBGary was spearheaded by Hector Xavier Monsegur, or “Sabu,” the alleged ringleader of the Anon offshoot LulzSec, who was arrested by the FBI several months later and has since become a federal informant for the agency. Monsegur is expected to be sentenced in a New York City courtroom on Friday for a laundry list of criminal activity linked to Anonymous, including hacking HBGary and gaining unauthorized access to Hoglund’s site. Meanwhile, Mandiant says that the hugesoft.org domain registered to uglygorilla has remained continuously active, at least up until the release of the report this week.
After his 2011 arrest, Monsegur allegedly aided authorities in rounding up other hackers internationally. He is believed to have been provided with a server by the FBI that was allegedly used by activist Jeremy Hammond to upload files taken in late 2011 from private intelligence firm Stratfor. Hammond himself will be in court this week for a hearing in that case.
White House to issue plan to combat cyber theft
21 February 2013
President Barack Obama's administration is preparing a strategy to counter theft of US trade secrets, including by hackers in China and other countries, according to two former government officials briefed on a report to be released Wednesday US time. The report will outline a coordinated diplomatic effort to push back against other nations linked to theft of intellectual property and lay out best practices for companies to protect their material, according to the former officials, who asked not to be named before the official announcement.
The document will also outline a government program to share information on trade secret theft with companies, and highlight efforts by the Justice Department and FBI to pursue investigations and prosecutions, according to one of the former officials.
Attorney General Eric Holder will join Victoria A. Espinel, US Intellectual Property Enforcement Coordinator at the Office of Management and Budget, and officials from General Electric Co. and American Superconductor Corp., to release the document titled "Strategy to Mitigate the Theft of US Trade Secrets," according to a statement on the OMB website.
The strategy "coordinates and improves US efforts to protect innovation" from thefts of intellectual property, Jay Carney, the White House spokesman, said at a briefing today. The effort is related to, though separate from, the administration's efforts to improve US cybersecurity, Mr Carney said.
A US-based security company, Mandiant Corp., released an analysis yesterday that said the Chinese army is probably the source of computer-hacking attacks against at least 141 companies worldwide since 2006.
Government sponsored
The intrusions, mainly directed at US companies, were carried out by a group that is "likely government sponsored" and is similar "in its mission, capabilities, and resources" to a unit of the People's Liberation Army, according to the Mandiant report.
A spokesman for China's Foreign Ministry, Hong Lei, denied any military involvement and said his department is opposed to computer hacking and has been a victim of attacks itself.
Mr Obama issued an executive order February 12 that calls for sharing of secret government information on the operations of Chinese hackers and other cyber threats. It directs the government to develop voluntary cybersecurity standards for companies operating the nation's vital infrastructure, such as power grids and air traffic control systems.
In his State of the Union address, Mr Obama warned that hackers, including those who are state sponsored, are a national security threat as well as an economic one.
Swiping secrets
"We know foreign countries and companies swipe our corporate secrets," Mr Obama said. "Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems."
The news conference is scheduled for 3:15 p.m. Washington time and will be broadcast on the White House website.
"The administration is focused on protecting the innovation that drives the American economy and supports jobs in the United States," Espinel wrote on OMB's blog.
They're coming to get you!