
Post on 18-Mar-2020

Page 1:

NBC NEWS INVESTIGATIONS investigations.nbcnews.com

The Snowden files: British intelligence agency describes attack on Anonymous

GCHQ, the British signals intelligence agency, prepared the following slides for a top-secret conference in 2012, revealing that it had mounted an online attack on the hacktivist collective known as Anonymous in September 2011.

The slides were leaked by former NSA contractor Edward Snowden and obtained exclusively by NBC News.

NBC News is publishing the documents with minimal redactions to protect individuals. All annotations appear in the original documents prepared by GCHQ.

Page 2:

Hacktivism: Online Covert Action

• Hacktivist groups

• Online Humint

• Effects Operations

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL

Page 3:

Hacktivist groups

• They are diverse and often have multiple, varied aims

• Anonymous

• LulzSec

• A-Team

• Syrian Cyber Army

• Targets include: Corporations, banks, governments, copyright associations, political parties

• Techniques: DDoS, data theft - SQLi, social engineering

• Aims:

Page 4:

Online HUMINT - CHIS

• 2 Examples from Anonymous IRC Channels:

• Gzero

• p0ke

Page 5:

• Asking for traffic

• Engaged with target

• Discovered Botnet with malware analysis & SIGINT

• Outcome: Charges, arrest, conviction

Page 6:

#OperationPayback

[11:26] Anyone here have access to a website with atleast 10,000+ unique traffic per day
[11:27] <CHIS> admin access to it?
[11:27] FTP access/cPanel yes.

Private Messages

[11:28] <CHIS> maybe, what do you want it for
[11:28] What's the traffic rate?
[11:23] It'll help the Op
[11:29] <CHIS> mine got 27k per day yesterday (pr0n)
[11:29] Love
[11:29] Using TPC's?
[11:30] <CHIS> it's here
[11:32] Pretty much it's a crypted iframe which will attempt to attack all PC's heading to that website.
[11:32] If they have vuln software they're added to a net that is used for OP Paybacks DDoS artillary
[11:32] <CHIS> so you will use exploit or some javascript thing?
[11:32] If they are not vuln then nothing happens
[11:32] Yes
[11:33] The frame is obfuscated JS

Page 7:

GZero

15:16 <GZero> yo
15:16 <GZero> works with ire
15:16 <GZero> i need traffic
15:16 <CHIS> hey.
15:17 <CHIS> what for?
15:17 <GZero> exploit pack
15:17 <GZero> will pay you if traffic is go
15:17 <GZero> u wanna talk?

Infrastructure WHOIS: gzerol

15:18 <GZero> http://alpha.bgx.su/hits.txt - Need to make this bigger ;}
15:19 <GZero> http://pastebin.con/|BHI " if^anie
15:19 <GZero> http://alpha.b0x.su/iqjtcoxo8.php - Live URL
15:19 <GZero> U have traffic?

15:21 <CHIS> so what is at that page anyway?
15:21 <GZero> several exploits
15:21 <CHIS> yeah I've got traffic, got 92fe hits yesterday.
15:22 <GZero> ok
15:22 <GZero> lets talk :p

1st Stage implant: Lead to 2nd stage & WARPIG botnet, SpyEye malware

Page 8:

Online Humint - Gzero

• JTRIG & SIGINT reporting led to identification, arrest

• Sentenced for 2 years - April 2012

[Embedded news clipping: "Hacker jailed for stealing 8 million identities"; article text illegible in this transcript]

Page 9:

p0ke

• Discussing a database table labelled 'FBI', in Anon Ops IRC

• Engaged with target - exploiting US Government website, US company website

#OperationPayback

[19:43] <&p0ke> Topiary: I has list of email:phonenumber:name of 700 FBI tards
[19:43] <&p0ke> :P
[19:41] <Topiary> what about passwords?
[19:41] <&p0ke> It was dumped from another gov db, Topiary
[19:41] <&p0ke> A table named fbi
[19:42] <Topiary> ah, like an FBI affiliated contact userbase?
[19:42] <&p0ke> that was all it contained D:

Page 10:

p0ke

Private Messages

[20:34] so what was the site?!
[20:04] if its special ;)
[20:34] <p0ke> usda.gov
[20:33] :( did you get past the site db tho?
[20:39] <p0ke> Yes
[20:13] so u had a poke around on the network? lol
[20:13] <p0ke> neh a lil
[20:13] <p0ke> Mastercard: t o u s e . g o v
[20:13] <p0ke> IHPAC Socar. a m y .pentagon.nil
[20:13] <p0ke> VISA: ^ ^ ^ ^ c g l n a i l . a f . » i l

Page 11:

p0ke - Identification

Private Messages

[21:07] oh btw have you seen this
[21:08] <p0ke> sexy
[21:09] cool huh?
[21:11] <p0ke> lía

Who loves the hacktivists?

...Enabled SIGINT

p0ke: Name: I Facebook, email accounts

Page 12:

Effects on Hacktivism

• Op WEALTH - Summer 2011

• Intel support to Law Enforcement - identification of top targets

• Denial of Service on Key Communications outlets

• Information Operations

Page 13:

DDoS ROLLING THUNDER

• RT initial trial info

[15:40] <srewder> hello, was there any problem with the irc network? i wasnt able to connect the past 30 hours.
[15:42] <speakeasy> yeah
[15:42] <speakeasy> we're being hit by a syn flood
[16:44] <speakeasy> i didn't know whether to quit last night, because of the ddos

[Screenshot of tweets from the anon_anonz Twitter account; text illegible in this transcript]

Page 14:

IO Outcome

• CHIS with

• 80% of those messaged were not in the IRC channels 1 month later

Page 15:

Conclusion

• Team working - SIGINT, JTRIG, CDO, INOC - was key to success

• Online Covert Action techniques can aid cyber threat awareness

• Effects can influence the target space
