NBC NEWS INVESTIGATIONS investigations.nbcnews.com
The Snowden files: British intelligence agency describes attack on Anonymous
GCHQ, the British signals intelligence agency, prepared the following slides for a top-secret conference in 2012, revealing that it had mounted an online attack on the hacktivist collective known as Anonymous in September 2011.
The slides were leaked by former NSA contractor Edward Snowden and obtained exclusively by NBC News.
NBC News is publishing the documents with minimal redactions to protect individuals. All annotations appear in the original documents prepared by GCHQ.
Hacktivism: Online Covert Action
• Hacktivist groups
• Online Humint
• Effects Operations
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL
Hacktivist groups
• They are diverse and often have multiple, varied aims
• Anonymous
• LulzSec
• A-Team
• Syrian Cyber Army
• Targets include: Corporations, banks, governments, copyright associations, political parties
• Techniques: DDoS, data theft - SQLi, social engineering
• Aims:
Online HUMINT - CHIS
• 2 Examples from Anonymous IRC Channels:
• Gzero
• POke
• Asking for traffic
• Engaged with target
• Discovered Botnet with malware analysis & SIGINT
• Outcome: Charges, arrest, conviction
#OperationPayback
[11:26] Anyone here have access to a website with at least 10,000+ unique traffic per day
[11:27] <CHIS> admin access to it?
[11:27] FTP access/cPanel yes.
Private Messages
[11:28] <CHIS> maybe, what do you want it for
[11:28] [redacted] what's the traffic rate?
[11:28] [redacted] it'll help the Op
[11:29] <CHIS> mine got 27k per day yesterday (porn)
[11:29] Love
[11:29] Using TPC's?
[11:30] <CHIS> it's here
[11:32] Pretty much it's a crypted iframe which will attempt to attack all PC's heading to that website.
[11:32] If they have vuln software they're added to a net that is used for OP Payback's DDoS artillery
[11:32] <CHIS> so you will use exploit or some javascript thing?
[11:32] If they are not vuln then nothing happens
[11:32] Yes
[11:33] [redacted] The frame is obfuscated JS
GZero
[15:16] <GZero> yo
[15:16] <GZero> works with irc
[15:16] <GZero> i need traffic
[15:16] <CHIS> hey.
[15:17] <CHIS> what for?
[15:17] <GZero> exploit pack
[15:17] <GZero> will pay you if traffic is go
[15:17] <GZero> u wanna talk?
Infrastructure WHOIS: gzerol
[15:18] <GZero> http://alpha.bgx.su/hits.txt - Need to make this bigger ;}
[15:19] <GZero> http://pastebin.com/[redacted] - iframe
[15:19] <GZero> http://alpha.b0x.su/iqjtcoxo8.php - Live URL
[15:19] <GZero> U have traffic?
[15:21] <CHIS> so what is at that page anyway?
[15:21] <GZero> several exploits
[15:21] <CHIS> yeah I've got traffic, got 92k hits yesterday.
[15:22] <GZero> ok
[15:22] <GZero> lets talk :p
1st Stage implant: Lead to 2nd stage & WARPIG botnet, SpyEye malware
Online Humint - Gzero
• JTRIG & SIGINT reporting led to identification, arrest
• Sentenced for 2 years - April 2012
[Embedded news clipping, headline: "Hacker jailed for stealing 8 million identities"; the body text of the clipping is not legible in the scan.]
pOke
• Discussing a database table labelled 'FBI', in Anon Ops IRC
• Engaged with target - exploiting US Government website, US company website
#OperationPayback
[19:43] <p0ke> Topiary: I has list of email:phonenumber:name of 700 FBI tards
[19:43] <p0ke> :P
[19:41] <Topiary> what about passwords?
[19:41] <p0ke> It was dumped from another gov db, Topiary
[19:41] <p0ke> A table named fbi
[19:42] <Topiary> ah, like an FBI affiliated contact userbase?
[19:42] <p0ke> that was all it contained D:
pOke Private Messages
[20:34] so what was the site?!
[20:04] if its special ;)
[20:34] <p0ke> usda.gov
[20:33] [redacted] :(. did you get past the site db tho?
[20:39] <p0ke> Yes
[20:13] [redacted] so u had a poke around on the network? lol
[20:13] <p0ke> meh a lil [redacted]
[20:13] <p0ke> Mastercard: [redacted]house.gov
[20:13] <p0ke> IMPAC: [redacted].army.pentagon.mil
[20:13] <p0ke> VISA: [redacted]@mail.af.mil
pOke - Identification
Private Messages
[21:07] [redacted] oh btw have you seen this
[21:08] <p0ke> [illegible]
[21:09] cool huh?
[21:11] <p0ke> [illegible]
[Embedded image, caption partly legible: "Who loves the hacktivists?"]
...Enabled SIGINT pOke: Name: [redacted] Facebook, email accounts
Effects on Hacktivism
• Op WEALTH - Summer 2011
• Intel support to Law Enforcement - identification of top targets
• Denial of Service on Key Communications outlets
• Information Operations
DDoS ROLLING THUNDER
• RT initial trial info
[15:40] <srewder> hello, was there any problem with the irc network? i wasnt able to connect the past 30 hours.
[15:42] <speakeasy> yeah
[15:42] <speakeasy> we're being hit by a syn flood
[16:44] <speakeasy> i didn't know whether to quit last night, because of the ddos
[Screenshot of tweets from the Twitter account anon_anonz about the AnonOps IRC network going down and a backup server; the tweet text is largely illegible in the scan.]
Outcome
• CHIS with [redacted]
• 80% of those messaged were not in the IRC channels 1 month later
Conclusion
• Team working - SIGINT, JTRIG, CDO, !NOC - was key to success
• Online Covert Action techniques can aid cyber threat awareness
• Effects can influence the target space