LulzSec says it's stopped hacking, but criminal case against it gains steam
Those behind LulzSec – which forced the CIA’s public website down and hacked Sony, among other things – are among the most wanted cyber-criminals.
The heat is still growing for a group of perhaps six to eight people believed to be behind Lulz Security, even though the flamboyant social-media-savvy enterprise suddenly announced over the weekend that it would stop hacking government and business computers.
Just a few days ago, the group was yucking it up, grandstanding for its 280,000 Twitter followers (up from 100,000 just over a week ago). On Thursday, it exulted in posting law-enforcement information stolen from the Arizona Department of Public Safety. Then on Sunday, it announced it was retiring from hacking.
"Our planned 50 day cruise has expired," the group wrote in a post, "and we must now sail into the distance, leaving behind – we hope – inspiration, fear, denial, happiness, approval, disapproval, mockery, embarrassment, thoughtfulness, jealousy, hate, even love."
It added, "If anything, we hope we had a microscopic impact on someone, somewhere. Anywhere." The group also encouraged others to imitate its cyberattacking ways.
But the wisecracker hackers – who forced the Central Intelligence Agency's public website down, hacked Sony, and tossed 62,000 passwords and e-mail addresses across the Internet like confetti – still remain among the most wanted cyber-criminals, cybersecurity experts say.
"These guys better hope that the FBI finds them first, because there are probably a lot of people in organized cybercrime who aren't very happy about what they've been doing – drawing all this attention," says Jeff Bardin, chief security strategist for Treadstone 71, a cybersecurity and intelligence firm based in Boston.
The term "Lulz" is hacker lingo for "laughs." All along, the group has claimed that its activities are about "doing it for the laughs" and raising Internet security awareness. Its tag line is, "Laughing at your security since 2011!"
But for others, LulzSec’s activities have been a serious matter. And in the end, the anonymity of the Internet may not have been anonymous enough for the very real people behind its hacker handles. Was Sabu the ringleader? Is Kayla the group's botnet expert? What about Topiary, Storm, Tflow, Joepie91, Avunit, and the others?
Those nicknames appear in chat logs from late May – purportedly conversations from LulzSec's private chat channel that were leaked anonymously to London's Guardian newspaper and posted to its website Friday. Other similar chat logs were leaked in March to the online magazine Gawker.
At about the same time, lists of names associated with the handles began to be tweeted along with a flotsam of corroborating information. Was Sabu living in New York City and Avunit in England? That was implied by one Internet security company report circulating online.
Some argue that chat logs are easily faked. Also, are the tweeted names of people really those behind the LulzSec attacks? Impossible to tell – yet.
But such clues could quickly become exhibits in criminal cases as more details are tweeted or divulged by vigilante hackers, computer security companies, or disgruntled members of the affiliated Anonymous group.
"The chances they'll get nailed are pretty good," Mr. Bardin says. "Sure, they're pretty smart about how they hide themselves and their tracks. But some of them have already been nailed," he says, referring to a recent arrest in England. "They've been tugging on the tail of the beast for a while, and now the beast is turning around to get them."
One vigilante hacker dubbed "the Jester," purportedly a former cyber-expert for the US military, has in recent weeks exposed details of the group's members, Bardin notes. In a possible break in the case, British authorities on Wednesday charged Ryan Cleary of Essex, England, with five counts of computer crimes. His connection with the group remains unclear, although he was reported to have operated a computer server the group used.
"The Jester is out there exposing these guys, and you've got other people doing the same thing," Bardin says. "As soon as they got Ryan Cleary, you could see the writing on their Twitter feed changed. I think this becomes a fairly simple law-enforcement case now."
Long before LulzSec appeared, the Anonymous group was being scrutinized by Gabriella Coleman, an anthropologist at New York University. For years, she has observed the online discourse in the chat boards operated by Anonymous, and a few months ago, she noticed when six to eight of them seemed to break away and set up shop in their own chat boards, as LulzSec.
Anonymous is a larger group that has attacked websites of organizations it deems to have curbed Internet or political freedom, including MasterCard, Visa, and PayPal. Anonymous has also attacked government sites in Tunisia, Egypt, and elsewhere in support of the Arab Spring uprisings. LulzSec, by contrast, has only rarely claimed to be acting for philosophical reasons.
"Anonymous and LulzSec are clearly in conversation with each other at some level, and their existence helps to clarify what's unique about each one," Dr. Coleman says. "Anonymous uses LulzSec as a political tactic, whereas LulzSec says what it does is all about the laughs. They each benefit from the association."
But although LulzSec claims to be "doing it for the laughs," that wasn't always the motivation, Bardin and others in the Internet security realm say. Revenge was another motive, as the computer security firm HBGary concluded when a trove of its stolen e-mails was dumped on the Internet for anyone to read. One of its officers had claimed he would expose the members of the group.
Greed could be another motive. In late May, Unveillance, a botnet-tracking start-up company, was attacked – and though its intellectual property remained safe, the e-mail of its founder was stolen. In contacts with LulzSec, detailed in logs supplied to the Monitor by Karim Hijazi, CEO of the firm, the group appears to tell him they won't dump his private e-mails on the Internet if he supplies them with money or botnet technology. When he refused, the group publicized his e-mails.
"There's certainly a leadership structure there," Mr. Hijazi says. "There's definitely youth involved because they don't know the ramifications of what they're doing.... It was clumsy, truly like these kids had watched movies ... saying, 'If you play this right, it will work out' and 'Don't mess up.' "
One distinction that solidifies LulzSec in the criminal category is the group's intense interest in developing its botnet technology – malicious software used to enslave the computers of companies and ordinary households for criminal purposes, says Luis Corrons, the Spain-based technical director of PandaLabs, a cybersecurity company.
"This group owns a number of different botnets," he says. "They were powerful enough to fire at the CIA site and take it down. In my 12 years working in the security industry, all the botnets belonged to cybercriminals. They may be young people looking to make some money, but that's the direction they've gone."
Hijazi agrees that the group could be in physical danger as their identities leak into the open – since organized crime cares a great deal about preserving its botnets, and it may not welcome the spotlight that LulzSec has thrown on their use.
"These guys should pray law enforcement finds them first," he says.