Hacktivism: Online Covert Action
Hacktivist groups
Online HUMINT
Effects Operations
TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL
Hacktivist groups
They are diverse and often have multiple, varied aims
Anonymous
LulzSec
A-Team
Syrian Cyber Army
Targets include: corporations, banks, governments, copyright associations, political parties
Techniques: DDoS, data theft — SQLi, social engineering
Aims:
Online HUMINT - CHIS (Covert Human Intelligence Source)
2 Examples from Anonymous IRC Channels:
Gzero
pOke
Gzero
Asking for traffic
Engaged with target
Discovered botnet with malware analysis & SIGINT
Outcome: Charges, arrest, conviction
Gzero: Private Messages (lines without a nick are the other party, Gzero)
[11:26] Anyone here have access to a website with at least 10,000+ unique traffic per day
[11:27] <CHIS> admin access to it?
[11:27] FTP access/cPanel yes.
[11:28] <CHIS> maybe, what do you want it for
[11:28] What's the traffic rate?
[11:28] It'll help the op
[11:29] <CHIS> mine got 27k per day yesterday (grin)
[11:29] Love it
[11:29] Using TPG's?
[11:30] <CHIS> it's here
[11:32] Pretty much it's a crypted iframe which will attempt to attack all PC's heading to that website.
[11:32] if they have vuln software they're added to a net that is used for OP Payback's DDoS artillery
[11:32] <CHIS> so you will use exploit or some javascript thing?
[11:32] If they are not vuln then nothing happens
[11:32] Yes
[11:33] The frame is obfuscated
GZero
Slide annotations: Infrastructure; WHO'S: gzero; exploit pack; Stage implant; Live URL; Lead to 2nd stage & WARPIG; botnet, SpyEye malware
[15:16] <Gzero> yo
[15:16] <Gzero> works with me
[15:16] <Gzero> i need traffic
[15:16] <CHIS> hey
[15:17] <CHIS> what for?
[15:17] <Gzero> exploit pack
[15:17] <Gzero> will pay you if traffic is
[15:17] <Gzero> u wanna talk?
[15:19] <Gzero> http://alpha_bax.sidhits.txt - Feed to make this bigger ;)
[15:19] <Gzero> http://pastebin.conall= - 15 for iframe
[15:19] <Gzero> http://alpha.bOx.soficlitcomog.php
[15:19] <Gzero> U have traffic?
[15:21] <CHIS> so what is at that page anyway?
[15:21] <Gzero> several exploits
[15:21] <CHIS> yeah I've got traffic. got 92k hits yesterday.
[15:22] <Gzero> ok
[15:22] <Gzero> lets talk :p
Online HUMINT - Gzero
JTRIG & SIGINT reporting led to identification, arrest
Sentenced for 2 years — April 2012
Press clipping: "Hacker jailed for stealing 8 million identities"
[Body of the press clipping is mostly illegible in this copy. Legible fragments: "23-year-old Edward ..." is "behind bars"; "The British hacker used the ..."; an activity window from January 1, 2010 to August 30, 2011; the 8 million identities figure.]
pOke
Discussing a database table labelled 'FBI' in AnonOps IRC
Engaged with target — exploiting US Government website, US company website
#OperationPayback
[19:40] <pOke> Topiary: I has list of email:phonenumber:name of 100 FBI [word illegible]
[19:40] <pOke> :P
[19:41] <Topiary> what about passwords?
[19:41] <pOke> It was dumped from another [word illegible], Topiary
[19:41] <pOke> 1 table named fbi
[19:42] <Topiary> ah, like an FBI affiliated contact userbase?
[19:42] <pOke> that was all it contained
pOke Private messages
[20:04] <CHIS> so what was the site?!
[20:04] <CHIS> if its special ;)
[20:04] <pOke> usda.gov
[20:08] <CHIS> did you get past the site db tho?
[20:08] <pOke> Yep
[20:13] <CHIS> so u had a poke around on the network? lol
[20:13] <pOke> web a lil
[20:13] <pOke> house.gov
[20:13] <pOke> [email address redacted]
[20:23] <pOke> VISA: [redacted].af.mil
pOke Identification
[Screenshot of a news/technology website; text not recoverable]
Private messages
[21:07] oh btw have you seen this
[21:08]
[21:09] cool huh?
[21:11] <pOke> Ya
pOke:
Name:
Facebook, email accounts
Effects on Hacktivism
Op WEALTH — Summer 2011
Intel support to Law Enforcement — identification of top targets
Denial of Service on key communications outlets
Information Operations
DDoS ROLLING THUNDER
• RT initial trial info
[15:40] <srewder> hello, was there any problem with the irc network? i wasn't able to connect the past 30 hours.
[15:42] <speakeasy> yeah
[15:42] <speakeasy> we're being hit by a syn flood
[16:44] <speakeasy> i didn't know whether to quit last night, because of the ddos
[Screenshots of social media posts: anon_anon (note the typo) on YouTube; Twitter nickname; anonops. Post text not recoverable.]
Outcome: CHIS with
80% of those messaged were not in the IRC channels 1 month later
Conclusion
Team working — SIGINT, JTRIG, CDO, INOC — was key to success
Online Covert Action techniques can aid cyber threat awareness
Effects can influence the target space