Hacktivism: Online Covert Action · pOke Discussing a database table labelled 'MI', in Anon Ops IRC...



Page 1

Page 2

Hacktivism: Online Covert Action

Hacktivist groups

Online HUMINT

Effects Operations

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL

Page 3

Hacktivist groups

They are diverse and often have multiple, varied aims

Anonymous

LulzSec

A-Team

Syrian Cyber Army

Targets include: corporations, banks, governments, copyright associations, political parties

Techniques: DDoS, data theft — SQLi, social engineering

Aims:


Page 4

Online HUMINT - CHIS: 2 examples from Anonymous IRC channels:

Gzero

pOke


Page 5

Gzero

Asking for traffic

Engaged with target

Discovered botnet with malware analysis & SIGINT

Outcome: Charges, arrest, conviction


Page 6


Private messages

[11:26] Anyone here have access to a website with at least 10,000+ unique traffic per day
[11:27] <CHIS> admin access to it?
[11:27] FTP access/cPanel yes.
[11:28] <CHIS> maybe, what do you want it for
[11:28] What's the traffic rate?
[11:28] It'll help the op
[11:29] <CHIS> mine got 27k per day yesterday (gran)
[11:29] Love it
[11:29] Using TPG's?
[11:30] <CHIS> it's here
[11:32] Pretty much it's a crypted iframe which will attempt to attack all PC's heading to that website.
[11:32] if they have vuln software they're added to a net that is used for OP Paybacks DDoS artillery
[11:32] <CHIS> so you will use exploit or some javascript thing?
[11:32] If they are not vuln then nothing happens
[11:32] Yes
[11:33] The frame is obfuscated


Page 7

GZero

[15:16] <Gzero> yo
[15:16] <Gzero> works with me
[15:16] <Gzero> i need traffic
[15:16] <CHIS> hey.
[15:17] <CHIS> what for?
[15:17] <Gzero> exploit pack
[15:17] <Gzero> will pay you if traffic is
[15:17] <Gzero> u wanna talk?
[15:19] <Gzero> http://alpha_bax.sidhits.txt - Feed to make this bigger ;)
[15:19] <Gzero> http://pastebin.conall= - 15 for iframe
[15:19] <Gzero> http://alpha.bOx.soficlitcomog.php
[15:19] <Gzero> U have traffic?
[15:21] <CHIS> so what is at that page anyway?
[15:21] <Gzero> several exploits
[15:21] <CHIS> yeah I've got traffic. got 92k hits yesterday.
[15:22] <Gzero> ok
[15:22] <Gzero> lets talk :p

Slide annotations: Infrastructure; WHOIS: gzero; Live URL 1; Stage implant: lead to 2nd stage & WARPIG; botnet, SpyEye malware


Page 8

Online HUMINT - Gzero

JTRIG & SIGINT reporting led to identification, arrest

Sentenced for 2 years — April 2012

Hacker jailed for stealing 8 million identities



Page 9

pOke Discussing a database table labelled 'FBI', in Anon Ops IRC

Engaged with target — exploiting US Government website, US company website

#OperationPayback
[19:40] <pOke> Topiary: I has list of email:phonenumber:name of 100 FBI -lands
[19:40] <pOke> :P
[19:41] <Topiary> what about passwords?
[19:41] <pOke> It was dumped from another giro lb, Topiary
[19:41] <pOke> 1 table named fbi
[19:42] <Topiary> ah, like an FBI affiliated contact userbase?
[19:42] <pOke> that was all it contained


Page 10

pOke Private messages

[20:04] so what was the site?! if its special ;)
[20:04] <pOke> usda.gov
[20:08] did you get past the site db tho?
[20:08] <pOke> Yep
[20:13] so u had a poke around on the network? lol
[20:13] <pOke> web a lil
[20:13] <pOke> hause.gov
[20:13] <pOke> PIAK: [redacted] [email protected]
[20:23] <pOke> VISA: [redacted].af.mil


Page 11

pOke Identification

Private messages

[21:07] oh btw have you seen this
[21:08]
[21:09] cool huh?
[21:11] <pOke> Ya

pOke:

Name:

Facebook, email accounts


Page 12

Effects on Hacktivism: Op WEALTH — Summer 2011

Intel support to Law Enforcement — identification of top targets

Denial of Service on key communications outlets

Information Operations


Page 13

DDoS: ROLLING THUNDER

• RT initial trial info

[15:40] <srewder> hello, was there any problem with the irc network? i wasn't able to connect the past 30 hours.
[15:42] <speakeasy> yeah
[15:42] <speakeasy> were being hit by a syn flood
[16:44] <speakeasy> i didn't know whether to quit last night, because of the ddos

[Screenshot of anon_anons / anonops accounts on YouTube and Twitter]


Page 14

Outcome

CHIS with

80% of those messaged were not in the IRC channels 1 month later


Page 15

Conclusion

Team working — SIGINT, JTRIG, CDO, NOC — was key to success

Online Covert Action techniques can aid cyber threat awareness

Effects can influence the target space
