24 April 2014
Sabu Aided FBI in Cyberattacks
2014-0621.pdf Jeremy Hammond Docs on Sabu Aiding FBI Attacks April 24, 2014 (8.7MB)
F.B.I. Informant Is Tied to Cyberattacks Abroad
By MARK MAZZETTIAPRIL 23, 2014
WASHINGTON An informant working for the F.B.I. coordinated a 2012
campaign of hundreds of cyberattacks on foreign websites, including some
operated by the governments of Iran, Syria, Brazil and Pakistan, according
to documents and interviews with people involved in the attacks.
Exploiting a vulnerability in a popular web hosting software, the informant
directed at least one hacker to extract vast amounts of data from
bank records to login information from the government servers of a
number of countries and upload it to a server monitored by the F.B.I., according
to court statements.
The details of the 2012 episode have, until now, been kept largely a secret
in closed sessions of a federal court in New York and heavily redacted documents.
While the documents do not indicate whether the F.B.I. directly ordered the
attacks, they suggest that the government may have used hackers to gather
intelligence overseas even as investigators were trying to dismantle hacking
groups like Anonymous and send computer activists away for lengthy prison
The attacks were coordinated by Hector Xavier Monsegur, who used the Internet
alias Sabu and became a prominent hacker within Anonymous for a string of
attacks on high-profile targets, including PayPal and MasterCard. By early
2012, Mr. Monsegur of New York had been arrested by the F.B.I. and had already
spent months working to help the bureau identify other members of Anonymous,
according to previously disclosed court papers.
One of them was Jeremy Hammond, then 27, who, like Mr. Monsegur, had joined
a splinter hacking group from Anonymous called Antisec. The two men had worked
together in December 2011 to sabotage the computer servers of Stratfor Global
Intelligence, a private intelligence firm based in Austin, Tex.
Shortly after the Stratfor incident, Mr. Monsegur, 30, began supplying Mr.
Hammond with lists of foreign websites that might be vulnerable to sabotage,
according to Mr. Hammond, in an interview, and chat logs between the two
men. The New York Times petitioned the court last year to have those documents
unredacted, and they were submitted to the court last week with some of the
After Stratfor, it was pretty much out of control in terms of targets
we had access to, Mr. Hammond said during an interview this month at
a federal prison in Kentucky, where he is serving a 10-year sentence after
pleading guilty to the Stratfor operation and other computer attacks inside
the United States. He has not been charged with any crimes in connection
with the hacks against foreign countries.
Mr. Hammond would not disclose the specific foreign government websites that
he said Mr. Monsegur had asked him to attack, one of the terms of a protective
order imposed by the judge. The names of the targeted countries are also
redacted from court documents.
But according to an uncensored version of a court statement by Mr. Hammond,
leaked online the day of his sentencing in November, the target list was
extensive and included more than 2,000 Internet domains. The document said
Mr. Monsegur had directed Mr. Hammond to hack government websites in Iran,
Nigeria, Pakistan, Turkey and Brazil and other government sites, like those
of the Polish Embassy in Britain and the Ministry of Electricity in Iraq.
An F.B.I. spokeswoman declined to comment, as did lawyers for Mr. Monsegur
and Mr. Hammond.
The hacking campaign appears to offer further evidence that the American
government has exploited major flaws in Internet security so-called
zero-day vulnerabilities like the recent Heartbleed bug for intelligence
purposes. Recently, the Obama administration decided it would be more forthcoming
in revealing the flaws to industry, rather than stockpiling them until the
day they are useful for surveillance or cyberattacks. But it carved a broad
exception for national security and law enforcement operations.
Mr. Hammond, in the interview, said he and Mr. Monsegur had become aware
of a vulnerability in a web-hosting software called Plesk that allowed backdoor
access to thousands of websites. Another hacker alerted Mr. Hammond to the
flaw, which allowed Mr. Hammond to gain access to computer servers without
needing a user name or password.
Over several weeks in early 2012, according to the chat logs, Mr. Monsegur
gave Mr. Hammond new foreign sites to penetrate. During a Jan. 23 conversation,
Mr. Monsegur told Mr. Hammond he was in search of new juicy targets,
the chat logs show. Once the websites were penetrated, according to Mr. Hammond,
emails and databases were extracted and uploaded to a computer server controlled
by Mr. Monsegur.
The sentencing statement also said that Mr. Monsegur directed other hackers
to give him extensive amounts of data from Syrian government websites, including
banks and ministries of the government of President Bashar al-Assad. The
F.B.I. took advantage of hackers who wanted to help support the Syrian people
against the Assad regime, who instead unwittingly provided the U.S. government
access to Syrian systems, the statement said.
The court documents also refer to Mr. Monsegurs giving targets to a
Brazilian hacker. The hacker, who uses the alias Havittaja, has posted online
some of his chats with Mr. Monsegur in which he was asked to attack Brazilian
One expert said that the court documents in the Hammond case were striking
because they offered the most evidence to date that the F.B.I. might have
been using hackers to feed information to other American intelligence agencies.
Its not only hypocritical but troubling if indeed the F.B.I.
is loaning its sting operations out to other three-letter agencies,
said Gabriella Coleman, a professor at McGill University and author of a
forthcoming book about Anonymous.
During the prison interview, Mr. Hammond said that he did not have success
hacking a large number of the Plesk websites that Mr. Monsegur had identified,
and that his ability to create a so-called back door to a site depended on
which operating system it ran on.
He added that Mr. Monsegur never carried out the hacks himself, but repeatedly
asked Mr. Hammond for specific details about the Plesk vulnerability.
Sabu wasnt getting his hands dirty, he said. Federal
investigators arrested Mr. Monsegur in mid-2011, and his cooperation with
the F.B.I. against members of Anonymous appears to have begun soon after.
In a closed hearing in August 2011, a federal prosecutor told a judge that
Mr. Monsegur had been cooperating with the government proactively
and had literally worked around the clock with federal agents
to provide information about other hackers, whom he described as targets
of national and international interests.
During this time the defendant has been closely monitored by the
government, said the prosecutor, James Pastore, according to a transcript
of the hearing. We have installed software on a computer that tracks
his online activity. There is also video surveillance in the defendants
Mr. Monsegurs sentencing hearing has been repeatedly delayed, leading
to speculation that he is still working as a government informant. His current
location is unknown.
Exactly what role the F.B.I. played behind the scenes during the 2012 attacks
is unclear. Mr. Hammond said he had been in constant contact with Mr. Monsegur
through encrypted Internet chats. The two men often communicated using Jabber,
a messaging platform popular among hackers. Mr. Monsegur used the alias
Leondavidson and Mr. Hammond used Yohoho, according to the court records.
During a conversation on Feb. 15, 2012, Mr. Hammond said he hoped all the
stolen information would be put to good use.
Trust me, Mr. Monsegur said, according to the chat logs.
Everything I do serves a purpose.
Now, sitting in prison, Mr. Hammond wonders if F.B.I. agents might also have
been on the other end of the communications.