Hacktivism: Online Covert Action Hacktivist groups Online Humint Effects Operations TOP SEC RETYCOMENTNREL TO USA_ AUS. CAN. GBIR, NZL Hacktivist groups They are diverse and often have nnultip[e, varied aims Anonymous LulzSec A-Team Syrian Cyber Army Targets include: Corporations, banks, governments, copyright associations, political parties Techniques: DDoS, data theft — SQLi, social engineering Aims: TOP SEC RETI1COMINTAREL TO LISA_ AUS_ CAN GBR Online HUMINT -CHIS 2 Examples from Anonymous IRC Channels: Gzero POke TOP SECRETHCOMINTMEL TO USA. AUS. CAN. GBR. NZL Gzero Asking for traffic Engaged with target Discovered Botnet with rnalware analysis & SiGINT Outcome: Charges, arrest, conviction TOP SECRET/COM INTYIREL TO USA. AUS. CAN_ GBR. N7L gaper at iorPa balk [11:26] Anyone here have access to a welbsite with atleast 10,000+ unique traffic per day [11:27] <CRIS> adain access to it? [11:27] FTP accessiciPanel yes_ Private Messages [11:28] SCHISu maybe, what do you want it for [11:28] What's the traffic rate? [11:28] It'll help the op [11:29] <CHtS3 mine got 27k per day yesterday {gran) [11:29] Love it [11:29] Using TPG's? [11:30] <CITIS it's here [11:32] Pretty each it's a crypted 'frame which will attempt to attack all PC's heading to that wensite. [11:22] if they have vuln software they're added to a net that is used for OP Paybacks D005 artillery 01[11:32] <CPIS> so you will use exploit or some javascript thing? [11:32] If they are not voin then nothing happens [11:32] Yes [11:13] The frame is obfuscated 15 TOP SECRET#COMINTRREL TO USA. AUS. CAM. GBIR. Na GZero [15:16] (6Zero, yo [15:16] c62eno) works with me [15:16] <G2ero> i need traffic [15:16] <CRIS> hey. Infrastructure [15:17] (CHIS› what for? 115:171 <G2eros exploit pack WHO'S: gzero [15:12] c62ero› will pay you if traffic is [15:17] caZero> v wanna talk? [15:19] (62aro) http://alpha_bax.sidhits.txt - 'Feed to make this bigger ;) [15:19] (Hero> http://pastebin.conall= - 15 for iframe [15:19] cGaror http://alpha.bOx.soficlitcomog.php Live URL 1 ,, Stage implant: [15:19] (Gam> U haae traffic? Lead to 2r" stage & WARPIG [15:21] (MIS> so what is at that page anyway? botnet, SpyEye malware [15:21] c62ero) several exploits [15:21] <COIS> yeah I've got traffic. got 92k hits yesterday. [15:22] (aZera› ok [15:22] <Gam> lets talk :p TOP SECRETAICOMINTUREL TO USA. AUS. CAN. GBR. NZL Online Humint - Gzero JTRIG & SIGINT reporting lead to identification, arrest Sentenced for 2 years — April 2012 Backer jailed for stealing 8 million identities 31d rumen,: Ecs be-rc s,..5r.sard ra -NS re alr.%-qi, eroag-xoaarz ; • . nomrs. &au 36-0:Arrapag.3rs 1 • 23.,ear-dd Ed&rd Nam, sped r. as tsgo Ideried. trEeind bars for es hagasp sLeee. Tee soetema, ten omaw N ee ruda Mae me sO eadd ham tee haie amr...rfi ei prim -des Tice Er3i5h NKker used dw bnaM Solve- Tra.ss: rd 1312.g CLIF dial Fez ilk-nkLara betray. Jarzatr 1.2010. Si August 30. 301 from an uldsda,ad ware. 0.0 ,-s dies. pa.ce ku,d 20G. OW 1,17,1n radal eaur 0.701 Cal. ,.- tr .as As, :7.914 rime, G ies brrd, and reRierKs teehtds NaFad •,- 4,4412 A.m. Pr, Mi e l it zeta fa 67.5:9 3,ee-siS20 paw accacd-ry k aL..tharids. TOP SECRET/FOOL' INTHRIEL TO LISA. AUS. CAN. GBR 1,121 pOke Discussing a database table labelled 'MI', in Anon Ops IRC Engaged with target — exploiting US Government website, US company website 7,0perationPayback ;19:40] s&pOke> Topiary: I has list of email:phonenumber:nane of 100 fBI -lands [19:40] (U.Bkes :P [19:41] (Topiarp what about passwords? :19:41] <P,ceke> It was dumped from another giro lb, Topiary :19:41] (13Aiker I table natied fbi [19:42] a Topiary> ah, like an FBI affiliated contact userbase? [19:42] sarrOke> that was all it contained 13: TOP SECRETACOMINTUREL TO USA. AUS. CAN. GBE. NZL poke Private messages pa:e4j 11= sG what was the site?! [29:04] if its special j) [29794] rpeke5 usda.gov [29 :88] :C. did you get past the site db tho? [Mee] ( eke> Yep [20:13] so u had a poke around on the network? lol [20:13] (peke> web a lil [20:13] <peke, hause.gov [20:13) (peke> PIAK:11111M [email protected] [ 29 23] < pek e > VISA: Illtegineil.af -mil TOP SECIRIETVCOMMWREL TO USA. AUS. CAN. GB:R. NA POke Identification UMW' NEWS r.ECHNOLOGY VA. ktres the Foe k tiles Is, Private messages It' [21:67] oh btw have you seen this [21:08] [21:89] cool hub? [21:11] <peke) Ya ...Enabled POke: Name: Facebook, email accounts TOP SECREIMOMINTAREL TO USA. AIDS, CAN. GBIR. NZL Effects on Hacktivisim Op WEALTH — Summer 2011 Intel support to Law Enforcement — identification of top targets 6' Denial of Service on Key Communications outlets 0 Information Operations TOP SECRE1TCOMINTMELTO USA. AUS. CAN. GBR. Na DDoS ROLLING THUNDER • RT initial trial info [15:40] <srewder> hello, was there any problem with the irc network? i wasnt able to -connect the past 30 hours. [15:42) <speakeasy> yeah [1.5:42] <speakeasy> were being hit by a syn flood [16744] <speakeasy> i didn't know whether to -quit last night, because of the ddos anon_anons ■ Ei - : anocns.'s i Larigo clovm ( anon_anonz 20ptiba0nefeetton morice the typo) en YouTube anon _anon on ,...7itter nickname etude as 2110111 anonops li beat* ariorop5 TOP SECRETY/COMINTEREL TO USA_ AUS, CAN. GBR. 10 Outcome CH IS with 80% of those messaged where not in the IRC channels 1 month later TOP SECRETICOMINTUREL TO LISA. AUS. CAN_ GE R. NZL Conclusion Team working —SIGENT, JTRIG, CDO, ll\10C— was key to success Online Covert Action techniques can aid cyber threat awareness Effects can influence the target space - OP SECRETPCOMINDIREL TO LISA. AUS. CAN. GBR. NZL .