An informant working for the FBI directed at least one hacker to extract vast amounts of data - from bank records to login information - from the government servers of a number of countries.
An informant working for the FBI coordinated a 2012 campaign of hundreds of cyberattacks on foreign websites, including some operated by the governments of Iran, Syria, Brazil and Pakistan, according to documents and interviews with people involved in the attacks.
Exploiting a vulnerability in a popular Web hosting software, the informant directed at least one hacker to extract vast amounts of data - from bank records to login information - from the government servers of a number of countries and upload it to a server monitored by the FBI, according to court statements.
The details of the 2012 episode have, until now, been kept largely a secret in closed sessions of a federal court in New York and heavily redacted documents. While the documents do not indicate whether the FBI directly ordered the attacks, they suggest that the government may have used hackers to gather intelligence overseas even as investigators were trying to dismantle hacking groups like Anonymous and send computer activists away for lengthy prison terms.
The attacks were coordinated by Hector Xavier Monsegur, who used the Internet alias Sabu and became a prominent hacker within Anonymous for a string of attacks on high-profile targets including PayPal and MasterCard. By early 2012, Monsegur, of New York, had been arrested by the FBI and had already spent months working to help the bureau identify other members of Anonymous, according to previously disclosed court papers.
One of them was Jeremy Hammond, then 27, who, like Monsegur, had joined a splinter hacking group from Anonymous called Antisec. The two men had worked together in December 2011 to sabotage the computer servers of Stratfor Global Intelligence, a private intelligence firm based in Austin, Texas.
Shortly after the Stratfor incident, Monsegur, 30, began supplying Hammond with lists of foreign websites that might be vulnerable to sabotage, according to Hammond, in an interview, and chat logs between the two men. The New York Times petitioned the court last year to have those documents unredacted, and they were submitted to the court last week with some of the redactions removed.
"After Stratfor, it was pretty much out of control in terms of targets we had access to," Hammond said during an interview earlier this month at a federal prison in Kentucky, where he is serving a 10-year sentence after pleading guilty to the Stratfor operation and other computer attacks inside the United States. He has not, however, been charged with any crimes in connection with the hacks against foreign countries.
Hammond would not disclose the specific foreign government websites that he said Monsegur had asked him to attack, one of the terms of a protective order imposed by the judge. The names of the targeted countries are also redacted from court documents. But according to an uncensored version of a court statement by Hammond, leaked online the day of his sentencing in November, the target list was extensive and included more than 2,000 Internet domains. The document said that Monsegur had directed Hammond to hack government websites in Iran, Nigeria, Pakistan, Turkey, Brazil and other government sites, like those of the Polish Embassy in Britain and the Ministry of Electricity in Iraq.
An FBI spokeswoman declined to comment, as did lawyers for Monsegur and Hammond.
The hacking campaign appears to offer further evidence that the U.S. government has exploited major flaws in Internet security - so called "zero-day" vulnerabilities like the recent Heartbleed bug - for intelligence purposes. Recently, the Obama administration decided it would be more forthcoming in revealing the flaws to industry, rather than stockpiling them until the day they are useful for surveillance or cyberattacks. But it carved a broad exception for national security and law enforcement operations.
Hammond, in the interview, said that he and Monsegur had become aware of a vulnerability in a web-hosting software called Plesk that allowed backdoor access to thousands of websites. Another hacker alerted Hammond to the flaw, which allowed Hammond to gain access to computer servers without needing a user name or password. Over several weeks in early 2012, according to the chat logs, Monsegur gave Hammond new foreign sites to penetrate. During a Jan. 23 conversation, Monsegur told Hammond he was in search of "new juicy targets," the chat logs show. Once the websites were penetrated, according to Hammond, emails and databases were extracted and uploaded to a computer server controlled by Monsegur.
The sentencing statement also said that Monsegur directed other hackers to give him extensive amounts of data from Syrian government websites, including banks and ministries of the government of President Bashar Assad.
"The FBI took advantage of hackers who wanted to help support the Syrian people against the Assad regime, who instead unwittingly provided the U.S. government access to Syrian systems," the statement said.
The court documents also refer to Monsegur giving targets to a Brazilian hacker. The hacker, who uses the alias Havittaja, has posted online some of his chats with Monsegur in which he was asked to attack Brazilian government websites.
One expert said that the court documents in the Hammond case were striking because they offered the most evidence to date that the FBI might have been using hackers to feed information to other U.S. intelligence agencies. "It's not only hypocritical but troubling if indeed the FBI is loaning its sting operations out to other three-letter agencies," said Gabriella Coleman, a professor at McGill University and author of a forthcoming book about Anonymous.
During the prison interview, Hammond said he did not have success hacking a large number of the Plesk websites that Monsegur had identified, and his ability to create a so-called back door to a site depended on which operating system it ran on.
He added that Monsegur never carried out the hacks himself, but repeatedly asked Hammond for specific details about the Plesk vulnerability. "Sabu wasn't getting his hands dirty," he said.
Federal investigators arrested Monsegur in mid-2011, and his cooperation with the FBI against members of Anonymous appears to have begun soon after.
In a closed hearing in August 2011, a federal prosecutor told a judge that Monsegur had been "cooperating with the government proactively" and had "literally worked around the clock with federal agents" to provide information about other hackers - whom he described as "targets of national and international interests."
"During this time the defendant has been closely monitored by the government," said the prosecutor, James Pastore, according to a transcript of the hearing. "We have installed software on a computer that tracks his online activity. There is also video surveillance in the defendant's residence."
Monsegur's sentencing hearing has been repeatedly delayed, leading to speculation that he is still working as a government informant. His current location is unknown.
Exactly what role behind the scenes the FBI played during the 2012 attacks is unclear. Hammond said he had been in constant contact with Monsegur through encrypted Internet chats. The two men often communicated using Jabber, a popular messaging platform among hackers. Monsegur used the alias Leondavidson and Hammond used Yohoho, according to the court records.
During one of the conversations, on Feb. 15, 2012, Hammond said he hoped that all of the stolen information would be put "to good use."
"Trust me," Monsegur said, according to the chat logs. "Everything I do serves a purpose."
Now, sitting in prison, Hammond wonders if FBI agents might also have been on the other end of the communications.
© 2014, The New York Times News Service