Hacker group Lulz Security (aka LulzSec) is on a war path. Following their highly public hacks of the PBS website and SonyPictures.com, LulzSec has now set its sights on the top law enforcement agency in the United State: The Federal Bureau of Investigations.
In a press release posted to anonymous message board PasteBin.com, the group announced that it hacked the website of the Atlanta chapter of Infragard, a non-profit that serves as a partnership between the FBI and private business, which the American Civil Liberties Union describes as “a corporate TIPS program, turning private-sector corporations…into surrogate eyes and ears for the FBI.” LulzSec also uploaded Infragard Atlanta’s user database to the Internet. The group says that the attack was launched in retaliation for NATO and the Pentagon officially declaring hacking an act of war.
“It has come to our unfortunate attention that NATO and our good friend Barrack Osama-Llama 24th-century Obama have recently upped the stakes with regard to hacking. They now treat hacking as an act of war. So, we just hacked an FBI affiliated website (Infragard, specifically the Atlanta chapter) and leaked its user base,” wrote LulzSec. “…Most [Infragard members] reuse their passwords in other places, which is heavily frowned upon in the FBI/Infragard handbook and generally everywhere else too.”
With the user login info at its disposal, LulzSec explains that it then hacked the private Gmail account of one Karim Hijazi, a “whitehat” hacker who owns data security firm Unveillance. LulzSec hacked Unveillance, too, and “briefly took over, among other things, their servers and their botnet control panel,” LulzSec writes.
“After doing so, we contacted Karim and told him what we did. After a few discussions, he offered to pay us to eliminate his competitors through illegal hacking means in return for our silence. Karim, a member of an FBI-related website, was willing to give us money and inside info in order to destroy his opponents in the whitehat world,” writes LulzSec. “We even discussed plans for him to give us insider botnet information.”
This exchange has, in some ways, been confirmed by Hijazi, who posted a statement about the breach and his contact with LulzSec members on the Unveillance website. One glaring difference between the opposing accounts of their discussions remains, however: While LulzSec claims Hijazi tried to pay them to “destroy his opponents,” Hijazi says he was simply extorted by LulzSec.
“Over the last two weeks, my company, Unveillance, has been the target of a sophisticated group of hackers now identified as ‘LulzSec,” writes Hijazi. “During this two week period, I was personally contacted by several members of this group who made threats against me and my company to try to obtain money as well as to force me into revealing sensitive data about my botnet intelligence that would have put many other businesses, government agencies and individuals at risk of massive Distributed Denial of Service (DDoS) attacks.
“In spite of these threats, I refused to pay off LulzSec or to supply them with access to this sensitive botnet information. Had we agreed to provide this data to them, LulzSec would have been able to grow the size and scope of their DDoS attack and fraud capabilities.”
Hijazi also posted a chat log between himself and two members of LulzSec, identified in the chat as “Ninetales” and “hamster_nipples.” The back-and-forth explicitly shows Ninetales mention the word “extortion,” and shows the pair’s attempts to be paid for their “silence.”
“While I do get great enjoyment from obliterating whitehats from cyberspace, I can save this pleasure for other targets,” writes LulzSec’s Ninetails. “Let’s just simplify: you have lots of money, we want more money.”
LulzSec says they were simply trying to “stringing [Hijazi] along to further expose the corruption of whitehats.”
Regardless of who’s telling the truth, it would seem that LulzSec’s war has only just begun, so stay tuned.