Members of the Anonymous movement, including alleged ringleader-turned-informant Hector “Sabu” Monsegur, may have played a crucial role in helping cybersecurity experts zero in on the Chinese hackers profiled in a highly touted report released this week.
In a report published Tuesday by Northern Virginia information security company Mandiant, an elusive cybersquadron of hackers working for China’s People’s Liberation Army is linked to the compromise of as many as 141 companies across 20 major industries in recent years, including a corporation with access to Canada’s oil pipelines and entities of the United States government.
At around 70 pages, the report offers an introduction to the group, Unit 61398, and explains how computer experts at Mandiant were able to come close to pinpointing three agents within the “Advanced Persistent Threat” group, or APT1, that they believe have participated in a covert cyberwar against the US on behalf of the Chinese military.
Buried deep in the report, however, is evidence that Mandiant didn’t do all the work alone: the authors of “Exposing One of China’s Cyber Espionage Units” say that a 2011 hack perpetrated by the loose-knit Anonymous collective was instrumental in making headway on the identity of the Far East hackers.
In the report, Mandiant offers a brief profile of three hackers believed to be involved with APT1: “uglygorilla,” “DOTA” and “SuperHard.” While the company acknowledges that its investigation into the unit has been underway for several years already, Mandiant says information released by Anonymous in 2011 has helped it come closer to catching the accused cybercriminals.
In 2011, Anonymous retaliated against so-called security firm HBGary after hacktivists became aware that the company’s CEO, Aaron Barr, had infiltrated the movement and planned to rat out the identities of Anons to federal investigators. In response, Anonymous waged an all-out war on HBGary and its associates, hacking the company’s websites, stealing tens of thousands of emails and compromising the online accounts registered to most of the group’s staff. Among the sites targeted was rootkit.com, a coding website founded by HBGary associate Greg Hoglund. After Anons compromised accounts belonging to Barr, they used their newfound access to get into Hoglund’s corporate email, and from there they socially engineered a colleague of his in order to obtain access to rootkit.com.
In her 2012 book We Are Anonymous, author Parmy Olson says Anon hackers “had complete control of rootkit.com” and quickly attempted to ravage the site in conjunction with other attacks waged at HBGary and Mr. Barr.
“First they took the usernames and passwords of anyone who had ever registered on the site, then deleted its entire contents. Now it was just a blank page reading ‘Greg Hoglund = Owned,’” Olson writes.
Next, Anonymous publicly released a file that contained the usernames, passwords and other log-in credentials for every registered account on rootkit.com. Among those, says Mandiant, were log-ins for both “uglygorilla” and “SuperHard,” two identities security experts believe to be registered to Chinese hackers working in Unit 61398.
“[T]he disclosure of all registered ‘rootkit.com’ accounts published by Anonymous included the user “uglygorilla” with the registered email address firstname.lastname@example.org. This is the same email used to register for the 2004 PLA forum and the zone hugesoft.org,” claims Mandiant, referring to the Chinese military branch and another hacker-friendly website believed to be founded by the person using the “uglygorilla” name, respectively.
Mandiant says the trove of information didn’t run dry with just that one link, though. Also included in the leaked rootkit.com account data was the IP address uglygorilla used to sign up for the website, which matched a Shanghai-area address all but certainly tied to Unit 61398, as well as information about another alleged Chinese hacker.
“Once again, in tracking [SuperHard] we are fortunate to have access to the accounts disclosed from rootkit.com. The rootkit.com account ‘SuperHard_M’ was originally registered from the IP address 220.127.116.11, within one of the known APT1 egress ranges,” Mandiant reports.
Olson says the hack against HBGary was spearheaded by Hector Xavier Monsegur, or “Sabu,” the alleged ringleader of the Anon sect LulzSec, who was arrested by the FBI several months later and has since become a federal informant for the agency. Monsegur is expected to be sentenced in a New York City courtroom on Friday for a laundry list of criminal activity linked to Anonymous, including hacking HBGary and gaining unauthorized access to Hoglund’s site. Meanwhile, Mandiant says that the infamous hugesoft.org zone website registered to uglygorilla has remained continuously active, at least up until the release of its report this week.
After his 2011 arrest, Monsegur allegedly aided authorities in rounding up other hackers internationally. He is believed to have been provided with a server by the FBI that was allegedly used by activist Jeremy Hammond to upload files taken in late 2011 from private intelligence firm Stratfor. Hammond himself will be in court this week for a hearing regarding that case.