Hacker OPSEC

STFU is the best policy.

When in Doubt, It's a Tout

Robust Operational Security Practices Aren’t Enough

A British man, Lauri Love, has been indicted for hacking. The indictment is thin on details, but does have some interesting OPSEC insights that can be teased out by the patient reader.

The indictment of Lauri Love doesn’t reveal much about how he was identified. There is some interesting information about the operational security measures taken by his crew, and they appear robust. The lack of information on how Mr Love was caught, along with the revelation of good security practices, suggests one thing: informant.

This post will only highlight the good operational security practices of the hacker group, since we don’t know what the mistakes were.

Indictment Critical Analysis

The indictment lists four members of the crew:

  1. Lauri Love, “nsh”, “peace”, “route”
  2. CC-1 “in New South Wales, Australia”
  3. CC-2 “in Australia”
  4. CC-3 “in Sweden”

If I were to venture a guess, I’d reckon that CC-1 was caught first and became the informant used to take down the crew. I think this because CC-1 has the most specific geographic information, and the others are more vague in their location, as if a lot of effort was invested in locating CC-1, and then the investigation focused on Mr Love.

Timeline

  • October, 2012: Start of the conspiracy
  • October 2, 2012: Army Network Enterprise Technology Command (“NETCOM”) hack
  • October 6, 2012: log of nsh on IRC discussing NETCOM hack with CC-1, later w/ CC-2
  • October 7-8, 2012: Army Contracting Command’s Army Materiel Command (“ACC”) SQLI hack
  • October 10, 2012: LOVE discusses ACC hack on IRC
  • October, 2013: End of the conspiracy

Hacking 101

The crew used scanners to locate vulnerable servers to exploit, and they shared the findings via their IRC.

peace: so can pivot and scan for other vulns [vulnerabilities] 
peace: we might be able to get at real confidential shit

The crew used SQLI and ColdFusion exploits.

The crew used proxies and Tor to mask the origins of their attacks.

conceal their attacks by disguising, through the use of Proxy Servers, the IP addresses from which their attacks originated. Defendant LOVE and the other Co-Conspirators further used the Tor network, which was an anonymizing proxy service, to hide their activities.

Operational Security Measures

Migration

The crew moved comms to new systems and changed their identities when they did so. This is a very good practice. Unfortunately, it appears that at least one member was logging the comms traffic. This created a security problem that could be exploited by the authorities.

route: consideration 1 : behaviour profile should not change 
route: public side i mean 
route: so whatever "normal", activities we do 
route: should continue 
route: but we move from this irc to better system 
route: also 
route: these nicks should change 
route: i think 
route: when we get on new communications 
route: all new names

OPSEC Violation: No logs, no crime. Do not keep any unnecessary logs. If there is operationally critical information, make a record of that information. Practically, this means: cut and paste into a file; keep that file encrypted.

OPSEC Lesson: Migrating communications infrastructure and changing identities regularly is a good idea. It creates chronologically compartmented silos of info that limit the impact of a compromise. It can provide plausible deniability, and it can reduce the severity of a compromise. Do not contaminate between the compartments. And, of course, ensure that each commo channel is secure.

Logistical Compartmentation

For at least some operations (all?) the crew spun up a new dedicated support server. This compartmented server was then discarded after use to minimize the connection to the group and any other operations. This is very effective OPSEC.

CC#2: but server must have no link to you or us
peace: :)
CC#2: when done we kill it
CC#2: for this plan
CC#2: we can reopen another one for other ongoing stuff
CC#2: but once this plan done we need to make sure they cannot all trace it back to us

OPSEC Lesson: Compartment as much as possible for each operation to avoid linking separate ops together. This also helps contain the damage if an operation is compromised and an investigation launched. Dedicated logistical infrastructure is best. Don’t forget to sanitize it, both at the beginning and the end of the op.

Conclusion

Even a group with robust operational security practices is vulnerable to the oldest trick in the book: the informant. The take-away lessons are slightly more interesting:

  • Migrate comms and identity on a regular basis
  • Never store incriminating logs
  • Compartment heavily, and sanitize frequently

So it is sad news for Mr Lauri Love facing hacking charges, but at least there are some valuable OPSEC lessons for the rest of us. Remember: No logs, no crime.