When in doubt, it’s a tout
Robust Operational Security Practices Aren’t Enough
A British man, Lauri Love, has been indicted for hacking. The indictment is thin on details, but does have some interesting OPSEC insights that can be teased out by the patient reader.
The indictment of Lauri Love doesn’t reveal much about how he was identified. There is some interesting info about the operational security measures taken by his crew, and they appear robust. The lack of information on how Mr Love was caught, along with the revelation of good security practices, suggests one thing: informant.
This post will only highlight the good operational security practices of the hacker group, since we don’t know what the mistakes were.
Indictment Critical Analysis
The indictment lists four members of the crew:
- Lauri Love, “nsh”, “peace”, “route”
- CC-1 “in New South Wales, Australia”
- CC-2 “in Australia”
- CC-3 “in Sweden”
If I were to venture a guess, I’d reckon that CC-1 was caught first and became the informant used to take down the crew. I think this because CC-1 has the most specific geographic information, while the others are more vague in their location. It reads as if a lot of effort was invested in locating CC-1, after which the investigation focussed in on Mr Love.
- October, 2012: Start of the conspiracy
- October 2, 2012: Army Network Enterprise Technology Command (“NETCOM”) hack
- October 6, 2012: log of nsh on IRC discussing NETCOM hack with CC-1, later w/ CC-2
- October 7-8, 2012: Army Contracting Command’s Army Materiel Command (“ACC”) SQLI hack
- October 10, 2012: LOVE discusses ACC hack on IRC
- October, 2013: End of the conspiracy
The crew used scanners to locate vulnerable servers to exploit, and they shared the findings via their IRC.
peace: so can pivot and scan for other vulns [vulnerabilities]
peace: we might be able to get at real confidential shit
The crew used SQLI and ColdFusion exploits.
The crew used proxies and Tor to mask the origins of their attacks.
conceal their attacks by disguising, through the use of Proxy Servers, the IP addresses from which their attacks originated. Defendant LOVE and the other Co-Conspirators further used the Tor network, which was an anonymizing proxy service, to hide their activities.
Operational Security Measures
The crew moved comms to new systems and changed their identities when they did so. This is a very good practice. Unfortunately, it appears that at least one member was logging the comms traffic. This created a security problem that could be exploited by the authorities.
route: consideration 1 : behaviour profile should not change
route: public side i mean
route: so whatever "normal", activities we do
route: should continue
route: but we move from this irc to better system
route: also
route: these nicks should change
route: i think
route: when we get on new communications
route: all new names
OPSEC Violation: No logs, no crime. Do not keep any unnecessary logs. If there is operationally critical information, make a record of that information. Practically, this means: cut and paste into a file; keep that file encrypted.
OPSEC Lesson: Migrating communications infrastructure and changing identities regularly is a good idea. It creates chronologically compartmented silos of info that limit the impact of a compromise. It can provide plausible deniability, and it can reduce the severity of a compromise. Do not contaminate between the compartments. And, of course, ensure that each commo channel is secure.
For at least some operations (all?) the crew spun up a new dedicated support server. This compartmented server was then discarded after use to minimize the connection to the group and any other operations. This is very effective OPSEC.
CC#2: but server must have no link to you or us
peace: :)
CC#2: when done we kill it
CC#2: for this plan
CC#2: we can reopen another one for other ongoing stuff
CC#2: but once this plan done we need to make sure they cannot all trace it back to us
OPSEC Lesson: Compartment as much as possible for each operation to avoid linking separate ops together. This also helps contain the damage if an operation is compromised and an investigation launched. Dedicated logistical infrastructure is best. Don’t forget to sanitize it, both at the beginning and the end of the op.
Even a group with robust operational security practices is vulnerable to the oldest trick in the book: the informant. The take-away lessons are slightly more interesting:
- Migrate comms and identity on a regular basis
- Never store incriminating logs
- Compartment heavily, and sanitize frequently
So it is sad news for Mr Lauri Love facing hacking charges, but at least there are some valuable OPSEC lessons for the rest of us. Remember: No logs, no crime.