Season 3 / Episode 187
The name Lulzsec is probably very familiar to listeners who were around in 2011, when this hacking group was at the peak of its nefarious activity. As their name implies, Lulzsec was known for trolling their victims: their childish behavior might have fooled some people into thinking that Lulzsec was mostly harmless - but as the story you’re about to hear will show, they were anything but.
Hosted By
Ran Levi
Exec. Editor @ PI Media
Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, he created the popular Israeli podcast, Making History, with over 15 million downloads as of July 2022.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.
Special Guest
Karim Hijazi
Founder, CEO & Executive Chairman at Prevailion
Multi-time CEO and Founder of disruptive intelligence solutions and platforms.
Episode Transcript:
Transcription edited by SODA
[Karim] What tipped us off was a very cryptic email I got in the middle of the night. It dawned on me that this was a legitimate malicious group, but I didn’t really know who it was.
[Ran] Hi, and welcome to Cybereason’s Malicious Life B-Sides. I’m Ran Levi.
The name LulzSec is probably very familiar to listeners who were around in 2011, when this hacking group was at the peak of its nefarious activity. The group was responsible for some high-profile attacks against corporations such as Fox News, Sony Pictures, and Bethesda Game Studios, and DDoS attacks against various organizations, including the FBI’s own Detroit office.
LulzSec’s leader was a hacker called Hector Monsegur, aka Sabu, whose arrest we covered in a two-part series called The Stratfor Leaks. As their name implies, LulzSec was known for trolling their victims, defacing websites with internet memes, playing the theme of The Love Boat on their website, and posting silly ASCII art on Twitter. This childish behavior might have fooled some people into thinking that LulzSec was mostly harmless, but as the story we’re about to hear will demonstrate, they were anything but.
Karim Hijazi is the CEO and founder of Prevailion, a cyber intelligence company, and in 2011 he was the CEO of another cybersecurity company when he became a target for LulzSec’s shenanigans. Karim spoke with Nate Nelson, our senior producer, about the not-so-funny experience he had to endure. So, what’s it like to fight LulzSec? Have a listen.
[Nate] What were you up to in 2011 prior to the events of the story we’re about to talk about?
[Karim] Yeah, so I had founded Unveillance in 2010 based on an effort that I was part of with a greater group of people pursuing the Mariposa botnet, if everyone remembers that who’s listening now, pretty famous one. And during that effort, we were able to figure out that there was a really elegant way to intercede on the communications between malware that’s deployed into these victim environments and command and control, which we could actually interdict and essentially take over and collect telemetry on who was victimized.
And through that period, there was a whole uprising of the hacktivist period of time with Anonymous really tied to the whole WikiLeaks mess. And then lo and behold, I ended up getting completely embroiled in it in May of that year, which is where the story begins.
[Nate] Right. So how does somebody like yourself end up in the crosshairs of an international hacktivist group?
[Karim] We did end up taking down part of the infrastructure they had set up to attack some of these organizations, and we didn’t know that we did because our day-to-day job was essentially looking for malware, looking for binaries that were malicious, whether they were built for information harvesting or if they were a part of a denial of service capability. We didn’t care what its malicious intent was. It was fair game for us to pursue. So to the degree that I understand what happened, we took down part of the infrastructure, which essentially drew the fire of LulzSec onto us for a period of time in May through around July of 2011.
[Nate] And can you talk a little bit more about the nature of your work, the nature of the sort of cyber counter-offensives? Because I really dig that stuff.
[Karim] What we’re doing, which is fascinating, is we’re actually in the simplistic form of putting it, which I do every now and then speaking to journalists and whatnot, is we’re hacking hackers. We’re letting potential victims and active victims of these hackers know that these guys have gotten into their environments by way of whatever malware they’ve deployed. And the reason we know this is because the malware is now speaking to infrastructure that we’ve taken over. And so we’re essentially the recipients of the communications from this malware. The malware still thinks it’s speaking to its owner, when in reality it’s actually speaking to us. Because what I am doing is I am trying to identify infrastructure set up by adversaries, either actively or preemptively.
In other words, I’m looking for infrastructure that’s either put into use at the moment or in some cases basically laying in wait and yet to be weaponized out there waiting for either a first stage of infection to happen and then some secondary binary or malicious binaries deployed that will then communicate to this infrastructure that’s not yet even weaponized.
But I’ll find it initially through a variety of kind of tradecraft that we’ve designed over the years. We’re effectively leveling the playing field for the defenders by being slightly disruptive to the bad guys.
[Nate] What was the first sign that you had gotten in trouble?
[Karim] I do recall seeing my email, that email account, an email go from read to unread to read again. I didn’t have an EA, so it wasn’t like there was someone else that was probably going through my personal email account or whatever and toggling it back to set it to read for me. So that put me on a little bit of an edge and it did prompt me to go change all my passwords. So that’s what instigated their frustration, that they no longer had access to that account when I changed the password.
But that was not an indication that I thought I was hacked. It was not an indication that I thought it was LulzSec, nothing like that.
[Nate] How then did you discover who it was?
[Karim] What tipped us off was a very cryptic email I got in the middle of the night in May where the email essentially had one of my, it wasn’t a password to anything critical. It was a password to a personal Gmail account that I had that unbelievably was a variation of a password, admittedly, that I had for InfraGard Atlanta, which they had, if everyone recalls the story, they had also hacked into previously about a month or so prior to that.
So I had no idea it was them. I did initially think, quite frankly, that it could have been a friend that was just goofing around. And then it dawned on me that no, there’s a code of ethics among friends, even in this industry, where you wouldn’t put something as brazen as someone’s password in the subject line of an email.
That goes, that’s pushing the limits a little too far. So it dawned on me that this was a legitimate malicious group, but I didn’t really know who it was until I started communicating with them over an encrypted chat that they had sent me a link to figure out what their demands were, essentially.
And we slowly but surely started to eke out more and more information about who they were.
[Nate] Is it sort of the classic threatening, like, hacktivist groups trying to sound scary? What did they want?
[Karim] Part of the reason why I mentioned that I couldn’t figure out if it was a legitimate threat or if it was possibly a friend playing a really, really over the top practical joke was that it had the password as a subject line, you know, clear text, and then the actual body of email was let’s talk.
That was it.
And yeah, from some sort of email address, I can’t remember what it was. I think back then it was hushmail, if I’m not mistaken. This is before proton mail existed and whatnot. So I think that was the de facto kind of encrypted free mail service that you could send stuff from, if I remember correctly.
And so obviously it was anonymous in terms of the email. There was no way to track back essentially who that was. So I think my response to that email was, what do you want to talk about? And that’s when the subsequent email to mine came back with a link to an encrypted chat.
[Nate] And you realized then that you were dealing with a whole sophisticated organization.
[Karim] I really didn’t think it was a sophisticated group the way it was being handled. But nonetheless, sophistication doesn’t have any bearing on the devastation that can transpire, right? So that was part of my concern is that sometimes the most unskilled can be the most reckless.
So I wasn’t at ease that it was some sort of immature group. It made it even worse in some ways.
[Nate] Yeah, interesting. No, but I’m also thinking I have had at least once or twice an email sent to me with one of my passwords in the subject line because hackers sort of scan those data breaches for your password and then send you those extortion emails.
So how did you know that this was anything other than that?
[Karim] It’s funny because something like this that would have probably hit my inbox all these years later after doing what I do, probably would have gotten ignored. So you bring up an excellent point. I think it was probably the combination of the night before where I saw that shift of the email going from read to unread to read again, and then ultimately changing all the passwords and just kind of having an eerie feeling about it.
I hope nothing bad’s going on. And it was just, by the way, the whole thing with Anonymous, the HBGary mess that happened and the WikiLeaks debacle, was full blown. Everything was going crazy.
[Nate] And just because it seems like important context to the story, can you give me that sort of overview of what was going on at the time? What HBGary was and how the state of security was?
[Karim] Really, this is when WikiLeaks was denied payment processing by several large credit card companies and then some large banks.
And that is what inspired Anonymous to come to the rescue essentially of WikiLeaks to say, look, you’re obstructing free speech, blah, blah, blah. That was their whole mantra.
And really with HBGary, and this is loosely my understanding, they were contracted by some of the banks that had these issues of attacks going on to unearth and identify some of these hackers, specifically LulzSec. And that’s what inspired their attack on them. And it was specifically HBGary Federal. And it was the CEO at the time of Federal that was really, really attacked pretty heavily. And it was a shot heard around the world within the community back then. Big deal for the times.
And so I think what happened really was that this group got a little blood drunk on their capabilities.
They really were good. They had a very interesting methodology, which is they would get into a place, not tell anyone about it, then broadcast to the world through Twitter and other channels that on this exact date, they were going to get into some place. And it made it look like to the general population that they would do what they said they were going to do on the day they were doing it, which is not the case. They already had access. They already had either an implant or some sort of access to an environment, but it made them look a lot more skilled than they actually were.
It was a fairly small group. LulzSec was not this very large contingent. It was probably about five to seven core people.
I think Hector Monsegur was Sabu, if you remember his name, out of New York was the proverbial head of that group, Topiary, a few others.
[AD] The best strategy for organizations to avoid becoming a victim of ransomware is to prevent the attack from being successful in the first place.
Cybereason remains undefeated in the fight against ransomware because it moved beyond alerting to deliver an operation-centric approach that detects and prevents ransomware attacks at the earliest stages of initial ingress and lateral movement.
The Cybereason predictive response capability disrupts ransomware attacks prior to data exfiltration and long before the ransomware payload can be delivered.
Visit cybereason.com to learn more about predictive ransomware protection and how your organization can realize both increased efficiency and efficacy through an operation-centric approach to security operations.
[Nate] Okay, so back to our story. You are now in this, you pursue this encrypted chat link and you’re in an online chat with people who you don’t yet know are LulzSec. How do these conversations go? How do these people talk?
[Karim] They started off very threatening, which is you do anything along the lines of share that this is going on or we’ve gotten into your environment, we’ll dox you immediately.
Hyperbole around, we’re already in all of your infrastructure, we already have it all, which was contradictory to their narrative anyway because they kept asking us for, you better give us the access to this botnet intel, otherwise we’ll do this or that. But it’s in the same breath, we’re already into your infrastructure, we know everything about it.
So there was a lot of cracks in the way that they were threatening, which was good because it gave me the confidence that they were still obviously lusting after something. If they had already gotten it, they would have leveraged it by now.
[Nate] Then because you understood the threats were empty, did you just disregard them and contact law enforcement?
[Karim] I did contact law enforcement immediately, started with local law enforcement, local bureau, FBI bureau, which then escalated into the DC office, which I think at the time was handling the larger, broader problem. They asked me to maintain the communication as long as they possibly could, which was terrible because I’m a going concern of a startup.
The last thing I need to be doing is working as some sort of conduit to a hacker group that would be used by law enforcement to eventually infiltrate and get some of them to turn, which I’m glad they did in the long run.
Naturally, just my concerns were how am I going to maintain operations, what if they eventually do something damaging like disclose that they’ve hacked me as a security firm or an intel firm, I’ll lose all my customers, all the fears that kind of come with that kind of thing. Not to mention the threats that came from this group that go a little deeper. If we have time for this, it’s worthwhile part of the story.
[Nate] Yes, please tell.
[Karim] About two or three months prior to this, Unveillance participated in an open source project with MIT and this group called CSFI, which was an analysis of certain Middle Eastern countries during the Arab Spring. And it was a look at just how infiltrated they were from a malware perspective.
The LulzSec group found that I and my team were an author along with Palantir and a few other companies on this project and used it as leverage to suggest that I was part of some deeper, darker government initiative to go hack into these countries in the Middle East.
[Nate] And they really truly believe this or they were just trolling you?
[Karim] It was a tool, certainly, to sort of say, look, we can attempt to smudge your reputation with this and disseminate false information like this and create a lot more trouble for you if you don’t comply with their demands. I think it was more of a weaponized utility than it was the reason for the coming after me. Because if they had read the document, which is actually still publicly available online, if you look for it, it’s called Project Cyber Dawn, you’ll find it. And it’s not a document that looks like some sort of roadmap for conquest from a cyber perspective in the Middle East. It was simply an analysis of the region.
So I got a whole bunch of fans being sarcastic here over there that wanted to do me some serious harm beyond just sort of keyboard harm. And that was concerning and that was very, very disruptive to our life.
[Nate] Disruptive in what ways?
[Karim] Ultimately, I had to start fielding a lot more hate mail from folks that thought I was part of some initiative to hack into countries. I did indeed get death threats. And that was an unpleasant experience for my family and I, as you can imagine.
So naturally, there was a period where we were in a pretty high state of vigilance. I moved out of the location I was in for a while just to be on the safe side because they did identify that location as where I lived. So the last thing I needed was anyone trying to physically incur it in my environment.
It was not a pleasant situation. So really taxing on the family. My wife and kids at the time were not happy, understandably so. I was not happy. We had to find ways to kind of solve that.
Had that not been part of it, that specific piece, I think this would have been a little bit more, I would never say humorous because, again, I thought my company would be really damaged by it, which it was not, thankfully. But it wouldn’t have been so dire.
[Nate] With all of those threats coming in, were you able to keep a cool head and not give in to them?
[Karim] Yeah. So, you know, in the very beginning, I was as inquisitive as anyone would be concerned, you know, like, hey, you know, what’s going on? Why are you doing this? How did we offend or, you know, along those lines? I’m paraphrasing, obviously.
And once they were threatening enough where it was childish a bit, then I was able to get a little bit more. Well, I’m not giving you anything. So too bad.
And, you know, I’ll be very honest. The reason I was not going to do it was, one, ethically, that would be completely terrible to do, A; but then B, it would have made me an accessory to some horrible, horrible events that could have happened if they had gotten control of some of the stuff that we had taken over, right? We would have amplified their capability incredibly.
So it was a very, I had a very clear, unfortunately clear idea of what I had to do. It wasn’t me being blustery for no reason. It was because there was no other option.
[Nate] And did you already spell out before what exactly you had that they wanted, the counterintelligence data?
[Karim] I don’t think I did.
So what we had as Unveillance was control of a slew of command and control domains for a variety of different botnets that could have been leveraged by this group in ways that you can only imagine, right?
They could have used it to further perpetuate subsequent infections and persistent malware into these environments. They could have used some of the larger botnets that we had been able to infiltrate for other denial of service attacks. And at minimum, it would have given them a really phenomenal lay of the land of who’s compromised.
So beside the utility of the botnet, they would have seen all the telemetry and the beacons from the organizations that already were compromised, which would have given them a much bigger list of viable targets.
[Nate] OK, so they’re pestering you and you can’t budge. How does this end?
[Karim] So I communicated with them for probably close to four to five days. And then, interestingly enough, they did go dark on me and there was no response. And now, you know, I know what to think of much. They ultimately did dox.
I think a few thousand of my personal emails from that email account that they had gotten into, that didn’t have anything really critical in there. So it really wasn’t a big deal. They didn’t compromise anything from my organization. So that was a relief.
Then in the end, they were all talk and no game. Putting two and two together, Nathaniel, I think the period of time when I was communicating with them was when law enforcement had been able to get in touch and turn the key member there. And I think that that shut down was essentially when that team member started to out all the rest of these groups. And that’s when things really sort of took a turn.
[Nate] You know, I hadn’t actually really considered it before, but you’re right. I mean, in the CNET article, I see that some of the emails they were targeted as 26th of May. So you were talking in late May and Hector Monsegur was being staked out by I think it was the FBI in early June. So you really were right at the peak slash end of LulzSec.
[Karim] We did actually find Hector.
Now, I don’t want to broadcast that we can take credit for identifying who he was and delivering that information to law enforcement. What we did to identify him is that, and this is classic, somewhere along the way one of the domains that was tied to an IP that he was using to communicate with did have his real name on it, that was registered years and years prior.
We weren’t confirmed on who he was, but we found the name. It was such a unique name. We remember identifying it and passing it on to law enforcement contacts. And, you know, as with anything in that time frame and with anyone that’s ever dealt with law enforcement, it’s one directional. You hand it over and you hope for the best and you wonder if it was useful.
We never knew that until everything was said and done. And so it’s a testament to the fact that I don’t care how sophisticated you are as a threat actor. You’re never going to be born into this. You’re going to have an identity. You’re going to have the footprints that is inevitably going to be tied to your existence.
[Nate] And how do you feel after, you know, you have this kind of what I imagine to be scary period of time?
Maybe you handled it well, but it must have been intimidating in some regard. These hackers are threatening you in this way or that. You don’t really know who they are because they’re faceless.
And then not long after that, you see that, I mean, look, Hector Monsegur has been doing interviews since that time. He’s like a super ordinary-seeming guy. How do you, how does that track with your experience?
[Karim] Well, it’s funny because one of the most famous lines that I said that still gets quoted today in one of the interviews, I think it was a CNN interview I did at the time about the events that happened.
And I said the sophistication of the communication, the way they were communicating with me indicated their age. I’m not talking about necessarily their actual age, but certainly the level of sophistication we were dealing with was low. It just wasn’t that good.
Look, being someone that had a fight with this group, I’d love to claim that this was the most sophisticated hacker group in the world. But it really was not. It was a particularly annoying one that did a really good job of Twitter jockeying effectively. And that’s how I feel about it today.
[Nate] OK, well, I mean, these days we have fewer of those more informal hacktivist groups that you had to deal with and more, I guess, institutional cybercrime operations.
As you think back to the story, is there anything that you learned from your experience with LulzSec that can help people being targeted by today’s hacker groups or that helps you in your own work?
[Karim] I think, you know, with what I do today, there’s a delicate balance that needs to be struck between how much you push.
As certainly you mentioned this earlier on, a private sector organization that is doing something that normally a government might be considered able to do, how much you can actually get away with without drawing even worse fire than something like a LulzSec. And there’s plenty of that out there now, as you properly articulated.
So I do kind of measure my approach now and say, all right, just how far would I go here? And that’s a hard line to draw. It isn’t something that’s very clear. There are times where I have the means to really impact a terrible scourge of an APT group and I choose to do it and I sit there and worry a little bit for a few weeks after it happens and hope that everything dies down and cools down and it does. And then there are times where I’ll choose not to because I think it just might be too much.