What it’s Like to Fight LulzSec [ML B-Side]

The name Lulzsec is probably very familiar to listeners who were around in 2011, when this hacking group was at the peak of its nefarious activity. As their name implies, Lulzsec was known for trolling their victims: their childish behavior might have fooled some people into thinking that Lulzsec was mostly harmless - but as the story you’re about to hear will show, they were anything but.

Hosted By

Ran Levi

Exec. Editor @ PI Media

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, he created the popular Israeli podcast, Making History, which had over 15 million downloads as of July 2022.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

Special Guest

Karim Hijazi

Founder, CEO & Executive Chairman at Prevailion

Multi-time CEO and Founder of disruptive intelligence solutions and platforms.

Episode Transcript:

Transcription edited by SODA

[Karim] What tipped us off was a very cryptic email I got in the middle of the night. It dawned on me that this was a legitimate malicious group, but I didn’t really know who it was.

[Ran] Hi, and welcome to Cybereason’s Malicious Life B-Sides. I’m Ran Levi.
The name LulzSec is probably very familiar to listeners who were around in 2011, when this hacking group was at the peak of its nefarious activity. The group was responsible for some high-profile attacks against corporations such as Fox News, Sony Pictures, and Bethesda Game Studios, and DDoS attacks against various organizations, including the FBI’s own Detroit office.
LulzSec’s leader was a hacker called Hector Monsegur, aka Sabu, whose arrest we covered in a two-part series called The Stratfor Leaks. As their name implies, LulzSec was known for trolling their victims, defacing websites with internet memes, playing the theme of The Love Boat on their website, and posting silly ASCII art on Twitter. This childish behavior might have fooled some people into thinking that LulzSec was mostly harmless, but as the story we’re about to hear will demonstrate, they were anything but.
Karim Hijazi is the CEO and founder of Prevailion, a cyber intelligence company, and in 2011 he was the CEO of another cybersecurity company when he became a target for LulzSec’s shenanigans. Karim spoke with Nate Nelson, our senior producer, about the not-so-funny experience he had to endure. So, what’s it like to fight LulzSec? Have a listen.

[Nate] What were you up to in 2011 prior to the events of the story we’re about to talk about?

[Karim] Yeah, so I had founded Unveillance in 2010 based on an effort that I was part of with a greater group of people pursuing the Mariposa botnet, if everyone remembers that who’s listening now, pretty famous one. And during that effort, we were able to figure out that there was a really elegant way to intercede on the communications between malware that’s deployed into these victim environments and command and control, which we could actually interdict and essentially take over and collect telemetry on who was victimized.
And through that period, there was a whole uprising of the hacktivist period of time with Anonymous really tied to the whole WikiLeaks mess. And then lo and behold, I ended up getting completely embroiled in it in May of that year, which is where the story begins.

[Nate] Right. So how does somebody like yourself end up in the crosshairs of an international hacktivist group?

[Karim] We did end up taking down part of the infrastructure they had set up to attack some of these organizations, and we didn’t know that we did because our day-to-day job was essentially looking for malware, looking for binaries that were malicious, whether they were built for information harvesting or if they were a part of a denial of service capability. It was we didn’t care if it was malicious in its intent. It was fair game for us to pursue. So to the degree that I understand what happened, we took down part of the infrastructure, which essentially drew the fire of LulzSec onto us for a period of time in May through around July of 2011.

[Nate] And can you talk a little bit more about the nature of your work, the nature of the sort of cyber counter-offensives? Because I really dig that stuff.

[Karim] What we’re doing, which is fascinating, is we’re actually in the simplistic form of putting it, which I do every now and then speaking to journalists and whatnot, is we’re hacking hackers. We’re letting potential victims and active victims of these hackers know that these guys have gotten into their environments by way of whatever malware they’ve deployed. And the reason we know this is because the malware is now speaking to infrastructure that we’ve taken over. And so we’re essentially the recipients of the communications from this malware. The malware still thinks it’s speaking to its owner, when in reality it’s actually speaking to us. Because what I am doing is I am trying to identify infrastructure set up by adversaries, either actively or preemptively.
In other words, I’m looking for infrastructure that’s either put into use at the moment or in some cases basically laying in wait and yet to be weaponized out there waiting for either a first stage of infection to happen and then some secondary binary or malicious binaries deployed that will then communicate to this infrastructure that’s not yet even weaponized.
But I’ll find it initially through a variety of kind of tradecraft that we’ve designed over the years. We’re effectively leveling the playing field for the defenders by being slightly disruptive to the bad guys.

[Nate] What was the first sign that you had gotten in trouble?

[Karim] I do recall seeing my email, that email account, an email go from read to unread to read again. I didn’t have an EA, so it wasn’t like there was someone else that was probably going through my personal email account or whatever and toggling it back to set it to read for me. So that put me on a little bit of an edge and it did prompt me to go change all my passwords. So that’s what instigated their frustration, that they no longer had access to that account when I changed the password.
But that was not an indication that I thought I was hacked. It was not an indication that I thought it was LulzSec, nothing like that.

[Nate] How then did you discover who it was?

[Karim] What tipped us off was a very cryptic email I got in the middle of the night in May where the email essentially had one of my, it wasn’t a password to anything critical. It was a password to a personal Gmail account that I had that unbelievably was a variation of a password, admittedly, that I had for InfraGard Atlanta, which they had, if everyone recalls the story, they had also hacked into previously about a month or so prior to that.
So I had no idea it was them. I did initially think, quite frankly, that it could have been a friend that was just goofing around. And then it dawned on me that no, there’s a code of ethics among friends, even in this industry, where you wouldn’t put something as brazen as someone’s password in the subject line of an email.
That goes, that’s pushing the limits a little too far. So it dawned on me that this was a legitimate malicious group, but I didn’t really know who it was until I started communicating with them over an encrypted chat that they had sent me a link to figure out what their demands were, essentially.
And we slowly but surely started to eke out more and more information about who they were.

[Nate] Is it sort of the classic threatening, like, hacktivist groups trying to sound scary? What did they want?

[Karim] Part of the reason why I mentioned that I couldn’t figure out if it was a legitimate threat or if it was possibly a friend playing a really, really over the top practical joke was that it had the password as a subject line, you know, clear text, and then the actual body of email was let’s talk.
That was it.
And yeah, from some sort of email address, I can’t remember what it was. I think back then it was hushmail, if I’m not mistaken. This is before proton mail existed and whatnot. So I think that was the de facto kind of encrypted free mail service that you could send stuff from, if I remember correctly.
And so obviously it was anonymous in terms of the email. There was no way to track back essentially who that was. So I think my response to that email was, what do you want to talk about? And that’s when the subsequent email to mine came back with a link to an encrypted chat.

[Nate] And you realized then that you were dealing with a whole sophisticated organization.

[Karim] I really didn’t think it was a sophisticated group the way it was being handled. But nonetheless, sophistication doesn’t have any bearing on the devastation that can transpire, right? So that was part of my concern is that sometimes the most unskilled can be the most reckless.
So I wasn’t at ease that it was some sort of immature group. It made it even worse in some ways.

[Nate] Yeah, interesting. No, but I’m also thinking I have had at least once or twice an email sent to me with one of my passwords in the subject line because hackers sort of scan those data breaches for your password and then send you those extortion emails.
So how did you know that this was anything other than that?

[Karim] It’s funny because something like this that would have probably hit my inbox all these years later after doing what I do, probably would have gotten ignored. So you bring up an excellent point. I think it was probably the combination of the night before where I saw that shift of the email going from read to unread to read again, and then ultimately changing all the passwords and just kind of having an eerie feeling about it.
I hope nothing bad’s going on. And it was just, by the way, the whole thing with Anonymous, the HBGary mess that happened and the WikiLeaks debacle was in full swing. Everything was going crazy.

[Nate] And just because it seems like important context to the story, can you give me that sort of overview of what was going on at the time? What HBGary was and how the state of security was?

[Karim] Really, this is when WikiLeaks was denied payment processing by several large credit card companies and then some large banks.
And that is what inspired Anonymous to come to the rescue essentially of WikiLeaks to say, look, you’re obstructing free speech, blah, blah, blah. That was their whole mantra.
And really with HBGary, and this is loosely my understanding, they were contracted by some of the banks that had these issues of attacks going on to unearth and identify some of these hackers, specifically LulzSec. And that’s what inspired their attack on them. And it was specifically HBGary Federal. And it was the CEO at the time of Federal that was really, really attacked pretty heavily. And it was a shot heard around the world within the community back then. Big deal for the times.
And so I think what happened really was that this group got a little blood drunk on their capabilities.
They really were good. They had a very interesting methodology, which is they would get into a place, not tell anyone about it, then broadcast to the world through Twitter and other channels that on this exact date, they were going to get into some place. And it made it look like to the general population that they would do what they said they were going to do on the day they were doing it, which is not the case. They already had access. They already had either an implant or some sort of access to an environment, but it made them look a lot more skilled than they actually were.
It was a fairly small group. LulzSec was not this very large contingent. It was probably about five to seven core people.
I think Hector Monsegur, who was Sabu, if you remember his name, out of New York, was the proverbial head of that group, Topiary, a few others.

[AD] The best strategy for organizations to avoid becoming a victim of ransomware is to prevent the attack from being successful in the first place.
Cybereason remains undefeated in the fight against ransomware because it moved beyond alerting to deliver an operation-centric approach that detects and prevents ransomware attacks at the earliest stages of initial ingress and lateral movement.
The Cybereason predictive response capability disrupts ransomware attacks prior to data exfiltration and long before the ransomware payload can be delivered.
Visit cybereason.com to learn more about predictive ransomware protection and how your organization can realize both increased efficiency and efficacy through an operation-centric approach to security operations.

[Nate] Okay, so back to our story. You are now in this, you pursue this encrypted chat link and you’re in an online chat with people who you don’t yet know are LulzSec. How do these conversations go? How do these people talk?

[Karim] They started off very threatening, which is you do anything along the lines of share that this is going on or we’ve gotten into your environment, we’ll dox you immediately.
Hyperbole around, we’re already in all of your infrastructure, we already have it all, which was contradictory to their narrative anyway because they kept asking us for, you better give us the access to this botnet intel, otherwise we’ll do this or that. But it’s in the same breath, we’re already into your infrastructure, we know everything about it.
So there was a lot of cracks in the way that they were threatening, which was good because it gave me the confidence that they were still obviously lusting after something. If they had already gotten it, they would have leveraged it by now.

[Nate] Then because you understood the threats were empty, did you just disregard them and contact law enforcement?

[Karim] I did contact law enforcement immediately, started with local law enforcement, local bureau, FBI bureau, which then escalated into the DC office, which I think at the time was handling the larger, broader problem. They asked me to maintain the communication as long as they possibly could, which was terrible because I’m a going concern of a startup.
The last thing I need to be doing is working as some sort of conduit to a hacker group that would be used by law enforcement to eventually infiltrate and get some of them to turn, which I’m glad they did in the long run.
Naturally, just my concerns were how am I going to maintain operations, what if they eventually do something damaging like disclose that they’ve hacked me as a security firm or an intel firm, I’ll lose all my customers, all the fears that kind of come with that kind of thing. Not to mention the threats that came from this group that go a little deeper. If we have time for this, it’s worthwhile part of the story.

[Nate] Yes, please tell.

[Karim] About two or three months prior to this, Unveillance participated in an open source project with MIT and this group called CSFI, which was an analysis of certain Middle Eastern countries during the Arab Spring. And it was a look at just how infiltrated they were from a malware perspective.
The LulzSec group found that I and my team were an author along with Palantir and a few other companies on this project and used it as leverage to suggest that I was part of some deeper, darker government initiative to go hack into these countries in the Middle East.

[Nate] And they really truly believe this or they were just trolling you?

[Karim] It was a tool, certainly, to sort of say, look, we can attempt to smudge your reputation with this and disseminate false information like this and create a lot more trouble for you if you don’t comply with their demands. I think it was more of a weaponized utility than it was the reason for coming after me. Because if they had read the document, which is actually still publicly available online, if you look for it, it’s called Project Cyber Dawn, you’ll find it. And it’s not a document that looks like some sort of roadmap for conquest from a cyber perspective in the Middle East. It was simply an analysis of the region.
So I got a whole bunch of fans, being sarcastic here, over there that wanted to do me some serious harm beyond just sort of keyboard harm. And that was concerning and that was very, very disruptive to our life.

[Nate] Disruptive in what ways?

[Karim] Ultimately, I had to start fielding a lot more hate mail from folks that thought I was part of some initiative to hack into countries. I did indeed get death threats. And that was an unpleasant experience for my family and I, as you can imagine.
So naturally, there was a period where we were in a pretty high state of vigilance. I moved out of the location I was in for a while just to be on the safe side because they did identify that location as where I lived. So the last thing I needed was anyone trying to physically incur it in my environment.
It was not a pleasant situation. So really taxing on the family. My wife and kids at the time were not happy, understandably so. I was not happy. We had to find ways to kind of solve that.
Had that not been part of it, that specific piece, I think this would have been a little bit more, I would never say humorous because, again, I thought my company would be really damaged by it, which it was not, thankfully. But it wouldn’t have been so dire.

[Nate] With all of those threats coming in, were you able to keep a cool head and not give in to them?

[Karim] Yeah. So, you know, in the very beginning, I was as inquisitive as anyone would be concerned, you know, like, hey, you know, what’s going on? Why are you doing this? How did we offend or, you know, along those lines? I’m paraphrasing, obviously.
And once they were threatening enough where it was childish a bit, then I was able to get a little bit more: Well, I’m not giving you anything. So too bad.
And, you know, I’ll be very honest. The reason I was not going to do it was, one, ethically, that would be completely terrible to do, A, but then B, it would have made me an accessory to some horrible, horrible events that could have happened if they had gotten control of some of the stuff that we had taken over, right? We would have amplified their capability incredibly.
So it was a very, I had a very clear, unfortunately clear idea of what I had to do. It wasn’t me being blustery for no reason. It was because there was no other option.

[Nate] And did you already spell out before what exactly you had that they wanted the counterintelligence data?

[Karim] I don’t think I did.
So what we had as Unveillance was control of a slew of command and control domains for a variety of different botnets that could have been leveraged by this group in ways that you can only imagine, right?
They could have used it to further perpetuate subsequent infections and persistent malware into these environments. They could have used some of the larger botnets that we had been able to infiltrate for other denial of service attacks. And at minimum, it would have given them a really phenomenal lay of the land of who’s compromised.
So beside the utility of the botnet, they would have seen all the telemetry and the beacons from the organizations that already were compromised, which would have given them a much bigger list of viable targets.

[Nate] OK, so they’re pestering you and you can’t budge. How does this end?

[Karim] So I communicated with them for probably close to four to five days. And then, interestingly enough, they did go dark on me and there was no response. And now, you know, I know what to think of much. They ultimately did doxx.
I think a few thousand of my personal emails from that email account that they had gotten into that didn’t have anything really critical in there. So it really wasn’t a big deal. They didn’t compromise anything from my organization. So that was a relief.
Then in the end, they were all talk and no game. Putting two and two together, Nathaniel, I think the period of time when I was communicating with them was when law enforcement had been able to get in touch and turn the key member there. And I think that that shut down was essentially when that team member started to out all the rest of these groups. And that’s when things really sort of took a turn.

[Nate] You know, I hadn’t actually really considered it before, but you’re right. I mean, in the CNET article, I see that some of the emails they targeted are dated the 26th of May. So you were talking in late May and Hector Monsegur was being staked out by, I think it was the FBI, in early June. So you really were right at the peak slash end of LulzSec.

[Karim] We did actually find Hector.
Now, I don’t want to broadcast that we can take credit for identifying who he was and delivering that information to law enforcement. What we did to identify him is, and this is classic, somewhere along the way one of the domains that was tied to an IP that he was using to communicate with did have his real name on it, registered years and years prior.
We weren’t confirmed on who he was, but we found the name. It was such a unique name. We remember identifying it and passing it on to law enforcement contacts. And, you know, as with anything in that time frame and with anyone that’s ever dealt with law enforcement, it’s one directional. You hand it over and you hope for the best and you wonder if it was useful.
We never knew that until everything was said and done. And so it’s a testament to the fact that I don’t care how sophisticated you are as a threat actor. You’re never going to be born into this. You’re going to have an identity. You’re going to have the footprints that are inevitably going to be tied to your existence.

[Nate] And how do you feel after, you know, you have this kind of what I imagine to be scary period of time?
Maybe you handled it well, but it must have been intimidating in some regard. These hackers are threatening you in this way or that. You don’t really know who they are because they’re faceless.
And then not long after that, you see that, I mean, look, Hector Monsegur has been doing interviews since that time. He’s like a super ordinary-seeming guy. How does that track with your experience?

[Karim] Well, it’s funny because one of the most famous lines that I said that still gets quoted today in one of the interviews, I think it was a CNN interview I did at the time about the events that happened.
And I said the sophistication of the communication, the way they were communicating with me indicated their age. I’m not talking about necessarily their actual age, but certainly the level of sophistication we were dealing with was low. It just wasn’t that good.
Look, being someone that had a fight with this group, I’d love to claim that this was the most sophisticated hacker group in the world. But it really was not. It was a particularly annoying one that did a really good job of Twitter jockeying effectively. And that’s how I feel about it today.

[Nate] OK, well, I mean, these days we have fewer of those more informal hacktivist groups that you had to deal with and more, I guess, institutional cybercrime operations.
As you think back to the story, is there anything that you learned from your experience with LulzSec that can help people being targeted by today’s hacker groups or that helps you in your own work?

[Karim] I think, you know, with what I do today, there’s a delicate balance that needs to be struck between how much you push.
As you certainly mentioned earlier on, a private sector organization that is doing something that normally a government might be considered able to do, how much you can actually get away with without drawing even worse fire than something like a LulzSec. And there’s plenty of that out there now, as you properly articulated.
So I do kind of measure my approach now and say, all right, just how far would I go here? And that’s a hard line to draw. It isn’t something that’s very clear. There are times where I have the means to really impact a terrible scourge of an APT group and I choose to do it and I sit there and worry a little bit for a few weeks after it happens and hope that everything dies down and cools down and it does. And then there are times where I’ll choose not to because I think it just might be too much.