
How an FBI Informant Helped Orchestrate the Hack of an FBI Contractor

Weeks after he started working quietly as an FBI informant, the hacker known as Sabu led a cyber attack against one of the bureau's very own IT contractors.
Hector Xavier Monsegur. Illustration by Clark Stoeckley

Weeks after he started working quietly as an FBI informant, Hector Xavier Monsegur, known by his online alias "Sabu," led a cyber attack against one of the bureau's very own IT contractors.

In July 2011, at Monsegur's urging, members of AntiSec, an offshoot of the hacking collective Anonymous, took advantage of compromised log-in credentials belonging to a contractor with a top secret security clearance employed at the time by ManTech International.

According to chat logs recorded by Monsegur at the behest of the FBI and obtained by Motherboard, the informant directed hackers to pilfer as much data as possible from ManTech's servers as investigators stood by. Stolen data was published as the third installment of AntiSec's "Fuck FBI Friday" campaign: a collection of leaks intended to embarrass the same federal agency that presided over the hack and others.

Over a span of a few months, the FBI security advisers and contractors that fell victim to Anonymous's "FFF" attacks also included the Atlanta chapter of InfraGard, Unveillance, and Booz Allen Hamilton.

After being arrested on June 7th, 2011 for a series of high-profile cyber crimes, Monsegur promptly began cooperating with federal agents in lieu of fighting charges that carried a potential 124 years in prison if convicted. The attack he organized against ManTech would make headlines only eight weeks later.

As a cyber security firm serving various branches of the US government, including the Pentagon, DHS, and NSA, ManTech was at the time of the breach among the FBI's preferred contractors. Months earlier, the company had secured two five-year contracts with the bureau worth a combined $108.7 million, as part of an eight-year, $30 billion 'IT Triple S contract' involving numerous companies.

ManTech headquarters, Fairfax, VA. Image: Andrew Blake

"We look forward to expanding our long-standing relationship with the FBI as we further enhance its preparedness and ability to respond to external and internal cyber threats," L. William Varner, president of ManTech's Mission, Cyber, and Technology Solutions group, said of the contracts.

While the roughly 400 megabyte torrent of ManTech's stolen files pertaining to the company's work and its relationship with NATO was leaked almost three years ago, the involvement of an FBI informant in the attack has not been previously reported.

On July 17th, 2011, Monsegur learned that ManTech's computer servers had been breached after being approached by a hacker who went by the alias "LulzSupport."

Monsegur was signed on to IRC (Internet Relay Chat, a service frequented by members of Anonymous) and was recording his conversations, per his agreement with the FBI.

"ManTech is NATO IT company of US," LulzSupport messaged Monsegur while scouring through the company’s systems. He then listed two email addresses, one belonging to an NSA employee, another to an HBGary Federal employee, and divulged that both were tied to ManTech.

22:50 wait
22:50 did you own mantech ???

LulzSupport confirmed that he had in fact breached the contractor's network and stolen files, having gained access through an employee's virtual private network (VPN) credentials. He then told Monsegur that it might be possible to compromise other users with access to ManTech's servers as well.

Monsegur wasted no time when LulzSupport told him about the intrusion. "OMFG," he responded. "That is what we needed."

23:39 my brother come to our private server / channel
23:39 so we can do this

Within an hour, LulzSupport was recruited by Monsegur and introduced to a handful of other hackers who would turn the ManTech breach into a full-fledged Anonymous operation. In a newly created IRC channel, named "babytech," LulzSupport told the group what he’d uncovered.

For the next several days, Monsegur spearheaded the hack, and lauded the work-in-progress in advance of AntiSec's eventual dumping of the documents on July 29th. He requested that LulzSupport and others keep an eye out for sensitive correspondence, and to quietly attempt additional theft.

"[A]s you know mantech is very itnersting [sic] to us," Monsegur told the "babytech" hackers in one session.

"[G]rab as much as possible," he said in a private conversation with another hacker, "… in the process save as much files as possible cause mantech is a security company after all."

00:34 if they detect us and we didnt get shit
00:34 we'll be gay

Monsegur privately told a fellow AntiSec hacker to "work on mantech asap," and insisted the data harvested by LulzSupport be secured so it could be distributed by the group.

00:37 yup make sure you get that 600mb somewhere

AntiSec would eventually justify dumping the stolen files by calling it a strike against the cyber industrial complex. At Monsegur’s behest, the leak would also be labeled an act of retaliation.

Earlier that week, the FBI had arrested 14 individuals associated with Anonymous for involvement in a digital protest waged months earlier against PayPal.com after the company suspended donations to WikiLeaks.

07:30 < Sabu> those raids were fbis respponse to us
07:30 < Sabu> a mantech release would be our response to those fallen anons

"It's amazing to see how gullible people were," Josh Covelli, one of the 14 hacktivists charged with taking down PayPal, told Motherboard. "To see [Monsegur] use us as motivation does not surprise me; it's genius, just twists the knife a bit more knowing it was all an act."

Covelli and his 13 cohorts currently owe the US government a total of $78,400 for crashing PayPal's site with a distributed denial-of-service (DDoS) attack in late 2010.

According to a pre-sentencing memorandum filed by Monsegur's attorneys last month, he'd participated in the same DDoS attacks “against the computer systems of PayPal, MasterCard and Visa,” along with myriad other crimes.

Thanks to his "extraordinary cooperation," Monsegur served a total of seven months and paid a special assessment fee of $1,200: $100 for each of the dozen counts he pleaded to shortly after being arrested.

When the ManTech documents dropped on July 29th, a statement authored by members of AntiSec addressed the FBI. "It's really good to know that you guys are taking care of protecting the United States from so-called cyber threats," it read. "It also remains to be seen how much longer the public will accept how completely incompetent law enforcement agencies are spending their citizens' money to fund even more incompetent federal contractors."

For LulzSupport, the ManTech hack was not just a random act of online mischief, but rooted in an earlier hack. In February 2011, Anonymous targeted HBGary Federal after discovering that its CEO, Aaron Barr, had planned on exposing the supposed identities of Anonymous members to the FBI. Before those plans could come to fruition, though, Anonymous attacked Barr and his company.

The contents of Barr’s iPad, laptop and other electronic devices were remotely erased by Anonymous, HBGary's website was defaced, and tens of thousands of emails were leaked online. When Monsegur was arrested that summer, he acknowledged that he had played a direct role in hacking HBGary.

"[I]t was a nice target to interfere with since i saw the mails from hbgar and found the connection between them," LulzSupport told hackers in the BabyTech IRC channel when he first shared details about ManTech with AntiSec. "[F]rom that workstation we've got access to file servers with private and confidential staff on nato, nato installations, projects in afganistan [sic] etc etc."

Among fellow hackers, two of whom were later investigated and jailed on the strength of leads he had provided, Monsegur responded:

23:56 <@Sabu> fuck yes.
23:57 <@Sabu> I have a full on erection atm.
23:57 <@Sabu> those file servers is what we mainly want
23:57 <@Sabu> to expose them

LulzSupport privately supplied Monsegur, and soon after other hacktivists, with "the full list of internal users [and] roles."

Monsegur discussed targeting additional victims, but evidence that such events took place has not been found. What chat logs do reveal is that Monsegur undoubtedly encouraged LulzSupport and others to escalate the scale of the hack once the wheels were set in motion.

In one instance, for example, Monsegur willingly offered to provide the "unix reverse shell we use when we own unix web servers."

Elsewhere, he directed other hackers to employ their specific skill sets to attack the company:

From the moment LulzSupport informed Monsegur about the breach to the days spent tasking AntiSec hackers, FBI agents met regularly with their informant and reviewed his online logs. Not only did investigators have access to all of Monsegur’s conversations, but have testified that they routinely interviewed Monsegur about his online activity, and had his residence under constant video surveillance.

This persistent monitoring allowed authorities to zero in on no fewer than eight other hackers, and Monsegur's "extraordinary cooperation" with the feds was cited more than a dozen times at his sentencing. Despite the close relationship, however, the FBI never pursued anyone for the hack of ManTech.

Had the FBI been paying attention to Monsegur's correspondence with LulzSupport and others, it would have been aware of the hack for nearly two weeks before stolen ManTech documents surfaced on The Pirate Bay. However, it remains unclear if the bureau was aware of the attack, or if it had even directed the attack as part of a sting or other operation.

Spokespersons for the bureau have repeatedly declined requests for comment on Monsegur's role in the hack. No arrests were ever announced in connection with the theft of ManTech's data.

When asked by Motherboard about the history of the attack, and the company's subsequent plunge in stock value (which to this day hasn't recovered), ManTech staff declined to discuss any concrete specifics. Several messages left for an executive, along with one of his deputies, remain unanswered.

ManTech's statement regarding the AntiSec hack.

ManTech didn't directly mention the hack in its 2011 end-of-year report. Still, the intrusion and method of attack raised doubts about the promises the firm made about its capabilities.

"Our network architecture planning and implementation services and systems engineering services support enterprise-wide network infrastructures and components that include local area network/wide area network architectures, messaging architectures, network management solutions, directory services architecture and web hosting," the company said at the time.

"These services are provided within secure environments requiring the application of multi-level security policies across the enterprise," and involved "state-of-the-art analytic environment that provides access to regional, national and international information with appropriate security level access controls, providing direct operational support to time-sensitive counterterrorism activities in support of an intelligence community customer," the report read.

Historical data shows that ManTech's stock price took a nosedive the week of the AntiSec hack, and to date the company's shares have yet to return to their pre-June 2011 level. Twelve months later, ManTech's stock had declined by 46 percent.

ManTech's stock price falls on the same day of AntiSec's hack. Source: Google.

Publicly, Monsegur has said little about the ManTech hack aside from a handful of preserved messages, including a tweet in early 2012:

Just read that ManTech bought out HBGary - http://t.co/zHg38TkA and considering #antisec hacked both I find it funny they're both insecure.

— The Real Sabu (@anonymouSabu) February 28, 2012

Monsegur, approached last month by Motherboard, implied he was not yet ready to discuss any involvement with Anonymous on the record.

Six months after the ManTech attack, however, Monsegur would again act on a similar tip, and pass information to a man later identified as Jeremy Hammond to attack Strategic Forecasting, also known as Stratfor.

Hammond, 29, is currently serving a ten-year prison sentence due largely to information provided by Monsegur during his tenure as a cooperating witness.

Despite the lack of arrests pertaining to the ManTech hack, chat logs show that Monsegur exhaustively asked LulzSupport and others to break into protected computers to share sensitive information:

At one point, Monsegur said he had a secure server that LulzSupport could upload the documents to:

15:41 <@Sabu> I'll give you personal access only
15:41 <@Sabu> sftp access
15:41 <@Sabu> can you start throwing mantech docs in there?

And as the rest of his crew plotted, Monsegur stayed close to the operation:

00:23 <@Sabu> do you have access to the filesystem with all the docs ATM?
00:23 <@Sabu> can we have two process where we spear phish
00:23 <@Sabu> while we download them docs?

17:05 <@Sabu> can you setup a secure rdp that lulzsupport can use as a reverse shell hub
17:05 <@Sabu> where he can send his targets to

Monsegur went as far as to suggest activity that could easily be equated with encouraging international espionage:

"[I]f we can get $10 mil we can split that shit 1 mil each," he said. "sadly it wont happen we're too underground."

In 2012, the Pentagon was on the receiving end of a reported 10 million attempted cyber attacks each day. Along with the government, private firms like ManTech were also ripe targets, and whether it's hacktivists or state-sponsored hackers, that trend will continue.

"you have organizations like palantir, mantech, booz, et al," Monsegur told another hacker in sealed chat logs. "they're dipping into millions-billions of dollars of u.s. money for cyber security IT, IT/INFOsec."

03:12 and if I can hack them, and expose them
03:12 what makes you think our infrastructure is any secure
03:12 I mean its just one big joke

Follow Daniel Stuckey and Andrew Blake on Twitter.