In July of 2011, the website for the British tabloid The Sun announced that media mogul Rupert Murdoch had been found "dead in his garden."
It was a lie, of course; a fake article planted by hackers who spent a week flitting in and out of the newspaper's servers. The cyberattack was part of a campaign against Rupert Murdoch's British media empire in the midst of the News of the World phone hacking scandal.
It was perpetrated, like so many of these things, by a group of anonymous online hackers. Except one of their leaders was an FBI informant.
Hector Xavier Monsegur, also known online as "Sabu," was caught by the FBI in June of 2011 for a litany of hacking-related offenses and, within hours, began cooperating with authorities in hopes of receiving a lenient sentence.
Now, never-before-published FBI records and exclusive interviews detail how the informant rallied other hackers to attack various News Corp. interests, including The Sun, at a time that the FBI has said it was tracking all of Monsegur's online activity.
A 12-count indictment charged against Monsegur carried with it a maximum sentence of 124 years in prison, but he promptly pleaded guilty and began assisting the feds. US District Court Judge Loretta Preska credited the informant's "extraordinary cooperation" when she let him walk out of a Manhattan courtroom a free man at his sentencing hearing in late May.
Monsegur's assistance was beneficial to the DOJ closing a handful of cyber cases. However, while working with the FBI, Monsegur dove back into his circle of Anonymous members to begin plotting attacks against a wide range of global targets.
Sealed documents from the government's case against Jeremy Hammond that were leaked to journalists at Motherboard and the Daily Dot earlier this year detail how Monsegur spearheaded cyberattacks against FBI contractors and computer servers in dozens of foreign countries, including Brazilian government websites, all while under the constant supervision of law enforcement handlers.
And for a week shortly after his arrest, he was privy to the anti-Murdoch campaign waged by Anonymous, according to the documents obtained by Motherboard.
The successful attack involved LulzSec, an offshoot of Anonymous led by Monsegur, gaining access to the tabloid’s website, publishing a fake obituary announcing the death of Murdoch, and subsequently redirecting the site to LulzSec’s Twitter profile.
Screenshot from the FBI documents obtained by Motherboard.
Software placed on Monsegur's computer gave the FBI real-time access to chat rooms where the attack against The Sun and others were hatched. It's unclear if the plot was a sting gone too far, or if the FBI was even aware that one of its informants had organized an attack on a foreign newspaper.
While the FBI has declined repeated requests for comment on the specifics of this case, the Department of Justice and US attorneys asserted at Monsegur’s sentencing that the informant’s online activities were constantly monitored, and that FBI agents were fully debriefed after each of his marathon chat sessions. Both the US Attorney's Office for the Southern District of New York and an assistant speaking on Rupert Murdoch's behalf also declined to comment on this story.
A representative for The Sun who is familiar with the attack said the paper was never warned by American authorities that its website was under attack for a week, nor that an individual under FBI supervision had orchestrated the attacks. “It was not the FBI who tipped us off about the hack,” a spokesperson for The Sun told Motherboard in a phone conversation.
“In 2011, the online team wasn’t very big,” the spokesperson explained, adding that the tabloid’s IT department had learned of the defacement through its own monitoring, and due to the false obituary’s rapid spread through social media. The Sun declined to comment any further with regards to damages, security audits, or expense figures it ostensibly incurred as a result of LulzSec’s attack.
"What’s most interesting to me is how the FBI, DOJ, and perhaps others used Monsegur, or ‘Sabu,’ to catch other hackers,” said Michael Ratner, an attorney for WikiLeaks who is familiar with the case, in a phone interview with Motherboard. “Who should be on trial here isn’t Hammond, and isn’t Sabu, but the federal government which used this group of hackers to penetrate other websites as well as foreign countries.”
Former members of Anonymous corroborated to Motherboard that a lone hacktivist discovered an exploit on The Sun's network in early July 2011 and soon after sought out other Anons to see if the group should collectively take charge.
In an Internet Relay Chat channel aptly named #!sunnydays, logs saved by Monsegur's FBI-provided computer show the informant intended to maximize the impact of the hack: Not only did he express his intentions to embarrass Murdoch, but to peripherally sabotage the credibility of various outlets by spreading misinformation to a handful of eager journalists.
Hacktivists first began plotting in #!sunnydays on July 12, 2011, and were in and out of The Sun's server for nearly a week before the operation pinnacled with the group publishing Murdoch's fake obituary on July 18. Only a few Anons were in #!sunnydays that evening, and the hack might never had occurred if one of them hadn't decided on his or her own to publish the death notice before the group lost access to the site.
“The Sun is setting UK now. So wat do?” one Anon asked at 8:08 that evening, according to the timestamp on Monsegur's detailed chat logs.
The group had yet to prepare any sort of statement about the hack, and had already botched the operation earlier by getting themselves temporarily locked out of The Sun's servers in the midst of what was now a six-day-old ordeal.
A half-hour later, Monsegur began participating in the conversation and suggested that the group “fuck murdoch up.” Within minutes, the most-followed Twitter accounts associated with Anonymous had announced the defacement.
"We have joy we have fun we will mess up Murdoch's Sun," @AnonymousIRC tweeted. "Hi Rupert! Have fun tomorrow at the Parliament!
"Not so fun to get hacked Mr. Murdoch, is it? u MAD?" another
account tweeted. "Also, why'd you use
Logs from #!sunnydays suggest Monsegur was upset at first that the hack had been so hastily revealed to the public with an impromptu tweet, but soon started taking control of the operation. (Note: Users' handles have been redacted from chat logs to protect the identify of sources who corroborated the substance of the chats to Motherboard and who fear legal action.)
Instantly the obit made its ways across the web, and soon was featured on a live CNN newscast. As Monsegur considered his next move, the obit was read the world over.
"Murdoch, aged 80, has said to have ingested a large quantity of palladium before stumbling into his famous topiary garden late last night, passing out in the early hours of the morning," read a portion of the phony report. “Officers on the scene report a broken glass, a box of vintage wine, and what seems to be a family album strewn across the floor, containing images from days gone by; some containing hand-painted portraits of Murdoch in his early days, donning a top hat and monocle.”
Image: The Register
The over-the-top obituary was as believable as it was subtle, and the inclusion of handles used by two members of LulzSec—"topiary", aka Jake Davis, and "palladium," aka Donncha O'Cearbhaill, according to criminal indictments—led most anyone following the hijinks of LulzSec to conclude that the Anonymous offshoot had been resurrected just weeks after rebranding as AntiSec.
Monsegur and his comrades couldn't have picked a better time to embarrass the publisher: Murdoch was coincidentally scheduled to appear before British parliament only hours later to testify with regards to the phone-hacking scandal that led to the shuttering of NOTW after 168 years of publishing.
“It's the right timing,” one Anon wrote in #!sunnydays. “Media will know of this tomorrow when they report about the hearing. it’s perfect imo [in my opinion].”
Additionally, a crudely drawn comic strip circulated by LulzSec also acknowledged rather openly the group's latest attack.
Nevertheless, Monsegur attempted to elevate the group's efforts beyond what they actually had accomplished.
Soon, the informant began to make grandiose claims on Twitter, announcing that Anonymous had pilfered a trove of correspondence from the shuttering News of the World and suggesting that no one at News Corp. was safe from the wrath of the hacktivists.
Days earlier, an Anon inside of The Sun's servers found the encrypted password for a user of the site that turned out to be embattled and outgoing News of the World editor Rebekah Brooks. Although the credentials hadn't been cracked, and were thus unusable, Monsegur wanted to make the potential damage from the anti-Murdoch op seem more colossal. After the defacement went live on a moment's notice, Monsegur tweeted her login info.
"Sun/ News of the World OWNED. We're sitting on their emails. Press release tomorrow," Monsegur tweeted from his Sabu account. "In the meantime check: new-times.co.uk/sun/ #antisec."
As his Twitter account blew up with activity, the informant plotted in #!sunnydays about what to do next, and privately approached a variety of journalists to push them towards coverage.
"Here goes the shit storm," Monsegur typed in #!sunnydays after posting Brooke's encrypted credentials on Twitter. "Lets fucking terrify them."
Although Monsegur doesn't appear to have performed any actual hacking himself during this operation, interviews and chat logs show he offered technical assistance and largely orchestrated the PR of the prank.
But in addition to announcing the defacement to his Twitter followers, Monsegur continued to claim that his hacking crew had taken ownership of a trove of Murdoch-related emails.
For days Monsegur teased journalists with the promise of handing over News of the World’s compromised emails. Really, though, he was wrestling with the idea of sabotaging reporters by presenting them with phony evidence: NATO-related emails the crew had garnered previously in a hack against FBI security contractor ManTech.
In one exchange, Monsegur specifically mentioned targeting a journalist who'd reported on the group's release of Rebekah Brooks's hashed credentials, Kevin Rawlinson of The Independent, with a disinformation campaign.
“I, like just about everyone else, didn't know at the time that Sabu was working for the FBI,” Rawlinson told Motherboard in an email. “He was evidently quite effective. I’m not sure I’d agree that he set out to make a fool of me or damage my career."
"Like most journalists, I’m passed information by people all the time, much of which turns out not to be all it seems," he added. "If he’d tried to pass off falsified emails, I would’ve checked them out and, most likely, quite quickly identified them as fakes. To be honest, one phone call would usually expose a fabricated email.”
As intricate as Anonymous' plans were, gaining access to The Sun's servers didn't require much effort aside from taking advantage of a well-known exploit available in practically any amateur hacker's toolkit.
The conspirators used a tactic called a Local File Inclusion, or LFI, to exploit a glitch in PHP, the programming language used by more than three-quarters of online applications, according to a 2012 report by security firm Imperva, making it, in their words, “a favorite choice for hackers.”
Novice penetration testers can determine with free software if a website uses any vulnerable versions of PHP and then can attempt to trick the targeted network into executing malicious code by sending its servers instructions that exploit the glitch.
"LFI is a gaping hole in the security of a webserver, caused by the programmer being a fucking massive retard," one of the Anonymous hackers that exploited The Sun’s LFI vulnerability told Motherboard. The hacker also produced a GIF, in which an LFI hack is simulated, and explained the procedure:
"First, the hacker identifies the vulnerability (shown by requesting the /etc/passwd file in the browser), then gives the vulnerable page and parameter to the automated script which tests a number of methods to get the hacker a shell on the server," the source said. “Once a shell on the server is obtained, the hacker can execute commands, elevate privileges to root (super user/admin account), steal or modify data on the server, etc."
Anonymous executed an LFI hack that allowed them access to The Sun's web server. From there, the group uploaded a number of PHP scripts that, if exploited, could give them access to the tabloid's publishing system.
“Multiple shells were uploaded,” the Anon told Motherboard, “as is normal.” According to the hacker, who asked to remain nameless over fear of prosecution, Anons uploaded several PHP scripts to the server in hopes that, should an administrator spot one, others might go unnoticed. “It's a standard enough trick,” the hacker said. “Backdoor different things, put backdoors everywhere.”
At one point in the campaign, however, Anonymous almost lost its chance at hacking The Sun. According to the leaked chat logs, an attempt to root The Sun's servers ended with Anonymous being indefinitely locked out.
"It'll come back," an optimistic Monsegur typed in IRC on July 13. "lets just assess what we got. lets imagine we cant root it. what do we have access to? any dbs [databases]? intranet? defacement?"
After hours of panic, the breached networks appeared to have been reset with the group's backdoors still intact. Several days later, Murdoch's phony obituary went live.
The hack was one of the first successful operations carried out by AntiSec in which Monsegur acted as an informant. For days he dragged the project on, insisting on attempting to humiliate other members of the media once Murdoch had had his time in the collective's crosshairs.
Having aided in the FBI’s purposes to arrest members of LulzSec and convict its most wanted cybercriminal, Jeremy Hammond, Monsegur was highly praised by federal prosecutors and Judge Loretta Preska for his swift decision to become an informant, for providing “unprecedented access to LulzSec,” and for having helped prevent at least 300 other cyberattacks aimed at both domestic and foreign targets.
Despite using the #!sunnydays chatlogs to identify suspects in an international string of LulzSec arrests, the FBI does not appear to have taken action to prevent the actual hack itself, along with a host of other cyberattacks organized by its informant.
Without a doubt, Monsegur's grudge with Murdoch didn't end with the campaign against The Sun: Nearly a year later, in March 2012, Fox News would be the first outlet to report that Jeremy Hammond and others had been arrested with the help of Monsegur, putting a name and face on the "Sabu" alias for the first time.
Correction 10/14: This story initially identified the hacker "palladium," also known as Donnacha O'Cearbhaill, as another person who was indicted with O'Cearbhaill in 2013. We regret the error.