LulzSec Leader Sabu Details Exploits

In an interview, Sabu discloses LulzSec and Anonymous are sitting on hacked data from HSBC, Koch Brothers stored on a server in China.

Mathew J. Schwartz, Contributor

October 11, 2011

5 Min Read

The LulzSec and Anonymous hacktivist groups have unreleased data stolen from HSBC, Koch Brothers, as well as other banks and newspapers, secreted on a server in China. But it doesn't plan on releasing most of it--at least not right away.

Those revelations came to light when Sabu, the ostensible leader of LulzSec, recently conducted a wide-ranging interview on Reddit, posting answers to questions via his Twitter account.

In the course of the interview, his responses touched on everything from unreleased data dumps and distributed denial-of-service (DDoS) sentencing guidelines--"rapists and murderers do less ... time," he claimed--to legalizing marijuana and the origins of his handle, which turns out to be a tribute to the ring name of an Extreme Championship Wrestling champion.

[Think your intrusion detection systems are tight? Think again: Most Businesses Don't Spot Hack Attacks.]

Asked if he planned to release numerous emails stolen from Britain's Sun newspaper, Sabu said via Twitter: "With time for sure. There are a lot of interesting dumps we're sitting on due to timing. ... We got them stashed on a Chinese storage server. Alongside the dumps of a whole bunch of hits we did."

In particular, Sabu said that LulzSec and Anonymous had breached the websites of numerous banks, including HSBC, and that it was planning to release data dumps related to Koch Brothers soon. But when it came to the content of the information the groups had obtained, there were "no smoking guns yet," he said.

LulzSec officially concluded its 50-day hacking spree in June, after a string of data breaches accomplished using relatively straightforward--albeit effective--attack techniques, mixed with a penchant for self-promotion. While Sabu has remained active on IRC channels since then, his agreeing to an interview--his first--was surprising, given the current law enforcement investigations into LulzSec and Anonymous activities. "Technically I'm on the run," he said via Twitter.

If that's the life facing former LulzSec members, what initially motivated them? In his interview, Sabu described himself as a "security researcher / hacker" who came to LulzSec via Anonymous. "I got involved in Anonymous around the time Bradley Manning did his leak and Julian Assange got locked up," he said, referring to Manning having allegedly leaked sensitive State Department cables and helicopter gunship footage to WikiLeaks--for which he was arrested in May 2010--as well as Assange's arrest on rape charges in December 2010.

Now, of course, authorities are also hunting LulzSec and Anonymous members. In July, British police arrested the alleged spokesman of LulzSec, teenager Jake Davis, aka Topiary, in the Shetland Islands in Scotland.

Meanwhile, last month authorities arrested 23-year-old Cody Kretsinger in Phoenix, who they allege was the LulzSec member known as "recursion." Kretsinger has been accused of participating in the breach of the Sony Pictures website earlier this year, and also releasing stolen Sony data. He was apparently identified, at least in part, after (HMA), a British VPN service, disclosed his VPN server connection and disconnection times in response to a court order.

Sabu, in his Reddit interview, confirmed that LulzSec members relied on VPN connections to help disguise their identity. "We use(d) a lot of different VPN services and located all around the world. HMA was one of them and [it's] a sham," he said, and also threatened payback. "We should have a nice expose for HMA and its mother computer/investors soon."

Unlike some other LulzSec members, Sabu remains free. Asked to describe how, he said, "I use prepaid blackberrys for temporary calls / twitter. They're expendable."

Even so, in the course of the interview, he divulged a number of additional biographical details, saying he speaks English, Spanish, and German fluently, as well as passable Portuguese and Italian, that he'd studied the social sciences and English literature, and that where technology was concerned, he was self-taught, via Slackware--one of the first operating systems to be developed on top of Linux--as well as the Python programming language. Previous unconfirmed and anonymous online posts had suggested that Sabu was a 30-something man of Puerto Rican extraction living in the New York City area.

The uptick in hacktivism-related arrests has led Anonymous to change its tactics. Members of the group have said they're working on "RefRef," a replacement for their so-called Low Orbit Ion Cannon (LOIC) tool, which volunteers had used to launch DDoS attacks against the websites of businesses that were perceived to be anti-WikiLeaks.

But Sabu dismissed many of the supposed Anonymous tools. "RefRef doesn't exist. HOIC/LOIC are jokes." That would appear to be borne out by the LOIC aftermath. Notably, many of its users appeared to be unaware that LOIC often coded their IP address into the packets it generated. As a result, after at least some of the attacked organizations, including PayPal, shared the IP address data with authorities, law enforcement agencies have been tracing the IP addresses back to individual Internet service provider subscribers, and making arrests.

That aside, Sabu said he's still committed to the hacktivist cause. For example, asked if he was still directly involved in AntiSec--the Anonymous and LulzSec offshoot--he replied, "No, my [team's] working on that. My priority is more #OWS as of recently," referring to the Occupy Wall Street movement.

Sabu said his political bent had led him to join Anonymous and then LulzSec, the latter serving as a "political PoC [proof of concept] of the lax security across govt and media." Asked what LulzSec had accomplished during its 50-day hacking spree, meanwhile, he said that it had "exposed the sad state of security across the media, social, [and] government online environments."

About the Author(s)

Mathew J. Schwartz


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights