Archive for June, 2014

Anonymous Cambodia: The OPSEC disaster

Tuesday, June 17th, 2014


On the 30th August, 2012, a group of police officers met outside a local minimart near Riverside in Phnom Penh, Cambodia. Their mission was to raid and arrest anakata in his apartment nearby, as requested by Swedish authorities.

A group of hacktivists that calls itself NullCrew was quick to retaliate, carrying out attacks under the suitably chosen name “Operation TPB”. On the 2nd September, 2012, they began leaking documents, usernames and passwords from Cambodian computer systems. They attacked the Cambodian Ministry of Public Works, the Institute of Standards, the general taxation department and the military. NullCrew’s attacks hit the local media, and this is where the story about Anonymous Cambodia begins.

Most likely inspired by the press coverage of NullCrew’s attacks, the Cambodian branch of Anonymous was formed. They adopted NullCrew’s OpTPB and on 12th September, 2012, the day after anakata landed in Sweden, it was reported that Anonymous Cambodia had broken into the Cambodian Ministry of Foreign Affairs, leaked sensitive data extracted from it and defaced its website calling for anakata’s release.

The Cambodian branch went silent for a while, only to wake up ready for the national elections held in July, 2013. They began defacing sites to spread their political message and DDoSing those that they could not deface, accusing the ruling party of electoral fraud. Their mission was to topple the government led by the Cambodian People’s Party, which has ruled the country with an iron fist since the fall of Pol Pot and the Khmer Rouge regime.

“Because he has no formal training and uses programming scripts created by others, he said that he is a ‘script kiddie’ and not a true hacker.”

Less than two weeks before the election Anonymous Cambodia made their grand mistake. They participated in an interview with The Phnom Penh Post in which one of their members, “Black Cyber”, revealed personal information about himself and his agenda. In an interview with The Cambodia Daily he relied on a “blacked-out webcam and computer software to distort his voice for fear that the call would be intercepted by U.S. intelligence agencies”.

Black Cyber was portrayed as a twenty-something IT security consultant who had become involved in Anonymous by participating in Operation Payback, which targeted pro-copyright and anti-piracy organizations and the payment processors that had withdrawn banking facilities from WikiLeaks; these were attacks of the same kind as those later carried out as revenge for the arrest of The Pirate Bay founder anakata. Black Cyber denied involvement in OpTPB.

The interview given by Black Cyber provided excellent profiling data for law enforcement agencies. He revealed the size of Anonymous Cambodia and claimed that three people had participated in attacks against the National Election Committee. Jao Kamsot, another individual who was interviewed for the article, said that he is a script kiddie and not a true hacker.


Immediately after the interview given by Black Cyber, the Cambodian Ministry of Interior Department of Security began collaborating with the United States’ FBI in an investigation against Anonymous Cambodia. On 7th April, 2014, 21-year-old Bun Khing Mongkul Panha, known online as Black Cyber, was arrested together with 21-year-old Chou Songheng, alias Zoro.

The pair was charged with cyber crimes conducted against 30 government websites, including the National Election Committee, Ministry of Foreign Affairs, Ministry of Defense, Anti-Corruption Unit and Phnom Penh Municipality. The charges were unauthorized access to an automated data processing system, obstructing the functioning of an automated data processing system, and fraudulent introduction, deletion or modification of data. Black Cyber confessed immediately.

On 22nd April, 2014, an individual calling himself “Attacker Fiber” created a Facebook page named after the group, vowing revenge and posting YouTube videos showing how to conduct DDoS attacks. He used the page to market his own page (Attacker-Fiber), on which he advertised “Website Security Learning to be Anonymous” [sic], including SQL injection, defacement and backdoor techniques, for $100 per course. He also set up a site titled “Cambodia Security” advertising the same services and posting guides for trivial things such as XAMPP installation.

On 29th April, 2014, Anonymous Cambodia claimed on its Facebook page that they had breached the site belonging to the Anti-Corruption Unit, promising further attacks. Dim Chaoseng, the lawyer defending the members of Anonymous Cambodia arrested earlier, expressed his concerns, saying: “All the activity that Anonymous is doing at the moment is not going to help my clients. It is going to get more difficult to release my clients on bail.”


Only days after the claimed attacks against the Anti-Corruption Unit, on 1st May, 2014, two additional (unnamed) members of Anonymous Cambodia were arrested and charged with disrupting the ACU under the moniker Game-Over-xX23xX.

Angered by the four arrests, on 4th May, 2014, the group attacked the Royal Gendarmerie, the Ministry of National Defense and CamCERT (Cambodia Computer Emergency Response Team), demanding the release of their “comrades”. Military Police spokesman Kheng Tito was quoted saying: “I don’t think their group has many people, and we will wipe it out.”

On 4th June Attacker Fiber, a 17-year-old boy named Chin Neangleangmeng, became the 5th arrested member of Anonymous Cambodia. He confessed immediately.

Since the arrest of Attacker Fiber the small but very cocky group has been very quiet online. The members of Anonymous Cambodia are now held in Prey Sar Prison in Phnom Penh, which was built for 500 inmates but reportedly housed 3,000 inmates in 2011. They will most likely stay there until the authorities figure out how to punish them, as Cambodia currently lacks many of the internationally common cybercrime laws that regulate hacking and DDoS attacks.

SÄPO doesn’t have time for virus scans

Sunday, June 8th, 2014

Earlier this week Torrentfreak reported that the Danish police investigating anakata on hacking charges had discovered that the computer they analyzed had itself been hacked and infected by malware. Kristina Svartholm reported that the computer had been infected by more than 500 trojans.

Let’s rewind the tape from Denmark to Sweden, where the same computer (seizure 2012-0201-BG25023-26) was used as evidence against anakata. My translated version of the Swedish Security Service’s investigation of remote control possibilities can be downloaded from here. I also wrote a short paper in response to the investigation report which can be read here (tl;dr version available here).

The 12 SLOC Python example that I wrote and included in the paper played an important role in having all intrusion and fraud charges regarding the Nordea bank dropped. In the paper I also called the investigators biased for working with the assumption that computers can only be remotely controlled in legitimate ways, such as PowerShell and Remote Desktop, which anakata had mentioned as technical possibilities in hearings.

The Swedish Appeal Court agreed with the points that I made and that Jacob Appelbaum pointed out in his witness testimony: remote control could not be excluded, hence the SÄPO investigation written by Jesper Blomström fell. Anakata was however sentenced for intrusions dated 2011, as it was considered “unlikely” that the computer would have been hacked since 2011 without notice.

A very important point to raise here is the fact that Jesper Blomström was the same person who discovered the sensitive data originating from Denmark on the computer in question. He was also the one who rang Denmark with his revelations. What Jesper found on the laptop, and his investigation, was the entire basis for extraditing Gottfrid from Sweden to face similar charges with evidence originating from the same hard drive that the court in Sweden had already ruled may have been remotely controlled.

Let’s revisit the court hearing with Jesper:

“I also think that it’s important to read the introduction of the PM when reading the conclusions, because we were given a task from the Stockholm County Police department that the computer had been remotely controlled first through one way that we investigated and then another that we controlled, so that you have that in the back of your head when you read the PM.”

“It’s when we write that we don’t see any programs that have been used for remotely controlling the computer. Based on the given task and the circumstances then in those frames we don’t see any traces.”

“It can be worth adding that we haven’t looked at every file in every computer, because it’s like a giant haystack with enormous, thousands, of files in various ways. And then we would need to go through each individual program: is it this one that has remotely controlled, is it this, is it this, and that whole part. There hasn’t been any investigation like that on the computer because there is simply not enough time.”

The Swedish Security Service didn’t have time to run an antivirus scan on the computer, and since the Stockholm County Police department didn’t specify one in their request, nobody in Sweden appears to have scanned the computer for viruses.

This is outrageous on every level possible. Gottfrid was sentenced to jail in Sweden because the police didn’t have time to find anything that may have been in his favor. Guilty until proven innocent, eh?

This entire fiasco could have been avoided if Sweden had replaced the so-called IT Security Specialists involved in the investigation with any ten-year-old from the street who learned Norton at Christmas family dinner, because obviously the computer was infected and obviously it was discovered as soon as somebody ran a virus scan.