Anakata translated hearings

Pasted below are the translated hearings with Anakata regarding the Logica hacking case. The hearings were transcribed by the Swedish government from audio recordings, then OCRed and translated (by me) into English.

2012 09 13
Interrogator: You have previously been served on suspicion of several hacking cases, that you have prepared access to Logica’s servers.
G: Oh well…
Interrogator: What is your approach to the suspicion?
G: I deny crime.
Interrogator: This investigation, it has gone on since this spring and we have quite a lot of material that we’ve been looking at. There are clear indications in this material that show that you would be involved. Do you know of this breach of Logica?
G: No comments!
Interrogator: Do you have any special reasons why you don’t want to comment?
G: No comments!
Interrogator: Do you know MG?
G: No comments!
Interrogator: Do you know KS?
G: No comments!
Interrogator: Does the lawyer have any questions?
Lawyer: I don’t have a question, no.
Interrogator: No. Then we finish the hearing here. Hearing finished at 13:07.

2012 10 11
Present during the hearing are lawyer Ola Salomonson (OS), interrogator Olle Wahlstrom (OW), co-interrogator John Steenmark (JS). Suspect is Gottfrid Svartholm Warg (GSW)

OW: Yes, since our last hearing… is there anything that you have thought of that you want to… (The interrogator doesn’t finish his question before the suspect replies)
G: No comments.
OW: This breach of Logica, do you have anything to say about that?
G: No comments.
OW: And if you know MG.
G: No comments.
OW: Or… CS?
G: No comments.
OW: Does the lawyer have any questions?
OS: No.
OW: The time is 09:57 and the hearing is finished.

2013 03 08
(Deputy interrogators, Joakim Persson and John Steenmark from the County Criminal Police)

OW: I begin by asking, this apartment where you lived when you were arrested, how long had you lived there?
G: No comments.
OW: When you were in Cambodia did you have any job there or were you running any businesses?
G: Answer yes.
OW: Can you describe further what you worked with?
G: Yes… I freelanced as a consultant and also for nearly two years had an outsourcing company involved in web development.
OW: What was the name of that company?
G: No comments… yes that I can actually answer, it was called Arocore and later Finesy.
OW: You consulted for someone too you said?
G: I freelanced.
OW: At any particular company?
G: Freelanced.
OW: Did you have any income?
G: Yes
OW: Around how much?
G: No comments.
OW: A company called Mysec, have you worked any for them?
G: No comments.
OW: I guess you do not comment if you got any payment from them either?
G: No comment.
OW: In your apartment, we found two computers, a desktop and a MacBook. Were you using them?
G: Not personally, no, they are servers.
JP: Both?
G: Yes, it is quite clear on the laptop, if you doubt it the keyboard was broken. I might add that I actually think Steenmark here can confirm that I always had servers at home.
OW: Yes. If we take this desktop first. What is it used for then? In addition to being a server. What have you done with it?
G: It has been used as a server.
OW: For what purpose?
G: It has been used as a server.
OW: And the MacBook then?
G: It has been used as a server.
JP: What did you have for server software for it?
GS: I have already answered that.
JP: And the answer is?
GS: Yes… ssh, PowerShell Server, Remote Desktop, etc.
JP: On the MacBook?
GS: Yes
JP: What is the OS on the MacBook?
GS: There are two OS installed OS X and Windows 7
OW: And which one have you used?
GS: Both, or well yes I, both of them, I have used at various times.
OW: How long ago was it you used Mac part?
GS: No idea
OW: In the desktop computer, where there was a hard drive that was a bit loose, which had two partitions. My question is, the other partition what did you use it for?
GS: No idea, don’t remember.
JP: Do you remember what is located on the first partitions?
GS: How should I remember that? There are quite many months or years since it was partitioned.
JP: But the data on it is not that old is it?
GS: Yeah, I say what I said previously, it stood as a server. I do not know exactly what was on it. And it’s pretty ridiculous that you have to remember specific things like how my disks are partitioned so far into the future.
OW: The second hard drive which had a Linux OS installed, where you had six partitions. What are the last two partitions there, what do they contain, do you remember that?
GS: Do not remember.
OW: If we take your MacBook then, there was the Windows and Mac. You say you have used both the OS there.
GS: Both OS have been used on the computer and I want to emphasize that it is not me personally that has been using them recently.
OW: No, but have both been used?
GS: Yes, that sounds reasonable.
OW: In Windows, there are many accounts, do you remember who has had accounts on the computer?
GS: Yeah, I know approximately who they are, but…
OW: The account “A” for example?
GS: As I said I recall who they might be and I… for fear for my own life, I don’t choose… I don’t choose who they are.
OW: Are there people who have had physical access to your computers?
GS: In a couple of cases, yes.
OW: Over what period of time then?
GS: Some accounts have been used by multiple people.
OW: Over what period of time have these people had access to the computer physically?
GS: How would I be able to remember that?
OW: I don’t know.
GS: No exactly.
OW: But is it like a day, a week, a month or a year?
GS: How would I be able to remember that? How did you think that… I don’t write a diary.
OW: Yes. You have already talked about how others could access your computers remotely.
GS: Yes.
OW: Who could do that?
GS: I refer to my previous answer.
JP: And how has it been possible to remote access them?
GS: PowerShell Server, Remote Desktop, both installed and active.
OW: What computer are you talking about?
GS: I’m assuming that we are talking about the laptop…
OW: Mm… Remote desktop…
GS: …yes and PowerShell server.
OW: How often has someone connected via Remote Desktop to it?
GS: Don’t know.
OW: Is it often?
GS: Don’t know.
OW: Do they connect via Remote Desktop?
GS: Answer yes. I’m assuming so anyway, I haven’t kept track.
OW: I looked at your log files on the Windows computer, there is not a single connection via Remote Desktop.
GS: Yes… That said, I refer to my previous answers. Remember that PowerShell server is used also.
OW: But you said the Remote Desktop as an example.
GS: I said it as an example yes.
OW: SSH you said too
GS: Yes and PowerShell Server
OW: These people then, who have accessed it. Do you want to say something about them?
GS: Answer no.
OW: Is there any reason you do not want to say…..?
GS: Yes, because I fear for my own life.
OW: These people that you are afraid of, is it people you’ve met physically, who have visited you?
GS: Yes.
JP: Why have they visited you?
GS: No comments.
OW: In Cambodia, which ISP did you have?
GS: Don’t remember.
OW: Cogetel, could that be it?
GS: Don’t remember.
OW: Do you use any VPS or cloud service?
GS: Don’t remember.
OW: Don’t remember or don’t want to say?
GS: Don’t want to say.
OW: On your Windows partition here on the Mac, you can see that your clock is reset quite frequently, manually. Why is that?
GS: Because the backup battery in the computer is broken.
OW: To clarify. What happens then?
GS: To clarify. What happens then? Well, then the clock resets.
OW: To which date?
GS: … or alternatively, alternatively displays wrong.
OW: To which date is it reset?
GS: Good question. It depends on, eh, if when the battery is like half… half… (unhearable)
OW: But most common is?
GS: If it’s entirely nulled so, no I don’t know what that is.
OW: Can it be 1st January 2001?
GS: That sounds like a reasonable epoch date. I can’t comment any more.
OW: When you… adjusted the time then, when it’s wrong… How do you usually do then? Do you set the correct date or how?
GS: I don’t remember.
OW: Do you sync against a server?
GS: Don’t remember.
OW: On your Windows partition, there is a file named t001a, 16 Gb size. Do you recognize that?
GS: Don’t remember.
OW: If we say that it’s a TrueCrypt container
GS: Don’t know.
OW: Nothing you know anything about?
GS: No
OW: Have you ever used it?
GS: I just said that I don’t know about it.
OW: You don’t know about it at all?
GS: No
OW: But it’s still created already 2010 I think it is.
GS: I just said that the time in the computer is wrong.
OW: Yes, not since 2010 I hope.
GS: Bad quality on that fucking… fucking Mac
OW: Mac?
JP: It was almost new 2010
OW: PuTTY do you use it?
GS: No comments.
OW: MG do you know him?
GS: No comments.
OW: Do not want to comment or are you scared or do not know, can you answer that?
GS: No comments.
OW: diROX…?
GS: No Comments
OW: We can see, or we know from before that you had e-mail contact with MG already in 2006.
GS: Now you don’t stick to the time…
OW: Yes, but the question is if you know him.
GS: Yes, I leave no comment on it.
OW: In your computer, there are a number of different log files, the connections you have done to Logica… or that’s in your computer against Logica systems, what were these log files from?
GS: Probably from those who used the computer. Either locally or, more likely remote.
OW: Have you seen these log files?
GS: Answer no. On which of the computers was that?
OW: It’s on the MacBook.
JP: Windows partition
OW: Yes, on your computers, there is a fairly large amount of data coming from Logica, now we’re talking two computers. How did it get there?
GS: Referring to previous answers.
JP: Which are?
GS: Referring to the previous answer.
OW: OK. I told you t001a was a TrueCrypt container, do you use the program TrueCrypt?
GS: No comment.
OW: Do you know if you autostart something with TrueCrypt?
GS: What?
OW: That it mounts anything when you start the computer?
GS: (Inaudible mumbling)
OW: I think we’ll do some questions, Joakim.
JP: Mm, exactly. As you may know MG is also served suspicion of the breach of Logica. And in his material we have found large amounts of chat logs… and now the question is: what username do you usually use on…..?
GS: Yeah, mine is pretty well known, Anakata
JP: Hmmm, do you use other one?
GS: Answer no.
JP: No?
GS: Not normally.
JP: Not normally. tLt. (Rest lost in transcription, MG chatting with tLt in logs.)
GS: I can not answer that.
JP: You can not answer that. In this chat, there’s quite a lot of evidence that a person who is called tLt would be involved in this breach of Logica. There are also indications that this person would be Gottfrid Svartholm Warg.
GS: So, I would like to point out that IRC does not have any form of registration of nicknames or something. It doesn’t require any passwords to…
JP: No.
GS: …
JP: But the nick Anakata is pretty well known.
GS: Yes
JP: Mm. For example diROX asks TiAMO where is Anakata? So he responds Cambodia, that’s correct isn’t it?
GS: That sounds reasonable.
JP: Later diROX writes, talking to tLt. tLt says he’s been very focused on z/OS. Do you know what that is?
GS: No I don’t.
JP: diROX then says that, yes, asks a bit and tLt says that maybe they should speak encryptedly and invites him to SSL mIRC on planet.wideopenbsd.org. Do you know that server?
GS: No Comments
JP: That’s a lot of material. tLt writes for example this also: “hello again, are you doing? right now I’m snorting amphetamine and swear a bit over the electricity, hope it doesn’t disappear again for 18 hours.” Could it be, perhaps that power is lost in Phnom Penh?
GS: I’ve been through lengthy power outages in Sweden too, so it…
JP: 18 hours is maybe a little…
GS: Locally in smaller areas I’ve experienced 36 hour outages.
JP: He also says, among other things… tLt, that he has an SSH key that he uses to backdoor an admin account
GS: Oh well
JP: tLt also writes: so download, and then he writes again that hoho they are so fucking owned, their RACF database tank/etc/passwd. Nothing you recognize?
GS: No
JP: Do you know what a RACF is?
GS: No Comments
JP: And you did not know MG?
GS: I said that I do not comment that.
JP: If we say like this then, in your computer we found a tool called HexMvsdump. Is it something you know anything about?
GS: No Comments
JP: Anyway here diROX writes asking, I need to access the police multi question and tLt replies that, have to crack the RACF database and it’s encrypted with DES encrypted with the password key and then tLt writes, I’m changing the password for a cop. Lower down he writes later, did you crack the db. Yes, says diROX. Looked through it briefly. Have you also gotten my HexMvsdump tool? No I don’t think so, tLt sends a link to Pastebin where it is, diROX replies now so (rest lost in OCR/transcription)
GS: No comments.
JP: Another excerpt here. tLt asking if diROX wants a pair of Infotorg accounts. Approximately 70000 and diROX asks if he has any police accounts. This is nothing you know anything about either?
JP: tLt also writes, I also have complete dumps of amongst others the bailiff registry, only that is 12 Gb haha, got hold of the table of contents, it’s a little easier to find fun things then. Do you know anything about this?
GS: I… just want to comment that bailiff records are public documents.
JP: In your computer we have found the records, which are 10.6 gig. It matches pretty well with this number. Do you have any comments about that?
GS: Nope. Can you show me the notorious bailiff register, what does it contain?
JP: Yes, I didn’t bring 12 Gb printed with me and so but…
GS: You did in the Pirate Bay trial.
JP: Yes, but you know, times change, unfortunately.
OW: Before the trial, you will see the material we present, of course.
JP: diROX also says he wants their records for the tax agency, tLt asks, don’t you want some money from the bailiff too. Yes says diROX, have 1700000 SEK in debt, tLt answers, yes if you have someone to put it on then maybe we can…
JP: Do you know of others who hang in #hack.se?
GS: No comments.
JP: In conjunction with this list of protected security numbers being put on Pastebin, diROX writes that the dump was stolen over a year ago, the one with the protected. tLt answers, yes. diROX responds, it didn’t even include names. tLt writes fuck what a lot of things, and then links to some files. tLt also writes that SPAR is not in the Infotorg/Sema/Logica anymore, however, makes KFMs register REX, you saw that I stole the entire thing.
OW: This specific dump, is it something that was on Pastebin that you recognize? That we talked about, with protected
GS: I’ve seen it on pastebin, yes.
OW: Have you had part of it yourself?
GS: Like I said I’ve seen it on… and it was as said only a list of social security numbers, no secret information in itself… More accurate way of saying it is that it’s the social security numbers for people with protected identities, not security numbers that are in itself protected.
OW: No, that’s right.
GS: I would personally be very surprised if it was on the Internet connected systems over. I assume that it is not…. intrusion has occurred…
JP: diROX also writes that, do you like Cambodia by the way? Mm, says tLt. diROX, found the border between Cambodia and Thailand to be pretty shitty. tLt, yes.
GS: And here I would like to comment that there is more than one Swedish person in Cambodia.
JP: Mm
GS: Even in time of writing, time of speaking
JP: tLt also pasted into a post, including where it says, port 443 is listening waiting for the APT callback, alert advancing port 443 threatening accepted persistent TCP connection from 93.1.86.1.70.54, port number, then commenting advanced printer typewriter fashion. Do you recognize this extract?
GS: No Comments
JP: In your computer, there is a script… exact same excerpt at least three times… And then tLt writes, well look at that. diROX asks, what does this mean now? tLt responds, yes, let get up some of that root. tLt, diROX writes and then, can you access everything now? There’s more; these are just a few excerpts contained in this material. Is that enough?
OW: Yeah, the last thing here, among others…. the script we talked about, there’s a lot of log files in your encrypted container, where this script is used. Do you know of it?
GS: Answer no.
OW: On your computer, in this encrypted container there is a file called prim.gz containing Logica RACF database that we talked about in the chat.
GS: I refer to the previous answer.
JP: Should we explain to the lawyer what RACF is?
ML: Yes, please.
JP: RACF database is a user permission database that Logica has in their mainframe systems, with usernames, details of passwords, and in cases where they have Infotorg accounts, also affiliation, organizational membership, and services or yes, company names and such things.
ML: Okay, thank you.
OW: When Logica themselves went through this intrusion, went through their system, they found a number of files that were uploaded to their system. Backdoors, various program files. They came from several different IP addresses. Common to these, many of them, is that they are on your computer, inside your encrypted container.
GS: Yes, I refer to previous answers.
OW: Eg a program called kuku, do you know that?
GS: I refer to the previous answer.
OW: During these breach so, he or they that did it. They compressed a whole lot of Logica’s material into tgz-files and then downloaded them with FTP. Even a portion of these compressed files are on your computer in…
GS: …referring to previous answers
OW: We spoke about a SSH key… in the chat, even that is in the encrypted container.
GS: Referring to my previous answer.
OW: In the computer there are also four files with usernames and passwords, it’s over 100 000. Anything you recognize?
GS: Referring to previous answers.
ML: Which computer?
OW: The MacBook. In your computer there is a file called just “out”, it includes a summary of data, raw data from the tax agency.
JP: I have it with me if you want to show it.
OW: Yes, no. This summary is about your security number, you.
GS: Partially I’m referring to previous answers and partially I also want to comment that I am somewhat famous. So there are a lot of reasons why people would look up my information… me.
OW: It’s not queries. They have withdrawn…
GS: Yes but queries… (interrupting each other)
GS: You understand what I mean…
OW: So it is not you who has done this?
GS: No
OW: There is one about Fredrik Neij too, the same.
GS: I refer to the same thing, he is famous too. Famous for having large debts, if it’s the bailiff it’s about then I would like to add that it seems likely.
JP: These are datasets… that are a little, not only at the tax agency, but several different dataset that the data is gathered from, it’s not only tax agency or or bailiff data.
GS: What data is it then?
JP: Datasets that you have… that are on your computer.
GS: Yes it is good that people have decided that I am guilty already from the start. Thanks for that.
JP: I’m sorry, that’s not what I meant. I meant…
GS: …that’s exactly what you meant
JP: I just meant that your computer contains these datasets that the summary is based on.
GS: Yes queries, summary, whatever… I’m still wondering what kind of data it is.
JP: Shall we show it in that case?
OW: Yes, you can do that.
JP: Then you can see for yourself.
JP: The file… name is out.txt
GS: Yes, this is easy to understand?
OW: It’s various data about you.
GS: But where is it from? Half of it is entirely impossible to understand. Then there are some tips I can guess are cash amounts and… some obvious dates… so congratulations, somebody has done a credit check on me.
JP: If it now is a credit check…
GS: I’m guessing that it is.
JP: Considering that the dataset names are also here, D044, and the prefix D044… so it is very unlikely that it would be a credit check.
GS: Equivalent information at least.
OW: A last question about Logica here. We spoke about these social security numbers, the list with the security numbers that was on Pastebin. In your computer you have, in two places, that list.
GS: I’m referring to previous answers.
OW: There is an Excel spreadsheet called infotorgusers. It contains around 3 000 names, people and their permissions in Infotorg. The main portion of these people are police employees. Do you know of this list?
GS: Answer no
OW: Does the lawyer have any questions regarding what we have talked about now?
ML: I don’t have any questions about what we talked about now.
OW: The time is 10:40 and we finish the hearing regarding Logica.
