Logica, National Special Event: Morgan (part 1)
Logica discovered that their systems had been breached on 6th March 2012. 16 days later they filed a report to the Swedish police. The extent of the breach was unknown, and it was assumed at the beginning that all information handled by the company had leaked. It was soon confirmed that the social security numbers of over 10 000 individuals with protected identities had been stolen from the mainframes.
This writing is split into multiple parts; links to the following parts will be added as they are published.
The investigation work was found to be outside the Security Police’s scope and RPS (national police) initiated the work. All affected staff in the national police forces, the tax agency and the bailiff agency received information about the incident. A big meeting was held on 23rd March to organize the investigation; approximately 40 people attended. The work was divided into smaller groups, where each company and governmental agency had at least one representative in each group.
In the following weeks a large portion of the involved staff had their hands full. The security service assisted the national police agencies. The incident was considered so serious that on 28th March the head police chief declared a national special event in accordance with Ordinance (1989:773), with instructions to the national police to coordinate the police tasks and cooperate with external governmental agencies.
The Swedish police did its investigation at a flat rate price of 920 kr/hour, the same price the police charge for covering sports events. The calculation below is based only on the work that RPS spent on “handling the incident and securing that the information used in the investigation is trustworthy” (sic).
RPS Activity protection: 1 273 599,00 kr
RPS Communications department: No data
RPS/RKP: 63 480,00 kr
RPS/PVS: 713 000,00 kr
RPS System owners: No data
SÄPO (Security Service): 2 300 000,00 kr
HK Management: 36 800,00 kr
PVS Management staff: No data
Remaining work (estimated): 326 792,00 kr
Total: 4 533 823,00 kr
“Virtually all communication between suspects has occurred or is occurring through the IRC channel #hack.se. In there people are relatively openly discussing hacking and “everybody” knows what is happening, is involved to some extent or have an overview of what is going on. (sic)”
Fishing in Ludvika
By analyzing logfiles from Logica and subsequent IP tracing it was found that multiple IP addresses pointed to a relatively small geographical area in Ludvika, Sweden. There was therefore reason to suspect that one and the same person had used multiple wireless networks. Multiple queries done on Infotorg’s web interface could be connected to diROX, suspect “MG”, through internal reconnaissance.
On suspect MG’s cellphone forensics personnel found the Infotorg app installed, which should only be available to companies, organizations and governmental agencies that are Infotorg customers. When forensics personnel started the app, the saved username was “KURS104”. MG’s cellphone also contained an installed port scanner app, which when started had “ftp.infotorg.se” prefilled in the host field.
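The correlation described above (one account, many source addresses, all geolocating to one small area) is the kind of signal a service owner can hunt for in its own access logs before an investigation ever starts. The following is an added example and not code from the article or from the investigation: it parses constructed log lines in an assumed `timestamp src=IP user=ACCOUNT` format, looks each address up in a constructed IP-to-coordinate table that stands in for a real geolocation lookup, and flags accounts used from several distinct addresses that all lie within a few kilometres of each other. The 5 km radius and the three-address threshold are assumptions to tune against real data.

```python
import re
from collections import defaultdict
from math import radians, sin, cos, asin, sqrt

# Constructed sample access log (not from Logica or Infotorg). Assumed format:
# <timestamp> src=<ip> user=<account> action=<what>
SAMPLE_LOG = """\
2012-03-10T16:54:01 src=198.51.100.11 user=acct01 action=query
2012-03-10T17:02:13 src=198.51.100.12 user=acct01 action=query
2012-03-11T20:15:44 src=198.51.100.13 user=acct01 action=query
2012-03-12T09:01:02 src=203.0.113.40 user=acct01 action=query
2012-03-12T09:05:30 src=198.51.100.12 user=acct02 action=query
"""

# Constructed IP -> (lat, lon) table standing in for a geolocation database.
# Three addresses sit a few hundred metres apart; the fourth is ~200 km away.
GEO = {
    "198.51.100.11": (60.150, 15.190),
    "198.51.100.12": (60.153, 15.196),
    "198.51.100.13": (60.148, 15.185),
    "203.0.113.40": (59.330, 18.070),
}

LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+)")


def parse_log(text):
    """Parse log lines into (timestamp, src_ip, account) tuples; skip junk lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append((m["ts"], m["src"], m["user"]))
    return events


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def cluster_ips(ips, geo, radius_km):
    """Single-linkage clustering: two addresses are linked when they geolocate
    within radius_km of each other. Addresses missing from geo are ignored."""
    ips = [ip for ip in ips if ip in geo]
    parent = {ip: ip for ip in ips}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for i, a in enumerate(ips):
        for b in ips[i + 1:]:
            if haversine_km(geo[a], geo[b]) <= radius_km:
                parent[find(a)] = find(b)
    groups = defaultdict(list)
    for ip in ips:
        groups[find(ip)].append(ip)
    return [sorted(g) for g in groups.values()]


def suspicious_accounts(events, geo, radius_km=5.0, min_ips=3):
    """Return {account: [[ip, ...], ...]} for accounts that were used from at
    least min_ips distinct source addresses all within radius_km of each other."""
    by_account = defaultdict(set)
    for _ts, src, user in events:
        by_account[user].add(src)
    hits = {}
    for user, ips in sorted(by_account.items()):
        for group in cluster_ips(sorted(ips), geo, radius_km):
            if len(group) >= min_ips:
                hits.setdefault(user, []).append(group)
    return hits


if __name__ == "__main__":
    for account, groups in suspicious_accounts(parse_log(SAMPLE_LOG), GEO).items():
        for group in groups:
            print(f"{account}: {len(group)} nearby source addresses {group}")
```

On the constructed input only `acct01` is flagged, with the three Ludvika-like addresses grouped together and the distant fourth address left out; `acct02` is seen from a single address and is not reported. A real deployment would swap the table for a geolocation lookup and would also want a time window, since a legitimate user can accumulate many nearby addresses over years.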
On an SD card found in MG’s cellphone the forensics personnel found, in the path /u1/Ubuntu One/Linux/Hacking/, the programs reaver_v1.4 and wpstools, which can be used to break into WiFi networks. In the Keys folder they discovered folders named wep, wpa-captures, wpa-knackt and wpa-oknackt (Swedish for “cracked” and “uncracked”). In wpa-knackt they found the text documents 54-E6-FC-BE-80-9A_Backe.txt and A0-21-B7-7A-3E-7E_LINNEA_Network.txt, containing identification details and login credentials for WiFi networks that had been used to access Infotorg/Logica servers.
Much of the contents of the SD card were also retrieved from an FTP account on Passagen.se and from Ubuntu One, with the nickname dirox and the e-mail address [email protected]. On a computer seized by the police from diROX they found browsing history for his ftp.passagen.se account, using the password qw97p48z.
Screenshots seized from diROX’s Ubuntu One cloud storage show somebody was signed into hacked Infotorg accounts at the same time as browsing social media sites like Facebook and Helgon while chatting on MSN and reading Gmail account luciddream:
Large numbers of files with usernames and passwords for Infotorg accounts were discovered in MG’s possession, along with multiple files containing passwords to hacked WiFi access points located around his address. On his passagen.se FTP account the investigators found large amounts of logfiles containing communication with tLt. On MG’s Ubuntu One account they found a large amount of datasets matching the data that had been downloaded from Logica mainframes. There were also traces of intrusions targeting Logica and Infotorg dated 2010, 2011 and 2012, both connections to Logica mainframes and queries in Infotorg.
15th April 2012
MG was heard in regards to being suspected of hacking, or alternatively assisting hacking, between 25th February and 15th April 2012. MG is suspected of illegally accessing and searching in the Logica-hosted Infotorg registries.
MG is informed about his right to have a lawyer present but chooses to be heard alone. MG denies crime. He states that he has signed into Infotorg from his own or his girlfriend’s computer a few times. At these times he had found some passwords on the Internet that other people had posted. MG states that he has used his own social security number to log in using these passwords. MG considers himself to be pretty good at handling computers. His girlfriend’s name is LB and she owns an IBM laptop protected by the password phrase FITTJUV.
MG is asked if he really doesn’t want a lawyer present and after thinking for a while says that perhaps that would be a good idea. MG requests Björn H. The hearing is cancelled.
15th April 2012, 14:00
Two police officers transported diROX from Borlänge to Stockholm. The trip took 2.5 hours and the three of them had a social conversation during the whole time. diROX was disappointed over his life and thought that he had let his parents and his girlfriend down. diROX asked what kind of punishment he would be facing for hacking and asserted his girlfriend’s innocence. He also said that he had found passwords on the Internet and tried whether they worked. According to himself he had only queried information about himself. He added that “there are more people involved, not only him.”
17th April 2012, 14:10
MG admits crime as soon as the suspicions are presented. He says that he has only been logged into Infotorg’s website. He states that he has Linux experience, is not very good at networking and has no programming knowledge. Interrogators ask why he has been googling about Infotorg; MG replies that he hasn’t been looking for anything specific. MG says that he found login credentials on a Swedish forum whose name he has forgotten. He claims to have tried around 5 accounts and that he doesn’t have anything on his computer since it was lost in a reinstall done “the other day”.
MG says that he was logged into Infotorg “maybe a week ago” and has only been looking up himself and his friends in the registry. MG says that he has been acting alone and doesn’t know if he has shared the information with anybody else.
Interrogators bring up his .bash_history file, where he is grepping a file named log.txt for the string Ludvika. Interrogators bring up that his girlfriend has stated in hearings that he can hack into wireless networks, and that MG accesses access points in the area. He names his passwords as fittjuv and apa123 on his computers, apa123 being his most commonly used password.
16th May 2012, 09:00
MG is informed that the suspicions have been extended from 25th February 2012 – 15th April 2012 to January 2010 – 15th April 2012. MG says that he doesn’t think so and denies. When asked if he’s denying both Logica and Infotorg he responds that he possibly may have been illegally accessing Infotorg since 2010. Interrogators continue asking about the .bash_history file found on MG’s girlfriend’s computer which contains data about Infotorg. MG doesn’t know anything about it, except the name Infotorg. MG denies knowledge about a memory card containing a folder called Infotorg, which his girlfriend has said in a hearing belongs to him. He also denies using cloud services and the hearing is ended shortly after.
14th June 2012
Interrogator asks if MG has gotten the Infotorg accounts from somebody, MG responds “unfortunately no” and continues stating that he just finds them, but doesn’t want to say where. Interrogator asks if MG knows the IRC channel #hack.se, which he does and he has been there before but doesn’t know how long ago or what nickname he used. The nickname diROX sounds familiar to MG, but he says it is not his and he doesn’t know him. MG is asked about KS (suspect #2) and his IRC nickname used in #hack.se. The interrogator tells MG that KS is also detained as part of the investigation of the case.
The interrogators explain that they have found material from Infotorg and Logica on computers seized from KS. MG denies that KS has received such data from him. The interrogator says that KS has said that MG is diROX, MG denies and says that he doesn’t think that he has used that nickname but he has seen it. MG doesn’t know if it is his nickname or somebody else’s. The interrogator tells him that they have seen in his computers that MG is in fact diROX.
The interrogator continues listing nicknames from #hack.se which MG confirms he has seen and spoken to. The interrogator asks if MG recognizes the nickname Anakata. MG says that Anakata is Gottfrid from The Pirate Bay. Interrogator asks if he knows TiAMO, which he does from The Pirate Bay and #hack.se but they haven’t spoken.
The interrogator asks about what they talk about in #hack.se, and says that KS has said in a hearing that the latest topics have been the hacking of Logica and Infotorg. The interrogator explains that KS has named MG as connected to the attacks on the two named targets. MG denies that he is involved or that he knows anybody that is.
18th June 2012
Interrogators clarify that MG is suspected of retrieving data from Logica mainframes and manipulating RACF. MG doesn’t understand. Interrogators ask about RACF and talk about traces they have found in MG’s possession. MG doesn’t know anything about RACF and denies retrieving info from the mainframes. MG doesn’t understand anything except that Logica has been breached.
Interrogators continue by asking if MG knows about Infotorg, which he does, but he has no idea who’s running it. Interrogators ask if he knows what a mainframe is; MG explains that they are computers that can handle pretty much anything.
Interrogators clarify that MG is suspected of visiting Logica mainframes, manipulating RACF and doing unauthorized queries in Infotorg. MG admits the Infotorg parts and knows that he isn’t allowed to do what he’s done using other people’s accounts.
Interrogators name the third suspicion, that MG has illegally broken into and used his neighbors’ WiFi networks, which MG admits he has. Interrogators explain that MG’s IP address has been found in Logica mainframe logs along with his neighbors’ IP addresses.
After the interrogators continuously state that suspect KS has named MG as diROX, and that the nickname is found on MG’s computers and in his neighbors’ network activity, he says that maybe he has used that nickname sometimes. MG admits that he has received several hundred Infotorg accounts from somebody on IRC but doesn’t want to say who gave them to him, although he knows who did.
MG denies that he has downloaded any data from any intrusion except saved queries he’s done on his friends in Infotorg. The interrogator asks if those friends of his could have been Hells Angels members, to which MG responds “maybe”.
The interrogator says that he finds it strange that MG is admitting some things but not others and asks why that is. MG replies that he hasn’t done some of the things. The interrogator continues, stating that they have data proving otherwise, which MG finds strange and doesn’t believe. When asked if MG thinks they are bluffing, he responds yes. The interrogators explain that there is more than they have told him, such as logs from CSN and IRC logs from #hack.se.
“We suspect or we strongly believe that you are not alone in this, we think that there are many more involved. The problem is that we can’t prove it. We only have what we have from you, so to speak.”
After chatting about his WiFi hacking activities the interrogators start pressuring him to reveal the identity of the person that supposedly gave the Infotorg access to MG, stating that KS has said that MG is diROX and that diROX is somebody involved in these matters. MG doesn’t know, and the interrogators continue by verifying that MG admits two out of three charges. MG states that he knows somebody who has hacked the Logica mainframe on which Infotorg is run, but doesn’t know if they acted alone or how it happened.
“You don’t know. Have you been like a little hangaround, maybe you haven’t been allowed to be in the gang and haven’t really…?”
MG says that he thinks so. When asked he replies that he didn’t give anything in return for the data that he has received from an unnamed somebody or somebodies. He doesn’t know if it’s a criminal gang that has breached the mainframes or a loner.
JP: No… But, as long as you don’t want to tell it’s a little… then there are problems. We can’t… Because we know a lot of things that we can’t or want to tell, and if you don’t want to tell then we don’t get anywhere with this. Is there anything you would like to tell us that you think is important for us, without revealing too much?
MG: I don’t know, I can’t think of anything.
JP: It’s very sad when you can’t… that you can’t or don’t want to tell. That’s how it is. It would be better for yourself to say and…
MG: That I… (inaudible)
JP: But why so to speak?
MG: No, but then I will have problems later.
JP: Oh. So you’re afraid that they will retaliate?
JP: OK. But how do you think it’s going to look later when you… when you’re released and this goes to court and we put up all the evidence? Then you will start to think anyway about what you said or why you were so careless to leave chat…
MG: Because of this chat?
JP: No, but why… We have found your chatlogs.
JP: You don’t think that these people that you are afraid of will start to consider anyhow?
Lawyer: That is not an appropriate question to ask!
JP: Do you want to ask a question or what are you saying?
Lawyer: No, but I think it’s inappropriate that you formulate your question that way and put him in a corner saying he’s risking retaliation anyway. The court says that you can’t force somebody to say something that they don’t want to say if they are afraid of retaliation. Your question formulated that way (inaudible) and I don’t think that is an appropriate question.
Fhl: Yes, it is noted. But, we can ask that question anyway, I think. Do you have any comments on it then?
6th November 2012
MG voluntarily chooses not to have any legal defense at this hearing.
MG is asked what nicknames he’s using on IRC, he responds that he has difficulties with his memory sometimes. MG remembers that he used many different nicknames, among others diROX and Matte76.
Interrogators ask about Gottfrid Svartholm Warg. MG replies that he knows GSW, that they have met personally, but doesn’t remember how long ago. MG says that GSW has said on IRC that he was in Cambodia, that he left after The Pirate Bay conviction. MG says that he doesn’t remember the nickname GSW used when they spoke on IRC.
Interrogators ask what computer knowledge GSW has. MG replies that GSW is very smart and knowing. MG considers himself good at computers but states that GSW beats him in computer science.
MG is informed about IRC conversation logs. MG is shown chat traffic retrieved from diROX’s Passagen.se FTP account between the aliases diROX and tLt, from 2012-03-10 16:54-16:56 and 2012-03-25 21:11-21:15, and is asked to comment on this log. MG spontaneously replies that tLt is Gottfrid Svartholm Warg. He remembers it clearly. He also says that the second conversation, where tLt talks about Infotorg accounts, proves that MG has always been right in what he has been trying to explain: that he himself doesn’t have anything to do with these accounts. MG states that he has only tried logging in to a few of those accounts, but that other people have breached the systems. MG doesn’t want to name those individuals.