How the AFP nabbed an Aussie Anonymous hacker

In early 2013, the Australian Federal Police’s cyber crime officers decided to focus their efforts on hacktivism: issue-motivated groups and disaffected individuals aiming to steal data and deface or disrupt private and public sector websites, under what they dubbed Operation Alastria.

Their attention quickly turned to the Anonymous collective.

Late that year, secret documents leaked by former NSA contractor Edward Snowden revealed the Australian government had tried to monitor the Indonesian president and several of his close affiliates.

It caused a war to break out between Australian and Indonesian hackers connected to the Anonymous movement.

A group calling itself Anonymous Indonesia launched attacks against random Australian websites, which was not well received by local hackers.

They told the Indonesians to target the websites of the government and spy agencies involved in the Snowden reports instead, which the Indonesian group subsequently did.

But they also continued to target other, unrelated, websites, incurring the wrath of local hackers.

One, the infamous Lorax, well-known for his radio show Lorax Live, came across a free DNS service - afraid/org - that was utilised by some Indonesian government departments.

He realised he could add new subdomains to Indonesian government domains managed by the service, so he did, and pointed the new subdomains to shock site Meatspin.

Absantos

Lorax had been under surveillance by the AFP for several years prior, making the hacker well-known to the force, but it was while they were monitoring his activity that they came across Absantos.

The hacker - who also went by Juzzy - was active on the Op Australia channel of the AnonOps IRC network, and associated with Lorax and another hacker dubbed Rax that were engaged with the Indonesian Anonymous group.

“At this stage I suspected that Absantos had played a role in the extra subdomains being added,” federal cyber crime agent Jade Newman-Andrews told last week’s ACSC 2017 conference.

“This is where I started becoming more concerned about Absantos.”

Monitoring the AnonOps channel, the AFP watched as Absantos taunted another individual on the channel with their IP address and mobile phone model, which he’d obtained after having gained access to the database of the ACT Long Service Board.

He'd exploited an Adobe ColdFusion vulnerability in the web server of an internet service provider called NetSpeed to access its customers' credentials, and subsequently the ACT Long Service Board server, then uploaded shells that gave him privileges reserved for administrators.

At this point, the AFP was starting to pull together Absantos’ approximate physical whereabouts through a range of digital, human, and open source intelligence tools. It had already managed to uncover the 19-year-old's real-life identity through the same tools.

“We were getting relatively good insights into what Absantos was doing most of the time and the types of crimes he was committing,” Newman-Andrews said.

“Our online covert employees continued to engage Absantos with far more insights into who he actually was.”

But it didn’t yet have enough to charge the hacker with the two offences - the Indonesian subdomain redirections and NetSpeed intrusion - that it suspected him of committing.

Between March and June 2014, the AFP intercepted the hacker’s data, voice, and SMS to gather more evidence on his activities.

This interception soon gave the force enough information to get search warrants signed by a judge. They also managed to get one for Lorax in Perth, who was charged with being involved in the 2012 hack of Melbourne IT as well as over the Indonesian government domain redirects.

When they went through Absantos' door at midnight on May 22, the hacker was nowhere to be seen, but his laptop was on his bed in sleep mode, with no password required to wake it.

What police found were open terminals containing records of his offences, a logged-in Facebook session, and open chat and mail clients, among other things.

Absantos himself was located about four hours later on a park bench metres away from the Sydney apartment, where he watched the search warrant being executed.

He was arrested two hours after being spotted, and released later that day with strict conditions around internet access.

Analysis of Absantos’ laptop following the raid resulted in the hacker being charged with 60 offences out of an alleged 300, Newman-Andrews said.

Twenty-one victims - including NetSpeed as well as Telstra, CSC, Victoria Police, ASIO, Hurstville City Council, Corrective Services NSW, the US Defence agency, and NATO - were identified.

Favoured techniques

Combing through his history and chat logs, police discovered Absantos had used the Heartbleed vulnerability to gain access to servers, in particular one belonging to Telstra that provided remote access for staff members to the internal Telstra network.

Absantos had exploited Heartbleed to exfiltrate data from the Telstra server, including system names, passwords, and billing information, Newman-Andrews said.

His goal was to obtain usernames and passwords so he could gain further access to a targeted server, then upload exploits.

Telstra had captured the traffic between its server and Absantos’ computer at the time of the attack, and confirmed the offence and provided an incident report to the police.

Police found further evidence of another victim - CSC - which Absantos and a Danish hacker dubbed ‘Panda’ targeted via SQL injection.

Panda had gained access to a CSC server through a web form whilst chatting to Absantos three days before police executed the May search warrant, Newman-Andrews revealed. The server in question was designed to collect data from back-up master servers and report back on their status.

“Absantos thought he would help out initially by telling Panda to download the users from the CSC database and upload shells on the server to gain further access,” Newman-Andrews said.

But he later decided to help directly by identifying a vulnerable injection point, and downloading tables from the database. His chat logs revealed Absantos told Panda he had logged on to the CSC site as an employee.

The hacker then explored ways to exploit the web form’s upload functionality, but “got bored of the intrusion and went out partying for the next several days before the search warrant”. CSC similarly provided the police with a report of the incident.

Through the courts

The AFP had spent two months going through Absantos' laptop by this point. 

He would later plead guilty to 21 charges of computer hacking in June 2015, and was sentenced in October 2015 to 12 months in prison and a three-year recognisance.

In March 2016, Lorax was given two years’ suspended imprisonment, as well as 200 hours of community service and an intensive supervision order.