The Department of Justice has announced the arrest of two North Carolina based members of the group “Crackas With Attitude” who famously broke into the AOL email account of CIA Director John Brennan and the Verizon account of Director of National Intelligence James Clapper last year.
Motherboard on Crackas With Attitude #CWA
Often hackers will find a sympathetic listening ear in the form of a journalist, and the original bad boy of CWA did so with Lorenzo Franceschi-Bicchierai, who writes for Motherboard at Vice.com.
Lorenzo’s headlines about CWA tell the timeline of the case:
- Teen Hackers: A ‘5-year-old’ Could Have Hacked into CIA Director’s Emails
- Alleged Hacker Behind John Brennan Email Breach: ‘I Don’t Want to go to Jail’
- Teen Hackers Who Doxed CIA Chief Are Targeting More Government Officials
- Teenage Hackers Say They’ve Doxed More Than 2,000 Government Employees
- The Dox of More than 2,300 Government Employees Might Be Worse Than We Thought
- Teenage Hackers Return With New List of Government Employees
- The FBI is Worried About Hacktivists Targeting Politicians and Cops
- Teen Who Hacked CIA Email Is Back to Prank US Spy Chief
- Teen Hacker Claims Another Victim in Campaign Against Government
- Teens Who Hacked CIA Director Also Hit White House Official
- Hackers Dox Miami Police Officers with Data Stolen from Government Database
- Hacker Published Personal Info of 20,000 FBI Agents
- Teen Allegedly Behind CIA, FBI Breaches: “They’re Trying to Ruin My Life.”
- Teenage Hackers Promise More Government Hacks After Alleged Leader’s Arrest
- No One’s Emails Are Safe, Says CIA Director Who Got Hacked
- Police Arrest Second Alleged Member of Teen Group that Hacked CIA Director
All of the articles above can be found by using the Motherboard tag “Crackas With Attitude”
And then, finally, this one:
The Arrest of @Incursio and @_D3f4ult (Andrew Boggs and Justin Liverman)
The two Americans who were arrested were Andrew Otto Boggs, 22, from North Wilkesboro, North Carolina, who is behind the online moniker Incursio and Justin Gray Liverman, 24, from Morehead City, North Carolina, who is behind the online moniker @_D3F4ULT.
Like many hackers, Boggs and Liverman both lived with their parents. In fact, Boggs was arrested because Twitter records showed that he created and frequently logged in from one of his several #CWA Twitter accounts, @GenuinelySpooky, from a Charter Communications IP address that subscriber records revealed was his father’s home, where he lived. Exactly the same thing happened to Liverman, who used the Twitter account @_D3F4ULT from an Time Warner Cable IP address that was registered to his mother, Edith Liverman, with whom he was living at the time.
While Twitter “private messages” are not revealed to the public at large, they still contained pretty damning information. The 37 page criminal complaint, an affidavit prepared by a thorough FBI agent, reveals that the two adult Americans were participating in this conspiracy with three British teenagers who were known as CRACKA (AKA @PORNG0D, @PHPHAX, @DICKREJECT), who was 17 years old, DERP (AKA @DERPLAUGHING) also 17, and CUBED (AKA @FRUITYHAX) who was 15 years old. The other three have all been identified and apprehended in the United Kingdom, where their identities are protected due to their minor status.
In addition to @_D3F4ULT, Liverman used the handles @BASHTIEN_ and @SH1N0D4.
Boggs also used the identities @INCURSIOSUBTER and @GENUINELYSPOOKY.
Social Engineering the Law Enforcement Enterprise Portal (LEEP)
While the affidavit refers to “Victim 1” and “Victim 2”, public reporting about these accounts make it clear that Victim 1 is CIA Director John Brennan and Victim 2 is FBI Deputy Director Mark Giuliano. The affidavit explains that “In or about November 2015” the hackers used Victim 2’s credentials to log in to the Law Enforcement Enterprise Portal. LEEP is a Very Big Deal, because it has information to basically everything about federal law enforcement, including directories of law enforcement officers who have been granted access to the system to enhance their state and local policing capabilities. The Joint Automated Booking System (JABS), the Internet Crime Complaint Center (IC3.gov) and the Virtual Command Center/Special Interest Group can all be access through LEEP. Imagine that! Cybercriminals with full unlimited access to the details of every cybercrime complaint that has been made to the Internet Crime Complaint Center!
But that isn’t how they used the information.
On November 4, 2015, Cracka sent a screen shot of the LEEP computer system login page, showing that he was logged in to Giuliano’s account. When Liverman asked what type of information was there, Cracka replied “every law enforcement info. fucking shaking.” Liverman replied “holy fucking shittttttt.” Liverman then asks Cracka to search by state/city and requested the list of officers in Miami, which Cracka sent via Jabber message at 18:43 EST that evening. This is the list of 80 Miami-area officers that was blasted out as their first LEET related “doxing.” The list was found on Liverman’s hard drive, pursuant to a lawful search warrant, in a file named “miami_officers.txt”.
The following day, Cracka posted links from his @PHPHAX twitter account to copies of the records for Jeremy Hammond (a hacker who participated in the Anonymous movement) that had been obtained through JABS. He tied this event to November 5th, the date associated with the Anonymous/Guy Fawkes chant “Remember, remember, the fifth of November”, a date associated with anti-government actions due to the Gunpowder Treason in 1605, when Guy Fawkes and others attempted to blow up the House of Lords.
In January 2016, they posted publicly the names, work telephone numbers, emails, and titles of 80 police officers in the Miami area, dumped from the LEEP system back in November.
After being locked out of the LEEP system, the hackers tried repeatedly to social engineer their way back in. The FBI has recordings of 34 calls placed to the LEEP help desk and 56 calls placed to the CJIS (Criminal Justice Information System) help desk attempting to regain acess to the system.
Charges Against CWA Hackers
a. 18 USC § 912 – falsely assuming or pretending to be an officer or employee of the US Government to obtain money, paper, documents, or any thing of value
b. 18 USC § 1028A – knowingly transfering, possessing, or using without lawful authority a means of identification of another person during and in relation to the commission of a felony
c. 18 USC § 1030(a)(2)(B) – intentionally accessing a computer without authorization or exceeding authorized access to obtain information from any department or agency of the US Government
d. 18 USC § 1030(a)(2)(C) – intentionally accessing a computer without authorization or exceeding authorized access to obtain information from a protected computer
e. 18 USC § 1030(a)(3) – intentionally without authorization accessing a nonpublic computer of the United States that is exclusively for the use of the Government of the United States
f. 18 USC § 1038 – engaging in conduct with the intent to convey false or misleading information where such information may reasonably be believed that activity has taken, is taking, or will take place that would constitute a violation of chapter 40 of Title 18 (18 USC 40 is about explosives – so this is about making a bomb threat)
g. 47 USC § 223 – making a telephone call intented to abuse, threaten or harass any specific person without disclosing identity.
A Look Into Motivations
Here’s an interesting example exchange between Boggs (@Genuinelyspooky) and Cracka (@PHPHax):
@GenuinelySpooky: I’m going to help you with 0wning the [agency where Victim #1 worked]. I’ve been looking for evidence of aliens since Gary.
@PHPHax: i fucking own this loser, i have just released emails of them admitting to torture.
@GenuinelySpooky: If you need any publishing done, let me know. I’ll go Charlotte and use public wifi to publish the stolen information.
@PHPHax: that sounds great 🙂
Really? The reference to Gary is to Gary McKinnon, the UFO conspiracy theorist who was arrested for hacking NASA. He has posted many things on social media claiming that while in the NASA systems he found “proof” that NASA knows all about the aliens living among us.
Cracka broke into John Brennan’s account by calling Verizon technical support, impersonating a Verizon employee, and getting them to share certain information, including the last four digits of the credit card being used to pay the Verizon bill. He then used that information in a call to AOL to convince them he was Brennan and get them to reset the AOL password. WIRED tells more of that story in “Teen Who Hacked CIA Director’s Email Tells How He Did It”.
Cracka was thrilled with the publicity he was getting, boasting about his interview with the New York Times about the Brennan hack via Twitter direct messages with Boggs.
Cracka told Liverman about his access to the FBI Deputy Director’s account, including the last four digits of his Social Security Number, access to his Comcast account and other information, including a screen shot of the Comcast billing information. Cracka revealed to Liverman that the Comcast account contained an address book with at least 200 contacts, including many government people. Several of these screen shots were posted to a Facebook account using the name “Joseph Markowicz” that was registered using the same email address as the Twitter account @_D3F4ULT. On several occasions, the same proxy IP address was used to access both the Twitter account and the Facebook account in close succession. The Comcast details also provided the hackers with detailed call logs, showing who the FBI Deputy Director called and on what numbers. By calling several of these telephone numbers, they were able to locate the government cell phone number of the FBI DD. They paid $20 to launch a “phone-bombing” attack against the number, which caused anonymized calls to be placed to the phone every hour for thirty consecutive days.
They also sent insulting and threatening text messages to the cell phone, including one (using the redacting from the affidavit:
“Listen here you fucking boomer, we will destroy your reputation. Just like [two senior US government officials, including Victim 1]…I guess you couldn’t handle us jacking your Comcast ISP accounts too many times so you actually canceled your account! And telling me to ‘watch my back’ wasn’t a good idea lol. How is your [derogatory comment][incorrect spouse name]? We will keep a close eye on your family, especially your son!”
Liverman made a Bandicam (video screen capture recording software) video of himself creating a dark market account in Giuliano’s name on the Abraxas Market (where drugs are often sold using Bitcoin.) He also posted Facebook messages to many accounts inviting “sexy nudes” to be sent to the FBI-owned cell phone number and tweeted the same from the @_D3F4ULT account.
Ridiculing Federal government authorities and insulting them and their family members was part of the motivation. The fact that the very first thing that crosses their minds when they had full access to every criminal record in the United States was to search for information about the arrested Anonymous hacker Jeremy Hammond helps to cast this as an “Us versus Them” battle between hackers and the U.S. Government.
DOJ Civil Division information
On February 3, 2016, Cracka and Liverman had a Jabber chat where Cracka reveals:
“…i owned the entire doj. like, all doj agencies so fbi, dea, Interpol, dhs. i’m sitting here with 20k fbi employee names, country, email, phone number, title. i have access to a doj computer”
As proof, Cracka shared screenshots of this with Liverman.
Tweets related to this data started showing up on January 30, 2016, when @DOTGOVS tweeted “9,000 @DHSGov employees.” with a partial screenshot of personnel information. About twenty minutes later the same account tweeted “Why do we have 20,000 @FBI employees: names, phone numbers, countries, and emails? Including ones abroad :).”
While this information is not supposed to be publicly available via the Internet, the DOJ Justice Security Operations Center determined that the DOJ Civil Division help desk had been socially engineered to provide a contract employee’s credentials. These credentials were used multiple times between Jan 27, 2016 and Feb 2, 2016 to access the CIMS (Case Information Management System) application.
On February 7, @DOTGOVS tweeted links to the website “cryptobin.org” providing a password for decrypting the files, which included the 9,000 DHS.gov employees information and the 20,000 FBI employees’ information.
Several members of the conspiracy became involved with propagating these materials, sharing the information on Pastebin, Ghostbin, IndyBay and other locations. While it seems the 17-year old “Cracka” was the primary person to infiltrate the DOJ systems, the others were certainly encouraging such activity, asking for custom searches within the data, and gleeful in their attempts to help leak sensitive government information to the public through their repeated posts and reposts of the information.
This is a Security Bloggers Network syndicated blog post authored by Gary Warner, UAB / PhishMe. Read the original post at: CyberCrime & Doing Time