Feds Bust Alleged 'Crackas With Attitude' Hackers

Group Claimed Credit for Dumping CIA Director's AOL Emails

Two men allegedly tied to the hacking group "Crackas With Attitude" have been arrested as part of an investigation into hacks against U.S. government systems as well as senior government officials, including CIA Director John Brennan's personal AOL email account.

Andrew Otto Boggs, a.k.a. "Incursio," 22, and Justin Gray Liverman, a.k.a. "D3f4ult," 24, were both arrested Sept. 8 in North Carolina as part of a joint operation involving the FBI and the U.S. Secret Service, according to the Justice Department.

The men have been charged with conspiring to violate numerous federal laws, including falsely impersonating an officer or employee of the United States, aggravated identity theft, computer-related fraud, providing false information or perpetuating hoaxes as well as making harassing telephone calls.

The FBI alleges that the Crackas with Attitude group included not just Boggs and Liverman, but also three individuals based in the United Kingdom - Cracka, 17; Derp, 17; and Cubed, 15 - who legally cannot be named because of their ages. They were arrested in January and February (see UK Police Arrest Suspect Over CIA Director's Email Hack).

Boggs and Liverman are due to first appear in federal court next week.

The FBI's affidavit details Crackas With Attitude suspects and Twitter handles.

According to charging documents filed in federal court Sept. 2 and unsealed Sept. 8, Cracka - using the Twitter screen name @Porng0d - first began exchanging Twitter direct messages with the Twitter account @GenuinelySpooky, controlled by Boggs, around July 17, 2015. "In one of these DMs, Cracka related he had obtained the Social Security number of a senior U.S. government official and 'jacked [their] comcast email so I can listen to [their] voicemail, look at [their] answered calls and missed calls and control whats on [their] tv. Nvm, I don't regret it, [expletive] the gov'" (all sic), according to an FBI affidavit included with the charging documents.

Boggs allegedly asked Cracka later that day if he wanted "to join TeamInncuous," adding: "We'll only be hitting governments and security firms. I'm waiting on our logo to be finished before we commence attacks on governments :)." Cracka allegedly responded, "Sure, I'd love to join :P."

By way of motivation, Boggs later claimed that he'd been "looking for evidence of aliens since Gary," an apparent reference to Gary McKinnon, a Scottish man who allegedly hacked into computers operated by NASA in search of proof of extraterrestrial life, according to the affidavit.

Cracka responded that he was in, and that he had "just released emails of them admitting to torture."

Socially Engineering Victims

The affidavit reveals how the Crackas With Attitude group allegedly executed their attacks.

On Oct. 12, 2015, for example, "victim 1's spouse" - Kathy Brennan, wife of CIA Director John Brennan - received an email from Verizon saying that her online password had been changed, according to the complaint. "Records obtained from Verizon included October 11, 2015, voice recordings from multiple calls by Cracka who impersonated [both] a Verizon employee and Victim 1 [John Brennan] to gain unauthorized access to Victim 1's Verizon ISP account," according to the FBI's affidavit.

Shortly thereafter, Cracka claimed credit online for stealing the contents of Brennan's personal AOL email account - AOL is owned by Verizon - and routing them to WikiLeaks, which released them on Oct. 21, 2015. At the time, Cracka said the leaks were retaliation for U.S. foreign policy, and multiple posts to Cracka-controlled Twitter accounts voiced support for Palestine.

One of the alleged attackers - who demonstrated control of the Twitter account @phphax that sported the username "cracka" - told the New York Post that in Brennan's AOL account, he found a contact list containing 2,611 email and instant message addresses, including some for top U.S. national security and intelligence officials. He added that 40 emails had file attachments that also contained sensitive information, including Brennan's application for a top-secret security clearance.

A spreadsheet of information compiled by "Cracka" and posted to Twitter, containing excerpts of the allegedly stolen data.

'Hello, I'm DHS Secretary Johnson'

Cracka also said he'd accessed the online Comcast account for Homeland Security Secretary Jeh Johnson, "victim 2" in the affidavit, listened to his voicemails and subsequently published what he said were personal details about Johnson and his family.

On Nov. 4, according to the affidavit, Cracka used Secretary Johnson's credentials to access the Law Enforcement Enterprise Portal - or LEEP - which the bureau describes as "a secure, internet-based information sharing system available to agencies around the world that are involved in law enforcement, first response, criminal justice, anti-terrorism, intelligence and related matters" (see Hackers Claim FBI Information-Sharing Portal Breached).

Cracka also used the portal to gain access to the Justice Department's Joint Automated Booking System and search for information relating to Jeremy Hammond, a U.S. hacker currently serving a 10-year sentence for hacking into global intelligence firm Stratfor, according to the affidavit. At the time, the hacker group tweeted screenshots of Hammond's alleged JABS records.

The group also allegedly stole and leaked personal information relating to Director of National Intelligence James Clapper, White House Deputy National Security Advisor Avril Haines, and others (see Dox Files: DHS Probes Information Dump).

Poor Opsec

According to the affidavit, Boggs and Liverman failed to practice good operational security. For example, it says members of the group began recommending - via unencrypted Twitter direct messages - the encrypted chat programs Cryptocat and Wickr to each other.

The FBI said it traced the IP address used to register the @GenuinelySpooky Twitter account, which was also used to access it repeatedly from Oct. 2, 2015, to Nov. 11, 2015, to a Charter Communications ISP account registered to Boggs' father, with whom he lived.

The affidavit also reveals that federal agents executed a search warrant against Liverman that found evidence of the group's activities on one of his hard drives, including instant messaging conversations - using the Jabber chat client - that included the transfer of stolen information obtained from victims, including ISP records; a list of more than 80 Miami-area police officers that was leaked via Twitter on Jan. 21; as well as Bandicam screen-recorder videos of Crackas With Attitude chat sessions. Investigators said they also found a list containing information about 20,000 FBI employees and 9,000 DHS employees on the hard drive, which had been leaked online by the hacker group.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
