NullCrew Hacker Pleads Guilty to Cyberattacks
Gang Exploited SQL Injection Flaws to Hack Bell Canada, Comcast, U.K. Ministry of Defense
A former member of the notorious NullCrew hacking group has pleaded guilty to participating in hack attacks against several organizations - including telecommunications company Bell Canada, mass media company Comcast, the U.K.'s Ministry of Defense and some universities - as well as leaking stolen data.
Timothy Justen French, 21, of Morristown, Tenn., pleaded guilty Dec. 8 to one count of intentionally damaging a protected computer without authorization, which carries a maximum sentence of 10 years in prison and a fine of up to $250,000. French is due to be sentenced on March 9, 2016.
"Hackers who think they can anonymously steal private business and personal information from computer systems should be aware that we are determined to find them, to prosecute pernicious online activity and to protect cyber victims," says Zachary T. Fardon, U.S. attorney for the Northern District of Illinois.
French had been charged with hacking into five organizations and releasing thousands of stolen access credentials for online accounts. That included participating in a Nov. 5, 2012, SQL injection attack against the U.K.'s Ministry of Defense website, after which NullCrew exfiltrated and then dumped more than 3,000 usernames, e-mail addresses and passwords purportedly belonging to members of the defense ministry (see Alleged Hacker Charged in Five Attacks).
In his plea bargain, however, French admitted to participating in not five but "at least seven cyberattacks while a member of NullCrew from 2012 to 2014," according to the Department of Justice. Authorities said they traced the attacks to an IP address associated with the user name "Orbit," which led them to French's house, where they found that computers using that IP address had been active during times when attacks were being discussed online by NullCrew members or related attacks were being launched.
FBI: Confidential Informant
The FBI's affidavit for French's arrest also stated that the bureau had been working with a confidential informant who had participated in NullCrew chats held using Skype, Twitter and the secure online chatting app CryptoCat. "During these chats, ... Nullcrew members discussed past, present and future computer hacks, shared current computer vulnerabilities and planned target, and discussed releases of their victims' information," according to the affidavit.
French was arrested by the FBI on June 11, 2014. Two days later, in a related investigation, another alleged NullCrew member was arrested in Canada by the Royal Canadian Mounted Police's technology crime unit. The RCMP didn't release the name of the Quebec-based teenager - who used the handle "Null" online and who was referred to as "Dominik" by a fellow NullCrew member after his arrest (see NullCrew Arrest Leads Breach Roundup).
The teenager was suspected of discovering a SQL injection flaw in the website of telecommunications company Bell Canada and sharing that information with a fellow NullCrew member who used the online handle "Orbit," according to Canadian prosecutors.
The vulnerability was then exploited to steal millions of files, including 300,000 files containing client information, as well as 22,421 access credentials, with Orbit allegedly posting 12,700 of them online and linking to the data dump via NullCrew's Twitter account, the Ottawa Citizen reported.
Online Taunt
On June 17, those two NullCrew members were the subject of an expletive-laden taunt posted to text-sharing site Pastebin by a fellow NullCrew member, who accused the two suspects of being "skids." That's short for "script kiddies," meaning would-be hackers of little ability, and the post accused them of having failed to practice proper operational security - OPSEC - such as keeping separate online personas for their personal and hacking lives and covering their tracks by using a VPN.
"Delete your old ... personas completely before adopting new ones you intend to commit federal crimes with. I told that ... idiot Timmy (c0rps3, Orb1t_G1rl, rootcrysis) that his dox was too easy to find and provided ways for him to escape it. He obviously didn't," the post reads. "And Dominik (thebinkyp, zer0pwn, phlex, nop_nc, ... theindigator, NULL), you seemed to think that no one would ever find your old aliases? Maybe you've never seen the hackforums dump that showed thebinkyp = zer0pwn? Maybe you deserved to get ... burned for being on hackforums in the first place?"
Security experts say many young would-be hackers go to the underground site Hack Forums to learn the ropes.