The FBI yesterday pulled off a major coup when it went public claiming that a key figure of the LulzSec hacktivist group — Hector Monsegur, known as ‘Sabu’ — had been working for the organisation to help bring down the group.
The FBI says it pushed Sabu into cooperating after he had been identified online. However, evidence suggests that he was not entirely focused on helping US authorities, as he was still assisting with hacking exploits.
According to a Pastebin posting that details a conversation between Sabu and ‘Havittaja’, a hacker associated with LulzSec and Anonymous, Sabu was continuing to support the efforts by supplying passwords and website data as recently as January. That’s some way after August, when the FBI says Sabu first began cooperating after he pleaded guilty to 12 charges of hacking-related offenses.
The recruitment of Sabu was said to be “devastating to the organization” and akin to “chopping off the head of LulzSec”. Working with Sabu, who is said to have opted to work as an informant rather than risk lengthy time in prison, the FBI was able to capture five high-level figures from LulzSec.
However, a tweet from Havittaja even claims that Sabu had a hand in its most recent attack:
— Havittaja (@Havittaja) March 7, 2012
Sabu himself took to Twitter this week after news of his defection went public. His earlier tweets claimed that authorities were searching his property, listening in to his calls and keeping him closely under surveillance:
The federal government is run by a bunch of fucking cowards. Don’t give in to these people. Fight back. Stay strong.
— The Real Sabu (@anonymouSabu) March 5, 2012
Either way, figures within Anonymous — Havittaja included — have turned their back on Sabu for assisting the state, suggesting that his time assisting them is over. And for the FBI, the cheers for hooking a bad guy may not ring so loudly if it is indeed true that he was continuing to help set up more hacks.
It’s worth saying that the exact details of Sabu’s assistance with the FBI are unknown, while the alleged continuation of his work with LulzSec and Anonymous would give him cover to ensure he was not exposed for snitching on the organisation. Nonetheless, it is fascinating to consider that he may have been both problem solver and problem creator for the FBI at the same time.
The full text from Pastebin is below:
One of the last conversations with Sabu.
WHAT REALLY SABU WAS DOING.
A QUESTÃO É porque ele estava me dando senhas se ele estava com o FBI?
THE QUESTION IS why he was giving me passwords if he was with the FBI?
censored password obvious reasons
18:51 Havittaja hey
18:51 Sabu my brother!!!
18:51 Havittaja what’s happen
18:52 Havittaja ;D
18:52 Sabu FTP:
18:52 Sabu camaraindianopolis.mg.gov.br censored
18:52 Sabu sja.go.gov.br censored
18:52 Sabu root:
18:52 Sabu http://censored/core.php
18:52 Sabu ./core “id;cat /etc/shadow” for root
18:52 Sabu gov.br in: /var/www/vhosts/
18:52 Sabu ./core “cat /etc/psa/.psa.shadow” for admin password
18:52 Havittaja ohh
18:52 Havittaja its for me ?
18:53 Sabu I showed lala/hard366 as well but I don’t think they’ll do something with the root
18:53 Sabu also
18:53 Sabu for the first 2, they’re on the same server with hundreds of .br domains
18:53 Sabu you have control of them. I can give you the xml file with all passwords
18:53 Sabu want them?
18:53 Havittaja hm sure
18:54 Havittaja so i’ll wait evilc0de
18:54 Havittaja we working together
18:54 Sabu ok
18:54 Sabu the most important is the root. php shell: http://censored/core.php
18:55 Havittaja oky