Anonymous Splinter Group Implicated in Game Company Hack

The Web sites for computer game giant Eidos Interactive and one of its biggest titles — Deus Ex — were defaced and plundered on Wednesday in what appears to have been an attack from a splinter cell of the hacktivist group Anonymous. The hack comes just days after entertainment giant Sony told Congress that Anonymous members may have been responsible for break-ins that compromised personal information on more than 100 million customers of its PlayStation Network and other services.

The defacement message left on deusex.com.

For several hours early Thursday morning, the Deus Ex Web site, user forum, and Eidos.com were unreachable. For a brief period late Wednesday evening, the sites displayed a defacement banner that read “Owned by Chippy1337,” along with several names and hacker handles of those supposedly responsible for the break-in.

KrebsOnSecurity.com obtained an archived copy of the attackers’ online chatter as they were covering their tracks from compromising the sites. A hacker using the alias “ev0” discusses having defaced the sites and downloading some 9,000 resumes from Eidos. ev0 and other hackers discuss leaking “src,” which may refer to source code for Deus Ex or other Eidos games. In a separate conversation, the hackers also say they have stolen information on at least 80,000 Deus Ex users and that they plan to release the data on file-sharing networks.

Neither Eidos nor its parent company Square Enix Co. could be immediately reached for comment. (This may not be the first time Eidos was breached: In a story I wrote earlier this year, I detailed how hackers on an underground criminal forum claimed to be selling access to Eidos’ customer database.)

The attack seems to have been engineered by a faction of the hacker collective that recently seized control over Internet relay chat (IRC) channels previously used by Anonymous to help plan and conduct other, high-profile attacks. According to several news sites which covered that coup, the Anonymous control networks were taken over by a 17-year-old hacker from the United Kingdom who uses the handle “Ryan,” (shown in the chat conversation included below using the nickname “Blackhatcat”).

Also in the channel discussing the defacement and theft of the Deus Ex database are hackers “ev0,” “nigg” and “e”, screen names of Anonymous sympathizers who have been connected with Ryan’s recent coup. But according to one observer who’s been monitoring the Anonymous faction’s activities, this Anonymous splinter group appears to be splintering as well, turning on each other and framing one another for this latest attack. In the defacement message left on Eidos.com, ev0 and nigg finger Ryan in the hack, even using his supposed real name (Ryan Cleary). According to reporting by Ars Technica, Anonymous organizers angry over Ryan’s activities recently “doxed” him — publishing documents including his full name, home address, phone number and Skype handle, among other details.

“ev0 and nigg got the 0day they used to break in [to Eidos.com] from one guy, then got Blackhatcat to execute it and then screwed everyone, stole the database,” said the observer, who asked not to be named for fear of retribution from the hackers. “This is how those guys roll: One day they work together, the next they war. They drop dox on each other like it’s a game. Just like they did pinning the defacement of Deus Ex on Blackhatcat. Then denied the whole thing. It’s psychotic behavior like I have never seen. It’s like they hate each other but will work together on certain ops if it suits them, but then might turn on each other in the end…and then laugh it off.”

As an illustration of the above-described dynamic, a snippet of the chat conversation between ev0 and nigg discussing what to do with the Deus Ex Web site and data is pasted below. (WARNING: some of the text below contains strong language that may be offensive to readers):

  • [16:06] <ev0> we should put 0day
  • [16:06] <ev0> or exploits
  • [16:06] <ev0> in the pdf
  • [16:06] <ev0> and see if someone logs in
  • [16:06] <ev0> we will use a RAT
  • [16:06] <ev0> that will be the payload
  • [16:07] <ev0> one thing that would be funny
  • [16:07] <ev0> i write a nasty virus
  • [16:07] <ev0> that will bsod on startup
  • [16:07] <ev0> fuck up all your drivers
  • [16:07] <ev0> delete tons of files
  • [16:07] <ev0> forkbom on start
  • [16:07] <ev0> etc
  • [16:08] <ev0> we put that in an exploit kit
  • [16:08] <ev0> on the main page
  • [16:08] <ev0> there security will be responsible
  • [16:08] <ev0> for like
  • [16:08] <ev0> thousands of fucked up computers
  • [16:08] <ev0> and it would make the news
  • [16:08] <ev0> n`
  • [16:09] <@n`> no
  • [16:09] <@n`> wont work
  • [16:09] <@n`> be serious
  • [16:09] <@n`> this is srs biz
  • [16:09] <ev0> i am serious
  • [16:09] <ev0> oh we wil lget fucked
  • [16:09] <@n`> more like
  • [16:09] <@n`> where do we get the 0day from
  • [16:09] <@n`> who writes the virus
  • [16:09] <@n`> tests it etc
  • [16:09] <@n`> fyi
  • [16:09] <ev0> an exploit kit
  • [16:10] <@n`> i vote for
  • [16:10] <@n`> defacing this right now
  • [16:10] <ev0> alright
  • [16:10] <ev0> im game
  • [16:10] <ev0> wanna make a deface page
  • [16:10] <ev0> make one with #krack
  • [16:10] <ev0> and leak the src
  • [16:10] <ev0> in a torrent
  • [16:10] <ev0> and we’ll make a twitter
  • [16:10] <ev0> and link it to the page
  • [16:11] <@n`> no
  • [16:11] <@n`> dont link it to krak
  • [16:11] <@n`> baadddd idea
  • [16:12] <@n`> make a deface page pointing @ xero
  • [16:12] <@n`> with personal info
  • [16:12] <@n`> or someone else you dont like
  • [16:12] <@n`> “This hack was brought to you by X
  • [16:12] <@n`> ya i got them all here
  • [16:13] <ev0> is the lfi patched
  • [16:13] <ev0> and the box secured
  • [16:13] <ev0> we’re going to get ddos
  • [16:13] <@n`> no
  • [16:13] <@n`> too much effort
  • [16:13] <@n`> i cleared the logs
  • [16:13] <ev0> we put it in the name of chippy1337
  • [16:13] <ev0> and direct it to irc.ddosing.eu #808
  • [16:13] <ev0> and write the names
  • [16:14] <ev0> ryan, dfs, xero, nikon, xix, venuism
  • [16:14] <ev0> and evilhom3r
  • [16:14] <@n`> YES
  • [16:14] <@n`> *yes
  • [16:14] <ev0> lol
  • [16:14] <@n`> and call out their dox if we have it
  • [16:14] <@n`> add some skiddy shit
  • [16:14] <@n`> idk
  • [16:15] <@n`> make it look funny
  • [16:15] <ev0> we can put ryans dox
  • [16:15] <ev0> kayla said she was gonna get xeros dox
  • [16:15] <ev0> hmm
  • [16:15] <ev0> we put Ryan Cleary
  • [16:15] <ev0> Ryan King
  • [16:15] <ev0> Xero aka Ryan King
  • [16:15] <ev0> Ryan Cleary
  • [16:15] <ev0> like that
  • [16:16] <@n`> ya
  • [16:16] <ev0> 16:16 &ev0 • http://deusex.com
  • [16:16] <ev0> 16:16 &ev0 • look at it now
  • [16:16] <ev0> 16:16 &ev0 • because it will be different later…
  • [16:16] <ev0> said that in their irc
  • [16:17] <ev0> this is the ultimate troll

Anyone interested in reading more can see the entire conversation at this Pastebin link.

Anonymous has officially denied being responsible for the Sony breaches. Meanwhile, the Financial Times reports that two veterans of Anonymous have acknowledged that members of the cyber-activist group are likely to have been behind the recent hacking attacks on Sony, in spite of the group’s official denials.

Anonymous has been around in various forms for many years, but it vaulted into the international spotlight last year when it leaped to the defense of WikiLeaks, after the latter came under fire for posting secret government documents. It is worth noting that Anonymous seems to be in a state of conflict at a time when WikiLeaks appears to be trying to discourage disloyalty among its own sympathizers. A story Wednesday by New Statesman reporter David Allen Green reveals that WikiLeaks founder Julian Assange now makes his associates sign a nondisclosure agreement that asserts that the organization’s huge trove of leaked material is ‘solely the property of WikiLeaks,’ and that anyone who violates this agreement by leaking the organization’s unpublished material is subject to penalties of up to 12 million British pounds, nearly $20 million.
