Wednesday, March 7, 2012

Anonymous (AntiSec) says we’re still here; takes down PandaLabs

It’s always sad, and more than a little embarrassing, when a security site gets owned. But that’s what happened to PandaLabs yesterday evening. AntiSec hit back in retaliation, it said, for PandaLabs’ involvement in the arrest of 25 Anonymous members reported on 28 February. The timing, and indeed the opening statement on AntiSec’s defacement, suggests that it had just as much to do with the FBI yesterday charging six LulzSec hackers, including Sabu (so-called leader of LulzSec) over the Stratfor hack. Sabu had been arrested last summer, but it was never officially announced. Yesterday it became clear that he ‘pled guilty’ at the time – which pretty much confirms that he has been acting as an informant for the FBI ever since.

Reports suggested that he turned President’s Evidence to minimize any prison term away from his family – and any parent will recognize the pressure. AntiSec’s opening statement on the PandaLabs’ defacement accuses PandaLabs of ‘traison’ – “something we don’t forgive”. But then it immediately goes on to say, “Yeah, yeah, we know… Sabu snitched on us. As usually happens FBI menaced him to take his sons away. We understand, but we were your family too (remember what you liked to say?).”

So in one sense PandaLabs was chosen to make a statement to the world: “We’re still here – expect us.”
However, AntiSec specifically accuses PandaLabs of helping “to jail 25 anonymous in different countries and they were actively participating in our IRC channels trying to dox many others.” At the time, because five of the 25 were arrested in Spain, I specifically asked Panda if it had been involved. “This time, we were not involved on this case,” came a very clear reply. I had earlier talked to Panda about its involvement in the takedown of the Mariposa botnet. “We co-operate with the Spanish police and some other institution on a regular basis,” he added, “but we were not informed about it.”

AntiSec also makes it clear that it takes exception to PandaLabs’ technical director, Luis Corrons. It’s personal. He is quoted: “Really good news. I have just read that LulzSec members have been arrested and that their main head Sabu has been working as an informant for the FBI. It turns out he was arrested last year, and since then he has been working with Law Enforcement. As I said, really good news :) ” He is also quoted as saying “sometimes if you want to infiltrate and you have to be one of the criminals, you have to do things that you shouldn’t. In that case, you need to be with law enforcement.” To be frank, neither of these statements sounds like the Luis Corrons I know – but time will unravel all.

Perhaps more worryingly, AntiSec also claims to have back-doored Panda’s security products. Again, Panda is categoric: “Neither the main website www.pandasecurity.com nor www.cloudantivirus.com were affected in the attack. The attack did not breach Panda Security’s internal network and neither source code, update servers nor customer data was accessed. The only information accessed was related to marketing campaigns such as landing pages and some obsolete credentials, including supposed credentials for employees that have not been working at Panda for over five years.”

The difficult thing, however, is to see the wider picture and to determine what is really going on. Remember Luis’s comment: “you have to do things that you shouldn’t.” Well, law enforcement has certainly been doing that in recent years. There’s the German police spyware, and the FBI’s very own CIPAV – and God knows what that we haven’t heard about. So let’s look at the last week. Twenty-five Anonymous arrests rapidly followed by the disclosure that the Anonymous free DDoS tool (slowloris) had been poisoned with the, frankly, most well-known and feared malware of the day – Zeus – closely followed by charges against the main figures in LulzSec. That reads like a campaign organized by a marketing company to discredit Anonymous and sow seeds of distrust.

Read the DDoS-hacked announcement from Symantec here. Make up your own mind, but to me it simply doesn’t hang together properly. I’ve got a question mark there. Did the FBI poison slowloris? Now go back to the Stratfor hack (late December 2011). It happened after Sabu became an informant, yet he is charged over it. Anonymous very clearly denied any involvement, stating “Sabu and his crew are nothing more than opportunistic attention whores who are possibly agent provocateurs.” And yes, Anonymous knew that Sabu had been turned by the FBI. But the wider and more worrying question is this: if Sabu was already working for the FBI when LulzSec hacked Stratfor, does that mean that Stratfor was sacrificed by the FBI on the altar of misinformation? As Luis is quoted: “you have to do things that you shouldn’t.” But if this is true, it’s going too far.
