High School Pals Targeted In FBI Hacktivist Probe
Three teens eyed in “Anonymous” attack on Koch sites
Confidential affidavit details probe of attack on GOP benefactors

AUGUST 10–A trio of high school buddies are among the targets of an ongoing FBI probe into an online “Anonymous” assault carried out earlier this year against web sites of Koch Industries, the conglomerate owned by billionaire brothers Charles and David Koch, the influential Republican benefactors, The Smoking Gun has learned.

In simultaneous raids last month, federal agents searched the Long Island homes of three teenagers who have excelled academically at Bellport High School on Long Island’s South Shore. Agents removed an assortment of computer equipment from the respective homes in connection with the criminal investigation being run from the FBI’s Kansas City field office (Koch Industries is headquartered in Wichita). As TSG reported last month, the FBI is probing a coordinated series of distributed denial of service (DDoS) attacks on Koch Industries web sites in February and March. The assault–organized by the so-called hacktivist group “Anonymous”–flooded several Koch Industries web sites with so many requests that it left the sites unavailable for legitimate visitors.
service with external communications requests such that it cannot respond to
legitimate traffic, or responds so slowly as to be rendered effectively unavailable.
f. Botnet: Botnet is a jargon term for a collection of software robots, or “bots,”
which run autonomously. This can also refer to a network of computers using
distributed computing software. While the term “BotNet” can be used to refer to
any group of bots, such as Internet Relay chat (“IRC”) bots, the word is generally
used to refer to a collection of machines running programs, usually referred to as
worms, Trojan horses, or backdoors, under a common “command and control”
(“C&C”) infrastructure. A BotNet’s originator, referred to as a “botherder,” can
control the group remotely through communications using a specific protocol,
usually IRC, and usually for nefarious purposes. Individual programs can
manifest as IRC “bots.” Often the command and control takes place via an IRC
server or a specific channel on a public IRC network. A bot typically runs
hidden, that is, the user of the infected computers is not aware that it is running
the bot program. However, there are cases in which the user volunteers his/her
computer to the botnet by downloading and installing the bot program and
volunteering control of the computer to the botherder.
7. On February 24, 2011, Koch Industries, located in Wichita, Kansas, received an
e-mail with the subject line “URGENT: Cyberattack Planned on Koch Web Properties.” The
email originated from the address boxoftrial@gmail.com and was sent to Koch Industries at
http://www.kochind.com. The e-mail advised the group “ANONYMOUS” was planning on attacking
several of Koch Industries’ web properties, to include community.quiltednorthern.com.
8. Based on a Wikipedia search, I learned that Koch Industries is an American
private energy conglomerate based in Wichita, Kansas, with subsidiaries involved in
manufacturing, trading and investments. Koch also owns Invista, Georgia-Pacific, Flint Hills
Resources, Koch Pipeline, Koch Fertilizer, Koch Minerals and Matador Cattle Company. Koch
companies are involved in core industries such as the manufacturing, refining and distribution of
petroleum, chemicals, energy, fiber, intermediates and polymers, minerals, fertilizers, pulp and
paper, chemical technology equipment, ranching, finance, commodities trading, as well as other
ventures and investments. The firm employs 50,000 people in the United States and another
20,000 in 59 other countries.
9. On or about February 27, 2011, Koch Industries reported to the Kansas City FBI a
Distributed Denial of Service (DDOS) attack directed at their website entitled
community.quiltednorthern. An investigation of these attacks was undertaken by SA Richard
Anderson following the report. The investigation found that these attacks continued for several
hours. A second DDOS attack on the Koch Industries website, http://www.kochind.com, occurred on
or about February 28, 2011. A third DDOS attack on Koch Industries website,
http://www.angelsoft.com, occurred on or about March 1, 2011.
10. Through telephone conversations with SA Richard Anderson I found that
investigations by FBI Agents in Washington, Sacramento, and San Francisco field offices
revealed that ANONYMOUS took credit for earlier DDoS attacks occurring in September
through November 2010, including among others, a DDOS attack on the website of the U.S.
Copyright Office. I also learned that ANONYMOUS has taken credit for attacks against Paypal,
HBGary, MasterCard, Bank of America, and the RIAA. I also learned that the investigating
Agents found this information through, but not limited to, Twitter feeds, ANONYMOUS blog
posts, and anonnews.org.
11. Investigation by SA Richard Anderson revealed that ANONYMOUS utilized IRC
chat channels(1) and websites to advertise the attacks. For example, anonymous web hosting sites
such as piratenpad.de, piratepad.net, pastebin.com, scribd.com, imgur.com and others were used
extensively for these purposes as well as networking sites such as Twitter.com, Reddit.com, and
virtual private networking (“VPN”) sites such as proxpn.com.
12. Investigation by SA Richard Anderson also revealed that some IRC chat channels
utilized by ANONYMOUS to coordinate the attacks against Koch Industries were
#OPWISCONSIN, or OPERATION WISCONSIN. ANONYMOUS members advertised
#OPWISCONSIN in other IRC chat channels, such as #OPERATIONPAYBACK. One comment
posted was “#opwisconsin LOIC koch industries, all who want to be involved join chan.” On or
about February 26, 2011, a press release for #OPWISCONSIN was posted to anonnews.org. The
press release advised ANONYMOUS was “actively seeking vulnerabilities” and also called for
the boycott of all Koch Industries’ paper products.
13. Investigation by SA Richard Anderson found that in the DDOS attacks,
ANONYMOUS members discussed using, or “firing,” a tool called Low Orbit Ion Cannon
(LOIC).(2) The LOIC tool, originally developed as an open source tool to test the vulnerabilities
of networks, can be modified to DDoS a target website by overwhelming that website’s servers
with a high volume of repeated requests until the site becomes inoperable.

(1) The group ANONYMOUS used many IRC channels. Some of the names of the channels they used include:
#opwisconsin; #OperationPayback; #opkochblock; #opetemalruin.
(2) Although the Low Orbit Ion Cannon, or LOIC, was the primary tool advocated for use by ANONYMOUS, other
tools were also available for use. These other tools included a JavaScript version of the LOIC tool (JSLOIC), the
High Orbit Ion Cannon (HOIC), and the Geosynchronous Orbit Ion Cannon (GOIC).
14. I am aware that SA Anderson consulted with the National Cyber-Forensic
Training Alliance (NCFTA), concerning analysis conducted on the LOIC tool. NCFTA, in
December 2008, indicated that this tool, once downloaded and installed by the user, can be used
in manual mode or in an automatic (hive) mode. If operated in manual mode, the user can
configure the tool to target a website for a DDOS attack. However, the user would always
control the “firing” of the tool. In automatic mode, the user, after downloading and installing the
tool, would point their computer to a pre-determined command and control IRC channel
volunteering their computer to be used by the attackers who would determine against which site
and when a DDOS attack would be launched. IRC chat logs in #OPWISCONSIN indicate hive
mode for LOIC was not set up for the attacks against Koch Industries. As a result, manual
configuration settings for LOIC to attack community.quiltednorthen.com were posted on
various channels of communication that ANONYMOUS maintained. One such set of manual
configuration settings was posted to #OPWISCONSIN in the form of an image,
http://img718.imageshack.us/f/loic2.jpg, a screenshot of which is depicted below.
[Image: screenshot of the posted LOIC configuration settings; the target field shows 220.127.116.11]
15. Investigation by SA Richard Anderson found that within the IRC chat channels,
during the time frame of the attacks, ANONYMOUS members referred to the message board
“/b/” located at 4chan.org. On the message board there were the following posts:
“http://boards.4chan.org/b/res/312688936; BUMP THIS FOR LOIC TROOPS” and “time to
L0IC guys; bringing troops; helpp me bump thread http://boards.4chan.org/b/res/3126889363.”(3)
Another reference to 4chan.org and LOIC posted in the IRC chat channels states: “can someone
be ready at all times with a link to LOIC info and download?” followed by
“http://sourceforge.net/projects/loic/ and http://img718.imageshack.us/f/loic2.jpg/,” and “need to
be ready, cause im gearing up to bring /b/ over here for some brunch DDoS.”
(3) The abbreviation /b/ refers to the “random” board on 4chan.org.
16. Investigation by SA Richard Anderson revealed that on February 27, 2011, in the
#OPWISCONSIN IRC chat channel an individual posted: “quiltednorthen.com <<<target
????” followed by the response “yes we need moar loic gunhands, please target:
quiltednorthen.com TCP 80.” This was followed by the advice that “if you need more cannons,
you have to spread the word of the attack” “start your propaganda,” and “spam /b/.” Within the
#OPWISONSIN IRC chat channel the question was asked “is there a way to loic without getting
busted on iphone.”
17. Investigation by SA Richard Anderson revealed that on February 28, 2011, in
#OPWISCONSIN IRC chat channel an individual posted “Keep it up, boys and kids! LAZERS
TO 18.104.22.168 kochind.com is down and sinking further! Keep it up!” The topic of
#OPWISCONSIN was changed to “Get your LOIC here: http://sourceforge.net/projects/loic/
(ignore virus scanners false positives). Hide your IP: http://www.i2p2.de/ – READ: Anonymous
22.214.171.124 –DIG DIRT: http://tinyurl.com/4pk5nbs.” The IP address 126.96.36.199
resolved to kochind.com. Posts were also made stating: “hmmm… kochind looks down to me”
followed by the question of “after it’s down, do you have to keep firing?” The response on
#OPWISCONSIN was “YES ALWAYS KEEP FIRING.”
18. Investigation by SA Richard Anderson revealed that on March 1, 2011, the topic
of #OPWISCONSIN was changed to “DDOS Target: http://www.angelsoft.com/ (HOLD
FIRE!).” Within the channel the question was asked “Why the hate on angelsoft” with the
response “angelsoft owned by koch.” The channel topic was then changed to “DDOS:
188.8.131.52 (http://www.angelsoft.com/) FiRe Ur L4z0rz! | Attack method: HTTP 200
threads, uncheck ‘wait for reply’.” Also on March 1, 2011, in the IRC chat channel
#OPKOCHBLOCK, a channel related to #OPWISONSIN, the message was posted “why are
idiots trying to run mobile LOIC from their fucking phones.”
19. Firewall logs from Koch Industries indicate the computers assigned the IP
addresses, listed as TARGET IP ADDRESSES in Table A, displayed a large number of
connections (specifically detailed in paragraph 21) to one or more of their websites between
February 27, 2011 and March 1, 2011, and exhibited randomization of the source port, sequential
increase of the source port, and/or contained a hypertext transfer protocol (HTTP) referrer(4) of
“http://loic.planned-chaos.com/.” According to SA Richard Anderson, the large number of
connections and randomization/sequential increase of source port and/or containing an HTTP
referrer of “http://loic.planned-chaos.com” are consistent with a denial of service attack.
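The three indicators paragraph 19 describes (connection volume, sequential or randomized source ports, and an HTTP referrer of http://loic.planned-chaos.com/) are the kind of thing a defender would check for in their own firewall or web-server logs. The following Python is an added example, not part of the affidavit or of any Koch Industries tooling: it runs those checks over a constructed log sample. The log line format, the connection threshold, the RFC 5737 addresses and the indicator names are assumptions; paragraph 21, which gives the real connection counts, is not on this page.

```python
import random
import re
from collections import defaultdict

# Referrer string cited in paragraph 19 of the affidavit.
LOIC_REFERER = "http://loic.planned-chaos.com/"
# Assumed threshold; the affidavit's actual per-host counts are in paragraph 21, not shown here.
CONNECTION_THRESHOLD = 50

# Hypothetical log format: "<timestamp> src=<ip>:<port> dst=<ip>:<port> referer=<url or ->"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<sip>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dip>[\d.]+):(?P<dport>\d+) referer=(?P<ref>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "src_ip": m.group("sip"),
        "src_port": int(m.group("sport")),
        "referer": None if m.group("ref") == "-" else m.group("ref"),
    }


def build_sample_log():
    """Constructed sample: three sources hitting one web server (RFC 5737 addresses)."""
    rng = random.Random(7)
    lines = []
    # Source A: 60 connections, source port increasing by one each time, LOIC referrer set.
    for i in range(60):
        lines.append(f"2011-02-27T14:00:{i:02d} src=203.0.113.10:{40000 + i} "
                     f"dst=198.51.100.5:80 referer={LOIC_REFERER}")
    # Source B: 60 connections, random ephemeral source ports, no referrer.
    for i in range(60):
        lines.append(f"2011-02-27T14:01:{i:02d} src=203.0.113.20:{rng.randint(1024, 65535)} "
                     f"dst=198.51.100.5:80 referer=-")
    # Source C: an ordinary visitor loading three pages.
    for i, port in enumerate((51234, 51235, 51240)):
        lines.append(f"2011-02-27T14:02:{i:02d} src=203.0.113.30:{port} "
                     f"dst=198.51.100.5:80 referer=-")
    return lines


def port_pattern(ports):
    """Classify a source's port sequence as 'sequential', 'randomized' or 'normal'."""
    if len(ports) < 10:
        return "normal"
    steps = [b - a for a, b in zip(ports, ports[1:])]
    if sum(1 for s in steps if s == 1) / len(steps) >= 0.9:
        return "sequential"
    if len(set(ports)) / len(ports) >= 0.9 and max(ports) - min(ports) > 10000:
        return "randomized"
    return "normal"


def analyze(lines, threshold=CONNECTION_THRESHOLD):
    """Return {src_ip: [indicators]} for sources at or above the connection threshold
    that also show at least one of the paragraph 19 indicators."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_src[rec["src_ip"]].append(rec)
    findings = {}
    for src, recs in by_src.items():
        if len(recs) < threshold:
            continue
        indicators = []
        pattern = port_pattern([r["src_port"] for r in recs])
        if pattern != "normal":
            indicators.append(f"{pattern}_source_ports")
        if any(r["referer"] and r["referer"].startswith("http://loic.planned-chaos.com")
               for r in recs):
            indicators.append("loic_referer")
        if indicators:
            findings[src] = indicators
    return findings


if __name__ == "__main__":
    for src, ind in sorted(analyze(build_sample_log()).items()):
        print(src, ", ".join(ind))
```

Volume is the gating condition: source-port randomization is also what an ordinary operating system does for ephemeral ports, so on its own it identifies nothing, which is why `analyze` only evaluates the port pattern and referrer for hosts that already exceed the connection threshold. The referrer string is the strongest of the three indicators because it is specific to the tool, but a client can omit or alter it, so the port-pattern checks remain useful for hosts that send no referrer at all.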
20. The investigation has revealed that the following TARGET IP ADDRESSES
were assigned by the ISP to the following TARGETS as listed in Table A below.
(identifying information removed in the original)

TARGET IP ADDRESSES          TARGETS
.38.76 (i.p. removed)        (removed)
.208.107 (i.p. removed)      (removed)
.207.247 (i.p. removed)      (removed)
.151.10 (i.p. removed)       (removed)
.254.189 (i.p. removed)      (removed)
.230.226 (i.p. removed)      (removed)
.87.45 (i.p. removed)        (removed)
.6.78 (i.p. removed)         (removed)
.16.48 (i.p. removed)        (removed)
.123.133 (i.p. removed)      (removed)
.248.136 (i.p. removed)      (removed)
.112.102 (i.p. removed)      (removed)
(4) An HTTP referrer, a component of an HTTP message header, contains the Uniform Resource Locator (URL) of the previous web page from which a link to the currently requested page was followed.