
CONFIDENTIAL

SUMMARY OF THE EU/USA EXPERIENCE WITH THE ANONYMOUS AND LULZSEC HACKTIVIST GROUPS.

ANONYMOUS AND LULZSEC MEETING, EUROPOL HQ, 14/12/2011

ATTENDEES: Austria, FBI, Portugal, Spain, France, Europol, USA LEG ATT, Belgium, Norway, Finland, UK, Italy, Ireland and Germany.

1. USA: main points:

a. LULZSEC AND ANONYMOUS have a very loose membership.
b. The phenomenon is called Hacktivism.
c. Not necessarily financially motivated. Rather politically or principle based.
d. They use IRC chats and a web forum to communicate.
e. The group was born out of the Anti-piracy movement, attacking the likes of FACT and INFACT for example, and then progressed to the protection of the leaders of WIKILEAKS.
f. Moved to hacking and harvesting information from computer systems worldwide, exposing this information worldwide.
g. Approx 10 main attacks in the USA, of which a number originated from Ireland (source: FBI).
h. Attacks are motivated to gain maximum media coverage for the cause.
i. Global trends show the following:
   i. The attacks are revenge motivated and target financial services and government entities, and now they are targeting Law Enforcement agencies and individual police officers.
j. USA: 19 arrests and 105 searches, identifying additional suspects every week.

k. Attacks are ongoing. FBI Website compromised last week.
l. In Europe there were 13 arrests incl. 2 from Ireland. The two Irish Subjects were ranked as members of the top hackers within the Anonymous Movement (source: FBI).

m. There is a new breakaway group called AntiSec, attacking Police Departments in USA and Europe and targeting individual police officers.

n. TeaMpOison are another breakaway group, who are stealing data and money and donating to charity; they call their war Operation Robin Hood.

2. UK gave a comprehensive update. The UK have got very advanced investigations.

a. The UK highlighted a very frightening tool called LOIC (Low Orbit Ion Cannon); this is an idiot-proof attack programme that allows a low-skilled person to attack a company and web server by putting in an IP address. This is being deployed by the hacktivists now as part of OPERATION PAYBACK (name given by the hacktivists to their work). The use of the LOIC tool with a Botnet is devastating. The UK presentation revealed that attacks on the Church of Scientology in Ireland were conducted by the group Anonymous.
b. The UK has informed us that the Group are now using the functionality of a clean Operating System and a dirty Operating System. This means the suspect will disclose a password to police and when Police log on they get a clean disk; the second password, which is NOT disclosed, decrypts the full disk with all the evidence that incriminates the suspect. This is on a URL posted as a security method for LulzSec and Anonymous activists, once searched by Police.
c. UK also said that Irish Suspects played a very major role in Anonymous.
d. The UK highlighted the problem we are all having reading the millions of logs of chat between the suspects once the computers are seized. This is a major issue for CCIU too. There is no solution as yet other than reading data.

3. UPDATE FROM IRELAND: Ireland have seen attacks against Irish entities and against foreign entities from Ireland. Gardai have seen ANONYMOUS activity in Ireland. Two arrests made to date.

4. Portugal: There was an update from the Portuguese, who outlined that their government is under heavy attack from the Anonymous group and that their citizens are attacking in the name of the ANONYMOUS grouping. The Portuguese are not making much progress in the investigations and only know the Internet NICS and not the real world names.

5. Austria: The Austrian delegate gave an update on the situation in Austria with regard to Anonymous. Austria are experiencing similar problems and similar types of attacks; the attackers are competent and are using Proxy servers to hide their identity. The group are calling themselves AnonAustria. The group use Twitter to publish the information on attacks. The attacks were geared towards political parties in Austria in 2011. The attackers get access to secret information in the political party and publish it on the Internet, which is politically embarrassing. The attackers are also targeting the police systems and releasing the data on the Internet. They then began to publish where the police are living and showing the houses on GOOGLE MAPS. This even shows a photo of the house of the Police officers. The group started with attacking on grounds of piracy and graduated to government.

6. Spain: The Spanish Delegate gave an update on the Spanish experience; the hackers called it Operation Payback, the same as USA and other countries. The attacks also started as attacks against copyright organisations. The tool called LOIC, mentioned above by the UK, was used in Spain to devastating effect. The attacks were directed at SGAE, the Spanish copyright people. The Spanish police are struggling to identify suspects, only Internet NICS. The Spanish did not have a crime for DDoS. The groups use IRC to communicate, same as Ireland, and they publish their activities on Twitter and YouTube. The Spanish Police are now working in the IRC chat channels and they are gaining access to the channels. They are getting good intelligence. The Spanish police have been discovered by the hackers and dumped out as well. The Spanish Police have access to the public chat rooms and then there is very limited access to the real PRIVATE channels where trusted members go. Spanish police say monitoring the channels is very time consuming and they are struggling to keep up. Spanish Police have now arrested 3 administrators of the channels in Spain. Admissions made and charges to follow. The Spanish, USA and UK are using a very interesting tactic where, after arresting the suspects, the Police use the Internet NIC of the suspect in order to gain access to the secret private channels where the real business is done. The Spanish-speaking world in SOUTH AMERICA are also attacking Spain.

7. Belgium: Belgium are not seeing so many attacks.

8. Norway: They are experiencing similar attacks, all started the same way as in other countries, starting with Anti-piracy organisations and working their way to government sites. The Norwegians also have breakaway groups in Norway. They are working on identifying targets in Norway. Anonymous group are even holding question and answer sessions in the media and the media is supporting them in this question and answer session.

9. Italy: The Italians are experiencing the same as everyone else. The Italians have arrested 30 people; the attacks in Italy are geared towards the police and Political targets. Some very sensitive files were stolen from the Italian police and published in full on the Internet. Very embarrassing for the Italian National police. The Police in Italy are seeing the LOIC tool used by Italian Anonymous and have seen it used with a BOTNET. The Italians are very advanced in the technical investigations on the chat channels and against the suspects, including full-time undercover police in channels, using fake IDs and IDs from suspects who have been arrested etc. They use these IDs in the private areas of the Chat Channels. This is very effective, and the Italian police also use Trojan software to target suspects. They record their encryption keys before searching their homes, they know when they are online and they also have loads of useful intelligence from the use of these Trojans. The Italians have similar breakaway groups such as GREEN RIGHTS; this group have committed web attacks against sites such as the TURIN to LYON railway project. The M.O. is the same LOIC M.O. used by other Anonymous attackers.

10. Finland: The Finnish experience is less formal. The group has hacked servers and published names and details of 16,000 citizens. The result was the Finnish police were inundated with requests for information, causing the Police IT systems to collapse under the weight of enquiries. Finland is experiencing similar problems to the rest: IP rights and Government targets, and publishing the data in the media.

11. Germany: The German police are experiencing the exact same thing; they are working at targeting the German gang members. They have no arrests but they have located equipment being used by the Anonymous gang within Germany.

OPEN WRAP-UP SESSION:

The day was informative and showed the extent of the problem within Europe and the World. We ran out of time and had to resort to having a quick wrap-up. The EU Cybercrime Centre may be able to resolve the issue of coordinating the EU investigations. There is an issue with undercover cops investigating other undercover cops in the channels. All member states to deliver intelligence to AWF CYBORG, and EUROPOL will develop an EU position report for distribution to the MS Cybercrime Units. Each MS to deliver a list of all NIC names discovered in their investigations. They will be coordinated in a Europol database and will be analysed.
