20-year-old LulzSec hacker Raynaldo Rivera, also known as “neuron,” has made a plea agreement admitting to hacking into Sony, according to a filing in federal court. Rivera was arrested this past August. Details of the agreement illustrate how Rivera committed this act, which notoriously ended up compromising information on thousands of the company’s users.
“Defendant was a member of LulzSec who went by the username/nickname “neuron.” Defendant also used the online usernames/nicknames “royal” and “wildicv.” Other members of LulzSec included, among others, individuals who went by the usernames/nicknames “sabu,” “topiary,” “t-flow,” “kayla,” “recursion,” “pwnsauce,” “joepie,” “trollpoll,” and “m_nerva.” From approximately late May through early June 2011, defendant knowingly combined, conspired, and agreed with other members of LulzSec, including “sabu,” “topiary,” “tflow,” “kayla,” “recursion,” “pwnsauce,” “joepie,” “trollpoll,” and “m_nerva,” to knowingly cause the transmission of codes and commands to the computer systems of Sony Pictures”
In quantifying these specific “overt acts,” the filing discusses the timeline of events, both those already known and those not known until now. The document echoes the detailed conspiracy charges released against LulzSec member “Sabu,” aka Xavier Monsegur, who acted as an FBI informant. According to the filing, the “defendant, together with other members of LulzSec, committed the following acts”:
- Registered for a proxy service to attempt to hide his true Internet Protocol or “IP” address from law enforcement while defendant engaged in criminal activity as part of LulzSec.
- Caused the transmission of programs, information, codes, and commands, specifically, commands to execute a SQL injection attack against the computer systems of Sony Pictures described above.
- Impaired the integrity and availability of data, programs, systems, and information on such systems, including by flooding such systems with SQL commands and stealing confidential data.
- Provided to members of LulzSec confidential information he had stolen from Sony Pictures’ computer systems via the SQL injection attack.
- LulzSec members then published the information on the lulzsecurity.com website and announced it on the @LulzSec Twitter account, making the confidential information publicly available.
The May 2011 attack resulted in more than $605,000 worth of reported losses. The agreement lays out a number of penalties, including a minimum $250,000 fine, up to a five-year prison sentence, and full restitution to be paid to victims of the offenses. Compared with some historical cybercrime sentences, these penalties are not out of line. The actual prison sentence is probably what this admission will affect the most. It is difficult to envision how much more severe the penalties and conviction could be without the aim of a reduced prison sentence.
LulzSec was notoriously overt in promoting their conquests, often exposing how insecure the public’s information actually is and openly taunting the FBI and other law enforcement along the way. Many of their misadventures had significant privacy and financial impact, and the technology community was suddenly on alert. The impact of outages and damage to reputation has increasingly become a priority and has driven improved security initiatives throughout this time as attacks rise globally.