You’ve probably already heard of Anonymous, the world’s most infamous group of cybertrolling hacktivists. They frequently make headlines for crashing websites and looting corporate and government servers. Usually these hacktivists come together in defense of others, such as Julian Assange, the people of Gaza, victims of police brutality, or even victims of rape. But now, Anonymous has turned its eyes on a personal rival. This enemy has its own cybersquad of secret spies who, according to Anonymous, spend the majority of their time in chat rooms collecting intelligence about them. With this latest release of stolen data, Anonymous has just pulled back the curtain on their foe: the Bank of America.
On February 25 @AnonymousIRC, an Anonymous Twitter account with over 280,000 followers, began posting “teasers” about a massive Bank of America data leak. The first post declared, “If you spy on us, we spy on you.” What followed was 14 gigabytes of private emails, spreadsheets, and a “text analysis and data mining” program called OneCalais. The emails in the release originated from “Cyber Threat Intelligence Analysts” who identified themselves as employees of a company called TEKsystems. The TEKsystems website appears to be nothing more than a staffing agency and seems wholesome enough. There’s definitely nothing that screams “we are cyberspies!” It’s safe to assume these analysts were hired by Bank of America, regardless of their TEKsystems titles, because according to the leaked emails that Anonymous released, each of them were using @bankofamerica.com email addresses while filing their reports.
Having a team on staff to protect a corporation from potential cyberthreats is nothing new. This isn’t what caught the attention of Anonymous to begin with; it was the methods being employed by Bank of America to gather data. Each of the 500 plus emails pilfered reads like a surveillance report, most of them reporting on the activities of online activists from Anonymous to Occupy Wall Street.
In one email, TEKsystems reveals that IRC chat users were discussing a document on the US House of Representatives website, house.gov, which listed companies that had officially given their support to the Stop Online Piracy Act (SOPA). In the IRC chat, one of the users says, “Do these organizations know what they’ve started? Follow the money.” In the email, the Bank of America security analyst responds to this unrest privately, writing, “Included among those named are two of our critical suppliers: MasterCard Worldwide and Visa, Inc. This has been the only mention of this document at this time, and it has not hit Twitter as of yet.”
In another email, a TEKsystems analyst identifies an Anonymous Twitter account known as “Anonymousown3r” and then shares a document that appears to show the user’s real identity, along with his IP address. The analyst states, “[the IP address] is listed in Brazil... This was also confirmed by a security analyst 86_g (Twitter).” This isn’t the only private information Bank of America was handling. Another report discusses a different Twitter account, “DestructiveSec”, and their conflict with hackers known as TeaMp0is0N. The analyst writes, “TeaMp0is0N is claiming victory over the feud between the two groups and has provided a d0x of DestrutivSec [sic] in the form of a passport photo with comments: Yes! Submit them! Also, report to the feds. Get em arrested as well #RunRabbitRun.”
It’s fair to note that a large number of the emails appear to be addressing legitimate threats to Bank of America, such as databases of stolen credit card numbers, or plans by activists to crash a website by flooding it with useless traffic via a denial of service attack. Other reports detail live protests meant to take place at actual Bank of America locations.
The stolen data was spread through various Anonymous accounts, but one group in particular took responsibility for its release. They’re called “Par:AnoIA,” and I had the opportunity to interview one of their members. They preferred not to be identified by name or even by gender. The first thing Anon wanted me to know was, “Par:AnoIA is no ‘hacking group.’ We are a publisher much like any other media outlet. The main difference is that we publish data and information as received.” According to Par:AnoIA, information is given to them, and their sources intentionally remain anonymous.The information, Par:AnoIA says, wasn’t hacked at all. It was just sitting on an unsecured server readily accessible by anyone who knew where to look. This is a common issue that they believe endangers the personal and financial information of millions of consumers.
I asked Par:AnoIA, who was busy indexing Bank of America’s emails to ease search capabilities of the leaked information, what they had found most interesting about the data released so far. “It’s amazing to learn that there are paid analysts actually reading public chat rooms. We were quite aware of the fact that Anonymous are likely monitored, but we were thinking more along the lines of automatic logging. The data not only shows that there were actual people monitoring the channels (and Twitter) 24/7, but they send shift reports to Bank of America with their ‘findings.’”
A list of thousands of keywords was included in the released data, presumably to aid Bank of America in data mining. According to Par:AnoIA, “The keyword list is just ridiculous. It has become a running joke to use the keywords in every sentence now, rendering it useless.” The ridiculousness of the keywords frankly cannot be overstated. Among the words Bank of America was searching for, I found “homosexual,” “demonology,” and “Buck 65.” The last is the name of a Canadian hip-hop artist. However there are also terms like “OccupyWallStreet,” “Internet Kill Switch,” and “Interrogation.”
Par:AnoIA was still reviewing the bulk of the data when I spoke with them, but there were a few items that seemed to stand out, such as the installation files for the text-analyzing software OneCalais. Included was an additional code for OneCalais that Par:AnoIA claimed was likely used to customize the program for Bank of America’s use. OneCalais is software sold by ClearForest, a Thomson Reuters company based in Israel, and according to Par:AnoIA, Israel is where the server they took all this data from sits. According to Par:AnoIA’s press release, an additional “4.8 Gigabyte of data containing detailed career and salary information of thousands of executives and employees from various corporations all around the world” was extracted from the server. The folder the employee data was located in was labeled “Bloomberg,” which Par:AnoIA believed might link to the multinational media corporation of the same name.
I asked Par:AnoIA whether they were concerned about the consequences of releasing the Bank of America intel ,or putting a copy of what is likely a very expensive piece of software like OneCalais online for anyone to access. The Anons replied, “Yeah… the thing is, the download of the data *might* be illegal, but no one has claimed it. That would mean confirming its authenticity. Either way, it’s a win-win for us.”
Disclaimer: Bank of America has not admitted that the data Anonymous released belongs to them, nor have they admitted that they are working with the third-party technology company, TEKsystems. Their statement on the matter was merely that "a third-party company was compromised... This company was working on a pilot program for monitoring publicly available information to identify information security threats." Adding that their own internal systems were not compromised.
More on hacktivists: