You’ve probably already heard of Anonymous, the world’s most infamous group of cyber-trolling hacktivists. They frequently make headlines for crashing websites and looting corporate and government servers. Usually these hacktivists come together in defense of others, such as Julian Assange, the people of Gaza, victims of police brutality or even victims of rape. But now, Anonymous has turned its eyes on a personal rival. This enemy has its own cyber-squad of secret spies that, according to Anonymous, spend the majority of their time in chat rooms collecting intelligence about them. With their latest release of stolen data, Anonymous has just pulled back the curtains on their foe: the Bank of America.
On February 25th @AnonymousIRC, an Anonymous Twitter account with over 280,000 followers, began posting “teasers” about a massive Bank of America data leak. The first post declared, “If you spy on us, we spy on you.” What followed was 14 Gigabytes of private e-mails, spreadsheets, and a “text analysis and data mining” program called OneCalais. The e-mails in the release originated from “Cyber Threat Intelligence Analysts” who identified themselves as employees of a company called TEKsystems. The TEKsystems website appears to be nothing more than a staffing agency and seems wholesome enough. There’s definitely nothing that screams “we are cyber-spies!” It’s safe to assume these analysts were hired by Bank of America, regardless of their TEKsystems titles, because according to the leaked emails that Anonymous released, each of them was using a @bankofamerica.com email address while filing their reports.
Having a team on staff to protect a corporation from potential cyber-threats is nothing new. This isn’t what caught the attention of Anonymous to begin with; it was the methods being employed by Bank of America to gather data. Each of the 500+ e-mails pilfered reads like a surveillance report, most of them reporting on the activities of online activists from Anonymous to Occupy Wall St.
In one e-mail, TEKsystems reveals that IRC chat users were discussing a document on the US House of Representatives website, house.gov, which listed companies that had officially given their support to the Stop Online Piracy Act (SOPA). In the IRC chat, one of the users says “Do these organizations know what they’ve started? Follow the money.” In the email, the Bank of America security analyst responds to this unrest privately, writing: “Included among those named are two of our critical suppliers: MasterCard Worldwide and Visa, Inc. This has been the only mention of this document at this time, and it has not hit Twitter as of yet.”
In another e-mail, a TEKsystems analyst identifies an Anonymous Twitter account known as “Anonymousown3r” and then shares a document that appears to show the user’s real identity, along with his IP address. The analyst states, “[the IP address] is listed in Brazil...This was also confirmed by a security analyst 86_g (Twitter).” This isn’t the only private information Bank of America was handling. Another report discusses a different Twitter account, “DestructiveSec”, and their conflict with hackers known as TeaMp0is0N. The analyst writes, “TeaMp0is0N is claiming victory over the feud between the two groups and has provided a d0x of DestrutivSec (sic) in the form of a passport photo with comments: Yes! Submit them! Also, report to the feds. Get em arrested as well #RunRabbitRun.”
It’s fair to note that a large number of the emails appear to be addressing legitimate threats to Bank of America, such as databases of stolen credit card numbers, or plans by activists to crash a website by flooding it with useless traffic via a denial of service attack. Other reports detail live protests meant to take place at actual Bank of America locations.
The stolen data was spread through various Anonymous accounts, but one group in particular took responsibility for its release. They’re called “Par:AnoIA,” and I had the opportunity to interview one of their members. They preferred not to be identified by name or even by gender. The first thing the Anon wanted me to know was “Par:AnoIA is no ‘hacking group’. We are a publisher much like any other media outlet. The main difference is that we publish data and information as received.” According to Par:AnoIA, information is given to them and their sources intentionally remain anonymous. The information, Par:AnoIA says, wasn’t hacked at all. It was just sitting on an unsecured server readily accessible by anyone who knew where to look. This is a common issue that they believe endangers the personal and financial information of millions of consumers.
I asked Par:AnoIA, who was busy indexing Bank of America’s e-mails to ease search capabilities of the leaked information, what they had found most interesting about the data released so far. “It’s amazing to learn that there are paid analysts actually reading public chatrooms. We were quite aware of the fact that Anonymous are likely monitored, but we were thinking more along the lines of automatic logging. The data not only shows that there were actual people monitoring the channels (and Twitter) 24/7, but they send shift reports to Bank of America with their ‘findings.’”
A list of thousands of keywords was included in the released data, presumably to aid Bank of America in data-mining. According to Par:AnoIA, “The keyword list is just ridiculous. It has become a running joke to use the keywords in every sentence now, rendering it useless.” The ridiculousness of the keywords frankly cannot be overstated. Among the words Bank of America was searching for, I found “homosexual”, “demonology” and “Buck 65.” The last is the name of a Canadian hip-hop artist. However there are also terms like “OccupyWallStreet,” “Internet Kill Switch,” and “Interrogation.”
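To make the point about the keyword list concrete, here is an added example (not code from the article, Par:AnoIA, or the leaked OneCalais material) of a toy keyword-watchlist monitor run over constructed chat lines. The watchlist, chat lines, and the one-alert-per-line threshold are all assumptions chosen for illustration. It shows two things: a list that mixes everyday words with specific terms flags most ordinary chatter anyway, and once every message contains watchlist words (the “running joke” described above) a naive any-hit alert fires on everything. The second half goes slightly beyond the text by adding a common mitigation, weighting each term by how rare it is in the batch (an IDF-style weight), so that flooded terms lose their weight while a term that appears only once still surfaces.

```python
"""Toy keyword-watchlist monitor over constructed chat lines.

Added example; not the article's or any vendor's code. The watchlist and
the chat lines are constructed, not taken from the leaked data.
"""
import math
import re
from collections import Counter

# Constructed watchlist: broad everyday words alongside a few specific
# terms, mirroring the mix the article describes.
WATCHLIST = [
    "occupywallstreet", "internet kill switch", "interrogation",
    "demonology", "homosexual", "buck 65", "leak",
]

# Constructed "normal" chatter: six lines of ordinary conversation.
NORMAL_CHAT = [
    "anyone watching the game tonight?",
    "the new Buck 65 album is great",
    "planning the OccupyWallStreet march for saturday",
    "my roof is starting to leak again",
    "demonology 101 was the weirdest class i ever took",
    "that interrogation scene in the film was intense",
]

# Constructed "flooded" chatter: every line carries the same joke keywords,
# which is the countermeasure the article says rendered the list useless.
FLOODED_CHAT = [
    "demonology interrogation buck 65 good morning everyone",
    "demonology interrogation buck 65 anyone around?",
    "demonology interrogation buck 65 brb coffee",
    "demonology interrogation buck 65 any news on the internet kill switch bill?",
    "demonology interrogation buck 65 lol",
    "demonology interrogation buck 65 night all",
]


def normalise(line):
    """Lower-case and collapse a line to space-separated alphanumeric tokens."""
    return " ".join(re.findall(r"[a-z0-9]+", line.lower()))


def hits(line):
    """Return the set of watchlist terms present in a line (whole-word match,
    so multi-word terms like 'buck 65' match as phrases)."""
    text = normalise(line)
    return {t for t in WATCHLIST
            if re.search(r"\b" + re.escape(t) + r"\b", text)}


def naive_alerts(lines):
    """Any-hit rule: a line alerts if it contains at least one watchlist term."""
    return [bool(hits(line)) for line in lines]


def idf_weights(lines):
    """Weight each observed term by log(N / document frequency) within the batch.
    A term present in every line gets weight 0, so a flood of it adds nothing."""
    n = len(lines)
    df = Counter()
    for line in lines:
        df.update(hits(line))
    return {t: math.log(n / df[t]) for t in df}


def weighted_alerts(lines, threshold=1.0):
    """Weighted rule: a line alerts if the summed weight of its distinct hits
    reaches the threshold (1.0 is an assumed, illustrative value)."""
    weights = idf_weights(lines)
    return [sum(weights[t] for t in hits(line)) >= threshold for line in lines]


def alert_rate(flags):
    """Fraction of lines that raised an alert."""
    return sum(flags) / len(flags) if flags else 0.0


if __name__ == "__main__":
    for name, batch in (("normal", NORMAL_CHAT), ("flooded", FLOODED_CHAT)):
        print(f"{name:8s} naive={alert_rate(naive_alerts(batch)):.2f} "
              f"weighted={alert_rate(weighted_alerts(batch)):.2f}")
```

On the normal batch the any-hit rule already flags five of six ordinary lines, which is the noise an overly broad list buys you. On the flooded batch it flags all six, while the weighted rule flags only the single line whose term is not part of the flood. Term weighting is no cure for a badly chosen list, but it is the minimum an analyst would want before treating keyword hits as a signal.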
Par:AnoIA was still reviewing the bulk of the data when I spoke with them, but there were a few items that seemed to stand out, such as the installation files for the text-analyzing software OneCalais. Included was additional code for OneCalais that Par:AnoIA claimed was likely used to customize the program for Bank of America’s use. OneCalais is software sold by ClearForest, a Thomson Reuters company based in Israel, and according to Par:AnoIA, Israel is where the server they took all this data from sits. According to Par:AnoIA’s press release, an additional “4.8 Gigabyte of data containing detailed career and salary information of thousands of executives and employees from various corporations all around the world” was extracted from the server. The folder the employee data was located in was labeled “Bloomberg”, which Par:AnoIA believed might link to the multinational media corporation of the same name.
I asked Par:AnoIA whether they were concerned about the consequences of releasing the Bank of America intel, or putting a copy of what is likely a very expensive piece of software like OneCalais online for anyone to access. The Anons replied, “Yeah… the thing is, the download of the data *might* be illegal, but no one has claimed it. That would mean confirming its authenticity. Either way, it’s a win-win for us.”
Disclaimer: Bank of America has not admitted that the data Anonymous released belongs to them, nor have they admitted that they are working with the third party technology company, TEKsystems. Their statement on the matter was merely that "a third-party company was compromised... This company was working on a pilot program for monitoring publicly available information to identify information security threats." They added that their own internal systems were not compromised.