The Impact Team's Red Herring

The spotlight of the Ashley Madison hack has in recent days been turned on the Twitter persona "Thadeus Zu" (@deuszu) after Brian Krebs noticed that the account had tweeted about the dump 12 hours before Wired, Gizmodo et al. reported on it, supposedly when only journalists and security researchers were in possession of the data.

At first glance it seems like a great connection. I would add that people, especially hackers, often give themselves pseudonyms that have some underlying meaning. Thadeus (properly, "Thaddeus") is a Greek name meaning "Courageous Heart", Zu is slang for "cool" and was also an Evil Storm God, and deus obviously means God as well. Plus, if you take the name out of context, it could also mean "THA COOL GOD". We're batting three for three here, so it's likely that there is a deeply moralistic motivation behind the group.

There has been a lot of discussion about morals and ethics surrounding the leak, to be sure.

As Krebs pointed out, the AC/DC references, the cryptic one-sided conversations coincidentally timed around the time the story was about to explode... it all lines up neatly. Too neatly.

Mr. Krebs' eloquent article was engaging and without question contained some quality sleuthing. As an investigator myself, I enjoyed seeing the OSINT connections being made like the script for a modern Poirot mystery.

It's for that same reason that I can't help but feel that it all kind of smells. Of fish. Red herring, to be precise.

OPSEC. Sure, hackers have been known to compromise operational security to satisfy their egos by bragging publicly to up their scene cred. Truth be told, 99 times out of 100 that is what ends the lulz for them. (See Zoz's DEFCON 22 talk "Don't fuck it up".) And no doubt damn near every hacker who isn't in hiding, and even civilians who have only the faintest interest in hacker culture (not to mention the 30 or so million exposed users), now knows the name "Thadeus Zu", so if that was the goal then mission accomplished.

Of course it remains a possibility that they are deliberately remaining topside to taunt Avid Life Media, the victims, the authorities, and now the legion of bounty hunters hammering the public transform servers at Paterva while salivating over the cool half million prize for whoever untangles the mystery, confidently cocky that they have burned all their phones and are behind seven proxies... deus knows it wouldn't be the first time. Yet if that's true it is so brazenly stupid that I can't really bear to swallow it.

There are some ~102,000 tweets coming from this account - that's an awful lot of OSINT to leave lying around. Never mind the fact that LEAs can subpoena Twitter, Facebook and Google's records to triangulate IPs and eventually cellphones and home in on them; the sheer volume of publicly available open-source information is staggering.

So here's the $500,000 question that's just begging to be asked: WHY?

It only makes sense if you accept the premise that @deuszu is essentially taunting everyone with "come find me" with more than a hundred thousand public tweets to mine through and puzzle over and gossip about. This would have had to have been a conscious decision, agreed upon by all members, made years ago to contravene the most basic principles of operational security, which tends to be paramount if one values their freedom.

WHY? Why oh why hold their group discussions in a public-facing medium when they could have just as easily conferred over a private IRC channel or even AIM for that matter?

Furthermore, any mechanic will tell you that the more components you put in a vehicle the greater the likelihood the machine will fail sooner rather than later, so with multiple members in the group why would they agree to point the spotlight directly at themselves, trusting implicitly over vast geographical distance that none of the others had "fucked up", as they say, even once (see "Sabu")?

If one reads past the AM leak drama, a consistent theme of hacktivism is clear in their timeline - even interspersed between the tweets about the leak are links to UNICEF stories and various other human rights travesties happening around the world right now. Obviously, they consider themselves to be fighting "the good fight".

If they're fighting the good fight, why are they treading so dangerously with such swagger, with so many breadcrumbs and so many potential points of failure to endanger their ability to continue to do so when there's so much more to be done?

The answer is obvious... they aren't.

Although an argument could be made that @deuszu is obviously a morally - perhaps even religiously (if their name is to be given any weight) - motivated group, and that exposing the cheaters of the world is therefore a worthy cause, my gut tells me that it's simply not the case. The causes they seem to care about are much more fundamentally moral than the complex questions which arise when someone is asked "why does someone even consider cheating on their spouse?", as so many articles have already covered.

Frankly, it's small potatoes.

Unjust wars, clean water, refugees, illegal detentions, poverty, endangered and exploited children... just keep scrolling. Prior to all this and even throughout, the group seemed to concern themselves more with what philosophers would call the "simple moral issues". The black and white ones. Nobody of moral character is going to argue that children ought to live in danger. Nobody of moral character is going to say that war for oil is a good thing. But exposing every person who ever had an account at Ashley Madison has raised many conversations about the ethics of such a breach.

I've done a lot of investigations, and never with this level of public intelligence overhead - usually the target is not so technically savvy and has no idea they're even being watched and caught in honeypots until well after the jig is up, and those targets still had more situational awareness and OPSEC than @deuszu has shown around the AM "affair", if they are in fact the Impact Team.

Obviously, they're not.

It's made for an entertaining diversion, but I think it might be time the spectators and speculators gave up on the notion that something this big would be so easy to figure out... the real investigators already have.

That being said, my gut also tells me that Mr. Krebs is correct in his assumption that "if they didn't do it, they know who did". Almost certainly not personally by any of them, but indirectly. This has all been a well-orchestrated counter-intelligence campaign devised by Impact Team, designed to throw investigators off the scent for a while and willfully participated in by @deuszu for the #lulz, and everyone's fallen for it... if you will permit me:

hook, line and sinker.