May 12, 2011

The Web sites for computer game giant Eidos Interactive and one of its biggest titles — Deus Ex — were defaced and plundered on Wednesday in what appears to have been an attack from a splinter cell of the hacktivist group Anonymous. The hack comes just days after entertainment giant Sony told Congress that Anonymous members may have been responsible for break-ins that compromised personal information on more than 100 million customers of its PlayStation Network and other services.

The defacement message left on deusex.com.

For several hours early Thursday morning, the Deus Ex Web site, user forum, and Eidos.com were unreachable. For a brief period late Wednesday evening, the sites displayed a defacement banner that read “Owned by Chippy1337”, along with several names and hacker handles of those supposedly responsible for the break-in.

KrebsOnSecurity.com obtained an archived copy of the attackers’ online chatter as they were covering their tracks from compromising the sites. A hacker using the alias “ev0” discusses having defaced the sites and downloading some 9,000 resumes from Eidos. ev0 and other hackers discuss leaking “src,” which may refer to source code for Deus Ex or other Eidos games. In a separate conversation, the hackers also say they have stolen information on at least 80,000 Deus Ex users and that they plan to release the data on file-sharing networks.

Neither Eidos nor its parent company Square Enix Co. could be immediately reached for comment. (This may not be the first time Eidos was breached: In a story I wrote earlier this year, I detailed how hackers on an underground criminal forum claimed to be selling access to Eidos’ customer database).

The attack seems to have been engineered by a faction of the hacker collective that recently seized control over Internet relay chat (IRC) channels previously used by Anonymous to help plan and conduct other, high-profile attacks. According to several news sites that covered that coup, the Anonymous control networks were taken over by a 17-year-old hacker from the United Kingdom who uses the handle “Ryan” (shown in the chat conversation included below using the nickname “Blackhatcat”).

Also in the channel discussing the defacement and theft of the Deus Ex database are hackers “ev0,” “nigg” and “e”, screen names of Anonymous sympathizers who have been connected with Ryan’s recent coup. But according to one observer who’s been monitoring the Anonymous faction’s activities, this Anonymous splinter group appears to be splintering as well, turning on each other and framing one another for this latest attack. In the defacement message left on Eidos.com, ev0 and nigg finger Ryan in the hack, even using his supposed real name (Ryan Cleary). According to reporting by Ars Technica, Anonymous organizers angry over Ryan’s activities recently “doxed” him — publishing documents including his full name, home address, phone number and Skype handle, among other details.

“ev0 and nigg got the 0day they used to break in [to Eidos.com] from one guy, then got Blackhatcat to execute it and then screwed everyone, stole the database,” said the observer, who asked not to be named for fear of retribution from the hackers. “This is how those guys roll: One day they work together, the next they war. They drop dox on each other like it’s a game. Just like they did pinning the defacement of Deus Ex on Blackhatcat. Then denied the whole thing. It’s psychotic behavior like I have never seen. It’s like they hate each other but will work together on certain ops if it suits them, but then might turn on each other in the end…and then laugh it off.”

As an illustration of the above-described dynamic, a snippet of the chat conversation between ev0 and nigg discussing what to do with the Deus Ex Web site and data is pasted below. (WARNING: some of the text below contains strong language that may be offensive to readers):

  • [16:06] <ev0> we should put 0day
  • [16:06] <ev0> or exploits
  • [16:06] <ev0> in the pdf
  • [16:06] <ev0> and see if someone logs in
  • [16:06] <ev0> we will use a RAT
  • [16:06] <ev0> that will be the payload
  • [16:07] <ev0> one thing that would be funny
  • [16:07] <ev0> i write a nasty virus
  • [16:07] <ev0> that will bsod on startup
  • [16:07] <ev0> fuck up all your drivers
  • [16:07] <ev0> delete tons of files
  • [16:07] <ev0> forkbom on start
  • [16:07] <ev0> etc
  • [16:08] <ev0> we put that in an exploit kit
  • [16:08] <ev0> on the main page
  • [16:08] <ev0> there security will be responsible
  • [16:08] <ev0> for like
  • [16:08] <ev0> thousands of fucked up computers
  • [16:08] <ev0> and it would make the news
  • [16:08] <ev0> n`
  • [16:09] <@n`> no
  • [16:09] <@n`> wont work
  • [16:09] <@n`> be serious
  • [16:09] <@n`> this is srs biz
  • [16:09] <ev0> i am serious
  • [16:09] <ev0> oh we wil lget fucked
  • [16:09] <@n`> more like
  • [16:09] <@n`> where do we get the 0day from
  • [16:09] <@n`> who writes the virus
  • [16:09] <@n`> tests it etc
  • [16:09] <@n`> fyi
  • [16:09] <ev0> an exploit kit
  • [16:10] <@n`> i vote for
  • [16:10] <@n`> defacing this right now
  • [16:10] <ev0> alright
  • [16:10] <ev0> im game
  • [16:10] <ev0> wanna make a deface page
  • [16:10] <ev0> make one with #krack
  • [16:10] <ev0> and leak the src
  • [16:10] <ev0> in a torrent
  • [16:10] <ev0> and we’ll make a twitter
  • [16:10] <ev0> and link it to the page
  • [16:11] <@n`> no
  • [16:11] <@n`> dont link it to krak
  • [16:11] <@n`> baadddd idea
  • [16:12] <@n`> make a deface page pointing @ xero
  • [16:12] <@n`> with personal info
  • [16:12] <@n`> or someone else you dont like
  • [16:12] <@n`> “This hack was brought to you by X\
  • [16:12] <@n`> ya i got them all here
  • [16:13] <ev0> is the lfi patched
  • [16:13] <ev0> and the box secured
  • [16:13] <ev0> we’re going to get ddos
  • [16:13] <@n`> no
  • [16:13] <@n`> too much effort
  • [16:13] <@n`> i cleared the logs
  • [16:13] <ev0> we put it in the name of chippy1337
  • [16:13] <ev0> and direct it to irc.ddosing.eu #808
  • [16:13] <ev0> and write the names
  • [16:14] <ev0> ryan, dfs, xero, nikon, xix, venuism
  • [16:14] <ev0> and evilhom3r
  • [16:14] <@n`> YES
  • [16:14] <@n`> *yes
  • [16:14] <ev0> lol
  • [16:14] <@n`> and call out their dox if we have it
  • [16:14] <@n`> add some skiddy shit
  • [16:14] <@n`> idk
  • [16:15] <@n`> make it look funny
  • [16:15] <ev0> we can put ryans dox
  • [16:15] <ev0> kayla said she was gonna get xeros dox
  • [16:15] <ev0> hmm
  • [16:15] <ev0> we put Ryan Cleary
  • [16:15] <ev0> Ryan King
  • [16:15] <ev0> Xero aka Ryan King
  • [16:15] <ev0> Ryan Cleary
  • [16:15] <ev0> like that
  • [16:16] <@n`> ya
  • [16:16] <ev0> 16:16 &ev0 • http://deusex.com
  • [16:16] <ev0> 16:16 &ev0 • look at it now
  • [16:16] <ev0> 16:16 &ev0 • because it will be different later…
  • [16:16] <ev0> said that in their irc
  • [16:17] <ev0> this is the ultimate troll

Anyone interested in reading more can see the entire conversation at this Pastebin link.

Anonymous has officially denied being responsible for the Sony breaches. Meanwhile, the Financial Times reports that two veterans of Anonymous have acknowledged that members of the cyber-activist group are likely to have been behind the recent hacking attacks on Sony, in spite of the group’s official denials.

Anonymous has been around in various forms for many years, but it vaulted into the international spotlight last year when it leaped to the defense of WikiLeaks, after the latter came under fire for posting secret government documents. It is worth noting that Anonymous seems to be in a state of conflict at a time when WikiLeaks appears to be trying to discourage disloyalty among its own sympathizers. A story Wednesday by New Statesman reporter David Allen Green reveals that WikiLeaks founder Julian Assange now makes his associates sign a nondisclosure agreement that asserts that the organization’s huge trove of leaked material is ‘solely the property of WikiLeaks,’ and that anyone who violates this agreement by leaking the organization’s unpublished material is subject to penalties of up to 12 million British pounds, nearly $20 million.


43 thoughts on “Anonymous Splinter Group Implicated in Game Company Hack”

  1. Kevin

    I just know that these guys are just going to love the fact that they don’t know who is idling in their IRC channels. I am surprised Kayla wasn’t involved in this. Ev0 and Kayla have been going back and forth for a week talking about Ryan and Anon stuff.

  2. Kevin Y.

    Pastebin link not working…. Unknown Paste ID!

  3. TheGeezer

    Very interesting. Nice work, Brian.

  4. Nick P

    That conversation sure sounds like them. I was wondering why they went for Eidos and Deus Ex. That source code was a nice steal maybe a half-decade or so ago, but today? Perhaps they weren’t skilled enough to penetrate the repos of some truly valuable source code, like Modern Warfare 3 or Windows 8. I doubt they will be capable of that, as it takes talented clever hackers. These guys were script kiddies with self-esteem issues.

    1. bob

      the code for the new Deus Ex game coming out in a few months might be worth something to someone….

  5. Daniel Marino(not football player)

    A: I see nothing here that indicates that this group has any relation to Anonymous

    B: There is no evidence to suggest that members of Anonymous are hackers beyond the use of DDOS attacks, which this is not an instance of.

    C: Anonymous is not a group with members in the traditional sense and are certainly not in any way an organized hacktivist group or even really hacktivists for that matter. Largely they are teenagers and young adults who happen to browse the same image boards that do not require usernames.

    Please do your research before making correlations. I have written a discourse on the philosophy of hacking that has a large section on Anonymous and their association with hacktivism as well as the history of hacktivism. If you are interested in reading it to augment your research for further articles such as this feel free to email me.

  6. Helly

    I am a bit confused by your post. You begin by saying that you see nothing that ties this group to Anonymous. Then you say that Anonymous has no members who are “hackers”, and that they only use DDOS. And finally you indicate that they aren’t a formal group.

    Given that Anonymous is a random gathering of loosely affiliated individuals for a sometimes common cause, your arguments seem a bit contradictory. It seems entirely plausible to me that Anonymous would contain some “hackers” with more significant skills than visiting a LOIC page. In fact I have seen convincing proof of that fact in the past.

    Your last point that Anonymous isn’t a traditional group, I agree with. And for that reason it seems entirely likely that the group referenced in the article may indeed be related to Anonymous.

    Overall I disagree with your points A and B, and personally I thought the correlations made were reasonable. Having also researched this particular story in a variety of other locations I think your argument here is a bit flawed.

    1. Helly

      Dangit, that was @ Daniel Marino(not football player)

    2. Lulzcat

      Care to share some of your other various sources? The only other two places I have seen this discussed were #1 where ev0 and his bitches hang out and on cnet (who point to this blog here). Troll fail my friend.

  7. Well...

    I have a friend who has been following the IRC of anon and other hacker groups and thinks he has learned hacking techniques etc etc. Today I challenged him to try to take down my webserver (a pretty fast VPS server), the server isn’t anything crazy, CentOS 5.5 64-bit, with whm and cpanel, well he has tried everything in his power and his little script program for the last I’d say 4 hours and hasn’t managed to find a SINGLE entry way into my server, these are script kiddies like someone said above that think they are hot shit because they actually managed to get into a server, anyone who knows how to actually run a web server securely would have no problem defending against these kids.

    1. Boxxy

      You make no point other than your “buddy” has no skillz. So, basically he lurks on anon irc servers and is a moron…

    1. Matt

      Yep, it’s been out there but no seeders – lol.

      1. Alderien

        Are you kidding me?
        there’s three types of hackers,
        1. Black-Hat Hackers: they break in and steal info like passwords, Credential info and the like.
        2. White-Hat Hackers: they’re paid to get through “security systems” to further increase the payer’s “Anti-Hacker-Defence”
        3. Gray-Hat hackers: by far the most dangerous, they have their own agenda and are a cross between black and White-hat hackers.

        1. RK

          There are more than three kinds of hackers. Once you have only recognized white/grey/black hats, the game is over as you have only identified the basic moral association amongst the different “classes”.

          Thanks to our wonderful, clueless lawmakers, the majority would fall into being blackhat criminals over basic concepts such as watching digitally pirated content, looking at specific computer code or using your sister’s computer without asking…

          If you are looking to elaborate amongst the different “class” of hackers, albeit not as descriptive as it needs to be, Bruce Schneier posted a link to a great article explaining the different kinds of hackers and the roles they play in today’s society…

          http://www.ehow.com/facts_5003123_types-computer-hackers.html
          http://hubpages.com/hub/Meaning-of-Hacking-and-the-Different-Kinds-of-Hackers

  8. ilold

    wtf

    what a dump troll.

    but a very interes. article/blogpost

  9. ev0

    i will hack you to prove it, i am fluent in over 32 programming languages and have tutored high profile hackers on everything.

    i have over 17 million bots as well in my botnet

    1. george

      @ ev0,

      Well, if you really have control over 17 million bots as you boast, would be easy to prove by voting your own comment here 10.000 times “thumbs-up”. Are you up for this challenge ? I guess not…

      1. dude

        evo appears to actually control a botnet of 7.

        1337 d00d

    2. RK

      32 programming languages? Really? Coming from someone who was “Just learning C” in Feb.?

      Just cause you know how to command bots, doesn’t make you special.

  10. hey

    evo please get anonops working again its still owned you faggot

  11. Crapbag

    Official statement by Square-Enix:

    Square Enix can confirm a group of hackers gained access to parts of our Eidosmontreal.com website as well as two of our product sites. We immediately took the sites offline to assess how this had happened and what had been accessed, then took further measures to increase the security of these and all of our websites, before allowing the sites to go live again.

    Eidosmontreal.com does not hold any credit card information or code data, however there are resumes which are submitted to the website by people interested in jobs at the studio. Regrettably up to 350 of these resumes may have been accessed, and we are in the process of writing to each of the individuals who may have been affected to offer our sincere apologies for this situation. In addition, we have also discovered that up to 25,000 email addresses were obtained as a result of this breach. These email addresses are not linked to any additional personal information. They were site registration email addresses provided to us for users to receive product information updates.

    No dissemination or misappropriation of any other personal information has been identified at this point.

    We take the security of our websites extremely seriously and employ strict measures, which we test regularly, to guard against this sort of incident.

    lmao, what a fail hacker. Some resumes and email addresses? You know, just in case LinkedIn is down. Biggest fail of the week.

  12. a problem with spam?

    downloading the torrent now

    not gonna turn down 25k of emails in the gaming niche!

  13. The Red Russain

    You know who I blame, the parents. They need to monitor their children’s internet use. I would really love to find out what their parents would think of them if they knew their child was doing this sort of thing. Very sad indeed, very sad.

  14. RK

    Know who I blame? Weak little bitches that hack under the cozy watch of federal agents…

    Granted, our culture has always had a history of double agents, from Agent Steal to Albert Gonzalez. I realize it’s the ultimate dream to hax on the Feds dime, but what they don’t realize is once there has been a leak, snitches still working, still get to visit prison.

  15. chnku

    Anonymous is a sample of the waste
    Please introduce a doctor

  16. bob

    Unusual to have say such things on this blog but: Anonymous is not a group and therefore doesn’t have splinter groups.

    “…an attack from crackers who have used the Anonymous name in the past.”, might make more sense.

  17. random

    I have to say anyone here bringing up Anonymous needs to get educated, this is Ryan Cleary and his friends who also hacked Anon ops sites and released Anon members’ information. They are no friends to Anon, they are working for their own self interests and it’s only a matter of time before Essex Police pick Ryan up and I.D his friends.

    1. truth

      You speak as if you have a informed opinion, little do you know you are just as uneducated as most people commenting here. The people who understand and know the full truth are laughing at this whole thing. ev0/xyz aka Robert Cavanaugh of 306 Old Westbury Road,
      East Meadow,
      New York
      11554

      has/will most likely get arrested, considering the FBI are involved.

      So fuckin retarded…

  18. Neverloughed so good

    If those are Hackers I’m Santa Claus 🙂

    1. I lough if i need to

      And Mr Krebs should know this with his years of Experience in this field also 😉

  19. AT

    “Julian Assange now makes his associates sign a nondisclosure agreement that asserts that the organization’s huge trove of leaked material is ‘solely the property of WikiLeaks,’ and that anyone who violates this agreement by leaking the organization’s unpublished material is subject to penalties of up to 12 million British pounds– nearly $20 million.”

    This is classic; “I have stolen information in my possession, so it’s mine and if you steal it from me I will have you prosecuted…”

    WTF world is he living in?

    1. Kooberfacer

      Yeah. I also would like to know what world Assange is on to have an NDA on material stolen from the US?

      Still shaking my head over that one.

  20. New Guy

    here is a list of a few of anon’s passwords. They were in the pastebin link provided. I don’t know if they still work, hopefully they were smart enough to change them.


  21. Fike

    Funny thing is I know Xero (one of the hackers). We used to talk before, not often but we did.

    He is skilled, very skilled…

  22. C U Anon

    Brian,

    As you might know by now Ryan Cleary was arrested by the eCrime unit of the UK’s Met Police.

    However if you search the Internet on the other home address (ie 10 South… not 33) you will find that the family is well known to Essex police. His Mother and elder brother have been convicted of drugs related crime. Further both of them are claiming state benifits for agriphobia even though there are a number of photos of them up on the net walking around outside.

Comments are closed.