The leader of legendary international hacker crew LulzSec. A high-placed mole inside the central nervous system of the global intelligence community. A man who defaced a government website in contravention of the law and all bounds of civil behavior.
Clearly, any man who was all that would be at the top of any Most Wanted list. The Australian Federal Police say that after an intense two-week investigation, they have got their man. But is he really what he seems?
According to the Federal Police, who held a news conference a few hours ago, on Tuesday night they arrested a man going by the username of Aush0k at his Sydney office. The crime they arrested him for was defacing an unnamed government agency website, and the hack apparently happened within the past month. Detective Superintendent Brad Marden, national coordinator of cyber crime for the Federal Police, explained, "He took advantage of a known exploit to access the website, then put a backdoor in," although police clarified he did not use it to access, copy or alter the website data, but rather to execute the defacement.
The arrested man is facing a possible 12 years in prison on two counts of unauthorized modification of data to cause impairment, and one count of unauthorised access to a restricted computer system. The man went unnamed by the police because of privacy legislation, but was identified by the Financial Review as 24-year-old Point Clair resident Matthew Flannery.
The police say that Flannery told them he was the leader of LulzSec, the infamous breakaway Anonymous group who are credited with hacking Stratfor, Sony, Paypal, Visa, Mastercard, and many others on a 50-day spree during the summer of 2011 which demonstrated the effectiveness of small hacking crews at the same time as it exposed their weakness: they were easier for law enforcement to track down than the murky, hydra-headed Anonymous collective.
Seven core members of LulzSec have faced or are facing charges, and none are currently at complete liberty. Even LulzSec leader Sabu, who was working as a police informant and has had his trial date pushed back repeatedly, has been in custody intermittently at New York's Metropolitan Corrections Center, probably for protection.
Anonymous itself was quick to deny that any Australian was the "supreme leader" of LulzSec; in fact, claiming to be the Supreme Leader is a long-running joke among members of the collective. The Anonymous Australia Twitter account stated he was, "not part of the usual suspects on any of our chains of communication I suspect some DDos skid on his mums win box."
Aush0k's Vimeo account certainly attests to a flair for the grandiose and a love of trolling. In this short video he heralds his own "return to the Internet," of which he calls himself the "final boss."
Swank PJs, dude.
The police, in their press conference, stated that he frequented forums known to belong to Anonymous, where he also stated he was the leader, and that other Anons failed to contradict him. "This is not harmless fun. This is serious," said AFP Commander Glen McEwen.
The reason they're taking it so seriously is the level of access that Flannery had, in his role as a security engineer. Although they do not claim he misused his access in any way other than defacing a single website, the police took pains to point out that, "This man is known to international law enforcement and police will allege he was in a position of trust within the company with access to information from clients including government agencies."
Flannery's LinkedIn page lists his position as Security Engineer, Tenable Network Security, and simultaneously Managing Director/Consultant of his own company, Greyhat Consulting. His time at Tenable dates only to February, while it appears he's been self-employed for more than a year. Tenable is indeed a major threat assessment and security company, and a senior security consultant there would have access to a jaw-dropping amount of information about governments, corporations and individuals should he choose to use it, but a representative from Tenable told The Australian at length that Flannery does not work there and has never worked there.
"Matthew Flannery does not and has never been an employee of Tenable. Network Security holds a zero tolerance policy for employees and partners with regards to malicious digital activity. It is our mission to defend cyberspace from the activities of hackers, thieves and spies and we remain committed to bringing such criminals to justice."
The Australian also reports that on his Facebook page, he claimed to work for the FBI.
Tenable, however, does provide training; exactly the kind of training a self-employed computer consultant would need to stand out from the crowd, and it teaches these courses via webinar. The three courses Flannery lists on his LinkedIn page under the Tenable entry are: Introduction to SecurityCenter, Security and Compliance Monitoring with SecurityCenter, and Security Event Management with Log Correlation Engine, all designed to train the security professional in the use of Tenable's proprietary products. It is entirely possible that Flannery's association with Tenable is nothing more than having taken a few webinars for professional development and being guilty of the sin of LinkedIn-padding.
McEwen stated the police perspective with crystal clarity. "This individual was operating from a position of trust who had access to sensitive information from clients including government agencies. The AFP believes this man's skill sets and access to this type of information presented a considerable risk for Australian society."
Is Matthew Flannery the supreme leader of LulzSec? Does LulzSec still exist as a force? Is he a highly skilled, highly dangerous security expert, a white hat turned black at the nexus of international security?
For now, he's just another 24-year old self-employed geek, and he is reportedly out on bail.
Photo via LinkedIn