A group of hackers claiming to be affiliated with the group known as Anonymous had, until today, been negotiating with Symantec for the safe return of stolen property through an online personality named YamaTough. The YamaTough personality spoke on behalf of the Lords of Dharmaraja, a known hacker collective responsible for several thefts and subsequent releases of data in similar security-related events in the recent past, Norton Antivirus among them. At the time of this posting, portions of the code claimed to have been stolen by LoD have been pasted in several public forums, and YamaTough has refused a payment of $50,000 USD as ransom for the destruction of every copy of said code.
Of course, it is absurd to expect the complete forfeiture of a set of stolen code that could so easily be copied and duplicated, so whom do we look to when questioning the logic behind offering a cash sum to hackers such as these? According to LoD, it was Symantec spokesperson Chris Paden, not the FBI or a federal commission of any kind, as many news sources are reporting today. Paden, though, is on record saying the following:
“The communications with the person(s) attempting to extort the payment from Symantec were part of the law enforcement investigation.” – Paden
A series of emails were sent back and forth between YamaTough and a person claiming to work with Symantec; Symantec has since said that this person was actually working with a law enforcement group that Symantec had engaged specifically for this case. In the email conversation between the two, pasted on Pastebin for your full reading if you wish, the first mention of a cash transaction is made by DoM, who suggest selling the code to the highest bidder. It is the negotiator, on the other hand, who suggests that Symantec purchase it first. In the middle of this negotiation is an interesting moment in which YamaTough is asked to provide a set of guarantees to Symantec for the deal:
“What are the guarantees that we won’t come back for more? – NONE of course, you have to trust us on this one, if we were really bad guys we would have already released or sold your code at the time of exchanging emails with you which is almost a month – AND WE KEPT SILENT all that time and stuck to our word given to you.” – YamaTough
At this point the negotiator, whose name is unimportant since “Sam Thomas” is almost certainly a placeholder, suggests that $1,000 be sent to YamaTough via PayPal so that negotiations can continue. YamaTough disagrees and says they do not work with PayPal – they have been talking about Liberty Reserve (an offshore service for no-questions-asked transactions) – and Sam returns with the following offer:
“We are still looking into Liberty Reserve but we have to figure out how to get our money safely into our Liberty Reserve account through an exchanger.
We will pay you $50,000.00 USD total.
However, we need assurances that you are not going to release the code after payment. We will pay you $2,500 a month for the first three months. Payments start next week. After the first three months you have to convince us you have destroyed the code before we pay the balance. We are trusting you to keep your end of the bargain.” – Sam Thomas
At this point YamaTough sends the following message:
“Say hi to FBI agents,
It’s funny you do not use your corp account anymore =)
We wonder why is that be that way? =)” – YamaTough
And the stories begin to fly on the web that DoM has discovered an FBI link to Symantec’s investigation of the situation. While this is happening, Sam notes that “We are not in contact with the FBI. We are using this email account to protect our network from you.” and appears to send no further messages after another offer of $50,000 total. This brings us up to now.
What is happening now is that DoM is releasing the code bit by bit (and perhaps all at once at some point down the line) and is suggesting the following:
“The real sting sends money and busts the crooks at the cash pickup =) it wasn’t feds – it was slimy Paden UNEMPLOYED =)” – @YamaTough
And thus is the truth of the matter, in this part of the situation anyway: it would have made a whole lot more sense for the FBI to set up a real-world drop of cash for code, as they would have had the upper hand without a doubt. Instead, it appears that the negotiators who were actually involved took no such precaution, tried to exchange cash online, and are now falling victim to circumstance and to hackers with a taste for trade.
For those of you out there using Symantec software: you likely have nothing to worry about. The code that DoM is releasing is from pcAnywhere and blueprints for old software that has long since become outdated. Or so Symantec says. The important part of this equation for Symantec is bad PR, as well as the possibility that the code, once analyzed, may prove helpful to competing companies and to hacker groups hoping to gain some insight into Symantec’s development process.