Update: Alleged Source Code Thieves Attempt to Extort Symantec

Monday, February 06, 2012

Anthony M. Freed


UPDATE:  Symantec: Emails Part of Law Enforcement Sting Operation

"The e-mail string posted by YamaTough was actually between them and... law enforcement. YamaTough actually reached out to us, first, saying that if we provided them with money, they would not post any more source code. At that point... it was a clear cut case of extortion..."

*   *   *

Anonymous-aligned hacker YamaTough, the spokesperson for the hacktivist group “The Lords of Dharmaraja”, falsely accused Symantec of attempting to bribe the group in order to prevent the release of source code for the company's PCanywhere product, among others.

Looking through the email exchange posted on Pastebin alleged to have taken place between YamaTough and a representative from Symantec, it appears that the attempt to reach an arrangement was nothing more than an exercise in good business practices on the part of the software giant at best - and perhaps an extortion operation on the part of the hackers at worst.

It is hard to characterize Symantec's efforts to prevent the release of proprietary information in an illegal data dump as being anything approaching unsavory.

In a series of tweets, YamaTough said, "Sorry everybody for being silent that much. You won't believe it but Symantec offered us money to keep quiet... And quess what they couldn't make it over 50k for the whole range of their src sh*t, therefore the show starts as of tuday... they've been tricked trolled into offering a bribe so the false statement be made we never had the code and lied..."

The assertion that Symantec wanted the hackers to "lie" is not clear in the exchange at all. It appears that Symantec is maintaining that the source code was stolen in 2006, and that the demand placed on the hacker group was to admit they had lied about obtaining the code from a breached Indian government server, as the hackers had originally claimed.

The particular statement attributed to Symantec in the Pastebin posting is as follows:

"We can't pay you $50,000 at once for the reasons we discussed previously.  We can pay you $2,500 per month for the first three months.  In exchange, you will make a public statement on behalf of your group that you lied about the hack (as you previously stated).  Once that's done, we will pay the rest of the $50,000 to your account and you can take it all out at once. That should solve your problem."

What is clear from the exchange, if it is legitimate, is that the hackers were eager to negotiate a price to refrain from releasing the stolen source code, regardless of the origin, including setting up an off-shore account through an organization referred to as "Liberty Reserve".

It is also clear that the reasons for threatening to release the source code have little or nothing to do with the original stated purpose YamaTough provided in an interview with Infosec Island in January.

YamaTough had said the group's intentions were to use the stolen data as a means to gain attention from the press and to undermine the current government of India in an effort to replace them with a more pro-American regime.

Infosec Island had made multiple attempts to prompt YamaTough to provide actual proof that the data had in fact been stolen from servers owned and operated by the Indian government, but all requests were either met with silence or an outright refusal.

“…my team is pro US, we fight for rights in our country we are not intentionally harm US companies (sometimes we do hack into since our botnet is worldwide) but we do not steal credit cards and make money of it and we do not do banks etc. Our mission - exposure of the corruption... We wanna apologize for harm taken by the Symantec USCC and others, but without them being involved things which do occur in our state would never be covered and taken to the public, sometimes you have to sacrifice in order to achieve... and we do not approve sharing personal data and source codes with foreign governments. We want free and nice India and not police state,” YamaTough had previously proclaimed.

Furthermore, YamaTough tweeted that the stolen source code was now available for purchase on the black market: "All the Symantec source codes are now on sale! PcAnywhere, System Works, Internet Security and Norton GoBack with Utilities, NAV".

Of course, it is not surprising that the hordes of Anonymous supporters are attempting to characterize Symantec's effort to protect its intellectual property and millions of customers from exposure as "bribery", but rationally it does not play out that way.

We continue to seek proof that the materials were actually obtained from the Indian government, but at this point have to conclude that the statements were most likely false and that the code was stolen in a 2006 breach of Symantec's company networks as stated.

If YamaTough would like to provide proof of his assertions to the contrary, we still welcome it.

Laura Walker: Title 18, United States Code, Section 875(d)
http://trac.syr.edu/laws/18/18USC00875.html

Not looking very political

Michael Menefee: Laura,

My guess is (among other things) that's what Symantec was going for...that exact response from these guys.

Now, whether or not this is a real email thread, and even who actually posted it, is another issue altogether :)

One thing we can be sure of, is that whoever he/they are, they certainly seem hell-bent on trying to hurt Symantec....not sure it's gonna work

Cris Paden: In January an individual claiming to be part of the ‘Anonymous’ group attempted to extort a payment from Symantec in exchange for not publicly posting stolen Symantec source code they claimed to have in their possession. Symantec conducted an internal investigation into this incident and also contacted law enforcement given the attempted extortion and apparent theft of intellectual property. The communications with the person(s) attempting to extort the payment from Symantec were part of the law enforcement investigation. Given that the investigation is still ongoing, we are not going to disclose the law enforcement agencies involved and have no additional information to provide.

Michael Menefee: Thanks Cris,

Seems like these jokers had it out for Symantec all along and this was their goal from the "get-go". We wish you and law-enforcement all the best in bringing the individuals responsible for this to justice.

Laura Walker: From espionage and political protest, downgraded to theft, now upgraded to extortion. Fire up the espresso machines lol

Laura Walker: I hope you nail them Cris. What a headache. Best to you & all working on the investigation.

Krypt3ia: *walks in and cryptically says*.... Meh, why has no one gone after the fact that this code has been in the wind since 06 and tie it to malware development since?

Yeah... Post coming.