A compromise of the Web site that is a repository for tens of thousands of sensitive documents has led to questions about the purpose of the hack, and whether the identity of those who have leaked information may have been exposed.
John Young, the founder of Cryptome.org, confirmed for Threatpost.com that his personal e-mail account, a personal computer and the Web hosting account of the site he started in 1996 were targets of hackers over the weekend. The site was restored within hours, but not before the as-yet unidentified attackers made off with the contents of the Web site, as well as e-mail messages and other files taken from a local network his computer was connected to.
Young said he knows who the perpetrators were and suggested the motive for the attack may have been payback for sensitive documents the site has published in recent weeks. That, despite a report from Wired.com that suggested the hack was more or less indiscriminate – carried out by members of the well known Kryogeniks hacking group to embarrass a fellow hacker who uses the handle “TrainReq.”
Cryptome is a well-known repository for sensitive documents from both the government and private sector, with more than 60,000 documents posted online, totaling more than 7 GB. The site predates the better known Wikileaks site, which burst into the public spotlight with the publication of 90,000 documents relating to the wars in Iraq and Afghanistan – some classified.
Unlike Wikileaks, however, Cryptome focuses more on open source intelligence and documents in the public domain – generally reposting everything of value that is sent to its curators (including e-mail exchanges with members of the press) rather than serving as a front for anonymous, leaked information.
“We generally dig up the documents ourselves, they’re good solid educational information,” Young said. However, he acknowledged that some of the information posted on Cryptome is sent by third parties, with the expectation of anonymity, though “that’s not what we’re in business to do.”
In recent months, Cryptome has run afoul of Wikileaks, posting and reposting documents regarding the site’s operation, internal divisions and the legal travails of Wikileaks owner Julian Assange. It was also the subject of a court-ordered shutdown in February, after Microsoft accused the site of a violation of the Digital Millennium Copyright Act (DMCA) for posting its Global Criminal Compliance Handbook for responding to wiretap requests. Young suggested the hack was in retaliation for its posts on Wikileaks, Microsoft or some other “authority.”
“We try to run on the wrong side of as many people as we can. Authoritative people – and we think of hackers as authorities,” he said. Young said, aside from the DMCA takedown, the site was only compromised once before: a Web site defacement in 2003.
Writing for Wired.com, reporter Kim Zetter – communicating via e-mail with hackers who claimed to be responsible for the attack – claims that the actual target of the attack was not Young and Cryptome, but a hacker who goes by the handle “TrainReq.”
Quoting e-mail conversations with a hacker who asked to be identified as “Ruxpin” or “Xyrix,” Zetter writes that Cryptome.org was merely interesting to the attackers because it was a high-profile account, posting a defacement message that credited the attack to TrainReq and later Ruxpin.
That said, the attackers copied the entire published contents of Cryptome and changed access permissions on them to make the files inaccessible. They also scoured Young’s Earthlink e-mail account for information, showing Zetter 30 names and e-mail addresses of sources who communicated with Cryptome, including a Wired.com contributor and e-mails purporting to be from Wikileaks insiders, Zetter reported.
Young didn’t deny that hackers gained access to his e-mail account and personal computer, but wouldn’t say whether or not such e-mail exchanges existed, noting that Zetter hadn’t shared the hacker screenshots with him. In a post on Tuesday, he called Wired.com “complicit” in the attacks for refusing to disclose the identity of the attackers. He claimed to know who was behind the attacks, which he noted were “federal crimes.”
He said he’s been contacted by intermediaries purporting to be in contact with the hackers, but hasn’t had any direct contact with them or been asked to pay to restore the data stolen from his account. He said he’s going to “take a wait and see approach” to dealing with anyone purporting to be involved in the attack.