A federal jury in Newark today convicted the mastermind who, with another man, hacked into AT&T’s computer servers and stole information from 120,000 iPad subscribers, including “the most exclusive list on the planet,” and then disclosing the information online.
Andrew Auernheimer, 27, told CNET that his accomplice, Daniel Spitler, “used this AT&T security maintenance app” to hack into AT&T, showing servers how vulnerable they were. “It was part of the normal user experience that tipped him off to something that would allow him to scrape this data.”
The total monetary loss was about $30,000, which Spitler has agreed to repay under a plea deal with the government. His sentencing had been postponed pending the outcome of the trial against Auernheimer.
“I hack, I ruin, I make piles of money. I make people afraid for their lives,” Auernheimer — known as “Weev” — once boasted.
He also accused Assistant U.S. Attorney Lee Vartan, then the lead federal prosecutor in the case, of conducting a “smear campaign” against him. In an open letter, he predicted that Vartan “may be required to resign” as a result of the investigation.
“[U]ltimately, you will be held accountable to the people for your actions,” Auernheimer wrote, adding that he believed the government was prepared to “engage in the manufacture of evidence” to prosecute him.
FBI investigators said all of the evidence was produced by both men. This included videos posted by Auernheimer urging people to arm themselves with “lots of” guns and saying, “Jesus wasn’t a kike.”
All told, the hackers reportedly swiped email addresses for members of several branches of the military, NASA, the FCC, the Senate, the House of Representatives, the Department of Justice, the Department of Homeland Security and the National Institute of Health, as well as for executives from The New York Times Company, Dow Jones, Condé Nast, Viacom, Time Warner, News Corporation, HBO, Hearst as well as others from Google, Amazon, AOL, Microsoft, Goldman Sachs, JP Morgan, Citigroup and Morgan Stanley.
Also on the list were Diane Sawyer, Harvey Weinstein, Mayor Michael Bloomberg, and former White House Chief of Staff Rahm Emanuel.
The duo even posted a video that shows how they did it:
Because he was “very public concerning his hacking and trolling activities, giving interviews to The New York Times, as well as other publications,” said FBI agent Christian Schorte, Auernheimer clearly “was not working for the public interest.”
An “Account Slurper” created by Spitler for what the duo called “Goatse Security” attacked AT&T’s servers for several days in early June 2010, with the purpose of harvesting as many email addresses as possible from Apple iPad users who accessed the Internet through the 3G network, Schorte wrote in an application for a warrant to search Auernheimer’s Fayetteville home.
The slurper, he said, “was designed to mimic the behavior of an iPad 3G so that AT&T servers would falsely believe that the servers were communicating with an actual iPad 3G.”
During the “brute force” attack, the slurper cycled through different possible account numbers until it hit on genuine AT&T accounts, then stole the email addresses and other information, the agent added.
Auernheimer and Spitler, 27, of San Francisco, then gave the information to the gossip website gawker.com.
Gawker, in turn, published an article “Breach Details: Who Did It and How,” in which it said the breach “exposed the most exclusive email list on the planet.”
FBI agents said Auernheimer even emailed a members of News Corp’s Board of Directors, saying, “Your iPad’s unique network identifier was pulled straight out of AT&T’s database.”
Auernheimer also claimed he trolled Amazon.com and caused a “one billion dollar change in their market capitalization.”
According to the FBI, Auernheimer also told The New York Times he had collected hundreds of Social Security numbers — and, as proof, sent the number of the author of the story.
FBI agents identified Auernheimer as the author of the emails thanks to, of all people, his parents.
Spitler and Auernheimer exchanged instant messages in which they discussed conducting the breach to simultaneously damage AT&T and promote themselves, the evidence showed. They also chatted about destroying evidence linking them to the crime, federal prosecutors said.
Fishman credited special agents of the FBI’s Newark Cyber Crimes Task Force, as well as the forensic examiners of the New Jersey Regional Computer Forensics Laboratory and the New Jersey Division of Criminal Justice.
He also thanked special agents of the FBI’s Little Rock, Arkansas Divison, Fayetteville Resident Agency; and the San Francsiso Division; as well as the U.S. Attorney’s Office for the Western District of Arkansas.
“It’s important to note that it wasn’t just the hacking itself that was criminal, but what could potentially occur utilizing the pilfered information,” said Michael B. Ward, Special Agent In Charge of the FBI’s Newark Division. “Because of the popularity and widespread use of the new and emerging technology of the iPad and devices like it, it was absolutely critical that emerging threats to it were addressed promptly and aggressively.”
Prosecuting for the government was Executive Assistant U.S. Attorney Michael Martinez and Assistant U.S. Attorney Zach Intrater of the Computer Hacking and Intellectual Property Section of the U.S. Attorney’s Office Economic Crimes Unit.