Hector Monsegur (formerly sabu of Lulzsec) has responded to my analysis of the Wikileaks Global Intelligence Files

Some time ago I wrote two blog posts about my discovery about a series of malware-infected files within a torrent being circulated by global whistleblower organization Wikileaks.

The torrent file was one of the latest versions of what Wikileaks has named the "Global Intelligence Files" - a large cache of documents obtained from the email spool of a government contractor known as Stratfor.

Since my discovery I have made several attempts to contact Wikileaks:

@wikileaks sorry to contact here but no other means Ive identified sec issues with most recent torrent here: https://t.co/oeBLtLgDeb

— Josh Wieder (@JoshWieder) May 3, 2015

@wikileaks I have some very basic info here http://t.co/cvjY4xWuIr and here: http://t.co/74Xbmxjmy7 can provide more as needed

— Josh Wieder (@JoshWieder) May 3, 2015

In addition to Twitter I have attempted to email just about every address I could find on their site (none of them work), as well as attempting to use the chat function mentioned on the Wikileaks Twitter feed. I have been unable to receive a response. Users must be notified when a file transfer contains malware; particularly given the sensitive nature of the documents in question.

This afternoon I received a series of comments on Twitter from former Lulzsec member Hector Monsegur. In his comments, Monsegur denies instigating the attack that lead to the release of the Stratfor files while confirming the danger of the malware contained in the files I identified:

@JoshWieder Nice read but I didnt instigate the attack. A lot of those big dumps at the time (Italian Cybercrime hack) had malware within.

— Hector X. Monsegur (@hxmonsegur) July 13, 2015

@JoshWieder @wikileaks You are correct. Nosediving into these kind of dumps without an understanding of risk will lead to compromise.

— Hector X. Monsegur (@hxmonsegur) July 13, 2015

@JoshWieder An attackers assumption would be that media and LEAs will click around files looking for info. What better way to get new vics

— Hector X. Monsegur (@hxmonsegur) July 13, 2015

Hector Monsegur during an interview with CBS

I responded to Hector's comments by thanking him for his input, putting forth my own theory that the malware contained in the document dumps is typical of snowshoe-spam malware infiltration techniques and reiterated the importance of Wikileaks notifying users of the danger of downloading malware contained in the torrent in question:

@hxmonsegur Thanks for reply. I tend to agree w/ your assessment. It looks like these guys ran a mailserver w/out clamav or similar

— Josh Wieder (@JoshWieder) July 13, 2015

@hxmonsegur So all of the typical spammer garbage got delivered & stored. At this point my main frustration is that the files are being

— Josh Wieder (@JoshWieder) July 13, 2015

@hxmonsegur circulated by @wikileaks w/out warning users of malware within despite multiple attempts to contact them

— Josh Wieder (@JoshWieder) July 13, 2015

As of this writing (3PM @ 7-13-2015) Wikileaks continues to provide a torrent file with an identical timestamp, filename and byte size as the one I analyzed without any warning message notifying users of the danger of handling the files.

To return to the first post in our series on the Wikileaks / Strafor email malware click here.

If you are looking for the second post, where we look briefly inside one of the executables click here.

And here is a link to the next post in my Wikileaks / Strafor email malware series, where I demonstrate how the malware is available file by file on the Wikileaks.Org website, and not just within the torrent as I originally suspected.