The U.S. is stepping up a search for participants in WikiLeaks-related cyber attacks on PayPal Inc. and other payment processors, raiding a Dallas company last month and coordinating a seizure of evidence with police in Germany, according to a request for a federal search warrant.
A Federal Bureau of Investigation raid of the Dallas computer server company Tailor Made Servers, which a person familiar with the case said occurred on Dec. 16, could provide investigators with information about the creators of chat rooms used by a group of WikiLeaks supporters that calls itself Anonymous. The group said it was behind more than two weeks of cyber attacks in December.
The chat rooms were used to issue instructions about how to download software that could flood the websites of payment processors with thousands of commands a second, slowing or even disabling them, according to an affidavit filed in Dallas federal court, which was briefly made public and posted on the Smoking Gun website because of a court error.
U.S. Attorney General Eric Holder told reporters last month that the Justice Department would investigate the attacks, launched by an informal global network of activists in retaliation for the decision by some companies to stop processing donations to WikiLeaks after it released thousands of confidential U.S. diplomatic cables.
The targets included EBay Inc.’s PayPal unit, MasterCard Inc., Visa Inc. and Moneybookers.com.
“We are looking into them,” Holder said on Dec. 9.
The attacks could be prosecuted as a conspiracy to cause damage to computer networks, a federal crime.
Seven days after Holder spoke, FBI agents raided the server company, which is located in a Dallas industrial park and uses one of eight Internet Protocol addresses globally that hosted the chat rooms, according to the affidavit in support of the search warrant.
Jose Quinones, a Tailor Made Servers employee, said by e-mail that the authorities asked him not to speak to the press about the raid. Special Agent Mark White, a spokesman for the FBI field office in Dallas, confirmed the raid but said he couldn’t provide details other than those in the affidavit.
Cyber security experts said the servers may contain detailed log information, including data that could lead investigators back to individual computers and their users.
“Those servers are likely to have logs showing certain events -- people setting up the server,” said Jose Nazario, a cyber security expert with Arbor Networks, based in Chelmsford, Massachusetts. “It gives you an indication of who the ring-leaders were.”
The route to those leaders runs through Germany and France, as well as Canada and U.S. states including California and Texas, a zigzag path that security experts say the cyber attackers may be using to hide their tracks.
Investigators with the German Federal Criminal Police traced one of the eight IP addresses to the German Internet service provider Host Europe, according to the affidavit. The German police executed their own search warrant, uncovering Host Europe business records that showed the server actually belonged to a resident of Herrlisheim, France, the FBI said.
From there, investigators tracked commands being issued to the French server from one hosted by Tailor Made Servers, the affidavit said. On its website, Tailor Made Servers said it offers server space to various clients with the motto “we put a lot of passion into building the best servers possible.”
“The multiple layers add to the difficulty,” Nazario said.
While it’s difficult for investigators to find the culprits behind so-called denial of service attacks, security experts say the assault by Anonymous could be an exception. To enlist thousands of volunteers to lend their personal computers to the attack, nicknamed “Operation Payback,” organizers were forced to discuss logistics and plans in open web forums.
Participants were given instructions on how to download the software, known as Low Orbit Ion Cannon, which is able to barrage target websites with commands meant to disable them. Activists in the U.S. and Europe were given websites to target and told when to activate the software through Twitter accounts associated with Anonymous, with simple messages like “fire now.”
“Users discussed their opinions on ‘Operation Payback,’ obtained technical support on how to install and use the LOIC program, and voted for which websites should be the next target,” the affidavit said.
Security experts who have tracked Anonymous and its roots say the group spans the U.S., Western Europe and Japan and is generally made up of middle- and upper-class teenagers, most of them male.
The leaders number fewer than two dozen, according to one security expert, who has studied its members closely and asked for anonymity because he said the group is known to retaliate against critics or perceived enemies.
Clues to Leaders
Nazario said that computer servers may provide clues not just to the group’s leaders, but also to thousands of people in the U.S. and elsewhere who participated in the cyber attacks by using Low Orbit Ion Cannon software.
Dutch police in December said they arrested a 16-year-old who is suspected of being involved in the attack. It’s unclear whether U.S. authorities will charge low-level participants as opposed to key organizers, Nazario said.
“That may be a lot of overhead for very little gain,” he said.