The Australian Federal Police (AFP) has arrested a hacker claiming to be the leader of the Lulz Security (LulzSec) group, after he inadvertently alerted authorities to his presence during an attack.
The 24-year-old — an Australian national from Point Clare, Gosford — attracted suspicion to himself after attacking and defacing an Australian government website. The AFP has not released the name of the individual, but said his online handle was AusShock, and that he is known internationally by other law-enforcement agencies.
"He is a well-respected person within the Anonymous community, within LulzSec and that side of the house, but he has also worked in the IT professional field," AFP national coordinator for cybercrime operations Brad Marden told reporters at a media briefing at the AFP's NSW headquarters on Tuesday.
The AFP has stated that AusShock's employer was unaware of the attacks, and that it had cooperated with law enforcement when it was alerted. AusShock was consequently arrested at his workplace on Monday evening, and although the employer has not been named, it has been confirmed by the AFP to be a "local offshoot of an international company" that is in the IT security field.
As for how AusShock gained access to the government website, Marden said that the site had a known vulnerability, and that the exposure should have been mitigated by restricting remote access to the affected system.
"He took advantage of an exploit — a commonly known exploit — accessed the thing, and then put a backdoor in so he could gain further access to that website."
Remote access to the server has been closed.
An investigation is still ongoing, but Marden said that so far, there is no reason to believe that any personal or private information was exposed.
AusShock has been granted bail, and is set to appear in Woy Woy local court on May 15. He has been charged with three offences: two counts of unauthorised modification of data to cause impairment, and one count of unauthorised access to, or modification of, restricted data.
The maximum penalties for these offences are 10 years' and two years' imprisonment, respectively.
Although AusShock claims to be the leader of LulzSec, and the AFP noted that this claim has gone undisputed on several online hacking forums, Hector Xavier "Sabu" Monsegur is generally believed to be the group's founder and leader.
Sabu was arrested in June 2011, and became an informant for the FBI.
Other known LulzSec members Jake "Topiary" Davis, Ryan "Kayla" Ackroyd, Mustafa "Tflow" Al-Bassam, Darren "Pwnsauce" Martyn, Donncha "Palladium" O'Cearbhaill, and Jeremy "Anarchaos" Hammond have also been arrested.
Another man, Ryan Cleary, was arrested in connection with the group, and pleaded guilty to attacks on the Serious Organised Crime Agency and the CIA.
Content Security has confirmed to iTNews that it was the IT security firm that hired Aush0k, who has now been outed as Matthew Flannery.
Content Security provided support services to Tenable Network Security, so Flannery worked for Tenable only indirectly. Tenable itself has denied that Flannery is a current or former employee.
Content Security's clients include NSW Health, the Victorian Department of Human Services, and the Arab Bank Australia.
According to Flannery's LinkedIn profile, he had only been employed with Tenable/Content Security for three months.
While he has a professional profile that includes Cisco Certified Network Associate certification, a diploma and Certificate IV in Network Engineering, and previous experience as a network operation engineer and analyst, Flannery's online Aush0k persona is in stark contrast.
According to a post of his on the online gaming forum Got Games, he earned himself a mention on Encyclopedia Dramatica by seeding fake information into Google's search results via Pastebin, and he has garnered a reputation as an online troll.
Aush0k's name also appeared on the second defacement of the Massachusetts Institute of Technology (MIT) website earlier this year, and while Flannery has highlighted the attack on the GTeSports forum, it is not clear whether he was ultimately responsible for the defacement.
Content Security has now released a statement clarifying that Flannery no longer has access to its systems, and that it undertook the necessary background checks prior to his employment.
"Flannery was employed by Content Security to undertake low-level support on a help desk for a US company. We did thorough background checks during his employment, as we do for all our prospective employees. The US company then came out and gave him and the rest of the help desk team training. Up until yesterday, he was still on probation.
"Contrary to an earlier report, he has not been in the office today, and he will not be returning. He has no access to the building or IT systems."
A spokesperson for Content Security told ZDNet that he does not believe Flannery's employment has been terminated at this point in time.
Updated on Wednesday, April 24, 2013, at 3.46pm AEST: Added additional details identifying Flannery.
Updated on Wednesday, April 24, 2013, at 4.59pm AEST: Added statement from Content Security.