Prepare to be Thunderstruck: What if 'deuszu' ISN'T the Ashley Madison hacker?
Attribution is harder than a taste in music
Security researcher Brian Krebs last week named whoever is behind the Twitter account deuszu as likely having had a hand in the Ashley Madison hack. But has Krebs named the right entity?
Attribution isn't that easy, and Krebs has gone out on a limb.
Take, for example, Krebs' belief that a fondness for the AC/DC tune Thunderstruck links deuszu to the Ashley Madison attack in July.
A screen-cap posted by Krebs, sourced from deuszu's Twitter account, shows a 2012 tweet referencing AC/DC's Thunderstruck: the tweet shows a defaced security website playing a video of the hard-rock hit.
On August 19, 2015, deuszu tweeted a screen-cap showing a browser tab open and playing AC/DC's Thunderstruck. And in 2015 the Ashley Madison hackers made the company's work computers play Thunderstruck as well.
The image below shows deuszu's tweet from August 4, 2012. Does it indicate guilt in the Ashley Madison hack? Or is there something else tying deuszu, Thunderstruck, and later events together?
To form a counter-argument, consider what else was grabbing global attention in late July 2012.
Iranian nuke plants rocked in midnight "heavy metal blast": a tale of something odd going on in Iran emerged in late July of that year, with reports that computers at Iranian nuclear facilities had been made to blast Thunderstruck in the middle of the night.
It's not much of a stretch to think that in early August 2012, deuszu might have been listening to Thunderstruck, given his interest in infosec news and the amount of media coverage mentioning the song at the time.
Even deuszu's later use of the tune in defacements he tweeted looks like simple imitation of what had reportedly happened in Iran.
A report that the Impact Team hackers made Ashley Madison employees' computers play AC/DC's Thunderstruck in 2015, plus a screenshot showing deuszu once listened to the same song in 2012, is hardly forensic proof that deuszu was responsible for the Ashley Madison hack. A shared taste in a song that was itself an infosec in-joke at the time is weak signal at best.
Who knew what, first?
The second point that bothers me is the attribution of this hack to deuszu based on a belief that Twitter provides the best, or only, timeline for the hack.
Krebs' assertion that the Twitter account deuszu appears "to be closely connected" to the Ashley Madison hack appears to rest on this tweet:
Krebs wrote that deuszu's tweet on 19 July 2015 (containing a link to hacked Ashley Madison data) "startled" him, because he "... couldn't find any other sites online that were actually linking to that source code cache."
Yet the news was already spreading on the Full Disclosure mailing list:
Thadeus Zu may well have been the first to post about it on Twitter on 17 July (without linking to the dumps), but frankly, tweeting about a breaking story that had already been announced online for more than 48 hours is a pretty crummy indicator of guilt in perpetrating the original hack. Being early on one platform says nothing about being first overall.
Impact Team publicly announced the hack on 15 July 2015, two whole days before deuszu first tweeted about the breach on 17 July. If anything is strange, it's that nobody tweeted about the hack sooner.
Where in the world is deuszu?
Evidence about Zu's location, based on his tweet-stream, is also equivocal.
Krebs has made a number of claims about Thadeus Zu's potential location, based on open source intelligence (OSINT) gathered from Facebook and Twitter.
"Zu's Facebook profile wants visitors to think he lives in Hawaii," Krebs wrote, basing his claim on stock photos and a time zone posted by Zu.
Yet evidence that Zu actually lives in Hawaii is scant, as Krebs himself noted: it's limited to time zone information and tags from other people. Time zone settings are trivial to change, and profile details are trivial to fake, so neither is a reliable location indicator on its own.
One of Zu's Twitter accounts follows Australian news and political accounts (as Krebs spotted), but it's also worth noting that Zu is a member of a number of Facebook groups with links to Italy and Australia, and that ThadeusZu has previously posted links mentioning Brisbane, Australia.
Over the past few days, Krebs' article has kicked off a Twitter spat with Zu, and the researcher's claims have been widely reported.
But there are two particular details that are just as indicative of Zu's identity and associations as Krebs' observations:
- The website linked on ThadeusZu’s Twitter account profile points at nsa.gov; and
- One of the small number of ThadeusZu's followers includes the Twitter account ArmyCIOG6 – the official Twitter account for the US Army's Chief Information Officer/G-6 news.
It would be just as easy (although outrageously conspiratorial) to paint Zu as an Army psy-ops, COINTELPRO-style Twitter account: part human-operated, part bot script, scraping and scanning social media and trying to gather intel by tweeting tantalising snippets in near-gibberish tweet-speak, while perpetrating small defacements on a regular basis to appear legitimate to other hackers. An intelligence-funded Twitter account that jumped the gun and tweeted a link about a hack it was tracking just a little too early, gaining international media interest in the process.
Of course, such claims are utterly unfounded (for now), but Krebs' theories about deuszu and the Ashley Madison hack are little stronger. The same circumstantial links support either story equally well. For all we know, Zu may be a dog on the internet.
Zu's potential involvement in previous website defacements seems like a fairly low-value target for a prosecutor to chase.
Although linking to dumped data has landed others in jail before, there is little evidence in the public realm that Zu is behind the Ashley Madison hack.
Of course, the Ashley Madison hack has generated huge public interest, fuelled by a $500,000 reward offered by Avid Life Media for information leading to the prosecution of the hackers.
And Zu is unlikely to mount any legal challenge, since that would expose his identity, and his numerous screen-caps over the years of various website defacements would certainly attract unwanted attention from law enforcement.
Zu looks like an easy target – but probably the wrong one. ®
Editor's note: This article was updated after publication to switch the first screenshot to the correct one.