The bug they claimed to have used isn't the current Java 0day, but a previous 0day. That Java 0day was being actively exploited in March 2012, as described in this MS TechNet article on CVE-2012-0507. The hackers claimed to have done this hack "during the second week of March 2012", which fits this timeline.
This was soon after the February 3 2012 release of an intercepted FBI conference call. This was a conference call of about 40 law enforcement agents from various parts of the world. Hackers were able to listen into the conference call because they somehow were able to intercept the e-mail message sent to all the agents listing the time and code to get in.
This e-mail was also published. That e-mail was sent directly to all 40 agents in the "To:" field (rather than "Bcc:"), which means their e-mail addresses were all exposed. That means every hacker on the Internet now has a list of the 40 officers in charge of hunting down LulzSec. The e-mail address of Chris Stangl (the guy whose notebook was hacked) is among those 40.
The obvious attack is for hackers to is to phish all 40 of those e-mail addresses. The phishing message would appear to come from the same sender, and simply point to a website hosting a Java app with that exploit. It might look like:
From: "Lauster, Timothy F. Jr."<Timothy.Lauster@ic.fbi.gov> Subject: Interception of Anon/Lulz Conference Call All, Our conference call of January 27 was intercepted by hackers associated with LulzSec. An audio recording was posted to the Internet. More details can be found here: http://totallyinnocent.com/no-java-exploit-here-at-all.html Please contact me if you have any questions. Regards, Tim SSA Timothy F. Lauster, Jr. Federal Bureau of Investigation 202-651-3211 (w) 202-651-3193 (f)Where the URL would consist of some innocent looking site, but which would in fact host an evil page hosting a Java 0day. I'd guess that hackers got about 20% of those on the original list (or 8 out of 40).
The hackers can repeat this for every new 0day. For example, when the Metasploit module was released last week with yet another Java 0day, they could've phished that list of 40 agents yet again. Frankly, the FBI should consider all those e-mails burned. They should just assign the agents new addresses, then point the old ones to a special server that scrapes them for phishing 0day, to be notified every time hackers come up with new techniques.
One thing I'm trying to point out here is that hackers aren't necessarily smart, but operate from a set of well-known principles. If I have an e-mail list of victims, and a new 0day appears, I'm immediately going to phish with it. It's not Chinese uber APT hackers, it's just monkeys mindlessly following a script.
Or, it could've worked the other way around. Maybe that's how they intercepted that e-mail to be begin with, having used the Java 0day against Stangl's notebook computer. My point here is only that if I were a hacker who was a fan of LulzSec/Anonymous, and somebody dumped that list of FBI agents hunting LulzSec, I would certainly phish it at every opportunity.
Since that original e-mail list is all over the Internet, and the addresses should all be changed anyway, I'm reproducing it here for reference:
MIME-Version: 1.0 acceptlanguage: en-US Accept-Language: en-US Content-class: urn:content-classes:message Subject: Anon-Lulz International Coordination Call Date: Fri, 13 Jan 2012 19:21:49 -0000 X-MS-Has-Attach:X-MS-TNEF-Correlator:thread-topic: Anon-Lulz International Coordination Call From: "Lauster, Timothy F. Jr."<Timothy.Lauster@ic.fbi.gov> To: "Reichard, Gerald A." <Gerald.Reichard@ic.fbi.gov>, <firstname.lastname@example.org>, <Raymond.Massie@met.police.uk>, <email@example.com>, <Stewart.Garrick@met.police.uk>, "Gillen, Paul G" <firstname.lastname@example.org>, "Gallagher, Colm" <email@example.com>, <firstname.lastname@example.org>,<Gea@nhtcu.nl>, <email@example.com>, <firstname.lastname@example.org>, <email@example.com>, <firstname.lastname@example.org>, <email@example.com>, <firstname.lastname@example.org>, <email@example.com>, <firstname.lastname@example.org>, <Jaap.Oss@europol.europa.eu>, <email@example.com>, "Helman, Bruce C. Jr." <Bruce.Helman@ic.fbi.gov>, "Sporre, Eric W." <Eric.Sporre@ic.fbi.gov>, "Buckler, Lesley" <Lesley.Buckler@ic.fbi.gov>, "Geeslin, Robert C." <Robert.Geeslin@ic.fbi.gov>, "Plunkett, William R." <William.Plunkett@ic.fbi.gov>, "Roberts, Stewart B." <Stewart.Roberts@ic.fbi.gov>, "Brassanini, David" <David.Brassanini@ic.fbi.gov>, "Stangl, Christopher K."<Christopher.Stangl@ic.fbi.gov>, "Patel, Milan" <Milan.Patel@ic.fbi.gov>, "Ng, William T." <William.Ng@ic.fbi.gov>, "Adams, Melanie" <Melanie.Adams@ic.fbi.gov>, "Culp, Mark A." <Mark.Culp@ic.fbi.gov>, "Arico, Nicholas J." <Nicholas.Arico@ic.fbi.gov>, "Tabatabaian, Ramyar" <Ramyar.Tabatabaian@ic.fbi.gov>, "Penalosa, Jensen" <Jensen.Penalosa@ic.fbi.gov>, "Bales, Will" <Will.Bales@ic.fbi.gov>, "Burton, Kevin C." <Kevin.Burton@ic.fbi.gov>, "Nail, Michael A." <Michael.Nail@ic.fbi.gov>, "Grasso, Thomas X." <Thomas.Grasso@ic.fbi.gov>, "Thomas, Christopher T." <Christopher.Thomas@ic.fbi.gov>, "Caruthers, John" <John.Caruthers@ic.fbi.gov>, "Phoenix, Conor I." <Conor.Phoenix@ic.fbi.gov>, "Hunt, Chad R." <Chad.Hunt@ic.fbi.gov>, "Willett, Bryan G." <Bryan.Willett@ic.fbi.gov>, "Patrick, Kory D." <Kory.Patrick@ic.fbi.gov> All, A conference call is planned for next Tuesday (January 17, 2012) to discuss the on-going investigations related to Anonymous, Lulzsec, Antisec, and other associated splinter groups. The conference call was moved to Tuesday due to a US holiday on Monday. Date: Tuesday, January 17, 2012 Time: 4:00 PM GMT BridgeTN: 202-393-2430 Access Code: 6513211# Please contact me if you have any questions. Regards, Tim SSA Timothy F. Lauster, Jr. Federal Bureau of Investigation 202-651-3211 (w) 202-651-3193 (f)
explanation of UDID
finding your UDID
FBI denies it was their laptop