A second member of the LulzSec hacking collective has been arrested by US authorities in connection with attacks on Sony Pictures Europe
US police have arrested Raynaldo Rivera, 20, an alleged member of the hacking group LulzSec, on charges that he took part in an extensive breach of the computer systems belonging to Sony Pictures Europe.
Rivera, of Tempe, Arizona – who allegedly used the online nicknames of “neuron”, “royal” and “wildciv” – surrendered to police in Phoenix six days after a federal grand jury in Los Angeles produced an indictment charging him with conspiracy and unauthorised impairment of a protected computer. If convicted, he could face 15 years in prison.
The indictment, which was unsealed on Tuesday, accuses Rivera and co-conspirators of stealing information from Sony Pictures Europe’s computer systems in May and June 2011 using an SQL injection attack – which exploits flaws in the handing of data input for databases to take control of a system – against the studio’s website.
SQL injection, or SQLi, is an increasingly common technique used by hackers to break into systems.
The indictment says Rivera then helped to post the confidential information onto LulzSec’s website and announced the intrusion via the hacking group’s Twitter account.
While Rivera was the only person named in the indictment, the FBI said his co-conspirators included Cody Kretsinger, 24, a confessed LulzSec member who pleaded guilty in April to charges stemming from his role in the Sony attack.
Yet the indictment and the arrest still leaves open one of the most puzzling questions left by the hacking spree seen in the first half of 2011, when the hacking collective Anonymous – and LulzSec, which grew out of it, were coming to public attention.
That is the question of who hacked into Sony’s PlayStation Network (PSN) system in April.
The attack, which may have leaked credit card details for millions of users, has never been traced to any group – although Sony suggested not long afterwards that Anonymous might have been involved.
Since then it has given no further details about who it suspects of carrying out the attack, and no data from the attack has ever been posted publicly.
By contrast the Sony Pictures Europe hack of which Rivera is accused saw the data leaked on 2 June, and LulzSec’s activities are generally reckoned to have begun on 30 May with the posting of a fake story about Tupac Shakur to the PBS website.
Following the Sony Pictures Europe breach, LulzSec published the names, birth dates, addresses, emails, phone numbers and passwords of thousands of people who had entered contests promoted by Sony, and publicly boasted of its exploits.
“From a single injection we accessed EVERYTHING,” the hackers said in a statement at the time. “Why do you put such faith in a company that allows itself to become open to these simple attacks?”
Authorities have said the Sony breach ultimately cost the company more than $600,000 (£378,000).
LulzSec, an underground group also known as Lulz Security, is an offshoot of the international hacking collective Anonymous and took credit for attacks on a number of government and private sector websites, including the UK’s Serious Organised Crime Agency, the US Congressional website, and the Sun and News International sites.
The latest indictment says Rivera is suspected of using a proxy server in a bid to conceal his IP address to avoid detection.
Court documents revealed in March that a former Anonymous member known as Sabu, whose real name is Hector Xavier Monsegur, had pleaded guilty to hacking-related charges and had been providing information on his cohorts to the FBI since June 2011, after he was identified as he logged into a public bulletin board from his home address.
That same month, five other suspected leaders of Anonymous, all them alleged to be LulzSec members as well, were charged by US authorities with computer hacking and other offences.
A number of arrests followed in the UK, where six people have been charged with various offences linked to LulzSec’s activities.
An accused British hacker, Ryan Cleary, 20, was indicted by a US grand jury in June on charges related to LulzSec attacks on several media companies, including Sony Pictures.
Kretsinger, who pleaded guilty to the same two charges now facing Rivera, is due to be sentenced on 25 October. A prosecutor said he was likely to receive substantially less than the 15-year maximum prison term carried by those offenses.
Monsegur, 28, a Puerto Rican living in New York, has pleaded guilty to 12 charges, including three of conspiracy to hack into computers, five of hacking, one of hacking for fraudulent purposes, one of conspiracy to commit bank fraud, and one of aggravated identity theft.
Those charges would attract a total of 124 years’ jail, but it is thought he has arranged a plea bargain with the US government. Monsegur received a six-month reprieve from sentencing earlier in August in light of his cooperation with the government.
Anonymous and its offshoots focused initially on fighting attempts at internet regulation and the blocking of free illegal downloads but have since taken aim at the Church of Scientology, global banking and other targets.
Anonymous, and LulzSec in particular, became notorious in late 2010 when they launched what they called the first cyberwar in retaliation for attempts to shut down WikiLeaks.
The rise of LulzSec saw a burst of similar “crews” aiming to hack sites, but since then Anonymous has focussed on providing an outlet for documents released by WikiLeaks.