Incident & Breach Response , Managed Detection & Response (MDR) , Security Operations
Will Xbox Hacker Sentence Deter Others?In a First, A Foreigner Gets Sentenced in Trade Secret Theft
For the first time, a foreigner has been convicted and sentenced in a U.S. court for hack attacks that resulted in the theft of U.S. intellectual property.
See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources
Prosecutors say the case is meant to serve as a warning to foreign hackers. But one legal observer questions whether the conviction and sentencing would deter any other young hackers, much less organized crime syndicates.
David Pokora (a.k.a. Xenomega), 22, of Mississauga, Ontario, Canada, was sentenced on April 23 to 18 months in prison after he pleaded guilty to participating in a hacking ring that successfully stole data from a variety of gaming-related businesses. Among his thefts: pre-release technical details relating to Microsoft's Xbox One gaming system (see Third Microsoft Hacker Pleads Guilty).
Pokora had pleaded guilty to conspiracy to commit computer intrusions and criminal copyright infringement as part of a hacking campaign that targeted a number of organizations, including the U.S. Army, Microsoft, as well as game-makers Activision/Blizzard, Epic, Valve and Zombie Studios. By using the stolen information, the group was able to build and sell an Xbox One gaming system before it was publicly released in November 2013, prosecutors say. As part of his plea deal, the government dropped an additional 15 charges it had filed against Pokora.
Seeking Strong Sentence
Prosecutors had requested a two-year prison sentence for Pakora, saying that a strong sentence was needed "to promote international respect for U.S. law" as well as "to punish and deter international cybercriminals," who often operate beyond the reach of U.S. law, according to a court document filed by the Department of Justice.
But attorney Mark Rasch, a former U.S. Department of Justice official who created its computer crime unit, tells Information Security Media Group that it's unlikely that the prison sentence imposed on a young Canadian would have a meaningful deterrence effect, especially when it comes to overseas organized cybercrime syndicates, for example, those operating from Eastern Europe.
"Criminal law and enforcement changes behavior, but it doesn't necessarily deter crime. It tends to push people underground, increase the cost of doing what they do, and you catch mostly the dumber or less sophisticated people, or those who make mistakes - what we used to call criminal Darwinism," Rasch says.
SQL Injection, Credential Harvesting
In the case involving Pokora, members of the hacking team, known as the XU Group, used relatively simple "hacking" techniques - including harvesting valid usernames and passwords from targeted firms and using SQL injection attacks - to steal "unreleased software, software source code, trade secrets,and other confidential and proprietary information," in part by infiltrating businesses' virtual private networks and software development networks, court documents say.
Pokora's attorney, Solomon L. Wisenberg, had asked U.S. District Judge Gregory M. Sleet to sentence Pokora to the time he'd already served since his March 2014 arrest, and argued that the value of the data he'd compromised amounted to only $50,000, according to court documents.
But U.S. prosecutors, in a sentencing memorandum, argued that their "extremely conservative" estimate of the value of the compromised data was at least $100 million. They also noted that Pokora "is the first foreign hacker convicted in this country of crimes involving the theft of trade secrets," and argued that under federal sentencing guidelines, up to five years of jail time could be imposed.
Rasch says the wildly diverging estimates of the value of the stolen data demonstrates the difficulty that every organization faces when it attempts to place a value on intellectual property, for example, for cyberinsurance purposes. "If I steal a truckload of money, I have a lot of money, and the truck, and the guy who owns it doesn't," he says. "When I steal intellectual property, I have it, but so does the guy who still owns it. So a lot of [the potential damage] has to do with why I stole it and what I do with it."
Targeting Foreign Hackers
To bolster its sentencing request, the government included an excerpt from an audio call - which had been sealed by the court - in which Pokora told other members of XU Group that he wasn't worried about being extradited to the United States, saying that so long as he remained in Canada, even if he was caught, the sentence would be relatively light. "The Canadian government would probably be a lot cooler than the U.S. government," he said. "They're not going to want to put me in a really harsh U.S. federal prison where I get raped by some murderer."
Pokora was arrested in March 2014, when attempting to cross the U.S.-Canada border at Lewiston, N.Y.
Sleet's 18-month sentence was middle ground between the requests filed by prosecutors and the defendant's attorney, and the judge said his decision was based on the precise details of this case. But many of those details were sealed at the government's request, and related information was likewise redacted from Sleet's sentencing judgment.
The lead prosecutor in the case, Assistant U.S. Attorney Edward McAndrew, didn't immediately respond to a request for comment about why the government had requested that some records relating to the case be sealed. A spokeswoman for his office wasn't able to provide full details, but said the sealing of information might be due to the ongoing cases involving other members of the XU Group.
Pokora, a former University of Toronto computer science student, told the court that he regretted participating in the hacking spree and also understood the magnitude of his crimes. "I hurt a lot of people, including the companies that I valued and looked up to," Pokora said, according to Delaware Online. "They work really hard on innovating, and they don't deserve to have their hard work [stolen] like that."
The FBI launched a related investigation in 2011 after officials were tipped off to the hack attacks by a confidential informant (see Hackers Exploit U.S. Army, Microsoft).
XU Group: More Guilty Pleas
Three other members of the XU Group who have been charged by the U.S. government have pleaded guilty to a related conspiracy charge. They include Nathan Leroux, 20, of Bowie, Md., and Sanadodeh Nesheiwat (a.k.a. rampuptechie, Soniciso), 28, of Washington, N.J. Both are due to be sentenced in the coming weeks.
Earlier this month, Austin Alcala, 19, of McCordsville, Ind., pleaded guilty to related charges. Alcala is due to be sentenced on July 29. "Alcala admitted in court that he was personally involved in hacking into and stealing log-in credentials and intellectual property from victim companies including Microsoft and Zombie Studios," the Department of Justice said in a statement. "Alcala further admitted that, on one occasion, he transmitted to co-conspirators a database file containing approximately 11,266 log-in credentials stolen from a victim company."
According to court documents, a fifth member of the group - an Australian teenager identified in court documents only as "D.W." - claimed to have hacked into not just gaming companies, but also "the U.S. military," "the Australian Department of Defense," and "every single big company," including "Intel, AMD, Nvidia, any game company you can name, Google, Microsoft, Disney, Warner Brothers."
After the Australian teenager's residence was searched by Western Australia Police, he threatened to release "1.7 terabytes of intellectual property from victim companies online if law enforcement agents pursued their investigation of him," according to U.S. court documents. D.W. was reportedly later charged in Australian children's court with a variety of crimes.