DESCRIPTION
FBI documents released via a FOIA request regarding the 2012 "Hacking Incident" of Lake County Sheriff's Office LCSO.org allegedly by Anti-Sec/Anonymous Romania. The pastehtml of this hack is still active at http://pastehtml.com/view/bw7zekmcd.html
FEDERAL BUREAU OF INVESTIGATION
FOI/PA
DELETED PAGE INFORMATION SHEET
FOI/PA# 1272054-0
Total Deleted Page(s) 8
Page 21 - b6; b7C; b7D;
Page 22 - b6; b7C; b7D;
Page 23 - b6; b7C; b7D;
Page 26 - b6; b7C; b7D;
Page 27 - b6; b7C; b7D;
Page 38 - b6; b7C; b7E;
Page 39 - b6; b7C; b7E;
Page 40 - b6; b7C; b7E;
Deleted Page(s) - No Duplication Fee For this Page
b6b7C
UNCLASSIFIED
of LCSO was interviewed on 4/23/2012 about a potential intrusion into the LCSO network. [redacted] stated that he had been contacted by an FBI Agent out of San Antonio (SA) and told of a possible computer intrusion back in January of 2012. [redacted] stated that he attempted multiple times to reach back out to FBI SA with negative results.
[redacted] stated that he believed that the intrusion attempt was un-successful and provided logs and data. Writer and SA [redacted] advised [redacted] to look again for the possible intrusion by checking server logs and legitimate user accounts for unusual activity and gave him an overview of criminal hacking procedures and techniques. [redacted] called Writer back on 4/23/2012 after the meeting to report that he had found a user account that was being accessed for illegitimate purposes and was going to continue the investigation.
b6 b7C
Details: On 4/23/2012 SA [redacted] and SA [redacted] of FBI JK met with [redacted] at [redacted] Florida 32778 to discuss information that was passed from FBI HQ on 4/21/2012 to SA [redacted] about a possible computer intrusion by [redacted] into the LCSO network.
Title: UNSUB (S); LAKE COUNTY SHERIFF'S OFFICE - VICTIM
Synopsis: To open case and document meeting with county Sheriff's Office (LCSO).
b7E
Drafted
Approved By:
Case ID
b6b7C
To: Jacksonville
Date: 04/24/2012
Precedence: ROUTINE
FEDERAL BUREAU OF INVESTIGATION
UNCLASSIFIED
From: Jacksonville
Contact: SA [redacted]
(Rev. 05-01-2008)
b7Db6 Ib7C
b6b7C
b6b7C
FBI ALAT Bucharest provided the following:
LCSO,LCSO,LCSO,LCSO,LCSO,LCSO,LCSO,LCSO,LCSO,LCSO,LCSO,LCSO,LCSO,LCSO,LCSO,LCSO,LCSO,LCSO,LCSO,LCSO,LCSO,LCSO,
Table name: SO TBL USERACCESS
Data:
FBI SA provided the following:
Writer reached out to Cyd HQ, Bucharest ALAT [redacted], and FBI SA on 4/23/2012 to coordinate the investigation and collect information pertaining to the possible intrusion at LCSO. The following is the details of the information that was provided:
To: Jacksonville From: Jacksonville
Re: 288A-JK-NEW, 04/24/2012
b7Db6 Ib7C
b6b7C
b7D
b6b7Cb7D
Based on the above information Writer requests the above case be opened and assigned to SA [redacted] and Co-Case SA [redacted].
ALAT Bucharest advised that [redacted]
[please note, some of the above may be misspelled]
FD-340a (Rev. 1-27-03)
(Title)
(File No.) [handwritten, illegible]
Columns: Item; Date Filed; To be returned (Yes / No); Disposition
b6 b7C
Description: Original notes re interview of
Reference: (Communication Enclosing Material)
Federal Taxpayer Information (FTI): Yes / No [check marks illegible]
Grand Jury Material - Disseminate Only Pursuant to Rule 6 (e) Federal Rules of Criminal Procedure: Yes / No
Receipt Given: Yes / No
To Be Returned: Yes / No
By SA [redacted]
(City and State)
(Address)
From (Name of Contributor/Interviewee)
Date Received
Field Office Acquiring Evidence
Serial # of Originating Document
b6b7C
Description: Original notes re interview of
Reference: (Communication Enclosing Material)
To Be Returned: Yes / No [check marks illegible]
Receipt Given: Yes / No
Grand Jury Material - Disseminate Only Pursuant to Rule 6 (e) Federal Rules of Criminal Procedure: Yes / No
Federal Taxpayer Information (FTI): Yes / No
By SA [redacted]
(City and State)
(Address) [handwritten, illegible]
Serial # of Originating Document
Date Received [handwritten, illegible]
From: LCSO (Name of Contributor/Interviewee)
FD-340 (Rev. 4-11-03)
File Number: 288A-JK-53354 [handwritten]
Field Office Acquiring Evidence: [handwritten, illegible]
CART Service Request Confirmation - 1A Material (Printed on 04/27/2012)
Your Exam service request has been entered into the system and is pending review by the JK office. A representative from the JK office will contact you shortly regarding the status of your request with further information and instructions.
Service Request ID: 44687
Request Type: Exam
Request Date: 04/27/2012
Request Priority: 2 (Priority)
Requested Completion Date: 05/02/2012
Investigative Request? Yes
UCFN: 288A - JK - 53354
Case Agent/Investigator: [redacted]
Case Agent/Investigator Field Office: JK
Case Agent/Investigator Supervisor: [redacted]
Case Title: UNSUB (S); LAKE COUNTY SHERIFF'S OFFICE - VICTIM
Case Synopsis: [redacted]
Submitting Agency: FBI JK
Agency Case/File Number:
Contact Information: 6061 Gate Parkway, Jacksonville, FL 32256
Assign Request To: JK
Evidence to be Examined: 1 External HDD containing backups and images of three (3) virtual servers and logs.
Request Description: Copy HDD
Legal Authority: To Be Determined
b6 b7C b7D b7E
Received By: [redacted]   Received From: [redacted]
Description of Item(s): [handwritten, illegible]
(City)
File #
UNITED STATES DEPARTMENT OF JUSTICE
FEDERAL BUREAU OF INVESTIGATION
Receipt for Property Received/Returned/Released/Seized
FD-597 (Rev 8-11-94)   Page ___ of ___
b6 b7C
Item(s) listed below were: Received From / Returned To / Released To [check marks illegible]
b6b7C
b6 b7C
Description: Original notes re interview of
Reference: (Communication Enclosing Material)
Federal Taxpayer Information (FTI): Yes / No [check marks illegible]
To Be Returned: Yes / No
Receipt Given: Yes / No
Grand Jury Material - Disseminate Only Pursuant to Rule 6 (e) Federal Rules of Criminal Procedure: Yes / No
By
(City and State)
(Address)
FD-340 (Rev. 4-11-03)
4460 Washington Road • Suite 2Q • Evans, Georgia 30809
Office 706.854.8838 • Fax 706.854.8022
DAILY GRIN
b6b7C
Description: Original notes re interview of [handwritten, illegible]
Reference: (Communication Enclosing Material)
By SA [redacted]
To Be Returned: Yes / No [check marks illegible]
Receipt Given: Yes / No
Grand Jury Material - Disseminate Only Pursuant to Rule 6 (e) Federal Rules of Criminal Procedure: Yes / No
Federal Taxpayer Information (FTI): Yes / No
(City and State)
(Address)
From: [handwritten, illegible] (Name of Contributor/Interviewee)
Date Received
Serial # of Originating Document
Group leader was identified as the accused BALAEASA Gabriel, 24, of Piatra Neamt, known in the virtual environment with nicknames "lulzcart, anonsboat, anonsweb, Cartman."
This, together with Gabor and Picos Fabian accused Michael Emil was a group, joined by other people involved in the cyber terrorist attacks.
The group conducted an extensive criminal activity specific for cybercrime, which consisted of illegal access to computer systems, misuse of confidential or non public and published in the online environment seep data.
Databases confidential / classified subjects were given preference for public institutions and businesses, both in Romania and abroad.
For technical and practical way of operating, cyber attacks launched on the target server and Web pages, were SQL injection, using different applications, namely Havij, SQL, etc. Map. In most cases, after compromise and obtain unauthorized access to targeted sites, the group members brought changes to computer data, executing attacks "deface", consists of applying a web page instead of the main site, which was to change general in certain posting messages, links and images that promote group claims attack and hackers.
Attacks were launched in order to obtain computer data, appropriate data were copied / transferred without the right and subsequently published in the virtual environment on various sites as evidence of hacking activity.
Group members did so to launch attacks on a total of 29 sites, information infrastructure such unauthorized penetration achieved by infringement of security measures implemented in the server that housed the target Web sites.
Criminal activity led to total or partial compromise of Internet sites and areas covered, resulting in significant costs to recover data and implement new security measures.
At the D.I.I.C.O.T. will be brought to hear 12 people, to which research is carried out for crimes without the right to access information systems in order to obtain computer data in violation of security measures, modification of computer data without right and unauthorized transfer of data a computer system provided. of art. Article 42. 1,2,3 and art. Article 44. 1,2 of Law no. 161/2003.
The investigations were carried out with the judicial police officers in D.C.C.O. - S.C.C.I. and Special Operations Division.
The action was carried out with the support of the Romanian Gendarmerie. Technical support and information was provided by SRI.
Prosecutors Department for Organized Crime and Terrorism - Central structure deconstructed a criminal-group, consisting of 14 persons, so they carried out 12 house searches in Bucharest, Iasi, Alba Iulia, Piatra Neamt, Cluj Napoca, Turnu Severin, Arad, Craiova and Targu Mures Resita.
PRESS RELEASE
05/29/2012
He, together with the accused Fabian Gabor and Picos Mihai Emil, formed a group, which other persons also joined, involved in carrying out cyber-terrorism attacks.
The group carried out extensive criminal activity specific to computer crime, consisting of illegally accessing computer systems, stealing confidential or non-public data, and publishing the exfiltrated data online.
The confidential/classified databases targeted were predominantly administered by public institutions and legal entities, both in Romania and abroad.
From a technical standpoint and in terms of the actual method of operation, the cyber attacks launched against the targeted servers and web pages were of the SQL injection type, using various software applications, namely Havij, SQL Map, etc. In most cases, after compromising and obtaining unauthorized access to the targeted sites, the group members modified computer data by carrying out "deface" attacks, which consisted of inserting a web page in place of the site's main page, a modification that generally consisted of posting certain messages, links and images claiming responsibility for the attack and promoting the hacker group.
The attacks were launched in order to obtain computer data, which was, as the case may be, copied/transferred without right and subsequently published in the virtual environment on various sites as proof of the hacking activity.
The group members proceeded in this way to launch cyber attacks on 29 sites, the unauthorized penetration of the respective information infrastructures being achieved by breaching the security measures implemented on the servers hosting the targeted websites.
The criminal activity led to the total or partial compromise of the targeted web pages and internet domains, generating significant costs for recovering the data and implementing new security measures.
Prosecutors of the Directorate for Investigating Organized Crime and Terrorism - Central Structure dismantled a criminal group consisting of 14 persons, for which purpose they carried out 12 house searches in the municipalities of Bucharest, Iasi, Alba Iulia, Piatra Neamt, Cluj Napoca, Drobeta Turnu Severin, Arad, Craiova, Resita and Targu Mures.
The leader of the group was identified as the accused BALAEASA Gabriel, 24, of the municipality of Piatra Neamt, known in the virtual environment by the nicknames "lulzcart, anonsboat, anonsweb, cartman".
PRESS RELEASE
29.05.2012
Press release - 29.05.2012
Tuesday, 29 May 2012 00:00
http://www.diicot.ro/index.php?view=article&catid=38:mass-m ...
5/29/12 9:58 AM, 1 of 2
The investigations were carried out together with judicial police officers of D.C.C.O. - S.C.C.I. and the Special Operations Directorate.
The operation was carried out with the support of the Romanian Gendarmerie.
Technical and intelligence support was provided by SRI.
Twelve persons will be brought to D.I.I.C.O.T. headquarters for questioning; they are under investigation for committing the offences of access without right to computer systems with the purpose of obtaining computer data by breaching security measures, modification of computer data without right, and unauthorized transfer of data from a computer system, provided for by art. 42 para. 1, 2, 3 and art. 44 para. 1, 2 of Law no. 161/2003.
Reference: (Communication Enclosing Material)
To Be Returned: Yes / No [check marks illegible]
Receipt Given: Yes / No
Grand Jury Material - Disseminate Only Pursuant to Rule 6 (e) Federal Rules of Criminal Procedure: Yes / No
Federal Taxpayer Information (FTI): Yes / No
Description: Original notes re interview of
Description: Letter from [redacted] [remainder handwritten, illegible]
(City and State)
By SA [redacted]
Date Received: 5/30/[illegible]
From: [redacted]
Serial # of Originating Document
Field Office Acquiring Evidence: [handwritten, illegible]
b6 b7C b7D
CART Service Request Confirmation - 1A Material (Printed on 05/30/2012)
Service Request ID: 45405
Request Type: Exam
Request Date: 05/30/2012
Request Priority: 2 (Priority)
Requested Completion Date: 06/05/2012
Investigative Request? Yes
UCFN: 288A - JK - 53354
Case Agent/Investigator: SA [redacted]
Case Agent/Investigator Field Office: JK
Case Agent/Investigator Supervisor: SSA [redacted]
Case Title: UNSUB (S); LAKE COUNTY SHERIFFS OFFICE - VICTIM
Case Synopsis: On 21 April 2012 [redacted] notified LEGAT Bucharest that [redacted]
Submitting Agency: JK
Agency Case/File Number:
Contact Information: 904-2487214
Assign Request To: JK
Evidence to be Examined:
Request Description: copy media and give to SA and return originals to evidence.
Legal Authority: Consent
b6 b7C b7D
Your Exam service request has been entered into the system and is pending review by the JK office. A representative from the JK office will contact you shortly regarding the status of your request with further information and instructions.
CART Exam Service Request Confirmation - 1A Material
b6 b7C
Description: Original notes re interview of
Reference: (Communication Enclosing Material)
Title:
To Be Returned: Yes / No [check marks illegible]
Receipt Given: Yes / No
Grand Jury Material - Disseminate Only Pursuant to Rule 6 (e) Federal Rules of Criminal Procedure: Yes / No
Federal Taxpayer Information (FTI): Yes / No
By SA [redacted]
(City and State) Tavares, FL 32778 [handwritten]
(Address) [handwritten, partly illegible]
From: [handwritten, illegible] (Name of Contributor/Interviewee)
Date Received
Serial # of Originating Document
Field Office Acquiring Evidence
Description: Original notes re interview of [handwritten, illegible]
Reference: (Communication Enclosing Material)
(City and State)
By
To Be Returned: Yes / No
Receipt Given: Yes / No
Grand Jury Material - Disseminate Only Pursuant to Rule 6 (e) Federal Rules of Criminal Procedure: Yes / No
Federal Taxpayer Information (FTI): Yes / No
Title:
b6 b7C
Date Received
From (Name of Contributor/Interviewee)
(Address)
Serial # of Originating Document [handwritten, illegible]
ICMIPR01   Page 1
04/25/12 16:16:22
Title and Character of Case:
LAKE COUNTY SHERIFFS OFFICE
Date Property Acquired: 04/25/2012
Source from which Property Acquired: LCSO, 360 W RUBY STREET, TRAVORES FL 32778
Anticipated Disposition:
Acquired By: [redacted]
Case Agent: [redacted]
b6 b7C
Description of Property:
1B 1   Date Entered: 04/25/2012
WESTERN DIGITAL MY BOOK STUDIO EXTERNAL HARD DRIVE, SN: WCAZA3,18'8836 (2TB, W/POWER SUPPLY & USB CABLE) CONTAINING: BACKUPS & IMAGES OF LEO APP1, LEO CITRIX, APP2 (LEO TTA), AS WELL AS LOGS FROM LEO APPL, LEOCITRIX, LEOASP1, WEBSITE LOGGING
Barcode: E472S431   Location: ECR BIN14 CART
Case Number: 288A-JK-53354
Owning Office: JACKSONVILLE
FEDERAL BUREAU OF INVESTIGATION
EVIDENCE CHAIN-OF-CUSTODY
FD-1004, Revised 9-16-2009
Case ID: 288A - JK - 53354   1B: [handwritten]   Barcode: [handwritten, illegible]
Evidence Type: General / CART / Drug / Valuable / Firearm/Weapon / Firearm/Other [check marks illegible]
Check boxes: Batteries / Biohazard / HAZMAT / Latents / Req. Charging / None / Other / FGJ / Refrigerate
Firearms Certification: Printed Name:   Signature:   Date:
Signature: [redacted]   Printed Name: [redacted]   Reason: Collected   Date and Time: [handwritten, illegible]
b6 b7C
EVIDENCE CHAIN-OF-CUSTODY
Continuation Page
Case ID:   1B:   Barcode:
[Blank custody rows: Accepted Custody, Date and Time; each with Signature, Printed Name, Reason]
Received By: [redacted]   Received From: [redacted]
Description of Item(s): [handwritten, partly illegible] (LEO TTA), LEO Citrix
(Name) [handwritten, partly illegible]
(Street Address) [handwritten, partly illegible]
(City) Tavares, FL 32778 [handwritten]
UNITED STATES DEPARTMENT OF JUSTICE
FEDERAL BUREAU OF INVESTIGATION
Receipt for Property Received/Returned/Released/Seized
File # 288A-JK-53354 [handwritten]
FD-597 (Rev 8-11-94)   Page 1 of 1
b6 b7C
Item(s) listed below were: Received From [checked] / Returned To / Released To / Seized
On (date) [handwritten, illegible]
FD-192   ICMIPR01   Page 1
0[illegible]/04/12 09:03:36
Title and Character of Case:
LAKE COUNTY SHERIFFS OFFICE. HTTP PASTEHTML COM VIEW BW2M4UWHB HTML
Date Property Acquired: 05/30/2012
Source from which Property Acquired: [redacted]
Anticipated Disposition:
Acquired By: [redacted]
Case Agent: [redacted]
b6 b7C b7D
Description of Property:
1B 2   Date Entered: 05/30/2012
1.2: SEAGATE 1TB HDD, SN:W1D07MG6 (EXCHANGE LIVE ACQUISITION, 4/30/12, SECOND ORIGINAL FORENSIC IMAGE,
2.2: SEAGATE 1TB HDD, SN:W1D06LAK (LOG SERVER_4/30/12, SECOND ORIGINAL FORENSIC IMAGE)
3.2: SEAGATE 500GB HDD, SN:9QM9T8PD (IMAGES FROM LCSO, LEOCITRIX, LEOAPP1, LEOTTA APP2, SECOND ORIGINAL FORENSIC IMAGE)
4.2: COMPACT DISK (CD), COPY OF LSCO-120490-4 CD REC'D FROM LCSO HELP DESK E-MAIL
5.2: SEAGATE 500GB HDD, SN:W1D072K7 (IMAGES FROM (USERS + DEPTS BACKUP FROM 3-31-12) SECOND ORIGINAL FORENSIC IMAGE
6.1: SEAGATE 1TB HDD, SN:5VP9S0H9 (IMAGES FROM LSCO 5/7/12, ORIGINAL FORENSIC IMAGE)
Barcode: E4725693   Location: ECR CART [remainder illegible]
Case Number: 288A-JK-53354
Owning Office: JACKSONVILLE
FEDERAL BUREAU OF INVESTIGATION
EVIDENCE CHAIN-OF-CUSTODY
FD-1004, Revised 9-16-2009
Case ID: 288A-JK-53354 [handwritten]   1B: [handwritten, illegible]   Barcode: [handwritten, illegible]
Evidence Type: General / CART / Drug / Valuable / Firearm/Weapon / Firearm/Other [check marks illegible]
Check boxes: Batteries / HAZMAT / Biohazard / Latents / None / FGJ / Refrigerate
Firearms Certification: Printed Name:   Signature:   Date:
Signature: [redacted]   Reason:   Date and Time: 5/30/[illegible] [handwritten]
b6 b7C
EVIDENCE CHAIN-OF-CUSTODY
Continuation Page
Case ID:   1B:   Barcode:
[Blank custody rows: Signature, Printed Name, Reason]
S:\DRAFTS\[illegible]\117sp0212.wpd
This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its contents are not to be distributed outside your agency.
File # 288A-JK-53354   Date dictated: Not dictated   by SA [redacted]
Investigation on 04/26/2012 at Jacksonville, Florida
The screen captures and web page content pdf were copied to a CDR and placed in an FD-340 1A envelope and added to the 1A section of the case file.
http://pastehtml.com/view/bw2m4uwhb.html
The resulting web page appeared to be a tree listing of the Lake County Sheriff's Office (LCSO) server files. The web page, if printed, would have been 194 pages in length; therefore, SA [redacted] saved the web page to a Portable Document Format file (PDF). SA [redacted] then captured a screen print of the top of the web page, scrolled to the bottom of the web page and captured another screen print.
On April 26, 2012 Federal Bureau of Investigation (FBI) Special Agent (SA) [redacted] connected to the Internet and navigated to the following Uniform Resource Locator (URL):
Date of transcription 04/26/2012
- 1 -
FEDERAL BUREAU OF INVESTIGATION
b6 b7C
FD-302 (Rev. 10-6-95)
b6b7C
This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its contents are not to be distributed outside your agency.
S:\DRAFTS\[illegible].wpd
b6 b7C
File # 288A-JK-53354   Date dictated   by SA [redacted]
Investigation on 4/30/2012 at Tavares, Florida
b6 b7C b7D
On 4/27/2012 [redacted] of the Lake County Sheriff's Office (LCSO) at 360 West Ruby Street, Tavares, Florida 32778 was contacted telephonically to discuss the investigation into the LCSO network intrusion. Writer informed [redacted] that data related to the intrusion had been placed on-line at the Uniform Resource Locator (URL) http://pastehtml.com/view/bw2m4uwhb.html. The resulting web page appeared to be a directory tree listing of the LCSO files. The web page, if printed, would have been 194 pages in length and contained the names of directories and files that may have been exfiltrated from the LCSO network. It was later learned that four (4) files were posted to pastebin.com which were named Cyber Crime.zip, 911 Calls.zip, Swat Team Files.zip and Full Dump With Even More files then above.zip. Writer downloaded the above referenced files which were over 4.7 GB of data. [redacted] said that he would report the posting of the data to his command staff.
During the night of 4/27/2012 [redacted] contacted writer again multiple times about email that was sent out to all the users on the LCSO network from the hackers. The email informed all the users that received the email that the LCSO network had been hacked. Writer again informed [redacted] that it was safe to assume that the entire LCSO network was compromised and that proper incident response and remediation should be undertaken by an outside firm.
[redacted] asked if Writer could recommend any good groups to which Writer gave [redacted] a list of IT consulting firms. [redacted] said that they had changed all the passwords that they believed were compromised but that obviously did not work. He stated he would brief his command staff again and emphasize the severity of the situation and the need to have an external professional team come in and conduct the proper incident response and mitigation.
On 4/28/2012 [redacted] met with [redacted] which is a Cyber Security Firm located at [redacted] Writer reached out to contacts in the Tampa Division and was assured that [redacted] was a credible Cyber Security Firm. [redacted]
Date of transcription 04/30/2012
- 1 -
FEDERAL BUREAU OF INVESTIGATION
FD-302 (Rev. 10-6-95)
b6b7C
I
news.softpedia.com/news/AntiSec-Hackers-Leak-40-GB-of-Data-from-Lake-County-Sheriff-s-Office-266784.shtml
paintsthefuture.com/lake-county-sheriffs-office-hacked-by-antisec-and-leaked-4-7-gb-of-stolen-data/
Writer identified the following online reports about the intrusion:
S:\DRAFTS\[illegible].wpd
FBI HQ Cyber Criminal PM SSA [redacted] who has been working with Jacksonville on this intrusion was updated and advised of the current situation and continues to coordinate with FBI Jacksonville.
On 4/28/2012 [redacted] with the LCSO reached out telephonically to Writer about a possible press report that would be coming from a news team out of the Orlando area. The news team received a tip and was asking LCSO for a statement/interview. Writer contacted and briefed [redacted] of FBI Jacksonville on the situation. [redacted] contacted [redacted] and asked him to limit his comments if possible and would not object to mentioning the FBI if he and/or the Sheriff thought it would help. [redacted] of the Office of Public Affairs, National Press Office, FBI HQ was briefed on the situation and advised all to use the statement "We're aware of this report but cannot comment further."
[redacted] contacted Writer and provided his cell phone number [redacted] and office number [redacted] and said that they were taking steps to secure the LCSO network and would retain any and all evidence of the intrusion to assist in the on-going investigation. [redacted] believed that the intrusion was related to multiple other intrusions by the same group of hackers and had located several IP addresses that he believed went back to infrastructure controlled by the hackers.
On 4/28/2012 [redacted] informed Writer by telephone that the Florida Department of Law Enforcement (FDLE) had contacted him because of some information they had received about the intrusion into the LCSO network. Writer spoke with [redacted] of FDLE and
[redacted] for FDLE and [redacted]
b6 b7C
FD-302a (Rev. 10-6-95)
Continuation of FD-302 of [redacted], On 4/30/2012, Page 2
b6b7C
I
S:\DRAFTS\[illegible].wpd
On 4/30/2012 [redacted] was contacted telephonically and stated that the LCSO was in lock down mode with the email server and website down as well as other services and that they were working with [redacted] to review all systems and bring them up one at a time once they had been secured. [redacted] is currently collecting data related to the intrusion and copies will be made and provided to the FBI to support the ongoing investigation. News channel 9 reported the LCSO intrusion.
b6 b7C b7D
gnsec.com/modules/d3pipes/index.php?page=clipping&clipping_it71380
On 4/30/2012 [redacted] stated via telephone that they had collected images of drives and other evidence of the intrusion and believed that it involved three 3 people, 1 in the US, 1 in Moscow and 1 in the Ukraine.
b6 b7C
jimmy89vl.blogspot.com/2012/04/lake-county-florida-sheriffs-office.html
FD-302a (Rev. 10-6-95)
Continuation of FD-302 of [redacted], On 4/30/2012, Page 3
S:\DRAFTS\[illegible].wpd
This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its contents are not to be distributed outside your agency.
b6 b7C
by SA [redacted]
Date dictated
File # 288A-JK-53354
Investigation on 04/25/2012 at Tavares, Florida
[redacted] was interviewed about a potential intrusion into the LCSO network. [redacted] stated that he had been contacted by an FBI Agent out of San Antonio (SA) and told of a possible computer intrusion into the LCSO back in January 2012. [redacted] stated that he checked his systems and found no evidence of the intrusion and attempted multiple times to reach back out to the FBI SA with negative results.
[redacted] was asked about any new intrusions into the LCSO network and stated that there were un-successful attempts and provided logs and data to back up his conclusions. Writer and SA [redacted] advised [redacted] to look again for the possible intrusion by checking server logs and legitimate user accounts for unusual activity and gave him an overview of criminal hacking procedures and techniques. [redacted] called Writer back on 4/23/2012 after the meeting to report that he had found a user account that was being accessed for illegitimate purposes and was going to continue the investigation. [redacted] was given part of a database table that FBI San Antonio had provided to Jacksonville when Jacksonville had reached out and inquired about the January 2012 contact with LCSO after leaving the LCSO meeting.
On 4/25/2012 Writer met with [redacted] and other staff from the LCSO. LCSO was again informed that the FBI had an open ongoing investigation into the intrusion and was working with international partners. [redacted] provided one (1) hard disk drive (HDD) that contained images of 3 virtual servers, logs and data related to the intrusion. [redacted] was given a property receipt (FD-597) for the HDD and signed a consent to search computers form. The HDD was placed into evidence and a CART request was completed requesting the imaging of the drive. HQ was contacted and forwarded a case support request form for assistance in reviewing the HDD and data provided by LCSO.
b6 b7C
On 4/23/2012 SA [redacted] and SA [redacted] of FBI JK met with [redacted] of the Lake County Sheriff's Office (LCSO) at 360 West Ruby Street, Tavares, Florida 32778 to discuss information that was passed from FBI HQ on 4/21/2012 to SA [redacted] about a possible computer intrusion by [redacted] into the LCSO network.
Date of transcription 04/25/2012
- 1 -
FEDERAL BUREAU OF INVESTIGATION
FD-302 (Rev. 10-6-95)
b6b7C
b6b7Cb7D
b6b7C
UNCLASSIFIED//FOR OFFICIAL USE ONLY
S:\DRAFTS\[illegible].wpd
(U//FOUO) LCSO was unsuccessful in fully eradicating the malicious actors, and on 27 April 2012 the LCSO mail server was compromised and used to distribute a mass e-mail message alerting all system users to the intrusion activity. One of the recipients of the message was the Florida Department of Law
(U//FOUO) FBI Jacksonville immediately notified LCSO of the suspected intrusion. On 23 April 2012 Jacksonville met with LCSO and provided them an overview of criminal hacking techniques. Shortly thereafter, LCSO identified an unauthorized user account being accessed for illegitimate purposes. LCSO was instructed to begin remediating the problem and capturing forensic evidence.
Synopsis: To update case.
Details: (U//FOUO) On 21 April 2012 [redacted] notified LEGAT Bucharest that [redacted]
Title: UNSUB (S); LAKE COUNTY SHERIFF'S OFFICE - VICTIM
Case ID #: 288A-JK-53354 (Pending)
Drafted By:
Approved By:
From: Jacksonville
Contact: SA [redacted]
To: Jacksonville
Date: 04/30/2012
Precedence: ROUTINE
FEDERAL BUREAU OF INVESTIGATION
(Rev. 05-01-2008)
2
UNCLASSIFIED//FOR OFFICIAL USE ONLY
8 .
7.
6.
5.
4.
3 .
2.
Enforcement (FDLE), the state's central law enforcement agency. Later the same day, Twitter user "EviISecurity" tweeted links to approximately 4.7 GB of LCSO's data, as well as a username and password to an account on LCSO's mail server.
(U//FOUO) On 28 April 2012 the Romanian-owned website Softpedia reported the theft of 40 GB of data from LCSO. The breach was attributed to Operation AntiSec, a series of hacks performed by members of Anonymous and LulzSec. According to Softpedia, one of the hackers, presumably [redacted], claimed 35 GB of the stolen data consisted of law enforcement software applications. The remaining 5 GB, which was posted online, consisted of "everything stored in the office's internal network that could be considered of value," including cyber crime information, audio recordings of 911 calls, photographs and personal details of SWAT operators, subpoena records, and FBI Intelligence Bulletins.
b6b7C
Investigative Action Plan: (U//FOUO) Jacksonville is currently coordinating this investigation with LCSO, FDLE, FBI Phoenix, LEGAT Bucharest, and [redacted]. The following investigative activity is ongoing or anticipated:
1.
b7D
b6
b7C
To: Jacksonville From: Jacksonville
Re: 288A-JK-53354, 04/30/2012
UNCLASSIFIED//FOR OFFICIAL USE ONLY
S:\ORAFTS\~OL1N\122jbOlt2.wpd
This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its contents are not to be distributed outside your agency.
b6b7C
Date dictated: Not dictated
Investigation on 05/01/2012 at Jacksonville, Florida (telephonically)
File # 288A-JK-53354
by SA [redacted]
According to a conversation [redacted] had with Lt. [redacted], who coordinates the LCSO S.W.A.T team, there were no FBI agent's personal information obtained.
b6b7C
Lt. [redacted], Lake County Sheriff's Office (LCSO), Florida was interviewed by the Federal Bureau of Investigation (FBI) regarding a recent computer intrusion into LCSO. After being advised of the identity of the interviewing Agent and the nature of the interview, [redacted] provided the following information:
b6b7C
[redacted] contacted FBI Special Agent (SA) [redacted] and advised that she had gone through the files that they believe were compromised and identified a file named FBI UPDATE TARGETING OF PRISONERS FOR IDENTITY THEFT.pdf from 2010 and that it was unclassified. [redacted] is not aware of any classified information at the LCSO.
b6b7C
- 1-
FEDERAL BUREAU OF INVESTIGATION
Date of transcription 05/01/2012
FD-302 (Rev. 10-6-95)
;S: \DRAf'I'S\SPRU!'l'T\1.22sp0212. wpd
This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency;it and its contents are not to be distributed outside your agency.
b6b7C
by SA [redacted]
Date dictated: Not dictated
Investigation on 04/27/2012 at Jacksonville, Florida (telephonically)
File # 288A-JK-53354
b6b7Cb7D
After receiving the email, several LCSO members contacted [redacted] to report the incident. [redacted] stated [redacted]
[redacted], Lake County Sheriff's Office (LCSO), Florida was interviewed by the Federal Bureau of Investigation (FBI) regarding a recent computer intrusion into LCSO. After being advised of the identity of the interviewing Agent and the nature of the interview, [redacted] provided the following information:
b6b7C
[redacted] contacted FBI Special Agent (SA) [redacted]
b6b7Cb7D
- 1 -
FEDERAL BUREAU OF INVESTIGATION
Date of transcription 05/01/2012
FD-302 (Rev. 10-6-95)
CONFIDENTIAL//FGI ROU/REL TO USA, ROU
b6b7Cb7E
(U) Legat Bucharest's coordination with the FBI's Cyber Initiative and Resource Fusion Unit (CIRFU) previously identified
b1b3
Sources
b1b3b7D
Anonymous
Title: (U) Anonymous Romania
Case ID #: (U) 163K-BO-893 (Pending)
(U) 288A-JK-53354 (Pending)
Drafted By:
Approved By:
b6b7C
From: Bucharest
Contact: ALAT [redacted]
Attn: Jacksonville
Attn: International Operations
b6b7C
CCU1, SA [redacted]
CCU2, SSA [redacted]
SSA [redacted]
Eurasia Unit, SSA [redacted]
To: Cyber
Attn:
Date: 5/02/2012
Precedence: ROUTINE
FEDERAL BUREAU OF INVESTIGATION
CONFIDENTIAL//FGI ROU/REL TO USA, ROU
CONFIDENTIAL//FGI ROU/REL TO USA, ROU
2
b1b3
b6b7C
(U) On 4/21/2012, ALAT [redacted] contacted LCSO and the d . administrator there, [redacted] e-mail regarding the possibility of an intrusion. [redacted] acknowledged the notification and began conducting research to verify the intrusion.
b6b7Cb7E
To: Cyber From: Bucharest
Re: (U) 163K-BO-893, 5/02/2012
CONFIDENTIAL//FGI ROU/REL TO USA, ROU
b1b3b6b7C
3
CONFIDENTIAL//FGI ROU/REL TO USA, ROU
To: Cyber From: Bucharest
Re: (U) 163K-BO-893, 5/02/2012
CONFIDENTIAL//FGI ROU/REL TO USA, ROU
(U) The information resulted in coordination with CyD and JK Division, resulting in the initiation of case 288A-JK-53354.
4
b1b3
To: Cyber From: Bucharest
Re: (U) 163K-BO-893, 5/02/2012
CONFIDENTIAL//FGI ROU/REL TO USA, ROU
CONFIDENTIAL//FGI ROU/REL TO USA, ROU
(U) For information.
ALL RECEIVING OFFICES
Set Lead 1: (Info)
LEAD(s):
To: Cyber From: Bucharest
Re: (U) 163K-BO-893, 5/02/2012
CONFIDENTIAL//FGI ROU/REL TO USA, ROU
5
b6b7C
CLASSIFICATION LEVEL (CHECK ONE): UNCLASSIFIED - NOT SENSITIVE / CONFIDENTIAL
ATTENTION: SA [redacted]
TO: [routing-slip checklist of FBI field offices and overseas offices]
FOR INTERNAL USE ONLY
Legat - Bucharest
Name:
Legal Attache
U.S. Embassy - Bucharest
5260 Bucharest Place
Dulles, VA 20189
(011-40-21) 200-3339
b1b3
b1b3b7D
b6b7C
CONFIDENTIAL//FGI ROU/REL TO USA, ROU
Synopsis:
Drafted By: [redacted]
Case ID #: 163L-BO-893 (Pending)
288A-JK-53354 (Pending)
Approved By:
Attn: International Operations
Attn: Jacksonville
[redacted] regarding the Anonymous Romania hack into the Lake County Sheriff's Office.
Derive~iple SourcesDeclas~0502
Title: ANONYMOUS ROMANIA
From: Bucharest
Contact: ALAT [redacted]
CCU1, SA [redacted]
CCU2, SSA [redacted]
SSA [redacted]
SA [redacted]
SA [redacted]
Eurasia Unit, SSA [redacted]
Date: 05/02/2012
To: Cyber
Attn:
Precedence: ROUTINE
FEDERAL BUREAU OF INVESTIGATION
CONFIDENTIAL//FGI ROU/REL TO USA, ROU
(Rev. 05-01-2008)
CONFIDENTIAL//FGI ROU/REL TO USA, ROU
2
b6b7C
(U) ALAT [redacted] provided the link to pastehtml.com to Jacksonville Cyber on 04/26/2012.
b1b3
To: Cyber From: Bucharest
Re: 163L-BO-893, 05/02/2012
CONFIDENTIAL//FGI ROU/REL TO USA, ROU
CONFIDENTIAL//FGI ROU/REL TO USA, ROU
Read and clear.
AT EURASIA UNIT, DC
Set Lead 3: (Info)
INTERNATIONAL OPERATIONS
Read and clear.
AT JACKSONVILLE, FL
JACKSONVILLE
Set Lead 2: (Info)
Read and clear.
AT CCU-1, DC
CYBER
Set Lead 1: (Info)
LEAD (s) :
To: Cyber From: Bucharest
Re: 163L-BO-893, 05/02/2012
3
UNCLASSIFIED
b6b7Cb7D
Details: [redacted]
CIRFU searches on the
b7D
Title: ANONYMOUS ROMANIA
Case ID #: 163L-BO-893 (Pending)
288A-JK-53354 (Pending)
Drafted By:
Approved By:
From: Bucharest
Contact: ALAT [redacted]
Jacksonville
To: Cyber
b6b7C
Attn: UC [redacted]
CCU1, SA [redacted]
CCU2, SSA [redacted]
SSA [redacted]
Attn: SA [redacted]
SA [redacted]
Attn: Eurasia Unit, SSA [redacted]
International Operations
Date: 05/02/2012
Precedence: ROUTINE
FEDERAL BUREAU OF INVESTIGATION
UNCLASSIFIED
(Rev. 05-01-2008)
UNCLASSIFIED
2
b7D
met with ALAT
b7D
To: Cyber From: Bucharest
Re: 163L-BO-893, 05/02/2012
UNCLASSIFIED
UNCLASSIFIED
Read and clear.
AT EURASIA UNIT, DC
INTERNATIONAL OPERATIONS
Set Lead 4: (Info)
Read and clear.
AT JACKSONVILLE, FL
JACKSONVILLE
Set Lead 3: (Info)
Read and clear.
AT CCU-1, DC
CYBER
Set Lead 2: (Info)
3
b7Db7E
AT CIRFU, DC
Conduct [redacted] and/or any other checks for nicknames provided and coordinate any relevant positive results with Bucharest and Jacksonville for
CYBER
Set Lead 1: (Action)
LEAD (s) :
To: Cyber From: Bucharest
Re: 163L-BO-893, 05/02/2012
UNCLASSIFIED
CONFIDENTIAL//FGI ROU/REL TO USA, ROU
b1b3
Sources
oman~a, reporte
b1b3b7D
Title: ANONYMOUS ROMANIA
Drafted By: [redacted]
Case ID #: 163L-BO-893 (Pending)
288A-JK-53354 (Pending)
From: Bucharest
Contact: ALAT [redacted]
Approved By: [redacted]
Attn: International Operations
Attn: Jacksonville
CCU1, SA [redacted]
b6b7C
CCU2, SSA [redacted]
SA [redacted]
SA [redacted]
Eurasia Unit, SSA [redacted]
b6b7C
To: Cyber
Attn:
FEDERAL BUREAU OF INVESTIGATION
CONFIDENTIAL//FGI ROU/REL TO USA, ROU
Date: 05/10/2012
Precedence: ROUTINE
b1b3
2
CONFIDENTIAL//FGI ROU/REL TO USA, ROU
To: Cyber From: Bucharest
Re: 163L-BO-893, 05/10/2012
b1b3
3
CONFIDENTIAL//FGI ROU/REL TO USA, ROU
To: Cyber From: Bucharest
Re: 163L-BO-893, 05/10/2012
CONFIDENTIAL//FGI ROU/REL TO USA, ROU
CONFIDENTIAL//FGI ROU/REL TO USA, ROU
Read and clear.
AT EURASIA UNIT, DC
Set Lead 3: (Info)
INTERNATIONAL OPERATIONS
Read and clear.
AT JACKSONVILLE, FL
JACKSONVILLE
Set Lead 2: (Info)
Read and clear.
AT CCU-1, DC
CYBER
Set Lead 1: (Info)
LEAD(s):
To: Cyber From: Bucharest
Re: 163L-BO-893, 05/10/2012
CONFIDENTIAL//FGI ROU/REL TO USA, ROU
4
[FD-515 Accomplishment Report, File Number 288A-JK-53354: scanned form with field labels, investigative assistance/technique ratings and reverse-side code tables]
b6b7C
b7E
Accomplishment Narrative
Section Count
Title
United States Code Violation
b7E
1 = Used, but did not help
2 = Helped, Minimally
3 = Helped, Substantially
4 = Absolutely Essential
11HQ
Squad Task ForceRA
VICT-WITN COOR, 10 WANTED FLYR, SARS, CART, ASSET FORF PRO, FORF SUPPORT P, TFOS/CTD, CXS/CTD, INFRAGARD/CYD, OFC/CID, PPP, FUSION CENTERS
Arrest is for Federal, Local, or International (F/L/I):
Arrest Subject Priority (A/B/C): C
Did Subject Resist (Y/N): N
Was Subject Armed (Y/N): N
b6b7C
Assisting Agents SOC Subject Name
b6b7C
CO - NAr BAC, NCAVC/VI-CAP, CRIM/NS INTEL, CRIS NEG-FED, CRIS NEG-LOC, ERT ASST, BUTTE OSC, SAV OSC, POC SC, FT. MON-NRCSC, FOR LANG ASST, NON FBI LAB E
LAB FIELD SUP, PEN REGISTERS, PHOTO COVERGE, POLYGRAPH, SRCH WAR EXEC, SHOW MONEY, SOG ASST, SWAT TEAM, TECH AG/EQUIP, TEL TOLL RECS, UCO-GROUP I, UCO-GROUP II
FINAN ANALYST, AIRCRAFT ASST, COMPUTER ASST, CONSEN MONITR, ELSUR/FISC, ELSUR/III, ENG FIELD SUP, ENG TAPE EXAM, LEGATS ASST., EVIDNCE PURCH, INFORMANT/CW, LAB DIV EXAMS
Investigative Assistance or Technique Used
NNNY
Assisting Joint Agencies
Stat Agent Name: [redacted]
Stat Agent SOC.: [redacted]
SENSITIVE / UNCLASSIFIED
***************** ARREST ****************
Sub. Invest. Asst by Other FOs:
Corruption of Public Officials: N
Money Laundering: N
Drugs
A Fugitive
Bankruptcy Fraud
Computer Fraud/Abuse
Does Accomplishment Involve
Case Number: 288A-JK-53354
Serial No.: 15
05/31/2012
Report Date: 05/31/2012
Accom Date.: 05/29/2012
This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its contents are not to be distributed outside your agency.
By: SA [redacted]
Assistant Legal Attache
SA [redacted]
FBI
Legal Attache
[redacted]
b6b7C
Yours truly,
b7D
Dear [redacted]
RE: Anonymous Romania
b7D
1 June 2012
File No. 163L-BO-893; 288A-JK-53354
Office of Legal Attache
Bucharest, Romania
Embassy of the United States of America
b7C
UNCLASSIFIED//FOR OFFICIAL USE ONLY
(U//FOUO) LCSO was contacted and advised of the arrest and stated that they will continue to coordinate with the FBI on any press releases they provide.
b6b7C
(U//FOUO) ALAT [redacted] provided a link to the official press release which was printed out and placed in a 1A and sent to the file.
b6b7Cb7D
(U//FOUO) [redacted]
b6b7Cb7D
Synopsis: To update case on arrest of multiple individuals related to the above referenced investigation.
Title: UNSUB(S); LAKE COUNTY SHERIFF'S OFFICE - VICTIM
Case ID #: 288A-JK-53354 (Pending)
Drafted By: [redacted]
Details: (U//FOUO) On 5/29/2012 ALAT [redacted] advised that
Approved By:
b6b7C
From: Jacksonville
11
Contact: SA [redacted]
To: Jacksonville
FEDERAL BUREAU OF INVESTIGATION
UNCLASSIFIED//FOR OFFICIAL USE ONLY
(Rev. 05-01-2008)
Date: 05/29/2012
Precedence: ROUTINE
UNCLASSIFIED//FOR OFFICIAL USE ONLY
2
b7D
LCSO
has also provided [redacted] copies of data from the intrusion which were shipped to FBI Jacksonville on 5/25/2012.
To: Jacksonville From: Jacksonville
Re: 288A-JK-53354, 05/29/2012
UNCLASSIFIED//FOR OFFICIAL USE ONLY
b6b7C
b7D
b7D
b6b7C
UNCLASSIFIED//FOR OFFICIAL USE ONLY
Synopsis: To document receipt of evidence.
Details: (U//FOUO) On 5/30/2012 Writer received two (2) shipments of evidence [redacted] relating to the above investigation. The two (2) shipments contained the following which were placed in evidence on 5/30/2012:
Item # Description
Title: UNSUB(S); LAKE COUNTY SHERIFF'S OFFICE - VICTIM
Case ID #: 288A-JK-53354 (Pending)
Drafted By:
From: Jacksonville
11
Contact: SA [redacted]
Approved By:
To: Jacksonville
Date: 05/30/2012
Precedence: ROUTINE
FEDERAL BUREAU OF INVESTIGATION
UNCLASSIFIED//FOR OFFICIAL USE ONLY
(Rev. 05-01-2008)
b6b7C
b6b7Cb7D
b6b7C
UNCLASSIFIED//FOR OFFICIAL USE ONLY
[redacted] and a copy placed in a 1A and sent to the file.
Details: (U//FOUO) Writer has worked with the Lake County Sheriff's Office [redacted]
Synopsis: (U//FOUO) To update case and claim statistical accomplishments.
Title: UNSUB(S); LAKE COUNTY SHERIFF'S OFFICE - VICTIM
Approved By:
Drafted By:
Case ID #: 288A-JK-53354 (Pending)
From: Jacksonville
11
Contact: SA [redacted]
To: Jacksonville
Date: 05/31/2012
Precedence: ROUTINE
FEDERAL BUREAU OF INVESTIGATION
UNCLASSIFIED//FOR OFFICIAL USE ONLY
FD-542 (Rev. 03-23-2009)
UNCLASSIFIED//FOR OFFICIAL USE ONLY
2
b7E
Number: 1
Type: CIP CASE
ITU: CIP
Claimed By:
b6b7C
Number: 1
Type: CIP VICTIM CONTACTED/INTERVIEWED
ITU: CIP
Claimed By:
SSN: [redacted]
Name: [redacted]
Squad: 11
b6b7C
Number: 1
Type: CIP SUBJECT TOOL/EXPLOIT/MALICIOUS CODE IDENTIFIED
ITU: CIP
Claimed By:
SSN: [redacted]
Name: [redacted]
Squad: 11
b6b7C
Number: 1
Type: CIP SUBJECT IDENTIFIED
ITU: CIP
Claimed By:
SSN: [redacted]
Name: [redacted]
Squad: 11
b6b7C
b7E
Number: 1
Type: CIP [redacted] ARREST/SEARCH WARRANT CONDUCTED
ITU: CIP
Claimed By:
SSN: [redacted]
Name: [redacted]
Squad: 11
b6b7C
b7E
Accomplishment Information:
To: Jacksonville From: Jacksonville
Re: 288A-JK-53354, 5/31/2012
Number: 1
Type: CIP CASE
ITU: CIP
Claimed By:
SSN: [redacted]
Name: [redacted]
Squad: 11
UNCLASSIFIED//FOR OFFICIAL USE ONLY
3
b6b7C
Number: 1
Type: CIP VICTIM CONTACTED/INTERVIEWED
ITU: CIP
Claimed By:
SSN: [redacted]
Name: [redacted]
Squad: 11
b6b7C
Number: 1
Type: CIP SUBJECT TOOL/EXPLOIT/MALICIOUS CODE IDENTIFIED
ITU: CIP
Claimed By:
SSN: [redacted]
Name: [redacted]
Squad: 11
b6b7C
Number: 1
Type: CIP SUBJECT IDENTIFIED
ITU: CIP
Claimed By:
SSN: [redacted]
Name: [redacted]
Squad: 11
b6b7C
b7E
Number: 1
Type: CIP [redacted] ARREST/SEARCH WARRANT CONDUCTED
ITU: CIP
Claimed By:
SSN: [redacted]
Name: [redacted]
Squad: 11
b6b7C
SSN: [redacted]
Name: [redacted]
Squad: 11
To: Jacksonville From: Jacksonville
Re: 288A-JK-53354, 5/31/2012
b6b7C
UNCLASSIFIED//FOR OFFICIAL USE ONLY
Details: (U//FOUO) On 5/30/2012 writer received two (2) shipments of evidence [redacted] relating to the above investigation. The two (2) shipments contained the following which were placed in evidence on 5/30/2012:
b7D
b7E
b6b7C
Synopsis: To document
Title: UNSUB(S); LAKE COUNTY SHERIFF'S OFFICE - VICTIM
Approved By:
Drafted By:
Case ID #: 288A-JK-53354 (Pending)
From: Jacksonville
11
Contact: SA [redacted]
To: Jacksonville
Date: 06/04/2012
Precedence: ROUTINE
FEDERAL BUREAU OF INVESTIGATION
UNCLASSIFIED//FOR OFFICIAL USE ONLY
(Rev. 05-01-2008)
2
UNCLASSIFIED//FOR OFFICIAL USE ONLY
b7E
(U//FOUO) CART made copies of the above media [redacted]
To: Jacksonville From: Jacksonville
Re: 288A-JK-53354, 06/04/2012
UNCLASSIFIED//FOR OFFICIAL USE ONLY
This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its contents are not to be distributed outside your agency.
By: SA [redacted]
Assistant Legal Attache
Legal Attache
[redacted]
b6b7C
b7D
Dear [redacted]
b7D
RE: Anonymous Romania
b7D
Office of Legal Attache
Bucharest, Romania
Embassy of the United States of America
6 June 2012
File No. 163L-BO-893; 288A-JK-53354
b6b7C
ATTENTION: [redacted]
CLASSIFICATION LEVEL (CHECK ONE): UNCLASSIFIED - NOT SENSITIVE / UNCLASSIFIED - SENSITIVE / CONFIDENTIAL / SECRET
TO: [routing-slip checklist of FBI field offices and overseas offices]
FOR INTERNAL USE ONLY
Legat - Bucharest
Name:
Legal Attache
U.S. Embassy - Bucharest
5260 Bucharest Place
Dulles, VA 20189
(011-40-21) 200-3339
b6b7C
UNCLASSIFIED//FOR OFFICIAL USE ONLY
Title: UNSUB(S); LAKE COUNTY SHERIFF'S OFFICE - VICTIM
Case ID #: 288A-JK-53354 (Pending)
Synopsis: To document the receipt of a report [redacted] of data for the above referenced case for the period 6/4/2012 - 6/8/2012.
b7E
Details: (U//FOUO) Writer received the following report from the first part of the data analysis of the Lake County Sheriff's Office data [redacted]
b7E
Approved By:
Drafted By:
b6b7C
From: Jacksonville
11
Contact: SA [redacted]
To: Jacksonville
FEDERAL BUREAU OF INVESTIGATION
UNCLASSIFIED//FOR OFFICIAL USE ONLY
(Rev. 05-01-2008)
Date: 06/14/2012
Precedence: ROUTINE
b6b7Cb7E
2
UNCLASSIFIED//FOR OFFICIAL USE ONLY
To: Jacksonville From: Jacksonville
Re: 288A-JK-53354, 06/14/2012
UNCLASSIFIED//FOR OFFICIAL USE ONLY
3
UNCLASSIFIED//FOR OFFICIAL USE ONLY
b7E
To: Jacksonville From: Jacksonville
Re: 288A-JK-53354, 06/14/2012
UNCLASSIFIED//FOR OFFICIAL USE ONLY
b1b3
b1b3b7D
b6b7C
CONFIDENTIAL//FGI ROU/REL TO USA, ROU
[redacted] regarding members of Anonymous Romania.
Title: ANONYMOUS ROMANIA
Synopsis:
Case ID #: 163L-BO-893 (Pending)
288A-JK-53354 (Pending)
Drafted By:
From: Bucharest
Contact: ALAT [redacted]
Approved By: [redacted]
International Operations
Attn: CCU1, SA [redacted]
CCU2, SSA [redacted]
SSA [redacted]
Attn: SA [redacted]
SA [redacted]
Attn: Eurasia Unit, SSA [redacted]
Jacksonville
To: Cyber
Date: 06/26/2012
Precedence: ROUTINE
FEDERAL BUREAU OF INVESTIGATION
CONFIDENTIAL//FGI ROU/REL TO USA, ROU
(Rev. 05-01-2008)
b1b3
2
CONFIDENTIAL//FGI ROU/REL TO USA, ROU
To: Cyber From: Bucharest
Re: 163L-BO-893, 06/26/2012
CONFIDENTIAL//FGI ROU/REL TO USA, ROU
b1b3
3
CONFIDENTIAL//FGI ROU/REL TO USA, ROU
(U//FOUO) Cyber and Detroit divisions confirmed the hack related to Berrien, Michigan.
To: Cyber From: Bucharest
Re: 163L-BO-893, 06/26/2012
4
CONFIDENTIAL//FGI ROU/REL TO USA, ROU
Read and clear.
AT EURASIA UNIT, DC
INTERNATIONAL OPERATIONS
Set Lead 3: (Info)
Read and clear.
AT JACKSONVILLE, FL
JACKSONVILLE
Set Lead 2: (Info)
Read and clear.
AT CCU-1, DC
CYBER
Set Lead 1: (Info)
LEAD(s):
To: Cyber From: Bucharest
Re: 163L-BO-893, 06/26/2012
CONFIDENTIAL//FGI ROU/REL TO USA, ROU
CONFIDENTIAL//FGI ROU/REL TO USA, ROU
b1b3
b1b3b7D
regarding Anonymous Romania's members, activities, and plans.
Title: ANONYMOUS ROMANIA
Synopsis:
Case ID #: 163L-BO-893 (Pending)
288A-JK-53354 (Pending)
Drafted By:
From: Bucharest
Contact: ALAT [redacted]
Approved By: [redacted]
Attn: International Operations
b6b7C
Attn: CCU1, CCU2, CIRFU
Attn: SA [redacted]
SA [redacted]
SSA
Jacksonville
Date: 06/27/2012
Precedence: ROUTINE
FEDERAL BUREAU OF INVESTIGATION
(Rev. 05-01-2008)
To: Cyber
CONFIDENTIAL//FGI ROU/REL TO USA, ROU
b1b3
2
CONFIDENTIAL//FGI ROU/REL TO USA, ROU
To: Cyber From: Bucharest
Re: 163L-BO-893, 06/27/2012
3
b1b3
CONFIDENTIAL//FGI ROU/REL TO USA, ROU
To: Cyber From: Bucharest
Re: 163L-BO-893, 06/27/2012
CONFIDENTIAL//FGI ROU/REL TO USA, ROU
b1b3
4
CONFIDENTIAL//FGI ROU/REL TO USA, ROU
To: Cyber From: Bucharest
Re: 163L-BO-893, 06/27/2012
CONFIDENTIAL//FGI ROU/REL TO USA, ROU
5
CONFIDENTIAL//FGI ROU/REL TO USA, ROU
Read and clear.
AT EURASIA UNIT, DC
INTERNATIONAL OPERATIONS
Set Lead 3: (Info)
Read and clear.
AT JACKSONVILLE, FL
JACKSONVILLE
Set Lead 2: (Info)
conduct searches of relevant datasets and provide any information on the channels #OpRomania and #tangodown. Also, provide any information on planned attacks on Romania due to the recent arrests of Anonymous Romania members if encountered.
AT PITTSBURGH, PA, CIRFU
CYBER
Set Lead 1: (Action)
LEAD(s):
To: Cyber From: Bucharest
Re: 163L-BO-893, 06/27/2012
CONFIDENTIAL//FGI ROU/REL TO USA, ROU
UNCLASSIFIED
b6b7C
Although Legat Bucharest would have liked to work towards [redacted] extradition to the United States to face prosecution, due to the extradition treaty between Romania and the United States (US), he cannot be extradited until all legal proceedings in Romania, including the prison sentence, are complete. Once judicial authority has been requested in a
b6b7Cb7D
[redacted] The prosecutor placed two of the subjects under arrest including the primary suspect implicated in the Lake County Sheriff's Office (LCSO) computer intrusion, [redacted]. The other person arrested was [redacted].
b6b7Cb7D
Synopsis: Provide details of arrest and case update.
Details: On 5/29/2012 [redacted]
Title: ANONYMOUS ROMANIA
b6b7C
From: Bucharest
Contact: ALAT [redacted]
Approved By: [redacted]
Drafted By: [redacted]
Case ID #: 163L-BO-893 (Pending)
288A-JK-53354 (Pending)
Attn: Eurasia Unit, SSA [redacted]
International Operations
Jacksonville
b6b7C
To: Cyber
Attn:
Date: 06/25/2012
Precedence: ROUTINE
FEDERAL BUREAU OF INVESTIGATION
UNCLASSIFIED
(Rev. 05-01-2008)
Attn:
2
UNCLASSIFIED
Romanian investigation, such as a search warrant, the police are unable to pass the case to another jurisdiction for prosecution. Additionally, because Romania charged the LCSO in their indictment, extradition proceedings would face a more fundamental double-jeopardy issue in both the US and Romania.
To: Cyber From: Bucharest
Re: 163L-BO-893, 06/25/2012
UNCLASSIFIED