He calls himself Abdilo. He’s bragged online about hacking into websites on three continents, daring the authorities to catch him.
Now the U.S. Secret Service is trying to find out whether the boastful blogger — said to be a 16-year-old Australian — is behind a massive computer security breach at Metropolitan State University in St. Paul.
Two weeks ago, police raided the Queensland home of the “infamous Australian teen hacker,” as one local news report put it.
The suspect, who has not been publicly identified, has claimed responsibility for a four-month hacking spree that targeted at least one nuclear power organization in Australia, as well as police, government and college websites in his own country, the United States and Britain.
In the process, he attracted the attention of the Minneapolis field office of the Secret Service, which is investigating the Metro State incident. Louis Stephens, special agent in charge, said this week that his agency is working with Australian authorities to determine whether “an Australian teenage hacker utilizing the online alias ‘Abdilo’ is responsible for this and other data breaches.”
Since Metro State discovered that its computers had been hacked in December, it has been scrambling to assess and contain the damage.
This week, after a monthslong investigation, the school announced that the hacker had exposed the personal information of some 160,000 people, including faculty and students, dating back almost 20 years. Some of the data included full or partial Social Security numbers. But so far, there’s no evidence that anyone has used the information for nefarious purposes, says Devinder Malhotra, Metro State’s interim president.
Although he’s heard reports about the teen hacker, he says there’s no proof yet who was behind this “criminal act.”
It was the blogger himself who first blew the whistle. In December, Abdilo wrote a blog post claiming he had hacked into Metro State’s website, among dozens of others. A cyber security firm, which monitors the Web for threats, stumbled across it and notified the university. When the school checked out the claim, it discovered that it had in fact been hacked.
Faisal Kaleem, a computer security expert who teaches at Metro State, said he first learned about the incident from an all-campus e-mail alert in January. Curious, he set out to track down the hacker. He found Abdilo’s profanity-laced blog site, buried deep in the Web’s netherworld, in a matter of minutes.
On the blog, Abdilo wrote that he decided to break into various websites to “see if I got away with it.”
“What most people think is when you attack .edu, .gov and .mil [sites] you get arrested instantly. I decided to test that,” the blogger wrote.
“Here are some of the sites I messed with:”
Yale (“So easy”).
Harvard (“was a challenge but they are dumb”).
Princeton (“LOL easy”).
Why Metro State, a public university in St. Paul? “I broke into you cause i like 22 jump street,” he wrote — an apparent reference to the 2014 film, about undercover cops at a fictional school called Metro City State College.
Kaleem, an associate professor of computer sciences, was struck by the brazenness of the blogger. “It’s basically like a ticket to jail,” he said. “He’s saying that ‘I did it.’ ”
At one point, Abdilo actually live-streamed one of his hacking sessions, according to an Australian news report in January. The report, on abcnet.au, said Abdilo “was showing off his hacking skills to anyone who wanted to watch.” He demonstrated how he broke into American education websites, the report said, and displayed a video stream as databases “spat out people’s private information.” In an Internet chat with the news site, Abdilo said he wasn’t worried about the police.
Kaleem, who teaches courses on cyber security, said the blogger’s braggadocio reveals that he’s probably not an “elite hacker” — the kind who spy on corporations or governments.
“It looks like he wanted to brag about his skills,” he said.
Technically, though, it wasn’t all that difficult to find the weaknesses in these websites, Kaleem said. “There is a plethora of all these ready-made tools that are available online that you can download for free,” he said. The programs can search a website to see whether it’s vulnerable to attack, and if so, steal information before anyone notices.
That’s essentially what Abdilo did, he said. Metro State has said it has since uncovered the flaw in its computer security and fixed it.
Beyond bragging rights, what might motivate someone like Abdilo?
One possibility, of course, is money. “Just imagine,” said Kaleem, “if he were to sell all this information to the organized crime outlets, that could have been a disaster.”
In Abdilo’s case, that doesn’t seem to be the primary motivation, he noted. Yet the hacker claimed, at one point, that he tried to sell his covert access to an insurance company’s website for $5,000, but that the company “fixed it just before I was about to sell it.”
Young hackers, though, may not be in it for the money, experts agree.
“There’s a certain kind of macabre fantasy to it all,” said Cameron Camp, a cybersecurity expert at ESET North America, a San Diego firm that makes software to protect against “cyber criminals.”
For a bored teenager, he said, it can be an ego boost. “It’s this weird thing where you think, hope, somebody takes notice and says, ‘Hey, that’s the smartest kid we’ve met.’ ”
They may fantasize that someone will hire them for their computer savvy, Camp said, but it rarely works out that way. He compares it to bragging to the police about speeding. “It feels good for a second. But then there’s that other part, where they come get you.”
From all appearances, Abdilo apparently thought he had outsmarted the authorities. But the recent police raid, notes Kaleem, suggests that his assumptions “have been proven to be false.”
Even if this hacker is caught, there’s little doubt that others could take his place.
“There’s a lot of 16-year-olds out there,” said Camp. “There’s less than that number inside the university working to defend it.”
That’s the challenge for any organization, he adds. “The 16-year-old only has to be right once. You have to be right all the time.”
Maura Lerner • 612-673-7384