By Patrick Gower
So the mystery around the hacker who got into Murray McCully's emails continues.
Documents released under the Official Information Act show spies from the Government Communications Security Bureau believed it was the hacking group "Anonymous".
The documents date from April 2011, soon after the hack was discovered.
And remember Anonymous have never taken responsibility publicly - although John Key today seemed adamant it was them.
But in February this year someone else did - some chap calling himself "Yuri Petrov".
So who is this Yuri Petrov?
And why has he recently resurfaced in a seemingly clumsy bid to disguise his tracks?
One thing we know for certain about Yuri is he had some of McCully's emails - he provided me with a handful later released on the internet.
Other than that it's all speculation.
Yuri himself claims he was the Russian "Black Hat" hacker on the hunt for military secrets.
Another theory is that he was an MFAT insider who decided to release the emails under the cover of the hack to embarrass McCully.
And some Wellington lefties have even advanced the theory that it was McCully himself - now that's what you call a conspiracy.
All these theories seem far-fetched to my mind - it's probably something in between all of them.
What I can say is how I came into contact with Yuri - it was through Twitter.
- If you have any information about the McCully hacker or Yuri Petrov, email me: pgower@mediaworks.co.nz
After Vernon Small's story on the McCully hack broke I put out an all points bulletin looking for "Anonymous".
At that point I was contacted by someone who said they knew who did the hack and we began corresponding.
This person - whose Twitter identity no longer exists - acted as an intermediary.
Importantly, it was clear from reading their Twitter stream that they had a long interest in hacking, and were likely from New Zealand.
Eventually "Yuri" emailed me - claiming to be a Russian, from a hacking group called "the Comrades".
He released a series of emails to me in order to prove that he was the hacker - and later put them up on the internet.
I worked with some computer security experts from a reputable company to see if we could get any clues as to the veracity of his story or otherwise - they found it could be either true or false.
The hunt went on with lots of people trying to figure out where Yuri was from - essentially to see if he lived closer to Mount Vic than he did to Moscow.
Then Yuri disappeared.
And just as suddenly he popped up again last week. Once again - plenty of emails, no phone calls.
This latest reincarnation came with a Russian email address and a Russian website for the Comrades.
It's in English and Russian and shows a series of other hacks they were supposedly involved in - Vodafone, the National Security Agency and so forth.
Were "the Comrades" the real deal?
Well, unlikely once the computer security experts and I drilled down into it.
The information on the Comrades website all appears to be in the public arena.
For example, from a little bit of effort:
- The US Department of Justice audit report appears to be a public version of the document. It's readily available to the public.
- The information listing IP address ranges for a variety of organisations could also come from public sources, as IP address ranges are listed in publicly accessible registries.
- The list of NSA email addresses is the same as a list released earlier in the month, but credited to others.
- The default passwords listed for Vodafone routers/modems are all available elsewhere on the Internet too.
- The list of 2619 CIA sources is an old list publicly available elsewhere.
- The list of 4000 personal address details for the NSA is in the same document referred to above, which contains the email addresses.
- The list of 10,000 Structured Query Language websites can be found elsewhere.
- The US Military Code Words list is a version of a public document. The version shown isn't the public release, but is available elsewhere.
- The list of Public Security, Intelligence Operatives for Japan has been released elsewhere.
- And of course while the website is based in Russia, a Russian email address doesn't necessarily mean these are Russians using it.
But all this raises questions about the McCully hack:
- If it was Anonymous, why have they not taken responsibility publicly? Surely this amorphous group has nothing to lose?
- Why is this Yuri Petrov suddenly going to some length to act like a Russian hacker?
- Where is the rest of the material? And will it ever surface?
But the real question that remains is this: Who is Yuri Petrov?
Well, all I really know is it isn't the Russian international footballer.