How the Sophos Managed Threat Response team helped put a dangerous online sextortionist behind bars for 75 years

Tags: Security Operations, sextortion, Sophos Managed Threat Response (MTR)

Disclaimer: The security company that assisted in the investigation, and played a supporting role contributing to the ultimate apprehension of Brian Hernandez, was Rook Security, which was acquired by Sophos in 2019 as the operations kernel of Sophos’ MTR service.

Earlier this year, 30-year-old Buster Hernandez, aka “Brian Kil,” was sentenced to 75 years in prison after pleading guilty in U.S. court to 41 counts of, among other charges, threats to kill, kidnap and injure; coercion and enticement of a minor; and production of child sexual abuse images. The crimes amounted to what prosecutors called psychological torture of children, with the judge presiding over the case labeling Hernandez as “one of the most prolific sextortionists in American history.”

Rook was involved in the case, working more than 1,100 hours behind the scenes with state and local police, the FBI and numerous Silicon Valley partners to help bring down Hernandez. It was a truly collaborative effort that highlighted the kind of good work the cybersecurity community can achieve when banding together. Here’s what happened.

The case

Over a period of at least five years, ranging from 2012 to August 2017, Hernandez, using the alias “Brian Kil,” terrorized hundreds of alleged victims – most of them minors – as part of a nationwide sextortion scheme.

Each assault began with the same coercive script, which opened with the victim’s name and a claim to have compromising pictures of them. Using the Tor network to disguise his IP address and location, Hernandez would send this scripted message to hundreds of minors, typically between the ages of 12 and 15, blackmailing his victims into sending him explicit photos and videos.

This went on for years. It was only when Hernandez set his sights on a teenage girl in Plainfield, Indiana, that the case rose to a dangerous new level and caught the authorities’ attention. Hernandez had previously harassed and threatened his victims over social media, particularly Facebook, and for this girl, too, he posted sexually explicit photos of her onto one of his many Facebook accounts. But within these messages he also began making bomb and shooting threats against the victim’s high school, another school, a Walmart supermarket, and a mall, prompting closures at all four facilities. These threats compelled local police to contact the FBI for help in December 2015, ultimately leading to his arrest in August 2017 after federal agents ensnared him in a scheme developed by Rook.

The Rook digital forensics and NIT strategy that brought down Hernandez

Word of Hernandez’s terrorist threats traveled fast through the community, and made their way to the Indiana-based team at Rook. After reaching out to a contact in the FBI, Rook was quickly pulled in to collaborate with a joint cyber task force consisting of state and local police, and the FBI.

Hernandez’s threats raised the case to the level of “exigent circumstances,” meaning imminent harm and threat to life. When cases are elevated to that level, they cross a threshold where organizations – like telecom companies, internet service providers and social media companies – are legally compelled to prioritize and reply to requests for assistance. Rook was able to help further ensure that these vital requests got to the right people immediately, leveraging their Silicon Valley ISSA relationships with particular file transfer services, telecom carriers, and social media platform companies. If the only thing it takes for evil to triumph is for good people to do nothing, as the expression goes, then this was just the opposite: the cybersecurity community came together to help stop Hernandez as fast as possible.

In his extortion scheme, Hernandez had created multiple Facebook accounts, posting the same threatening messages to different victims. Rook attempted to back-trace his IP addresses and proxies through these accounts, but discovered he was using a combination of Tor and the privacy-focused portable operating system Tails to mask his real location. In a traditional case, when someone commits a crime on a digital platform and you have the evidence of that crime, you can subpoena the platform’s records for the culprit’s IP address. Then you cross-reference that with the carrier’s records of who was using that IP address at the time of the crime. Once you have that, you begin the physical investigation for attribution – obtaining a warrant and deploying tactics to catch the suspect in the act of committing the crime. Getting that attribution right is what’s vital to bringing down cybercriminals.

Here’s how the Rook team developed their digital forensics approach for bypassing Hernandez’s security measures and attributing his crimes directly to him:

  • They created a social map linking together his multiple Facebook accounts, as well as identifying the accounts he was interacting with, including those of the victims he was extorting. The FBI supported these victims, and some agreed to help catch the then-unknown Hernandez.
  • While it’s typically not possible to back-trace an IP address through Tor, Rook, working with cooperating victims, developed a network investigative technique (NIT) that could do just that. They then facilitated an approach for delivering that NIT.
  • One of the cooperating victims was being extorted into sending a video. She agreed to create a fake video, which would carry the NIT. The video itself was nothing explicit – to Hernandez’s eyes, it would start to play as what he was expecting, but then the picture would fade out. But by playing the video, Hernandez would unwittingly reveal identifiers about his IP address and system.
  • That NIT unmasked his IP address in a manner that bypassed Tor and Tails obfuscation layers. Ironically, it was a TTP usually associated with malware operators: a command-and-control beacon set to a predefined IP address and signal, created specifically for this one use-case. So Rook knew that when they got a signal from the beacon, it could only be Hernandez’s IP address. That linked the extortion to this specific IP address.
  • At the same time, a telecommunications carrier was working with Rook in real time to link his IP address, once confirmed, to a physical address. Unfortunately, on this first use the NIT worked as intended, but the address it revealed was in a shared IP space on a cell tower, where it wasn’t possible to identify the unknown subject without compromising the privacy of others on that same tower, and the team had to regroup.
  • At a later date, the same technique was used again, as has since been publicized. This time the NIT revealed a usable IP address, which led to the need for pure attribution – i.e., making it irrefutable that the suspect was the only one in the home at the time a crime was being conducted from that address, from a specific system, with a unique IP address, at that exact time. Establishing all of these is important to leaving no doubt as to who the perpetrator was.
  • To accomplish pure attribution, the FBI used tactics out of a movie: obtaining a utility truck and parking it on his street as cover for installing cameras up on a nearby power pole for monitoring the house. The cameras were able to prove he was the only one at home at the time his crimes were being committed – in other words, that he and he alone could be the only one responsible.

From there, the US Attorney’s Office was able to bring this criminal’s years-long online reign of terror to an end. It was an amazing collaborative effort, in which the Rook team helped put a stop to Hernandez’s crimes with him now behind bars for the rest of his life.

This case was a testament to the individuals in the communities, law enforcement and the cyber security community who banded together to do what was right and stop what was wrong. According to those team members directly involved, it was an honor and a privilege to be able to help on this case.

How to protect loved ones from similar attacks

To prevent your loved ones from being victimized by similar crimes, consider some of the below practices:

  • Teach your kids about the sort of social engineering methods that online attackers may use to extort their victims (e.g. the phony scripts about explicit material).
  • Just as importantly, make sure they know that if they ever end up on the receiving end of such an attempt, they can come to you for help and don’t need to suffer in silence over it.
  • Never continue providing compromising material or content to an attacker. Even if it feels like the only way out of that situation (and it isn’t), it will only give the attacker more leverage over you.
  • Disengage from the attacker.
  • Report such incidents to local law enforcement and the FBI tip line: https://www.fbi.gov/tips
