Sacramento, California - Matthew Keys, 29, former web producer and network site administrator for KTXL FOX40, a Sacramento television station, was sentenced Wednesday to two years in prison for inciting, assisting, and conducting a weeks-long campaign of online attacks against FOX40 and The Los Angeles Times, United States Attorney Benjamin B. Wagner and FBI Special Agent in Charge Monica M. Miller announced.
On October 7, 2015, following an eight-day trial, a jury found Keys guilty of one count of conspiracy to make unauthorized changes to the Tribune Company’s websites and damage its computer systems, one count of transmitting malicious code, and one count of attempted transmission of malicious code.
At sentencing, United States District Judge Kimberly J. Mueller stated: “Ultimately, his downfall came from playing his former employer against Anonymous, while holding himself out as a professional journalist. … The mask that Mr. Keys put on appeared to allow a heartless character to utter lines that are unbecoming a journalist.” Judge Mueller ordered Keys to begin serving his sentence on June 15, 2016.
“Although this case has drawn attention because of Matthew Keys’ employment in the news media, this was simply a case about a disgruntled employee who used his technical skills to taunt and torment his former employer,” said U.S. Attorney Wagner. “Although he did no lasting damage, Keys did interfere with the business of news organizations, and caused the Tribune Company to spend thousands of dollars protecting its servers. Those who use the Internet to carry out personal vendettas against former employers should know that there are consequences for such conduct.”
“Matthew Keys will spend the next two years in prison,” said Assistant Special Agent in Charge Tom F. Osborne. “This sentence serves as a warning that those who engage in this type of behavior face harsh penalties.”
According to evidence produced at trial, Keys was a site administrator for FOX40’s access to Tribune Company’s content management system (CMS). Tribune Company’s various broadcast and print media properties all used the CMS to publish their news content on the Internet. Keys had an argument with his supervisor on October 28, 2010, after which time FOX40 terminated Keys’ CMS user account, and Keys never returned to work. Secretly, Keys had maintained an unauthorized access point through a set of unauthorized “super user” credentials.
In his own words, Keys later admitted that he was “angry” and “hurt.” Initially, he refused to relinquish control over the station’s Twitter and Facebook accounts. On November 3 and November 22, 2010, Keys used his unauthorized CMS access to download the email list of FOX40 viewers who had given the station their personal information as part of a rewards program. Then, beginning on December 1, 2010, Keys used that list to send anonymous emails denigrating the station and implying that viewer information was not secure. Simultaneously, Keys sent anonymous emails to his former supervisor at FOX40 taunting him that Tribune Company’s CMS was not secure and that corporate information security cannot defend against an insider who decides to “go rogue.” During this time, Keys also used his unauthorized network access to repeatedly deactivate the credentials of the person who took over his duties at FOX40.
According to the evidence at trial, on December 8, 2010, Keys, using the moniker “AESCracked,” appeared in chatrooms used by Anonymous. This was during the time of “Operation Payback,” when Anonymous initiated attacks on various entities that had acted against the interests of WikiLeaks. In the Anonymous chatroom, Keys posted super user credentials to the Tribune Company CMS and exhorted those present to “go f--- s--- up.” He instructed those present on what Tribune Company’s “bread and butter assets” were and what media organizations should be targeted for the “largest impact.” Keys also tutored Anonymous members on how to navigate the CMS and create super user credentials that blended in more easily on the network.
Anonymous did not immediately use the credentials for malicious purposes, and Keys spent the next few days advocating an attack on Tribune media properties. When one member said he was researching the network, Keys responded, “I did not give you those passwords for research. I want you to f--- s--- up.” On December 9, 2010, Keys posted a link to a Los Angeles Times story critical of WikiLeaks and characterized it as “yet another reason why the Times must be demolished.” On December 10, 2010, when a member of Anonymous stated opposition to attacking a media site, Keys replied, “FOX News is not media, it’s ‘infotainment’ for inbreds. I say we target them.”
At the same time that he was instigating an attack against Tribune Company and the Los Angeles Times, Keys sought credit as a journalist for predicting it. On December 12, 2010, in an email and a recorded telephone conversation, Keys declared that he had acquired “documents pertaining to future operations,” including “operations” against The Los Angeles Times.
On December 14, 2010, an Anonymous member who used the moniker “Sharpie” used backdoor credentials to deface a story on the website of the Los Angeles Times. What readers noticed on the front side of the CMS was limited because editors quickly noticed what had happened. They were able to repair the defacement within 40 minutes of the desktop site and a day on the mobile site. The next day, Keys tried to help Sharpie put up altered front-page layouts on several Tribune Company properties, but failed.
Keys’ actions involved disclosure of super user credentials and required the Tribune Company to conduct a damage assessment that lasted to late January or early February of 2011. Five high-level Tribune Company information technology professionals testified at trial that they and their subordinates spent an urgent night searching for and deactivating unauthorized credentials on the CMS. They reset every password on the network. Information security then spent weeks assessing the extent of the compromise and how the breach had occurred. They did not know whether CMS server logs themselves had been altered and whether even the authentication system itself had been compromised. Information security managers had to review whether the attack had changed archived news stories, changed newspaper circulation information, accessed payment systems, or altered the systems that printed actual newspapers. According to trial testimony, this involved “literally hundreds of servers with thousands of pages and archives and things of that nature.”
The case was the product of an investigation by the Federal Bureau of Investigation. Assistant U.S. Attorneys Matthew D. Segal and Paul A. Hemesath of the Eastern District of California and Deputy Chief James A. Silver of the Criminal Division’s Computer Crime and Intellectual Property Section (CCIPS) prosecuted the case.