The Dark Game
While the CIA and FBI investigations were under way, Ames continued to spy. He did change his tactics, however, curtailing face-to-face meetings and relying instead on “signal sites” and “dead drops” to conduct his business. When Ames had documents to deliver to his handler, he would leave a mark at a signal site, often a simple chalk mark on a U.S. mailbox. The signal meant that his handlers could go to the dead drop that corresponded to that signal site to pick up the documents. A dead drop is an out-of-the-way spot where documents and cash could be left, such as a drainage pipe ($30,000 in one-hundred-dollar bills is only about an inch and a quarter thick) in a secluded part of a park. When the Soviets had payment for the spy, they used the same signal site to let him know it could be retrieved at the dead drop. Their signal sites and dead drops were known by code names, such as Smile and Hill (signal sites), and Bridge and Ground (dead drops).
The ongoing CIA–FBI investigation, begun in 1986, was marked by numerous dead ends and promising leads that turned out to disappoint the mole hunters. By the summer of 1987, the head of the CIA special task force was forced to concede that they needed to go “back to square one.” The mole hunt was not renewed until 1991.
There does not seem to have been any one specific reason that the CIA wanted to reopen the case with the FBI. As one agent put it, the case was “always there and it was always an open wound that we wanted to solve.”
By August, the CIA had identified 198 employees who had access to the pertinent documents. They flagged twenty-nine employees, including Ames, as priority targets. Ames’s name rose to the top of each investigator’s list, since, in addition to having access to files involved in the loss of agents, the investigators were not satisfied with the explanations for his sudden wealth. Ironically, though, Ames had passed a routine polygraph test earlier in the year. In November, the CIA/FBI unit interviewed Ames. Those involved in the interview came away feeling uneasy about Ames. They discovered that several meetings between Ames and Chuvakhin went unreported to his supervisors, a violation of CIA rules. With this new bit of information, the investigators decided it was time to intensify their scrutiny of Ames.
As they did, the evidence piled up, especially concerning his wealth. But the real breakthrough came when Sandy Grimes, an experienced officer in the Soviet Division of the CIA, compared the dates of the meetings between Ames and Chuvakhin with the dates of his large bank deposits. She discovered that Ames made many of his cash deposits right after meetings with his handler. Next they discovered Ames’s Swiss bank accounts. By October 1992 the joint unit was confident that Rick Ames was a Soviet mole. They gave him a code name: Nightmover.
The FBI began a closer investigation of Ames, initiating electronic surveillance of his home and office. They installed a tracking device on his car. When they searched his office at Langley, they discovered 144 documents that were not related to his CIA assignments. In June the FBI tapped the phones in Ames’s house. Two months later they decided to launch a “trash cover” of the home. They didn’t need a search warrant to search his garbage because it was outside the home and considered fair game. The plan called for a CIA van to cruise slowly past the Ameses’ house in the dark of night, while agents dragged his trash can into the van and quickly replaced it with an identical can. Although some of the agents were worried that Ames might have sensed that the investigation was focusing on him, the Bureau carried out its operation. It paid immediate dividends when they found a crumpled sticky note.
According to an FBI “translation,” this message, which was determined to be in Ames’s handwriting, said that Ames was ready to meet his handler in Bogotá, Colombia, on October 1. He would be away on CIA business on September 13 to 19, so he would not be able to pick up any messages. He asked the KGB to leave a signal at North (a telephone pole) or to leave a message at the dead drop Pipe if the meeting was canceled.
The damning evidence in this note was enough to allow the FBI to move to the next level of surveillance. When Ames and his family left for a family vacation on October 9, 1993, the FBI moved into the home and conducted a thorough search. As one agent said, “The best stuff we got was from the hard drive of his computer.” All pertinent information was downloaded and copied to floppy disks. Although the phones in the house had been tapped since midsummer, the FBI now planted listening devices throughout the house. In a few hours, the FBI team was gone.
With Ames’s phones tapped and his house bugged, there was little he or his family could say or do that would escape notice by the FBI. The evidence against Ames grew. Still, the FBI hoped for more and kept Ames under constant physical surveillance. However, in early 1994, the FBI received word that the CIA was sending Ames to Moscow to participate in a conference on drug trafficking. Knowing that they could not postpone his trip without rousing Ames’s suspicions, and fearful that the mole might defect once he was on Russian soil, the FBI decided that it was time to arrest Rick Ames.
On February 21, 1994, Ames left his family at home while he drove to his office to get a few things he needed for his trip to Russia the next day. On a one-way street about a block and a half from his home, he pulled his new red Jaguar behind a car stopped at the stop sign. The car next to that one was ready to turn left. But, for some reason, neither moved. Before Ames could figure out why, he saw cars with red lights flashing pull up behind him. Two men in suits stepped out of one of the cars and approached Ames. The spy rolled down his window and both men flashed their picture identity cards. “FBI,” one of them called. “You’re under arrest. Get out of the car.” Ames stepped out of his car. He was turned around and handcuffed. The arrest of Aldrich Ames took less than sixty seconds.
What motivated this career CIA agent to become a mole for the Soviet Union? In interviews after his arrest, Ames claimed that he considered this first exchange with the Soviets to be a one-time deal. He did it for the money. He called it “running my little scam,” in which he would give the Soviets the names of agents and their cash would solve his financial difficulties. He also rationalized his betrayal by saying that he was really giving the KGB names that they already knew, since they were Soviet agents that the CIA had turned. In Ames’s mind, the KGB already knew that the agents were spying for Russia. They just didn’t know that they were now double agents. Ames was eager to sell this information to the KGB.
The case of Aldrich Ames pointed out many defects in the operations of the CIA. By the time Congressional hearings were over and Ames was locked away for life with no chance for parole, R. James Woolsey Jr., the director of the CIA, had resigned. Congress demanded that the agency clean house and revamp procedures to ensure that the likes of Ames could not penetrate the CIA again. No one knew at that time, but the FBI, instrumental in tracking down the CIA mole, would soon need to investigate a mole of its own.
IT SEEMS THAT A WEEK doesn’t go by without news about computer hackers stealing massive amounts of information from supposedly secure databases. We read stories of computer viruses, worms, and Trojan horses that affect millions of computer users. Computers have become another target for thieves and spies who are looking for information that will give them or their employers valuable intelligence. It should come as no surprise that cyber espionage has grown right along with the popularity and sophistication of computers. With some elementary software and a few clicks of a mouse, spies can sit in front of their computers and spy on computers thousands of miles away. The GhostNet episode serves as a cautionary tale of cyber espionage.
In the spring of 2008, members of the Dalai Lama’s government-in-exile in three locations in Dharamsala, India, had reason to believe that their computers had been compromised. They asked the Information Warfare Monitor (IWM) to investigate. IWM includes researchers from the Munk Centre for International Studies at the University of Toronto. Collaborating in the investigation were researchers from Cambridge University, in the U.K., and Dartmouth College.
An exhaustive ten-month investigation revealed shocking information about GhostNet, the name given to the huge cyber spying operation. The researchers discovered a network of nearly 1,300 infected host computers in 103 countries. Nearly 30 percent of the infected computers were considered high-value targets, such as computers in ministries of foreign affairs, embassies, international organizations, and news media outlets. The targeted computers were spread throughout the world, in places like Iran, Brussels, South Korea, Portugal, and Pakistan. The investigators also found the control interfaces that allowed the spy (or spies) to send instructions to, and receive data from, compromised computers.
How was such a spy system possible? It all started when a Trojan horse, a malicious program disguised as something harmless, known as gh0st RAT was sent to the computers at the Dalai Lama’s headquarters as an attachment in a legitimate-sounding e-mail. When the attachment was opened, gh0st RAT installed itself on the computer and gave the spies access to everything on it, including any e-mail address book, which supplied them with the contacts they needed to send the Trojan horse to still more computers. In computer language, RAT means Remote Access Trojan; it gives the hacker a back door into the infected computer, allowing the hacker to do all sorts of malicious things.
gh0st RAT gave its operators access to the files and information on the infected computer. It kept track of keystrokes, recording whatever the users typed. It could even turn on a webcam and take a picture of the persons using the computer, and turn on the microphone to record conversations! Cyber spies could use GhostNet to gather files and e-mail contact information, lists of meetings and the names of who attended, organizational budgets, and lists of visitors. In other words, it was an espionage gold mine. What made this particular case of cyber espionage so difficult to combat was that the malware was hidden inside the documents attached to the e-mails, which made it difficult for commercial anti-virus programs to detect the problem. In fact, only about a third of the thirty-four anti-virus programs used to detect such hacking could find the malware hidden in the document.
As one computer expert put it, while the tools used to breach the Dalai Lama’s walls were “relatively simple, the social engineering bit is quite meticulous.” In other words, the hackers studied the types of e-mails and documents that the government-in-exile received, then took pains to create bogus e-mails and attachments that appeared to be real. When opened, the documents looked and sounded real, but they contained hidden code that would download and install software that would serve the spies.
The investigation discovered that all the information gathered in GhostNet was sent to remote servers in China, although IWM stopped short of accusing the Chinese government of masterminding GhostNet. However, researchers at Cambridge University who focused on the computers at the Office of His Holiness the Dalai Lama dubbed the spy network the “snooping dragon” and indicated that Chinese government and intelligence services were the masterminds behind the hacking.
Other researchers believed that, while the hacking may have been done by private citizens in China, it seemed unlikely that it could have been carried out without the knowledge (and possibly approval) of the Chinese government. The Chinese embassy in London denied having anything to do with GhostNet, calling the investigation and its findings “a propaganda campaign.” The Chinese consulate in New York called any suggestion of China’s involvement “nonsense.” Nonetheless, within a day after China denied any complicity in GhostNet, the servers that had been gathering intelligence went offline.
Robert Hanssen’s life path took many twists and turns before he settled on a career in the FBI. He grew up in Chicago in the 1950s, the son of an emotionally abusive and demeaning father. Hanssen spent his life trying to measure up to his father’s expectations. A bright student who excelled in science, Hanssen lacked the social skills of his friends and was uncomfortable with other people. Yet underneath his awkward exterior was a risk taker. He enjoyed the rush he got from pushing the limits, such as by driving his car as fast as he could before slamming on the brakes and sending the car into a crazy spin, often to the terror of the friends riding with him.
After college, Hanssen worked as an accountant for Sears, but he soon quit when he found the work unbearably boring. He decided to become a Chicago police officer, like his father. Hanssen worked in the early 1970s as a member of C5, the internal affairs unit, whose job was investigating other cops. When he found the job unsatisfying, he applied to work for the FBI. He was rejected the first time he applied because of bad eyesight, but he was accepted on his second try. On January 12, 1976, Robert Hanssen began his training at the FBI Academy at Quantico, Virginia.
Hanssen served his first two years with the FBI as a field agent in Indiana but was transferred to the New York City office in 1978. Despite the excitement of working in such a dynamic international city, Hanssen grew disillusioned with the bureaucracy of the FBI. He hadn’t worked for the Bureau very long before his arrogance began to show itself. Hanssen considered most of the other agents, as well as his supervisors, to be his intellectual inferiors.
One evening in 1980, Hanssen’s wife, Bonnie, returned home unexpectedly from errands and found her husband trying to cover up a pile of cash. She was dumbfounded. Hanssen told her part of the truth, that he had received the money from Soviet military intelligence officers for useless information that he had passed on to them. The truth was grimmer than Hanssen’s fiction. He had turned over to the Soviets the identity of Dmitri Polyakov, a Soviet general who had been a mole for the FBI for more than two decades, operating under the code name Tophat. Hanssen’s “useless” information led to Polyakov’s execution by the Soviets.
Believing her husband’s lie, Bonnie was still horrified that her deeply religious husband would have any dealings with the Communists, even if he had duped them. She didn’t know what to do. She finally decided that he needed to seek help from the parish priest. Reluctantly, Hanssen did so. He then apologized deeply to Bonnie, begging her to forgive him. She did, believing that his dealings with the Communists were behind him. Little did she know that they were just beginning.
As the next few years passed, Hanssen became even more disillusioned with the Bureau, feeling more like an outsider than ever before. When he was transferred to the Budget Unit, his disgust for the bureaucracy and its old-fashioned methods grew. He frequently mocked the seriously outdated computer system. He had contempt for the Bureau’s leaders, fantasizing instead about the “bold, brave FBI agent in the dark suit,” acting on the orders of J. Edgar Hoover, the FBI’s legendary director.
Robert Hanssen did little to become a more likable or approachable fellow, and his social skills had not improved much from his high-school days. He rarely participated in conversations. Other agents made fun of him, calling him the Mortician or Dr. Death because he always wore dark suits. Agents remembered him as “an oddball out” and “very dour.” He had “fairly long, canine teeth that would give him a vampire-like appearance.” And, as one of his administrators said, he was “one of the smartest FBI agents I ever met.”
Hanssen was grateful that his wife had accepted his apology, but her forgiveness also gave him a second chance to spy. He realized that he needed to operate much more carefully. He still felt the sting of the embarrassment of getting caught and vowed that it would never happen again. He decided to work for the KGB and do whatever he needed to do to protect himself from discovery. Even as he mapped out his safeguards, Hanssen convinced himself that he could live the fantasy life of a spy who would prove himself to be smarter than both the FBI and the KGB.
Hanssen made his initial contact with Victor Ivanovich Cherkashin, the number-two KGB agent in Washington. Although Hanssen had no way of knowing it, Cherkashin was also Aldrich Ames’s handler. Hanssen wrote a letter to Cherkashin, but, true to his promise to himself, he was very careful with the first step in his new double life. First of all, he mailed the letter from a Maryland suburb of Washington, D.C., rather than from New York, where he was then posted. He had been in the capital on Bureau business, so it was easy for him to drive over to Maryland and mail the letter, which he hadn’t signed. Hanssen made sure that the letter and its envelope bore no marks that would tip off the Bureau agents, who were always watching Cherkashin. To add another layer of protection, he addressed the letter to the home of Victor M. Degtyar, another KGB agent. Inside that envelope was a second envelope with the name of Victor Cherkashin on it as well as a clear warning: DO NOT OPEN. TAKE THIS ENVELOPE UNOPENED TO VICTOR I. CHERKASHIN. And it was in that envelope that Hanssen divulged information that he hoped would establish him as an inside player with formidable sources. Hanssen included:
The names of three KGB double agents (All three were recalled to Moscow. Two were executed, while the third was banished to a labor camp for fifteen years.)
Information about a top-secret information collection operation
News of the Bureau’s electronic eavesdropping operation targeting Soviet communications
So it was that Robert Hanssen took a big step on the road of betrayal.
After considering the methods of delivering information, Hanssen developed a system of signal sites and dead drops that prevented face-to-face meetings between him and his handler. For example, Hanssen marked a mailbox on a street corner not far from his home with a small piece of masking tape or a short line drawn with a piece of chalk to let his handler know that there was a package waiting for him. Hanssen’s handler watched for the mark, then furtively removed it and went to the dead drop to pick up a bundle of secret documents. Hanssen had developed about a dozen dead drops, each code-named, including Bob, Charlie, Doris, Ellis, and Grace. One of his favorite dead drops was Ellis, a footbridge in a park not far from his home.
When Hanssen did have written communication with his handler, he encoded times and dates with what is called the “minus 6” formula. Here’s an example of a passage that Hanssen included at the end of one of his letters: