Hacker, Hoaxer, Whistleblower, Spy
Page 21
Let’s fast forward to February 5, 2011, when Anonymous uncovered a corporate plot devised by Washington, DC–based security firm HBGary Federal to spy on and disrupt WikiLeaks. Given the digital nature of contemporary documents, there is no longer a need to leave the comfort of one’s home, much less break into some office space, to access secret documents. Working together on IRC, Anonymous hackers penetrated the HBGary computer system and downloaded seventy thousand company emails, along with other files that included a PowerPoint presentation entitled “The WikiLeaks Threat.” The tactics suggested therein are strikingly similar to those practiced and perfected during COINTELPRO. The presentation outlines a set of strategies the firm claimed could be “deployed tomorrow”:
Palantir Potential Proactive Tactics
• Feed the fuel between the feuding groups. Disinformation. Create messages around actions to sabotage or discredit the opposing organization. Submit fake documents and then call out the error.
• Create concern over the security of the infrastructure. Create exposure stories. If the process is believed to not be secure they are done.
• Cyber attacks against the infrastructure to get data on document submitters. This would kill the project. Since the servers are now in Sweden and France putting a team together to get access is more straightforward.
• Media campaign to push the radical and reckless nature of wikileaks activities. Sustained pressure. Does nothing for the fanatics, but creates concern and doubt amongst moderates.
• Search for leaks. Use social media to profile and identify risky behavior of employees.
They also proposed to identify and intimidate WikiLeaks donors and smear the reputation of supporters and journalists like Glenn Greenwald. They explained that these people were “established professionals that have a liberal bent, but ultimately most of them if pushed will choose professional preservation over cause, such is the mentality of most business professionals.”
Although Anonymous did illegally compromise the servers to steal these docs, it is likely that the actions proposed in the PowerPoint presentation, had they been carried out, would have seen the breaking of even more laws. As Glenn Greenwald explains: “Manufacturing and submitting fake documents with the intent they be published likely constitutes forgery and fraud. Threatening the careers of journalists and activists in order to force them to be silent is possibly extortion … Attacking WikiLeaks’ computer infrastructure in an attempt to compromise their sources undoubtedly violates numerous cyber laws.”7
While “The WikiLeaks Threat” presentation is similar in spirit to COINTELPRO, there are numerous important differences. HBGary is not a government intelligence agency—it is a corporate firm that had concocted a plan for corporate clients. HBGary Federal, working with two other security companies, Palantir Technologies and Berico Technologies, was pitching the WikiLeaks sabotage proposal to Bank of America through their legal representatives at the Hunton and Williams law firm. Palantir and Berico, working together under the name Team Themis (a reference to the ancient Greek Titaness of divine order and justice), were hoping such pitches would result in a lucrative contract. Assange had announced on November 29, 2010, that he held documents revealing an “ecosystem of corruption [that] could take down a bank or two,” and Bank of America had reason to believe that it was one of these banks. According to the New York Times, the bank set to work, “scouring thousands of documents in the event that they become public” and hiring outside security and law firms “to help manage the review.”8 Since Bank of America was not named directly by Assange, its reaction had the interesting effect of drawing attention to itself.
In the aftermath of the HBGary document leaks, Bank of America denied knowledge of the Team Themis proposal, describing it as “abhorrent,” even though it was certainly intended for the eyes of one of its legal teams (Hunton and Williams never commented on the matter).9 Ultimately, the Team Themis scheme was never carried out—as a result, perhaps, of the leak itself; such a scheme relied on illegal tactics and could only be carried out if there was plausible deniability to protect those involved from backlash.
Beyond any possible direct disruption, the content of the corporate emails themselves provided Anonymous and others interested in corporate security practices with a great deal of insight. Corporate espionage and sabotage leveled against workers, nonprofits, and activists is nothing new. Henry Ford relied on an internal security unit headed by Harry Bennett to intimidate workers attempting to unionize. A private security firm called the Pinkertons, established in 1850 and still in service today, gained notoriety for infiltrating unions and spying on workers for its corporate clients. In fact, this practice is so common that it has been given a name: “labor spying.” More recently, Walmart has come under fire after accusations of widespread surveillance against “shareholders, critics, suppliers, the board of directors, and employees.”10
Today the private surveillance industry is a more profitable, wide-ranging, and robust sector than ever before—boasting close ties to three-letter government agencies (indeed, many contractors employ government- and military-trained operatives). A 2013 report entitled Spooky Business, written by the Center for Corporate Policy, a nonprofit seeking to check corporate abuse, enumerates over a dozen examples of corporate-led spying and infiltration—many using standard COINTELPRO-style tactics—directed at antiwar, environmental, food safety, animal rights, and gun control groups, among others. To take one example, the environmental group Greenpeace has been subject to numerous illegal infiltrations—Électricité de France, for instance, employed a firm to hack Greenpeace France in 2006 and was fined 1.5 million euros when the action was revealed.11
The report conveys the disturbing crux of the contemporary problem of corporate infiltration as follows: “The corporate capacity for espionage has skyrocketed in recent years … These current and former government employees, and current government contractors, do their spying against nonprofits with little regulation or oversight, and apparently with near impunity.”12
HBGary, whose specialized services offered “sophisticated” spy operations, was but a small player in a vast industry. However, a team of tech-savvy journalists at Ars Technica, after carefully sifting through the emails procured by Anonymous and writing a dozen in-depth accounts (later compiled into a book), ultimately concluded that the “WikiLeaks Threat attack capability wasn’t mere bluster.” HBGary was at the forefront of these types of services, having developed effective anti-malware software as well as custom trojans, rootkits, and spyware that facilitated unauthorized access to computer systems. HBGary had also stashed away a bundle of zero-day exploits—exploits for vulnerabilities that have not been publicly disclosed, and so remain unpatched—for future use, thus ensuring direct access to untold numbers of networks, computers, and emails. According to the leaked documents, HBGary provided a cache of these zero-days, code-named Juicy Fruit, to a subdivision of military contractor Northrop Grumman called Xetron.13
Public information about this market in zero-days was nearly nonexistent until a series of investigative reports filed between 2012 and 2014 revealed it as a thriving industry. According to the New York Times, these exploits can sell for $35,000 to $160,000 apiece. Governments pay the highest prices, ensuring significant control of the vulnerabilities. The US government, in particular, is considered a leading client.14 Exploits can be used defensively, but it is increasingly clear they are often “weaponized and deployed aggressively for everything from government spying and corporate espionage to flat-out fraud,” as technology journalist Ryan Gallagher has pointed out.15
While publicly available information about these practices is slowly growing, our understanding is still incomplete and fragmented. This work is mostly done or brokered by corporations with laxer mandates and fewer disclosure obligations than their government counterparts. The HBGary and HBGary Federal emails helped fill in the gaps, providing a reminder of “how much of this work is carried out privately and beyond the control of government agencies,” as Nate Anderson concluded.16
It is important to note that those who exhumed this information were not, unlike the Citizens’ Commission that uncovered COINTELPRO, looking for anything in particular. The accidental nature of these contemporary discoveries is not unique to Anonymous. According to Spooky Business, most of what we know about corporate spying has “been uncovered by accident, arising from brilliant strokes of luck.”17 However, we might suggest that it was not luck at all, but instead a welcome public good provided by the insatiable, boundless curiosity of hacking—albeit spurred by external circumstances. The HBGary emails, for instance, were procured through the handiwork of hackers hell-bent on simple revenge.
“If we can get that level of information then we really are the private CIA lol”
A week before his company was targeted by ruinous attacks, the founder and CEO of HBGary, Greg Hoglund, praised his team in a series of emails. After giving some instructions pertaining to the surveillance of a malware author, Hoglund ends with a final boast:
Team,
Good work. Check out this site http://www.freelancesecurity.com/ and find an investigator who can perform surveillance and a positive ID on this person. I spoke with Penny and she indicated she *might* be willing to support you guys hiring out boots on the ground to get eyes on target. I would expect some photos, place of work, home, maybe some associates. The site I mentioned is only one—there are a few others. If we can get that level of information then we really are the private CIA lol.18
Though Hoglund envisioned his company as a sharper, meaner, and leaner replacement for law enforcement and intelligence agencies, in practice HBGary was mostly in the business of developing anti-malware software and rootkits—stealthy software tools that allow a user to access a computer system undetected. But Aaron Barr, CEO of the subsidiary HBGary Federal, which was created by HBGary to land lucrative government contracts, wanted to branch out into the field of intelligence gathering. This was evident in the cocky title of a talk slated for mid-February 2011 (but cancelled due to the events in question) at a popular security conference in San Francisco: “Who Needs NSA When We Have Social Media?”
Barr culled the data for his presentation by “infiltrating” Anonymous. His method? For much of January, using the handle CogAnon, he hung out on the AnonOps IRC channels and correlated activity between the IRC channels and social media. On IRC he would watch for someone posting a link, and then he would turn to Twitter to see if the same link or topic would appear at the same time, before deducing that the IRC alias and Twitter profile were attached to the same person. By the end of the month he had a list of nicknames, real names, Twitter accounts, and locations of individuals he claimed were the major Anonymous players. According to the leaked emails, Barr’s aim was to expose key operatives:
From: Aaron Barr
Subject: Focus of presentation
To: Mark Trynor, Ted Vera
Date: Wed, 19 Jan 2011 12:14:26 -0500
ok so I am giving a social media talk @ BSIDES SF next month. I am going to focus on outing the major players of the anonymous group I think. Afterall—no secrets right? :) We will see how far I get. I may focus on NSA a bit to just so I can give all those freespeech nutjobs something. I just called people advocating freespeech, nutjobs—I threw up in my mouth a little. Man I find myself in a weird position.
In another email he insists to a programmer colleague—who repeatedly questioned the reliability of Barr’s conclusions—that “I will sell it,” referring to his docket of identities.19 (Eventually the coder was so concerned about Barr that he wrote an email on February 5 with a prescient warning: “I feel his arrogance is catching up to him again and that has never ended well … for any of us.”)
Barr, on the other hand, thought his operation was going swimmingly. So how did Anonymous get wind of Barr’s infiltration in the first place? Unbelievably, Barr handed the information to them on a silver platter by going public with his project. HBGary’s PR department offered Joseph Menn of the Financial Times a story about Barr’s upcoming talk. As Menn explained to me, he “respected the work of the affiliated HBGary proper,” and “because Anonymous’s structure and traceability was a topic of serious interest,” he decided to move forward with immediate publication. On February 4, 2011, Anons woke up to these lines: “An international investigation into cyberactivists who attacked businesses hostile to WikiLeaks is likely to yield arrests of senior members of the group after they left clues to their real identities on Facebook and in other electronic communications, it is claimed.” The article also featured nicknames and conjectures as to where these participants resided, which turned out to be off the mark:
A senior US member of Anonymous, using the online nickname Owen and evidently living in New York, appears to be one of those targeted in recent legal investigations, according to online communications uncovered by a private security researcher … Mr Barr said Q and other key figures lived in California and that the hierarchy was fairly clear, with other senior members in the UK, Germany, Netherlands, Italy and Australia.20
While Owen and q (lowercase) were prominent figures, Owen lived in Toledo, Ohio, and q resided, more accurately, on the European continent.
A feature story in a respected publication is a precious commodity. If HBGary Federal was really badass enough to identify the movers and shakers behind Anonymous—before even the FBI—corporate executives would, with good reason, be falling over themselves to employ them. The firm’s finances were on the rocks; a lucrative contract with Hunton and Williams would mark a change of fortune.21 HBGary crowed about the seemingly guaranteed meal ticket in internal exchanges:
From: Aaron Barr
To: Karen Burke, Greg Hoglund, Penny Leavy, Ted Vera
Subject: Story is really taking shape
Date: 2011-02-05
http://www.ft.com/cms/s/0/87dc140e-3099-11e0-9de3-00144feabdc0.html
--------------------------------------
From: Greg Hoglund
To: Aaron Barr
Cc: Karen Burke, Penny Leavy, Ted Vera
Subject: Re: Story is really taking shape
We should post this on front page, throw out some tweets.
“HBGary Federal sets a new bar as private intelligence agency.”—the pun on bar is intended lol.
—G
They were getting all the attention they wanted—only the good kind, it seemed at first. The FBI contacted HBGary Federal the same day the story came out, requesting a meeting for the following Monday morning at 11 am. But as comedian Stephen Colbert memorably put it: “Anonymous is a hornet’s nest, and Barr said, ‘I’m going to stick my penis in that thing.’”
Upon reading the Financial Times article, hackers who had just completed the team-building exercise of “pwning” Middle Eastern governments were ready to rumble. The article contained given names for many Anons—and after the recent spate of Anonymous arrests in the UK and warrants in the US, the matter was perceived as urgent. Sabu was the first to suggest an attack, spurred in part by his deep-seated hostility toward white hat hackers and a security industry he regarded as peddling snake oil: subpar security software. At first, some but not all were on board. tflow later recounted:
With a vulnerability too good to resist, the crew was all on board, entering the HBGary systems right on the heels of the Financial Times article. They downloaded scores of HBGary and HBGary Federal emails, deleted untold numbers of files and their backups, and, it is purported, wiped the data on Barr’s iPhone and iPad. One of the first emails they came across featured a PDF containing the unfiltered data Barr had gathered on Anonymous. They quickly noticed innumerable mistakes. Many of the named individuals had done nothing illegal. Perhaps the most glaring problem was his ignorance of the key operatives behind this very hack—tflow, Topiary, Avunit, Kayla, and Sabu. Deep infiltration was unnecessary to ascertain the existence of many of these participants, like Topiary and tflow—publicly known and prominent members who spent time on open IRC channels, notably #reporter and #lounge.
Using security scanning software designed to look for known vulnerabilities, the hackers probed HBGary’s website and quickly found a vulnerability in the custom-made CMS (content management system). Peter Bright, a reporter from Ars Technica who conducted a thorough accounting of the technical details relating to the hack, wrote that “In fact, [the HBGary system] had what can only be described as a pretty gaping bug in it.”22 Once inside, they rummaged around and found hashed passwords. The hashes were too strong to crack on their own machines, but by harnessing the brute force of a pool of GPUs (graphics processing units) they were able to crack them in a number of hours.
One of the passwords, “kibafo33,” granted access to Barr’s Gmail-hosted email account. There the Anons saw the jubilant internal HBGary email exchanges. Naturally, the hackers tried the password on all of Barr’s social media accounts and found that he had violated the first rule of information security: never reuse the same password across platforms. The team could now commandeer all of Barr’s social media accounts for lulz and worse. Getting in was just the beginning.