by Shane Harris
CrowdStrike will also compare an intruder’s various victims to see if a particular industry or type of technology is being targeted. Then the company builds a dossier, even giving the hacker a name in some cases. For more than a year CrowdStrike analysts tracked one “adversary,” which it named Anchor Panda, as it spied on companies involved in the maritime satellite business, aerospace, and defense contracting and targeted foreign governments with active space-exploration programs. Armed with such specific intelligence about what a hacker is after and what methods the hacker is using to break in—his “signatures”—CrowdStrike’s clients can theoretically take more precise defensive actions. It’s like sending out an all-points bulletin about a fugitive, complete with a physical description and modus operandi, rather than warning the public to be generally on the lookout for suspicious people.
That sounds a lot like the work of a law enforcement agency. And no surprise, since two of CrowdStrike’s top executives are former FBI officials. Shawn Henry, CEO of CrowdStrike Services, the part of the company that tracks and identifies intruders, spent twenty-four years in the bureau, retiring in 2012 as the senior official in charge of all cyber programs and investigations worldwide. (The former deputy head of cyber for the FBI is the company’s general counsel.) CrowdStrike is different from other cyber security companies, Henry says, because “when we respond to an incident, we actually hunt for the adversary.” He says the company employs network forensics and reverse engineering of malware to understand the hackers’ tactics, techniques, and motivations. He is careful to avoid any suggestion that the company breaks in to their adversaries’ computers—the former G-man spent years prosecuting people for violating anti-hacking laws. But the word hunt reveals a more aggressive form of analysis than many other firms in the business will admit to. CrowdStrike deploys sensors on its clients’ networks and uses crowdsourcing to collect more information on hacks as they’re happening, rather than wait for a client to be hit and collect evidence after the fact. It uses intelligence to attribute, as closely as possible, the hacker to a particular country or group. This is one of the hardest things to do in cyber forensics, because skilled hackers conceal their physical location, often by launching their attacks from compromised computers in other countries. CrowdStrike promises to tell clients not just how they’re being attacked but why, and by whom. The company focuses particularly on spies and hackers operating on behalf of foreign governments, including China, Iran, and Russia. (A group of analysts in the “strategic intelligence group” reads Chinese, Farsi, and Russian.) 
In its marketing materials, CrowdStrike repeatedly states that it uses its intelligence-gathering methods to identify intruders and hand over specific, useful information about them to its clients.
This, too, is a technique drawn from the FBI’s playbook. The bureau has rounded up hackers, most famously some members of the collective Anonymous, by watching them steal data from companies and individuals. That information becomes the basis for a criminal indictment. But CrowdStrike and its clients aren’t always looking to press charges. And here the company’s business model gets aggressive.
The other feature that separates CrowdStrike from the competition, Henry says, is its “strike capability.”
“We’re not talking about hacking back at the hackers,” Henry says, batting away any notion that the company has crossed a legal line. “What we’re talking about is providing the client certain capabilities to make and create a hostile work environment on their network.” CrowdStrike executives know that one way some companies create such a hostile environment is to implant malware in honeypots they scatter throughout their networks. When the intruder brings a document or a file back onto his own computer and tries to open it, a virus is unleashed. It could destroy data on his hard drive, or implant spyware or a backdoor for ongoing access by his victim. CrowdStrike says it doesn’t engage in that kind of infection via subterfuge. But in an interview in 2013, Dmitri Alperovitch, CrowdStrike’s cofounder, said he approved of similar actions by the government of Georgia, which tricked a Russian hacker into downloading spyware that turned on his webcam and let officials take his picture. They published his photograph in an official report. “The private sector needs to be empowered to take that kind of action,” Alperovitch said.
In February 2014, after Target reported that hackers had stolen more than 100 million customers’ credit and debit card numbers, CrowdStrike publicized an online seminar that teaches businesses how to combat cybercrime. “Retail(iate): Don’t Be a Target,” said an advertisement that the company e-mailed to prospective clients. The course promised to teach companies “how to take a proactive approach to defending your network” and to show them “how threat intelligence can be used to get ahead of the game.” CrowdStrike may not be hacking back. But the alerts the company sends to its clients, as well as the services it advertises, suggest that customers could end up learning the skills they need if they choose to retaliate on their own.
Finding an adversary is a big step beyond watching his movements—technically and legally. But here, too, there is a market, in which cyber mercenaries are building and selling spyware and hacking tools as sophisticated as any the US government was producing a few years ago. As the power of distributed computing platforms such as cloud services allows smaller groups of people to conduct ever more complicated feats of programming, small companies soon will be building big, powerful cyber weapons that, so far, have remained the exclusive domain of governments. Already the mercenaries have made their mark helping officials intimidate and suppress activists and dissidents. The devices they’ve built are among the most feared and menacing in cyberspace.
The firm Gamma, based in the United Kingdom, sells a spyware program called FinFisher that hides inside “fake software updates for popular software,” according to the company’s marketing documents. The spyware, which can take over a computer, copy its files, and record every word a user types, can be disguised as an update to the popular iTunes app. Users click on the update, thinking they’re getting the latest version of the music software, but actually they’re installing FinFisher on their computers. Egyptian democracy activists have accused the company of providing spyware to the regime of President Hosni Mubarak, an allegation it denies. Mubarak ordered a brutal crackdown on Egyptian citizens in 2011 before he was ultimately driven from power. Security researchers also claim to have found copies of FinFisher in e-mails sent to democracy activists in Bahrain.
Cyber spies and hackers-for-hire openly market their services to law enforcement and intelligence agencies. An Italian company called Hacking Team, based in Milan, promises “total control over your targets” using “invisible” techniques that are “stealth and untraceable.”
“Defeat encryption,” says one presentation on the company’s home page, parroting the language of the NSA. “Thousands of encrypted communications per day. Get them.” In 2011 the company opened an office in Annapolis, Maryland, to sell to US clients.
Hacking Team is upfront about the business it’s in. “Sometimes relevant data are bound inside the device, never transmitted and kept well protected . . . unless you are right on that device,” says a brochure for one of the company’s spyware tools, Remote Control System.
Question is, is there an easy way to hack into that device? . . . What you need is a way to bypass encryption, collect relevant data out of any device, and keep monitoring your targets wherever they are, even outside your monitoring domain. Remote Control System does exactly that. Take control of your targets and monitor them regardless of encryption and mobility. . . . Hack into your targets with the most advanced infection vectors available. Enter his wireless network and tackle tactical operations with ad-hoc equipment designed to operate while on the move. Keep an eye on all your targets and manage them remotely, all from a single screen.
Reportedly, the product can turn on a laptop computer’s camera and microphone, making it an eavesdropping device.
Only at the end of the brochure does Hacking Team mention that its product is intended solely for “governmental interception.” (The company was founded by a pair of hackers who had built a spyware product purchased by local Italian police.) Hacking Team claims that it sells only to governmental law enforcement and intelligence agencies, and that it will not sell to “countries blacklisted” by the United States, the European Union and NATO, or members of the ASEAN group of Southeast Asian countries. It also promises to review all potential customers to ensure that the technology won’t “be used to facilitate human rights violations.”
But in October 2012, researchers with Citizen Lab at the University of Toronto reported that Hacking Team’s Remote Control System was used to infect the computer of a prominent pro-democracy activist in the United Arab Emirates named Ahmed Mansoor, a forty-four-year-old electrical engineer who had once been imprisoned for signing an online petition calling for open elections in a country ruled by hereditary monarchs. Mansoor had inadvertently downloaded the spyware, which was hidden inside a seemingly legitimate e-mail. The spyware burrowed deep into his personal computer, inspecting files and recording what Mansoor typed. He noticed that his computer was running slowly, and after seeing reports about FinFisher’s use against activists in Bahrain, he contacted a security researcher, who confirmed that he had been hacked. The spyware was so strong that even when he changed his e-mail password the unseen intruder was still able to read his messages. The intruder was fully in control of the computer, able to track all of Mansoor’s communications and his network of fellow activists. The intrusion was traced to an Internet address in the United Arab Emirates.
A month after Mansoor and the researcher managed to cleanse his computer of the infection, Mansoor was attacked on the street. The assailant knew Mansoor’s name, and Mansoor suspected he was able to track him via his cell phone. He was slightly injured in the scuffle. Less than a week later another man attacked him and repeatedly punched him in the head. He survived the attack.
Mansoor isn’t the only activist whom researchers have linked to Hacking Team’s spyware. It was part of a larger trend of commercial spyware being used against activists across North Africa and the Middle East during the tumultuous period. There is no evidence that Hacking Team had any knowledge or involvement in the attacks on Mansoor, and it called the documented evidence that its product had been used in a way it claims to forbid “largely circumstantial.”
The company’s enforcement regime is entirely of its own design. And in that regard it’s not unique. There is no international body or treaty for ensuring that spyware and hacking tools are sold only for legal purposes and to governments that don’t suppress civil rights and activism. There is also no regime for controlling the proliferation of cyber weapons such as Stuxnet. Foreign policy officials in the United States, Russia, China, and elsewhere have publicly broached the idea of a cyber arms treaty in recent years, but no country is yet prepared to commit to an agreement that might preemptively bind it from building the next generation of weapons. There is also no obvious way to enforce a cyber arms agreement. Nuclear enrichment facilities can be inspected. Tanks, ships, and aircraft can be seen from a distance. A cyber weapon can be built on a computer. It is practically invisible until it’s launched.
The Arab Spring wasn’t the first time cyber security companies were accused of being bagmen for governments. In the fall of 2010, just as the website WikiLeaks was preparing to release potentially embarrassing information on Bank of America, including internal records and documents, Justice Department officials contacted the bank’s lawyers and encouraged them to get in touch with Hunton & Williams, a Washington law firm. It had put together a trio of small tech companies to run a kind of cyber propaganda operation against opponents of the US Chamber of Commerce, the leading business lobbyist in Washington. The group planned to scour websites and social media with data-mining technology and build dossiers on the Chamber’s opponents. Hunton & Williams asked the trio, which operated under the name Team Themis, if they could do the same job for supporters of WikiLeaks, and also if they could locate where the organization was storing classified information it got from its anonymous sources.
“Apparently, if they can show that WikiLeaks is hosting data in certain countries, it will make prosecution easier,” a member of the trio wrote in an e-mail to his colleagues. Justice Department officials were looking for information they could use to indict WikiLeaks’ founder, Julian Assange, who had posted classified military intelligence reports and State Department cables. Now the feds wanted to outsource part of their investigation, by putting Bank of America in touch with Team Themis, which drew its name from the mythological Greek Titan who represented “divine law,” as opposed to the law of men.
Team Themis included Palantir Technologies, a Silicon Valley startup that had been making fast friends with such national security heavyweights as Richard Perle, former chairman of the Defense Policy Board and an influential Republican operative, as well as George Tenet, former director of the CIA, who had gone to work for Herb Allen, a Palantir investor and head of the enigmatic investment bank Allen & Company, which hosts the annual Sun Valley Conference, bringing together celebrity journalists, athletes, and business leaders. Palantir had also had early backing from the CIA’s venture capital group, In-Q-Tel, whose current chief is chairman of the board of Endgame.
Rounding out Team Themis were two cyber security firms, HBGary Federal, whose CEO had desperately been trying to make inroads with the NSA, to little avail, and Berico Technologies, which employed an Iraq War veteran who had in-the-field experience with cyber weapons. Themis planned to set up an analysis cell that would feed the law firm information about “adversarial entities and networks of interest,” according to a proposal the team created. The CEO of HBGary, Aaron Barr, said the team should collect information about WikiLeaks’ “global following and volunteer staff,” along with the group’s donors, in order to intimidate them. “Need to get people to understand that if they support the organization we will come after them,” Barr wrote in an e-mail. He suggested submitting fake documents to WikiLeaks in hopes that the site would publish them and then be discredited. Barr also urged targeting “people like Glenn Greenwald,” the blogger and vocal WikiLeaks supporter, and he said he wanted to launch “cyberattacks” on a server WikiLeaks was using in Sweden, in order to “get data” about WikiLeaks’ anonymous sources and expose them.
Team Themis never had the chance to launch its espionage and propaganda campaign. In February 2011, Barr was quoted in an article in the Financial Times bragging that he could penetrate the inner ranks of Anonymous. The group retaliated, breaking in to Barr’s e-mail account and publishing years’ worth of his correspondence, including the Team Themis proposals and communications. Barr left the company, telling reporters, “I need to focus on taking care of my family and rebuilding my reputation.” Berico is still in business, selling data-mining and geo-location software to government agencies. Palantir is one of the fastest-growing technology companies in the national security field and counts among its customers the CIA, Special Operations Command, and the US Marine Corps, which have all used its software to track down terrorists, as well as the Defense Intelligence Agency, the National Counterterrorism Center, the Homeland Security Department, and the FBI. Keith Alexander, former director of the National Security Agency, has said that Palantir could help the agency “see” hackers and spies in cyberspace, and that the NSA has evaluated the company’s product. The Los Angeles Police Department is another Palantir customer, as is the New York Police Department, which runs an intelligence and counterterrorism unit that many experts believe is more sophisticated than the FBI’s or the CIA’s.
Though Team Themis failed, the US government has turned to other private cyber sleuths to go after WikiLeaks and help with other investigations. Tiversa, a Pittsburgh-based company, grabbed headlines in 2011 when it accused WikiLeaks of using peer-to-peer file-sharing systems, like those used to swap music downloads, to obtain classified US military documents. WikiLeaks, which claims only to publish documents that it receives from whistleblowers, called the allegations “completely false.” Tiversa gave its findings to government investigators, who had been trying to build a case against Assange. Tiversa’s board of advisers includes prominent security experts and former US officials, such as General Wesley Clark, former Supreme Allied Commander of NATO forces in Europe and onetime Democratic presidential candidate, and Howard Schmidt, who was Barack Obama’s cyber security adviser in the White House.
Tiversa has revealed an array of classified and sensitive documents floating around file-sharing networks, and arguably, that does some good. Companies and government agencies embarrassed by a data breach have an incentive to shore up their security and work harder to protect sensitive information. Tiversa claims its analysts have found blueprints for the presidential helicopter, Marine One, on a computer in Iran. A defense contractor employee in Bethesda, Maryland, may have been running a file-sharing system and ended up giving an Iranian computer user access to his hard drive. In 2009, Tiversa told a congressional committee that its investigations had discovered a document giving the location of a Secret Service safe house used to protect the First Lady during a national emergency; spreadsheets containing personal identifying information of thousands of US military service members; documents pointing to the location of nuclear facilities; and personal medical information on thousands of individuals, including insurance and billing information as well as diagnosis codes.