by Shane Harris
But when pointing out weak security, Tiversa has courted controversy. In 2013, LabMD, an Atlanta company that performs cancer diagnoses, filed a complaint accusing Tiversa of stealing patient information from it and other health care companies through peer-to-peer networks. LabMD had been under investigation by the Federal Trade Commission after a data breach allegedly exposed patient information. The company claimed that the government had hired Tiversa to take the documents without LabMD’s knowledge or consent. According to court documents, Tiversa found LabMD patient information on a peer-to-peer network and then allegedly made repeated phone calls and sent e-mails to the health care company trying to sell Tiversa’s cyber security services. LabMD’s lawsuits were subsequently withdrawn or dismissed, and Tiversa has sued LabMD for defamation.
Cyberspace has no clear borders. But geography has a lot to do with how far a cyber mercenary will go to solve clients’ problems. Some companies in Europe have less compunction about hacking back because anti-hacking laws there are either loose or nonexistent. Romania is one hotbed of hackers and online scam artists willing to launch malware for a fee. And the gray market where zero day attacks are sold is another place to find hackers-for-hire. Until federal officials shut it down in 2013, the online market Silk Road, which was accessible via the Tor anonymous router system, included hack-back vendors.
To date, no American company has been willing to say that it engages in offensive cyber operations designed to steal information or destroy an adversary’s system. But former intelligence officials say hack-backs are occurring, even if they’re not advertised. “It is illegal. It is going on,” says a former senior NSA official, now a corporate consultant. “It’s happening with very good legal advice. But I would not advise a client to try it.”
A former military intelligence officer said the most active hack-backs are coming from the banking industry. In the past several years banks have lost billions of dollars to cybercriminals, primarily those based in Eastern Europe and Russia who use sophisticated malware to steal usernames and passwords from customers and then clean out their accounts.
In June 2013, Microsoft joined forces with some of the world’s biggest financial institutions, including Bank of America, American Express, JPMorgan Chase, Citigroup, Wells Fargo, Credit Suisse, HSBC, the Royal Bank of Canada, and PayPal, to disable a huge cluster of hijacked computers being used for online crime. Their target was a notorious outfit called Citadel, which had infected thousands of machines around the world and, without their owners’ knowledge, conscripted them into armies of “botnets,” which the criminals used to steal account credentials, and thus money, from millions of people. In a counterstrike that Microsoft code-named Operation b54, the company’s Digital Crimes Unit severed the lines of communication between Citadel’s more than fourteen hundred botnets and an estimated five million personal computers that Citadel had infected with malware. Microsoft also took over servers that Citadel was using to conduct its operations.
Microsoft hacked Citadel. That would have been illegal had the company not obtained a civil court order blessing the operation. Effectively now in control of Citadel’s victims—who had no idea that their machines had ever been infected—Microsoft could alert them to install patches to their vulnerable software. In effect, Microsoft had hacked the users in order to save them. (And to save itself, since the machines had been infected in the first place owing to flaws in Microsoft’s products, which are probably the most frequently exploited in the world.)
It was the first time that Microsoft had teamed up with the FBI. But it was the seventh time it had knocked down botnets since 2010. The company’s lawyers had used novel legal arguments, such as accusing criminals who had attacked Microsoft products of violating its trademark. This was a new legal frontier. Even Microsoft’s lawyers, who included a former US attorney, acknowledged that they’d never considered using alleged violations of common law to obtain permission for a cyber attack. For Operation b54, Microsoft and the banks had spied on Citadel for six months before talking to the FBI. The sleuths from Microsoft’s counter-hacking group eventually went to two Internet hosting facilities, in Pennsylvania and New Jersey, where, accompanied by US marshals, they gathered forensic evidence to attack Citadel’s network of botnets. The military would call that collecting targeting data. And in many respects, Operation b54 looked like a military cyber strike. Technically speaking, it was not so different from the attack that US cyber forces launched on the Obelisk network used by al-Qaeda in Iraq.
Microsoft also worked with law enforcement agencies in eighty countries to strike at Citadel. The head of cybercrime investigations for Europol, the European Union’s law enforcement organization, declared that Operation b54 had succeeded in wiping out Citadel from nearly all its infected hosts. And a lawyer with Microsoft’s Digital Crimes Unit declared, “The bad guys will feel the punch in the gut.”
Microsoft has continued to attack botnets, and its success has encouraged government officials and company executives, who see partnerships between cops and corporate hackers as a viable way to fight cybercriminals. But coordinated counterstrikes like the one against Citadel take time to plan, and teams of lawyers to approve them. What happens when a company doesn’t want to wait six months to hack back, or would just as soon not have federal law enforcement officers looking over its shoulder?
The former military intelligence officer worries that the relative technical ease of hack-backs will inspire banks in particular to forgo partnerships with companies like Microsoft and hack back on their own—without asking a court for permission. “Banks have an appetite now to strike back because they’re sick of taking it in the shorts,” he says. “It gets to the point where an industry won’t accept that kind of risk. And if the government can’t act, or won’t, it’s only logical they’ll do it themselves.” And hack-backs won’t be exclusive to big corporations, he says. “If you’re a celebrity, would you pay someone to find the source of some dirty pictures of you about to be released online? Hell yes!”
Undoubtedly, they’ll find a ready supply of talent willing and able to do the job. A survey of 181 attendees at the 2012 Black Hat USA conference in Las Vegas found that 36 percent of “information security professionals” said they’d engaged in retaliatory hack-backs. That’s still a minority of the profession, though one presumes that some of the respondents weren’t being honest. But even those security companies that won’t engage in hack-backs have the skills and the know-how to launch a private cyber war.
A former NSA official says that in his estimation, the best private security firms today are run by former “siginters,” and are using not just electronic intelligence but also human sources. From their NSA days, they learned to follow trends and conversations in Internet chat channels frequented by hackers, and how to pose as would-be criminals looking to buy malicious software.
One private security executive says some of the best intelligence on new kinds of malware, hacking techniques, and targets comes, not surprisingly, from the biggest source of spying and theft against the United States—China. Rick Howard, who before he became a private cyber sleuth ran the army’s Computer Emergency Response Team, says he stayed in regular contact with hackers and cyber weapons dealers in China when he was in charge of intelligence for iDefense, a private security firm. His sources told iDefense what was the latest malware on the street—as in the United States, it was sold through gray markets—who the major players were, and what targets were on the hackers’ lists. Hacking is a human business, after all.
Until 2013, Howard was the chief information security officer for TASC, a large security firm that runs its own “cybersecurity operations center.” TASC is located on a sprawling office campus in Chantilly, Virginia, near the corridor of tech companies that has made Washington one of the richest metropolitan areas in the United States. TASC’s offices, spread out over three buildings, resemble an NSA installation. The halls are lined with doors marked “Classified,” and the entrances are protected by keypad locks and card scanners. Stepping inside those secure rooms, you would find it hard to know for sure if you were in Chantilly or Fort Meade.
Many former NSA hackers aren’t afraid to talk about their time in the government. In fact, they publicize it. Brendan Conlon, who worked in the elite TAO group, founded a cyber security company called Vahna, according to his LinkedIn profile, “after 10 years of Offensive Computer Network Operations with the National Security Agency.” Conlon began his career developing software implants, then moved on to TAO, where he was chief of the Hawaii unit. He also worked in the NSA’s hunting division, which is devoted to tracking Chinese hackers. A graduate of the Naval Academy, he served with the NSA three times in Afghanistan and worked on hacking missions with the CIA. Vahna touts its employees’ “years of experience inside the intelligence and defense cyber communities” and claims to have “unparalleled capabilities to assess vulnerability in your information security, mitigate risk across your technology footprint, and provide tactical incident response to security breaches.” In other words, all the things that Conlon was trained to do for the NSA, he can now do for corporations.
Over the past several years, large defense contractors have been gobbling up smaller technology firms and boutique cyber security outfits, acquiring their personnel, their proprietary software, and their contracts with intelligence agencies, the military, and corporations. In 2010, Raytheon, one of the largest US defense contractors, agreed to pay $490 million for Applied Signal Technology, a cyber security firm with military and government clients. The price tag, while objectively large, was a relative pittance for Raytheon, which had sales the prior year totaling $25 billion. In 2013 the network-equipment giant Cisco agreed to buy Sourcefire for $2.7 billion in cash, in a transaction that reflected what the New York Times called “the growing fervor” for companies that defend other companies from cyber attacks and espionage. After the acquisition was announced, a former military intelligence officer said he was astounded that Cisco had paid so much money for a company whose flagship product is built on an open-source intrusion detection system called Snort, which anyone can use. It was a sign of just how valuable cyber security expertise had become—either that or a massive bubble in the market, the former officer said.
But the companies are betting on a sure thing—government spending on cyber security. The Pentagon cyber security budget for 2014 is $4.7 billion, a $1 billion increase over the previous year. The military is no longer buying expensive missile systems. With the advent of drone aircraft, many executives believe the current generation of fighter aircraft will be the last ones built to be flown by humans. Spending has plummeted on the big-ticket weapons systems that kept Beltway contractors flush throughout the Cold War, so they’re pivoting to the booming cyber market.
SEVEN
Cops Become Spies
THE SPYWARE WAS a triumph of engineering and cunning. It sat unnoticed on its victim’s computer and recorded everything he typed. E-mails. Documents. But what it was really after was a password. One in particular—the phrase or series of letters and numbers that the victim used to start an encryption program called Pretty Good Privacy. As encryption programs went, PGP was easy for a layperson to use. It could be downloaded from the Internet, and it afforded a level of security that had previously been available only to government agents and spies. Now, with a few clicks and a password, anyone could turn one’s own communications into indecipherable gobbledygook that could be unscrambled only by the intended recipient. The spyware, though, captured that password and sent it back to its master, who could then decode the encrypted messages that the victim believed were private. The designers chose an apt name for their creation, which shined a light into a previously dark space—Magic Lantern.
The creators of this malware weren’t Chinese hackers. They weren’t identity thieves in Russia. They were employees of the US Federal Bureau of Investigation. And they worked for one of the most secretive and technologically sophisticated operations in the entire bureau, one that, today, is the National Security Agency’s indispensable partner in cyber spying and warfare.
It’s called the Data Intercept Technology Unit, but insiders refer to it as the DITU (pronounced “DIH-too”). It’s the FBI’s equivalent of the NSA, a signals intelligence operation that has barely been covered in the press and mentioned in congressional testimony only a few times in the past fifteen years. The DITU is located on a large compound at the Marine Corps base in Quantico, Virginia, which is also home to the FBI’s training academy. The DITU intercepts telephone calls and e-mails of terrorists and spies from inside the United States. When the NSA wants to gather mounds of information from Google, Facebook, Yahoo, and other technology giants, the DITU is sent to retrieve it. The unit maintains the technological infrastructure for the agency’s Prism program, which collects personal information from the large tech companies. In fact, it’s the DITU’s job to make sure that all American companies are building their networks and software applications in a way that complies with US surveillance law, so they can be easily tapped by the government. And if they’re not, the DITU will construct a bespoke surveillance device and do it for them.
The NSA couldn’t do its job without the DITU. The unit works closely with the biggest American telecommunications companies—AT&T, Verizon, and Sprint. “The DITU is the main interface with providers on the national security side,” says a technology industry representative who has worked with the unit on many occasions. It ensures that telephone and Internet communications can easily be siphoned off the massive network of fiber-optic cables those companies run. In recent years, it has helped construct a data-filtering software program that the FBI wants installed on phone and Internet networks, so that the government can collect even larger volumes of data than in the past, including routing information for e-mails, data on traffic flow, Internet addresses, and port numbers, which handle incoming and outgoing communications and can detect what applications and operating system a computer is running.
Magic Lantern was one of the unit’s early triumphs. Developed in the late 1990s, it was a companion to the better-known e-mail-mining program Carnivore, which stripped the header information—the “to,” “from,” and date lines—out of an e-mail so that investigators could piece together members of a criminal network by their communications patterns. Both devices, along with other spying programs with names such as CoolMiner, Packeteer, and Phiple Troenix, were developed to help the bureau snare drug dealers, terrorists, and child-porn peddlers. But when Carnivore was revealed in news reports, it became synonymous with Big Brother–style government surveillance, and civil liberties groups said the FBI’s efforts would undermine encryption for legitimate purposes, such as protecting financial data and patient privacy. The same arguments echoed more than a decade later, when the NSA was revealed to be secretly handicapping encryption algorithms.
The FBI’s cyber spying programs began years before the 9/11 attacks and any attempts by the NSA to broaden its surveillance nets to cover the United States. FBI agents have been in the domestic cyber spying business for longer than their friends at Fort Meade. And today they are physically joined in those efforts. A fiber-optic connection runs between Quantico and NSA headquarters, so that the information the DITU collects from companies can be instantly transferred. FBI agents and lawyers from the Justice Department review the NSA’s requests to gather e-mails from Google or monitor Facebook posts. They represent the agency before the secret Foreign Intelligence Surveillance Court, which also reviews requests to spy on Americans. It was the FBI that petitioned the court to order telephone companies to give the NSA records of all calls placed in the United States. When journalists and lawmakers say that the NSA “spies on Americans,” what they really mean is that the FBI helps them do it, providing a technical and legal infrastructure for domestic intelligence operations. Having the DITU act as a conduit also gives technology companies the ability to say publicly that they do not provide any information about their customers directly to the NSA. And that’s true. They give it to the DITU, which then passes it to the NSA.
The NSA is the biggest user of the DITU. But the unit is no mere errand boy. Along with other FBI cyber and surveillance groups, it conducts some of the government’s most sophisticated intelligence programs. At the FBI Academy in Quantico, the DITU shares space with the bureau’s Operational Technology Division, which is responsible for all FBI technical intelligence collection, processing, and reporting. Its motto is “Vigilance Through Technology.” Among the division’s publicly disclosed capabilities are surveillance of landline, wireless, and computer network communications technologies, including e-mail applications, switches, and routers; collecting audio files, video, images, and other digital evidence to use in investigations; and counter-encryption. It also specializes in black-bag jobs to install surveillance equipment and computer viruses. The DITU has negotiated with major US technology companies to get privileged access to their systems. For instance, on behalf of the NSA, it worked with Microsoft to ensure that a new feature in Outlook that allowed users to create e-mail aliases would not pose an obstacle to surveillance. The arrangement helped the government circumvent Microsoft’s encryption and ensure that Outlook messages could be read by government analysts.