Dark Territory
Finally, three breakthroughs occurred independently. One was inspired by Stoll’s book. Stoll had captured the West German hacker a dozen years earlier by creating a “honey pot”—a set of phony files, replete with directories, documents, usernames, and passwords (all of Stoll’s invention), seemingly related to the American missile-defense program, a subject of particular interest to the hacker. Once lured to the pot, he stayed in place long enough for the authorities to trace his movements and track him down. The interagency intelligence group in charge of solving Moonlight Maze—mainly NSA analysts working under CIA auspices—decided to do what Stoll had done: they created a honey pot, in this case a phony website of an American stealth aircraft program, which they figured might lure their hacker. (Everyone in the cyber field was enamored of The Cuckoo’s Egg; when Stoll, a long-haired Berkeley hippie, came to give a speech at NSA headquarters not long after his book was published, he received a hero’s welcome.) Just as in Stoll’s scheme, the hacker took the bait.
But with their special access to exotic tools, the NSA analysts took Stoll’s trick a step further. When the hacker left the site, he unwittingly took with him a digital beacon—a few lines of code, attached to the data packet, which sent back a signal that the analysts could follow as it piggybacked through cyberspace. The beacon was an experimental prototype; sometimes it worked, sometimes it didn’t. But it worked well enough for them to trace the hacker to an IP address of the Russian Academy of Sciences, in Moscow.
Some intelligence analysts, including at NSA, remained skeptical, arguing that the Moscow address was just another hopping point along the way to the hacker’s real home in Iran.
Then came the second breakthrough. While Soup Campbell was setting up Joint Task Force-Computer Network Defense, he hired a naval intelligence officer named Robert Gourley to be its intel chief. Gourley was a hard-driving analyst with a background in computer science. In the waning days of the Cold War, he’d worked in a unit that fused intelligence and operations to track, and aggressively chase, Russian submarines. He’d learned of this fusion approach, five years earlier, at an officers’ midcareer course taught by Bill Studeman and Rich Haver—the intelligence veterans who, a decade earlier, under the tutelage of Admiral Bobby Ray Inman, had pushed for the adoption of counter command-control warfare.
Shortly before joining Campbell’s task force, Gourley attended another conference, this one lasting just a day, on Navy operations and intelligence. Studeman and Haver happened to be among the lecturers. Gourley went up to them afterward to renew his acquaintance. A few weeks later, ensconced in his task force office, he phoned Haver on a secure line, laid out the Moonlight Maze problem, as well as the debate over the intruder’s identity, and asked if he had advice on how to resolve it.
Haver recalled that, during the Cold War, the KGB or GRU, the Soviet military’s spy agency, often dispatched scientists to international conferences to collect papers on topics of interest. So Gourley assembled a small team of analysts from the various intelligence agencies and scoured the logs of Moonlight Maze to see what topics interested this hacker. The swath, it turned out, covered a bizarrely wide range: not just aeronautics (the topic of his first search, at Wright-Patterson) but also hydrodynamics, oceanography, the altimeter data of geophysical satellites, and a lot of technology related to surveillance imagery. Gourley’s team then scanned databanks of recent scientific conferences. The matchup was at least intriguing: Russian scientists had attended conferences on every topic that attracted the hacker.
That, plus the evidence from the honey pot and the absence of signs pointing to Iran or any other Middle Eastern source, led Gourley to conclude that the culprit was Russia. It was a striking charge: a nation-state was hacking American military networks—and not just any nation-state, but America’s former enemy and now, supposedly, post–Cold War partner.
Gourley brought his finding to Campbell, who was shocked. “Are you saying that we’re under attack?” he asked. “Should we declare war?”
“No, no,” Gourley replied. This was an intelligence assessment, though he added that he had “high confidence” in its accuracy.
The third intelligence breakthrough was the firmest but also the newest, the one that relied on methods unique to the cyber age and thus mastered by only a few fledgling specialists. Kevin Mandia was part of a small cyber crime team at the Air Force Office of Special Investigations. He’d visited the Air Force Information Warfare Center in San Antonio several times and had kept up with its network security monitoring system. When Moonlight Maze got started, Mandia, by now a private contractor, was sent to the FBI task force to review the hacker’s logs. The hacker’s commands were obfuscated; Mandia and his team wrote new software to decode them, and it turned out they’d been typed in Cyrillic. Mandia concluded that the hacker was Russian.[I]
For the first several months of Moonlight Maze, the American intelligence agencies stopped short of making any statement, even informally, about the hacker’s origins. But the convergence of the Stoll-inspired honey pot, Bob Gourley’s analysis, and Kevin Mandia’s decryption—the fact that such disparate methods sired the same conclusion—changed the picture. It was also clear by now that the Moonlight Maze hackers, whoever they were, had pulled in quite a haul: 5.5 gigabytes of data, the equivalent of nearly three million sheets of paper. None of it was classified, but quite a lot of it was sensitive—and might add up to classified information if a smart analyst pieced it all together.
For nearly a year, an FBI-led task force—the same interagency task force that investigated Solar Sunrise—had coordinated the interagency probe, sharing all intelligence and briefing the White House. In February, John Hamre testified on the matter in closed hearings. Days later, the news leaked to the press, including the finding that the hackers were Russian.
At that point, some members of the task force, especially those from the FBI, proposed sending a delegation to Moscow and confronting Russian officials head-on. It might turn out that they had nothing to do with the hacking (Hamre had testified that it was unclear whether the hackers were working in the government), in which case the Kremlin and the security ministries would want to know about the renegade in their midst. Or maybe the Russian government was involved, in which case that would be worth knowing, too.
Task force members from the Pentagon and NSA were leery about going public. Maybe the Russians hadn’t read the news stories, or maybe they had but dismissed the reports as untrue; in other words, maybe the Russians still didn’t know we were on to them, that we were hacking their hacker. Meanwhile, we were learning things about their interests and operational style; an official confrontation could blow the operation.
In the end, the White House approved the FBI’s request to send a delegation. The task force then spent weeks discussing what evidence to let the Russians see and what evidence to withhold. In any case, it would be presented to the Russians in the same terms as the FBI officially approached it—not as a matter of national security or diplomacy, but rather as a criminal investigation, in which the United States was seeking assistance from the Russian Federation.
The delegation, formally called the Moonlight Maze Coordination Group, consisted of four FBI officials—a field agent from the Baltimore office, two linguists from San Francisco, and a supervisor from headquarters—as well as a NASA scientist and two officers from the Air Force Office of Special Investigations, who had examined the hacker’s logs with Kevin Mandia. They flew to Moscow on April 2, bringing along the files from five of the cyber intrusions, with plans to stay for eight days.
This was the era of warm relations between Bill Clinton and Russia’s reform president, Boris Yeltsin, so the group was received in a spirit of celebration, its first day in Moscow filled with toasts, vodka, caviar, and good cheer. They spent the second day at the headquarters of the Russian defense ministry in a solid working session. The Russian general who served as the group’s liaison was particularly cooperative. He brought out the logs on the files that the Americans had brought with them. This was confirmation: the Russian government had been the hacker, working through servers of the academy of sciences. The general was embarrassed, putting blame on “those motherfuckers in intelligence.”
As a test, to see whether this might be a setup, one of the Air Force investigators on the trip mentioned a sixth intrusion, one whose files the group hadn’t brought with them. The general brought out those logs, too. This is criminal activity, he bellowed to his new American friends. We don’t tolerate this.
The Americans were pleased. This was working out extraordinarily well; maybe the whole business could be resolved through quiet diplomacy and a new spirit of cooperation.
On the third day, things took a shaky turn. Suddenly, the group’s escorts announced that it would be a day of sightseeing. So was the fourth day. On the fifth day, no events were scheduled at all. The Americans politely protested, to no avail. They never again set foot inside the Russian defense ministry. They never again heard from the helpful general.
As they prepared to head back to the States, on April 10, a Russian officer assured them that his colleagues had launched a vigorous investigation and would soon send the embassy a letter outlining their findings.
For the next few weeks, the legal attaché in the American embassy phoned the Russian defense ministry almost every day, asking if the letter had been written. He was politely asked to be patient. No letter ever arrived. And the helpful general seemed to have vanished.
Back in Washington, a task force member cautioned against drawing sour conclusions. Maybe, he said, the general was just sick.
Some members from the Pentagon and the intelligence agencies, who’d warned against the trip, rolled their eyes. “Yeah,” Bob Gourley scoffed, “maybe he has a case of lead poisoning.”
The emerging consensus was that the general hadn’t known about the hacking operation, that he’d genuinely believed some recalcitrant agents in military intelligence were engaged in skullduggery—until his superiors excoriated him, possibly fired him or worse, for sharing secrets with the Americans.
One good thing came out of the trip: the hacking did seem to stop.
Then, two months later, Soup Campbell’s Joint Task Force-Computer Network Defense detected another round of hacking into sensitive military servers—these intrusions bearing a slightly different signature, layered with codes that were harder to break.
The cat-and-mouse game was back on. And it was a game where both sides, and soon other nations, played cat and mouse. To an extent known by only a few American officers, still fewer political higher-ups, and no doubt some Russian spies, too, the American cyber warriors were playing offense as well as defense—and had been for a long while.
* * *
I. In 2006, Mandia would form a company called Mandiant, which would emerge as one of the leading cyber security incident consultants, rising to prominence in 2013 as the firm that identified a special unit of the Chinese army as the hacker behind hundreds of cyber attacks against Western corporations.
CHAPTER 6
* * *
THE COORDINATOR MEETS MUDGE
In October 1997, a few months before Solar Sunrise, when the Marsh Commission released its report on the nation’s critical infrastructure, few officials were more stunned by its findings than a White House aide named Richard Alan Clarke.
As the counterterrorism adviser to President Clinton, Clarke had been in on the high-level discussions after the Oklahoma City bombing and the subsequent drafting of PDD-39, Clinton’s directive on counterterrorism, which eventually led to the formation of the Marsh Commission. After that, Clarke returned to his usual routines, which mainly involved tracking down a Saudi jihadist named Osama bin Laden.
Then the Marsh Report came out, and most of it dealt with cyber security. It was a topic Clarke had barely heard of. Still, it wasn’t his topic. Rand Beers, a good friend and Clinton’s intelligence adviser, had been the point man on the commission and, presumably, would deal with the report, as well. But soon after its release, Beers announced that he was moving over to the State Department; he and Sandy Berger, Clinton’s national security adviser, had discussed who should replace him on the cyber beat, and they settled on Clarke.
Clarke resisted; he was busy enough on the bin Laden trail. Then again, he had been the White House point man on the Eligible Receiver exercise; Ken Minihan, the NSA director who’d conceived it, had briefed him thoroughly on its results and implications; cyber security might turn out to be interesting. But Clarke knew little about computers or the Internet. So he gathered a few of his staff and took them on a road trip.
Shortly after the holidays, they flew to the West Coast and visited the top executives of the major computer and software firms. What struck Clarke most was that the heads of Microsoft knew all about operating systems, those at Cisco knew all about routers, those at Intel knew all about chips—but none of them seemed to know much about the gadgets made by the others or the vulnerabilities at the seams in between.
Back in Washington, he asked Minihan for a tour of the NSA. Clarke had been a player in national security policy for more than a decade, since the Reagan administration, but for most of that time, he’d been involved in Soviet-American arms-control talks and Middle East crises: the high-profile issues. He’d never had reason to visit, or think much about, Fort Meade. Minihan told his aides to give Clarke the full dog-and-pony show.
Part of the tour was demonstrating how easily the SIGINT teams could penetrate any foreign network they set their eyes on. None of it reassured Clarke; he came away more shaken than before, for the same reason as many officials who’d witnessed similar displays through the years. If we can do this to other countries, he realized, they’ll soon be able to do the same thing to us—and that meant we were screwed, because nothing on the Internet could be secured, and, as the Marsh Report laid out in great detail, everything in America was going up on the Net.
Clarke wanted to know just how vulnerable America’s networks were right now, and he figured the best way to find out was to talk with some hackers. He didn’t want to deal with criminals, though, so he called a friend at the FBI and asked if he knew any good-guy hackers. (At this point, Clarke didn’t know if such creatures existed.) At first, the agent was reluctant to share sources, but finally he put Clarke in touch with “our Boston group,” as he put it—a team of eccentric computer geniuses who occasionally helped out with law-enforcement investigations and who called themselves “The L0pht” (pronounced “loft”).
The L0pht’s front man—who went by the handle “Mudge”—would meet Clarke at John Harvard’s Brewery, near Harvard Square, in Cambridge, on a certain day at seven p.m. Clarke flew to Boston on the designated day, took a cab to the bar, and settled in at seven on the dot. He waited an hour for someone to approach him; no one did; so he got up to leave, when the man quietly sitting next to him touched his elbow and said, “Hi, I’m Mudge.”
Clarke looked over. The man, who seemed about thirty, wore jeans, a T-shirt, one earring, a goatee, and long golden hair (“like Jesus,” he would later recall).
“How long have you been sitting there?” Clarke asked.
“About an hour,” Mudge replied. He’d been there the whole time.
They chatted casually about the L0pht for a half hour or so, at which point Mudge asked Clarke if he’d like to meet the rest of the group. Sure, Clarke replied. They’re right over there, Mudge said, pointing to a large table in the corner where six guys were sitting, all in their twenties or early thirties, some as unruly as Mudge, others clean-cut.
Mudge introduced them by their tag names: Brian Oblivion, Kingpin, John Tan, Space Rogue, Weld Pond, and Stefan von Neumann.
After some more small talk, Mudge asked Clarke if he’d like to see the L0pht. Of course, he replied. So they took a ten-minute drive to what looked like a deserted warehouse in Watertown, near the Charles River. They went inside, walked upstairs to the second floor, unlocked another door, and turned on the lights, which revealed a high-tech laboratory, crammed with dozens of mainframe computers, desktops, laptops, modems, and a few oscilloscopes, much of it wired—as Mudge pointed out, when they went back outside—to an array of antennas and dishes on the roof.
Clarke asked how they could afford all this equipment. Mudge said it didn’t cost much. They knew when the big computer companies threw out hardware (a few of them worked for these companies under their real names); they’d go to the dumpster that day, retrieve the gear, and refurbish it.
The collective had started, Clarke learned, in the early 1990s, mainly as a place where its members could store their computers and play online games. In 1994, they made a business of it, testing the big tech firms’ new software programs and publishing a bulletin that detailed the security gaps. They also designed, and sold for cheap, their own software, including L0phtCrack, a popular program that let buyers crack most passwords stored on Microsoft Windows by exploiting the weak LAN Manager hash format of the time, which uppercased each password and hashed it as two separate seven-character halves that could be attacked piecewise. Some executives complained, but others were thankful: someone was going to find those flaws; at least the L0pht was doing it in the open, so the companies could fix them. The NSA, CIA, FBI, and the Air Force Information Warfare Center were also intrigued by this guerrilla operation; some of their agents and officers started talking with Mudge, who’d emerged as the group’s spokesman, and even invited him to give talks at high-level security sessions.
Not that the intelligence agencies needed Mudge to tell them about holes in commercial software. The cryptologists in the NSA Information Assurance Directorate spent much of their time probing for these holes; they’d found fifteen hundred points of vulnerability in Microsoft’s first Windows system. And, by an agreement much welcomed by the software industry at the time, they routinely told the firms about their findings—most of the findings, anyway: they always left a few holes for the agency’s SIGINT teams to exploit, since the foreign governments that they spied on had bought this software, too. (Usually, the Silicon Valley firms were complicit in leaving back doors open.) Still, the NSA and the other agencies were interested in how the likes of Mudge were tackling the problem; it gave them insights into ways that other, more malicious, perhaps foreign hackers might be operating, ways that their own security specialists might not have considered.