@War: The Rise of the Military-Internet Complex (20 page)

A month after Mansoor and the researcher managed to cleanse his computer of the infection, Mansoor was attacked on the street. The assailant knew Mansoor's name, and Mansoor suspected he was able to track him via his cell phone. He was slightly injured in the scuffle. Less than a week later another man attacked him and repeatedly punched him in the head. He survived the attack.

Mansoor isn't the only activist whom researchers have linked to Hacking Team's spyware. It was part of a larger trend of commercial spyware being used against activists across North Africa and the Middle East during the tumultuous period. There is no evidence that Hacking Team had any knowledge or involvement in the attacks on Mansoor, and it called the documented evidence that its product had been used in a way it claims to forbid “largely circumstantial.”

The company's enforcement regime is entirely of its own design. And in that regard it's not unique. There is no international body or treaty for ensuring that spyware and hacking tools are sold only for legal purposes and to governments that don't suppress civil rights and activism. There is also no regime for controlling the proliferation of cyber weapons such as Stuxnet. Foreign policy officials in the United States, Russia, China, and elsewhere have publicly broached the idea of a cyber arms treaty in recent years, but no country is yet prepared to commit to an agreement that might preemptively bind it from building the next generation of weapons. There is also no obvious way to enforce a cyber arms agreement. Nuclear enrichment facilities can be inspected. Tanks, ships, and aircraft can be seen from a distance. A cyber weapon can be built on a computer. It is practically invisible until it's launched.

 

The Arab Spring wasn't the first time cyber security companies were accused of being bagmen for governments. In the fall of 2010, just as the website WikiLeaks was preparing to release potentially embarrassing information on Bank of America, including internal records and documents, Justice Department officials contacted the bank's lawyers and encouraged them to get in touch with Hunton & Williams, a Washington law firm.
It had put together a trio of small tech companies to run a kind of cyber propaganda operation against opponents of the US Chamber of Commerce, the leading business lobbyist in Washington. The group planned to scour websites and social media with data-mining technology and build dossiers on the Chamber's opponents. Hunton & Williams asked the trio, which operated under the name Team Themis, if they could do the same job for supporters of WikiLeaks, and also if they could locate where the organization was storing classified information it got from its anonymous sources.

“Apparently, if they can show that WikiLeaks is hosting data in certain countries, it will make prosecution easier,” a member of the trio wrote in an e-mail to his colleagues. Justice Department officials were looking for information they could use to indict WikiLeaks' founder, Julian Assange, who had posted classified military intelligence reports and State Department cables. Now the feds wanted to outsource part of their investigation, by putting Bank of America in touch with Team Themis, which drew its name from the mythological Greek Titan who represented “divine law,” as opposed to the law of men.

Team Themis included Palantir Technologies, a Silicon Valley startup that had been making fast friends with such national security heavyweights as Richard Perle, former chairman of the Defense Policy Board and an influential Republican operative, as well as George Tenet, former director of the CIA, who had gone to work for Herb Allen, a Palantir investor and head of the enigmatic investment bank Allen & Company, which hosts the annual Sun Valley Conference, bringing together celebrity journalists, athletes, and business leaders. Palantir had also had early backing from the CIA's venture capital group, In-Q-Tel, whose current chief is chairman of the board of Endgame.

Rounding out Team Themis were two cyber security firms, HBGary Federal, whose CEO had desperately been trying to make inroads with the NSA, to little avail, and Berico Technologies, which employed an Iraq War veteran who had in-the-field experience with cyber weapons. Themis planned to set up an analysis cell that would feed the law firm information about “adversarial entities and networks of interest,” according to a proposal the team created. The CEO of HBGary, Aaron Barr, said the team should collect information about WikiLeaks' “global following and volunteer staff,” along with the group's donors, in order to intimidate them. “Need to get people to understand that if they support the organization we will come after them,” Barr wrote in an e-mail. He suggested submitting fake documents to WikiLeaks in hopes that the site would publish them and then be discredited. Barr also urged targeting “people like Glenn Greenwald,” the blogger and vocal WikiLeaks supporter, and he said he wanted to launch “cyberattacks” on a server WikiLeaks was using in Sweden, in order to “get data” about WikiLeaks' anonymous sources and expose them.

Team Themis never had the chance to launch its espionage and propaganda campaign. In February 2011, Barr was quoted in an article in the
Financial Times
bragging that he could penetrate the inner ranks of Anonymous. The group retaliated, breaking in to Barr's e-mail account and publishing years' worth of his correspondence, including the Team Themis proposals and communications. Barr left the company, telling reporters, “I need to focus on taking care of my family and rebuilding my reputation.” Berico is still in business, selling data-mining and geo-location software to government agencies. Palantir is one of the fastest-growing technology companies in the national security field and counts among its customers the CIA, Special Operations Command, and the US Marine Corps, which have all used its software to track down terrorists, as well as the Defense Intelligence Agency, the National Counterterrorism Center, the Homeland Security Department, and the FBI. Keith Alexander, former director of the National Security Agency, has said that Palantir could help the agency “see” hackers and spies in cyberspace, and that the NSA has evaluated the company's product. The Los Angeles Police Department is another Palantir customer, as is the New York Police Department, which runs an intelligence and counterterrorism unit that many experts believe is more sophisticated than the FBI's or the CIA's.

Though Team Themis failed, the US government has turned to other private cyber sleuths to go after WikiLeaks and help with other investigations. Tiversa, a Pittsburgh-based company, grabbed headlines in 2011 when it accused WikiLeaks of using peer-to-peer file-sharing systems, like those used to swap music downloads, to obtain classified US military documents. WikiLeaks, which claims only to publish documents that it receives from whistleblowers, called the allegations “completely false.” Tiversa gave its findings to government investigators, who had been trying to build a case against Assange. Tiversa's board of advisers includes prominent security experts and former US officials, such as General Wesley Clark, former Supreme Allied Commander of NATO forces in Europe and onetime Democratic presidential candidate, and Howard Schmidt, who was Barack Obama's cyber security adviser in the White House.

Tiversa has revealed an array of classified and sensitive documents floating around file-sharing networks, and arguably, that does some good. Companies and government agencies embarrassed by a data breach have an incentive to shore up their security and work harder to protect sensitive information. Tiversa claims its analysts have found blueprints for the presidential helicopter,
Marine One
, on a computer in Iran. A defense contractor employee in Bethesda, Maryland, may have been running a file-sharing system and ended up giving an Iranian computer user access to his hard drive. In 2009, Tiversa told a congressional committee that its investigations had discovered a document giving the location of a Secret Service safe house used to protect the First Lady during a national emergency; spreadsheets containing personal identifying information of thousands of US military service members; documents pointing to the location of nuclear facilities; and personal medical information on thousands of individuals, including insurance and billing information as well as diagnosis codes.

But when pointing out weak security, Tiversa has courted controversy. In 2013, LabMD, an Atlanta company that performs cancer diagnoses, filed a complaint accusing Tiversa of stealing patient information from it and other health care companies through peer-to-peer networks. LabMD had been under investigation by the Federal Trade Commission after a data breach allegedly exposed patient information. The company claimed that the government had hired Tiversa to take the documents without LabMD's knowledge or consent.
According to court documents, Tiversa found LabMD patient information on a peer-to-peer network and then allegedly made repeated phone calls and sent e-mails to the health care company trying to sell Tiversa's cyber security services.
LabMD's lawsuits were subsequently withdrawn or dismissed, and Tiversa has sued LabMD for defamation.

 

Cyberspace has no clear borders. But geography has a lot to do with how far a cyber mercenary will go to solve clients' problems. Some companies in Europe have less compunction about hacking back because anti-hacking laws there are either loose or nonexistent. Romania is one hotbed of hackers and online scam artists willing to launch malware for a fee. And the gray market where zero day attacks are sold is another place to find hackers-for-hire. Until federal officials shut it down in 2013, the online market Silk Road, which was accessible via the Tor anonymous router system, included hack-back vendors.

To date, no American company has been willing to say that it engages in offensive cyber operations designed to steal information or destroy an adversary's system. But former intelligence officials say hack-backs are occurring, even if they're not advertised. “It is illegal. It is going on,” says a former senior NSA official, now a corporate consultant.
“It's happening with very good legal advice. But I would not advise a client to try it.”

A former military intelligence officer said the most active hack-backs are coming from the banking industry. In the past several years banks have lost billions of dollars to cybercriminals, primarily those based in Eastern Europe and Russia who use sophisticated malware to steal usernames and passwords from customers and then clean out their accounts.

In June 2013, Microsoft joined forces with some of the world's biggest financial institutions, including Bank of America, American Express, JPMorgan Chase, Citigroup, Wells Fargo, Credit Suisse, HSBC, the Royal Bank of Canada, and PayPal, to disable a huge cluster of hijacked computers being used for online crime.
Their target was a notorious outfit called Citadel, which had infected thousands of machines around the world and, without their owners' knowledge, conscripted them into armies of “botnets,” which the criminals used to steal account credentials, and thus money, from millions of people. In a counterstrike that Microsoft code-named Operation b54, the company's Digital Crimes Unit severed the lines of communication between Citadel's more than fourteen hundred botnets and an estimated five million personal computers that Citadel had infected with malware. Microsoft also took over servers that Citadel was using to conduct its operations.

Microsoft hacked Citadel. That would have been illegal had the company not obtained a civil court order blessing the operation. Effectively now in control of Citadel's victims—who had no idea that their machines had ever been infected—Microsoft could alert them to install patches to their vulnerable software. In effect, Microsoft had hacked the users in order to save them. (And to save itself, since the machines had been infected in the first place owing to flaws in Microsoft's products, which are probably the most frequently exploited in the world.)

It was the first time that Microsoft had teamed up with the FBI. But it was the seventh time it had knocked down botnets since 2010. The company's lawyers had used novel legal arguments, such as accusing criminals who had attacked Microsoft products of violating its trademark.
This was a new legal frontier. Even Microsoft's lawyers, who included a former US attorney, acknowledged that they'd never considered using alleged violations of common law to obtain permission for a cyber attack. For Operation b54, Microsoft and the banks had spied on Citadel for six months before talking to the FBI. The sleuths from Microsoft's counter-hacking group eventually went to two Internet hosting facilities, in Pennsylvania and New Jersey, where, accompanied by US marshals, they gathered forensic evidence to attack Citadel's network of botnets. The military would call that collecting targeting data. And in many respects, Operation b54 looked like a military cyber strike. Technically speaking, it was not so different from the attack that US cyber forces launched on the Obelisk network used by al-Qaeda in Iraq.

Microsoft also worked with law enforcement agencies in eighty countries to strike at Citadel. The head of cybercrime investigations for Europol, the European Union's law enforcement organization, declared that Operation b54 had succeeded in wiping out Citadel from nearly all its infected hosts. And a lawyer with Microsoft's Digital Crimes Unit declared, “The bad guys will feel the punch in the gut.”

Microsoft has continued to attack botnets, and its success has encouraged government officials and company executives, who see partnerships between cops and corporate hackers as a viable way to fight cybercriminals. But coordinated counterstrikes like the one against Citadel take time to plan, and teams of lawyers to approve them. What happens when a company doesn't want to wait six months to hack back, or would just as soon not have federal law enforcement officers looking over its shoulder?

The former military intelligence officer worries that the relative technical ease of hack-backs will inspire banks in particular to forgo partnerships with companies like Microsoft and hack back on their own—without asking a court for permission. “Banks have an appetite now to strike back because they're sick of taking it in the shorts,” he says. “It gets to the point where an industry won't accept that kind of risk. And if the government can't act, or won't, it's only logical they'll do it themselves.” And hack-backs won't be exclusive to big corporations, he says. “If you're a celebrity, would you pay someone to find the source of some dirty pictures of you about to be released online? Hell yes!”