Cyberspies are everywhere. But who are they helping?
[dropcap]W[/dropcap]inding through corridors lined with poison-tipped umbrellas, pistols fashioned from lipstick tubes, and bulky buttonhole cameras, visitors to Washington’s International Spy Museum will soon be confronted by a modern, quotidian tool of the trade: a small black laptop. According to the computer’s owner, it was employed over a three-year period to briefly knock WikiLeaks offline, disable almost 200 jihadist websites, and develop a handful of sophisticated hacking tools. The laptop, says International Spy Museum executive director Peter Earnest, will “provide historical context to the … world of espionage and the intelligence community, in this instance through the scope of cyberterrorism.”
But the laptop’s owner claims no affiliation with the intelligence community; nor can he, by any traditional definition, be classified as a spy. He’s a freelancer, a “patriotic hacktivist” who goes by the nom de guerre “the Jester”—or, in hacker argot, “th3j35t3r.” Within certain cyber circles, he has achieved mythical status. According to security analyst T. J. O’Connor, the Jester has “proved that a single individual is very capable of waging cyberwar at a level we previously attributed only to intelligence agencies or crime syndicates.”
There exist countless blog posts and Twitter exchanges speculating on the Jester’s identity, but we still know almost nothing about him. He implies that he’s American, says he has a background in computer programming, and explains he was motivated to undertake offensive hacking operations against enemies of the United States after serving in the military. (He claims to have been affiliated with “a rather famous unit” in Afghanistan that was “involved with supporting Special Forces.”) These are, of course, unverifiable assertions.
The Jester first surfaced on Jan. 1, 2010, with a tweet announcing a “sporadic cyber-attack” on a Taliban website: “OWNED. By me, Jester.” He issues short epistles through Twitter, usually documenting websites he has disabled, and offers longer discussions of his work on his blog. But he jealously guards his anonymity, granting relatively few interviews to journalists. I first reached out to him for an interview last July, establishing contact through Twitter—the only way he communicates with unknowns. After telling me he would reconnect after an online vetting process, he hesitantly agreed to answer questions in an encrypted chat room. And then disappeared. When I reestablished contact a few months later, he declined to talk.
But recently, with fingers crossed, I made another approach and received a surprisingly quick response: “Can I ping you with secure [connection] in a bit?”
Hacking, the Jester tells me during our exchange, was merely “a continuation of [military] service.” Indeed, he believes that laptops will someday replace M-16s as the primary tool of warfare. Last year, in a rare live chat with computer science students at the University of Southern Maine, the Jester speculated that soon “wars won’t be fought with boots on the ground” but in dark basements packed with glowing computer monitors.
He claims “no official relationship with law enforcement agencies,” yet as members of the hacker collective Anonymous—who take a dim view of the American government—have been hauled into courtrooms around the globe, it’s noteworthy that the Jester has been left untouched. Given that his targets tend to be hostile to American foreign policy, it seems at least plausible that he is operating with the tacit permission of the U.S. intelligence community. Both the Jester and U.S. intelligence officials are tightlipped on these matters—and there is no suggestion of an active working relationship—but in the murky world of cyber warfare, it certainly seems that the feds are unconcerned by his attacks on their common enemies.
So does he, or does he not, provide information to the authorities? “I make my work available—sometimes [publicly], sometimes privately—but I have no official relationship with law enforcement agencies,” he tells me. “I just put things where certain people might ‘find’ them. It’s an unsaid, unspoken nonrelationship.”
The Jester’s techniques have varied over the years. In 2010 after WikiLeaks posted a tranche of classified State Department cables online, he launched a denial of service (DoS) attack—in which a server is flooded with junk data, rendering it unable to respond to legitimate queries—and briefly took the site offline. The goal, he tells me, was to knock WikiLeaks off servers in Sweden and “back onto U.S. servers, where I was hoping the legal peeps would shut that shit off now it was back in jurisdiction. But that didn’t happen and we are where we are today.”
On May 26, after the gruesome murder of a soldier by two lone-wolf jihadists in London, British Home Secretary Theresa May called for controversial new laws blocking extremist websites that ‘can lead to radicalization.’
In 2011 the Jester pummeled various Web properties of the Westboro Baptist Church (of “God Hates Fags” infamy) with DoS attacks in response to the group’s picketing the funerals of American soldiers killed in action. This month he took a slightly different tack with Westboro: after the group celebrated the destructive tornado that hit Oklahoma as divine retribution for America’s sins, the Jester took over their website, replaced it with an image of Jesus giving the middle finger, and then rerouted traffic to a Red Cross donation page.
On May 26, after the gruesome murder of a soldier by two lone-wolf jihadists in London, British Home Secretary Theresa May called for controversial new laws blocking extremist websites that “can lead to radicalization.” The previous day, the Jester—unconstrained by the niceties of parliamentary debate and British law—had knocked offline the website of the London-based radical Islamist preacher Anjem Choudary, who acknowledged that one of the accused killers had attended events organized by his (banned) group.
During the war in Libya, the Jester hacked into The Tripoli Post, a Gaddafi-backed news site, and The Malta Independent, planting fake news stories claiming that regime loyalists were defecting en masse. (It was a modern take on an old espionage trick—one perfected by the KGB during the Cold War.) He has also sought to expose the real identities of those he considers enemies of the United States—for instance, revealing the names of jihadists who recruit and proselytize online, as well as the names of people affiliated with Anonymous. He points out that, soon after he published the identities of Anonymous members, “there were some more Anonymous arrests. Just as a side note.”
When we spoke about Stuxnet, the sophisticated malware developed by the United States and Israel that attacked Iran’s nuclear facilities at Natanz, the Jester argued that the highly publicized attack demonstrated that cyber warfare is more than merely disabling websites and taunting your enemies online. “It showed that one could, with absolute precision, and no boots on the ground, target assets in the physical world too,” he says. “I find the ability to ‘touch’ and adversely affect real-world targets from … cyberspace very comforting.”
Given his list of nasty targets—jihadists, Gaddafi, the fanatics of Westboro—it’s hard for me not to find the Jester’s work comforting as well. But the wider phenomenon that he typifies is disquieting. Around the world, independent hackers are increasingly engaged in work that looks a lot like espionage and cyber warfare. Richard Bejtlich, chief security officer at Mandiant, an Alexandria -based cyber-security firm, sees these hackers as a “return to history. If you look at espionage over thousands of years, for the most part it has been private individuals who were spies. It was only in the 20th century that governments took a real step forward in the creation of national industries around espionage.” Now, he says, “the private sector is getting back into the game as a result of the technology available to everyone.”
[dropcap]T[/dropcap]he existence of both the Jester and his nemeses in Anonymous reflects the sea change that has occurred in hacking and cyber security over the past two decades. As Mikko Hypponen, chief research officer of the Helsinki-based firm F-Secure, recently put it, in the 1990s hackers hacked for fun, but “those happy days are behind us … The happy hackers have disappeared.” Today “all hackers have motives for their actions.”
A typical virus from the happy hacker days was “Form,” an annoyance that spread far and wide among computers running the DOS operating system in the early 1990s. Once a month, on a specific date, Form would produce a clicking sound in the computer’s speaker when the user pressed a key—but it did no real damage.
At that time, the notion that hacking could be something more dangerous—a tool of war or geopolitics—was little more than spy-novel fantasy. In April 1991, as the first Gulf War came to an end, tech journalist John Gantz perpetrated a hoax on his readers: he told them of a spectacularly successful virus developed by the National Security Agency, which had been smuggled from Jordan to Iraq in a printer chip. When the compromised printer chip was plugged into a network, it supposedly impregnated Saddam Hussein’s antiaircraft batteries with its destructive payload, rendering them useless against American air power. Gantz called the virus AF/91, a combination of the year the code was developed and “April Fools.”
AF/91 may have been fiction, but by the end of the decade Gantz’s basic idea was no longer farfetched. In 1999, during the Kosovo War, Bill Clinton green-lit a CIA campaign of cyber warfare against Serbian targets, including an attempt to drain Serbian bank accounts associated with the government. It remains unclear whether this was ever carried out—all relevant documents are still classified—but it was the first time an American hacking operation had been approved as part of a hot war. (Newsweek reported at the time that the plan was “criticized by some lawmakers who questioned the wisdom—and legality—of launching a risky covert action that, if discovered, could prolong the war, alienate other NATO countries—and possibly blow back on the United States.”)
More recently, the advent of the Stuxnet virus has made Gantz’s hoax seem even more prescient: Iran’s Natanz nuclear facility is not connected to the Internet, which means that, like the AF/91 virus of Gantz’s imagination, Stuxnet was smuggled in through an infected piece of outside hardware.
While all this was happening—that is, as governments were turning more and more to cyber warfare—another parallel trend was developing: the democratization of hacking among ordinary citizens. “The Jester might be the highbrow guy—what everyone pictures as ‘the hacker’—at the very top of the pyramid,” says Raj Samani, chief technical officer for security firm McAfee. “But that broad bottom of the pyramid is getting bigger because everyone can do it.” In a forthcoming paper on the proliferation of pay-to-hack tools, Samani points out that committing online crimes—like purloining email passwords or attacking websites—doesn’t require technical expertise. Just a credit card will suffice. A distributed DoS attack against a website, he says, can be purchased online from freelance hackers for as little as $2 an hour.
Given the ubiquity of hacking, it’s little surprise that private individuals and groups have become players in the cyber warfare arena. Sometimes, as with the Jester and Anonymous, the motive might be ideological. In other instances it may be profit. In October 2012, for instance, the Russian security firm Kaspersky Labs uncovered a massive cyber-espionage operation it dubbed “Red October.” The well-designed malware had been in the wild, infecting its quarry, since 2007. But Red October was unique in that it targeted the computers and mobile devices of diplomats, government agencies, and state-run scientific research institutions, allowing its creator to abscond with sensitive—often classified—information. The identity of the perpetrator remains unknown, but in January Kaspersky said it had “no evidence linking this with a nation-state sponsored attack,” and suggested that it could have been the work of freelance hackers-cum-spies interested in selling the material to governments.
‘I find the ability to “touch” and adversely affect real-world targets from … cyberspace very comforting.’
In some cases, hackers may be working more directly for the benefit of governments—even as the extent of their connections to those governments remains uncertain. To take one example: no one knows whether the Syrian Electronic Army—a pro-Assad hacking group once praised by the dictator as a “virtual army in cyberspace”—is part of the government it supports. (The organization recently claimed credit for using the Associated Press Twitter account to tweet that there had been an explosion at the White House, causing a brief plunge in the stock market. It has also hacked the Twitter accounts of The Onion—which has regularly mocked the dictatorship in Damascus—and Justin Bieber. And in Israel, government officials have alleged that the group tried unsuccessfully to penetrate a computer network controlling Haifa’s water supply.)
But even if a government doesn’t have an organization like the Syrian Electronic Army to rely on, it can still purchase the services of hackers. “Anybody, including a government without the offensive cyber capabilities, has this open marketplace,” Samani told me. During a recent trip to the Oslo Freedom Forum, a conference for dissidents and human rights activists, I had breakfast with the Angolan dissident and anticorruption campaigner Rafael Marques de Morais, who during the previous day’s session on cyber security had offhandedly mentioned that his computer—an Apple laptop—had seen a significant drop in performance. It wasn’t, he soon discovered, in need of routine maintenance. “Jacob took a look at it,” he told me gravely, “and found something.”
Jacob Appelbaum—a veteran of WikiLeaks who is currently affiliated with the Tor project, which produces free anonymizing software—had inspected Marques’s computer the previous day and quickly discovered a piece of malware. The surreptitiously installed software was taking a screenshot of Marques’s computer activity every 20 seconds and uploading the images to a server in India.
The story of Appelbaum’s discovery proliferated among tech journalists, but one important detail went largely unmentioned: when I emailed Marques last week, he said that, according to Appelbaum’s research, “the malware was custom designed for me.” (Appelbaum confirmed to me that the infected email that had triggered the attack “was crafted for him to read specifically.”) Moreover, Marques said digital fingerprints indicated that “a multinational based in Portugal” was behind the infection. “Once [Appelbaum] mentioned the name of the multinational, it all made sense,” Marques told me. “It provides auditing services and IT security solutions to the government of Angola.”
The Angolan government, an authoritarian regime flush with oil money, has the financial resources to pay a company to spy on dissidents, even if it probably does not have the technical ability to do so on its own. Of course, it’s impossible to know who was truly behind the attack on Marques’s computer. Cyber-espionage, after all, is hugely difficult to trace back to its original source. Indeed, for rogue governments, organizations, and individuals, that is part of the allure.
[dropcap]B[/dropcap]ut it isn’t just hackers whose political importance is on the rise; all of this online intrigue has also created a lucrative role for private companies that, for rather large fees, help victims of hacking play defense against their tormentors. In their own way, these people, too, have ended up as key players on the geopolitical stage.
In October 2012, New York Times’ China correspondent David Barboza published a blockbuster exposé—which would later win a Pulitzer—detailing the vast personal wealth accrued by former prime minister Wen Jiabao. It was classic shoe-leather journalism: using publicly available “corporate and regulatory records,” Barboza painted a picture of an authoritarian kleptocracy, in which party grandees feathered their nests with massive bribes and kickbacks.
China’s response to the story was swift: Beijing, which had previously been accused of infiltrating computers at Bloomberg and the Associated Press, hacked into the Times. The method was a simple—but effective—technique called spear-phishing, in which hackers send emails to a target organization containing an infected attachment or link. In the end, the Chinese intruders gained access to email accounts on about 50 Times computers and obtained the “corporate passwords” of every Times employee. (According to Times editor Jill Abramson, however, there was “no evidence that sensitive emails or files from the reporting of our articles about the Wen family were accessed, downloaded or copied.”)
In response to the breach, the Times notified the FBI, but federal investigators failed to expel the attackers. In its reporting on the subject, the Times obliquely noted the inadequacy of relying solely on the feds in such situations—pointing out that the U.S. Chamber of Commerce “worked closely with the F.B.I. to seal its systems” after a recent hack, but “months later, the chamber discovered that Internet-connected devices … were still communicating with computers in China.” The Times would not repeat that mistake: it hired the cyber-security firm Mandiant to help it defend itself.
During the Kosovo War, Bill Clinton green-lit a CIA campaign of cyber warfare against Serbian targets, including an attempt to drain Serbian bank accounts associated with the government.
Mandiant was founded in 2004 by Kevin Mandia, a former U.S. Air Force cyber-forensics investigator. It now has 330 employees—many of whom (Mandiant won’t say exactly how many) are former government computer security analysts and retired members of the intelligence community. After the Times discovered the intrusion, Mandiant allowed the hackers—who it quickly identified as being affiliated with the Chinese government—to skulk around the newspaper’s networks, tracking and learning from their movements before ejecting them.
“The counterintelligence model is the best one for this,” says Mandiant’s Richard Bejtlich. “In most cases, you are operating against the equivalent of a foreign intelligence agency.” When Mandiant released a minutely-detailed report on Chinese hacking of U.S. corporations in February, the Associated Press said the document was noteworthy because “the extraordinary details … came from a private security company without the official backing of the U.S. military or intelligence agencies that are responsible for protecting the nation from a cyberattack.”
Mandiant is not the only company operating in this space. CrowdStrike, a Mandiant competitor specializing in “helping enterprises and governments protect their most sensitive intellectual property and national security information,” takes a more aggressive—yet still defensive—approach, telling potential clients that they “don’t have a malware problem, they have an adversary problem.”
Adam Meyers, CrowdStrike’s director of intelligence, tells me that his company tries to “raise the costs” for those involved in electronic espionage and intellectual property theft, making it too expensive and time-consuming to target his clients. Meyers says that CrowdStrike “conducts counterintelligence” against hackers: “For instance, we can make that network they’ve infiltrated hostile by making them collect bad or inaccurate information, therefore limiting the effectiveness of the attack.”
Some believe that the intensity of attacks from hostile foreign intelligence agencies requires the offensive capability to “hack back.” A recent report by the Commission on the Theft of American Intellectual Property, a lobbying group led by former director of national intelligence Dennis Blair and former ambassador to China Jon Huntsman, urged the passage of laws allowing security companies to switch from defensive measures to offensive ones.
Both experts and politicians have bristled at this idea. “I get very, very concerned about an unleashed private sector doing active defense,” House Intelligence Committee chairman Mike Rogers told a cyber-security conference in February.
Of course, that kind of aggressive engagement with America’s adversaries is something the Jester is already doing. To his credit, he appears to have struggled with the morality of his actions. Around the time he became the Jester, he told the website Infosec Island, “I do wrestle with whether what I am doing is right.” In his 2012 chat with University of Southern Maine students, he acknowledged that he violates “the same laws the bad guys do. I am under no illusions that I am also a criminal.”
But when I ask him whether he still has mixed feelings about his work, he says that his doubts have receded. “I used to have a harder time with my moral compass than I do now,” he replies, adding that “the law is murky and unclear at the moment on cyber related issues [and] I am capitalizing on that fact while I can.”
It’s an unsurprising sentiment from someone who sees himself as a soldier in an ongoing war. As he puts it during our chat, “Cyberspace is fast becoming a serious battle space, everyone is now taking notice, and I am proud to be on the right side of things (kinda).”
From our June 14, 2013, issue; You’re Being Hacked.