@War: The Rise of the Military-Internet Complex (22 page)

In 2012 the bureau was spending $296 million on its various cyber-related operations. The following year officials asked Congress for $86 million more as part of the FBI's Next Generation Cyber Initiative, which would expand the bureau's monitoring capabilities by hiring more personnel and creating a new system for analyzing malware and intrusions. The bureau wanted to hire 152 new employees—on top of the existing 1,232—the majority of whom were not FBI agents but computer scientists, engineers, forensic examiners, and intelligence analysts. Cyber programs constitute the fastest-growing parts of the FBI's budget. Before he retired, FBI director Robert Mueller—who took the job one week before the 9/11 attacks—told Congress that “the cyber threat will equal or surpass the threat from counter terrorism in the foreseeable future.”

Chasing criminal hackers and foreign cyber warriors is the FBI's future. And the agency is looking a lot more like the CIA or the NSA. Most of the new staff are intelligence analysts and hackers, not law enforcement officers. And the official says that the FBI is using the Foreign Intelligence Surveillance Act more often to gather information during cyber investigations because it's easier to obtain surveillance authorizations under that law than using criminal statutes, which require law enforcement to show probable cause that a crime is being committed.

“When information comes from FISA, it's not being used in a criminal prosecution. So, why are we collecting it? I scratch my head at that,” the senior law enforcement official says. “At some point, we're no longer driving an investigation. We're just collecting intelligence.” Put another way, the FBI is spying.

This is a historic shift in policy for the United States' top law enforcement agency. When the FBI collects information to use in a trial, it follows stricter procedures for control of evidence and narrows its investigations. When it makes intelligence its primary mission, it casts a wider net and puts more emphasis on providing targets for the NSA and military cyber warriors than on bringing criminals to justice.

 

Some of the FBI's most important intelligence targets today are Chinese cyber spies stealing intellectual property. “We do a lot of collection on China's victimizing US companies,” says a former senior FBI official who managed cyber cases.
The bureau has broken in to the computers of Chinese hackers and stolen the lists of specific companies they're targeting. “We identify and notify those companies: ‘This is a computer on your network taken over by China. This is how we know.'”

FBI cyber operators have also obtained the e-mail addresses of employees whom Chinese hackers intend to spear phish, sending them legitimate-looking e-mails that actually contain spyware. “We knew what luring words and phrases the e-mails used before they were sent,” the former official says. “We told companies what to be on the lookout for. What e-mails not to open. We could tell them ‘You're next on the list.'”

Among the most worrisome people on those lists were employees of American oil and natural gas companies. These businesses own and operate major refineries and pipelines that are run by SCADA (supervisory control and data acquisition) systems, the same kinds of devices that the NSA attacked in the Iranian nuclear facility to make centrifuges break down. Chinese attempts to penetrate oil and natural gas companies “were never-ending,” the former official says. The campaign reached a fever pitch in the spring of 2012, when hackers penetrated the computer networks of twenty companies that own and operate natural gas pipelines. FBI and Homeland Security Department officials swooped in and gave classified briefings to executives and security personnel. They watched the hackers move on the networks in order to get a better sense of how they got in, and what damage they might cause. There's no evidence that they gained access to the critical SCADA systems that actually control the pipelines—the spies could also have been looking for strategy documents or information about US energy supplies. But the penetrations were so rampant, and so alarming, that the Homeland Security Department issued a broad alert to the energy industry about the threat and what steps they could take to protect their systems.

The former official says the FBI has also infiltrated Russian and Eastern European criminal organizations that specialize in stealing money out of companies' bank accounts—to the tune of several billions of dollars a year. The FBI discovered the crooks' targets, then warned those people and companies that an attack was coming. And the bureau infiltrated the computers of the hacker collective Anonymous, found its target lists, and warned the people on them.

Does any of this intelligence actually stop attacks from happening? “I definitely saw prevention,” the former official says, in the form of software patches applied, particular IP addresses blocked from connecting to corporate computer networks, or improvements in basic security practices such as using longer or harder-to-guess passwords, which even sophisticated companies sometimes fail to do. But success is hard to quantify. Companies don't acknowledge individual cases where assistance from the government paid off, because they don't want to admit that they were at risk in the first place.

The FBI spends most of its cyber budget and its investigative time tracking Chinese intrusions into US computer networks and trying to prevent a major attack on critical infrastructure, current and former officials say. This is an undoubtedly important mission, but it's not law enforcement, which is the FBI's mandate. The bureau doesn't decide which cases to prosecute—that's up to the Justice Department, federal prosecutors, and ultimately the attorney general. But to date the United States has never brought a case against any Chinese hacker for intellectual-property theft or violating US anti-hacking laws.

“What's happened in national security cases is the US government has prioritized counterintelligence, in the hopes that it will result in some strategy to stop China from doing what they're doing,” says the former official. Rather than resort to courts, the Obama administration has decided to publicly call out Chinese hackers and lean on their government to rein them in. Evidence collected by the FBI—and the NSA—helps them do that. (To be sure, the Chinese government would almost certainly not cooperate with a US criminal case against one of its own citizens. Chinese leaders barely acknowledge that their country is the source of so much spying on the United States, and they accuse American hackers—with some cause—of spying on them.)

While officials look for a diplomatic solution to rampant espionage, the information that the FBI gives to corporations is supposed to help them fend off future attacks. Much like the NSA providing intelligence to defense contractors, the FBI is giving it to owners and operators of critical infrastructure and to banks and financial services companies—which officials have deemed vital to US economic security and the basic functions of daily life.

 

The FBI doesn't always warn companies that they've been hacked. Sometimes it uses them as bait, and the consequences can be disastrous.

In early December 2011, George Friedman, CEO of the private intelligence company Stratfor, got a call from Fred Burton, his senior vice president for intelligence and a former counterterrorism specialist with the State Department. Burton told Friedman that the company's website had been hacked, and that credit card information for subscribers to its various reports about world affairs and international relations had been stolen. Those numbers had not been encrypted, a basic security measure the company had failed to take. The next morning, according to an account Friedman later wrote, he met with an agent from the FBI, “who made clear that there was an ongoing investigation and asked for our cooperation.”

The ongoing operation was an FBI sting against members of the hacker group Anonymous, who had targeted Stratfor because of its perceived connections to the US government and intelligence community. (One of the hackers later accused the company of “spying on the world,” as well as on Anonymous itself.)
Stratfor employs former government personnel, but it's a private company that generates reports and analysis not unlike many consulting firms or even news organizations. Its daily summaries of world events are read by government employees, including those within the military and the intelligence agencies, but they're not produced solely for them.

Six months before Stratfor learned that it had been infiltrated, the FBI had arrested the prominent hacker Hector Xavier Monsegur, who went by the name Sabu, and turned him into an informant. Monsegur was a leader in another hacker group, LulzSec, which had also targeted corporations and government agencies, including the CIA, whose website it once claimed to take offline. FBI officials would later say that Monsegur helped them charge hackers in Britain, Ireland, and the United States, and that the information he helped generate prevented intrusions against three hundred government agencies and companies. But Stratfor wasn't one of them.

The FBI learned that Anonymous had gone after Stratfor in December 2011, when Jeremy Hammond, the accused leader of the operation, contacted Monsegur and informed him that he'd broken in to the company's networks and was decrypting confidential information. But rather than alert Stratfor, the FBI baited a trap.

The bureau told Monsegur to persuade Hammond and his fellow hackers that they should transfer information from Stratfor to another computer, which was secretly under the FBI's control. According to a criminal complaint, the hackers moved “multiple gigabytes of confidential data,” including sixty thousand credit card numbers and records about Stratfor's clients, as well as employee e-mails. But during the two-week operation, the FBI also watched as the hackers stole innocent subscribers' financial information and deleted Stratfor's proprietary documents. The hackers also sent five million Stratfor e-mails to WikiLeaks. (The FBI later claimed it was powerless to stop the hackers because they'd stored the e-mails on their own computers.)

The FBI told Friedman not to inform his customers about the breach and not to go public with the news that Stratfor had been hacked. They wanted him to wait as the FBI followed the hackers' moves. But then, early on the afternoon of December 24, Friedman was informed that the Stratfor website had been hacked again. This time the hackers posted a “triumphant note” on the homepage announcing that they'd stolen credit card numbers and a large amount of e-mail, and that four Stratfor servers had been “effectively destroyed along with data and backups,” Friedman wrote.

This was a crippling blow to the company's infrastructure. Those servers stored years' worth of reports and analysis that Stratfor had produced and sold to subscribers. It was the essence of Stratfor's business. The e-mails were private and confidential, and in some cases contained embarrassing correspondence among Stratfor employees, such as Burton, who used various racial epithets to refer to Arabs.

Hammond later said that destroying servers was common practice. “First you deface, then you take the information, then you destroy the server, for the Lulz [fun of it], and so they can't rebuild the system. We don't want them to rebuild. And to destroy forensic information that could be used to find out who did it and how it was done.”

Deleting Stratfor's archives and exposing private communications materially damaged the company's business and its reputation. The FBI could have warned Stratfor to take emergency precautions to protect its information. It could have tried to apprehend the hackers earlier. But officials decided it was more important to get Hammond and his colleagues to move information onto an FBI computer, so it could be used to build a criminal case. Stratfor was caught in the crossfire of the FBI's hunt for Anonymous.

So were its clients. In the days after the break-in, hackers released credit card numbers of subscribers, which were reportedly used to make $700,000 in fraudulent purchases. Those transactions, some of which took the form of charitable donations, could be reversed by credit card companies. But the hackers also disclosed subscribers' e-mail addresses, which were later used for malware attacks.
Some of Stratfor's subscribers were retired intelligence officers. Many others worked in academia, international relations, or corporate security. Notable subscribers have included former secretary of state Henry Kissinger, former national security adviser John Poindexter, and former vice president Dan Quayle.

Stratfor estimated that the hack cost the company $2 million in lost revenue and cleanup expenses. It also settled a class-action lawsuit brought by a former subscriber, which reportedly cost the company at least another $2 million in free subscriptions it agreed to give to current and former customers, as well as attorney fees and credit-monitoring services for customers who requested it.

 

Stratfor's case is a chilling indication of the harm a company can suffer at the hands of hackers under FBI surveillance. To be sure, the bureau has to acquire evidence of a crime if it's going to arrest hackers. Officials later claimed that Monsegur helped them effectively topple the LulzSec group, which was blamed for a string of website defacements and intrusions. And many companies have been warned by the bureau about threats to their business. But the Stratfor operation exposed an ugly truth about the FBI's counter-hacking strategy. If the purpose is gathering intelligence, namely, about Chinese and Russian groups, then the FBI will help to preempt attacks and prevent damage. But if the bureau is operating in its traditional mode—catching bad guys and bringing them to justice—it's willing to sacrifice the victims.

Monsegur has proved to be a productive ally for the FBI. In 2013 the Justice Department requested that a judge delay sentencing him in light of the assistance he continued to provide with other undisclosed investigations.
“Since literally the day he was arrested, the defendant has been cooperating with the government proactively,” a federal prosecutor wrote to a judge in New York. “He has been staying up sometimes all night engaging in conversations with co-conspirators that are helping the government to build cases against those co-conspirators.” If given the maximum sentence, Monsegur could have spent the rest of his life in prison.