Information Security News
FBI operation penetrates hacker underground
From: InfoSec News <isn () c4i org>
Date: Mon, 17 Sep 2001 04:03:21 -0500 (CDT)
Forwarded by: Jeff Moss <jmoss () blackhat com>
By DAN VERTON
September 11, 2001
The FBI has gained a foothold in the hacker underground thanks to an
18-month undercover operation launched during the height of the U.S.
military's 1999 bombing campaign in Kosovo.
What started out as a Defense Department operation designed to ferret
out pro-Serbian hackers responsible for the April 1999
denial-of-service attacks against U.S. government and NATO Web sites
soon led to the first coordinated undercover operation targeting
U.S.-based hackers, Computerworld has learned.
The operation, whose code name is being withheld for security reasons,
involved a joint team of half a dozen FBI and Pentagon criminal
investigators who posed as hackers on the Internet. Dozens of
investigations by the Justice Department have been opened as a result
of the operation's success, including some that are continuing.
During the course of the operation, agents developed multiple
informants within the hacker underground, conducted more than a dozen
authorized defacements of government Web sites to establish a
reputation among the hackers and received assistance and training from
hackers they had arrested.
William Swallow is director of incident response for the Cyber Attack
Tiger Team (CATT) at Exodus Communications Inc. in Santa Clara, Calif.
He is also the former lead investigator in the sting operation and one
of the agents who for a year posed as a hacker. Although the team
never defaced a corporate Web site, it received permission to hack
into and deface government Web sites and then posted those defacements
to Attrition.org, a Web site that archives hacker defacements, he
"Even a half-dozen hacks got you a pretty good reputation," said
Swallow. "I had to be able to demonstrate to them that I could do it."
The plan worked. Swallow and the other investigators developed close,
even competitive, relationships with hackers through the use of
Internet Relay Chat rooms. Soon, hackers were trying to get the
investigators to take part in coordinated hacking attacks and offering
to share stolen information.
"It took about six months to really get them to feel comfortable
enough to pass information along," said Swallow. "I had hackers pass
stolen credit cards to me and request help in hacks." Some of those
young hackers had relationships with Russian mafia organizations and
were trying to sell the information.
Swallow came up with the idea for the investigation shortly after he
was detailed to the FBI's computer intrusion squad in Los Angeles in
1999. He had been sent there by the Pentagon to help develop sources
in the Serbian hacker community who might be able to lead
investigators to the perpetrators of the April denial-of-service
attack against Defense Department Web sites. He managed to uncover a
valuable informant who helped him collect volumes of intelligence
information on hackers around the world. But when the Serbian hacker
operation was about to come to an end, Swallow realized that he and
others had managed to penetrate a good portion of the hacker
underground in the U.S.
Rather than shut down the operation, the FBI agreed to keep it going.
Although Swallow and others didn't know it at the time, the undercover
investigation would come to play a pivotal role in the eventual
prosecution of the 17-year-old hacker known as "Mafiaboy." The
Canadian hacker pleaded guilty to 58 charges stemming from the
February 2000 denial-of-service attacks against Web sites belonging to
five companies, including Amazon.com Inc., Dell Computer Corp., eBay
Inc., Yahoo Inc. and CNN.
On the night that Mafiaboy launched his attack, Swallow and other
hackers watched in disbelief as he bragged about what he had just
done. Nobody, including the other hackers who were present in the chat
room, believed him. As a result, Swallow, who had operator status in
the chat room -- giving him the authority to control who was allowed
in -- kicked Mafiaboy out and banned him from returning.
"Most of us really didn't have much respect for him," said Swallow.
"We didn't believe him and didn't think he was that good. I don't
think he was that good. I think he just had access to the right
tools." Hacker informants would later lead the FBI to the teenager.
A U.S. attorney who spoke on condition of anonymity said undercover
operations, including this one and others that are ongoing, have been
"very important" to the FBI's ability to track down hackers,
"especially with people that are beyond the reach of our courts
Eric Friedberg, a former computer and telecommunications crime
coordinator at the U.S. Attorney's Office in New York, said that
although undercover operations are "the wave of the future," there are
Hacker informants can be "extremely unreliable," said Friedberg, now a
computer crime consultant at Stroz and Associates in New York.
"It's hard to engender a sense of loyalty in that community," he said.
"They see it as sort of a game. Many of them don't appreciate that
they're jammed up [in trouble with the law]. It makes for very dicey
ISN is currently hosted by Attrition.org