@War: The Rise of the Military-Internet Complex
Author: Shane Harris

A few months after Rouland's appearance in New York, Endgame appointed a new CEO. Nathaniel Fick was a thirty-five-year-old former Marine Corps captain who'd served in Iraq and Afghanistan and later got his MBA from Harvard Business School and helped run a prominent Washington think tank. Fick wrote a memoir of his combat experience and was profiled in another book, Generation Kill, which was made into a miniseries for HBO.
According to two individuals who know Fick and are familiar with Endgame's business strategy, the new CEO was eager to wean the company off its intelligence contracts and to get out of the zero day business, which he saw as too controversial and ultimately not lucrative enough to justify the hundreds of thousands of dollars it takes to buy a single exploit. The margins for cyber arms were apparently too thin.
But getting out of the business won't be easy. Endgame's investors were drawn to its government clients, who had deep pockets and planned to spend billions of dollars over the coming years on cyber defense and offense. Endgame's board of advisers has historic ties to that lucrative customer base. They include a retired senior Pentagon official who served in several influential technology management posts, as well as the former chief information officer for the CIA. Endgame's chairman is the CEO of In-Q-Tel, the venture capital arm of the CIA, and a member of the board is a former director of the National Security Agency.
But as Fick noted in an interview shortly after his appointment in 2012, the post-9/11 bonanza of military spending is coming to an end as the United States has wound down the wars in Iraq and Afghanistan and braced for a period of fiscal austerity amid calls in Congress for balanced budgets and smaller government. “The defense budget is going to be under pressure, and it should be,” Fick said. “In many cases, the rampant excesses of the last decade are completely unsustainable.” But, he added, “I think there are areas that will continue to grow.”
That growth is the private sector. The two people who know Fick say that Google has become one of the biggest buyers of Endgame's zero day packages. Google would be breaking the law if it retaliated against those trying to steal its intellectual property. But Google has been among the most vocal corporations—and certainly the most influential—urging Congress and the Obama administration to call out China for its cyber espionage and take diplomatic action if the country fails to rein in its hackers. Google began sharing information about attacks on its networks with the NSA after the company was hit in a massive Chinese spying campaign, which saw some of its intellectual property stolen.
Rouland isn't the only Endgamer who has claimed that companies have a right to defend themselves when the government can't or won't. After Anonymous revealed an Endgame presentation showing how customers could use clusters of infected computers, known as botnets, to launch attacks on websites or steal passwords and other sensitive information, a partner at one of Endgame's major investors defended the idea. “If you believe that wars are going to be fought in the world of cyber in the future, wouldn't you want to believe you would have a cyber army at your disposal?” Ted Schlein, who sits on Endgame's board, told Reuters. “Why wouldn't you want to launch a cyber army if needed?”

Most private cyber security companies are at pains to stress that they don't conduct “hack-backs,” that is, breaking in to the intruder's computer, which is illegal in the United States. But companies will spy on intruders once they're inside clients' networks. One prominent player in that business, CrowdStrike, baits the spies with honeypots.
The company may lure hackers into what appears to be a client's network but is actually a kind of sterile zone walled off from any real or important computers. The idea is to buy time to watch intruders, to see what they're most interested in—technical diagrams, say, or negotiating points—and then force them to show what tools and techniques they're using to steal that information. The company might protect a document with an especially long password, hoping that the hacker will deploy a novel technique for cracking it. Once the client has seen what's in an intruder's toolkit, CrowdStrike can predict how the intruder will try to break in to other systems in the future. If the client wants to throw the intruder off the trail, it might plant misleading or untrue information in those documents that purport to be about business strategy or plans for a new product launch.
CrowdStrike will also compare an intruder's various victims to see if a particular industry or type of technology is being targeted. Then the company builds a dossier, even giving the hacker a name in some cases. For more than a year CrowdStrike analysts tracked one “adversary,” which it named Anchor Panda, as it spied on companies involved in the maritime satellite business, aerospace, and defense contracting and targeted foreign governments with active space-exploration programs. Armed with such specific intelligence about what a hacker is after and what methods the hacker is using to break in—his “signatures”—CrowdStrike's clients can theoretically take more precise defensive actions. It's like sending out an all-points bulletin about a fugitive, complete with a physical description and modus operandi, rather than warning the public to be generally on the lookout for suspicious people.
That sounds a lot like the work of a law enforcement agency. And no surprise, since two of CrowdStrike's top executives are former FBI officials. Shawn Henry, CEO of CrowdStrike Services, the part of the company that tracks and identifies intruders, spent twenty-four years in the bureau, retiring in 2012 as the senior official in charge of all cyber programs and investigations worldwide. (The former deputy head of cyber for the FBI is the company's general counsel.) CrowdStrike is different from other cyber security companies, Henry says, because “when we respond to an incident, we actually hunt for the adversary.” He says the company employs network forensics and reverse engineering of malware to understand the hackers' tactics, techniques, and motivations. He is careful to avoid any suggestion that the company breaks in to their adversaries' computers—the former G-man spent years prosecuting people for violating anti-hacking laws. But the word hunt reveals a more aggressive form of analysis than many other firms in the business will admit to. CrowdStrike deploys sensors on its clients' networks and uses crowdsourcing to collect more information on hacks as they're happening, rather than wait for a client to be hit and collect evidence after the fact. It uses intelligence to attribute, as closely as possible, the hacker to a particular country or group. This is one of the hardest things to do in cyber forensics, because skilled hackers conceal their physical location, often by launching their attacks from compromised computers in other countries. CrowdStrike promises to tell clients not just how they're being attacked but why, and by whom. The company focuses particularly on spies and hackers operating on behalf of foreign governments, including China, Iran, and Russia. (A group of analysts in the “strategic intelligence group” reads Chinese, Farsi, and Russian.) In its marketing materials, CrowdStrike repeatedly states that it uses its intelligence-gathering methods to identify intruders and hand over specific, useful information about them to its clients.
This, too, is a technique drawn from the FBI's playbook. The bureau has rounded up hackers, most famously some members of the collective Anonymous, by watching them steal data from companies and individuals. That information becomes the basis for a criminal indictment. But CrowdStrike and its clients aren't always looking to press charges. And here the company's business model gets aggressive.
The other feature that separates CrowdStrike from the competition, Henry says, is its “strike capability.”
“We're not talking about hacking back at the hackers,” Henry says, batting away any notion that the company has crossed a legal line. “What we're talking about is providing the client certain capabilities to make and create a hostile work environment on their network.” CrowdStrike executives know that one way some companies create such a hostile environment is to implant malware in honeypots they scatter throughout their networks. When the intruder brings a document or a file back onto his own computer and tries to open it, a virus is unleashed. It could destroy data on his hard drive, or implant spyware or a backdoor for ongoing access by his victim. CrowdStrike says it doesn't engage in that kind of infection via subterfuge. But in an interview in 2013, Dmitri Alperovitch, CrowdStrike's cofounder, said he approved of similar actions by the government of Georgia, which tricked a Russian hacker into downloading spyware that turned on his webcam and let officials take his picture. They published his photograph in an official report. “The private sector needs to be empowered to take that kind of action,” Alperovitch said.
In February 2014, after Target reported that hackers had stolen more than 100 million customers' credit and debit card numbers, CrowdStrike publicized an online seminar that teaches businesses how to combat cybercrime. “Retail(iate): Don't Be a Target,” said an advertisement that the company e-mailed to prospective clients. The course promised to teach companies “how to take a proactive approach to defending your network” and to show them “how threat intelligence can be used to get ahead of the game.” CrowdStrike may not be hacking back. But the alerts the company sends to its clients, as well as the services it advertises, suggest that customers could end up learning the skills they need if they choose to retaliate on their own.

Finding an adversary is a big step beyond watching his movements—technically and legally. But here, too, there is a market, in which cyber mercenaries are building and selling spyware and hacking tools as sophisticated as any the US government was producing a few years ago. As the power of distributed computing platforms such as cloud services allows smaller groups of people to conduct ever more complicated feats of programming, small companies soon will be building big, powerful cyber weapons that, so far, have remained the exclusive domain of governments. Already the mercenaries have made their mark helping officials intimidate and suppress activists and dissidents. The devices they've built are among the most feared and menacing in cyberspace.
The firm Gamma, based in the United Kingdom, sells a spyware program called FinFisher that hides inside “fake software updates for popular software,” according to the company's marketing documents. The spyware, which can take over a computer, copy its files, and record every word a user types, can be disguised as an update to the popular iTunes app. Users click on the update, thinking they're getting the latest version of the music software, but actually they're installing FinFisher on their computers. Egyptian democracy activists have accused the company of providing spyware to the regime of President Hosni Mubarak, an allegation it denies. Mubarak ordered a brutal crackdown on Egyptian citizens in 2011 before he was ultimately driven from power. Security researchers also claim to have found copies of FinFisher in e-mails sent to democracy activists in Bahrain.
Cyber spies and hackers-for-hire openly market their services to law enforcement and intelligence agencies. An Italian company called Hacking Team, based in Milan, promises “total control over your targets” using “invisible” techniques that are “stealth and untraceable.” “Defeat encryption,” says one presentation on the company's home page, parroting the language of the NSA. “Thousands of encrypted communications per day. Get them.” In 2011 the company opened an office in Annapolis, Maryland, to sell to US clients.
Hacking Team is upfront about the business it's in. “Sometimes relevant data are bound inside the device, never transmitted and kept well protected . . . unless you are right on that device,” says a brochure for one of the company's spyware tools, Remote Control System.

    Question is, is there an easy way to hack into that device? . . . What you need is a way to bypass encryption, collect relevant data out of any device, and keep monitoring your targets wherever they are, even outside your monitoring domain. Remote Control System does exactly that. Take control of your targets and monitor them regardless of encryption and mobility. . . . Hack into your targets with the most advanced infection vectors available. Enter his wireless network and tackle tactical operations with ad-hoc equipment designed to operate while on the move. Keep an eye on all your targets and manage them remotely, all from a single screen.

Reportedly, the product can turn on a laptop computer's camera and microphone, making it an eavesdropping device.
Only at the end of the brochure does Hacking Team mention that its product is intended solely for “governmental interception.” (The company was founded by a pair of hackers who had built a spyware product purchased by local Italian police.) Hacking Team claims that it sells only to governmental law enforcement and intelligence agencies, and that it will not sell to “countries blacklisted” by the United States, the European Union and NATO, or members of the ASEAN group of Southeast Asian countries. It also promises to review all potential customers to ensure that the technology won't “be used to facilitate human rights violations.”
But in October 2012, researchers with Citizen Lab at the University of Toronto reported that Hacking Team's Remote Control System was used to infect the computer of a prominent pro-democracy activist in the United Arab Emirates named Ahmed Mansoor, a forty-four-year-old electrical engineer who had once been imprisoned for signing an online petition calling for open elections in a country ruled by hereditary monarchs. Mansoor had inadvertently downloaded the spyware, which was hidden inside a seemingly legitimate e-mail. The spyware burrowed deep into his personal computer, inspecting files and recording what Mansoor typed. He noticed that his computer was running slowly, and after seeing reports about FinFisher's use against activists in Bahrain, he contacted a security researcher, who confirmed that he had been hacked. The spyware was so strong that even when he changed his e-mail password the unseen intruder was still able to read his messages. The intruder was fully in control of the computer, able to track all of Mansoor's communications and his network of fellow activists. The intrusion was traced to an Internet address in the United Arab Emirates.