[BreachExchange] How Steel City Became the Front Line in America’s Cyberwar

Audrey McNeil audrey at riskbasedsecurity.com
Fri May 13 15:55:18 EDT 2016


http://foreignpolicy.com/2016/05/12/how-steel-city-became-the-front-line-in-americas-cyberwar/

The portraits of Chinese army officers mounted on poster board stare down
from the walls of the FBI’s western Pennsylvania field office.

Though they will probably never see the inside of a courtroom, the five men
represent the culmination of arguably the most significant cybercrime
investigation to date carried out by federal agents based in Pittsburgh:
the case against the People’s Liberation Army hackers who were indicted in
2014 for stealing industry secrets from the computers of major American
companies.

Over the last 15 years, Pittsburgh has emerged as a perhaps surprising
center of high-profile cybercrime investigations. Down in Washington, FBI
Director James Comey complains that encrypted communications and other data
advances have resulted in investigations going “dark” as suspects evade the
government’s efforts to nab them online.

But 250 miles away in the Steel City, prosecutors have blended gumshoe
tactics, sophisticated digital tools, and the area’s high-tech research
centers to unmask and charge hackers and organized crime bosses from China
to Russia.

“Companies were being intruded upon, and they didn’t understand it,” said
U.S. Attorney David Hickton, who took up the top prosecutor’s job in
Pittsburgh in 2010 and stepped up the office’s crackdown on cybercrime.

Never in human history has data encryption been so readily available, and
it has become a disturbing reality for law enforcement. That was made all
too clear in the immediate aftermath of the Dec. 2, 2015, attacks in San
Bernardino, California, when investigators were tripped up by the encrypted
contents of the iPhone of gunman Syed Rizwan Farook as they sought to piece
together why he and his wife opened fire on a community center, killing 14.

After the Justice Department sought, and received, a court order for Apple
to override the phone’s security features, the FBI’s pursuit of encrypted
data triggered a national debate over the limits of government power in the
digital age.

“Encryption is part of our lives,” said Keith Mularski, the FBI’s top
cybercrime investigator in Pittsburgh, who takes a laissez-faire view
of encryption. Though he regularly encounters phones that he can’t break
into — and tries to get around their security features when he can —
Mularski said he understands that encryption is now a part of the
Internet’s fabric and probably can’t be eliminated, even as it poses an
obstacle for law enforcement.

In Washington, encryption is often either heralded or demonized in national
security debates. But on the front lines in the fight against crime, law
enforcement officials are simply looking for solutions.

In 2006, Mularski went undercover to investigate online forums that bought
and sold credit card data. Working under the alias Master Splyntr, he soon
found himself confronting one of the most talented hackers of his
generation, Max Butler, better known as “Iceman.”

Iceman aspired to become an online credit card kingpin and began trading
and selling stolen data through the CardersMarket forum he was running.
Seeking to build and control one master site, Iceman attacked his rivals to
steal their users and credit card data.

By this time, Mularski was lurking undercover as an administrator on the
DarkMarket forum, which Iceman attacked — and in doing so, landed squarely
on the FBI’s radar.

To catch criminals online, federal agents have to “use to maximum effect
our ability to be as anonymous as they are,” said Eric Zahren, the special
agent in charge of the Secret Service’s Pittsburgh office. That reliance on
anonymity cuts both ways, however: As investigators try to identify the
location of online criminals, the hackers similarly nose around on the
identities of outsiders who are trying to infiltrate the site. Mularski,
for example, was outed as an agent when he went undercover to catch Iceman.

While collecting evidence, Mularski and other agents discovered a
sophisticated suite of encryption technology Iceman was running on his home
computers. Investigators desperately wanted the data stored on those
computers and enlisted researchers at Carnegie Mellon University in
Pittsburgh to work with FBI agents, leading to a nighttime raid on Butler’s
home.

At the time, investigators would usually just pull the plug on seized
computers to maintain the state they found them in. But doing so with
machines that contain encrypted information risks losing the chance to
examine it later, because the data is likely to be scrambled and lost,
said Kristopher Rush, deputy director for digital intelligence and
investigations at Carnegie Mellon’s Software Engineering Institute (SEI).

Using a “no knock” search warrant, FBI agents and Carnegie Mellon experts
carried out a “live capture” on Butler’s machines, said veteran Assistant
U.S. Attorney Paul Hull, who helped work the case. Once they cracked
Butler’s encryption, investigators found 1.8 million stolen credit card
numbers with $86.4 million in charges.
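The live-capture decision described above comes down to one question an examiner has to answer before touching the power cable: is any encrypted volume on the box unlocked right now? The following is an added example, not code from the article, the FBI or CMU/SEI. It parses the JSON that `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` prints on a Linux host and flags every open dm-crypt mapping, whose key lives only in RAM; the block-device tree it uses as input is constructed for the example, and the device and mapping names in it are made up.

```python
"""Pre-seizure triage on a running Linux host: is anything encrypted
currently unlocked, so that cutting power would discard the key?

Added example, not code from the article, the FBI or CMU/SEI. It reads the
JSON that `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` prints and flags every
dm-crypt mapping (type "crypt"): the key for such a mapping lives only in
RAM, so the volume goes back to ciphertext the moment the machine is
powered off. The sample tree below is constructed, not captured from a
real host.
"""
import json
import subprocess

# Constructed lsblk -J output: sda2 is a LUKS container unlocked as
# "cryptroot" and mounted on /, sdb1 is plain ext4, and sdc1 is a LUKS
# container that is still locked (no child mapping), so powering down
# loses nothing there.
SAMPLE_LSBLK_JSON = """
{"blockdevices": [
  {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
    {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null,
     "children": [
       {"name": "cryptroot", "type": "crypt", "fstype": "ext4", "mountpoint": "/"}]}]},
  {"name": "sdb", "type": "disk", "fstype": null, "mountpoint": null, "children": [
    {"name": "sdb1", "type": "part", "fstype": "ext4", "mountpoint": "/data"}]},
  {"name": "sdc", "type": "disk", "fstype": null, "mountpoint": null, "children": [
    {"name": "sdc1", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null}]}
]}
"""

def _mountpoints(dev):
    """Mountpoints of this node and everything stacked on it (LVM, etc.)."""
    found = [dev["mountpoint"]] if dev.get("mountpoint") else []
    for child in dev.get("children") or []:
        found.extend(_mountpoints(child))
    return found

def _collect(dev, unlocked, locked):
    if dev.get("type") == "crypt":
        unlocked.append({"name": dev["name"], "mountpoints": _mountpoints(dev)})
    elif dev.get("fstype") == "crypto_LUKS" and not dev.get("children"):
        locked.append(dev["name"])
    for child in dev.get("children") or []:
        _collect(child, unlocked, locked)

def triage(lsblk_json):
    """Return what is unlocked, what is still sealed, and the verdict."""
    unlocked, locked = [], []
    for dev in json.loads(lsblk_json).get("blockdevices", []):
        _collect(dev, unlocked, locked)
    return {
        "unlocked": unlocked,
        "locked_containers": locked,
        # any open mapping means plaintext is reachable only while power is on
        "live_capture_required": bool(unlocked),
    }

def triage_this_host():
    """Run the real lsblk (needs util-linux with JSON output support)."""
    out = subprocess.run(
        ["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"],
        capture_output=True, text=True, check=True).stdout
    return triage(out)

if __name__ == "__main__":
    report = triage(SAMPLE_LSBLK_JSON)
    for vol in report["unlocked"]:
        print(f"UNLOCKED {vol['name']} mounted at {vol['mountpoints'] or 'nowhere'}")
    print("still sealed:", report["locked_containers"])
    print("live capture before power-off:", report["live_capture_required"])
```

Two caveats for use in the field: the check only sees block-level encryption, so a clean result says nothing about file-level or container encryption (an encrypted archive, a mounted userspace filesystem), and it is Linux-specific; on Windows the equivalent question is answered by `manage-bde -status`. A "yes" means imaging memory and the mounted plaintext before power-off, not after.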

Though Butler was sentenced in 2010 to what was then a record 13-year
prison sentence for hacking, Hull won’t go into details about how the
Carnegie Mellon experts foiled his encryption. “How we do that is something
we don’t want to talk about,” he said.

Carnegie Mellon’s campus, and its skilled computer scientists, plays a key
role in the Justice Department’s burgeoning tech prowess in Pittsburgh. The
university is home to the CERT Coordination Center, the first computer
emergency response team, set up in 1988 in response to the Morris worm, the
first large-scale Internet worm.

Pittsburgh is also home to the National Cyber-Forensics and Training
Alliance, which was set up as a nonprofit organization in 1997 and serves
as a venue for law enforcement and industry representatives to share
information about cybercriminals. Law enforcement officials in Pittsburgh
described the NCFTA as a valuable source of technical expertise and
intelligence in their investigations.

Perhaps more importantly, Carnegie Mellon’s Software Engineering Institute,
established in 1984, is a Defense Department-funded research and
development center that works on long-term projects focused on securing
computer systems. Last July, the Pentagon renewed its five-year $1.73
billion contract with SEI.

SEI’s research focuses largely on emerging technologies and how they might
impact federal law enforcement. Its findings are distributed to clients,
including the Pentagon and agents and prosecutors. Even before federal
investigators asked for help to crack Iceman’s systems, Rush said, SEI
researchers were testing encryption products and their vulnerabilities.
When the FBI came knocking, they were ready to go.

If Iceman was the Internet supercriminal of yesterday, today that title
arguably belongs to Evgeniy Bogachev, the Russian mastermind behind the
GameOver Zeus botnet who is believed to have stolen close to $100 million
from businesses and individuals.

Botnets can be used to swamp websites with bogus traffic to take them down
— a distributed denial-of-service attack. GameOver Zeus was used mostly to
steal banking login credentials from unsuspecting consumers, using malware
that infected between 500,000 and 1 million computers before it was
dismantled in 2014.

At the time, FBI Executive Assistant Director Robert Anderson
called GameOver Zeus the “most sophisticated botnet the FBI and our allies
have ever attempted to disrupt.” In Pittsburgh, prosecutors slapped
Bogachev with a 14-count indictment and charged him with computer hacking,
wire fraud, and money laundering.

But Bogachev remains at large, frustrating Pittsburgh investigators and
highlighting U.S. dependency on foreign allies to combat cybercrime’s
global reach. While Bogachev’s whereabouts remain unknown, it’s unlikely
Russia will return him to the United States for prosecution. One policeman
in the hacker’s home in a Black Sea resort town even told reporters he’d
just as likely “pin a medal on the guy” as arrest him. The FBI has offered
a $3 million reward for information leading to Bogachev’s arrest.

The GameOver Zeus botnet relied on a witches’ brew of encryption, proxies,
and sophisticated malware to carry out a large-scale digital heist. These
technologies help online criminals cover their tracks and obscure their
schemes — giving rise to authorities’ complaints their investigations are
going dark.

To track down Bogachev and defeat his security measures, investigators
followed a winding trail of servers around the world, relied on tips from
informants, executed wiretaps, and monitored his attacks in real time. To
take down his botnet, they teamed up with security experts from Dell and
CrowdStrike and researchers from Carnegie Mellon and the Georgia Institute
of Technology in a wide-ranging probe that also relied on assistance from
authorities in more than 10 countries.

But the federal government’s relationship with Carnegie Mellon is one
that’s also fraught with controversy.

In May 2014, two Carnegie Mellon researchers posted an abstract of an
upcoming talk at the Black Hat hacker conference that claimed they had
found a way to reveal the identities of users on Tor, a service that allows
individuals to mask their IP addresses. “You don’t have to be the NSA to
break Tor,” the researchers bragged. “We know because we tested it, in the
wild.”

In November 2014, the FBI’s New York office executed Operation Onymous, a
crackdown on online drug marketplaces, including some that used Tor’s
hidden services. The illicit sites included Silk Road 2.0, which emerged on
the dark web after Silk Road 1.0 was shut down in 2013. In subsequent court
filings, the FBI revealed that its investigation relied on information from
a “‘university-based research institute’ that operated its own computers on
the anonymous network used by Silk Road 2.0.”

It remains unclear whether that “university-based research institute” was
in fact SEI, which employed the two researchers responsible for the paper
slated to be presented at Black Hat. Tor developers have accused the FBI of
paying Carnegie Mellon for the Tor exploit, a charge the university has
denied.

In a November 2015 statement, Carnegie Mellon was coy about the connection.
“In the course of its work, the university from time to time is served with
subpoenas requesting information about research it has performed,” it said.
“The university abides by the rule of law, complies with lawfully issued
subpoenas and receives no funding for its compliance.”

Academics and civil liberties advocates are furious that the FBI may have
been able to obtain a huge trove of Tor user data by subpoenaing academic
research, which would have bypassed the legal scrutiny for obtaining a
warrant. While Tor can be used to host child porn and drug markets, it is
also used by dissidents and human rights activists to hide online from
oppressive regimes.

The Carnegie Mellon researchers may have put the safety of the Tor users at
risk when they were unmasked. “The CMU researchers acted with total
disregard for their subjects,” said Chris Soghoian, the principal
technologist at the American Civil Liberties Union.

Eight months after Silk Road 2.0 was crushed, the FBI office in Pittsburgh
launched a massive international operation to dismantle a hacker forum
known as Darkode, where digital criminals bought and sold malware. It has
been speculated that the takedown of Darkode, which was hosted using Tor,
was linked to Operation Onymous’s use of Carnegie Mellon data.

Yet prosecutors said the bulk of the Darkode case was built using detective
tools from the analog era that have since been adapted for the digital age.

“This was a forum that was infiltrated at the highest levels using more
traditional law enforcement techniques,” said Jimmy Kitchen, one of the
Pittsburgh-based prosecutors on the case.

Affidavits filed as part of the Darkode takedown show how the FBI relied on
confidential informants and undercover agents with access to the
password-controlled forum to gather evidence. As it turned out, Darkode was
rife with infiltrators, including security journalist Brian Krebs.

When it rolled up the site, the FBI worked with counterparts in 20
countries to arrest dozens of the forum’s members. In announcing the
arrests, Hickton described Darkode as “a cyber hornets’ nest of criminal
hackers which was believed by many, including the hackers themselves, to be
impenetrable.”

The investigation showed how essential international cooperation is for
cybercrime investigations, which often reach far beyond U.S. borders.
Affidavits in the Darkode case describe how, for example,
police in Slovenia raided a home to verify that a suspect had sold access
to a botnet to an undercover FBI agent posing as a hacker on the forum.

In response to that borderless reality, judges now have greater authority
to allow police to hack computers whose users try to hide their location.
Late last month, the U.S. Supreme Court approved a change to what is known
as Rule 41 of U.S. criminal procedure, giving judges the power to issue
warrants to seize information on computers located outside their immediate
jurisdiction.

Civil liberties advocates fear the change will vastly expand the FBI’s
ability to hack into computers. They also argue the extent of the
government’s power in this arena remains unclear, as it has refused to
reveal guidelines for when law enforcement can use hacking tools.

Justice Department spokesman Peter Carr declined to comment except to note
that the hacking tools are court-approved — ensuring the limits of
prosecutorial power and ensuring probable cause in investigations.

Hickton welcomed the Rule 41 change. “I love it,” he said.

But when they can, investigators are avoiding hacking tools in favor of
ordinary detective work to identify suspects hiding behind a digital wall.

In 2012, the University of Pittsburgh received a flurry of bomb threats
delivered through an anonymous email service to local media outlets. More
than 100 buildings were evacuated, the campus rattled by the repeated
threats of violence. The person responsible for most of the threats — some
were also scrawled on bathroom walls — used an anonymizing tool that
prevented authorities from easily determining his identity.

“I was told originally that we had about as much chance of identifying the
defendant in that case as identifying a single grain of sand on a beach on
the East Coast of the United States,” Hickton said.

Anonymizing tools such as remailers, which disguise the origin of an email,
and Tor, a program that conceals the IP address of a user, can be powerful
tools to shield one’s identity online. But the security they provide is far
from perfect.

By serving subpoenas to the Pittsburgh media organizations receiving the
threats, Hickton obtained the IP addresses of the emailed threats. From
there, he secured the cooperation of what he describes only as “overseas
partners” to examine servers the emails had bounced off of in order to
shield the identity of the sender.

And that led Hickton and his team to Adam Busby, the now 68-year-old leader
of a fringe Scottish nationalist terrorist group. An alleged serial
threatener, Busby has also allegedly delivered hoax threats against
high-profile British officials, including former Prime Minister Margaret
Thatcher, Cherie Blair, and members of the royal family. In October 2015, a
Glasgow court found Busby, who had been diagnosed with multiple sclerosis,
unfit to stand trial. Busby has reportedly admitted responsibility for
making the Pittsburgh threats.

“That was the case where we believed that we could do big-league
cyberthreats here,” Hickton said.

To pursue the Chinese hackers who targeted some of Pittsburgh’s flagship
companies, including U.S. Steel and aluminum giant Alcoa, Hickton took a
similar approach, working closely with the companies to understand the PLA
officers’ actions. He assigned one team of investigators to collect
evidence from the companies and another to determine the hackers’
identities.

To shield their identity, the hackers were bouncing traffic off servers
around the world, including one in Kansas, and then on to Shanghai. It
quickly became clear to investigators that the hackers were working in
Shanghai’s time zone — and even that they lessened their attacks during the
proper lunch hour. Hickton wouldn’t directly say how investigators zeroed
in on the hackers named in the indictment but noted suspects in similar
cases had been identified after they had carried out their hacking while
also logged in to their private social media accounts.
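The time-zone observation above is a standard attribution technique: take the timestamps of the intrusion activity, try every plausible UTC offset, and see which one turns the activity into an ordinary working week with a lunch break. The following is an added example, not the investigators' or anyone else's tooling, and it generalizes the single case in the text by scanning all offsets from UTC-12 to UTC+14 rather than testing one. Its input is constructed with a fixed seed to mimic an operator at UTC+8; real inputs would be beacon, logon or file-transfer times pulled from victim logs.

```python
"""Working-hours attribution: which UTC offset makes an intruder's activity
look like a nine-to-five day with a lunch break?

Added example, not the investigators' tooling. The event times are
constructed (fixed seed) for an operator at UTC+8; in practice they would
be C2 beacon, RDP logon or exfiltration timestamps from the victim's logs,
normalized to UTC.
"""
import random
from collections import Counter
from datetime import datetime, timedelta, timezone

WORK_START, WORK_END, LUNCH_HOUR = 9, 18, 12

def make_sample(offset_hours=8, n=600, seed=7):
    """Constructed activity: weekdays 09-18 local, thin at 12-13, for an
    operator sitting at UTC+offset_hours. Returned as UTC datetimes."""
    rng = random.Random(seed)
    tz = timezone(timedelta(hours=offset_hours))
    day0 = datetime(2013, 3, 4, tzinfo=tz)          # a Monday
    events = []
    while len(events) < n:
        day = day0 + timedelta(days=rng.randrange(60))
        if day.weekday() >= 5:
            continue                                 # no weekend shifts
        hour = rng.randrange(WORK_START, WORK_END)
        if hour == LUNCH_HOUR and rng.random() < 0.8:
            continue                                 # most of the team is at lunch
        events.append(day.replace(hour=hour, minute=rng.randrange(60))
                         .astimezone(timezone.utc))
    return events

def workday_score(events_utc, offset_hours):
    """Fraction of events that fall in 09-18 on a weekday at this offset."""
    if not events_utc:
        return 0.0
    tz = timezone(timedelta(hours=offset_hours))
    hits = sum(1 for t in events_utc
               if (lt := t.astimezone(tz)).weekday() < 5
               and WORK_START <= lt.hour < WORK_END)
    return hits / len(events_utc)

def best_offset(events_utc):
    """Scan every offset; on a tie prefer the one closest to UTC."""
    scores = {off: workday_score(events_utc, off) for off in range(-12, 15)}
    best = max(scores, key=lambda o: (scores[o], -abs(o)))
    return best, scores

def hourly_profile(events_utc, offset_hours):
    """Event count per local hour at the given offset."""
    tz = timezone(timedelta(hours=offset_hours))
    return Counter(t.astimezone(tz).hour for t in events_utc)

def lunch_dip(profile):
    """Lunch-hour activity relative to the mean of the hours either side;
    None when the neighbouring hours are empty."""
    neighbours = (profile[LUNCH_HOUR - 1] + profile[LUNCH_HOUR + 1]) / 2
    return profile[LUNCH_HOUR] / neighbours if neighbours else None

if __name__ == "__main__":
    events = make_sample()
    offset, scores = best_offset(events)
    print(f"best fit: UTC{offset:+d} (workday score {scores[offset]:.2f})")
    profile = hourly_profile(events, offset)
    print("lunch-hour activity vs neighbours:", round(lunch_dip(profile), 2))
```

Two things to keep in mind when applying this to real data: the fit only distinguishes offsets, not countries (UTC+8 covers far more than Shanghai, and an operator on a VPS schedules by a clock too), and an actor who knows the technique can shift hours deliberately. It is corroborating evidence of the kind the account above describes, not an identification on its own.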

U.S. intelligence analysts, with their considerable resources, also played
a role in identifying the hackers working on behalf of the People’s
Liberation Army. Though the investigations have not concluded in courtroom
convictions, and the hackers remain free, industry experts say their
detection and indictment carry an important symbolic value as an early shot
across Beijing’s bow to warn against wholesale stealing of American
corporate secrets.

The United States also threatened to impose sanctions against China for its
actions in cyberspace. Last September, U.S. President Barack Obama and
Chinese President Xi Jinping struck a landmark agreement to outlaw
corporate espionage in cyberspace.

Justin Harvey, the chief security officer at Fidelis Cybersecurity, said
his firm has seen a slight decrease in Chinese hacking activity in the
months since the agreement. He cautioned, however, that Chinese hackers may
merely have altered their methods — and American security researchers have
yet to catch on.

Last month, NSA Director Michael Rogers said Chinese hacking against the
United States is continuing but at a lower level than before the September
agreement. “The million-dollar question is: Is that activity for
governmental purposes, or is it being then passed from the government to
the private sector?” Rogers said during testimony before the Senate Armed
Services Committee. “The jury is still out.”

One cannot draw a straight line between the indictment against the Chinese
hackers and the diplomatic agreement that followed. But for Pittsburgh’s
cybercrime investigators, the case represented an attack on industries that
have defined the city’s history and a statement about its evolution from a
steel town to one on the cutting edge of the digital — and criminal —
revolution.