Sacrificing Stratfor: How the FBI waited three weeks to close the stable door
What "sup_g" didn't know was that Sabu—one of the most visible characters in the Anonymous movement, a member of the Lulzsec hacking group, and a key reviver of the "AntiSec" hacking movement—had reportedly been arrested five months earlier, on June 7th, pled guilty in a secret court hearing on August 15th to charges potentially totaling 126.5 years of prison time, and was working for the Federal Bureau of Investigation as an informant.
"sup_g" quickly told Sabu ("CW-1" in the transcript below, full document available here) what he was up to:
The scale of the hack was immense. Ultimately, Stratfor's e-mail lists of 860,000 subscribers would be accessed and the credit card information of 60,000 subscribers taken; employee e-mails stretching back to 2004 would be downloaded; internal financial documents and sole digital copies of Stratfor's pay-for publications would be spirited off site; web pages would be defaced and—finally—the data on Stratfor's servers, including backup servers on the same network, would be deleted.
The damage to the company has been immense and is still ongoing, as e-mails continue to be published at a rate of a handful a day by Wikileaks and its Global Intelligence Files media partners.
Yet, how could such a large-scale breach happen? Just as Rome was not built in a day, neither was Stratfor hacked in a day. To understand how major components of the Stratfor hack could have been prevented, we need only to glance at the timeline as it appears on public record, helpfully cataloged in the F.B.I.'s criminal complaint against alleged Stratfor hacker "sup_g", Jeremy Hammond.
Timeline of the Stratfor hack according to the F.B.I.
The overall timeframe: As we already know from the December 6th chatlog (reproduced at the top of this page), the initial breach of Stratfor's servers had taken place but sup_g was still in the process of gaining access to the systems.
Hacking a company's servers is not unlike peeling an onion, where you have to get past one layer to get to the next. The hack was by no means completed on December 6th. Stratfor subscribers' e-mail addresses and credit card numbers were an early target of the hack, but subsequent penetrations occurred repeatedly over the next weeks, and the final act of hacking Stratfor—the wiping of its servers—took place as late as December 24th:
So, for almost three full weeks after the first intrusion, hackers were inside Stratfor's systems, in full view of the F.B.I. and presumably Stratfor itself. All of the incoming and outgoing network traffic could be monitored.
The exfiltration of e-mail: We learn from the criminal complaint that the process of e-mail exfiltration was ongoing as late as December 13th-14th:
And perhaps still ongoing even as late as December 19th:
Even on December 19th, the e-mail exfiltration is still being described in terms that suggest that it is ongoing. This discussion is taking place 13 days—almost two weeks—after the F.B.I. learned that Stratfor's servers had been penetrated.
The length of the e-mail exfiltration component of the hack: We also learn from this section of the criminal complaint that Stratfor's e-mails totaled 200GB of data, with an additional 30GB of documents stored on an e-mail attachment or intranet server named "Clearspace".
The sizes are significant. 230GB is a sizable amount of data, enough to take days to transfer to another server. Hacking into a computer system may potentially take only a few minutes but moving this quantity of data takes time, even with decent bandwidth. One internet company estimates that on a 10Mbps connection (comparable to home broadband), 200GB would take 2.6 days to move from one server to another.
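The two arithmetic facts behind this paragraph, as an added example rather than anything from the article: how long a multi-hundred-gigabyte transfer occupies a link, and how plainly a transfer of that size stands out in per-host outbound volume once anyone compares it against a baseline. The flow records, host names and addresses are constructed for illustration, not Stratfor's data; the calculator assumes decimal gigabytes and a fully saturated link, so real transfers (and published estimates like the one quoted above) come out slower.

```python
"""Transfer-time calculator and a per-host egress-volume check (constructed data)."""
from collections import defaultdict


def transfer_hours(size_gb: float, mbps: float) -> float:
    """Hours needed to move size_gb decimal gigabytes at a sustained mbps megabits/s."""
    bits = size_gb * 1e9 * 8
    return bits / (mbps * 1e6) / 3600


# Constructed daily flow summaries: (day, internal host, destination, bytes out).
# A quiet baseline of roughly 1 GB/day, then a burst that sums to 200 GB over three days.
FLOWS = [
    ("2011-12-05", "mail01", "198.51.100.7", 1.2e9),
    ("2011-12-06", "mail01", "198.51.100.7", 1.1e9),
    ("2011-12-13", "mail01", "203.0.113.9", 70e9),
    ("2011-12-14", "mail01", "203.0.113.9", 80e9),
    ("2011-12-15", "mail01", "203.0.113.9", 50e9),
    ("2011-12-13", "web01", "198.51.100.7", 2e9),
]


def daily_egress(flows):
    """Sum outbound bytes per (host, day) regardless of destination."""
    totals = defaultdict(float)
    for day, host, _dst, nbytes in flows:
        totals[(host, day)] += nbytes
    return totals


def flag_egress(flows, baseline_bytes_per_day: float, factor: float = 10.0):
    """Return sorted (host, day, bytes) rows whose outbound volume exceeds factor x baseline."""
    threshold = factor * baseline_bytes_per_day
    return sorted(
        (host, day, nbytes)
        for (host, day), nbytes in daily_egress(flows).items()
        if nbytes > threshold
    )


if __name__ == "__main__":
    print(f"200 GB at 10 Mbps: {transfer_hours(200, 10):.1f} h")
    print(f"230 GB at 10 Mbps: {transfer_hours(230, 10):.1f} h")
    for host, day, nbytes in flag_egress(FLOWS, baseline_bytes_per_day=1.5e9):
        print(f"{day} {host} sent {nbytes / 1e9:.0f} GB outbound")
```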
The deletion of server data: Same story for the deletion of the servers on December 24th.
At any time up to the moment that the delete command was given, the data on the servers could have been protected by simply disconnecting the computers from the Internet, or from electricity for that matter.
Did the F.B.I. allow the Stratfor hack to catch Wikileaks?
On February 27th, Wikileaks began publishing Stratfor's e-mails, which were already known to have originated from the Christmas 2011 LulzSec hack of the company.
When the story of the arrests of LulzSec members broke just over a week later, on March 6th, 2012, lightbulbs went on for some. Two online publications published stories asking what many were thinking: whether the F.B.I. had intentionally permitted the Stratfor data leak in order to collect evidence for criminal charges against Wikileaks and Julian Assange.
It definitely seemed like a possibility in those early days but did the evidence or timeline back that up?
In the Hammond court documents there is zero mention of Wikileaks.
Aware of details of the Stratfor hack, they stated that the idea of giving the e-mails to Wikileaks only came after the mail spools were exfiltrated—not before—thus nixing the possibility of F.B.I. intent to entrap Wikileaks with the data. The F.B.I. only learned of the Wikileaks plan after the hack was completed.
New York Times "Bits" blog reporter Nicole Perlroth noticed the articles—or at least the Crikey one, which she linked to in a March 12th post. Perlroth's article, Inside the Stratfor Attack, was interesting because this was the first reportage I saw in which the F.B.I. responded to any criticism of their handling of the Stratfor operation:
Conspiracy theorists across the Internet surmise that federal agents sat back and let the Stratfor attack occur to collect evidence, or perhaps net a juicier target — say, Julian Assange, the founder of WikiLeaks, which later released the five million internal e-mails that hackers obtained in the Stratfor hack.
The anonymous F.B.I. official's very next sentence was unequivocal:
"We would not have let this attack happen for the purpose of collecting more evidence."
According to statements by both the F.B.I. and Stratfor, they were aware of the hack as early as December 6th, and Stratfor was notified the same day. My favorite line in Perlroth's article is an F.B.I. statement that just doesn't add up next to other F.B.I. statements in the same article:
The F.B.I. said that it immediately notified Stratfor, but said that at that point it was too late.
How can it have been "too late" already on December 6th? The hack had only begun. It was to proceed for almost three more weeks.
While credit card and subscriber information had already been accessed, emails were not taken for another 1-2 weeks, and the servers were not deleted for another 18 days.
Stratfor confirmed that the F.B.I. informed them in early December. In a January 11th blog on Stratfor.com, CEO George Friedman wrote:
In early December I received a call from Fred Burton, Stratfor's vice president of intelligence. He told me he had received information indicating our website had been hacked and our customer credit card and other information had been stolen. The following morning I met with an F.B.I. special agent, who made clear that there was an ongoing investigation and asked for our cooperation. We, of course, agreed to cooperate. The matter remains under active investigation.
We worked to improve our security infrastructure within the confines of time and the desire to protect the investigation by not letting the attackers know that we knew of their intrusion. With the credit card information stolen, I assumed that the worst was done. I was wrong.
Friedman has repeatedly made the claim that Stratfor's backups were deleted, including at a March 13th talk at SXSW. Creating offline backups was the very least "improvement to their security infrastructure" that the company could have undertaken in the 18 days before their servers' contents were deleted.
@AnonymousIRC seemed bemused at the company's lack of action:
The sentiment that Stratfor totally failed to protect its customer data is widely shared and is already a matter for litigation. Stratfor has been hit with a $50 million class action lawsuit. According to Matt O'Donnell writing on TopClassActions.com, plaintiffs claim "the company failed 'to take reasonable steps to secure' its computer systems from outside attack and kept information about the hacking attack secret from its customers."
Hinted at between the lines in Friedman's statements are the depths of constraint that may have been imposed by the F.B.I.'s injunction "to protect the investigation". Was there a reminder that interfering with a federal investigation was a crime? How far did the F.B.I. go in dissuading Stratfor from any action?
Or did the F.B.I. promise that no ultimate harm would come to Stratfor, not with them watching so closely and with their inside man Sabu? Did Stratfor put too much faith in the Bureau?
Whether the reason for Stratfor's obvious paralysis was unmerited F.B.I. overconfidence, an F.B.I. warning that had a chilling effect, or another factor, the result remains the same, and it was only "too late" when it was, well, actually too late.
As I put it to Perlroth:
So, just to sum up.
The credit card and subscriber data was indeed accessed and downloaded at the beginning of the intrusion, somewhere around December 6th. There wasn't much that could have been done to prevent this part of the hack.
From the F.B.I.'s own court-filed criminal complaint, it appears as if Stratfor's e-mail was downloaded some time between December 13th-19th, 7-13 days after the initial intrusion.
And the server contents were not deleted until December 24th, 18 days after the initial intrusion.
At any time during this period that lasted almost three weeks, all Stratfor needed to do to stop the email and intranet documents being taken was pull the plug on its servers to cut the connection with the Internet.
Yet, not even the most basic, passive and undetectable steps to protect the data were taken. No server was ever disconnected from the compromised network or backed up offline during the 18 days.
The result of this was catastrophic from the company's point of view. When the servers were wiped on December 24th, literally the only existing copies of some of Stratfor's most precious data were left in the hands of hackers. And all of this happened while the F.B.I. watched.
In the first two months following Sabu's arrest, according to Assistant U.S. Attorney James Pastore during a secret court session for Monsegur on August 5th, 2011, the alleged F.B.I. informant had helped:
to "patch" 150 vulnerabilities in computer systems being eyed by hackers, or in other cases react quickly to help attack victims mitigate the damage.
But in the case of Stratfor, even though Sabu gave the same warning to presumably the same handlers, the F.B.I. stood back and watched it happen for weeks.
Stratfor was sacrificed, yet all the F.B.I. have to show for it are charges against a single individual, Jeremy Hammond, alleged to be "sup_g" and innocent until proven guilty.
To grasp the extent of the gamble: even after the depth of Stratfor's sacrifice was apparent in the last days of 2011, the F.B.I. had still yet to prove who "sup_g" was. According to the criminal complaint, the evidence connecting "sup_g"'s online persona with a real-life identity wasn't fully assembled until physical surveillance of Jeremy Hammond's Chicago apartment began at the beginning of March 2012, two months after the hack.
Hammond's fate is still undecided.
Stratfor's fate is not, with daily embarrassments scheduled at wikileaks.org for the foreseeable future, leaving a sad spectacle of a private intelligence company with no more privacy and no more secrets.
Nigel Parry—@flyingmonkeyair on Twitter—is a writer and independent media ninja who worked on the first warblog (1995) and first alt.news website from a warzone (1996), cofounded the Electronic Intifada/Iraq/Lebanon series of news websites, worked with the Global Revolution livestream team during #OccupyWallStreet, and wrote the article last August detailing how the unredacted Wikileaks' Cablegate archive could be decrypted. This article is the second in a series about the Lulzsec busts.