the website less traveled

following wikileaks

Sacrificing Stratfor: How the FBI waited three weeks to close the stable door

Jeremy Hammond, allegedly hacker "sup_g"
On 6th December, 2011, infamous computer hacker Sabu was contacted on an IRC chat server by a screen name familiar to him, "sup_g".

What "sup_g" didn't know was that Sabu—one of the most visible characters in the Anonymous movement, a member of the Lulzsec hacking group, and a key reviver of the "AntiSec" hacking movement—had reportedly been arrested five months earlier, on June 7th, pled guilty in a secret court hearing on August 15th to charges potentially totaling 126.5 years of prison time, and was working for the Federal Bureau of Investigation as an informant.

Hector Xavier Monsegur, AKA "Sabu"
"sup_g" had just logged in to the lion's den. Every character he typed was being seen and archived as evidence by the F.B.I.. What "sup_g" was about to share with Sabu in a private IRC chat would see—three months later almost to the day—his alleged Chicago home raided by armed federal agents and leave him facing criminal charges with a combined penalty totaling 30 years of prison time.

"sup_g" quickly told Sabu ("CW-1" in the transcript below, full document available here) what was he was up to:

Original transcript of the first chat references in the federal charges against Jeremy Hammond, alleged to be person behind the screen name "sup_g".

The scale of the hack was immense. Ultimately, Stratfor's e-mail lists of 860,000 subscribers would be accessed and the credit card information of 60,000 subscribers taken; employee e-mails stretching back to 2004 would be downloaded; internal financial documents and sole digital copies of Stratfor's pay-for publications would be spirited off site; web pages would be defaced and—finally—the data on Stratfor's servers, including backup servers on the same network, would be deleted.

The "Global Intelligence Files", Wikileaks' publication, Cablegate-style, of the leaked Stratfor emails.
To add insult to injury, the 8-year-long archive of Stratfor e-mail was passed to Wikileaks, who began publishing the 5 million leaked e-mails as the "Global Intelligence Files" on February 27th, 2012. Initial e-mails revealed disturbing advice from Stratfor CEO George Friedman to Director of Analysis at Stratfor, Reva Bhalla, on 6 December 2011, concerning how to exploit an Israeli intelligence informant. Friedman tells Bhalla, "[Y]ou have to take control of him. Control means financial, sexual or psychological control."

The damage to the company has been immense and is still ongoing, as e-mails continue to be published at a rate of a handful a day by Wikileaks and its Global Intelligence Files media partners.

Yet, how could such a large-scale breach happen? Just as Rome was not built in a day, neither was Stratfor hacked in a day. To understand how major components of the Stratfor hack could have been prevented, we need only to glance at the timeline as it appears on public record, helpfully cataloged in the F.B.I.'s criminal complaint against alleged Stratfor hacker "sup_g", Jeremy Hammond.

Timeline of the Stratfor hack according to the F.B.I.

The overall timeframe: As we already know from the December 6th chatlog (reproduced at the top of this page), the initial breach of Stratfor's servers had taken place but sup_g was still in the process of gaining access to the systems.

Hacking a company's servers is not unlike peeling an onion, where you have to get past one layer to get to the next. The hack was by no means completed on December 6th. Stratfor subscribers' e-mail addresses and credit card numbers were an early target of the hack but subsequent penetrations occurred repeatedly over the next weeks, and the final act of hacking Stratfor—the wiping of its servers—taking place as late as December 24th:

Generalized report of timeline of hack, noting data was not deleted on servers until December 24th, 18 days after the FBI knew Stratfor was hacked.

So, for almost three full weeks after the first intrusion, hackers were inside Stratfor's systems, in full view of the F.B.I. and presumably Stratfor itself. All of the incoming and outgoing network traffic could be monitored.

The exfiltration of e-mail: We learn from the criminal complaint that the process of e-mail exfiltration was ongoing as late as December 13th-14th:

December 14th chat log featuring sup_g discussing ongoing process of exfiltration of email spools as late as December 13th, one week after the FBI knew Stratfor was compromised.

And perhaps still ongoing even as late as December 19th:

December 19th chat in which "sup_g" discusses apparently still ongoing process of exfiltrating e-mail spool from Stratfor's servers, 13 days after the FBI knew of the Stratfor hack.

Even on December 19th, the e-mail exfiltration is still being described in terms that suggest that it is ongoing. This discussion is taking place 13 days—almost two weeks—after the F.B.I. learned that Stratfor's servers had been penetrated.

The length of the e-mail exfiltration component of the hack: We also learn from this section of the criminal complaint that Stratfor's e-mails totaled 200GB of data, with an additional 30GB of documents stored on an e-mail attachment or intranet server named "Clearspace".

The sizes are significant. 230GB is a sizable amount of data, enough to take days to transfer to another server. Hacking into a computer system may potentially take only a few minutes but moving this quantity of data takes time, even with decent bandwidth. One internet company estimates that on a 10Mbps connection (comparable to home broadband), 200GB would take 2.6 days to move from one server to another.

This handy Xbox diagram illustrates the concept of unplugging a device in terms so simple that even an F.B.I. agent or global intelligence company can understand.
At any point during the downloading of the e-mails, the data being removed could have been cut off and protected by simply severing the connection between the e-mail server and the Internet, essentially as easy as pulling a plug or flicking a switch.

The deletion of server data: Same story for the deletion of the servers on December 24th.

At any time up to the moment that the delete command was given, the data on the servers could have been protected by simply disconnecting the computers from the Internet, or from electricity for that matter.

Did the F.B.I. allow the Stratfor hack to catch Wikileaks?


On February 27th, Wikileaks began publishing Stratfor's e-mails, which were already known to have originated from the Christmas 2011 LulzSec hack of the company.

When the story of the arrests of LulzSec members broke just over a week later, on March 6th, 2012, lightbulbs went on for some. Two online publications published stories asking what many were thinking—whether the F.B.I. had intentionally permitted the Stratfor data leak in order to collect evidence for criminal charges against Wikileaks and Julian Assange?

  • Was the F.B.I. complicit in Anonymous hacking Stratfor and leaking its emails to WikiLeaks? (Death & Taxes, March 7th)
  • Federal Bureau of Facilitation — what was the F.B.I. doing with Stratfor and WikiLeaks? (Crikey, March 8th).

    It definitely seemed like a possibility in those early days but did the evidence or timeline back that up?

    In the Hammond court documents there is zero mention of Wikileaks.

    Twitter avatar of @AnonymousIRC
    I interviewed one of the people that runs the @AnonymousIRC Twitter feed, one of the larger Anonymous Twitter accounts with over 280,000 followers.

    Aware of details of the Stratfor hack, they stated that the idea of giving the e-mails to Wikileaks only came after the mail spools were exfiltrated—not before—thus nixing the possibility of F.B.I. intent to entrap Wikileaks with the data. The F.B.I. only learned of the Wikileaks plan after the hack was completed.

    New York Times "Bitz" blog reporter Nicole Perlroth noticed the articles—or at least the Crikey one, which she linked to in a March 12th post. Perlroth's article, Inside the Stratfor Attack, was interesting because this was the first reportage I saw in which the F.B.I. responded to any criticism of their handling of the Stratfor operation:
    Conspiracy theorists across the Internet surmise that federal agents sat back and let the Stratfor attack occur to collect evidence, or perhaps net a juicier target — say, Julian Assange, the founder of WikiLeaks, which later released the five million internal e-mails that hackers obtained in the Stratfor hack.

    "That's patently false," said one F.B.I. official, who would speak only on anonymity because the investigation was continuing.

    The anonymous F.B.I. official's very next sentence was unequivocal:
    "We would not have let this attack happen for the purpose of collecting more evidence."

    Yet standing aside in order to collect evidence is obviously exactly what happened, although Wikileaks is a red herring. Both the F.B.I. and Anonymous agree that Wikileaks was not the goal and the timeline doesn't support it. The only remaining conclusion is way more bizarre—that the entire Stratfor corporation was sacrificed to catch a single hacker!

    According to statements by both the F.B.I. and Stratfor, they were aware of the hack as early as December 6th, and Stratfor was notified the same day. My favorite line in Perlroth's article is an F.B.I. statement that just doesn't add up next to other F.B.I. statements in the same article:
    The F.B.I. said that it immediately notified Stratfor, but said that at that point it was too late.

    How can it have been "too late" already on December 6th? The hack had only begun. It was to proceed for almost three more weeks.

    While credit card and subscriber information had already been accessed, emails were not taken for another 1-2 weeks, and the servers were not deleted for another 18 days.

    Stratfor confirmed that the F.B.I. informed them in early December. In a January 11th blog on, CEO George Friedman wrote:
    In early December I received a call from Fred Burton, Stratfor's vice president of intelligence. He told me he had received information indicating our website had been hacked and our customer credit card and other information had been stolen. The following morning I met with an F.B.I. special agent, who made clear that there was an ongoing investigation and asked for our cooperation. We, of course, agreed to cooperate. The matter remains under active investigation.

    Friedman added:
    We worked to improve our security infrastructure within the confines of time and the desire to protect the investigation by not letting the attackers know that we knew of their intrusion. With the credit card information stolen, I assumed that the worst was done. I was wrong.

    Early in the afternoon of Dec. 24, I was informed that our website had been hacked again. The hackers published a triumphant note on our homepage saying that credit card information had been stolen, that a large amount of email had been taken, and that four of our servers had been effectively destroyed along with data and backups.

    We had expected they would announce the credit card theft. We were dismayed that emails had been taken. But our shock was at the destruction of our servers. This attack was clearly designed to silence us by destroying our records and the website, unlike most attacks by such groups.

    Friedman has repeatedly made the claim that Stratfor's backups were deleted, including at a March 13th talk at SXSW. Creating offline backups was the very least "improvement to their security infrastructure" that the company could have undertaken in the 18 days before their servers' contents were deleted.

    @AnonymousIRC seemed bemused at the company's lack of action:
    Twitter avatar of @AnonymousIRC
    It is indeed quite mysterious how Stratfor said that they couldn't do anything, despite a warning on December 6th. And that—according to CEO George Friedman—they weren't able to make offline backups with three weeks of a head start. If I was informed today that my company was breached? Oh there's a lot I could do.

    And if the F.B.I. told me: "No, please don't do anything or we won't have enough evidence!", what should I do then? Accept that all my e-mails and otherwise unsecured data get stolen and published to the world? Why would I do that?

    How could they not anticipate what would happen? They had Sabu under 24/7 coverage for half a year. They should have known exactly what would happen. It's not like Stratfor was the first hack that happened like that—where people broke in some server, stole all the data, and then released it and made it public? Kinda sounds familiar.

    The sentiment that Stratfor totally failed to protect its customer data is widely shared and is already a matter for litigation. Stratfor has been hit with a $50 million class action lawsuit. According to Matt O'Donnell writing on, plaintiffs claim "the company failed 'to take reasonable steps to secure' its computer systems from outside attack and kept information about the hacking attack secret from its customers."

    Hinted at between the lines in Friedman's statements are the depths of constraint that may have been imposed by the F.B.I.'s injunction "to protect the investigation". Was there a reminder that interfering with a federal investigation was a crime? How far did the F.B.I. go in dissuading Stratfor from any action?

    Or did the F.B.I. promise that no ultimate harm would come to Stratfor, not with them watching so closely and with their inside man Sabu? Did Stratfor put too much faith in the Bureau?

    Whether the reason for Stratfor's obvious paralysis was unmerited F.B.I. overconfidence, an F.B.I. warning that had a chilling effect, or another factor, the result remains the same, and it was only "too late" when it was, well, actually too late.

    As I put it to Perlroth:

    Exchange with NYT writer Nicole Perlroth, who wrote the article in which the FBI managed to state totally contradictory positions.

    So, just to sum up.

    The credit card and subscriber data was indeed accessed and downloaded at the beginning of the intrusion, somewhere around December 6th. There wasn't much that could have been done to prevent this part of the hack.

    From the F.B.I.'s own court-filed criminal complaint, it appears as if Stratfor's e-mail was downloaded some time between December 13th-19th, 7-13 days after the initial intrusion.

    And the server contents were not deleted until December 24th, 18 days after the initial intrusion.

    At any time during this period that lasted almost three weeks, all Stratfor needed to do to stop the email and intranet documents being taken was pull the plug on its servers to cut the connection with the Internet.

    Yet, not even the most basic, passive and undetectable steps to protect the data were taken. No server was ever disconnected from the compromised network or backed up offline during the 18 days.

    The result of this was catastrophic from the company's point of view. When the servers were wiped on December 24th, literally the only existing copies of some of Stratfor's most precious data were left in the hands of hackers. And all of this happened while the F.B.I. watched.

    In the first two months following Sabu's arrest according to Assistant U.S. Attorney James Pastore during a secret court session for Monsegur on August 5th, 2011, the alleged F.B.I. informant had helped:
    to "patch" 150 vulnerabilities in computer systems being eyed by hackers, or in other cases react quickly to help attack victims mitigate the damage.
    (Source: Associated Press, March 8th, 2012)

    But in the case of Stratfor, even though Sabu gave the same warning to presumably the same handlers, the F.B.I. stood back and watched it happen for weeks.

    Stratfor was sacrificed, yet all the F.B.I. have to show for it are charges against a single individual, Jeremy Hammond, alleged to be "sup_g" and innocent until proven guilty.

    To grasp the extent of the gamble, even after the depths of Stratfor's sacrifice was apparent in the last days of 2011 the F.B.I. had still yet to prove who "sup_g" was. According to the criminal complaint, the evidence connecting "sup_g"'s online persona with a real life identity wasn't fully assembled until physical surveillance of Jeremy Hammond's Chicago apartment began at the beginning of March 2012, two months after the hack.

    Hammond's fate is still undecided.

    Stratfor's fate is not, with daily embarrassments scheduled at for the foreseeable future, leaving a sad spectacle of a private intelligence company with no more privacy and no more secrets.


    Nigel Parry—@flyingmonkeyair on Twitter—is a writer and independent media ninja who worked on the first warblog (1995) and first website from a warzone (1996), cofounded the Electronic Intifada/Iraq/Lebanon series of news websites, worked with the Global Revolution livestream team during #OccupyWallStreet, and wrote the article last August detailing how the unredacted Wikileaks' Cablegate archive could be decrypted. This article is the second in a series about the Lulzsec busts.

    Bookmark and Share

    more from this section

    • following wikileaks: Letter to Judge Preska requesting leniency for Jeremy Hammond (Wednesday, October 9th, 2013)

    • following wikileaks: Sacrificing Stratfor: How the FBI waited three weeks to close the stable door (Sunday, March 25th, 2012)

    • following wikileaks: Sabu the Inciter: Marveling at the FBI's Hacker Frankenstein Monster (Sunday, March 11th, 2012)

    • following wikileaks: Wikileaks releases "The Global Intelligence Files" (Monday, February 27th, 2012)

    • following wikileaks: Parody: Google Translation of the Sept 2nd Guardian Editorial: "Julian Assange and WikiLeaks: no case, no need" (Guardian English to Plain English) (Monday, September 5th, 2011)

    • following wikileaks: Guardian Investigative Editor David Leigh publishes top secret Cablegate password revealing names of U.S. collaborators and informants... in his book (Wednesday, August 31st, 2011)

    • following wikileaks: Leaked Los Angeles police documents: Radical Islamic Tattoos (Friday, June 24th, 2011)

    • following wikileaks: Scary Daily Telegraph report that Al-Qaida's military leader threatened nuke attack if Osama captured or killed is unsupported by Wikileaks source documents (Sunday, May 1st, 2011)

    • following wikileaks: The Wikileaks Story... Visually. (Friday, April 8th, 2011)

    • following wikileaks: Glenn Greenwald presentation for Lannan Foundation (Tuesday, March 8th, 2011)

  • search

    google search

    what's new?
    about nigel parry
    multimedia blog
    selected writing
    songs & lyrics
    monkey times blog
    in the press
    action & events
    following wikileaks
    world news
    design & consulting

    get e-mail news
    edit subscription

    e-mail this page
    print this page
    contact nigel parry
    nigel on twitter

    web hosting