This is a pretty fair view into what the high-end hacker’s existence is like. There are blurry lines everywhere, so it’s a bit hard to even say what is “hacking” versus “marketing” or “information operations” – it’s complicated.
Bloomberg [bloom] profiles someone who may as well be ‘Guccifer 2.0’ or “Fancy Bear” or whoever. He’s also familiar to anyone who has read about Javier Montsegur (‘Sabu’) [stderr] who was the brains behind the “antisec” hacking crew that was all over the news in 2012.
When we read about them in the news, they seem a lot larger than life; they’re an ‘organization’ or a “hacking crew” but usually we’re talking about a couple of IT experts with some hacking skills, scripting skills (automation is especially important!) and a lot of patience and beer. As we’ve seen over and over in the 2016 elections, it doesn’t take a whole lot of smarts to break the security of powerful people: they tend to have mediocre security because they’re powerful and important and security gets in their way. Usually these guys have a dozen or two techniques in their tool-bag that are particularly effective for them (and well-automated) and they go after targets of opportunity. That’s one of the reasons I am a bit dismissive when the news reports “group Flashy Ninja launched 10,000 phishing attacks against US government websites!” because I know that means they got their hands on an email address list from someplace, ran it through a formatter, and sent 10,000 phishing attacks, with much, much less time and effort than it’s taking me to write this posting.
For example, if you can get into an email server belonging to a government contractor like, oh, say, HBGary, and clean addresses that end in “.mil” (hint: `grep "^From: .*@.*\.mil" | sed -e 's/^.*From: //' -e 's/\.mil.*$/.mil/'` ) then you have your qualified target list. Or, you get targeted: break one email account for some lobbyist and now you’ve got a target list. Anyone who thinks this stuff is hard should go get a copy of Hacking Exposed (ideally, the edition [amazon] with the thoughtful foreword by Marcus Ranum, CEO of Network Flight Recorder, Inc!) and you can acquire all the skills in a couple of days.
Two thousand miles away, in an apartment in Bogota’s upscale Chico Navarra neighborhood, Andres Sepulveda sat before six computer screens. Sepulveda is Colombian, bricklike, with a shaved head, goatee, and a tattoo of a QR code containing an encryption key on the back of his head. On his nape are the words “</head>” and “<body>” stacked atop each other, dark riffs on coding. He was watching a live feed of Pena Nieto’s victory party, waiting for an official declaration of the results.
When Pena Nieto won, Sepulveda began destroying evidence. He drilled holes in flash drives, hard drives, and cell phones, fried their circuits in a microwave, then broke them to shards with a hammer. He shredded documents and flushed them down the toilet and erased servers in Russia and Ukraine rented anonymously with Bitcoins. He was dismantling what he says was a secret history of one of the dirtiest Latin American campaigns in recent memory.
Yup, that matches what I expect. Although 6 screens is a bit excessive. Most of the guys I know roll with a great big 4k panel that’s 5 feet wide, and then they can just tile windows all over it, and a small stack of used Dell laptops purchased on Ebay for $50 apiece and upgraded with RAM and SSDs, sitting on the floor under the desk. Here:
My “infrastructure” is humble because: a) I’m not a professional hacker and b) I’m really efficient with how I use systems and c) my office is small. When you read about Fancy Bear having a lot of infrastructure, that’s what you’re looking at: a couple of laptops and a pelican case, a load of compromised servers out in the cloud, some hacked AWS accounts, and some proxy servers in Russia paid for with a stolen paypal credential.
For eight years, Sepulveda, now 31, says he traveled the continent rigging major political campaigns. With a budget of $600,000, the Pena Nieto job was by far his most complex. He led a team of hackers that stole campaign strategies, manipulated social media to create false waves of enthusiasm and derision, and installed spyware in opposition offices, all to help Pena Nieto, a right-of-center candidate, eke out a victory. On that July night, he cracked bottle after bottle of Colon Negra beer in celebration. As usual on election night, he was alone.
When it says “he led a team of hackers” that probably means he had a few accomplices – fellow consultants. Do not imagine a dark room full of panels and black furniture with people wearing hoodies. Imagine one guy sitting in front of a stack of laptops and a blinking router, with a KVM and a bunch of panels, and a chat window open to 3 or 4 other guys with similar rigs, scattered all over the place. Back when I was watching Kevin Mitnick, just before he broke into Tsutomu Shimomura’s machine and got his ass handed to him, it was Kevin, and a kid from Israel who went by the handle “jsz” and a couple of useful idiots from a local hacking group at New Mexico State University. (If they’re reading this, now, somewhere, someone just shit themselves, and, PS: moink.nmsu.edu) I doubt that those characters were ever in the same room at the same time – it was all done over the internet. (hint: don’t use IRC, ssh in to your tool server and use the old unix write command, IRC is monitored)
Sepulveda’s career began in 2005, and his first jobs were small – mostly defacing campaign websites and breaking into opponents’ donor databases. Within a few years he was assembling teams that spied, stole, and smeared on behalf of presidential campaigns across Latin America. He wasn’t cheap, but his services were extensive. For $12,000 a month, a customer hired a crew that could hack smartphones, spoof and clone Web pages, and send mass e-mails and texts. The premium package, at $20,000 a month, also included a full range of digital interception, attack, decryption, and defense. The jobs were carefully laundered through layers of middlemen and consultants. Sepulveda says many of the candidates he helped might not even have known about his role; he says he met only a few.
This is also fairly typical. And, to be frank, Sepulveda’s a bit of a noob. 2005? Anyhow, if you google around on the underground there are services that send mass e-mails and texts, unlock cell phones, clone web pages (because gnu Wget is hard?) etc. Who do you think offers those services? When you examine the ‘stack’ of someone like Sepulveda, you’re going to see what looks like a large operation by the time you map out everyone who’s doing stuff, because there are subcontractors and sub-subcontractors, etc. When the media, or the intelligence community, report on a “hacking group” they are counting that kid in Romania who wrote the obfuscator as part of the operation. But, in fact, the Romanian kid has no idea what the obfuscator is going to be used for, and has no idea that they’re playing Basil Zaharoff to “Flying Ninja Group” or whatever.
There’s a point hidden in there: if you wanted to create a largeish footprint “North Korean hacking group” what you need is: a North Korean intelligence officer who tosses $12,000/month to someone who hires someone like Sepulveda. And a cool name. You always gotta have a cool name. [Hint: Use the unitarian jihad name generator!] There’s that old joke “on the internet, nobody knows you’re a dog” – well, on the internet, anyone who knows hacking knows that a massive hacking effort is probably one guy like Hector Montsegur, or Sepulveda, and 4 or 5 lower-level accomplices, and a bunch of toolsmiths and services who have no idea what they are involved with.
Usually, he says, he was on the payroll of Juan Jose Rendon, a Miami-based political consultant who’s been called the Karl Rove of Latin America. Rendon denies using Sepulveda for anything illegal, and categorically disputes the account Sepulveda gave Bloomberg Businessweek of their relationship, but admits knowing him and using him to do website design. “If I talked to him maybe once or twice, it was in a group session about that, about the Web,” he says. “I don’t do illegal stuff at all. There is negative campaigning. They don’t like it – OK. But if it’s legal, I’m gonna do it. I’m not a saint, but I’m not a criminal.” While Sepulveda’s policy was to destroy all data at the completion of a job, he left some documents with members of his hacking teams and other trusted third parties as a secret “insurance policy.”
This is how it is. Back in 2007 or so, a friend of mine told me that he had been approached by an organization that you would not expect to be fomenting information warfare, about developing tools for subverting attempts to restrict communications. He was wondering if I was interested in taking on some of the design elements of the messaging infrastructure. There was a lot of money on the table. But it turned out that the prospective client zigged off in another direction and, frankly, we weren’t that interested in the project, anyway, since – and here’s the rub – when you’re in the tool-smith’s seat, you can’t always be sure who your paymaster is, either. It would have sucked to find out that we’d just taken $100,000 from the NSA or the FSB, or worse, the Russian mafia. NSA and FSB are dangerous, but the Russian mafia has been known to use circular saws to cut hackers into multiple pieces and leave them in dumpsters all over Amsterdam – just to let other hackers know that you shouldn’t do DDOS against Russian Mafia-owned gambling sites. My friend Greg Shipley did some “onsite” with a Brazilian hacking gang for a while, and he said the gang consisted of a leader (the “smart guy”), two assistants, a toolsmith (the guy who did the technical infrastructure and coding) and an enforcer who could be sent out to beat people’s passwords out of them.
Most jobs were initiated in person. Sepulveda says Rendon would give him a piece of paper with target names, e-mail addresses, and phone numbers. Sepulveda would take the note to his hotel, enter the data into an encrypted file, then burn the page or flush it down the toilet. If Rendon needed to send an e-mail, he used coded language. To “caress” meant to attack; to listen to music meant to intercept a target’s phone calls.
Rendon and Sepulveda took pains not to be seen together. They communicated over encrypted phones, which they replaced every two months. Sepulveda says he sent daily progress reports and intelligence briefings from throwaway e-mail accounts to a go-between in Rendon’s consulting firm.
Sepulveda’s tradecraft is pretty good! (Suspiciously overblown, more like)
By now you ought to be getting the point: he’s probably got an OK idea of who he’s working for and why, but he’s not sure and he doesn’t care. Is this state-sponsored hacking? Well, we’d know if Rendón came out and said he was working for the FSB (or whoever) but all we’d know is that that was what he said – was he lying? This is the torture problem applied to intelligence: when you’re dealing with professional liars, you should not assume they are telling the truth!
Each job ended with a specific, color-coded destruct sequence. On election day, Sepulveda would purge all data classified as “red.” Those were files that could send him and his handlers to prison: intercepted phone calls and e-mails, lists of hacking victims, and confidential briefings he prepared for the campaigns. All phones, hard drives, flash drives, and computer servers were physically destroyed. Less-sensitive “yellow” data – travel schedules, salary spreadsheets, fundraising plans – were saved to an encrypted thumb drive and given to the campaigns for one final review. A week later it, too, would be destroyed.
That’s got some of my bullshit detectors tingling. It seems a bit much like Hollywood. That kind of showy stuff is completely unnecessary: you use encrypted volumes and dekey the crypto and reformat them and sell them on Ebay. Doing all that stuff makes it pretty obvious that you’re doing something naughty. A more sensible hacker might have a couple drives that have pirated software and movies on them, and when they waterboard you, you give them the passwords to those. Let them spend ages doing a forensic analysis on a few terabytes of Sargon of Akkad videos from Youtube.
For most jobs, Sepulveda assembled a crew and operated out of rental homes and apartments in Bogota. He had a rotating group of 7 to 15 hackers brought in from across Latin America, drawing on the various regions’ specialties. Brazilians, in his view, develop the best malware. Venezuelans and Ecuadoreans are superb at scanning systems and software for vulnerabilities. Argentines are mobile intercept artists. Mexicans are masterly hackers in general but talk too much. Sepulveda used them only in emergencies.
Again, I’m a bit skeptical about the size and staffing of his crew. And that they were geo-located. That’s not only unnecessary, it’s stupid. Virtualization is the way to go. The bit about “scanning systems and software for vulnerabilities” is a joke: you use Nessus and Metasploit or – if you’re funded – something like Core Impact with custom exploits. You don’t develop your own malware, unless you’re NSA and you’re so stupid you want to sign your workmanship – you use off the shelf stuff like Zeus.
You don’t hire people to analyze the systems, or defeat login protections, you create jobs on Amazon Mechanical Turk, like this one:
You know those annoying login things that say “I am not a robot”? You hire people for $0.17 a crack to not be robots. And you don’t waste your precious time doing it – pay for it with a stolen credit card from some Congressperson’s slush fund. (The job above is probably some astroturfer creating hundreds of twitter accounts that they can sell “follows” from)
Early polls showed Pena Nieto 20 points ahead, but his supporters weren’t taking chances. Sepulveda’s team installed malware in routers in the headquarters of the PRD candidate, which let him tap the phones and computers of anyone using the network, including the candidate. He took similar steps against PAN’s Vazquez Mota. When the candidates’ teams prepared policy speeches, Sepulveda had the details as soon as a speechwriter’s fingers hit the keyboard. Sepulveda saw the opponents’ upcoming meetings and campaign schedules before their own teams did.
Money was no problem. At one point, Sepulveda spent $50,000 on high-end Russian software that made quick work of tapping Apple, BlackBerry, and Android phones. He also splurged on the very best fake Twitter profiles; they’d been maintained for at least a year, giving them a patina of believability.
“The very best fake twitter profiles” – there are entire businesses that specialize in astroturf marketing, who will sell you thousands of profiles that will like and upvote postings. I’ll do a posting about that, later. Here’s a question: are those services part of the footprint of the hacking team, or not? Or what about the ifthen.com infrastructure that is used to build plausible-looking ‘bots? Is that also part of the hacking team?
I remember when, back in 2012, some FBI spokesperson claimed that China had over 60,000 hackers attacking the US. A bit of math against the same FBI claims of “hundreds of thousands of hacking attacks” came out to about 12 attacks per hacker per year. By the way, that’s 10 combat brigades’ worth of people; I don’t think so!
It’s probably not worth belaboring the point further: this is a good example of the sort of extracurricular activities that have been going on in cyberspace for a long time. I’d be shocked out of my shoes if there weren’t Russians hacking at the 2016 elections. Whether they were getting paid by FSB, or paid by someone who was getting paid by FSB, or paid by someone who was getting paid by someone who was getting paid by FSB – that is the question. I’d also be shocked out of my shoes if there was only one set of hackers going into the 2016 election. I assume that both parties, anonymous, Mossad, and whoever else were all going into systems all over the place in 2016. For crying out loud, Podesta’s security was so terrible I’m surprised that some Mossad hacker didn’t fix it for him, to keep the Russians out!
By all means, go ahead and accept the simplistic analysis that is being promoted by the news media and the intelligence community, through the vendor and consultant mouthpieces they have hired. Go ahead.
OK: how much of that story is true? Did I make the whole thing up, or is there an actual Bloomberg article? If there is an actual Bloomberg article, how much of what “Sepulveda” reports is true? (Judging from the descriptions of the tradecraft, staffing, and techniques, I think “Sepulveda” seriously overblew what he was doing to the interviewer from Bloomberg.)
So, that little conference I went to in Chicago? It was called “ListonCon” – basically, a bunch of us went and hung out at Tom’s and had good food and wine. In terms of firepower, the collective security expertise sitting around in Tom’s basement that weekend probably dwarfed most hacking collectives and if I put on my trenchcoat and faked a Russian accent and showed up with all the bags of money, we probably could have really put any small nation through some painful changes. This stuff really is not that hard. It’s just a matter of patience, good tools, patience, and stupid targets. There are a LOT of stupid targets. (if you search facebook for Ron Dilley’s pictures of ListonCon you’ll see what I’m talking about…)
Dunc says
If any of this is true, why is he talking to the press about it?
Marcus Ranum says
Dunc@#1:
Good question! Pride?
Dunc says
Possibly, but it seems foolish.
Pierce R. Butler says
Dunc @ # 1: … why is he talking to the press about it?
From the linked Bloomberg piece:
Sunday Afternoon says
Hey, that’s me when I go to bicycle races to manage the race data. Good cover, eh???
Marcus Ranum says
Sunday Afternoon@#5:
Hey, that’s me when I go to bicycle races to manage the race data. Good cover, eh???
I remember reading a novel about a hitman who was a travelling musician with some symphony. What a great cover! I think your ‘legend’ (that’s the tradecraft term for it) is even better. Good job!
(Or maybe someone could hide their stolen data in a partition mostly consisting of DNA sequences… transcode everything into ACTG!)