Authors: Fred Kaplan
“No, no,” Gourley replied. This was an intelligence assessment, though he added that he had “high confidence” in its accuracy.
The third intelligence breakthrough was the firmest but also the newest, the one that relied on methods unique to the cyber age and thus mastered by only a few fledgling specialists. Kevin Mandia was part of a small cyber crime team at the Air Force Office of Special Investigations. He'd visited the Air Force Information Warfare Center in San Antonio several times and had kept up with its network security monitoring system. When Moonlight Maze got started, Mandia, by now a private contractor, was sent to the FBI task force to review the hacker's logs. The hacker was using an obfuscated code; Mandia and his team wrote new software to decrypt the commands, and it turned out they'd been typed in Cyrillic. Mandia concluded that the hacker was Russian.[I]
For the first several months of Moonlight Maze, the American intelligence agencies stopped short of making any statement, even informally, about the hacker's origins. But the convergence of the Stoll-inspired honey pot, Bob Gourley's analysis, and Kevin Mandia's decryption (the fact that such disparate methods sired the same conclusion) changed the picture. It was also clear by now that the Moonlight Maze hackers, whoever they were, had pulled in quite a haul: 5.5 gigabytes of data, the equivalent of nearly three million sheets of paper. None of it was classified, but quite a lot of it was sensitive, and might add up to classified information if a smart analyst pieced it all together.
For nearly a year, an FBI-led task force, the same interagency task force that investigated Solar Sunrise, had coordinated the interagency probe, sharing all intelligence and briefing the White House. In February, John Hamre testified on the matter in closed hearings.
Days later, the news leaked to the press, including the finding that the hackers were Russian.
At that point, some members of the task force, especially those from the FBI, proposed sending a delegation to Moscow and confronting Russian officials head-on. It might turn out that they had nothing to do with the hacking (Hamre had testified that it was unclear whether the hackers were working in the government), in which case the Kremlin and the security ministries would want to know about the renegade in their midst. Or maybe the Russian government was involved, in which case that would be worth knowing, too.
Task force members from the Pentagon and NSA were leery about going public. Maybe the Russians hadn't read the news stories, or maybe they had but dismissed the reports as untrue; in other words, maybe the Russians still didn't know we were on to them, that we were hacking their hacker. Meanwhile, we were learning things about their interests and operational style; an official confrontation could blow the operation.
In the end, the White House approved the FBI's request to send a delegation. The task force then spent weeks discussing what evidence to let the Russians see and what evidence to withhold. In any case, it would be presented to the Russians in the same terms as the FBI officially approached it: not as a matter of national security or diplomacy, but rather as a criminal investigation, in which the United States was seeking assistance from the Russian Federation.
The delegation, formally called the Moonlight Maze Coordination Group, consisted of four FBI officials (a field agent from the Baltimore office, two linguists from San Francisco, and a supervisor from headquarters) as well as a NASA scientist and two officers from the Air Force Office of Special Investigations, who had examined the hacker's logs with Kevin Mandia.
They flew to Moscow on April 2, bringing along the files from five of the cyber intrusions, with plans to stay for eight days.
This was the era of warm relations between Bill Clinton and Russia's reform president, Boris Yeltsin, so the group was received in a spirit of celebration, its first day in Moscow filled with toasts, vodka, caviar, and good cheer. They spent the second day at the headquarters of the Russian defense ministry in a solid working session. The Russian general who served as the group's liaison was particularly cooperative. He brought out the logs on the files that the Americans had brought with them. This was confirmation: the Russian government had been the hacker, working through servers of the academy of sciences. The general was embarrassed, putting blame on “those motherfuckers in intelligence.”
As a test, to see whether this might be a setup, one of the Air Force investigators on the trip mentioned a sixth intrusion, one whose files the group hadn't brought with them. The general brought out those logs, too. This is criminal activity, he bellowed to his new American friends. We don't tolerate this.
The Americans were pleased. This was working out extraordinarily well; maybe the whole business could be resolved through quiet diplomacy and a new spirit of cooperation.
On the third day, things took a shaky turn. Suddenly, the group's escorts announced that it would be a day of sightseeing. So was the fourth day. On the fifth day, no events were scheduled at all. The Americans politely protested, to no avail. They never again set foot inside the Russian defense ministry. They never again heard from the helpful general.
As they prepared to head back to the States, on April 10, a Russian officer assured them that his colleagues had launched a vigorous investigation and would soon send the embassy a letter outlining their findings.
For the next few weeks, the legal attaché in the American embassy phoned the Russian defense ministry almost every day, asking if the letter had been written. He was politely asked to be patient. No letter ever arrived. And the helpful general seemed to have vanished.
Back in Washington, a task force member cautioned against drawing sour conclusions. Maybe, he said, the general was just sick.
Some members from the Pentagon and the intelligence agencies, who'd warned against the trip, rolled their eyes. “Yeah,” Bob Gourley scoffed, “maybe he has a case of lead poisoning.”
The emerging consensus was that the general hadn't known about the hacking operation, that he'd genuinely believed some recalcitrant agents in military intelligence were engaged in skullduggery, until his superiors excoriated him, possibly fired him or worse, for sharing secrets with the Americans.
One good thing came out of the trip: the hacking did seem to stop.
Then, two months later, Soup Campbell's Joint Task Force-Computer Network Defense detected another round of hacking into sensitive military servers; these intrusions bore a slightly different signature, layered with codes that were harder to break.
The cat-and-mouse game was back on. And it was a game where both sides, and soon other nations, played cat and mouse. To an extent known by only a few American officers, still fewer political higher-ups, and no doubt some Russian spies, too, the American cyber warriors were playing offense as well as defense, and had been for a long while.
[I] In 2006, Mandia would form a company called Mandiant, which would emerge as one of the leading cyber security incident consultants, rising to prominence in 2011 as the firm that identified a special unit of the Chinese army as the hacker behind hundreds of cyber attacks against Western corporations.
In October 1997, a few months before Solar Sunrise, when the Marsh Commission released its report on the nation's critical infrastructure, few officials were more stunned by its findings than a White House aide named Richard Alan Clarke.
As the counterterrorism adviser to President Clinton, Clarke had been in on the high-level discussions after the Oklahoma City bombing and the subsequent drafting of PDD-39, Clinton's directive on counterterrorism, which eventually led to the formation of the Marsh Commission. After that, Clarke returned to his usual routines, which mainly involved tracking down a Saudi jihadist named Osama bin Laden.
Then the Marsh Report came out, and most of it dealt with cyber security. It was a topic Clarke had barely heard of. Still, it wasn't his topic. Rand Beers, a good friend and Clinton's intelligence adviser, had been the point man on the commission and, presumably, would deal with the report, as well. But soon after its release, Beers announced that he was moving over to the State Department; he and Sandy Berger, Clinton's national security adviser, had discussed who should replace him on the cyber beat, and they settled on Clarke.
Clarke resisted; he was busy enough on the bin Laden trail. Then again, he had been the White House point man on the Eligible Receiver exercise; Ken Minihan, the NSA director who'd conceived it, had briefed him thoroughly on its results and implications; cyber security might turn out to be interesting. But Clarke knew little about computers or the Internet. So he gathered a few of his staff and took them on a road trip.
Shortly after the holidays, they flew to the West Coast and visited the top executives of the major computer and software firms. What struck Clarke most was that the heads of Microsoft knew all about operating systems, those at Cisco knew all about routers, those at Intel knew all about chips, but none of them seemed to know much about the gadgets made by the others or the vulnerabilities at the seams in between.
Back in Washington, he asked Minihan for a tour of the NSA. Clarke had been a player in national security policy for more than a decade, since the Reagan administration, but for most of that time, he'd been involved in Soviet-American arms-control talks and Middle East crises: the high-profile issues. He'd never had reason to visit, or think much about, Fort Meade. Minihan told his aides to give Clarke the full dog-and-pony show.
Part of the tour was demonstrating how easily the SIGINT teams could penetrate any foreign network they set their eyes on. None of it reassured Clarke; he came away more shaken than before, for the same reason as many officials who'd witnessed similar displays through the years. If we can do this to other countries, he realized, they'll soon be able to do the same thing to us, and that meant we were screwed, because nothing on the Internet could be secured, and, as the Marsh Report laid out in great detail, everything in America was going up on the Net.
Clarke wanted to know just how vulnerable America's networks were right now, and he figured the best way to find out was to talk with some hackers. He didn't want to deal with criminals, though, so he called a friend at the FBI and asked if he knew any good-guy hackers. (At this point, Clarke didn't know if such creatures existed.) At first, the agent was reluctant to share sources, but finally he put Clarke in touch with “our Boston group,” as he put it: a team of eccentric computer geniuses who occasionally helped out with law-enforcement investigations and who called themselves “The L0pht” (pronounced “loft”).
The L0pht's front man, who went by the handle “Mudge,” would meet Clarke at John Harvard's Brewery, near Harvard Square, in Cambridge, on a certain day at seven p.m. Clarke flew to Boston on the designated day, took a cab to the bar, and settled in at seven on the dot. He waited an hour for someone to approach him; no one did; so he got up to leave, when the man quietly sitting next to him touched his elbow and said, “Hi, I'm Mudge.”
Clarke looked over. The man, who seemed about thirty, wore jeans, a T-shirt, one earring, a goatee, and long golden hair (“like Jesus,” he would later recall).
“How long have you been sitting there?” Clarke asked.
“About an hour,” Mudge replied. He'd been there the whole time.
They chatted casually about the L0pht for a half hour or so, at which point Mudge asked Clarke if he'd like to meet the rest of the group. Sure, Clarke replied. They're right over there, Mudge said, pointing to a large table in the corner where six guys were sitting, all in their twenties or early thirties, some as unruly as Mudge, others clean-cut.
Mudge introduced them by their tag names: Brian Oblivion, Kingpin, John Tan, Space Rogue, Weld Pond, and Stefan von Neumann.
After some more small talk, Mudge asked Clarke if he'd like to see the L0pht. Of course, he replied. So they took a ten-minute drive to what looked like a deserted warehouse in Watertown, near the Charles River. They went inside, walked upstairs to the second floor, unlocked another door, and turned on the lights, which revealed a high-tech laboratory, crammed with dozens of mainframe computers, desktops, laptops, modems, and a few oscilloscopes, much of it wired (as Mudge pointed out, when they went back outside) to an array of antennas and dishes on the roof.
Clarke asked how they could afford all this equipment. Mudge said it didn't cost much. They knew when the big computer companies threw out hardware (a few of them worked for these companies under their real names); they'd go to the dumpster that day, retrieve the gear, and refurbish it.
The collective had started, Clarke learned, in the early 1990s, mainly as a place where its members could store their computers and play online games. In 1994, they made a business of it, testing the big tech firms' new software programs and publishing a bulletin that detailed the security gaps. They also designed, and sold for cheap, their own software, including L0phtCrack, a popular program that let buyers crack most passwords stored on Microsoft Windows. Some executives complained, but others were thankful: someone was going to find those flaws; at least the L0pht was doing it in the open, so the companies could fix them. The NSA, CIA, FBI, and the Air Force Information Warfare Center were also intrigued by this guerrilla operation; some of their agents and officers started talking with Mudge, who'd emerged as the group's spokesman, and even invited him to give talks at high-level security sessions.
Not that the intelligence agencies needed Mudge to tell them about holes in commercial software. The cryptologists in the NSA Information Assurance Directorate spent much of their time probing for these holes; they'd found fifteen hundred points of vulnerability in Microsoft's first Windows system. And, by an agreement much welcomed by the software industry at the time, they routinely told the firms about their findings (most of the findings, anyway: they always left a few holes for the agency's SIGINT teams to exploit, since the foreign governments that they spied on had bought this software, too). Usually, the Silicon Valley firms were complicit in leaving back doors open. Still, the NSA and the other agencies were interested in how the likes of Mudge were tackling the problem; it gave them insights into ways that other, more malicious, perhaps foreign hackers might be operating, ways that their own security specialists might not have considered.