FBI operation penetrates hacker underground

The FBI has gained a foothold in the hacker underground thanks to an 18-month undercover operation launched during the height of the U.S. military's 1999 bombing campaign in Kosovo.

What started out as a Defense Department operation designed to ferret out pro-Serbian hackers responsible for the April 1999 denial-of-service attacks against U.S. government and NATO Web sites soon led to the first coordinated undercover operation targeting U.S.-based hackers, Computerworld has learned.

The operation, whose code name is being withheld for security reasons, involved a joint team of half a dozen FBI and Pentagon criminal investigators who posed as hackers on the Internet. Dozens of investigations by the Justice Department have been opened as a result of the operation's success, including some that are continuing.

During the course of the operation, agents developed multiple informants within the hacker underground, conducted more than a dozen authorized defacements of government Web sites to establish a reputation among the hackers and received assistance and training from hackers they had arrested.

William Swallow is director of incident response for the Cyber Attack Tiger Team (CATT) at Exodus Communications Inc. in Santa Clara, Calif. He is also the former lead investigator in the sting operation and one of the agents who for a year posed as a hacker. Although the team never defaced a corporate Web site, it received permission to hack into and deface government Web sites and then posted those defacements to Attrition.org, a Web site that archives hacker defacements, he said.

"Even a half-dozen hacks got you a pretty good reputation," said Swallow. "I had to be able to demonstrate to them that I could do it."

The plan worked. Swallow and the other investigators developed close, even competitive, relationships with hackers through the use of Internet Relay Chat rooms. Soon, hackers were trying to get the investigators to take part in coordinated hacking attacks and offering to share stolen information.

"It took about six months to really get them to feel comfortable enough to pass information along," said Swallow. "I had hackers pass stolen credit cards to me and request help in hacks." Some of those young hackers had relationships with Russian mafia organizations and were trying to sell the information.

Swallow came up with the idea for the investigation shortly after he was detailed to the FBI's computer intrusion squad in Los Angeles in 1999. He had been sent there by the Pentagon to help develop sources in the Serbian hacker community who might be able to lead investigators to the perpetrators of the April denial-of-service attack against Defense Department Web sites. He managed to uncover a valuable informant who helped him collect volumes of intelligence information on hackers around the world. But when the Serbian hacker operation was about to come to an end, Swallow realized that he and others had managed to penetrate a good portion of the hacker underground in the U.S.

Rather than shut down the operation, the FBI agreed to keep it going.

Although Swallow and others didn't know it at the time, the undercover investigation would come to play a pivotal role in the eventual prosecution of the 17-year-old hacker known as "Mafiaboy." The Canadian hacker pleaded guilty to 58 charges stemming from the February 2000 denial-of-service attacks against Web sites belonging to five companies, including Amazon.com Inc., Dell Computer Corp., eBay Inc., Yahoo Inc. and CNN.

On the night that Mafiaboy launched his attack, Swallow and other hackers watched in disbelief as he bragged about what he had just done. Nobody, including the other hackers who were present in the chat room, believed him. As a result, Swallow, who had operator status in the chat room -- giving him the authority to control who was allowed in -- kicked Mafiaboy out and banned him from returning.

"Most of us really didn't have much respect for him," said Swallow. "We didn't believe him and didn't think he was that good. I don't think he was that good. I think he just had access to the right tools." Hacker informants would later lead the FBI to the teenager.

A U.S. attorney who spoke on condition of anonymity said undercover operations, including this one and others that are ongoing, have been "very important" to the FBI's ability to track down hackers, "especially with people that are beyond the reach of our courts overseas."

Eric Friedberg, a former computer and telecommunications crime coordinator at the U.S. Attorney's Office in New York, said that although undercover operations are "the wave of the future," there are risks.

Hacker informants can be "extremely unreliable," said Friedberg, now a computer crime consultant at Stroz and Associates in New York.

"It's hard to engender a sense of loyalty in that community," he said. "They see it as sort of a game. Many of them don't appreciate that they're jammed up [in trouble with the law]. It makes for very dicey work."

Copyright © 2001 IDG Communications, Inc.
