The FBI has gained a foothold in the hacker underground thanks to an 18-month undercover operation launched during the height of the US military's 1999 bombing campaign in Kosovo.
What started out as a Defense Department operation designed to ferret out pro-Serbian hackers responsible for the April 1999 denial-of-service attacks against US government and NATO websites soon led to the first coordinated undercover operation targeting US-based hackers, Computerworld US has learned.
The operation, whose code name is being withheld for security reasons, involved a joint team of half a dozen FBI and Pentagon criminal investigators who posed as hackers on the internet. Dozens of investigations by the Justice Department have been opened as a result of the operation's success, including some that are continuing.
During the course of the operation, agents developed multiple informants within the hacker underground, conducted more than a dozen authorised defacements of government websites to establish a reputation among the hackers and received assistance and training from hackers they had arrested.
William Swallow is director of incident response for the Cyber Attack Tiger Team (CATT) at Exodus Communications in Santa Clara, California. He is also the former lead investigator in the sting operation and one of the agents who for a year posed as a hacker. Although the team never defaced a corporate website, it received permission to hack into and deface government websites and then posted those defacements to Attrition.org, a website that archives hacker defacements, he says.
"Even a half-dozen hacks got you a pretty good reputation," says Swallow. "I had to be able to demonstrate to them that I could do it."
The plan worked. Swallow and the other investigators developed close, even competitive, relationships with hackers through the use of Internet Relay Chat rooms. Soon, hackers were trying to get the investigators to take part in coordinated hacking attacks and offering to share stolen information.
"It took about six months to really get them to feel comfortable enough to pass information along," says Swallow. "I had hackers pass stolen credit cards to me and request help in hacks." Some of those young hackers had relationships with Russian mafia organisations and were trying to sell the information.
Swallow came up with the idea for the investigation shortly after he was detailed to the FBI's computer intrusion squad in Los Angeles in 1999. He had been sent there by the Pentagon to help develop sources in the Serbian hacker community who might be able to lead investigators to the perpetrators of the April denial-of-service attack against Defense Department websites. He managed to uncover a valuable informant who helped him collect volumes of intelligence information on hackers around the world. But when the Serbian hacker operation was about to come to an end, Swallow realised that he and others had managed to penetrate a good portion of the hacker underground in the US.
Rather than shut down the operation, the FBI agreed to keep it going.
Although Swallow and others didn't know it at the time, the undercover investigation would come to play a pivotal role in the eventual prosecution of the 17-year-old hacker known as "Mafiaboy." The Canadian hacker pleaded guilty to 58 charges stemming from the February 2000 denial-of-service attacks against websites belonging to five companies, including Amazon.com, Dell, eBay, Yahoo and CNN.
On the night that Mafiaboy launched his attack, Swallow and other hackers watched in disbelief as he bragged about what he had just done. Nobody, including the other hackers who were present in the chat room, believed him. As a result, Swallow, who had operator status in the chat room -- giving him the authority to control who was allowed in -- kicked Mafiaboy out and banned him from returning.
"Most of us really didn't have much respect for him," says Swallow. "We didn't believe him and didn't think he was that good. I don't think he was that good. I think he just had access to the right tools." Hacker informants would later lead the FBI to the teenager.
A US attorney who spoke on condition of anonymity says undercover operations, including this one and others that are ongoing, have been "very important" to the FBI's ability to track down hackers, "especially with people that are beyond the reach of our courts overseas."
Eric Friedberg, a former computer and telecommunications crime coordinator at the US Attorney's Office in New York, says that although undercover operations are "the wave of the future," there are risks.
Hacker informants can be "extremely unreliable," says Friedberg, now a computer crime consultant at Stroz and Associates in New York.
"It's hard to engender a sense of loyalty in that community," he says. "They see it as sort of a game. Many of them don't appreciate that they're jammed up [in trouble with the law]. It makes for very dicey work."