Ep. 50: Cyberwarfare yesterday
This episode, we survey the history of cyberwarfare — from the ascent of Chinese hackers this century to the arrest of a Soviet-linked hacker 30 years ago, and a lot in between.
Today we turn from the possible future of cyberwarfare and to its fairly incredible past. We’ll start with the first major cyber attack on U.S. military networks, work our way up to the OPM hack of 2015, then all the way to East Germany in the 1980s. We’ll even make some brief stops in Hollywood, where a few films over the past 35 years got cyber risks you might say helpfully wrong, while others got various key elements uncomfortably right.
A transcript of this week's episode can be found below — beneath the table of 50 key events in the history of cyberwarfare.
Find part one in our series here.
And part two here.
Subscribe either on Google Play, iTunes, or Overcast, or wherever you listen to podcasts. Thanks for listening!
Select key events in cyber history (through 2018):
- 1986 Cliff Stoll notices, helps nab Soviet-linked hacker Markus Hess in honeypot folder scheme involving the U.S. military’s "SDI Network."
- 1990 The military of Iraq’s Saddam Hussein invades Kuwait in August; the U.S. hacks Iraq systems ahead of Desert Storm (Jan 1991).
- 1991 Internet goes mainstream (August).
- 1997 Original “hack the Pentagon” scheme begins with an exercise called "Eligible Receiver," with unsettling results (June).
- 1997 U.S. releases its Marsh Commission report on critical infrastructure, mostly cyber vulnerabilities (October).
- 1998 Teenagers in California (aided by an Israeli hacker) are caught in the "Solar Sunrise" U.S. military systems breach (first noticed around February).
- 1998 Russian-linked "Moonlight Maze" document-hunt inside U.S. military systems; ended via honeypot (March 1998 to April 1999 or so).
- 1998 White hat hackers "L0pht" testify on Capitol Hill (May).
- 1999 U.S./NATO hacked Serbian air defense (March; Milosevich surrendered in June).
- 2001 Chinese hacking effort, later dubbed "Titan Rain," picks up with attacks against U.S. and British military commands.
- 2004 AOL data breach — 92 million users affected.
- 2006 China vs U.S. defense contractors "Op Shady RAT" (Summer).
- 2007 U.S. hacks al-Qaeda in Iraq (April).
- 2007 Russia hacks (distributed denial of service attacks plus malware) Estonia (April).
- 2007 Israel hacks and disables Syrian air defenses during Operation Orchard (September).
- 2007 China hacks the Obama and McCain campaign records in a first for presidential candidates.
- 2008 Heartland Payment Systems breach — affecting more than 100 million users (May).
- 2008 Russia shutdown Georgia's internet during Moscow’s invasion of one half of the former Soviet republic (August).
- 2008 CENTCOM is hacked by Russia via a thumb drive inserted from Kabul (discovered in October).
- 2009 U.S. unleashes "Olympic Games/Stuxnet" worm versus Iranian centrifuges (February to June).
- 2009 China hacks under "Operation Aurora" take off against Google and other large and small U.S. companies (early Summer)
- 2009 North Korea DDoS attack vs. U.S. and South Korean banks as well as U.S. government websites (July).
- 2011 PlayStation data breach affects 77 million users (April).
- 2012 U.S. and NSA unleash the Flame virus vs. Iran’s oil sector (May).
- 2012 LinkedIn breach suffers a breach affecting 100 million users (June).
- 2012 Iran unleashes the Shamoon virus on Saudi Aramco and Qatar's RasGas (August).
- 2012 President Obama signs PPD-20, “U.S. Cyber Operations Policy” (October).
- 2013 South Korean banks are hacked presumably by North Korea (March).
- 2013 Edward Snowden’s NSA eavesdropping revelations become public (June).
- 2013 Yahoo data breach affects some 3 billion accounts (August).
- 2013 Syrian Electronic Army defaces multiple news sites (August).
- 2013 Britain practices attacks on its own financial sector (November).
- 2013 Target data breach affects 110 million customers (November).
- 2014 China's OPM hack first discovered (March); ops believed to have begun in 2012.
- 2014 Russia cyberattacks Ukraine during its invasion and illegal annexation (March).
- 2014 Home Depot data breach affects 53 million users (April).
- 2014 North Korea hacks Sony, sending a chill across Hollywood (November).
- 2014 Iran attacks Sheldon Adelson's casinos.
- 2015 Anthem data breach affects 78 million customers (February).
- 2015 Russian hackers access White House computers (April).
- 2016 Petya ransomware first surfaces (March).
- 2016 South Korean military is hacked presumably by North Korea (September).
- 2016 John Podesta’s emails are released via Wikileaks and Russian intelligence operatives (October).
- 2017 WannaCry ransomware attack surfaces (March).
- 2017 Hacked emails from France’s Emmanuel Macron are dumped (May).
- 2017 NotPetya ransomware hits Ukraine (June).
- 2017 The Swedish military is cyberattacked (June).
- 2017 Facebook data breach affects 50 million users (July).
- 2018 CYBERCOM takes the Russia-linked Internet Research Agency offline for a day (November) during the midterm elections.
- 2018 China hacks Marriott hotel networks, affecting some 500 million accounts (December).
Find this week's transcript below.
Phase One: The 90s
Last week we looked a bit at ways nation state hackers could take advantage of emerging technologies like quantum computers and 5G network infrastructure. Surrounding a lot of that was concerns about programming teams from America’s so-called great power competitors like China and Russia, even Iran and North Korea.
This week in our final episode in this cyberwarfare series, we’re gonna review some of the most notable episodes in the history of the domain.
While preparing for this series, I isolated more than 50 different key events in the history of cyberwarfare going back to 1982. We’ll put them all up our website. But looking over the list now, 40 of those 50-plus events took place in the past 20 years. And that kinda makes sense, right? As internet use has grown around the globe, so, too, has the frequency of attacks.
A few other quick takeaways from my research on the history of cyberwarfare:
- China showed up earlier than I thought (in 2001).
- North Korea began hacking sooner than I’d remembered, since I recalled mostly the Sony hack from 2014. But their hackers hit U.S. banks at least as early as 2009.
- Russia, too, began hacking the U.S. military far earlier than I’d thought, too — beginning at least in 1998, about a decade after a major episode in the 80s that we’ll get into later.
Alperovitch: “When I look at the history of cyber conflict, I kind of divide it into three generations.”
That’s Dmitri Alperovitch of the cybersecurity firm, CrowdStrike.
Alperovitch: “And the first generation, which was started in the early 80s and continued really through mid-to-late 90s, it was really nation state on nation state and was mostly espionage. At the time, the United States and the Soviet Union (later Russia) really taking their signal intelligence capabilities of collecting intelligence and moving into the cyber world — realizing the incredible power of this domain.”
Some of that was evident in the 1998 hacking work from Russia I mentioned above. That was a wake-up call for the entire U.S. government, not just the Defense Department, which spotted the attack as it was happening.
And what was happening was a systematic search for sensitive and secret military files. The espionage that Dmitri mentioned. And the strange thing about this attack, which the U.S. later called Moonlight Maze, was that it happened less than a year after the Pentagon ran its very own internal exercise to see how vulnerable its networks were to hackers. Eight months later, the U.S. Central Command officials down in Tampa noticed the first major cyber attack on its networks.
U.S. authorities’ called that operation Solar Sunrise, for the security vulnerability exploited in the attacks.
“Investigators track the intrusions back to their points of entry, and find they’ve been routed through a variety of internet service providers, or ISPs...”
This is a turn of the century training video the FBI put together on the lessons of Solar Sunrise.
“...Many of these points of entry are university sites, where security is typically lax, common passthrough sites used by hackers. But at least two of the passthrough sites seem to deserve a closer look: SonicNet, a commercial ISP in California; and EmirNet, in the United Emirates, one of the few electronic gateways into Iraq.”
Through those two gateways, U.S. federal investigators eventually traced Solar Sunrise to two teenagers in California poking around military networks for fun. Not too different in some ways from Matthew Broderick’s teenaged hacker character, David Lightman, in the old 80s film, “Wargames.”
Jennifer: “What are you doing?”
David: “Dialing into the school’s computer. They change the password every couple of weeks. But I know where they write it down.”
That film, by the way, got the serious attention of then-President Ronald Reagan, who sort of freaked out to his staff after seeing it one evening at Camp David in June 1983.
Complicating matters for our real-life hackers 15 years later in northern California: these guys were being taught by another teenage hacker, this time from Israel, named Ehud Tenenbaum. The Washington Post at the time reported that Israeli “Prime Minister Benjamin Netanyahu swelled like a proud father,” when the news broke about Tenenbaum, with Netanyahu praising the Israeli teenager as quote "damn good."
A brief fun diversion is Googling Tenenbaum for all the times he has variously been caught and arrested and evaded significant jail time, even to this day. He pretty much deserves a whole season on the podcast “Serial.”
But here’s the main lesson of Solar Sunrise, according to that FBI training video.
“To be a successful hacker nowadays, you don’t need to be a savvy, sophisticated, highly-educated computer scientist who writes his own exploits and attack scripts and figures out after a lot of work, background investigation into his target and figures out how to go after that system.”
Narrator: “The danger is real. Teenaged hackers have already interrupted air traffic control at an airport in Massachusettes and disrupted 911 emergency services in Florida. Imagine similar tools in the hands of a hostile government or terrorist group.”
So that was major cyber attack number one, Solar Sunrise. The second attack that year was happening as Solar Sunrise was being investigated. And it ran for at least another year or so before the attack was traced back to its source.
That story had no happy ending, or echo from Hollywood.
It began with an attack first noticed at Wright-Patterson Air Force Base in Ohio. The target there seemed to have been files relating to cockpit designs and microchips. And over time it was a consistent block of hours that this hacking occurred which helped lead investigators to its source. But not immediately. And only after there were enough months of his action logged in reports that the U.S. was satisfied at IP address at the Moscow-based Russian Academy of Sciences was the true culprit.
One year later, the U.S. sent a team of seven officials to Moscow to bring up the whole extended episode with the Russian defense ministry. The trip was supposed to last eight days. The intrusions were flagged on day two. The defense ministry gave a sort of “those bastards in intelligence” answer up front, and told the Americans this was not activity that they tolerate.
The trip, however, took an icy turn on day three. No more talks in the defense ministry. No more exchange of computer logs. By day five, there were no more activities of any kind planned for the American entourage.
“One good thing did come out of the trip,” as Fred Kaplan writes in his 2016 book, “Dark Territory: The secret history of cyberwar.” And that good thing was that the hacking did seem to stop.
Until two months later it started back up again.
Sen. Fred Thompson: “We’re joined today by the seven members of the L0pht, Hacker think Tank in Cambridge Massachusetts. Due to the sensitivity of the work done at the L0pht, they’ll be using their hacker names of; Mudge, Weld, Brian Oblivion, Kingpin, Space Rogue, Tan, and Stephen Von Neumann.”
The whole country was waking up to these cyber problems in 1998. While the FBI was hunting down the Moonlight Maze IP address, a group of elite U.S. hackers headed to Capitol Hill for an unprecedented hearing before puzzled lawmakers. It’s now cited as one of the first-ever Congressional hearings focusing specifically on cybersecurity.
It happened on May 19, 1998, before the Senate Committee on Governmental Affairs. Chairing the committee is one Sen. Fred Thompson, Republican from Tennessee. You’ll no doubt find his voice familiar, since he went on to star in many films and TV shows like “Die Hard 2” and “Law and Order.”
This May 1998 testimony is useful for understanding how governmental and public awareness of cyber challenges has evolved and how it hasn’t over the past 21 years. In it, we can begin to sense how officials then were in well over their heads. For example, at one point a lawmaker asked if it was possible to blow up a computer — a silly question that would later become relevant when we learned about the Stuxnet worm that wrecked Iran’s centrifuges 11 years later.
Among the exchanges that I find kinda interesting is the following between Senator Thompson and first the hacker named Mudge, then his pal, Space Rogue.
Thompson: “Part of what you’re trying to do is demonstrate something that you feel like the American people need to know and that’s part of our job also and I’m curious: if a foreign government was able to assemble a group of gentlemen such as yourself, and paid them large amounts of money and got them in here or hired him here to wreak as much havoc on this government as they could in terms of infrastructure, the governmental operations, whatever. How much damage can they do?”
Mudge: “...Some of the areas that you could, should worry about, our new phone systems are down, the electricity is gone and your financial markets? We recently had a very close call in the financial markets. The disruption of services is a wonderful way of messing people up. In addition, by disrupting service in certain patterns you can force people to take other routes. Let’s say that I have taken over MCI’s networks which would not be a tremendously difficult thing to do, I mean, most people can get access to the metropolitan area in the national access points, physical access even. So, I can watch everything that goes through this major backbone providers transitory networks but I can’t watch Sprint. Well, what am I gonna do? I’ll disrupt Sprint service so that everybody routes through me now I can learn everything you’re doing, I can watch your movements, I can stop your movements, I can issue requests on your behalf. You’d be surprised how much stuff is tied to the general networks now.”
Space Rogue: “I think if a nation state funded a group of people to attack the United States electronically, the number of systems that can be disrupted a compromised is so great that it would probably wreak a lot of havoc in the country. Whether or not the country can recover from that in inadequate period of time or defend against it is a good question. But there’s definitely some potential there for her abuse.”
And here’s the hacker called Kingpin discussing how it wasn’t hard to read people’s emails back in 1998.
Kingpin: “One can see the screens of people’s — they can read the email safe off the screen or maybe if they’re accessing some confidential system or looking up some kind of criminal records or something like that. And the outside or inside or intruder could then become familiar with the system and access it in a different way.”
And on the topic of encryption, which is an issue we’re very much still debating here in 2019, here’s astronaut and Senator John Glenn, Democrat from Ohio:
Sen. Glenn: “Do you think a system can be designed that would be fool proof that we could use for defense and for key elements such as the northeast grid or our financial, the Federal Reserve or whatever is it possible to design a foolproof system?”
Space Rogue: “I don’t think it’s possible to design a foolproof system but I don’t think that should be the goal. The goal should be to make it very difficult to get in. The more difficult you make it the less risk you assume from someone, foreign nation state or teenage kid from breaking into that system. So that the goal is to raise the bar and then have a plan to reconstitute after that fact if it does happen.”
Senator Glenn came back with one of the more oddball questions from that hearing — but one which kind of predicted where all this cyberwarfare stuff was believed to be headed: offensive cyberwarfare of the kind the Obama administration used to blow up Iran’s centrifuges in 2009.
Senator Glenn: “... Can you blow a computer? Can you overpower it? Can you put enough material in it and just blow it? You don’t need to worry about getting the material up for fouling up and just put it in and blow up the computer. Can you do that?”
Stephen Von Neumann: “Not so much an issue of blowing a computer, destroying it over power line… Maybe more of a concern would be interruption of power. We were in the course of one of our investigations, able to use a power interruption that was nothing to do with us, it happened to be — but to our benefit. A power interruption that was and deliberate could be.”
Senator Glenn: “Ok, I wasn’t thinking so much of overpowering with so many high-powered electric currents coming in; I was thinking of getting in and fouling up circuits in such a way that it’ll dump its programming and things like that. Can you do that?”
Stephen Von Neumann: “Yes. Yes. Mudge, care to talk about buffer overflow?”
Mudge: “Buffer overflows are an extremely common coding problem. Many of the problems that are out there that contribute to this lack of security are — are extremely simple. Buffer overflows are spottable in source code by a first-year college computer programmer, by people without any college computer programming skills. The notion of race conditions where there is a certain amount of time between what I tell you something and between what you tell another senator that could go in and change that information so that Senator Lieberman believes that you said something else. These are all very straightforward problems. They weren’t addressed because computers really came out of a tremendous amount of fun and joy in research and exploration they didn’t think about the commercial ramifications and aspects.”
Sen. Joe Lieberman of Connecticut struggled to find a historical parallel for what he felt like he was witnessing. Here he is in his final remarks.
Sen. Lieberman: “Senator Thompson indicated that somebody referred to your group as rock stars of the new computer age. It’s probably not what you came to hear, but I think you’re performing an act of very good citizenship and I appreciate it. I’d compare you, I hope you don’t mind I’m not gonna call you rockstars, I’d compare you more to Rachel Carson who sounded some real warnings about what environmental pollution was doing to the environment and in the defense context you may be modern-day Paul Reveres except in this case it’s not the British coming. We don’t know who’s coming, that’s the problem.”
But perhaps the most interesting takeaway, for my ears, was a kind of blind optimism that solutions for a lot of these cyber vulnerabilities would percolate up the various processes almost on their own. And that affected, hacked companies will all quickly realize the stakes and rush to protect their clients and customers. Here’s Senator Thompson.
Sen. Thompson: “The first time some big company has been compromised because of this, that it may fix itself because it’ll be a massive lawsuit and everybody will wonder why we didn’t address this in the beginning but the fascinating issues and you know you’ve pointed out that our computer security is virtually a non-existent and how easy it is to obtain sensitive information and shutdown liable governmental operations and we’re going to have to do something about it, it is that simple.”
Phase Two: Turn of the century
Alperovitch: “We now live in the golden age of signals intelligence in large part because of what cyber enabled us to do to go into networks and take data that would never otherwise be transmitted.”
That’s Dmitri Alperovitch of CrowdStrike again. And Dmitri would know.
Remember he told us: “When I look at the history of cyber conflict, I kind of divide it into three generations.”
Alperovitch: “... In the second phase, the second generation of cyber conflict, roughly from the late-90s through 2010 or so, we had an explosion of other nation states and criminal groups jumping on the bandwagon and getting significant capabilities — so nation states like China, Iran, North Korea and of course a huge number of criminal groups. And the nation state on nation state espionage expanded to now target private industry to doing intellectual property theft as we’ve seen from China and others, to do financially-motivated crime and so forth.”
Dmitri would know. He’s one of the McAfee cybersecurity analysts who helped pin a large number of cyberattacks on China seven years ago. The work is now known as “Operation Aurora.”
But the work of Chinese hackers appears to have begun at least as early as 1998, the same year as that Russian effort in Moonlight Maze. Once U.S. authorities finally caught wind of China’s first big cyber operation, it had already hit both U.S. and British military command networks. But it wasn’t only military commands. The hackers moved onto major U.S. defense contractors like Lockheed Martin.
By mid-2006, the Chinese expanded their scope dramatically — encompassing not just all major defense firms, but also the UN and the Olympics (China would host the 2008 games, remember).
Alperovitch helped pinpoint China in those attacks, which were given the name “Titan Rain” by U.S. investigators. It’s hard today to know the full extent of the damage from the persistent attacks. But we have sort of an idea: There’s a list of almost one-to-one copies of U.S. military equipment that are also in China’s military today. And that includes the U.S.-made F-35 Joint Strike Fighter, the F-22 Raptor, F-16 Falcons, the C-17 cargo freighter, Predator drones, Reaper drones, Black Hawk helicopters, humvees and more.
So there would seem to have been a quite obvious benefit to all that theft. And the theft didn’t stop at military equipment. As Dmitri Alperovitch pointed out, the Chinese shifted their sights to American private industry and intellectual property theft. Think companies like Google, Yahoo, Morgan Stanley, Dow Chemical. Those are some of the companies in Dmitri’s 2011 report on “Operation Aurora.” Stuff that had been going on for years, but was only discovered after the Stuxnet worm was released onto Iranian centrifuges.
One year after Operation Aurora became public, and three years after Stuxnet, Iran retaliated with its own cyberattack, using a virus called Shamoon to shut down computers across Saudi Arabia’s oil company Aramco and another gas company in Qatar.
China-linked hackers, meanwhile, were still persistently attacking U.S. networks and pilfering sensitive documents from apparently as many American companies as they could. And that was a point raised in subtle but significant fashion by President Obama’s national security adviser at the time, Tom Donilon. Speaking to the Asia Society in New York in March 2013, Donilon told the crowd:
Donilon: “But, specifically with respect to the issue of cyber-enabled theft, we seek three things from the Chinese side. First, we need a recognition of the urgency and scope of this problem and the risk it poses—to international trade, to the reputation of Chinese industry and to our overall relations. Second, Beijing should take serious steps to investigate and put a stop to these activities. Finally, we need China to engage with us in a constructive direct dialogue to establish acceptable norms of behavior in cyberspace.”
So how did that go over? Almost exactly a year later, U.S. authorities got their first clues about what would later become known as the OPM hack on the United States Office of Personnel Management — a breach of sensitive data, including social security numbers and fingerprints, on as many as 21 million Americans and their family members. To this day, that hack — like Aurora and Titan Rain — is believed to have originated in China.
Phase Three: The last 10 years
Alperovitch: “... And now in this third generation of cyber conflict where attacks are increasingly becoming destructive and disruptive.”
Alperovitch: “... And certainly we’ve seen that with Stuxnet; we have seen that with ransomware becoming a huge problem from a criminal perspective. And then attacks like NotPetya, launched from Russia, and Shamoon from Iran, increasingly showing us an impact that cyber can have beyond just theft, but veering into destruction and disruption. And those types of attacks, I think, are going to become more predominant over the coming years; industrial control systems in particular are becoming increasingly a target. And of course the danger there is that if you can target a life-safety system at a particular critical chemical or refinery complex, you can actually cause loss of life, you can cause widespread destruction, and that’s increasingly a big concern.”
It’s the sort of concern that hangs over the Russian cyberattacks against Ukraine when Russia invaded the country’s east and the peninsula of Crimea in March 2014. The sort of concerns that followed the release of the Petya ransomware, which first surfaced in March 2016, and that we discussed in our first episode in this series.
And as we also discussed in that episode, by 2016 cyber was taking on new and much larger meaning for everyone around the world — absorbing almost entirely the world of information operations, including disinformation campaigns across the news ecosystem and social media perhaps most notably.
It was all part of a change in cyber tactics that information security researcher, The Grugq, told us about in our first episode. Here he is explaining just a little bit more of that.
Grugq: “The emerging thing that we’re seeing now is basically this sort of shocking realizing that people who use computers can be targeted just as well as the computers can. So for a very long time, cybersecurity and cyberwarfare, all this stuff, was very, very focused on who we call it, ‘owns,’ it’s who basically has control, who has ultimate authority over a computer. And whoever has ultimate authority controls the data, controls what the computer does and so on. And this is considered very, very powerful and basically all anyone used to care about was access to the data.”
And access to the data was the theme of one of the great films on cyberwarfare — a film far more about encryption than I would have guessed was possible from the early 90s.
The movie was “Sneakers,” and it starred Robert Redford in the lead role as a kind of good guy hacker set against his old college friend, played by Ben Kingsley.
“So people hire you to break into their places to make sure no one can break into their places?”
“It’s a living.”
“Not a very good one.”
Kingsley’s character — as The Grugq pointed out — was fixated on owning the world’s data. And he wanted to do that through a fictional black box that offered unbreakable encryption.
Spoiler alert, but here’s Kingsley’s character, Cosmo, describing his sinister plan to Redford in one of the film’s final scenes.
“There's a war out there, old friend. A world war. And it's not about who's got the most bullets. It's about who controls the information. What we see and hear, how we work, what we think... it's all about the information!”
Grugq: “Sneakers is — it is the only hacker movie worth watching. It is absolutely excellent. It’s aged perfectly. Everything in there still holds as true today as it did when it came out. There’s a lot of people that got involved in cybersecurity because of that movie. It’s had a huge influence on the community and it deserves it. It’s a great movie.”
Part Four: The story of Cliff Stoll
One final episode in our extended look back over the history of cyberwarfare includes the legendary story of astronomer Cliff Stoll.
And to tell this part of our story, we’re gonna go to Cliff himself in conversation with the C-Span program “Booknotes,” way back in December 1989. It was three years after a world-changing event in not just Cliff Stoll’s life, but also for the U.S. intelligence community, the Defense Department, and the entire U.S. government at the time.
Here’s Cliff with the short version of the story.
Stoll: “This is the first case that we found of espionage taking place by breaking into American military computers. Someone from Europe who was systematically going after secret information in American military computers, and getting it, and then retailing it to the Soviet Union.”
How in the world did Cliff find this out? This is how he described it.
Stoll: “I was an astronomer in Berkeley, California, managing a couple computers, trying to keep them running, keep a bunch of astronomers happy. And most of my day was designing telescope optics and occasionally go down and check to make sure the computers were happy. From August 1986, the billing, the accounts on one of my computers was a bit out of balance — just 75 cents off. The accounts were incorrect to the tune of 75 cents. I look at it and say that’s really interesting. If the accounts are off by a thousand, ten-thousand dollars, it’s gonna be easy to understand. After all, you know, you’re balancing your checkbook and it’s off by 10,000 dollars, you know you made a simple mistake. But if you balance your checkbook and it’s off by 75 cents, then then you have a heavy-duty problem that’s worth exploring. So I looked into it and found, oh my little mistake is because someone from the outside has broken into my computer and used a little bit of computer time without my permission. Just enough to imbalance my account. I looked at it, looked at it closely and went hey, it’s not only someone from the outside who I haven’t authorized, but they’re using it in a peculiar way: they’ve become system manager. They’ve become super user in my computer and shouldn’t have. So I started watching them. I started just carefully and quietly seeing what’s going on in my computer and took a printer so that every time this hacker breaks into my computer, my printer over here would print out every keystroke that this guy types in. The guy breaks in and logs in, literally I could see everything that he was doing and everything that can back to him. I wanted to watch over his shoulder and see what he was doing. I wanted to capture everything. And what he was doing when he got into my computer was not reading my astronomy texts, he wasn’t reading about the structure of the galaxy and Orion, he wasn’t reading scientific things. He was using my computer in Berkeley to search out over the computer networks to go into military computers, one after another after another. He’d break into military computers in Alabama, California, the Pentagon, in Okinawa. He’d systematically reach out over the MILNET, the computer network connecting military computers together and into universities as well and try to break into them. And when he’d succeed in breaking into a military computer, he’d search — I’d watch him — I’d watch him search for words like SDI, like NORAD, he’d be systematically trying to get information about nuclear preparedness, and I’d watch him get information from a Pentagon computer about chemical and biological warfare plans for central Europe. I’m looking at it and I’m — I’m an astronomer! I’m an old long-haired from the 60s. This guy — I’m not accustomed to seeing this stuff go through my computers, let alone understanding what it’s talking about. And so I didn't quite know how to handle it. So I called the FBI in Oakland, California and said hey, we've got a problem… what should we do? I don’t know about things, but I think it’s worth continuing to watch. The FBI says oh look, just change your passwords and make sure that he can’t break in anymore and cut off your network connections and it’ll go away.”
You should really hear the full interview over at C-Span, so we’ll leave a link to it in the show notes. But the important point for our purposes today, and Cliff Stoll’s notoriety in the years since, is that the hacker was caught. And he was caught because Cliff set what’s called a “honeypot” trap involving some fake files on an ambitious U.S. defense program that had come to be known as “Star Wars.” The idea was to make a space-based laser that could shoot down Soviet ICBMs on their way to the U.S. mainland. The hacker, a German man named Markus Hess working out of Hanover, took the bait almost immediately — thinking the “Star Wars” files would fetch tens of thousands of dollars for the Soviets.
If you heard our episode with former Defense Secretary Ash Carter, you’ll know the “Star Wars” program was never really going to work as its fans had hoped — and those fans included most notably then-President Ronald Reagan. Carter himself took significant flack for pointing this out as a young analyst working with the Pentagon in the early 1980s.
I asked Carter about this early episode in cyber history when we spoke about a month ago.
Watson: “Did you have any idea that the Star Wars program would help nab the first Russia-linked hacker? German student Markus Hess in 1986 had hacked into ARPANET and was located by a person who created a honeypot and labeled it ‘SDI’ or ‘Star Wars’—”
Watson: “—It didn’t really exist, but the guy checked it out…”
Carter: “Well that’s not the earliest example of that that I know of. Here’s the earliest example that I know of. When I was accompanying then-Secretary of Defense Bill Perry to Russia and I was running the Nunn-Lugar program to establish the defense and intelligence relationship with all the new 15 countries that had come out of the Soviet Union, but especially Russia. And the big program, hundreds of millions of dollars a year, to denuclearize Ukraine, Kazakhstan, and Belarus and so forth. So I had Bill Perry there — who stood in for my father at my wedding, that’s how close I am to him — Bill and I were there at a reception. And in the middle of the reception, a Russian colonel staggered up to Bill drunk, naturally because all the Russians were by that hour, and said, ‘You ruined my career, Secretary Perry.’ And you know the PSOs, the security officers, stepped in to see whether this guy’s gonna try to punch him, and Bill being Bill asked him what the problem was. And the guy answered the following: When Bill had been undersecretary back in the Carter administration, the late 70s, the Soviets had attempted to acquire a digital equipment corporation, DEC-PDP8, computer. If you know computer history, it’s a storied computer. And we had found that out and attempted to let them succeed in a clandestine acquisition of a PDP8. And this guy had run the program, and he had taken the PDP8 and they’d taken it back to Moscow and they’d begun to run nuclear weapon design programs on it. And after a month or so, as it was programmed to do with a built-in virus, it sort of ate all their data or started to screw up all their data. And this was detected and the fact that it was a plant was detected and this guy was fired. That’s the first computer virus I know of. About 1977-78. Isn’t that interesting?”
Alperovitch: “I feel like we still don’t know the full history of this domain. A lot of those types of operations are classified and it’s great to see them coming out...”
Dmitri Alperovitch once more.
Alperovitch: “...Obviously the Cliff Stoll moment was so powerful not just because Cliff is such a legend, but because he almost single-handedly defined this domain and so many key concepts that we now use today — from attribution to forensics, to honeypots and deception and many, many other things that he just stumbled upon as he was pursuing those hackers from West Germany that we working on behalf of the Stasi in trying to steal our national secrets by breaking into his university lab and using it as a beachhead to get into other systems. For me personally, I’ve been involved in some of the more recent investigations and Operation Aurora that was unveiled in 2010, it is now coming up on the 10-year anniversary in about six months of that attack — was really defining in my career. And I think in many ways has accelerated the trends that are now seeing in this industry where the first time that the broader public had an appreciation that you had nation states — in that particular case, China — targeting private sector companies — in that case, Google and many others — and steal intellectual property and do it on a vast scale. And I think that was a huge wake-up call for many in this industry, many in the private sector and many in the government even that something had to be done about this problem.”
We’ll end today with a parting thought from Cliff. He was just asked by his intrepid host at C-Span, Brian Lamb, why the heck he even cares about cybersecurity. Why even go to the effort to write a book about computer-based espionage in 1989. I personally found his answer kind of encouraging.
Stoll: “What I get out of it is, like, it sounds weird, but you kind of have a responsibility to a community. The community happens to be pretty much synonymous with our country -- to tell people what's happened and to suggest what can be done about it… The scary one for me was to realize that to find some commonality with people who wear suits and ties and to find sort of a common denominator between people in secret agencies and myself to find that we’re both working in the same direction toward preserving a community… the political right is worried about secure computers because they hold national defense interests. And the political left is worried about computer security because they’re worried about privacy. And sort of people in the middle worry about security databases because they get ripped off when somebody breaks into a bank. It makes everything more expensive. But here’s sort of an issue that kind of across the spectrum people support for kind of diverse reasons. And it’s kind of reassuring to find that; I was surprised. It never occurred to me.”
That’s it for us this week. Special thanks to Dmitri Alperovitch of CrowdStrike, Dawn Thomas of CNA, Paul Gagliardi of SecurityScorecard, Jen Miller-Osborn of Palo Alto Networks, Adam Segal of the Council on Foreign Relations, Matt Wyckhouse of Finite State, The Grugq, as well as former Defense Secretary Ash Carter.
We hope you learned a little something in this three-part series on cyberwarfare.
And thanks for listening. We’ll see you again next week when we discuss great power competition between the U.S. and its main two rivals these days — Russia and China.
NEXT STORY: About that Counter-Iran Coalition...