Group items tagged firewall-testing

Paul Merrell

CIA Apparently 'Impersonated' Senate Staffers To Gain Access To Documents On Shared Dri...

  • No, the most interesting part of the latest Torture Report details almost falls off the end of the page over at The Huffington Post. It's more hints of CIA spying, ones that go a bit further than previously covered. According to sources familiar with the CIA inspector general report that details the alleged abuses by agency officials, CIA agents impersonated Senate staffers in order to gain access to Senate communications and drafts of the Intelligence Committee investigation. These sources requested anonymity because the details of the agency's inspector general report remain classified. "If people knew the details of what they actually did to hack into the Senate computers to go search for the torture document, jaws would drop. It's straight out of a movie," said one Senate source familiar with the document. Impersonating staff to gain access to Senate Torture Report work material would be straight-up espionage. Before we get to the response that mitigates the severity of this allegation, let's look at what we do know.
  • The CIA accessed the Senate's private network to (presumably) gain access to works-in-progress. This was denied (badly) by CIA director John Brennan. The CIA also claimed Senate staffers had improperly accessed classified documents and reported them to the DOJ, even though they knew the charges were false. Then, after Brennan told his agency to stop spying on the Senate, agents took it upon themselves to improperly access Senate email accounts. This is all gleaned from a few public statements and a one-page summary of an Inspector General's report -- the same unreleased report EPIC is currently suing the agency over. Now, there's this: accusations that the CIA impersonated Senate staffers in hopes of accessing Torture Report documents. Certainly a believable accusation, considering the tactics it's deployed in the very recent past. This is being denied -- or, at least, talked around.
  • A person familiar with the events surrounding the dispute between the CIA and Intelligence Committee said the suggestion that the agency posed as staff to access drafts of the study is untrue. “CIA simply attempted to determine if its side of the firewall could have been accessed through the Google search tool. CIA did not use administrator access to examine [Intelligence Committee] work product,” the source said. So, it was just an innocuous firewall test. And according to this explanation, it wasn't done to examine the Senate's in-progress Torture Report. But this narrative meshes with previous accusations, including those detailed in the Inspector General's report. Logging on to the shared drives with Senate credentials would allow agents to check the firewall for holes. But it also would allow them to see other Senate documents, presumably only accessible from that "side" of the firewall. While there's been no mention of "impersonation" up to this point, the first violation highlighted by the IG's report seems to be the most likely explanation of what happened here.
  • Five Agency employees, two attorneys and three information technology (IT) staff members, improperly accessed or caused access to the SSCI Majority staff shared drives on the RDINet. Accessing another part of the shared network/drive by using someone else's credentials is low-level hackery, but not the first thing that springs to mind when someone says "impersonation." A supposed firewall test would be the perfect cover for sniffing around previously off-limits areas. Much of what has come to light about the agency's actions hints at low-level espionage. There's still more buried in the IG report that the agency is actively trying to keep from being made public. Just because these activities didn't specifically "target" Senate work material, it was all there and able to be accessed. It doesn't really matter what the CIA says it was looking for. The fact that it was done at all, and done with such carefree audacity, is the problem. There are presumably ways to perform these checks that don't involve Inspector Generals, damning reports and multiple hacking accusations.
  • So it takes three technical staff and two CIA lawyers to check a firewall? Lawyers? So if I want to check my firewall, I need to hire three technical staff and two lawyers?
Paul Merrell

The Digital Hunt for Duqu, a Dangerous and Cunning U.S.-Israeli Spy Virus - The Intercept

  • “Is this related to what we talked about before?” Bencsáth said, referring to a previous discussion they’d had about testing new services the company planned to offer customers. “No, something else,” Bartos said. “Can you come now? It’s important. But don’t tell anyone where you’re going.” Bencsáth wolfed down the rest of his lunch and told his colleagues in the lab that he had a “red alert” and had to go. “Don’t ask,” he said as he ran out the door. A while later, he was at Bartos’ office, where a triage team had been assembled to address the problem they wanted to discuss. “We think we’ve been hacked,” Bartos said.
  • They found a suspicious file on a developer’s machine that had been created late at night when no one was working. The file was encrypted and compressed so they had no idea what was inside, but they suspected it was data the attackers had copied from the machine and planned to retrieve later. A search of the company’s network found a few more machines that had been infected as well. The triage team felt confident they had contained the attack but wanted Bencsáth’s help determining how the intruders had broken in and what they were after. The company had all the right protections in place—firewalls, antivirus, intrusion-detection and -prevention systems—and still the attackers got in.
  • Bencsáth was a teacher, not a malware hunter, and had never done such forensic work before. At the CrySyS Lab, where he was one of four advisers working with a handful of grad students, he did academic research for the European Union and occasional hands-on consulting work for other clients, but the latter was mostly run-of-the-mill cleanup work—mopping up and restoring systems after random virus infections. He’d never investigated a targeted hack before, let alone one that was still live, and was thrilled to have the chance. The only catch was, he couldn’t tell anyone what he was doing. Bartos’ company depended on the trust of customers, and if word got out that the company had been hacked, they could lose clients. The triage team had taken mirror images of the infected hard drives, so they and Bencsáth spent the rest of the afternoon poring over the copies in search of anything suspicious. By the end of the day, they’d found what they were looking for—an “infostealer” string of code that was designed to record passwords and other keystrokes on infected machines, as well as steal documents and take screenshots. It also catalogued any devices or systems that were connected to the machines so the attackers could build a blueprint of the company’s network architecture. The malware didn’t immediately siphon the stolen data from infected machines but instead stored it in a temporary file, like the one the triage team had found. The file grew fatter each time the infostealer sucked up data, until at some point the attackers would reach out to the machine to retrieve it from a server in India that served as a command-and-control node for the malware.
  • Bencsáth took the mirror images and the company’s system logs with him, after they had been scrubbed of any sensitive customer data, and over the next few days scoured them for more malicious files, all the while being coy to his colleagues back at the lab about what he was doing. The triage team worked in parallel, and after several more days they had uncovered three additional suspicious files. When Bencsáth examined one of them—a kernel-mode driver, a program that helps the computer communicate with devices such as printers—his heart quickened. It was signed with a valid digital certificate from a company in Taiwan (digital certificates are documents ensuring that a piece of software is legitimate). Wait a minute, he thought. Stuxnet—the cyberweapon that was unleashed on Iran’s uranium-enrichment program—also used a driver that was signed with a certificate from a company in Taiwan. That one came from RealTek Semiconductor, but this certificate belonged to a different company, C-Media Electronics. The driver had been signed with the certificate in August 2009, around the same time Stuxnet had been unleashed on machines in Iran.