The Global Intelligence Files - Re: [CT] DISCUSSION - Anonymous vs Cartels The Global Intelligence Files, files released so far... 1119 The Global Intelligence Files Index pages List of Releases by Date of Document unspecified 2004 2005 2006 2007 2008 2009 2010 2011 by Date of Release 2001-03-13 2010-03-10 2011-03-05 2011-03-15 2012-01-29 2012-02-27 2012-02-28 2012-02-29 2012-03-01 2012-03-02 2012-03-03 2012-03-04 2012-03-05 2012-03-06 2012-03-07 2012-03-08 2012-03-09 2012-03-10 2012-03-11 2012-03-12 2012-03-13 2012-03-14 2012-03-15 2012-03-16 2012-03-17 2012-03-19 2012-03-20 2012-03-23 2012-03-25 2012-03-26 2012-03-27 2012-04-01 2012-04-02 2012-04-24 2012-04-26 2012-04-30 2012-05-10 2012-06-18 2012-06-20 Our Partners ABC Color - Paraguay Al Akhbar - Lebanon Al Masry Al Youm - Egypt Asia Sentinel - Hong Kong Bivol - Bulgaria Carta Capital - Brazil CIPER - Chile Dawn Media - Pakistan L'Espresso - Italy La Repubblica - Italy La Jornada - Mexico La Nacion - Costa Rica Malaysia Today - Malaysia McClatchy - United States Nawaat - Tunisia NDR/ARD - Germany Owni - France Pagina 12 - Argentina Philip Dorling - Fairfax media contributor - Australia Plaza Publica - Guatemala Publica - Brazil Publico.es - Spain Rolling Stone - United States Russian Reporter - Russia Ta Nea - Greece Taraf - Turkey The Hindu - India The Yes Men - Bhopal Activists Sunday Star-Times - New Zealand Community resources Supporters Support Wikileaks Follow us on Twitter Twitter this Follow us on Facebook courage is contagious The Global Intelligence Files On Monday February 27th, 2012, WikiLeaks began publishing The Global Intelligence Files, over five million e-mails from the Texas headquartered "global intelligence" company Stratfor. The e-mails date between July 2004 and late December 2011. They reveal the inner workings of a company that fronts as an intelligence publisher, but provides confidential intelligence services to large corporations, such as Bhopal's Dow Chemical Co., Lockheed Martin, Northrop Grumman, Raytheon and government agencies, including the US Department of Homeland Security, the US Marines and the US Defence Intelligence Agency. The emails show Stratfor's web of informers, pay-off structure, payment laundering techniques and psychological methods. Re: [CT] DISCUSSION - Anonymous vs Cartels Email-ID 1272397 Date 2011-10-25 03:18:15 From sean.noonan@stratfor.com To analysts@stratfor.com List-Name analysts@stratfor.com Yes, in response to your first question. ---------------------------------------------------------------------- From: "Colby Martin" To: analysts@stratfor.com Sent: Monday, October 24, 2011 7:47:49 PM Subject: Re: [CT] DISCUSSION - Anonymous vs Cartels Sean, just to be clear Your point is that Anonymous hasn't mattered? Is your argument that hackers haven't mattered either? because if Anonymous is a mob of hackers as you argue, how haven't they mattered to their targets? what about all the money spent fighting them? and as Tristan just pointed out - how about HBGary Federal? He said the CEO's SSN and address were posted on Twitter. What about all the sensitive emails that were lost? We have no way of knowing what was in those emails, or how they are being used to make money at the expense of HBGary. I have always agreed that they haven't reached a level of threat to the US, but that surely doesn't mean they won't. And there are quite a few countries, organizations, and people below that rather high standard who could not withstand an attack, including an email purge of personal emails onto the web. On 10/24/11 7:33 PM, Tristan Reed wrote: As far as Aurora, I haven't followed it closely. Did they ever identify the attackers or number of attackers? I thought the target set was the only thing that led people to believe the Chinese government was responsible. 2. NSA will tell you otherwise. SIGINT is not the NSA's only responsibility. SIGINT assets do not carry over to investigating cyber intrusion, unless you are trying to corroborate, in this case HUMINT is just as significant as SIGINT. A country's SIGINT capabilities does not indicate its capabilities in tracking hackers. NSA may have there own department for tracking hackers but it does not make it SIGINT. Ok, Please define SIGINT for me. Wikipedia provides an indepth explanation on SIGINT . But in short, SIGINT is the capability in exploiting signals provided by communication devices, and what can be obtained by exploiting the signals. Combining computer network operations and SIGINT is innaccurate, because while SIGINT may be used with other intelligence disciplines in order to identify a hacker, it is not necessary and is no more related than any other intel discipline. SIGINT could help you identify a computer devices (not the operator) emitting a signal (wifi), and cryptanalysis, which is also separate from SIGINT but often used in conjunction, could help in providing methods to decrypt messages over a network, but SIGINT wouldn't obtain those messages. In order to exploit computer network operations, the operators involved are specifically trained in computer science disciplines and technologies tailored specifically for computer activity. NSA also is the primary agency for cryptanalysis. Because of technological demands of SIGINT and cryptanalysis, NSA has enormous resources in R&D, so I can see why the USG would move some CNO to NSA. But their SIGINT capabilities are not indicators of CNO capabilities. Writing the code and hacking was just a small part of necessary labor for the Stuxnet operation. I also don't think we are discussing operations on the scale of causing physical damage to extremely sensitive equipment . Well, this is an example of a cyber attack that matters, whereeas Anonymous so far has not mattered. You chose the most prolific example of a cyber attack (which the whole operation consisted mainly outside of the cyber attack itself). Anything that falls short of this doesn't matter? Define what matters. None of anonymous' attacks have physically damaged secret Iranian nuclear facilities, but I think you are downplaying too much the significance of exposing corporate secrets, halting businesses' revenues, and embarrassing State actors by defacing their websites. On 10/24/11 5:38 PM, Sean Noonan wrote: On 10/24/11 5:07 PM, Tristan Reed wrote: On 10/24/11 3:12 PM, Sean Noonan wrote: 1. Look at the anonymous hackers tacked down already The USG arrested 10 Russian spies last year, are you willing to say foreign intel is not capable of conducting espionage undetected? No, of course not. But I also would not argue that the SVR is so good to be immune to detection, as you are arguing with hackers. I'm saying they are more detectable than you think. There is no such thing as truly anonymous. Everythign leaves a trail. Will that trail in every instance lead to a single individual? no. but it can lead to a place, an organization, and often, an individual. 2. NSA will tell you otherwise. SIGINT is not the NSA's only responsibility. SIGINT assets do not carry over to investigating cyber intrusion, unless you are trying to corroborate, in this case HUMINT is just as significant as SIGINT. A country's SIGINT capabilities does not indicate its capabilities in tracking hackers. NSA may have there own department for tracking hackers but it does not make it SIGINT. Ok, Please define SIGINT for me. The question is if the attack is high priority enough. Many people assume there is no attribution because there is no response, but I don't think that is accurate. Many people say this, because no attribution is one reason for no response. Yes, they do, and if they think that is the primary reason for lack of response, then I think they are wrong. 3. Your example is short-sighted. You don't just open a new laptop and start hacking e-mail addresses. A cyber attack involves much more than a recently bought laptop. In the same way there is an attack cycle for a terrorist attack or crime, there is one for a cyber attack. A very simple attack may be as hard to trace as a nearly-random mugging in the dark in a neighborhood with much more serious crime and no CCTV cameras. A more complicated attack, however, involves pre-operational surveillance, developing exploits, developing programs and code, gaining access, exploiting that, and carrying out an attack. Discovering exploits and writing code can be done entirely offline, out of sight of law enforcement or intel agencies. Pre-operational surveillance and gaining access (the point of the exploit you write offline) would fit in my example. The point is, if you don't link your computer to identifiable information, you remain anonymous. Just like people use certain methods to build IEDs, people use certain mehtods to design programs and code for cyber attacks. Over time, those methods become identifiable and more and more attributable. This is, for example, how AURORA is linked back to the Chinese. and very specific Chinese, I may add. Being connected or unconnected doesn't matter, eventually you have to use what you develop, or copy from someone, and all of those things can be analyzed. And that takes time, giving more time for your exposure Exposure comes from network activity with the target, a lot of the pre-operational phase of an attack can occur without network activity. Look at everything that went into Stuxnet as a great example, that couldn't be done with one person with a new laptop. Writing the code and hacking was just a small part of necessary labor for the Stuxnet operation. I also don't think we are discussing operations on the scale of causing physical damage to extremely sensitive equipment . Well, this is an example of a cyber attack that matters, whereeas Anonymous so far has not mattered. All of this activity provides activity and evidence which helps for attribution. Of course it is always possible to develop an attack, just like any other operation, that even the best law enforcement and national intelligence agencies have trouble or cannot attribute. That's fine. My point is that it's very difficult for someone to successfully use Anonymous as a cover and have NSA, GHQ, MID, Aman, etc, be unable to attribute it. How do you know if NSA or GHQ is effective in identifying hackers?I don't, but I'm confident they are far better than you are allowing for. They may not choose to cover it if it is small scale crime, however. On 10/24/11 1:38 PM, Tristan Reed wrote: I wouldn't doubt using Anonymous as a cover for state sponsored cyber warfare. Not sure the number of benefits in actually doing that, since you can conduct a cyber attack without associating with a hacker group and still deny / cover actions on behalf of the State. An individual attacking US computer assets from China, may be working by himself or on behalf of the Chinese government, but unless the US has other intel on the Chinese government's cyber warfare activities in order to corroborate there is little capability to distinguish. It is very difficult to track down hackers. Computer network operations do not fall under the discipline of SIGINT. Assets from SIGINT would not directly help you track an individual responsible for hacking State run servers. In the past, I have turned to SIGINT organizations for collections on computer related material, but this was due to the US being behind in cyber warfare, and not knowing where to assign responsibility. However, this has changed dramatically in the last couple of years. Online activities, with adequate OPSEC, truly are anonymous. As an extreme scenario of OPSEC: If I purchase a laptop in cash, go to a Starbucks with free public wifi, and never attribute the online activity to something revealing (accessing personal email accounts, tweeting, entering personal information to the laptop, etc..), and begin hacking government email accounts then never use the laptop again. Unless LEA could get an accurate description of my appearance from Starbuck's patrons or possible security cameras, I can not think of way to identify me. Governments, attempting to track cyber enemies, do not refer to these enemies as individuals. Instead as generic entities tied to specific computer-related activities because of the difficulty in identifying individuals. I think the most likely way for a "Anonymous cover" to be blown, would be the chatter in all the IRC channels. But what if a common participant in "Anonymous" activities, was working for a State? Anonymous has denounced state governments before, if that State agent organizes an attack amongst his IRC / Twitter buddies, what signs could a LEA look for to distinguish? On 10/24/11 12:38 PM, Sean Noonan wrote: In reply to Kerley (my comments on the discussion coming in a bit) 1. Anonymous has not shown the capability to do anything actually harmful or devastating. I'm not saying they can't, but i'm very doubtfoul. Tristan's discussion shows the first real case where they could do some minor damage--to individual people, not not to an organization or anything that would come as a serious or strategic threat. 2. Attribution by the world' leading SIGINT agencies is actually pretty good. I see the fear of using 'anonymous' as a cover, but that would be pretty easy to bungle, and could probably still be attributed if important enough to those agencies. The recent attack on Sony actually brings this issue up- Whoever is calling themselves anonymous denies they did it. And keep in mind how much they have claimed an publicized attacks in the past, even before they were carried out. The attack on the Playstation Network was more sophisticated than anonymous' usual work (though potentially coordinated with Anonymous' DDOS attacks that distracted Sony's IT security). But whoever did it, again, no real damage came of it. Congress is holding hearings over data security, but this is no different than the OC groups stealing your credit card information. LE will go after them, have some success, but the threat is not that large. On 10/24/11 11:04 AM, Kerley Tolpolar wrote: I see the Zetas/Anonymous affairs as a good opportunity to have a broader piece on Anonymous. I believe our readers no nothing, or almost nothing about what this group is and the threat it poses. Reviewing their list of attacks (http://en.wikipedia.org/wiki/Anonymous_%28group%29), in most of the cases, they are the a**gooda** guys, sort of a Robin Hood of the internet . The interesting thing when it comes to their interactions with the cartels is the dubious role they play: at the same time they can be fighting crime by revealing cartel members/supporters, but they can also put lives in risk. However, I believe this is only one of the threats posed by Anonymous. The idea that states, and anyone else on Earth, can conduct a cyber attack under a**Anonymousa** is worrisome. (http://www.zdnet.co.uk/blogs/security-bullet-in-10000166/akamai-cyber-spies-are-hiding-behind-anonymous-10024573/) If I run an organization, if I am responsible for government websites, or if I am just a internet user, I would like to know more about these guys. Who they are? What are they interested in? How they operate? Who they have targeted so far? How can I defend myself from them? In what countries are they active? Should I worry about them at all? Can I use them to achieve any particular goal? On 10/24/11 10:22 AM, Colby Martin wrote: nice. i still think the central focus, and what everything else can build off of, is that Anonymous doesn't know the threat they pose to innocent people caught up in the terror that is Mexico. By focusing on journalists or taxi drivers they show little understanding of the situation. This has long term implications in not just Mexico. They don't consider the consequences of their actions and they act without understanding the environment. It was the same when they released information on the Sony Playstation network to protest Sony. They hurt innocent people to prove a point. On 10/24/11 9:32 AM, Tristan Reed wrote: Reposting this with a new shorter focus. Instead of discussing possible cartel responses, the focus is on what type of threat Anonymous can pose to cartels. The video released by Anonymous, threatens revealing personal information on cartels as well as states a member had been kidnapped. I could not find any sources outside of Anonymous' claims of the individual being kidnapped. According to their facebook sites (Anonymous Mexico and Anonymous Veracruz) it sounds like it may be an individual posting flyers in Veracruz as part of the Operation Paperstorm protest, although that is speculation. Anonymous, a well-publicized hacker group famous for distributed denial-of-service (DDOS) attacks on government websites, lashed out at drug cartels via the Internet with a statements denouncing Mexicoa**s criminal cartels, including a video depicting a masked individual addressing Mexican drug cartels on October 10? With the most recent video release, Anonymous makes bold threats towards the criminal cartels in Mexico. Threats such as releasing identities of taxi drivers, police, politicians, and journalists who collude with criminal cartels. The hacker group demanded Los Zetas release a fellow kidnapped member otherwise face consequences. In the Anonymousa** video, this coming November 5th was mentioned as a day cartels could expect Anonymousa** reaction if their demands of releasing a kidnapped member are not met. The potential of conflict between Mexicoa**s criminal cartels and hackers, presents a unique threat towards TCOs. We know of cartels lashing out at online bloggers, but I havena**t seen any reporting on cartels dealing with any headaches from hackers before. What Anonymous brings to the table in a conflict a*-c- Anonymous would not pose a direct physical security threat to Mexican cartels. a*-c- Anonymous' power base is the ability to exploit online media a*-c- Anonymous hackers do not have to be in Mexico to lash out at cartels While not certain, there is a potential for Anonymous to pose a threat a*-c- It is unknown if Anonymousa**s claims to possess identifiable information on cartel members a*-c- It is unknown what information Anonymous could acquire on cartels a*-c- Bank accounts, any online transactions or communications, identifiable information on cartels members have to be considered in the realm of possibilities for Anonymous o Anonymous has demonstrated ita**s ability to reveal illicit online activity (child pornography rings) Anonymous hackers likely have not been involved in the ultra-violent world of drug trafficking in Mexico. As a result, their understanding of cartel activities may be limited. Anonymous may act with confidence when sitting in front of a computer, but this may blind them to any possible retribution. They may not even know the impact of any online assault of cartels. a*-c- Revealing information on taxi drivers and journalists will cost lives. Anonymous may not understand some of these individuals are forced to collude with cartels. Taxi drivers are often victims of extortion or coerced to act as halcones. Revealing the identity of these individuals will not have a significant impact on cartel operations. Politicans have been accused of working with cartels (Guerrero & Veracruz' governor) before, however there has yet to be any consequences from this. a*-c- Anonymous hackers may not understand the extent cartels are willing to go protect their operations. o Any hackers in Mexico are at risk. o Cartels have reached out to the computer science community before, coercing computer science majors into working for them. o This provides the cartels with the possibility of discovering hackers within Mexico. On 10/17/11 10:19 AM, Marc Lanthemann wrote: Oh man we are threading new ground here - I like the idea but there are several issues to address and fix here. These are the bullets of my main analytical concern with the discussion: a*-c- we don't know who got kidnapped or why. that's fine but we can't gloss over that fact a*-c- "hackers" is a blanket term - there's a difference between stealing bank records from government computers and overloading www.loszetas.com main page. a*-c- There's no thought out process of what sort of information could anon have on the cartels. What kind of info is kept online and accessible to potential attacks? You seem to be talking about identities, whose? If anything it's dirty cops, politicians and businessmen who need to worry about what anon is going to be saying. Think about why the bloggers and media were killed in previous instances. Was it because they revealed operational details, because they acted as informants, because they exposed links with officials or because they somehow sullied the cartel's reputation? In short, what kind of information is damaging to the cartels themselves? a*-c- Once you identify this info - think about if anon can realistically access it and disseminate it so it causes a measure of damage. Anon doesn't have any intelligence capacity except for the technical ability by a very small number of its members to infiltrate certain networks and databases and steal information. Now what kind of information would a cartel keep on a network that is connected to the internet (aka no intranet)? Where else could information be found? Government databases? Once we know what kind of information is accessible, we can also know more about the consequences of dissemination. a*-c- What's the IT capacity of a cartel? Sufficient to trace back attacks? If it's not, there risks to be a lot of killings done by people who may not understand the difference between an anon hacker and a blogger. On 10/17/11 9:47 AM, Colby Martin wrote: wanted to forward Karen's thoughts to analyst -------- Original Message -------- Subject: Re: [CT] DISCUSSION - Anonymous vs Cartels Date: Mon, 17 Oct 2011 09:28:18 -0500 From: Karen Hooper Reply-To: CT AOR To: CT AOR you've got some of the issues here, but this is going to need a lot more work You need to lay out: a) What exactly is going on with Anonymous, your trigger section is unclear b) what our assessment of the online cartel presence is, and therefore their vulnerabilities and capabilities c) How capable is Anonymous of breaching high security anything d) how far the cartels would be willing to travel to kill anyone who breaches their systems or exposes their connections I also just want to point out that we have reasonable reliable insight that Sinaloa at the very least has some significant levels of sophistication in their online presence, to include the use of cyber currencies and significant IT capacity. There is no reason to assume that Los Zetas don't also conduct business online, in a protected fashion. Karen Hooper Latin America Analyst o: 512.744.4300 ext. 4103 c: 512.750.7234 STRATFOR www.stratfor.com On 10/17/11 8:46 AM, Renato Whitaker wrote: On 10/17/11 8:25 AM, Tristan Reed wrote: -- Sean Noonan Tactical Analyst Office: +1 512-279-9479 Mobile: +1 512-758-5967 Strategic Forecasting, Inc. www.stratfor.com