Wednesday 11.01.2012 | 16:31
The Hack on Stratfor
George Friedman
In early December I received a call from Fred Burton, Stratfor’s Vice President of Intelligence. He told me he had received information indicating our website had been hacked and our customer credit card and other information had been stolen.
The following morning I met with an FBI special agent, who made clear that there was an ongoing investigation and asked for our cooperation. We, of course, agreed to cooperate. The matter remains under active investigation.
From the beginning I faced a dilemma. I felt bound to protect our customers, who quickly had to be informed about the compromise of their privacy. I also felt bound to protect the investigation. That immediate problem was solved when the FBI told us it had informed the various credit card companies and had provided those companies with a list of compromised cards while omitting that it had come from us. Our customers were therefore protected, as the credit card companies knew the credit cards and other information had been stolen and could act to protect the customers. We were not compelled to undermine the investigation.
The FBI made it clear that it expected the theft to be exposed by the hackers. We were under no illusion that this was going to be kept secret. We knew our reputation would be damaged by the revelation, all the more so because we had not encrypted the credit card files. This was a failure on our part. As the founder and CEO of Stratfor, I take responsibility for this failure, which has created hardship for customers and friends, and I deeply regret that it took place. The failure originated in the rapid growth of the company. As it grew, the management team and administrative processes didn’t grow with it. Again, I regret that this occurred and want to assure everyone that Stratfor is taking aggressive steps to deal with the problem and ensure that it doesn’t happen again.
From the beginning, it was not clear who the attackers were. The term "Anonymous" is the same as the term "unknown." The popular vision of Anonymous is that its members are young and committed to an ideology. I have no idea if this is true. As in most affairs like this, those who know don’t talk; those who talk don’t know. I have my theories, which are just that and aren’t worth sharing.
I was prepared for the revelation of the theft and the inevitable criticism and negative publicity. We worked to improve our security infrastructure within the confines of time and the desire to protect the investigation by not letting the attackers know that we knew of their intrusion. With the credit card information stolen, I assumed that the worst was done. I was wrong.
Early in the afternoon of Dec. 24, I was informed that our website had been hacked again. The hackers published a triumphant note on our homepage saying that credit card information had been stolen, that a large amount of email had been taken, and that four of our servers had been effectively destroyed along with data and backups. We had expected they would announce the credit card theft. We were dismayed that emails had been taken. But our shock was at the destruction of our servers. This attack was clearly designed to silence us by destroying our records and the website, unlike most attacks by such groups.
Attacks against credit cards are common, our own failures notwithstanding. So are the thefts of emails. But the deliberate attack on our digital existence was a different order of magnitude. As the global media marveled at our failure to encrypt credit card information, my attention was focused on trying to understand why anyone would want to try to silence us.
In the days that followed, a narrative evolved among people claiming to speak for Anonymous and related groups. It started with looking at our subscriber list and extracting corporate subscribers who were now designated as clients. The difference between clients and subscribers is important here. A client is someone you do customized work for. A subscriber is simply someone who purchases a publication, unchanged from what others read. A subscriber of The New York Times is not its client. Nevertheless, some of the media started referring to these subscribers as clients, reflecting the narrative of those claiming to speak with knowledge of our business.
From there, the storyline grew to argue that these "clients," corporate and government, provided Stratfor with classified intelligence that we reviewed. We were no longer an organization that analyzed the world for the interested public, but rather a group of incompetents and, conversely, the hub of a global conspiracy. The media focused on the first while the hacking community focused on the second.
This was why they stole our email, according to some of them. As one person said, the credit cards were extra, something they took when they realized they could. It was our email they were after. Obviously, we were not happy to see our emails taken. God knows what a hundred employees writing endless emails might say that is embarrassing, stupid or subject to misinterpretation. What will not appear is classified intelligence from corporations or governments. They may find, depending on what they took, that we have sources around the world, as you might expect. It is interesting that the hacker community is split, with someone claiming to speak for the official Anonymous condemning the hack as an attack on the media, which they don’t sanction, and another faction defending it as an attack on the rich and powerful.
The interpretation of the hackers as to who we are — if indeed that was their interpretation — was so wildly off base as to stretch credulity. Of course, we know who we are. As they search our emails for signs of a vast conspiracy, they will be disappointed. Of course we have relationships with people in the U.S. and other governments and obviously we know people in corporations, and that will be discovered in the emails. But that’s our job. We are what we said we were: an organization that generates its revenues through geopolitical analysis. At the core of our business, we objectively acquire, organize, analyze and distribute information.
Summary of releases of STRATFOR documents, subscribers' firm names and personal information (including addresses, telephone numbers, credit card numbers and passwords), latest release at top:
STRATFOR Hacked Update 10
11 January 2012: Stratfor back online: http://cryptome.org/2012/01/0029.htm
10 January 2012. A sends:
Hello, on January the 3rd my bank alerted me about a (non-requested) payment of 155.90 euro made with my credit card to a company called marlahealth.com. I immediately blocked the card. And to my amazement today arrives a parcel from marlahealth.com containing 4 boxes of a nutritional supplement for men and a DVD about penis enlargement therapies.
It’s nice to have my money back in the guise of such goods. Anyway, I thought that the thieves were using the credit cards to make donations, not playing practical jokes.
PS If you want a photo of the goods (as a proof) just ask.
9 January 2012. A sends:
For what it’s worth:
$ md5sum stratfor_full.tar.gz
I am pretty confident that this is the original and that it doesn’t contain any malware, but ask someone else for corroboration.
Cryptome: There are prowlers searching for possession and distribution. Best to get rid of copies and disk wipe.
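The md5sum line above is a sound habit, but the two replies around it point at its limits: a matching digest proves only that you hold byte-for-byte the file the poster hashed, not that the file is free of a "call home" feature, and MD5 collisions are practical, so a published SHA-256 value is the one to trust when both exist. The following is an added example, not part of A's message, Cryptome's text or any Stratfor material. It hashes a file in one pass, compares against posted digests with a constant-time comparison, and prefers the strongest published algorithm. The "archive" is a constructed three-byte file, and the "published" digests are the well-known MD5 and SHA-256 test-vector values for the bytes abc, standing in for a digest someone posted for the real archive.

```python
import hashlib
import hmac
import os
import tempfile
from typing import Dict, Tuple

CHUNK_SIZE = 1 << 20  # hash in 1 MiB pieces so a multi-GB archive never has to fit in memory


def file_digests(path: str, algorithms: Tuple[str, ...] = ("md5", "sha256")) -> Dict[str, str]:
    """Compute hex digests of one file for every named algorithm in a single read pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(CHUNK_SIZE)
            if not chunk:
                break
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def check_against_published(path: str, published: Dict[str, str]) -> Dict[str, bool]:
    """Compare the file with digests someone posted (an 'md5sum' line, for instance).

    Returns one True/False per algorithm. A match shows the file is the same bytes
    the poster hashed; it says nothing about whether those bytes are safe to open.
    """
    actual = file_digests(path, tuple(published))
    return {
        name: hmac.compare_digest(actual[name], expected.strip().lower())
        for name, expected in published.items()
    }


def strongest_verdict(results: Dict[str, bool]) -> bool:
    """Accept only on the strongest published algorithm; MD5 counts only when it is all there is."""
    for name in ("sha256", "sha1", "md5"):  # strongest first
        if name in results:
            return results[name]
    return False


def demo() -> Dict[str, object]:
    """Constructed demonstration: a tiny stand-in 'archive' and a tampered copy of it."""
    # Well-known test-vector digests of the bytes b'abc', playing the role of a posted hash.
    published = {
        "md5": "900150983cd24fb0d6963f7d28e17f72",
        "sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
    }
    with tempfile.TemporaryDirectory() as tmp:
        original = os.path.join(tmp, "archive.tar.gz")
        tampered = os.path.join(tmp, "archive_tampered.tar.gz")
        with open(original, "wb") as fh:
            fh.write(b"abc")
        with open(tampered, "wb") as fh:
            fh.write(b"abc\x00")  # a single appended byte is enough to change every digest
        good = check_against_published(original, published)
        bad = check_against_published(tampered, published)
    return {
        "original_ok": strongest_verdict(good),
        "tampered_ok": strongest_verdict(bad),
        "original": good,
        "tampered": bad,
    }


if __name__ == "__main__":
    print(demo())
```

For a real download, replace the constructed file and the test-vector digests with the archive path and the digest actually posted; if only an MD5 value was posted, a match still tells you nothing about provenance, since the poster can hash whatever they chose to upload.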
8 January 2011. Initial sources for 860,000 Stratfor accounts appear to have been removed. Fakes have started to appear on Pastebin and Torrents using variations on the file name "stratfor_full.tar.gz."
At 08:23 PM 1/7/2012 -0800, A wrote:
I have not been able to find it anywhere—only a thousand or so references to the .gz file but all links are dead. Know several people who were compromised, though thankfully not me. Have you seen the actual list?
Cryptome: The list was available at the published URLs but now gone it seems, gone undercover to be forged, tampered with, lied about, used as bait. Be careful about anything you find, it is likely carrying a call home feature. This is not to discount that such a feature was in the original put there as entrapment, left available to be hacked. Standard security measures for these amazingly easy to penetrate sites. Using one of the CCs is a surefire way to call the cops to come arrest an idiot.
As a noted authority on authentication warns about unauthorized leaks:
"By the time we published the cables, the material was already on dozens of websites, including Cryptome, and were being tweeted everywhere. And even a searchable public interface had been put up on one of them."
Another motive for publishing the tranche, Assange claims, was the provision of a reliable source for the leaks. In the field of leak publishing, he says, WikiLeaks has become a trusted brand. Although versions of the cable tranche were appearing online, "there was not an authorised version of the cables that the public could rely on".
What does he mean by an "authorised" version of cables, when they were US government property?
"By 'authorised' I mean a version that is known to be true – it doesn’t have another agenda. The unauthorised versions that were being tweeted everywhere – although as far as we can determine they were accurate, the public and journalists couldn’t know they were accurate."
He points to stories published in Tajikistan and Pakistan that have been based on fake cables. "WikiLeaks is a way for journalists and the public to check whether a claimed story based on a cable is actually true. They can come to our site to check. We have a 100 per cent accuracy record."
30 December 2011. A writes that five Pastebin posts of recovered STRATFOR passwords have been removed as indicated below. In addition, four files from sources have been removed from Rapid Share (1) and Wikisend (3).
29 December 2011.
Lulzxmas Dumps 860,000 STRATFOR Accounts:
28 December 2011.
Prepping for the Stratfor 5M Email Release
27 December 2011.
http://pastebin.com/78MUAaeZ [Now removed]
These are 28517 of 53281 (54%) passwords from the list of STRATFOR customer accounts cracked.
Part 1/3: http://pastebin.com/CdD92fJG [Now removed]
Part 2/3: http://pastebin.com/AcwQgHmF [Now removed]
Part 3/3: http://pastebin.com/78MUAaeZ [Now removed]
26 December 2011. Firms and personal first names beginning with "D" through "My" (~ 30,000).
And 25,000 IT work tickets:
26 December 2011. Sample Stratfor.com email:
http://pastebin.com/HmDs0EM4
"just a small preview of the mayhem to come. 1 out of 2.7 million"
26 December 2011. STRATFOR leaked accounts (10257 passwords recovered)
http://pastebin.com/CdD92fJG [Now removed]
25 December 2011. Firms and personal miscellaneous names not in alphabetical order (~13,000):
http://pastebin.com/8v3768Bw [Now removed]
http://wikisend.com/download/132838/stratfor_full_misc.txt.gz [Now removed]
25 December 2011. Firms and personal first names beginning with "B-By" through "C-Cz" (~4,000):
25 December 2011. Firms and personal first names beginning with "A" through "Az" (~ 4,000).
25 December 2011. A message allegedly to subscribers from George Friedman, Stratfor, was posted to Facebook and Pastebin (below).
25 December 2011. A paste today denying Anonymous role:
And, Stratfor’s A client list of passwords:
24 December 2011
Subject: Important Announcement from STRATFOR
Date: Sat, 24 Dec 2011 19:49:58 -0500
From: STRATFOR <mail[at]response.stratfor.com>
Dear Stratfor Member,
We have learned that Stratfor’s web site was hacked by an unauthorized party. As a result of this incident the operation of Stratfor’s servers and email have been suspended.
We have reason to believe that the names of our corporate subscribers have been posed [sic] on other web sites. We are diligently investigating the extent to which subscriber information may have been obtained.
Stratfor and I take this incident very seriously. Stratfor’s relationship with its members and, in particular, the confidentiality of their subscriber information, are very important to Stratfor and me. We are working closely with law enforcement in their investigation and will assist them with the identification of the individual(s) who are responsible.
Although we are still learning more and the law enforcement investigation is active and ongoing, we wanted to provide you with notice of this incident as quickly as possible. We will keep you updated regarding these matters.
221 W. 6th Street, Suite 400
Austin, TX 78701 US