ACLU’s Chris Soghoian now delves into how he discovered the activities of contractor company employees supporting the Government’s hacking endeavors.
The feds have the big bucks, federal law enforcement agencies in the United States have enough money to use bespoke custom malware. They don’t need to use the same stuff that the Egyptian and the Turkmenistan governments are using. They can use their own custom spyware and they can buy zero days if they need them.
Again, our friend Valerie Caproni: “There will always be very sophisticated criminals … that are virtually impossible to intercept through traditional means. The government understands that it must develop individually tailored solutions for those sorts of targets.” And when Valerie says “individually tailored solutions”, what she means is hacking. She didn’t use the word “hacking” when she spoke to Congress, but what she means is hacking and malware.
In 2009 or so, I think EFF filed one of their many Freedom of Information Act requests to look into the FBI’s claims that they were going dark. A couple of years later they got hundreds of pages of documents, most of them heavily redacted.This is one that I found, I read a lot of the documents that groups like EFF produce and documents that the ACLU obtains, and this was one in several hundred pages that the EFF obtained. And most of it was redacted, as you can see (right-hand image), but there was one line that stuck out to me. This is their Remote Operations Unit, so that sounded really interesting, I didn’t really know what the Remote Operations Unit was but it was in a document about going dark. This was a document sort of describing each unit checking in and saying what their progress was. So I thought: “Let me see what else I can find about the Remote Operations Unit.” And so I spent the last six months researching this unit, mainly using open-source intelligence, basically just googling and using LinkedIn. And what I found is that the FBI is in the hacking business too. So I found the materials for a law enforcement conference that happened in April of this year (see left-hand image). This was a training seminar for prosecutors around the country. And in the list of attendees and speakers at this conference I found information for this guy, Eric Chuang, who is the Unit Chief of the Remote Operations Unit. I searched a bit more and I found a ZoomInfo page, this is a data mining company that collects information from elsewhere on the web. And Eric Chuang’s ZoomInfo page mentioned that he was the Unit Chief of the Remote Operations Unit, and it said that the Unit “provides lawful computer collection capabilities in support of FBI investigations” (see right-hand image).
Well, that sounded interesting. Then I turned to LinkedIn and I started researching the Remote Operations Unit. What I found is that there are a couple of contracting companies, a couple of contractors who supply people to the ROU. And contractors, like everyone else, want to keep their resume up to date in case they get a new job. So they list things in their resume, maybe things that they shouldn’t be listing, revealing what they did at their old job.I have not included the names of the low-level contractors but I will be quoting from the LinkedIn pages of several of these contractors because I think what they describe is fascinating. So this (see left-hand image) is a deployment operations analyst at a company called James Bimen Associates, they are a small boutique contracting company in Northern Virginia. So this person “performed testing on … software used as a critical function for counter terrorism and counter intelligence cases.” Okay, that sounds interesting.
He “worked with FBI Case Agents … with our surveillance / imagery software … that is currently installed on criminal subject machines in the field.” Okay, that’s even more interesting. They test “case specific implants against various OS’s and platforms,” – good to know; if you are using Windows or Mac or whatever, they have a tool for you. And then they create “documentation for the … various technologies and methods” that were used to gain access to subject machines.
Alright, so it’s clear from this profile what the Remote Operations Unit is doing. I also found another person, this is a Remote Operations deployment analyst, also at James Bimen Associates. Her profile was fascinating, I thought this was good. She “created policies, guidance and training materials to protect the Deployment Operations tools from being discovered by adversaries,” – those are us. We are the adversaries.
So, Bimen Associates is one of two companies that provide hackers to the FBI. It is my belief and understanding that the contracting companies actually supply the people who sit at the keyboard and are launching the tools. There hasn’t been a debate in Congress about the FBI getting into the hacking business. There hasn’t been any legislation giving them this power, this just sort of happened out of nowhere. And had it not been for the sloppy actions of a few contractors eagerly updating their LinkedIn profiles, we would have never known about this.
The president of James Bimen Associates is a guy named Jerry Menchhoff, he used to work at Booz Allen Hamilton, which is also the same place that Edward Snowden used to work. And so, this is the president of the company, his LinkedIn profile was pretty bare but it did describe one of his interests, and so he is a member of the Metasploit Framework Users Group, thought you guys would get a chuckle out of that.
So I gave Jerry a phone call a few weeks ago and asked him some questions, I of course told him who I was and I said I work for the ACLU, and he wasn’t very nice, he didn’t want to answer any of my questions.
So I gave some of this information to The Wall Street Journal and last night they published a story on this Unit. The nice part about giving these documents to a newspaper is that once they have a bit of information then they can go and report it and get other stuff too.And so The Wall Street Journal reporter was able to find former law enforcement officials who would be willing to talk on background about this practice. One former law enforcement official she spoke to said: “The bureau can remotely activate the microphones in phones … [and] laptops without the user knowing.” That’s pretty interesting, but she also added: “The [FBI] is loathe to use these tools when investigating hackers, out of fear the suspect will discover and publicize the technique.” So I guess that means that you are all safe from FBI malware.