Hacker for hire cases going federal in Minnesota
In the first Minnesota case to address a new and growing form of cybercrime, federal prosecutors have charged a former state resident with employing “hackers-for-hire” to sabotage the website of a local business.
The case reflects concern among law enforcement officials nationwide that hackers ranging from disgruntled ex-employees to enemy nation states are ramping up attacks on an ever-expanding array of personal digital devices connected to the web.
Prosecutors say John Kelsey Gammell, 46, paid hacking services to inflict a year’s worth of “distributed denial of service” (DDoS) attacks to bring down websites affiliated with Washburn Computer Group, a Monticello business where he used to work.
DDoS attacks overwhelm a network with data, blocking access for legitimate users and even knocking web services offline. Washburn, a point-of-sale system repair company, told prosecutors that Gammell’s attacks cost it about $15,000.
ities say Gammell didn’t stop there: He is accused of paying $19.99 to $199.99 in monthly payments to try to bring down web networks that included those of the Minnesota Judicial Branch, Hennepin County and several banks.
“As a society that is increasingly reliant on network-connected devices, these types of cyberattacks pose a serious threat to individuals, businesses, and even our nation’s critical infrastructure,” Acting U.S. Attorney Gregory Brooker in Minneapolis said, speaking generally about the new forms of crime.
The FBI’s Internet Crime Complaint Center reported more than $11 million in losses to victims of DDoS attacks last year.
“We have a growing trend where the sophistication of the dark web and the sophistication of certain professional hackers to provide resources is allowing individuals — and not just experienced individuals — to conduct hacks and conduct DDoS,” said FBI Supervisory special agent Michael Krause, who leads the FBI’s cyber squad in Minneapolis.
Devices such as digital video recorders and home appliances recently have been marshaled by cyber criminals to carry out massive operations like last year’s flooding of a prominent web infrastructure company that affected sites like Amazon and Netflix. In a separate attack, in June 2016, the Minnesota Judicial Branch’s website went down for 10 days, alarming local officials because so many government services have at least some nexus to the web.
“A lot of people think it’s just a nuisance,” said Chris Buse, Minnesota’s chief information security officer. “But it’s not. If you look at what government does — basic critical services — if those services don’t continue, people can literally die.”
Minnesota IT Services, which administers the state’s computer systems, said state networks field an average of more than 3 million attempted cyberattacks daily. Officials say the state still hasn’t experienced a major attack on par with a 2012 South Carolina breach that exposed personal data for 3.7 million residents and cost the state $20 million.
But with hackers able to take over hundreds of millions of unsecured devices worldwide to flood networks in a single DDoS attack, security professionals are trying to stay ahead of the threat.
“In our environment it’s pretty clear now that every organization needs some sophisticated and expensive tools to mitigate these DDoS attacks,” Buse said.
‘We will do much business’
The government’s case against Gammell underlines the difficulty of linking any suspect to the daily torrent of attacks often carried out by far-afield hackers who advertise their services online. ities might not have caught Gammell without tracing taunting e-mails he allegedly sent after attacks.
One of his preferred hacking-for-hire services was called vDOS, which was shuttered last year after the arrests of two alleged operators in Israel. The FBI obtained files from vDOS that included records of Gammell’s purchases, attacks and communications with vDOS administrators and customers.
Hacker for hire service
One day in 2015, according to a criminal complaint, Gammell eagerly wrote the company boasting of his success in blowing past a “DDoS mitigation” program to kick an unnamed network offline for at least two days. “We will do much business,” Gammell allegedly wrote. “Thank you for your outstanding product.”
According to an FBI agent’s sworn affidavit, Gammell sought out seven sites offering DDoS-for-hire services and paid monthly fees to three to carry out web attacks from July 2015 to September 2016.
Charges are also expected out of Colorado and New Mexico for firearms offenses stemming from searches in the case.
Appearing in a Minneapolis courtroom last week, Gammell confirmed that he rejected a plea offer that would have resolved all charges and capped his possible prison sentence at a mandatory 15 to 17 years. A federal magistrate is reviewing motions filed by Gammell’s attorney, Rachel Paulose, to dismiss the case or suppress evidence.
On Monday, Paulose told U.S. Magistrate Judge David Schultz that evidence the FBI obtained from an unnamed researcher should be thrown out and suggested the data could itself have been retrieved by hacking.
Paulose, who did not respond to messages seeking comment for this story, also argued in pretrial motions that Gammell didn’t personally attack Washburn.
“The government has failed to charge a single one of those ‘cyber hit men’ services, named and evidently well known to the government,” Paulose wrote. “Instead the government’s neglect has allowed the professional cyber hit men for hire to skip off merrily into the night.”
Addressing Schultz last week, Paulose described the attacks on Washburn as “essentially a prank on a dormant site not doing business.”
“Even if Gammell thinks it’s a prank,” Assistant U.S. Attorney Timothy Rank replied, “it’s a criminal prank.”
Professional hackers reveal why most companies don’t stand a chance
MINNETONKA, Minn. – It’s a typical Tuesday for Ben as he logs into his computer at work and starts to hack into a Fortune 500 company. “If I take control of this, I take control of the modem at the bank,” said Ben, whose real name we are not using to protect his identity. It’s dark, except for the blacklight and three LED Christmas light strings spraying dots of vibrant color across the ceiling of the 12-cubical office. Ben is a senior information security analyst at Minnetonka-based FRSecure. You could also title him as an ethical-hacker or legal burglar, because essentially, he gets paid by companies to break in and steal their information, then report back how he did it. “To be an attacker you got to think like the attacker,” he said. He has stolen health records, trade secrets, social security numbers, you name it. He says he has stopped counting how many businesses he has hacked. He can also speak binary coding language with his fingers (meaning, he knows computer code sign language). Sign up for the daily Sunrise Newsletter Sign up for the daily Sunrise Newsletter Something went wrong. This email will be delivered to your inbox once a day in the morning. Thank you for signing up for the Sunrise Newsletter. Please try again later. “That’s one of the things that sets us apart from the bad guys, we have rules,” said Evan Francen, CEO of FRSecure, who started the company 10 years ago. In that time, the business of benevolent burglary has boomed, growing from just one employee to 72. “They might be doing some phishing attacks, they might be doing some penetration tests, they might be doing some reconnaissance on the next test they are going to run,” said Francen while overlooking the hackers at work. The idea is to find any seam or weakness a company has and patch it before a hacker strikes. Just last year, there were 1,579 data breaches in the U.S., a record, according to the Identity Theft Resource Center. According to a report by Shape Security, last year more than 2.3 billion credentials from 51 different organizations were reported compromised. But protecting businesses from online hacks isn’t only part of FRSecure’s business. “We have a saying: It’s easier to go through your secretary than it is to go through your firewall,” said Francen. Francen says that businesses are most vulnerable because they have people. Unlike a firewall with passwords and two-factor authentication, which can be quite secure, it is the employee who is always more vulnerable. In one undercover video, a construction worker escorts Ben through a secure door while saying, “Yeah, I was told a three-piece suit or some bum off the street, don’t let them in unless they have clearance, so.” In another video, Ben has gotten inside a company’s building and is looking to access the data center. In the video, a manager sees Ben’s fraudulent badge not working on the keypad to the server room. The manager then asks if Ben was the person who needed the new laptop. The manager proceeds to unlock the door with a higher-level badge and then types the four-digit passcode into the room in front of the undercover camera, giving Ben access to the business’s most sensitive data room. “I could grab that, clone the badge, go back and have his code and have complete unescorted access into their most secure facility,” said Ben. Sometimes, he doesn’t even need to show up. Ben played a taped phone conversation between him and a Minneapolis business human resources manager whom Ben cold called. He tells her he is a contractor trying to get employees’ confidential ID numbers – which is actually the truth, Ben mentions. At first, the manager asks the right questions. “OK, what is your name again? Are you downstairs?” she asks. “I haven’t heard of this going on so I wanted to make sure I’m not giving out information I’m not supposed to.” A few questions later, she gives up the information. I asked Francen if he’s ever been arrested while doing these tests. “Booked and charged? No. Arrested, yes,” he said. His team carries a note from the company they’re breaking into with a phone number to the boss in the event security or the police question what they are doing, which does have to be used on occasion, they say. So, why help companies when you have the know-how of any top-level nefarious hacker? Why go the Superman route instead of the villain route? “I love people. I love helping people. I hate cheating. I hate when people take advantage of other people. It bothers me. I take it personally,” said Francen. So he’s made his life’s work personally breaking in, to keep the real criminals out. Here are a few more stories from Ben and other “ethical-hackers” Ben shares the story of a CEO who thought his company’s security was rock solid. But Ben and his team got right in. “We tailed some of the IT personnel with badges. Found out that they had a bowling night. We pocketed one of the badges while they were bowling, went back to the office, and with that badge we had full access,” said Ben. When they were done, they simply slipped the badge back to the employee at the bowling alley. Here’s another con Evan Francen, CEO and founder of FRSecure, says works all the time to get into businesses: dressing up like an exterminator. Francen says he “got a clear plastic specimen boxes, put a scary looking spider in it.” He then walked up to the front desk saying he was called to exterminate them. “Are there places around here that have high heat like a server room or electrical closet?” Francen said he would ask the receptionist. He said, every time, a person would lead him to the data security room where he would be left alone with a company’s most secure data. Francen recalls once being questioned by a police officer while digging through a dumpster behind a company he was testing. He told the officer that he was hired as a contractor to test the company’s security. The officer bought it, and soon, Francen says, the officer was helping him in the search for sensitive documents. Hire hackers