11th

The Hack on STRATFOR

January 2012

As most of you are probably aware, STRATFOR was attacked by hackers in December. There is a bit more to the story than has been reported thus far, and it has some lessons and implications I think are relevant to the Institute and the online community of which we are all a part. In this post, I will simply share the words of the person most able to tell that story, our CEO.

By George Friedman

In early December I received a call from Fred Burton, Stratfor’s vice president of intelligence. He told me he had received information indicating our website had been hacked and our customer credit card and other information had been stolen. The following morning I met with an FBI special agent, who made clear that there was an ongoing investigation and asked for our cooperation. We, of course, agreed to cooperate. The matter remains under active investigation.

From the beginning I faced a dilemma. I felt bound to protect our customers, who quickly had to be informed about the compromise of their privacy. I also felt bound to protect the investigation. That immediate problem was solved when the FBI told us it had informed the various credit card companies and had provided those companies with a list of compromised cards while omitting that it had come from us. Our customers were therefore protected, as the credit card companies knew the credit cards and other information had been stolen and could act to protect the customers. We were not compelled to undermine the investigation.

The FBI made it clear that it expected the theft to be exposed by the hackers. We were under no illusion that this was going to be kept secret. We knew our reputation would be damaged by the revelation, all the more so because we had not encrypted the credit card files. This was a failure on our part. As the founder and CEO of Stratfor, I take responsibility for this failure, which has created hardship for customers and friends, and I deeply regret that it took place. The failure originated in the rapid growth of the company. As it grew, the management team and administrative processes didn’t grow with it. Again, I regret that this occurred and want to assure everyone that Stratfor is taking aggressive steps to deal with the problem and ensure that it doesn’t happen again.

From the beginning, it was not clear who the attackers were. The term “Anonymous” is the same as the term “unknown.” The popular vision of Anonymous is that its members are young and committed to an ideology. I have no idea if this is true. As in most affairs like this, those who know don’t talk; those who talk don’t know. I have my theories, which are just that and aren’t worth sharing.

I was prepared for the revelation of the theft and the inevitable criticism and negative publicity. We worked to improve our security infrastructure within the confines of time and the desire to protect the investigation by not letting the attackers know that we knew of their intrusion. With the credit card information stolen, I assumed that the worst was done. I was wrong.

Early in the afternoon of Dec. 24, I was informed that our website had been hacked again. The hackers published a triumphant note on our homepage saying that credit card information had been stolen, that a large amount of email had been taken, and that four of our servers had been effectively destroyed along with data and backups. We had expected they would announce the credit card theft. We were dismayed that emails had been taken. But our shock was at the destruction of our servers. This attack was clearly designed to silence us by destroying our records and the website, unlike most attacks by such groups.

Attacks against credit cards are common, our own failures notwithstanding. So are the thefts of emails. But the deliberate attack on our digital existence was a different order of magnitude. As the global media marveled at our failure to encrypt credit card information, my attention was focused on trying to understand why anyone would want to try to silence us.

In the days that followed, a narrative evolved among people claiming to speak for Anonymous and related groups. It started with looking at our subscriber list and extracting corporate subscribers who were now designated as clients. The difference between clients and subscribers is important here. A client is someone you do customized work for. A subscriber is simply someone who purchases a publication, unchanged from what others read. A subscriber of The New York Times is not its client. Nevertheless, some of the media started referring to these subscribers as clients, reflecting the narrative of those claiming to speak with knowledge of our business.

From there, the storyline grew to argue that these “clients,” corporate and government, provided Stratfor with classified intelligence that we reviewed. We were no longer an organization that analyzed the world for the interested public, but rather a group of incompetents and, conversely, the hub of a global conspiracy. The media focused on the first while the hacking community focused on the second.

This was why they stole our email, according to some of them. As one person said, the credit cards were extra, something they took when they realized they could. It was our email they were after. Obviously, we were not happy to see our emails taken. God knows what a hundred employees writing endless emails might say that is embarrassing, stupid or subject to misinterpretation. What will not appear is classified intelligence from corporations or governments. They may find, depending on what they took, that we have sources around the world, as you might expect. It is interesting that the hacker community is split, with someone claiming to speak for the official Anonymous condemning the hack as an attack on the media, which they don’t sanction, and another faction defending it as an attack on the rich and powerful.

The interpretation of the hackers as to who we are — if indeed that was their interpretation — was so wildly off base as to stretch credulity. Of course, we know who we are. As they search our emails for signs of a vast conspiracy, they will be disappointed. Of course we have relationships with people in the U.S. and other governments and obviously we know people in corporations, and that will be discovered in the emails. But that’s our job. We are what we said we were: an organization that generates its revenues through geopolitical analysis. At the core of our business, we objectively acquire, organize, analyze and distribute information.

I don’t know if the hackers who did this feel remorse as they discover that we aren’t who they said we were. First, I don’t know who they actually are, and second, I don’t know what their motives were. I know only what people claiming to be them say. So I don’t know if there is remorse or if their real purpose was to humiliate and silence us, in which case I don’t know why they wanted that.

And this points to the real problem, the one that goes beyond Stratfor’s own problem. The Internet has become an indispensable part of our lives. We shop, communicate, publish and read on it. It has become the village commons of the planet. But in the village commons of old, neighbors who knew and recognized each other met and lived together. Others knew what they did in the commons, and they were accountable.

In the global commons, anonymity is an option. This is one of the great virtues of the Internet. It is also a terrible weakness. It is possible to commit crimes on the Internet anonymously. The technology that enables the Internet also undermines accountability. Given the profusion of technical knowledge, the integrity of the commons is in the hands of people whose identities we don’t know, whose motives we don’t understand, and whose ability to cause harm is substantial. The consequence of this will not be a glorious anarchy in the spirit of Guy Fawkes, but rather a massive repression. I think this is a pity. That’s why I wonder who the hackers actually are and what cause they serve. I am curious as to whether they realize the whirlwind they are sowing, and whether they, in fact, are trying to generate the repression they say they oppose.

The attempt to silence us failed. Our website is back, though we are waiting for all archives to be restored, and our email is working again. Our failures have been reviewed and are being rectified. We deliberately shut down while we brought in outside consultants to rebuild our system from the ground up. The work isn’t finished yet, but we can start delivering our analyses. The handling of credit cards is being handed off to a third party with appropriate capability to protect privacy. We have acted to help our customers by providing an identity theft prevention service. As always, we welcome feedback from our supporters as well as our critics.

We are fortunate that we have the financial resources and staff commitment to survive the attack. Others might not. We are now in a world in which anonymous judges, jurors and executioners can silence whom they want. Take a look at the list of organizations attacked. If the crushing attack on Stratfor is the new model, we will not be the last. No security system is without flaws even if it is much better than Stratfor’s was.

We certainly expect to be attacked again, as we were last week when emails were sent out to members from a fake Stratfor address including absurd messages and videos. Our attackers seem peculiarly intent on doing us harm beyond what they have already done. This is a new censorship that doesn’t come openly from governments but from people hiding behind masks. Do not think we will be the last or that we have been the first.

We will continue to publish analysis and sell it to those who believe it has value. To our subscribers who have expressed such strong support, we express our deepest gratitude. To our critics, we assure you that nothing you have said about us represents a fraction of what we have said about ourselves. While there is much not to be proud of in this affair, I am proud beyond words of all my dedicated colleagues at Stratfor and am delighted to return our focus to analyzing critical international affairs.

To all, I dedicate myself to denying our attackers the prize they wanted. We are returning to the work we love, dedicated to correcting our mistakes and becoming better than ever in analyzing and forecasting how the world works.




Posted by nhughes in Uncategorized


  • ASM

    Those that perpetrated will be caught by the FBI and should be prosecuted to the maximum extent of the law. Truth is, no matter how many precautions are taken these hackers, tragically, will continue to undermine existing security. They are good at what they do, there is no question. And if it wasn’t Stratfor, it would have been somebody else…at this point, I think it’s more constructive to lay the blame to the offenders who attempt to ruin lives and spoil companies with their cynical, boring message of “freedom” which is actually anti-freedom…

    Fact remains that Stratfor is an incredible company that provides valuable tools and insights that aid everyone from policy makers down to the engaged and informed citizen.

    George Friedman has created a truly remarkable company – victory is doing what they have been doing down there in Austin since this happened – get back in the fight and press the attack.

  • Alexander Martin

    Apologies for the poor grammar on the above comment….I never proofread, and should.

  • PJN

    I think this is a great thing to post, and an important message to get out. But, nhughes, I think you should also disclose your relationship with George Friedman and STRATFOR in the interest of full disclosure.

  • http://www.stratfor.com nhughes

    PJN, great point. My full bio is available under the ‘about our guest bloggers’ tab, but you are absolutely right that that should be front and center. I am an employee of STRATFOR and have been for the last six years. I work closely with Dr. Friedman, direct STRATFOR’s military analysis and help manage our tactical intelligence team.

  • Sperrwaffe

    I have to point this out: The FBI did not! inform the relevant credit card companies. Maybe those in the US but certainly not those abroad. And this should have been mentioned by the FBI to STRATFOR and then STRATFOR should have taken over the responsibility to inform the subscribers on a direct basis. I learned from this hack after I had returned from Seasons Holidays into office and looked into my mail account. Wonderful news and a lot of work to be done, especially looking for data if my credit card was under those. And it was. I should say that I was “lucky” to register under my office mail and not my private one.
    Due to this STRATFOR has lost a subscriber, because I don’t tolerate such behaviour where the customer is left alone. And this company of identity theft prevention (never heard of them before, must be interesting only for US) where I have to register again, and leave a lot of information for them to process certainly does NOT compensate at all.
    A little bit off topic and I apologize, but when feedback is also not answered I get even more p****d.

  • http://www.stratfor.com nhughes

    Sperrwaffe, I appreciate and understand your frustration, and want to get it addressed. If you haven’t already, please use feedback[at]stratfor[dot]com and hopefully we can address your concern. If you used that address and did not get a response, please contact me directly at nathan[dot]hughes[dot]stratfor[at]gmail[dot]com and I’ll get you an answer. I also extend that invitation to any of our other readers or subscribers picking this story up here.

    My intention with this post was to raise some questions about our (if you will) common operating environment. As far as corporate-specific concerns like yours, we also have an active discussion going on over on our facebook page (http://www.facebook.com/stratfor) where public comments can also be posted and addressed.

  • Andy (JADAA)

    I am a long-time private US subscriber, and this is the very first communication from Mr. Friedman that I have seen, in any venue, regarding this matter. (I don’t use FaceBook for matters such as these) I did read about the credit card breach in the trade papers and was promptly notified when the one currently-active card account was attempted to be used unlawfully. That breach was stopped and I had a new account within 24 hours. I did have to spend considerable time visiting each and every restricted-access website where I use the same email address and changing out, for security purposes, my passwords.

    Does STRATFOR intend to contact those of us who still have paid subscriptions? How and when? Are our subscriptions still valid? What should I tell those to whom I have given gift subscriptions? A little more outreach to your remaining customer base via the usual means would be very greatly appreciated.

    P.S. Good luck in ever tracking down and physically apprehending those who committed the hack. They’re physically long-gone by now.

  • Sperrwaffe

    nhughes
    Thank you very much for your offer and the posting of your availability. Very much appreciated and I will come back to you when I am back in the office tomorrow afternoon, (taking into account my time zone(Alfa)).
    I used the feedback but no reply so far. After you posted the text above I got a little upset about the information concerning schedule of events and information policy.
    Sorry, but the facebook discussion is typical superficial facebook BS and certainly without any deeper substance. That’s why I definitely prefer platforms like the USNI Blog.

    What would be the focus of your common operating environment? The internet issues, acting in such an environment as Mr. Friedman elaborated on, or would this be more on the service of information collection, availability of this information to your subscribers, and availability of analysis? With both you expose yourself (as an organization and sometimes personally) to groups or individuals which assess you as an “enemy”.

  • Matt

    Ditto Andy…I had no idea which credit card was compromised and never did get a call back.

  • http://www.stratfor.com nhughes

    Andy and Matt (and any other of our subscribers reading this), please do get in touch with me at the above address I provided Sperrwaffe, and I will make sure we get your concerns addressed.

    Sperrwaffe, in answer to your question, STRATFOR is a product of the internet — it makes what we do possible. We rely on it to both collect the open source information that informs our analysis and to communicate with contacts and sources all over the world. And more than a decade ago, it allowed us to publish our analysis long before we had the resources to publish by more traditional means — and we’ve stuck with it ever since. And as I’ve argued here in the past (http://blog.usni.org/2011/05/24/dare-to-read-think-speak-write-blog-and-try-new-things/), it also presents exciting new ways for the Institute to approach its own mission.

  • Sperrwaffe

    nhughes
    Right. Thank you for clarifying and the link. I will have a look.

    So what about the discussion you wanted to start with this: “My intention with this post was to raise some questions about our (if you will) common operating environment.” ;)

  • SB

    Mr. Hughes,
    I don’t think Anonymous was trying to silence Stratfor. Rather, Stratfor’s inexcusable lack of IT security provided Anonymous the opportunity to snatch up passwords. As many people reuse the same passwords over and over again, some number of these passwords were used to gain access to various other systems. Given the general nature of Stratfor’s clients and subscribers, the interest of Anonymous (particularly AntiSec) should be obvious.

    I would recommend this piece on Wired, as well as the previous two articles in the series:

    http://www.wired.com/threatlevel/2012/01/anonymous-dicators-existential-dread/

    To build upon Mr. Friedman’s “village commons” allegory, I would offer that those who do not want to be caught with their pants down in the village commons should, in fact, check that they are wearing pants . . . and then put on a belt.

    Further, the fact that someone is laughing at you because you have no pants may in fact be doing so because they find it hilarious that you would wander the commons with your fanny showing, and not because they are actually interested in seeing it. Grand proclamations of “how dare these miscreants cast their eyes on my fanny!” are sure to only draw more laughter.

    Read the Wired article. Get a belt, then ask yourself how come there are globally crowd-sourced cyber campaigns going on and apparently Stratfor does not know much about it.
