CHASING “MR FOIA”, THE HACKER WHO CHANGED THE WORLD

In November 2009, just before the United Nations Climate Change Conference (COP15) took place in Copenhagen, an unknown actor released 160 MB of data taken from a server at the University of East Anglia’s Climatic Research Unit (CRU). The leak included over 1,000 emails, 1,073 text files, and 3,480 documents in a folder named “FOIA2009”. This is how Climategate, “The Hack that Changed the World” – which spread a global wave of climate change scepticism – began. Thirteen years later, and after exhaustive investigations by law enforcement, intelligence investigators, and investigative journalists, the hacker’s identity remains a mystery.

At the beginning of the year, BBC Security Correspondent Gordon Corera decided to revisit the case, and asked Neon Century for support. Through dark web analysis, bitcoin investigations, and forensic linguistics, I investigated the individual(s) or group behind the attack. Here, I expand on what I revealed on the BBC Podcast “The Hack that Changed the World, Episode 3 – The Russia Mystery”.

SURPRISE! HACK-AND-LEAK EXISTED BEFORE THE 2020S

At the beginning, Climategate was one of those particularly challenging intelligence investigations because of the vast quantity of data that already existed on the case. It required my best sleuthing skills, and the support of Neon Century’s unique in-house technology platform, COSMIC. This allowed me to sift through the 250 trillion webpages on the Internet, analysing content across the surface, deep, and dark webs to find the signals amid the noise.

Early into the investigation, I could sense the smell of a quite sophisticated hack-and-leak operation. But this was seven years before the concept became popular following the 2016 Democratic National Committee email leak. Was this even possible? I was about to find out that yes, it was.

Since the police investigation had already refuted the hypothesis of an inside job, I had to look for someone who had broken into the CRU from outside. My first step was to access the leaked emails and analyse a sample. Most of my findings suggested I should look eastwards for the location of the hacker:

  • Time zone: GMT+5

Former Bellingcat investigator Iggy Ostantin had implied that the hacker generated file names using Unix Time[1] to order their emails chronologically. Ostantin claimed that when the Unix Time file names were decoded, there was a mismatch: the system clock of the computer used to handle the hacked files was five hours (GMT + 5) ahead of the UK. My own investigation of the sample reached the same conclusions (see picture, below).

  • A Russian-domain website

Some of the leaked files had been published on a Russian-domain website. I ran the email address of that site’s administrator (dima@sinwt.ru) through proprietary databases of leaked emails and credentials comprising 3.9 billion records. The email had been exposed in numerous data breaches, revealing the likely identity of the site’s owner – Dmitry Polegaev; his address – Parnikovaya (Парниковая) street, Yekaterinburg; and a password associated with the email: Tiss0Kimo. With IP lookup and domain analytic tools, I could confirm that the owner of the domain was a private person… And bingo! Although it was unclear whether Mr Polegaev was, or knew, the author of the hack, I had found someone who definitely had access to the hacker’s user information.

  • Political motivation

While the thesis of a private individual based somewhere in or near Russia was growing, I came across some cable messages from the United States Embassy in Ankara, dated December 8, 2009. These speculated that the hack might have been orchestrated by Russia’s Federal Security Service (FSB) and spread via Turkey in the context of COP15.

During their investigations, The Guardian and The Independent pointed to the FSB as a key suspect. However, I found no evidence to support this claim.
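How the time-zone check behind the first bullet works in practice, shown here as an added illustration that is not part of the original investigation or of Neon Century’s tooling: the script takes a small constructed sample of files named with Unix times, each holding an email with a Date header, and measures the gap between the name and the header. Unix time itself carries no time zone, so a consistent non-zero gap across a sample is the signature of a tool that wrote local time where UTC was expected; the sample was built with a five-hour skew to mirror the finding above. The file names, the headers, and the assumption that the naming tool stored local time as if it were UTC are all inventions for the example.

```python
import re
from collections import Counter
from datetime import timezone
from email.utils import parsedate_to_datetime

# Constructed sample, not files from the leak: (file name, Date header of the
# email the file holds).  The names were built with a +5h skew on purpose, to
# model a tool that wrote its local clock where UTC was expected.
SAMPLE = [
    ("1258073864.txt", "Thu, 12 Nov 2009 19:57:44 +0000"),
    ("1258398725.txt", "Mon, 16 Nov 2009 09:12:05 -0500"),
    ("1258515000.txt", "Tue, 17 Nov 2009 23:30:00 +0100"),
    ("notes.txt",      "Wed, 18 Nov 2009 08:00:00 +0000"),  # not timestamp-named
]

# Assumed naming convention: a 9- or 10-digit Unix time followed by ".txt".
UNIX_NAME = re.compile(r"^(\d{9,10})\.txt$")


def header_to_unix(date_header):
    """True Unix time of an RFC 2822 Date header, honouring its own zone."""
    dt = parsedate_to_datetime(date_header)
    if dt.tzinfo is None:            # "-0000" parses as naive; treat as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def filename_skew_hours(filename, date_header):
    """Hours by which the file name runs ahead of the header's real time,
    or None when the name is not a Unix time at all."""
    m = UNIX_NAME.match(filename)
    if not m:
        return None
    return (int(m.group(1)) - header_to_unix(date_header)) / 3600


def estimate_clock_offset(sample):
    """Most common skew across the sample (bucketed to quarter hours) and the
    full histogram.  A single dominant non-zero bucket points at the local
    clock setting of the machine that named the files; a spread of values
    would mean the names were not derived from the headers this way."""
    skews = []
    for filename, header in sample:
        skew = filename_skew_hours(filename, header)
        if skew is not None:
            skews.append(round(skew * 4) / 4)
    if not skews:
        return None, {}
    counts = Counter(skews)
    return counts.most_common(1)[0][0], dict(counts)


if __name__ == "__main__":
    offset, histogram = estimate_clock_offset(SAMPLE)
    print(f"dominant skew: {offset:+} h  (histogram: {histogram})")
```

Only a consistent offset across many files is meaningful; a handful of emails can be skewed by sender clocks or by mail servers rewriting Date headers, so the histogram matters more than the single most common value.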

WE’VE GOT AN EMAIL

The golden nugget of intelligence was an email sent by the hacker, under the pseudonym “Mr FOIA” (Freedom Of Information Act), on March 13, 2013, to a selected group of individuals. As something written by the hacker himself, the email opened a window into the personal qualities of the individual behind the attack.

Mr FOIA was a self-described English-speaking male. However, clues within the writing suggested he wasn’t a native speaker of English, but of a Slavic language instead:

  • He apologised if the email seemed “slightly disjointed”, explaining this was due to his linguistic background. He also mentioned being from outside the UK and unfamiliar with the US.
  • Although these declarations could have been made to deceive, his email included mistakes common among Slavic speakers writing in English – for example, missing definite articles such as “the”.
  • He wrote numbers like “220.000” rather than “220,000” (the continental European thousands separator), and “organize” instead of “organise”, indicating he had learned American English or used a grammar checker configured for American English. It was therefore unlikely that he was a UK national.

Mr FOIA also included a bitcoin address in his email, asking for funding. My investigation revealed this address had been involved in nine transactions on the Bitcoin blockchain: seven between March 13 and March 19, 2013; one on August 12, 2013; and the last on June 13, 2015. Remarkably, to this date, no money has been withdrawn from the wallet – which is now worth over $200,000!

CONCLUSION

Climategate shows that even though strategies like hack-and-leak have only recently gained public attention, attackers have spent decades practicing and refining their techniques.

Although nobody has been able to uncover the real identity of the perpetrator of the CRU hack yet, evidence gathered during our investigation – from time zone analysis, linguistic forensics, and data leaked on the dark web – aligns with the hypothesis that the hacker is likely a Russian or Eastern European actor. As I mentioned during the BBC podcast, this is remarkable: if at any point it is confirmed that Russia was behind the attack, this would probably be the first hybrid warfare attack from Russia against the UK in history.

For now, the evidence is still merely indicative and not conclusive. Thirteen years later, it’s still too early to tell.

[1] Unix time is a system for representing a point in time: the number of seconds that have elapsed since 00:00:00 UTC on January 1st, 1970, not counting leap seconds. It is independent of time zone, so a Unix-time file name only betrays a local clock setting when the software that generated it mistakenly wrote local time where UTC was expected.
