It seems every week a big story pops up in the world of online security and privacy. Recently, WikiLeaks took center stage again when they began releasing over 5 million emails that were accessed from the servers of Strategic Forecasting Inc, also known as Stratfor. These emails were gathered by members of the Anonymous group back in December of last year, and are now being published by the disclosure group along with over 25 media partners. The disclosure had been expected for some time and is likely to turn up a lot of interesting discussions between Stratfor and many important staff members in other companies, U.S. government agencies, other countries, and the military. But is this the next CableGate? How damaging is this disclosure going to be, and for whom? Here’s some background on who Stratfor is, how they got hacked, and what to expect from these emails.
For those who don’t pay the hundreds of dollars (or thousands for business subscribers) to be part of the Stratfor subscriber list, here’s some background about the company. Established in 1996, Strategic Forecasting is a private company out of Austin, Texas, which many have referred to as a shadow CIA. Basically, they are an information gathering agency, going out and getting facts about political figures, world events, the economy, military movements, and more. They’ve been described as the authority on strategic and tactical intelligence issues, and provide their own analysis on the news they uncover, which they then publish to their subscribers, corporate partners, and even government organizations. As a news source, they’ve been quoted on CNN, Time, Bloomberg, the BBC, and more. But many suspected that there was far more going on under the table, and that they were more than a news agency.
On December 24, 2011, it was first reported that credit card data had been stolen from the Stratfor servers by members of Anonymous. The attackers claimed to have stolen over 200GB of data, and claimed that Stratfor’s security had been severely lacking, including passwords being stored in plain text. Credit card data was published on two occasions, but people only learned about the massive number of emails later on. It seems that those behind this breach decided to hand over that part of their treasure to WikiLeaks for disclosure. The organization has been working on making this happen, and last Monday was the day set for release. The disclosure was named The Global Intelligence Files, and hyped as an event that would be of global importance. When the time came, WikiLeaks published a long press release which hinted at some of the information we would be able to find in these millions of emails.
Basically, those emails cover the 2004 to 2011 period and reveal the inner workings of Stratfor, including how they provide intelligence to “Bhopal’s Dow Chemical Co., Lockheed Martin, Northrop Grumman, Raytheon and government agencies, including the U.S. Department of Homeland Security, the U.S. Marines, and the U.S. Defense Intelligence Agency.” According to the release, it quickly becomes clear that the company is more than a news organization, or even an intelligence gathering service. The emails hint at a large web of informants around the world, making up a complex pay-off system that uses financial, sexual and psychological coercion. There is also the charge that government and diplomatic sources around the world give Stratfor advanced intelligence in exchange for money from secret Swiss bank accounts.
The press release goes on to explain that the company quickly aimed to turn this intelligence gathering into a money-making opportunity by launching StratCap, which the CEO describes in an email: “What StratCap will do is use our Stratfor’s intelligence and analysis to trade in a range of geopolitical instruments, particularly government bonds, currencies and the like.” It also seems that the company took great interest in WikiLeaks itself and its founder Julian Assange, with over 4,000 emails mentioning both names. The release finally says that the emails will be analysed and released in the coming days and weeks, and over 25 media organizations will be working alongside WikiLeaks to parse through all that text.
But less than 24 hours after the emails had been made public, news sites around the world were already hard at work finding interesting tidbits of information. One email seems to indicate that the long-held suspicion that the Pakistani government was in contact with Osama Bin Laden before the famous raid that killed him is true: “Mid to senior level ISI and Pak Mil with one retired Pak Mil General that had knowledge of the OBL arrangements and safe house. I get a very clear sense we (US intel) know the names and ranks.” Another case was that of the 1984 Bhopal gas leak, where Dow Chemical is accused by thousands of local activists of having dumped toxic gas in the community, which led to the deaths of over 15,000 people. These activists have long suspected that the large company was spying on them, and it would seem that Stratfor was the company that Dow hired. And closer to home, in the US, another email from a Stratfor analyst claims that John McCain was advised on the night of the 2008 election by several staff members that he should mount a legal challenge against the Obama victory, and seek an injunction to prevent Ohio and Pennsylvania results from being certified, but that the Senator decided against it.
This is clearly just the tip of the iceberg as to what we’re likely to learn from this disclosure. Meanwhile, Stratfor posted a statement from its CEO claiming that the act is deplorable and illegal, and that some of the emails may have been forged. He goes on to say that this is an attempt at silencing them, and that they are always acting in an ethical manner. They learned from the attack, and their network and computer systems are apparently now secure. While this event is sure to bring a lot of information to the public at large, and possibly cause problems for many people involved in the Stratfor organization, it’s also a reminder of what the worst-case scenario can be for any company that doesn’t follow security best practices.