FBI used spyware to catch cable-cutting extortionist
CIPAV spyware helped nab unemployed engineer angry over outsourcing
April 18, 2009 (Computerworld) The FBI used spyware to catch a Massachusetts man who tried to extort money from Verizon Communications Inc. and Comcast Corp. by cutting 18 cables carrying voice and data in 2005, documents obtained under the Freedom of Information Act by Wired.com revealed yesterday.
Although the man's name was redacted in the documents provided to the Web site, their description of the case matches that of Danny M. Kelly, an unemployed engineer who at the time lived in Chelmsford, Mass. According to federal court records, Kelly was accused of cutting a total of 18 above-ground communications cables between November 2004 and February 2005 as part of a plot to extort money from Verizon and Comcast.
"Kelly sent a series of anonymous letters to Comcast and Verizon, in which he took responsibility for the cable cuts and threatened to continue and increase this activity if the companies did not establish multiple bank accounts for him and make monthly deposits into these accounts," the original complaint read.
According to the complaint, Kelly demanded $10,000 monthly from each company, and he told the firms to post the bank account information on a private Web page that he demanded they create.
"Both Comcast and Verizon did create the requested private Web pages in an effort to communicate with the extortionist and to gather information that might identify him," the complaint said. "When Kelly accessed the Web pages, he did so via an anonymizing Web site through which he sought to hide the Internet Protocol address of the computer he was using and therefore hide his identity."
The documents obtained by Wired.com said that the FBI obtained a warrant to use a program called Computer and Internet Protocol Address Verifier (CIPAV) to identify Kelly's computer as the one that accessed the extortion Web sites.
Details about CIPAV first surfaced in July 2007 in court records related to a case involving a rash of bomb threats e-mailed to a high school in Lacey, Wash. In a filing to the court, an FBI Special Agent said that after getting a warrant, the agency planted CIPAV on a 15-year-old's computer via a link posted to his MySpace page.
According to the agent in the affidavit, CIPAV would "cause any computer -- wherever located -- to send network-level messages containing the activating computer's IP address and/or MAC address, other environmental variables, and certain registry-type information to a computer controlled by the FBI."
However, the warrant application did not spell out whether the CIPAV captured keystrokes or injected other code into the compromised system, as do commonplace Trojan horse downloaders. "The exact nature of [the CIPAV's] commands, processes, capabilities and their configuration is classified as a law-enforcement-sensitive investigative technique," said the 2007 document.
In Kelly's case, the FBI was granted a warrant to use CIPAV on Feb. 10, 2005, said Wired.com. Later that year, Kelly pleaded guilty to extortion, was sentenced to five years probation and ordered to pay Verizon $378,000 for the damage he did.
According to the complaint filed against Kelly, he believed that "companies like Comcast and Verizon were indirectly responsible for his unemployment and dire financial situation because they worked with companies that favored foreign engineers over their counterparts and because they had indirectly stolen his intellectual property."
As part of his sentence in late 2005, Kelly was also ordered to enter a mental health program.
The court documents related to Kelly's case did not detail how the FBI managed to get CIPAV on his computer, but security researchers commenting on the Washington school bomb threat case speculated that the agency may have used an exploit -- one already in circulation or one of its own -- to plant the spyware.