Q&A: Meet the hacker that can overthrow a government.
Planning a coup? Skip the guns and bombs and hire a team of hackers instead.
DEFCON is one of the oldest and largest hacking conventions in the world, with more than 20,000 attendees from around the world. It seems hard to create a sensation at an event where the staff are officially referred to as “goons” and the rules of conduct (according to DefCon’s FAQ) include things like don’t throw “lit road flares in elevators,” but in 2015, Chris Rock did just that with his presentation “I Will Kill You and Birth You: How to kill someone and bury the body yourself without a shovel, and How to make Babies and then Harvest them.”
In the space of less than an hour, Rock (who is the CEO of Kustodian, an Australian computer security company) exposed the terrifyingly porous patchwork of protocols governments around the world rely on to officially declare a person dead — or living. He conjured a dystopian world of fake babies whose “burner identities” could be used to rake in millions, and revenge “killings” that take place remotely, by digitally declaring your enemies dead.
This was the cheery sort of stuff I had hoped to discuss with him via Skype the week before DefCon, but instead Chris offered me a preview of his forthcoming talk at DefCon 2016, How to Overthrow a Government, in which he describes a variety of hyperrealist scenarios by which cyber-mercenaries can engineer regime change, anonymously, from behind the safety of their own laptops. Chris didn’t want to reveal the full content of his talk before DefCon, so we mostly discussed the fascinating story behind the story: how he learned to think like a cyber-mercenary.
How did you get started on the topic of cyber coups and remote regime change?
In 2009, I was asked to look at the security of Kuwait by the Interior Ministry from a hacker perspective and see how they stood up against outside threats, not [internal] revolutions or coups. They wanted me to look at government banks, power and gas, that kind of stuff.
We hacked into the country’s assets to show the Interior Ministry the effects of what a hacker could achieve in the country of Kuwait. At that same moment there were allegations of money being transferred from the Central Bank of Kuwait to private banks and abroad. Here we were with our hands in the public and private tills, when there was already something going on! We then had the idea of capitalizing on this scenario. Instead of showing the Interior Ministry we hacked this and we hacked that, let’s make a bigger story, combine the hacks and show what hackers could really do. With the Arab Spring, it was perfect timing. So we ran in parallel with real events to then show the Minister what could be achieved — not just this bank is weak, or this infrastructure is weak.
I did all this work. Over a year’s worth of work! Hacking into banks, blah, blah, blah. But after I showed them how to hack into these organizations, no work came out of it for me. They pretty much used me for my work and didn’t remunerate — they didn’t honor their agreement.
By the end of this effort, I had hacked into those various targets and aligned them into a presentation titled “Revolution of 2011.” Ironically, Kuwait had become engulfed by real protests. Then the Prime Minister resigned and we lost all contact with them.
So you were like, “I may as well put all this research to use…”?
Exactly. There was no non-disclosure agreement.
Then, working with Simon Mann, an old school mercenary, I learned where we went wrong, what we did right, how he would have done it, and meshed it all together.
But years went by before you contacted Simon Mann to learn how real mercenaries would engineer a coup. What brought you back to your Kuwait research?
What kicked this off for me was when James Clapper, a National Intelligence Director, announced ISIS has now overtaken cyber-espionage as the biggest world threat. We’ve dropped our position on the leader board! [Until recently, cyber espionage was in first place.] And I thought: I really have to bring out the big guns to show hackers they need to focus on the bigger target, not just the bigger bank or government institution. Put your heads together to do a proper hack, because we’re dropping down the list! We’re getting overtaken by people like ISIS as the biggest world threat! It’s an entertaining talk.
And from there it was just a quick jump to training to be a cyber-mercenary with Simon Mann…?
I’ve always known how to be a cyber-mercenary in a way. As a pen tester, you get asked to do a lot of dodgy stuff. Certain tasks that aren’t necessarily… legal. Not that we take these assignments, but you then get to see how businesses operate without the normal legal constraints. This includes organized crime syndicates — the kind of people that can make money disappear at a bank after an illegal transfer. I’ve also sort of seen the underworld of hacking during my career. I hang around the black hat crowd.
But I got to learn how the way the world really works behind the scenes — not just what we see in the news — by studying how a coup works inside and out. Simon is really the key to the whole talk. I thought: I needed to step out of my own industry, consult with an expert, and join the two professions [that of mercenary and cyber-security specialist] together.
So how did you meet Simon and get him to take you on as a protégé?
I saw a documentary that he was in and thought he was very articulate. So I contacted him on Twitter, and he and I started corresponding over email. Then I asked him for his assistance. Being that he’s a mercenary, all I had to do was pay him and he was very happy to help. That’s how they operate. Once you pay them, they’re yours!
But weren’t you worried that his knowledge would be a little dated and, you know, analog? The coup he tried to precipitate in Equatorial Guinea took place back in 2004.
I thought the same thing. I thought his techniques would be, “Oh, there’s an electrical substation transformer that I’ll just go blow it up with some C-4 explosives to stop electricity going to a certain region.” Obviously, all I needed to hear was, “I need to stop power.” I don’t have C-4 in my pocket, but I could use digital components and do it that way. In the talk, for example, you will see me using a drone and circular cutting saw blades to disable power lines.
It’s not that it’s outdated; it’s different. But the info he has in his brain is unbelievable. If I gave him a country to study, he would learn that country inside and out. He’s probably one of the most intelligent men I’ve ever met.
So what did your crash course in coup-engineering involve exactly?
Simon made me read close to 80 books before we would even work together: historical coups, revolution, strategy, all that sort of stuff. I was his apprentice for 3 or 4 months before we really started working together. He also got me to study the fake coups, like the one that he was involved in, where the president of Equatorial Guinea would arrest his opposition leader if he began making any traction and claim [his opponent was plotting a political] coup, even though he wasn’t. I really enjoyed learning the political strangling points.
From there, we went over my Kuwait research and Simon was more, “You did this wrong. You should have done this. You should have done that. Next time do that. If you wanted to do it again in 2016, I recommend the following…”
So how easy is it to hack, say, the central bank of a given country?
Easy. Easy. Easy. It’s like fly swatting. Whether you go through the front door or you pay someone to walk in the building and implant something on the back of a computer. It’s laughable. It’s just a joke. A lot of hackers out there could easily do it without blinking an eye.
I know the American government now has a digital domain trying to disrupt Syria or ISIS and they’re not getting the results they would like. I would just like to show them there are other areas to target.
The threat seems so nebulous. Or maybe just the opposite: everywhere at once. How does a government protect itself?
It can’t. It’s a joke to even say that it could. We’re at a tipping point now, where if someone like myself on the negative side of the world uses tactics like these, there’s nothing you could do. We’re starting to see some snippets of it now with the hack of the DNC emails. It’s tiny techniques, which, if combined together could decide who becomes president.
So do you believe the Russians were behind the release of those emails?
It’s too early. You, as a journalist, could study it for the next year and you will not know, because the whole idea of these operations is they’re done so you don’t know who is behind them. But for the cyber mercenary, it’s all about studying these techniques for use in future revolutions, election rigging or coups.
It seems like you could combine your two lines of research and propose a scenario where a fake baby helps cyber-engineer a fake coup.
Ha! I was thinking the fake babies could be used by a criminal syndicate — a mafia type organization to launder money through — but you’re right. You could use them to overthrow a government for profit.
When you did all your death hacking research, was anyone actually doing this stuff — killing people off digitally, creating fake birth certificates, etc. — or was it more like, Wow, criminals are idiots because they’re not doing this?
Criminals are idiots. I looked at every news report that I could find and every police report that I could get my hands on. The only things were cases where funeral directors were doing dodgy paperwork. I don’t think there are a lot of people who combine a lot of these processes together, looking at the individual weak points in the system and then putting them together. I know the hackers aren’t doing it, because they don’t think like that. That’s the problem. That’s the purpose of the talk, to get them to think outside the tech box and look at the whole.
Practically Unhackable is an Intel publication built for anyone who uses the internet — someone like you! Take your first steps to a safer online life with our step-by-step guides on everything from managing passwords to tackling ransomware.