Was Stratfor Breached By an Insider?

Tuesday, January 03, 2012

Jeffrey Carr


While waiting for the other shoe to drop on the Stratfor breach (the release of a few million emails), I took a look at who works for the company in an attempt to understand how they could have made so many mistakes in handling their customer and client data as well as their network security.

The adage that a company is only as good as its employees is certainly true about Stratfor.

The company was founded in Austin, TX in 1996 by George Friedman, an academic. LinkedIn has profiles on 63 of its employees. According to those profiles none have a background in information security.

The company doesn't have a Chief Information Officer, Chief Security Officer, or Chief Information Security Officer. None of its employees' profiles show that any of them have ever worked at NSA, CIA or any other 3-letter agency.

Two senior executives (Fred Burton and Scott Stewart) came from the State Department's Diplomatic Security Service. Many of Stratfor's employees came to the company just after they graduated from college, including, most importantly, Michael Mooney, their IT director for almost 13 years.

Mooney graduated from UT Austin in 1994, joined Stratfor in 1997 and left in September 2011. I've tried to contact Mr. Mooney by email to find out his side of the story, why he left the company, etc., but so far, no joy. Stratfor's Chief Technology Officer Frank Ginac apparently didn't care for his work, based upon his "Mooney's Turds" comment posted by Anonymous:

"It blew my mind to discover that our email server backups are being stored on the same physical server. I'm affectionately referring to these little discoveries as 'Mooney turds'."

If Mooney was fired and held a grudge against Ginac and/or Stratfor, then he would certainly have a motive for payback by helping Anonymous root the company's servers.

The timing is certainly interesting. Mooney left the company and a replacement was found for him almost immediately (October 2011), which suggests that Ginac was unhappy with Mooney and was looking for a replacement before letting him go. Considering the shabby state of Stratfor's network security, the attacker(s) could have been inside the network for a few months prior to the December 24th event.

I'm not accusing Michael Mooney of being involved. I am, however, stating that attacks by insiders who hold a grudge against their employer are commonplace and Mooney's position along with the circumstances around his departure will certainly be explored by law enforcement as part of the investigation.

Apart from who was allegedly involved, there's no mystery about why Stratfor's network was in the state that it was in. Security wasn't a priority and there was no in-house expertise to make it one.

Next come the consequences to Stratfor's customers, for which George Friedman (CEO), Frank Ginac (CTO), and Darryl O'Connor (COO) all need to be held responsible.

Cross-posted from Digital Dao

Xander Cage: Jeffrey, great article! I guess what should be done next is look at if anyone is friends with Barrett Brown since he lives in Austin & Dallas. The other question that comes to mind is when did the initial compromise happen? I ask this because the specialforces.com password was in the STRATFOR Database.
Jeffrey Carr: Thanks, Xander. Both good questions. I spoke with Barrett Brown about this but he didn't confirm or deny. I didn't know about the specialforces.com password but it makes sense to me that these were targets of opportunity that are related in multiple ways.

I updated my post at Digital Dao with some new info as well.
Andrea Zapparoli Manzoni: Hello Jeffrey, there's another possible explanation --> it is very possible that Mr. Mooney was hacked after leaving the company, and that he still had working Stratfor accounts on his own box(es)...

The sorry state of security at Stratfor makes me think that shared administrative accounts (or accounts hard-coded into scripts, non-personal VPN credentials, etc.) were the norm; therefore it's not unlikely that pwning Mooney would have given direct access to Stratfor's systems even after his departure / firing.

my 0,0002
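The comment above hypothesizes that a departed administrator's credentials, plus shared or hard-coded accounts, kept working after he left. The following is an added example, not code from the post or its commenters: the offboarding audit a defender would run to catch exactly that, joining an HR roster against authentication log lines to flag successful logins by accounts whose owner has already departed and accounts tied to no named person. The roster, log format, account names and dates are all constructed assumptions.

```python
"""Offboarding audit (added example; all data below is constructed).

Flags two conditions the comment describes:
  (a) accounts of departed staff that still authenticate successfully
      after the departure date recorded by HR, and
  (b) accounts that map to no named person (shared or service
      credentials, which survive any individual's departure).
"""
from datetime import date, datetime

# Constructed HR roster: account -> (owner or None, departure date or None).
# The departure day is assumed; the post only gives the month.
ROSTER = {
    "itadmin_old": ("Departed IT director", "2011-09-30"),
    "cto":         ("Current CTO", None),
    "svc_backup":  (None, None),   # hard-coded into a backup script, no owner
    "vpn_shared":  (None, None),   # non-personal VPN credential, no owner
}

# Constructed auth log: "<ISO timestamp> <account> <service> <result>"
AUTH_LOG = """\
2011-10-02T03:14:00 itadmin_old ssh success
2011-10-05T22:01:10 cto vpn success
2011-11-13T01:47:33 svc_backup ssh success
2011-11-14T02:05:12 itadmin_old vpn success
2011-11-14T02:06:40 itadmin_old vpn failure
2011-12-20T04:30:00 vpn_shared vpn success
"""

def parse_auth_log(text):
    """Parse the constructed log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, service, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "service": service, "result": result})
    return events

def logins_after_departure(events, roster):
    """Successful logins by an account whose recorded owner had already left."""
    hits = []
    for ev in events:
        _owner, left = roster.get(ev["account"], (None, None))
        if left and ev["result"] == "success" and ev["ts"].date() > date.fromisoformat(left):
            hits.append((ev["account"], ev["ts"].isoformat(), ev["service"]))
    return hits

def unowned_accounts(events, roster):
    """Accounts seen authenticating that are tied to no named person."""
    return sorted({ev["account"] for ev in events
                   if roster.get(ev["account"], (None, None))[0] is None})
```

Either finding is an offboarding gap: (a) means the departed user's credentials were never disabled, and (b) means a credential exists that no offboarding step would ever rotate.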
Terry Perkins: Great article, Jeffrey. I am stunned (though I shouldn't be) every day at the lack of network security. It is really appalling. What is the solution to ensure that companies get the fact that security is vital?