Lessons from a digital mercenary: Beware the ‘October Surprise'

Turns out, you don’t need a stash of guns and bombs to overthrow a government. All you need, according to researcher Chris Rock, is a capable team of hackers with a diverse set of skills to break into different systems, from banks to the power grid. And the creativity and determination to manipulate people into believing whatever you tell them.

Mr. Rock’s research for his talk on “How to overthrow a government” at the DEF CON hacker conference in Las Vegas, began well before the news that suspected Russian hackers breached the Democratic National Committee servers and leaked private emails to WikiLeaks. Yet the resulting political impact of the embarrassing public emails – the resignations of political leaders, the public’s questions about foreign interference in the election system – made the lessons from his talk eerily timely for Americans.  

An Australian and chief executive of the Kustodian cybersecurity firm, Rock says Americans need to start paying close attention to the world’s new phase of information warfare and the potential for hackers or foreign adversaries to try to interfere with their elections by releasing stolen – or faked – information. “This is the first, not the last” operation like this in the US elections, he says.

Passcode spoke to Rock in Las Vegas. Edited excerpts follow.

Passcode: How did you get the idea for your research project?

Rock: I wanted to overthrow a government using only digital means – using the traditional methods that mercenaries use. I’ve been working with a mercenary, because I wanted to get out of my own field of hacking or penetration testing, and work with a traditional mercenary who uses coup techniques such as blowing up power stations and stuff like that.

Passcode: So, when you say “mercenary” you mean an actual mercenary. That's not some sort of new cybersecurity slang.

Rock: No, a real mercenary. With guns, soldiers, tanks, helicopters. I reached out and contacted someone on Twitter. His name is Simon Mann, he was in the British Army and then turned mercenary. He’s fought in Sierra Leone and Northern Ireland. He planned a coup in Equatorial Guinea. He’s pretty much a coup architect. He got arrested and spent years in jail. I thought he’d be pretty much the perfect person to learn from.

I reached out and said, “I’d like to work with you, to learn the techniques you use.” Using my own digital techniques, I can cut the power, shut off the gas, the oil, the water, that stuff. But I don’t know in what order. I can turn it off and be malicious but I don’t know why you would do it, if your goal is to heat the population enough they would revolt against the government. So I was his apprentice.

Passcode: In your plan, did you pick a specific country?

Rock: Kuwait. I’d already done work with that government before. I wanted his take on what methods he’d use, to refine my art.

Passcode: But you don’t mean “work” in the sense of overthrowing the government, right? You mean actual work?

Rock: We were hired before the Arab Spring to look at their government from a cyber perspective. Their banks, their critical infrastructure – power, water, gas. They wanted to see how secure they looked from an outside perspective. At the same time, it was the Arab Spring and there were allegations of corruption that the prime minister of Kuwait moved money from reserve banks into private bank accounts and out of the country.

Passcode: So when you decided to “overthrow” the government years later, what’s the first thing you need?

Rock: A team. You need coup architects at the top. There were a group of advisers underneath Simon Mann the mercenary – the Navy, Air Force, ground troops to provide intelligence. For me, I’d need professional hackers, social engineers, denial of service specialists. People who can hack into banks and critical infrastructure. And you need intelligence, to find out what would overthrow the government. The country we chose, we knew corruption would be a huge thing in the Arab Spring in 2011.

Passcode: Let's say you have your band of hackers, what’s the first move?

Rock: To finance it. What we’d do is what Simon Mann the mercenary would do. He needs funding for the assignment. He needs to get funding for his coup. He planned a coup in Equatorial Guinea. His boss had to organize the finances, to pay bribes for what they call professional agitation. He had to contact people like Mark Thatcher, who is [former Prime Minister] Margaret Thatcher’s son, to provide funds.

For us, I wanted a full cyber perspective. No blood, no one loaning money.

Passcode: How do you get the money then?

Rock: The first thing we wanted to do is get access and compromise the central bank. It doesn’t matter what hacking methods we use. You can go through the front door, and hack through the firewall. Or pay a cleaner to put a key-logger [software that can record every keystroke you make] or wireless access point on the inside. In Kuwait, the average cleaner earns $150 a week, or $600 a month. If you give him $2,000, if he doesn’t run away out of the country immediately, he’ll put whatever you want inside the central bank.

In Kuwait, the central bank is owned by the royal family Al-Sabah. If we pwn the central bank, we can then manipulate private banks. I might move money from central bank – government community money – into private banks or offshore accounts to implicate people on fraud or bribery. You could then release that the media.

Or, you just take all the money out of the bank and use it for the exercise itself. Banks are critical. 

Passcode: How do you convince the media, presumably who you'd want reporting on this banking "fraud," that you’re a credible source? 

Rock: The first thing we need to do is figure out how the media works – basically, reverse engineer the media. Online there’s a handbook for journalists from Reuters, telling us what’s a documented source, an unsupported source. So we have to make sure we tick your journalistic boxes. Can it be validated by someone else? Things like WikiLeaks makes it really easy because nothing’s vetted. But for The Wall Street Journal or The New York Times or something, you have to make sure you tick the boxes so your story goes to the editor and goes through.

You need two verifiable sources to get the media. If I can hack a bank, I can add a picture of myself on the website like I work for the bank. I can phone from the bank, to call a reporter to release a story about whatever I wanted it to be.

[To verify the source], we’d need to compromise the government itself. The Ministry of Interior. The judges. We could swap phone numbers out – so when you call to verify I am who I say I am, it goes to a special Skype number [for someone on my team].

Passcode: Wow. So let’s say you succeed and the articles come out. What’s next?

Rock: We need to heat the population to boil to do a coup or revolution. In Kuwait, there are no legitimate elections; the royal family is the royal family. If the population aren’t protesting [from the news] you make them protest.

You can use the funds from the banking exercise to get them to protest – hiring people from unions and universities to start the population off. They don’t know our end exercise, they just know they need to show up at certain time, throw bottles, rocks.

Passcode: OK. So maybe the media will come and film the protests, which could incite the population even further. How do you make sure they revolt?

Rock: You need a full plan of what you want to leak at certain times. A 12-step plan to keep that heat up so the population actually goes through with a revolt.

Passcode: Does the information have to be real?

Rock: That’s the beauty of it. We can make it real. What’s the difference between real or fake?

Take the banking exercise. As an example, today, I could put money in your bank account from the Islamic State, and get the media to contact you. They’d ask, “Why are you receiving money?” You’ll say you’re not. Then we’ll move money from your account to somewhere else. It looks really bad for you, and you spend the next three weeks proving you’re innocent. By the time it comes out you’re innocent, it’s too late.

Passcode: So moving this into the real world, what do you think about the suspected Russian hacks on the Democratic National Committee servers?

Rock: Right now, everyone wants to know who and what the motive is. I’m not really interested, except for the techniques they used. They gave it to WikiLeaks who would not vet it before the release, without giving it to the media who would vet it. That is quite important.

Passcode: After all your research, what do you make of the way it was carried off? It’s causing quite an uproar.

Rock: The technique was correct but the timing was off. It’s all about timing.

There’s no point in talking about it now, whether it’s Russia or whoever. It’s too far out. The American population has got no time for that.  You need repeat drops of information, a campaign every day for 12 days – I’m calling it the 12 days before Christmas attack. And something will stick before the election.

Passcode: So now the hackers, maybe from Russia, have earned some credibility here in the US. People accept the premise that DNC emails were real and stolen and released. Are you predicting there will be some kind of October Surprise in the run-up to the election? A real or a fake one?

Rock: My prediction is there’s going to be another leak. I don’t care whether it’s real or fake. Release something that’s fake. By the time is vetted and deemed fake, it’s too late.

You can say Hillary Clinton accepted donations from ISIS. The National Rifle Association. Whatever it is. Dump it to WikiLeaks or media who don’t follow two source rule. We all know you can dump a piece of information to certain media and 100 other media will follow it by using that as single source. So you can manipulate the media into doing what you want.

I hate to say it, but it’s happening all over the world. Even in Australia, people got a text that appeared as if it was from Medicare (a publicly funded universal health care plan) – while they were in the polls. It said, “If you vote for this government, you’re going to lose all these medical rights.”

These types of attacks are going to get bigger, and smarter. In the US, this is the first not the last operation like this. It is information warfare – and if it’s not done by military it’ll be done by mercenaries or people like myself.

Passcode: That is, well, pretty depressing. And confusing, if there’s all kinds of potentially fake information flying around. What can voters and technologists do about it?

Rock: A lot of people presenting at Black Hat and DEF CON are so single focused on security. My talk was meant to get people to think outside their skill sets. Instead of just looking for bigger targets – like airlines – think about reverse engineering other industries.

And obviously, America is looking now at Russia for the possible cause for leaks, but they should be vigilant. Coming up to the election period, they should be vigilant for a kind of 12 days before Christmas attack.

Editor's note: This version corrects the name of the country in which Simon Mann helped architect a coup. It is Equatorial Guinea.