How Steel City Became the Front Line in America’s Cyberwar

Blending gumshoe investigations with high-tech research, Pittsburgh has become a hotbed of the Justice Department’s fight against international hackers.


PITTSBURGH -- The portraits of Chinese army officers mounted on poster board stare down from the walls of the FBI’s western Pennsylvania field office.

Though they will probably never see the inside of a courtroom, the five men represent the culmination of arguably the most significant cybercrime investigation to date carried out by federal agents based in Pittsburgh: the case against the People’s Liberation Army hackers who were indicted in 2014 for stealing industry secrets from the computers of major American companies.

Over the last 15 years, Pittsburgh has emerged as a perhaps surprising center of high-profile cybercrime investigations. Down in Washington, FBI Director James Comey complains that encrypted communications and other data advances have resulted in investigations going “dark” as suspects evade the government’s efforts to nab them online.

But 250 miles away in the Steel City, prosecutors have blended gumshoe tactics, sophisticated digital tools, and the area’s high-tech research centers to unmask and charge hackers and organized crime bosses from China to Russia.

“Companies were being intruded upon, and they didn’t understand it,” said U.S. Attorney David Hickton, who took up the top prosecutor’s job in Pittsburgh in 2010 and stepped up the office’s crackdown on cybercrime.

Never in human history has data encryption been so readily available, and it has become a disturbing reality for law enforcement. That was made all too clear in the immediate aftermath of the Dec. 2, 2015, attacks in San Bernardino, California, when investigators were tripped up by the encrypted contents of the iPhone of gunman Syed Rizwan Farook as they sought to piece together why he and his wife opened fire on a community center, killing 14.

After the Justice Department sought, and received, a court order for Apple to override the phone’s security features, the FBI’s pursuit of encrypted data triggered a national debate over the limits of government power in the digital age.

“Encryption is part of our lives,” said Keith Mularski, the FBI’s top cybercrime investigator in Pittsburgh, who takes a laissez-faire view of encryption. Though he regularly encounters phones that he can’t break into — and tries to get around their security features when he can — Mularski said he understands that encryption is now a part of the Internet’s fabric and probably can’t be eliminated, even as it poses an obstacle for law enforcement.

In Washington, encryption is often either heralded or demonized in national security debates. But on the front lines in the fight against crime, law enforcement officials are simply looking for solutions.

In 2006, Mularski went undercover to investigate online forums that bought and sold credit card data. Working under the alias Master Splyntr, he soon found himself confronting one of the most talented hackers of his generation, Max Butler, better known as “Iceman.”

Iceman aspired to become an online credit card kingpin and began trading and selling stolen data through the CardersMarket forum he was running. Seeking to build and control one master site, Iceman attacked his rivals to steal their users and credit card data.

By this time, Mularski was lurking undercover as an administrator on the DarkMarket forum, which Iceman attacked — and in doing so, landed squarely on the FBI’s radar.

To catch criminals online, federal agents have to “use to maximum effect our ability to be as anonymous as they are,” said Eric Zahren, the special agent in charge of the Secret Service’s Pittsburgh office. That reliance on anonymity cuts both ways, however: As investigators try to identify the location of online criminals, the hackers similarly nose around on the identities of outsiders who are trying to infiltrate the site. Mularski, for example, was outed as an agent when he went undercover to catch Iceman.

While collecting evidence, Mularski and other agents discovered a sophisticated suite of encryption technology Iceman was running on his home computers. Investigators desperately wanted the data stored on those computers and enlisted researchers at Carnegie Mellon University in Pittsburgh to work with FBI agents, leading to a nighttime raid on Butler’s home.

At the time, investigators would usually just pull the plug on seized computers to maintain the state they found them in. But doing so with machines that contain encrypted information risks losing the chance to examine it later, because the data is likely to be scrambled and lost, said Kristopher Rush, deputy director for digital intelligence and investigations at Carnegie Mellon’s Software Engineering Institute (SEI).

Using a “no knock” search warrant, FBI agents and Carnegie Mellon experts carried out a “live capture” on Butler’s machines, said veteran Assistant U.S. Attorney Paul Hull, who helped work the case. Once they cracked Butler’s encryption, investigators found 1.8 million stolen credit card numbers with $86.4 million in charges.

Though Butler was sentenced in 2010 to what was then a record 13-year prison sentence for hacking, Hull won’t go into details about how the Carnegie Mellon experts foiled his encryption. “How we do that is something we don’t want to talk about,” he said. 

Carnegie Mellon’s campus, and its skilled computer scientists, plays a key role in the Justice Department’s burgeoning tech prowess in Pittsburgh. The university is home to the first U.S. CERT — short for computer emergency readiness team — set up in 1988 in response to the first-ever computer virus.

Pittsburgh is also home to the National Cyber-Forensics and Training Alliance, which was set up as a nonprofit organization in 1997 and serves as a venue for law enforcement and industry representatives to share information about cybercriminals. Law enforcement officials in Pittsburgh described the NCFTA as a valuable resource for technical expertise and intelligence in their investigations.

Perhaps more importantly, Carnegie Mellon’s Software Engineering Institute, established in 1984, is a Defense Department-funded research and development center that works on long-term projects focused on securing computer systems. Last July, the Pentagon renewed its five-year $1.73 billion contract with SEI.

SEI’s research focuses largely on emerging technologies and how they might impact federal law enforcement. Its findings are distributed to clients, including the Pentagon and agents and prosecutors. Even before federal investigators asked for help to crack Iceman’s systems, Rush said, SEI researchers were testing encryption products and their vulnerabilities. When the FBI came knocking, they were ready to go.

If Iceman was the Internet supercriminal of yesterday, today that title arguably belongs to Evgeniy Bogachev, the Russian mastermind behind the GameOver Zeus botnet who is believed to have stolen close to $100 million from businesses and individuals.

Botnets can be used to swamp websites with bogus traffic to take them down — a distributed denial-of-service attack. GameOver Zeus was used mostly to steal banking login credentials from unsuspecting consumers, using malware that infected between 500,000 and 1 million computers before it was dismantled in 2014.

At the time, FBI Executive Assistant Director Robert Anderson called GameOver Zeus the “most sophisticated botnet the FBI and our allies have ever attempted to disrupt.” In Pittsburgh, prosecutors slapped Bogachev with a 14-count indictment and charged him with computer hacking, wire fraud, and money laundering.

But Bogachev remains at large, frustrating Pittsburgh investigators and highlighting U.S. dependency on foreign allies to combat cybercrime’s global reach. While Bogachev’s whereabouts remain unknown, it’s unlikely Russia will return him to the United States for prosecution. One policeman in the hacker’s home in a Black Sea resort town even told reporters he’d just as likely “pin a medal on the guy” as arrest him. The FBI has offered a $3 million reward for information leading to Bogachev’s arrest.

The GameOver Zeus botnet relied on a witches’ brew of encryption, proxies, and sophisticated malware to carry out a large-scale digital heist. These technologies help online criminals cover their tracks and obscure their schemes — giving rise to authorities’ complaints their investigations are going dark.

To track down Bogachev and defeat his security measures, investigators followed a winding trail of servers around the world, relied on tips from informants, executed wiretaps, and monitored his attacks in real time. To take down his botnet, they teamed up with security experts from Dell and CrowdStrike and researchers from Carnegie Mellon and the Georgia Institute of Technology in a wide-ranging probe that also relied on assistance from authorities in more than 10 countries.

But the federal government’s relationship with Carnegie Mellon is one that’s also fraught with controversy.

In May 2014, two Carnegie Mellon researchers posted an abstract of an upcoming talk at the Black Hat hacker conference that claimed they had found a way to reveal the identities of users on Tor, a service that allows individuals to mask their IP addresses. “You don’t have to be the NSA to break Tor,” the researchers bragged. “We know because we tested it, in the wild.”

In November 2014, the FBI’s New York office executed Operation Onymous, a crackdown on online drug marketplaces, including some that used Tor’s hidden services. The illicit sites included Silk Road 2.0, which emerged on the dark web after Silk Road 1.0 was shut down in 2013. In subsequent court filings, the FBI revealed that its investigation relied on information from a “‘university-based research institute’ that operated its own computers on the anonymous network used by Silk Road 2.0.”

It remains unclear whether that “university-based research institute” was in fact SEI, which employed the two researchers responsible for the paper slated to be presented at Black Hat. Tor developers have accused the FBI of paying Carnegie Mellon for the Tor exploit, a charge the university has denied.

In a November 2015 statement, Carnegie Mellon was coy about the connection. “In the course of its work, the university from time to time is served with subpoenas requesting information about research it has performed,” it said. “The university abides by the rule of law, complies with lawfully issued subpoenas and receives no funding for its compliance.”

Academics and civil liberties advocates are furious that the FBI may have been able to obtain a huge trove of Tor user data by subpoenaing academic research, which would have bypassed the legal scrutiny for obtaining a warrant. While Tor can be used to host child porn and drug markets, it is also used by dissidents and human rights activists to hide online from oppressive regimes.

The Carnegie Mellon researchers may have put the safety of the Tor users at risk when they were unmasked. “The CMU researchers acted with total disregard for their subjects,” said Chris Soghoian, the principal technologist at the American Civil Liberties Union.

Eight months after Silk Road 2.0 was crushed, the FBI office in Pittsburgh launched a massive international operation to dismantle a hacker forum known as Darkode, where digital criminals bought and sold malware. It has been speculated that the takedown of Darkode, which was hosted using Tor, was linked to Operation Onymous’s use of Carnegie Mellon data.

Yet prosecutors said the bulk of the Darkode case was built using detective tools from the analog era that have since been adapted for the digital age.

“This was a forum that was infiltrated at the highest levels using more traditional law enforcement techniques,” said Jimmy Kitchen, one of the Pittsburgh-based prosecutors on the case.

Affidavits filed as part of the Darkode takedown show how the FBI relied on confidential informants and undercover agents with access to the password-controlled forum to gather evidence. As it turned out, Darkode was rife with infiltrators, including security journalist Brian Krebs.

When it rolled up the site, the FBI worked with counterparts in 20 countries to arrest dozens of the forum’s members. In announcing the arrests, Hickton described Darkode as “a cyber hornets’ nest of criminal hackers which was believed by many, including the hackers themselves, to be impenetrable.”

The investigation showed how international cooperation is essential — necessary, even — for cybercrime investigations that often reach far beyond U.S. borders. Affidavits in the Darkode case describe how, for example, police in Slovenia raided a home to verify that a suspect had sold access to a botnet to an undercover FBI agent posing as a hacker on the forum.

In response to that borderless reality, judges now have greater authority to allow police to hack computers whose users try to hide their location. Late last month, the U.S. Supreme Court approved a change to what is known as Rule 41 of U.S. criminal procedure, giving judges the power to issue warrants to seize information on computers located outside their immediate jurisdiction.

Civil liberties advocates fear the change will vastly expand the FBI’s ability to hack into computers. They also argue the extent of the government’s power in this arena remains unclear, as it has refused to reveal guidelines for when law enforcement can use hacking tools.

Justice Department spokesman Peter Carr declined to comment except to note that the hacking tools are court-approved — ensuring the limits of prosecutorial power and ensuring probable cause in investigations.

Hickton welcomed the Rule 41 change. “I love it,” he said.

But when they can, investigators are avoiding hacking tools in favor of ordinary detective work to identify suspects hiding behind a digital wall.

In 2012, the University of Pittsburgh received a flurry of bomb threats delivered through an anonymous email service to local media outlets. More than 100 buildings were evacuated, the campus rattled by the repeated threats of violence. The person responsible for most of the threats — some were also scrawled on bathroom walls — used an anonymizing tool that prevented authorities from easily determining his identity.

“I was told originally that we had about as much chance of identifying the defendant in that case as identifying a single grain of sand on a beach on the East Coast of the United States,” Hickton said.

Anonymizing tools such as remailers, which disguise the origin of an email, and Tor, a program that conceals the IP address of a user, can be powerful tools to shield one’s identity online. But the security they provide is far from perfect.

By serving subpoenas to the Pittsburgh media organizations receiving the threats, Hickton obtained the IP addresses of the emailed threats. From there, he secured the cooperation of what he describes only as “overseas partners” to examine servers the emails had bounced off of in order to shield the identity of the sender.

And that led Hickton and his team to Adam Busby, the now 68-year-old leader of a fringe Scottish nationalist terrorist group. An alleged serial threatener, Busby has also allegedly delivered hoax threats against high-profile British officials, including former Prime Minister Margaret Thatcher, Cherie Blair, and members of the royal family. In October 2015, a Glasgow court found Busby, who had been diagnosed with multiple sclerosis, unfit to stand trial. Busby has reportedly admitted responsibility for making the Pittsburgh threats.

“That was the case where we believed that we could do big-league cyberthreats here,” Hickton said.

To pursue the Chinese hackers who targeted some of Pittsburgh’s flagship companies, including U.S. steel and aluminum giant Alcoa, Hickton took a similar approach, working closely with the companies to understand the PLA officers’ actions. He assigned one team of investigators to collect evidence from the companies and another to determine the hackers’ identities.

To shield their identity, the hackers were bouncing traffic off servers around the world, including one in Kansas, and then on to Shanghai. It quickly became clear to investigators that the hackers were working in Shanghai’s time zone — and even that they lessened their attacks during the local lunch hour. Hickton wouldn’t directly say how investigators zeroed in on the hackers named in the indictment but noted suspects in similar cases had been identified after they had carried out their hacking while also logged in to their private social media accounts.
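The timing pattern investigators noticed (activity clustered in Shanghai’s working hours, with a dip at lunch) is something a defender can test for on their own intrusion logs. The Python below is an added example, not code from the article or the investigation; it runs on a constructed set of event timestamps and assumes a 09:00 to 18:00 local workday as the reference pattern when scoring candidate UTC offsets.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

WORK_HOURS = range(9, 18)  # assumed reference workday, 09:00 to 18:00 local


def constructed_events():
    """Constructed sample (not real log data): an operator in UTC+8 who is
    active 09:00-18:00 local on five weekdays, with far fewer events during
    the 12:00 lunch hour. Timestamps are returned the way a defender sees
    them in a log: in UTC."""
    events = []
    monday = datetime(2014, 3, 3, tzinfo=timezone.utc)
    for day in range(5):
        for local_hour in WORK_HOURS:
            per_hour = 1 if local_hour == 12 else 6
            for k in range(per_hour):
                local = monday + timedelta(days=day, hours=local_hour, minutes=10 * k)
                events.append(local - timedelta(hours=8))  # local UTC+8 -> UTC
    return events


def hourly_histogram(events_utc, offset_hours):
    """Count events per local hour of day under a candidate UTC offset."""
    tz = timezone(timedelta(hours=offset_hours))
    counts = Counter()
    for ts in events_utc:
        counts[ts.astimezone(tz).hour] += 1
    return counts


def workday_fit(hist):
    """Fraction of all events that fall inside the reference workday."""
    total = sum(hist.values())
    inside = sum(hist[h] for h in WORK_HOURS)
    return inside / total if total else 0.0


def infer_offset(events_utc):
    """Try every whole-hour UTC offset and return the one whose local-hour
    histogram best matches the reference workday, plus that histogram."""
    best_offset, best_hist, best_fit = None, None, -1.0
    for offset in range(-12, 15):
        hist = hourly_histogram(events_utc, offset)
        fit = workday_fit(hist)
        if fit > best_fit:
            best_offset, best_hist, best_fit = offset, hist, fit
    return best_offset, best_hist


def lunch_hour(hist):
    """Quietest hour inside the inferred workday, i.e. the likely lunch break."""
    return min(WORK_HOURS, key=lambda h: hist[h])


if __name__ == "__main__":
    events = constructed_events()
    offset, hist = infer_offset(events)
    print(f"best-fitting UTC offset: {offset:+d}")
    for h in sorted(hist):
        print(f"{h:02d}:00  {'#' * hist[h]}")
    print(f"quietest working hour (lunch?): {lunch_hour(hist):02d}:00")
```

On real logs the fit will not be a clean 1.0, so compare the top few offsets rather than trusting a single winner, and remember that an actor working night shifts or relaying through scheduled jobs will defeat this heuristic.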

U.S. intelligence analysts, with their considerable resources, also played a role in identifying the hackers working on behalf of the People’s Liberation Army. Though the investigations have not concluded in courtroom convictions, and the hackers remain free, industry experts say their detection and indictment carry an important symbolic value as an early shot across Beijing’s bow to warn against wholesale stealing of American corporate secrets.

The United States also threatened to impose sanctions against China for its actions in cyberspace. Last September, U.S. President Barack Obama and Chinese President Xi Jinping struck a landmark agreement to outlaw corporate espionage in cyberspace.

Justin Harvey, the chief security officer at Fidelis Cybersecurity, said his firm has seen a slight decrease in Chinese hacking activity in the months since the agreement. He cautioned, however, that Chinese hackers may merely have altered their methods — and American security researchers have yet to catch on.

Last month, NSA Director Michael Rogers said Chinese hacking against the United States is continuing but at a lower level than before the September agreement. “The million-dollar question is: Is that activity for governmental purposes, or is it being then passed from the government to the private sector?” Rogers said during testimony before the Senate Armed Services Committee. “The jury is still out.”

One cannot draw a straight line between the indictment against the Chinese hackers and the diplomatic agreement that followed. But for Pittsburgh’s cybercrime investigators, the case represented an attack on industries that have defined the city’s history and a statement about its evolution from a steel town to one on the cutting edge of the digital — and criminal — revolution.

Photo credit: Ronald Martinez/Getty Images

Twitter: @EliasGroll
