Social engineering is the perfect way for an attacker to garner information to totally bypass any and all security. No need to develop an exploit when you can get immediate access through an account where you have the proper credentials.
That is exactly what happened when a 15-year-old British teen broke into email accounts of the CIA and DNI chiefs in addition to gaining access to sensitive databases and plans for intelligence operations in Afghanistan and Iran.
Those were just some of the facts Kane Gamble admitted to after he pleaded guilty to ten offenses under the Computer Misuse Act at Leicester Crown Court in October 2017.
Gamble was part of Crackas With Attitude (CWA), a group of hackers with a pro-Palestinian agenda.
Last week, in preparation for sentencing, Crown Court judge Sir Charles Anthony Haddon-Cave learned of the details of Gamble's exploits, which took place between June 2015 and February 2016.
According to the information provided by the prosecutors, Gamble gained access to the Verizon Internet account and private AOL email account of then-CIA Director John Brennan, and extracted sensitive information from them.
He did so via phone, by pretending to be a Verizon employee in order to trick the company into sharing personal information about Brennan, then using that information to impersonate Brennan to get AOL to reset the password associated with the email account.
Ultimately, he managed to trick the help desk handlers into changing the security questions and security number. As a result, Gamble was able to gain access to Brennan’s emails, contacts, his iCloud storage account and his wife’s iPad.
Gamble also managed to compromise the Verizon broadband account and personal email account of James Clapper, the U.S. Director of National Intelligence (DNI) at the time. In addition, he impersonated Clapper on the phone and succeeded in making Verizon set up call-forwarding to divert calls made to Clapper’s home phone to the Free Palestine movement.
Gamble’s other victims included:
• Jeh Johnson, the then-Secretary of Homeland Security. Again, Gamble used a similar approach to gain access to Johnson’s phone, and used that access to listen to his voicemails and send texts from his phone.
• Mark Giuliano, FBI’s Deputy Director at the time. Gamble gained access to his home accounts by pretending to be him and then used the information to repeatedly gain access to the FBI’s Law Enforcement Enterprise Portal, even after the password was changed. Gamble used this access to steal and post online personal details of Officer Darren Wilson (who shot and killed black teenager Michael Brown in Ferguson, Missouri).
• John Holdren, the senior science and technology adviser to former U.S. president Barack Obama. With the help of an accomplice, Gamble also managed to get Holdren’s house “swatted.”
• Avril Haines, the White House deputy national security adviser at the time, and FBI Special Agent Amy Hess – he accessed their private calls and emails, and gained access to Hess’s computer.
• The US Department of Justice. Gamble gained access to details about FBI employees and case files.
As the prosecutors pointed out, CWA has incorrectly been referred to as hackers, as they mostly used social engineering to trick call centers or help desks into helping them get access to email accounts, phones, computers and law enforcement portals.
Gamble said his exploits were motivated by annoyance at “how corrupt and cold-blooded the U.S. Government are” and his desire to do something about it.
Sentencing will occur at a later date.