30 July 2018

This Former British Spy Exposed the Russian Hackers


The Justice Department has charged 12 Russian officials with hacking the DNC. Matt Tait helped shine a light on their meddling in 2016.

On Friday, July 13, the Justice Department charged 12 Russian military intelligence officials with hacking Democratic National Committee (DNC) email servers as well as leaking stolen documents to outlets such as WikiLeaks, in an effort to influence the 2016 presidential election. Among those least surprised by the charges was former British spy Matt Tait. I first met Tait in the fall of 2017, when he was in Washington, D.C., to be interviewed by Special Counsel Robert Mueller. The cheerful, lanky 29-year-old does not look or act like someone who is being carefully watched by both U.S. and Russian intelligence communities, nor like someone who has traveled the world as a consultant for technology companies and spent four years working at the U.K.’s top digital intelligence agency.

Despite his modest demeanor, Tait was a key player in deciphering Russian election interference. On June 15, 2016, when the first trove of stolen documents from the DNC was leaked online under the pseudonym Guccifer 2.0; before the FBI launched an investigation into election interference; and before the U.S. intelligence community attributed the cyberattacks to the Russian government, Tait used publicly available information to compile incriminating evidence of metadata and technical slip-ups against the Russian intelligence agency GRU, concluding that the attack bore the hallmarks of a classic Russian influence campaign.

The previous day, the Washington Post reported that the cybersecurity firm Crowdstrike claimed the hacks were carried out over several months by two Russian intelligence groups labeled Cozy Bear and Fancy Bear. Tait tells me the concept of a foreign adversary hacking the DNC at first appeared to be routine intelligence gathering. “They want to know who the next president of the United States might be and who’s around her and what her policies are going to be. That’s just ordinary espionage.”

But the dynamic shifted dramatically within a few hours when the Russians, posing as a Romanian hacker, began dumping the stolen documents online. “That was the point where it conspicuously changed from being, ‘This might be about espionage,’ to being ‘This is clearly an influence campaign,’” Tait says.

Using his Twitter account, @pwnallthethings, Tait worked alongside a small group of experts to closely examine the dump and shed light on the motives of its perpetrators. One expert involved, Thomas Rid, then a professor of war studies at King’s College, London, wrote an article for Esquire detailing how the ragtag group collaborated to piece together identifying information about the Russian hackers.

“As soon as Guccifer [2.0]’s files hit the open Internet, an army of investigators—including old-school hackers, former spooks, security consultants, and journalists—descended on the hastily leaked data,” Rid wrote. “The result was an unprecedented open-source counterintelligence operation: Never in history was intelligence analysis done so fast, so publicly, and by so many.” Rid noted that Tait’s work on the issue was “particularly prolific,” pointing specifically to Tait’s astute observations that the username found in the metadata of one document referenced the founder of the Soviet secret police, and that the files had been edited on a computer with Russian language settings.

Tait had also tweeted that the hackers had conducted the attack in support of Trump, adding that the apparent influence operation marked “another data point in Russian [signals intelligence] strategically leaking data to push a particular narrative.”

Rid tells me that many in the intelligence community came to the same conclusions Tait reached, but the former hacker was one of only a few people in a position to share the facts with the general public. “We had still one foot in the InfoSec community, but we could also talk publicly without causing any trouble for ourselves with our employers,” Rid says. U.S. officials, by contrast, were tight-lipped, waiting until October 2017 to share the intelligence community’s assessment that the Russian GRU had been behind the cyberattacks.

Tait recalls being surprised that the hackers didn’t simply call it quits, given how quickly they were exposed. “We kind of expected they would just go away,” says Tait. “Like, they would say, ‘We screwed up. We got caught. This is dreadful. We’ll just pretend that this didn’t happen and go away back into the night.’ ”

Instead, the Russians doubled down and started to release more documents, only this time they manipulated the metadata in ways specifically designed to discredit Tait’s observations. “They intentionally started editing these documents in multiple languages of Microsoft Word,” says Tait. Suddenly, files cropped up pointing to countries like China and Cuba instead of Russia. “It was very interesting, because what that showed was they were, in real time, responding to people doing analysis.”

Tait’s efforts earned him special attention from the Russian government. First, the Guccifer 2.0 account followed him on Twitter. Then, it became clear they were keeping tabs on what he wrote.

“You could see the changes to the documents that they were doing were not generic changes, but specifically targeted at my personal analysis,” he says. At one point, he came to the realization that “they’re actually reading the stuff that I’m writing, and they’re interested in discrediting it.”

Russian spies weren’t the only ones who started following Tait. His Twitter account, previously popular only among a niche audience, took off. He made new connections with people in the cybersecurity field, like Rid, who says the two met for coffee when they realized they were both living in London. “He’s very funny and extremely quick on his feet,” Rid says. “Intimidatingly smart. It’s just good fun to hang out with him, because he’s the best kind of a nerd you can find.”

Tait grew up in the English city of Chester. After graduating in 2008 from Imperial College, London, where he studied computer science and math, Tait joined the U.K.’s top digital intelligence agency, the Government Communications Headquarters (GCHQ). He worked in the Computer Network Exploitation division, which was tasked with hacking operations. His team was only about six people, but it was responsible for a large part of the agency’s portfolio.

Tait recalls working extraordinarily long hours on operations that were “just completely insane ... You can’t even imagine the level of planning and precision and sheer mad schemes that they were putting together. And some of them wouldn’t work, but some of them would, and it was amazing to see them come to fruition.”

What kinds of operations? “All operations,” Tait answers, sidestepping the question. “Most days I was developing software exploits, breaking into computers.”

Asked which computers he targeted, Tait smiles wryly. “Foreign ones.”

He spent four years at the agency before moving to the private sector, where he worked at Google Project Zero and as a consultant for companies such as Amazon and Microsoft. In 2013, Tait started a Twitter account to counter false information during the fierce online privacy debate sparked by the leak of top secret documents stolen from the National Security Agency by former contractor Edward Snowden. At the time, Tait was frustrated by reports that made sensationalist claims contrary to what some of the leaked documents showed.

“It was very upsetting to see people I had worked with both in government, but also technology companies, being accused of things that they couldn’t respond to,” Tait says. His quickly became essentially “the one Twitter account on the entire Internet daring to take the government’s side.”

He kept the account anonymous. “My view was that in the event that I put my name on it, I would get hounded out of my job in Silicon Valley,” Tait says.

Today, he has nearly 130,000 followers and uses his platform to offer intelligence community insights, humorous comments and observations about the news of the day, and in-depth legal commentary; his passion for sharing interesting tidbits from official documents also remains. When Tait first opened the account, he shared quirky Freedom of Information Act requests, such as Central Intelligence Agency cafeteria complaints, and he combed through the many emails from Hillary Clinton’s personal server, offering his followers glimpses into how she ran the State Department.

In the spring of 2016, Tait started contributing to Lawfare, an online national security publication founded by Benjamin Wittes of the Brookings Institution and law professors Jack Goldsmith of Harvard and Robert Chesney of the University of Texas at Austin. As a contributing editor, Tait often writes about the intersection of technology and law enforcement, the DNC hack, and election interference.

In June 2017, he published a bombshell account, “The Time I Got Recruited to Collude with the Russians,” detailing his interactions with Republican activist Peter Smith, who wanted Tait to verify allegedly deleted emails from Hillary Clinton’s personal server that he had learned about on “the Dark Web.” Tait believed that Smith, who touted his relationship with former national security advisor Michael Flynn, was coordinating with the Trump campaign. “In my conversations with Smith and his colleague, I tried to stress this point: If this dark web contact is a front for the Russian government, you really don’t want to play this game,” wrote Tait. “But they were not discouraged.”

Tait’s story sparked intense media attention. “My inbox basically blew up,” he says, and he was invited to appear on nearly every cable news show (requests that he declined). “People tried to meet with my accountant. People tried to contact my family,” Tait tells me. Several reporters even showed up at his house in London.

Tait’s account also caught the attention of Robert Mueller. According to Business Insider, Mueller’s team interviewed Tait during the fall of 2017 about his dealings with Smith, and records show he answered questions from the House Intelligence Committee in October. During our interview, Tait declines to discuss details of the ongoing investigation.

Today, Tait is a professor at the University of Texas at Austin’s Strauss Center for International Security and Law, where he teaches a graduate course, “Cybersecurity Foundations: Introduction to the Relevant Technology for Law and Policy.”

He describes the class as “a technical course for students who are not technical” that tackles questions including why cybersecurity vulnerabilities exist, why developers create vulnerabilities, how software can be defended, and how to clean up after someone has broken into a system. Tait notes that his material does not make moral judgments—“It’s not saying hackers are good and defenders are bad, because of course, depending on the context, it might be the other way ’round.”

The objective is for students to become better prepared if and when they encounter cybersecurity issues in the professional world.

“Matt Tait is almost unique in his ability to speak to all of these audiences very intelligently,” says Chesney, who also serves as director of the Strauss Center. “Maybe it’s his wonderful accent, maybe it’s the personal charm. He’s a very friendly, funny, and positive person, and those are qualities that make for great teaching on any subject.” Chesney argues there is a need for students to gain a firm grasp of the fundamentals of cybersecurity. “They need literacy, not fluency. Fluency is great, but we just need lawyers and policymakers to be literate,” he says.

Chesney discovered Tait the same way everyone else did: online. “He was becoming somebody you would see as a commentator. It was clear he has a good grasp not just on the technology but on the relevant legal and policy aspects.” He thought Tait would be a natural teacher, and invited him to join the faculty in 2016.

Nina Guidice, a technology policy student at the LBJ School of Public Affairs at UT Austin, took Tait’s seminar course in the spring of 2018. She says Tait “taught everything with a sense of humor” and was accessible to students. Another one of Tait’s former students, Justin Laden, a JD candidate, enjoyed learning key interdisciplinary skills from someone with real-world experience in cybersecurity. Tait is “extremely well-versed in the law,” despite not having earned a law degree, he notes.

Asked whether Tait’s students were aware of their professor’s Twitter fame and involvement in the Russia investigation, Chesney laughs. “A few knew, and some others figured it out along the way, but not everyone really did,” he says. “A few were keenly aware what a unique opportunity it is. But especially since he’s not ‘Professor Pwn All the Things,’ he’s just plain ol’ Professor Tait, it’s easy to miss.”

Tait, content to remain in obscurity, says that’s probably for the best.
