WikiLeaks logo
The Global Intelligence Files,
files released so far...

The Global Intelligence Files

The Global Intelligence Files

On Monday February 27th, 2012, WikiLeaks began publishing The Global Intelligence Files, over five million e-mails from the Texas headquartered "global intelligence" company Stratfor. The e-mails date between July 2004 and late December 2011. They reveal the inner workings of a company that fronts as an intelligence publisher, but provides confidential intelligence services to large corporations, such as Bhopal's Dow Chemical Co., Lockheed Martin, Northrop Grumman, Raytheon and government agencies, including the US Department of Homeland Security, the US Marines and the US Defence Intelligence Agency. The emails show Stratfor's web of informers, pay-off structure, payment laundering techniques and psychological methods.

Re: [CT] DISCUSSION - Anonymous vs Cartels

Released on 2012-03-02 01:00 GMT

Email-ID 168008
Date 2011-10-25 17:35:41
I disagree that Anonymous doesn't matter, but I agree the point of
Tristan's piece is what makes this interesting. innocent people could
die, and that sucks.

On 10/25/11 9:57 AM, Sean Noonan wrote:

No, I didn't say that.

Sometimes we write about things--the most obvious and comparable example
being Wikileaks-- that don't matter and explaining why they don't
matter. Another example being some of the grassroots terrorists who
have been picked up in the US, say Mohamad Osman Mohamad (sp?) for
example. He didn't matter, but we can provide a very good and cogent
explanation of the threats he did and did not offer that few others do
(or maybe no one else).

But I don't think we have the expertise to truly deal with Anonymous and
I don't care to give them more press for not doing much. Tristan's
piece on the other hand gets at a new and developing issue in what they
are trying to do. It's an anomaly i think that is worth covering. It
is probably the first time we will see violence as a result of their

On 10/25/11 9:35 AM, Kerley Tolpolar wrote:

So, until Anonymous doesn't become a national threat we shouldn't
write about it?

On 10/24/11 8:17 PM, Sean Noonan wrote:

There's enough information on what's behind the Aurora attacks to
respond and shut them down.

Change everything I said about SIGINT to CNO combined with
all-source analysis and maybe human investigations. Same point
applies. With the low-level shit, it's usually not investigated.

As far as I'm concerned an attack that matters is something
seriously affects a country's capabilities relative to others. (in
this, intelligence can seriously affect those abilities, as it
allows for them to be countered or become less advtantageous,


From: "Tristan Reed"
To: "Analyst List"
Sent: Monday, October 24, 2011 7:33:59 PM
Subject: Re: [CT] DISCUSSION - Anonymous vs Cartels

As far as Aurora, I haven't followed it closely. Did they ever
identify the attackers or number of attackers? I thought the target
set was the only thing that led people to believe the Chinese
government was responsible.

2. NSA will tell you otherwise. SIGINT is not the NSA's only
responsibility. SIGINT assets do not carry over to investigating
cyber intrusion, unless you are trying to corroborate, in this case
HUMINT is just as significant as SIGINT. A country's SIGINT
capabilities does not indicate its capabilities in tracking hackers.
NSA may have there own department for tracking hackers but it does
not make it SIGINT.

Ok, Please define SIGINT for me.

Wikipedia provides an indepth explanation on SIGINT . But in short,
SIGINT is the capability in exploiting signals provided by
communication devices, and what can be obtained by exploiting the
signals. Combining computer network operations and SIGINT is
innaccurate, because while SIGINT may be used with other
intelligence disciplines in order to identify a hacker, it is not
necessary and is no more related than any other intel discipline.
SIGINT could help you identify a computer devices (not the operator)
emitting a signal (wifi), and cryptanalysis, which is also separate
from SIGINT but often used in conjunction, could help in providing
methods to decrypt messages over a network, but SIGINT wouldn't
obtain those messages.

In order to exploit computer network operations, the operators
involved are specifically trained in computer science disciplines
and technologies tailored specifically for computer activity.

NSA also is the primary agency for cryptanalysis. Because of
technological demands of SIGINT and cryptanalysis, NSA has enormous
resources in R&D, so I can see why the USG would move some CNO to
NSA. But their SIGINT capabilities are not indicators of CNO

Writing the code and hacking was just a small part of necessary
labor for the Stuxnet operation. I also don't think we are
discussing operations on the scale of causing physical damage to
extremely sensitive equipment . Well, this is an example of a cyber
attack that matters, whereeas Anonymous so far has not mattered.
You chose the most prolific example of a cyber attack (which the
whole operation consisted mainly outside of the cyber attack
itself). Anything that falls short of this doesn't matter? Define
what matters. None of anonymous' attacks have physically damaged
secret Iranian nuclear facilities, but I think you are downplaying
too much the significance of exposing corporate secrets, halting
businesses' revenues, and embarrassing State actors by defacing
their websites.

On 10/24/11 5:38 PM, Sean Noonan wrote:

On 10/24/11 5:07 PM, Tristan Reed wrote:

On 10/24/11 3:12 PM, Sean Noonan wrote:

1. Look at the anonymous hackers tacked down already The USG
arrested 10 Russian spies last year, are you willing to say
foreign intel is not capable of conducting espionage
undetected? No, of course not. But I also would not argue
that the SVR is so good to be immune to detection, as you are
arguing with hackers. I'm saying they are more detectable
than you think. There is no such thing as truly anonymous.
Everythign leaves a trail. Will that trail in every instance
lead to a single individual? no. but it can lead to a place,
an organization, and often, an individual.

2. NSA will tell you otherwise. SIGINT is not the NSA's only
responsibility. SIGINT assets do not carry over to
investigating cyber intrusion, unless you are trying to
corroborate, in this case HUMINT is just as significant as
SIGINT. A country's SIGINT capabilities does not indicate its
capabilities in tracking hackers. NSA may have there own
department for tracking hackers but it does not make it

Ok, Please define SIGINT for me.

The question is if the attack is high priority enough. Many
people assume there is no attribution because there is no
response, but I don't think that is accurate. Many people say
this, because no attribution is one reason for no response.
Yes, they do, and if they think that is the primary reason for
lack of response, then I think they are wrong.

3. Your example is short-sighted. You don't just open a new
laptop and start hacking e-mail addresses. A cyber attack
involves much more than a recently bought laptop. In the same
way there is an attack cycle for a terrorist attack or crime,
there is one for a cyber attack. A very simple attack may be
as hard to trace as a nearly-random mugging in the dark in a
neighborhood with much more serious crime and no CCTV
cameras. A more complicated attack, however, involves
pre-operational surveillance, developing exploits, developing
programs and code, gaining access, exploiting that, and
carrying out an attack. Discovering exploits and writing code
can be done entirely offline, out of sight of law enforcement
or intel agencies. Pre-operational surveillance and gaining
access (the point of the exploit you write offline) would fit
in my example. The point is, if you don't link your computer
to identifiable information, you remain anonymous. Just like
people use certain methods to build IEDs, people use certain
mehtods to design programs and code for cyber attacks. Over
time, those methods become identifiable and more and more
attributable. This is, for example, how AURORA is linked back
to the Chinese. and very specific Chinese, I may add. Being
connected or unconnected doesn't matter, eventually you have
to use what you develop, or copy from someone, and all of
those things can be analyzed. And that takes time, giving
more time for your exposure Exposure comes from network
activity with the target, a lot of the pre-operational phase
of an attack can occur without network activity. Look at
everything that went into Stuxnet as a great example, that
couldn't be done with one person with a new laptop. Writing
the code and hacking was just a small part of necessary labor
for the Stuxnet operation. I also don't think we are
discussing operations on the scale of causing physical damage
to extremely sensitive equipment . Well, this is an example of
a cyber attack that matters, whereeas Anonymous so far has not
mattered. All of this activity provides activity and
evidence which helps for attribution. Of course it is always
possible to develop an attack, just like any other operation,
that even the best law enforcement and national intelligence
agencies have trouble or cannot attribute. That's fine. My
point is that it's very difficult for someone to successfully
use Anonymous as a cover and have NSA, GHQ, MID, Aman, etc, be
unable to attribute it. How do you know if NSA or GHQ is
effective in identifying hackers?I don't, but I'm confident
they are far better than you are allowing for. They may not
choose to cover it if it is small scale crime, however.
On 10/24/11 1:38 PM, Tristan Reed wrote:

I wouldn't doubt using Anonymous as a cover for state
sponsored cyber warfare. Not sure the number of benefits in
actually doing that, since you can conduct a cyber attack
without associating with a hacker group and still deny /
cover actions on behalf of the State. An individual
attacking US computer assets from China, may be working by
himself or on behalf of the Chinese government, but unless
the US has other intel on the Chinese government's cyber
warfare activities in order to corroborate there is little
capability to distinguish.

It is very difficult to track down hackers. Computer network
operations do not fall under the discipline of SIGINT.
Assets from SIGINT would not directly help you track an
individual responsible for hacking State run servers. In the
past, I have turned to SIGINT organizations for collections
on computer related material, but this was due to the US
being behind in cyber warfare, and not knowing where to
assign responsibility. However, this has changed
dramatically in the last couple of years.

Online activities, with adequate OPSEC, truly are anonymous.
As an extreme scenario of OPSEC: If I purchase a laptop in
cash, go to a Starbucks with free public wifi, and never
attribute the online activity to something revealing
(accessing personal email accounts, tweeting, entering
personal information to the laptop, etc..), and begin
hacking government email accounts then never use the laptop
again. Unless LEA could get an accurate description of my
appearance from Starbuck's patrons or possible security
cameras, I can not think of way to identify me.

Governments, attempting to track cyber enemies, do not refer
to these enemies as individuals. Instead as generic entities
tied to specific computer-related activities because of the
difficulty in identifying individuals.

I think the most likely way for a "Anonymous cover" to be
blown, would be the chatter in all the IRC channels. But
what if a common participant in "Anonymous" activities, was
working for a State? Anonymous has denounced state
governments before, if that State agent organizes an attack
amongst his IRC / Twitter buddies, what signs could a LEA
look for to distinguish?

On 10/24/11 12:38 PM, Sean Noonan wrote:

In reply to Kerley (my comments on the discussion coming
in a bit)

1. Anonymous has not shown the capability to do anything
actually harmful or devastating. I'm not saying they
can't, but i'm very doubtfoul. Tristan's discussion shows
the first real case where they could do some minor
damage--to individual people, not not to an organization
or anything that would come as a serious or strategic

2. Attribution by the world' leading SIGINT agencies is
actually pretty good. I see the fear of using 'anonymous'
as a cover, but that would be pretty easy to bungle, and
could probably still be attributed if important enough to
those agencies. The recent attack on Sony actually brings
this issue up- Whoever is calling themselves anonymous
denies they did it. And keep in mind how much they have
claimed an publicized attacks in the past, even before
they were carried out. The attack on the Playstation
Network was more sophisticated than anonymous' usual work
(though potentially coordinated with Anonymous' DDOS
attacks that distracted Sony's IT security). But whoever
did it, again, no real damage came of it. Congress is
holding hearings over data security, but this is no
different than the OC groups stealing your credit card
information. LE will go after them, have some success,
but the threat is not that large.
On 10/24/11 11:04 AM, Kerley Tolpolar wrote:

I see the Zetas/Anonymous affairs as a good opportunity
to have a broader piece on Anonymous. I believe our
readers no nothing, or almost nothing about what this
group is and the threat it poses. Reviewing their list
of attacks
(, in
most of the cases, they are the "good" guys, sort of a
Robin Hood of the internet . The interesting thing when
it comes to their interactions with the cartels is the
dubious role they play: at the same time they can be
fighting crime by revealing cartel members/supporters,
but they can also put lives in risk.

However, I believe this is only one of the threats posed
by Anonymous. The idea that states, and anyone else on
Earth, can conduct a cyber attack under "Anonymous" is

If I run an organization, if I am responsible for
government websites, or if I am just a internet user, I
would like to know more about these guys. Who they are?
What are they interested in? How they operate? Who they
have targeted so far? How can I defend myself from them?
In what countries are they active? Should I worry about
them at all? Can I use them to achieve any particular

On 10/24/11 10:22 AM, Colby Martin wrote:

nice. i still think the central focus, and what
everything else can build off of, is that Anonymous
doesn't know the threat they pose to innocent people
caught up in the terror that is Mexico. By focusing
on journalists or taxi drivers they show little
understanding of the situation. This has long term
implications in not just Mexico. They don't consider
the consequences of their actions and they act without
understanding the environment. It was the same when
they released information on the Sony Playstation
network to protest Sony. They hurt innocent people to
prove a point.

On 10/24/11 9:32 AM, Tristan Reed wrote:

Reposting this with a new shorter focus. Instead of
discussing possible cartel responses, the focus is
on what type of threat Anonymous can pose to
cartels. The video released by Anonymous, threatens
revealing personal information on cartels as well as
states a member had been kidnapped. I could not find
any sources outside of Anonymous' claims of the
individual being kidnapped. According to their
facebook sites (Anonymous Mexico and Anonymous
Veracruz) it sounds like it may be an individual
posting flyers in Veracruz as part of the Operation
Paperstorm protest, although that is speculation.

Anonymous, a well-publicized hacker group famous for
distributed denial-of-service (DDOS) attacks on
government websites, lashed out at drug cartels via
the Internet with a statements denouncing Mexico's
criminal cartels, including a video depicting a
masked individual addressing Mexican drug cartels on
October 10? With the most recent video release,
Anonymous makes bold threats towards the criminal
cartels in Mexico. Threats such as releasing
identities of taxi drivers, police, politicians, and
journalists who collude with criminal cartels. The
hacker group demanded Los Zetas release a fellow
kidnapped member otherwise face consequences. In the
Anonymous' video, this coming November 5th was
mentioned as a day cartels could expect Anonymous'
reaction if their demands of releasing a kidnapped
member are not met. The potential of conflict
between Mexico's criminal cartels and hackers,
presents a unique threat towards TCOs. We know of
cartels lashing out at online bloggers, but I
haven't seen any reporting on cartels dealing with
any headaches from hackers before.

What Anonymous brings to the table in a conflict
o Anonymous would not pose a direct
physical security threat to Mexican cartels.
o Anonymous' power base is the ability to
exploit online media
o Anonymous hackers do not have to be in
Mexico to lash out at cartels

While not certain, there is a potential for
Anonymous to pose a threat
o It is unknown if Anonymous's claims to
possess identifiable information on cartel members
o It is unknown what information Anonymous
could acquire on cartels
o Bank accounts, any online transactions or
communications, identifiable information on cartels
members have to be considered in the realm of
possibilities for
o Anonymous has demonstrated it's
ability to reveal illicit online activity (child
pornography rings)

Anonymous hackers likely have not been involved in
the ultra-violent world of drug trafficking in
Mexico. As a result, their understanding of cartel
activities may be limited. Anonymous may act with
confidence when sitting in front of a computer, but
this may blind them to any possible retribution.
They may not even know the impact of any online
assault of cartels.
o Revealing information on taxi drivers and
journalists will cost lives. Anonymous may not
understand some of these individuals are forced to
collude with cartels. Taxi drivers are
often victims of extortion or coerced to act as
halcones. Revealing the identity of these
individuals will not have a significant impact on
cartel operations. Politicans have
been accused of working with cartels (Guerrero &
Veracruz' governor) before, however there has yet to
be any consequences from this.
o Anonymous hackers may not understand the
extent cartels are willing to go protect their
o Any hackers in Mexico are at risk.
o Cartels have reached out to the
computer science community before, coercing computer
science majors into working for them.
o This provides the cartels with the
possibility of discovering hackers within Mexico.

On 10/17/11 10:19 AM, Marc Lanthemann wrote:

Oh man we are threading new ground here - I like
the idea but there are several issues to address
and fix here.

These are the bullets of my main analytical
concern with the discussion:

o we don't know who got kidnapped or why.
that's fine but we can't gloss over that fact
o "hackers" is a blanket term - there's a
difference between stealing bank records from
government computers and overloading main page.
o There's no thought out process of what
sort of information could anon have on the
cartels. What kind of info is kept online and
accessible to potential attacks? You seem to be
talking about identities, whose? If anything it's
dirty cops, politicians and businessmen who need
to worry about what anon is going to be saying.
Think about why the bloggers and media were killed
in previous instances. Was it because they
revealed operational details, because they acted
as informants, because they exposed links with
officials or because they somehow sullied the
cartel's reputation? In short, what kind of
information is damaging to the cartels themselves?
o Once you identify this info - think
about if anon can realistically access it and
disseminate it so it causes a measure of damage.
Anon doesn't have any intelligence capacity except
for the technical ability by a very small number
of its members to infiltrate certain networks and
databases and steal information. Now what kind of
information would a cartel keep on a network that
is connected to the internet (aka no intranet)?
Where else could information be found? Government
databases? Once we know what kind of information
is accessible, we can also know more about the
consequences of dissemination.
o What's the IT capacity of a cartel?
Sufficient to trace back attacks? If it's not,
there risks to be a lot of killings done by people
who may not understand the difference between an
anon hacker and a blogger.

On 10/17/11 9:47 AM, Colby Martin wrote:

wanted to forward Karen's thoughts to analyst

-------- Original Message --------

Subject: Re: [CT] DISCUSSION - Anonymous vs
Date: Mon, 17 Oct 2011 09:28:18 -0500
From: Karen Hooper
Reply-To: CT AOR

you've got some of the issues here, but this is
going to need a lot more work

You need to lay out:

a) What exactly is going on with Anonymous, your
trigger section is unclear
b) what our assessment of the online cartel
presence is, and therefore their vulnerabilities
and capabilities
c) How capable is Anonymous of breaching high
security anything
d) how far the cartels would be willing to
travel to kill anyone who breaches their systems
or exposes their connections

I also just want to point out that we have
reasonable reliable insight that Sinaloa at the
very least has some significant levels of
sophistication in their online presence, to
include the use of cyber currencies and
significant IT capacity. There is no reason to
assume that Los Zetas don't also conduct
business online, in a protected fashion.

Karen Hooper
Latin America Analyst
o: 512.744.4300 ext. 4103
c: 512.750.7234
On 10/17/11 8:46 AM, Renato Whitaker wrote:

On 10/17/11 8:25 AM, Tristan Reed wrote: