The FBI used spyware to catch a man who tried to extort Verizon and Comcast by cutting 18 data- and voice-carrying cables in 2005, documents obtained under the Freedom of Information Act by Wired.com revealed yesterday.
Although the man's name was obscured in the documents provided to the website, their description of the case matches that of Danny M. Kelly, an unemployed engineer who at the time lived in Chelmsford, Mass. According to federal court records, Kelly was accused of cutting a total of 18 above-ground communications cables between November 2004 and February 2005 as part of a plot to extort money from Verizon and Comcast.
"Kelly sent a series of anonymous letters to Comcast and Verizon, in which he took responsibility for the cable cuts and threatened to continue and increase this activity if the companies did not establish multiple bank accounts for him and make monthly deposits into these accounts," the original complaint read.
According to the complaint, Kelly demanded $10,000 (£6,800) monthly from each company, and told the firms to post the bank account information on a private web page he demanded they create.
"Both Comcast and Verizon did create the requested private web pages, in an effort to communicate with the extortionist and to gather information that might identify him," the complaint said. "When Kelly accessed the web pages, he did so via an anonymising website through which he sought to hide the Internet protocol address of the computer he was using and therefore hide his identity."
The documents obtained by Wired.com said that the FBI obtained a warrant to use a program called Computer & Internet Protocol Address Verifier (CIPAV) to identify Kelly's computer as the one that accessed the extortion websites.
Details about CIPAV first surfaced in July 2007 in court records related to a case involving a rash of bomb threats emailed to a Lacey, Wash. high school. In a filing to the court, an FBI Special Agent said that after getting a warrant, the agency planted CIPAV on a 15-year-old's computer via a link posted to his MySpace page.
CIPAV, said the agent in the affidavit, would "cause any computer - wherever located - to send network-level messages containing the activating computer's IP address and/or MAC address, other environmental variables and certain registry-type information to a computer controlled by the FBI."
However, the warrant application did not spell out whether the CIPAV captured keystrokes or injected other code into the compromised system, as do commonplace Trojan downloaders. "The exact nature of [the CIPAV's] commands, processes, capabilities and their configuration is classified as a law enforcement sensitive investigative technique," said the 2007 document.
In Kelly's case, said Wired.com, the FBI was granted a warrant to use CIPAV on 10 February, 2005. Later that year, Kelly pleaded guilty to extortion, and was sentenced to five years probation and ordered to pay Verizon $378,000 (£259,000) for the damage he did.
According to the complaint filed against Kelly, he believed that "companies like Comcast and Verizon were indirectly responsible for his unemployment and dire financial situation because they worked with companies that favoured foreign engineers over their counterparts and because they had indirectly stolen his intellectual property."
As part of his sentence in late 2005, Kelly was also ordered to enter a mental health program.
The court documents related to Kelly's case did not detail how the FBI managed to get CIPAV on his computer, but security researchers commenting on the Washington school bomb threat case speculated that the agency may have used an exploit - one already in circulation or one of its own - to plant the spyware.