Embedding is a basic espionage technique, but when you undertake it on your own, instead of as part of an organized intelligence agency working for a government, you’re not really a “spy” you’re an independent operator embedded in a target of your choosing.
In state-on-state espionage, there is a great deal of focus on “turning” or compromising employees or people in a position to have useful knowledge, to get them to become sources of information. That’s a very dangerous process for both the intelligence officer courting the would-be spy, and for the would-be spy – what if this is just a loyalty test? What if someone from the other side is watching the whole dance? For the cyberinsurgent, the dynamics are completely different: you decide when and how you’re going to penetrate some organization and – if it seems like disclosing a bunch of damaging information is profitable or even just plain fun, go ahead and do it. In state-on-state espionage, an intelligence “asset” has to worry about if there are any traces that might lead counter-intelligence to realize that they are prone to switching sides. For the cyberinsurgent, this may somewhat be a concern, too: you want to be an embedded independent “asset” it’s probably a bad idea if you have a long trail of anti-state Facebook postings or Twitter comments, and then go apply for a job at a state agency.
If you do decide to get play at embedding, plan carefully and think about how any data you collect may be watermarked or logged for exfiltration. Having a plausible cover – like being a system administrator – is a good idea; if you start browsing files all over the place, you may be ringing bells someplace. In general, even the highfalutin’ US intelligence agencies are pretty incompetent at computer-based counter-intelligence. Remember: Aldrich Ames was copying extremely sensitive stuff onto floppy disks and selling them to Soviet intelligence for years and the CIA were too dumb to ask themselves why someone on a GS-12’s salary was living in a nice house and driving a Jaguar. Nowadays virtually all computer system accesses and data ingress/egress are logged to some degree or another. Be very careful, because: the bigger they come, the harder they hit.
If you’re looking for a good target, just remember that corporate email repositories are generally full of heinous, embarrassing stuff. Executives can be mind-bendingly stupid about what they put in email; it’s part of their capitalist “you are elite” training for them to think that they are brilliant. Probably the worst offenders for putting stupid, embarrassing stuff in their emails are police. If you’re looking for a fun place to embed, and can stand working around police, their email and text messaging are great places to start. Don’t browse that kind of data while it’s online – bulk copy it out to a portable device like a smart phone configured to export its storage space as a hard drive via USB, and review it somewhere else. If you decide to disclose anything, make sure you don’t open it in its default application and – if you can – reformat it before you hand it off to the press or whoever you’re sending it to. It’s possible to watermark documents steganographically by altering line-spacing, paragraph line breaks, etc., to produce a unique document that can be traced. A lot of formatting programs, e.g., Microsoft Word and print-to-PDF leave bits of distinctive garbage in output files, which may be intended to serve as fingerprints leading to the source. It is very difficult to be sure you have a completely fingerprint-proof document (if you embed, you’ll have to research techniques for protecting yourself) but one technique that seems OK for now is to open a document on a computer screen and then photograph it using the camera of a smart phone. Not a screenshot; a photograph – screenshots are pixel-perfect copies of a screen but a photograph has to be interpreted back into text from the pixels.
If you decide to embed in an organization, either to liberate information or otherwise cause damage, you are placing yourself in grave danger. If the cause is just and important, it may be worth doing that. If the cause is not important, pick on a smaller target that does not have its own private army and killer drones. You can do a tremendous amount of expensive damage to a company or a state/local agency without risking going up against well-funded and ruthless parts of a hostile intelligence community.
In the history of espionage, a lot of intelligence assets’ cover gets blown by incompetence (or penetration by spies) into the intelligence agency that controls the asset. When Aldrich Ames sold CIA data to the Soviets, one of the things he sold was information about CIA assets operating in Russia. They were tortured and killed. If you’re a solo operator, without an intelligence agency behind you, you’re probably better off operating on your own its than being part of an organization that may be (and probably is) compromised by a hostile intelligence agency. Remember, the FBI specializes in “catching” terrorists by creating them – going on Facebook and pretending to radicals, then luring someone into crossing a legal line that allows them to slap handcuffs on you and score you as a successful take-down. In right-wing/neo-fascist fantasy land, like the book The Turner Diaries, the wanna-be fascist terrorists learn how to operate as “lone wolf” or “stochastic attackers” – what that means is:
- Lone wolf: you have no command structure that can be compromised, so you cannot be rolled up from above by a fake controller (your contact is actually FBI) or otherwise tricked into giving up your identity, as happened to Chelsea Manning
- Stochastic attacks: attacks by lone wolf operators that do not have a trail of planning behind them. If you don’t plan with someone else, and act independently against targets you choose without coordinating with anyone, there is no planning structure that may be detected or compromised by the enemy.
The cyberinsurgent is best if they are also a lone wolf launching stochastic attacks. If you do not believe this, research the sad story of ‘Sabu’ (Javier Montsegur) who was a hacker gang-leader that was compromised by the FBI; they used him to direct his gang against useful (for them) targets in Brazil and meanwhile built a prosecutorial case against his gang. The hackers working with the legendary ‘Sabu’ had no idea that they were being played as suckers by the FBI until their doors were smashed in and they were handcuffed. If you operate as part of a gang, you need to worry about tradecraft and security within your gang. If you’re an army of one, nobody depends on you, and you depend on no-one; you can go active operationally, or remain embedded – it is entirely up to you and only you.
Do not expect whistleblower protections to save you – look at what the US has done to Chelsea Manning: the Obama administration commuted her sentence and the Trump administration came up with a transparent sham of an excuse to throw her back into prison. Remember: part of why you are becoming an insurgent is because you’ve realized that they aren’t going to play by their own rules, so neither are you. The problem is that they make the rules and usually the first rule they make is, “I win.”
If you embed, you’re in the big leagues. I salute you and wish you good fortune.