British teenager hacked top-ranking US officials using social engineering

How did British teenager Kane Gamble, who at the time was only 15 years old, manage to break into email accounts of the CIA and DNI chiefs, as well as gain access to a number of sensitive databases and plans for intelligence operations in Afghanistan and Iran?

The answer is social engineering.

A day in court

Gamble, who was part of Crackas With Attitude (CWA), a group of hackers with a pro-Palestinian agenda, pleaded guilty to ten offenses under the Computer Misuse Act at Leicester Crown Court in October 2017.

Last week, in preparation for sentencing, Crown Court judge Sir Charles Anthony Haddon-Cave was informed of the details of Gamble’s exploits, which took place between June 2015 and February 2016.

According to the information provided by the prosecutors, Gamble managed to gain access to the Verizon internet account and private AOL email account of then-CIA Director John Brennan, and extract sensitive information from it.

He did so via phone, by pretending to be a Verizon employee in order to trick the company into sharing personal information about Brennan, then using that information to impersonate Brennan to get AOL to reset the password associated with the email account. Ultimately, he managed to trick the help desk handlers into changing the security questions and security number. According to The Telegraph, Gamble eventually gained access to Brennan’s emails, contacts, his iCloud storage account and his wife’s iPad.

By employing the same tactics, he also managed to compromise the Verizon broadband account and personal email account of James Clapper, the US Director of National Intelligence at the time. In addition to this, he impersonated Clapper on the phone and succeeded in making Verizon set up call-forwarding to divert calls made to Clapper’s home phone to the Free Palestine movement.

Gamble’s other victims included:

  • Jeh Johnson, the then-Secretary of Homeland Security. Again, Gamble used a similar approach to gain access to Johnson’s phone, and used that access to listen to his voicemails and send texts from his phone.
  • Mark Giuliano, the FBI’s Deputy Director at the time. Gamble gained access to his home accounts by pretending to be him and then used the information to repeatedly gain access to the FBI’s Law Enforcement Enterprise Portal, even after the password was changed. Gamble used this access to steal and post online personal details of Officer Darren Wilson (who shot and killed black teenager Michael Brown in Ferguson, Missouri).
  • John Holdren, the senior science and technology adviser to former US president Barack Obama. With the help of an accomplice, Gamble also managed to get Holdren’s house “swatted.”
  • Avril Haines, the White House deputy national security adviser at the time, and FBI Special Agent Amy Hess – he accessed their private calls and emails, and gained access to Hess’s computer.
  • The US Department of Justice. Gamble gained access to details about FBI employees and case files, and later published some of that sensitive information online.

As the prosecutors pointed out, CWA has incorrectly been referred to as hackers, as they mostly used social engineering to trick call centers or help desks into helping them get access to email accounts, phones, computers and law enforcement portals.

Gamble said that his exploits were motivated by annoyance at “how corrupt and cold-blooded the US Government are” and his desire to do something about it.

The date of his sentencing is yet to be fixed.