Cyberwar for sale

Mattathias Schwartz reports: On the morning of May 18, 2014, Violeta Lagunes was perplexed by a series of strange messages that appeared in her Gmail inbox. It was Election Day to choose the leadership of Mexico’s right-wing Partido Acción Nacional, or PAN, and Lagunes, a former federal congresswoman, was holding a strategy meeting in her office in Puebla city. The emails seemed harmless, at least at first. One appeared to come from the account of a trusted colleague. It asked her to download and review a document. Lagunes clicked on the link, but it seemed to be broken, so she wrote back to her colleague and asked him to send it again. Elsewhere in her inbox was an email from Google warning her that someone had tried to log in to her account. Meanwhile, she began to receive phone calls from PAN allies, who claimed that they had received emails from Lagunes’s account that she did not remember sending.

Now Lagunes was worried. Around 1 o’clock, she called the colleague who appeared to have emailed her. She reached him at a restaurant, where he was finishing lunch with other campaign allies. “I did not send you an email,” he insisted. A consultant with the campaign — who asked to remain anonymous in order to preserve his relationships with other candidates — overheard the conversation. He knew of other campaign workers who had been receiving similar messages: emails with vague subject lines, asking the recipient to review a document or click a link. The campaign, he realized, had been hacked.

In the vote for party leader, Lagunes and her allies in Puebla — a two-hour drive southeast from Mexico City — were supporting the challenger, a senator who promised to return the party to its conservative roots. But the incumbent was backed by Puebla’s powerful governor, Rafael Moreno Valle. One of Mexico’s rising political stars, Moreno Valle is close to Mexico’s president, Enrique Peña Nieto, and has forged an alliance between PAN and Nieto’s centrist Partido Revolucionario Institucional, or PRI, long the dominant force in Mexican politics. Since winning the governorship in 2010, Moreno Valle’s opponents say, his ambitions have grown, and he has resorted to increasingly harsh measures to keep Puebla state — including members of his own party — under control. “In the beginning, the governor was low-profile and respectful,” Rafael Micalco, a former leader of PAN in Puebla state, told me. “When he became governor, he transformed. Now he controls the party through threats.”

This race to retain control of the party leadership in 2014 was a crucial test for the governor, who was rumored to be considering a run for Mexico’s presidency in 2018. (This past September, Moreno Valle publicly announced his intent to run.) Clashes between the two camps were especially intense in Puebla, where backers of the challenger, Ernesto Cordero, claimed that the governor was using public money to support the incumbent, Gustavo Madero, though the governor’s office has denied these charges. Shortly before the election, Madero’s campaign manager said that Cordero’s side was trying to undermine the legitimacy of the process. “Their strategy is clear from the outset,” he said in an interview with a Mexican magazine. “ ‘If I win, good. If not, I was cheated.’ ”

After Lagunes’s call on Election Day, her colleagues rushed from the restaurant back to their local headquarters, a hotel conference room that they had nicknamed “the bunker.” All morning, they had been trying to reach their field network, a group of 40 Cordero canvassers who were working to get out the vote in Puebla state. But the field network seemed to have gone dark. Few of the canvassers were even answering their phones. Hackers, the team concluded, must have found the list of the canvassers’ names and phone numbers — widely circulated by email within the campaign — and begun to intimidate them.

“The day before,” the consultant told me, the field network was “motivated and eager to do this work. After the hack, it was very hard to reach them. The few who did answer said that they had received phone calls saying that their lives were at stake. They were worried that if they went out, they or their families would get hurt.”

According to another worker on Cordero’s campaign, who also requested anonymity, citing fear of reprisal, the message to the canvassers was simple and direct: “We know who you are. If you don’t want any trouble, shut down your cellphone and stop your activity.” The worker added: “It’s an authoritarian regime.”

Madero won the election, with 57 percent of the 162,792 votes cast over all. In Puebla, his margin was substantially larger, roughly 74 percent. Cordero’s team decided not to contest the result. They had suspicions about how they were hacked. But it would be another year before any evidence emerged. Their political enemies, leaked documents seemed to show, had built a spying operation using software made by an Italian firm called Hacking Team — just one of many private companies that, largely below public notice, have sprung up to aid governments in surveilling the private lives of individual citizens. The industry claims that its products comply with local laws and are used to fight crime and terror. But in many countries around the world, these tools have proved to be equally adept at political espionage. [Continue reading…]

Print Friendly, PDF & Email