
Ep. 11: The Entrepreneur and the Jihadist

DINA TEMPLE-RASTON: Chris Ueland is the kind of guy who actually uses the words “Holy
cow” in the course of a regular conversation.

CHRIS UELAND: Like holy cow, how did this happen?

TEMPLE-RASTON: And his holy-cow-how-did-this-happen moment began about ten years
ago, in April 2012.

And it involved an unexpected hack. This is the first time he’s telling this story to a reporter.

UELAND: You know, we'd kind of kept quiet about it for so long.

TEMPLE-RASTON: Ueland is a serial entrepreneur, and a little more than a decade ago he
started a company called MaxCDN. It was a global content delivery service, so it was loading
content locally to make websites run faster.

It was based in L.A.

UELAND: And we got this very, very weird live chat that we thought was fake at first. It was a
gentleman with a weird name, basically saying that, you know, he was going to hack us.

(THEME MUSIC)

TEMPLE-RASTON: The customer service rep called Ueland over and Ueland is watching the
back-and-forth between his employee and someone with a strangely menacing email
address: [email protected]

UELAND: He was asking for access to specific clients, you know, to presumably infect their
delivery with some kind of malware. And we wouldn't give it to him. And so it escalated from
there where then he asked for a ransom. He asked for $1,337 in Bitcoin.

TEMPLE-RASTON: Do you remember what went through your head?

UELAND: We're going to go out of business. That's what went through my head is, like, my
customers — I need to protect them and this is not good. That was just looping through my
head is, like, how deep does this go?

TEMPLE-RASTON: Turns out it went very, very deep — and far beyond this little California
company…

(THEME MUSIC)

TEMPLE-RASTON: I’m Dina Temple-Raston, and this is Click Here, a podcast about all things
cyber and intelligence.

Today, the untold story of a random hack that helped send one of the world’s most
notorious hackers to prison. And what happened after that, well…

UELAND: Holy cow.

TEMPLE-RASTON: Stay with us.

(BREAK)

TEMPLE-RASTON: In June of 2011 — almost a year before the hack at MaxCDN — a
17-year-old from Birmingham, England, was wreaking havoc on the British political scene.

His name was Junaid Hussain, and he and his friends had managed to break into an email
account that belonged to a staffer who was working for the former Prime Minister, Tony
Blair.

(MUSIC)

ARCHIVAL TONY BLAIR: This government, unlike the last government, is actually governing
in the interest of the people…

TEMPLE-RASTON: Tony Blair, you remember him. The youngest British prime minister since
1812, elected in 1997.

So Hussain found the staffer’s copy of Blair’s address book, and he thought it would be
funny to publish it. So he set up a website and provided the names, phone numbers and
identifying information on a bunch of people in Blair’s inner circle.

Blair didn’t find it so amusing.

ARCHIVAL BLAIR: What happened in relation to the hacking was, uh, pretty despicable…

TEMPLE-RASTON: But it managed to put Hussain and his hacker friends on the map.
Suddenly, everyone knew the name of this group called TeaMp0isoN.

ARCHIVAL NEWS FOOTAGE: …TeaMp0isoN, an anarchist hacktivist collective…

TEMPLE-RASTON: TeaMp0isoN used to tell this one journalist and hacktivist named Lorraine
Murphy about their antics before they went public.

LORRAINE MURPHY: They would call me and say, we're going to do this. And do you want to
interview us? It'll happen on this day, you can interview us an hour later or whatever.

TEMPLE-RASTON: And Murphy said they thought the Blair address book hack was hilarious.

MURPHY: They were just saying, this is so funny. You are going to love this when it hits.

TEMPLE-RASTON: She and Junaid Hussain had met years earlier on Twitter.

MURPHY: …which is basically where I live. He was very much active in Anonymous activities,
so I came across him on that and had been writing about Anonymous since about 2006.
And we just got chatting, and you know how some people you just click with? I just clicked
with him.

TEMPLE-RASTON: She said he seemed like a nice guy. A sweet guy.

MURPHY: When we would talk, he would say, oh, you sound a little down, sister. Can I
maybe give you some music to make you feel better? And he would give me some music
that I really didn't like (laughs)

TEMPLE-RASTON: Rap Music. She didn’t like his rap music.

(MUSIC)

MURPHY: But he was trying. He felt the pain of entire groups.

TEMPLE-RASTON: Murphy said it was that empathetic side of him that seemed to motivate a
lot of the TeaMp0isoN’s hacks.

MURPHY: They had a philosophical basis for all this. TeaMp0isoN really did think that the
government needed to be taken down a peg. They needed to be taught to respect the
privacy of the people. So although they were trolls and although a lot of this was hilarious, it
still had a moral imperative.

TEMPLE-RASTON: Which was, power to the people.

MURPHY: Power to people.

TEMPLE-RASTON: In other words, as they saw it, they weren’t breaking into servers for
money or revenge. They thought they had a nobler purpose. Murphy says TriCk genuinely
believed that all this hacking could draw attention to things that needed to change in the
UK.

MURPHY: The people shouldn't fear the government, the government should fear the
people kind of thing. And that's where they were coming from.

TEMPLE-RASTON: Even a former Prime Minister wasn’t safe from them, their hacks seemed
to say.

MURPHY: From a propaganda position, you have to understand that a successful troll like
that is hugely powerful, not just for you and your team, but for everyone who sees it. It tells
everyone that the target is vulnerable.

TEMPLE-RASTON: And there were lots of vulnerable targets back then. Between 2010 and
2013 the teenagers who made up TeaMp0isoN claimed to have broken into more than 1400
different servers and websites.

They’re believed to have hacked Mark Zuckerberg…

ARCHIVAL ZUCKERBERG: …hack our early identity…

TEMPLE-RASTON: French President Nicolas Sarkozy…

(ARCHIVAL SARKOZY SPEECH)

TEMPLE-RASTON: Blackberry…

(BLACKBERRY PING)

TEMPLE-RASTON: Even Scotland Yard’s counter-terrorism hotline…

HOTLINE: You’re constantly blocking our lines…

TEMPLE-RASTON: In that case, they bombarded the switchboard with automated calls until
it crashed.

HOTLINE: There are people that genuinely need to get through and talk to us. And you’re
blocking these lines — you are!

TEMPLE-RASTON: Not long after the attack, Junaid Hussain gave an interview to The Telegraph
newspaper, and he told them that he’d hacked the terrorism hotline because, in his
opinion, terrorism didn’t exist.

He said authorities fabricated it to demonize Islam.

Against that backdrop, the hack on Chris Ueland’s company seemed almost pedestrian.

(MUSIC)

TEMPLE-RASTON: Justin Dorfman was on duty when TriCk appeared in the MaxCDN chat.

JUSTIN DORFMAN: I was kind of like on the higher up, uh, more senior level, uh, support
person.

TEMPLE-RASTON: And one of the people on his support team sent him a message saying
some guy named TriCk was threatening to hack their site.

DORFMAN: And we were just, like, being very careful with what we said, because he was very
trigger happy and didn't seem that stable, and just very immature.

TEMPLE-RASTON: Yeah, at one point he asked for money and eight seconds later, he says,
have you got my money yet?

DORFMAN: Right. Right. Exactly.

TEMPLE-RASTON: Do you know who I am? The hacker wrote. This is TriCk from TeaMp0isoN.

It meant nothing to Justin. He just kept the guy talking.

TEMPLE-RASTON: It seemed like you were almost like, you know if you have a kidnapper in
the movies…

DORFMAN: Yeah!

TEMPLE-RASTON: …and you try to keep the kidnapper on the line as long as you can…

DORFMAN: Honestly, that's how I kind of felt like it because I knew if we came back at him
hard, it was going to backfire on us.

TEMPLE-RASTON: Just to prove he was serious, TriCk starts defacing their website.

DORFMAN: I was like, okay. You know, obviously this guy, uh, knows what he's doing. So I
didn't really care who it was because he already proved himself.

TEMPLE-RASTON: Then, TriCk suggests that Justin just give him access to some of
MaxCDN’s clients. They could forget the ransom.

Justin said he was particularly interested in something called Stack Overflow, which is
basically an online reference for computer programmers. Programmers use it constantly.

DORFMAN: So if he could get access to that and basically tell that TeaMp0isoN powned and
owned, uh, Stack Overflow, then you know, that's just a feather in his cap.

TEMPLE-RASTON: The problem for TriCk? MaxCDN said no. It wasn’t just the principle of the
thing — there was no way they were going to give hackers access to customer networks.

But the truth was MaxCDN didn’t actually host StackOverflow. It just had some of its files.
And there was one other thing about this that was weird: Chris Ueland remembers that
TriCk kept mentioning Syria. Like, the country.

UELAND: Syria wasn't really in the consciousness of things at that time. So it felt like some
kid pretending to be Syrian, pretending to be, you know, with the Syrian Electronic Army.

TEMPLE-RASTON: The Syrian Electronic Army was a group of computer hackers that supported the
government of Syrian President Bashar al-Assad. They first surfaced in 2011.

Why he was mentioning Syria would become clear later. All you need to know right now is
that Ueland and his team reacted like anyone would if they’d been hacked: They started
moving to protect their clients, and they called in the FBI.

UELAND: I’d never done that before. But we called into the FBI. I didn’t expect a lot.

TEMPLE-RASTON: FBI agents showed up to talk to them two days later.

UELAND: …and met us at an Italian restaurant near the office.

TEMPLE-RASTON: A spot called Miceli’s.

UELAND: It’s actually a really cool place. It’s, uh, singing waiters and waitresses.

(SINGING WAITER AT MICELI’S)

UELAND: It's kind of comfort Italian food. It’s like a Hollywood icon.

TEMPLE-RASTON: And were there singing waiters while you were explaining to him?

UELAND: At lunch? (laughs) No. So it's very calm.

TEMPLE-RASTON: So, no singing.

Ueland said the agents tamped down expectations that they’d ever find and punish the
people who had cracked into MaxCDN’s systems. And he thought that was the end of it. But
then…

UELAND: It must've been like a couple of months afterwards. We got a call with an update
and it was, Hey, there's a situation. And we're working with the London Metro police, and we want to
share some information.

TEMPLE-RASTON: The Tony Blair hack, the terrorism hotline — a legal case was building.
And they needed Ueland’s help.

UELAND: We were just like, holy cow, how did we wind up in the middle of all this?

(MUSIC)

TEMPLE-RASTON: When we come back, TriCk’s hacktivism takes a darker turn.

This is Click Here.

(BREAK)

TEMPLE-RASTON: By 2012, TriCk and TeaMp0isoN had launched more than a thousand
hacks.

And this wasn’t something they did quietly. They crowed about it. They set up a webpage
listing all their victims, and they kept adding to it — taunting authorities, daring them to
bring them in.

The group seemed so untouchable, even the people who were on the receiving end of their
hacks hesitated to help.

Chris Ueland again.

UELAND: We were very reluctant to help the London police with the actual court case
because of fear of retribution.

TEMPLE-RASTON: But months after the MaxCDN attack, the FBI and UK authorities
convinced Ueland that the information that the MaxCDN team gathered would put an end
to TeaMp0isoN’s hacking spree. Initially Ueland had seen TriCk and his crew as kids who
were just showing off their hacking skills.

UELAND: I pictured them as annoying, then I realized it was, you know, dangerous for the
business. Whereas we might've had a customer that got defaced where we would then
replace the website within an hour. Now it's like, okay, my customers are at risk, and there's
nothing I can really do about it.

TEMPLE-RASTON: So right after the hack, the team at MaxCDN got kind of obsessed with
TriCk. Who was this guy? What was he about? What was this TeaMp0isoN group?

And they started compiling a dossier.

UELAND: So we had detailed logs and detailed information on how he had gotten in and his
IP addresses.

TEMPLE-RASTON: And it was that dossier that the FBI wanted MaxCDN to share with
investigators in the UK.

UELAND: And the whole package that we had put together for the FBI was enough to kind
of pin that on him directly.

TEMPLE-RASTON: A U.K. judge who heard the case determined Hussain was a cyber menace
and sentenced him to six months in prison.

UELAND: It was the biggest thing that I had worked on with law enforcement up until that
point. I would assume it was pretty big for them as well, because it was this seemingly kind
of a situation where we could do nothing about it, that turned into something that helped
kind of the world, right?

TEMPLE-RASTON: But the story doesn’t end there – either for Ueland or for TriCk.

Ueland was so changed by the experience he altered the direction of his business and
started focusing on building cyber security companies.

UELAND: And I was like all in on, you know, drinking the Kool-Aid on security after this. And I
was determined to make our next company a security company to try to solve these
problems for people.

TEMPLE-RASTON: And TriCk, he was headed in a very different direction.

Lorraine Murphy spoke to him shortly before his arrest.

MURPHY: He was in a very dark place then. He was saying that he didn't think Britain could
be saved. He didn't think that it was worth his time, is what he said. And that had been
going on for a few weeks. I mean, when you get arrested, you normally know you're going to
get arrested. You see the police following you, they're questioning your friends and so on.
You can see the noose tightening. And I think that's what was happening with him.

TEMPLE-RASTON: And did he feel like what he was doing was wrong?

MURPHY: No, I don't think he ever felt that. I think he felt when he was arrested, that it was
the system smacking him across the face for doing the right thing.

(MUSIC)

TEMPLE-RASTON: Murphy says when he was released, just four months later, he was a
totally different guy.

MURPHY: When he was in prison, he got more into his religion. That moved him from an
anarchist position to more of an organized religion fundamentalist position.

TEMPLE-RASTON: Which is not terribly unusual, frankly. Once you get into prison,
radicalization happens a lot.

MURPHY: Yeah, but for four months? That was pretty shocking.

TEMPLE-RASTON: But maybe he was primed for that sort of thing.

In hindsight, it’s clear that the hacks he dreamed up had a specific political angle. Like
Operation Free Palestine, a scheme targeting Israeli credit cards. Or the naming and
shaming of members of the far-right English Defense League. TeaMp0isoN allegedly took
aim at NATO and the UK Ministry of Defense.

Murphy said their targets were meant to make clear what they thought was wrong with the
U.K.: They attacked institutions they hoped they could change.

But after four months in prison, TriCk had clearly decided to take more action. After his
release he appeared in Syria and joined a group that would go on to rock the Middle East.
We would eventually know them as ISIS.

(MUSIC)

TEMPLE-RASTON: As a member of the group, TriCk played to his strengths. He became their
number one hacker – a leading member of ISIS’s so-called Cyber Caliphate.

Among other things, he broke into the U.S. Central Command’s Twitter and YouTube
accounts. He posted soldiers’ addresses and contacts. He started using new techniques to
recruit foreigners into the group.

With his help, ISIS began using the web to spread their message and launch attacks. They
learned to use encrypted apps, social media, and began to produce splashy online
magazines and videos like this one, called “Flames of War.”

FLAMES OF WAR: The ravenous flame continued spreading, roaring in hunger for fuel…

TEMPLE-RASTON: But for all the hacks and the bravado that marked his teenage years, it
seems most people remember more about the way TriCk died than what he did when he
was alive.

He was killed by an American drone strike just outside Raqqa, Syria, on August 25, 2015.

TEMPLE-RASTON: Where were you when you heard that a drone strike had killed him?

UELAND: I don't remember. I think it was on the news, actually. And it was from a link
someone had sent me that was close to it. I don't remember, but I remember feeling like
holy cow, how did this happen? Is this even real? It just felt so ridiculous and unreal and not
possible.

TEMPLE-RASTON: Murphy heard about it where she got a lot of her information: on Twitter.

MURPHY: Oh, I was very sad. I was shocked because when you’re dead, there's no possibility
of redemption. I always thought, well, he'll get tired of living in a cave in Afghanistan or
wherever. And he'll get tired of all of that. And eventually he'll realize that he's doing harm
and we can get him back. And we never did. We never got that chance.

TEMPLE-RASTON: Junaid Hussain was just 21 years old.

This is Click Here.

(BREAK)

ARCHIVAL FILM: You are the target of those who would trample the liberties of free man.

TEMPLE-RASTON: And this is a film from the 1950s, promoting the Federal Civil Defense Act
— a program intent on preparing the country for attacks.

ARCHIVAL FILM: Train how to fight small fires, knowhow that can help you in any
catastrophe…

(MUSIC)

TEMPLE-RASTON: Now, a major philanthropist hopes to create a more modern equivalent —
a kind of a cyber civil defense force that will prepare the country against cyber attack.

CRAIG NEWMARK: I’m very much a nerd of the 1950s.

TEMPLE-RASTON: That’s Craig Newmark. You may know him as the founder of Craigslist.

NEWMARK: The idea is to defend the country and while we're at it to provide hundreds of
thousands of really good cyber security careers.

TEMPLE-RASTON: Newmark has created some $50 million dollars in grants to do just that.

He wants organizations to build the infrastructure, create policy frameworks and kick start
digital education to make it happen.

And he begins with the Girl Scouts.

NEWMARK: Among the groups we’re funding already, are Girls Who Code and the Girl
Scouts, who are already helping train their membership. I have a neighbor who, I think, just
turned eight. She has three cybersecurity merit badges, and I've discussed this at the
highest levels, who point out that she probably will have no trouble getting clearance.

TEMPLE-RASTON: Newmark says the rash of cyberattacks against this country spurred him
to act.

NEWMARK: For the first time in any substantial way, Americans have been attacked for
military purposes on our own soil, in ways that have never happened before. It's up to all of
us to play whatever role that we can.

TEMPLE-RASTON: The grants Newmark announced last week include support to Consumer
Reports.

NEWMARK: My intentions are to work with them to help them work on the area of cybersecurity
nutrition labels. You want your baby cam to have been tested in good faith so you can have
some confidence that it will be really hard to hack it. Maybe more importantly, you want a
cyber security safety label on your car because cars are now internet connected. And if a
hacker stopped your car while you were on the freeway, or encouraged your self-driving car
to self-drive you off a cliff, either of those things would ruin your day.

TEMPLE-RASTON: As part of this cyber civil defense fund, Newmark is also throwing his
support behind the Global Cyber Alliance and the Ransomware Task Force at the Institute
for Security and Technology. The Aspen Institute’s digital and technology program, Aspen
Digital, will help manage the effort.

(HEADLINE MUSIC)

TEMPLE-RASTON: Here are the top cyber and intelligence stories of the week.

The Record sat down with the leader of Air Forces Cyber, Lt. General Tim Haugh, last week
and he said that the exercises Cyber Command has had with European nations over the
past year have helped pave the way for intelligence and information sharing as Russia
continues its battle in Ukraine.

Lt. General Tim HAUGH: Cyber Command has done a really good job of creating exercise
venues where we can bring multiple nations together. We can share, in particular, our
defensive tradecraft, how we approach our ability to partner with an intelligence element to
give us data, how we then use that data to be more effective.

TEMPLE-RASTON: Nation-state hackers appear to have created a roster of custom-made
tools that can help them breach industrial control systems used in some of America’s
critical infrastructure. In an alert released by the Department of Energy, CISA, the NSA and
the FBI on Wednesday, the agencies warned critical infrastructure operators of potential
attacks on their control systems and SCADA devices. The alert says the tools used in the
attacks were designed specifically for particular controllers and called on companies to be
vigilant.

And finally, thanks to researchers from ESET and Microsoft, Ukraine stopped a possible
attack on its power systems and discovered a new variant of Industroyer, an infamous piece
of malware that was used by Russia's Sandworm group in 2016 to cut power in Ukraine.

CERT-UA, Ukraine’s Computer Emergency Response Team, said the attack used the
malware to target “several infrastructural elements” including high-voltage electrical
substations, computers at a facility, network equipment and server equipment running
Linux operating systems. They didn’t say how close Russia came to shutting down power.

Today’s episode was produced by Will Jarvis and Sean Powers, and it was edited by Karen
Duffin, with fact-checking from Darren Ankrom.

Ben Levingston composed our theme and original music for the episode. We had additional
music from Blue Dot Sessions. Special thanks to Martin Matishak of The Record for his
interview with General Haugh.

Click Here is a production of The Record by Recorded Future.

And we thought we should add, in the interest of full disclosure, Chris Ueland’s latest
company, Security Trails, was purchased by Recorded Future late last year. Recorded Future
had no relationship with Ueland when his brush with TriCk occurred ten years ago.

And finally, we want to hear from you. Please leave us a review and rating wherever you get
your podcasts. And you can connect with us at ClickHereShow.com.

I’m Dina Temple-Raston. We’ll be back on Tuesday.
