[ISN] The Ultimate Insider: FBI Analyst Steals National Secrets

From: InfoSec News (alerts@private)
Date: Thu May 10 2007 - 22:36:51 PDT


http://www.informationweek.com/news/showArticle.jhtml?articleID=199500751

By Sharon Gaudin
InformationWeek
May 10, 2007

On the morning of Aug. 5, 2005, an FBI intelligence analyst sat at his 
desk and accessed the agency's main database. He downloaded a classified 
document, copied it onto a disc and dropped it into a bag beside his 
desk.

Leandro Aragoncillo -- a career Marine who had served under two vice 
presidents in the White House -- was stealing information in an attempt 
to foster a political coup in the Philippines, his home country. He knew 
he had no authorization to take or pass along the information, but, so 
far, it had been so easy.

What Aragoncillo didn't know was that on this particular morning, after 
nearly four years of espionage, the feds were spying on the spy. Agents 
were watching him at his desk via video surveillance. At the end of the 
workday, the man who was set up as the perfect inside threat took the 
bag with the disc inside and left the office. Agents tailed him as he 
drove home and took the bag, with the stolen classified information, 
inside.

A little more than a month later, federal agents would execute search 
warrants on the houses of Aragoncillo and his U.S.-based conspirator, 
Michael Ray Aquino, a resident of the Philippines who was in the country 
on a visa. Both men were arrested that day after agents found more than 
736 classified documents between the two homes.

The arrests marked the end of what prosecutors called a "criminal 
conspiracy against the United States that spanned the globe, involved 
the theft of classified national defense documents" from the White 
House, the FBI, the Department of Defense and the U.S. State Department. 
The scheme included a group of conspirators who ranged from the former 
Marine turned FBI analyst to an ousted Philippine president to a foreign 
intelligence officer on the lam from double murder charges.

It is the first time in modern history that someone has been charged 
with spying out of the White House.

As it stands today, both Aragoncillo and Aquino have pleaded guilty and 
are awaiting sentencing this summer in U.S. District Court in Newark, 
N.J. Aragoncillo faces a maximum of 15 to 20 years based on his plea 
agreement. Aquino faces a max of 10 years, but after he serves his time 
here, he's expected to be shipped back to the Philippines to face 
various charges there.

It's still unclear what, if anything, will happen to the other 
conspirators, who are not U.S. residents. It's also unclear what steps 
the FBI and the White House have taken to shore up their information 
safeguards and to better vet the people working there.

What is clear is that the technology -- text messages, Web-based e-mail 
accounts and database queries -- that fed their plot also helped the 
government track them down and build an air-tight case against them. The 
e-mails sent, the phone calls made and the stolen information that one 
man actually archived on a set of CDs like a catalogue of wrong-doing 
all left a digital trail that was their ultimate undoing.

"In this particular espionage investigation, the computer forensic work, 
as it relates to tracking Aragoncillo's information to his 
co-conspirators, was critical to prosecuting and ultimately obtaining 
guilty pleas for Aquino and Aragoncillo," said Assistant U.S. Attorney 
Karl Buch, who prosecuted the case, along with Assistant U.S. Attorney 
Michael Buchanan. "The information we were able to derive from searches 
of the e-mail accounts and the home computers provided overwhelming 
evidence of the conspiracy."

Aragoncillo, now 48, was born and raised in Manila, the capital of the 
island nation long fraught with turmoil and political battles that have 
been waged with both words and weapons. He moved to the U.S. in the 
1980s and soon joined the U.S. Marine Corps. In 1999, the military 
rewarded Aragoncillo's years of service with a plum assignment. He 
became a staff assistant to the military advisers in the Office of the 
Vice President. He began his service under former Vice President Al 
Gore and remained on and served under Vice President Dick Cheney. 
Aragoncillo was given Top Secret clearance.

According to a sentencing motion, in the summer of 2000 then-President 
of the Philippines Joseph Estrada visited the U.S. and the Clinton 
administration hosted him at a State Dinner at the White House. 
Aragoncillo was in attendance and was introduced to Estrada. He even 
handed out his business card to members of the Philippine delegation.

It was the beginning of a troubled time.

That same fall, Estrada was accused of corruption and he was impeached. 
According to the motion, to steady his newly unstable footing, the 
Philippine president and his cohorts thought of Aragoncillo and his 
proximity to what they hoped would be beneficial information about their 
region. A representative called Aragoncillo and asked him to provide 
them information.

That's all it took. Aragoncillo agreed to do it.

In January of 2001, court papers show that Aragoncillo traveled to the 
Philippines and dined with Estrada at the Malacanang Palace. When he 
returned, he began pilfering and transmitting documents to Estrada and 
other co-conspirators.

The indictment and the sentencing motion both note that Aragoncillo's 
years as a spy were made up of clandestine meetings, an alias, code 
words, and computer misuse. Documents show that he stole classified 
information from the White House and from the famed Situation Room. He 
even was brazen enough to send documents he was not authorized to access 
to his contacts from a White House fax machine.

According to court papers, Aragoncillo walked out of the White House on 
a fairly regular basis with classified documents on a disc in his bag. 
He stole information about the Philippine economy, confidential U.S. 
intelligence sources and even terrorist threats against U.S. military 
personnel stationed in the Philippines.

That information well went dry for the conspirators when Aragoncillo's 
stint at the White House came to a natural end in 2002. He later retired 
from the Marine Corps in 2004.

However, Aragoncillo wasn't done yet.

Over time, Aragoncillo applied for jobs at the CIA, the National 
Security Agency and the FBI to "maintain regular access to documents and 
information classified for national security," according to the 
indictment.

In July of 2004, he began his new job as an intelligence analyst with 
the FBI. In September, he began searching the FBI's Automated Case 
System, which is the agency's main database, for classified documents 
relating to the Philippines and its new president Gloria Macapagal 
Arroyo. The sentencing motion showed that he began accessing, 
downloading and printing classified documents that belonged to the FBI, 
the Department of Defense, the CIA and the U.S. State Department. Court 
papers noted that many of the stolen documents held national defense 
information.

Aragoncillo's first misstep was when his U.S.-based contact, Aquino, was 
arrested in March of 2005 for overstaying his tourist visa. Aquino has 
quite a history, himself. A trained intelligence officer in the 
Philippines, he was in the U.S. avoiding an investigation that 
implicated him in the kidnapping and murders of a publicist and his 
driver. The bodies had been burned and were only identifiable by their 
dental records.

Instead of lying low, Aragoncillo actually went to the U.S. Immigration 
and Customs Enforcement office and vouched for Aquino, identifying 
himself as an FBI employee.

Immigration agents thought it was odd and reported it to the FBI, which 
soon began to take a look at the queries Aragoncillo had been running. 
When they saw that he had been running searches and downloading 
information that had nothing to do with his job, they began to look 
deeper. The government reported that investigators then found a 
discarded e-mail on his FBI account that referred to one or two Hotmail 
accounts, a Yahoo account and an alias. With court orders, the 
government went to both Hotmail and Yahoo. Once they saw those e-mails, 
they automatically began collecting the e-mail addresses of his 
co-conspirators. That led them to IP addresses and then actual physical 
addresses.

Aquino left three years' worth of e-mails -- more than 2,000 messages -- 
in his account. It was a virtual treasure trove of information.

At that point, investigators set up real-time monitoring, gathering a 
mounting pile of evidence against Aragoncillo, Aquino and the other 
conspirators.

In September, while investigators were watching, Aragoncillo downloaded 
and transmitted a document regarding a political coup in another 
country. One of the names on the document was Condoleezza Rice.

The sentencing motion noted that when Aragoncillo e-mailed out the 
information on the coup, he wrote, "The attached info could be used a 
'guidance', if and when you intend to install a military council and 
later transition to a 'civilian cabinet.'" Later in a telephone call 
about the document, Aragoncillo called it a "blueprint on how to" 
execute a coup.

Within a week, the feds descended on Aragoncillo's and Aquino's homes, 
executing search warrants and arresting both men. Documents showed that 
Aragoncillo hadn't even deleted many of his e-mail messages and Aquino 
had neatly stored information on CDs that he kept in his house.

Aragoncillo pleaded guilty last spring. Aquino also cut a deal. Charges 
have not been brought against the other conspirators but the 
investigation continues.

The prosecutor filed a classified brief to the court outlining what the 
government says is the damage done to the United States in the four 
years of espionage that touched two governments, several federal 
agencies and even the White House.

