Author: Olivia Terragni e Massimiliano Brolli
Pubbication date : 29/10/2021
It is about a hacker who has come to the fore in 2010 with a series of illegal activities (arrested in June 2009), which led to 9 years of imprisonment, after installing malware in the infrastructure of the WB Carrell Memorial Clinic in Texas on a dozen servers, to control them.
Ghost Exodus later said it was aware that hacking of the hospital’s IT infrastructure could affect the facility’s temperature and the treatment and recovery of patients housed in the facility.
Ghost Exodus was also the leader of the black hacker group Electronik Tribulation Army and admitted that he intended to use the compromised computers to launch DDoS attacks on the websites of other rival black hacker groups.
Today Ghost Exodus, whose name is Jesse William McGraw, “did his time” and got the chance to reflect on everything that has happened. RedHotCyber, wanted to meet him to understand what snaps in a hacker’s mind – who by definition is someone able to look beyond, solving problems in an unconventional way – in carrying out illegal activities able to damage other individuals.
RHC: Hi McGraw and thank you for your time and this interview.
As you know RHC is a cybersecurity magazine that aims to make people aware of cyber risks. What do you think about our mission?
McGraw: I think it’s great, especially when you consider the current climate we are in when it comes to cybersecurity awareness. The more people are informed, the more momentum you can cause toward creating motivation to adopt better security practices. What RHC is doing is vital.
RHC: We are well aware of your exploits and also about the problems that the 2010 hacks caused you. The thing that has always fascinated us is to understand what snaps in a hacker’s mind to carry out activities that can harm other people. Obviously, in your case, it was not the economic motivation. What led you to do what you did? Surely you have thought about it, in this long period.
McGraw: For starters, I would like to take a moment to clear the air of any misconceptions that have arisen due to the overly vague Justice Department press releases, which largely drive a narrative of what “could have” occurred if I “would have” done this or that, and less about what I actually did and why I did it.
Let’s start by clarifying that the victim, in this case, wasn’t a hospital. The Carrell Clinic is a private clinic that specializes in Orthopedics and sports medicine.
While this might sound like semantics, the former stirs one to imagine Emergency Rooms, Intensive Care Units, and Pregnancy wards being the possible victims of my actions. This isn’t true. No patient records were accessed and no patient diagnostics were altered. Noone died. These were mentioned as possibilities “IF” I had harbored the motive to pursue them, which is not what I was charged with doing.
It may come as a surprise, but the clinic was not my target. Yes, the actual target was a hacking group, namely a handful of individuals. However, in a nutshell, I installed the botnets on several computers belonging to the clinic as a final act of desperation to take the law into my own hands. At any rate, I wanted to borrow some of their bandwidth to send a few megabytes of packet data, seeing as the botnet pool wasn’t actually that large.
I was being cyber stalked and the lives of my wife and 13 months of baby were being threatened (including my own) by certain threat actors on the internet. While most cases of this nature can be chalked up as juvenile posturing, I felt this had a different tone, and I needed to take the issue seriously.
In several instances, the actors were getting closer to doxing me, and possibly acting on the information they were after. One of my own members also became a victim of stalking and threats against his son, and though he reported it to the police, the police never followed up on the reports. When they came to his home and vandalized it, I really felt I had to go forth and report what was happening to myself too.
So, after months of debating for fear of incriminating myself as the leader of a hacking group, I filed a complaint with the FBI’s Internet Crime Complaint Center (IC3). But no follow-up occurred, and the fear and anxiety really hit me because I had to decide if whether or not I needed to take the law into my own hands to send a message to these individuals to leave us in peace. That’s when I committed my crime, in an effort to silence these individuals, destroy the platforms they used to collaborate, and ultimately stop them from their actions.
RHC: Cybercrime has changed a lot today: while 10 years ago the economic motivation was only a part of the motivational drives, today is attracting many young hackers as the money is quick and easy and the risks are almost zero. What do you think about cybercrime today?
McGraw: Cybercrime is so prolific that it sometimes feels a little overwhelming when you think of the worldwide scope of the sheer number of threats popping up. But we’ve never been more ready for it than any of time in history. I say this because industries are waking up and finally taking cybersecurity seriously, and incident response planning has finally been realized as a vital necessity in knowing how to establish a viable defense and actionable responses in the event that a security incident occurs. People seem less naive than they were. Slowly, security is hardening. We will never eradicate threats, but we are evolving at the same speed as the threats that emerge.
RHC: Ransomware is spreading, becoming geopolitical: a cyberpolitics problem, actually. Knowing the “dark side of the force”, what do you think about a probable dispute between superstates – as US – and a series of cyber gangs who join to harm them?
McGraw: I really feel the United States has been sluggish in staying up to speed with the technological wisdom of older, yet more advanced countries like Russia and China. They have produced some of the most powerful APT units. The United States has a responsibility to step up its game and keep up with its competitors. The U.S. isn’t ready to defend itself upon a digital battlefield against a superstate threat actor. It seems we absorb more attacks than we actually launch them. Or perhaps we issue counter-attacks but don’t brag about them in the media. Whatever the case may be, I think our cyber warfare initiatives are quieter than in other countries.
RHC: What is the state of infrastructure security today? The national security infrastructures of all countries are collapsing under the grip of criminal hackers. What should countries do to survive cybercrime attacks?
McGraw: The reason why any commercial or government cybersecurity infrastructure is failing against the rise of cyber threats is that not every business, private citizen, or governmental department is on the same page. As a country, we should have introduced cybersecurity in our education systems decades ago.
In 2019 I was going through the Dallas Courthouse and saw a computer being used by the U.S. Marshals for booking new inmate arrivals. It was the same exact Windows XP station they used to book me in 2009! I talked to the U.S. Marshal about it being a discontinued operating system and that it stood to jeopardize the integrity of the entire network and every device connected to that network. He laughed off the risk, saying “You know what they say, if It’s not broken, don’t fix it.”
It’s almost as if we need a global authority on cybersecurity. Or a national authority, but it would have to be made up of the best hackers on the planet. However, such systems ultimately could become a trojan horse for tyranny.
RHC: Let’s talk about your infosec writing: you wrote about the importance of Incident Response Planning. How important and effective is?
McGraw: Companies have a responsibility to their customers to have actionable defensive strategies ready to deploy in the event of a cybersecurity incident. When you have a team of specialists ready to go at a moment’s notice, who have rehearsed strategies in responding to incidents, have researched and implemented the latest responses to security threats, it’s effective.
Incident Response planning is critical to the vitality of a company and needs to be thought of it that way. One way or another, a cybercriminal is going to try to break in. It’s only a matter of when.
RHC: We want to get to know you better. What is fair and unfair in our society and what about free press or surveillance?
McGraw: Freedom of the press has become kind of questionable lately because the laws that protected the free press no longer insulate journalists and reporters when certain conditions are met under The Espionage Act, under Title 18, U.S. Code Sections 793 and 798. Take the case of Julian Assange, and journalists with ties to the documents leaked to them by Edward Snowden. It’s a dangerous time to be a journalist and be on the receiving end of a monumental leak that could damage the image of an American business or country.
Look at the American journalist Barrett Brown. His prosecutor sought to get him 105 years in prison for merely receiving a link to a data dump.
RHC: Ghost is a highly sensitive person, you play the violin and the piano. Hacking has always been a subject very close to art. What blends hacking, innovation, art, and music?
McGraw: Music involves emotion, which inspires innovation. Music becomes a conduit for creativity, which helps open the mind, which is really conducive for creating the right conditions for hacking. Hacking isn’t a traditional art form, but it does involve a lot of creativity on the part of the hacker. Take programming, as an example. Each coder his their own style, their own flair, and their own personality that becomes evident in the codes they write.
(Do you know the famous hacker group Cult of the dead cow? CdC became a record label and its founder Grandmaster Ratte was a good guitarist….).
McGraw: Yes. I used to have good friends in the cDc back in the day 🙂
RHC: Heroes don’t come back. Survivors return home: you said you are a survivor. Who is your hero?
McGraw: I have multiple personality disorder. It may be strange to admit, but my alter, GhostExodus, is my hero. GhostExodus isn’t just my screen name. This is a compartmentalized aspect of who I am, and who I became when subjected to trauma; the one who got me through it when I wanted to give up, and the part of me that can somehow survive anything, against insurmountable odds.
RHC: The world is increasingly digitized and today there are no real things in the world that are completely dissociated from the virtual world. Do you believe that the escalation of cyber attacks could lead to an upcoming de-digitalization or rather, to people who want to live without digital?
McGraw: It would be good for societies to know what it’s like to live in an environment without computers. Perhaps more books will be read, and people will become more independent like our ancestors. I’m a little biased. I spent 5 months living off the grid in the wilderness and enjoyed the simplicity of life and the beauty of it that we miss when our focus is so obsessed with internet things. But to answer your question, only time will tell 🙂
Thank you, Ghost!