Comodo hacker says he's protesting U.S. policy

The person (or persons) involved in the high-profile intrusion into Comodo's network says he's a 21-year-old cryptographer protesting U.S. foreign policy.

Declan McCullagh, Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.

After a hacker obtained fraudulent digital certificates that could be used to impersonate Google, Yahoo, Skype, and other major Web sites, the security company that issued them blamed the Iranian government.

There is only "one conclusion," Comodo, the Jersey City, N.J.-based issuer of digital certificates, said in a report tracing the intrusion to Iran. "This was likely to be a state-driven attack."

Well, not quite. The perpetrator claims to be a 21-year-old Iranian patriot--a "single programmer with the experience of 1,000 programmers"--who told CNET he carried out the intrusion in large part to protest the policies of the U.S. government.

As proof, "ComodoHacker" has posted the private half of a digital certificate obtained during the intrusion into the network of GlobalTrust, a Comodo reseller in Italy. (ComodoHacker also uses the aliases "Sun Ich" and "Ichsun," which he says are random.)

That was enough to convince the skeptics. Robert Graham of Errata Security described how he verified the digital certificate, meaning that ComodoHacker did have information that only Comodo, or the perpetrator of the intrusion, would be able to obtain. Even Melih Abdulhayoglu, Comodo's founder and chief executive, now says he's convinced of ComodoHacker's identity: "They've proven themselves," he said.
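The verification Graham performed comes down to one question: does the published private key actually correspond to the public key embedded in the certificate? The script below is an added example, not code from the article, Errata Security or Comodo; it assumes only that the openssl command-line tool is installed, and it generates its own constructed certificate and keys rather than touching any real Comodo or GlobalTrust material. It goes slightly beyond the article by showing two independent checks: comparing the SubjectPublicKeyInfo derived from the key with the one carried in the certificate, and having the key sign a fresh nonce that the certificate's public key must verify (the form a claimant could use to prove possession without publishing the key at all).

```shell
#!/bin/sh
# Added example (not from the article, Errata Security or Comodo): does a private key
# belong to a given X.509 certificate? All key material here is constructed locally.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test material: one certificate with its genuine key, plus an unrelated key.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=constructed-test-cert" \
    -keyout "$WORK/genuine.key" -out "$WORK/cert.pem" >/dev/null 2>&1
openssl genrsa -out "$WORK/unrelated.key" 2048 >/dev/null 2>&1

# pubkey_fingerprint_of_key KEYFILE: SHA-256 of the DER SubjectPublicKeyInfo derived from the private key
pubkey_fingerprint_of_key() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# pubkey_fingerprint_of_cert CERTFILE: SHA-256 of the DER SubjectPublicKeyInfo carried in the certificate
pubkey_fingerprint_of_cert() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# key_matches_cert KEYFILE CERTFILE: succeeds only if the key's public half equals the cert's public key
key_matches_cert() {
    k=$(pubkey_fingerprint_of_key "$1")
    c=$(pubkey_fingerprint_of_cert "$2")
    [ -n "$k" ] && [ -n "$c" ] && [ "$k" = "$c" ]
}

# signs_for_cert KEYFILE CERTFILE: independent proof-of-possession check. Sign a fresh random
# nonce with the key and verify the signature with the certificate's public key; a claimant
# who can do this on demand holds the key, without ever having to publish it.
signs_for_cert() {
    dd if=/dev/urandom of="$WORK/nonce.bin" bs=32 count=1 2>/dev/null
    openssl dgst -sha256 -sign "$1" -out "$WORK/nonce.sig" "$WORK/nonce.bin" 2>/dev/null || return 1
    openssl x509 -in "$2" -noout -pubkey 2>/dev/null > "$WORK/cert.pub"
    openssl dgst -sha256 -verify "$WORK/cert.pub" -signature "$WORK/nonce.sig" \
        "$WORK/nonce.bin" >/dev/null 2>&1
}

# Stand-alone run: the genuine key should pass both checks, the unrelated key should fail both.
for key in genuine unrelated; do
    if key_matches_cert "$WORK/$key.key" "$WORK/cert.pem"; then
        echo "$key.key: public key matches cert.pem"
    else
        echo "$key.key: does NOT match cert.pem"
    fi
    if signs_for_cert "$WORK/$key.key" "$WORK/cert.pem"; then
        echo "$key.key: signature over nonce verifies with cert.pem"
    else
        echo "$key.key: signature does NOT verify with cert.pem"
    fi
done
```

A matching public key proves that whoever published the key had access to material only the certificate's legitimate holder (or someone who compromised them) could have; it says nothing about who that person is, which is exactly the caveat the article raises next.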

Of course, that doesn't mean that anything ComodoHacker says about his age, motivation, nationality, and so on is true. And it's also possible that the original perpetrator shared the private half of the digital certificate with third parties, or that it was a group effort in the first place. On the other hand, ComodoHacker has published still more details, including a decompiled file called TrustDLL, about GlobalTrust's systems.

In a series of e-mail messages over the last week, ComodoHacker said that he took over two more Comodo resellers (which the company partially verified).

He said that he compromised "one more" certificate authority besides Comodo, and "if I need I could do more," but declined to identify which one. When asked whether he obtained fraudulent certificates from it, he replied: "Sure."

ComodoHacker says he's never left Iran: "No, I never traveled, I feel so good and safe in my own country." He enjoys visiting, he says, the cities of Mashhad, Shiraz, and Yazd.

Part of the reason he pulled off the hack was, he said, revenge for Stuxnet, which was malware that targeted the Natanz nuclear enrichment plant in Iran and has been linked to the U.S. government or its contractors.

Here's more from ComodoHacker:

On Stuxnet: "USA authorities should understand, they can't do anything they want, they can't look in the world and in internet to find me, but they have no any problem with HBGary CEO which produces malwares to infect people in middle east, they should understand if they sniff emails, I (as 21 years old person) personally can do, we should be equal, I mean CIA and myself. That's the message."

On U.S. foreign policy in the Middle East: "They don't have any policy, their policy is just killing innocent people in Afghanistan and they killed millions in Iraq, just for one this: OIL. The world isn't safe with USA policies, they just attack, they just start wars, they use nuclear weapons (Hiroshima), they don't know anything about talking, see recent USA soldiers scandal in Afghanistan, they kill afghan people for fun. They should learn some basics, first basic thing they should learn is killing and destroying would not solve any of their problem. Killing people with nuclear weapon never solved anything, killing my country's nuclear scientist never solve their problem. I really care about earth future, when a country like USA and Israel with such administration try to rule it. Simply they failed."

On whether he agrees with Mahmoud Ahmadinejad on Israel: "Totally. Israel is 63 years old regime who occupied Palestinian people's land, they should let Palestinian people decide about their own land, simply they occupied Palestine with help of ENTIRE world, including UK, USA and even Germany and others."

Comodo's CEO hasn't relinquished his belief that ComodoHacker is tied to the Iranian government. He "claims to be pro-government," Abdulhayoglu says. "He's using the media to threaten all the democracy-movement people now."

It's possible that the Iranian government is behind ComodoHacker, who has quickly established a combative online persona that uses Twitter to lament the "stupids" who doubt his exploits and employs hash tags like "#usagovfail" to condemn the West's understanding of Islam and Iran. But that might be attributing too much to a sometimes-brutal regime that the advocacy group Reporters Without Borders says actively censors opposition Web sites, jams satellite broadcasts, and limits Internet connection speeds when criticism of its policies mounts.

Peter Gutmann, a computer scientist at the University of Auckland in New Zealand, offered this salient observation on a Mozilla forum: Comodo "wasn't owned by a nation-state cyberwar agency but by a random script kiddie having some fun."
