Sinaloa drug cartel hired a cybersnoop to identify and kill FBI informants

A major Mexican drug cartel insider grassed on his fellow drug-peddlers back in 2018, telling the FBI that a cartel “hacker” was tracking a federal official and using their deep-rooted access to the country’s critical infrastructure to kill informants.

The revelation was made in a new audit of the work the FBI is doing to protect its investigations from technological surveillance. 

According to the newly published report, the Sinaloa cartel/El Chapo insider contacted the FBI in 2018 and told it of all the ways in which the cybercrook hired by the cartel helped it track down those who could give up key details about its operation.

The mercenary cybercriminal offered “a menu of services” that included “exploiting mobile phones and other devices,” the report stated.

The individual monitored the comings and goings of various people at the US embassy in Mexico City, identifying “people of interest” to the Sinaloa cartel, or those who could potentially present an existential threat to the gang.

Various individuals were identified through this process, including an FBI official, and an assistant legal attache (ALAT). The FBI said the cybercriminal obtained the ALAT’s phone number and used it to extract various pieces of intel for the cartel, including details about calls made and received and geolocation data of the ALAT’s device.

The hacker-for-hire also had access to Mexico City’s camera system, which allowed them to track the movements of the people of interest, including those who met up with the ALAT while the FBI was investigating Sinaloa.

“According to the case agent, the cartel used that information to intimidate and, in some instances, kill potential sources or cooperating witnesses,” the audit [PDF] stated.

Former leader of the cartel, Joaquín “El Chapo” Guzmán, was arrested for the third time in 2016 (thanks to his sysadmin), having been arrested and imprisoned twice before, escaping from detention both times.

However, although El Chapo is cooling his heels in a SuperMax prison in Colorado, the cartel remains in operation today, despite multiple arrests of key leaders such as Guzmán himself, his son Joaquín Guzmán Lopez (who is alleged to have helped take over after his father’s third arrest), and accused co-founder Ismael “El Mayo” Zambada Garcia.

Immediate concerns

The revelatory audit comes after the Department of Justice identified “immediate concerns regarding the FBI’s management of the Ubiquitous Technical Surveillance (UTS) threat” in 2022.

UTS has affected law enforcement operations for decades, but the audit cited recent advances in commercially available technologies that have exacerbated that threat.

These advancements are making it “easier than ever” for less-sophisticated nations and organizations to exploit vulnerabilities within criminal investigations.

The Office of Inspector General (OIG) told the FBI that its response to the UTS threat was “disjointed and inconsistent,” and that the training agents receive around it must be improved.

The FBI’s response involved raising the internal risk level of the UTS threat to Tier 1 and establishing a red team to identify vulnerabilities and devise a mitigation plan.

A resulting FBI report identified a large number of vulnerabilities, with the actual figure remaining classified, but the DoJ’s audit division was originally unimpressed with its results, namely due to the omission of UTS vulnerabilities identified before the red team was established. Its draft mitigation plan is still under review by FBI management.

The audit division was equally unimpressed with the FBI’s draft plan to improve training.

The report stated: “Although the outline recognizes the need to execute an enterprise-level approach to the UTS threat and to ‘create an organizational framework with authorities to address UTS,’ it does not appear to address the need to assign responsibilities to officials with the authority to execute the strategy or a clear line of authority for responding to UTS-related incidents.

“Additionally, based on the outline, we are concerned that the Strategic Plan will not adequately address how to best leverage the disparate FBI entities with UTS expertise to benefit the entire enterprise.”

The report cited a data breach, the details of which were heavily redacted, that exposed internal policy and procedure gaps related to how the organization responds to such incidents.

Ultimately, the FBI’s response to the concerns raised in 2022 was not satisfactory, and the audit has made a number of additional recommendations for improvements. This includes establishing a clear line of authority for responding to UTS threat-related cases.

The Register contacted the FBI for a response. ®