The sophisticated Sept. 17, 2015 hack on Palo Alto Online and parent company Embarcadero Media appeared designed to inflict significant financial damage on the news group, according to opening-day testimony in federal court in San Jose on Tuesday, May 29, by the company's Information Technology Director Frank Bravo.
Bravo described the havoc the hacking attack wreaked on the news organization and its online websites, including a late-night sweep of the company's Palo Alto headquarters by police officers.
Accused hacker Ross M. Colby, 35, formerly of San Francisco, allegedly took down the online news sites PaloAltoOnline.com, Mountain View Online, Almanac Online, PleasantonWeekly.com and DanvilleSanRamon.com. He is charged with felony intentional damage to a protected computer and felony attempted damage to a protected computer. He is also charged with three misdemeanor counts of intentionally accessing a protected computer without authorization and obtaining information between July and Sept. 17, 2015.
Bravo said he was sleeping at about 11 p.m. on Sept. 17 when Embarcadero Media Publisher and CEO William Johnson called to alert him of the attack. The website had been replaced by an image of Guy Fawkes, a masked icon of the hacker group Anonymous, and the message: "Greetings, this site has been hacked. Embarcadero Media Group (Alamanac) (sic) has failed to remove content that has been harmful to the wellbeing and safety of others. Failure to honor all requests to remove content will lead to the permanent shutdown of all Embarcadero Media websites."
Each of the five websites' URLs had been replaced with the text "Unbalanced journalism for profit at the cost of human right. Brought to you by the Almanac." The message concluded with a partial tagline used by Anonymous: "We do not forgive, we do not forget, we are legion."
Bravo said that, in addition, companywide emails were routed to a different location controlled by the hacker.
"The MX (mail exchange) records were not only wrong, they were gone," he said.
To try to contain the damage, Bravo initially logged in to the company's accounts using his personal email address. But as the attack progressed, he also was locked out. A phone call to domain registrar GoDaddy.com revealed that the domain names for the websites had been deleted or unregistered. Additionally, at least one additional domain was unlocked – the precursor for shutting down a domain.
Potentially, someone else could have then purchased and registered the domain names, he said, though GoDaddy had a wait period before allowing the closed registrations to be sold.
Bravo and IT employee Chris Planessi were the only two company staff members with access to the web server. Both had access from their homes. A third access point was from within the company office. At least two servers had been changed in the internal network, indicating that someone might have been physically in the building.
Given this information, Johnson contacted the Palo Alto Police Department to search of the three-story headquarters. Officers arrived, but no one was found on the premises.
Bravo also found that all of the logs on a router had been wiped off. Someone had gained access to the database, file servers and a web server. They wiped out internal resources that enable advertising scheduling and eliminated a gateway connection for sales staff to gain access to web-based advertising. Fortunately, most of the ads had been saved in data backups, though the backups were several days old, he said.
"We could recreate a lot of the pieces," he said, adding that the company's internet provider had some backups as well, but a few days' worth of work was lost.
Reporters and editors also did not have access to any files. Although the IT department was able to get the website to be operational by mid-morning the next day, it was not fully operational for a couple more days, Bravo said.
As part of his investigation into the hack, Bravo looked at all IP addresses -- a string of numbers identifying internet connections -- to see who had logged in that night from the outside and inside. Bravo began finding strange IP addresses that he and his team did not recognize. These IP addresses, some of which the FBI would eventually link to Colby, accessed the email accounts of Bravo, Planessi and Cesar Torres (a computer system administrator who has since left the company) and gained access to the web servers and other critical IT infrastructure.
Eventually, Bravo said, they discovered someone had gained access to a Google document the IT department regularly shared, called "Things to Remember." The document listed usernames, passwords and email addresses used internally to access the company's corporate-level IT infrastructure settings and router.
At the trial, Vicki Young, Colby's defense attorney, immediately objected to the admission of the Things to Remember document as evidence. Bravo said during his testimony that he had redacted the passwords and email addresses shortly after discovering it had been accessed. He said he gave a screenshot of the redacted Things to Remember document to the FBI.
But Young protested that she wasn't told that the document, which was given to her as part of discovery, was redacted -- even though there were dashes in the spaces where one would expect to find password letters and numbers and email addresses.
Young maintained the dashed document was confusing and didn't allow her to adequately review its contents.
U.S. Prosecutor Joseph Springsteen said that it is obvious that the information was redacted on the face of it and that the actual passwords and email addresses don't change the substance of the evidence.
Young also repeatedly objected to admitting screenshot evidence such as the IP addresses Colby allegedly used because the screenshots were not time stamped. Judge Lucy Koh overruled Young on that issue, however, because Bravo testified he had generated the screenshots.
But Koh did allow Young time to submit an argument regarding the Things to Remember document at another hearing. She instructed prosecutors to replace the dashes with black redaction bars and to leave in symbols such as the "at sign," @, and URL endings such as ".com" as identifiers. Prosecutors would then submit the document to the defense.
During opening statements, Prosecutor Susan Knight said the government would show a trail of IP addresses linked to Colby were used to access Embarcadero Media's accounts and data, including the accounts of the three IT employees more than 200 times.
"This is a case about destruction," she said.
Young made clear during her opening statement that she would attempt to cast doubt on the government's evidence. The case would be about what the government did and what it didn't do, she said.
"We submit that no one is disputing something occurred" regarding Embarcadero Media's websites, she said. But while the government argues it has made connections between Colby and accessing Embarcadero Media employees' email accounts in late July and early August 2015, "they don't tell you what that means in September" when the actual breach occurred. The government has to prove that Ross Colby was responsible for hacking into the GoDaddy account in September, she said.
"Can the government prove beyond a reasonable doubt that Ross Colby did it?" she said.
Young appeared to be focusing on the two felony charges. During evidentiary hearings she had tried to remove Publisher Johnson from the witness list, according to court documents, but the judge ruled his testimony is relevant.
Johnson is set to testify about the financial harm the hacking attack caused to Embarcadero Media. Under Judge Koh's instruction, as part of the first count of intentional damage to a protected computer, the jury must find that the offense caused a loss of $5,000 or more in a year.
For the first count, the jury must also find that Colby knowingly transmitted program code to another computer to cause damage and that he knowingly intended to cause damage that affected communications or the impairment of information.
Jurors must find under the second count (attempted damage to a protected computer) that he transferred or transmitted code with the intention to damage a protected computer and knowingly transmitted the code with the intention to commit damage that would affect commerce or communication.
The three misdemeanor counts of intentionally accessing a protected computer without authorization and obtaining information are related to his access of Torres' account.
The trial will resume on Thursday morning with additional testimony by Bravo.
Read more articles on Colby's trial: