Interview with Colombian hacker Andrés Sepúlveda
Since the 2016 US elections, Americans have been scrambling to understand election interference and social media manipulation. In an October 2016 interview, Colombian hacker Andrés Sepúlveda explained how he manipulated social media and interfered in elections across Latin America.
If you’re not familiar with Sepúlveda’s case, I recommend reading Bloomberg’s investigation titled How to Hack an Election. Andrés Sepúlveda admitted to working with a rotating team of 7 to 15 hackers who manipulated social media and rigged elections throughout Latin America for almost a decade. He is currently serving 10 years in prison for espionage and various computer crimes related to interference in the 2014 Colombian elections, but he and his team also worked on election campaigns in Nicaragua, Panama, Honduras, El Salvador, Mexico, Costa Rica, Guatemala, and Venezuela.
In a Spanish language interview with Colombian media, Sepúlveda explained what he did and how average citizens can identify social media manipulation.
Attorney Germán Realpe (GR) and journalist José Luis Peñarredonda (JLP) from ENTER.CO, interviewed Sepúlveda in Picaleña prison, in Ibagué. Their interview which was published October 4, 2016, is divided into four (Spanish language) videos. I translated the transcribed interview below.
(GR): Do you consider yourself a hacker or a cracker? People who work in computer security say that a hacker is someone who uses their knowledge legally for technical or academic matters.
I never called myself that. On the second day after my arrest, they called me “Sepúlveda the hacker.” Obviously I know the difference between a hacker and a cracker. I didn’t just commit crimes, I developed various projects for other companies, including work for the Fuerza Pública.
So the intention to put a label on me was more political, and it changed depending on who was talking, if it was one side or another. I have no problem being called a hacker or a cracker because I understand very clearly my grasp and knowledge.
(GR): Let’s talk about the techniques you used. Did you use social engineering or malware? Where did you get so much information? What technical tools did you use?
I think there are two kinds of hacking: mass hacking and individual hacking. There are people who are responsible for hacking many people but my objectives were precise and very specific.
I used social engineering like a “patient sniper.” I had all the information I needed to carry out an attack. I knew who a target was, what he liked, what he didn’t like… I had a complete profile and according to the profile I knew what techniques I would use; if I’d use an attack to infect routers, or a direct attack on their cell phone, or an attack to infect their computer. There was never a manual to do it. Simply put it depended on the objective, how easy or difficult it was to attack.
As for techniques, for me the main one was social engineering. Likewise we joined different techniques: brute force attacks, “pineapples” and even SQL injection attacks to obtain certain types of data.
Most of the tools I created were integrating different exploits and existing tools that were obtained on the black market. I was very meticulous with what was done. Therefore most of the time I sought to integrate these “exploits” and tools that were purchased together, so I’d have total control of what was being done.
(GR): Some people say you were really an expert at buying information. What do you think of that?
I think that label was assigned to me because obviously I bought information to get specific data about certain people, as is done in any investigation. The purpose of this information was to understand the victims we were going to attack. And it always worked because there was not a single person we couldn’t hack.
The information that was purchased was strictly for work purposes, hacking so to speak. I didn’t buy information to sell it. I bought information, I processed it and interpreted it according to what I was doing, and that’s how I achieved results. I was not an information trafficker.
(JLP): When you were buying information, was there a red line? Was there a moral or legal limit that you didn’t want to cross? Did you ever turn down an operation?
I never went after journalists or the media, I never attacked people for personal favors, nor a girlfriend or a friend of someone. I wasn’t interested in that type of attack. I also never worked for leftist or dictatorial governments. I always said no to that.
(JLP): You were accused of several crimes: information theft, illegal entry into a computer system and so on. Do you believe that what you did was correct?
At the time, I always thought what I was doing was right. I was always convinced of what I was doing.
(JLP): Do you have any regrets?
I regret getting involved in politics; completely.
(JLP): When you were captured, some of the discs they found were not encrypted. As someone with so much knowledge about computer security, how did you let that happen?
This is the first time anyone asked me that and I will be as honest as possible. At the time of my capture, two things happened. I was presenting some information and preparing a report. In crude terms, they caught me with my pants down; they caught me without any discs encrypted. Everything I had was spread out on a table in that precise moment.
When they arrived nothing was encrypted because everything was in use. I never had the opportunity to remove equipment or anything. During the raid there were more than 50 people, they were armed with weapons aimed at me… Also, the information I had was shared with people inside the office who had provided passwords before the raid and that made it even easier. It was really my own carelessness.
(GR): Your case revealed the manipulation of information in the Colombian presidential elections using social media. What were you and the team you worked with trying to do? What was the main objective?
The main objective was to win the election. Secondary objectives were to create disorder in the other campaigns, sabotage other actions, strengthen what was being done from the campaign, overcome the opposition and above all to misinform.
I’ve always said that when people are sick they don’t go to the doctor, they go to Google. When someone is in a political process, people believe what other people say more than the actual candidate. I was in charge of making information available to everyone; and also to make life difficult for the other campaigns, very difficult. From sabotaging their communications to finding out what they were going to say in a speech in 10 or 15 days.
(GR): What techniques and tools did you use to manipulate and control information in these election campaigns?
I had a platform that I developed myself. We had different providers, Facebook accounts, Gmail, Twitter, Instagram, WhatsApp, Telegram … You could buy any number of accounts, and the program administered each account individually or in groups.
So I could send 200,000 WhatsApp messages in an hour. Or I could send a mention 10,000 times to a Twitter account. The program allowed me to do what I needed. It was relatively easy. The complicated part was to organize the accounts depending on the providers. What I did was centralize all of that so the attacks that were carried out were much more concrete and organized.
(JLP): It’s known that you created black propaganda, but did you also create “white” or positive propaganda for some candidate?
No. White work can be done by anyone. But you have to have certain skills to do black work. I took care of that.
(GR): How did you measure the success of these jobs?
By the amount of rumors that people began to create. Many times, while checking my Twitter or Facebook, I saw people beginning to spread rumors that I had been sowing. That happened especially in the 2014 elections.
The success of what I did was tangible: you could see what people were talking about; and based on that, you see how well your campaign had gone with whatever attack had been launched at the time.
(GR): How can an average person, who has no knowledge of information security, know that they are being manipulated, or that something originated from a fake account?
It is increasingly difficult to tell, because it is very easy to spread a topic to real accounts. Once you manage to spread a theme to real accounts it becomes more difficult. There is no action on the internet that does not have a target. You will never see unemployed people creating a meme about a politician. That doesn’t exist. There’s a working team that is responsible for doing this.
I think the easiest way to know that one is the victim of an attack or exposed to propaganda is to look at the overall context of what is happening. For example, right now we are talking about the peace process, you can see the things on the internet. The opponents are involved in a campaign with their arguments and all of its thematics, and those in favor are also bombarding the internet. Regardless of the side or the target, we will always be passive victims of this propaganda on the internet.
(JLP): Let’s talk about what you are currently doing. How long has it been since you stopped working on elections and manipulation of information?
Since May 5, 2014, the date of my capture.
(JLP): And what are you doing now?
In August 2014 I requested a computer with internet access, which was authorized by the Office of the Attorney General of the Nation. I spent 21 months developing software called Social Media Predator, which I think is my greatest work, because it uses all of my knowledge about both political campaigns and intelligence agencies.
Social Media Predator is a tool based on artificial intelligence and computational vision, which works autonomously in search of the following crimes: extremist content, radicalism — what can be called “cyber jihad”, child pornography, human trafficking, electoral fraud, gang activity, micro-trafficking and organized crime. This program massively detects these types of crime on the internet.
At this moment I have contacts with non-governmental entities, both in Colombia and abroad, in search of implementing this program; and I’m going to put it to use for the general community.
(JLP): Who is helping you create and disseminate this software?
I created the software 100% by myself. I developed it while in prison. And about the diffusion, I am taking advantage of these kinds of interviews to offer Social Media Predator to those who are interested: NGOs, research centers and private sector companies that specialize in these types of crimes.
(GR): Does the software take information from public sources? How is it structured?
It analyzes open sources such as social media and websites. There are models that detect weapons or stolen vehicles or radical groups like ISIS. More than anything it depends on the model in use, but the program’s feed is all with open source data.
(JLP): What motivated you do work on this project?
In my work I always wanted to implement mass detection of crimes. And more than mass detection is the use of facial recognition software. I’ve been working for several years on a program with facial and emotion recognition, and I wanted to take it a step further to create autonomous systems that don’t depend on human interaction. And now I had all the time to do it because I was in prison.
(JLP): Has anyone else seen the software?
For some interviews I’ve given outside of Colombia, there was a group of computer experts who analyzed the source code and saw the program working. There are also intelligence agencies that have seen it working.
(GR): Can such monitoring programs affect privacy? What’s your position about privacy?
Our online life is an extension of our life offline. If you are committing a crime on the internet, you are also committing it physically. I’m not looking for conversations, but strictly crimes. The information that is being looked at is public. I’m not affecting anyone’s privacy, I’m not rummaging around through their emails, but simply what’s on the internet.
(JLP): Is your motivation with this anti-crime program the same as what motivated you to work in electoral campaigns?
I want to make clear that my work in political campaigns I always did based on conviction, besides the money. Why do I say it was based on conviction? Because I didn’t work for certain campaigns that I felt didn’t meet my goals. Social Media Predator I am doing for the common good, moving away from politics and ideals. I’m doing it as a new way to combat that kind of crime and this is a way to show how to use my knowledge, not how many believe it’s simple to commit crimes or sabotage campaigns.
(JLP): Do you expect to receive some benefit in terms of your conviction?
Obviously, I’m also looking for a reduction in penalties for collaborating with the authorities, but that’s not something immediate, but with time. For now it’s something in the pipeline.
(JLP): Let’s talk about your reputation. There are people who say many things about you, not just in the political environment but also in the hacker world…
Man, I give the benefit of the doubt to anyone. Many say that I’m not a hacker because I didn’t use certain programs. Others say I’m not a hacker because I’m bald and wear boots. Others say I’m not a hacker because I didn’t finish college. Regardless of the arguments, I can demonstrate my knowledge with for example a program like Predator or having worked in so many political campaigns in Latin America; and I assure you that if I had been bad at what I did, I would not have charged so much nor would I have worked in those types of campaigns.
Some speak badly of me. I don’t know if it’s envy or resentment. I have never talked about any of them; the vast majority of people don’t know me, and those who know me are involved in the case. Obviously there is too much personal hatred in the middle, but I haven’t lost any sleep over it.
(JLP): Do you believe there are political reasons why Colombian hackers have protested against you?
The problem is that many things are attributed to me. For example, there’s a misinterpretation of a leaked video in which I supposedly say that I hacked a plane from the Southern Command; if you watch the video and listen well, you’ll realize that I didn’t say that. The problem is that the media spread this kind of news. Whoever hears that will know it’s completely false; I didn’t say that, but it’s attributed to me. That kind of thing started to create resentment. But as I said, I don’t loose any sleep over it, nor do I think about how to correct it; I’m not interested.
(GR): Is it easy nowadays to hire a cracker or hacker that can manipulate political information?
There are people who can do things, but that doesn’t mean that they do them well. I always talk about my personal case: when I worked against other campaigns, they had response teams, but they never had an effective response to my attacks.
To do it efficiently and effectively depends on many factors. Some people believe that managing a Twitter account is creating a black propaganda campaign on the internet. There is a series of things that are done to make that a reality.
(JLP): What happened to all the information you collected as part of your work?
The information about the FARC?
(JLP): Yes, everything, the campaigns, the FARC… are you content with the fate of that information? Did you leave something for yourself? Did you leave some kind of life insurance?
I left insurance. Very big, very big.
(JLP): And what has to happen for us to learn it?
If I die. Or feel at risk… I’ll always be in imminent risk while in prison. I have a series of rules that have to happen. I can’t comment but there are two triggers: if I die or if certain things happen to my family.
There are measures that were taken long before I was captured. Fortunately I took them and they have helped me maintain this life insurance.
(JLP): This bomb where could it explode? In political environments? Economic?
Everywhere. Political, economic, and military, a bit of everything.
(GR): People who have certain technical knowledge have dedicated themselves to work with companies, with foundations or to give lectures after completing their time in jail. Where do you see yourself in ten years?
I’m already preparing to leave. Not because I have a short time left, nor more hopefully. The goal of the punishment is to take advantage of the time in prison for when one is free and can reintegrate into society.
What am I doing? While I can, what I did was create a technology. My goal is to continue creating that kind of technology, optimizing it, or making new software, but I’m doing that already in order to detect crimes. I’m already working for the moment of my departure.
(GR): You were convicted of actions typified in the 2009 Law 1273 on computer crimes. Will you repeat these actions in the future?
No. They always ask me if I regret having hacked the FARC. I always say no; I regret having used that information for political purposes and not for military purposes. But what I am doing right now, everything is legal.
Obviously I won’t commit any crime; I don’t want to stay here any longer than necessary. The problem, and this goes for society in general, is that not everything is a crime on the internet. Other things that should be crimes, are not. My only interest is to never again have a conflict with the authorities, and even the technology I’m creating is in favor of the law.
(JLP): Do you think being in jail will prevent you from moving forward?
That’s one of my greatest fears. I worry that I am missing information, because everything is changing and advancing. I constantly ask for documentation. They always bring me many books, many pages but it’s not the same as doing things on a computer.
(GR): What’s a normal day like for Andrés Sepúlveda in jail?
I wake up at 5am. I exercise until 5:30am, when they open the doors, and I continue to exercise for 20 more minutes. I shower and eat breakfast at 7am. Then the close the cells from 7am to 5pm inside with other people. There’s a TV. There are also some weights. I always try to exercise and write a lot and jot down ideas and projects and documentation that my attorneys bring to me.
From 5pm onward I remain in a cell; for almost 13 hours when I go back to exercising and reading. I have problems sleeping. So I try to read a lot. I recently read “The Lost Symbol” by Dan Brown; I spent four days reading it because I have a lot of free time. I try to spend my time exercising and reading. That’s my way of disconnecting from this place. It is quite difficult to be here.
(GR): Do you have any computer access right now?
None. The most advanced technology that I have access to is a radio.
This interview was originally published in Spanish language by ENTER.CO on October 4, 2016.
The Bloomberg investigation How to Hack an Election was published March 31, 2016. In the following (English language) video from CCTV from June 2016 reported that Sepúlveda had his computer access revoked after the Bloomberg report was published and that since then he can no longer work on the software he’s been developing.
