Jackson A. Cosko, a former sysadmin for US Sen. Maggie Hassan, has admitted to breaking into her office after he got fired, installing keyloggers, and using ripped-off employee credentials to get into senators’ Wikipedia entries so as to dox their contact information, the Department of Justice (DOJ) announced on Friday.
Cosko, 27, pleaded guilty to two counts of making public restricted personal information, one count of computer fraud, one count of witness tampering and one count of obstruction of justice related to publicizing the private information of five senators in autumn 2018.
He’s looking at between 30 and 57 months of prison time. The plea agreement also requires Cosko to forfeit computers, cellphones and other equipment he used in the crimes.
Getting fired steamed him
In his plea agreement, Cosko admitted that he was angry after getting fired from his job as a sysadmin at Hassan’s office in May 2018 and knew it would make it tough for him to get a new job.
The office had shut down his work accounts, but that didn’t stop Cosko from burglarizing the senator’s office at least four times. He started his nighttime forays in July, letting himself in with a former colleague’s keys. That former colleague is now themselves a former employee, according to Hassan’s office. At least once, the colleague allegedly had handed Cosko the keys, knowing that Cosko was going to illegally enter the office, according to the plea agreement.
During the burglaries, Cosko carried out what the court filing called “an extraordinarily extensive data theft scheme,” copying entire network drives and then cherry-picking the nuggets of sensitive information he might be able to use later. He stole the data by installing unobtrusive, innocent-looking keyloggers on at least six computers.
The sensitive data included dozens of means of identification, including network credentials, belonging to at least six employees. The dozens of gigabytes worth of data Cosko stole also included employees’ credit card information and taxpayer IDs; the personally identifying information (PII) of hundreds of other people; and tens of thousands of emails and internal documents belonging to Senator Hassan’s office.
Cosko also ripped off the contact information for numerous US senators, including their home addresses and phone numbers.
Then, Cosko sorted at least some of the data. The senators’ PII went into a folder he named “high value.” His next step: on to Wikipedia, to screw with the entries for five senators: GOP Senate Judiciary Committee members Lindsey O. Graham, Mike Lee, Orrin G. Hatch, Rand Paul, and Senate Majority Leader Mitch McConnell.
‘I am the Golden God!’
Cosko says that he got angry while watching some of the participants during the 27 September TV broadcast of Supreme Court Justice Brett Kavanaugh’s confirmation hearing. He reacted by doxxing the personal home addresses and phone numbers of Sens. Graham, Hatch and Lee.
He did it by logging in via a House of Representatives site where the senators’ Wikipedia entries are maintained. Cosko wanted to intimidate the politicians, he admitted, and knew that people would use the contact information to harass them. He didn’t leave it up to chance that the public would stumble on the edited entries, though. Rather, Cosko re-Tweeted posts about his edits.
As news organizations picked up on the doxxings, Sen. Paul called for an investigation into the crime. Cosko’s response: he doxxed the contact information for Sens. Paul and McConnell, again editing their Wikipedia entries. This time around, his edits took on an additional bit of editorializing and boasting, including these statements:
He dares call for an investigation of ME?!?!?!?
I am the Golden God!
Also it’s my legal right as an American to post this info.
We are malicious and hostile.
Send us bitcoins.
Back to the office
That was on 1 October. The next day, his house of cards would collapse. That’s when Cosko got in touch with the former colleague who had given him the keys that he used to carry out his burglaries. The former colleague – identified as “Subject A” in court documents – gave him the keys, allegedly knowing it was for a break-in.
Cosko got to the office around 10:10pm and logged in to a computer using a set of stolen credentials. While he was typing away, an office employee came in and recognized that this was all wrong. Cosko took off, and within a few minutes, he’d sent a threatening email to the employee who discovered him.
The email’s subject header: “I own EVERYTHING.”
It went on:
If you tell anyone I will leak it all. Emails signal conversations gmails. Senators children’s health information and socials.
As the court filing explains, “signal conversations” was a reference to the use of Signal, a popular messaging app. Cosko’s reference to “socials” was a reference to the taxpayer IDs of the senators’ children.
Then, Cosko went home and set about wiping out his tracks. He wrote himself a note, reminding himself to…
Backup all files
Mail backup
Burn aliases
Wipe down comps
The next day, Cosko met with Subject A to return the key and to tell them to wipe the fingerprints off all the computers, keyboards and mice in the office, and to then unplug the computers.
Subject A allegedly was in the process of doing all that when the same employee who discovered Cosko in the office the night before walked in. Subject A got to everything but unplugging the computers, they texted to Cosko that morning:
Np, sorry I couldn’t do everything.
Cosko’s defense lawyer, Brian W. Stolarz, put out a statement blaming his client’s struggles with drugs:
Mr. Cosko takes full responsibility for his actions and is sincerely remorseful. Sadly, Mr. Cosko’s ongoing struggle with drugs contributed to a regrettable course of conduct. He is committed to rehabilitating his life, his reputation and addressing his addiction.
Sneaky little keyloggers
Cosko carried out his crimes using hardware keyloggers. They’re notoriously hard to detect unless physically spotted, making them a common tool for everything from snooping on spouses to bank heists to multiple instances of kids hacking their grades and/or getting their hands on exams and test questions in advance.
They’re literally child’s play to plug in. Keyloggers are cheap, they’re easy, and they’re often undetected at the typical targets – schools, universities, libraries – that all too often have paltry budgets for equipment, software and skilled administrators.
Cosko’s sentencing is scheduled for 13 June.