Introduction

On December 31, cybercriminals launched a mass infection campaign, aiming to exploit reduced vigilance and increased torrent traffic during the holiday season. Our telemetry detected the attack, which lasted for a month and affected individuals and businesses by distributing the XMRig cryptominer. This previously unidentified actor is targeting users worldwide—including in Russia, Brazil, Germany, Belarus and Kazakhstan—by spreading trojanized versions of popular games via torrent sites.

In this report, we analyze how the attacker evades detection and launches a sophisticated execution chain, employing a wide range of defense evasion techniques.

Kaspersky’s products detect this threat as
Trojan.Win64.StaryDobry.*, Trojan-Dropper.Win64.StaryDobry.*, HEUR:Trojan.Win64.StaryDobry.gen.

Initial infection

On December 31, while reviewing our telemetry, we first detected this massive infection. Further investigation revealed that the campaign was initially distributed via popular torrent trackers. Trojanized versions of popular games—such as BeamNG.drive, Garry’s Mod, Dyson Sphere Program, Universe Sandbox, and Plutocracy—were designed to launch a sophisticated infection chain, ultimately deploying a miner implant. These malicious releases were created in advance and uploaded around September 2024.

Infection timeline

Although the malicious releases were published by different authors, they were all cracked the same way.

Malicious torrent available for download

Among the compromised installers are popular simulator and sandbox games that require minimal disk space. Below is the distribution of affected users by game as of January 2025:

Infected users per game (download)

These releases, often referred to as “repacks”, were usually distributed in an archive. Let’s now take a closer look at one of the samples. Upon unpacking the archive, we found a trojanized installer.

Technical details

Trojanized installer

After launching the installer (a Windows 32-bit GUI executable), we were welcomed with a GUI screen showing three options: install the game, choose the language, or quit.

Installer screen

This installer was created with Inno Setup. After decompiling the installer, we examined its code and found an interesting functionality.

Decompiled installer code

This code is responsible for extracting the malicious files used in this attack. First, it decrypts unrar.dll using the DECR function, which is a proxy for the RARExtract function within the rar.dll library. RARExtract decrypts unrar.dll using AES encryption with a hard-coded key,
cls-precompx.dll. Next, additional files from the archive are dropped into the temporary directory, and execution proceeds to the RARGetDllVersion function within unrar.dll.

Unrar.dll dropper

First of all, the sample runs a series of methods to check if it’s being launched in a debugging environment. These methods search for debugger and sandbox modules injected into processes, and also check the registry and filesystem for certain popular software. If such software is detected, execution immediately terminates.

Anti-debug checks example

If the checks are passed, the malware executes cmd.exe to register unrar.dll as a command handler with regsvr32.exe. The sample attempts to query the following list of sites to determine the user’s IP address.
api.myip [.]com
ip-api [.]com
ipapi [.]co
freeipapi [.]com
ipwho [.]is
api.miip [.]my
This is done to identify the infected user’s location, specifically their country. If the malware fails to detect the IP address, it defaults the country code to
CNOrBY (meaning “China or Belarus”). Next, the sample sends a request to hxxps://pinokino[.]fun/donate_button/game_id=%s&donate_text=%s with the following substitutions:

• game_id = appended with DST_xxxx, where x represents digits. This value is passed as an argument from the installer; in this campaign, we discovered the variant DST_1448;
• donate_text = appended with the country code.

After this generic country check, the sample collects a fingerprint of the infected machine. This fingerprint consists of various parameters, forming a unique identifier as follows:
mac|machineId|username|country|windows|meminGB|numprocessors|video|game_id

This fingerprint is then encoded using URL-safe Base64 to be sent successfully over the network. Next, the malware retrieves MachineGUID from HKLM\Software\Microsoft\Cryptography and calculates its SHA256 checksum. It then collects 10 characters starting from the 20^th position (
SHA256(MachineGUID)[20:30]). This hexadecimal sequence is used as the filename for two newly created files: %SystemRoot%\%hash%.dat and %SystemRoot%\%hash%.efi. The first file contains the encoded fingerprint, while the second is an empty decoy. The creation time of the .dat file is spoofed with a random date between 01/01/2015 and 12/25/2021. This file stores the Base64-encoded fingerprint.
After this step, unrar.dll starts preparing to drop the decrypted MTX64.exe to the disk. First, it generates a new filename for the decrypted payload. The malware searches for files in %SystemRoot% or %SystemRoot%\Sysnative. If these directories are empty, the decrypted MTX64.exe is written to the disk as Windows.Graphics.ThumbnailHandler.dll. Otherwise, unrar.dll creates a new file and names it by choosing a random file from the specified directories, taking its name, trimming its extension and appending a random suffix from a predefined list. Besides suffixes, this list contains junk data, most likely added to evade signature-based detection.

Suffix list and junk data

For example, if the malware finds a file named msvc140.dll in %SystemRoot%, it removes the extension and appends the resulting
msvc140 with handler.dll (a random suffix from the list), resulting in msvc140handler.dll. The malware then writes the decrypted payload to the newly generated file in the %SystemRoot% folder.
After that, the sample opens the encrypted MTX64.exe and decrypts it using AES-128 with a hard-coded key,
cls-precompx.dll.
The loader also carries out resource spoofing. First of all, it scans the _res.rc file for DLL property names and values—such as CompanyName, FileVersion and so on—and creates a dictionary of (key, value) pairs. Then it takes a random DLL from the %SystemRoot% folder (exiting if nothing is found), extracts its property values using the VerQueryValueW WinAPI, and replaces the corresponding dictionary values. The resulting resources are embedded into the decrypted MTX64.exe DLL. This file is then saved under the name generated in the previous step. Finally, unrar.dll changes the creation time of the resulting DLL using the same spoofing method as for the fingerprint file.

Spoofed resources

The dropped DLL is installed using the following command:
cmd.exe /C "cd $system32 && regsvr32.exe /s %dropped_name%.dll"

MTX64

This DLL is based on a public project called EpubShellExtThumbnailHandler, a Windows Shell Extension Thumbnail Handler. This stage completely mimics the legitimate behavior up until the actual thumbnail handling. It gets registered as a .lnk (shortcut) file handler, so whenever a .lnk file is opened, the DLL tries to process its thumbnail. However, here the sample implements its own version of the GetThumbnail interface function, and creates a separate thread to perform its malicious activities.

First, this thread writes the current date and month in
dd-mm format to the %TEMP%\time_windows_com.ini file. This stage then retrieves MachineGUID from HKLM\SOFTWARE\Microsoft\Cryptography, calculates SHA256(MachineGUID)[20 : 30], just like unrar.dll did. After that, it checks %SystemRoot% for the .dat file with this name. The presence of this file confirms that the infection is uninterrupted, prompting the DLL to extract the fingerprint and make a query to the hard-coded threat actors’ domain in the following format, where the UID is the fingerprint’s SHA256 hash.hxxps://promouno[.]shop/check/uid=%s
The server sends back a JSON that looks like
{'code':'reg'}. After this, the DLL makes another query to the server with an additional field, data, which is the Base64-encoded fingerprint (uid remains the same):hxxps://promouno[.]shop/check/uid=%s&data=%s
Upon receiving this request, the server also sends a JSON. The malware checks its
code field, which must be equal to either 322 or 200. If it is, the sample proceeds to extract the MD5 checksum from the flmd field in the same JSON and download the next-stage payload from the following link:hxxps://promouno[.]shop/dloadm/uid=%s
Next, the sample calculates the MD5 checksum of the received payload (a kickstarter PE file), and checks this hash against the MD5 checksum from the JSON. If they match, the malware parses the PE structure to locate the Export Address Table, retrieves the
kickstarter function address, and executes it.

Kickstarter running

Kickstarter

The kickstarter PE has an encrypted blob in its resources. This stage reads the blob and stores it in a C++ vector of bytes.

Resource reading

After that, it chooses a random name for the payload using the same method as for MTX64.exe during the execution of unrar.dll. However, there is a difference: if nothing is found in %SystemRoot% or %SystemRoot%\Sysnative, it chooses Unix.Directory.IconHandler.dll as a default file name. The payload is saved to %appdata\Roaming\Microsoft\Credentials\%InstallDate%\. To locate the InstallDate directory, the DLL retrieves the system installation date from the registry subkey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate.

Then the blob is decrypted using the CryptoPP AES-128 implementation. The key consists of the sequence of bytes from
\x00 to \x10. The decrypted contents are written onto the disk. This executable also spoofs its resources using the same method as for MTX64.exe, after which it executes the following command:schtasks /create / tn %s /tr "regsvr32.exe /s %s" / st 00:00 /du 9999:59 / sc once / ri 1 /f
The first argument is the system installation date, while the second one is the path to the dropped DLL. A scheduled task to register a server with regsvr32.exe is created, using the first argument as its name, with a suppressed warning, set to trigger at 00:00. The loader sends a GET request to the hard-coded address
45.200.149[.]58/conf.txt, implicitly setting the request header to User-Agent: StupidSandwichAgent\r\n.
The loader then waits for a response from the server. If the response begins with act, the sample stops execution after creating the scheduled task. If the response is noactive, meaning the targeted device has not been registered previously, the sample tries to delete itself with the following command, which clears everything in the %temp% directory:

Cleanup

Unix.Directory.IconHandler.dll

Subsequently, Unix.Directory.IconHandler.dll creates a mutex named com_curruser_mttx. If this mutex has already been created, execution stops immediately. Then the DLL searches for the %TEMP%\_cache.binary file. If the sample can’t find it, it downloads the binary directly from
45.200.149[.]58 using a GET 44912.f request, with the same StupidSandwichAgent User-Agent header. This file is written to the temporary directory and then decrypted using AES-128 with the same key consisting of the \x00–\x10 byte sequence.
The sample proceeds to open the current process, look for SeDebugPrivilege in the process token, and adjust it if applicable. We believe this is done to inject code into a newly created cmd.exe process. The author chose the easiest way possible, copying the entire open source injector, including its debug strings:

Injector

After injecting the code into the command interpreter, the sample enters an endless loop, continuously checking for taskmgr.exe and procmon.exe in the list of running processes. If either process is detected, the sample is shut down.

Miner implant

This implant is a slightly modified XMRig miner executable. Instead of parsing command-line arguments, it constructs a predefined command line.
xmrig – url =45.200.149[.]58:1448 –algo= rx /0 –user=new-www –donate-level=1 –keepalive – nicehash –background –no-title –pass=x – cpu -max-threads-hint=%d
The last parameter is calculated from the CPU topology: the implant calls the GetSystemInfo API to check the number of processor cores. If there are fewer than 8, the miner does not start. Moreover, the attacker chose to host a mining pool server in their own infrastructure instead of using a public one.

XMRig parses the constructed command line using its built-in functionality. The miner also creates a separate thread to check for process monitors running in the system, using the same method as in the previous stage:

Anti-tracing

Victims

This campaign primarily targets regular users by distributing malicious repacks. Some organizations were also affected, but these seem to be compromised computers inside corporate infrastructures, rather than direct targets.

Most of the infections have been observed in Russia, with additional cases in Belarus, Kazakhstan, Germany, and Brazil.

Attribution

There are no clear links between this campaign and any previously known crimeware actors, making attribution difficult. However, the use of Russian language in the PDB suggests the campaign may have been developed by a Russian-speaking actor.

Conclusions

StaryDobry tends to be a one-shot campaign. To deliver the miner implant, the actors implemented a sophisticated execution chain that exploited users seeking free games. This approach helped the threat actors make the most out of the miner implant by targeting powerful gaming machines capable of sustaining mining activity. Additionally, the attacker’s use of DoH helped conceal communication with their infrastructure, making it harder to detect and trace the campaign.

Indicators of compromise

File hashes

15c0396687d4ff36657e0aa680d8ba42
461a0e74321706f5c99b0e92548a1986
821d29d3140dfd67fc9d1858f685e2ac
3c4d0a4dfd53e278b3683679e0656276
04b881d0a17b3a0b34cbdbf00ac19aa2
5cac1df1b9477e40992f4ee3cc2b06ed

Domains and IPs

45.200.149[.]58
45.200.149[.]146
45.200.149[.]148
hxxps://promouno[.]shop
hxxps://pinokino[.]fun

securelist.com/starydobry-camp…

Microsoft ha annunciato la rimozione della funzione Location History da Windows 10 e 11, eliminando di fatto la possibilità per le applicazioni di accedere alla cronologia delle posizioni del dispositivo. Una decisione che solleva interrogativi nel mondo della cybersecurity: una mossa per rafforzare la privacy o un cambiamento che potrebbe influenzare la sicurezza e la forensic analysis?

Cosa cambia con la rimozione della cronologia delle posizioni?

La funzione Location History consentiva ad applicazioni come Cortana di accedere alla posizione del dispositivo registrata nelle ultime 24 ore. Con la sua rimozione, questi dati non verranno più salvati localmente e l’opzione sparirà dalle impostazioni di Windows (Privacy & Security > Location).

Microsoft ha dichiarato: “Stiamo deprecando e rimuovendo la funzione Location History, un’API che permetteva a Cortana di accedere alle ultime 24 ore di cronologia delle posizioni del dispositivo quando la localizzazione era abilitata.”

L’API Geolocator.GetGeopositionHistoryAsync, che permetteva l’accesso ai dati memorizzati localmente, verrà dismessa. Ciò significa che le app non potranno più recuperare automaticamente le posizioni passate del dispositivo, eliminando un potenziale vettore di attacco ma anche uno strumento di monitoraggio.

Impatto sulla sicurezza e sulla forensic analysis

Questa decisione si inserisce in un trend più ampio di maggiore attenzione alla privacy, seguendo normative come GDPR e CCPA, che impongono restrizioni più severe sulla raccolta e conservazione dei dati personali. Tuttavia, la rimozione di questa funzione potrebbe avere effetti collaterali imprevisti:

• Limitazione delle indagini forensi: gli analisti di sicurezza spesso usano dati di localizzazione per individuare attività sospette o analizzare movimenti legati a minacce informatiche.
• Meno strumenti per le aziende: alcune organizzazioni utilizzano la cronologia delle posizioni per verificare accessi anomali o per migliorare la protezione dei dispositivi aziendali.
• Riduzione del rischio di esfiltrazione: la rimozione della cronologia delle posizioni potrebbe diminuire la superficie di attacco per i cybercriminali che sfruttano questi dati per tracciare utenti o pianificare attacchi mirati.

Microsoft consiglia agli sviluppatori di rivedere le proprie applicazioni e migrare verso nuove soluzioni che non dipendano dalla funzione obsoleta. Per gli utenti, invece, il consiglio è:

1. Disattivare i servizi di localizzazione nelle impostazioni di Windows se non necessari.
2. Cliccare su “Clear” per cancellare eventuali dati di posizione registrati nelle ultime 24 ore.

Privacy o limitazione della sicurezza?

Se da una parte Microsoft si allinea alla crescente richiesta di maggiore privacy e controllo sui dati, dall’altra questa rimozione potrebbe creare disagi a chi sfruttava la cronologia delle posizioni per funzioni avanzate, costringendo sviluppatori e aziende a ripensare le proprie strategie. Sarà interessante vedere quali soluzioni alternative emergeranno per colmare questo vuoto.

In un mondo digitale sempre più complesso e minaccioso, la vera sfida sarà trovare il giusto equilibrio tra tutela della privacy e capacità di difesa dalle minacce informatiche, senza compromettere né la sicurezza né l’innovazione.

L'articolo Microsoft elimina la cronologia delle posizioni su Windows. Scelta di privacy o rischio sicurezza? proviene da il blog della sicurezza informatica.

Logically we understand that the other planets in the solar system, as well as humanity’s contributions to the cosmos such as the Hubble Space Telescope and the International Space Station, are zipping around us somewhere — but it can be difficult to conceptualize. Is Jupiter directly above your desk? Is the ISS currently underneath you?

If you’ve ever found yourself wondering such things, you might want to look into making something like Space Monitor. Designed by [Kevin Assen], this little gadget is able to literally point out the locations of objects in space. Currently it’s limited to the ISS and Mars, but adding new objects to track is just a matter of loading in the appropriate orbital data.

In addition to slewing around its 3D printed indicator, the Space Monitor also features a round LCD that displays the object currently being tracked, as well as the weather. Reading through the list of features and capabilities of the ESP32-powered device, we get the impression that [Kevin] is using it as a sort of development platform for various concepts. Features like remote firmware updates and the ability to point smartphones to the device’s configuration page via on-screen QR aren’t necessarily needed on a personal-use device, but its great practice for when you do eventually send one of your creations out into the scary world beyond your workbench.

If you’re interested in something a bit more elaborate, check out this impressive multi-level satellite tracker we covered back in 2018.

youtube.com/embed/6-wM_a_eX-g?…

hackaday.com/2025/02/18/space-…

Meta ha annunciato il più grande progetto di cavo sottomarino mai realizzato, il Progetto Waterworth , che attraverserà cinque continenti.

Il progetto multimiliardario, che richiederà diversi anni, è stato annunciato sul blog dell’azienda. Meta afferma che rafforzerà la portata e l’affidabilità dell’infrastruttura digitale globale aprendo tre nuovi corridoi oceanici con l’elevata capacità, necessaria per promuovere le tecnologie di intelligenza artificiale.

Secondo l’azienda, l’intelligenza artificiale sta cambiando radicalmente vari ambiti della vita e Meta si impegna a essere all’avanguardia in questo processo tecnologico. Il progetto Waterworth fornirà l’accesso a tecnologie avanzate a milioni di persone in tutto il mondo.

Secondo le dichiarazioni del vicepresidente dell’ingegneria di rete di Meta, Ghai Nagarajan, e il responsabile degli investimenti di rete globali, Alex-Handra Aime, il progetto sarà il più grande progetto di cavo sottomarino nella storia dell’azienda. La sua lunghezza sarà di oltre 50.000 km, ovvero superiore alla circonferenza della Terra.

La rete sottomarina collegherà gli Stati Uniti, l’India, il Brasile, il Sudafrica e altre regioni chiave, promuovendo la cooperazione economica, l’inclusione digitale e lo sviluppo tecnologico. In particolare, il blog sottolinea che il Progetto Waterworth accelererà l’implementazione della strategia digitale dell’India.

Negli ultimi dieci anni Meta ha preso parte allo sviluppo di oltre 20 cavi sottomarini, implementando sistemi con 24 coppie di fibre invece delle standard 8-16. Il nuovo progetto proseguirà questa tendenza, creando la più lunga rete sottomarina ad alta capacità.

L’azienda inoltre prevede di utilizzare Tecniche innovative di posa dei cavi a profondità fino a 7 km e tecniche migliorate di interramento costiero per ridurre al minimo il rischio di danni causati dalle ancore delle navi e da altri pericoli.

Oltre al Progetto Waterworth , Meta sta formando una nuova divisione all’interno di Reality Labs che si concentrerà sullo sviluppo di robot umanoidi alimentati dall’intelligenza artificiale. Andrew Bosworth, CTO di Meta, ha dichiarato in una nota che il nuovo gruppo lavorerà alla creazione di robot per i consumatori utilizzando le capacità del modello Llama.

Inoltre, Meta prevede di espandere la propria presenza al dettaglio aprendo negozi propri, simili al Meta Lab Store , inaugurato a Los Angeles a novembre.

L'articolo Meta rivoluziona il web: Waterworth, il cavo sottomarino da 50.000 km! proviene da il blog della sicurezza informatica.

GameLook riporta che dopo quasi un anno di attesa, secondo le ultime notizie provenienti dai media stranieri, Apple ha presentato una domanda per collaborare con Alibaba allo sviluppo di un grande modello di intelligenza artificiale e attende l’approvazione del governo nazionale. In altre parole, in futuro Apple Intelligence in Cina fornirà agli utenti servizi di intelligenza artificiale pertinenti basati sul modello Tongyi Qianwen di Alibaba.

Sebbene negli ultimi anni la quota di mercato di Apple in Cina sia stata erosa dai marchi nazionali, secondo gli ultimi dati di IDC la quota di mercato di Apple in Cina sarà del 15,6% nel 2024, in calo di due punti percentuali rispetto al 2023.

Ma essendo una delle aziende con il più grande “spazio fantasy” e il più alto valore per l’utente al mondo, chiunque riesca a collaborare con Apple nell’ambito dell’intelligenza artificiale sarà senza dubbio in grado di cogliere l’iniziativa nell’era dell’intelligenza artificiale nell’ecosistema mobile.

Attualmente nei principali mercati esteri, il partner di Apple per questo servizio è ChatGPT di OpenAI.

Mentre i servizi intelligenti di Apple in Cina cominciano a prendere forma, GameLook, in quanto media, si sta anche chiedendo se il tutto sia utile per i comuni utenti cinesi e cosa significhi. Innanzitutto, per quanto riguarda la notizia della cooperazione di Alibaba con Apple, la prima domanda di molte persone debba essere: perché Alibaba e Tongyi Qianwen?

Dovresti sapere che la presenza di Alibaba non è la più forte nel mercato 2C e nel percorso AI. Dopotutto, c’è Doubao di ByteDance (DAU raggiunge i 17 milioni) davanti, e DeepSeek, che è stato recentemente al centro dell’attenzione e ha superato i 40 milioni di utenti attivi al giorno. Infatti, secondo quanto riportato dai media stranieri, Apple avrebbe scelto Alibaba dopo aver valutato i modelli sviluppati da Tencent, ByteDance, Alibaba e DeepSeek.

Secondo GameLook, Alibaba, in quanto fornitore di servizi cloud e azienda leader nel settore Internet nazionale, può fornire servizi più stabili e completi quando si confronta con clienti di grandissime dimensioni come Apple, in particolare nell’ambito della conformità governativa, ambito in cui Alibaba vanta anch’esso una notevole esperienza.

In questo senso, i nuovi arrivati ​​come DeepSeek sono ovviamente inferiori. È impossibile che quando gli utenti Apple domestici chiamano Siri, la risposta che ottengono sia “Il server è occupato, riprova più tardi”. In secondo luogo, Tongyi Qianwen di Alibaba è sempre stato uno dei modelli di intelligenza artificiale su larga scala più capaci in Cina. Oltre al modello di punta, Tongyi Qianwen di Alibaba, come DeepSeek, è sempre rimasto open source per la comunità e pertanto gode di una forte influenza nella comunità open source globale.

Secondo gli ultimi dati pubblicati ufficialmente da Alibaba, il suo ultimo modello Qwen2.5-Max ha ottenuto risultati paragonabili o addirittura superiori a quelli di DeepSeek, Llama, GPT-4o e altri modelli negli attuali test di benchmark sui modelli di grandi dimensioni più diffusi.

L'articolo Apple in Cina Sceglie l’AI Tongyi Qianwen Di Alibaba per Alimentare Siri proviene da il blog della sicurezza informatica.

Patriota con la suit di Omni-Man. Tanto basta per descrivere Mr.Okay. La differenza è che, il nostro, non ha un bisogno emotivo, adulatorio, da parte delle persone, ma le loro manifestazioni d'affetto sono la sua linfa vitale... altrimenti lungi da lui ergersi a protettore della razza umana.

iyezine.com/mr-ok-collettivo-k…

Mr. Ok - Collettivo Korm Ent

Mr. Ok - Collettivo Korm Ent - Patriota con la suit di Omni-Man, Mr. Okay esplora cosa siamo disposti a rinunciare per la pace. Scopri le sue gesta nel libro del collettivo Korm Ent. - Mr. Ok

^{Claudio Frandina (In Your Eyes ezine)}

Se volete farvi un regalo, vi consiglio di ascoltare questa interessantissima puntata de "il Mondo", che ascolto quasi tutte le mattine e trovo molto utile per approfondire alcune notizie.

In questa puntata si parla delle ragioni che hanno portato la #spagna ad essere una delle economie maggiormente in crescita nel 2024, ma c'è anche molto di più.

Nella seconda parte viene esposto un ragionamento sul clima che condivido e trovo interessantissimo, sul ruolo di Musk, sul catastrofico ruolo degli Stati Uniti e sulla generale indifferenza di tutti, cittadini ed istituzioni europee.

Crudo, ma da ascoltare per cominciare a cambiare.

Ascoltate e condividetene tutti 😊

Internazionale

2025-02-17 08:57:09

Nella puntata di oggi del Mondo: l’economia spagnola va sempre meglio. Come far ripartire la lotta al cambiamento climatico. Con Mariangela Paone e Ferdinando Cotugno.

Il Mondo

Il Mondo

Il podcast quotidiano di Internazionale. Tutte le mattine alle 6. 30 con Claudio Rossi Marcelli e Giulia Zoli. Scegli una prospettiva più ampia sul mondo.

^{Internazionale}

If there are to be yet unimagined weapons affecting the balance of military power tomorrow, we want to have the men and the means to imagine them first.
—JAMES KILLIAN, science adviser to Dwight D. Eisenhower, 1956

Science as science should no longer be served; indeed scientists ought to be made to serve.
—WILLIAM H. GODEL, former deputy director of the Advanced Research Projects Agency, 1975

Guns and Money

In June 1961, William Godel set off on a secret mission to Vietnam carrying a briefcase stuffed with cash. At a stopover in Hawaii, he converted some of the cash to traveler’s checks to make space for a small bottle of liquor that he carried with him on business trips. Even that did not quite leave enough room, so he moved some of his secret Pentagon papers to another case to make space for the bottle. The money, $18,000, was for a classified project that would play a critical role in President John F. Kennedy’s plan to battle communism in Southeast Asia.
At thirty-nine years old, Godel still wore the short buzz cut of his Marine Corps days, but his reputation had been forged in the world of intelligence. A drinker, a practical joker, and a master bureaucratic negotiator, Godel was the type of man who could one day offer to detonate a nuclear bomb in the Indian Ocean to make a crater for the National Security Agency’s new radio telescope and the next day persuade the president to launch the world’s first communications satellite to broadcast a Christmas greeting. Colleagues described him as someone you could drop in a foreign country, and a few months later he would emerge with signed agreements in hand, whether it was for secret radar tracking stations— something he did indeed set up in Turkey and Australia —or, in this case, winning the support of South Vietnam’s president for a new American proposal. Bill Bundy, a former CIA official and White House adviser, called Godel an “operator” with a “rather legendary reputation for effectiveness” working overseas.
At five feet ten inches tall, Godel was not a physically imposing figure, but he had a way of impressing both admirers and enemies with his presence. “He was one of the more glamorous people to stride the halls of the Pentagon,” recalled Lee Huff, who was recruited by Godel to the Defense Department. Godel was never the most famous man in the Pentagon, but for several years he was one of its most influential. And by the early 1960s, that influence was focused on Southeast Asia.
Godel arrived to the summer heat of Saigon, a congested city of semi-controlled chaos where cycle rickshaws, bicycles, mopeds, cars, and other motorized contraptions wove through the packed streets like schools of fish in a sea. The city was booming economically and culturally, even as it attracted an increasing number of American military advisers, spooks, and diplomats, who were looking to advise South Vietnam’s president on how best to run his newly independent country.
Parisian-style sidewalk cafés still dotted the main city streets, and the city’s French colonial heritage was reflected in everything from the fresh baguettes in the local bakeries to the city’s grand villas. Vietnamese women dressed in the "áo dài", the formfitting silk dress worn over pantaloons, mixed easily with teenage girls clad in miniskirts. It was still several years before the influx of American troops would provide a boon to the city’s brothels, or frequent Vietcong terrorist attacks in Saigon would drive patrons away from sidewalk cafés, but signs of that unrest were on the horizon. In December of the previous year, the Vietcong bombed the kitchen of the Saigon Golf Club, marking the start of a series of terrorist attacks in the capital. In neighboring Laos, a civil war fueled by Soviet and American involvement was spilling over into Vietnam. More disquieting was that the Vietcong, the communist insurgents in South Vietnam, were getting weapons from North Vietnam, using the Ho Chi Minh Trail, the illicit supply route that snaked through Vietnam’s mountains and jungle, and parts of Laos.
Godel had been traveling frequently to Vietnam for more than a decade. What made this trip unusual was that he was now working for the Advanced Research Projects Agency, known by its acronym, ARPA. Founded in 1958 to get America into space after the Soviets launched the world’s first artificial satellite, ARPA had lost its space mission after less than two years. Now the young organization, hated by the military and distrusted by the intelligence community, was struggling to find a new role for itself. Godel figured if ARPA could not battle the communists in space, perhaps it could beat them in the jungles. President Kennedy had taken office just five months prior and was still in the process of formulating a new policy for Southeast Asia. He had already decided to support South Vietnam’s anticommunist president, Ngo Dinh Diem, a Catholic who hailed from a family of Mandarins, the bureaucrats who ran Vietnam under Chinese rule. The month before Godel’s trip, Vice President Lyndon B. Johnson visited South Vietnam’s president, calling Diem the “Winston Churchill of Asia,” and in April, Kennedy sent four hundred Green Berets to South Vietnam to serve as special advisers, helping to train the South Vietnamese military and the Montagnards, the indigenous tribes who lived in the country’s central plains. Diem was a deeply religious man, a lifelong bachelor who chose politics over the priesthood. Some in Western circles regarded him as an out-of-touch crackpot; others, like Godel, saw him as a flawed but promising leader. In the early 1960s, South Vietnam was already battling a communist insurgency, but it was a war being fought in the shadows; that summer, astronauts and celebrities still dominated the covers of Life and Time magazines. Yet there were hints that this new conflict was beginning to occupy America’s leaders in Washington. The October 27, 1961, cover of Life magazine featured a soldier peering out from jungle underbrush with the caption “GI trains for guerilla warfare.” The cover lines read, “Vietnam: Our Next Showdown.” Guerrilla warfare was precisely why Godel was in Vietnam. The money he carried with him to Saigon was a down payment on an initial $20 million that the American government expected to allocate for a combat center to develop technology suited for fighting insurgents in Vietnam’s jungles. Located in Saigon and run by ARPA, the combat center would be used to help American military advisers and South Vietnam’s military. Godel, however, was not just focused on Vietnam; ARPA’s Combat Development and Test Center was the starting point for a global solution to counterinsurgency, relying on science and technology to guide the way.
The cash in Godel’s bag, and his list of proposals for Diem, would alter the course of events in Vietnam and more broadly lay the groundwork for modern warfare. From stealthy helicopters that would slip over the border of Pakistan on a hunt for Osama bin Laden to a worldwide campaign using drones to conduct targeted killings, Godel’s wartime experiments would later become military technologies that changed the way America wages war. His programs in Vietnam, many of which arose from that meeting with Diem, would be credited with some of the best and worst military innovations of the century. Within just a few months of that trip, Godel would bring over to Vietnam a new gun better suited for jungle warfare, the Armalite AR-15. He would also send social scientists to Vietnam, hoping that a better understanding of the people and culture would stem the insurgency. Some of Godel’s work became infamous, like a plan to relocate Vietnamese peasants to new fortified villages, known as strategic hamlets. That plan became one of the more resounding failures of the war. Similarly, ARPA’s introduction to Vietnam of chemical defoliants, including "Agent Orange", is now held responsible for countless deaths and illnesses among Vietnamese and Americans.
At its height, the ARPA program he established employed hundreds of people spread across Southeast Asia —more than five hundred in Thailand alone—and then expanded later to the Middle East. The program sought to understand the roots of insurgency and develop methods to prevent it so that American forces would not have to get involved in regional wars they were unprepared to fight. ARPA developed new technologies, sponsored social science research, and published books on counterinsurgency warfare that would later influence a new generation of military leaders fighting in Iraq and Afghanistan. More than any single technology, Godel’s single-minded promotion of the need to understand the nature of guerrilla warfare would have an impact decades later, when the army general David Petraeus, and his advisers known as the “strategic whizzes,” found themselves studying the writing of David Galula, whose seminal work, 'Pacification in Algeria', was published in 1963, paid for by ARPA. Four decades before Petraeus made “counterinsurgency” a household phrase, Godel created a worldwide research program dedicated to insurgent warfare that dwarfed anything done in the years after 9/11.
The nascent counterinsurgency program Godel started inadvertently played a critical role in shaping the future agency whose name would become synonymous with innovation. The Vietnam counterinsurgency work eventually became the backbone of ARPA’s "Tactical Technology Office", the seminal division that would produce stealth aircraft, precision weaponry, and drones—the fundamentals of the modern battlefield. The space age might have given birth to ARPA, but Vietnam thrust the agency into the center of Cold War strategic debates, and it was Godel, more than any other ARPA official, who shaped the agency’s future.
Yet it was not all counterinsurgency. In the early 1960s, the esoteric agency Godel helped build was planting the seeds for work that would bear fruit many years later. In the first two years, Godel helped create the agency’s space program, providing cover to the world’s first reconnaissance satellite, a top secret project. He also persuaded the president to launch the world’s first communications satellite and helped build a worldwide network for nuclear test monitoring. By the end of the decade, a descendant of one of ARPA’s first projects, the "Saturn rocket", would launch Neil Armstrong and the other Apollo 11 astronauts on their journey to the moon. And just a month before Godel traveled to Vietnam, ARPA was handed a new assignment in "command and control", which would in less than a decade grow into the ARPANET, the predecessor to the modern Internet. The following year, Godel personally signed off on the first computer-networking study, giving it money from his Vietnam budget.
Godel’s seminal role was largely expunged from the record in later years, and his name rarely mentioned in official materials, forgotten except by a few loyal friends and dedicated enemies. The AR-15, the weapon that Godel personally carried over to Vietnam, eventually became the M16, the standard-issue infantry weapon for the entire U.S. military. The rest of Godel’s Vietnam-era work would be dismissed as a onetime diversion for an agency now more closely associated with high technology than strategic thinking. His story did not fit an agency touted as a model for innovation. Yet the real key to the ARPA legacy lies in understanding how all these varied projects—satellites, drones, and computers— could come to exist in a single agency.
—
The Central Intelligence Agency(CIA) sits on a compound in Langley, Virginia, made famous by countless movies and television shows. The NSA’s massive headquarters is ringed by barbed wire and located on a military base in Maryland. Yet the agency responsible for some of the most important military and civil technologies of the past hundred years resides in relative obscurity behind a generic glass facade at 675 North Randolph Street in Arlington, Virginia. The unremarkable office tower stands across from a dying four-level brown-brick shopping mall that houses a mix of fast-food restaurants and discount stores.
Behind the nondescript exterior of the office building, just beyond the guards, is a panoramic wall display that covers more than fifty years of the agency’s history. It begins in the fall of 1957, when the Soviet Union launched the first man-made satellite into orbit. "Sputnik", as the satellite was called in the West, did little more than emit a simple beep. But that beach-ball-size sphere orbiting harmlessly around the earth touched off a storm of news reports that shook the American people’s feeling of invulnerability by demonstrating that the Soviet Union might soon be able to launch a nuclear-armed missile that could reach the continental United States.
?As the story goes, Sputnik sparked a national hysteria, and the American public demanded that the government take action. In response, President Dwight Eisenhower in early 1958 authorized the establishment of a central research agency independent from the military services, whose bickering had contributed to the Soviet Union’s lead in space. This new agency, called the Advanced Research Projects Agency, was the nation’s first space agency—established eight months before the National Aeronautics and Space Administration, or NASA. The organization today known as DARPA—the D for “Defense” was added in 1972 (and then dropped, and added again in later years)—has grown into an approximately $3-billion-a-year research agency, with projects that have ranged from space planes to cyborg insects. The display in the lobby is a monument to more than fifty years of this unusual government agency, which has produced marvelous and sometimes terrifying technological achievements: precision weapons, drones, robots, and networked computing, to name a few. By thinking about fundamental problems of national security, DARPA created solutions that did far more than give the military a few novel weapons. In some cases, the agency changed the nature of warfare; in others, it helped prevent the nation from going to war.
By thinking about how to deal with Soviet conventional military superiority without resorting to nuclear weapons, it introduced the era of precision weaponry. By looking for ways to detect underground nuclear explosions, it revolutionized the field of seismology and enabled the negotiation of critical arms control treaties. And by exploring ways to improve nuclear command and control, it created the ARPANET, the precursor to the modern Internet.
Not all solutions are so tidy, however. In trying to tackle the problem of communist insurgency, DARPA embarked on a decade-long worldwide experiment that ended in failure. It is tempting to carve out unsuccessful work, like the counterinsurgency programs, by claiming this was an aberration in the agency’s history. Here we argue, however, that DARPA’s Vietnam War work and the ARPANET were not two distinct threads but rather pieces of a larger tapestry that held the agency together. What made DARPA successful was its ability to tackle some of the most critical national security problems facing the United States, unencumbered by the typical bureaucratic oversight and uninhibited by the restraints of scientific peer review. DARPA’s history of innovation is more closely tied to this turbulent period in the 1960s and early 1970s, when it delved into questions of nuclear warfare and counterinsurgency, than to its brief life as a “space agency.” Those two crucial decades represent a time when senior Pentagon officials believed the agency should play a critical role in shaping world events, rather than just develop technological novelties.
The Internet and the agency’s Vietnam War work were proposed solutions to critical problems: one was a world-changing success, and the other a catastrophic failure. That muddied history of Vietnam and counterinsurgency might not fit well with DARPA’s creation story, but it is the key to understanding its legacy. It is also the history that is often the most challenging to get many former agency officials to address. DARPA may brag about its willingness to fail, but that does not mean that it is eager to have those failures examined.
—
DARPA is now more than sixty years old, and much of its history has never been recorded in any systematic way. One effort was made, in 1973, when DARPA approached its fifteenth anniversary. Stephen Lukasik, then the director, commissioned an independent history of the agency to better understand its origins and purpose. The final document was regarded as so sensitive that the authors were only authorized to make six copies, all of which had to be handed over to the government. Although it was supposed to be an unclassified history, the new director was aghast at what he felt was an overly personal account; he stamped the final product as classified and locked it away. It took more than a decade for it to be released.
Agencies, like people, make sense of themselves through stories. And like people, they are selective about the facts that go into their stories, and as time passes, the stories are increasingly suspect and often apocryphal. No other research organization has a history as rich, complex, important, and at times strange as DARPA. Whether it was a mechanical elephant to trudge through the jungles of Vietnam or a jet pack for Special Forces, DARPA’s projects have been ambitious, sometimes to the point of absurdity. Some of these fanciful ideas, like the concept of an invisible aircraft named after a fictional, eight-foot-tall rabbit, actually succeeded, but many more failed. At some point, the successes, and the failures, began to get smaller, because the problems assigned to the agency grew narrower. The key to DARPA’s success in the past was not just its flexibility but also its focus on solving high-level national security problems. DARPA today runs the risk of irrelevancy, creating marvelous innovations that have, unlike previous years, little impact on either the way the military fights or the way we live our lives. The price of success is failure, and the price of an important success is a significant failure, and the consequences of both should be weighed in assessing any institution’s legacy. Conversely, if the stakes are not high, then neither the successes nor the failures matter, and that is where the agency is in danger of heading today, investing in technological novelties that are unlikely to have a significant impact on national security.
Current DARPA officials may disagree with this pessimistic assessment of the agency’s current role or argue about which failures, and successes, should be highlighted. Yet the research for our work is based on thousands of pages of documents, many recently declassified, held in archives around the country, and hundreds of hours of interviews with former DARPA officials. Most past directors share a very similar sentiment: DARPA continues to produce good solutions to problems, but the problems it is assigned, or assigns itself, are no longer critical to national security. To understand why this narrowing of scope happened, it is important to examine the real history of DARPA. The agency’s origins may begin with the space race, but DARPA’s legacy lies elsewhere.
Godel and his trip to Vietnam were seminal to the agency’s history—both its high and its low points. That trip helped create the modern agency and its greatest and worst legacies. Yet Godel’s story is one that DARPA officials today do not talk about, or even know about. It is a story buried in long-forgotten court records and has been nearly written out of the agency’s history, because it no longer fits the narrative of DARPA as an agency dedicated to technological surprise. Yet it is a story that illustrates the true tensions within DARPA, an agency

#ARPA #DARPA #USA #Vietnam #ColdWar #history