Stakkato

Background

Philip Gabriel Pettersson, operating under the alias Stakkato, is a Swedish national from Uppsala, Sweden. He came to the attention of international law enforcement as the alleged perpetrator of a sustained and technically sophisticated cyber intrusion campaign that spanned from at least December 2003 through May 2005.

The Intrusion Campaign

The attacks attributed to Stakkato targeted a broad range of high-profile organizations, including the US Military, White Sands Missile Range, NASA, and several prominent academic institutions. US academic targets known to have been affected include Caltech, Stanford University, the San Diego Supercomputer Center, and the University of Illinois at Urbana-Champaign (UIUC). Non-US academic institutions were also compromised, among them Uppsala University in Sweden and University College Cork in Ireland.

A defining characteristic of the campaign was Stakkato's use of locally based kernel exploits — a technically demanding method that requires advanced knowledge of operating system internals and significant software development capability. By leveraging these exploits, Pettersson was able to elevate user privileges on targeted systems, effectively gaining administrative or root-level control over machines belonging to government agencies and private sector enterprises.

Through the use of stolen login credentials, Stakkato maintained persistent access to compromised systems for well over two years, a duration that underscored both the operational security maintained during the campaign and the difficulty investigators faced in detecting and attributing the intrusions.

Cisco IOS Source Code

One of the most significant outcomes of the campaign was Stakkato's reported access to Cisco Corporation's router Internetwork Operating System (IOS) source code. Obtaining this proprietary code provided a substantial advantage: it allowed the development of custom exploits and rootkits, as well as backdoors that could be used to extend and enhance control over routers across the internet. The implications of this access were considered serious given the central role Cisco routers play in global network infrastructure.

Investigation and Legal Proceedings

Pettersson was approximately 16 years old when he was first questioned by authorities in March 2005 in connection with the attacks. Investigators also searched for possible accomplices in Sweden, Britain, and elsewhere in Europe during this period.

The legal process that followed was lengthy. Pettersson was indicted on five felony counts in May 2009, roughly four years after the initial investigation became public. In February 2010, jurisdiction over his prosecution was formally transferred to Swedish authorities, following a notice from Sweden to the US Department of Justice regarding the possibility of domestic prosecution.

Significance

The Stakkato intrusions are notable within the history of computer security for several reasons: the technical sophistication of the methods employed, the breadth and sensitivity of the targets compromised, the duration over which access was maintained, and the attacker's young age at the time of the campaign. The case was the subject of a technical presentation at CCGrid06 in May 2006, and was documented in security literature including the book Reverse Deception: Organized Cyber Threat Counter-Exploitation (McGraw-Hill, 2012). It is frequently referenced alongside other significant intrusion campaigns of the era, such as Moonlight Maze, Solar Sunrise, and Titan Rain.