CMU ECE student indicted as part of federal hacking bust

In mid-July, the U.S. Department of Justice (DOJ) charged Carnegie Mellon junior electrical and computer engineering major and returning FireEye intern Morgan Culbertson for developing and distributing malware. Culbertson allegedly actively distributed malware on Darkode, a renowned online black market for malicious code. Specializing in Android security exploits, Culbertson’s malware sought mainly to steal user data from mobile phones.

An investigation of Darkode by the Federal Bureau of Investigation led to the arrests of nearly 90 alleged cyber criminals, including Culbertson. Officials allege that Culbertson, one of the youngest among those indicted at only 20 years old, created a piece of Android malware called Dendroid. Dendroid allowed buyers of the software to remotely access Android phones.

Culbertson, who went to Shadyside’s Winchester Thurston Upper School, began developing Dendroid when he was 17. The malware could be purchased through Darkode from Culbertson — under the alias “Android” — for the Bitcoin equivalent of about $300, according to the Pittsburgh City Paper. Culbertson’s father, Robert Culbertson, is a retired Carnegie Mellon professor of entrepreneurship and founder of several successful start-up companies.

Culbertson is not the first notable hacker to come out of Carnegie Mellon. George Hotz, for example — more commonly known as GeoHotz — was well known for creating the first iPhone jailbreak, allowing users to use the phone with providers other than AT&T and install their own software. Hotz also gained recognition for his exploits with the firmware of Sony’s PlayStation 3, which culminated in a lawsuit from Sony.

Computer science students at Carnegie Mellon know the word hack — or hacker — very well. A hacker is not necessarily malicious, and in some situations even does good. Hackathons, for example, have co-opted the word “hack” as a term for putting together a good solution quickly, with minimal resources. Hackathons are beneficial competitions that help students learn. For Build18, an annual hackathon held at Carnegie Mellon in the spring, hackers meet in the Jared L. Cohon University Center’s Wiegand Gymnasium. TartanHacks, another annual hackathon at Carnegie Mellon, is put together by the student organization ScottyLabs.

Carnegie Mellon’s faculty generally trains students against hacking maliciously. In 15-213: Introduction to Computer Systems, for example, a core computer science class that provides “a programmer’s view of how computer systems execute programs, store information, and communicate,” professors stress that the curriculum is meant to teach students how to produce safer code, not exploit poorly written code.

Working for the cybersecurity company FireEye for the second summer in a row, Culbertson was supposed to be practicing that philosophy, but it became clear that he was using techniques learned from the company to develop his malware.

“Mr. Culbertson’s internship has been suspended pending an internal review of his activities. As there are ongoing investigations by external parties and FireEye, we cannot provide any further comment on Mr. Culbertson and his activities,” FireEye spokesperson Kyrk Storer said in a press release.