Kingdom of Lies

by Kate Fazzini


  The newspaper doesn’t say whether the Post paid the ransom, which he assumes means they have. Imagine how much more they might have paid if they thought they were dealing with a serious criminal enterprise? Not some foreign kids who don’t know the difference between “then” and “than.”

  Sig sets down the newspaper. Gets out a napkin. Asks the waiter for a pen. Begins to sketch out a plan for a ransomware business.

  * * *

  Sig is deeply interested in the concept of criminal organizations as business organizations. And as cybercrime goes, it can be one of the most challenging problems to overcome in turning a profit. Imagine a version of any American office, include all the drudgery, paperwork, sniping, and backstabbing, but add to it an entire workforce made up of people with a very loose relationship with the law, and subtract much of the face-to-face interaction.

  Sig appreciates the advantages organized cybercrime has over traditional, Mafia-based organized crime. First, there are hardly any laws that robustly prohibit the kinds of crimes they will be committing. This is especially true in the countries of Eastern Europe. It’s not necessary to involve oneself in the messy business of bribing police or prosecutors when nobody’s looking for you.

  Second, there is more churn and more opportunities for small, independent criminal groups to form. For those few big shots, like Valery Romanov, who happen to be incarcerated, their ability to run a criminal enterprise ends. That’s because their access to computers is shut off, and unlike the old-school mafiosi, they can’t conduct their business merely by prison phone.

  This means new leaders can take their place. Sig is hoping he’s among them because, unlike the Mafia, these individuals don’t need to come from the same family.

  * * *

  Sig also knows a fair number of ex-criminals who went on to do legitimate work, especially after they did time in prison.

  In Sig’s experience, hacking collectives typically resemble start-up businesses more than old-school mafiosi. Divisions of the organization are best left to specific talent classes. Some specialists in arcane, difficult technology disciplines may work autonomously, and hiring them comes at a premium.

  In bigger organizations, there are even human resources functions and customer service divisions. Some groups also have cybersecurity divisions of their own, which keep other criminal groups from stealing the illicit intellectual property they are creating and stealing.

  Sig loves start-up culture. This is what he seeks to emulate. The new organization he hopes to build will include intelligence specialists to collect reconnaissance and a malware specialist—whom he knows from experience—to help design or alter existing components. He’ll also use specialists who can deliver, exploit, and install the malware on the targets. Guys who are good at operating command and control servers and directing botnets, or large collections of compromised computers and devices.

  Once he’s got these pieces in place, Sig will set up a collections department to make sure people pay up. This collections person will be proficient in various clandestine money transfer methods and cryptocurrencies, to facilitate ransom payments from a global series of victims.

  Most of the people he has in mind are men in their 20s to 40s from around Eastern Europe.

  Finally, he wants a customer service rep. A pretty girl. Someone to temporarily offset all the testosterone that, he knows from experience, will ultimately break the organization apart.

  That shouldn’t be too difficult, Sig thinks. He’s never had a problem getting the attention of an attractive woman.

  * * *

  Caroline is trying to organize her thoughts. She is pregnant with her second child and she can see the writing on the wall—Raykoff’s new organization has no place for someone like her, someone who knows and is friendly with everyone, who is well loved and plugged into many cybersecurity communities. She is, in a word, dangerous.

  The breach has slowed many things down, so news of her pregnancy came later than she would have liked. But the conversation with Raykoff was still jarring. She told him about her pregnancy, let him know when she would be taking maternity leave, approximately six months away now. It’s considered polite protocol to not let something like a baby’s arrival sneak up on your boss, and Caroline is congenitally on the right side of protocol. His response was predictable but cast a pall over her nonetheless: “When you get back from leave, you won’t have a job in cybersecurity anymore.”

  Not “you won’t be working for me,” or “you won’t be working in my division,” or “you won’t be working in this company.” “You won’t have a job in cybersecurity anymore.” The threat was specific. She felt like he intended to blackball her. Her solace was that although he may have had the power to do this when he worked in government, he did not have the same power over the finance sector.

  Still, his reaction has thrown her off. She has been seeking consolation from her vast network of peers. They have her back, as she always had theirs. They are enraged about this turn of events, even more than she is.

  Now she sits with Michael Joseph, a former Marine Corps drill sergeant who is one of her closest confidants, and one of her earliest hires. He is filling her in on details of Venice. It’s a Sunday night. Everyone has lost track of time. Their conversation is scored by the sound of quiet typing inside the SOC.

  The security analysts detected the trip wire set by the attackers and have observed several terabytes being exfiltrated—taken out of the bank—all by the same perpetrator. As part of the investigation, they have found other problems, other attacks, other exfiltrations. They don’t know yet how much data has been taken or what was in the data. It will be a very long time before they find out who did it. Possibly never.

  Raykoff had been going around telling every executive who will listen that this is war. It looks like Chinese influence, he says. Game-changing, he says.

  Michael agrees. It is big. And different. Not the sort of thing they have been trained for. They are a team of technologists first, engineers who understand protocols, controls, wonky stuff meant to create a relatively safe-as-possible environment. Michael has spent time on the battlefield in Afghanistan, but that was different. Banks don’t go to war with the enemy, Marines do. When the enemy attacks a bank, Marines step in to control the situation. But there are no troops on the ground here. No NSA. No DHS. The FBI has been in touch, but not to do battle, to help figure out who is behind Venice.

  The bank wants to both cooperate politely with and keep the three-letter agencies at bay, as most companies do if they can help it. Keep them vaguely satisfied and cordoned into their own investigative corners. The more agencies, the more leaks. The more agents, the more leakers. And the agencies didn’t have the cyberarmy to help the bank anyway. They simply aren’t set up to deal with cyberattacks spread out across every company in the country, each with its own internal politics and lingo and an unwillingness to share information with the government.

  Then there’s Raykoff. He knows something about the current threat. He understands how kinetic warfare can be executed. He understands the threats.

  True, he might not have the depth of knowledge about the most current technical landscape. But that isn’t the real problem. The real problem is that, based on his lack of experience in the finance sector and based on his early interactions with bankers, he doesn’t appear to have a good grasp of how a bank works. He doesn’t seem to understand that bankers are unlikely to listen to him since he’s coming from a cost center, and pounding the table won’t change their minds. His connections to the Pentagon no longer matter. Instead of focusing on how to explain what is happening with the breach to his counterparts across the bank, he defaults to Cold War rhetoric and sends frightening emails to employees who might leak to media, which is apparently what happened.

  Michael slaps his forehead. “Did you see the article?”

  “What article?” Caroline is too depressed to read the news, even about NOW Bank.

  He pulls up a New York Times piece on the breach. An obvious leak from within. Some details of the attack are completely on point, others are totally wrong. One sticks out as being particularly egregious. The reporter says that sources inside the firm say the attack likely originated in northern Italy. They laugh. Italy isn’t known as a hotbed of malicious activity. It is dead wrong. It’s Russia, maybe Israel, possibly China.

  Reporters are terrible at telling stories about cybersecurity. The hushed, striking mystery in the writing belies the clunky reality behind the scenes. Michael and Caroline go over the details again, trying to figure out who could have leaked the story. Who could have gotten a detail like that so wrong?

  Then Caroline looks up, as if she could see the interaction unfolding in front of her. A confused, nervous internal source. A reporter with no grasp of the subject matter.

  “They’re calling it Venice.”

  They both laugh out loud, disturbing some of the SOC workers.

  It’s 9 p.m. on a Sunday. Somebody knocks on the door.

  Prem speed-walks inside. “Dinner’s here!”

  The sound of typing finally stops.

  6.

  The Gig Economy

  Three months have passed. In Romania, things are going well with Sig’s new company, which he has decided to call TechSolu. It’s a nonsense term that simply sounds like an Eastern European tech start-up. He stole the logo from a manufacturer of vacuum cleaners. It’s a half sun. Not that it matters.

  He creates a meager website describing the company as an IT security service provider and leaves it at that. He manages to hire 10 new employees, all men—boys really—two of them from Poland, one from Russia, the rest from Romania. It is good to have a little diversity, he jokes to his new colleagues, referring to the Poles.

  But Sig wants a woman in the office, too. Women keep everyone calm. Things get weird in an office with all men. People steal things. They fight, say racist things. They talk about sex too much, and if they’re not talking about it, they’re thinking about it. They steal intellectual property. Adding at least one woman creates a civil dance. It’s not a perfect solution, but it is a form of risk mitigation.

  They have been piecing together ransomware, bought from a variety of kits available on the dark web. It works well.

  At the beginning, it was just Sig and the Russian, whose name is Mikael Gunther. Before coming to TechSolu, he had been fiercely independent. He had partnered with a Chinese hacker who was also inclined to solitude.

  Together they ransomed grandmothers for their grandkids’ photos, locking them up and asking for $50 or $100 to unlock them with the proper code. The grandmas never suspected what was happening was even a crime, as Gunther made it appear to be some sort of exploitative part of the Windows operating system. They are ethical—they asked the grandmas for their credit card numbers but didn’t steal the numbers, only took the ransom payment. That’s what Sig likes about Gunther. He is an ethical criminal, someone he can trust, at least a little bit.

  Gunther reengineered the exploit kit and ultimately sold it on the dark web, cutting out his Chinese partner. He made more money selling the kit to other would-be ransomers than he would doing the ransoming himself. Gunther’s toolkit was exceptional. That’s how Sig found him.

  They build a more enterprise-worthy version of Gunther’s model, and that helps jump-start their business through trial and error on small law firms with lucrative clients. It is a relief to Gunther, who finds working with contacts in China to be exhausting.

  Chinese, Gunther tells Sig, prefer a smash-and-grab way of doing things. It is antithetical to the Russian approach to hacking, which must always involve some level of stealth. It’s just no fun without the intrigue, he says.

  To illustrate this, Gunther talks disparagingly of his Chinese former colleague, who eventually changed his model to a pay-to-play arrangement. The last he’d heard, the partner had tried to get a job consulting with American companies concerned about security at their Asian branches. Gunther scoffs at this. “Sellout,” he says.

  Gunther helps Sig bring in other people from his network. Some come to sit with them in Arnica Valka, while others work remotely. The village itself is slowly becoming a destination for criminal hackers. There are many such pockets throughout Eastern Europe, but how many could boast the scenic countryside of Transylvania? A steady stream of curious specialists keeps turning up in Arnica Valka. But only a handful of the townies seem to grasp what is going on.

  * * *

  With his first 10 employees, Sig puts the focus on targeting law firms and consulting firms. The reconnaissance on these is almost scandalously easy. Law firms in particular like to brag about their acquisition of new celebrity clients or their representation of large companies in a merger or acquisition. They send out a press release, swell with pride about it all over LinkedIn, write a pitch article about it for some trade magazine. Press releases provide the information necessary for the easiest and most obvious lures.

  Gunther and the team at TechSolu find the firms quickly. In a typical ransomware pass, they execute a well-crafted email that appears to be a congratulatory note to one attorney from a colleague at another firm, based on whatever news was posted.

  The note includes a link that, when clicked, allows TechSolu to deploy ransomware onto the machines of the law firm partners, locking them up. Then a frightening-looking green screen appears telling the attorneys that to get back access to their files, they need to pay a ransom of $500 to $5,000, depending on what the law firm can likely afford. That number is based on TechSolu’s intelligence gathering.

  Rival ransomers are sending out scattershot emails. Rivals aren’t always unlocking the files after collecting the ransom.

  But Sig knows the importance of building up a rock-solid reputation for reliability. This is a start-up, after all. He wants TechSolu to become known among victimized companies as an honest criminal organization, one that their insurance companies will be comfortable with.

  This is especially important because now some insurance policies are starting to reimburse law firms for the ransom. If the insurance company is assured that the firm will get its files back in exchange for the ransom payment, they will approve it. And they do, and Sig and his compatriots get paid. And paid well. As their reputation for honesty in these transactions grows, so does their ability to collect higher amounts.

  He still needs to find a woman.

  Most of their victims require a great deal of convincing to pay up, and the lousy green screen with its dire warnings doesn’t always do the trick. And nobody in the office speaks English as well as Sig. Sometimes the victims need to ask simple questions: “How do I set up a Bitcoin wallet?” Or “Are you able to read the files that you stole?”

  Sig’s answer to the last question differs, depending on the company. Because some of these law firms have more interesting information than others. Future mergers. Pending bankruptcies. The answer is always “yes,” but usually he tells them “no” just to keep the transaction moving and pockets the valuable information for later.

  Truthfully, Sig hates answering questions. He recognizes that a throwaway phone line with a dedicated customer service representative will go a long way in getting more payments through and increasing the organization’s cachet among victims.

  Not victims. Clients. “Clients” sounds much better.

  There is another angle. A third TechSolu employee, Jakub Brik, stands out as the only African in the bunch, Polish only by way of Nigeria. He has become quite good at consulting. For the very small businesses, he is able to talk them through the process that will ensure they don’t suffer another ransomware attack.

  These small businesses often pay up gratefully at the end of the conversation. Jakub’s consulting is further legitimizing the business, perhaps even enough so that Sig can hire somebody wholly legitimate. One of the pretty waitresses from the restaurant downtown, maybe.

  * * *

  Caroline hired Charlie Mack. Although he’s a lawyer and was technically brought on by NOW Bank’s legal department, it was her connections who got the ex–CIA officer and Harvard lawyer into the bank to oversee all of their cybersecurity troubles from a legal point of view.

  What Caroline knows and a few select others suspect is that Charlie Mack is a goddamn hero. He’s a corporate lawyer now, sure, but he’s a legend and a bona fide hero. He never brings it up. Just thinks about it sometimes when some executive tries throwing a bad lawyer joke at him. Listen to me, asshole, I’m trying to protect you from yourself. I was raiding Gaddafi’s compound just last year. Do you think I’m being overly fucking careful?

  It is helpful to have a guy like Charlie around for crises, and Venice is going to be a big one.

  But there are at least two others brewing at the bank. The first involves some of the bank’s law firms. Chinese nationals have been stealing proprietary data on deals for years in order to insider trade. It’s getting worse. They’re starting to share that information with other operatives in other countries. Hundreds of them. Insider trades galore. The Department of Justice is investigating. The Securities and Exchange Commission is investigating. But the law firms are clueless. Then the SEC was hacked, too, by the same people. The cycle continues.

  The Chinese are out there smashing and grabbing and they’ve got their mitts on some heady stuff. They treat hacking like a full-time job, a cushy military career, a nine-to-five with on-the-job training. Imagine if safecracking were institutionalized, what would the safecrackers do when they retire? Take up fishing? Not when they can make much more doing the same thing underground.

  Many of the attacks, workers in the SOC now know because of some public intelligence reports they’ve received, originate from a gray cement building in Shanghai known as People’s Liberation Army Unit 61398. It’s a sooty place where employees of China’s PLA cyberunit have been hacking U.S. corporations for their intellectual property since at least the early 2000s. In the SOC in New York, the security analysts record electronic pings from the facility throughout the Chinese workday. They see a reprieve only on Chinese holidays.
