Kingdom of Lies
Page 8
The Chinese use rudimentary toolkits to break the meager defenses at most U.S. companies and steal swaths of data, most of it useless. Business plans, names of partners, dates, images, corporate charters, movies, embarrassing and incriminating information like names of mistresses and favorite kinks. They are especially interested in visiting businessmen.
Two Chinese schemes running simultaneously involve information from NOW Bank and some of its competitors, data that has been mishandled terribly by their respective law firms. Both schemes concern initial public offerings.
These two law firms deal in data related to mergers, acquisitions, and financing. Some of their divisions also handle Food and Drug Administration approvals and loans for pharmaceutical companies. NOW Bank helps finance these deals, so the information resides with them, but their law firms have access to it as well.
Knowing that an unannounced merger is going to take place or that a drug trial was successful is a great way to get key information in order to execute an insider trade. The term “insider trading” used to refer to corporate insiders, company leaders, nosy bankers, and Wall Street journalists using their access to exploit the markets. But the new insiders are hackers who plunder corporate networks, and they are making hundreds of millions.
These guys get all the benefits of insider trading without having to ever rub shoulders with bankers, lawyers, or government officials.
Luckiest fucks in the world, Charlie says, just to make Caroline laugh.
* * *
It’s now October 2014. Six years earlier, Bolin “Bo” Chou, a bisexual Shanghai expat from a village near the Nepalese border, learned how to create fake credit cards from a younger, less cynical Valery Romanov. This was in the spare time he had away from his job at PLA 61398.
Bo doesn’t like talking about his government work. Not because it is supposed to be secretive. It is. But that’s not the reason.
It’s boring. A boring story. Strapping in, executing code all day, reworking old hashes, trudging home, filling quotas. He likes computer engineering and is pretty good at it. He loves data and what it can do. He is interested in how hackers in other countries operate. White hats and black hats. They are all the same to Bo.
Because what is he? He is good, he wears a white hat, he is fulfilling his duty to country. He is bad, he wears a black hat, he is doing things that are illegal in other countries.
People like Valery Romanov, they probably think they are white hats, too, when everyone else thinks they are pure black. Everything and everyone, all over the world, is gray, in Bo’s opinion.
He loves Valery Romanov, not because he admires him, but because Romanov is pure camp. Romanov, the Russian rock star. Romanov, who posts pictures of himself with stacks of money and fancy cars. Romanov, who identifies with American rappers and calls himself Tupac. It was all so much flashier than Bo’s work at PLA 61398.
Valery is fun and ultra-capitalist with a persona much bigger than anyone working in a Chinese hack farm could ever dream of. Bo doesn’t want to emulate him, mind you. Just enjoy the show. He got into rap because of Romanov. Biggie, Tupac.
Then Romanov disappeared.
Then, it turns out, Romanov got arrested.
Bo, out of the army for a few years now, considers a different career.
In the tech-heavy suburbs of Shanghai, he tries getting into the skin care business for a while, selling pearl lotion to tourists. He moonlights as a tour guide, taking foreigners on tours of factories that make those pearl-based skin care products. He thinks about starting his own line of moisturizers. Then he gets a job washing dishes at one of the fancy hotels near the convention centers. And everything changes again.
Turns out, he loves the excitement of the hotels, the hustle and bustle. It’s all new, fun, sexy to him. It is the polar opposite of the military job. It is different, too, from the cynical, clandestine world of the Russians and newbie cybercriminals and hackers and DEFCON wannabes he’d gotten to know online. It is better than the ill-defined “hacker community,” whatever that means.
Everything else has changed, too. Bo is bi, and he likes to be quiet about that. He’d joined the army and moved to Shanghai in the first place to get away from the traditions of his home life farther west. Traditions with no room for his ambiguous preferences.
Bo thinks the visionary European and American businessmen and -women are attractive and interesting. The Israelis, wily and clever. Even the Australians and Canadians are elegant and sophisticated in their own ways, with their bold and contagious friendliness.
And here he is, struggling with his identity as part of the Chinese contingent of the world’s most boring hackers. Really, more like hammers, brute-force pounding away over and over and over again at infrastructure in the English-speaking world. Pound, smash, grab the pieces, pound, smash, grab the pieces, pound, smash, grab the pieces. Then screech out of there on worn-out tires, so everyone in the neighborhood can hear.
So Bo stays at the hotel job. Gives up the skin care tours in favor of a better racket. He rises to the status of lead doorman, because he can speak English well and remembers every detail about every guest. A nice rollover habit from his army days doing cyber-reconnaissance. He greets taxicabs, takes bags to rooms, helps direct the elegant businessmen and savvy businesswomen to the best restaurants, tailors, plastic surgeons.
* * *
At around the same time Charlie Mack is contemplating the mess in front of him at NOW Bank, Bo discovers even more reasons to love his new job, reasons that promise a beautiful marriage of past and present.
Bo is planning a fascinating evening of cyber-reconnaissance when he is distracted by a harried businessman who has left a satchel with his passport in it in a taxicab that is disappearing out of the hotel’s circular drive.
The taxi driver isn’t paying attention, and screeches out of the driveway. Bo takes off down the road. Running at a full clip for at least a quarter mile. Flat out. Like Jason Fucking Bourne, but in a black suit with a mandarin collar. He catches the taxi as it pulls up to a stoplight and pounds on the door. He manages to open it and jumps inside even as the driver tries to ignore him.
He demands the taxi driver turn around and go back to the hotel. The driver is irritated he has to travel with a passenger without getting paid. Bo promises him he’ll get paid. Bo arrives back at the hotel, and the driver continues ranting and raving out the window. Bo tips the driver extra knowing that getting the American’s passport back is the bigger win.
The businessman is pleased, of course. He tries to tip Bo for his trouble, but with a series of bows, Bo conveys that it is his honor to help the guest and that, if he likes, the guest should send a laudatory note to the hotel’s manager. Bo is a master of keeping his stock in his primary employment high—a necessity, if he wants to keep his side gigs.
Bo wants nothing else from this guy. Did you suspect something insidious? Bo would blush to say it out loud, but he is a firm believer in the mantra of don’t shit where you eat. He leaves the patrons of his own hotel alone.
But he hacks everyone else. Not in some blunt-force Chinese way, or for terrible nation-state reasons, but smoothly, elegantly, like an Israeli would or a good Russian who didn’t care for money like Romanov did. He is never the best hacker. He always tries to be the most stylish, though.
Carding really isn’t for him, too illicit. The Eastern Europeans, with their criminal groups and rules and business structures, are getting too aggressive and difficult to work with from afar.
Since it is data that he loves, he focuses on that. He is obsessive about it, collating it, parsing it, making it look gorgeous. Data is useless without someone with the skills to make sense of it, and the industriousness to do so is rare. He knows he has a niche. Data has become a valuable commodity, the commodity, more valuable than credit card numbers if you know how to present it right.
Every big company says so. Some companies, he knows, like Facebook, are already successfully making money off
of it. He can see it on the back end. But what the general public doesn’t seem to realize is that all of that data is essentially useless. Unless you care about stuff like politics and elections. And Bo does not. Too vulgar.
So Bo has begun working the travelers to the Shanghai convention center for information alongside his hotel gig.
It is exciting, and every week there are new industries—home improvement, medical devices, housewares, paint, computers. The list goes on and on. Financial firms. Nonprofits and NGOs.
The people attending are international business experts, perfect targets. He uses a commonly available type of malware that can help him get as much information on a company as quickly as possible. He delivers it through USB devices that he scatters around the convention center, making it easy for unwitting professionals to pick up and stick right into their computers, computers with all those spreadsheets and proprietary client lists.
Bo finds a great, cheap supplier from down south who sells him thousands of USB storage devices for around $100. One Monday morning, he goes down to the area that sells lots of mass-produced tchotchkes and buys a few beautiful, polished, modern-looking silver bowls.
Then Bo loads malware on each device. He creates a very professional-looking sign, one that mimics whoever is sponsoring the convention in color and font, and puts the USB devices in the beautiful silver bowl. “Free USB Storage. Welcome guests!” He leaves them, surreptitiously, in the lobbies of the hotels or the convention center cafeteria or, if he can slip in, its press room, where all the media outlets take their breaks and meetings.
In the early days of this scheme, convention-goers would pick up the devices and use them much more frequently than they do today. Many people have learned such freebies might be risky, and Bo is fine with that. Because the ones who pick them up are enough. He isn’t greedy.
Once the simple malware loaded onto the USB drives is installed onto their computers, Bo grabs as many spreadsheets—just spreadsheets—as he can from their machines. The malware will probably be caught in a routine scan by some corporate technology team when the travelers get back to New York or San Francisco or London or Brisbane, but by then it will be too late. Bo will have everything he needs, including all of the emails and personal details of the individual’s business contacts. He particularly likes getting business plans, budgets, future merger ideas.
Then, after all this excitement, the denouement. What does Bo do with this valuable information? He has an account on Fiverr, a legitimate, U.S.-based website for freelancers, and he sells this business intelligence to other companies. Companies that love the breadth and depth of his data but have no idea where it came from and know better than to ask.
The platform behind Fiverr is fairly simple. The baseline price is $5, which is where anyone using it to sell goods starts. Bo picks a simple interface, lists his location as Japan, uses a special program and a virtual private network—a program that masks his movements from the Chinese government. To an outside observer, it would look like Bo’s computer is pinging from a Tokyo apartment complex.
From there, he offers “curated” lists made up of “publicly available” corporate information on big players in all the industries that have trade shows in Shanghai. Building materials. Finance. Risk and compliance. Even money laundering. He starts with a $5 price tag for a basic report.
Of course, his intel is so good, the business quickly grows. And he is so good at curating it, business contacts recommend him to others in their industry. He becomes especially popular with salesmen looking for detailed prospect lists. He becomes a master at PowerPoint, making the data even more digestible to his less-than-tech-savvy customers.
The platform helps him get paid in all kinds of currencies—U.S. dollars, euros, cryptos—all of which are far more valuable than his local currency.
But even this is wearing thin. Bo wants to go legit permanently. His love of the business-class lifestyle means he is starting to find the pursuit of illicit gains to be far too vulgar. The problem, of course, is the scheme is so lucrative and so easy he can’t afford to give it up.
7.
The Tryout
Caroline is preparing for a hack-a-thon. It is meant to get young engineers to come to the bank and showcase their skills.
It is an all-night affair. Coding through the wee hours of the night. The kind of opportunity that younger people, seeing promise in working at a bank, might jump at.
They are all college students, a few still in high school. Caroline will put them through their paces, allow them to write new code to fix a variety of problems. She gathers some of the engineers into teams to allow them to maliciously hack one another on a fake bank network.
It is billed as a charity event, but it is really a tryout camp.
Caroline makes sure the results are meticulously recorded. Early on in events like this, one or two rock stars are always evident. Kids who just have it. Perfect 10s.
And she likes to pull those people out of the crowd. Sit them down for a tea. Talk to them about how important cybersecurity is to the financial services sector. How rewarding it is to come work as a hacker for a bank. The bonuses they can make. The importance of a prestigious, marquee name on their resumes. A name like NOW Bank.
But today, despite the excitement of what’s to come, she is really tired and really pregnant. She is a short, petite woman, and being really pregnant is no joke. It means serious balance issues. It means almost constant trips to the bathroom. And to her, it means worrying about her job because it seems like women in the department run by Bob Raykoff are being “managed out.” That is the euphemism in corporate speak for an unspoken but established technique of making one’s work life so unpleasant and unrewarding that one will want to resign voluntarily, thus saving the company severance pay and possible litigation. In her opinion, Bob is a jerk, but not of an outstanding type. This is a standard work challenge, endured by women all over the world, one she’s helped many of her employees through and one she intends to weather with dignity.
But it’s hard. The sighs and wan smiles from people who know she’s not coming back from maternity leave wear her down. So do the congratulations, both parties understanding that she’s just forfeited her bonus for the year. This is Caroline’s second time through this, which is a blessing and a curse. When it’s your first baby, everyone around recalibrates their expectations because they know your loyalties are going to be split in a most significant way. How will she make my project her priority with a baby to worry about? God, she hated that.
She’s comforted because she has her network to lean on. Her former boss, Joe, the Kool-Aid Man, has moved on to a job at an insurance company. Nice and safe out in central New Jersey.
Another of her charges, Frances, the woman she prepared a care package for when her house burned down, gets Caroline an offer from a consulting firm. It would be a huge raise. She turns it down, knowing that what she wants next is something a little quieter.
She tries to tell the kids at the hack-a-thons that the trope of a morally tormented genius like Mr. Robot couldn’t be further from the truth. Most people in this field are just normal, average Joes. Some are even mom types, sitting there, organizing the program, making sure everyone’s on time and under budget. Getting into the field and getting good at it won’t make you cool if you weren’t cool to begin with. And that’s OK. Cool people are frequently unreliable.
When Caroline had her first child, she was 35. She’s now almost 40. Just before giving birth that first time, her doctors discovered a significant and possibly deadly tumor on her thyroid. She brought the baby, a boy, to term, underwent a C-section, and then immediately went into surgery to have her tumor removed on the same day.
She endured cancer treatment while raising her newborn. Then she went back to work at NOW Bank.
And today, she has some government wonk, high on the scent of his own gas, suggesting that her nearly 20-year career in cybersecurity is over? Caroline would use her sig
nificant influence to ensure that Prem takes Raykoff’s job, and Raykoff gets demoted and shuttled into a less influential—and far less risky and damaging—position before she departs. It will be one of her final acts at NOW Bank.
Caroline is sad, but she isn’t afraid.
8.
The Father
Another goddamn, motherfucking hassle, Victor Tanninberg thinks, as he contemplates the 1994 Corvette before him at Padraigh’s place. He looks through his bag for some of his older equipment. Another motherfucking hassle when I leave the house, he thinks.
His phone is ringing. An ancient Samsung flip-phone he found on eBay because he despises Apple and Google. His son is calling.
He says he’s going to a friend’s house; he’s hungry and is going to stop to eat along the way.
The voice Victor uses on the phone is a complete mismatch to the one in his head.
“OK, just be careful. Are you going to take the bus back from Steve’s? All right. Want me to bring you home some Subway? Be careful, OK?”
Then he hangs up. Mutters a string of curse words under his breath. His son is good, shy, with a few friends he keeps close. He’s quickly turning into an accomplished artist, and Victor has taught him to play guitar, one of his own hobbies.
He’s also taught him to specialize in evasive maneuvers, not while driving but while living. Never attend large events in high-value-target locations like Madison Square Garden. Take the subway sparingly, and only to and from stations that are unlikely to be targeted by terrorists. Avoid Grand Central Station and Times Square.