Kingdom of Lies


by Kate Fazzini


  René will miss the ransomware explosion that she in her own small way helped create. Her jaw tightens involuntarily. She wonders if she has a jaw problem. It aches and she doesn’t know why. She feels something hot. Sig is always saying she seems too anxious. She can feel her jaw tightening, her teeth grinding. Is it nervousness, anxiety? Or maybe it’s something else. What is the medical term for feeling trapped with no way out?

  * * *

  In Shanghai, Bo Chou is involved in a bit of a flirtation with one of his customers. The businessman is English but working in Senegal. He has a picture as part of his Fiverr profile—so few of them do. They take their conversation offline, flirting over Signal, an encrypted texting application.

  But things quickly take a turn, when the client, who works for an oil company, starts asking him questions about where he gets his data. Bo goes with his usual lines, about public sources of information, SEC filings, and so on. But the client doesn’t let up. “This info is too good, too personal, to come from public sources.”

  They’d been talking about far sexier things, and Bo’s antenna goes up. He’s only ever a few steps removed from his military training.

  “I know for a fact that those email addresses you had for Saudi Aramco aren’t public anywhere,” the client writes.

  Bo will drink himself into a stupor that night and go to work at the hotel the next morning hungover. But first he drops the phone on the bed like a hot potato. Then he deletes his chat history over Signal. Then he uninstalls the application. Then he wipes his phone entirely. Then, in a fit of pique, he drops it in the toilet and, after that, smashes it with a hammer.

  Can’t be too careful.

  12.

  The Researcher

  It’s nearing the end of spring in Romania, a beautiful June day. The Romanian word for spring is “arc.” Sig likes that. His story and TechSolu’s story are about to take another turn, so it seems appropriate.

  Sig is looking over the shoulder of his cousin, a German computer expert named Dieter Reichlin, who looks much more the part of a hacker than Sig does, which amuses him. Dieter is tattooed from wrist to shoulder on both arms, with colorful scenes of outer space and fantasy planets that don’t really exist. He wears a black T-shirt and black jeans and black leather boots, all cheap. His hair is long in the back and thinning a bit on top.

  Sig has lured Dieter here so he can learn more about a scam that Dieter has written about but doesn’t have the balls to pull off himself. That’s the difference between the two: Sig is a man of action while Dieter sits on the sidelines and observes.

  Dieter seems not to care about making money, which confounds Sig. No matter, Sig thinks. More for me.

  * * *

  Dieter is a security researcher. A legitimate one. He’s visiting Romania. Doesn’t love it. Doesn’t trust it. Has to get a bunch of burner phones to even enter the airspace.

  Security researchers occupy an interesting subsegment in the cybersecurity field. They are typically independent engineers, hackers, or intelligence gatherers. They offer freelance services and promote their work through written articles or blog posts exposing various corporate missteps or new types of cybercrimes.

  They often get to know criminals or criminal organizations in order to describe their crimes to the outside world. Dieter is a bit of an anomaly. He is acutely interested in privacy research, and often keeps his findings to himself.

  Dieter believes Sig is under the impression that Dieter has no idea that TechSolu is a front for criminal activity. This is fine with Dieter. Sig has been vague about his reasons for moving to Arnica Valka. Sig deflects any conversations related to his current work. Deflect, smile, nod, move on. That’s Sig, a master of deflection.

  Dieter is a cousin related not by blood but by proximity. Their mothers were childhood friends, so they had been forced together as playmates and for family trips and had, by necessity, floated in the same general direction their whole lives. Computer camps. Coding classes, which Dieter excelled at and which Sig failed. Attempts at soccer, which Dieter failed and Sig managed better with his tall, lean physique.

  But for some reason, despite being taller and much better looking, Sig never did as well with girls. That was always a sticking point, Dieter knew, one he was wary of. Sig’s flashes of anger could be cold and scary, and he preferred to avoid them.

  Sig and girls. Dieter had reminisced for the entire three-hour flight here from Helsinki. Girls would flock to Sig in droves, attracted by his good looks and charm, but only days or weeks later they would break up, the girls looking blank-faced and dejected, whispering to friends about Sig in a way that Dieter understood to mean that he was being blackballed in some fashion. And blackballed he was.

  Growing up, Sig kept having to move in wider circles, outside their small town to neighboring villages, until those girls were whispering about him, too. Sig moved farther and farther away. Now he is all the way in Romania, and Dieter can’t help but wonder what kind of girl he’s got locked up in that new house he keeps bragging about.

  To Dieter’s surprise, when they became teenagers, it was he—short, a bit awkward but warm enough—who managed to do better with girls. For him, they were usually computer geeks, but he always had a pretty girlfriend who would stick around even after the breakup to be friends. Sig sneered at this, but he was clearly jealous. It drove the men apart. Dieter was not a psychologist, so he could not say why.

  Dieter didn’t like Sig, but he stayed close to him. This puzzling decision—puzzling even to Dieter himself—would only make sense later. Once Sig became a criminal and Dieter went on to be a researcher, he understood why. Because Sig made a very good specimen, and Dieter, an excellent scientist.

  Three years prior to this flight from Helsinki to Bucharest, Dieter married a beautiful ghost-colored girl from Finland and settled there with the goal of having many pale children and quietly hacking computers for the purposes of good.

  Around that same time, Sig got into some kind of trouble in Germany and ran off to Eastern Europe, and that’s when the phone calls and visits stopped. Whether the trouble was with girls or computers, Dieter was never sure.

  So then Sig was gone. Jet-setting, he said.

  Dieter has ghostwritten a few articles in a German computer academic periodical about ransomware and criminal enterprises in Eastern Europe. He writes about social-engineering techniques in particular, the ones that involve people pretending to be someone they aren’t by email, phone, text, even in-person meetings in order to get something from someone else fraudulently.

  In one, where he was credited by name, he wrote about a particular ATM cash-out scheme that involved an especially tricky bit of social engineering—in this case, very slick fraud, the kind of work that suits narcissists and sociopaths. That’s when he got an email from Sig, who was impressed with his research and wondered if he’d like to visit Romania. Bucharest is so nice this time of year, he wrote.

  Dieter immediately agreed to the trip. Sig believed it was because his long-lost cousin must be bored with his married life and childcare responsibilities, because who would enjoy such things?

  Dieter, always the researcher, merely wanted to know what Sig was up to, because Sig was a criminal. And Dieter tracks crimes and likes to write about them.

  So around and around they went, making travel arrangements and small talk for a few weeks by phone and email, a light waltz of two oppositely charged magnets.

  They settled on a good place to meet—a pub near the Bucharest airport. Dieter lies and says he can only spend the day before he has to return home. The plausible fiction: he must get back to watch the kids while his wife is on a business trip.

  “That’s terrible,” Sig says.

  “Yes, yes, what can I do? She wants to work, but you know women,” Dieter had whined, his wife laughing silently and giving him the finger from the kitchen.

  * * *

  Now, here they are, in this pub in Bucharest. Sig watches expectantly as Dieter describes this new type of crime in detail. ATM cash-outs aren’t particularly novel, but this particular approach takes it to a new level.

  “It starts like this,” Dieter says. “Let’s say we are dealing with two locations. Bucharest in Romania and Tallinn in Estonia. You start with research. Banks have different kinds of ATMs, and some of them hold more money than others. Some hold up to $200,000. Most hold around $10,000.

  “The $200,000 ATMs have a lot of things in common—they are older, connected with banks that don’t have reasonable hours, and are often in areas where people do a lot of business in cash. These may be popular areas for mob activity or lots of Saudis or something like that. So you find out the First Local Bank of Tallinn has one of these big, overloaded ATMs. More research. When does the ATM get filled, what time of day? What car company brings the cash? When do they depart? Is the bank open or closed at the time? Does it see much traffic on that day?” Dieter pauses.

  “You find the optimal location that meets all your criteria. OK, now you have your cash-out target.”

  Dieter has created a rudimentary PowerPoint presentation to illustrate this, on a crappy seven-year-old laptop. Sig frowns at it, pokes fun at how bad the PowerPoint is, comments that he knows somebody who could make it better. Dieter takes a drink of lager and ignores him.

  “The next step is getting an account. Let’s say you find a nice, small bank, the First Local Bank of Tallinn. It has a branch in Bucharest. So you get a mule, somebody you know well, who looks trustworthy. Like you! Not someone with lots of tattoos and bad clothes like me.”

  A sheepish smile from Dieter before he continues. “This good-looking mule opens an account at the First Local Bank of Tallinn in Bucharest and lists a Tallinn P.O. box as their address. They get a checking account with a debit card and a modest deposit and a credit card with a modest limit. The debit card and credit card for the bank are sent to the P.O. box in Tallinn, where you have another person you know, a money mule, pick it up. If you are—or a criminal is—working with a big network of people.”

  The next slide is taking a long time to load. Dieter feigns exasperation with the old laptop.

  “You know,” he says, “if you don’t like the PowerPoint, I have a video presentation that illustrates this crime—it just won’t play on my piece-of-shit computer.”

  Sig sighs, eyeing him cryptically. He reaches into his book bag and gets out a new, expensive laptop.

  “Jesus, that thing is beautiful,” says Dieter.

  “You need to treat yourself,” says Sig. “I’m sure budgets are limited with a wife and kids. But you need to have the best stuff if you are going to succeed in your business. I hope this woman knows that.” Sig smiles pityingly.

  “What can I do?” Dieter shrugs. “You know women.” He tugs at the collar of his $2 T-shirt. His face turns red and his jaw tightens. He does his best to pass it off as shame, but something about Sig’s casual cruelty sparks his anger, and he doesn’t think it’s their history together, not some sort of latent sibling rivalry.

  At home, Dieter has a custom-built, state-of-the-art, completely segmented personal network. A fully automated smart home. He has three or four laptops far nicer than the beater he’s using now. His yearly compensation is in the mid six figures, higher if he feels like pushing it. His wife is a successful accountant. Dieter doesn’t need to brag about his wealth. Sig’s weakness is his arrogance. Dieter knows this so he keeps his emotions in check.

  Dieter gets a USB drive out of his pocket and sticks it into Sig’s computer. Sig barely notices. Dieter continues praising the computer, its sleek lines and massive memory. He launches the video presentation about the ATM cash-out scheme from the memory stick. Unheard and unseen over Dieter’s praise is the fact that a very specific, very insidious little piece of custom-made malware is already installing itself on Sig’s computer.

  * * *

  The delicate little waltz between the two cousins continues. The video unfolds as a nice, clean, beautiful presentation, magically queued up right where Dieter had left off.

  “So where was I? Oh yes, if you—or the person in question—is working with a criminal network, they will undoubtedly have mules already available in Tallinn for the next step. But if it is a smaller organization, usually someone very close to the criminal or the criminal himself will make the trip. The mule picks up the debit card from the P.O. box in Tallinn and activates it, then waits.”

  “Waits? How frustrating!” Sig smiles, focused on the video, paying no mind to the USB stick. Some criminal, Dieter thinks.

  “Now, the hacking part. Someone needs to install a back door on the bank’s network, but discreetly. This can be accomplished with social engineering, convincing a system administrator at the bank to give up their login or password. Or phishing them. Or otherwise delivering malware that steals credentials. There are a few different ways of achieving it; it’s a part of this particular scam that is not yet terribly well defined. However the method, you get into the bank’s networks. You locate the account associated with the one that the mule just opened.” Dieter pauses the video.

  “The target here is the average daily limit for withdrawal and the credit limit of the credit card. You tick both of these up very high, to at least $200,000. Most accounts have a limit on how much you can take out of an ATM in one day, so you have to override that. And obviously, you need to have the highest possible credit limit.”

  Sig’s eyes are wide as he focuses on the paused still of the video. Another round of lager arrives. “The bank doesn’t catch the change?” Sig asks.

  “They might; it depends. It depends a lot on their employees, who are watching for anomalies. But typically, no, at least not right away. That’s why you do the next part very quickly. The mule in Tallinn takes the credit card, waits for the day the ATM is filled. He brings a burlap bag. Goes at night, with the appropriate clothes, a bit of a disguise. He puts the credit card in, types in some number, something just below $200,000, and the ATM spits it out. He covers the money dispenser with the bag and fills it up, then walks away. Some of them get away with a million in one day.”

  “What type of malware for the credentials?”

  “There’s one called August Malware that targets Microsoft Word documents, easy for most banks, though not Russian ones. There’s Acecard and GMBot; both of those target the Android operating system.” Dieter shrugs innocently, but he knows everybody uses Android in Romania and that Sig is paying close attention to this.

  Sig is smiling softly now, getting a little drunker. He has it scoped out in his mind. He is getting tired of ransomware—too many other organizations are getting involved in it. This seems like a nice new step. And he already knows a pretty, auburn-haired Romanian girl who would make the perfect mule.

  Dieter takes the USB stick out deftly and puts it back in his pocket. He feels more relaxed, too, partly because of the alcohol and partly because his malware trick worked. At the very least, it went unnoticed. And he will be on a plane back to Helsinki soon.

  They talk about superficialities. Sig never mentions René. Dieter steers every sentence away from his wife and kids. They settle on politics. The upcoming election in France—Sig is sure the far right will win. In the American presidential election, a candidate named Donald Trump, a television star as far as Dieter understands, has just announced he will run.

  “The whole thing will be a zoo, that is the only thing that I know,” Dieter says. Sig drunkenly agrees.

  “I don’t think the woman who is going to run will be very popular,” Sig says. “It will be interesting to see what the Russians do. They’ve been very active lately.”

  “Yes,” Dieter agrees, this time truthfully. He checks his watch. Time to go.

  13.

  The Volunteers

  By 2015, anyone who works in cybersecurity—criminal, good guy, or in between—can see that the Russians are more than active. They are so busy they can’t train their hackers fast enough.

  Cybercriminals are in high demand, especially by government-sponsored intelligence organizations. There are so many hackers in intelligence organizations and intelligence operatives involved in cybercrimes that even those in the know aren’t sure exactly who they are dealing with.

  This activity spikes during the lead-up to the 2016 U.S. presidential election, but the participants in Russia are so spread out, in terms of their geographic location, ideology, and backgrounds, that it doesn’t appear like a coordinated effort. At least not to the untrained eye.

  By this time, there is no longer a “farm team” from which to pull eager candidates into Russian cyberoperations. Recruitment has taken on a whole new angle.

  The people doing bad deeds may have no desire to work for the government. They’ve never signed up for any patriotic mission beyond cheering on Russia in the World Cup. But they are being pressed into service by the government.

  These young Russians are a lot like the young students at Caroline’s hack-a-thon at NOW Bank. Instead of a conference room at the bank’s headquarters, they are being recruited from all over Russia. A cup of tea and a recruitment pitch from one of Vladimir Putin’s henchmen is more persuasive than Caroline’s pep talk.

  * * *

  The recruitment process may be more modern, but one of their primary tasks is age-old. Election interference is an art, one perhaps first perfected by the British.

  In 1940, British intelligence officers wanted to stack the American political deck with individuals who would favor U.S. entry into World War II. To do it, they tapped the phones of political candidates and used the deleterious statements they recorded in media campaigns against candidates who did not support their agenda.

 
