An APT is an advanced persistent threat, one of the most dangerous types of hack because it’s a group effort and it’s patient, organised, complex and intelligent, and usually directed at major corporations to steal data or trade secrets. It’s particularly favoured by Chinese government-directed teams of hackers trying to steal technology from the West. Planning and execution can take months as the target’s network and the people who use it are studied and probed for weaknesses – a phase known as ‘target development’ – before attempts are made to breach it, often using apparently legitimate emails or social media link requests sent to employees.
These typically carry a malware attachment or a link to one, which provides an access channel once activated, and it only takes one employee to open the attachment or click on the link for the damage to be done. Some APTs have only been detected months after the initial intrusion, when huge amounts of sensitive data are picked up leaving the system. By which time, of course, it’s much too late to stop it. Completely cleaning a system after an APT can be difficult. Months after one American company had cleared its network, a printer was found to still be sending messages to a server located in China.
Foster shook his head firmly.
‘This wasn’t an APT,’ he replied. ‘This was the barbarians banging on the gates of Rome. It was crude, basic and short-lived. I think it was just an opportunist attack. These hackers were just seeing if they could force their way inside the system.’
‘Okay. Then you detected a user acting suspiciously. Do you think that intrusion was orchestrated by the same group that tried the brute-force attack?’
‘Good question. Possibly, maybe probably. I wondered if the unsuccessful attack was a kind of diversionary tactic to make us concentrate on them trying to breach the firewall while another hacker used the log-in credentials they’d obtained to get inside. While the attack was still going on, one legitimate employee – a man named Simons – logged on as usual, but then didn’t visit the parts of the system he normally did, which the monitoring software flagged up. Everybody on this system, with just a few exceptions, is restricted to the areas relevant to the job they do, as you’d expect. This user started by typing the command prompt, CMD.EXE, and then began inputting low-level DOS commands to try to change the directory, view the directory structure, copy sections of the drive, things like that. We didn’t shut him down immediately because there are internal barriers and restrictions so we knew he couldn’t do any damage, and just watched him.
‘At the same time we checked his user credentials and permissions. We assumed he was just bored or nosy, but when we found out he was incommunicado in hospital we knew we had a third-party intrusion. We recorded the inputs he was using for a few more minutes, and then locked him out. We blocked the user’s log-in credentials and his password, and as far as we were concerned that was the end of the matter, at least in terms of the breach. We reported it up the line because that’s our standard operating procedure and wrote it up.’
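The detection Foster describes, a role-restricted user whose session wanders outside the areas his job covers, spawns a command shell and starts issuing directory and copy commands, is the kind of thing a monitoring system can score automatically, and the HR check (the account owner is in hospital) is the piece that turns a curiosity into a confirmed credential compromise. The following is an added worked example, not code from the novel or from any real utility company’s monitoring software. The log format, the role allow-lists, the user names and the HR absence feed are all constructed for the illustration.

```python
"""Toy session-anomaly detector for the scenario described in the text.

Inputs are constructed, one-line-per-event logs of the form
    <timestamp> user=<name> event=<type> key=value ...
The detector flags a user when their session (a) touches file shares outside
their role's allow-list, (b) launches an interactive cmd.exe, (c) runs two or
more discovery/copy commands, or (d) belongs to someone HR says is absent.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed role allow-lists: the share roots each role normally touches.
ROLE_SHARE_ROOTS: Dict[str, set] = {
    "billing": {r"\\fs01\billing", r"\\fs01\shared"},
    "engineering": {r"\\fs01\engineering", r"\\fs01\shared"},
}
USER_ROLE = {"simons": "billing", "patel": "billing"}          # assumption
USERS_ABSENT = {"simons": "hospital"}                          # constructed HR feed

SHELL_IMAGES = {r"c:\windows\system32\cmd.exe", r"c:\windows\syswow64\cmd.exe"}
DISCOVERY_VERBS = {"cd", "dir", "tree", "copy", "xcopy", "robocopy", "net", "whoami"}

EVENT_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+)(?: (?P<rest>.*))?$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Session:
    user: str
    shell_started: bool = False
    discovery: List[str] = field(default_factory=list)
    foreign_paths: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one event line into a dict; quoted values keep their spaces."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    rest = ev.pop("rest") or ""
    for key, val in KV_RE.findall(rest):
        ev[key] = val.strip('"')
    return ev


def share_root(path: str) -> Optional[str]:
    """Return \\\\server\\share for a UNC path, or None for anything else."""
    parts = path.lower().split("\\")
    if len(parts) >= 4 and parts[0] == "" and parts[1] == "":
        return "\\\\" + parts[2] + "\\" + parts[3]
    return None


def analyse(lines: List[str]) -> Dict[str, List[str]]:
    """Return {user: [reasons]} for every user whose session looks anomalous."""
    sessions: Dict[str, Session] = {}
    for line in lines:
        ev = parse_line(line)
        if not ev:
            continue
        s = sessions.setdefault(ev["user"], Session(ev["user"]))
        allowed = {r.lower() for r in ROLE_SHARE_ROOTS.get(USER_ROLE.get(ev["user"], ""), set())}
        if ev["event"] == "file_access":
            root = share_root(ev.get("path", ""))
            if root and root not in allowed:
                s.foreign_paths.append(ev["path"])
        elif ev["event"] == "process_start":
            if ev.get("image", "").lower() in SHELL_IMAGES:
                s.shell_started = True
        elif ev["event"] == "cmdline":
            tokens = ev.get("cmd", "").split()
            if tokens and tokens[0].lower() in DISCOVERY_VERBS:
                s.discovery.append(ev["cmd"])
                for tok in tokens[1:]:          # paths named on the command line
                    root = share_root(tok)
                    if root and root not in allowed:
                        s.foreign_paths.append(tok)

    findings: Dict[str, List[str]] = {}
    for user, s in sessions.items():
        reasons = []
        if s.foreign_paths:
            reasons.append("path_outside_role")
        if s.shell_started:
            reasons.append("interactive_shell")
        if len(s.discovery) >= 2:
            reasons.append("discovery_commands")
        if user in USERS_ABSENT:                 # the check that settled it in the text
            reasons.append("user_absent:" + USERS_ABSENT[user])
        if reasons:
            findings[user] = reasons
    return findings


# Constructed sample log: one normal billing user, one hijacked billing account.
SAMPLE_LOG = r"""
2024-03-11T09:02:11Z user=patel event=logon src=10.20.4.21
2024-03-11T09:03:02Z user=patel event=file_access path=\\fs01\billing\march.xlsx
2024-03-11T09:02:40Z user=simons event=logon src=10.20.4.17
2024-03-11T09:04:15Z user=simons event=process_start image=C:\Windows\System32\cmd.exe parent=explorer.exe
2024-03-11T09:04:31Z user=simons event=cmdline cmd="cd \\fs01\engineering"
2024-03-11T09:04:50Z user=simons event=cmdline cmd="dir /s"
2024-03-11T09:06:12Z user=simons event=cmdline cmd="xcopy \\fs01\engineering\designs D:\tmp /s /e"
""".strip().splitlines()

if __name__ == "__main__":
    for user, reasons in analyse(SAMPLE_LOG).items():
        print(f"{user}: {', '.join(reasons)}")
```

Running it prints a single line for `simons` listing all four reasons and nothing for `patel`. The design point is that none of the first three signals is conclusive on its own (an IT administrator opens cmd.exe all day), which is why the example also joins the session to an external fact about the account owner; that join is what Foster’s team did by phone, and automating it is what lets a SOC lock the account out in minutes rather than watch for hours.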
‘So how did your unknown hacker get this man’s credentials?’ Morgan asked.
‘We don’t know, and obviously we’ll be interviewing Simons when he gets back. We’ve already done a thorough check of his computer terminal and working space, just in case he was stupid enough to write his password down on a post-it note and stick it on his monitor or in a drawer or somewhere, but we didn’t find anything like that. We have rules against that kind of thing, obviously, but you’d be amazed how many otherwise sensible and intelligent people think that for some reason those rules don’t apply to them.’
‘So I suppose you’ll be looking at social engineering, something like that?’
‘That’ll be one of our first questions when Simons gets back. Again, it’s staggering how many people will answer the phone, and if the bloke at the other end tells them he’s from technical support and sounds convincing enough they’ll tell him their password or PIN or almost anything else. I’ve talked to a few people who’ve told me they never gave away their entire PIN and have then admitted there was a problem on the line and when the caller asked for the first and third digits he apparently didn’t hear them and then asked for their second and fourth characters, which they cheerfully gave him. It’s just incredible how stupid some people are.’
Morgan nodded.
‘Sometimes it’s not simple stupidity, just that the person doing the social engineering is really good at it. I was involved in bank security in a former life and I remember dealing with one woman, a shop manager so presumably reasonably bright, who’d been contacted by somebody pretending to be from the local branch of her bank. He told her there was a major problem with her account and her credit card and said the matter was so serious and so urgent that they would send a courier round immediately to take her credit card and arrange for a replacement. They also asked her to write down all her personal details – not just her name and address but also her credit card PIN and the numbers of all her bank accounts and the numbers and PINs of all her other credit and debit cards – and give all that information, with the card, to the courier. Twenty minutes later a scruffy man wearing jeans and a leather jacket and riding a battered old motorbike turned up at her door. She handed everything over to him and it was only when he rode away that she even started to have any doubts. They took her for five or six grand, if I remember correctly. And, as I said, she was an intelligent woman, but the caller was so convincing on the phone that she believed the whole story. They’re really clever, these people.’
‘I know,’ Foster agreed. ‘I think that’s probably the most likely explanation for the misuse of Simons’s log-in details, and obviously we will find out what happened in this case. But we have blocked his account, so we won’t see anybody else coming in that way, and he didn’t have anything like the access he would need to set up a backdoor or create a superuser account, so we’re happy that the system wasn’t compromised.’
‘Good,’ Morgan said, standing up ready to leave, ‘but keep your eyes on it. This could be just the start. Npower had an attempted hack as well over the last few days, and the last thing we want is for any of our utility providers to be compromised.’
‘Before you go,’ Foster said, ‘I’ve got a question for you. You told me your outfit, this C-TAC group, is full of anti-terrorism specialists.’
Morgan nodded and sat down again.
‘So I presume you’re not just interested in investigating cyberattacks?’
Morgan nodded again.
‘So let me ask you about the fairly obvious elephant that may or may not be standing in the corner of the room.’
Morgan already had a good idea where this particular conversational thread was likely to be heading.
‘Did you hear about the gas leak that wasn’t in the Palace of Westminster? Or about a collision on the Thames between a police launch and a cabin cruiser?’ Foster asked. ‘There were a few social media posts about it last night and this morning and even a couple of not very clear pictures. Do either of those events have anything to do with the cyberattacks on the utility companies?’
‘Those are good questions,’ Morgan replied, then paused. ‘Before I say something I shouldn’t, I presume you were vetted before you took up this post, so what security clearance do you hold?’
Foster didn’t look surprised by the question. Most people in sensitive positions in either the military or civilian life are frequently asked to confirm this information.
‘I’m BPSS and CTC. That’s Baseline Personnel Security Standard and the Counter Terrorist Check.’
‘I do know what the initials mean,’ Morgan said. He’d already checked Foster’s background. The man had served in the Royal Air Force with distinction, a career path slightly at odds with the man in front of him. He looked bored and Morgan suspected he missed past glories stuck in EDF’s IT department. His answer was more or less what Morgan had expected.
‘Okay, and for your ears only, although no doubt the media will eventually get hold of it, the gas leak was a cover story, and the reason the cabin cruiser was rammed by the police launch was because the two Middle Eastern gentlemen on board were about to try and do a Guy Fawkes on the Houses of Parliament with a sodding great IED. But as far as we know at the moment, based on what little information and analysis I’ve seen, there’s no direct link between that failed attack and the cyber stuff.
‘However, the one terrorist who survived the collision did give a kind of warning that whichever outfit he worked for had something much bigger planned than blowing up the Houses of Parliament. And because the attack he was involved in was aimed at destroying the Palace of Westminster, the initial analysis from MI5 at Millbank is that they may be going after Western governments. If that’s correct, the next obvious target after Westminster is most likely Washington D.C. Because we know that cyberattacks have been launched in both America and here, it’s possible that there may be a link between destructive hackers on the Internet and physically destructive terrorists on the streets, or in this case on the water. But we don’t know for sure if there is a link, or what that link might be if there is one, because the two worlds are really entirely separate.’
‘If that bomb had gone off,’ Foster asked, ‘would it have destroyed the Palace of Westminster?’
‘It probably wouldn’t have flattened the building, because the epicentre of the explosion would have been too far away, but it would’ve done substantial damage to the structure. We’re talking about collapsing walls here, not just a few bits of broken glass. Millbank and everybody else in the loop thinks they probably had three separate but linked aims. They wanted to cause a massive loss of life, because that’s the hallmark of a radical Islamic attack, which we’re pretty certain this was. But they also wanted to kill as many members of the government as they could, because they would certainly create far more of a national and international sensation by slaughtering a hundred Members of Parliament than by killing a hundred assorted citizens of London. So those two aims kind of morphed into one.
‘The obvious way for them to achieve this would have been to cause massive damage to the Palace of Westminster while Parliament was sitting, and wrecking the building that’s home to the British government was their third aim. We were lucky that the crew of one of the river police boats spotted the cabin cruiser and worked out what the two terrorists were trying to do. That gave us time to evacuate the building so that even if the bomb had exploded the loss of life would have been minimal. If the attack had worked, it would have sent an unmistakable message to what was left of the British government, and you probably know how these terrorist groups like their messages. I’m slightly surprised they weren’t videoing it.’
‘Maybe they were,’ Foster suggested, ‘but they wouldn’t have wanted to broadcast a film of a failed attack.’
‘True enough. Anyway, I think the papers will have it on the front pages by the end of week, but until it’s in the public domain please keep all this to yourself.’
Chapter 21
Near Cheltenham, Gloucestershire, United Kingdom
Dave North collected a pint of bitter from the bar and walked over to a wooden table on one side of the lounge bar of a pub called the Gloucester Old Spot located at Piff’s Elm on the A4019, just north-west of junction 10 of the M5 motorway. The slightly strange name of the location dated from the mid-eighteenth century when the pub, then known as the White Swan, was owned by a member of the Piff family and referred to a vast elm tree, reputedly with a girth of over twenty feet. The name lasted longer than the tree, which was felled in 1845, the process taking a team of nine men two weeks to complete.
It was a typical village pub, with uneven white plastered walls decorated with hunting prints and framed by wooden beams blackened by paint and age and smoke. At one end of the lounge bar was a fireplace that wasn’t quite an inglenook but which certainly had aspirations in that direction, and where a fire had been laid ready for lighting in the early evening.
North sat down opposite Ben Morgan, who already had a drink in front of him, having arrived a few minutes earlier.
Morgan stood up to shake hands, then lifted his glass a foot or so above the table in greeting. ‘Cheers. Good to see you again, Dave. Is this purely social, or was there something else?’
‘Both, really. I wanted to pass something by you before I raised it with the rest of C-TAC at Legoland, just in case I’m tilting at windmills and seeing something that really isn’t there.’
‘Go on,’ Morgan replied, replacing his glass on the table and leaning forward slightly. ‘I assume this is something to do with what happened to your helicopter pilot?’
North nodded.
‘It is. I told you the Ruperts up at Credenhill were going to run checks. They took blood samples from everybody there, from the CO downwards and including me. They had them analysed just in case any of us had the same buckyballs in our bloodstreams, but thankfully none of us had either intact or broken up fullerenes, so we obviously hadn’t been infected. Autopsies on the other three men – the local paper had included Bob O’Brien in the headline figure – showed that they all had broken and empty fullerenes in their blood and traces of the same chemical compounds as O’Brien, so the cause of their deaths was the same.’
‘I assume your officers did an investigation to try to identify the source?’ Morgan suggested.
‘They did. None of the people who died had any unusual habits or hobbies or anything like that, so it was all a bit inconclusive. Eventually the Head Shed came to the conclusion that the most likely source was a local pub, because that was about the only place where any hostile agents could actually get into close contact with SAS personnel. When the SAS hit a boozer they tend to go as a group, nobody usually bothers to keep count and it can get quite noisy. On a typical evening some third party might be able to drop something into a few of the drinks as they were being ferried from the bar to wherever the members of the Regiment were standing or sitting. In each drinking session the troopers talked about, it was just a typical night out on the town, and none of them thought any more about it.’
‘Until you almost ended up in a smoking hole in the ground somewhere in Wiltshire and three other men dropped dead.’
‘Exactly. And then the Ruperts did the obvious. They checked to see if there was any link between the four men apart from a certain fondness for alcoholic beverages.’
‘And?’
‘And there was one link. Or a sort of link, anyway, but it’s a bit tenuous. Have you ever heard of Task Force Black?’
Morgan shook his head.
‘Okay. It was a Sabre Squadron that operated from 2004 to 2008 on a six-month rotation in Iraq after Saddam Hussein was forced to find a hole to hide in. It was based inside the Green Zone in Baghdad in a building known as “the Station” and it was mainly tasked with hunting down and eliminating senior members of al-Qaeda. As it turned out, two of the four men from the Regiment who died had been members of Task Force Black.’
‘So do you think it was a targeted attack?’
‘Possibly, but I’m not convinced for several reasons. First, people in the Regiment try to remain anonymous as much as possible because of the kind of work they do.’
Morgan nodded and grinned.
‘You’ve told me before that most of the people who claim to have been in the SAS almost certainly have never been within fifty miles of Stirling Lines.’
‘Exactly. Mind you, you don’t need to be a rocket scientist to work out that if you walk into a pub somewhere within staggering distance of Credenhill and see a dozen or so young, fit and healthy men talking and drinking together as a group they might very possibly be members of the Regiment. But none of them is ever going to confirm that, and even if somebody did manage to identify a particular soldier as a member of the SAS, finding out what missions and operations he’d been involved in would be impossible. So the chances of some hostile force identifying Task Force Black personnel are somewhere between nil and nil.’
‘But you’ve just told me that two members of that particular op had been targeted,’ Morgan pointed out.
‘That was the only link the Head Shed found, but it’s a long way from being conclusive. And the third man, and Bob O’Brien for that matter, hadn’t been a part of that op, and they were infected as well. And you have to remember that a Sabre Squadron typically numbers about sixty people, so I think this Task Force Black link is nothing of the sort. It’s just a coincidence. If you randomly picked fifty men from Stirling Lines and checked their operational history you’d find that many of them would have been together on missions in the past, because the SAS is still a small unit. I think what probably happened was a hostile agent identified a group of men in a pub as probably being from the Regiment and somehow managed to spike some of their drinks. And as I said, take any group of men from the SAS and the chances are that some of them would have been involved in one particular operation.’
‘And would that work? Spiking their drinks, I mean?’
‘Not my field,’ North replied, ‘so I don’t know. Nor do the medics, come to that, because nanotechnology is such a new field. But from what Natasha Black was saying, it might be possible to prepare fullerenes that wouldn’t be broken down by stomach acids and would pass into the bloodstream intact and activate later. The bottom line is that nobody knows, but what does seem clear is that those four men all had to have been infected at about the same time. I can’t think of any way that could have happened inside Stirling Lines, so assuming it was down at a local pub or at some other social event does make sense.’
Morgan took another sip of his drink and nodded.
‘So if you’re right and it was nothing to do with Task Force Black, who do you think did it?’
‘It could still have been the Iraqis or other al-Qaeda sympathisers,’ North said. ‘Bearing in mind that the joint operation with the Americans killed hundreds of al-Qaeda personnel and took about three and a half thousand of them off the streets for the loss of just six Regiment soldiers. Maybe al-Qaeda decided to strike back in an unusual way, administering a lethal poison to people they believed to be members of the SAS.’
Cyberstrike Page 14