
The Loyal Nine


by Bobby Akart


  East Cambridge, Massachusetts

  Lau orchestrated the systematic and inconspicuous transfer of the Antrim Street Hack House to the Lofts at Kendall Square, a location far better suited to their needs. Situated within convenient walking distance to MIT, the Zero Day Gamers traffic would attract little attention. Besides location, the Lofts had been designed to serve as residences and workspaces. Open floor plans, private balconies and sound-insulated walls were just a few of the key amenities intended to attract engineering and technology professionals. Lau especially appreciated the lack of on-site security. The last thing he needed was a documented log of arrivals and departures. He designated one of the bedrooms as his crash pad and the other as his office. The open spaces had been optimized for the Gamers and their new business venture, which got off to a rocky start.

  Lau and company had received numerous offers via HackersList and two other prominent online services—NeighborhoodHacker.com and HackerForHire.com. Most of the requests were mundane privacy intrusions, with fees ranging from a few hundred to several thousand dollars. Lau and his coconspirators had started to lose hope, when an interesting request hit all of the boards at once.

  We need a raise.

  We need leverage.

  We need justice.

  We need your help.

  Lau stared at the post for hours, trying to decipher its meaning. The words held a particular significance to Lau, because they were his impetus for creating the Zero Day Gamers—raise, leverage, justice, and help. After careful consideration and a long meeting with his partners, Lau reached out to the anonymous poster. The specifics of the request required a meeting. There are criminals, and then there are criminals. The ethical implications of their new business had to be discussed.

  He leaned across the kitchen island, one of the few horizontal surfaces not occupied by electronics equipment, and nodded at his trusted associates.

  “We have a serious offer on the table—mid six figures most likely,” said Lau. “But the offer brings up an issue we haven’t discussed.”

  Lau had their attention. Malvalaha, a Red Bull addict, cracked another can and perked up in his chair.

  “We’ve been contacted by the Culinary Union in Las Vegas,” said Lau. “The CU Local 226 represents nearly sixty thousand casino and hotel workers in Vegas. They also have very strong political ties. For our purposes, they have extremely deep pockets, and I get the sense they will spare no expense to maintain their power over the industries they serve.”

  “Why don’t they just call on their politician friends?” asked Fakhri. “Lining pockets is their job.”

  “True, but in some states, their influence has been significantly diminished. Think Scott Walker in Wisconsin and Brian Sandoval in Nevada,” said Lau.

  “What do they propose?” asked Malvalaha.

  “Contract negotiations with the major casinos of Las Vegas are at a standstill,” said Lau. “Rank-and-file members are living paycheck to paycheck, so they don’t have the stomach for a prolonged strike. The casinos, bolstered by Governor Sandoval, have refused to come to the table. They need our help to gain some leverage over the negotiations, but first they want to send a message,” said Lau.

  “How big of a message?” asked Fakhri.

  “They want us to shut down the casinos,” replied Lau.

  “Shutting down a casino won’t be a problem,” said Malvalaha.

  Lau interlocked his fingers and cracked his knuckles before responding.

  “They want us to shut them all down.”

  Chapter 29

  February 12, 2016

  The Hack House

  Binney Street

  East Cambridge, Massachusetts

  Lau was deep in thought driving down Cambridge Street. The Zero Day Gamers’ first deadline rapidly approached, and they hadn’t identified a foolproof way to achieve the Culinary Union’s desired result—a coordinated takedown of the Las Vegas Strip’s power grid.

  Lau took a right on Fulkerson Street toward their new location on Binney. As he passed the Kennedy-Longfellow School for Children, he read their signage. Real-life curriculum through field experiences. Lau laughed out loud in the car, realizing that his role at the Hack House was similar to the teachers at Kennedy-Longfellow. He was leading his Gamers through some very real-life experiences—for a profit, of course. You better step up today and teach them something, Professor Lau.

  As he waited to turn left onto Binney, Metallica’s “Enter Sandman” blared through the Forester’s speakers. Before the light turned, he pounded the steering wheel with both hands. “Fuck me, of course!”

  Lau squeezed his car into a tight parking space a block away, not wanting to waste the time searching for a rare spot closer to the Lofts. He jumped out of the car and jogged down the street, forgetting to take the keys out of the ignition. He composed himself near the lobby entrance to avoid attracting attention. Why didn’t I think of this before?

  When Lau entered the Hack House, he found everyone clicking away at the tools of their trade.

  “Listen up, everybody. Let’s recap what we know so far. Starting with the obvious. The big prize—the Hoover Dam—is out of reach, because it hasn’t presented us with any Internet-connected vulnerabilities,” he started.

  “Our best option is to create a series of cascading failures. By taking down one major power plant, we can create cascading failures throughout the grid. The hell with the Hoover Dam, right?” Lau stopped to take another deep breath as the Gamers nodded their heads in agreement. This is a teachable moment.

  “Fakhri, we have a primary cascade target, right?” asked Lau.

  “Yes, the Clark Generating Station on the east side of the valley,” said Fakhri. “This is Nevada Energy’s primary power plant, generating one thousand one hundred megawatts from several sources. Electric, natural gas and solar. It’s the valley’s largest energy supplier.”

  “What happens when we take Clark Station offline?” asked Lau.

  “All of Nevada Energy is interconnected,” said Fakhri. “When Clark goes down, nearby grids take up the slack, including the generating stations like Chuck Lenzie in the northern part of Clark County. Our research shows that Lenzie can’t handle the entire load transfer from Clark Station. At a minimum, Las Vegas would experience temporary rolling blackouts. The worst-case scenario, or best case in our view, would be a total blackout—especially if we hit Clark Station at night.”

  “In a perfect world, we would be doing this in the middle of summer, to allow for the added power requirements of air-conditioning units in the one hundred ten degree desert heat,” said Malvalaha.

  “Walthaus, why haven’t you attempted a pen test on the Chuck Lenzie system?” asked Lau.

  “Lenzie has newer technology, and its firewall has proven to be impenetrable,” said Walthaus. “We believe the Lenzie Station primarily services the residential power grid of North Las Vegas. This is just a theory, but we don’t believe Nevada Energy will have the balls to create rolling blackouts along the Strip, on a Saturday night, in order to keep the lights on for North Las Vegas. They’ll drop the suburbs before they drop the Strip.”

  Lau was proud of his class—they have done their homework.

  “Malvalaha, what do we know about the Clark Station operating system?” asked Lau.

  “It appears they have a Trend Micro built system running Windows-based Server 2008 or newer,” said Malvalaha. “Our pen tests have allowed us to sneak a peek, but we didn’t want to prematurely alert them to vulnerability. Getting in is one thing, having fun is another.”

  “There’s an important issue regarding the Clark Station that we haven’t discussed,” said Lau. The room stared at him, not sure if he was asking them a question or if he’d answer it himself. “Didn’t we learn through a press release that Nevada Energy hired OSI Technology for its infrastructure communications network—the SCADA software?”

  “Yes,” replied Malvalaha. “OSI created SCADA, which is an acronym for supervisory control and data acquisition. SCADA is used by industrial utilities to provide interconnectivity across various platforms and networks throughout the utilities’ network. In ‘09, Nevada Energy announced an upgrade to its system by incorporating the SCADA network.”

  “How does SCADA work?” asked Lau.

  “The entire network is interconnected,” said Malvalaha. “For example, in the case of a water utility, SCADA interacts with multiple remote terminal units, or RTUs. These RTUs have programmable logic controllers, which process data via sensor signals and communicate the information back to SCADA. In the example of water utility, if there were a major 10-75 alarm fire, significant water resources would be required. The RTU in that sector would detect the increased flow requirement and communicate the information back to SCADA, which in turn would control pump speeds at other RTUs in the utilities’ system to accommodate the increased need.”

  “Exactly!” exclaimed Lau. The room listened in silence, awaiting the basis for their professor’s excitement. “It came to me on the way over here. I heard ‘Enter Sandman’ by Metallica.”

  “Sandman, I’m not familiar with that. Is it a virus?” asked Fakhri.

  “No, no, no!” interrupted Walthaus.

  Lau watched as Walthaus searched furiously through his jacket pockets until he revealed a small spiral notebook that was barely held together. Walthaus frantically thumbed through the book, stopping on one of the stained, crumpled pages. “Yes, yes. Here it is—Sandworm!”

  “Congratulations, Walthaus, you go to the head of the class,” said Lau.

  The kid has potential. Lau turned his Red Sox cap backward and approached his computer station. Game on!

  Chapter 30

  February 13, 2016

  The Hack House

  Binney Street

  East Cambridge, Massachusetts

  The Zero Day Gamers had spent all night studying the technical aspects of the Sandworm malware. Sandworm had been utilized in a Russian cyber-espionage campaign against the European Union, NATO and a broad variety of utilities. Ironically, Sandworm wasn’t a true worm virus. A malware program by nature, it exploited a true zero-day vulnerability, instead of mindlessly copying itself and infecting multiple systems in the same network. Essentially, it was a targeted virus. Sandworm was especially effective in a Windows-based environment, often inserted via PowerPoint files—INF files in particular. INF files were text files that contained components used to install software updates and drivers on PC systems.

  Microsoft developed a patch that blocked applications like PowerPoint from sucking in and launching external files like an INF. The Sandworm malware circumvented the patch.

  “I think we’re ready, Professor,” said Malvalaha.

  Lau walked over to Malvalaha’s desk and motioned for the other Gamers to gather around.

  “Windows will block an attempt by a typical INF file to enter the operating system,” said Malvalaha. “So what we have done is create two files with innocent-looking names, in this case—slides.inf and slide1.gif. I say innocent looking, because they are typical names and extensions used as part of the PowerPoint program itself.”

  Lau stood back to allow the students to inch closer to Malvalaha’s screen.

  “Slide1.gif has been created as an executable program file and slides.inf is designed as an installer file that will rename slide1.gif to slide1.gif.exe,” said Malvalaha. “Once inserted into the Clark Station server, slide1.gif.exe will create a registry entry that will allow activation of the Sandworm program. In this particular case, we will not be able to run the program directly, but the SCADA software will have ingested a yummy PowerPoint GIF-and-INF cocktail.”

  Malvalaha leaned back in his chair to catch his breath.

  “The malware itself is not embedded in our PowerPoint file. Rather, it is retrieved by a drive-by install—the download of updates to Java, Windows, ActiveX or Adobe will trigger the activation. We have obfuscated the malicious code in Sandworm to avoid detection by their antivirus software. When SCADA is used in any capacity today, the malware will activate, and the Clark Station will go offline.”

  “Were you able to use Sandworm to affect the outlying generation plants?” asked Lau.

  “We added an interesting twist to the GIF-and-INF cocktail,” said Fakhri. “We wrote the code to reject requests from the Chuck Lenzie Station as a potential DDoS attack. The normal operating functions of SCADA are compromised to the extent that Clark Station will deny SCADA access from the outlying stations.”

  “There’s one more thing,” interrupted Malvalaha. “All of the major casinos have standby power systems. I’ve done some research on the standby system at Caesars Palace and found it to be typical of the major hotels that have a backup in place.”

  “What is the standby system’s capability?” asked Lau.

  “Most of the buildings have the typical battery-powered security lights that will remain on for an hour or so,” said Malvalaha. “But the batteries will eventually lose their charge. The major casinos claim to be cognizant of guest safety, but they are really more interested in keeping the slots running. They employ a more sophisticated backup system called a paralleling system.”

  Damn.

  “How long will the paralleling system maintain power?” asked Lau, his voice showing obvious concern about this new twist.

  “Fear not, good sir,” said Malvalaha. “We’ve got this.”

  Lau relaxed—a little.

  “The consulting engineers who provided the Cummins Power paralleling system to Caesars Palace were very proud of their work,” said Malvalaha. “The engineers were so proud they detailed the entire project on their website. Here’s what I learned from their dot-com.”

  Malvalaha went on to detail how the paralleling system at Caesars consisted of nine sections of switchgear and two sections of low-voltage controls, including a digital master control.

  “Here is where they failed,” said Malvalaha. “The entire apparatus includes a DMC 300 digital master control, which employs a simple-to-use icon-based touchscreen interface. This simplifies their diagnostics and operation.”

  “So,” started Lau, motioning for him to get to the point.

  “Sooo,” interrupted Malvalaha, “they wired the DMC 300 control panel to the Nevada Energy SCADA system in order to receive instantaneous notice of an outage. Their client insisted that those slot machines never miss a beat.”

  “Hell yes!” exclaimed Lau. “Let me guess, you stirred in a little something for the DMC 300 in the cocktail. When the grid goes down, the backup system will fail as well.”

  “Yes, we did,” said Malvalaha proudly. “We’ve done the same for the rest of the hotels with similar systems.”

  “Let’s get started,” said Lau. “The program will execute at what time?”

  “I have it set for 8:00 p.m. Pacific Time,” said Malvalaha. “It will release the system in exactly forty-eight hours, as requested by the client. This should be an interesting Valentine’s Day weekend for Sin City.”

  “Walthaus, are you ready?” asked Lau.

  Walthaus had gained the respect of his peers and was allowed the honor of generating the keystrokes. He brought up his screen and was inside the Clark Station servers within moments.

  “We have identified the optimal zero-day vulnerability in Windows as the packager.dll file, which is part of OLE, a Windows Object—Linking—Embedding property. Our GIF-and-INF cocktail will be embedded in an OLE object and installed into SCADA. Kudos to Trend Micro for creating a solution to the INF intrusion. Unfortunately, they didn’t consider our workaround. Just like that, SCADA drank up our cocktail and is ready to belch one hot mess tonight at eight.”

  The group briefly exchanged high fives and settled back in their seats—like professionals ready to work on the next task. The Zero Day Gamers were becoming more proficient and expert at cyber espionage. How far can this take them? More importantly, how high, or how low, will they go? All important questions for later.

  Chapter 31

  February 13, 2016

  Brae Burn Country Club

  West Newton, Massachusetts

  “Come on, girls, hurry up!” Susan Quinn hollered up the stairs for her daughters to pick up the pace. “Dr. Warren and his guest will be here shortly, and I don’t want you running around like wild Indians!”

  “Suze, it’ll be all right,” said Donald. “J.J. won’t care. He loves the girls like a grandfather would.”

  “He’s hardly old enough to be their grandfather,” replied Susan. She pulled a platter of meats and cheeses out of the Thermador refrigerator and placed them on the kitchen island. “I want the girls to learn some responsibility when it comes to being on time—especially when guests come over.”

  “Honey, they’re ten and seven. They’ve barely mastered the concept of cleaning their rooms,” said Donald. As if on cue, however, the girls hopped down the stairs in perfect bunny-rabbit unison until, with one final slap, they reached the marble floor with their feet. “Come here, my gorgeous girls, and let me hold you.”

  “No way, Daddy, we’re dressed and we’ve put our faces on,” said Penny, the Quinns’ oldest child.

  “You have?” asked Susan. “Just where did you get these fabulous faces to put on?” She reached out for both of their mushes and gave them a squeeze, causing the girls to squeal with delight.

  “Remember, Mommy, Uncle J.J. gave us each a make-up set for Christmas,” scolded Rebecca, age seven going on thirty.

  Donald was amazed at how fast they grew up. He knew there would be a time in the not-so-distant future when he would have to scare the bejesus out of their potential suitors. He would be ready for them when the time came.

  “Listen up, girls. We’re going to have some snacks for dinner tonight—meats, cheeses, shrimp and some raw veggies. Would you like to have some of that, or shall I fix you something else to eat?” asked Susan.
