by Kate Fazzini
Victor knew the reporter from his post-academic career in the mid-2000s. Then, he was working in arbitrage. In traditional banking, this is the buying and selling of assets in different markets in order to make a profit off of price differences.
But Victor was no banker. And this arbitrage was not the type usually entertained by international financiers.
With a loosely connected group of physicists and mathematicians, he wrote code that took advantage of the growing popularity of online sports betting websites. He wrote bots that continuously parsed the sports betting sites to find arbs—combinations of bets on different websites weighted in such a way that a positive return is guaranteed regardless of which side wins. The ultimate hedge. Their work was landmark but completely under the radar. His group of friends eventually broke up, and he turned his attention to cars.
“So, let’s get back to the cars. Why are cars so much more complicated today?” the reporter asks.
Victor speaks to what he knows of GM cars, and only the very basics. In the 1980s and before, cars were almost entirely mechanical. Computers were introduced in the 1990s in the form of engine control modules (ECMs); powertrain and transmission control modules followed.
By 2006, GM had updated its on-board protocol, allowing for the proliferation of computers far beyond anything in the past, from two to fifteen or more: door-lock control, ABS computers, traction-control modules, and so on. After explaining the history of car computing, Victor has to remind the reporter once again that like most technologists, he’s focused on only one part—the ECM.
Victor hates these questions. He only focuses on car performance, that’s it. Anything nefarious is going to happen in those other control modules, and could be achieved only by someone with the desire to figure out how to work on and spread a nefarious action laterally across the whole network. A microcosm of a big bank, with all its loosely tied together parts. He wants to get the reporter off the phone before he can be bothered more.
People don’t realize, he says, that if they do so much as get bigger tires on their car, the computer will be thrown out of whack. The speedometer will show that they are going 50 miles per hour when they are really going 60. And isn’t that more dangerous on a regular basis, he says, than some hacker figuring out how to steal data from your infotainment system?
He hangs up, vaguely dissatisfied that the reporter didn’t get the message. He gears up to go to work, out in the big, awful world today, much to his further disappointment.
Today, Victor’s got a Camaro in Newark, N.J., that he needs to work on. His customer is Padraigh, who owns a repair shop for high-performance cars. He’s doing fewer and fewer jobs like this these days, preferring to keep his business to mail order. He likes to be in the house, close to his son and his pet rabbit, but he’s making a few final exceptions for his old friend.
At the performance shop, Victor sets cars up and runs them on a dynamometer, which measures functions like horsepower and torque. Using its readings, he’ll tweak the software on the car’s computer so that the car runs better. Some of Padraigh’s customers drag race professionally, and they need to shift the gears on their Corvettes faster. These cars are their babies.
Victor, one of the world’s best hackers of GM cars, whether he calls it that or not, doesn’t worry about people hacking cars. He worries about his stolen credit card. He worries about the aging electrical grid. He is concerned about fearmongering by reporters. And especially about idiots who replace 16-inch wheels with 18-inch wheels without a care in the world.
5.
The Italians
It’s sunny but cool for New York in late July in 2014. There’s been a breach at NOW Bank. In the SOC, doors slam. Workers pull one another into empty conference rooms and whisper, looking both ways before closing the door. Eyes are wide as analysts share the gory details of what happened and how it happened, or how they think it happened.
Caroline is trying to manage the chaos, but first she has to find Bob Raykoff. Bob is missing, and he is needed in a meeting up here immediately. She sends word down to the second floor, where there are several conference rooms. He was supposed to make an appearance at a panel of chief investment officers but never showed.
She asks the conference staff to have someone look out for a tall, gray-haired man walking with purpose in wide circles around the conference floor. Ask for Mr. Raykoff. Just tell him he has a call on the twelfth floor. Caroline presumes he can find his office from there.
While Raykoff is MIA on the second floor, a new team member is moving into the SOC. Caroline is helping to prep him, too. Prem Ramesh is now Raykoff’s number two, in the newly created role of chief of staff. He wasn’t the person Raykoff had wanted to hire. In fact, Prem had competed for Raykoff’s job as the head of cybersecurity. Short, mid-30s, and sleek as a greyhound, Ramesh is nothing like his former rival and new boss. Instead, he was shoe-horned in as Raykoff’s second in command and the leader of the bank’s cybersecurity operations team.
Prem had built a consulting business within one of the country’s biggest defense industrial companies and invented a framework for understanding IT security called the kill chain. It’s been adopted not just by Raykoff and his compatriots but by many cybersecurity professionals as a simple way of describing how criminals commit cybercrime. It’s a convenient soup-to-nuts narrative package for how a cyberattack works, from early reconnaissance to direct action by an attacker.
The philosophy behind it is simple: Interrupt the sequence at the earliest point in order to stop the attack and reduce the damage. Spend money to focus on finding criminals doing reconnaissance before they get all the way to command and control.
But for Prem’s purposes, the lesson is more challenging because whoever has attacked NOW Bank is already on command and control.
* * *
Prem and a communications team are creating a PowerPoint presentation, sketching and resketching, trying to decide how to explain what they know about the intrusion so far in kill-chain terms.
First, it appears the criminals conducted significant research on the bank, reconnaissance at many different levels of the organization. They looked for personal details of employees on LinkedIn and explored the perimeter—the digital part of the bank that exists outside its firewalls—for ways in. They also researched other websites that may connect with the company. NOW Bank runs what is known as a flat network, which means that anyone who gains access to one part of the network can essentially access all of it, across all of those many organizations, all the way up to asset management, investment bank, and beyond.
The criminals take this valuable information and weaponize it. They use all of the data they have gathered to find a way in. They do a custom-made job for NOW Bank or for whoever else they may be targeting.
In one case, the criminals’ research yielded two junior employees, contractors at a university program in Rhode Island, who were socially engineered to give up their credentials. Social engineering describes the variety of ways people can be convinced to give up sensitive information: whether through a clever email or a well-placed, convincing phone call. Sometimes a criminal will pose as a hapless technology worker trying to fix some problem for the target. It’s called social engineering because the technique exploits your natural desire to trust another person; it essentially uses your politeness and willingness to help as a tool against you.
There is another area of entry that the reconnaissance also yielded: a half-marathon website for a yearly event sponsored by NOW Bank. The website itself was built by a third party, an outside public relations agency, at the behest of a discrete community service department within the bank. These types of projects can easily fall through the cracks. Since the race website was built insecurely but was allowed to connect to the bank’s network in order to facilitate the sign-up of participants, anyone who could access the poorly defended race website could gain entry to the rest of the bank’s vast network. Caroline and her team, and many security executives before her, had been advocating for network segmentation for years, a process that would have created drawbridges between various bank departments, but there was never enough funding.
It’s therefore not much of a challenge for the criminals, who are clearly sophisticated, to deliver a weaponized bundle of malicious software to unsuspecting employees or through the unprotected website. The exploitation and installation portions of the kill chain involve using this conduit to execute the malicious bundle and install programs that allow the criminals to extract the information they want: in this case names, Social Security numbers, and other sensitive banking information belonging to NOW Bank customers who may be especially susceptible to a pushy stock scheme.
With this access now installed throughout the bank, the criminals are able to command and control their various malicious installations to forward all that sensitive information to their servers overseas.
NOW Bank is trying to determine which course of action to take. If they tip off the criminals that they are aware of their presence, it could cause them to take destructive action that could ruin the bank’s servers and burn their trail. The attackers would do this only if they knew their nefarious activity had been discovered. So the SOC team has to work quickly and very quietly.
After three days of working on the kill-chain explainer, the cybersecurity team opts to destroy it before it’s circulated further.
* * *
To continue working the incident quietly, the professionals in the SOC must try to determine what’s being taken and which pipelines they will need to shut off to stop the problem.
There are many other problems that complicate this. First, the bank is using wildly different storage protocols from one department to the next. In a single organization, people in one department may have been saving their documents, reports, client lists, and other critical data to a database shared among similar employees, while in another department, people have the habit of storing these documents in duplicate to their email inboxes or on their desktops. These reports are given names, and those names would also be different across departments. Because of this, determining what is being taken is a monumental task in itself.
There are further complications. NOW Bank, like most large banks in 2018, has a patchwork-quilt network compromised by years of acquisitions. Different systems of storage and data layered on top of data and more data are a legacy hallmark of the 2008 financial crisis, when several failing banks were pushed together rapidly and haphazardly. Like those messy and fast mergers, the merged networks of those banks were equally messy, difficult to navigate, and difficult to secure, contributing yet more headaches for the cybersecurity staff.
In order to talk about the ongoing data breach as quietly as possible, the cybersecurity investigators give the incident a name: Venice. Apropos of nothing, the name is meant as a way to easily discuss what’s happening with the breach in conversation without anyone, including the criminals, catching on to the use of language like “breach” or “intrusion.” This way, the investigators can avoid tipping off the criminals who have taken up residence in their network.
Prem is speed-walking from one meeting to another to discuss Venice. Right now, the bulk of the conversations about the event are happening face-to-face to keep things quiet. Sometimes Raykoff is in the room, but most often he is not.
The focus on privacy will soon become more like an obsession, though. Because someone will start leaking details of the attack to the press.
* * *
About four weeks later, somewhere in what used to be called Transylvania, a German sits at a cafe by the highway, drinking strong coffee and reading The Sydney Morning Herald, an Australian newspaper. The weather is hot and humidity is 100 percent, unlike the cool dry New York July.
Sig Himelman is a six-foot, four-inch hacker. He looks like a businessman. The waiter at the cafe treats him accordingly. Calls him boss. Comments on his good sunglasses.
His suit is crisp, dark navy seersucker, because it’s hot this time of year in Romania and air-conditioning is hard to find. Leather shoes from a small, private shop in London. He’s driving a black BMW, late model. He wants it to look like he bought it and has owned it for a long time. Practical. Not someone who needs to impress. Not someone who leases.
There’s nothing in the paper that interests him. Nothing about Valery Romanov, at least not today. He had heard through the grapevine that Romanov had fired his lawyer. Again. Knowing what Sig knows about Romanov, America might not have enough lawyers to satisfy the man’s ego. He picks up The New York Times and finds something that interests him—an article about something serious possibly happening at NOW Bank. Must have been a leak there. Tied to northern Italy, the paper says. He laughs. Ridiculous. Some Russians, Israelis, Chinese businessmen maybe. Northern Italy? Unlikely.
He contemplates briefly. Italy, if it was true at all, would just be a smokescreen. A server in Venice or Rome set up to receive pings from another server in Tel Aviv and a third in Beirut, a fourth in Japan.
“What’s so funny, boss?” the waiter asks as he takes a seat at the table next to Sig.
“Italians. Reporters.”
“You Italian?”
“Yes.” He says it without hesitation.
“I thought you were German. Your accent is very German.”
“I had a German uncle who taught me English.” Another easy lie.
“You’re not a reporter, too?”
Sig laughs, raises his sunglasses to his head. “Of course not.”
“Reporters, they always lie, no?”
“I don’t think it is that they lie. No, no,” Sig says, settling into his chair. He spreads his arms wide and knits his fingers together behind his head, a gesture of expansive command of the environment. “They are like teenage boys watching pornography. They look and say, ‘See, they are fucking! Now, she’s had an orgasm! Look!’”
The waiter laughs and sips his coffee.
“And in five minutes they are finished. They think they have witnessed the act of sex, that they could describe it to someone else. But they cannot. They see only what the actors and producers and cameraman and Viagra maker and plastic surgeon want them to see. And they talk about the long hairless legs, the perfect fake tits, then they drink beers together and congratulate themselves for being experts on fucking.”
Everything is an illusion. Sig hasn’t hacked a computer in a decade but is regarded as an influential hacker. He has never worn a hooded sweatshirt in his life. He may have a personality disorder, but he definitely doesn’t have emotional problems. He doesn’t need a therapist like this American Mr. Robot. He does not suffer from depression. He does not lack for friends or female company. He is never awkward, but as smooth and soft and familiar as his gently worn leather BMW seats.
Today, he is headed to a new job in a village near Arnica Valka. He already knows a lot of carders who work there, many of whom have made money off Romanov’s instruction and processes. Some of them are very good. He wants to pull them into a more cohesive unit, and they want the same thing. Some people are amenable to having a boss. Start-ups need CEOs. Even criminal ones.
Germany is becoming a surveillance state, he thinks. He traces over a story about the BaFin, Germany’s financial regulator, buried on the back page of the B section. Something about them coming down hard on Deutsche Bank for bad culture. He has insiders at Deutsche Bank. Bad culture. Oh, they have no idea.
BaFin, Sig had real problems with. Regulate this, regulate that, squeeze all the fun and ingenuity out of the entrepreneurial process. Root out insider threats. Give power to whistleblowers. But one man’s insider threat is another man’s whistleblower. Surveil them all!
Criminals are ahead of everyone. He pulls out another Australian paper.
“Newspapers,” the waiter says. “I see you like the newspapers. Newspapers are good. Everyone today with the iPhones.”
“I guess I’m just paranoid. Don’t want to be tracked.” Sig smiles. An infectious smile, one that leads to the eyes.
“They can do that, you know. That’s what I’ve heard.” The waiter’s voice is a low whisper. “The Russians.”
“Oh, well, what can you do? I’m not really into these things. I like the feel of the paper on my fingers.” A bigger smile. He orders a slice of spinach and cheese pie and turns back to his reading.
He bought the papers on his commute from Hamburg. He’s been reading nonstop about the burgeoning market for a new kind of financial instrument: ransomware. Malware that locks up a person’s files and generates an encrypted key that the person must then buy in order to access their own files. He’s trying to gauge how it’s perceived in the real world.
It is a flawless business proposition, he believes. The world is filled with little law firms and consulting firms and one-man shops that need to work every day, every hour, gears constantly grinding. They will pay the $500 to get back to work if the gears stop, especially when their yearly revenue is in the millions. They can pay this modest sum again and again, all over the world.
Ransomware is new, and has been percolating quietly, below the surface, for about a year. He hasn’t yet figured out the best way to monetize it. But the market for carding is changing, becoming too crowded, too boring. The fact that Russia allowed Romanov to get extradited proved that whatever the big carders were doing is no longer important, that carding itself is no longer important. And Sig likes to be important.
A widespread ransomware attack had hit media outlets and the Australia Post, a national mail courier based in Melbourne. So of course, they are reporting on it. Inside the second paper is a screenshot of a PowerPoint slide from the ransomware attackers. Sig studies it—green text on a black background. It is spare, rife with misspellings, ugly. “Once you’ve paid, than you can have your files back,” it reads. Sig shakes his head. Hackers can be so inelegant.