A very brief discussion with the mall manager, which had mainly involved Grant Rogers telling the bemused man what was about to happen and why he should keep his mouth shut about it, had been followed by the team being given access to the flat roof of the building. They’d made their way up a set of service stairs and across the roof to a position about thirty feet from the coffee shop where Ganem had taken a seat at an outside table and had begun ‘inspecting’ one of the air-conditioning units mounted on the roof. The mall was only single-storey and an appearance of work was important as they could be seen from the adjacent car park.
One of the pieces of equipment they deployed was a long black tube about the thickness of a broom handle that they mounted near the edge of the roof so that the end of it was pointed at the table occupied by Ganem and the other three men who had appeared at about the same time as the target. This directional microphone, commonly known as a shotgun mic, was intended to record what the four men said and was attached to a small battery-powered digital recorder. Accurate positioning was vital, and one of the agents connected an earpiece to the recorder and minutely adjusted the position of the device until he could hear their voices. Then he had left the mic in place and stepped away from it.
Some seventy yards away in the parking lot opposite, two other FBI agents had stopped their car to use an almost identical mic and recorder, aiming it at their target. The number of pedestrians moving around between them and the coffee shop made it unlikely that they would record much useful conversation, but a belt and braces approach was usually advised in such circumstances. The other thing one of these agents did was to use a Nikon digital camera fitted with a variable-power telephoto lens to obtain clear pictures of each of the four men at the table. They needed decent photographs to identify them.
While all this was going on, orders were issued by Rogers for three men to follow each of the unknown contacts when the meeting broke up. He didn’t want to risk using larger teams than that because it was important to make sure the targets didn’t know they were under surveillance. In the meantime, the images obtained by the agent, known as ‘probe photos’ because they had been obtained during a current and open FBI investigation, were emailed direct from the surveillance vehicle to FBI headquarters and then forwarded for analysis by FACE.
FACE is the Facial Analysis, Comparison and Evaluation Services Unit, based in the Criminal Justice Information Services Division at Clarksburg, West Virginia, and uses facial recognition technology and software to try to match such surveillance-derived images with pictures already on file with the FBI and with state and other federal databases.
When the meeting broke up it was late morning and both foot and vehicular traffic had increased and, perhaps not surprisingly, all three of the surveillance teams, forced by their orders to keep some distance from and behind their targets, had eventually lost contact with the unidentified men in the crowds albeit, in one case, under slightly peculiar circumstances.
But Grant Rogers still considered the operation a success. They now had photographs of three more of the people within Karim Ganem’s circle of acquaintances – or possibly conspirators – and with any luck the recordings of the conversation might produce names for the new faces as well as shed more light on what they were up to.
Because at that moment, the FBI still had no idea why Ganem was in America or what he was trying to do. They only knew that he was a person of interest, and that had been enough to spark the surveillance.
Chapter 30
Washington D.C., United States of America
Hacking is in many ways more of an art than a science, as each company or organisation that is the subject of an attack will offer different challenges. Of course, there are pieces of software that will allow the attacker to do things like check for open ports or run brute force attacks to try to crack passwords, but very often it’s the hacker’s intuition that leads to the discovery of a chink in the electronic armour, a chink that can then be levered wide open.
But it is also a fact that only in about five per cent of attacks do the successful hackers manage to breach the security systems of a website from the outside solely using different kinds of attack and hacking tools. In the other roughly ninety-five per cent they have help through inadvertent human error, most commonly by people simply not obeying the rules. For example, by users not changing their passwords regularly, by not having strong enough passwords in the first place or by using the same password on different sites, or through arrogance or stupidity.
Hackers targeting a particular company or organisation won’t usually waste their time trying to suborn a paid employee because that would be unlikely to work, job security and a regular pay cheque being far more attractive than an extremely dodgy one-off payment, and any such approach would very probably result in increased security being applied to the website. Instead, they’ll approach the contract workers on minimum wage, the cleaners, the guards and night watchmen, and ask them to photograph things like post-it notes stuck on the screen of a computer, cards bearing apparently random characters left in unlocked drawers, all that kind of thing, and quite often they will strike gold and identify both a username and password.
Karim Ganem and his fellow hackers in AnArchy An0nym0us didn’t usually even bother with that sort of messing about, because it was too hit and miss and there was always a chance that the cleaner or whoever they approached would have an unexpected streak of loyalty to the company and report what had happened to a security officer or even to the police, and that would lead to potentially unwelcome consequences. Instead, working with other members of his hacking group, he had devised a fairly simple and virtually foolproof way of achieving exactly the same result, of gaining access to protected company websites through their unwitting employees.
What he relied upon could best be described as a combination of technological snobbery and almost juvenile showiness. He had realised that it was almost a given that the most senior employees of any major company would invariably either be provided with the very latest, fastest and thinnest laptops around and the newest and flashiest mobile phones, or they would purchase the same items for themselves.
Ganem wasn’t interested in the laptops, but he knew that the mobile phones could offer a way of getting inside even the most heavily protected computer network. Even if the only call a senior company executive was likely to receive on his mobile at a breakfast meeting was a complaint from his wife about something he had done or equally possibly had failed to do, it was still important to people like that to be seen to be using the very latest mobile when he placed it on the table beside his plate and coffee cup.
And in this Ganem was also helped by the target companies themselves, which often used publicly available corporate documentation to list the names of their senior executives and other people likely to have seats on the main board, or who would at least be in a position to make decisions. The movers and shakers of the organisation, in other words. Who also, by definition, would be more likely to have much more wide-ranging access to the company website than a normal coalface worker.
So Ganem had decided on a two-pronged approach. Working from readily available information, he would compile a list of the full names of every senior member of the target company that he could identify. Then, using inside sources he had cultivated at the biggest couple of telecommunication companies in America, he would cross-reference the names he had obtained with their customer records. That usually produced several pages of names with linked cell phone numbers, and that was all he had needed to begin his attack.
Using a burner phone to ensure that his message would be untraceable, he would send a very brief piece of text – an SMS – to each number he had identified. It was simple, to the point and most importantly was exactly the kind of message that most businessmen would receive on a daily basis and that would not arouse their suspicions. A typical text would read something like: ‘I’ve got an idea I need to run past you. James.’
The four commonest first names for male children in America are, in order, James, John, Robert and Michael, with William bringing up a distant fifth, and Ganem guessed that almost every recipient of the message would know a ‘James’ somewhere in their organisation. No doubt some slightly confused conversations would follow within the company when a ‘James’ would be contacted by a fellow executive and would have not the slightest idea what they were talking about. But that would probably be mentally written off as a misunderstanding and dismissed as unimportant.
In fact the content of the message was the least important part of the entire process. The simple act of opening the message to read the text was all that was required for the breach to be created. That activated a small piece of software that was immediately transferred to the target phone. That software was designed to do three things. First, it remained entirely hidden and covert to avoid being detected by any antivirus program. These worked primarily on virus signatures, by identifying recognisable lines of coding, and Ganem had been careful to ensure that no part of the code he had written resembled any known virus that he was aware of.
Second, almost everybody these days either uses their mobile to handle their emails, or at the very least they have a duplicate mail program running on their mobile so that if they are away from their desk they can still check their messages. So the tiny program was set up to identify and then access their email account, using an algorithm to record the target’s email address or addresses – business and private – and crack the password. And, third, once the software had done its job, it then created its own SMS which contained only the relevant email addresses and password in plaintext, and which it sent to Ganem’s burner.
This was not a technique that he had developed himself. The basic concept was well over a decade old and had most notoriously been used in 2010 by Chinese government-sponsored hackers who successfully forced their way into Google. This was one of several hacking techniques commonly referred to as brute force attacks, and was both comparatively simple to mount and offered a high probability of success.
The final stage in the operation had been for Ganem to create a suitable internal email, the kind of routine message that every company employee would receive on a daily basis. Many of these were what might be termed housekeeping messages, reminding employees that deep cleaning was scheduled to take place in a particular part of the building or that the parking spaces in the garage were going to be repainted or that the air-conditioning might need to be taken offline to allow it to be serviced. They were the kind of messages that people read and instantly forgot, which was really the point. They were also the kind of messages that employees always opened to read, just in case they were affected by something going on in the company, and also because if they didn’t open them they would remain in their email inbox marked as unread.
For each of the target companies, Ganem tailored a different internal email which shared only a single characteristic: each message contained a brief piece of text and an attachment, something that was innocuous, like a not very important survey form about some aspect of the business, or a notification that the company had been entered for some kind of an industry award, or a flyer relating to something an employee was planning to do. Ganem had gone for forgettable but worth reading.
And, again, it wasn’t the contents of the attachment that mattered but the left click of the mouse when the executive opened it. As they were then already logged on to the company intranet, another small piece of code that Ganem had created extracted their username from the system along with their password. And as soon as that had been completed, his software created an invisible email that would send these details directly to him.
As soon as he had this information to hand, he could log in to the company’s intranet pretending to be a particular executive, and once he was inside he could do whatever that executive could do, which could be everything from simply scanning the person’s emails and the company website to creating a backdoor to allow him unrestricted low-level access to bypass the normal system security checks.
Obviously not every executive opened his phishing SMS message or the email or the attachment, but enough did to ensure that he was usually successful. The only real variable was how long it took.
The one thing that had puzzled Ganem about the operation was that once he had managed to breach the security systems of one of the target organisations, Sadir had given him very specific instructions that didn’t really make sense. In Ganem’s experience, once he – or any other hacker he’d spoken to, for that matter – had gained access to an intranet he would always begin looking for information that was saleable on the Dark Web, things like customer names and addresses, credit card details and other financial information. Or alternatively he would create damage of some kind by defacing the site with changed images and altered messages, that kind of thing.
But the Iraqi had told him to navigate to the various system control modules on the intranet and then to begin detailed searches looking for control circuits linked to very specific components. Once he had identified them, he was to analyse the language used to control them and prepare sets of alternate instructions, as specified in detail by Sadir, and hold them ready to implement. Ganem thought he could see the thrust of the Iraqi’s plan, what he was trying to achieve, but what he still didn’t understand was why.
When he got back to his studio flat early that afternoon, he used his VPN, the virtual private network that he’d found to be both reliable and secure, to access one of the anonymous web-based email addresses that he used for his hacking activities and discovered that his small program had identified a further five sets of log-in details from one of the three companies that Sadir wanted him to attack.
And that was good news, because it meant he had another five ways to access that particular company website. And that, perhaps, meant that they were one step closer to achieving their goal. Whatever it was.
Chapter 31
J. Edgar Hoover Building, Pennsylvania Avenue, Washington D.C., United States of America
‘You can’t arrest a man for sitting at a cafe and drinking a cup of coffee. Nor for associating with three other men you don’t happen to like the look of. It’d make our lives a whole lot easier if we could, but we can’t. We’re stuck with due process and probable cause and all the rest of that crap.’
It was early afternoon and the debrief was going more or less as Grant Rogers had expected.
The FBI attracts people who want to make a difference to American society, a bigger difference than they could make if they became police officers, and they regard themselves as members of one of the most elite of American law enforcement organisations. Some of them also tend to regard the law as having a certain degree of flexibility when in pursuit of criminals or suspected criminals, their view being that the end in many such cases is more than sufficient to justify the means.
Grant Rogers didn’t agree with this attitude, mainly because as the agent in charge of the operation he would be signing off on the case and everything he and every member of his team did would be scrutinised, checked and double-checked by the desk-bound upper hierarchy of the Bureau, the seat-shiners. If any corners were cut or the correct procedures not followed Rogers, as the ASAC, the assistant special agent in charge, would be the one facing a disciplinary hearing. And although he had been told that the operation had to remain entirely covert, he was personally convinced that putting a little pressure on the subjects might actually be a good idea. If a target knows he’s attracted the attention of the authorities, he might start making mistakes or do something stupid. But of course he couldn’t say that.
Dave Nicholls, one of the more junior agents assigned to the operation, had just echoed Rogers’s own private views about the surveillance operation that morning.
‘I didn’t say we should arrest them,’ Nicholls protested, his Texas drawl making him sound like a frontiersman though he looked more like a sharp-suited accountant with somewhat pointed features clustered below a thatch of neatly cut black hair. ‘All I said was let’s lean on them a little. Let them see the same guy maybe two or three times the same day, that sort of thing. Nothing close up and personal, just enough to spook them a bit, make them jump at shadows.’
Rogers shook his head.
‘Can’t do that right now,’ he said, ‘because these guys haven’t done anything wrong. About all we can do is take a look at the transcription of whatever the shotgun mics managed to pick up and see if FACE was able to put any names to the three unsubs sitting with the target.’
The operations room they were using had the usual suite of electronic equipment including multiple computers, projection screens, whiteboards, telephones and so on, and Rogers guessed that if any of the three unknown subjects had had their photographs taken for any official purpose while in America, he would have their names within an hour or so. Transcribing the microphone recordings would obviously take a lot longer because of the circumstances.
They had access to voice recognition software that could convert clear speech into a piece of printable text quickly and fairly accurately, but the determining factor was the word ‘clear’. A person in a quiet room speaking into a microphone was one thing, but filtering out the extraneous noises like traffic, the comments from people walking past the cafe and all the other factors that would affect the clarity of the recordings they’d made that morning was going to take some time.
‘There’s something I want to say, Grant.’ The speaker was a fair-haired middle-aged man wearing a dark blue suit and standing at the back of the room. William Clark was a very experienced agent and had been the leader of one of the three-man teams assigned to follow the unsubs. His normally cheerful face looked troubled, perhaps even perplexed.