Zero Day

Zero Day Page 8

by Mark Russinovich


  “Welcome to the twenty-first century.” Jeff ran his hand through his hair, then picked up his coffee. Cold.

  Daryl nodded. “So … tell me what you’ve found.”

  Jeff filled her in on what he knew so far. US-CERT worked cooperatively with the Cyber Security Industry Alliance, formed by Symantec and McAfee among others, as well as with the Internet-security departments of every major corporation, and computer and software giants such as IBM’s Internet Security Systems and Microsoft. It was in everyone’s interest to cooperate. That was one reason she’d been willing to meet him when he told her he’d run across something unusual. As he spoke, she nodded, taking an occasional sip of water. When he told her about the words to the song “Super Freak,” though, she put her water bottle down.

  “I just ran into that same name this morning at Mercy Hospital,” she said when he stopped. “It was spelled S-U-P-E-R-P-H-R-E-A-K.”

  It was as if a piece of an especially difficult puzzle had fallen into place. “I haven’t seen the name under any spelling, just the disguised words from the song ‘Super Freak.’”

  “I was at Mercy when you called,” she said, talking more rapidly. “But they didn’t lose some billing or litigation records. Like I told you, four patients were killed. The program modified their medicine records and instruction. Jeff, I think we’re investigating the same virus. Did you hear about the death at a Ford assembly plant?”

  He shook his head.

  “I can’t be certain, but it appears the plant’s robot software picked up a virus that sat there, waiting. The virus took over without warning, causing the robots to perform in nonscripted ways. We think that’s when the worker was knocked onto the assembly-line railing. In response, the company powered down, then unplugged the robots. Their server was fried. They installed a replacement and are reloading the software. It looks like they’d be all right except for the death, of course, and the loss of about two weeks’ production. The financial cost to them will be in the tens of millions.”

  Jeff was puzzled. “I thought industry networks were off-line for security purposes.”

  “They mostly are and this one was. I talked to the IT manager again this morning. They traced the original virus to a software engineer’s laptop. He was in the habit of downloading whatever he was working on, then taking it home with him. He picked up the virus there when he used the same laptop to access the Internet. When he hooked it up at work, the worm latched onto the company’s software, planting the virus.”

  Jeff thought a moment, then said, “Back to the 787 incident. Is it possible what we’re dealing with could be crafted for avionics software?”

  “I don’t know,” she said, looking surprised at the thought. “It seems unlikely, but it highlights one of the problems we’re having. We don’t know what the virus is doing and what it isn’t doing. For that matter there could very well be any number of incidents about which we know nothing. The world is so computer-dependent you can’t always make the connection to one of the viruses when something happens.”

  “So what’s Superphreak? Do you have any idea?”

  “Not yet. I’ve got my team working on it. It could be almost anything. It could be a word left by a script kitty. It could even be the cracker’s name.” Daryl pushed away her water bottle and started drumming her fingers on the table. “It looks to me as if whoever wrote this used old code, copied and pasted to create this one. I don’t think he realized the word was there. I found parts of Superphreak in three places.”

  “I think he’s Russian,” Jeff speculated. “I can’t put my finger on it, but the way some of the code is written just has that look. And, given their track record, this could well be an economic attack of some kind by Russians.”

  Daryl stared at Jeff, impressed. “Good guess, Mr. Holmes. I found the word Moscow written in Cyrillic in the code not long before I ran into Superphreak.”

  “So that’s it then.” Jeff experienced a moment of elation. Russians. Just as he’d thought. It felt good to have been right. “Do you have any idea how widespread this is?” He wasn’t in a position to know, but Daryl was.

  “When I left for the office Monday, we had seven reports that looked suspicious. We’ve picked up more than fifty since then.”

  Jeff was astounded. “It’s spreading pretty fast. Who’s working on detection and a fix?”

  “I think I can safely say none of the private security companies are at this point, though they’ve been alerted and we’ve given them all the code we have. They report a higher-than-usual flood of former viruses and variants that require their attention. Superphreak hasn’t appeared in any of their honeypots and we can’t prove a connection, so they think we’re overreacting. It’s very frustrating. We’re assuming we won’t be able to figure out the vulnerabilities these things use to spread right away, or get the software companies responsible for them to release fixes anytime soon. So we were hoping to get them onto the problem immediately, but no luck.” Daryl shrugged. “But even if they did respond, the problem is, as you know, that it would take weeks to come up with signatures and patches. And that’s the best case. How long it takes for users to download and install them is another matter altogether.”

  “You should push the process,” Jeff said. “You can’t just leave it to agency inertia.” He could have bit his tongue. He knew Daryl was doing everything she could.

  “I’m trying.” She looked annoyed.

  “Why so pessimistic?”

  Daryl glanced around the room, then leaned forward. When she spoke, her voice was subdued but firm. “Because so far we’ve spotted at least ten variations of the code and we aren’t talking knockoffs. These were written with entirely different code, as if by a different cracker, but in the end they all do something very destructive. I have no idea how many variations there are. And not knowing gives me the willies.”

  Jeff thought of the airliner falling out of the sky, the hospital deaths, the man killed on the assembly line. Were these just the tip of the iceberg? Mentally, he ran through a list of other dangers: nuclear-power stations, traffic-control systems, defense networks, Wall Street. The list was limitless and suddenly he felt overwhelmed. “What else?”

  “It seems to be composed of three functions. The first is the exploit code that gets the virus into the system without detection. The second is the trigger. The third is the payload itself, which causes all the damage. We’ve got three variants of the exploit, five of the virus, and we’ve just started. I have no idea how many others there are.” She sighed. “Two hospitals outside of New York report their medicine distribution systems were also jumbled. We know of eleven deaths nationally so far. A small power station in Connecticut had its sluice gate turned wide open and it couldn’t be closed. By the time they figured out the problem was the computer they use to control their water release and the electricity they produce, they’d lost a significant amount of reserve capacity. It will take them two years to restore it. They didn’t have backup software and are running manually now. It’s almost laughable, but they had to recall a retired worker to show them how the system works without a computer. A nuclear power plant in Iowa had to do a mechanical shutdown to prevent a meltdown. This next one’s been kept out of the news so far, but Tucson International Airport lost its air traffic control system. Fortunately, it was during a slow period and there were no incidents. More and more is coming in every hour, but you can see why I’m not sleeping well.”

  Until now, Jeff realized, he’d been focused on his client’s narrow problem. He’d not seen it as part of an expanding, and dangerous, reality. Daryl was scaring the hell out of him, and he experienced a surge of anxiety and fear he’d not felt since those last days before 9/11. “What’s the potential?”

  She paused, then said, “Anything’s possible. It looks as if we’re just seeing the surface. Here’s what’s frightening me.” Jeff felt another chill shoot through his body. If Daryl was frightened, then this was even bigger than he feared.
  “First, we can’t detect the virus coming in, and that’s going to be a tough egg to crack. We’ve got to get the signatures written, the patches prepared, then out there, and I don’t think there’s enough time. Second, a single signature isn’t going to work. The variants are too different.”

  Jeff nodded, took a sip of coffee, then explained what he’d learned, and what he didn’t yet know. When he finished Daryl groaned. “This Superphreak, if that’s the cracker’s cyber handle, could be a Chechen. Or he could be a gun for hire and working for almost anyone. The Russian mob, to name just one.” Neither of them said anything for several minutes as they absorbed what they had learned. “I’ve got more,” she finally said. “There are other propagation methods besides, or in addition to, the worms. My team is reporting they’ve found three of the variants that spread through the address book of each computer they touched, and several of the ones we’ve looked at are polymorphic or metamorphic, so they look different each time they replicate. That’s what I was getting at before.”

  “One I found wanted to replicate,” Jeff confirmed. “The system went down so fast I doubt any of it got out, but that was its intention.”

  “What if every variant is self-replicating?”

  Jeff sat back in his chair. “I hate to bring up more bad news, but have you considered this? Whoever is spreading this virus might be still at it. They could be sending new variants out every day. I’m sorry to add to your misery, but you need to get CERT and DHS serious about this.”

  Daryl threw up her hands. “I’m only one person with a small team. We’ve had six directors heading up DHS cyber-security since it was created. Almost none of them have lasted so much as a year, most only a few months. They have no clout in DHS, and if they’re in the driver’s seat when the attack comes, it could end their career.”

  “This is all very familiar, isn’t it?” Jeff asked. He’d worked long enough in the government system to know what she was up against.

  “I’m afraid so.” Daryl’s beautiful face was creased with worry. “We’re trying to get the industry interested. But we’re way behind the curve on this. We have no idea how many variants there are, or how many others are coming out. I lay awake last night imagining the harm that will come if we’re only seeing a small portion of the Superphreak viruses.”

  “Take it easy. We’re probably overevaluating, and it’s not as bad as we fear.”

  Daryl wasn’t buying it. “Look at the body count already! Superphreak, if that’s what’s causing this, is already the most deadly virus ever unleashed, and it’s just starting. That’s why I’m in Manhattan. There are dead people here because of this thing. We have no idea of the long-term harm Superphreak can cause.” She paused, then leaned across the table, her blond hair falling forward. “Let me tell you what I think. What we need to do is to stop this at the source.”

  “How?” Despite himself, Jeff knew she was right. He’d had the same thought late the night before, but hadn’t wanted to admit it until she’d said it aloud.

  “Find the cracker in his home, get distribution stopped at the wellspring, then learn from him or his computers exactly how many variants there are. If we had that information, I could rush through the fix and the antivirus changes, and we could stop this thing in its tracks.”

  Jeff smiled. “You have a black-ops team that does that?”

  “Hell, no,” Daryl said grimly, “but we sure as hell need one.”

  13

  LOWER MANHATTAN, NYC

  WORLD TRADE CENTER SITE

  TUESDAY, AUGUST 15

  11:47 A.M.

  Exhausted as he was, Jeff wanted nothing so much as to go straight to his hotel room, but there was no denying this. It had to be done.

  Two blocks to the west he located a subway, bought a MetroCard, then rode the train downtown. The car was clean, cleaner than he recalled from his summer of weekend trips here that ill-fated year.

  For two years, Jeff had been in a serious relationship with Cynthia Wheel. They’d lived in the same complex just outside Richmond, Virginia, and had met at the gym they shared. Petite with raven hair, she’d been a vivacious and bright young woman. It had been easy to settle into the life of an old married couple with her, without ever actually “doing the deed,” as she was fond of saying, especially when naked and about to suggest another bout of sexual play.

  Jeff felt a real sense of loss when, in May of 2001, Cynthia’s company, ARM—Account Resources Management—of Richmond, Virginia, had transferred her to Manhattan. Jeff helped her pack, then drove her to her new apartment. “We won’t let this be the end of us,” she assured him just as he prepared to leave. “I promise.” She’d kissed him sweetly on the mouth, stepped back, flashed her winning smile, and said, “Wish me luck.”

  In the months that followed, his routine was consistent. He began recording the long hours he normally gave the CIA gratis and left the office at 1:00 p.m. every Friday, to take the shuttle flight to New York City. After spending the weekend with Cynthia, he’d return home late Sunday. In August, she’d flown to see him twice, complaining of the sweltering heat in Manhattan, but by September she was thrilled as the days turned cooler with the prospect of autumn.

  That August Jeff had received a disk originally seized from the ruling Taliban by one of the rival Afghan groups. He’d cracked into the disk within minutes of receiving it and saw at once that, despite its provenance, it was not Taliban. It had been prepared by a group called Al Qaeda, “the base.”

  Dredging up a vague memory of Al Qaeda, Jeff remembered it was one of a number of terrorist groups on the radar screen of the Company, though it held no significance to him. He checked the terrorist database to which he routinely contributed and was brought up cold. Led by an enormously rich and shadowy figure, Osama bin Laden, Al Qaeda might not be the biggest or best-known terrorist group, but it tended to target Americans with deadly results.

  For the next three days Jeff gleaned information from the disk, then carefully analyzed its contents, a role beyond his purview. Checking the master database several times, he found a dozen recent entries that seemed connected.

  Next, he drafted a time line. On one side of the program he listed information by date, to analyze the data flow. On the other, he listed events in the order they were to occur. He could scarcely believe what he was seeing. He printed the program, sketched an analysis, then buzzed his boss’s secretary and asked for a meeting as soon as possible.

  For the next two hours Jeff reviewed his information, tearing it apart as a critic might. The stark facts remained. Only an idiot, someone too blind to see the obvious, could fail to see what he’d uncovered. With dismay, he realized that was a good description of his boss.

  George Carlton was a burly man of average height, turned soft by two decades in government bureaucracy. His sallow skin had become excessively sensitive to daylight over the years and he now burned quite easily. When he came into the office after a weekend in the country or at sea, his face would shine a bright red.

  Carlton had begun his career as an FBI desk agent, moving into middle management from there. Then, for reasons never fully explained, he took a position with the CIA as manager of the Cyberterrorism–Computer Forensics Department. The move was unusual, but on paper, at least, it seemed a good fit. At that time computers and their use for terrorism was not a high priority, since there’d been no documented case of a foreign terrorist act within the continental United States, either against the supporting computers of the Internet or by using its resources. With the additions of other functions, including the Computer Science Group and its obscure Cyberterrorism Unit, Carlton’s area of power and presumed expertise steadily grew.

  He was a born bureaucrat, adept at evading responsibility for errors while garnering praise for work he’d not performed. He made few enemies over the years, which served him well. But the lack of attention his department received was the greatest boon to his career. Prior to 2001, little was expected of him in the twilight world of counterterrorism in which he’d found a niche. Though he would have preferred an airy corner office on the second or third floor, he was content with his location, far from any window and deep within the center of the ground floor.

  Shortly after 4:00 that afternoon Jeff was ushered in, carrying with him the proof he hoped his supervisor would find persuasive. Carlton didn’t rise as he gestured for Jeff to take a seat in front of his desk. “What have you got?” A bad boss is typically characterized as hostile, rude, and dim. Carlton was never, or at least rarely, rude; he’d been in government service too many years to be overtly hostile; and he was not stupid. For the next ten minutes Jeff laid out what he believed was going to take place on September 11, less than two weeks away.

  Carlton listened with diminishing enthusiasm, then asked to see the time line. He spent a full minute examining it before commenting, “I’m confused about something. Just where do these supposed targets come from? The Statue of Liberty, the Pentagon, the World Trade Center, the White House, the Capitol, the Sears Tower, the Golden Gate Bridge, the Washington Monument.” He looked up. “Mount Rushmore? I suppose I can see the logic of the Pentagon, the other government buildings even, but Mount Rushmore? I don’t get it.”

  “I admit listing all of them as possible targets is speculative, but it’s speculation based on text,” Jeff said. “Those names came from various communiqués. They’re not only after what could be called hard targets, structures connected to our government and military, but also after our economic infrastructure and landmarks.” Jeff’s mouth was dry and he found the words difficult to form. “They’re very into symbolism. And Al Qaeda’s targeted the World Trade Center previously. Their purpose with those truck explosives was to topple one of the buildings into the other, taking them both down like dominoes.”

  Carlton snickered. “They were wrong, weren’t they? In fact, Al Qaeda isn’t all that effective, if you look at their track record. And they certainly seem to prefer the Horn of Africa. It’s difficult to see them posing a genuine threat to us from … where are they? Afghanistan, of all places.”
