Then the heart monitor stopped beeping.
Three seconds later, the lights went out.
Chapter 63
Four weeks later
Baltimore, Maryland
“I think we’re ready to begin, Mr. Fife.”
I gave a thumbs-up to the agent. Amir, seated next to me in an ill-fitting gray suit, an arm sling, and his signature Mickey Mouse watch, patted me on the back with his good arm and delivered the proud smile of a father as I rose to take my place behind the podium.
“Good afternoon, everyone.” The agent tapped on the microphone several times to quiet the audience, then continued, “Good afternoon. Today I’m pleased to introduce our speaker, Mr. Alex Fife. Mr. Fife will be briefing our team on the recent Iranian-initiated Florentine cyber-attack. Before we begin, I needn’t remind any of you that this briefing has been classified top secret. Alex,” he smiled at me, “your reputation already precedes you here at the NSA, but for those who have been conducting signal intelligence in Antarctica over the last few years, let me give a brief bio….”
“Thank you, that was very kind,” I said once he finished. I removed a stack of notecards from my suit pocket and walked behind the podium. Before me sat nearly two dozen agents from various three-letter American and Israeli agencies. I smiled at the crowd.
“Hello everyone. I’m excited to be here, and frankly happy to be alive at this point—the past month and a half have been quite harrowing. Before I begin, I’d like to say a few words about your colleague, Doctor Arnold Altschiller. By now, you all probably know that Doctor Altschiller was murdered four weeks ago, while in service to his country. While Doctor Altschiller was obviously one of the world’s, no, the world’s most influential cryptographer, he was also an inspiration and role model. And in fact his career—his discoveries and innovations—are what inspired me to pursue my career in cyber-security. So I owe Doctor Altschiller a great personal debt, as does our country.” I took a sip of water, then cleared my throat and continued.
“Four weeks ago, on Wednesday, September 6, at 9:55 a.m. Pacific Standard Time, the United States and Israel experienced the largest computing outage in the history of the world. As I’ll discuss in more detail shortly, hundreds of millions of computers in our two countries simultaneously reset themselves at this exact moment, creating a major hiccup in cyberspace and temporarily taking large swaths of our nation’s physical infrastructure offline. Of course, as most of you also know by now, I was responsible for this ‘hiccup.’ But in my defense, the alternative would have been much, much worse.”
My host nodded; the rest of the audience stared stoically.
“So how did we get here? My understanding is that you’ve all been briefed on the Russian Florentine document, so I’ll skip over the background and go straight to the timeline.
“As early as six months ago, a leaked SVR software package that granted access to the Florentine system found its way onto the black market. For purposes of clarity, let’s call this software package the ‘Florentine Controller.’ An attacker in possession of the Controller could use it to upload up to ten attack payloads to Microsoft’s update servers, for immediate worldwide distribution and activation via the Florentine back door.
“Shortly after the Controller’s initial availability on the black market, members of the Iranian intelligence services contacted the broker, Mr. Richard Lister, with an offer to purchase it. Their goal? To decimate computing infrastructures of the United States and Israel.
“Okay, so here’s the detailed timeline.” I clicked my presentation remote. The screen cleared and an empty timeline appeared.
“Over the past few years, a small team of hackers led by Iranian operative Arnaz Khalimmy engineered a software payload capable of scrambling the firmware chips of most major computer models.” I clicked my remote and an Iranian flag jutted up from the timeline. “Needless to say, this would turn most PCs and servers into paperweights. The team apparently experimented with using computer viruses, or more likely, worms, to deliver their payload, but quickly found these vectors inadequate. So until their discovery of the Florentine, they had no means of widely distributing their attack.
“By Sunday, September 3, roughly four weeks ago, I had obtained a copy of the Florentine Controller software, and immediately after determining its nature, contacted the NSA. Unfortunately, shortly after my call—”
“Excuse me,” interrupted a man in a dark green cardigan. “Before you continue, can anyone from NSA briefly explain why we didn’t just shut down the Florentine system when Mr. Fife first reported it?”
“I’ll field this one.” Jon Whitehouse raised his hand. “Sorry for the interruption, Mr. Fife. In answer to your question, Phil, at the time Mr. Fife reported the Florentine system to NSA, we had no intel of any in-progress or imminent attacks. Nor could Mr. Fife communicate any details about the system, since he was calling on an insecure line. So when he disappeared, all we could do was dispatch a team into fact-finding mode. Let’s take this one offline, but I can fill you in later if you’d like.”
“I would, thank you,” said the man in the cardigan. “The Senate Subcommittee on Cyber-security is on the verge of conducting an inquisition, and we’d better have our story straight.” He paused a beat for others to comment. “Sorry Mr. Fife, please continue.”
“As I was saying,” I continued with a frown, “shortly after my call to the NSA, Arnaz Khalimmy kidnapped me to obtain a copy of the Controller software. And by late Sunday night, his team had completed a benign, dry-run test of the Controller to ensure its authenticity.”
I clicked my remote and a flag bearing the words “Iranian Dry Run Test Launched” appeared on the timeline at eleven p.m. on Sunday.
“Now, unbeknownst to the Iranian team—and to us at the time—the Russians had embedded a tracking beacon into the Controller software. Not surprising, given its immense strategic value. We now know that this beacon activates and sends geo-location data back to a Russian-controlled server any time a user activates the Controller software.
“By all accounts, the Russians were alerted by this beacon at the time of the Iranian dry run, and by ten-thirty the next morning, an SVR ‘cleaner’ team arrived at Mr. Khalimmy’s base of operations, a safe house in North Hollywood, California. The SVR operatives quickly neutralized the Iranian team, but not before the lead Iranian engineer had uploaded the live firmware-killing payload to the Microsoft Update servers for distribution. I don’t believe the Russian team realized this, and even if they had, they lacked the password required to cancel the attack.”
Another click of my remote caused a flag to appear on the timeline at ten-thirty a.m. Monday, bearing the words “Iranian Live Payload Launched.”
I took a sip of water, scanned the room for questions, and finding no hands, continued.
“So what were the timing and triggering criteria of the live Iranian attack? First, the Iranian team chose a payload trigger time of ten a.m. Wednesday—two days later. This deadline was chosen to ensure ample time—nearly forty-eight hours—for the world’s population of computers to download the attack payload from Microsoft’s Windows Update servers prior to the payload’s trigger deadline. We now know, thanks to assistance from some of your colleagues, that during this forty-eight-hour period, the Florentine system distributed the Iranian attack to nearly one-and-a-quarter-billion computers of all makes and models around the world.”
A hand shot up, this one from a woman dressed in a prim navy skirt and white blouse. “I’m sorry, you said the attack was distributed worldwide? Not just to American and Israeli computers? I thought that the attack was just targeted at computers in our two countries?”
“Good questions. The Florentine was designed to launch large-scale, blitzkrieg-style cyber attacks, not conduct pinpoint cyber espionage. As such, the way the system works is that every Windows computer around the world downloads every available Florentine payload from the Windows Update servers. Once a payload arrives on a computer, it’s responsible for checking whether the machine meets its criteria, and if so, it activates. If not, the payload silently self-destructs. The Iranian payload checked the language settings of all 1.25 billion computers it landed on, and only launched its firmware attack on those bearing a language setting of American-style English, or Hebrew.”
“Very interesting. Thank you.”
“Not a problem,” I continued. “So at ten a.m. Wednesday, the Iranian payload activated on machines around the world.” I clicked the remote and two laptop computer icons, one labeled “American” and the second labeled “Israeli,” appeared on the timeline. A beat later, a mushroom-cloud graphic rose atop both computer icons.
“Of course, as we all know now, the attack largely failed. However, it did not fail due to any programming errors on the part of the Iranians. Their payload, we now know, was perfectly lethal. Nor did it fail because of SVR intervention.”
A few members of the audience nodded energetically in dawned understanding; others regarded me with confused stares.
“With the help of my good friend, Amir Taheri,” I smiled at Amir in the front row and he gave me a gentle wink in return, “I identified a flaw in the Iranian payload’s targeting approach and created my own Florentine payload, an antidote if you will, to stave off the attack. Actually, technically I created two payloads—a two-part antidote.”
I paused a moment for questions, then continued. “So how did my two-part antidote work?”
I clicked the remote and an animated flounder swam onto the screen.
“Of all places, I got the idea from a children’s book on animal camouflage, from the flounder fish—also known by its taxonomic name, Bothus mancus. This remarkable animal is capable of temporarily changing the color and pattern of its skin to match those of the sea floor when it senses danger. This gave me an idea: if the Iranian payload was looking for American and Israeli computers, or to be more precise, computers with English or Hebrew language settings, then why not camouflage all those computers—just prior to the Iranian payload’s trigger time—to look like computers from a different country?
“And that’s exactly what the first part of my antidote did. My first payload, which I called ‘Flounder1,’ started by checking to see if each computer was configured to use either English or Hebrew, the two languages I knew the Iranian payload targeted for its firmware attack. If a computer used either language, my Flounder1 payload first created a backup of the computer’s original language setting so this could be restored later. It then changed the computer’s language setting to Japanese, effectively camouflaging the computer to look like one from Japan rather than one from America or Israel. Finally, Flounder1 forced a reboot of the computer, to ensure the changes took effect. I programmed Flounder1 with a trigger time of 9:55 a.m. Pacific Standard Time on Wednesday morning, ensuring it would run exactly five minutes prior to the Iranian payload’s trigger time.”
I clicked the remote; the large flounder swam off the right side of the screen and the timeline returned. Then a small flounder icon animated at 9:55 a.m., just to the left of the laptop computer icons and mushroom cloud at ten a.m. on the timeline.
I looked around the room for other questions. None came, so I continued.
“The second part of my antidote, my ‘Flounder2’ payload, was responsible for reversing the camouflage. I programmed it to restore each disguised computer’s language from Japanese back to its original setting of either English or Hebrew. I programmed Flounder2 so it would activate at 10:05 a.m. Pacific Standard Time, five minutes after the Iranian attack had triggered.”
I clicked the remote, and a second small flounder icon animated at 10:05 a.m. on the timeline, just right of the two computers and their accompanying mushroom clouds.
“So, in essence, my two antidote payloads were designed to sandwich the Iranian payload in time, temporarily disguising all the targeted computers during the instant of the Iranian attack.
“Unfortunately, as they say, ‘man plans, God laughs.’ While I was able to submit my Flounder1 payload to Microsoft’s update servers, an SVR agent shot me before I could upload Flounder2 for distribution.”
With a click of the remote, the second flounder faded from the timeline.
“Any questions so far?” I scanned the room. “Everyone following?”
Several agents nodded.
“Good. So to recap, that Monday morning, the Iranians used the Controller to post their payload on Microsoft’s update servers, and just hours later, I followed suit, posting my Flounder1 payload.
“Now, within minutes of each payload’s transmission to Microsoft’s servers, Windows computers around the world began downloading them just as they would any newly available, legitimate software update. A substantial fraction, roughly fifty-two percent of the world’s estimated two-point-four-billion computers, connected to Microsoft’s update servers at a rate of roughly fifty million per hour, and by Wednesday at 9:55 a.m., most of them had retrieved both the Iranian payload and my Flounder1 payload. If you do the math, that’s about one-and-a-quarter-billion computers. Of course, some computers only downloaded the Iranian payload, and some just downloaded my payload, but most downloaded both.”
“Only fifty-two percent?” asked a polo-clad, middle-aged man in the back row. “Why so few?”
“That’s what your colleagues estimate,” I responded. “The remaining forty-eight percent were either off, or had no connection to the Internet during the period of time when the payloads were posted. Or,” I said, flipping an imaginary light switch off with my right hand, “it’s possible that these computers simply had their auto-update feature turned off by their owners. Many corporations disable the Windows Update feature on their corporate PCs. They manually distribute new updates to their machines on their own schedule.”
“Interesting. I had expected the percentage to be much higher. Thanks.”
“It surprised me too, frankly.” I paused. “Now at five minutes before ten a.m. Pacific Standard Time, the Florentine back door activated my Flounder1 payload on every one of those 1.25 billion computers. Of these, roughly 304 million computers were American or Israeli computers, and on these computers, my Flounder1 payload proceeded to back up their original language setting and then switch their language to Japanese.” A click of my remote control morphed the captions under the laptops from “American” and “Israeli” to “Japanese” and “Japanese.”
“A microsecond later, Flounder1 rebooted those 304 million computers. Of course, I don’t have to tell any of you about this. That simultaneous reboot caused the blackout most of you experienced firsthand. The Department of Homeland Security recently released an estimate that over seventy-five percent of all US and Israeli power plants, traffic grids, hospitals, and police stations went dark, as both their primary and failsafe computers simultaneously reset. Fortunately for me … and our two countries … these systems quickly came back to life. Over the next few minutes, give or take, those 304 million computers restarted themselves and resumed their normal operation. With one notable exception: all of them now attempted to display their user interface in Japanese rather than English or Hebrew.
“Minutes later, at ten a.m. Pacific Standard Time, the Florentine back door inside those same 1.25 billion computers activated again, this time launching the Iranian payload. But by the time this payload activated, only a minute fraction of the 304 million potential targets still retained their original English or Hebrew personas. All of these uncamouflaged machines predictably suffered an untimely and permanent end—without functional firmware chips, they were turned into paperweights. However, the vast majority of computers—your colleagues estimate as high as 99.8% of the potential targets—escaped destruction due to their new Japanese identity.”
A final click of my remote control caused the mushroom clouds to fade from the screen.
“Of course, my intention was to reset these 304 million computers back to their original English and Hebrew personas with my Flounder2 payload once the Iranian Angel of Death had ‘passed over,’ but as they say, stuff happens.” The audience chuckled at my euphemism. “As a result, all 304 million of these computers retained their new Japanese identity until either their owners manually switched them back—no doubt with a confused look on their faces and the help of a Japanese-speaking neighbor—or a day later when Microsoft, at the urging of the NSA, released their own traditional Windows Update to restore those computers back to normal.
“Of course, unless you have been holed up in a cave,” I nodded to my host, “you know that rumors have abounded about the cause of the mass outage. My favorite was the space alien-generated computer virus hypothesis in the Enquirer. Oh, and in a moment of supreme irony, the official Iranian Fars News Agency blamed Israeli agents for the outage.
“So where are we now? Well, I’m happy to say that the Florentine system is no longer functional. The weekend after the attack, an NSA team worked around the clock with Microsoft to remove the Florentine back door from their Windows Update servers. Without the update server back door, attacks could no longer be uploaded and distributed, effectively neutering the Florentine system. And, as I understand it, this morning Microsoft released a ‘critical’ patch that they claim addresses a serious flaw in Windows. They have urged users to download and install the patch as soon as possible, lest they be susceptible to a new super virus. The cable news shows are all over the story. Of course, in reality, this patch simply expunges the Florentine back door from Windows.
“So at this time, as far as we know, the world’s computers are safe from further attack.”
Chapter 64
One week later
Los Angeles
“Sit, boy.”
Eyeing the box of fresh doughnuts in my hand, Rusty eased onto his haunches and then, shifting his gaze to my face, fixed me with a pair of sad eyes.
“Don’t worry, I’ll give you one,” I whispered. “Just wait until we get inside.”
The Florentine Deception Page 31