Cyber Countdown


by Terence Flynn


  “There’s something wrong, Shen. The success rate shouldn’t be that high on the systems that weren’t probed. The only way that could happen is if those systems had their security disabled somehow.”

  “How could that be possible, Kim?” Shen asked.

  “I don’t know. Corporate insiders with security training could disable a company’s security, but not at this many sites. Finding and organizing insiders at scores of different businesses throughout the US would be impossible. I have no idea how it was done.”

  “I checked the proxy server you set up at HIT to store the captured data, and it had more than seven hundred gigabytes of data, much more than we’d anticipated. I just hope the proxy servers adequately masked our network addresses so we can’t be traced.”

  “They should have,” Kim said. “I configured the high-density physical servers with a maze of virtual servers, switches, and firewalls that would make such a trace almost impossible during the attack. Did you download the data to the USB drive?”

  “Yes, and then I erased any trace from the servers. I’ll provide it to Flaherty this evening at six. I have our final payments and bonuses. Tell Cai to join us at the Shangri La at seven.”

  Shen arrived at the Shangri La shortly before six and asked the desk clerk to call Flaherty’s suite.

  “Mr. Flaherty has already checked out, sir. He left last night, but he left a letter for you.”

  Shen was confused, but calm, since he had already received their payment. When Kim, Cai, and Lian arrived at the pub, they found Shen sitting in the back drinking a beer.

  “How’d your meeting go with Flaherty?” Kim asked. “Did he provide any further instructions?”

  “We didn’t meet. He left an envelope that I want to open with everyone here.”

  Shen opened the envelope and read the letter inside. It contained the number of a post office box in the state of Virginia where Shen was to send the drive. They were also officially invited to the Munich Cybersecurity Symposium, all expenses paid. Everyone was ecstatic about their bonuses and the symposium except Kim.

  “Why are you not happy, Kim?” Cai asked.

  “I’m concerned that Flaherty has suddenly left without notice. Don’t send the drive yet, Shen. I have a feeling we may need it. I’m going to see what’s going on with Flaherty.”

  Kim pulled his laptop out of his bag and checked Flaherty’s email account. The last email from Flaherty was from the previous day saying that the mission was complete and that he was coming home. Kim went through some previous emails and saw several about the grading of the students. There were others about arrangements that would need to be made for them after the event, which Kim assumed was the exploitation of the American businesses. He found one email in which Nadya said her boss had met with James and the event needed to be implemented sooner than planned. There was also an email from Nadya to Flaherty saying they needed to set up arrangements for Munich before it hits the fan in China.

  “I’m not very familiar with American slang, Shen. What does that mean?”

  “I don’t know. Let’s ask our favorite bartender. He spent a lot of time in America.”

  Shen waved him over to their table. After ordering more drinks, Shen asked him the meaning of the phrase. The bartender laughed. “The complete phrase is ‘before the shit hits the fan,’ and it means before a disaster.” The four of them looked at each other with fear in their eyes and wondered what disaster was going to hit China.

  20

  Washington, DC, was digging out of one of the biggest snowstorms in years, and Rick was on his third day at James’s condo. He was homesick and especially missed Allison. When Rick met with James after work, he saw a big pile of documents on the dining room table.

  “What’s going on, James?”

  “I’ve been reviewing all the patches for VSI’s latest firewall and intrusion prevention system product. I led the development effort before leaving VSI.”

  “Is there something wrong with the design?”

  “Not that I know of. The technology is solid, but I can’t find the patch that Philip described in the Backfire file. Tom also hasn’t been able to find any reference to it in the VSI data management systems.”

  “Could Philip have made a mistake? He was human.”

  “No, I’m certain the patch exists. Philip left a copy of it in his safe. There’s just no documentation for it at VSI.”

  “That’s strange, all right. Why don’t you just analyze the patch Philip included in the Backfire file and see what it does?”

  “I plan to, but to do that I’d have to install it on the test hypervisor firewall system in the VSI laboratory. That laboratory is always booked solid. I asked Tom to reserve some time for me tomorrow. I’m waiting to hear back from him.”

  “I’d like to go with you, but I have a meeting with Dimitri Vasin tomorrow morning at nine.”

  “The guy who identified George Solomon as his boss?”

  “Yeah, that’s him. Do you want to come along? You know George better than me, so your presence could be helpful.”

  “Sure, and then you can come with me to VSI. I can drop you at your house on the way back.”

  “Sounds like a plan. Let’s get some dinner.”

  They’d just finished dinner when both their cell phones rang. James saw Barbara’s phone number and answered it.

  “James, a serious cybersecurity event is hitting businesses all over the country. It looks like it’s originating from three cities in China. The president is having a meeting with the Chinese ambassador as we speak to express his displeasure.”

  “Do you think this has anything to do with what happened to their agent and their opposition to our cyber-attack legislation?”

  “We aren’t sure, but the president wants you at the White House for a meeting tomorrow morning at seven. I’ll be there with the director of national intelligence and Shelly Brockner.”

  “Okay, I’ll be there, Barbara.”

  Rick was just ending his call as well.

  “Was that your girlfriend on the phone, Rick?”

  “Not hardly, it was Director Brockner. She told me about some Chinese cyber-attacks and wants me to accompany her and the head of the FBI Cyber Division to a meeting with the president. I need to go back to the office to get my spare suit.”

  “I’ll drive you. I’m also going to that meeting.”

  James and Rick showed up for the meeting at the White House the next morning, and Barbara briefed them on the discussion between the president and the ambassador.

  “Ambassador Yang denied any involvement by his government in the cyber attacks. He said the US shouldn’t blame the Chinese government every time our commercial sector is attacked. The meeting ended when he said that we should provide more support to help secure our businesses instead of passing laws to penalize China.”

  The president arrived and described the attacks.

  “The attacks originated from Beijing, Harbin, and Shanghai and were directed at banks, financial institutions, and commercial research organizations throughout the country. A lot of data was downloaded, but there’s no evidence of any disruptions in business. I’ve gotten calls from the CEOs of these businesses, many of whom are friends who supported me during my campaign. They’re demanding action, including quick passage of the foreign cyber-attack legislation.”

  “The initial evidence shows the attacks are originating in China,” Shelly said. “I have a hard time believing the Chinese weren’t involved, Mr. President.”

  “I met with Ambassador Yang, and I believe he may not have been aware of the attacks, Shelly. It doesn’t mean the Chinese didn’t do it. He was defensive based on the recent events involving their agent, and he referred to the foreign cyber-attack legislation as the ‘anti-China legislation.’ We need help from all our cybersecurity experts to determine what happened, before things get out of hand.”

  The president adjourned the meeting but asked James and Barbara to stay. James told Rick he’d meet him later at the FBI.

  “We need to analyze the data we’ve gotten on the attacks from the FBI. I want you to postpone your leave of absence and take the lead on this, James.”

  “What about the DNI, Mr. President? Shouldn’t he be leading this effort?”

  “I invited the DNI as a courtesy since he should know what’s going on. This was an attack on our businesses, not our military. You know our business environment better than the DNI or anyone else in the intelligence community. Having the DNI lead the investigation would also raise the stakes with the Chinese.”

  “Okay, Mr. President, I’ll do it. What resources do I have?”

  “Any resources you want outside of DoD, unless I’m convinced they need to be involved. We’re treating this as a crime, not a military attack. I’ve put the FBI director and the attorney general on notice to provide any Department of Justice resources you might need.”

  “In that case, I’d like to have FBI Special Agent Rick Tanner assist me. He’s an expert in cybersecurity and we work well together.”

  “Use whoever you want, James. Just get me some answers.”

  James called Rick after his meeting with the president and informed him of his new assignment.

  “I already know, James. The president told the director that you’re in charge. She wants to meet with the both of us in her office as soon as you get here.”

  “Okay, I’m on my way.”

  Director Brockner, Rick, and the head of the FBI’s Cyber Division were waiting in the director’s office when James walked in.

  “Welcome back, James. I’m sure you’re getting tired of seeing me.”

  “I’m happy to be back, Director. The FBI has become like a second home to me.”

  “That’s good, because it looks like you’ll be here until we solve this problem. I’m having all the data from the attacks collected and compiled so that you and your team can go through it. You can have access to anyone in the Cyber Division. Rick can help you identify the personnel and their capabilities. Can you please tell James about the data collection process, Rick?”

  “Certainly, Director. The evidence boxes on this conference table are what we have so far. It includes the source network addresses where available, as well as the network addresses that were attacked. We’re collecting any audit data that the businesses were able to provide on prior attacks and probes. In addition, we’re working with the target businesses on identifying the types of systems that were victimized and the security systems used by each victim. It isn’t entirely complete since we’re still gathering data, but as we get more we’ll provide it to the team.”

  “How are you correlating the audit data from all the sources?” James asked.

  “That’s our main problem,” Rick said. “The data that’s available varies widely as to accuracy, completeness, format, and consistency, which makes comparisons very difficult. We’ll need to correlate much of the data manually and at a lower level of detail than is ideal. This is very much an exercise in finding the lowest common denominator.”

  “I’m setting you up in an office near Rick’s. You’ll have access to any personnel and facilities that the Cyber Division can provide. Is there anything else you need, James?”

  “Not yet, Director. I’ll let you know if I do.”

  Rick took James back to his new office, which was quite large and had a separate conference room.

  “Who did they fire to get me this office?”

  Rick laughed. “It’s been vacant for a while. The last person who had it died of a heart attack while sitting at that desk. Some people claim it’s haunted.”

  “You’re kidding.”

  “No, I’m not. I used it for a while and heard some noises. Probably just problems with the heating and cooling vents.”

  “Well, if I see any ghosts, I’ll send them to you.”

  As they started going through the data, James suggested they use a geographical map.

  “We need to see where all the source and destination network addresses are located both in China and the United States.”

  “The FBI has a system that will provide that information on a big screen, James.”

  “Let’s see it.”

  Rick led James to a large room that looked like a small movie theater with a panoramic screen. The large screen depicted the geographical source of the attacks. As they looked at the map, they both saw a pattern.

  “All of the source addresses are either on university campuses or nearby in three Chinese cities, James.”

  “Yeah, I see that. This indicates to me that the attackers were probably students attending the universities near the source locations. I’m familiar with many of these schools, and they all have highly rated cybersecurity and cyber warfare programs. We need to make a list of the universities so that we can provide this information to the president when he sees the ambassador again.”

  “This data on the organizations that were attacked in the US seems to have no pattern. They’re all over the country.”

  “Every state in the United States was attacked. That’s a pattern in itself, Rick. In addition, the number of attacks seems to be in proportion to the size of the population in each state. This looks more like a targeting map for a public relations campaign than a cybersecurity attack. Have we gotten any information on the nature and goals of the attack?”

  “Yeah, and it’s very strange. It appears that all of the attacks that were successful resulted in data being downloaded. None of the attacks have disabled IT systems or inserted malware for long-term attacks used to deny service, destroy data, or modify and report on system operations. There was also no attempt to conceal the attacks, and the files that were downloaded appear to be random.”

  “Why do you think they were random?” James asked.

  “The analysis we have gotten so far indicates that the attacks don’t appear to be directed at specific companies, specific industries, or specific types of data. In fact, most of the data that was taken is relatively trivial, with no or little commercial value. We have no idea what the overall goal of the attack was.”

  James smiled. “That’s because you’re not looking at the big picture, Rick. It appears that the goal was to attack every state in proportion to its population without doing any damage. The attacks seem to be designed to annoy people and companies as opposed to really damaging them. It looks like somebody used a lot of resources just to piss off a whole bunch of Americans, including the president. The question is, why?”

  “I think we should look at the audit data to see which of the targets that were probed were also attacked. That might tell us something.”

  “I agree, Rick. We should also identify any IT systems and cybersecurity systems that had an abnormal number of breaches. The system audit data will tell us if there are systems with vulnerabilities that are being exploited.”

  “The review of that much audit data will require more resources than we currently have, James. I’ll ask the director for more people to help scan and review the audit files.”

  The first group showed up almost immediately from the FBI’s Cyber Division. They were supplemented by FBI contractor personnel from the DC area. All had experience in reviewing audit data at various FBI data-processing, data-center, and security-operations center sites.

  “We’re starting to get some meaningful audit analysis data from our FBI personnel, James.”

  “I see that. However, your analysis data is revealing a very strange pattern. Slightly more than ten percent of the network addresses that were probed were successfully attacked. I would expect that, but the success rate on addresses that were successfully attacked without first being probed was about eighty-seven percent. That’s impossible.”

  “What do you think it means?”

  “I’m not sure, Rick. We need to see which security systems were experiencing such poor performance. Let’s have your analysts do a sort on that while I check on some things with Tom.”

  When James returned, the results were compiled and waiting for him and Rick. As James was reading the analysis, he suddenly stopped and blurted, “Oh my God! This can’t be right.”

  “What can’t be right, James?”

  “This analysis, Rick. It says the latest VSI firewall and intrusion detection technology was the culprit in over ninety percent of the attacks that resulted in the loss of large amounts of data. That technology has been the industry leader since it was first released two years ago. It was the culmination of more than ten years of research that Philip and I led. It’s based on our ideas.”

  “Do you think someone sabotaged the VSI systems?”

  “How could that be done at all of the sites that were breached? There are too many sites in too many locations all over the country for this to be an insider attack. That would require a huge well-organized conspiracy. None of what we’ve seen indicates that’s even possible.”

  “What else could it be?”

  James thought for a moment.

  “If it isn’t an insider attack, then there would have to be a flaw in the VSI technology that someone discovered. Maybe someone who knew the technology very well and found a way to implement what is commonly referred to as a zero-day exploit. There may be a way a zero-day exploit could be implemented on such a large scale. But to prove it we’ll need to travel to VSI.”

  As James left the Hoover Building with Rick, he turned on his cell phone and saw several calls from JoAnn. He called her and she answered immediately.

  “Hi, James. Guess who’s the new chairman of the Senate Finance Committee? I’ll give you a hint: it’s someone you’ve slept with.”

  “How many guesses do I get? There are so many possibilities.”

  “Very funny, James.”

  “That’s great, baby! I’m really happy for you.”

  “Where’ve you been all day? I’ve been calling all afternoon.”

  “I’m sorry. I’ve been locked up in the FBI.”

  “What’d you do? Do you need bail money?”

 
