by Misha Glenny
Yet the emergence of a secondary market on the Net for ‘off-the-shelf’ malware will not alter the fundamental truth that behind any cyber attack – whether it is criminal, corporate espionage or warfare – lies a gifted hacker. Mounting cyber attacks that are genuinely damaging, rather than merely inconvenient, invariably requires highly specialised and technical skills. This means that even if a hacker is working on behalf of a boss (be it a capo, a CEO or a Commander), he will still need to know a great deal about the intended target if he is to design the right product. Whichever team of hackers designed Stuxnet, for example, had to know not just about the Iranian nuclear facilities that were the presumed targets; they also needed to understand the Siemens PLC network that ran it and the very specific compressor designed by Vachon, a Finnish company (although manufactured in China), as well as the Taiwanese company whose RealTek digital certificate was spoofed to fool the Iranian system’s anti-virus program. Anyone smart enough to work on Stuxnet would have been smart enough to work out its intended victim.
In this respect, hackers are the key to cyber security as they hold the solution to the conundrum. Find the hackers and you will have made serious strides towards uncovering the truth.
The overwhelming percentage of funds that governments are now channelling into cyber security are devoted to ‘digital solutions’ – they are fighting the power of gadgets with gadgets. The money going into understanding hackers, their culture, their minds, their intentions and their vulnerabilities is negligible. But how do you find a hacker? And, on the Internet, how do you know if your new-found friend is a hacker, a police spy, an intelligence agent, an Air Force investigator, a prankster, a terrorist or an alien?
Everything revolves around trust. And building trust means being patient and nurturing relationships. Yet time is at a premium in the world of cyber security. Nowhere did the difficulties relating to trust and time become clearer to me than when DarkMarket’s locus shifted away from its origins in Britain, Germany and the United States towards a country whose economic and geo-strategic importance is growing at a rate of knots – Turkey.
Book two
Part I
26
BILAL IN PITTSBURGH
Pittsburgh, Pennsylvania, February 2008
One crisp winter morning in 2008, Inspector Bilal Şen of the Turkish Police stared out of his office window at Pittsburgh’s Hot Metal Bridge. Straddling the Monongahela River a tad east from where it joins the Allegheny to form the majestic Ohio, the bridge used to transport molten metal from the great Eliza furnace on the north side to the rolling mills on the south.
But today he had no time to reflect on Pittsburgh’s snow-clad post-industrial aesthetic. He had just read something disturbing on the DarkMarket boards. According to apparently reliable information coming out of Istanbul, Cha0, the cyber criminal under investigation by Inspector Şen, was ‘one of the big boys, rich and powerful’. For a Turk, the phrase was easy to decode: the target had friends in high places, a Turkish copper’s worst nightmare.
Inspector Şen had been working at the National Cyber Forensics Training Alliance for almost three months. On his first day he had been waiting in reception to be greeted by the organisation’s boss when by chance Agent Keith J. Mularski strolled in, bright and charming as always. He introduced himself and, on learning that Bilal was from Turkey, immediately started telling him everything he knew about Cha0, DarkMarket’s notorious administrator and master criminal. Mularski and Şen were a splendid match.
When he entered the office area on the fourth floor of 2000 Technology Drive, the Turkish policeman was struck by the appearance of the place, which looked more like an insurance company than the frenetic high-tech environment familiar from TV programmes like CSI New York. One room that was tucked away was littered with the tools of computer forensics, machines that offer up the innermost secrets of any digital device. But this tech examination room was barely visible and was sealed to prevent the intrusion of any trojan or other malware from contaminating objects under investigation (as with their organic counterparts, computer viruses are sometimes airborne). That aside, the offices were quiet, orderly and unremarkable.
On that first morning, Keith showed Bilal the whiteboard in his office with the name ‘Cha0’ atop the pyramid of criminals connected to DarkMarket. Inside, the Turkish policeman felt a twinge of shame. With the support of colleagues in Britain and Germany, the Feds had taken down two of DarkMarket’s most energetic administrators, JiLsi and Matrix, six months earlier. Arrests had already been made in Britain, Germany, Canada and France, and further arrests in the United States were being prepared. So the officer from Ankara felt it a stain on his national pride as well as on his personal reputation that his fellow Turk was now among the most-wanted cyber criminals in the world.
Turkish police, and particularly its organised-crime department, had come a long way in the previous decade, and Bilal was determined to prove that even with many fewer resources available to him than to his counterparts in Western Europe and America, the young Cyber Crime Unit based in the Turkish capital, Ankara, was capable of playing in the big league.
Police officers from around the world were always dropping in and out of the FBI offices. They came to learn from their American counterparts, but also to build networks of mutual assistance. Cooperation between police forces from different countries usually groaned under the weight of intolerable bureaucratic procedures, and personal friendship among cops was the quickest way to bypass that.
Bilal had come on a three-month attachment. As a Turk, he was a novel, if potentially very useful contact for the Feds. In 2003 he had been one of the two co-founders of the tiny Cyber Crime Unit in Turkey’s Anti-Smuggling and Organised Crime Division. And compared to the perpetrators, the inspector had no resources.
For his part, Bilal Şen wanted to learn from the FBI. Not that he was inexperienced. He had joined the police as a fifteen-year-old in 1989, signing up for the gruelling eight-year officer training course – the longest in the world. This was odd, as with his small stature and thoughtful manner, Inspector Şen resembled a Turkish Hercule Poirot more than the traditional image of a tough Balkan cop moulded by rural bandits, urban narco syndicates and a brutalised criminal-justice system.
Police college had proved a taxing regime. However, what pained Bilal most were not the spartan quarters and unforgiving assault courses, but the complete absence of computers. From a young age he had taken any opportunity to sneak into the local games arcade in his home town of Eskışehir that sits midway between Istanbul and Ankara in northern Anatolia. He was only about six years old when he came across the game River Raid. Every minute of his spare time was spent flying a two-dimensional fighter plane up a river, firing on tiny helicopters, ships, tanks and dirigibles while trying to refuel at the same time. Gripped by that mysterious fusion of repetition and occasional reward that keeps so many children, adolescents and young adults glued to their computer screens, Bilal had an obsession with games that mirrored that of many proto-hackers at the same age. Equally, he was gripped by the same determination to win.
Perhaps that stubbornness helped the raw recruit through his first posting at a village police station in the middle of Anatolian nowhere. Although this was by now the mid-1990s, the only machine here was an ancient manual typewriter. Taking down witness statements was considered below his dignity as an officer, but Bilal was so determined to improve his typing that he spent many an hour banging on those keys. When he wasn’t doing that, this remarkable autodidact was teaching himself Mandarin.
When he applied to join Ankara’s elite Organised Crime Unit, the chief there asked Bilal why he was learning Chinese. ‘With China opening its doors to the outside world,’ he answered, ‘we are soon going to need Mandarin-speakers in the Department for Organised Crime.’ That reply swung it for him and he landed the job.
Once in the Turkish capital, the
young detective signed up for a Masters at Ankara University, again off his own bat and in his spare time. He selected a topic unknown and unstudied in Turkey – ‘The Opportunities and Risks of E-Government’ – in which he considered the relationship between privacy, civil rights and cybercrime.
Bilal Şen began to monitor the proliferation of Internet crime in his country, one of the few Turkish policeman with the capacity to do so – the only other organs of state already aware of the strategic importance of cyber security were the military and civilian intelligence agencies, but they, of course, never advertised their capabilities or motives.
Together with a colleague, Bilal set himself the Herculean task of persuading the unwieldy Interior Ministry to divert some of its precious funds to the establishment of a Cyber Crime Unit. It took three years of pleading, cajoling and politicking. Fortunately, he had a collaborator who had mastered the Ottoman art of striking the right tone with the appropriate bureaucrats in the Interior Ministry.
As with all the cybercrime units springing up in police forces around the world, Turkey’s new department was able to exploit the fact that virtually nobody else in the ministry understood the dark side of computers. Once given the go-ahead, the two men found themselves oddly free from outside interference, as nobody else had a clue what they were doing and they were hardly a burden on the Exchequer.
While the Inspector’s own government was scarcely aware of his work, his counterparts way across the Atlantic had soon taken note of his achievements. In the summer of 2007 as police in Germany and Britain arrested the DarkMarket administrators, Matrix001 and JiLsi, Turkey’s cybercrime team had put one of the most notorious cyber criminals, Maksik, behind bars. A major player on DarkMarket (he had supplied amongst others the French hacker, Lord Kaisersose in Marseilles with ‘dumps’), Maksym Yastremsky from the north-eastern Ukrainian city of Kharkov had assumed he would be safe in Turkey – not only did no cyber criminal ever get arrested there, but relations between Ukraine and Turkey had never been more cordial, especially in the underworld.
The Ukrainians also adored the country for its gorgeous coast – Antalya’s beautiful beaches had become a de rigueur destination for cyber thieves from both nations.
The US Secret Service had been tracking Maksik for two years. They had successfully stolen the secrets of his laptop in 2006 and then set up meetings between him and an undercover Secret Service agent in Thailand, Dubai and Turkey. In the past, cooperating with the Turkish police had proven awkward, if not downright impossible. But in arresting Maksik while he was languishing in Antalya’s blistering sunshine, Turkish police had sent out a signal that on cybercrime, they were keen to cooperate and they had the know-how to do it.
Although the JiLsis and Matrixes of this world were no longer treading the DarkMarket boards, the rest of the crew were still active – indeed, DarkMarket was again experiencing a surge of criminal activity. Ironically, the key to that revival lay in the arrest of another cyber criminal: Iceman.
In September 2007 US law-enforcement officers had finally tracked down Max Vision at his hideaway apartment in downtown San Francisco. CardersMarket had crumbled with Iceman’s demise and so, while mazafaka controlled the Russian carding scene, DarkMarket was now the unchallenged champion of English-speaking cyber criminals. Directly or indirectly the site was still generating hundreds of thousands of pounds of illegal profits every month and it remained as popular as ever among carders and hackers.
There were now three key players on DarkMarket: Cha0, Master Splyntr and Shtirlitz. The mysterious Lord Cyric would soon join them. Cyric’s presence on the carding scene was generating enmity and adoration in equal measure among carders. Those who loathed him believed him to be the FBI plant, Mularski, although there was also a suspicion that Master Splyntr and Shtirlitz were actually working for, or with, US law enforcement. The one thing that everyone agreed upon, whether cop or hacker, was that the most serious criminal remaining on the board was Cha0.
In contrast to their bulging dossiers on his fellow DarkMarketeers, Mularski and Şen knew just two salient facts about Cha0 himself: he lived in Istanbul; and he had a thriving business selling so-called ‘skimmers,’ that essential tool of the fraudster in the Age of Plastic. But the detectives had no real name for Cha0; no physical address; no IP address and no known associates. Either Cha0 didn’t exist (not impossible) or he never made mistakes.
If it was the latter, then Cha0 would appear to have perfected a system of disguising his digital tracks so that the forensic sleuths found it impossible to home in on his location. Part of that masking system was provided by Grendel, who helped out DarkMarket (against payment) in his spare time. This was ironic as Grendel was also providing the shell system that disguised the location of Mularski’s servers. Grendel had originally been invited to provide these services to DarkMarket by JiLsi – in real life he worked for an IT security company in Germany. It was ironic, but somehow very DarkMarket, that he ended up offering security to criminals and cops alike on the website.
Despite intense efforts, Bilal Şen had failed to match Cha0’s style (or MO, as the police describe it) with any known criminals in Turkey itself. The two fundamental aspects of the Internet’s darkside seemed to coincide in his personality: he was a geek with mesmeric technical skills, but he was also a gifted criminal who attended to every last detail and left nothing to chance. It was also possible that Cha0 was the collective name of a well-organised syndicate, although linguistic analysis strongly suggested that only one person was actually formulating his posts and messages on the Internet.
So when Bilal got the message from Istanbul that Cha0 was ‘one of the big boys’, he was not only worried, but he knew that from now on he would have to tread carefully even in a country that was modernising as fast as Turkey.
After the millennium Turkey had become an increasingly attractive venue for hackers, crackers and cyber criminals. In the late 1990s much cyber criminal activity had clustered in certain regions of the so-called BRIC countries. An economist from Goldman Sachs had conferred this acronym on Brazil, Russia, India and China as the leading countries of the emerging markets, the second tier of global power after the G8 (though, politically, Russia straddles the two).
The BRICs shared important social and economic characteristics. Their economies were moving and opening after several decades of stagnation. They had large populations whose combined efforts registered huge growth rates, while a resurgence in exuberant and sometimes aggressive nationalism accompanied the transition to the status of dynamic global actor. Their education systems offered excellent basic skills. But, combined with extreme inequalities of wealth, this spawned a new class of young men, poor and unemployed, but – in contrast to earlier generations – with great material aspirations as they absorbed the consumer messages that are an intrinsic part of globalisation. To meet these aspirations, a minority started beavering away in Internet cafés, safe from detection by law enforcement or indeed anyone else, where they found myriad online opportunities to educate themselves in the art of hacking.
Turkey qualified as an honorary BRIC, with an economy that, when compared to Russia’s, for example, looked much more dynamic. The country’s population, at around eighty million, and its growth rates were increasing even faster than those of the acknowledged BRICs. Everyone recognised its strategic importance, nestling against the Black Sea and Mediterranean Sea while bordering Bulgaria, Greece, Iran, Iraq, Syria, Armenia: there is barely a neighbour that hasn’t experienced a major upheaval or war in the past two decades. The unpredictable has been ever present in Turkish politics but, as the millennium turned, Turkey’s burgeoning economic power and sophistication emphasised its pivotal role in several vital geo-strategic regions – the Middle East, Central Asia, the Black Sea and the Balkans.
The country had been slow to develop its Internet infrastructure in the 1990s, but in recent years it had begun to catch u
p rapidly. Istanbul, Turkey’s economic engine, hosted an explosion of successful start-ups along with the design, media and service companies that benefited from them.
On the downside, the size of the country, its improving infrastructure and the broadening education of the youthful middle class represented an opportunity for cybercrime. Until Bilal Şen’s unit was properly up and running in 2005, there was little to prevent crackers and hackers from operating on the Web from inside Turkey without fear of detection. The Cyber Crime Unit was beginning to make a difference, but it was an uphill struggle. If Inspector Şen were able to track down Cha0, it would be an important feather in the unit’s cap.
But just before the Inspector was due to return to Turkey from Pittsburgh in mid-March 2008, he received another alert that further complicated his investigation into Cha0. This time his Istanbul contacts provided details of a baffling interview given to a well-known news organisation, Haber 7, by a Turkish hacker named Kier, who confessed that he was a fugitive from the law.
Haber 7’s reputation was based in part on the spiritual backing it received from a huge domestic Islamist movement, called The Gülen Community, which promoted the philosophy of its leader, Fethullah Gülen, who was living in exile in the United States. As a Community news organisation, Haber 7 was broadly sympathetic to the governing AK Party, which was pro-Islamic but democratic.