Trojan Horse Read online

Page 4


  One snowy Sunday Jeff had contemplated just how many days they’d spent apart. He’d pulled out his calendar and made a dismal discovery that only confirmed what he suspected. In the last eighteen months, since they’d been set up here and been fully available for work, he and Daryl had spent a grand total of twenty-three days together. And on most of those days one or both of them had worked. He did not include one frenzied three-month period when they had largely worked from the office together on a special project as there’d been little interaction between them except as related to the job at hand.

  He’d pointed this out to Daryl while she’d hurriedly packed for her next trip and she’d assured him they’d do something about it, that she wanted to do something about it—just as soon as she got back. That had been three weeks ago.

  Jeff finished the tabulation, saved the file, then locked the screen with a sigh. This was no way to run a relationship. He sometimes wondered why he even bothered. Given the reality of their situation, he could only see one outcome.

  Just then his telephone rang. He glanced at the number as he answered. London calling.

  6

  PRAGUE 1, CZECH REPUBLIC

  MYSLIKOVA 23

  9:09 P.M. CET

  Ahmed Hossein al-Rashid left class ahead of the pack, stepped outside the building, and drew a deep breath. The wind flowed down the Vltava River valley, bringing with it the floral fragrance of the countryside. It was spring but there was still a hint of lingering winter in the air. The other students streamed about him, laughing, talking, smoking. He pulled a pack of Marlboro cigarettes from his pocket, turned his back to the wind, then lit up with a Zippo lighter.

  Thirty-eight years old that month, with olive skin, thick black hair and mustache, he was a physically fit man who worked to stay that way despite his love of American cigarettes.

  He liked Prague. Though a European capital, with the narrow, winding streets of the Old City and the ornate coffee shops rich with their pungent aroma, it reminded him of home. Of course, in most ways it was very different. The Czechs were a cold people, not especially friendly to outsiders. No wonder the Slovaks had broken away at the first opportunity.

  Prague was, for all its appeal, a superb example of the decline of the West. The Czechs had given up having children, for one. If it weren’t for immigrants like himself the population would be falling. Then who would there be to tax and pay for the lavish social programs and early retirement every Czech expected as a right of birth? And for all the churches that dotted the city, the Czechs were an atheist people—which in his view was even worse than the polytheism of most Westerners.

  But his primary complaint was that he missed his own culture, the intimacy of his extended family. There were in Prague nearly 300,000 illegals. With a population of just over one million it was impossible to move about without spotting someone from another country. There were, however, no more than two hundred Iranians in the city and Ahmed spent little time among them. Many had a connection to the long-deposed Shah and his regime, and Ahmed had no wish to be involved with them or Iranian politics.

  An attractive blue-eyed, blond Czech, a student in his class, smiled at Ahmed as she passed. He could not recall her name but would make a point to sit with her next time. Some of these Czech girls liked a fling with a darker-skinned, exotic man from the Middle East. He was glad to play his part, though he had to be careful Saliha didn’t find out. He needed to stay on her good side and she didn’t like his roving eye one bit. Their relationship had cooled in recent months, though she was no less possessive.

  Ahmed set out for his apartment, which was in a less desirable, but cheaper, part of the city. Forty minutes later the concierge nodded as he entered his building. A fat man with beady eyes, he rarely shaved or bathed. Ahmed had heard he was Hungarian, though he suspected he was actually a gypsy. He mounted the narrow stairs two at a time to the third floor. He unlocked the door, entered, closed it behind him.

  Tossing his backpack on the coach, he opened the netbook on the table in front of the room’s only window as he lit another cigarette. He checked for messages and there it was. He downloaded the attachment directly onto a new key-ring thumb drive, deleted the message, then for a few minutes scanned news from home.

  Ahmed glanced at his watch, closed the netbook, then quickly made the bed. Saliha was due any minute and she hated dirty sheets, often sniffing at them as if she could detect the odor of another woman. Perhaps she could, if he’d be so foolish as to bring one here.

  He’d just finished when he heard the door open.

  DAY TWO

  FRIDAY, APRIL 10

  GLOBAL COMPUTER NEWS SERVICE

  CYBERWARFARE’S PEARL HARBOR

  By Alice Payton 04/10 11:50 AM EST Updated 1:45 PM EST

  TORONTO, Canada—The mysterious computer worm known as Stuxnet is the malware equivalent to a digital preemptive attack, an increasing number of virus experts say. When first detected in July 2010, it was found to possess the potential to bring industrial society as we know it to a grinding halt. The self-replicating worm has been described as a stealth cyber drone, which seeks out a specific function of industrial software then seizes control. The bit it hunts for is embedded in the programmable-logic controllers, or PLCs, of Siemens programs. No larger than a pack of cards, PLCs tell switches when to switch, make machines turn off or on, and regulate the flow of liquids. In short, PLCs dictate the manual operation of the machinery we depend on. “Once you control the PLCs you are in charge,” says Eugene Atwood, CEO of Digital Activation, Unlimited, in Toronto, Ontario.

  Stuxnet is the largest virus ever unleashed and is also the most sophisticated. It gains access through thumb drives and once within a computer immediately conceals itself. Thereafter it seeks out the exact PLCs it wants, duplicating itself along the way. If it meets a dead end the worm simply sits there and does nothing but take up space. When it finds what it seeks it takes over. It is now believed to have been targeting the Iranian nuclear program from the start and is thought to be responsible for all but bringing that program to a standstill. Several Iranian scientists have reportedly been executed in the false belief they sabotaged the program.

  “It is devilishly clever and fiendishly contrived,” Atwood says. Stuxnet has steadily destroyed Iran’s uranium enrichment effort, along the way infecting perhaps every one of the tens of thousands of computers initially employed in the program. No one knows the author of Stuxnet. Suspicion has been directed at the Israeli Mossad but some experts claim the CIA Cyberterrorism department may have played a key role. “It avoids collateral damage,” Atwood said, “almost as if it was written with a lawyer looking over the designers’ shoulders.”

  “The secrecy associated with Stuxnet is astonishing,” said one expert, speaking on background. “This is especially so when you consider that key aspects of Stuxnet were certainly farmed out to private security experts. Even they didn’t know they were working on this project.” He went on to say that a third rendition of Stuxnet is believed in certain circles to be under development. “If Stuxnet was Pearl Harbor, this next version will be Hiroshima,” he said. “Iran is working against time to get its nuclear bomb detonated and the clock is running out.”

  Regardless of its origin, or whether or not Iran will ever effectively counter it, Stuxnet has been a game changer. “We crossed a threshold with it,” Atwood says. “Malware and cyberwarfare will never be the same. I shudder to think what the future holds for a world increasingly dependent on computers and the Internet.”

  7

  LONDON, UK

  WHITEHALL

  FOREIGN AND COMMONWEALTH OFFICE

  RESEARCH GROUP FOR FAR EAST AFFAIRS

  IT CENTRE

  3:14 P.M. GMT

  Graham Yates finished a review of the steps he and his team had taken with the infected computer. He straightened in his chair and waited for a response as Lloyd Walthrop looked on.

  “Let me review this then,” Jeff said, pressi
ng to overcome his jet lag. “Mr. Walthrop received a document, which initially refused to open and crashed the program. That sent you an alert. On his second attempt, the file executed. The incident was so minor he didn’t report it.”

  “That’s right,” Yates said. He was in his forties, trim, and dressed in the blue pinstripe suit so common to UK government offices. “We noted it, however. We’ve become very proactive in dealing with such events. Like any system that interacts minute to minute through the Internet, we’ve had problems with attempts to implant malware and have been the recipients of ‘spear phishing’ directed at targeted individuals.”

  Jeff had dealt with spear phishing before. It was a technique for spreading malware intended to steal sensitive information. After the recipients opened an infected document, it sought to trick them into disclosing usernames, passwords, and financial information. It did this by masquerading as something trustworthy the target dealt with frequently. It could be an e-mail or instant message. It often directed users to enter details at a fake Web site that looked and felt as if it were legitimate.

  Yates continued, “We think, or strongly suspect, something’s there. Whatever it is has a bug that caused our monitoring of OfficeWorks to alert us to its presence.” He cleared his throat. “This is potentially out of our depth. You are an acknowledged expert in this field and are generally familiar with our system. I should be asking if you’ve encountered contaminated OfficeWorks document files previously.”

  “Not long ago malicious PDFs were used to attack both Google and Adobe utilizing vulnerabilities and flaws in Adobe’s Reader software,” Jeff said. “Another, known as Operation Aurora, targeted Google’s intellectual property. It’s one of the reasons Google had so many issues with their presence in China. The Chinese have an ongoing army cyber warfare operation and Google is apparently a major target. RSA, the gold standard in digital cryptography with presumably the finest security in the world, was the victim of an Advanced Persistent Threat attack, which breached its security and stole very valuable authentication technology. It all but certainly was Chinese in origin.

  “OfficeWorks is nearly universal. It’s the most commonly used word-processing program in the world. The recent version is as bug free as anything anywhere. I’ve not heard of any significant problems with it recently. Is this attack restricted to Mr. Walthrop?”

  “There have been no other incidents. We’ve initiated manual inspection of key servers to look for suspicious activity on the systems or in our network activity without finding anything. We know that hacking techniques are sophisticated enough now to hide in the noise, so to speak, making them very hard to discover.”

  Jeff suppressed a yawn. It had been a long sixteen hours since receiving the telephone call summoning him to London. He had called Daryl to tell her about the assignment. With a sinking heart he couldn’t help but notice how distracted she was by her project when they spoke. It had been in that mood he’d hurriedly packed.

  Since losing his fiancée in the World Trade Center attack, Jeff had initially found it impossible to move on emotionally. Only much later, when circumstances had put him together with Daryl, had he awakened. Their frantic chase to stop the Al Qaeda cyber-attack, putting their lives at risk in the process, had served to bond them in a remarkable way. The early months of physical recovery from their wounds, of buying the town house together and joining forces professionally had been as wonderful and satisfying as any he’d ever known, the ideal joining of a personal and professional life.

  In this war Jeff and Daryl were one team in a million. Jeff was in his midthirties and though he spent most of his time in front of a computer, he’d played rugby at the University of Michigan and still ran almost daily when possible. After university, where he’d obtained his doctorate, he’d taught at Carnegie Mellon, then gone to work for the Cyber Security Division of the CIA. Since 2002, he’d had his own security company.

  He’d first met Daryl Haugen when she’d been with the National Security Agency, then assistant deputy executive director and head of a team at US-CERT working for the National Security Agency, or NSA. Also a Ph.D., she was a year younger than Jeff, just over average height, slender, with a fair complexion and blond, shoulder-length hair.

  When he and Daryl had been brought together two years ago in their pursuit of an Al Qaeda plot to inflect massive damage to computers and the Internet in the Western world their romance had begun. Jeff had not believed he could love again but there it was, as rich, as deep, as fulfilling as before.

  Jeff had rushed to reach Dulles in time for a direct red-eye flight. On the plane he’d done what research was possible on the Internet, then slept fitfully, his thoughts turning repeatedly to Daryl. Was it real? Had it ever been? Did she really feel for him what he felt for her? Or was she going to leave him? Finally, he’d escaped from his thoughts into a restless slumber.

  He’d arrived in London at noon local time, been ushered immediately through immigration and customs, then driven to Whitehall where he’d been greeted by Yates. Jeff had worked with Yates before, when Jeff had been with the CIA. The UK had its own spy agency, GCHQ, which increasingly specialized in cyber operations, but their inability to match industry salaries left them short-staffed, forcing government agencies to frequently bring in outside consultants. Though there were any number of experts in malware, few carried Jeff’s security clearance. For those reasons he’d been summoned to London earlier in the year to deal with a complex infection of a portion of their network. That one turned out to be part of a generic botnet. Yates primarily maintained the intraoffice IT system and had very limited experience with viruses, other than in working to keep them out. His concern was not so much the file in question but the integrity of the system overall. He and his team could very quickly find themselves lost if they tried to tackle virus code itself and it turned out to be something serious. And there’d been enough significant problems in recent years to require that experts be brought in at the first sign of any new malware attack. It was simply too dangerous to allow new code to infect an entire system.

  “Unless there is more, I should get started,” Jeff said.

  “By all means,” Yates said, glancing at Walthrop, who nodded. “We’ve moved Mr. Walthrop’s computer into a free office where you can work undisturbed. This way.”

  Not surprisingly the office was in the basement. Though it made no sense to place IT in desirable offices with expansive views, a window would have been a pleasant change, just once.

  A man of about thirty was waiting inside. He extended his hand and introduced himself. “I’m Elliot Blake,” he said. “I’ve been the one on this bug. I know you by reputation and am delighted at the prospect of working with you. I have a great deal to learn.”

  “Elliot’s my best man,” Yates said. “It was he who alerted me to this and advised against chasing it ourselves. I’ll leave you to it. Don’t hesitate if you require any services, any at all. Elliot can always reach me in seconds. It’s good to see you again.” With that and a light pat on Jeff’s back for luck, he left them alone.

  Blake was a slender man with black hair and glasses. After pointing Jeff to the coffee, teapot, and biscuits he dived in. “We’ve got the latest version of OfficeWorks and we update as a matter of routine. Until now we’ve had no difficulty with it. I’m assuming Mr. Yates briefed you?”

  Jeff nodded.

  “So here it is from my end. None of Mr. Walthrop’s files are corrupted that we can detect. We’re told the contents of the document he received from the UN office in Geneva are reported as altered.” At this Blake made a face as if he had no idea what to believe. “I checked the digital signature and that just doesn’t hold up. It’s the one affixed in Geneva by the author. So I’d say the bloke in Geneva is lying. I ran the usual antivirus scans and came up with nothing. I even ran one for rootkits with no luck.”

  Digital signatures could not be altered. Period. Invented in the late 1970s, they rely on asymmetric cryptograp
hy. In cryptography, a secret code called a key is used to encrypt and decrypt messages, much like how secret decoder rings work. With asymmetric cryptography, a user has two keys that work in conjunction. A message encrypted with one key can decrypt a message encrypted by the other and vice versa. However, a message can’t be decrypted with the same key used to encrypt it. With this scheme, a user can freely distribute one of the keys to enable others to send them encrypted messages that can’t be decrypted by anyone else. The key kept secret is called a private key and the one given out is a public key, as if many decoder rings were able to encrypt messages but only one special decoder ring could decode them.

  When used for digital signing, the signer uses a hashing algorithm to produce a shortened version of the message—essentially a unique summary—they wish to sign, and then encrypts the hash with their private key. This encrypted hash is the message’s digital signature because it’s a way for a user to digitally confirm that the message is authentic. Checking to see if a message is actually the one that the sender signed requires simply regenerating the hash of the received message and seeing if it matches the one obtained from decrypting the digital signature. Any alteration of the message, no matter how small, results in a mismatch. The security of the scheme is assured by the infeasibility of determining the private key from a public key by even the most powerful modern computers.

  Increasingly, governments relied on digital signature software to protect the authenticity of documents and in many cases refused to accept attachments not digitally signed. It was the system by which everyone knew a document was genuine. So it seemed the man in Geneva must be lying.