Russian spy ring needed some serious IT help
- — 01 July, 2010 05:46
The Russian ring charged this week with spying on the United States faced some of the common security problems that plague many companies -- misconfigured wireless networks, users writing passwords on slips of paper and laptop help desk issues that take months to resolve.
In addition, the alleged conspirators used a range of technologies to pass data among themselves and back to their handlers in Moscow including PC-to-PC open wireless networking and digital steganography to hide messages and retrieve them from images on Web sites.
They also employed more traditional methods including invisible ink, Morse Code and ciphers, according to assertions made by federal agents in court papers seeking arrest warrants for the suspected spies.
One of the most glaring errors made by one of the spy defendants was leaving an imposing 27-character password written on a piece of paper that law enforcement officers found while searching a suspect's home. They used the password to crack open a treasure trove of more than 100 text files containing covert messages used to further the investigation.
"[T]he paper said "alt," "control" and set forth a string of 27 characters," the court documents say. "Using these 27 characters as a password, technicians have been able successfully to access a software program ("Steganography Program") stored on those copies of the Password-Protected Disks that were recovered…"
This sticky-note problem is common, says John Pironti, president of IP Architects, a security consulting firm. "Humans don't really do well remembering passwords beyond six characters, so they write them down someplace," he says. The real mistake was thinking that the home was secure enough to leave the password lying around.
Pironti says the use of steganography is also common, taking data and subtly inserting it into images so the changes aren't very noticeable to the naked eye. One notable aspect was that the steganography program used by the Russians is not commercially available, he says.
Without the program and without knowing what images might contain messages, it would have been nearly impossible to find the messages, Pironti says.
But a computer hard drive copied during one of the searches revealed a store of Web sites that agents visited and from which they downloaded images. Running the steganography program on some of those images revealed text files.
A Boston search yielded a hard drive that contained what investigators believe are drafts of messages to be embedded in images. The messages had been deleted, but investigators were able to recover them.
Some of the communications federal agents gathered indicate the spies weren't comfortable with the technology. One message shows a suspected spy trying to figure out how to embed a message in an image, and an audio recording inside one suspects home picked up a voice saying, "Can we attach two files containing messages or not? Let's say four pictures…"
The spy ring had numerous technical problems, including file transfers that hung and wouldn't go through and difficulty replacing laptops when necessary. In one case, an agent was so frustrated by laptop issues that she unwittingly turned it over to an undercover FBI agent.
In another case, replacing a laptop took more than two months. A suspect bought an Asus Eee PC 1005HA-P netbook, flew with it to Rome, picked up a passport in another name, flew on to Moscow and returned with it -- a process that took from January this year to March. Presumably Moscow headquarters configured the device.
When the courier spy delivered it to another suspect, he described what to do if the laptop had problems. "…if this doesn't work we can meet again in six months," one suspect was overheard saying to another, "they don't understand what we go through over here."
Pironti says spies try to use off-the-shelf hardware and software so they don't have to rely on their spymasters for replacements, and with the possible exception of the steganography application, this ring could have done that.
One of the technical issues the ring faced was described by one suspect in a message to Moscow reporting on a meeting between two spies "A" and "M": "Meeting with M went as planned … A passed to M laptop, two flash drives, and $9K in cash. From what M described, the problem with his equipment is due to his laptop "hanging"/"freezing" before completion of the normal program run."
"They must have been running [Windows] XP," Pironti says. "That's all netbooks were running at that time, and who hasn't found running custom stuff on XP to be challenging?"
A spy suspect in New York City used her laptop to communicate with a Russian government official via an ad-hoc, peer-to-peer wireless network on six occasions this year -- always on Wednesdays. She set herself up in a coffeeshop, a book store and other unspecified locations with her laptop. U.S. agents sniffed her wireless network and identified two devices -- the same two MAC addresses each time -- establishing connections that U.S. agents think were used to communicate, the court papers say.
Apparently she was having trouble making connections with the other laptop, and in frustration turned it over to a U.S. undercover agent for repairs.
At a meeting with that undercover agent, she indicated that she was having trouble setting up the wireless connection. "Everything is cool apart from connection," she says on a recording made of the meeting.
The U.S. undercover agent responds, "I am not the technical guy…I don't know how to fix it, but if you tell me, I can pass it up." He then offers to take the laptop to the consulate for repair, and points out that she could take it with her to Moscow when she goes and get it fixed there. "It would be more convenient if I gave you it," she responds.
That was last Saturday. The same day in Washington, D.C., a second undercover U.S. agent -- UC-2 -- met with another suspected Russian spy -- SEMENKO -- and discussed his experience with ad hoc wireless networking. "SEMENKO responded that he wanted UC-2 to "figure out" the problems with the communications via the private wireless network."
Earlier, in describing his reaction to a successful wireless transfer, Semenko said he was, "like … totally happy."
The spies also used radiograms to communicate -- with messages being sent over short-wave frequencies in cipher and then decoded using a key written by hand in a spiral notebook U.S. officials found during a search of a suspect's home.
Audio recordings in one spy suspect's home picked up his voice saying: "I am going to write in invisible," referring to a message he planned to send to Russian officials in South America.