Read The Florentine Deception Online
Authors: Carey Nachenberg
The Florentine Deception (32 page)
I selected the computer's Desktop, and within a few seconds, StegoCrypt had created a new icon called FLORENTINE.ZIP on my home screen. Two additional clicks extracted the ZIP's archived contents, a document file named Florentine.pdf, a data file named Florentine.keys, and a program file named Florentine.exe.
“All right, let's figure out what this thing really is.”
“It's software application.” Tom pointed his finger at the Florentine.exe file listed on the screen.
“Yeah, that's surprising. I'd just expected a document file of some sort, not a program file,” I admitted. “Let's see if the PDF explains what it is.”
I took a sip of coffee and double-clicked on the Florentine.pdf file. The document instantly rendered on the screen.
“What language is that?” I asked.
“Russian,” said Gennady.
“Can you read it?”
“I'm a bit rusty, but it shouldn't be a problem,” he said. “Move.” He tapped me on the shoulder and I vacated the chair.
“Well, this first part is easyâit says âstate secret, top-most level.' Something like top secret.”
“Holy shit. This explains why the Russians are involved.” Things were crystalizing in my mind. “This makes a lot more sense nowâthe spyware on Richard Lister's computer was sending everything he typed to a Russian email address. They were bugging his computer to get the Florentine back. The guy who attacked me in Khalimmy's cellar,” I pointed at my cheek, “was supposedly also Russian.” I paused for a breath. “Khalimmy was trying to buy Russian state secrets from Lister, and the Russians are busy trying to tie up loose ends. They're doing damage control.”
Gennady picked up his gun and turned to Tom. “Go double-check the doors and all the windows.”
Chapter 52
By three a.m., Gennady had completed a translation of the document's first section:
Security Clearance: Top Secret, Level 3
Categorization: Information cyber-warfare
File Number: SVR-11-1078-52
Codename: Florentine
Background
Between 2001 and 2005 the SVR placed six assets within Microsoft's Redmond, Washington and Bangalore, India engineering centers. Since their introduction, these assets introduced back doors into a series of Microsoft products and systems that enable the SVR to covertly broadcast attack commands to Windows computers, worldwide, and then execute these commands on preset trigger dates. This system was designed to enable Russia to launch Internet-scale attacks on hostile nations or blocs, and provides Russia with an unrivaled cyber-warfare capability
.
SVR studies estimate that roughly 85â90% of the world's computers now run on Florentine versions of Windows. Roughly 82%â87% of these computers are permanently or semi-permanently connected to the Internet and may be targeted. This gives Russia control over between 69% and 78% of the world's computing infrastructure and the ability to launch massive-scale digital attacks
.
Due to the immense strategic advantage conferred by the Florentine system, it has been classified at the highest level of secrecy. Disclosure of this document, project, or any related materials to those with less than a Level 3 security clearance has been categorized as an act of high treason under Russian law
.
The remainder of this document describes the technical nature of the Florentine system and provides specific details on the following items:
| 1. | Attack logistics (launching, targeting, and timing attacks, payload creation) |
| 2. | Attack management (monitoring attacks, cancelling attacks) |
| 3. | Florentine distribution statistics, by country |
| 4. | Attack propagation/saturation estimates |
“I'm willing to bet that the Florentine.exe file we found inside the video is a Command and Control program,” I said.
Gennady looked at me questioningly. Tom looked up, shaking his head. “What? Sorry, I'm spent.”
“If what this document says is true, most computers around the world have this back door built into them. So let's say the Russians want to launch an attack. How do they go about doing it? They need some way of contacting all those computers and unlocking their back doors to send them the attack. I'm betting that's what the software on the thumb drives is forâit's a Command and Control program. Some disaffected Russian intelligence guy must have figured he could take an early retirement by selling a copy of it to the highest bidder. I wonder how Richard Lister got hold of itâthis is big-time stuff.”
“If you're right, and the wrong people got control of this thing ⦔ Gennady's voice trailed off.
“We need to get this to the NSA as soon as possible,” I said, glancing over at the clock. “Gennady, do you think you can translate the rest by morning? I can help with any technical terminology that doesn't make sense.”
Gennady nodded warily. “Yeah. Let's do it.”
When I woke up, I found Gennady sitting at Tom's computer desk perusing a stack of printed pages. He looked exhausted. Next to the stack sat his gun, an empty coffee cup, and a half-eaten plate of scrambled eggs.
“What time is it?” I asked, bleary-eyed.
He consulted his watch. “Seven-thirty. You fell asleep around three, and I figured you needed the rest. I finished a rough translation of the rest of the document.” He shook his head wearily. “This is either the world's first digital atomic bomb, or the world's most elaborate hoax. I can't figure out which.”
“Based on recent events, I'm guessing it's the former.”
After using the bathroom and grabbing a plate of cold eggs from the kitchen, I reviewed the rest of Gennady's translation. He was unable to translate some of the more arcane technical terms, but overall, the nature of the Florentine project was crystal clear.
The Florentine's design, frightening in its simplicity, effectively granted the Russians the ability to take control of virtually any and every Windows-based computer on the planetâwithout being discovered and blocked in the process.
“The brief said something about using Windows Update to distribute attacks,” said Gennady. “Does that make sense to you?”
It did. And it scared me. “The Russians knew in order to launch an attack, they couldn't just directly connect to the world's billions of computers and send each of them the attack. That would fail. Most of the computers they'd want to target would be protected by firewalls.”
Gennady looked confused.
“A firewall is the digital equivalent of a security guard. It blocks all unauthorized attempts to contact the computers that it protects. Most computers are shielded behind some type of firewall, so any attempt by the Russians to initiate contact to them would be blocked immediately. Not to mention that to attack that many computers, they'd have to generate an immense volume of network traffic. That would stand out like a sore thumb to the NSA. But it looks like the Russians found a way around both problems by leveraging Windows Update.”
“How?” he asked.
“Microsoft uses the Windows Update system to distribute new updates and fixes to computers around the world. Once per day, at an essentially random time, each Windows computer wakes up and contacts Microsoft's Windows Update website to check for new updates. If it finds any, it downloads and installs them automatically.”
“Okay, but how does that help the Russians?”
“I'm getting to it. While Windows Update was designed to deliver official software updates, the system is in theory capable of sending down any type of data. And if an attackerâfor instance, a Russian mole inside Microsoftâsomehow obtained control over the Windows Update website and could post an attack payload file, all those billions of computers would happily download it along with their legitimate updates.”
Gennady nodded in dawning understanding. “It's like poisoning a waterholeâyou don't have to hunt down the animals, they die when they come to drink.”
“It's a reasonable analogy,” I replied. “When an attack payload makes it down to a computer, the Florentine back door they've built into Windows immediately intercepts it, verifies its authenticity, and detonates it. Based on your translation, these payloads could do anythingâsteal confidential information, delete all your files, anything.”
“Is it realistic?” he asked. “Could that actually work?”
“Unfortunately, yes. Like I thought, that executable file we found in the video is essentially a Controller. It's used to post attack payloads on the Windows Update website. The other file, Florentine.keys, contains the cryptographic authentication keys required to unlock and gain access to the system. Whoever's in possession of these two files can distribute and launch an attack on virtually every Windows computer in the world in less than twenty-four hours.”
The phone rang three times before Rod Sanders, a former ViruTrax colleague in the Washington, DC sales office, picked up.
“Hi Rod, Alex Fife here. Have a minute to chat?”
“Alex Fife. It has been a while. You enjoying your retirement in, where, the Bahamas? Monte Carlo? While the rest of us still have to work to make a living?”
“Sorry to be blunt, Rod, but I've got an emergency.”
The line went silent for a beat. “Shoot.”
“You still work with our special friends over in Baltimore, right?” I was referring to the NSA, who was headquartered in Baltimore, Maryland. Rod, an ex-military officer, had a top-secret security clearance and was one of a handful of ViruTrax engineers with sufficient clearance to consult with the government's three-letter agencies on their internal cyber-security-related affairs.
“Yes.”
“I've got some information that they need to hear about. It's urgent. Would you happen to have a contact there that could get me to the right person, ASAP?”
“Cyber-intel?” asked Rod.
“Yes.”
“And this is urgent? You believe there is a material threat to national security?”
“Yes.”
“Give me a number where I can reach you. I'll make some phone calls and get back to you within the hour.”
I gave him Tom's number and hung up.
Five minutes later the phone rang.
“Hello,” said Gennady and I simultaneously.
“Hello,” responded Rod.
“I'll take it,” I said. Gennady hung up. “Sorry, Rod, I'm at a friend's place.”
“No problem. I chatted with one of my friends in Baltimore and they're going to have someone call you at this number in about ten minutes.” He coughed up some phlegm. “These are good guys. Just tell them what you know and leave it to them.”
“I will. Thanks Rod.”
“No problem. If someone doesn't call you in the next ten minutes, call me back and I'll follow up. And good luck.”
“Thanks.”
The phone rang five minutes later.
“Hello.”
“Hi, I'm calling for Alex Fife.”
“This is Alex.”
“Hi Alex, this is Jon Whitehouse. I've been asked to call you to follow up on some information you have.”
“Thanks for calling so quickly.” I turned on the phone's speakerphone so Gennady and Tom could hear.
“It's my pleasure. Actually, you may not remember but you came to present to my team a few years ago. Your new malware detection method was groundbreaking, and actually influenced some of our data collection approaches.”
“Thank you,” I said, “I'm humbled I was able to help.”
“You did. All right, what did you want to discuss? This is not a secure line, so I'm going to ask you to provide me with only high-level details. Once I understand the nature of your problem we can figure out how to proceed.”
“Okay.” I took a deep breath. “I have credible evidence that the Russian FSB has introduced a back door into Windows that will allow them to control virtually any or every Windows PC and server connected to the Internet within a twenty-four-hour timeframe. It's codenamed Florentine.”
“The FSB? Do you mean the SVR?”
“SVR?” The initials pinged something in my memory, but I couldn't place the reference.
“The Russian Foreign Intelligence Service: Sluzhba Vneshney Razvedki, the SVR.”
“That rings a bell.”
“Okay. And the project's codename is Florentine?”
“Yes.”
“Can you briefly tell me how it works?” Whitehouse paused a beat. “Scratch that, we're not on a secure line. What evidence do you have?”
“I have documentation, written in Russian, describing how the system works, a Command and Control program supposedly capable of launching the attack. And a set of cryptographic keys that can be used to authenticate the Command and Control program to the system.”
“Okay. And how did you obtain access to this system?”
“It's a long story. But the important thing is that the Florentine was being sold on the black market by a guy named Richard Lister. A guy named Arnaz Khalimmy was trying to buy it from himâ”
“Spell that for me, please,” Whitehouse interrupted, “Arnaz what?”
I did, then continued, “But Lister died before completing the sale. Now that I've got hold of it, Khalimmy's after me.”
“Has he obtained control of the system?” Whitehouse asked.
“He's got an encrypted copy of the file, but doesn't have the password. But not for lack of tryingâhe's already murdered at least one person trying to get it.”
“I'll be right back.” I heard a muffled discussion on the other end of the line, then Whitehouse continued: “Okay Alex, here's what I want you to do. Gather up all the computers that hold a copy of the Florentine system and power them off. Unplug them. Gather up all media, thumb drives, portable hard drives, printouts, anything with Florentine data, and keep them safe until we come and pick them up. Make sure you get everything.” He paused. “Any questions?”