The Florentine Deception (40 page)

“Four weeks ago, on Wednesday, September 6, at 9:55 a.m. Pacific Standard Time, the United States and Israel experienced the largest computing outage in the history of the world. As I'll discuss in more detail shortly, hundreds of millions of computers in our two countries simultaneously reset themselves at this exact moment, creating a major hiccup in cyberspace and temporarily taking large swaths of our nation's physical infrastructure offline. Of course, as most of you also know by now, I was responsible for this ‘hiccup.' But in my defense, the alternative would have been much, much worse.”

My host nodded; the rest of the audience stared stoically.

“So how did we get here? My understanding is that you've all been briefed on the Russian Florentine document, so I'll skip over the background and go straight to the timeline.

“As early as six months ago, a leaked SVR software package that granted access to the Florentine system found its way onto the black market. For purposes of clarity, let's call this software package the ‘Florentine Controller.' An attacker in possession of the Controller could use it to upload up to ten attack payloads to Microsoft's update servers, for immediate worldwide distribution and activation via the Florentine back door.

“Shortly after the Controller's initial availability on the black market, members of the Iranian intelligence services contacted the broker, Mr. Richard Lister, with an offer to purchase it. Their goal? To decimate computing infrastructures of the United States and Israel.

“Okay, so here's the detailed timeline.” I clicked my presentation remote. The screen cleared and an empty timeline appeared.

“Over the past few years, a small team of hackers led by Iranian operative Arnaz Khalimmy engineered a software payload capable of scrambling the firmware chips of most major computer models.” I clicked my remote and an Iranian flag jutted up from the timeline. “Needless to say, this would turn most PCs and servers into paperweights. The team apparently experimented with using computer viruses, or more likely, worms, to deliver their payload, but quickly found these vectors inadequate. So until their discovery of the Florentine, they had no means of widely distributing their attack.

“By Sunday, September 3, roughly four weeks ago, I had obtained a copy of the Florentine Controller software, and immediately after determining its nature, contacted the NSA. Unfortunately, shortly after my call—”

“Excuse me,” interrupted a man in a dark green cardigan. “Before you continue, can anyone from NSA briefly explain why we didn't just shut down the Florentine system when Mr. Fife first reported it?”

“I'll field this one.” Jon Whitehouse raised his hand. “Sorry for the interruption, Mr. Fife. In answer to your question, Phil, at the time Mr. Fife reported the Florentine system to NSA, we had no intel of any in-progress or imminent attacks. Nor could Mr. Fife communicate any details about the system, since he was calling on an insecure line. So when he disappeared, all we could do was dispatch a team into fact-finding mode. Let's take this one offline, but I can fill you in later if you'd like.”

“I would, thank you,” said the man in the cardigan. “The Senate Subcommittee on Cyber-security is on the verge of conducting an inquisition, and we'd better have our story straight.” He paused a beat for others to comment. “Sorry Mr. Fife, please continue.”

“As I was saying,” I continued with a frown, “shortly after my call to the NSA, Arnaz Khalimmy kidnapped me to obtain a copy of the Controller software. And by late Sunday night, his team had completed a benign, dry-run test of the Controller to ensure its authenticity.”

I clicked my remote and a flag bearing the words “Iranian Dry Run Test Launched” appeared on the timeline at eleven p.m. on Sunday.

“Now, unbeknownst to the Iranian team—and to us at the time—the Russians had embedded a tracking beacon into the Controller software. Not surprising, given its immense strategic value. We now know that this beacon activates and sends geo-location data back to a Russian-controlled server any time a user activates the Controller software.

“By all accounts, the Russians were alerted by this beacon at the time of the Iranian dry run, and by ten-thirty the next morning, an SVR ‘cleaner' team arrived at Mr. Khalimmy's base of operations, a safe house in North Hollywood, California. The SVR operatives quickly neutralized the Iranian team, but not before the lead Iranian engineer had uploaded the live firmware-killing payload to the Microsoft Update servers for distribution. I don't believe the Russian team realized this, and even if they had, they lacked the password required to cancel the attack.”

Another click of my remote caused a flag to appear on the timeline at ten-thirty a.m. Monday, bearing the words “Iranian Live Payload Launched.”

I took a sip of water, scanned the room for questions, and finding no hands, continued.

“So what were the timing and triggering criteria of the live Iranian attack? First, the Iranian team chose a payload trigger time of ten a.m. Wednesday—two days later. This deadline was chosen to ensure ample time—nearly forty-eight hours—for the world's population of computers to download the attack payload from Microsoft's Windows Update servers prior to the payload's trigger deadline. We now know, thanks to assistance from some of your colleagues, that during this forty-eight-hour period, the Florentine system distributed the Iranian attack to nearly one-and-a-quarter-billion computers of all makes and models around the world.”

A hand shot up, this one from a woman dressed in a prim navy skirt and white blouse. “I'm sorry, you said the attack was distributed worldwide? Not just to American and Israeli computers? I thought that the attack was just targeted at computers in our two countries?”

“Good questions. The Florentine was designed to launch large-scale, blitzkrieg-style cyber attacks, not conduct pinpoint cyber espionage. As such, the way the system works is that every Windows computer around the world downloads every available Florentine payload from the Windows Update servers. Once a payload arrives on a computer, it's responsible for checking whether the machine meets its criteria, and if so, it activates. If not, the payload silently self-destructs. The Iranian payload checked the language settings of all 1.25 billion computers it landed on, and only launched its firmware attack on those bearing a language setting of American-style English, or Hebrew.”

“Very interesting. Thank you.”

“Not a problem.” I continued. “So at ten a.m. Wednesday, the Iranian payload activated on machines around the world.” I clicked the remote and two laptop computer icons, one labeled “American” and the second labeled “Israeli,” appeared on the timeline. A beat later, a mushroom-cloud graphic rose atop both computer icons.

“Of course, as we all know now, the attack largely failed. However, it did not fail due to any programming errors on the part of the Iranians. Their payload, we now know, was perfectly lethal. Nor did it fail because of SVR intervention.”

A few members of the audience nodded energetically in dawned understanding; others regarded me with confused stares.

“With the help of my good friend, Amir Taheri,” I smiled at Amir in the front row and he returned a gentle wink in return, “I identified a flaw in the Iranian payload's targeting approach and created my own Florentine payload, an antidote if you will, to stave off the attack. Actually, technically I created two payloads—a two-part antidote.”

I paused a moment for questions, then continued. “So how did my two-part antidote work?”

I clicked the remote and an animated flounder swam onto the screen.

“Of all places, I got the idea from a children's book on animal camouflage, from the flounder fish—also known by its taxonomic name,
Bothus mancus
. This remarkable animal is capable of temporarily changing the color and pattern of its skin to match those of the sea floor when it senses danger. This gave me an idea: if the Iranian payload was looking for American and Israeli computers, or to be more precise, computers with English or Hebrew language settings, then why not camouflage all those computers—just prior to the Iranian payload's trigger time—to look like computers from a different country?

“And that's exactly what the first part of my antidote did. My first payload, which I called ‘Flounder1,' started by checking to see if each computer was configured to use either English or Hebrew, the two languages I knew the Iranian payload targeted for its firmware attack. If a computer used either language, my Flounder1 payload first created a backup of the computer's original language setting so this could be restored later. It then changed the computer's language setting to Japanese, effectively camouflaging the computer to look like one from Japan rather than one from America or Israel. Finally, Flounder1 forced a reboot of the computer, to ensure the changes took effect. I programmed Flounder1 with a trigger time of 9:55 a.m. Pacific Standard Time on Wednesday morning, ensuring it would run exactly five minutes prior to the Iranian payload's trigger time.”

I clicked the remote; the large flounder swam off the right side of the screen and the timeline returned. Then a small flounder icon animated at 9:55 a.m., just to the left of the laptop computer icons and mushroom cloud at ten a.m. on the timeline.

I looked around the room for other questions. None came, so I continued.

“The second part of my antidote, my ‘Flounder2' payload
, was responsible for reversing the camouflage. I programmed it to restore each disguised computer's language from Japanese back to its original setting of either English or Hebrew. I programmed Flounder2 so it would activate at 10:05 a.m. Pacific Standard Time, five minutes after the Iranian attack had triggered.”

I clicked the remote, and a second small flounder icon animated at 10:05 a.m. on the timeline, just right of the two computers and their accompanying mushroom clouds.

“So, in essence, my two antidote payloads were designed to sandwich the Iranian payload in time, temporarily disguising all the targeted computers during the instant of the Iranian attack.

“Unfortunately, as they say, ‘man plans, God laughs.' While I was able to submit my Flounder1 payload to Microsoft's update servers, an SVR agent shot me before I could upload Flounder2 for distribution.”

With a click of the remote, the second flounder faded from the timeline.

“Any questions so far?” I scanned the room. “Everyone following?”

Several agents nodded.

“Good. So to recap, that Monday morning, the Iranians used the Controller to post their payload on Microsoft's update servers, and just hours later, I followed suit, posting my Flounder1 payload.

“Now, within minutes of each payload's transmission to Microsoft's servers, Windows computers around the world began downloading them just as they would any newly available, legitimate software update. A substantial fraction, roughly fifty-two percent of the world's estimated two-point-four-billion computers, connected to Microsoft's update servers at a rate of roughly fifty million per hour, and by Wednesday at 9:55 a.m., most of them had retrieved both the Iranian payload and my Flounder1 payload. If you do the math, that's about one-and-a-quarter-billion computers. Of course, some computers only downloaded the Iranian payload, and some just downloaded my payload, but most downloaded both.”

“Only fifty-two percent?” asked a polo-clad, middle-aged man in the back row. “Why so few?”

“That's what your colleagues estimate,” I responded. “The remaining forty-eight percent were either off, or had no connection to the Internet during the period of time when the payloads were posted. Or,” I said, flipping an imaginary light switch off with my right hand, “it's possible that these computers simply had their auto-update feature turned off by their owners. Many corporations disable the Windows Update feature on their corporate PCs. They manually distribute new updates to their machines on their own schedule.”

“Interesting. I had expected the percentage to be much higher. Thanks.”

“It surprised me too, frankly.” I paused. “Now at five minutes before ten a.m. Pacific Standard Time, the Florentine back door activated my Flounder1 payload on every one of those 1.25 billion computers. Of these, roughly 304 million computers were American or Israeli computers, and on these computers, my Flounder1 payload proceeded to back up their original language setting and then switch their language to Japanese.” A click of my remote control morphed the captions under the laptops from “American” and “Israeli” to “Japanese” and “Japanese.”

“A microsecond later, Flounder1 rebooted those 304 million computers. Of course, I don't have to tell any of you about this. That simultaneous reboot caused the blackout most of you experienced firsthand. The Department of Homeland Security recently released an estimate that over seventy-five percent of all US and Israeli power plants, traffic grids, hospitals, and police stations went dark, as both their primary and failsafe computers simultaneously reset. Fortunately for me … and our two countries … these systems quickly came back to life. Over the next few minutes, give or take, those 304 million computers restarted themselves and resumed their normal operation. With one notable exception: all of them now attempted to display their user interface in Japanese rather than English or Hebrew.

“Minutes later, at ten a.m. Pacific Standard Time, the Florentine back door inside those same 1.25 billion computers activated again, this time launching the Iranian payload. But by the time this payload activated, only a minute fraction of the 304 million potential targets still retained their original English or Hebrew personas. All of these uncamouflaged machines predictably suffered an untimely and permanent end—without functional firmware chips, they were turned into paperweights. However, the vast majority of computers—your colleagues estimate as high as 99.8% of the potential targets—escaped destruction due to their new Japanese identity.”