Authors: Mark Russinovich
“What do we do about lunch?” Daryl said by way of answer.
“I . . . there’s a cafeteria on this floor, that way. It’s not bad. The cooks are French.”
After Herlicher left, Daryl went for food and brought it back. They ate as they discussed their latest findings. “One of the unique characteristics of this thing,” Daryl said, “is that it retains itself and any documents it copies in the computer’s memory.”
“We didn’t find anything in the memory scans,” Jeff said, biting into a croissant. Why were they always so much better in Europe than back home?
Operating systems like Windows use a technology known as virtual memory. Its effect was to give programs the illusion that the computer had more Random Access Memory, or RAM, than it actually did. It accomplished this by writing out infrequently accessed data and code to a paging file on the disk. When the program accessed that data or code again, the operating system simply read it back into RAM from the paging file.
“There’s no sign of the document, either the original or altered one, in RAM now,” Daryl said. “Maybe the operating system wrote a copy of it to the paging file when the virus had it in RAM around the time that it replaced the original in Herlicher’s e-mail, but before the Trojan deleted the altered copy from RAM.”
“Now that’s original, and devious. Someone’s put their thinking cap on.”
For the rest of that day, they used a special tool Daryl had previously written for their forensic tool kit. It copied the contents of the paging file, something that wasn’t possible when the operating system was running. They then copied the data to an external disk they connected to their laptops.
“Let’s see,” Daryl said. She launched the scan and a few minutes later discovered pieces of the altered document scattered around the file. This was extraordinary.
“So that was it, smart lady. Who said you were just another pretty face?”
“Yeah, right, smart aleck,” she said, with a laugh. “We’re lucky they didn’t include turning off the computer in their pathetic incident response policy.”
While what they’d found was not direct evidence that the Trojan altered the document, it constituted substantial circumstantial evidence. They also checked copies of the document on the file server, and those backups were the original document. The copy on the e-mail server was the altered version, and they discovered more bits and pieces of the alterations in the paging file.
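The check Daryl runs above, carving a raw paging-file image for fragments that belong only to the altered document, is shown here as an added example; it is not code from the novel or from any real forensic tool kit. It assumes you already have a raw dump of the paging file as bytes (the novel’s tool obtained it offline, since pagefile.sys is locked while Windows runs) and clean copies of both the original and the altered text. The document text and the “pagefile” below are constructed stand-ins. The example also searches both UTF-8 and UTF-16LE encodings, since Windows applications hold much of their text in memory as UTF-16 and either form can be paged out.

```python
"""Carve fragments of an altered document out of a raw paging-file image.

Added illustration only. The document text and the pagefile bytes below are
constructed for the example; nothing here is a real capture.
"""

# Constructed sample documents (hypothetical text, not the novel's report).
ORIGINAL = ("Quarterly audit: the reviewers found no evidence that the ledger "
            "had been changed after closing.")
ALTERED = ("Quarterly audit: the reviewers found clear evidence that the ledger "
           "had been changed after closing.")

# Windows programs keep much of their text as UTF-16LE; documents on disk and
# in mail bodies are usually UTF-8/ASCII, so a carver must try both.
ENCODINGS = ("utf-8", "utf-16-le")


def distinctive_phrases(original: str, altered: str, n: int = 4) -> set:
    """Word n-grams that occur in the altered text but never in the original.

    A hit on one of these cannot be explained by the legitimate document
    having been paged out, so it points specifically at the altered copy.
    """
    def ngrams(text: str) -> set:
        words = text.split()
        return {" ".join(words[i:i + n]) for i in range(len(words) - n + 1)}
    return ngrams(altered) - ngrams(original)


def carve(image: bytes, phrases) -> list:
    """Return sorted (offset, encoding, phrase) tuples for every occurrence
    of every phrase, in every encoding in ENCODINGS."""
    hits = []
    for phrase in sorted(phrases):
        for enc in ENCODINGS:
            needle = phrase.encode(enc)
            start = 0
            while True:
                idx = image.find(needle, start)
                if idx < 0:
                    break
                hits.append((idx, enc, phrase))
                start = idx + 1
    return sorted(hits)


def build_sample_image() -> bytes:
    """Constructed stand-in for a pagefile dump: binary noise with three text
    fragments scattered through it, two from the altered document (one in
    UTF-16LE, one in UTF-8) and one from the original, which must be ignored."""
    filler = bytes(range(256)) * 16                      # 4096 bytes of noise
    frag_altered_utf16 = "found clear evidence that the ledger".encode("utf-16-le")
    frag_altered_utf8 = b"reviewers found clear evidence"
    frag_original_utf8 = b"the reviewers found no evidence"
    return (filler + frag_altered_utf16 + filler + frag_altered_utf8
            + filler + frag_original_utf8 + filler)


def analyze(image: bytes = None) -> list:
    """Run the full check: derive the tell-tale phrases, then carve for them."""
    if image is None:
        image = build_sample_image()
    return carve(image, distinctive_phrases(ORIGINAL, ALTERED))


if __name__ == "__main__":
    for offset, enc, phrase in analyze():
        print(f"0x{offset:08x}  {enc:<9}  {phrase!r}")
```

Only phrases absent from the original are searched, so a paged-out copy of the genuine document produces no hits; the offsets reported are exactly the places where the altered wording survived in the image, which is the evidence the scene describes.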
Daryl’s laptop flashed an alert. “Looks like the Company wants to talk.”
PEOPLE’S REPUBLIC OF CHINA
XINJIAN PROVINCE
URUMQI
PLA CYBER WARFARE CENTER
10:43 A.M. CST
Colonel Jai Feng scanned the three oversized computer monitors at his workstation, taking in the data with a single practiced glance. He lifted another Hongtashan cigarette to his lips and took a long pull, the strong smoke delivering a jolt of nicotine almost immediately. He lifted his cup of coffee, long cold, and drained it.
Feng was dissatisfied with the progress of his team. He was under relentless pressure from Beijing to produce results and it seemed to him everything was going much too slowly. Working for him were the finest computer minds in China. Everyone was proficient in English while a number, though too few for his needs, were fluent. They were highly trained, highly skilled, and dedicated to the work, if not for the greater glory of China, then for the greater advancement of their careers.
The problem, Feng knew, was that he was overextended. When he’d first taken control of the PLA’s Cyber Warfare Center, the operation had been quite modest and expectations low. But as he expanded its scope, and demonstrated time and again the usefulness of what he was doing, both resources and demands had increased.
He’d realized the year before that he needed to reorganize but doing so would be a major interruption in his ongoing operations. This was no time for that. Matters were much too crucial to risk it. And, of course, there were laurels to be had, a promotion to receive if he left things as they were with him in sole charge. But once he split command the inevitable would happen. It was human nature. Those who’d been hired by him, advanced by him, those who owed everything to him would slit his bureaucratic throat in an instant to jump over him in promotion. Time enough for that after he was made general and relocated to Beijing.
Angry with developments in his two main projects, he pushed himself away from his desk and set off on one of his unpopular lightning tours. The warfare center occupied all five floors of the modern building, though the heart of the operation was on the second, third, and fourth floors. The second was dedicated to military penetration. Feng’s unit there enjoyed extraordinary success in penetrating the U.S. Department of Defense databases. Its most recent triumph had been the penetration of the U.S. Pacific Fleet Command computer structure. The fourth floor was where the malware was crafted. Bright—very bright—software engineers were constantly thinking down the road, anticipating the next moves, both their own and their adversaries’, and generating clean, effective product. Feng knew that his long-term success depended on just how well these young minds performed.
Today, Feng took the interior fire-escape stairs and emerged on the third floor. He was preoccupied with cyber operations and that meant this floor. Here, dedicated teams conducted widespread and often very specific information gathering from thousands of crucial targets. Whenever an area vital to China’s interest was involved, a team learned everything they could about those involved. In this increasingly digital world, that was often a great deal indeed. Most helpful had been the development of a Trojan they’d implanted in various telephone networks, giving them access to the in-house tracking of individual numbers. The networks did this routinely to assist them in determining service demand at specific locales.
There were, however, two immediate cyber operations about which Feng was most concerned. Four days earlier, he’d watched an elite team conduct a test of their system implanted in the WAyk5-7863 power grid located in the eastern portion of the state of Washington in America. The Trojan had been meticulously placed there the previous month. His team had run tests until it was certain the malware would work as intended.
This was the most sophisticated power grid Trojan China had ever developed, and was key to Feng’s long-term strategy. Its potential was so enormous that he had not breathed a word of its existence to anyone in authority. He had to be certain it did what he was promised, then it had to be meticulously insinuated into the entire American grid system.
Feng’s work was much like defending against a terrorist attack, he often thought. No matter how many times a nation successfully thwarted such an attack, the terrorists only had to succeed once. In his case, no matter how long his Trojans loitered in the targeted computers, or how successful his mission, he only had to be uncovered once. Then the tree would fall, as his grandmother had often told him, and the monkeys would scatter.
Feng often cautioned his young geniuses to be careful. Youth was impetuous, he knew. Reining in such passions totally was all but certain to be impossible. Mistakes would happen, they had in fact already happened, but none had as yet come back to them. He was satisfied the carefully crafted and planted Trojan would not be detected. So much malware, from any number of sources, already permeated the grid’s software that his in effect hid amid the trash. Through this technique they’d managed to hide and cover their trail, to muddy the waters so to speak, leaving responsibility pointed elsewhere if it came to that.
Or so he hoped.
Feng had selected the hour after midnight in his targeted area for the actual test, a time when the consequences would be minimal. He wanted nothing dramatic to happen. For that reason the test had to be short.
It lasted just fourteen minutes. And the effect had been as comprehensive as Feng had been assured. Yakima and the surrounding region had been plunged into darkness. In crucial areas backup systems had sprung to life but in many cases these had been poorly maintained or untested and they’d failed at the crucial moment.
Feng had been delighted, especially when shown a satellite image of the area, a black blot surrounded by pinpoints of light. Then the reports of deaths and accidents had come in. A train stranded by the power failure had been rear-ended by another. The loss of life was scant as these were freight trains but entire cars had plunged into a canyon. An engineer and four others were killed. And there’d been a hospital death, a patient who died during surgery when the power was extinguished. There’d also been auto collisions, people trapped in elevators—all the things he’d expected. And so far there was not the slightest suspicion that the Chinese had done it.
There was, as well, his UNOG penetration. For more than a year another special unit had labored to crack cyber-security at the United Nations. Neither that, nor planting the various malware they required for their project, had been so difficult. Handling it all with delicacy, though, demanded great care and restraint. Planning when and where to act was even more daunting.
They were now reproducing the keystrokes of dozens of UN officials and recently, through the use of an amazing bit of word-processing code, had begun to access their files directly. With this information they’d slowly determined the central players.
Now, the latest variation allowed his people to alter files. Just as significantly the digital signature could be delayed and set in place after the revised document was ready. He’d reported this development of necessity, cautioning it should not be used carelessly. Given time his people could cause enormous damage to the United Nations but he was limited in how fast he could perform such work.
Then, with this program barely underway, he’d been ordered to modify the Iran nuclear report. Feng had balked, pointing out that the deception would be discovered at once and his long-term plans thwarted. Though his best people were busy modifying documents within the UN computers in Geneva and New York, they had not yet achieved the desired penetration because he lacked sufficiently skilled technicians able to express themselves in the proper English.
But his objections had been overruled. Someone wanted to delay any military action against Iran, to give them just a bit more time to detonate their first nuclear bomb. Iran had assured them it was imminent. Feng knew better and told his superiors the reality as he understood it. While the Iranians were close they were still hampered by their infected computers. In some cases they’d been reduced to handling issues by hand on a whiteboard. If they could inoculate their computer system from this Stuxnet pestilence the final steps could be accomplished in a few short weeks. As it was . . .
Feng still burned at the thought of the error left in the latest variation of the code they’d embedded in UNOG. When it had followed the path to London it had not worked. A flaw in the exploit code had caused OfficeWorks to crash. That should never have happened. On top of it, they had sent the malware with the altered document. They should have sent it in an unaltered file to avoid drawing attention. Now, the entire project was in jeopardy. Those bright kids had failed.
His protestations to his superiors about employing the software in such an obvious manner were pointless, he realized. The botched work by his team had led to early detection regardless. He’d have to find out who’d made the mistake; Feng’s instructions had been specific.
He just wished he’d had a little more time. Iran’s nuclear program had been brought to a virtual standstill by this Stuxnet worm. His people had devised, then he’d dispatched in stages, countering software to Iran as quickly as it could be developed, and while it had slowed the damage Stuxnet caused, it had not stopped it. The worm was constantly morphing, altering its approach, infecting operational parts of equipment by planting itself within the control computers.
The most frustrating part of the process had been the refusal of those above to allow his team to send these patches digitally. He’d assured them time and again that there were secure e-mail routes or ways to download from the Internet that would never trace back to China. But the role his operation played in assisting Iran was considered highly sensitive, one in which plausible deniability was the paramount consideration. Because of the need for speed he’d persuaded them to allow the first step in transmitting the patches to be electronic. After that a courier, a mule, was used. It added two to three days to the transfer time but Feng had been told the decision was final.
Feng was worried. New versions of Stuxnet were periodically released and he was certain that another had been designed to reinfect any untainted new computers. Only Feng’s software could prevent it. And this needless, senseless, delay of two or three days to give some aging party official a bit of ease only increased the likelihood that an exploit would be implanted. The last version of Stuxnet had been more destructive than the first. He didn’t want to think about what was to come. Despite the best efforts of the Iranians, the strains managed to find a way in.
Iran’s program had already been so damaged and delayed the country had taken the unprecedented step of replacing thirty thousand computers to get a fresh start. Feng had cautioned against this approach before his work on Stuxnet had reached a more developed stage but the Iranians were paranoid about the “air gap” again being penetrated as it had previously been by thumb drives. They refused to wait, convinced they’d solved the problem on their own with stricter precautions.