In February 2012 a dozen young women in heels tottered up the steps of an office building in Monrovia, wearing fixed smiles and colorful sashes bearing the names of their home counties. They were contestants in the Miss Liberia beauty pageant and had been invited to the headquarters of Cellcom Liberia, the event’s sponsor and the country’s second-largest telecommunications company. Inside, Avishai “Avi” Marziano, Cellcom’s chief executive officer, took the microphone. An Israeli with gelled black hair, Marziano was dynamic and had a gift for flashy promotions. “We are all about Liberia,” he said.
Cellcom was owned by a group of adventurous American and Israeli businessmen led by Yoram Cohen, a Miami-based former attorney with shipping interests in the region, and LR Group, an African investment firm run by former Israeli Air Force pilots. Cellcom had grown rapidly since its 2004 creation, its red-and-white logo plastered across shantytowns and marketplaces around the country. Marziano, a trained engineer, seemed to enjoy the attention. After presenting each Miss Liberia hopeful with a new phone and SIM cards loaded with credit, he grinned for the cameras and signed off with his company’s slogan: “With Cellcom, you are always No. 1.”
In terms of market share, though, Cellcom was stuck firmly in second place behind Lonestar, a former monopoly backed by one of Africa’s largest telecommunications groups. Lonestar’s figurehead, chairman, and part owner was Benoni Urey, who’d faced international sanctions because of his links to jailed warlord Charles Taylor. (The sanctions were lifted in 2014.) Urey’s 40% stake in Lonestar made him Liberia’s wealthiest man, one of the country’s few bona fide millionaires.
Across Africa, mobile phone use was soaring, bringing technology to places where few people had access to a computer. The rivalry between Urey’s Lonestar and Marziano’s Cellcom was “cutthroat” from the start, according to Nagbe, the Liberian information minister. When Cellcom announced it would give defecting Lonestar customers a month of free calls, a decade-long price war followed. Under Marziano, Cellcom gave away 100 motorcycles in 100 days, commissioned a pop song for promotional videos, hired comedians as spokespeople, and mocked Lonestar relentlessly in its ads.
Urey complained to the Liberian Telecommunications Authority, as well as to President Ellen Sirleaf, that Cellcom’s giveaways were unfair, to no avail. Cellcom’s market share grew steadily. At its 10-year anniversary party in December 2014, scaled down somewhat because of a deadly Ebola outbreak, Marziano told guests that the company’s development phase was over. Now it was time to dominate. “We aim to be at the top of the telecommunications market in 2015,” he said.
At least part of Marziano’s plan would rely on a man who’d never set foot in Liberia: Daniel Kaye. The CEO and the hacker met for the first time in London in about 2014. They made an odd pairing. Marziano liked to quote Henry Ford’s management aphorisms and spend hours at the gym, taking steroids to get extra ripped. He also entered bodybuilding contests, where he posed for photos in barely-there underpants. Kaye smoked weed and played Skyrim, a swords-and-sorcery computer game. Even so, they hit it off. Kaye saw in Marziano a more stable future with long-term contracts or perhaps a full-time job. Marziano saw in Kaye someone who could solve problems, no questions asked. You’ll deal directly with me, he told Kaye.
One of Kaye’s first tasks was to secure the systems of Cellcom’s sister company in neighboring Guinea. Kaye came up with a tool that could encrypt Cellcom’s data on command in case political instability threatened its operations. For that, Marziano paid $50,000, plus several thousand dollars more for routine security tests. The next bit of business was far less benign. Marziano ordered Kaye to hack into Lonestar’s network to look for evidence of bribery or other misconduct. Kaye couldn’t find anything incriminating, so he downloaded a Lonestar customer database and sent it to Marziano, who appeared to enjoy the subterfuge. “It’s like a drama movie,” he told the hacker.
In 2015, Kaye and Marziano discussed using DDoS attacks to slow down Lonestar’s internet service and irritate its customers into switching. Kaye started small, using a website called “VDos Stresser” that bombarded other sites with traffic for a fee. Leaked messages from a VDos database show an individual using the name “bestbuy,” likely Kaye or an associate, asking about the service on offer. “I need quite a lot more power,” bestbuy wrote.
By now, Kaye was earning enough from Cellcom and other gigs to move to Cyprus, where he rented an apartment with a pool and a sea view. If he could do his job from anywhere with an internet connection, why not do it from somewhere sunny? His fiancée joined him.
Marziano’s future was also looking bright. In January 2016, Orange SA, the French wireless carrier, announced it was buying Cellcom Liberia. With global sales of about €41 billion ($45.6 billion), Orange is a giant, part-owned by the French government. The terms of the deal and identity of the sellers weren’t disclosed, but it would mean a big payday for Cohen and his backers. Orange kept Marziano on as a consultant, but he remained Cellcom’s CEO.
The deal, however, didn’t cool the hostilities between Cellcom and Lonestar. Weeks later, in a press statement that called out Cohen by name, Lonestar accused Cellcom of illegally texting customers to offer its latest promotion. A Cellcom spokesman responded: “Lonestar is a big crybaby, bent on exploiting the Liberian people.”
The strain of malicious software known as Mirai first emerged in 2016. Named, probably, after a Japanese cartoon character, it was created by gamers to wield against other gamers, specifically those playing Minecraft.
Mirai sought out webcams, wireless routers, and other cheap, poorly defended devices that could be hijacked for DDoS attacks against other Minecraft players. It could also seek out fresh targets semiautonomously, spreading itself without human input. In the summer of 2016, the malware doubled its number of infected machines every 76 minutes to create, within a few days, the largest botnet on record.
Before the American college students who wrote the code were arrested, they shared it on hacking forums, providing the basis for dozens of variants. Kaye, who was looking for a superpowered botnet, thought it might be just what he needed. He tweaked the code to exploit a vulnerability in Chinese-made security cameras, made sure his malware blocked other forms of Mirai so no one could take over his botnet, and then, in September 2016, turned his creation loose.
“If it works I should have access to five million cameras that I can use,” Kaye told Marziano using an encrypted messaging service. Marziano agreed to pay him $10,000 a month for the “project.” Later that September, he asked Kaye to test the botnet on a competitor’s website offering cheap international calls – the site, Marziano said, was “killing my international traffic” at Cellcom.
Even Kaye didn’t know exactly how big his botnet had become, so he tested it on a site that measured traffic. Visualized in a graph, its power looked awesome: It could direct about 500 gigabytes’ worth of data – roughly equivalent to downloading Avengers: Endgame 50 times in ultrahigh definition – per second. His target didn’t stand a chance. Liberia’s internet infrastructure was already fragile, dependent on a single undersea fiber-optic cable to connect to the outside world. Faced with a half-million machines sending data all at once, Lonestar’s servers would simply stop functioning. Kaye pulled the trigger again and again, at least 266 times from October 2016 to February 2017. He kept in touch with one of Marziano’s analysts to monitor the impact in Liberia, texting regularly to ask how Lonestar’s network was performing. “Almost dead,” the analyst said one day in November. “Really? Sounds good,” Kaye replied.
Marziano’s company had for years claimed to be Liberia’s fastest network. Now it was undeniable. On Nov. 9 an apparently satisfied Marziano sent a photograph of a newspaper clipping to Kaye. “After crippling cyber attack: Liberia seeks US, UK Aid,” the headline read.
Kaye, though, was alarmed. He’d assumed no one would care about a company in Liberia and hadn’t made much effort to cover his tracks. Security researchers had also noticed his botnet’s unusual power and focus. They christened it Mirai#14. Marcus Hutchins, a British security analyst known as MalwareTech, set up a Twitter account to record the botnet’s targets. Soon afterward, one of the Mirai variants turned its power on Hutchins’s website, knocking it out. He took the attack as a warning to back off. When Kevin Beaumont, another British researcher, tweeted about the botnet, it started sending threatening messages, like “shadows.kill” and “kevin.lies.in.fear.” (Kaye denies targeting Hutchins or Beaumont.) “It got out of control,” Kaye wrote to a friend in Israel.
Then the outbreak spread to Germany. Each camera infected by Mirai#14 was continuously reaching out to other devices, trying to get them to download the software. Instead of joining the botnet, Deutsche Telekom routers simply crashed. It’s not clear whether Kaye was deliberately trying to expand his botnet by targeting German devices, but he certainly didn’t intend for them to stop working. Unlike Liberia, which lacked even basic computer crime laws, Germany’s police force had a formidable technology division. I’m f—ed, Kaye thought. On Nov. 27 his friend in Israel messaged to ask: “What’s happening?” Kaye replied: “I have broken the Internet and am dead afraid but otherwise everything’s hunky dory.”
In an effort to distract attention from what he’d done in Liberia, Kaye decided to share his botnet, just as the original creators of Mirai had done. Working with contacts from hacking forums, he sent out spam messages offering access in return for Bitcoin, with prices ranging from $2,000 to $20,000. Some of his first customers were gamers, who used it against rivals. Others had more ambitious targets.
On Jan. 11, 2017, employees at Lloyds Bank Plc, in the U.K., received emails from someone using the alias “Ibrham Sahil.” Lloyds’s website would be taken offline, the messages said, unless the bank paid a “consultancy fee” in Bitcoin, then worth about £75,000 ($90,000), rising to £150,000 after two days. Lloyds didn’t pay. Twenty minutes later, its website was disrupted by the first of 18 DDoS attacks over 19 hours.
Sahil contacted Barclays Bank Plc the same day. What happened to Lloyds was no glitch, Sahil wrote. Barclays would suffer the same fate unless it paid 75 Bitcoin within 18 hours. “Don’t make us get our money by using well time PUT options on the Barclays share price,” Sahil wrote, threatening to force down the bank’s share price unless it complied. It didn’t, and Barclays’ website was hit a few days later. Both lenders spent about £150,000 each to mitigate the effects of the attacks and keep their sites up and running.
Hutchins, the British researcher monitoring Mirai#14 and other variants, watched the situation unfold. His job, working for a company called Kryptos Logic, was to seek out the internet’s most dangerous malware (worms, bugs, and viruses), which he did from Devon in England’s rural southwest between trips to the beach to surf. He traced Mirai#14 to a server and found contact details for the operator, who was using the alias “popopret.”
There was little Hutchins could do remotely, so he decided to see what would happen if he just asked popopret to stop. He composed a message appealing to the hacker’s conscience. As proof of the real-world consequences, he attached Twitter posts from bank customers stuck without access to funds. To his surprise, the hacker responded and seemed receptive. Although Hutchins didn’t realize it at the time, he was communicating with Kaye—who retained ultimate control of the botnet even as he rented it out—either directly or through one of his associates.
The next day, though, bank websites were still being bombarded. “Wtf?” Hutchins said in a message to popopret, who replied that he was being paid a lot of money by a customer using his botnet. Hutchins tried a different approach. Banks are considered critical infrastructure in the U.K., he said, and protecting them is a matter of national security. Unless you want intelligence agencies coming after you, Hutchins suggested, cut off the customer. It seemed to work. The assault on British lenders stopped. The attacks on Liberia, however, continued.
A few weeks after Hutchins’s warning, Kaye flew from Cyprus to London to meet Marziano and collect his latest monthly payment. Marziano brought his wife and young children, and Kaye brought his fiancée for lunch at a tapas restaurant near Piccadilly Circus. (There’s no evidence their families knew of any wrongdoing.) Over drinks, Kaye congratulated Marziano on the Orange deal. Marziano handed over $10,000 in cash, which Kaye stuffed into his pocket. The CEO and the hacker parted as friends.
Kaye got to Luton Airport for his flight home to Cyprus, and that’s where the police found him.
To be continued
Source: Bloomberg