A spy thriller from the DOJ…for free!

Instead of spending your hard-earned dollars loading your Kindle or iPad with fictional potboilers, head over to Scribd and download the Department of Justice Complaint vs. Russian spies (June 2010).

Why submit yourself to the tedium of ponderous DOJ prose? Aren’t such legal documents boring, repetitive, written in an esoteric English argot meant to confuse lay people? Yes, and this one is no exception. But it also contains fascinating and, at times, amusing insights into the people, scope, and technology of the long term embedding of Russian spies into the US.

Deployed by the SVR, Russia’s spook agency and successor to the fabled KGB, the wannabe saboteurs used carefully built American identities and led “unremarkable” lives. Their exact purpose isn’t clear from the DOJ story. They didn’t seem to be engaged in active spying; they appeared to have been planted “just in case”. This could be evidence of Russia’s very long view, of the SVR’s willingness to make investments for a distant future, or of a plan to build a support base for other agents. We won’t know for a while, and may never know. The agents have pleaded guilty to activities other than spying, such as money laundering and using false identities…and now they’re gone, handed over in a Vienna trade, just like the Good Old Cold War days.

For us geeks, the amusing part is the collection of hackerdom gems contained in the DOJ file. From social engineering to ad-hoc WiFi networking, MAC-address filtering, steganography, and unsecured passwords, these supposedly “highly trained” individuals looked more like Keystone Spooks than Hollywood superspies.

A good example of social engineering is described when one of the culprits experiences unspecified software problems with a laptop. (Sound familiar? We’ll refrain from the easy jabs.) Enter an FBI agent passing as a Russian Consulate employee, “I’m here to help”, who borrows the laptop with a promise to fix the problem. The machine is broken into, fully explored, and yields a rich trove of unprotected files.

In another case, the Feds, while “inspecting” a home (legally, of course), find a password left in the open, helpfully written down on a plain piece of paper.

Our spies thought steganography provided a safe and effective way to conceal messages inside innocuous-looking documents. Strong cryptography isn’t enough: If the folks at the NSA see an email message or a radio transmission they can’t decode, that alone will raise a red flag, bringing no end of trouble for the sender and receiver. One must have a way to exchange encrypted messages without being seen. Hence the sleight of hand: Hide the message in plain sight.

The first known implementation of the idea was the microdot, the invention of the perfectly-named Professor Zapp. In today’s version, the message is embedded inside a picture that’s posted on a Web site.

A digital picture is made of pixels, say 3,000 by 2,000. Each pixel is represented by a number, 8, 12, or 14 bits. Let’s use 12 bits for our example. The picture is a 12-layer mille-feuille, each layer containing 6 million bits. With a modest amount of software magic, you can replace one of these layers with a new set of 6 million bits—bits that hold your encrypted message.

What happens next? To the human eye, not much. The layer swapping business introduces a modest amount of noise that our eyes and brains easily overlook and correct. Your picture is now on Flickr or Facebook, to be downloaded by someone with software that can extract the right layer and retrieve the message.

It’s a clever technique—but it’s well-known to counterspies. What our brains see as forgivable noise looks like a man-made artifact, a statistical abnormality, when it’s scanned by an NSA computer. The message might be inscrutable, but the activity is detected. (This assumes that the NSA knows where to look, or that it can scan the billions of pictures—two billion on Facebook alone—that are uploaded every day. If Facebook can process such quantities, perhaps the NSA can as well, or it can discreetly ask for help.)
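To make the layer-swapping concrete, here is an added example (not from the original post) that builds a small 12-bit image, replaces its least-significant layer with a message padded out with coin-flip bits, recovers the message, and applies a crude version of the statistical check a counterspy’s computer would run. The cover image, the sample message and the `structure_score` test are my constructions; real photos carry sensor noise, so real steganalysis relies on finer statistics than this.

```python
import random

W, H = 64, 32   # small constructed 12-bit image; the page's example is 3000 x 2000

def make_cover():
    # Constructed cover: a horizontal gradient, 0..4095 in steps of 65. Real photos
    # carry sensor noise; this clean ramp keeps the example deterministic.
    return [65 * x for _y in range(H) for x in range(W)]

def bit_plane(pixels, layer):
    # One layer of the mille-feuille: bit `layer` of every pixel (0 = least significant)
    return [(p >> layer) & 1 for p in pixels]

def set_plane(pixels, layer, bits):
    # Swap one layer for a new set of bits, leaving the other eleven untouched
    return [(p & ~(1 << layer)) | (b << layer) for p, b in zip(pixels, bits)]

def bytes_to_bits(data):
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]

def bits_to_bytes(bits):
    return bytes(sum(b << (7 - i) for i, b in enumerate(bits[k:k + 8]))
                 for k in range(0, len(bits) - len(bits) % 8, 8))

def embed(pixels, payload, layer=0, seed=7):
    # Payload bits (ciphertext in a real scheme; plain bytes here) go first; the rest of
    # the layer is padded with coin-flip bits so the whole plane reads as noise
    rng = random.Random(seed)
    bits = bytes_to_bits(payload)
    if len(bits) > len(pixels):
        raise ValueError("payload larger than one bit plane")
    bits += [rng.getrandbits(1) for _ in range(len(pixels) - len(bits))]
    return set_plane(pixels, layer, bits)

def extract(pixels, nbytes, layer=0):
    return bits_to_bytes(bit_plane(pixels, layer)[:nbytes * 8])

def structure_score(pixels, layer=0):
    # Crude steganalysis: how far horizontally adjacent bits of this layer are from
    # independent coin flips. Image content scores near 1.0, an overwritten plane near 0.0.
    plane = bit_plane(pixels, layer)
    pairs = [(plane[i], plane[i + 1]) for i in range(len(plane) - 1) if (i + 1) % W]
    agreement = sum(a == b for a, b in pairs) / len(pairs)
    return abs(agreement - 0.5) * 2

if __name__ == "__main__":
    cover, secret = make_cover(), b"meet at the coffee shop"   # constructed sample message
    stego = embed(cover, secret)
    print(extract(stego, len(secret)), structure_score(cover), structure_score(stego))
```

The swapped layer changes each pixel by at most one step of 4,096, which is the “forgivable noise” the post describes, while the score drop is the kind of artifact a scanner keys on.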

The DOJ complaint describes another ingenious way of exchanging messages: an ad-hoc WiFi network between laptops. One spy sits inside a coffee shop; the other is inside a car parked outside, or even driving by. It seems safe because the computers are connected directly to each other—there’s no Internet involved, no public network that can be monitored by counterspies. To add security, they use MAC address filtering instead of the more mundane login and password process. MAC addresses date back to the origins of Ethernet; every device gets a unique identifier, something like 01-23-45-67-89-ab. Our spies make sure that only two specific MAC addresses are allowed on their ad-hoc network.

(Un)fortunately, the counterspies are in on the scheme. With a simple packet sniffer, such as Nmap, the FBI out-geeks the spies and monitors the exchange. This was made particularly easy because the Russians kept reusing the same MAC addresses for their “surreptitious” WiFi network transmissions. They were probably lulled into a false sense of security.

Techies roll their eyes: How gauche! They should have known better than to reuse the same addresses. MAC address spoofing is so easy! With address spoofing you can make up hardware identifiers at will. Nothing necessarily nefarious here; Powerline Ethernet adapters do it all the time. A couple of command lines on Linux or a Mac, or a few Registry entries on Windows, and you’re done. You’ve created a different, unpredictable set of network addresses for each exchange. Bury these constantly changing MAC addresses in an urban environment with its thousands of active WiFi networks…the counterspies wouldn’t know where to look.
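The filter the spies relied on, and what a listener sees, as an added example that is not part of the original post: it parses the cleartext 802.11 header of ad-hoc (IBSS) data frames, applies a sender allow-list, and links separate captures by the recurring address pairs. The allow-list, the sample frames and the session names are constructed; the address format follows the page’s 01-23-45-67-89-ab style.

```python
import struct

TYPE_DATA = 2  # 802.11 frame-control "type" value for data frames

def mac_str(raw):
    return "-".join(f"{b:02x}" for b in raw)

def parse_80211_header(frame):
    # Frame control is a little-endian u16: bits 2-3 = type, bit 8 = To-DS, bit 9 = From-DS.
    # Everything parsed here travels in the clear, even when the payload is encrypted.
    fc, = struct.unpack_from("<H", frame, 0)
    ftype, to_ds, from_ds = (fc >> 2) & 0x3, (fc >> 8) & 1, (fc >> 9) & 1
    a1, a2, a3 = (mac_str(frame[o:o + 6]) for o in (4, 10, 16))
    # Ad-hoc (IBSS) frames have To-DS = From-DS = 0, so Addr1 = DA, Addr2 = SA, Addr3 = BSSID
    return {"type": ftype, "to_ds": to_ds, "from_ds": from_ds, "da": a1, "sa": a2, "bssid": a3}

def build_ibss_data_frame(da, sa, bssid, payload):
    # Builds a constructed ad-hoc data frame for the sample capture (sequence control = 0)
    raw = lambda m: bytes(int(x, 16) for x in m.split("-"))
    return b"\x08\x00\x00\x00" + raw(da) + raw(sa) + raw(bssid) + b"\x00\x00" + payload

# The spies' access control as the page describes it: an allow-list keyed on the sender
# address (constructed values in the page's 01-23-45-67-89-ab style)
ALLOWED = {"01-23-45-67-89-ab", "01-23-45-67-89-cd"}

def mac_filter_accepts(frame):
    h = parse_80211_header(frame)
    return h["type"] == TYPE_DATA and h["to_ds"] == h["from_ds"] == 0 and h["sa"] in ALLOWED

def observed_pairs(frames):
    # A passive listener reads the very same cleartext bytes the filter trusts
    return {(h["sa"], h["da"]) for h in map(parse_80211_header, frames) if h["type"] == TYPE_DATA}

def reused_across_sessions(sessions):
    # Link separate captures by recurring (SA, DA) pairs: address reuse is what let the
    # counterspies follow the exchanges; fresh addresses per exchange would not link up
    seen = {}
    for sid, frames in sessions.items():
        for pair in observed_pairs(frames):
            seen.setdefault(pair, set()).add(sid)
    return {pair: sorted(sids) for pair, sids in seen.items() if len(sids) > 1}

if __name__ == "__main__":
    frame = build_ibss_data_frame("01-23-45-67-89-cd", "01-23-45-67-89-ab", "02-00-00-00-00-01", b"hi")
    print(mac_filter_accepts(frame), reused_across_sessions({"tue": [frame], "thu": [frame]}))
```

The point the code makes is that the filter decides on a field any monitor-mode card can read, so it is a convenience, not authentication, and a stable address pair is a tracking handle.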

The word is the same in Russian: Idiots.

My expert friends go further: Why did these bumblers use laptops? Today, you can easily create a bootable Linux system on a USB drive. With a thumb drive, almost any computer, public, private, or borrowed, can be used. There’s no need to struggle with “software issues” on an easily compromised laptop. Easy to use, easy to hide or destroy if needed.

These mistakes are strange, almost unexplainable. Russian hackers are considered world-class. Why didn’t the SVR enlist their help? Were the apparatchiks concerned about their native hackers being a little too free, or too clever, or too “market-oriented”? Did they rely on the “safer” but duller techies in their midst?

We’ll see if anything more comes to the surface in the coming weeks and months.

For more juicy espionage summer reading, look up Robert Littell’s books. Some of them are eerily consonant with the DOJ document.

JLG@mondaynote.com
