Darknet Diaries - 64: The Athens Shadow Games
Episode Date: April 28, 2020
Vodafone Greece is the largest telecom provider in Greece. But in 2004 a scandal within the company would pin them to be top of the news cycle in Greece for weeks. Hackers got in the network.... And what they were after took everyone by surprise.
Transcript
Do you remember the Olympics of 2004?
It was in Athens, Greece, where the first Olympics ever took place.
It was also just three years after 9-11.
There's always a fear that terrorists may strike at the Olympics.
In the 1972 Olympics, 11 people died in the Munich massacre.
In the 1996 Olympics in Atlanta, Georgia,
a bomb went off in the Centennial Olympic Park,
killing one person and injuring over 100 others.
And in the South Korean Winter Olympics of 2018,
it was a pretty destructive hack
that took down a lot of the Olympic Village.
So how does a country ramp up to protect itself
from terrorism at the Olympics?
And what does an attack even look like
in today's modern world,
where hacks can be conducted silently without anyone knowing?
These are true stories from the dark side of the internet.
I'm Jack Rhysider.
This is Darknet Diaries.
Wiretapping.
Everyone knows what wire tapping is.
It's one of the oldest hacking techniques out there. Secretly listening in to conversations without permission or an invite. It can be a great
method to get information that you're not supposed to have. When telephone exchanges were manually
operated to connect calls, physical wires were the key to a successful wiretap. If you wanted
to be a master wiretapper, you needed to master the location of the wires,
break out some crocodile clips,
and clip it to the right ones.
As technology advanced, wiretapping did too.
Soon there was a secret little device
you could plant inside telephone handsets.
In May 1972, members of a re-election group
supporting Richard Nixon
broke into the Democratic National Committee's
Watergate offices and wiretapped their phones.
A month later, they returned with a new microphone to get a better listen.
Caught by a security guard, their covert operation was over.
Within a year, it had come to light that Nixon was secretly recording all conversations happening inside the Oval Office.
These acts and the attempt to cover it up ultimately ended his political career.
Today, it's all about the tech. Sure, the wires are still important. There'd be no telephone
switch exchanges without them. But it's the hardware and software that runs a now fully
electronic switch exchange. The ability to interconnect and route calls all over the world
in a fraction of a second.
The thing about wiretapping is that it's a secretive activity by its very nature. If you were supposed to be listening to that call, the caller would know and would have dialed you in.
And there are two types of wiretaps. There's the legal kind done by law enforcement to help solve
crimes using lawful interception technology. And then there's the not-so-legal kind,
the kind that's done by unauthorized parties and not approved,
the kind done by hackers.
30 years ago, a telecom company was created in Greece.
It was called Panafon, and they were your basic run-of-the-mill company,
running lines to residential buildings and commercial buildings,
routing and connecting calls.
About 10 years after launch, they were acquired by Vodafone, which is a major telecom company based in the UK.
So Panafon was renamed to Vodafone-Panafon, but it's just better known as Vodafone Greece.
And every time I say Vodafone in this episode, I'm particularly referring to the Vodafone Greece section of Vodafone.
It's like its own unit within Vodafone.
On January 24th, 2005, the system administrators at Vodafone Greece started getting error messages for their telecom switch exchange devices.
The errors were saying that text messages from other carriers weren't being
delivered properly. By this point, Vodafone Greece was pretty big. They had like 1,500 employees.
The error message at Vodafone Greece really concerned the tech teams. They started going
through the error logs and troubleshooting and looking at system data dumps for this fault,
but they couldn't figure out why some text messages weren't getting delivered.
So they contacted their equipment provider, which was Ericsson. Now Ericsson is an enormous company
based in Sweden who's been going well for like 100 years. Ericsson was one of the biggest telephone
equipment manufacturers around. We're talking like 40% of the entire world's cell phone traffic
goes over equipment that Ericsson made. So they're huge.
Being that big and at it for 100 years, they knew this game inside and out. So Vodafone Greece
contacted Ericsson to ask them, what are these error messages? Why can't these text messages
get delivered? And so Ericsson began troubleshooting and looking into it. Things didn't get any better
for Vodafone. In the meantime, they're getting all these complaints from cell phone customers who weren't happy their texts weren't sending.
And to make things worse, on January 31st, Vodafone's network planning manager submits his resignation.
The network planning manager's name was Kostas Tsalikidis.
And he had been with Vodafone Greece for 11 years.
But he was really wanting to quit his job.
Kostas was good at his job. He was experienced and detailed. He kept notebooks of his networks and put in the extra
hours needed to keep the network running cleanly. He had an engineering degree specializing in
telecommunications and then a master's in computer science. And just the year before this, Greece had
hosted the Summer Olympic Games in Athens, a huge event for the country.
For Vodafone and for Kostas, these months before the opening ceremonies on August 13th
were full of long and tiring days.
They were planning and implementing new systems,
setting up upgraded networks to make sure they could handle the tens of thousands of people
who were going to flood into Greece for the Olympic Games.
Plus, all the extra police and military personnel that needed to be there,
they all needed communication systems too. That was a huge project for Costas. But then,
five months later, he wanted to quit? Vodafone refused to accept his resignation and persuaded
him to take some time off instead. So he took a little break and
then came back to work in the middle of February. Weeks later, on March 4th, Ericsson had some big
news for Vodafone Greece. They'd been digging around on these devices looking for where the
error message was, and they found something they weren't expecting to find. First, they found two files.
And one was a list of cell phone numbers.
They had no idea why this big list of cell phone numbers was stored in this location.
It was unusual, but it is a telecom provider,
so maybe there's just cell phone numbers all over these devices.
But their investigation revealed a pre-compiled binary executable program.
Ericsson had no idea why this executable program was there in the switch.
They couldn't tell what these executable files did because they were not human-readable.
But this program existed on the telecom switch, right next to the unusual set of cell phone numbers.
Now Ericsson had a line of digital telephone exchanges that they called AXE, AXE.
And these AXE devices were exchanges that Vodafone Greece used.
The software was all written in PLEX code, which is not that common and pretty complicated.
The executable files must have been created using the PLEX code
in order to run on this particular telecom switching system, the AXE.
Ericsson had no idea what this extra code was doing or why it was there, and it perplexed them.
Vodafone Greece had no idea either, so Ericsson decided to try to figure it out.
And to figure out what it was doing, they had to rebuild it in the PLEX language, which was not an easy task.
They reverse engineered this executable code and put it back into its original language.
This took a long time.
Ericsson actually outsourced a lot of their software development for the AXE exchange to a local company called Intracom Telecom.
And this company took five weeks and was able to reverse engineer the code. And after they
did that, they were left with a program that was 6,500 lines long. And this rogue program that was
on this telecom switch was using that long list of phone numbers that was also found. This meant
the two unusual files were somehow linked. The problem was they didn't write
or authorize this code. So Ericsson goes straight back to Vodafone Greece and asks them,
do you know anything about this code? No, Vodafone doesn't know either. It's not their code,
and it would be unusual for a company like Vodafone to design custom software for one of
these exchanges. Typically, Ericsson's customers only changed the config files on these devices.
So it was really weird that a whole extra piece of executable software
was on Vodafone Greece's telephone exchange systems
without anyone knowing why it was there or how it got there.
Ericsson came to the conclusion,
this is malware, deeply embedded, sophisticated rogue software.
And its function was to secretly use Vodafone Greece's network to wiretap that list of cell phone numbers.
Whoever put it there was listening in to calls of 106 cell phone numbers.
The Vodafone systems had the malware installed in two of their central offices
and four of their switches used for routing cell phone calls, switches that had been provided by
Ericsson. More than that, the malware was using Ericsson's own lawful intercept technology
installed on Vodafone Greece's systems to carry out the wiretaps. And those cell phone numbers it was spying on,
they belonged to some of the most senior government officials in Greece, including
Greece's prime minister and his wife. This was a discovery of epic proportions.
Cell phone calls are supposed to be private. You dial, you connect, you have your conversation,
you hang up.
That connection is between your cell phone and the person you're calling.
No one is supposed to be listening in, including your cell provider.
But if there's an official warrant signed by a judge that orders them to tap it,
then, and only then, is it legal for someone else to secretly listen in.
This is called lawful intercept.
And it's legal wiretapping that a
telecom provider can do with a judge's approval. It's where law enforcement intercepts the calls
for a specific person or a group of people believed to be involved in serious criminal activity.
It's not just limited to phone calls. Texts, emails, video calls, and instant messaging can
all be intercepted too. For a telecom company like Vodafone, they have no option but to comply when presented with a legal warrant.
It is, put simply, spying on a customer for purposes of criminal investigation.
The telecom's provider can't tell the customer that they're doing it,
and the intercepted data is all sent back to law enforcement.
Lawful intercept isn't the same as
mass surveillance. It's targeted, focused on just one person or a small group of people. And generally
it's looking for specific information and not just trying to capture anything and everything.
Most developed countries now have laws in place to allow wiretapping or lawful intercept. The
terrorist attacks we've seen in the last few years have prompted this kind of standard across the board in many nations. But this story happened back in
2004. And in Greece at that time, the laws for lawful intercept were not in place yet. It was
not legal for authorities to do wiretapping, even with a judge's order. Meetings were held about it
in 2002, and then again in 2003.
And the Greek government discussed how lawful intercept should be implemented in the top
three telecom providers in Greece, which was Vodafone, Cosmote, and TIM.
But when the Olympic Games started in 2004, and when this malware was found in 2005, the
presidential decree had not yet been passed
which implemented and regulated lawful intercept in Greece.
Which means whoever was doing this wiretapping
was doing it illegally.
And it must not have been the Greek authorities.
Now Ericsson sells its exchange systems
in 180 countries all over the world.
And much of it is standardized telecoms equipment.
And it has the same base software and configurations for everyone.
Ericsson's products are used in a lot of countries, and their software needs to facilitate wiretapping
so that telephone providers in countries with lawful intercept can carry out a lawful wiretap.
On the tech side, Ericsson implemented lawful intercept technology directly
into their telephone switches. And there are two parts to this, and this is kind of important,
so listen up. The first part is the remote control equipment subsystem, or RES, which actually does
the wiretapping. And then there's the interception management system, or IMS, which is the user
interface that controls this wiretapping feature. So the authorities can log into IMS, enter the phone number that they're permitted to tap,
and then that communicates to RES, which actually does the actual tapping and then sends that data
back to IMS where the authorities can then capture that data and store it. So I'm going to use this
term RES a lot. So let me repeat it. RES is the feature
on these telephone switches that actually conducts the wiretapping. And the IMS feature is the
interface used to control it. And on this IMS interface, there are logs and permanent records
created whenever a wiretap is conducted through the RES software. At any time later on, they can
check to make sure that there were no unauthorized wiretaps
going on and that both systems match up. This makes the process of lawful intercept easy to do
and makes sure there's records of it. So Ericsson implemented this RES technology in a lot of their
telecom switches and it was rolled out all over the place. But in order to use it, you had to pay
an extra licensing fee, which is like tens of thousands of dollars, in order to get the IMS part of it to work.
What happened with Vodafone Greece is that they updated their AXE, the exchange switch,
with Ericsson back in 2003, which included the RES software as standard. They didn't purchase
or activate the front-end IMS system because they didn't have to. Law enforcement was never going to come with a warrant.
It wasn't legal to do in Greece.
So the RES system sat there in the background.
It wasn't being used by anyone at Vodafone Greece.
It didn't affect any of the other operating processes and didn't cause any trouble.
But it turned out it was the door that the hackers used to initiate these illegal wiretaps.
Whoever did this essentially hacked their way into Vodafone's systems and secretly activated this software.
They used the software on Vodafone's systems to illegally wiretap the country's top officials
and completely hide the fact that they were doing it from Vodafone.
The hackers realized that RES was the perfect weapon
to conduct these wiretaps with. It was already on the system, they just needed to enable it.
If, of course, the right know-how and malware could be developed and installed to do it.
Ericsson told Vodafone Greece they discovered this malware, and they gave them a list of the
106 cell phone numbers that the system had been wiretapping. That's 106 cell
phone numbers that every time a call was made to or from those numbers, someone else was listening.
A silent third party at the end of the line, listening, recording, note-taking, and archiving.
The two callers had no idea that they were being spied on, nothing sounds different. There were no crackles or delays to
suggest that the conversation wasn't private. You can think of your cell phone as both a transmitter
and receiver. When you use your cell, your handset talks to the nearest cell phone tower, which
connects your phone to a cell switch center. During your call, your speech is encoded to digital data
that's then sent via radio waves to your friend's phone
and converts it back to speech again. The cell switch exchanges like the one Vodafone Greece
had from Ericsson worked by routing your call across various interconnected exchanges to get
to where you wanted to go. The digital speech data is encrypted, but when it goes into the
switching center and when it leaves the center, that bit in between while it's passing through and being routed temporarily is unencrypted.
This is all done electronically and remotely for every call.
So these exchanges are a core part of Vodafone's network and essential to making phone calls.
And for something as big as Vodafone Greece, these exchanges were probably pretty massive.
I couldn't find a picture, but I imagine it to be rows of cabinets with high-tech servers, switches, and miles and miles of wires connecting them all together.
Flashing and blinking lights constantly on the go as they communicate with each other 24/7. The lawful intercept RES software usually works by making a parallel copy of the digital speech data and sending it
off to the law enforcement agency that requested the wiretap. The hackers for Vodafone Greece had
their wiretaps set up in exactly this way, but the data was sent to shadow cell phones instead.
So to get a copy of the call, it would just look like another outgoing call, nothing suspicious. And it sent
a text message to the shadow phones with the metadata of every call, the cell number, the date,
the time, and the call duration. So think about it. You've got the Greek prime minister who picks
up his cell phone and calls the minister of public order. And while he's listening and ringing and
waiting for the minister to answer, another cell phone is ringing at the same time.
A shadow cell phone held by the hackers.
And when the minister picks up and they start chatting,
that cell phone also gets picked up and they start listening.
When the PM disconnects, so does the shadow cell.
And all that data was being recorded,
bundled up and sent to another location where it was being
stored for safekeeping. With multiple numbers being wiretapped like this, one shadow cell is
not going to be enough. What if two of the targets make phone calls at the same time?
So hackers had a total of 14 shadow cell phone lines, which would pick up and listen to any of
the phones that were on that list of
106 phone numbers. If the target makes a call and the first shadow cell is busy, it just jumps to
the next, and then the next, until it gets an open line to listen in on. So when Ericsson told
Vodafone what they found and what it was doing, the Vodafone Greece team started trying to isolate the malware. Three days later, they
managed it. Now, by this point, it was March 8th, 2005. The CEO of Vodafone Greece, Yorgos Koronias,
needed to decide what he was going to do next. And his decision was, let's say, a little sloppy.
When there's an infiltration in any company, even back in 2005,
there's a standard procedure to follow, isolate the malware. And if you're interested in who did
the hack, which in this case, you would definitely be interested in who's listening in on the prime
minister. If that's the case, then you would try to trace it back to the hackers. And you would
also inform the relevant authorities and you'd protect your clients' services and data. The problem Yorgos had was the scale of this attack and all the targets
in it. While the hackers had used Vodafone systems and existing software to do it, it wasn't Vodafone
Greece that they were interested in. It was senior members of the Greek government. This was a serious
attack, one with huge consequences. I mean, this malware was allowing
unknown hackers to probably record calls and listen in on communications from these cell phones.
And what kind of conversations was the Greek prime minister having on his cell? And what about the
head of foreign affairs? Discussions on domestic and foreign policies, trade deals, defense strategies,
and potentially discussions involving state secrets. The kind
of information that could have been intercepted here could have international repercussions for
Greece. It was a disaster on every level, and Vodafone Greece was ground zero. On March 8th,
four days after Vodafone found out they had malware, there were some tense meetings held
in the head offices. Their network staff and Vodafone bosses seemingly had heated and at times angry communications on that day. I can only
imagine the variety of reactions they must have had to this. I mean, it makes perfect sense here
for people to get emotional and even go through the five stages of grief. At first, not believing
they had malware and some hackers were doing it. But then when that was proved without a doubt,
they must have been angry that somebody was doing this. And then when that passed,
they must have felt if only or guilty for letting this happen. And then at some point,
they might have felt depressed or sad that their network was compromised. And only after you get
through those stages, can you then work on accepting the situation
and moving forward towards a solution and next steps.
So nothing was done as a result of the meetings on March 8th.
But on March 9th, Yorgos, the CEO, instructed his team to fully deactivate
and delete the malware from the infected Vodafone systems.
He wanted it stopped in its tracks, cut it off and get rid of it completely so it couldn't do any more damage.
This might seem like a good idea at first, to get rid of the malware ASAP, but incident response
teams typically don't like to do that. Because the moment you delete that malware, it instantly lets
the hackers know they've been discovered. And they can either go on the run and hide all their tracks
or conduct a backup plan, like get another way into the network and snoop on calls a different
way. So a typical incident response team will start by collecting a ton of logs and saving it
and taking snapshots of everything because you run the risk of losing this data as time goes on
and then try to discover exactly how it got infected so that
they could permanently close the doors so that the hackers would not have the ability to come back.
And lastly, try to find out any clues that lead back to the hackers. I mean, if they had 14 shadow
phone lines set up, wouldn't it be a lot easier to trace these calls while the phones were active?
But the CEO insisted on kicking them out and shutting down these lines
before anything else. So that's what the tech teams did. They deleted the malicious code on
these phone exchanges, and they proceeded to disable all 14 shadow phone lines that were used
to send tapped calls to. And with that, the malware was gone, and the shadow phone lines were
disabled, and the wiretapping was stopped.
Now, so far, this story's pretty good, right?
Major telecom company gets hacked, and their target is to wiretap calls to and from the heads of state.
Sounds like high stakes and exciting.
Now you probably want to know who would do it and what happened after this.
But the story is about to get totally off the rails.
This is why I love nonfiction, because the truth is so insanely strange sometimes.
So stay with us through the break.
Okay, so get this.
On March 9th, they delete the malware.
Okay, fine.
But on March 10th, the very next day,
you remember Kostas Tsalikidis, right?
He was the network planning manager for Vodafone Greece.
And just two months ago,
he tried to submit his resignation letter, but Vodafone begged him to stay, so he did.
Now, Kostas was a real technical guy, so I'm thinking he was probably aware that this serious
malware issue was happening within Vodafone Greece. Well, Kostas was 38 years old and was
living in a loft apartment just outside Athens. Nice place, about seven miles away from work.
His parents were living in the same building.
And that morning, while the Vodafone CEO, Yorgos, was trying to figure out how he was going to tell
the prime minister of Greece that a wiretapping was going on, Kostas' mother came into his apartment
and found her son hanging from a rope in the bathroom doorway. She instantly panicked. A few minutes later, his brother,
Panagiotis, arrived. He found his mother hysterical in the hallway. He saw Kostas hanging there,
so he cut down his younger brother. Kostas was dead, and he had taken his own life.
Panagiotis, his brother, was in disbelief. Just before he called the police station, he called his wife and asked her to bring his camera to the apartment.
He didn't believe this was suicide.
Costas was recently engaged, and his wedding date was just in three months.
And he had made arrangements to take a vacation in just a few weeks.
He had been making trip plans with his fiancée just the days before.
He was in a happy and settled relationship, and he had no money troubles. There had been no signs of depression
or anything to indicate he was ever contemplating suicide. Panagiotis' wife, Kostas' sister-in-law,
spoke to a journalist named Elizabeth Filippouli about his death. Here's that clip.
I had never seen such a perfect body lying down dead in my life.
The way of death is written somehow on his body as an expression.
Costas was calm, was smiling.
He had his eyes closed.
He had his mouth closed.
He hadn't any possible bluish color like we have seen in hanging bodies.
It was like a stage thing.
It was as if somebody had designed something that worked out perfectly.
Nothing on his face would say that Costas went through any death fight
or any kind of pain, physical pain.
The night before he was found dead, Costas had talked to his fiancée on the phone.
And their phone records show he called a Vodafone corporate number,
but investigations don't seem to have figured out who
he spoke to. Then he sends a huge email to Vodafone's technical directors at 4:20 in the
morning. It was two pages long and went through all the outstanding work that had to be done
on the different networks. Three hours later, he was found dead. Panagiotis took photographs of Costas that morning. He wanted a
permanent record of how his brother looked just after he had been found. When the police arrived
at the apartment, they took statements from the Costas family. The police didn't take photographs
of the scene. They didn't dust for fingerprints or do any crime scene investigations. They saw
no reason to doubt that Costas' death
was a suicide. There were no signs of forced entry. The apartment was in order and there was
no indication of a struggle. Costas' body was taken to the morgue to get ready for an autopsy
the following day. On that same day, March 10th, Yorgos, the CEO, had arranged to meet with the
director of the political bureau of the prime minister and the political order minister. The prime minister was away at a
terrorism summit. Yorgos sat and explained the wiretapping discovery to the two ministers.
He then handed over a list of cell phone numbers that had been targeted and the incident case
description technical report prepared by Ericsson.
Oh, and get this.
On that very same day, a new law went into effect. This was the day that the presidential decree regarding lawful interception in Greece came into effect.
Right in the middle of the biggest telecom provider illegal wiretapping scandal ever seen,
Greece passed a law that created a process for lawful
intercept, legal wiretapping. The timing was ridiculous. When the prime minister learned of
the wiretapping, he immediately ordered a preliminary parliamentary investigation into
what happened. And on March 11th, the Greek minister of justice, along with the attorney
of the Supreme Court, met with the CEO of Vodafone Greece to get more details on this attack.
The investigation was to be done in secret. They didn't want any details made public yet.
And this would go on to be a huge investigation. They ultimately spent the next 11 months
gathering evidence and hearing testimony from all companies involved and anyone else who thought they might know something. Yorgos, the Vodafone CEO, maintained that he knew nothing of the lawful
intercept RES software. He said he didn't know it was included with the upgrade package that
they received from Ericsson. He also said his company didn't have the knowledge and capability
to do anything like this, even though Ericsson software is what could. The investigation called
for people from Ericsson to come give testimony. Remember, Ericsson is the company that made the
phone switches and devices, and they're the ones who kind of discovered this malware.
Even the CEO of Ericsson flew in to Greece to give testimony. Ericsson said that Vodafone knew
the RES software was present on these devices when they sold it to them, and that someone from Vodafone Greece even had to sign off confirming that they knew this feature
existed. So the investigation pulled up the receipt to look to see who signed for this,
and guess who it was? Their network planning manager, Costas, the guy who died.
Yorgos, the CEO of Vodafone, gave testimony too,
and when questioned about Costas' death,
Yorgos tried to distance himself from it,
saying it was a tragic suicide,
entirely unrelated to the wiretapping ordeal.
They asked him if Costas knew about the malware.
Yorgos said it was possible that Costas could have stumbled upon it himself,
since his role was technical enough, and he had that level of access to get into those systems.
As this investigation went on for months and months,
evidence started to disappear at the physical location of where the exchanges were that had malware on them.
There's a little visitor sign-in sheet.
It was Vodafone Greece's policy to destroy these sign-in sheets after six months.
So by the time investigators requested records of who had visited these locations
around the time of the wiretapping, those sign-in sheets had already been destroyed.
Policy or not, it seemed to be a bit suspicious that this key piece of evidence
in one of the biggest telecom investigations ever
happened to be destroying evidence because of a corporate
policy. These sign-in sheets might have revealed who had been in the facility at the time the malware
was installed. And on top of that, Vodafone upgraded two of the servers that were part of this hack,
and after the upgrade, all access logs to the management server were wiped.
Again, these logs of who accessed these systems, when, and what did they do,
they were all critical logs, but they were gone.
And weirdly, there were no backups of this either.
And then there's the transaction logs of the switch exchanges.
Now, they would have been useful, but nope.
Due to lack of space, Vodafone Greece only kept these logs for five days.
Although Vodafone had clear explanations
of why these actions were taken, the damage they did to the investigation into this hack
was pretty substantial. A proper incident response team would have collected all this
information right away and stored it in safekeeping and did snapshots and kept backups,
but this investigation was not being conducted by a proper incident response team.
But this was in 2005, before good response methodologies had been widely adopted.
On February 2nd, 2006, the Greek government decided to tell the world about this hack.
They held a press conference announcing that this will be an issue of national security.
The Greek government spokesman, the Minister of Justice
and the Minister of Public Order were all in attendance.
The press came in, turned on their cameras and recorders
and listened to the ministers give their talking points.
The title of this case could be phone wiretapping.
Among the phones wiretapped were the Greek prime minister's,
members of the government, an ex-minister,
member of the opposition party, and a number of private phones.
This wiretapping was performed by so far unknown persons
with the use of highly sophisticated technology.
The group of journalists that were there to hear this press conference were all
shocked. They learned for the first time how the discovery was made in March 2005 and that a
preliminary judicial investigation into the hack had now been concluded. More information on who
had been wiretapped came out too. The victims of this wiretapping included the prime minister
and his wife, foreign ministry officials, navy staff,
and members of the ministries of defense, public order, and merchant shipping.
They all had their phones tapped.
The Greek minister of public order did what he could to try to track down those shadow phone lines
and advised they were in fixed locations across Greece.
Here's the Greek minister of public order explaining to the press.
There were 14 to 16 mobile phones operating as shadow devices of the tapped numbers.
When a call was received by the intercepted phone, it was immediately connected with one
of the bug phones through the lawful interception software. Apparently, this shadow phone was taping the conversation into another software.
Okay, so these shadow phone lines were directing the wiretap calls to actual mobile phones.
Investigators were able to track the locations of these mobile phones
based on which cell towers they communicated with at the time when the wiretap calls were made.
Using this method, investigators were able to identify four Vodafone antennas that
had been directing calls to the shadow phones, and the locations of these antennas gave investigators
an idea of what part of town these phones were in when they received these calls. The location
was a two kilometer radius around central Athens in an area called Lycabettus Hill. This preliminary
investigation was now closed. He wasn't able to give any more information at this time.
Everyone in Greece stood up and paid attention to this news. Greek journalists were shocked at
finding this out. The Greek authorities, who should have been informed the moment the hack
was discovered, were shocked that they weren't informed. And the Greek citizens, who were now getting worried about the security and privacy of their
own telephone conversations, were also surprised. When the floor was open for questions, the
reporters immediately asked if a foreign country was behind this attack, because when the targets
were government officials, it just seemed like the logical conclusion. One reporter pointed out
that Lycabettus Hill is where the U.S. and British embassies are located. And if cell phones were
being used in those buildings, it would have hit one of those four towers that were identified
as the towers used by these shadow phones. The ministers advised that no conclusions can be
drawn yet. The investigation was still ongoing, and they recognized this was a pretty sophisticated
malware. To first gain access to a large telecom provider, then to write malware in the PLEX coding language,
which required intimate knowledge of both Vodafone's network and Ericsson's devices,
and then to also set up 14 shadow phone lines with automatic recording mechanisms for all incoming calls,
and to top it all off, all this went undetected for like eight months. This is not
something your average cyber criminal will know how to do. It's not something your typical hacktivist
will be capable of. No, no, no, no, no. This is far more advanced. Something that would require
a great deal of time, knowledge, skill, money, and effort to pull off. Not many people would be able to do something this
extraordinary. Costas' brother, Panagiotis, also listened closely to this press conference.
He was deeply concerned. I don't think he knew anything about this hacking incident
until a year after his brother died. He immediately contacted the Athens prosecutor,
who was investigating his brother's death. He wanted the death investigation
expanded to include this wiretapping affair. He wanted to know if there was any connection between
the two. Panagiotis requested the investigators exhume Costas's body because he wanted to look
for further signs of murder. So now it's 2006, over a year since the malware was found and the
news of the wiretapping hack at Vodafone Greece was out.
The Hellenic Authority for the Information and Communication Security and Privacy, or ADAE for short, also began their own investigation.
Officially, the ADAE is the Investigating Body for Information, Communication and Privacy in Greece. They really should have been told as soon as this
hack was discovered because they have the expertise to investigate the technical aspects of this
incident. They have the technical knowledge to collect and preserve the logs and unpack the
malware and figure out how it was all working. So a year after the malware was discovered, the ADAE
began their investigation and they released two preliminary reports in March and April of 2006 with their findings.
Now, these were released in Greek, obviously, and they don't seem to be publicly available.
But there is a fascinating article in the IEEE Spectrum, a technical magazine, which goes over this ADAE report.
It's called The Athens Affair. And two Greek university professors who taught computer
science and technology wrote this IEEE article. And they really got into the technical details
of how the hackers pulled this off. In June and August of 2004, the shadow phones started to be
registered, which was just before the Olympics in Athens. And this was followed by the malware
being installed on three of Vodafone's exchanges on August 4th.
The hackers then set up the target cell phone numbers all in time for the opening ceremonies of the Olympic Games of August 13th.
In October, the malware was installed on a fourth exchange, but it wasn't used for wiretapping any cell phones.
A feature of the Ericsson AXE switches is to be able to install new software without having to
reboot the whole system, because restarting would cause an interruption to Vodafone's services and
users. There would be dropped calls, no connections, messages not sent, whatever. So the perpetrators
liked the fact that a reboot wasn't required to install their rogue software. And this feature
was also great for Vodafone and Ericsson techs.
There's a point in the mobile connections where the voice call is unencrypted so the phone company
can process it. Well, that's the vulnerable point. Both lawful and it turns out unlawful wiretaps
rely on this temporary vulnerability to get a copy of the streamed data they need. This is where it's
picked up, replicated, and sent off to the shadow phones, all without the callers or cell phone providers having any idea.
Now, the RES software on Vodafone Greece's systems is what has the capability of doing lawful intercepts, or wiretapping by authorities.
This is what the hackers used to conduct their wiretapping, and they bypassed the interface, which would have logged what was going on.
So if anyone looked at the systems, it would show no eavesdropping was conducted.
This malware was really stealthy.
Its activity left no trail, no breadcrumbs,
and hid all its operations to remain entirely invisible across the Vodafone systems.
And it was programmed to modify the commands,
which would list active processes, hiding itself even better.
The hackers also added themselves login credentials so they could get access to these exchange switches at later dates,
and they included a backdoor so they could always get back in and make changes or updates.
This was done by changing the exchange's command parser.
If they entered a command followed by six spaces, this would act as a deactivation tool. It
shut down the exchange's transaction logs and silenced any alarms that would have alerted
Vodafone techs. This way, the commands they had in the malware to operate the RES for the wiretaps
could be executed without raising any flags at all. It was extremely well thought out and very
cleverly programmed. So who would do such a thing?
Stay with us, because after the break, we're going to shine a light on these shadow phones.
The hackers weren't entirely so stealthy. Remember the beginning of this story, how it all
started, that some text messages couldn't get sent and there were errors and that's what triggered
this all? Well, the hackers updated their malware, which was on these telecom switches, but there was
something wrong with the malware and it caused some text messages to not get delivered.
Up to this point, the wiretapping virus caused no impact to Vodafone systems
but this update did have an impact.
And it was with that update to the malware that all this became unraveled.
And so, the timeline is this.
The hackers were in Vodafone Greece's network
actively wiretapping calls for a
period of five months. And then when this error message showed up, Ericsson spent five weeks
reverse engineering the rogue software. And once it was determined that illegal wiretapping was
going on, Vodafone Greece's CEO called for the immediate removal of the software. In total,
the hackers were wiretapping calls for nine months. Four months after the
public press conference, the investigation into Costas' death was concluded. The Supreme Court
prosecutor reported on June 20, 2006, that there was no evidence of any criminal act against Costas.
His autopsy had shown no injuries to his body. The rope around his neck had been tied with
a standard knot positioned at the back of his head. His hyoid bone, that small bone in the back of
your neck, was still intact. The cause of death was determined as hanging by noose. This was not
a ruling that the Costas family was satisfied with. They all reported he was happy and making
plans for the future, but they did say
that about a month before he died, he sent some text messages to his fiancée with strange comments.
Leaving Vodafone Greece was a matter of, quote, life and death, unquote. Costas's text went on to
say that Vodafone was in trouble and that this was the trouble that, quote, threatened its very existence, unquote.
His fiancee, Sarah, never did find out what he meant by those words. Now, when Costas' family
searched his apartment after his death, they found some pretty interesting stuff. Costas was a
meticulous notekeeper. He had notebooks for all his networks and all that needed to be done and
what he was currently working on and what problems he needed to work on next. You get the idea. All notes and diagrams and scribbles. Makes
sense, right? These networks are complicated and the family actually hired independent telecommunications
experts, four of them, to try to decipher these notebooks to see if there was any clues in there.
And they dug up some curious bits of information. So Costas was the guy who upgraded all of Vodafone Greece's networks
to the 2.5G platforms when they came out.
And now it seemed it was right around the same time that the wiretapping happened
that Costas was working on upgrading everything to 3G.
For him to do that, he had to go around all the base stations and switch centers
and check all the antennas individually.
Pretty painstaking work.
But, meticulous at the same time, which meant Costas may have been in those switches that contained the malware,
and he may have discovered it while there, conducting some upgrades.
In his notebooks, there are references to the RES software,
which meant he knew they were capable of doing wiretapping, and there was a
diagram of two of the switch centers where the malware was discovered, and on his diagram were
two little question marks next to the devices where the malware was discovered. The prosecutor
did say that Costas' suicide was causally linked to the wiretapping affair going on inside Vodafone
at the same time, and the prosecutor also reported that Costas had some knowledge of this malware.
But maybe that means he just found out about it after Vodafone found out about it?
We don't know how much Costas knew about this wiretapping affair.
One month after this ruling, the media began reporting on some surprising events in Italy. In July of 2006, Adamo Bove, who was a network employee at Telecom Italia,
was found dead under a bypass in Naples.
It looked like he had jumped to his death.
Adamo had uncovered a network of illegal wiretaps inside Telecom Italia
and was an informer to the Italian prosecutor looking into the scandal.
He was a whistleblower.
Here's Al Jazeera covering the story.
Hello and welcome to People in Power. I'm Juliana Ruhfus.
It's July 2006 and Adamo Bove, head of security at Telecom Italia,
falls to his death from a motorway bridge in Naples.
Did he jump or was he pushed?
It's a mysterious death, but the former policeman was working on mysterious cases.
Italian prosecutors had asked Bove to investigate the role of the American and Italian military secret services in the abduction of Egyptian cleric Abu Omar in Milan, 2003.
Tracing mobile phone calls, Bove inadvertently stumbled upon a vast secret call interception system inside Telecom Italia.
Politicians, bankers, businessmen, even footballers and referees were being monitored.
This was a scandal that went right into the nerve center of Italian power.
There are so many similarities between the death of Adamo and the death of Costas.
They both worked for a major telecom provider. Both telecom providers had recently discovered illegal wiretapping going on internally,
and both of their deaths looked really suspicious.
Yet these two cases happened in two totally different countries.
After Adamo's death in Italy, the press continued speculating on the parallels between the two
deaths. And on September 26, after Costas' family appealed the court ruling, the Court of Appeals
once again reached a verdict that Costas died of suicide and his case was closed.
With the ADAE investigations complete, Vodafone and Ericsson were placed on the firing line.
On December 14, 2006, Vodafone was fined 76 million euros by ADAE,
and they blamed the company for not protecting its network well enough.
And it didn't end there.
They said they thought there was an insider at Vodafone
that gained the right access to install the malware.
A year later, in October 2007, they were fined again,
this time 19.1 million euros by the National Telecommunications Regulator
for breaching privacy rules. That brought the total fines to Vodafone Greece in at 95 million euros.
Ericsson didn't escape fines or blame either. The ADAE gave Ericsson a fine for 7.3 million euros based off their belief that the malware couldn't
have been installed or operated without in-depth knowledge of Ericsson's systems.
So Ericsson took some damage for this too. Five years later, Costas's death was officially brought
up again. Still, the family was not convinced it was suicide, and now they
had new evidence. On February 8, 2012, Costas' family presented new evidence to get the investigation
reopened. They had two new coroner's reports from independent experts who cast doubt on the suicide
verdict. The knots on Costas' noose, they were in fact a complex knot, not a simple everyday knot that the first coroner had reported.
And the rope position around Costas' neck and the presence of fluid in his lungs
was more consistent with strangulation than hanging.
There was no evidence of hypostasis where the blood collects in the legs,
which would have been expected in the case of hanging.
The second coroner's report also pointed out features missing which would have been expected in a hanging death.
Projection of the tongue, cyanosis of the face, injuries of the lower body from spasms and limbs
hitting off nearby walls or furniture. Both concluded, although suicide was still possible,
exhuming the body for further examination and testing for poisons would be a positive next step.
A step that the family had wanted authorities to take back in 2006, but were denied.
So two months after that, five years after Costas died, his body was exhumed, dug up, so they could test his body for toxins.
The toxicology report for poisons was negative.
Costas had not been poisoned or drugged before his death.
But now that they had the body to look at again,
they found Costas' hyoid bone was in fact broken.
This is a U-shaped bone in the front of the neck.
But the original autopsy report said it wasn't broken.
A broken hyoid bone is consistent with strangulation and not with death by hanging.
This could have happened after his death, like when he was buried or exhumed,
so it's impossible to know for sure when this hyoid bone was broken.
All this evidence combined resulted in a final report that Costas' death remained unclarified. But on June
16, 2014, the Athens Court of First Instance closed this second investigation. They did the
same as the last investigation. They upheld the ruling of suicide and allowed the case to be
closed and archived. So despite new evidence, Costas' family were told
he had still taken his own life.
The family took the case
to the European Court of Human Rights.
They were determined
to get a full and proper investigation
for Costas into how he had died
and any connection to his death
with the wiretapping scandal
at Vodafone, Greece.
While they awaited the court's ruling,
an investigation by James Bamford for The Intercept suddenly appeared.
He'd been working with the Greek newspaper Kathimerini
and one of their journalists, Aggelos Petropoulos,
and what they found out would turn this case on its head.
In September 2014, a journalist named James Bamford spent three days in Moscow
interviewing Edward Snowden for a cyber crime documentary that he was producing for PBS.
While there, he spotted some interesting stuff in some of Snowden's unpublished NSA documents
that talked about Greek wiretapping. This was a case that James was following since it
was first publicized back in 2006, so he was curious. He knew about the death of Costas and
decided to do some digging. Joining forces with Aggelos Petropoulos at Kathimerini, the pair
uncovered the real story that had stayed in the shadows throughout the case. It all goes back to 2004,
Olympic Games in Athens. This was a huge opportunity for Greece, an honor to host an
important international event. And they spent over 7 billion euros designing building venues and
updating infrastructures in Athens and across Greece. They were doing everything they could
to showcase Greece to the Olympics around the world to ensure their success.
But these Olympics were going to be the first summer games to be held outside the U.S. since 9-11.
Everyone was on high alert.
Now, I really wanted to stick my head in this story and understand this as best as I could.
So I called up one of my listeners who grew up in Greece.
Hey, Jack.
Hello. How's it going? All good. Thanks. How are
you? I don't want to say his name because he is actually connected to the story in some way,
but he didn't want to talk about that publicly. But the thing that you should know is that he's
been following this story all his life. This story kind of broke when I was much younger,
and it was the first kind of introduction I had
into the world of cybersecurity, wiretapping, intelligence, etc. And I followed it from day
one. And I think it's what got me to the place I am today. Yeah. So as an 11 year old, this was
really fascinating to him seeing this on the news, hearing his parents talk about this. And so he was Googling things like wiretapping and how to do wiretapping and different hacking
techniques and things like that. And today he's a penetration tester for some really big companies.
So it's fascinating to see how the story had a ripple effect on him. So I asked him,
what kind of terrorist activity has there been in Athens leading up to the 2004 Athens
Olympics. And he told me about this one terrorist group, which is known as the Dekaefta Noemvri or
17th of November. They were a far left terrorist group formed in some time around 1975. They wanted mainly, they wanted the removal of U.S. military bases from Greece,
and they wanted Turkey out of Cyprus, who had invaded in 1974.
Now, to do this, they had murdered countless U.S. individuals.
They murdered the Athens CIA station chief, uh, Richard Welch.
They attempted to, uh, murder one of the most prominent Greek businessmen, uh, called
in a failed IED attack on his armored car. Um, they murdered several Greek police members, including the Greek police chief,
as well as a UK brigadier called Stephen Saunders. And not only that, I think these guys were the
ones that sent the bomb threat to Air Force One when President Bill Clinton came to Greece.
The key members of this November 17th terrorist group
did get caught and it ultimately got them disbanded. But yeah, there was some terrorist
activity before the Greek Olympics, a lot of it. And this gives us a better perspective of what
Greece must have been thinking leading up to these Olympics. Was November 17th going to come together
again and do something? Greece is sort of the border between Western culture and Eastern
culture. It's got a mix of communism and capitalism. And there's a lot of people who feel very
opinionated on which way Greece should swing. So the Greek government was concerned, very concerned
about terrorist attacks. So when James Bamford, a journalist for The Intercept, looked over some unreleased NSA documents that Edward Snowden had,
He saw something in it that took him by surprise.
He found documents that showed the NSA has routinely approached host countries of the Olympics
to offer help and support in providing intelligence security.
I mean, the NSA has the experience, the kit, and the expertise
that a lot of these countries don't. And Greece just wasn't ready or capable to carry out any
kind of mass surveillance like this. So according to these Snowden documents, the NSA started working
with the Greek National Intelligence Service in the two years running up to the Games. But according
to Greek law, it was illegal for the government to wiretap phones.
So initially, the Greek government did not want to do this. They were hesitant, at least. But they
were nervous about a potential terrorist attack at the Olympics. And the help of the NSA for the
Greek government was valuable. So the Greek government secretly agreed to let the NSA into the Greek telecom system for the period of the Olympic Games.
James Bamford is a seasoned journalist who's exposed the NSA a few times before.
He's been writing about them for years, bringing up a lot of dark things into the light.
He's written for Foreign Policy Magazine, The New York Times, Wired, and The Intercept. And he's published a few books
on the NSA too,
all New York Times bestsellers.
So he's pretty familiar
with all what's going on there.
And he has insider sources everywhere.
He gave a talk at a conference
called DeepSec in Vienna, Austria
in November 2015.
And it's amazing.
This YouTube video of his talk is a gem.
He shows us top secret Snowden
docs and so much more. It's been up for four years, but only has 290 views. But let's listen
in on it. So the very first thing is the NSA will come into a country and they'll say, look,
you're going to have the World Cup or you're going to have the Olympics or you're going to
have some big event. Well, you need us because we can tell you when there's going to be a terrorist event
because we can search through all the communications.
So, you know, have us come in, have us bug your whole telecom system, and we can help
you.
You know, we're there to help you.
So that's what they did. They got the permission from the Greek government to come in and do the bugging.
And what this document here from the Snowden archive talks about is they've been doing this for years.
NSA has been going around to various Olympic venues and saying,
we're here to help, and let us come in, bug all your phones,
and after it's over, we'll disappear and you'll never hear from us again.
James goes on to explain that for the NSA to be most effective, they need someone good at
HUMINT, which is human intelligence. They needed someone to be inside Vodafone Greece to help with
this malware. So to help with this, James says they used a CIA
agent named William Basil. He was perfect for this. He spoke Greek, he had Greek family,
he was familiar with Greece, and at the same time he was working for the CIA. James believed this
guy Basil posed as the first Secretary of Regional Affairs for the U.S. Embassy, something that might
sound official, but maybe not an actual role.
This guy, Basil, would go around recruiting insiders
to help him out with this hack.
So basically, now you've got the agreement of the government,
you've got the inside person, you've got the malware,
you've got the external intercept operations going.
What now is needed was some way to get that information
after it's been collected, after it's been intercepted, basically,
in Vodafone.
James goes on to explain how the shadow phones were all set up
and how a mobile phone would ring whenever one of the numbers were dialed.
So it was a very good setup.
You got the agreement of the
government. You put them in there, look for terrorists during the Olympics, keep everybody
happy, get an inside person there. You get the malware, then you exfiltrate the intercepted
communications to these untraceable cell phones. And then that puts it in into NSA. Okay, well, then the Olympics take place
and there were no terrorist attacks during the Olympics, so all went well. That's supposed to be
the end of the operation. The NSA is supposed to take it all out, fly back to Fort Meade, and say
goodbye to the to the Greek and the Greek telecom system.
The problem was, according to my confidential source,
they never removed it.
All they did was they turned it off for a day,
and then they turned it back on again.
But now, instead of going after the terrorists,
which is the whole raison d'être for the operation in the first place.
Now they're secretly turning it on the Greek government. They're turning on the prime minister,
his wife, I don't know why, but they did, and the mayor of Athens. Then James goes on to say that
this is not the only time the NSA has wiretapped a friendly country to listen in on the leader's
phone calls. There was a WikiLeaks article that came out which said that in 2009,
the NSA was wiretapping Angela Merkel's phone in Germany,
as well as 124 other top German officials.
And see, while of course we can assume the NSA is wiretapping countries which are adversaries,
it's just shocking for us to hear that the NSA is wiretapping friendly nations like this.
So this is just standard operating procedure.
I mentioned this to a senior NSA source
and said, you know, is this unusual or what?
He laughed and he says, they never remove it.
Are you kidding?
Once you got it in there, you leave it in there.
So that's just standard operating procedure for NSA.
It's a bait and switch move.
Get the agreement first, then when the people aren't looking, switch the parameters of what you're doing.
And if it hadn't been for that update in January 2005 causing the text message errors, it could have gone on for way longer.
Since the official reports of the ADAE back in 2006, publicly, at least it seemed, little ground had been gained
in figuring out who these hackers were.
Official investigations had gone quiet
with no new information coming to light.
But the Greek authorities
had been working in the background
and they were focused on these shadow phones.
It was the only lead they had
to try to trace these hackers.
They managed to trace some of the signals
from these shadow phones
through four active Vodafone antennas. Even though these phones had been turned off as soon as the malware
was detected, investigators found new clues. They were able to trace the direction of the signals,
which pointed directly to the U.S. embassy in Athens. They also detected nearly 40 calls to
the U.S. embassy that had been made by one of the shadow phones using a SIM card. Plus, they discovered that these shadow phones connected calls to cell towers that were near
NSA's U.S. headquarters in Maryland. The evidence was starting to mount up.
There is one thing which I think kind of has gone over the head of not just yourself,
of everyone that has kind of reported on this issue, which is at the same time as this wiretapping was going on,
there was a massive blimp that was kind of like a Zeppelin,
you know, one of those airships that was flying around.
I think it had a 16-hour flight time.
The blimp was called the Skyship 600, owned by Sky Cruise Switzerland,
which had cameras that were capable of reading license plates.
It had microphones that were capable of picking up phone calls from the air.
They could listen to phone calls on the ground.
They had chemical detectors. And this is also something that
kind of riled up a lot of people who were saying, hey, this is a massive
kind of impeachment on our privacy. We don't want this here.
The Greek authorities managed to identify a cell phone store in the city of Piraeus,
about six miles away from Athens, and it was there that four
of the shadow phones had been purchased. They sat the owner down and showed him photos, and he
recognized someone in one of the photos. She was the wife of the first secretary of regional affairs,
which was the title of William Basil, the CIA agent based working out of the U.S. embassy in
Athens. It had been his wife who originally
purchased the shadow phones. And again, it was journalist James Bamford who exposed the CIA agent
and what he was doing. In February 2014, nine years after the wiretapping had been discovered,
the Greek government had issued an international arrest warrant for William Basil as a suspected CIA agent working out of the U.S. embassy in
Athens. He was charged with espionage and eavesdropping. This was an unbelievably rare
move for an allied country to take, and one that most of the media, at least outside of Greece,
didn't even catch. But the Greeks were now confident that Basil was deeply involved in this attack on their government.
And by extension, that implicated the U.S. too.
Did he recruit an insider to do this attack?
Did he recruit Costas?
These are questions we'll never know the answers to.
Costas would have been an excellent insider at Vodafone Greece.
He was in the perfect position to access all the networks they needed.
But he could
have also been entirely innocent in all this too. 16 years on and we still don't know. Basil himself
is now nowhere to be found. Right after the hack was discovered, he disappeared from Greece. In
August 2005, he returned to his job in the U.S. Embassy in Athens,
but Basil was first secretary.
He had diplomatic immunity.
He couldn't be arrested.
But in 2014, Basil retired,
which meant he didn't have diplomatic immunity anymore.
So he disappeared.
And now the Greek government can't find him and is still looking for him. The case of Costas' death was reopened
for the third time. The first two investigations were scrutinized. The new coroner's report
raising doubts about his death being suicide was examined and all the information about the
wiretapping was available. So on June 21st, 2018, the Athens prosecutor ruled that Costas was in fact murdered.
On November 16th, 2017, the European Court of Human Rights ruled in favor of Costas' family.
The court agreed Costas' death was not on both occasions investigated fully, despite clear inconsistencies around his death.
The Greek government was ordered to pay the Tsalikidis family
50,000 euros in damages. An arrest warrant for murder was issued for persons unknown. Costas
hadn't taken his own life back in March 2005. Someone had killed him and staged his death.
We will never know for certain what role Costas played in this affair and what exactly happened to him on March 9, 2005.
And maybe his death had nothing to do with this hack.
It's only speculation to believe it did.
But it's very suspicious.
Because, I mean, if Costas got recruited to help stop terrorists,
okay, he might have gone for that.
But then, when the tides changed, and now they're spying on the prime minister, and then when all that was discovered, I could see why Costas might have wanted to quit
his job. I could see him getting into a panic. And it's not unheard of that the CIA might try
to murder someone. But then, at the same time, the Greek government allowed this illegal wiretapping
to begin with,
so maybe the Greek government didn't want to let the cat out of the bag
because it would make them look bad.
Costas loved his family, and his job, and his country.
If he was wrapped up in all of this, it would have certainly been stressful for him.
But now he's dead, with no answers as to why.
The hack into Vodafone Greece for their government secrets
has never resurfaced in terms of what information was gained.
Like, was it even worth it?
Whether the malware used here was installed entirely remotely
or maybe it was physically installed on those switches,
we don't know for sure.
There's a reason this case has been called the Greek Watergate.
It's the modern version of
the Richard Nixon Watergate that's so well known, breaking into offices out of hours and installing
hidden microphones to be replaced with sophisticated malware, automated call monitoring, and hidden
identities whose real faces remain in the shadows. And it's still kind of weird to me that Ericsson,
the makers of these telecom switches, was fined 7 million euros.
Because they didn't secure it enough to keep the NSA from developing malware on it?
Because the Greek government secretly allowed the NSA to install the software?
The fine on Ericsson and Vodafone Greece just didn't seem fair at the end of all this.
Because this was approved by the Greek government,
and then the Greek government fined them for it?
Well, I mean, the NSA did switch off the wiretapping tools for one day, but then they
switched them back on and put in a list of 100 plus government officials, you know? And I think
that's why the fine came down. Because if you're Vodafone and you have knowingly let the NSA come in to do some wiretapping,
not only would I make sure to wipe it afterwards thoroughly,
but I would probably opt for just burning those switches entirely and buying new ones.
But wait a minute.
So if the NSA went to Greece to get this approval,
they must have met with Greece's National Intelligence Service,
which is known as EYP or APE.
If APE was involved with this wiretapping,
were they also involved with the investigation of this afterwards?
So the chief of APE at the time was an individual called Yanis Karanidis, I believe.
And he testified in front of a parliamentary hearing
that due to the malware being removed,
the deletion of the logs of this and that and the other,
that severely hindered their operation.
Oh, this is endless.
It's so crazy that they specifically said there wasn't
enough evidence to properly investigate this. Of course they would say that because that's a
defense mechanism if they wanted to hide their own tracks. Ah, and this just brings up so many
more questions I have. Like, did the CEO of Vodafone even know that this deal was going on
with the NSA? And what approvals did the NSA get?
Just the authorization to conduct wiretaps, but not actual help from Vodafone to do it?
Did the CIA agent recruit someone inside Vodafone?
Or did the Greek government get someone inside Vodafone to help?
And again, did the CEO of Vodafone have any awareness of any of this?
In court, he said no.
But how could all this go on without him knowing? If approvals were given, then approvals were given. Go ahead. But it just seems like
the Greek government gave the NSA approval to conduct wiretaps, but then didn't give them
any help to get into Vodafone. And that's some shady stuff that the Greek government is conducting
here. Allowing a foreign country to not only
wiretap people, but also hack into its biggest telecom provider to do it, and then fine that
telecom provider after it happened? It's just nuts. And mostly because there's a death involved
in this case. Like, what the heck happened to Costas? And let me be clear, there's not many
deaths involved in hacker stories that I can find.
And not only that, but do you remember that Italian guy, Adamo,
where he was found dead after discovering wiretapping was going on in Telecom Italia?
Yeah, well, get this.
That year when Adamo found wiretapping going on in Telecom Italia
was the same year that Italy hosted the Winter Olympics.
And Telecom Italia is the third largest mobile network in Greece,
which makes me wonder, did people in Greece get tapped through Telecom Italia too?
And why didn't any of this come to light or show up in the investigation either?
And I don't even know what happened to Adamo either.
There's so many questions.
But it's been 16 years now since this case opened,
and we still don't have all the answers.
There's still at least two warrants for arrest that are open for espionage, eavesdropping, and murder.
So I'm sure this won't be the last time we'll hear about this case.
The more questions that you ask, the more questions you're provided with rather than answers.
You know, it's kind of like an endless rabbit hole that one thing leads to another
that leads to another that leads to another.
And I don't think, honestly, you will ever find out what the true, true extent of the story is.
If you liked this episode, you should go check out episode number 48.
It's called Operation Socialist, and it's about another wiretapping affair that happened in Belgium.
This show is made by me, the digital Hermes, Jack Rhysider.
This episode was written by the sweet Pandia, Fiona Guy.
Sound design by the
opulent Orpheus, Andrew Meriwether. And editing help this episode by the Electrona Demien. Our
theme music is by the exquisite Dedala Crafter, Breakmaster Cylinder. And even though I'm still
waiting for my long lost uncle, who happened to be a Nigerian prince, to send me his inheritance,
this is Darknet Diaries. Thank you.