WEBVTT

00:00:01.990 --> 00:00:07.450
JACK: [GREEK] Do you remember the Olympics of 2004?

00:00:07.450 --> 00:00:11.520
ANNCR: Citizens of the world, welcome to Athens.

00:00:11.520 --> 00:00:16.680
JACK: It was in Athens, Greece where the first Olympics ever took place.

00:00:16.680 --> 00:00:21.680
ANNCR: Olympic Games, welcome back to Greece.

00:00:21.680 --> 00:00:23.100
[CHEERING] [GREEK]

00:00:23.100 --> 00:00:30.210
JACK: [MUSIC] It was also just three years after 9/11 and there’s always a fear that

00:00:30.210 --> 00:00:33.410
terrorists may strike at the Olympics.

00:00:33.410 --> 00:00:38.330
In the 1972 Olympics, eleven people died in the Munich massacre.

00:00:38.330 --> 00:00:44.010
In the 1996 Olympics in Atlanta, Georgia a bomb went off in the Centennial Olympic Park,

00:00:44.010 --> 00:00:47.690
killing one person and injuring over a hundred others.

00:00:47.690 --> 00:00:52.739
In the South Korean winter Olympics of 2018, there was a pretty destructive hack that took

00:00:52.739 --> 00:00:54.530
down a lot of the Olympic village.

00:00:54.530 --> 00:01:01.390
So, how does a country ramp up to protect itself from terrorism at the Olympics?

00:01:01.390 --> 00:01:06.510
What does an attack even look like in today’s modern world where hacks can be conducted

00:01:06.510 --> 00:01:09.580
silently without anyone knowing?

00:01:09.580 --> 00:01:18.369
JACK (INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet.

00:01:18.369 --> 00:01:23.610
I’m Jack Rhysider.

00:01:23.610 --> 00:01:27.590
This is Darknet Diaries.

00:01:27.590 --> 00:01:35.860
[INTRO MUSIC ENDS]

00:01:35.860 --> 00:01:42.490
JACK: Wiretapping; everyone knows what wiretapping is.

00:01:42.490 --> 00:01:47.159
It’s one of the oldest hacking techniques out there; secretly listening into conversations

00:01:47.159 --> 00:01:49.469
without permission or an invite.

00:01:49.469 --> 00:01:53.430
It can be a great method to get information that you’re not supposed to have.

00:01:53.430 --> 00:01:57.710
[MUSIC] When telephone exchanges were manually operated to connect calls, physical wires

00:01:57.710 --> 00:01:59.920
were the key to a successful wiretap.

00:01:59.920 --> 00:02:04.420
If you wanted to be a master wiretapper, you needed to master location of the wires and

00:02:04.420 --> 00:02:07.899
break out some crocodile clips and clip it to the right ones.

00:02:07.899 --> 00:02:11.239
As technology advanced, wiretapping did, too.

00:02:11.239 --> 00:02:15.580
Soon there was a secret little device you could plant inside telephone handsets.

00:02:15.580 --> 00:02:20.849
In May 1972, members of a re-election group supporting Richard Nixon broke into the Democratic

00:02:20.849 --> 00:02:24.569
National Committee’s Watergate offices and wiretapped their phones.

00:02:24.569 --> 00:02:29.300
A month later they returned with a new microphone to get a better listen.

00:02:29.300 --> 00:02:32.690
Caught by a security guard, their covert operation was over.

00:02:32.690 --> 00:02:37.489
Within a year it had come to light that Nixon was secretly recording all conversations happening

00:02:37.489 --> 00:02:39.489
inside the Oval Office.

00:02:39.489 --> 00:02:45.100
These acts and the attempt to cover it up ultimately ended his political career.

00:02:45.100 --> 00:02:49.150
Today, it’s all about the tech.

00:02:49.150 --> 00:02:53.260
Sure, the wires are still important; there would be no telephone switch exchanges without

00:02:53.260 --> 00:02:59.409
them but it’s the hardware and software that runs a now fully-electronic switch exchange;

00:02:59.409 --> 00:03:04.050
the ability to interconnect and route calls all over the world in a fraction of a second.

00:03:04.050 --> 00:03:08.299
The thing about wiretapping is that it’s a secretive activity by its very nature.

00:03:08.299 --> 00:03:12.019
If you were supposed to be listening to that call, the caller would know and would have

00:03:12.019 --> 00:03:13.019
dialed you in.

00:03:13.019 --> 00:03:18.340
There are two types of wiretaps; there’s the legal kind done by law enforcement to

00:03:18.340 --> 00:03:24.370
help solve crimes using lawful interception technology and then there’s the not-so-legal

00:03:24.370 --> 00:03:30.950
kind, the kind that’s done by unauthorized parties and not approved, the kind done by

00:03:30.950 --> 00:03:31.950
hackers.

00:03:31.950 --> 00:03:36.590
[MUSIC] Thirty years ago, a telecom company was created in Greece.

00:03:36.590 --> 00:03:38.470
It was called Panafon.

00:03:38.470 --> 00:03:42.319
They were your basic run-of-the-mill company; running lines to residential buildings and

00:03:42.319 --> 00:03:45.200
commercial buildings, routing, and connecting calls.

00:03:45.200 --> 00:03:49.590
About ten years after launch they were acquired by Vodafone which is a major telecom

00:03:49.590 --> 00:03:51.569
company based in the UK.

00:03:51.569 --> 00:03:58.970
So, Panafon was re-named to Vodafone-Panafon but it’s just better known as Vodafone Greece.

00:03:58.970 --> 00:04:03.530
Every time I say Vodafone in this episode, I’m particularly referring to the Vodafone

00:04:03.530 --> 00:04:05.430
Greece section of Vodafone.

00:04:05.430 --> 00:04:10.890
It’s like its own unit within Vodafone.

00:04:10.890 --> 00:04:16.790
On January 24th, 2005, the system administrators at Vodafone Greece started getting error messages

00:04:16.790 --> 00:04:19.990
for their telecom switch exchange devices.

00:04:19.990 --> 00:04:24.750
The errors were saying that text messages from other carriers weren’t being delivered

00:04:24.750 --> 00:04:25.750
properly.

00:04:25.750 --> 00:04:30.160
By this point, Vodafone Greece was pretty big; they had like, 1,500 employees.

00:04:30.160 --> 00:04:33.690
The error message at Vodafone Greece really concerned the tech teams.

00:04:33.690 --> 00:04:37.789
They started going through the error logs and troubleshooting and looking at system

00:04:37.789 --> 00:04:39.680
data dumps for this fault.

00:04:39.680 --> 00:04:43.870
But they couldn’t figure out why some text messages weren’t getting delivered.

00:04:43.870 --> 00:04:47.410
So, they contacted their equipment provider which was Ericsson.

00:04:47.410 --> 00:04:52.210
Now, Ericsson is an enormous company based in Sweden who’s been going well for like,

00:04:52.210 --> 00:04:53.510
a hundred years.

00:04:53.510 --> 00:04:56.910
Ericsson was one of the biggest telephone equipment manufacturers around.

00:04:56.910 --> 00:05:02.210
We’re talking 40% of the entire world’s cellphone traffic goes over equipment that

00:05:02.210 --> 00:05:03.389
Ericsson made.

00:05:03.389 --> 00:05:05.130
So, they’re huge.

00:05:05.130 --> 00:05:09.350
Being that big and at it for a hundred years, they knew this game inside and out so Vodafone

00:05:09.350 --> 00:05:12.680
Greece contacted Ericsson to ask them what are these error messages?

00:05:12.680 --> 00:05:15.190
Why can’t these text messages get delivered?

00:05:15.190 --> 00:05:17.830
Ericsson began troubleshooting and looking into it.

00:05:17.830 --> 00:05:20.900
Things didn’t get any better for Vodafone in the meantime.

00:05:20.900 --> 00:05:24.650
They’re getting all these complaints from cell phone customers who weren’t happy their

00:05:24.650 --> 00:05:26.490
texts weren’t sending.

00:05:26.490 --> 00:05:33.319
To make things worse, on January 31st, Vodafone’s network planning manager submits his resignation.

00:05:33.319 --> 00:05:37.410
The network planning manager’s name was Kostas Tsalikidis.

00:05:37.410 --> 00:05:42.780
He had been with Vodafone Greece for eleven years but he was really wanting to quit his

00:05:42.780 --> 00:05:43.780
job.

00:05:43.780 --> 00:05:45.690
[MUSIC] Kostas was good at his job.

00:05:45.690 --> 00:05:47.430
He was experienced and detailed.

00:05:47.430 --> 00:05:51.520
He kept notebooks of his networks and put in the extra hours needed to keep the network

00:05:51.520 --> 00:05:52.830
running cleanly.

00:05:52.830 --> 00:05:57.100
He had an engineering degree specializing in telecommunications, and then a Masters

00:05:57.100 --> 00:05:59.120
in Computer Science.

00:05:59.120 --> 00:06:03.840
Just the year before this, Greece had hosted the Summer Olympic Games in Athens, a huge

00:06:03.840 --> 00:06:05.470
event for the country.

00:06:05.470 --> 00:06:10.280
For Vodafone and for Kostas, these months before the opening ceremonies on August 13th

00:06:10.280 --> 00:06:12.639
were full of long and tiring days.

00:06:12.639 --> 00:06:18.120
They were planning and implementing new systems, setting up upgraded networks to make sure

00:06:18.120 --> 00:06:22.630
they could handle the tens of thousands of people who were going to flood into Greece

00:06:22.630 --> 00:06:23.890
for the Olympic Games.

00:06:23.890 --> 00:06:29.630
Plus, all the extra police and military personnel that needed to be there, they all needed communication

00:06:29.630 --> 00:06:30.740
systems, too.

00:06:30.740 --> 00:06:33.000
That was a huge project for Kostas.

00:06:33.000 --> 00:06:36.780
But then five months later he wanted to quit?

00:06:36.780 --> 00:06:42.510
Vodafone refused to accept his resignation and persuaded him to take some time off instead.

00:06:42.510 --> 00:06:48.710
So, he took a little break and then came back to work in the middle of February.

00:06:48.710 --> 00:06:53.570
Weeks later, on March 4th, Ericsson had some big news for Vodafone Greece.

00:06:53.570 --> 00:06:58.710
They’d been digging around on these devices looking for where the error message was and

00:06:58.710 --> 00:07:02.060
they found something they weren’t expecting to find.

00:07:02.060 --> 00:07:07.030
[MUSIC] First, they found two files and one was a list of cell phone numbers.

00:07:07.030 --> 00:07:12.250
They had no idea why this big list of cell phone numbers was stored in this location.

00:07:12.250 --> 00:07:17.300
It was unusual but it is a telecom provider, so maybe there’s just cell phone numbers

00:07:17.300 --> 00:07:18.629
all over these devices.

00:07:18.629 --> 00:07:25.039
But their investigation revealed a pre-compiled binary executable program.

00:07:25.039 --> 00:07:30.300
Ericsson had no idea why this executable program was there in the switch.

00:07:30.300 --> 00:07:35.020
They couldn’t tell what these executable files did because they were not human-readable.

00:07:35.020 --> 00:07:40.500
But this program existed on the telecom switch right next to the unusual set of cell phone

00:07:40.500 --> 00:07:41.500
numbers.

00:07:41.500 --> 00:07:47.900
Now, Ericsson had a line of digital telephone exchanges that they called A-X-E, AXE.

00:07:47.900 --> 00:07:51.949
These AXE devices were exchanges that Vodafone Greece used.

00:07:51.949 --> 00:07:58.860
The software was all written in PLEX code which is not that common and pretty complicated.

00:07:58.860 --> 00:08:03.990
The executable files must have been created using the PLEX code in order to run on this

00:08:03.990 --> 00:08:07.870
particular telecom switching system, the AXE.

00:08:07.870 --> 00:08:13.290
Ericsson had no idea what this extra code was doing or why it was there, and it perplexed

00:08:13.290 --> 00:08:14.290
them.

00:08:14.290 --> 00:08:18.460
Vodafone Greece had no idea either, so Ericsson decided to try to figure it out.

00:08:18.460 --> 00:08:23.590
To figure out what it was doing, they had to rebuild it in the PLEX language which was

00:08:23.590 --> 00:08:25.070
not an easy task.

00:08:25.070 --> 00:08:30.500
They reverse-engineered this executable code and put it back into its original language.

00:08:30.500 --> 00:08:32.520
This took a long time.

00:08:32.520 --> 00:08:36.620
Ericsson actually outsourced a lot of their software development for the AXE exchange

00:08:36.620 --> 00:08:40.140
to a local company called Intracom Telecom.

00:08:40.140 --> 00:08:45.190
This company took five weeks and was able to reverse-engineer the code.

00:08:45.190 --> 00:08:51.740
After they did that, they were left with a program that was 6,500 lines long.

00:08:51.740 --> 00:08:57.940
This rogue program that was on this telecom switch was using that long list of phone numbers

00:08:57.940 --> 00:09:00.329
that was also found.

00:09:00.329 --> 00:09:04.209
This meant the two unusual files were somehow linked.

00:09:04.209 --> 00:09:09.740
The problem was, they didn’t write or authorize this code so Ericsson goes straight back to

00:09:09.740 --> 00:09:13.529
Vodafone Greece and asks them, do you know anything about this code?

00:09:13.529 --> 00:09:14.529
No.

00:09:14.529 --> 00:09:15.529
Vodafone doesn’t know either.

00:09:15.529 --> 00:09:19.430
It’s not their code and it would be unusual for a company like Vodafone to design custom

00:09:19.430 --> 00:09:21.680
software for one of these exchanges.

00:09:21.680 --> 00:09:26.720
Typically, Ericsson’s customers only change the config files on these devices so it was

00:09:26.720 --> 00:09:33.800
really weird that a whole extra piece of executable software was on Vodafone Greece’s telephone

00:09:33.800 --> 00:09:39.970
exchange systems without anyone knowing why it was there or how it got there.

00:09:39.970 --> 00:09:46.210
Ericsson came to the conclusion this is malware, deeply embedded, sophisticated rogue software,

00:09:46.210 --> 00:09:52.260
and its function was to secretly use Vodafone Greece’s network to wiretap that list of

00:09:52.260 --> 00:09:54.310
cell phone numbers.

00:09:54.310 --> 00:10:00.150
Whoever put it there was listening in to calls of 106 cell phone numbers.

00:10:00.150 --> 00:10:05.680
[MUSIC] The Vodafone systems had the malware installed in two of their central offices

00:10:05.680 --> 00:10:11.140
and four of their switches used for routing cell phone calls, switches that had been provided

00:10:11.140 --> 00:10:13.279
by Ericsson.

00:10:13.279 --> 00:10:17.970
More than that, the malware was using Ericsson’s own lawful intercept technology installed

00:10:17.970 --> 00:10:22.000
on Vodafone Greece’s systems to carry out the wiretaps.

00:10:22.000 --> 00:10:27.470
Those cell phone numbers it was spying on, they belonged to some of the most senior government

00:10:27.470 --> 00:10:34.100
officials in Greece including Greece’s prime minister and his wife.

00:10:34.100 --> 00:10:38.950
This was a discovery of epic proportions.

00:10:38.950 --> 00:10:40.740
Cell phone calls are supposed to be private.

00:10:40.740 --> 00:10:44.450
You dial, you connect, you have your conversation, you hang up.

00:10:44.450 --> 00:10:48.120
That connection is between your cell phone and the person you’re calling; no one is

00:10:48.120 --> 00:10:51.720
supposed to be listening in, including your cell provider.

00:10:51.720 --> 00:10:56.560
But if there’s an official warrant signed by a judge that orders them to tap it, then

00:10:56.560 --> 00:11:00.560
and only then is it legal for someone else to secretly listen in.

00:11:00.560 --> 00:11:05.901
This is called lawful intercept and it’s a legal wiretapping that a telecom provider

00:11:05.901 --> 00:11:08.200
can do with a judge’s approval.

00:11:08.200 --> 00:11:12.829
It’s where law enforcement intercepts the calls for a specific person or a group of

00:11:12.829 --> 00:11:16.270
people believed to be involved in serious criminal activity.

00:11:16.270 --> 00:11:20.889
It’s not just limited to phone calls; texts, e-mails, video calls, and instant messaging

00:11:20.889 --> 00:11:22.740
can all be intercepted, too.

00:11:22.740 --> 00:11:28.170
For a telecom company like Vodafone, they have no option but to comply when presented

00:11:28.170 --> 00:11:29.880
with a legal warrant.

00:11:29.880 --> 00:11:34.920
[MUSIC] It is, put simply, spying on a customer for purposes of criminal investigation.

00:11:34.920 --> 00:11:38.980
A telecoms provider can’t tell the customer that they’re doing it and the intercepted

00:11:38.980 --> 00:11:41.990
data is all sent back to law enforcement.

00:11:41.990 --> 00:11:44.310
Lawful intercept isn’t the same as mass surveillance.

00:11:44.310 --> 00:11:48.270
It’s targeted, focused on just one person or a small group of people.

00:11:48.270 --> 00:11:53.230
Generally, it’s looking for specific information and not just trying to capture anything and

00:11:53.230 --> 00:11:54.899
everything.

00:11:54.899 --> 00:12:01.000
Most developed countries now have laws in place to allow wiretapping or lawful intercept.

00:12:01.000 --> 00:12:04.320
The terrorist attacks we’ve seen in the last few years have prompted this kind of

00:12:04.320 --> 00:12:10.639
standard across the board in many nations but this story happened back in 2004 and in

00:12:10.639 --> 00:12:15.959
Greece at that time, the laws for lawful intercept were not in place yet.

00:12:15.959 --> 00:12:21.750
It was not legal for authorities to do wiretapping even with a judge’s order.

00:12:21.750 --> 00:12:26.580
Meetings were held about it in 2002 and then again in 2003, and the Greek government discussed

00:12:26.580 --> 00:12:31.600
how lawful intercept should be implemented in the top three telecom providers in Greece

00:12:31.600 --> 00:12:35.390
which was Vodafone, Cosmote, and TIM.

00:12:35.390 --> 00:12:42.260
But when the Olympic Games started in 2004 and when this malware was found in 2005, the

00:12:42.260 --> 00:12:47.519
presidential decree had not yet been passed which implemented and regulated lawful intercept

00:12:47.519 --> 00:12:53.420
in Greece which means whoever was doing this wiretapping was doing it illegally.

00:12:53.420 --> 00:12:57.070
It must not have been the Greek authorities.

00:12:57.070 --> 00:13:03.220
Now, Ericsson sells its exchange systems in 180 countries all over the world and much

00:13:03.220 --> 00:13:05.430
of it is standardized telecoms equipment.

00:13:05.430 --> 00:13:09.089
It has the same base software and configurations for everyone.

00:13:09.089 --> 00:13:13.410
Ericsson’s products are used in a lot of countries and their software needs to facilitate

00:13:13.410 --> 00:13:18.110
wiretapping so that telephone providers in countries with lawful intercept can carry

00:13:18.110 --> 00:13:20.410
out a lawful wiretap.

00:13:20.410 --> 00:13:26.339
On the tech side, Ericsson implemented lawful intercept technology directly into their telephone

00:13:26.339 --> 00:13:27.339
switches.

00:13:27.339 --> 00:13:30.310
There are two parts to this and this is kind of important, so listen up.

00:13:30.310 --> 00:13:36.790
The first part is the remote-control equipment subsystem or RES which actually does the wiretapping.

00:13:36.790 --> 00:13:40.760
Then there’s the interception management system, or IMS, which is the user interface

00:13:40.760 --> 00:13:43.579
that controls this wiretapping feature.

00:13:43.579 --> 00:13:49.110
The authorities can log into IMS, enter the phone number that they’re permitted to tap,

00:13:49.110 --> 00:13:54.070
and then that communicates to RES which actually does the actual tapping and

00:13:54.070 --> 00:13:59.139
then sends that data back to IMS where the authorities can then capture that data and

00:13:59.139 --> 00:14:00.139
store it.

00:14:00.139 --> 00:14:05.110
I’m gonna use this term RES a lot, so let me repeat it; RES is the feature on these

00:14:05.110 --> 00:14:08.540
telephone switches that actually conducts the wiretapping.

00:14:08.540 --> 00:14:11.990
The IMS feature is the interface used to control it.

00:14:11.990 --> 00:14:16.660
On this IMS interface, there are logs and permanent records created whenever a wiretap

00:14:16.660 --> 00:14:19.279
is conducted through the RES software.

00:14:19.279 --> 00:14:23.960
At any time later on, they can check to make sure that there were no unauthorized wiretaps

00:14:23.960 --> 00:14:26.940
going on and that both systems match up.

00:14:26.940 --> 00:14:31.230
This makes the process of lawful intercept easy to do and makes sure there’s records

00:14:31.230 --> 00:14:32.880
of it.

00:14:32.880 --> 00:14:38.370
Ericsson implemented this RES technology in a lot of their telecom switches and was rolled

00:14:38.370 --> 00:14:42.750
out all over the place, but in order to use it you had to pay an extra licensing fee which

00:14:42.750 --> 00:14:48.709
is tens of thousands of dollars in order to get the IMS part of it to work.

00:14:48.709 --> 00:14:53.160
What happened with Vodafone Greece is that they updated their AXE, the exchange switch,

00:14:53.160 --> 00:14:59.009
with Ericsson back in 2003 which included the RES software as standard.

00:14:59.009 --> 00:15:03.009
They didn’t purchase or activate the front-end IMS system because they didn’t have to;

00:15:03.009 --> 00:15:05.350
law enforcement was never going to come with a warrant.

00:15:05.350 --> 00:15:07.370
It wasn’t legal to do in Greece.

00:15:07.370 --> 00:15:10.290
So, the RES system sat there in the background.

00:15:10.290 --> 00:15:13.519
It wasn’t being used by anyone at Vodafone Greece.

00:15:13.519 --> 00:15:18.160
It didn’t affect any of the other operating processes and didn’t cause any trouble.

00:15:18.160 --> 00:15:25.500
But it turned out it was the door that the hackers used to initiate these illegal wiretaps.

00:15:25.500 --> 00:15:30.260
Whoever did this essentially hacked their way into Vodafone’s systems and secretly

00:15:30.260 --> 00:15:31.850
activated this software.

00:15:31.850 --> 00:15:37.199
They used the software on Vodafone’s systems to illegally wiretap the country’s top officials

00:15:37.199 --> 00:15:40.880
and completely hide the fact that they were doing it from Vodafone.

00:15:40.880 --> 00:15:45.850
The hackers realized that RES was the perfect weapon to conduct these wiretaps with.

00:15:45.850 --> 00:15:51.120
It was already on the system; they just needed to enable it if, of course, the right know-how

00:15:51.120 --> 00:15:55.210
and malware could be developed and installed to do it.

00:15:55.210 --> 00:15:59.040
Ericsson told Vodafone Greece they discovered this malware and they gave them a list of

00:15:59.040 --> 00:16:02.579
the 106 cell phone numbers that the system had been wiretapping.

00:16:02.579 --> 00:16:07.850
That’s 106 cell phone numbers that every time a call was made to or from those numbers,

00:16:07.850 --> 00:16:14.230
someone else was listening, a silent third-party at the end of the line listening, recording,

00:16:14.230 --> 00:16:16.990
note-taking, and archiving.

00:16:16.990 --> 00:16:21.139
The two callers had no idea that they were being spied on.

00:16:21.139 --> 00:16:25.910
Nothing sounds different; there were no crackles or delays to suggest that the conversation

00:16:25.910 --> 00:16:28.220
wasn’t private.

00:16:28.220 --> 00:16:31.010
You can think of your cell phone as both a transmitter and receiver.

00:16:31.010 --> 00:16:35.000
[MUSIC] When you use your cell, your handset talks to the nearest cell phone tower which

00:16:35.000 --> 00:16:37.199
connects your phone to a cell switch center.

00:16:37.199 --> 00:16:42.300
During your call, your speech is encoded to digital data that’s then sent via radio

00:16:42.300 --> 00:16:45.880
waves to your friend’s phone and converts it back to speech again.

00:16:45.880 --> 00:16:50.740
The cell switch exchanges like the one Vodafone Greece had from Ericsson worked by routing

00:16:50.740 --> 00:16:55.380
your call across various interconnected exchanges to get to where you wanted to go.

00:16:55.380 --> 00:17:00.579
The digital speech data is encrypted but when it goes into the switching center and when

00:17:00.579 --> 00:17:05.679
it leaves the center, that bit in between while it’s passing through and being routed

00:17:05.679 --> 00:17:08.740
temporarily is unencrypted.

00:17:08.740 --> 00:17:13.939
This is all done electronically and remotely for every call, so these exchanges are a core

00:17:13.939 --> 00:17:18.520
part of Vodafone’s network and essential to making phone calls.

00:17:18.520 --> 00:17:23.270
For something as big as Vodafone Greece, these exchanges were probably pretty massive.

00:17:23.270 --> 00:17:28.329
I couldn’t find a picture but I imagine it to be rows of cabinets with hi-tech servers,

00:17:28.329 --> 00:17:33.580
switches, and miles and miles of wires connecting them all together; flashing and blinking lights

00:17:33.580 --> 00:17:37.530
constantly on the go as they communicate with each other 24/7.

00:17:37.530 --> 00:17:42.660
The lawful intercept RES software usually works by making a parallel copy of the digital

00:17:42.660 --> 00:17:47.799
speech data and sending it off to the law enforcement agency that requested the wiretap.

00:17:47.799 --> 00:17:52.550
The hackers for Vodafone Greece had their wiretaps set up in exactly this way, but the

00:17:52.550 --> 00:17:57.120
data was sent to shadow cell phones instead.

00:17:57.120 --> 00:18:03.360
So, to get a copy of the call, it would just look like another outgoing call, nothing suspicious.

00:18:03.360 --> 00:18:08.530
It sent a text message to the shadow phones with the metadata of every call; the cell

00:18:08.530 --> 00:18:11.299
number, the date, the time, and the call duration.

00:18:11.299 --> 00:18:15.409
So, think about it, you’ve got the Greek prime minister who picks up his cell phone

00:18:15.409 --> 00:18:19.950
and calls the minister of public order and while he’s listening and ringing and waiting

00:18:19.950 --> 00:18:25.760
for the minister to answer, another cell phone is ringing at the same time, a shadow cell

00:18:25.760 --> 00:18:27.890
phone held by the hackers.

00:18:27.890 --> 00:18:32.010
When the minister picks up and they start chatting, that cell phone also gets picked

00:18:32.010 --> 00:18:34.280
up and they start listening.

00:18:34.280 --> 00:18:41.090
When the PM disconnects, so does this shadow cell and all that data was being recorded,

00:18:41.090 --> 00:18:46.650
bundled up, and sent to another location where it was being stored for safe keeping.

00:18:46.650 --> 00:18:51.180
With multiple numbers being wiretapped like this, one shadow cell is not going

00:18:51.180 --> 00:18:52.309
to be enough.

00:18:52.309 --> 00:18:55.050
What if two of the targets make phone calls at the same time?

00:18:55.050 --> 00:19:01.260
So, hackers had a total of fourteen shadow cell phone lines which would pick up and listen

00:19:01.260 --> 00:19:05.350
to any of the phones that were on that list of 106 phone numbers.

00:19:05.350 --> 00:19:11.080
If the target makes a call and the first shadow cell is busy, it just jumps to the next and

00:19:11.080 --> 00:19:15.940
then the next until it gets an open line to listen in on.

00:19:15.940 --> 00:19:20.580
When Ericsson told Vodafone what they found and what it was doing, the Vodafone Greece

00:19:20.580 --> 00:19:23.440
team started trying to isolate the malware.

00:19:23.440 --> 00:19:26.470
Three days later they managed it.

00:19:26.470 --> 00:19:30.560
Now, by this point, it was March 8, 2005.

00:19:30.560 --> 00:19:37.030
The CEO of Vodafone Greece, Giorgos Koronias, needed to decide what he was going to do next.

00:19:37.030 --> 00:19:40.400
His decision was, let’s say, a little sloppy.

00:19:40.400 --> 00:19:47.789
When there’s an infiltration in any company, even back in 2005, there’s a standard procedure

00:19:47.789 --> 00:19:49.080
to follow; isolate the malware.

00:19:49.080 --> 00:19:53.429
If you’re interested in who did the hack, which in this case you would definitely be

00:19:53.429 --> 00:19:57.640
interested in who’s listening in on the prime minister, if that’s the case then

00:19:57.640 --> 00:20:02.179
you would try to trace it back to the hackers, and you would also inform the relevant authorities,

00:20:02.179 --> 00:20:05.790
and you’d protect your clients’ services and data.

00:20:05.790 --> 00:20:10.340
The problem Giorgos had was the scale of this attack and all the targets in it.

00:20:10.340 --> 00:20:14.710
While the hackers had used Vodafone’s systems and existing software to do it, it wasn’t

00:20:14.710 --> 00:20:16.570
Vodafone Greece that they were interested in.

00:20:16.570 --> 00:20:19.630
It was senior members of the Greek government.

00:20:19.630 --> 00:20:22.200
This was a serious attack, one with huge consequences.

00:20:22.200 --> 00:20:26.760
I mean, this malware was allowing unknown hackers to probably record calls and listen

00:20:26.760 --> 00:20:29.890
in on communications from these cell phones.

00:20:29.890 --> 00:20:33.520
What kind of conversations was the Greek prime minister having on his cell?

00:20:33.520 --> 00:20:35.659
What about the head of foreign affairs?

00:20:35.659 --> 00:20:41.010
Discussions on domestic and foreign policies, trade deals, defense strategies, and potentially

00:20:41.010 --> 00:20:43.919
discussions involving state secrets.

00:20:43.919 --> 00:20:47.620
The kind of information that could have been intercepted here could have international

00:20:47.620 --> 00:20:49.190
repercussions for Greece.

00:20:49.190 --> 00:20:54.860
It was a disaster on every level and Vodafone Greece was ground zero.

00:20:54.860 --> 00:21:00.260
On March 8, four days after Vodafone found out they had malware, there were some tense

00:21:00.260 --> 00:21:02.340
meetings held in the head offices.

00:21:02.340 --> 00:21:07.630
Their network staff and Vodafone bosses seemingly had heated and at times angry communications

00:21:07.630 --> 00:21:08.630
on that day.

00:21:08.630 --> 00:21:11.640
I could only imagine the variety of reactions they must have had to this.

00:21:11.640 --> 00:21:15.929
I mean, it makes perfect sense here for people to get emotional and even go through the five

00:21:15.929 --> 00:21:21.700
stages of grief; at first not believing they had malware and some hackers were doing it,

00:21:21.700 --> 00:21:25.870
but then when that was proved without a doubt, they must have been angry that somebody was

00:21:25.870 --> 00:21:27.120
doing this.

00:21:27.120 --> 00:21:33.250
Then when that passed, they must have felt ‘if only’ or guilty for letting this happen.

00:21:33.250 --> 00:21:39.090
Then at some point they might have felt depressed or sad that their network was compromised.

00:21:39.090 --> 00:21:44.470
Only after you get through those stages can you then work on accepting the situation and

00:21:44.470 --> 00:21:49.130
moving forward towards a solution and next steps.

00:21:49.130 --> 00:21:52.740
Nothing was done as a result of the meetings on March 8.

00:21:52.740 --> 00:21:59.059
[MUSIC] But on March 9, Giorgos, the CEO, instructed his team to fully deactivate and

00:21:59.059 --> 00:22:02.150
delete the malware from the infected Vodafone systems.

00:22:02.150 --> 00:22:06.620
He wanted it stopped in its tracks; cut it off and get rid of it completely so it couldn’t

00:22:06.620 --> 00:22:08.330
do any more damage.

00:22:08.330 --> 00:22:11.990
This might seem like a good idea at first, to get rid of the malware ASAP.

00:22:11.990 --> 00:22:16.789
But incident response teams typically don’t like to do that because the moment you delete

00:22:16.789 --> 00:22:20.919
that malware it instantly lets the hackers know they’ve been discovered.

00:22:20.919 --> 00:22:26.679
They can either go on the run and hide all their tracks or conduct a backup plan like

00:22:26.679 --> 00:22:30.169
get another way into the network and snoop on calls a different way.

00:22:30.169 --> 00:22:35.380
A typical incident response team will start by collecting a ton of logs and saving it

00:22:35.380 --> 00:22:39.990
and taking snapshots of everything because you run the risk of losing this data as time

00:22:39.990 --> 00:22:41.429
goes on.

00:22:41.429 --> 00:22:46.090
Then try to discover exactly how it got infected so that they could permanently close the doors

00:22:46.090 --> 00:22:49.370
so that the hackers would not have the ability to come back.

00:22:49.370 --> 00:22:52.600
Lastly, try to find out any clues that lead back to the hackers.

00:22:52.600 --> 00:22:56.789
I mean, if they had fourteen shadow phone lines set up, wouldn’t it be a lot easier

00:22:56.789 --> 00:23:00.429
to trace these calls while the phones were active?

00:23:00.429 --> 00:23:05.039
But the CEO insisted on taking them out and shutting down these lines before anything

00:23:05.039 --> 00:23:06.039
else.

00:23:06.039 --> 00:23:08.059
So, that’s what the tech teams did.

00:23:08.059 --> 00:23:12.920
They deleted the malicious code on these phone exchanges and they proceeded to disable all

00:23:12.920 --> 00:23:17.850
fourteen shadow phone lines that were used to send tapped calls to.

00:23:17.850 --> 00:23:23.100
With that, the malware was gone and the shadow phone lines were disabled and the wiretapping

00:23:23.100 --> 00:23:25.660
was stopped.

00:23:25.660 --> 00:23:26.660
So far, this story’s pretty good, right?

00:23:26.660 --> 00:23:31.210
A major telecom company gets hacked and their target is to wiretap calls to and from the

00:23:31.210 --> 00:23:32.210
heads of state.

00:23:32.210 --> 00:23:34.850
Sounds like high stakes and exciting.

00:23:34.850 --> 00:23:39.049
Now you probably want to know who would do it and what happened after this.

00:23:39.049 --> 00:23:41.210
But this story’s about to get totally off the rails.

00:23:41.210 --> 00:23:45.799
This is why I love non-fiction because the truth is so insanely strange sometimes, so

00:23:45.799 --> 00:23:47.450
stay with us through the break.

00:23:47.450 --> 00:23:51.100
[00:25:00] Okay, so get this; on March 9th they delete the malware.

00:23:51.100 --> 00:23:52.100
Okay, fine.

00:23:52.100 --> 00:23:57.870
But on March 10th, the very next day – you remember Kostas Tsalikidis, right?

00:23:57.870 --> 00:24:02.929
He was the network planning manager for Vodafone Greece and just two months ago he tried to

00:24:02.929 --> 00:24:08.370
submit his resignation letter but Vodafone begged him to stay, so he did.

00:24:08.370 --> 00:24:13.590
Kostas was a real technical guy so I’m thinking he was probably aware that this serious malware

00:24:13.590 --> 00:24:16.960
issue was happening within Vodafone Greece.

00:24:16.960 --> 00:24:21.830
Well, Kostas was thirty-eight years old and was living in a loft apartment just outside

00:24:21.830 --> 00:24:25.640
Athens; nice place about seven miles away from work.

00:24:25.640 --> 00:24:30.789
His parents were living in the same building and that morning, while the Vodafone CEO Giorgos

00:24:30.789 --> 00:24:34.500
was trying to figure out how he was going to tell the prime minister of Greece that

00:24:34.500 --> 00:24:41.470
a wiretapping was going on, Kostas’s mother came into his apartment and found her son

00:24:41.470 --> 00:24:44.659
hanging from a rope in the bathroom doorway.

00:24:44.659 --> 00:24:46.730
[MUSIC] She instantly panicked.

00:24:46.730 --> 00:24:50.240
A few minutes later, his brother Panagiotis arrived.

00:24:50.240 --> 00:24:53.140
He found his mother hysterical in the hallway.

00:24:53.140 --> 00:24:57.830
He saw Kostas hanging there so he cut down his younger brother.

00:24:57.830 --> 00:25:00.040
Kostas was dead.

00:25:00.040 --> 00:25:02.000
He had taken his own life.

00:25:02.000 --> 00:25:06.270
Panagiotis, his brother, was in disbelief.

00:25:06.270 --> 00:25:10.190
Just before he called the police station, he called his wife and asked her to bring

00:25:10.190 --> 00:25:12.120
his camera to the apartment.

00:25:12.120 --> 00:25:14.880
He didn’t believe this was suicide.

00:25:14.880 --> 00:25:19.529
Kostas was recently engaged and his wedding date was just in three months.

00:25:19.529 --> 00:25:22.760
He had made arrangements to take a vacation in just a few weeks.

00:25:22.760 --> 00:25:27.520
He had been making trip plans with his fiancée just the days before.

00:25:27.520 --> 00:25:31.350
He was in a happy and settled relationship and he had no money troubles.

00:25:31.350 --> 00:25:37.670
There had been no signs of depression or anything to indicate he was ever contemplating suicide.

00:25:37.670 --> 00:25:43.600
Panagiotis’s wife, Kostas’s sister-in-law, spoke to a journalist named Elizabeth Filipouli

00:25:43.600 --> 00:25:44.600
about his death.

00:25:44.600 --> 00:25:45.600
Here’s that clip.

00:25:45.600 --> 00:25:51.149
SISTER: I had never seen such a perfect body lying down dead in my life.

00:25:51.149 --> 00:26:00.690
The way of death is written somehow on his body as an expression.

00:26:00.690 --> 00:26:05.720
Kostas was calm, was smiling.

00:26:05.720 --> 00:26:07.490
He had his eyes closed.

00:26:07.490 --> 00:26:09.620
He had his mouth closed.

00:26:09.620 --> 00:26:18.620
He hadn’t any possible blueish color like we have seen in hanging bodies.

00:26:18.620 --> 00:26:20.090
It was like a stage thing.

00:26:20.090 --> 00:26:27.620
It was as if somebody had designed something that worked out perfectly.

00:26:27.620 --> 00:26:34.470
Nothing on his face would say that Kostas went through any death-fight or any kind of

00:26:34.470 --> 00:26:36.029
pain, physical pain.

00:26:36.029 --> 00:26:41.169
JACK: The night before he was found dead, Kostas had talked to his fiancée on the phone.

00:26:41.169 --> 00:26:46.740
Their phone records show he called a Vodafone corporate number but investigations don’t

00:26:46.740 --> 00:26:49.250
seem to have figured out who he spoke to.

00:26:49.250 --> 00:26:54.690
Then he sends a huge e-mail to Vodafone’s technical directors at 4:20 in the morning.

00:26:54.690 --> 00:26:59.929
It was two pages long and went through all the outstanding work that had to be done on

00:26:59.929 --> 00:27:01.779
the different networks.

00:27:01.779 --> 00:27:04.740
Three hours later he was found dead.

00:27:04.740 --> 00:27:08.890
[MUSIC] Panagiotis took photographs of Kostas that morning.

00:27:08.890 --> 00:27:13.950
He wanted a permanent record of how his brother looked just after he had been found.

00:27:13.950 --> 00:27:17.480
When the police arrived at the apartment, they took statements from the Kostas family.

00:27:17.480 --> 00:27:20.330
The police didn’t take photographs of the scene.

00:27:20.330 --> 00:27:24.279
They didn’t dust for fingerprints or do any crime scene investigations.

00:27:24.279 --> 00:27:29.010
They saw no reason to doubt that Kostas’s death was a suicide.

00:27:29.010 --> 00:27:31.020
There were no signs of forced entry.

00:27:31.020 --> 00:27:32.620
The apartment was in order.

00:27:32.620 --> 00:27:35.159
There was no indication of a struggle.

00:27:35.159 --> 00:27:40.160
Kostas’s body was taken to the morgue to get [00:30:00] ready for an autopsy the following

00:27:40.160 --> 00:27:41.470
day.

00:27:41.470 --> 00:27:45.760
On that same day, March 10th, Giorgos, the CEO, had arranged to meet with the director

00:27:45.760 --> 00:27:50.720
of the Political Bureau of the Prime Minister and the political order minister.

00:27:50.720 --> 00:27:53.770
The prime minister was away at a terrorism summit.

00:27:53.770 --> 00:27:58.360
Giorgos sat and explained the wiretapping discovery to the two ministers.

00:27:58.360 --> 00:28:03.020
He then handed over a list of cell phone numbers that had been targeted and the incident case

00:28:03.020 --> 00:28:06.279
description technical report prepared by Ericsson.

00:28:06.279 --> 00:28:12.200
Oh, and get this; on that very same day, a new law went into effect.

00:28:12.200 --> 00:28:17.779
This was the day that the presidential decree regarding lawful interception in Greece came

00:28:17.779 --> 00:28:23.299
into effect, right in the middle of the biggest telecoms provider illegal wiretapping scandal

00:28:23.299 --> 00:28:24.700
ever seen.

00:28:24.700 --> 00:28:31.250
Greece passed a law that created a process for lawful intercept; legal wiretapping.

00:28:31.250 --> 00:28:35.440
The timing was ridiculous.

00:28:35.440 --> 00:28:40.600
When the prime minister learned of the wiretapping, he immediately ordered a preliminary parliamentary

00:28:40.600 --> 00:28:42.940
investigation into what happened.

00:28:42.940 --> 00:28:47.900
On March 11th, the Greek minister of justice, along with the attorney of the Supreme Court,

00:28:47.900 --> 00:28:51.750
met with the CEO of Vodafone Greece to get more details on this attack.

00:28:51.750 --> 00:28:54.120
The investigation was to be done in secret.

00:28:54.120 --> 00:28:56.690
They didn’t want any details made public yet.

00:28:56.690 --> 00:28:59.100
This would go on to be a huge investigation.

00:28:59.100 --> 00:29:03.690
They ultimately spent the next eleven months gathering evidence and hearing testimony from

00:29:03.690 --> 00:29:08.019
all companies involved and anyone else who thought they might know something.

00:29:08.019 --> 00:29:13.490
Giorgos, the Vodafone CEO, maintained that he knew nothing of the lawful intercept RES

00:29:13.490 --> 00:29:14.490
software.

00:29:14.490 --> 00:29:17.730
He said he didn’t know it was included with the upgrade package that they received from

00:29:17.730 --> 00:29:18.770
Ericsson.

00:29:18.770 --> 00:29:22.760
He also said his company didn’t have the knowledge and capability to do anything like

00:29:22.760 --> 00:29:26.730
this even though Ericsson software is what could.

00:29:26.730 --> 00:29:30.230
The investigation called for people from Ericsson to come give testimony.

00:29:30.230 --> 00:29:34.450
Remember, Ericsson is the company that made the phone switches and devices, and they’re

00:29:34.450 --> 00:29:36.679
the ones who kind of discovered this malware.

00:29:36.679 --> 00:29:41.010
Even the CEO of Ericsson flew into Greece to give testimony.

00:29:41.010 --> 00:29:45.929
Ericsson said that Vodafone knew the RES software was present on these devices when they sold

00:29:45.929 --> 00:29:50.690
it to him and that someone from Vodafone Greece even had to sign off confirming that they

00:29:50.690 --> 00:29:52.910
knew this feature existed.

00:29:52.910 --> 00:29:57.600
The investigation pulled up the receipt to look to see who signed for this and guess

00:29:57.600 --> 00:29:58.600
who it was?

00:29:58.600 --> 00:30:04.799
Their network planning manager, Kostas, the guy who died.

00:30:04.799 --> 00:30:08.679
Giorgos, the CEO of Vodafone, gave testimony, too.

00:30:08.679 --> 00:30:13.169
When questioned about Kostas’s death, Giorgos tried to distance himself from it, saying

00:30:13.169 --> 00:30:18.300
it was a tragic suicide entirely unrelated to the wiretapping ordeal.

00:30:18.300 --> 00:30:21.210
They asked him if Kostas knew about the malware.

00:30:21.210 --> 00:30:26.780
Giorgos said it was possible that Kostas could have stumbled upon it himself since his role

00:30:26.780 --> 00:30:31.340
was technical enough and he had that level of access to get into those systems.

00:30:31.340 --> 00:30:37.320
As this investigation went on for months and months, evidence started to disappear.

00:30:37.320 --> 00:30:42.120
[MUSIC] At the physical location of where the exchanges were that had malware on them,

00:30:42.120 --> 00:30:44.169
there’s a little visitor’s sign-in sheet.

00:30:44.169 --> 00:30:49.250
It was Vodafone Greece’s policy to destroy these sign-in sheets after six months so by

00:30:49.250 --> 00:30:53.271
the time investigators requested records of who had visited these locations around the

00:30:53.271 --> 00:30:58.100
time of the wiretapping, those sign-in sheets had already been destroyed.

00:30:58.100 --> 00:31:01.850
Policy or not, it seemed to be a bit suspicious that this key piece of evidence in one of

00:31:01.850 --> 00:31:08.120
the biggest telecom investigations ever happened to be destroying evidence because of a corporate

00:31:08.120 --> 00:31:09.120
policy.

00:31:09.120 --> 00:31:13.399
These sign-in sheets might have revealed who had been in the facility at the time the malware

00:31:13.399 --> 00:31:14.399
was installed.

00:31:14.399 --> 00:31:21.059
On top of that, Vodafone upgraded two of the servers that were part of this hack and after

00:31:21.059 --> 00:31:24.830
the upgrade, all access logs to the management server were wiped.

00:31:24.830 --> 00:31:30.740
Again, these logs of who accessed these systems, when and what did they do, they were all critical

00:31:30.740 --> 00:31:32.580
logs, but they were gone.

00:31:32.580 --> 00:31:35.450
Weirdly there were no backups of this, either.

00:31:35.450 --> 00:31:38.210
Then there’s the transaction logs of the switch exchanges.

00:31:38.210 --> 00:31:43.270
Now, they would have been useful but nope; due to lack of space, Vodafone Greece only

00:31:43.270 --> 00:31:45.320
kept these logs for five days.

00:31:45.320 --> 00:31:50.299
Although Vodafone had clear explanations of why these actions were taken, the damage they

00:31:50.299 --> 00:31:54.820
did to the investigation into this hack was pretty substantial.

00:31:54.820 --> 00:31:58.440
A proper incident response team would have collected all this information right away

00:31:58.440 --> 00:32:04.020
and stored it in safe keeping and did snapshots and kept backups, but this investigation was

00:32:04.020 --> 00:32:07.720
not being conducted by a proper incident response team.

00:32:07.720 --> 00:32:14.140
But this was in 2005, before good response methodologies had been widely adopted.

00:32:14.140 --> 00:32:20.610
On February 2nd, 2006, the Greek government decided to tell the world about this hack.

00:32:20.610 --> 00:32:25.360
They held a press conference announcing that this will be an issue of national security.

00:32:25.360 --> 00:32:29.289
[MUSIC] The Greek government spokesman, the minister of justice, and the minister of public

00:32:29.289 --> 00:32:31.559
order were all in attendance.

00:32:31.559 --> 00:32:37.130
The press came in, turned on their cameras and recorders, and listened to the ministers

00:32:37.130 --> 00:32:38.370
give their talking points.

00:32:38.370 --> 00:32:44.530
MINISTER: [FOREIGN] [00:35:00] The title of this case could be Phone Wiretapping.

00:32:44.530 --> 00:32:49.970
Among the phones wiretapped were the Greek prime minister’s, members of the government,

00:32:49.970 --> 00:32:55.429
an ex-minister, a member of the Opposition Party, and a number of private phones.

00:32:55.429 --> 00:33:01.809
This wiretapping was performed by so-far unknown persons with the use of highly sophisticated

00:33:01.809 --> 00:33:03.450
technology.

00:33:03.450 --> 00:33:09.389
JACK: The group of journalists that were there to hear this press conference were all shocked.

00:33:09.389 --> 00:33:14.580
They learned for the first time how the discovery was made in March 2005 and that a preliminary

00:33:14.580 --> 00:33:18.519
judicial investigation into the hack had now been concluded.

00:33:18.519 --> 00:33:21.610
More information on who had been wiretapped came out, too.

00:33:21.610 --> 00:33:27.520
The victims of this wiretapping included the prime minister and his wife, foreign ministry

00:33:27.520 --> 00:33:32.679
officials, Navy staff, and members of the ministries of defense, public order, and merchant

00:33:32.679 --> 00:33:33.679
shipping.

00:33:33.679 --> 00:33:35.730
They all had their phones tapped.

00:33:35.730 --> 00:33:40.010
The Greek minister of public order did what he could to try to track down those shadow

00:33:40.010 --> 00:33:44.270
phone lines and advised they were in fixed locations across Greece.

00:33:44.270 --> 00:33:47.500
Here’s the Greek minister of public order explaining to the press.

00:33:47.500 --> 00:33:52.350
MPO: There were fourteen to sixteen mobile phones operating as shadow devices of the

00:33:52.350 --> 00:33:55.779
tapped numbers.

00:33:55.779 --> 00:34:00.429
When a call was received by the intercepted phone, it was immediately connected with one

00:34:00.429 --> 00:34:04.190
of the shadow phones through the lawful interception software.

00:34:04.190 --> 00:34:09.110
Apparently, this shadow phone was taping the conversation into another software.

00:34:09.110 --> 00:34:14.099
JACK: Okay, so these shadow phone lines were directing the wiretapped calls to actual mobile

00:34:14.099 --> 00:34:15.200
phones.

00:34:15.200 --> 00:34:18.750
Investigators were able to track the locations of these mobile phones based on which cell

00:34:18.750 --> 00:34:23.589
towers they communicated with at the time when the wiretapped calls were made.

00:34:23.589 --> 00:34:27.940
Using this method, investigators were able to identify four Vodafone antennas that had

00:34:27.940 --> 00:34:31.570
been directing calls to the shadow phones.

00:34:31.570 --> 00:34:37.550
The locations of these antennas gave investigators an idea of what part of town these phones

00:34:37.550 --> 00:34:40.200
were in when they received these calls.

00:34:40.200 --> 00:34:47.589
The location was a two-kilometer radius around central Athens in an area called Lycabettus

00:34:47.589 --> 00:34:48.589
Hill.

00:34:48.589 --> 00:34:51.440
This preliminary investigation was now closed.

00:34:51.440 --> 00:34:54.780
He wasn’t able to give any more information at this time.

00:34:54.780 --> 00:34:57.609
Everyone in Greece stood up and paid attention to this news.

00:34:57.609 --> 00:35:00.210
Greek journalists were shocked at finding this out.

00:35:00.210 --> 00:35:03.839
The Greek authorities who should have been informed the moment the hack was discovered

00:35:03.839 --> 00:35:05.670
were shocked that they weren’t informed.

00:35:05.670 --> 00:35:10.079
Then the Greek citizens who were now getting worried about the security and privacy of

00:35:10.079 --> 00:35:14.250
their own telephone conversations were also surprised.

00:35:14.250 --> 00:35:18.460
When the floor was open for questions, reporters immediately asked if a foreign country was

00:35:18.460 --> 00:35:23.150
behind this attack because when the targets were government officials, it just seemed

00:35:23.150 --> 00:35:25.260
like the logical conclusion.

00:35:25.260 --> 00:35:29.650
One reporter pointed out that Lycabettus Hill is where the US and British embassies are

00:35:29.650 --> 00:35:30.650
located.

00:35:30.650 --> 00:35:35.010
If cell phones were being used in those buildings, they would have hit one of those four towers

00:35:35.010 --> 00:35:38.710
that were identified as the towers used by these shadow phones.

00:35:38.710 --> 00:35:42.150
[MUSIC] The ministers advised that no conclusions can be drawn yet.

00:35:42.150 --> 00:35:45.940
The investigation was still ongoing and they recognized this was a pretty sophisticated

00:35:45.940 --> 00:35:51.619
malware; to first gain access to a large telecom provider, then to write malware in the PLEX

00:35:51.619 --> 00:35:56.330
coding language which required intimate knowledge of both Vodafone’s network and Ericsson’s

00:35:56.330 --> 00:36:00.510
devices, and then to also set up fourteen shadow phone lines with automatic recording

00:36:00.510 --> 00:36:02.770
mechanisms for all incoming calls.

00:36:02.770 --> 00:36:07.490
To top it all off, all this went undetected for like, eight months.

00:36:07.490 --> 00:36:11.230
This is not something your average cyber-criminal will know how to do.

00:36:11.230 --> 00:36:14.609
It’s not something your typical hacktivist will be capable of.

00:36:14.609 --> 00:36:21.230
No, no, no; this is far more advanced, something that would require a great deal of time, knowledge,

00:36:21.230 --> 00:36:24.970
skill, money, and effort to pull off.

00:36:24.970 --> 00:36:28.640
Not many people would be able to do something this extraordinary.

00:36:28.640 --> 00:36:33.980
Kostas’s brother Panagiotis also listened closely to this press conference.

00:36:33.980 --> 00:36:35.420
He was deeply concerned.

00:36:35.420 --> 00:36:39.369
I don’t think he knew anything about this hacking incident until a year after his brother

00:36:39.369 --> 00:36:40.569
died.

00:36:40.569 --> 00:36:45.580
He immediately contacted the Athens prosecutor who was investigating his brother’s death.

00:36:45.580 --> 00:36:50.220
He wanted the death investigation expanded to include this wiretapping affair.

00:36:50.220 --> 00:36:53.370
He wanted to know if there was any connection between the two.

00:36:53.370 --> 00:36:58.040
Panagiotis requested the investigators exhume Kostas’s body because he wanted to look

00:36:58.040 --> 00:37:00.750
for further signs of murder.

00:37:00.750 --> 00:37:07.410
So now it’s 2006, over a year since the malware was found and the news of the wiretapping

00:37:07.410 --> 00:37:09.200
hack at Vodafone Greece was out.

00:37:09.200 --> 00:37:14.371
The Hellenic Authority for the Information and Communication Security and Privacy, or

00:37:14.371 --> 00:37:18.530
ADAE for short, also began their own investigation.

00:37:18.530 --> 00:37:23.910
Officially, the ADAE is the investigating body for information, communication, and privacy

00:37:23.910 --> 00:37:24.910
in Greece.

00:37:24.910 --> 00:37:29.040
They really should have been told as soon as this hack was discovered because they have

00:37:29.040 --> 00:37:33.040
the expertise to investigate the technical aspects of this incident.

00:37:33.040 --> 00:37:37.109
They have the technical knowledge to collect and preserve the logs and unpack the malware

00:37:37.109 --> 00:37:39.470
and figure out [00:40:00] how it was all working.

00:37:39.470 --> 00:37:44.510
A year after the malware was discovered, the ADAE began their investigation and they released

00:37:44.510 --> 00:37:49.250
two preliminary reports in March and April of 2006 with their findings.

00:37:49.250 --> 00:37:55.210
Now, these were released in Greek, obviously, and they don’t seem to be publicly available.

00:37:55.210 --> 00:38:00.130
But there is a fascinating article in the IEEE Spectrum, a technical magazine, which

00:38:00.130 --> 00:38:02.990
goes over this ADAE report.

00:38:02.990 --> 00:38:07.690
It’s called The Athens Affair [MUSIC] and two Greek university professors who taught

00:38:07.690 --> 00:38:11.369
computer science and technology wrote this IEEE article.

00:38:11.369 --> 00:38:15.780
They really got into the technical details of how the hackers pulled this off.

00:38:15.780 --> 00:38:20.819
In June and August of 2004, the shadow phones started to be registered which was just before

00:38:20.819 --> 00:38:22.680
the Olympics in Athens.

00:38:22.680 --> 00:38:27.320
This was followed by the malware being installed on three of Vodafone’s exchanges on August

00:38:27.320 --> 00:38:28.320
4th.

00:38:28.320 --> 00:38:31.540
The hackers then set up the target’s cell phone numbers all in time for the opening

00:38:31.540 --> 00:38:35.619
ceremonies of the Olympic Games of August 13th.

00:38:35.619 --> 00:38:40.190
In October, the malware was installed on a fourth exchange but it wasn’t used for wiretapping

00:38:40.190 --> 00:38:41.510
any cell phones.

00:38:41.510 --> 00:38:46.720
A feature of the Ericsson AXE switches is to be able to install new software without

00:38:46.720 --> 00:38:51.980
having to reboot the whole system because restarting would cause an interruption to

00:38:51.980 --> 00:38:53.329
Vodafone’s services and users.

00:38:53.329 --> 00:38:57.930
There would be dropped calls, no connections, messages not sent, whatever.

00:38:57.930 --> 00:39:03.740
The perpetrators liked the fact that a reboot wasn’t required to install their rogue software.

00:39:03.740 --> 00:39:07.060
This feature was also great for Vodafone and Ericsson techs.

00:39:07.060 --> 00:39:11.030
There’s a point in the mobile connections where the voice call is unencrypted so the

00:39:11.030 --> 00:39:12.510
phone company can process it.

00:39:12.510 --> 00:39:14.770
Well, that’s the vulnerable point.

00:39:14.770 --> 00:39:20.040
Both lawful and it turns out unlawful wiretaps rely on this temporary vulnerability to get

00:39:20.040 --> 00:39:22.650
a copy of the streamed data they need.

00:39:22.650 --> 00:39:27.160
This is where it’s picked up, replicated, and sent off to the shadow phones all without

00:39:27.160 --> 00:39:30.350
the callers or cell phone providers having any idea.

00:39:30.350 --> 00:39:35.420
Now, the RES software on the Vodafone Greece’s systems is what has the capability of doing

00:39:35.420 --> 00:39:38.960
lawful intercepts or wiretapping by authorities.

00:39:38.960 --> 00:39:43.500
This is what the hackers used to conduct their wiretapping and they bypassed the interface

00:39:43.500 --> 00:39:46.800
which would have logged what was going on.

00:39:46.800 --> 00:39:51.790
If anyone looked at the systems, it would show no eavesdropping was conducted.

00:39:51.790 --> 00:39:54.380
This malware was really stealthy.

00:39:54.380 --> 00:39:59.630
Its activity left no trail, no bread crumbs, and hid all its operations to remain entirely

00:39:59.630 --> 00:40:02.609
invisible across the Vodafone systems.

00:40:02.609 --> 00:40:07.450
It was programmed to modify the commands which would list active processes, hiding itself

00:40:07.450 --> 00:40:08.450
even better.

00:40:08.450 --> 00:40:12.540
The hackers also added themselves logging credentials so they could get access to these

00:40:12.540 --> 00:40:15.080
exchange switches at later dates.

00:40:15.080 --> 00:40:19.510
They included a back door so they could always get back in and make changes or updates.

00:40:19.510 --> 00:40:23.050
This was done by changing the exchange’s command parser.

00:40:23.050 --> 00:40:28.220
If they entered a command followed by six spaces, this would act as a deactivation tool.

00:40:28.220 --> 00:40:32.430
It shut down the exchange’s transaction logs and silenced any alarms that would have

00:40:32.430 --> 00:40:34.610
alerted Vodafone techs.

00:40:34.610 --> 00:40:38.829
This way, the commands they had in the malware to operate the RES for the wiretaps could

00:40:38.829 --> 00:40:42.270
be executed without raising any flags at all.

00:40:42.270 --> 00:40:46.770
It was extremely well thought-out and very cleverly programmed.

00:40:46.770 --> 00:40:49.680
So, who would do such a thing?

00:40:49.680 --> 00:40:54.940
Stay with us because after the break we’re gonna shine a light on these shadow phones.

00:40:54.940 --> 00:40:58.430
The hackers weren’t entirely so stealthy.

00:40:58.430 --> 00:41:01.280
[MUSIC] Remember the beginning of this story, how it all started?

00:41:01.280 --> 00:41:05.950
That some text messages couldn’t get sent and there were errors and that’s what triggered

00:41:05.950 --> 00:41:06.950
this all?

00:41:06.950 --> 00:41:11.829
Well, the hackers updated their malware which was on these telecom switches but there was

00:41:11.829 --> 00:41:16.830
something wrong with the malware and it caused some text messages to not get delivered.

00:41:16.830 --> 00:41:21.880
Up to this point, the wiretapping virus caused no impact to Vodafone’s systems but this

00:41:21.880 --> 00:41:28.020
update did have an impact and it was with that update to the malware that all this became

00:41:28.020 --> 00:41:29.020
unraveled.

00:41:29.020 --> 00:41:34.460
So, the timeline is this; the hackers were in the Vodafone Greece’s network actively

00:41:34.460 --> 00:41:38.589
wiretapping calls for a period of five months.

00:41:38.589 --> 00:41:43.070
Then when this error message showed up, Ericsson spent five weeks [00:45:00] reverse-engineering

00:41:43.070 --> 00:41:48.079
the rogue software and once it was determined that illegal wiretapping was going on, Vodafone

00:41:48.079 --> 00:41:51.500
Greece’s CEO called for the immediate removal of the software.

00:41:51.500 --> 00:41:57.510
In total, the hackers were wiretapping calls for nine months.

00:41:57.510 --> 00:42:02.589
Four months after the public press conference, the investigation into Kostas’s death was

00:42:02.589 --> 00:42:03.589
concluded.

00:42:03.589 --> 00:42:09.040
The Supreme Court prosecutor reported on June 20th, 2006 that there was no evidence of any

00:42:09.040 --> 00:42:11.980
criminal act against Kostas.

00:42:11.980 --> 00:42:14.579
His autopsy had shown no injuries to his body.

00:42:14.579 --> 00:42:18.589
The rope around his neck had been tied with a standard knot positioned at the back of

00:42:18.589 --> 00:42:19.589
his head.

00:42:19.589 --> 00:42:23.619
His hyoid bone, that small bone in the back of your neck, was still intact.

00:42:23.619 --> 00:42:28.520
The cause of death was determined as hanging by noose.

00:42:28.520 --> 00:42:32.369
This was not a ruling that the Kostas family was satisfied with.

00:42:32.369 --> 00:42:37.140
They all reported he was happy and making plans for the future, but they did say that

00:42:37.140 --> 00:42:41.890
about a month before he died, he sent some text messages to his fiancée with strange

00:42:41.890 --> 00:42:42.890
comments.

00:42:42.890 --> 00:42:47.790
[MUSIC] Leaving Vodafone Greece was a matter of quote, “life and death.”

00:42:47.790 --> 00:42:48.790
Unquote.

00:42:48.790 --> 00:42:53.070
Kostas’s texts went on to say that Vodafone was in trouble and that this was the trouble

00:42:53.070 --> 00:42:56.660
that quote, “threatened its very existence.”

00:42:56.660 --> 00:42:57.660
Unquote.

00:42:57.660 --> 00:43:02.500
His fiancée Sarra never did find out what he meant by those words.

00:43:02.500 --> 00:43:07.589
Now, when Kostas’s family searched his apartment after his death, they found some pretty interesting

00:43:07.589 --> 00:43:08.589
stuff.

00:43:08.589 --> 00:43:12.860
Kostas was a meticulous note keeper; he had notebooks for all his networks, and all that

00:43:12.860 --> 00:43:16.400
needed to be done, and what he was currently working on, and what problems he needed to

00:43:16.400 --> 00:43:17.400
work on next.

00:43:17.400 --> 00:43:18.530
You get the idea.

00:43:18.530 --> 00:43:20.150
All notes and diagrams and scribbles.

00:43:20.150 --> 00:43:21.500
Makes sense, right?

00:43:21.500 --> 00:43:25.829
These networks are complicated and the family actually hired independent telecommunications

00:43:25.829 --> 00:43:30.510
experts, four of them, to try to decipher these notebooks to see if there was any clues

00:43:30.510 --> 00:43:31.510
in there.

00:43:31.510 --> 00:43:33.650
They dug up some curious bits of information.

00:43:33.650 --> 00:43:40.150
So, Kostas was the guy who upgraded all of Vodafone Greece’s networks to the 2.5G platforms

00:43:40.150 --> 00:43:44.750
when they came out and now it seemed it was right around the same time that the wiretapping

00:43:44.750 --> 00:43:49.000
happened that Kostas was working on upgrading everything to 3G.

00:43:49.000 --> 00:43:53.200
For him to do that, he had to go around all the base stations and switch centers and check

00:43:53.200 --> 00:43:55.010
all the antennas individually.

00:43:55.010 --> 00:44:00.740
Pretty painstaking work but meticulous at the same time which meant Kostas may have

00:44:00.740 --> 00:44:05.720
been in those switches that contained the malware and he may have discovered it while

00:44:05.720 --> 00:44:08.510
there conducting some upgrades.

00:44:08.510 --> 00:44:13.790
In his notebooks there are references to the RES software which meant he knew they were

00:44:13.790 --> 00:44:19.530
capable of doing wiretapping and there was a diagram of two of the switch centers where

00:44:19.530 --> 00:44:21.859
the malware was discovered.

00:44:21.859 --> 00:44:27.060
On his diagram were two little question marks next to the devices where the malware was

00:44:27.060 --> 00:44:28.430
discovered.

00:44:28.430 --> 00:44:33.010
The prosecutor did say that Kostas’s suicide was causally linked to the wiretapping affair

00:44:33.010 --> 00:44:35.890
going on inside Vodafone at the same time.

00:44:35.890 --> 00:44:41.480
The prosecutor also reported that Kostas had some knowledge of this malware but maybe that

00:44:41.480 --> 00:44:45.200
means he just found out about it after Vodafone found out about it.

00:44:45.200 --> 00:44:49.119
We don’t know how much Kostas knew about this wiretapping affair.

00:44:49.119 --> 00:44:54.430
One month after this ruling, the media began reporting on some surprising events in Italy.

00:44:54.430 --> 00:45:03.170
In July of 2006, Adamo Bove who was a network employee at Telecom Italia was found dead under

00:45:03.170 --> 00:45:05.740
a bypass in Naples.

00:45:05.740 --> 00:45:08.640
It looked like he had jumped to his death.

00:45:08.640 --> 00:45:18.359
Adamo had uncovered a network of illegal wiretaps inside Telecom Italia and was an informer

00:45:18.359 --> 00:45:22.589
to the Italian prosecutor looking into the scandal.

00:45:22.589 --> 00:45:24.270
He was a whistleblower.

00:45:24.270 --> 00:45:27.660
Here’s Al Jazeera covering the story.

00:45:27.660 --> 00:45:30.910
JULIANA: [MUSIC] Hello, and welcome to People and Power.

00:45:30.910 --> 00:45:31.990
I’m Juliana Ruhfus.

00:45:31.990 --> 00:45:37.349
It’s July 2006 and Adamo Bove, head of security at Telecom Italia, falls to his death from

00:45:37.349 --> 00:45:39.040
a motorway bridge in Naples.

00:45:39.040 --> 00:45:41.290
Did he jump or was he pushed?

00:45:41.290 --> 00:45:47.180
It’s a mysterious death but the former policeman was working on mysterious cases.

00:45:47.180 --> 00:45:51.940
Italian prosecutors had asked Bove to investigate the role of the American and Italian military

00:45:51.940 --> 00:45:58.680
Secret Services in the abduction of Egyptian cleric Abu Omar in Milan, 2003.

00:45:58.680 --> 00:46:03.339
Tracing mobile phone calls, Bove inadvertently stumbled upon a vast secret call interception

00:46:03.339 --> 00:46:05.780
system inside Telecom Italia.

00:46:05.780 --> 00:46:11.770
Politicians, bankers, businessmen, even footballers and referees were being monitored.

00:46:11.770 --> 00:46:15.500
This was a scandal that went right into the nerve center of Italian power.

00:46:15.500 --> 00:46:21.069
JACK: Phew, there’s so many similarities between the death of Adamo and the death of

00:46:21.069 --> 00:46:22.740
Kostas.

00:46:22.740 --> 00:46:27.559
They both worked for a major telecom provider, both telecom providers had recently discovered

00:46:27.559 --> 00:46:33.119
illegal wiretapping going on internally, and both of their deaths looked really suspicious.

00:46:33.119 --> 00:46:38.170
Yet these two cases happened in two totally different countries.

00:46:38.170 --> 00:46:43.839
After Adamo’s death in Italy, the press continued speculating on the parallels

00:46:43.839 --> 00:46:45.710
between the two deaths.

00:46:45.710 --> 00:46:51.400
On September 26th, after Kostas’s family appealed the court ruling, the court of appeals

00:46:51.400 --> 00:47:00.610
once again reached a verdict that Kostas died of suicide and his case was closed.

00:47:00.610 --> 00:47:10.410
[MUSIC] With the ADAE investigations complete, Vodafone and Ericsson were placed on the firing

00:47:10.410 --> 00:47:11.410
line.

00:47:11.410 --> 00:47:18.150
On December 14th, 2006, Vodafone was fined 76 million euros by ADAE.

00:47:18.150 --> 00:47:21.910
They blamed the company for not protecting its network well enough.

00:47:21.910 --> 00:47:23.400
It didn’t end there.

00:47:23.400 --> 00:47:27.380
They said they thought there was an insider at Vodafone that gained the right access to

00:47:27.380 --> 00:47:28.619
install the malware.

00:47:28.619 --> 00:47:36.141
A year later in October 2007, they were fined again; this time 19.1 million euros by the

00:47:36.141 --> 00:47:41.530
national telecommunications regulator for breaching privacy rules.

00:47:41.530 --> 00:47:47.579
That brought the total fines to Vodafone Greece in at 95 million euros.

00:47:47.579 --> 00:47:51.119
Ericsson didn’t escape fines or blame either.

00:47:51.119 --> 00:47:57.920
The ADAE gave Ericsson a fine for 7.3 million euros based off their belief that the malware

00:47:57.920 --> 00:48:02.730
couldn’t have been installed or operated without in-depth knowledge of Ericsson’s

00:48:02.730 --> 00:48:03.730
systems.

00:48:03.730 --> 00:48:08.490
So, Ericsson took some damage for this, too.

00:48:08.490 --> 00:48:12.849
Five years later, Kostas’s death was officially brought up again.

00:48:12.849 --> 00:48:17.300
Still, the family was not convinced it was suicide and now they had new evidence.

00:48:17.300 --> 00:48:24.070
[MUSIC] On February 8th, 2012, Kostas’s family presented new evidence to get the investigation

00:48:24.070 --> 00:48:25.070
reopened.

00:48:25.070 --> 00:48:29.200
They had two new coroner’s reports from independent experts who cast doubt on the

00:48:29.200 --> 00:48:30.790
suicide verdict.

00:48:30.790 --> 00:48:37.000
The knots on Kostas’s noose, they were in fact a complex knot, not a simple everyday

00:48:37.000 --> 00:48:40.540
knot that the first coroner had reported.

00:48:40.540 --> 00:48:44.660
The rope position around Kostas’s neck and the presence of fluid in his lungs was more

00:48:44.660 --> 00:48:50.250
consistent with strangulation than hanging but there was no evidence of hypostasis where

00:48:50.250 --> 00:48:54.710
the blood collects in the legs which would have been expected in the case of hanging.

00:48:54.710 --> 00:48:58.579
The second coroner’s report also pointed out features missing which would have been

00:48:58.579 --> 00:49:01.520
expected in a hanging death.

00:49:01.520 --> 00:49:06.510
Projecting of the tongue, cyanosis of the face, injuries of the lower body from spasms,

00:49:06.510 --> 00:49:12.010
and limbs hitting off nearby walls or furniture. Both concluded although suicide was still

00:49:12.010 --> 00:49:17.560
possible, exhuming the body for further examination and testing for poisons would be a positive

00:49:17.560 --> 00:49:24.150
next step, a step that the family had wanted authorities to take back in 2006 but were

00:49:24.150 --> 00:49:25.150
denied.

00:49:25.150 --> 00:49:31.420
Two months after that, five years after Kostas died, his body was exhumed, dug up so they

00:49:31.420 --> 00:49:33.940
could test his body for toxins.

00:49:33.940 --> 00:49:37.760
The toxicology report for poisons was negative.

00:49:37.760 --> 00:49:42.720
Kostas had not been poisoned or drugged before his death but now that they had the body to

00:49:42.720 --> 00:49:48.069
look at again, they found Kostas’s hyoid bone was, in fact, broken.

00:49:48.069 --> 00:49:52.900
This is a U-shaped bone in the front of the neck but the original autopsy report said

00:49:52.900 --> 00:49:53.940
it wasn’t broken.

00:49:53.940 --> 00:50:01.000
A broken hyoid bone is consistent with strangulation and not with death by hanging.

00:50:01.000 --> 00:50:06.369
This could have happened after his death, like when he was buried or exhumed, so it’s

00:50:06.369 --> 00:50:10.619
impossible to know for sure when this hyoid bone was broken.

00:50:10.619 --> 00:50:17.150
All this evidence combined resulted in a final report that Kostas’s death remained unclarified.

00:50:17.150 --> 00:50:24.460
But on June 16th, 2014, the Athens Court of First Instance closed this second investigation.

00:50:24.460 --> 00:50:30.440
They did the same as the last investigation; they upheld the ruling of suicide and allowed

00:50:30.440 --> 00:50:34.619
the case to be closed and archived.

00:50:34.619 --> 00:50:39.990
Despite new evidence, Kostas’s family were told he had still taken his own life.

00:50:39.990 --> 00:50:43.809
The family took the case to the European Court of Human Rights.

00:50:43.809 --> 00:50:49.589
They were determined to get a full and proper investigation for Kostas into how he had died

00:50:49.589 --> 00:50:54.430
and any connection to his death with the wiretapping scandal at Vodafone, Greece.

00:50:54.430 --> 00:50:59.549
While they awaited the court’s ruling, an investigation by James Bamford for The

00:50:59.549 --> 00:51:01.690
Intercept suddenly appeared.

00:51:01.690 --> 00:51:07.150
He’d been working with the Greek newspaper Kathimerini and one of their journalists,

00:51:07.150 --> 00:51:13.559
Angelos Petropoulos, and what they found out would turn this case on its head.

00:51:13.559 --> 00:51:21.359
[MUSIC] In September 2014, a journalist named James Bamford spent three days in Moscow interviewing

00:51:21.359 --> 00:51:26.710
Edward Snowden for a cyber-crime documentary that he was producing for PBS.

00:51:26.710 --> 00:51:32.260
While there, he spotted some interesting stuff in some of Snowden’s unpublished NSA documents

00:51:32.260 --> 00:51:36.400
that talked about Greek wiretapping.

00:51:36.400 --> 00:51:41.590
This was a case that James was following since it was first publicized back in 2006, so he

00:51:41.590 --> 00:51:42.590
was curious.

00:51:42.590 --> 00:51:46.050
He knew about the death of Kostas and decided to do some digging.

00:51:46.050 --> 00:51:51.920
Joining forces with Angelos Petropoulos at Kathimerini, the pair uncovered the real story

00:51:51.920 --> 00:51:55.200
that had stayed in the shadows throughout the case.

00:51:55.200 --> 00:51:58.850
It all goes back to 2004; Olympic Games in Athens.

00:51:58.850 --> 00:52:04.369
This was a huge opportunity for Greece, an honor to host an important international event

00:52:04.369 --> 00:52:08.790
and they spent over seven billion euros designing, building venues, and updating infrastructures

00:52:08.790 --> 00:52:10.849
in Athens and across Greece.

00:52:10.849 --> 00:52:14.850
They were doing everything they could to showcase Greece to the Olympics around the world to

00:52:14.850 --> 00:52:16.650
ensure their success.

00:52:16.650 --> 00:52:21.839
But these Olympics were going to be the first Summer Games to be held outside the US since

00:52:21.839 --> 00:52:23.380
9/11.

00:52:23.380 --> 00:52:24.510
Everyone was on high alert.

00:52:24.510 --> 00:52:29.410
Now, I really wanted to stick my head in this story and understand this as best as I could.

00:52:29.410 --> 00:52:32.980
So, I called up one of my listeners who grew up in Greece.

00:52:32.980 --> 00:52:33.980
SPKR1: Hey, Jack.

00:52:33.980 --> 00:52:34.980
JACK: Hello.

00:52:34.980 --> 00:52:35.980
How’s it going?

00:52:35.980 --> 00:52:36.980
SPKR1: Oh, good, thanks.

00:52:36.980 --> 00:52:37.980
How are you?

00:52:37.980 --> 00:52:42.579
JACK: I don’t want to say his name because he is actually connected to this story in

00:52:42.579 --> 00:52:45.799
some way but he didn’t want to talk about that publicly.

00:52:45.799 --> 00:52:49.650
But the thing that you should know is that he’s been following this story all his life.

00:52:49.650 --> 00:52:57.463
SPKR1: This story kind of broke when I was much younger and it was the first kind of

00:52:57.463 --> 00:53:02.400
introduction I had into the world of cyber-security, wiretapping, and just the culture.

00:53:02.400 --> 00:53:08.650
I followed it from day one and I think it’s what got me to the place I am today.

00:53:08.650 --> 00:53:12.450
JACK: Yeah, so as an eleven-year-old, this was really fascinating to him; seeing this

00:53:12.450 --> 00:53:14.619
on the news, hearing his parents talk about this.

00:53:14.619 --> 00:53:20.349
So, he was Googling things like wiretapping and how to do wiretapping and different hacking

00:53:20.349 --> 00:53:22.370
techniques and things like that.

00:53:22.370 --> 00:53:26.849
Today, he’s a penetration tester for some really big companies.

00:53:26.849 --> 00:53:30.530
It’s fascinating to see how this story had a ripple effect on him.

00:53:30.530 --> 00:53:36.390
I asked him what kind of terrorist activity has there been in Athens leading up to the

00:53:36.390 --> 00:53:38.480
2004 Athens Olympics?

00:53:38.480 --> 00:53:40.960
He told me about this one terrorist group.

00:53:40.960 --> 00:53:47.610
SPKR1: Which is known as the 17th of November.

00:53:47.610 --> 00:53:54.589
They were a far-left terrorist group formed in – sometime around 1975.

00:53:54.589 --> 00:54:01.970
Mainly they wanted the removal of US military bases from Greece and they wanted Turkey out

00:54:01.970 --> 00:54:07.579
of Cyprus who had invaded in 1974.

00:54:07.579 --> 00:54:13.300
Now to do this, they had murdered countless US individuals.

00:54:13.300 --> 00:54:23.251
They murdered the Athens CIA Station Chief Richard Welch, they attempted to murder one

00:54:23.251 --> 00:54:32.760
of the most prominent Greek businessmen called Vardis Vardinogiannis in a failed IED attack

00:54:32.760 --> 00:54:33.890
on his armored car.

00:54:33.890 --> 00:54:42.400
They murdered several Greek police members including the Greek police chief as well as

00:54:42.400 --> 00:54:45.869
a UK brigadier called Stephen Saunders.

00:54:45.869 --> 00:54:49.880
JACK: Not only that; I think these guys were the ones that sent the bomb threat to Air

00:54:49.880 --> 00:54:53.310
Force One when President Bill Clinton came to Greece.

00:54:53.310 --> 00:54:57.970
The key members of this November 17th terrorist group did get caught and it ultimately got

00:54:57.970 --> 00:55:03.070
them disbanded but yeah, there was some terrorist activity before the Greek Olympics; a lot

00:55:03.070 --> 00:55:04.070
of it.

00:55:04.070 --> 00:55:07.650
This gives us a better perspective of what Greece must have been thinking leading up

00:55:07.650 --> 00:55:09.060
to these Olympics.

00:55:09.060 --> 00:55:13.109
Was November 17th going to come together again and do something?

00:55:13.109 --> 00:55:16.390
Greece is sort of the border between western culture and eastern culture.

00:55:16.390 --> 00:55:21.240
It’s got a mix of communism and capitalism and there’s a lot of people who feel very

00:55:21.240 --> 00:55:24.420
opinionated on which way Greece should swing.

00:55:24.420 --> 00:55:30.589
The Greek government was concerned, very concerned, about terrorist attacks.

00:55:30.589 --> 00:55:36.339
When James Bamford, a journalist for The Intercept, looked over some unreleased NSA documents

00:55:36.339 --> 00:55:41.960
that Edward Snowden had, he saw something in it that took him by surprise.

00:55:41.960 --> 00:55:48.670
He found documents that show the NSA has routinely approached host countries of the Olympics

00:55:48.670 --> 00:55:52.440
to offer help and support in providing intelligence security.

00:55:52.440 --> 00:55:57.819
I mean, the NSA has the experience, the kit, and the expertise that a lot of these countries

00:55:57.819 --> 00:55:58.819
don’t.

00:55:58.819 --> 00:56:03.569
Greece just wasn’t ready or capable to carry out any kind of mass surveillance like this.

00:56:03.569 --> 00:56:08.319
According to these Snowden documents, the NSA started working with the Greek National

00:56:08.319 --> 00:56:12.099
Intelligence Service in the two years running up to the games.

00:56:12.099 --> 00:56:17.490
But according to Greek law, it was illegal for the government to wiretap phones.

00:56:17.490 --> 00:56:21.020
Initially, the Greek government did not want to do this.

00:56:21.020 --> 00:56:25.290
They were hesitant at least, but they were nervous about a potential terrorist attack

00:56:25.290 --> 00:56:32.770
at the Olympics and the help of the NSA for the Greek government was valuable, so the

00:56:32.770 --> 00:56:38.941
Greek government secretly agreed to let the NSA into the Greek telecom system for the

00:56:38.941 --> 00:56:41.539
period of the Olympic Games.

00:56:41.539 --> 00:56:46.430
James Bamford is a seasoned journalist who’s exposed the NSA a few times before.

00:56:46.430 --> 00:56:49.700
He’s been writing about them for years, bringing up a lot of dark things into the

00:56:49.700 --> 00:56:50.700
light.

00:56:50.700 --> 00:56:55.040
He’s written for Foreign Policy magazine, The New York Times, Wired, The Intercept,

00:56:55.040 --> 00:56:58.970
and he’s published a few books on the NSA too, all New York Times best-sellers.

00:56:58.970 --> 00:57:04.470
So, he’s pretty familiar with all what’s going on there and he has insider sources

00:57:04.470 --> 00:57:05.650
everywhere.

00:57:05.650 --> 00:57:10.839
He gave a talk at a conference called DeepSec in Vienna, Austria in November, 2015.

00:57:10.839 --> 00:57:12.640
[BACKGROUND TALK] It’s amazing.

00:57:12.640 --> 00:57:14.970
This YouTube video of his talk is a gem.

00:57:14.970 --> 00:57:18.560
He shows us top-secret Snowden docs and so much more.

00:57:18.560 --> 00:57:22.420
It’s been up for four years but only has 290 views.

00:57:22.420 --> 00:57:23.430
But let’s listen in on it.

00:57:23.430 --> 00:57:27.599
JAMES: The very first thing is the NSA will come into a country and they’ll say look,

00:57:27.599 --> 00:57:34.180
you’re gonna have the World Cup or you’re gonna have the Olympics or you’re gonna

00:57:34.180 --> 00:57:35.180
have some big event.

00:57:35.180 --> 00:57:42.250
Well, you need us because we can tell you when there’s gonna be a terrorist event

00:57:42.250 --> 00:57:45.420
because we can search through all the communications.

00:57:45.420 --> 00:57:50.900
Have us come in, have us bug your whole telecom system, and we can help you.

00:57:50.900 --> 00:57:52.829
We’re there to help you.

00:57:52.829 --> 00:57:59.609
That’s what they did; they got the permission from the Greek government to come in and do

00:57:59.609 --> 00:58:01.740
the bugging.

00:58:01.740 --> 00:58:06.910
What this document here from the Snowden archive talks about is they’ve been doing this for

00:58:06.910 --> 00:58:07.910
years.

00:58:07.910 --> 00:58:15.250
The NSA has been going around to various Olympic venues and saying we’re here to help and

00:58:15.250 --> 00:58:19.809
let us come in and bug all your phones, and after it’s over we’ll disappear and you’ll

00:58:19.809 --> 00:58:20.970
never hear from us again.

00:58:20.970 --> 00:58:25.849
JACK: James goes on to explain that for the NSA to be most effective, they need someone

00:58:25.849 --> 00:58:29.330
good at HUMINT which is human intelligence.

00:58:29.330 --> 00:58:33.530
They needed someone to be inside Vodafone Greece to help with this malware.

00:58:33.530 --> 00:58:40.330
So, to help with this, James says they used a CIA agent named William Basil.

00:58:40.330 --> 00:58:44.970
He was perfect for this; he spoke Greek, he had Greek family, he was familiar with Greece,

00:58:44.970 --> 00:58:47.329
and at the same time, he was working for the CIA.

00:58:47.329 --> 00:58:52.420
James believed this guy Basil posed as the First Secretary of Regional Affairs for the

00:58:52.420 --> 00:58:58.020
US embassy, something that might sound official but may be not an actual role.

00:58:58.020 --> 00:59:03.460
This guy Basil would go around recruiting insiders to help him out with this hack.

00:59:03.460 --> 00:59:09.430
JAMES: Basically, now you’ve got the inside – you’ve got the agreement of the government,

00:59:09.430 --> 00:59:12.579
you’ve got the inside person, you’ve got the malware, you’ve got the external intercept

00:59:12.579 --> 00:59:15.490
operations going.

00:59:15.490 --> 00:59:21.450
What now was needed was some way to get that information after it’s been collected, after

00:59:21.450 --> 00:59:24.510
it’s been intercepted, basically, in Vodafone.

00:59:24.510 --> 00:59:30.070
JACK: James goes on to explain how the shadow phones were all set up and how a mobile phone

00:59:30.070 --> 00:59:32.180
would ring whenever one of the numbers were dialed.

00:59:32.180 --> 00:59:34.869
JAMES: [MUSIC] It was a very good setup.

00:59:34.869 --> 00:59:40.280
You’ve got the agreement of the government, you put them in there, look for terrorists

00:59:40.280 --> 00:59:46.160
during the Olympics, keep everybody happy, get an inside person there, you get the malware,

00:59:46.160 --> 00:59:52.240
then you exfiltrate the intercepting communications to these untraceable cell phones and then

00:59:52.240 --> 00:59:55.000
that puts it into NSA.

00:59:55.000 --> 01:00:01.940
JACK: Okay, well, then the Olympics take place and there were no terrorist attacks during

01:00:01.940 --> 01:00:03.760
the Olympics, so all went well.

01:00:03.760 --> 01:00:05.789
JAMES: That’s supposed to be the end of the operation.

01:00:05.789 --> 01:00:14.319
The NSA is supposed to take it all out, fly it back to Fort Meade and say goodbye to the

01:00:14.319 --> 01:00:17.150
Greek government and the Greek telecom system.

01:00:17.150 --> 01:00:23.740
The problem was, according to my confidential source, they never removed it.

01:00:23.740 --> 01:00:28.950
All they did was they turned it off for a day and then they turned it back on again.

01:00:28.950 --> 01:00:35.579
But now, instead of going after the terrorists which is the whole raison d’être for the

01:00:35.579 --> 01:00:39.849
operation in the first place, now they’re secretly turning it on the Greek government;

01:00:39.849 --> 01:00:42.170
they’re turning it on the prime minister, his wife.

01:00:42.170 --> 01:00:45.750
I don’t know why, but they did, and the mayor of Athens.

01:00:45.750 --> 01:00:49.849
JACK: Then James goes on to say that this is not the only time the NSA has wiretapped

01:00:49.849 --> 01:00:52.950
a friendly country to listen in on the leaders’ phone calls.

01:00:52.950 --> 01:00:57.730
There was a Wikileaks article that came out which said that in 2009, the NSA was wiretapping

01:00:57.730 --> 01:01:02.920
Angela Merkel’s phone in Germany as well as 124 other top German officials.

01:01:02.920 --> 01:01:07.619
See, while of course we can assume the NSA is wiretapping countries which are adversaries,

01:01:07.619 --> 01:01:14.260
it’s just shocking for us to hear that the NSA is wiretapping friendly nations like this.

01:01:14.260 --> 01:01:16.530
JAMES: This is just standard operating procedure.

01:01:16.530 --> 01:01:25.540
I mentioned this to a senior NSA source and said, you know, is this unusual or what?

01:01:25.540 --> 01:01:27.480
He laughed and he says they never remove it.

01:01:27.480 --> 01:01:28.480
Are you kidding?

01:01:28.480 --> 01:01:31.760
Once you got it in there, you leave it in there.

01:01:31.760 --> 01:01:34.010
That’s just standard operating procedure for NSA.

01:01:34.010 --> 01:01:39.450
JACK: Hm, that’s a bait-and-switch move; get the agreement first, then when the people

01:01:39.450 --> 01:01:42.079
aren’t looking, switch the parameters of what you’re doing.

01:01:42.079 --> 01:01:47.099
If it hadn’t been for that update in January 2005 causing the text message errors,

01:01:47.099 --> 01:01:50.109
it could’ve gone on for way longer.

01:01:50.109 --> 01:01:55.680
Since the official reports of the ADAE back in 2006, publicly at least, it seemed little

01:01:55.680 --> 01:01:59.010
ground had been gained in figuring out who these hackers were.

01:01:59.010 --> 01:02:03.089
Official investigations had gone quiet with no new information coming to light.

01:02:03.089 --> 01:02:06.710
But the Greek authorities had been working in the background and they were focused on

01:02:06.710 --> 01:02:08.760
these shadow phones.

01:02:08.760 --> 01:02:11.900
It was the only lead they had to try to trace these hackers.

01:02:11.900 --> 01:02:16.260
They managed to trace some of the signals from these shadow phones through four active

01:02:16.260 --> 01:02:18.200
Vodafone antennas.

01:02:18.200 --> 01:02:22.080
Even though these phones had been turned off as soon as the malware was detected, investigators

01:02:22.080 --> 01:02:23.609
found new clues.

01:02:23.609 --> 01:02:27.920
They were able to trace the direction of the signals which pointed directly to the US embassy

01:02:27.920 --> 01:02:28.920
in Athens.

01:02:28.920 --> 01:02:33.401
They also detected nearly forty calls to the US embassy that had been made by one of the

01:02:33.401 --> 01:02:35.290
shadow phones using a SIM card.

01:02:35.290 --> 01:02:41.040
Plus, they discovered that these shadow phones connected calls to cell towers that were near

01:02:41.040 --> 01:02:44.160
NSA’s US headquarters in Maryland.

01:02:44.160 --> 01:02:46.670
The evidence was starting to mount up.

01:02:46.670 --> 01:02:52.119
SPKR2: There is one thing which I think kind of has gone over the head of – managed itself

01:02:52.119 --> 01:02:58.190
of everyone that was – had reported on this issue which is – at the same time this wiretapping

01:02:58.190 --> 01:03:05.630
was going on there was a massive blimp that was kind of like a Zeppelin, one of those

01:03:05.630 --> 01:03:07.910
air ships, that was flying around.

01:03:07.910 --> 01:03:10.609
I think it had a sixteen-hour flight time.

01:03:10.609 --> 01:03:17.630
The blimp was called Skyship 600 owned by Skycruise Switzerland which had cameras that

01:03:17.630 --> 01:03:21.089
were capable of reading license plates.

01:03:21.089 --> 01:03:27.680
It had microphones that were capable of picking up phone calls from the air.

01:03:27.680 --> 01:03:33.529
They could listen in on all phone calls on the ground.

01:03:33.529 --> 01:03:41.069
They had chemical detectors and this is also something that riled up a lot of people who

01:03:41.069 --> 01:03:47.270
were seeing this massive impeachment on our privacy.

01:03:47.270 --> 01:03:48.360
We don’t want this here.

01:03:48.360 --> 01:03:53.200
JACK: The Greek authorities managed to identify a cell phone store in the city of Piraeus

01:03:53.200 --> 01:03:55.299
about six miles away from Athens.

01:03:55.299 --> 01:03:58.210
It was there that four of the shadow phones had been purchased.

01:03:58.210 --> 01:04:04.000
They sat the owner down and showed him photos, and he recognized someone in one of the photos.

01:04:04.000 --> 01:04:09.470
She was the wife of the First Secretary of Regional Affairs which was the title of William

01:04:09.470 --> 01:04:14.619
Basil, the CIA agent based working out of the US embassy in Athens.

01:04:14.619 --> 01:04:19.890
It had been his wife who originally purchased the shadow phones and again, it was journalist

01:04:19.890 --> 01:04:23.819
James Bamford who exposed the CIA agent and what he was doing.

01:04:23.819 --> 01:04:29.480
In February 2014, nine years after the wiretapping had been discovered, the Greek government

01:04:29.480 --> 01:04:36.040
had issued an international arrest warrant for William Basil as a suspected CIA agent

01:04:36.040 --> 01:04:38.540
working out of the US embassy in Athens.

01:04:38.540 --> 01:04:41.849
He was charged with espionage and eavesdropping.

01:04:41.849 --> 01:04:47.410
This was an unbelievably rare move for an ally country to take and one that most of

01:04:47.410 --> 01:04:50.549
the media, at least outside of Greece, didn’t even catch.

01:04:50.549 --> 01:04:55.710
But the Greeks were now confident that Basil was deeply involved in this attack on their

01:04:55.710 --> 01:04:56.790
government.

01:04:56.790 --> 01:05:00.140
By extension, that implicated the US, too.

01:05:00.140 --> 01:05:03.289
Did he recruit an insider to do this attack?

01:05:03.289 --> 01:05:05.180
Did he recruit Kostas?

01:05:05.180 --> 01:05:08.359
These are questions we’ll never know the answers to.

01:05:08.359 --> 01:05:12.059
Kostas would have been an excellent insider at Vodafone Greece.

01:05:12.059 --> 01:05:16.700
He was in the perfect position to access all the networks they needed but he could have

01:05:16.700 --> 01:05:20.109
also been entirely innocent in all this, too.

01:05:20.109 --> 01:05:23.849
Sixteen years on, and we still don’t know.

01:05:23.849 --> 01:05:27.390
Basil himself is now nowhere to be found.

01:05:27.390 --> 01:05:30.780
Right after the hack was discovered, he disappeared from Greece.

01:05:30.780 --> 01:05:37.060
In August 2005, he returned to his job in the US embassy in Athens but Basil was First

01:05:37.060 --> 01:05:39.570
Secretary; he had diplomatic immunity.

01:05:39.570 --> 01:05:41.430
He couldn’t be arrested.

01:05:41.430 --> 01:05:47.280
But in 2014, Basil retired which meant he didn’t have diplomatic immunity anymore.

01:05:47.280 --> 01:05:54.400
[MUSIC] So, he disappeared and now the Greek government can’t find him and is still looking

01:05:54.400 --> 01:05:57.060
for him.

01:05:57.060 --> 01:06:01.609
The case of Kostas’s death was reopened for the third time.

01:06:01.609 --> 01:06:06.029
The first two investigations were scrutinized; the new coroner report raising doubts about

01:06:06.029 --> 01:06:10.260
his death being suicide were examined and all the information about the wiretapping

01:06:10.260 --> 01:06:11.260
was available.

01:06:11.260 --> 01:06:17.720
So, on June 21st, 2018 the Athens prosecutor ruled that Kostas was, in fact, murdered.

01:06:17.720 --> 01:06:25.020
On November 16th, 2017, the European Court of Human Rights ruled in favor of Kostas’s

01:06:25.020 --> 01:06:26.020
family.

01:06:26.020 --> 01:06:30.900
The court agreed Kostas’s death was not on both occasions investigated fully despite

01:06:30.900 --> 01:06:33.220
clear inconsistencies around his death.

01:06:33.220 --> 01:06:39.069
The Greek government was ordered to pay the Tsalikidis family 50,000 euros in damages.

01:06:39.069 --> 01:06:43.819
An arrest warrant for murder was issued for persons unknown.

01:06:43.819 --> 01:06:47.630
Kostas hadn’t taken his own life back in March 2005.

01:06:47.630 --> 01:06:50.559
Someone had killed him and staged his death.

01:06:50.559 --> 01:06:56.589
We will never know for certain what role Kostas played in this affair and what exactly happened

01:06:56.589 --> 01:06:59.360
to him on March 9th, 2005.

01:06:59.360 --> 01:07:01.650
Maybe his death had nothing to do with this hack.

01:07:01.650 --> 01:07:06.819
It’s only speculation to believe it did but it’s very suspicious because, I mean,

01:07:06.819 --> 01:07:12.220
if Kostas got recruited to help stop terrorists, okay, he might have gone for that.

01:07:12.220 --> 01:07:17.450
But then when the tides changed and now they’re spying on the prime minister, and then when

01:07:17.450 --> 01:07:22.059
all that was discovered, I could see why Kostas might have wanted to quit his job.

01:07:22.059 --> 01:07:24.809
I could see him getting into a panic.

01:07:24.809 --> 01:07:29.950
It’s not unheard of that the CIA might try to murder someone.

01:07:29.950 --> 01:07:35.520
But then at the same time, the Greek government allowed this illegal wiretapping to begin

01:07:35.520 --> 01:07:39.740
with, so maybe the Greek government didn’t want to let the cat out of the bag because

01:07:39.740 --> 01:07:41.800
it would make them look bad.

01:07:41.800 --> 01:07:47.210
Kostas loved his family and his job and his country; if he was wrapped up in all of this,

01:07:47.210 --> 01:07:49.510
it would have certainly been stressful for him.

01:07:49.510 --> 01:07:55.840
But now he’s dead with no answers as to why.

01:07:55.840 --> 01:08:00.470
The hack into Vodafone Greece for their government’s secrets has never resurfaced in terms of what

01:08:00.470 --> 01:08:01.880
information was gained.

01:08:01.880 --> 01:08:03.869
Like, was it even worth it?

01:08:03.869 --> 01:08:08.539
Whether the malware used here was installed entirely remotely or maybe it was physically

01:08:08.539 --> 01:08:11.320
installed on those switches, we don’t know for sure.

01:08:11.320 --> 01:08:14.770
There’s a reason this case has been called the Greek Watergate.

01:08:14.770 --> 01:08:19.580
It’s the modern version of the Richard Nixon Watergate that’s so well-known; breaking

01:08:19.580 --> 01:08:24.520
into offices out of hours and installing hidden microphones to be replaced with sophisticated

01:08:24.520 --> 01:08:25.520
malware?

01:08:25.520 --> 01:08:30.179
Automated call-monitoring and hidden identities whose real faces remain in the shadows?

01:08:30.179 --> 01:08:35.040
It’s still kind of weird to me that Ericsson, the makers of these telecom switches, was

01:08:35.040 --> 01:08:37.580
fined seven million euros.

01:08:37.580 --> 01:08:42.680
Because they didn’t secure it enough to keep the NSA from developing malware on it?

01:08:42.680 --> 01:08:47.409
Because the Greek government secretly allowed the NSA to install the software?

01:08:47.409 --> 01:08:53.350
The fine on Ericsson and Vodafone Greece just didn’t seem fair at the end of all this

01:08:53.350 --> 01:08:58.840
because this was approved by the Greek government and then the Greek government fined them for

01:08:58.840 --> 01:08:59.840
it?

01:08:59.840 --> 01:09:06.120
SPKR2: Well, I mean, the NSA did switch off the wiretapping tools for one day but then

01:09:06.120 --> 01:09:11.480
they switched them back on and put in a list of hundred-plus government officials.

01:09:11.480 --> 01:09:21.870
I think that’s why the fine came down, because if you’re Vodafone and you have knowingly

01:09:21.870 --> 01:09:28.710
put this software onto your systems, you’re not gonna go and do an in-depth post-mortem

01:09:28.710 --> 01:09:31.359
to make sure it’s actually been removed.

01:09:31.359 --> 01:09:32.989
JACK: Yeah, definitely.

01:09:32.989 --> 01:09:38.290
If I was working at Vodafone and I agreed to let the NSA come in to do some wiretapping,

01:09:38.290 --> 01:09:42.920
not only would I make sure to wipe it afterwards thoroughly, but I would probably opt for just

01:09:42.920 --> 01:09:46.730
burning those switches entirely and buying new ones.

01:09:46.730 --> 01:09:53.679
But wait a minute, so if the NSA went to Greece to get this approval, they must have met with

01:09:53.679 --> 01:09:58.100
Greece’s national intelligence service which is known as E-Y-P or EYP.

01:09:58.100 --> 01:10:03.760
If EYP was involved with this wiretapping, were they also involved with the investigation

01:10:03.760 --> 01:10:05.530
of this afterwards?

01:10:05.530 --> 01:10:13.210
SPKR2: The chief of EYP at the time was an individual called Yannis Korantis, I believe,

01:10:13.210 --> 01:10:23.950
and he testified in front of a parliamentary hearing that, due to the malware being removed,

01:10:23.950 --> 01:10:32.110
the deletion of the logs of this and that and the other, that severely hindered their

01:10:32.110 --> 01:10:33.110
operation.

01:10:33.110 --> 01:10:34.340
JACK: Oh, this is endless.

01:10:34.340 --> 01:10:38.850
It’s so crazy that they specifically said there wasn’t enough evidence to properly

01:10:38.850 --> 01:10:39.980
investigate this.

01:10:39.980 --> 01:10:44.000
Of course they would say that because that’s a defense mechanism if they wanted to hide

01:10:44.000 --> 01:10:46.380
their own tracks. Aargh!

01:10:46.380 --> 01:10:50.670
This just brings up so many more questions I have, like did the CEO of Vodafone even

01:10:50.670 --> 01:10:53.980
know that this deal was going on with the NSA?

01:10:53.980 --> 01:10:56.270
What approvals did the NSA get?

01:10:56.270 --> 01:11:01.680
Just the authorization to conduct wiretaps but not actual help from Vodafone to do it?

01:11:01.680 --> 01:11:07.020
Did the CIA agent recruit someone inside Vodafone or did the Greek government get someone inside

01:11:07.020 --> 01:11:08.540
Vodafone to help?

01:11:08.540 --> 01:11:13.070
Again, did the CEO of Vodafone have any awareness of any of this?

01:11:13.070 --> 01:11:17.360
In court he said no, but how could all this go on without him knowing?

01:11:17.360 --> 01:11:20.441
If approvals were given, then approvals were given; go ahead.

01:11:20.441 --> 01:11:26.179
But it just seems like the Greek government gave the NSA approval to conduct wiretaps

01:11:26.179 --> 01:11:29.489
but then didn’t give them any help to get into Vodafone.

01:11:29.489 --> 01:11:34.170
That’s some shady stuff that the Greek government is conducting here.

01:11:34.170 --> 01:11:40.080
Allowing a foreign country to not only wiretap people but also hack into its biggest telecom

01:11:40.080 --> 01:11:41.080
provider to do it?

01:11:41.080 --> 01:11:44.980
And then fine that telecom provider after it happened?

01:11:44.980 --> 01:11:50.409
It’s just nuts, and mostly because there’s a death involved in this case.

01:11:50.409 --> 01:11:52.380
Like, what the heck happened to Kostas?

01:11:52.380 --> 01:11:58.590
Let me be clear; there’s not many deaths involved in hacker stories that I can find.

01:11:58.590 --> 01:12:03.530
Not only that, but do you remember that Italian guy Adamo, where he was found dead after discovering

01:12:03.530 --> 01:12:05.719
wiretapping was going on in Telecom Italia?

01:12:05.719 --> 01:12:11.480
Yeah, well, get this; that year when Adamo found wiretapping going on in Telecom Italia

01:12:11.480 --> 01:12:16.650
was the same year that Italy hosted the Winter Olympics.

01:12:16.650 --> 01:12:22.051
Telecom Italia is the third-largest mobile network in Greece which makes me wonder, did

01:12:22.051 --> 01:12:26.150
people in Greece get tapped through Telecom Italia, too?

01:12:26.150 --> 01:12:30.630
Why didn’t any of this come to light or show up in the investigation either?

01:12:30.630 --> 01:12:33.110
I don’t even know what happened to Adamo, either.

01:12:33.110 --> 01:12:38.690
There’s so many questions but it’s been sixteen years now since this case opened and

01:12:38.690 --> 01:12:40.330
we still don’t have all the answers.

01:12:40.330 --> 01:12:46.860
There’s still at least two warrants for arrests that are open for espionage, eavesdropping,

01:12:46.860 --> 01:12:47.860
and murder.

01:12:47.860 --> 01:12:51.489
So, I’m sure this won’t be the last time we’ll hear about this case.

01:12:51.489 --> 01:12:56.920
SPKR2: The more questions that you ask, the more questions you’re provided with rather

01:12:56.920 --> 01:12:57.920
than answers.

01:12:57.920 --> 01:13:03.060
It’s kind of like an endless rabbit hole, that one thing leads to another, leads another,

01:13:03.060 --> 01:13:04.330
that leads to another.

01:13:04.330 --> 01:13:21.110
I don’t think, honestly, we’ll ever find out what the true extent of the story is.

01:13:21.110 --> 01:13:41.030
JACK (OUTRO): [OUTRO MUSIC] If you liked this episode, you should go check out Episode 48;

01:13:41.030 --> 01:13:45.670
it’s called Operation Socialist and it’s about another wiretapping affair that happened

01:13:45.670 --> 01:13:48.280
in Belgium.

01:13:48.280 --> 01:13:52.170
This show is made by me, the digital Hermes, Jack Rhysider.

01:13:52.170 --> 01:13:57.670
This episode was written by the sweet Pandea, Fiona Guy, sound design by the opulent Orpheus,

01:13:57.670 --> 01:14:02.219
Andrew Meriwether, and editing help this episode by the Electrona Damienne.

01:14:02.219 --> 01:14:08.840
Our theme music is by the exquisite Daedala crafter Breakmaster Cylinder.

01:14:08.840 --> 01:14:13.630
Even though I’m still waiting for my long-lost uncle who happened to be a Nigerian prince

01:14:13.630 --> 01:14:17.679
to send me his inheritance, this is Darknet Diaries.
