The great Greek wiretapping affair

On March 9, 2005 an engineer working for the Greek branch of Vodafone was found dead in his apartment. The next day, the chairman of Vodafone informed the Greek Prime Minister that his telephones, and those of the members of his government and other important people in the country had been tapped. And that was only the beginning… The story of this, probably the greatest phone hacking scandal in Europe, which occurred many years ago, is not widely known – something we will try to amend. Read on.

The mysterious death of an engineer

Costas Tsalikidis worked for the Greek branch of Vodafone for 11 years. From the beginning of his career, he was responsible for planning the architecture of the Company’s GSM, GPRS and UMTS networks. In February 2005, he allegedly handed in his resignation, but his employers persuaded him not to leave. On March 9, 2005, he was found dead in his apartment, with all the evidence pointing to suicide by hanging. His death coincided with the disclosure of the greatest phone hacking scandal in Greece, and probably also in Europe.

Errors in the delivery of messages

The first clue leading to the discovery of this affair was found on January 24, 2005. One of the exchanges, handling customer communications traffic in the Vodafone mobile phone network, generated a series of messages concerning errors, indicating that text messages from another operator had not been properly sent to customers. Unable to diagnose the cause of the error themselves, Vodafone technicians forwarded a dump of the exchange’s software to the company that had produced it, namely Ericsson. Five weeks later, on March 4, 2005, Ericsson sent them an amazing message – unauthorized software had been installed in the exchange and it was this that had caused the errors.

A long list of wiretaps

Over the next three days Vodafone technicians managed to isolate the added code fragment. Inside they found a list of 103 phone numbers, whose calls had been intercepted, tapped and sent on. The analysis of the numbers involved must have caused quite a stir. The list included: the Prime Minister of Greece and his wife, the ministers of defence, justice and internal affairs, the mayor of Athens, the Greek EU Commissioner, senior officials of the ministries of defence, public order, the merchant marine, and foreign affairs, the ruling party, the navy, senior police and special forces officers, representatives of human rights organizations and anti-globalization groups, journalists, Arab businessmen and one of the Greek employees at the US embassy in Athens. The technicians informed Vodafone’s management of the discovery. On March 8, Vodafone Chairman, Giorgos Kornias, ordered the removal of the unauthorized software, a step that made it practically impossible to carry out an effective investigation into the matter. The next day he met with the head of the prime minister’s political office and the minister for public order, informing them of the discovery. The next day, he informed the Prime Minister himself. Why did he not immediately notify the appropriate law enforcement agencies? This is one of the many questions that still lacks an answer.

How are mobile phone networks wiretapped?

To explain how someone could eavesdrop on the most important Greek politicians, we need to begin by discussing how legal wiretaps are made on mobile networks. Without going into the details of how connections are established, the most important area with regard to the process of tapping is the telephone exchange. This was once an enormous panel with lots of cables, but today is simply a large computer, which ensures that call traffic is directed where it needs to be, connecting subscribers within the framework of a single exchange, via another exchange or through a gateway that handles connections to other networks. In 2005 Vodafone was using an AXE exchange produced by Ericsson. As early as 2001 Ericsson introduced wiretapping interfaces complying with the ETSI ES 201 671 standard, as required by the law in many countries. In January 2003, Vodafone’s Greek exchanges installed the R9.1 version software, thus introducing a wiretapping function.

The tapping of a telephone exchange is effected in a quite simple way. One scenario involves the appropriate software making a copy of the entire inbound and outbound call traffic made by a given telephone number and sending this to another phone number. When the person being tapped makes a call, the second telephone number rings and when the call is picked up, the eavesdropper can listen to – or record – the whole conversation conducted by the person being tapped. In addition, information such as the location of the caller, the phone numbers participating in the call, or the call’s duration can be sent to a predetermined phone number in the form of a text message.

As this is a very sensitive area of a phone company’s business, wiretaps are not configured directly in the telephone exchange. This is handled by dedicated software – an Interception Management System, which features appropriate functions for recording all operations performed and for auditing of their correctness.

Ericsson wiretap scheme
Ericsson wiretap scheme

The recording of ordered wiretaps both at telephone exchange and IMS system level makes it possible to compare records and confirm that all wiretaps actually operating were ordered in accordance with the proper procedure. Vodafone’s problem however, consisted in the fact that while its AXE exchange already featured software enabling such eavesdropping, Vodafone had not yet purchased a system for wiretap management. Theoretically, this meant that no one could configure a wiretap – until they took control of the telephone exchange…

How long had this eavesdropping been going on?

The wiretapping was discovered in March 2005, but how long had it been in place? The investigation showed that malicious software, allowing unauthorized eavesdropping on conversations, had been installed on the first three exchanges, operating in the Vodafone network under the names MEAKS, MEAKF and MEAPS, between August 4 and August 10, 2004. Preparations for this operation had no doubt been underway much earlier.

The first 5 of the 14 prepaid cards that were used to receive (and probably record) intercepted calls were activated in the first days of June 2004. A further nine such cards appeared online on August 4. Between 9 and 11 of August the lists of numbers which were to be tapped were configured. Why on those days precisely? We do not know, but maybe some of you remember that the Olympic Games began in Athens on August 13, 2004. Should these two events be linked together? There is no direct evidence for this, but there is a very high probability that the primary purpose of the organization behind the wiretaps was to obtain first-hand information during the Olympics.

How not to catch perpetrators red-handed

Following the conclusion of the Olympics the wiretaps were not removed. Moreover, in October unauthorized software was installed on MEAP – the fourth telephone exchange. On January 24, 2005, this was used for the first time to eavesdrop a single telephone number. This operation led to problems with sending and delivery of text messages, which led to the detection of this affair. The wiretapping continued until March 8, 2005, when the chairman of Vodafone, on being informed about unauthorized software being found in the telephone exchange, ordered its removal. This operation had a disastrous effect on the investigation, which was instituted a few days later. The eavesdroppers, noticing that their program had stopped working, immediately guessed that they could be unmasked and so turned off all 14 phones that were illegally picking up and diverting calls. In this way, the investigators lost any chance of tracing the exact location of each of the phones used for wiretaps. Current technology, using triangulation techniques and measurements of signal strength, makes it possible to locate an active phone to within a few feet. However, it is not possible to locate a phone once it is turned off.

The location of phones – a coincidence?

However, not all was lost – the 14 phones with prepaid cards that had tapped calls left standard information about their location recorded in Vodafone’s systems. This was not detailed enough to identify the building or other place in which they were to be found, but it did not escape journalists’ attention that the central area of Athens, where the sought after handsets were located, is also the location of the US Embassy and the operating ranges of the bugged telephone exchanges overlap above its territory.

Location of phones used to receive wiretapped signal
Location of phones used to receive wiretapped signal

What the phone records tell us

Investigators also very carefully looked through the phone billing records of the 14 numbers generated during the illegal wiretapping operations. They found they only contained incoming calls and – where the caller’s identification was possible – they interrogated the callers. It turned out, however, that the practice of returning unused prepaid numbers to the pool of numbers could cause the users to make calls mistakenly thinking that the number they were calling, still belonged to someone else – and in the meantime had already been bought by the organizers of the wiretap.

In the phone billing records investigators also came across very brief calls, lasting just a few seconds. These may mean that the phones recording calls were remotely controlled by their owners – a few seconds being enough to send a command, for example to transfer recorded calls to a server. The handsets themselves could for instance have been in an empty, rented apartment. Unfortunately, neither analysis of the billing records nor location data or the top-ups of the phone accounts led to any conclusions apart from a suspicion that Americans were involved in the scandal.

Phone records also helped determine how the system was configured to receive forwarded calls. 103 tapped numbers were diverted to just 14 other numbers. This disparity stems from the eavesdroppers taking advantage of the fact of it being pretty unlikely that all 103 tapped numbers would make calls at the same time. However, the eavesdroppers also secured against a situation where the eavesdropping number received a second call during the first, and configured an appropriate redirection of the call, so even if the first number was unable to answer, a second, third and so on would do so.

Do you code in PLEX?

Let’s return for a moment to the AXE exchange. What do we know about the unauthorized software that was found in it? Let’s start with the fact that writing software for Ericsson exchange systems is no trivial task. It requires not only access to an identical exchange together with the entire testing environment, the costs of which are huge, but also knowledge of the PLEX computer language. As you can guess, the number of PLEX programmers is quite limited – this language is only used for programming the exchanges of this one manufacturer.

The program used to conduct the wiretaps had to fulfil many functions. First, it had to operate all the time, enabling both call forwarding and modifying its parameters in case of such a necessity. Secondly, it had to conceal the operations being carried out, in particular, prevent their recoring in the system logs. Thirdly, it had to be perfectly concealed from both Vodafone’s and Ericsson’s administrators. Fourthly, its installation could in no way interrupt the operations of the exchange. How were these goals achieved? Above all, the malware program perfectly utilized the mechanisms created by Ericsson for ensuring the continuity of the exchange’s operation.

AXE exchanges were designed in a way that allowed modification of the software without having to restart the whole installation. Their code was divided into separate blocks stored in a central processor memory. The 2004 software version used approximately 1,760 such blocks. Each block has a special area intended for amendments to the code. The operation of the code is modified by loading a new code into this special area and amending the appropriate countermand, so that the new code comes into force. The authors of the illegal software modified 29 blocks of the original software this way. In addition, they reserved part of the exchange’s memory, concealing it from other processes, and there they stored the list of numbers they intended to tap.

How did the malware work (source: Vassilis Prevelakis)
How did the malware work (source: Vassilis Prevelakis)

There’s nothing like a good rootkit

To conceal these modifications, the software worked like a traditional rootkit. Among other things modified was the command that displays a list of the exchange’s active processes so as to conceal malware’s threads. It could also be detected during a software upgrade – the standard procedure in such cases being to verify the checksum of each particular block. Probably this function was modified as well to conceal the presence of the unauthorized code. Of course, the software also included a clever backdoor that provides its authors easy access to the system later on. It was sufficient to enter any system command and end it with six spaces for the rootkit to deactivate the system logs and the associated alarms and also it had features for management of the illegal wiretaps. It was probably the first ever rootkit dedicated to a specific device.

When on January 24, 2005, the failed update of the spyware caused problems with delivering text messages on one of the infected exchanges, Ericsson specialists asked for periodical dumps of the installation’s memory to be made. Only when analyzing these outside the installation did they first encounter the list of intercepted numbers, and later on the compiled code, purpose of which was still unknown. Labour-intensive reconstruction of the software program, created in the PLEX language, indicated that it had approximately 6,500 lines of code and was undoubtedly the result of work by high-class professionals. Analysis of historical dumps of the telephone exchange’s memory made it possible to determine the course of events and compile a complete list of intercepted numbers.

Who wrote and installed it?

Who could create such a complex software program in such an exotic language? Curiously enough, it was in none other than Greece that for several years a large part of the Ericsson software was created. The Intracom Telecom Company handled its development. The malware program could have been created by its current or former employees.

How could this break-in have been achieved? Unfortunately, we don’t have any answer to that question – but we have two basic theories. One of these assumes participation of Ericsson personnel in installing the unauthorized software – supposedly only three employees of that company knew the password necessary to install amendments to the wiretapping module. The second theory suggests that there were (or still are) backdoors to the Ericsson telephone exchange, placed in the code for servicing purposes. On the web one can find information claiming that a backdoor existed in the demon telnetd code and that it was enough to set one of the environment variables to an appropriate value in order to obtain root privileges upon a connection attempt. Without a doubt, installation of the software must have been done by someone who had physical access to all four infected exchanges.

Incompetence on the part of the investigators or deliberate sabotage?

You are no doubtly thinking – why didn’t they check the logs? Well, the matter is not so simple, and the evidence in the case disappeared before anyone could examine it. The first major problem was the removal of illegal software from the exchange before notifying the law enforcement agencies, which made it practically impossible to trace the handsets used to receive the intercepted calls. This, however, was only the beginning of a slew of adverse circumstances.

In July 2005, during the investigation, Vodafone updated the software on the servers responsible for managing access to its telephone exchanges. This update erased their historical records and contrary to company policy, no backups were saved. Shortly afterwards, so-called guest books, containing the records of all those entering and exiting the buildings housing the exchanges were destroyed. These books were destroyed because their 6-month period of retention had expired. In turn, the transaction logs of the telephone exchanges, which could have provided more details concerning the burglary, were only kept for 5 days, due to lack of disk space. Thus virtually all the key evidence that could have led to identifying the perpetrators disappeared. Why was this destroyed by Vodafone? Why wasn’t this evidence previously made safe by the law enforcement agencies? Possible answers include both chance and clumsiness (law enforcement authorities had not previously dealt with such complex technical criminal offences), or else bad will. Unfortunately, despite investigations conducted by five different institutions, the perpetrators have failed to be identified.

Despite the actions of the deceased Vodafone network planning manager’s family (including the recent exhumation of his body) no link has been found between his alleged suicide and the events at Vodafone. The investigation itself in this case was conducted in a way that can hardly be described as reliable. In view of the lack of any signs of forced entry into the apartment where the body was found, no autopsy was carried out and no fingerprints were collected from the room in which it was found. Investigators even failed to take the rope on which Tsalikidis hung, which according to the family, was tied with a sailor’s knot that the deceased could not have tied himself.

The investigation itself was conducted in total secrecy. The public learned about the affair almost a year after its discovery. When at the end of January 2006 the Greek newspaper Ta Nea published materials from the investigation, a few days later the government held a press conference and informed the public about the wiretaps. Previously, the case had been kept in total secrecy, a fact that probably also made it difficult to carry out the investigation properly.

Theories about the perpetrators

Since no evidence could be found leading directly to identification of the perpetrators, let’s look at the evidence, and above all, who could have benefited from the crime.

The first candidate is the Intracom company, which not only created the AXE exchange’s code for Ericsson, but was also the main IT hardware supplier for OTE, the largest telecom operator in Greece. OTE’s majority shareholder is the Greek state, so Intracom may have been interested in monitoring the situation concerning contracts concluded back at the time of the previous government, which derived from the other side of the Greek political scene. The argument for for Intracom employees participation in the scandal is supported by the fact that one of the exchanges infected was located precisely on this company’s premises. Each potential perpetrator, in order to access the room housing the exchange, would therefore have to be registered in two guest books – firstly Intracom’s and then Vodafone’s. Vodafone’s guest books were destroyed, but Intracom’s records have been preserved, though no suspicious entries have been found for the day, when the malware was installed. This means that the installation could have been carried out by a company employee, who would not have had to enter himself in the register of guests.

Another likely culprit is the US secret services. This theory assumes that the US did not trust the Greeks and their capabilities to prevent terrorist attacks during the Olympics, which is why they preferred to keep an eye on things themselves. The USA had recently suffered the attacks of September 11, nor can we forget about the Palestinian terrorist attack during the 1972 Olympics in Munich. This theory would also explain the presence of Arab businessmen, and likewise the representatives of anti-globalization organizations and the Greek employee of the US Embassy on the list of intercepted calls. The list of intercepted calls also included an electrician, whose brother-in-law was involved in the murder in 1975 of Richard Welch, the CIA station chief in Athens. US secret services undoubtedly had at their command the technical abilities for an illegal wiretap project, and the locations of the handsets used in the operation indicated that area where the US embassy in Athens is situated.

A third theory involves the actions of Vodafone’s employees themselves. Its justification lies in the suicidal death of the Company’s engineer in the face of the scandal being revealed. However, there are no indications why Vodafone should want to eavesdrop on its own customers.

Who was the real culprit? As with many a spy affair, we will probably never know the answer. The long drawn out investigation by many agencies has not yielded any answer. Its only result has been three fines levied. The Greek equivalent of the Inspector General imposed a fine of EUR 76 million on Vodafone for intentional obstruction of justice, and a EUR 7.36 million fine for Ericsson, and in turn, the Greek equivalent of the Office of Electronic Communications fined Vodafone EUR 19 million.

In preparing this article, we primarily made use of the following sources:

Leave a Reply

Your email address will not be published. Required fields are marked *