IEEE Spectrum July, 2007 - 20

an inside Job?

By Steven Cherry
& Harry Goldstein

No mystery novel is complete without
the reader finding out "who done it," but
real life is usually messier than fiction. In
the Athens affair, we can only speculate
about who may have been behind the most
spectacular cell-system penetration ever.
The hackers' facility with the esoteric
art of programming the Ericsson AXE
central-office switch convinced some that
the criminals were either employees of
Vodafone Greece or of Intracom Telecom.
Intracom has aroused suspicion
because it provided key software to
Ericsson and because the Greek company
is a major telecommunications equipment
supplier to Greece's dominant carrier, OTE
Group. Given that the majority of OTE's
shares are owned by the Greek state, a
business having large dealings with OTE
would have had a strong incentive to tap
the phones of the ruling party in order
to check on whether any of the deals it
or OTE had set up under the previous
government were in danger of being
derailed. Under this theory, phone taps for
Arabs and members of antiauthoritarian
groups were installed to send investigators
on a wild goose chase.
But what really raised eyebrows was
the fact that one of the hacked Vodafone
exchanges was located on the campus
of the main Intracom facility. Anyone
wishing to enter that particular Vodafone
facility would have had to go through the
Intracom gates, meaning that visitors to
the Vodafone exchange would have been

The investigators ran the modules in
simulated environments to better under-
stand their behavior. The result of all this
investigative effort was the discovery of
the data areas holding the tapped numbers
and the time stamps of recent intercepts.
With this information on hand, the
investigators could go back and look at ear-
lier dumps to establish the time interval
during which the wiretaps were in effect
and to get the full list of intercepted num-
bers and call data for the tapped conver-
sations-who called whom, when, and for
how long. (The actual conversations were
not stored in the logs.)
While the hack was complex, the taps
themselves were straightforward. When
the prime minister, for example, initiated
or received a call on his cellphone, the
exchange would establish the same kind

IEEE Spectrum | July 2007 | NA

logged twice. Unfortunately, the visitor
records for the exchange were destroyed
by Vodafone in accord with routine procedures, despite the extraordinary circumstances. So investigators had only the
Intracom visitor records, which would not
record any visits to the Vodafone exchange
by Intracom personnel.
The leading cause for suspecting the
employees of Vodafone Greece is the
suicide of its head of network planning,
Costas Tsalikidis. yet the deceased's family questions whether it was a suicide at
all. The family's attorney, Themistokles
Sofos, has stated, "I am certain that Costas
Tsalikidis did not commit suicide, and that
makes me believe he probably gained
knowledge of the phone tapping through
his diligence with all matters professional."
Thus, speculation is divided between theories that say Tsalikidis committed suicide
because his involvement was about to
be discovered and those that argue that
Tsalikidis was murdered because he had
discovered, or was about to discover, who
the perpetrators were.
Another popular theory posits that the
U.S. National Security Agency, Central
Intelligence Agency, or some other U.S. spy
agency did it. The location of the monitored
phones correlates nicely with apartments
and other property under the control of the
U.S. Embassy in Athens.
Under this theory, phone taps of Arabs
and members of antiauthoritarian groups
were installed because of fears of a terrorist attack on the Athens Olympics. It is
widely believed that these U.S. agencies,
particularly the NSA, have all the necessary tools and expertise for mounting such
an attack.
n

of connection used in a lawful wiretap-
a connection to a shadow number allow-
ing it to listen in on the conversation.
Creating the rogue software so that it
would remain undetected required a lot of
expertise in writing AXE code, an esoteric
competency that isn't readily available in
most places. But as it happens, for the past
15 years, a considerable part of Ericsson's
software development for the AXE has
been done under contract by a Greek com-
pany based in Athens, Intracom Telecom,
part of Intracom Holdings. The necessary
know-how was available locally and was
spread over a large number of present and
past Intracom developers. So could this
have been an inside job?
The early stages of the infiltration would
have been much easier to pull off with the
assistance of someone inside Vodafone,

but there is no conclusive evidence to
support that scenario. The infiltration
could have been carried out remotely and,
indeed, according to a state report, in the
case of the failed text messages where the
exact time of the event is known, the last
person to access the exchange had been
issued a visitor's badge.
Similarly, we may never know whether
Tsalikidis had anything to do with the
wiretaps. Many observers have found
the timing of his death highly suggestive,
but to this day no connection has been
uncovered. Nor can observers do more
than speculate as to the motives of the
infiltrators. [See the sidebar, "An Inside
Job?" for a summary of the leading specu-
lation; we can neither endorse nor refute
the theories presented.]
Just as we cannot now know for certain
who was behind the Athens affair or what
their motives were, we can only specu-
late about various approaches that the
intruders may have followed to carry out
their attack. That's because key material
has been lost or was never collected. For
instance, in July 2005, while the investiga-
tion was taking place, Vodafone upgraded
two of the three servers used for accessing
the exchange management system. This
upgrade wiped out the access logs and,
contrary to company policy, no backups
were retained. Some time later a six-month
retention period for visitor sign-in books
lapsed, and Vodafone destroyed the books
corresponding to the period where the
rogue software was modified, triggering
the text-message errors.
Traces of the rogue software installation
might have been recorded on the exchange's
transaction logs. However, due to a paucity
of storage space in the exchange's man-
agement systems, the logs were retained
for only five days, because Vodafone
considers billing data, which competes
for the same space, a lot more important.
Most crucially, Vodafone's deactivation of
the rogue software on 7 March 2005 almost
certainly alerted the conspirators, giving
them a chance to switch off the shadow
phones. As a result investigators missed
the opportunity of triangulating the loca-
tion of the shadow phones and catching the
perpetrators in the act.

so whaT can This affair teach us about
how to protect phone networks?
Once the infiltration was discov-
ered, Vodafone had to balance the need
for the continued operation of the net-
work with the discovery and prosecution
of the guilty parties. Unfortunately, the
responses of Vodafone and that of Greek
www.spectrum.ieee.org

http://www.spectrum.ieee.org

Table of Contents for the Digital Edition of IEEE Spectrum July, 2007