Back in 2004, when the Olympic Games were held in Athens, Vodafone needed to upgrade their entire network to be able to withstand a rush of additional mobile network users. They installed a lot of new cell towers and network equipment for the tens of thousands of people coming to Athens.
Ericsson, their provider of network equipment, supplied them with the necessary products for creating and maintaining a network as large as Vodafone Greece's.
Around 5 months after the Olympic Games finished, the Vodafone mobile network suddenly struggled with sending SMS messages. Vodafone did not know why SMS messages were often not sent and struggled to find the root of the problem. Hence, they asked their supplier Ericsson, which has over 100 years of experience with communication services and telephones, what the issue was and whether they could fix it. After initial research, Ericsson discovered a weird file in the middle of all the other system-necessary files, which was not supposed to be there. To be exact, it was a file which should not even exist. It was a text file containing 106 telephone numbers of government officials.
After digging further into the file system, they found another file, which came from neither Ericsson nor Vodafone. The file they found was an executable file written in the PLEX language, but it was encoded into machine language. Ericsson took both files to their headquarters in Sweden for further analysis.
After 5 weeks of hard work converting the file back to its original state (it was encoded into machine language and was hard to reverse-engineer), they found out what the file was doing.
It took all 106 phone numbers from that other document, and wiretapped them.
In case you do not know what wiretapping means, it essentially means that your telecommunications service provider can, with government authorization, record calls and the metadata of calls for lawful reasons.
That covers both the caller and the called person, the spoken words, the duration of the call, and the time and date of the call. In some cases it even includes the approximate locations of both wiretapped people.
Vodafone panicked. They did not know what to do, as something like this had never happened to them. To make matters even worse, at that time wiretapping was generally forbidden, and the government did not allow it at all. It did not even force companies to do it, because the required laws to do so did not exist yet.
So Vodafone had a few issues creeping up on them. They had been breached without knowing by whom; 106 government officials, including the prime minister and his wife, had been wiretapped for at least 9 months; and wiretapping was not even allowed, so Vodafone had software which they did not own the rights to possess in the first place, and indirectly, they had even used it!
Vodafone decided to keep this information secret for some time, until they figured out how the file got there. They checked ALL the different logs and even checked the processes running in the background of their servers. But nothing. First and foremost, the logs did not show any indication of a breach or of successful login attempts from non-internal IP addresses.
Next, the process explorer did not show the program running, which is another reason why it was only found 9 months after it had been installed. The program used various techniques to hide itself from being detected as a running process and even edited the error logs so that they would not show it.
This means that the person or group of people who installed this program knew how to sneak around Vodafone's security measures.
Their backup server, which instantly saves every log from every server they have and which cannot be accessed without physical access to it, unfortunately did not show anything useful either, as someone had set the log retention period to only 5 days.
Coincidentally, about a week after Vodafone found out about the files, a Vodafone technician seemingly committed suicide. His family came home to find him hanging from the ceiling in their bathroom, with his neck bound in a rope.
The family instantly called the police and asked them to investigate, because they could not believe he had hanged himself.
According to the family members, he had no reason to kill himself, as he was engaged and getting married in 3 months, had a great job he loved, earned a lot of money and owned his own house. Furthermore, he never seemed sad or depressed. Quite the opposite, actually.
When the police arrived to start the investigation, they quickly concluded it was suicide and stopped searching for hints that this could have been a murder instead. No fingerprint searches were done, nor any other forensic analyses of the bathroom.
The family hired 4 experts to take a look at his house and tell them what he was working on before he killed himself. After gathering all the necessary information, the experts concluded that he was, according to his notes, not aware of the hack, and that he was not aware of any major issues within the company either.
Clearly, this “suicide” seems unrelated to the story, but I will come back to it later.
Remember when I said that Vodafone asked Ericsson to take a look at their systems because SMS messages sometimes were not sent? It turned out that this program was the reason behind it. But why did it start blocking the SMS messages of a lot of random customers after 9 months, and not before?
The program had a built-in backdoor which allowed the hacker (or hacker group) to access the logs of the program, even if they lost their main way to enter the system. Furthermore, they installed an update process, which enabled them to update the program through an external server. After they updated the program about 8 months after initially installing it, a coding error in the program, which abused Vodafone's software to wiretap calls, caused some sent SMS messages to be randomly rejected.
About 2 weeks after Vodafone found out about it, they finally decided to take action on it… but they decided wrongly.
Their decision was: delete all files related to the program and the program itself. What a mistake. This instantly told the hacker (or hacker group) that their file had been found and that an investigation might be on its way, potentially giving them enough time to prepare an escape plan to other countries.
One week after the deletion, Vodafone decided to urgently contact the prime minister and ask him for an equally urgent meeting. The CEO of Vodafone Greece told the prime minister everything.
But the prime minister also decided not to take immediate action.
What he did instead was to initiate a secret investigation.
A team of skilled police technicians investigated the case, but also came to the conclusion that all the logs were useless. Unfortunately for Vodafone, they noticed two things: Vodafone's possession of software they should not have had (even though THEY did not use it), and the fact that they only kept unchangeable logs for 5 days. This would have consequences for Vodafone, which I will come back to later on.
A month later, the prime minister held a press conference, announcing the breach at Vodafone and urging all affected government workers to change their phone numbers. State secrets, plans, new laws or simply spying could have been the result of this huge hack, which shocked the government officials. Some of them were not even informed when the Greek prime minister first received the information. They only found out about it when he held a conference about it, which was also a small scandal.
The press asked the minister whether this could possibly have been an attack from other countries, but he could not answer, because the original program file was gone. The police could have traced the IP over which new program updates were transmitted, to possibly find out which country this hack was coming from, but Vodafone wanted to delete the program as quickly as possible, destroying any evidence they had.
Later, Vodafone was sued twice, for a total of 59 million euros, while Ericsson also faced a lawsuit over 6 million.
The amount for Vodafone was far higher because they decided to delete the file before an investigation could be done, because they kept logs for only 5 days and because they possessed software they should not have had.
But Vodafone also lost a lot of trust among their customers. Customers had every right to switch to another provider, because a lot of them thought that their data was not safe at their current provider. A huge public backlash was the result of all of this.
Meanwhile, the family fought in court for a proper inspection of the worker's dead body. There, the inspectors concluded, once again, that a murder was impossible, as there were no wounds and all of his bones were intact. A sign of murder would be if a specific bone in his neck had broken. This would be a sign of him having been strangled. But the bone was perfectly intact, according to the police.
A few years went by… the family still was not happy with the work of the Greek police and went to the European Court of Human Rights. The court then initiated another inspection. His coffin was exhumed and the corpse was inspected once more. This time, a group of independent experts concluded that the bone in the neck, which breaks if someone gets strangled to death, was indeed broken.
This conclusion started another mini-investigation, with no result. So many years had passed that any evidence was completely gone. Furthermore, it cannot be said for sure whether the bone only broke more recently, when the corpse was put into the coffin.
A few years later, something similar happened in Italy.
A Telecom Italia worker allegedly jumped from a bridge, shortly before a similar hack at Telecom Italia became public. But again: it is not certain whether this was suicide or murder.