True Faith and Allegiance

47

By eight Jack was already sitting in the conference room holding his third cup of coffee of the morning and leaning over a computer, his workspace all but covered with handwritten notes, printed sheets, and books, and his one laptop had turned into three.

Jack had been spending night and day studying the attacks in America, one by one, trying to find out how his unknown adversary put all the pieces of the puzzles together from the Office of Personnel Management records and open-source intelligence.

For Jack it had become nothing less than an obsession. At the office all day with Gavin sitting across from him, then home, a beer on his coffee table as he sat on the floor with his laptop in front of him. He dug through books on OSINT methods, marveling at what was out there, lamenting the fact most average people couldn’t imagine how much of their lives was available to anyone who wanted to investigate.

For many of the recent attacks he’d had to look no further than the business networking website LinkedIn to determine how the identity intelligence expert working on behalf of the Islamic State had been able to connect the OPM data to current intelligence community employees. Their names and often their pictures were listed, along with their education and work history, identifying themselves as workers in the intelligence field at CENTCOM or Fort Bragg or for public and private organizations in the D.C. area. So far three of the victims and one more intended victim had a profile that made it obvious they were involved with human intelligence and targeting operations in the Middle East, and Jack had no doubt in his mind several of America’s best and brightest minds in this field were now dead because of their decision to network on LinkedIn.

With a little more work, Jack could see how even clandestine employees of the government, most of whom had no online identities to speak of, were still vulnerable via family and friends letting information slip.

Gavin entered with his own cup of coffee, gave Ryan a nod, and then took his regular seat at the conference table.

As soon as he sat he said, “I’ve come bearing gifts.”

Jack didn’t even look his way. “You don’t eat donuts anymore, so I doubt that there’s anything you have that I’m interested—”

Jack stopped abruptly. He looked up now. “You talked to your friend at NSA. The guy with the back door to Reddit?”

Gavin corrected him. “I didn’t say he was a friend, and I didn’t say he had a back door. But I did get into the private message sent by the user you mentioned.”

Ryan snatched a pen off the table and scrambled to find a blank page in a notebook nearly filled with scrawl.

Gavin looked at his computer. “5Megachopper5’s message reads as follows: ‘I’ve been following your story, my friend, and I think I can help. If you truly want to do that which you claim, I will provide you with all the information you need to make it happen. I am prepared to prove myself to you, and I want nothing in return other than to see that justice is done for Stepan’s life.’”

Jack just said, “Wow.”

“He provides an address that can only be accessed by TOR for Rechkov to use to communicate if he is interested. It’s a dead link now. And then, the day he sent the PM, the guy we are after shut his Reddit identity down. I assume that means Rechkov did make contact with him.”

“So… we’re screwed,” Jack said. “Right back where we started.”

“Not at all,” replied Gavin. “I’ve been going through the contents of Rechkov’s hard drive, just like a dozen other forensics investigators, but unlike them, I am the only one who knows about the URL, and the date of the communication on Reddit. All this information was logged on his hard drive by the date. Remember, Rechkov was a fledgling computer scientist himself, so he has tens of thousands of pages of code saved as text files, all part of his studies, and it’s kept haphazardly all over his drive. But it occurred to me Rechkov might have tried to get some info on this person communicating with him, at least just to make sure it wasn’t the U.S. government trying to catch him in a sting. I found a few pages of code in a txt format saved on Evernote, a note-taking app, that he’d put there in the days after the Reddit communication, so I went through it, line by line, late last night.”

Gavin waited to be prompted by Jack.

“And?”

“And Rechkov left a clue as to who he was communicating with. In the code was the creator’s username, Polygeist999.”

Jack just said, “You lost me.”

“Rechkov determined this username was affiliated with the person who set up the dark website.”

“I thought 5Megachopper5 did that.”

“Nah, that’s a throwaway name he used on Reddit. Polygeist999 is another name he used.”

Jack scratched his head. “So… Rechkov figured out he was talking to someone online associated with another username. How?”

“Maybe something this guy sent him, or by hacking into a service this guy revealed he was a member of. No way to know, but it’s nice that that asshole Rechkov left us a clue.”

“How is that a clue?”

Gavin said, “I used link analysis on Polygeist999, to see if it, or a version close to it, shows up in other places online. It’s been used hundreds of times in different permutations. ‘Padding,’ it’s called. It could be 1Polygeist999, or Polygeist9991 or he might throw an ampersand in there or something else. Computer people often use variations, depending on what they are working on, and they are different enough that it takes high-level link analysis to figure out that all the different permutations are one and the same person. I went to my friend at the NSA, you know, the one who doesn’t exist, and had him run some reports for me. The Polygeist username first showed up in March of last year on an apartment service in Romania. After that it was everywhere, different types of computer and technical sites, coding, hacking, illegal downloads, et cetera.”

Jack said, “Romania?”

“Yes,” Gavin confirmed. “And the link analysis gives us other usernames that show up multiple times along with Polygeist. Dozens and dozens of uses of this name and others linked to it, all tied to e-mails, computer code, domain registrations, et cetera.”

Together Jack and Gavin began entering the different names into search engines and databases to try to find something that would stick out. Their target inhabited dozens of different online personas, and he was all over different sites, many having to do with obtaining open-source intelligence. But they needed more. They needed to link him to a real identity. Moreover, they were looking to find some way this character had some relationship with the jihadists, a relationship with the intelligence community of any nation in the world, or something that would show them that this person who contacted Rechkov with intel from the Office of Personnel Management and a plan to kill a Navy commander had some motive for doing so.

As they came up with new information, they put it in their shared link-analysis database. This led to more names, all associated with the initial username Polygeist999 and its permutations.

It was slow, arduous, and complicated work, but less than an hour and a half into it, Gavin called across the table. “Are you seeing what I’m seeing?”

“That no matter what you do, you can’t trace back any of these usernames before March of last year?”

“Yeah. It’s like he was born that month. I wonder why he just started in March and exploded like he had been doing this sort of thing his whole life.”

Jack looked up slowly from the computer. “It began with him joining an apartment-hunting website in Romania, right?”

“Yes. Maybe he was trying to hack into it, or he was researching someone who lived in Romania and did business on the website. Maybe he could have been looking up a floor plan of one of his intended identity theft victims. We don’t know.”

Jack said, “I interpret that information more literally. I think he needed a place to stay, so he joined the site.”

Gavin hadn’t even considered the fact there might be a straightforward and benign reason for the person’s actions. He said, “Why do you think he needed a place to stay? You think he’s actually Romanian?”

Jack said, “Yes, and he needed an apartment, because he just got out of prison.”

“Prison? Where the hell are you getting this?”

“There is no online activity for any accounts, usernames, e-mails, et cetera, et cetera, that take place before March nineteenth of last year. What if he’d been locked up, without computer access? You know a guy like this doesn’t just appear out of nowhere online. His skills take years and years to develop, but the link analysis with websites and usernames just begins, as if the man is a fully formed computer and OSINT expert on day one. We have enough data here to cast a wide net, and we aren’t finding anything from more than sixteen months ago.”

“It is a possibility,” Gavin allowed.

“Do we have a way to look into Romanian prison records?”

“With some work I can do that, but we don’t know when he got out exactly, and it would still be a needle in a haystack.”

Jack said, “Yeah, but it’s a smaller haystack than we had yesterday.”

Gavin chuckled. “You’re right about that. I’ll get to work on the Romanian government networks and swim downstream into the prison records. It’s going to take me a couple of hours.”

In the end, it took less than four minutes before Gavin shouted in the conference room, startling Jack. “I’ve got him!”

“You found Polygeist? How the hell did you do that so fast?”

“Because I didn’t have to hack into the Romanian network. Instead, I just ran a search of U.S. government DoJ records of Interpol convictions. I got a list of cases the DoJ was involved with in Romania. There are a hundred thirty-eight of them, but only seventy-one led to conviction. Of those, only twenty-eight have been released. Of those released, only twenty-one were released on or before March nineteenth of last year.”

Jack was impressed, but he was about to be a lot more impressed. “Message me those names and I’ll start to—”

Gavin kept talking. “Of those twenty-one released on or before March nineteenth, exactly one of them was released on March nineteenth.”

Jack stood from his chair. “You’ve got a Romanian cybercrime personality released on the day the Polygeist entities started cropping up around the Web?”

“I do indeed. The prisoner’s name is Alexandru Dalca. He was held in Jilava Prison for a term of five years, ten months, and sixteen days. Before he went in he had his own online cyberfraud network, bilked customers out of millions.”

Gavin read a portion of the complaint from the U.S. Department of Justice. “He was an expert in social engineering passwords. A confidence man.”

Jack slowly sat back down behind his laptop. “That doesn’t explain how he got so good at compromising these targets with open-source intel.”

Gavin shrugged. “Prison, Jack. You can learn all sorts of bad stuff in prison, because that is where all the bad people are.”

“Not all the bad people, Gav. We run into a shitload of them out here on the outside.”

“Okay. You got me there.”

“What’s he doing now?” Jack asked.

“Beats me.”

Jack typed his name in a Romanian search engine. Seconds later he said, “I’ll be damned. He works at a company in Bucharest called Advanced Research Technological Designs.”

Gavin was typing now, looking the company up in a database he kept on computer hackers. Even before he finished inputting the name he said, “Wait, I know those guys. Son of a bitch!”

“Who are they?”

“They are damn good hackers, but that’s just the start of it.” Now he looked at results in his database, reading through details of the company. “Yeah… they started out selling prescription pain pills online for a while, then they branched out into online fraud. They got bigger and bigger, attracted a deeper bench of hacker talent because their social engineers had gotten so damn good at getting passwords and admin access to websites.”

“How do you know about them?”

“They’ve done some sweet social media scams to get information on bankers, mostly in Europe, but it made the news.”

Jack cocked his head. He’d never heard of this. “What news?”

Gavin looked up from his monitor. “News in my world, Ryan. Not on Entertainment Tonight or whatever you watch when you leave here.”

Jack just closed his eyes for a moment and let Gavin’s snarky comment roll off his back.

“Yeah,” Gavin said as he read some more about ARTD. “I remember now, three or four years ago at the Black Hat conference. It’s a get-together of all the world’s hackers.”

“I know what the Black Hat conference is. Must have been on ET.”

“Right. Anyway, a guy did a presentation on a hack this company in Romania carried out on the largest cell-phone provider in Holland. Ripped personal ID info from hundreds of thousands. They could never pin it on ARTD but one of their former employees claimed their hackers pulled it off.”

Jack said, “Are they good enough to do this thing at OPM?”

“Talent-wise, I don’t think so. Plus, they’ve never gone after government networks like this in the past. Still… this Dalca guy clearly works for them, and he clearly communicated with Vadim Rechkov, passing the intel about Hagen.”

Jack launched to his feet. “Good enough for me. See ya.”

“Wait! Where are you going?”

“I’m going to Romania.” He turned and rushed out of the conference room, racing toward the elevators.

Gavin Biery moved slower, but he did move. “Not without me you aren’t!”