Malicious Life, episode 16 - The Trojan Horse Affair

The early 2000s were an interesting time in Information Security. This is roughly the period when malware transitioned from viruses written by teenagers for fun, to cybercrime tools in the hands of sophisticated criminals. The story I’m about to tell--a true story, out of Israel--took place in that time frame - and was a kind of early warning for that transition. It is also a cautionary tale about power and temptation.

Hosted By

Ran Levi

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several high-tech companies in Israel.
In 2007, he created the popular Israeli podcast Making History, which had over 10 million downloads as of Aug. 2017.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

Episode transcript:

The Trojan Horse Affair

Hello, and welcome to Malicious Life. I’m Ran Levi.

This episode is a bit unique – different from most of our previous episodes – so let me set the stage for you. Last October I was invited to Boston to give a talk at an Information Security conference called Deep 2017. The topic I chose for the talk was a story that took place some 15 years ago in Israel – a story that I feel deserves to be made into a movie one day… It has all the ingredients of a box office hit: a thriller novelist who becomes a character in one of his own plots – check! Revenge and blind hatred – check! Former cops turned rogue – check! Industrial espionage in top tier businesses – check, check, double check…

As a side note, I had the honor – really, an amazing honor – to interview on stage at the same event none other than Steven Wozniak, the Woz. Sadly, I couldn’t tape this interview, but just so you know, Woz did write at least two computer viruses for the Apple II back in the day. When he understood the devastating potential of those programs, he says, he deleted them immediately and destroyed the source code… he’s an amazingly interesting guy.

Anyway, enjoy the episode.

Thank you for listening! Visit our website–Malicious-DOT-Life–to subscribe to our podcast, read full transcripts and download other episodes. If you’d like to leave me some feedback, suggest a future topic for the show or just say thanks – you can find me on Twitter at @ranlevi. If you like the show, leave us a 5-star review on iTunes, then visit our site–again, Malicious-DOT-Life–and we’ll send you a free t-shirt. Malicious Life is produced by P.I.Media. Thanks again to Cybereason for underwriting the production. Learn more at Cybereason.com. Bye bye.

Hi.

My name is Ran Levi. I’m an author, writing mostly about science & technology, and also the host of a podcast called Malicious.Life, about the history, present & future of Information Security.

Amnon Jackont is an Israeli author, whose books – thrillers, mostly – have become best sellers. Basically, he’s the Israeli John Grisham. He is also married to a psychologist named Varda, herself a very familiar radio personality to the Israeli public.

Around August 2004, Amnon noticed a strange phenomenon in his e-mail inbox: some new emails would disappear before he could read them, and others were marked as opened and read even when he himself had not opened them.

Amnon’s first guess was that there was some problem with his ISP, but a short while later the same thing happened in another mailbox he held on Tel Aviv University’s computers, and then in another on Hotmail. Amnon then understood that this was not a technical malfunction, since these were three unrelated email services. He began to suspect that someone had broken into his email accounts, and hurried to change his passwords. Fixing that, he hoped, would solve the problem.

A few days later, though, Amnon discovered that his mailboxes had been hacked again, and the anonymous hacker continued reading his mail. He changed his passwords once more but, of course, these too were hacked only two or three days later. Amnon contacted his ISP and the university’s IT department, but they could offer him no help. Having no choice, he decided to stop using these mailboxes.

In the same month, false and slanderous information about Amnon began appearing on various websites, such as Wikipedia: accusations that he dodged military service, or that he doesn’t pay his parking tickets. Amnon also noticed that some of his colleagues at Tel Aviv University were avoiding him. When he asked them what was wrong, he discovered to his horror that someone had sent an e-mail in his name to all faculty members in which he “admitted” that he had plagiarized a research paper. In some cases, these mysterious defamations were accompanied by personal documents taken from his personal computer.

The culmination of the smear campaign against Amnon was a focused attempt to hurt the sales of his new book, with many dozens of negative reviews on various websites, and plot spoilers as well. The negative campaign had a significant impact, with the novel selling only a few hundred copies – a rare failure for Amnon, whose books generally sold 20,000 copies or more.

But this is where the mysterious hacker made a critical mistake. When Amnon read the negative reviews, he noticed a nickname chosen by one of the respondents: “The doll Yemima.” This was very strange because it was also Amnon’s password for his private Hotmail mailbox. Coincidence? Amnon was convinced it was not. The phrase ‘The Doll Yemima’ was a private joke shared with his closest family and friends. Another reviewer called himself “The Twin Falafels”. This too was very familiar to Amnon – The Twin Falafels is a famous restaurant, and Amnon knew someone who lived not far from it. That someone also had an excellent reason to harass him.

Michael Haephrati was born in 1964. He is a very talented & skillful person: according to his blog, at the age of five he was already able to read and write in Hebrew and English, and later learned to play the piano and composed original music. In the army, he served in an elite unit, and when the first personal computers appeared in the 1980s, Michael developed software for composing music.

His wife, Ruth, also has an impressive resume. She graduated from high school at age 16 and was an officer in the military. Later she became an HR manager for a large high-tech company, where she met Michael. Although she didn’t have a formal college degree, Ruth describes herself as an avid autodidact and has accumulated impressive knowledge in various computer fields.

Michael was previously married to Amnon’s daughter. After the divorce, an ugly family feud developed over custody of the children. Amnon took an active part in the dispute and initiated legal proceedings that ultimately forced Michael and Ruth, his new wife, to flee Israel and move to Germany. In short, Michael and Ruth had a very good reason to hate Amnon.

Amnon and Varda approached Michael’s mother and asked her to warn the Haephrati couple to stop whatever it was that they were doing. When the attacks did not stop, they filed a formal complaint with the police. They had little hope for this course of action: the police officer who wrote up the complaint had no idea what they were talking about, or how someone could break into a computer remotely…

And then, in November 2004 – about three months after filing the complaint – Amnon found a CD in the mail. On the CD’s cover was written: “Following our conversation, see the manuscript attached. Alex.” Now, Amnon was indeed corresponding at the time with an aspiring author named Alex. And yet, something about the way the CD was sent to him, without any prior notification, raised suspicion. He returned to the police and handed them the CD.

That same evening, a police officer called him on the phone. “We found something on the disc,” he told the surprised author, “don’t open your computer … and do not talk to reporters.”

Let’s go back in time, to the late 1990s. Michael Haephrati was vice president of business development at an Israeli high-tech company when one day he had an interesting idea:

“Every once in a while I would walk among my employees, to see what everyone was doing … I thought that it would be nice to see on my computer screen … mini screens with screenshots of an employee’s computer. [This would allow me] to manage the employees remotely, even if they were working from home or abroad.”

This preliminary idea matured into software called TargetEye, which Michael developed from 2000 onwards. TargetEye was able to take screenshots, log keystrokes and even record external sounds via a computer’s microphone – all secretly and without the user’s knowledge. If he wanted to, the operator could completely take over the victim’s computer and run it as if he were sitting in front of it: move the mouse, open and close files, etc. TargetEye may not have been the very first monitoring software, but it was perhaps one of the most advanced.

Michael tried to sell the software to many governmental and security organizations, such as the police, the Mossad – Israel’s secret service – the Israeli IRS and others. But as we all know, bureaucratic organizations like these tend to move rather slowly, and the sales negotiations for TargetEye moved at a snail’s pace. So in the meantime, Michael and Ruth offered the software to private investigators. The investigators were quick to understand its potential in a very lucrative field of their work: industrial espionage.

There was, however, the “small” problem of installing the monitoring software on the computer of the person being spied on. For that purpose, Michael and Ruth modified TargetEye to disguise it as some other legitimate software. This action turned TargetEye from a legitimate monitoring tool into a Trojan Horse malware.

While Michael was in charge of the software’s development, Ruth was in direct contact with private investigators and handled their demands. The private investigators would give Ruth details on the subject of their investigations, and which computers should be infiltrated – for example, a personal computer in the victim’s house or office – and Ruth would modify the software according to their needs. She then helped sneak the malware into the victim’s computer by, for example, masking it as an attachment in an email sent from a well-known friend, or in a CD containing a restaurant’s delivery menus. Often she sent the e-mails with the infected files herself, or pretended to be a customer on the phone to make sure that a disk sent by regular mail or by courier had indeed reached its destination.

When TargetEye was successfully installed on the target computer it began sending the information it obtained over the Internet to several servers. When police detectives analyzed the contents of the CD that Amnon brought in, they followed the route of the information sent by the malware and reached the servers where the stolen information was stored. The policemen expected to find only documents and screenshots from Amnon’s computer, but what they discovered on those servers shook a whole country.

On the servers, the police found sensitive documents from some of the most prominent and well-known companies in the Israeli market, in many and diverse business sectors: think of the Verizons, HBOs and Hersheys of Israel. This was not a minor business espionage affair among a few marginal companies. Almost all the businesses involved were the market leaders in their fields: established and respected companies that were not likely to be involved in such blatant criminal offenses. The discovery shook many in Israel because it exposed some very crooked business norms, especially among its main players.

For six months the police conducted a covert investigation. Michael and Ruth were also placed under surveillance in Germany.

On May 25th, 2005, the investigation became public. The Haephrati couple were arrested in London and a few months later were extradited to Israel. Police raided the homes and offices of all the private investigators involved. Senior business executives and CEOs of large companies were arrested or investigated in connection with the espionage affair.

For many days reports on the matter filled the headlines throughout Israeli media, and opened every newscast on television and on the radio. ‘Earthquake’ was a common expression used by journalists covering it. The public was exposed for the first time to the brave new world of Trojan horses, spyware and other malicious software.

The Trojan Horse Affair raises a serious question that requires an answer. None of those involved in the Trojan horse affair were ‘criminals’ in the conventional sense of the word. Michael and Ruth Haephrati were well-educated people with successful careers in the high-tech industry. Many of the private investigators who purchased TargetEye were former senior police officers, who certainly knew very well that spying and information theft are clear criminal offenses. The CEOs and executives who ordered the espionage were clearly driven and motivated businessmen, but far from “Mafia bosses”. How, then, did all these good and talented people get involved in such an ugly affair?

One possible answer is that power corrupts. The beginning of the 21st century is when malware transformed from a toy into a tool, with significant practical and economic potential. If in the past one had to break into a rival company’s office to steal classified documents, TargetEye now let you do it conveniently from your desktop computer, and the information it brought was much more voluminous and useful. This newfound power dazzled its clients, seduced them, and sent them down a slippery slope to delinquency.

And the statement ‘power corrupts’ is doubly correct for Michael and Ruth Haephrati. TargetEye gave the couple enormous power: the ability to spy on the activities of others remotely, from a different country, and (almost) without risk. This power, coupled with significant financial benefit, enticed them to cooperate with private investigators in what was clearly a violation of the law. Most of all, it is their use of TargetEye as part of their revenge campaign against Amnon Jackont that attests to their craving for power.

Another possible explanation for why Michael, Ruth and the private detectives allowed themselves to get mixed up in such illegal activities is that, somehow, committing a cyber crime feels different from committing a similar crime in the real world. Most of the people involved probably wouldn’t have dreamt of breaking into someone’s house – but breaking into someone’s computer from afar seemed, for some reason, to be a different matter. The Trojan Horse Affair seems to me a lesson in how limited the human mind is in making sense of matters of cyber security.

Michael Haephrati was sentenced to two years in prison. Ruth, his wife, who played a more active role in working with private investigators, was sentenced to four years. The private investigators also received heavy sentences: imprisonment for periods of six months to three years, heavy fines, and the revocation of their licenses. The only ones who escaped the wrath of the law were the businessmen who ordered the espionage–the prosecution found it difficult to prove that they were aware of the criminal offenses committed on their behalf.

The Trojan Horse Affair was an early example of the power of malicious software, and perhaps a warning sign for the central role that these programs were about to have in the world of crime. It is also an example of the corrupting power these powerful tools have: to drive ordinary, law-abiding people, who would never dream of breaking into an apartment to rob someone, into committing real, equivalent crimes in the virtual world. This is the blessing, and the curse, of this brave new cyberworld.