The Greek wiretapping case of 2004-2005 (the Athens Affair) is a tragic tale from not so long ago, and a rare opportunity to get a glimpse of one of the most elusive cyber crimes.
Starting off quite sensationally, the story gets more serious from a tragic, technical, governmental, and managerial perspective.
On 9 March 2005, a 38-year-old electrical engineer for Vodafone named Kostas Tsalikidis was found hanged in his Athens loft apartment; at first look it seemed an apparent suicide.
“It’s not easy to talk about such a loss,” says his sister-in-law, Eleni, her eyes brimming with tears. “We still feel kind of guilty for being unable – through no fault of our own – to get answers. I’d like to believe that there are people who will choose to talk one day.”
On March 9, 2005, Kostas’ brother, Panagiotis, dropped by his brother’s apartment to have coffee before a business meeting scheduled for that morning.
As he entered the building, he found his mother running up and down the hall yelling for help.
“Cut him down!” she was saying. “Cut him down!”
Panagiotis rushed inside his brother’s apartment and saw Kostas hanging from a rope tied to the radiator pipes over his bathroom door, and an old wooden chair nearby.
Both in shock, he and his mother cut the rope and laid Kostas down on the bed.
The lifeless body of her son had been hanging in front of the bathroom door.
Kostas, who was always consistent in his work, had not yet left the apartment that day, and his mother called him on the phone, thinking that he was still asleep.
His father, George, a building contractor, suffered from a disability in one leg that made it difficult for him to move, so he lived near his son, on the same floor but in a different apartment.
His mother had her own key, and entered to wake Kostas.
It made no sense: he was engaged and due to be married in just 3 months.
His brother Panayiotis says today: “He had met the woman of his life and they were planning to get married really soon. And for that reason, they were looking to get a house and they had already started buying things that they could use in their new household. Kostas was happy and optimistic and things had been working out really good for him.”
“I immediately called my wife and asked her to bring a high-definition camera so I could take some pictures on the spot, because I didn’t believe it was a suicide,” said Panayiotis.
“I thought there was no reason to commit suicide,” although he acknowledged Kostas had been under more pressure than usual.
“In the last year of his life, he was working very hard because Greece hosted the Olympic Games of 2004,” he said, “and that meant a lot of hours at work and a lot of planning to beef up the networks.”
Things suddenly began to change.
Kostas told his brother he wanted to quit.
“He wrote his resignation to the company, but it wasn’t accepted.”
Given the massive number of journalists and tourists who were planning to attend the events, all wanting to communicate, Kostas’ workload increased enormously in the months before the Games began.
Kostas Tsalikidis worked at Vodafone for 11 years and in 2001 was promoted to Network Manager.
From the beginning of his career, he was responsible for planning the architecture of Vodafone’s GSM, GPRS and UMTS networks.
Eventually, the technical infrastructure created by the Athens Olympics Organizing Committee for staff and media involved more than 11,000 computers, 23,000 fixed-line telephone devices, and 9,000 mobile phones.
The first clue leading to the discovery of this affair was found on January 24, 2005. One of the exchanges, handling customer communications traffic in the Vodafone mobile phone network, generated a series of messages concerning errors, indicating that text messages from another operator had not been properly sent to customers.
Unable to diagnose the cause of the error themselves, Vodafone technicians forwarded a dump of the exchange’s software to the company that had produced it, namely Ericsson.
By February 2005, Kostas Tsalikidis allegedly handed in his resignation, but his employers persuaded him not to leave.
A few weeks later, on March 4, 2005, Ericsson sent them an amazing message – unauthorized software had been installed in the exchange and it was this that had caused the errors.
“He wanted to get out.” And he sent a text to his fiancée, Sara Galanopoulou, saying he had to leave his job, adding that it was a “matter of life and death.”
But the Olympics ended more than six months before Kostas’ death, so investigators thought there had to be another reason.
On March 9, 2005, he was found dead in his apartment. His death coincided with the disclosure of the greatest phone hacking scandal in Greece and, it seemed, in Europe.
The day before his death, investigators had found rogue software installed on the Vodafone Greece phone network by parties unknown.
It targeted the conversations of more than 100 specific, highly placed government and military officials, including then Prime Minister Kostas Karamanlis, the mayor of Athens and members of the Ministerial Cabinet, all of whom were vulnerable parties in the wiretapping.
The question was, who did it?
Prime Minister Kostas Karamanlis and the country’s political and military elite were among a considerable number of people whose mobile phones were tapped for months around the time of the 2004 Athens Olympics.
The list included Prime Minister Kostas Karamanlis’ family members, most phones of the top officers at the Ministry of Defense, the Ministry of Foreign Affairs, the Ministry for Public Order, members of the ruling party, ranking members of the opposition Panhellenic Socialist Movement party (PASOK), the Hellenic Navy General Staff, the previous Minister of Defense, the Greek EU Commissioner, and one phone of a locally hired Greek American employee of the American Embassy. Phones of Athens-based Arab businessmen were also tapped.
Software installed without authorisation allowed calls to and from a considerable number of mobile phones to be recorded from June 2004 until March 2005.
It stopped when Vodafone discovered the incident and reported it to authorities, Reuters reported at the time.
Who was behind the wiretap was unclear at the time.
Some extraordinarily knowledgeable people either penetrated the network from outside or subverted it from within, aided by an agent or mole.
In either case, the software at the heart of the phone system, investigators later discovered, was reprogrammed with a finesse and sophistication rarely seen before or since.
Vodafone Greece was the country’s largest cellular service provider, and Tsalikidis was in charge of network planning.
A connection seemed obvious.
The illegal software had been deleted from Vodafone’s systems one day before Tsalikidis’ death.
On March 8th, 2005, that very same day, Tsalikidis had moreover been informed about the phone tapping case at a Vodafone managerial meeting, of which no minutes were kept.
As newspapers then reported, about a month before his death Tsalikidis had also mentioned to one of his colleagues that he needed to leave Vodafone because it was “a matter of life and death.”
A few weeks before March 9th, he said to the same colleague that “Vodafone was in danger of shutting down completely.”
At a February 2006 press conference, three government ministers, Theodore Rousopoulos, George Voulgarakis, and Anastasios Papaligouras, speaking with all the formalities, notified the public of the phone tapping scandal, a “serious matter of national security”. The reason for this “suicide” was the espionage scandal, of which the then prime minister, Kostas Karamanlis, had been informed eleven months before, on 10 March 2005, the day after Tsalikidis’ death, when the president and chief Vodafone consultant George Koronias had met with the director of his office, Yiannis Angelou.
Two days earlier, that is, a day before Tsalikidis’ death, the intrusive illegal software that enabled the eavesdropping and had been planted in the Vodafone centers had been removed.
George Voulgarakis, with sleeves rolled up, explained the first details of the malicious program code found in many Vodafone digital centers, making drawings with a blue marker on a whiteboard.
There is certainly no definitive list of those who were monitored, but the names that have been seen extend from Kostas Karamanlis, George Papandreou and Petros Molyviatis to members of civil movements, terrorism-related people, journalists, trade unionists and Arabs.
It has not been ascertained how much Kostas Tsalikidis might have known about the spying operation:
whether he knew all the details, even who the guilty parties were, or whether he knew only of the existence of the intruding software.
While it was not officially ruled out that he could be totally ignorant, the fact is that as a network designer, he had access to all areas of Vodafone’s call centers.
In addition, he had the technical knowledge to understand every detail and was responsible for handling the fateful upgrades of the network: the one in August 2004 with which the illegal code was introduced, and the one a few months later with which it was deleted.
Through illegal software installed in Vodafone’s systems, about 100 phones had been monitored between 2004 and 2005 using 14-16 prepaid “shadow phones,” which recorded conversations in and around the American Embassy.
The case was nevertheless closed in 2008.
It was reopened and revisited two years later when new information emerged regarding the involvement of the US National Security Agency, without, however, clarification of the circumstances of Tsalikidis’ death.
A decade later, Kostas’ death was still caught up in an investigation into what now appears to have been a U.S. covert operation in Greece, and Greek authorities took the extraordinary step of issuing an international arrest warrant for a CIA official.
The Greeks believe he was a key figure in the operation while based in Athens.
Unnoticed by the U.S. press, the warrant was a nearly unprecedented action by an allied country.
The intelligence official was identified as William George Basil, and he was accused of espionage and eavesdropping.
Major network penetrations of any kind are exceedingly uncommon.
They are hard to pull off, and equally hard to investigate.
The Athens affair stands out, because it may have involved state secrets, and it targeted individuals—a combination that, if it had ever occurred before, was not disclosed publicly.
The most notorious penetration to compromise state secrets was “Cuckoo’s Egg,” a name given by the network administrator who pursued a German programmer in 1986 who had been selling secrets about the U.S. Strategic Defense Initiative (“Star Wars”) to the Soviet KGB.
Basically in the Athens case, the hackers broke into a telephone network and subverted its built-in wiretapping features for their own purposes.
That could have been done with any phone account, not just cellular ones.
Nevertheless, there are some elements of the Vodafone Greece system that were unique and crucial to the way the crime was pulled off.
The Intercept reported: As Kostas Tsalikidis and his colleagues at Vodafone worked constant overtime in the months leading up to the games, thousands of miles away another group was also getting ready for the Summer Olympics in Greece: members of the U.S. National Security Agency.
But rather than communicating, they were far more interested in listening.
According to previously undisclosed documents from the Snowden archive, NSA had a long history of tapping into Olympic Games, both overseas and within the U.S.
During the 2002 Winter Olympics in Salt Lake City, the focus was on counter terrorism, and NSA acted largely in support of the FBI in a fusion cell known as the Olympics Intelligence Center (OIC).
In 2004, for the first time since the 9/11 attacks of 2001, the Summer Olympic Games would be held outside the U.S., and thus the difficulties would be far greater.
“Several factors made the Athens Olympics vastly different,” the document continued, “not the least of which is the fact these Olympics will not be held at a domestic location.
Also different is that the security organization that NSA supported is the Greek National Intelligence Service or EYP.
The NSA gathered information and, if needed, would tip off the EYP of possible terrorist or criminal actions.
Without a doubt, the communication between NSA and EYP took some coordination, and for that reason preparations were already underway.”
According to a former senior U.S. intelligence official involved with the operation, there was close cooperation between NSA and the Greek government.
“The Greeks identified terrorist nets, so the NSA put these devices in there and they told the Greeks, OK, when it’s done we’ll turn it off,” said the source.
“They put them in the Athens communications system, with the knowledge and approval of the Greek government for security reasons.”
The Olympic Games ran smoothly: there were no serious terrorist threats and Greece had its best medal tally in more than a century.
On August 29, 16 days after the games began, closing ceremonies were held at the Athens Olympic Stadium.
As 70,000 people watched, Greek performers displayed traditional dances, a symbolic lantern was lit with the Olympic Flame, and the president of the International Olympics Committee gave a short speech and then officially closed the games.
Two weeks later, the Paralympics ended, and at that point, keeping their promise to the Greek government, the NSA employees should have quietly disconnected their hardware and deleted their software from the local telecommunications systems, packed up their bugging equipment, and boarded a plane for Fort Meade.
The problem was, they didn’t.
Instead, they secretly kept the spying operation active, but instead of terrorists, they targeted top Greek officials.
According to the former U.S. intelligence official involved with the operation, the NSA began conducting the operation secretly, without the approval or authorization of the CIA chief of station in Athens, the U.S. ambassador, or the Greek government.
“We had a huge problem right after the Greek Olympics,” the source said.
“They [NSA] said when the Olympics is over, we’ll turn it off and take it away.
And after the Olympics they turned it off but they didn’t take it away and they turned it back on and the Greeks discovered it.
They triangulated some signals, anonymous signals, and it all pointed back to the embassy.”
Illegally implanted software, which was found in Vodafone’s Greek switches, created parallel streams of digitized voice for the tapped phone calls.
One stream was the ordinary one, between the two calling parties.
The other stream, an exact copy, was directed to other cellphones, allowing the tappers to listen in on the conversations on the cellphones, and probably also to record them.
The software also routed location and other information about those phone calls to these shadow handsets via automated text messages.
Five weeks after the first messaging failures, on 4 March 2005, Ericsson alerted Vodafone that unauthorized software had been installed in two of Vodafone’s central offices.
Three days later, Vodafone technicians isolated the rogue code.
The next day, 8 March, the CEO of Vodafone Greece, Giorgos Koronias, ordered technicians to remove the software.
Within weeks of the initial discovery of the tapping scheme, Greek government and independent authorities launched five different investigations aimed at answering three main questions:
1. Who was responsible for the bugging?
2. Was Tsalikidis’s death related to the scandal?
3. And how did the perpetrators pull off this audacious scheme?
The base station’s activities are governed by a base station controller, a special-purpose computer within the station that allocates radio channels and helps coordinate handovers between the transceivers under its control.
This controller in turn communicates with a mobile switching center that takes phone calls and connects them to call recipients within the same switching center, other switching centers within the company, or special exchanges that act as gateways to foreign networks, routing calls to other telephone networks (mobile or landline).
The mobile switching centers are particularly important to the Athens affair because they hosted the rogue phone-tapping software, and it is there that the eavesdropping originated. They were the logical choice, because they are at the heart of the network; the intruders needed to take over only a few of them in order to carry out their attack.
Both the base station controllers and the switching centers are built around a large computer, known as a switch, capable of creating a dedicated communications path between a phone within its network and, in principle, any other phone in the world.
Switches are holdovers from the 1970s, an era when powerful computers filled rooms and were built around proprietary hardware and software. Though these computers are smaller nowadays, the system’s basic architecture remains largely unchanged.
Like most phone companies, Vodafone Greece uses the same kind of computer for both its mobile switching centers and its base station controllers—Ericsson’s AXE line of switches.
A central processor coordinates the switch’s operations and directs the switch to set up a speech or data path from one phone to another and then routes a call through it.
Logs of network activity and billing records are stored on disk by a separate unit, called a management processor.
The key to understanding the hack at the heart of the Athens affair is knowing how the Ericsson AXE allows lawful intercepts—what are popularly called “wiretaps.”
Though the details differ from country to country, in Greece, as in most places, the process starts when a law enforcement official goes to a court and obtains a warrant, which is then presented to the phone company whose customer is to be tapped.
Nowadays, all wiretaps are carried out at the central office. In AXE exchanges a remote-control equipment subsystem (RES) carries out the phone tap by monitoring the speech and data streams of switched calls.
It is a software subsystem typically used for setting up wiretaps, which only law officers are supposed to have access to.
When the wiretapped phone makes a call, the RES copies the conversation into a second data stream and diverts that copy to a phone line used by law enforcement officials.
Ericsson optionally provides an interception management system (IMS), through which lawful call intercepts are set up and managed. When a court order is presented to the phone company, its operators initiate an intercept by filling out a dialog box in the IMS software.
The optional IMS in the operator interface and the RES in the exchange each contain a list of wiretaps: wiretap requests in the case of the IMS, actual taps in the RES. Only IMS-initiated wiretaps should be active in the RES, so a wiretap in the RES without a request for a tap in the IMS is a pretty good indicator that an unauthorized tap has occurred.
An audit procedure can be used to find any discrepancies between them.
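The audit described above can be sketched as a reconciliation of the two lists. This is an added example, not Ericsson's or Vodafone's procedure: the record layouts, finding names and phone numbers are constructed for illustration, and the real IMS and RES data formats are not given on this page.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Request:            # one intercept request held by the IMS (assumed layout)
    msisdn: str
    valid_from: datetime
    valid_to: datetime


@dataclass(frozen=True)
class ActiveTap:          # one tap found active in the RES (assumed layout)
    msisdn: str           # monitored number
    copy_to: str          # number that receives the duplicated stream
    seen_at: datetime     # when the audit observed the tap


def normalize(number, country_code="30", national_len=10):
    """Reduce +30..., 0030... and national notation to one digit string."""
    raw = number.strip()
    digits = "".join(ch for ch in raw if ch.isdigit())
    if raw.startswith("+"):
        return digits
    if digits.startswith("00"):
        return digits[2:]
    if len(digits) == national_len:
        return country_code + digits
    return digits


def audit(requests, taps, approved_destinations, ims_installed=True):
    """Return sorted (finding, number) pairs for every discrepancy."""
    approved = {normalize(n) for n in approved_destinations}
    by_number = {}
    for req in requests:
        by_number.setdefault(normalize(req.msisdn), []).append(req)

    findings, tapped = [], set()
    for tap in taps:
        number = normalize(tap.msisdn)
        tapped.add(number)
        matching = by_number.get(number, [])
        if not ims_installed:
            # No IMS means no request can exist: every active tap is suspect.
            findings.append(("TAP_WITHOUT_IMS", number))
        elif not matching:
            findings.append(("TAP_WITHOUT_REQUEST", number))
        elif not any(r.valid_from <= tap.seen_at <= r.valid_to for r in matching):
            findings.append(("TAP_OUTSIDE_WARRANT_PERIOD", number))
        if normalize(tap.copy_to) not in approved:
            findings.append(("COPY_TO_UNAPPROVED_DESTINATION", number))

    for number in by_number:
        if number not in tapped:
            findings.append(("REQUEST_NOT_PROVISIONED", number))
    return sorted(findings)


# Constructed sample data (not real numbers or warrants).
SAMPLE_REQUESTS = [
    Request("+30 690 000 0001", datetime(2004, 6, 1), datetime(2004, 9, 1)),
    Request("6900000002", datetime(2004, 6, 1), datetime(2004, 9, 1)),
]
SAMPLE_TAPS = [
    ActiveTap("00306900000001", "+30 210 000 0000", datetime(2004, 7, 1)),
    ActiveTap("6900000001", "+30 210 000 0000", datetime(2004, 12, 1)),
    ActiveTap("+306900000003", "+30 690 000 0099", datetime(2004, 7, 1)),
]
APPROVED_DESTINATIONS = ["+30 210 000 0000"]  # law-enforcement line (constructed)

if __name__ == "__main__":
    for finding, number in audit(SAMPLE_REQUESTS, SAMPLE_TAPS, APPROVED_DESTINATIONS):
        print(finding, number)
```

The reconciliation is only as good as the RES-side list it is given: it has to come from a view of the exchange that an intruder cannot filter.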
It turns out Vodafone had not purchased the lawful intercept option at the time of the illegal wiretaps, and the IMS phone-tapping management software was not installed on Vodafone’s systems. But in early 2003, Vodafone technicians upgraded the Greek switches to release R9.1 of the AXE software suite.
That upgrade included the RES software, according to a letter from Ericsson that accompanied the upgrade. So after the upgrade, the Vodafone system contained the software code necessary to intercept calls using the RES, even though it lacked the high-level user interface in the IMS normally used to facilitate such intercepts.
That odd circumstance would turn out to play a role in letting the Athens hackers illegally listen in on calls and yet escape detection for months and months.
IEEE Spectrum ran a story in which Vassilis Prevelakis, an IEEE member and an assistant professor of computer science at Drexel University, in Philadelphia, explains:
It took guile and some serious programming chops to manipulate the lawful call-intercept functions in Vodafone’s mobile switching centers. The intruders’ task was particularly complicated because they needed to install and operate the wiretapping software on the exchanges without being detected by Vodafone or Ericsson system administrators.
From time to time the intruders needed access to the rogue software to update the lists of monitored numbers and shadow phones.
These activities had to be kept off all logs, while the software itself had to be invisible to the system administrators conducting routine maintenance activities.
The intruders achieved all these objectives.
They took advantage of the fact that the AXE allows new software to be installed without rebooting the system, an important feature when any interruption would disconnect phone calls, lose text messages, and render emergency services unreachable.
To let an AXE exchange run continuously for decades, as many of them do, Ericsson’s software uses several techniques for handling failures and upgrading an exchange’s software without suspending its operation.
These techniques allow the direct patching of code loaded in the central processor, in effect altering the operating system on the fly.
Modern GSM systems, such as Vodafone’s, secure the wireless links with a sophisticated encryption mechanism.
A call to another cellphone will be re-encrypted between the remote cellphone and its closest base station, but it is not protected while it transits the provider’s core network.
For this reason—and for the ease of monitoring calls from the comfort of their lair—the perpetrators of the Vodafone wiretaps attacked the core switches of the Vodafone network.
Encrypting communications from the start of the chain to its end—as banks, for example, do—makes it very difficult to implement legal wiretaps.
To simplify software maintenance, the AXE has detailed rules for directly patching software running on its central processor. The AXE’s existing code is structured around independent blocks, or program modules, which are stored in the central processor’s memory.
The release being used in 2004 consisted of about 1760 blocks. Each contains a small “correction area,” used whenever software is updated with a patch.
A software patch works by replacing an instruction at the area of the code to be fixed with an instruction that diverts the program to a memory location in the correction area containing the new version of the code.
The challenge faced by the intruders was to use the RES’s capabilities to duplicate and divert the bits of a call stream without using the dialog-box interface to the IMS, which would create auditable logs of their activities.
The intruders pulled this off by installing a series of patches to 29 separate blocks of code, according to Ericsson officials who testified before the Greek parliamentary committee that investigated the wiretaps.
This rogue software modified the central processor’s software to directly initiate a wiretap, using the RES’s capabilities. Best of all, for them, the taps were not visible to the operators, because the IMS and its user interface weren’t used.
The full version of the software would have recorded the phone numbers being tapped in an official registry within the exchange.
And, as we noted, an audit could then find a discrepancy between the numbers monitored by the exchange and the warrants active in the IMS. But the rogue software bypassed the IMS.
Instead, it cleverly stored the bugged numbers in two data areas that were part of the rogue software’s own memory space, which was within the switch’s memory but isolated and not made known to the rest of the switch.
That by itself put the rogue software a long way toward escaping detection. But the perpetrators hid their own tracks in a number of other ways as well. For example, system administrators could have taken a listing of all the blocks, which would show all the active processes running within the AXE, similar to the task manager output in Microsoft Windows or the process status (ps) output in Unix.
They then would have seen that some processes were active, though they shouldn’t have been.
But the rogue software apparently modified the commands that list the active blocks in a way that omitted certain blocks—the ones that related to intercepts—from any such listing.
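Because the exchange's own listing command could no longer be trusted, a defender has to compare it with an independent view, such as the offline dump that Ericsson analysed, and with a known-good baseline of each block's correction area. The following is an added example of that cross-view check, not Ericsson's tooling: the block names, the dump layout (block name mapped to correction-area bytes) and the finding names are assumptions, since the AXE dump format is not described on this page.

```python
import hashlib


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(reference_blocks):
    """Hash the correction area of every block in a known-good load.

    The baseline must be rebuilt after each approved patch, otherwise
    legitimate vendor corrections will show up as changes.
    """
    return {name: digest(area) for name, area in reference_blocks.items()}


def cross_view_audit(listed_names, dump_blocks, baseline):
    """Compare three views of the same exchange.

    listed_names: block names reported by the exchange's own listing command
    dump_blocks:  name -> correction-area bytes parsed from an offline dump
    baseline:     name -> expected correction-area hash (see build_baseline)
    """
    listed = set(listed_names)
    findings = []
    for name, area in sorted(dump_blocks.items()):
        if name not in listed:
            # Present in memory but omitted by the (possibly modified) command.
            findings.append(("HIDDEN_FROM_LISTING", name))
        expected = baseline.get(name)
        if expected is None:
            findings.append(("NOT_IN_BASELINE", name))
        elif digest(area) != expected:
            findings.append(("CORRECTION_AREA_CHANGED", name))
    for name in sorted(listed - set(dump_blocks)):
        findings.append(("LISTED_BUT_NOT_IN_DUMP", name))
    return findings


# Constructed sample data: three known blocks with empty correction areas.
REFERENCE = {
    "BILLING": b"\x00" * 16,
    "CALLCTL": b"\x00" * 16,
    "LISTCMD": b"\x00" * 16,
}
# Constructed dump: two correction areas now hold unapproved content and one
# extra block exists that the listing command does not report.
DUMP = {
    "BILLING": b"\x00" * 16,
    "CALLCTL": b"\x00" * 8 + b"DIVERT01",
    "LISTCMD": b"\x00" * 8 + b"DIVERT02",
    "XDATA01": b"\x01" * 16,
}
LISTED = ["BILLING", "CALLCTL", "LISTCMD"]

if __name__ == "__main__":
    for finding, name in cross_view_audit(LISTED, DUMP, build_baseline(REFERENCE)):
        print(finding, name)
```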
Two investigations were conducted into the causes of death:
The first, between 2005 and 2006, concluded that death resulted from hanging.
In 2006 and 2007, Vodafone Greece was fined a total of €95 million by Greek regulators for breaching privacy rules.
A supplementary investigation was conducted during 2012-2014, which confirmed the findings of the former, namely that it was suicide.
On 19 November 2014 his family took his case to the top human rights court in Europe, the European Court of Human Rights (ECHR).
The ECHR in Strasbourg unanimously condemned Greece for violating Article 2 (Right to Life) of the European Convention on Human Rights in the case of the death of Kostas Tsalikidis, finding that, on two occasions, Greek judicial authorities erroneously ruled out foul play, given the “inconsistencies” identified in the technical expert reports made at the request of the applicants.
These include other inconsistencies such as the lack of suicidal motivation confirmed by the psychiatric report.
Thanks to the courage of his own family, the European Court has essentially come to admit that this was a disguised murder.
The evidence they have managed to painstakingly gather over the years, together with the written statements of the judicial authorities who worked on the case, clearly suggest that Kostas Tsalikidis’s death is inextricably linked to the bugging through the Vodafone network of the phones of high-ranking government officials during the administration of Kostas Karamanlis, including the prime minister himself.
No spasms or injuries or anxiety on the face.
It seemed to have been a suicide, but it had troubled the authorities since he was found.
The night before, planning to go on a weekend trip with his fiancée and asking his mother to wake him up in the morning, yet ending his life by hanging?
For some odd reason, the case was too quickly ruled a suicide and went into the record, while his own family “ripped their garments”, but still the authorities did not take any special action.
The family understood, even initially, that Kostas Tsalikidis’s death, deemed a suicide, was inseparably linked to a case in which deep state, economic and business interests were involved.
In fact, when Kostas Tsalikidis’ family heard the case being discussed, they realised it was related to the loss of their own Kostas, so they sent the photographs taken by his brother when he found him hanging to Stephen Kars of the London Royal College of Medicine and then to Coroner George Dielernia, though in Greece the death had previously been ruled a suicide without an autopsy even being completed, because “there was no reason”.
Professor Kars drew up an expert report that seems to invalidate the estimations of the Greek forensic scientists as he wrote:
“The critical data on the height and weight of the deceased and the temperature of the body and the room were not taken into account, nor was it attempted to determine the exact time of death “.
The final conclusion of Steven Kars’s report was that Kostas Tsalikidis was either drugged and / or poisoned and hanged after death.
In November 2017 the ECHR stated:
“The Court considers that the national authorities failed to carry out an adequate and effective investigation into the circumstances surrounding the death of Mr Tsalikidis,” the Strasbourg-based court said in a ruling dated Nov. 16.
“The Court observes, in particular, that the difficulty in determining whether there was any substance in the applicants’ claim that their relative was unlawfully killed rests with the failure of the authorities adequately to investigate the circumstances of the death,”
The ECHR faulted Greece for failing to fully investigate the death of a telecoms engineer in 2005 during a scandal over wiretapping of the country’s political leadership and ordered Greece to pay Tsalikidis’s family €50,000 in damages for the state’s failure to clarify circumstances surrounding his death.
After the ruling, a Greek prosecutor would investigate whether the case needed to be reopened, Greek court sources told Reuters.
By June 30, 2018, almost 13 years after the mysterious death of Kostas Tsalikidis, his doubtful “suicide” was deemed a murder by the Greek Department of Justice.
It was the 3rd investigation of the case in a series of examinations by the prosecution authorities, and began in November of 2017, immediately after the European Court of Human Rights (ECHR) unanimously condemned Greece’s faulty investigation into the causes of Tsalikidis’ death.
According to the District Attorney’s Office, criminal charges for intentional manslaughter have now been brought against unidentified suspects by District Attorney Sotiria Papageorgakopoulou, at the request of the Chief Prosecutor of the Court of Appeal, Grigoris Peponis.
- A death in Athens by James Bamford
- A fantastic report submitted by the IEEE magazine, based on the reports of the Greek inquiry
- Transcripts of hearings
- betabug website, describing the events from the perspective of a Swiss national living in Greece
- HASTOUKI BY THE EUROPEAN COURT OF JUSTICE
- Reporter James Bamford, international publication Intercept in this joint investigation with Kathimerini, explains how the wiretaps were organised and performed in Athens.
- A column in The Nation about the political consequences of wiretaps
- Ericsson training materials found on the quintessenz website
- Post on ECHR ruling by Omar Tarif
- A collection of articles from a website devoted to the memory of the deceased engineer