- Introduction
- Challenge 1
- Challenge 2
- Challenge 3
- Challenge 4
- Challenge 5
- Challenge 6
- Challenge 7
- Challenge 8
Harry,
We have a new mission for you and your team, and I think you are going to like it. Here is the background.
Last May a small container ship from Singapore disappeared off the port of Salalah. Last communications with the ship didn’t suggest any problems, but the Omani Coastguard lost track of it in a fog bank, and after two days Coastguard cutters were sent out to search for it. They were joined in the hunt by a UK Naval destroyer on exercises, but, despite the pretty sophisticated equipment they carried, neither the ship nor wreckage were found. The local authorities added the ship to a list of potential piracy cases, but no ransom was demanded for the vessel. Last week the ship was found drifting, with no crew or passengers, near the location where it was last spotted. The ship was impounded and searched, and the British Embassy were called in when they found a cabin full of UK-sourced high tech comms gear. The Omani government assumed it was part of a UK listening op spying on them, but we pointed out that we wouldn’t have abandoned the ship so close to a foreign power and we agreed to pool intelligence in an effort to trace the ship’s movements and to figure out what it was doing there.
A full search revealed an extensive network of fast computers hidden behind fake bulkheads and cooled by seawater. They also found a high powered aerial giving weight to the Omani fears that this was a listening post. Strangely there were also some signs that part of the superstructure had been cut loose.
Most of the files on the server have been overwritten several times, but we did find one thumb drive containing an encrypted email archive and the local GCHQ team had some success decrypting a few of the messages. I’m not sure if this is good news or bad, but it appears that this ship was being used by the Flag Day Associates.
Hackers with their own Navy is a new one on me - I have no idea why they would want or need one. We are going to need your help to figure out what this means. I tried to get hold of Charlie in the hope that she would help, but she has gone off grid so I hope you and your team are available.
All the best,
Mark
Challenge 1 A
Mark,
Thanks for bringing me in on this one; it seems like a fascinating case.
I have three questions:
Why would the Flag Day Associates want a SHIP?
Why would they want THIS ship?
Why would they want this ship NOW?
Having read the attached document I suspect that the answers are all related to the question of what exactly she and her Flag Day Associate Crew were trying to survey.
I am guessing that you already checked out the onboard GPS system for information about her movements, but if you did find anything I would be fascinated to hear about it. In the meantime I am pretty sure that you know more about the Flag Day Associates than you have told me, so a briefing would be much appreciated.
All the best,
Harry
Challenge 1 B
Report on the Trojan Project
Having drugged the crew, we were able to take the ship with essentially no resistance. The crew were handed to the Somali pirates at the deep water rendezvous as planned, and we began the survey.
Just after midnight the radar showed an approaching vessel, which our database identified as a Coastguard cutter. We headed south to avoid detection with all ship lights off. We then completed the survey in the new location after dawn.
With the listening post installed we began assembling the equipment for phase two of the operation, keeping a watch for further patrols in the sky and on the water.
Challenge 2 A
Dear Mark,
Thanks for the latest report from the on-site team. It shows that the shipboard GPS system was completely scrambled so we are not going to be able to trace her movements from that. Do we have any odd traces from onshore radar that give a hint of where she might have been?
The comment in the last message that the pirates completed the survey even though they had moved south to avoid detection should have told me that the survey was not geographic. At first I thought it might have been referring to a telecoms survey since you mentioned the long aerial, but actually the attached message is very revealing. Still not sure what the survey was for though, and how that is connected to the missing superstructure. Can you get me any pictures?
Harry
Challenge 2 B
Calm weather allowed us to complete the hull survey and establish its integrity. No major remedial works were required and the pumps and extra bulkheads were installed out in deep waters over the next five days. We are now testing the system for reliability and safety before moving on to phase three of the operation. Operation Trojan remains on target.
Challenge 3 A
Harry,
You asked me about the Flag Day Associates. They are a trans-national hacking group dedicated to the overthrow of western capitalism. They have been implicated in several major protests, including an attempt to take over the UK National Grid, attacks on reservoir systems and interference in bank trading networks.
It looks like the FDA carried out fairly extensive modifications to the ship. They did a good job too. We hadn’t noticed the added bulkheads until we compared the layout with the plans from Lloyd’s Register. They seem to be there to add rigidity, though there is one additional panel at the stern that doesn’t fit the pattern and we will be removing that tonight to see what it is there for. We would have done it this afternoon but decided we should conduct our own hull survey in case there is a booby trap.
Challenge 3 B
Phase Three: The Nautilus system was fully tested last night with complete success. We sailed within four hundred metres of the target and monitored all radio traffic for two hours with no sign that we were being watched or were even noticed.
We then conducted a full radar sweep of the area and found three dead spots where we could work on the ship without detection.
As planned, we converted the two adjacent empty containers in the middle of the stack into a large workshop area and carried out a full inspection drill. Now, even if we are boarded, our work should remain undetected.
We retrieved Seahorse from the third container and carried out stage one of the assembly.
Challenge 4 A
Harry,
We completed the survey and you are not going to believe what we found. Behind the false bulkhead in the stern there was a large pumping station connected to a number of sea-facing outlets. It looks like a scuttling valve system similar to the ones used on U-boats in World War Two. I can’t understand why they would go to so much effort when they could have scuttled her at any time with a small quantity of plastic explosive. The team back at NSA have run some analytics on the remaining text files we extracted from the servers onboard. These ciphers are going to be pretty hard to crack. The attached report has frequency analysis matching usual English text, so we can assume that the sender was a native speaker. Did you have any thoughts on what the Nautilus system might have been, or what it was for?
Challenge 4 B
Phase Four: The decks were cleared by two am, and the mounting plates were prepared and measured. Mounting points were assembled by four am, though owing to the approaching dawn deployment of Seabird was postponed and we embarked on stage two of Seahorse assembly. With camouflage plates installed we set to cruising in case of air or sea surveillance, following standard routes to avoid suspicion. Monitoring of airwaves gave no cause for concern, but we have raised security levels and are using a column transposition cipher for this communication with keyword Seabird. Future comms will rely on even more security. Tonight will be used for more sea trials of the Nautilus system while the assembly crew rest, and the survey team carry out further mapping. We will resume the Seahorse build at dusk tomorrow.
Challenge 5 A
Harry,
I cracked that last message for myself and noticed something really odd. The text said it was encrypted using a column transposition with keyword Seabird, but it was enciphered using a railfence cipher. I can only assume that the text we retrieved was an archive of the original message re-encrypted for safety. Whoever the Flag Day Associates are, they have a pretty sophisticated operation if they are filing messages like this. More like one of the major terrorist groups than the usual hacker collective.
The tech guys took a look at the aerial from the boat and they tell me that it is a drag wire, usually used to communicate with a submarine when submerged. It carried an acoustic transducer array as well as a short wave transmitter and listening gear.
One thing that puzzles me now is why we were allowed to find the ship floating at all. Surely they must have planned to sink her using the scuttling equipment, otherwise what was it for? They seem too smart to leave it floating for us to find. Any thoughts?
Mark
PS: Just before I sent this, the cipher clerk came in with a decrypt of the attached. Columnar transposition keyword has length six; I think it answers some of our questions about the Nautilus system.
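The two transposition ciphers named in the Phase Four log and in Mark's letter, columnar transposition with keyword Seabird and the rail fence, as an added worked example; it is not part of the challenge text, and the sample message is constructed. The block also shows the point Mark's frequency report rests on: a transposition reorders letters without changing their counts, so ciphertext with ordinary English letter frequencies points at a transposition rather than a substitution. The last two functions model the layering Mark describes, a columnar message re-enciphered with a rail fence before filing, and undo it in reverse order.

```python
from collections import Counter

# Constructed sample text for the demonstration (not from the challenge archive).
SAMPLE = "The Seahorse deployment system will be fully mounted tonight"
KEYWORD = "SEABIRD"   # keyword named in the Phase Four log


def normalise(text: str) -> str:
    """Keep letters only, upper-cased: the usual pre-processing for hand ciphers."""
    return "".join(ch for ch in text.upper() if ch.isalpha())


def column_order(keyword: str) -> list[int]:
    """Column indices in the order they are read out: alphabetical by key letter,
    ties broken left to right (SEABIRD -> A B D E I R S -> [2, 3, 6, 1, 4, 5, 0])."""
    return sorted(range(len(keyword)), key=lambda i: (keyword[i].upper(), i))


def columnar_encrypt(plaintext: str, keyword: str) -> str:
    """Write the text row by row under the keyword, then read the columns in key
    order. The last row may be incomplete (irregular columnar transposition)."""
    text = normalise(plaintext)
    ncols = len(keyword)
    columns = [text[i::ncols] for i in range(ncols)]
    return "".join(columns[i] for i in column_order(keyword))


def columnar_decrypt(ciphertext: str, keyword: str) -> str:
    """Undo columnar_encrypt. The only subtlety is working out which columns are
    one character longer when the final row is incomplete."""
    ncols = len(keyword)
    nrows, extra = divmod(len(ciphertext), ncols)
    lengths = [nrows + 1 if i < extra else nrows for i in range(ncols)]
    columns = [""] * ncols
    pos = 0
    for i in column_order(keyword):
        columns[i] = ciphertext[pos:pos + lengths[i]]
        pos += lengths[i]
    return "".join(columns[c][r]
                   for r in range(nrows + 1) for c in range(ncols) if r < lengths[c])


def rail_pattern(length: int, rails: int) -> list[int]:
    """Rail index for each text position as the text zigzags down and up the rails."""
    if rails < 2:
        return [0] * length
    period = 2 * (rails - 1)
    return [min(i % period, period - i % period) for i in range(length)]


def railfence_encrypt(plaintext: str, rails: int) -> str:
    text = normalise(plaintext)
    pattern = rail_pattern(len(text), rails)
    return "".join(ch for r in range(rails) for ch, row in zip(text, pattern) if row == r)


def railfence_decrypt(ciphertext: str, rails: int) -> str:
    pattern = rail_pattern(len(ciphertext), rails)
    # positions listed in the order the ciphertext was read off: rail by rail, left to right
    read_order = sorted(range(len(ciphertext)), key=lambda i: (pattern[i], i))
    plaintext = [""] * len(ciphertext)
    for ch, pos in zip(ciphertext, read_order):
        plaintext[pos] = ch
    return "".join(plaintext)


def letter_frequencies(text: str) -> Counter:
    """Transposition only reorders letters, so plaintext and ciphertext share this profile."""
    return Counter(normalise(text))


def archive_message(plaintext: str, keyword: str, rails: int) -> str:
    """A columnar-transposition message re-enciphered with a rail fence before filing."""
    return railfence_encrypt(columnar_encrypt(plaintext, keyword), rails)


def recover_message(archived: str, keyword: str, rails: int) -> str:
    """Peel the layers off in reverse order: rail fence first, then the columnar key."""
    return columnar_decrypt(railfence_decrypt(archived, rails), keyword)


if __name__ == "__main__":
    ct = columnar_encrypt(SAMPLE, KEYWORD)
    print("columnar :", ct)
    print("recovered:", columnar_decrypt(ct, KEYWORD))
    print("same letter counts:", letter_frequencies(SAMPLE) == letter_frequencies(ct))
    archived = archive_message(SAMPLE, KEYWORD, 3)
    print("archived :", archived)
    print("recovered:", recover_message(archived, KEYWORD, 3))
```

The frequency check is the analyst's first triage step: if the counts match English, the ciphertext is a rearrangement and the job is to find the route (key length, then column order), not a substitution alphabet.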
Challenge 5 B
Phase Five: Seahorse is ready for trials and the Nautilus system is fully functional. We engaged the mechanism and lowered the deck to three feet above sea level, approaching the shore by the radar station. At all times signals from their communications were monitored, and no sign was given that our approach had been monitored or even noticed. We backed off, the deck was raised by two feet and the approach attempted again. Once more our incursion was unnoticed. Overnight we conducted a range of tests and mapped the radar coverage. On three separate occasions there seems to have been a flurry of activity, and our modeling suggests that the ship’s masts may have triggered brief alarms. On all occasions the automatic dive systems cut in, correctly lowering the decks to sea level, and the alarms were cancelled. The Seahorse deployment system will be fully mounted tonight and we will conduct a battery of tests on the deployment and emergency recovery systems over the next two nights assuming that sea and air traffic remains low.
Challenge 6 A
Mark,
The last message told us a lot: the scuttling equipment is designed to pump water in and out of the vessel like a submarine dive control, but clearly they weren’t planning to turn a container ship into a sub! This ship is a large-scale version of something I have seen in the Caribbean. Drug runners use a similar technique to get below radar coverage for inshore runs, sinking the vessel so that the deck remains just below the wave tops. The FDA pirates seem more interested in staying away from shore but getting close enough to track and record electronic communications without detection. I am guessing this scuttling system is what they call Nautilus in their log, but I am still baffled by the references to Seahorse. The next page of the log looks harder to crack, but the cipher clerk tells me it is a Hill cipher, and that they must have been in a hurry or have been enciphering by hand since they just used a two by two matrix. Actually, we have been pretty lax with our security and I think the next message I send will use a Vigenère cipher. Given that we are using secure cables I don't think we have too much to worry about, so I will keep the keyword short - say three characters?
More later,
Harry
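The two ciphers Harry names, a Hill cipher with a two by two key matrix and a Vigenère cipher with a three-character keyword, as an added worked example that is not part of the challenge text. The key matrix [[3, 3], [2, 5]], the keyword KEY and the sample texts are constructed for illustration, and the block includes the check a hand encipherer most often skips: whether the Hill key can be inverted at all.

```python
from math import gcd

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
MOD = 26

# Constructed demonstration keys (not values from the challenge archive).
HILL_KEY = [[3, 3], [2, 5]]   # det = 9, coprime with 26, so the key is invertible
VIGENERE_KEY = "KEY"          # a three-character keyword, as Harry proposes


def normalise(text: str) -> str:
    return "".join(ch for ch in text.upper() if ch.isalpha())


def hill_key_is_valid(key) -> bool:
    """A 2x2 Hill key decrypts only if its determinant is invertible mod 26,
    i.e. gcd(det, 26) == 1. An even determinant, or one divisible by 13, fails."""
    (a, b), (c, d) = key
    det = (a * d - b * c) % MOD
    return gcd(det, MOD) == 1


def hill_inverse(key):
    """Inverse of a 2x2 matrix mod 26: det^-1 * [[d, -b], [-c, a]]."""
    if not hill_key_is_valid(key):
        raise ValueError("Hill key matrix is not invertible mod 26")
    (a, b), (c, d) = key
    det = (a * d - b * c) % MOD
    det_inv = pow(det, -1, MOD)           # modular inverse (Python 3.8+)
    return [[(det_inv * d) % MOD, (det_inv * -b) % MOD],
            [(det_inv * -c) % MOD, (det_inv * a) % MOD]]


def _hill_apply(matrix, text: str) -> str:
    """Treat each pair of letters as a column vector and multiply by the matrix mod 26."""
    out = []
    for i in range(0, len(text), 2):
        p0, p1 = ALPHABET.index(text[i]), ALPHABET.index(text[i + 1])
        c0 = (matrix[0][0] * p0 + matrix[0][1] * p1) % MOD
        c1 = (matrix[1][0] * p0 + matrix[1][1] * p1) % MOD
        out.append(ALPHABET[c0] + ALPHABET[c1])
    return "".join(out)


def hill_encrypt(plaintext: str, key) -> str:
    text = normalise(plaintext)
    if len(text) % 2:
        text += "X"                        # pad an odd-length text to whole pairs
    return _hill_apply(key, text)


def hill_decrypt(ciphertext: str, key) -> str:
    return _hill_apply(hill_inverse(key), ciphertext)


def vigenere(text: str, keyword: str, decrypt: bool = False) -> str:
    """Shift the i-th letter by the (i mod len(keyword))-th key letter;
    decryption shifts the other way."""
    text = normalise(text)
    key = normalise(keyword)
    sign = -1 if decrypt else 1
    return "".join(
        ALPHABET[(ALPHABET.index(ch) + sign * ALPHABET.index(key[i % len(key)])) % MOD]
        for i, ch in enumerate(text)
    )


if __name__ == "__main__":
    ct = hill_encrypt("HELP", HILL_KEY)
    print("Hill     :", ct, "->", hill_decrypt(ct, HILL_KEY))
    print("bad key  :", hill_key_is_valid([[2, 4], [1, 2]]))
    vt = vigenere("ATTACKATDAWN", VIGENERE_KEY)
    print("Vigenere :", vt, "->", vigenere(vt, VIGENERE_KEY, decrypt=True))
```

On the Vigenère side, a three-letter keyword means every third letter is shifted by the same amount, so the ciphertext splits into three Caesar ciphers that letter-frequency counts solve separately; the channel being a secure cable does nothing to change that arithmetic.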
Challenge 6 B
Phase six: Seahorse operated exactly as planned, with good forward visibility at the trial depths. The crew managed several tasks requiring concentration and dexterity and we plan to run a full test overnight on dummy cables dropped from the ship. The software seems to be operating as designed but there are still bugs in the firmware that need ironing out before we deploy. The collective is working full time to hunt them down and remove them though we are all getting tired. Mistakes are easy to make and could be fatal. Time is no longer on our side though and we are still planning to launch the final phase of the operation in three days’ time.
Challenge 7 A
Dear Mark,
Things are a lot clearer now. I flew out to inspect the ship myself last night and took a good look around. The reason the ship was not scuttled was that the valves had jammed. It looks like the driftwood was pulled into the mechanism and blocked the inlet. Presumably the crew had already abandoned the vessel, which was lucky for us. Without the ship we would have had no idea that the FDA had been operating in these waters.
Seahorse is no longer a mystery. The cutaway on the starboard side cleared an area of around five meters square, with a distinctive pattern of bolts fastened to reinforced deck plates. I saw something like this on a sub rescue mission a couple of years ago when they fitted a local ship with a jury-rigged inspection system. The deck plates can carry a crane designed to deploy an ROV – a remotely operated vehicle designed for undersea operations.
I was already concerned about the reference to the cables in the last part of the FDA log, but the next section has me really worried. It is encrypted with a more secure modified AMSCO transposition cipher and tells us what they were really up to. What I don’t understand is how the whole assembly is powered; the sort of computing they must be doing is really intensive and would burn through a battery in days. In that time their intercept might not catch anything useful. But they can hardly have hijacked a local socket in the middle of the ocean! Can you get me a chart showing the deep-sea cables in the region? I don’t imagine the US will be a problem, but it may need some diplomacy to get the full coverage maps from the Omani government. If I am right it is in their best interests to play along. We all have a lot to lose here.
Challenge 7 B
Phase Seven: We approached the cable junction under cover of night with Nautilus at an elevation of three feet, towing Seahorse to starboard. Comms interception showed that we remained undetected and Seahorse was deployed at operating depth. The various layers of armoured protection were removed from the cable, and, as expected, once the steel jacket was removed the other layers provided little resistance. The divers entered the water and cut into the core to insert the optical repeaters, linking them back to the man-in-the-middle unit which was powered up and fully tested. Initial tests showed that it was operating as expected and three keys have already been recovered from the Omani transmissions. With daylight approaching the remaining tests were postponed for the following night and the ship returned to deeper waters where it remained at low deck height. The divers were left at Seahorse to decompress slowly and will be recovered tomorrow once the final tests have been concluded.
Challenge 8 A
Mark,
I cracked what appears to be the final document about the Trojan deployment and I think I have an idea about how to deal with it and with the Flag Day Associates. The principal weakness of any system like the one they have installed is the need to provide large quantities of power. The FDA came up with an ingenious solution, but it is very vulnerable. Special forces could take it out for us, but that would tell the FDA that we have cracked their ciphers, so instead I suggest we let them destroy Trojan for us. We will need: cooperation from the Omani government, an armed fighter jet and the flight control systems from a drone.
Meanwhile we need to ensure two things: one, that we do not send critical information across the Bab Al-Mandab Strait and two, that we use a non-critical key generation protocol on that channel.
Given the level of commitment the FDA have shown in developing this plan I am sure that they will reinstate the power supply within a few months, but with luck they will not guess that we know about it and we will put it out of business for long enough to come up with a plan of our own to exploit it.
In the meantime we now know that their highest security communications are encrypted using a Cadenus cipher, so we can start hunting through the database for other intercepts we can crack.
This may be the breakthrough we have been looking for in the fight against the FDA, let’s not screw it up.
All the best,
Harry
Challenge 8 B
Final Report:
Insertion of the hardware is complete and our tests have concluded. There is no sign from the signal traffic that the security services have any knowledge of Trojan.
The onshore solar panels are running reliably and providing more power than needed by the existing server, so we are exploring the possibility of developing a local server farm to process data as it arrives. This will also give us additional power if the NSA changes its encryption scheme.
The plan to carry power and data to and from shore via the insulated steel jacket of the cable seems to be working better than expected. The error correcting codes we are using are highly efficient and the man-in-the-middle server is reliably intercepting around one in fifteen thousand of the American transmissions across the Bab Al-Mandab Strait.
We have been harvesting the public keys for analysis, and, while it is not immediately clear what information this might provide, any bias in their key generator is potentially exploitable. Our client in the Middle East seems satisfied with the intelligence it provides and the additional income provided by key harvesting is funding daily operations.
Our initial contract to provide a man-in-the-middle attack server to disrupt US communications remains the highest priority and first forays have allowed us to intercept communications between the Omani and US governments. These carry detailed and useful information about a forthcoming trade delegation, and planned US aircraft movements in the region.
We had not expected this level of detail at such an early stage, and would propose downing one of the aircraft as a proof of principle for potential buyers of our services.