Turkish Journalist Jailed for Terrorism Was Framed, Forensics Report Shows
New analysis of Barış Pehlivan's computer finds a very rare, targeted malware called Ahtapot. It only gets stranger from there.
Turkish investigative journalist Barış Pehlivan spent 19 months in jail, accused of terrorism based on documents found on his work computer. But when digital forensics experts examined his PC, they discovered that those files were put there by someone who removed the hard drive from the case, copied the documents onto it, and then reinstalled the hard drive.
The attackers also attempted to control the journalist's machine remotely, trying to infect it using malicious email attachments and thumb drives. Among the viruses detected on his computer was an extremely rare trojan called Ahtapot, in one of the only times it has been seen in the wild.
"We have never seen a computer attacked as ferociously as Barış's. The attackers seemed to pull everything out of their bag of tricks," Mark Spencer, digital forensics expert at Arsenal Consulting, said.
Pehlivan went to jail in February 2011, along with six of his colleagues, after electronic evidence seized during a police raid in 2011 appeared to connect all of them to Ergenekon, an alleged armed group accused of terrorism in Turkey.
It is not clear who perpetrated the attack, but the sophistication of the malware used, the tightly targeted way Ahtapot works, and the timing of Pehlivan's arrest suggest a highly coordinated, well-funded attack. The incident is a pivotal one both for the infosecurity field and for press freedom in a country where, as one human rights group put it, there is currently a "witch hunt against journalists." At least 78 journalists, media workers and owners have been jailed in Turkey since the coup attempt that took place on July 15.
The website Pehlivan works for, OdaTV, has often been critical of the government and of the Gülen Movement, which Turkish president Recep Tayyip Erdoğan accused of orchestrating the recent attempted coup. The journalists were released from prison on September 14, 2012, but the terrorism trial continues.
"We are not guilty," Barış Pehlivan told me. "The files were put into our computers by a virus and by [attackers] entering the OdaTV office secretly. None of us had seen those documents before the prosecutor showed them to us."
A paper recently published by computer expert Mark Spencer in Digital Forensics Magazine sheds light on the case, after several other reports had already acknowledged the presence of malware.
Spencer said no other forensics expert noticed the Ahtapot trojan in the OdaTV case, nor accurately determined how those documents showed up on the journalist's computer. However, almost all the reports have concluded that the incriminating files were planted.
Three infosec professionals from different companies reviewed Spencer's paper for us and said it is reliable and well-founded, provided the data acquired from the journalist's computer is accurate.
"Yes, [the report] definitely raises eyebrows," Taneli Kaivola, senior security consultant at F-Secure, said.
***
"It takes an impressive level of conviction to locally attack a computer four times, and remotely attack it seven times [between January 1, 2011 and February 11, 2011], as well as a certain level of technical skill to set up the infrastructure for those attacks, which included document forgery and date and time manipulation."
What baffled Spencer the most during the investigation was an unusual piece of malware, one he had not seen before. It was installed on Pehlivan's computer on the evening of Friday, February 11, 2011. The police raid took place the following Monday morning.
Spencer called Gabor Szappanos, principal researcher at Sophos, who has been analyzing computer viruses for over two decades. They worked together to find out what happened.
The malware appeared to be an unfinished beta. It was a Remote Access Trojan (RAT), malicious software that allows attackers to control a computer without having physical access to it.
This RAT is now known as Ahtapot, the Turkish word for "octopus." There are clues suggesting the malware is Turkish in origin, including Turkish words in Ahtapot's code, yet security experts are almost always uncomfortable talking about attribution.
"Ahtapot was an outlier. We have never encountered Ahtapot apart from this incident," Szappanos said.
The Sophos researcher believes this RAT was rushed into use out of desperation, after several attacks failed to deliver the expected results. "Looking at the code revealed some mistakes that are typical at the beginning of development processes [of a malware]," Gabor Szappanos said.
The attackers tried to copy Ahtapot onto Pehlivan's hard drive together with the incriminating documents. However, the malware did not install properly: a vital component could not be created, because one file had the same name as a component of a previous RAT they had used.
Prior to bringing in Ahtapot, the attackers relied on more common malware. First, they tried to infect Pehlivan's computer with the Turkojan RAT via a thumb drive. Email attachments were also used.
***
Spencer, who also studied computers and other devices related to the Boston Marathon bombers, said he and his team at Arsenal Consulting examined Barış Pehlivan's computer using a technique they developed to deal with sophisticated tampering of evidence.
It is called "Anchors in Relative Time," which means putting events logged by computers, such as startups and shutdowns, in chronological order regardless of any associated dates and times that might have been altered by attackers. Forensics experts can then identify suspicious activity even if someone has manipulated the dates and times at which the events happened.
Spencer used the technique and saw an anomaly on the evenings of February 9 and 11. None of the OdaTV journalists was at the office at those times, according to Pehlivan.
The journalist's computer booted after 10 PM, only to shut down a minute later. Even stranger, the incriminating documents were created while the PC was turned off, right before it booted. Arsenal thinks there is only one possible explanation: someone detached the hard drive, attached it to another computer, and copied the files.
Then the attackers briefly booted the PC each night to confirm they had reattached the hard drive correctly and to allow the malware they had put in with the documents to be properly dropped.
Apparently, Spencer said, the attackers copied both malware and incriminating documents to Pehlivan's hard drive on the nights of February 9 and 11, to cover their bases in case they would not be able to control the computer remotely using the malware.
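A minimal illustration of the anchor idea, added here as example code and not Arsenal's own tooling or the technique as Spencer published it: records are ordered by a monotonic sequence number (the "anchor"), and only then are the stored timestamps examined for clock inversions, one-minute boot sessions and files stamped inside a shutdown-to-boot gap. The log records and file timestamps are constructed for the example, not data from the OdaTV case.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
@dataclass
class LogEvent:
    record_id: int       # monotonic sequence number written by the logging subsystem: the "anchor"
    kind: str            # "boot" or "shutdown"
    timestamp: datetime  # clock value stored with the record; this is what an attacker can forge
def anchor_order(events):
    """Order records by sequence number, ignoring the timestamps entirely."""
    return sorted(events, key=lambda e: e.record_id)

def timestamp_inversions(events):
    """Adjacent records (by anchor) whose clock runs backwards: a sign of clock tampering."""
    ordered = anchor_order(events)
    return [(a.record_id, b.record_id) for a, b in zip(ordered, ordered[1:]) if b.timestamp < a.timestamp]

def off_windows(events):
    """(shutdown, next boot) intervals during which the machine was powered off."""
    windows, last_shutdown = [], None
    for e in anchor_order(events):
        if e.kind == "shutdown":
            last_shutdown = e.timestamp
        elif e.kind == "boot" and last_shutdown is not None:
            windows.append((last_shutdown, e.timestamp))
            last_shutdown = None
    return windows

def files_created_while_off(events, files):
    """Paths whose creation time falls inside an off window: this machine cannot have written them."""
    windows = off_windows(events)
    return [path for path, created in files if any(start < created < end for start, end in windows)]

def brief_sessions(events, max_minutes=5):
    """(boot, shutdown) record pairs where the machine stayed up only briefly."""
    sessions, last_boot = [], None
    for e in anchor_order(events):
        if e.kind == "boot":
            last_boot = e
        elif e.kind == "shutdown" and last_boot is not None:
            if timedelta(0) <= e.timestamp - last_boot.timestamp <= timedelta(minutes=max_minutes):
                sessions.append((last_boot.record_id, e.record_id))
            last_boot = None
    return sessions

T = lambda s: datetime.strptime(s, "%Y-%m-%d %H:%M")
# Constructed sample records for illustration, not data from the OdaTV case.
LOG = [LogEvent(1, "shutdown", T("2011-02-09 18:02")), LogEvent(2, "boot", T("2011-02-09 22:14")),
       LogEvent(3, "shutdown", T("2011-02-09 22:15")), LogEvent(4, "boot", T("2011-02-10 09:01")),
       LogEvent(5, "shutdown", T("2011-02-10 08:55")), LogEvent(6, "boot", T("2011-02-10 18:00"))]
FILES = [("C:/docs/plan.doc", T("2011-02-09 22:10")),   # stamped inside the 18:02-22:14 off window
         ("C:/docs/memo.txt", T("2011-02-09 15:00"))]   # stamped during normal uptime
```

Running the three checks over `LOG` and `FILES` flags the backwards clock between records 4 and 5, the one-minute session between records 2 and 3, and `plan.doc` as created while the machine was off.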
They were smart enough to forge the dates associated with these documents, Spencer said. The key to his investigation was constructing the true timeline of events.
He suspects the journalist's PC was attacked locally on those two evenings of February 9 and 11 because previous attempts to infect it remotely with malware had failed.
"It was the last two local attacks that were successful in terms of delivering the incriminating documents used by the prosecution," he said.
Arsenal studied Pehlivan's computer after being contacted by the Turkish defense attorney. According to Mark Spencer, it was a pro bono case.
Spencer and Szappanos drew several conclusions after studying Barış Pehlivan's computer.
"There were about a dozen different malware samples found. Analyzing them in detail revealed that these were not independent incidents; we could find connections between them," Szappanos said.
He believes this was an expensive targeted attack, which used malware samples and command and control servers dedicated to this case alone.
"The data suggests that these Trojans and domains were used only in this incident, infecting only 1-2 computers. That is not a typical crimeware scenario, and even APT groups target a wider range of victims. The very narrow scope indicates an attacker with a very specific agenda," he said.
Most infosec professionals refrain from saying who the attacker is, as attribution is usually difficult to establish in the cyberworld. "We think it was developed by a Turkish-speaking person/people. Internal texts found in the malware samples were all in the Turkish language," Szappanos said.
There are more than a dozen computer forensics reports on the OdaTV computers. Experts from three universities in Turkey and the US-based Data Devastation company acknowledged the existence of malware and suggested the journalists had nothing to do with the files found on their PCs.
Even a report written by Turkey's TÜBİTAK agency confirmed the presence of malware. It said: "Viruses were detected in the examined computers. However, we did not detect anything about whether the documents were transferred with viruses or not."
The reports arrive at slightly different conclusions, and many researchers focus on just a couple of malware samples. "Every report is going to be a little bit different," Taneli Kaivola, a senior security consultant at F-Secure, said. "[T]he amount of data can be overwhelming. You have to pick the relevant bits and draw meaningful conclusions."
Kaivola said everything hangs on the skills of the analysts doing the job and the data they select.
Meanwhile in Turkey, Barış Pehlivan is getting ready for his next hearing, scheduled for September 21. He believes the trial could end this year, and hopes to be acquitted.
During his career as an investigative journalist, Pehlivan has often been a critic of both the government and the Gülen Movement, which allegedly organized the recent coup attempt in Turkey.
Had the coup succeeded, he believes he might have been jailed again. "Or I might have been killed," Pehlivan said.