Criminal intent

In the small hours of Monday 28 February this year, a white van pulled off the A339 in Basingstoke, passing the BP garage and Mercedes car showroom before turning in to the deserted industrial estate on Hamilton Close.

The sledgehammer-wielding crooks in the van might have been tempted to hit the fine-wine warehouse or the furnishings distribution centre. Instead, the van pulled up to an unassuming, unmarked building at the south-east corner of estate and the thieves set about their work.

By the time the police arrived at the scene several hours later, any early risers that live around the M4 corridor may have already been alerted to the consequences of the break-in – especially if their mobile contract was with Vodafone. The thieves had targeted one of Vodafone’s technical facilities, which housed essential mobile telephony equipment, crippling parts of the mobile giant’s network. It took more than a day to fully restore services.

As the initial police investigation got under way, detective sergeant Lee McClellan confirmed they were working on the presumption that this was “a targeted attack”. The raiders evidently knew what they would find inside the unmarked building and had come prepared to move the hefty equipment. Opportunist crooks would have looked for easier pickings.

This was far from an isolated case. In May, rival mobile operator O2 had equipment stolen from its east London data centre, which interrupted service to customers in the region. As was the case with the raid on Vodafone, this was
“a well organised theft”, O2 confirmed.

In 2007, in an elaborate attack on a London data centre owned by Verizon Business, a group of thieves dressed up as policemen and conned their way into the building before tying up staff and stealing computer equipment. Other firms, such as Cable & Wireless, have been hit too.

So what’s behind these attacks on data centres? According to Simon Neal, chief operating officer at secure data centre operator The Bunker, thieves are often just looking for copper. As copper prices have spiked on global commodity markets, theft of copper cables has increased.

But the price of copper does not justify the elaborate, targeted operations that are sometimes launched against data centres. In these cases, thieves are looking for high-end telecommunications equipment.

In April, three men from Ilford were convicted of stealing millions of pounds’ worth of Cisco kit from a bank-owned facility in London’s Square Mile. According to detective chief inspector Dave Evans of City of London police, this was an “organised, well-equipped and determined” gang, that used a lock-up in east London to store the goods. The police seized hardware with a value of more than £2 million, along with a £70,000 Porsche bought with money from the sale of some of the stolen kit.

Incidents such as this raise the question, where does demand for stolen telecommunications equipment come from? Finding a fence for stolen copper is relatively easy; finding a handler for carrier-grade telecoms equipment does not happen by chance.

According to one source, who spoke on the condition of anonymity, most of the stolen equipment ends up abroad, resold to often unsuspecting businesses.

This is largely made possible by the existence of the legitimate secondary market for data centre equipment, in which bona fide businesses strip data centres of obsolete infrastructure – either because the kit is being upgraded or because the firm has stopped trading – and offer it for resale.

Between the legitimate secondary market and the criminal cartels, there is a grey market. Here, resellers abuse the channel incentives put in place by technology vendors. Equipment that is subject to promotion and discounts in one country is then sold with a big mark-up elsewhere. According to the consultancy firm Deloitte, this grey market is worth $1.4 billion a year.

The Metropolitan Police Service’s long-running Operation Grafton was set up to tackle serious and organised crime around Heathrow Airport, with a specific focus on freight crime for amounts above £10,000. One criminal group fitting into this category was arrested in 2007 following investigations into multiple data centre burglaries in which Cisco hardware was once again targeted.

According to the Met, investigations carried out in conjunction with Operation Grafton have demonstrated a clear link between hijack and robbery offences relating to computer equipment and multimillion-pound carousel frauds – a type of VAT-related fraud with strong links to the grey market.

The cartels behind these crimes have connections across Europe, Africa, the Americas and the Far East: wherever there is demand for cheap, powerful data centre kit, they can supply it. Typically, the stolen goods go through several traders before being sold on as legitimate equipment.

NEXT>> The illicit data centre trade’s KGB roots

Page 2 of 2

Some experts believe the recent spate of break-ins at telecom operators points to a new method being used by criminal gangs: stealing equipment on demand.

The equipment stolen from Vodafone, for example, is thought to have included computers designed to recognise SIM cards, and others that route calls across the mobile network. The specialist nature of this kit suggests it may have been stolen to order.

One possible reason for this is that exports of certain telecommunications systems from the UK and other countries are restricted. Some destinations, such as Iran and Somalia, are off-limits altogether. These restrictions create an opportunity for criminal suppliers.

Illicit networks for trading computing equipment have been around for almost as long as the IT industry itself.
CIA files confirm that in 1970 the KGB established an operating arm known as Line X, which was charged with stealing technology secrets from US firms and government. When, in 1973, the Nixon administration introduced export controls on powerful mainframe computers and encryption technology, Line X expanded its remit beyond stealing sensitive data to obtaining physical equipment.

In 1975, the US Department of Commerce uncovered a Line X plot to obtain a restricted computer through a dummy corporation. Officials intercepted the shipping container in which the plotters planned to transport the computer and substituted its contents, leaving the KGB with nothing more than sandbags as their prize.

The Cold War export restrictions provided the blueprint for the global trade in stolen computers, which is now littered with bogus firms, suspect shipments and forged paperwork. Now, though, perpetrators are more likely to use burglary and violence than espionage and intrigue.

Insider threat

So how can firms hope to protect the mission-critical assets in their data centres? One logical step is to beef up the physical security surrounding facilities. Another critical element is to consider the level of insider threat.
Thieves need information about the contents and security of data centre facilities to know which ones to target and how to break in. The most likely source of this information is people who work at the facilities or for the organisation that operates them.  

However, rarely do gangs get their information by planting stooges in those organisations. More often, they extract the information from unsuspecting staff.

At The Bunker, Neal only employs former members of the police and armed services to staff the facilities to ensure solid protection against the insider threat. “What these people bring is a level of awareness about potential threats,” he explains.

Neal believes that businesses are gradually waking up to the value of staffing their business-critical facilities with security-minded personnel. And while that might add a little to operating costs, it is surely better than waking up to find your business in pieces.

Henry Catchpole

Henry Catchpole runs Inform Direct, a company records management software company which simplifies the process of dealing with Companies House. The business was set up in 2013.

Related Topics