Greek wiretapping case 2004–05
The Greek wiretapping case of 2004-2005, also referred to as Greek Watergate, involved the illegal tapping of more than 100 mobile phones on the Vodafone Greece network belonging mostly to members of the Greek government and top-ranking civil servants. The taps began sometime near the beginning of August 2004 and were removed in March 2005 without discovering the identity of the perpetrators.
The phones tapped included those of the Prime Minister Kostas Karamanlis and members of his family, the Mayor of Athens, Dora Bakoyannis, most phones of the top officers at the Ministry of Defense, the Ministry of Foreign Affairs, the Ministry for Public Order, members of the ruling party, ranking members of the opposition Panhellenic Socialist Movement party (PASOK), the Hellenic Navy General Staff, the previous Minister of Defense and one phone of a locally hired Greek American employee of the American Embassy. Phones of Athens-based Arab businessmen were also tapped.
Foreign and Greek media have raised United States intelligence agencies as the main suspects. AFP reported that one Greek official stated on background that the likely initial penetration occurred during the run-up to the 2004 Athens Olympics, stating: "it is evident that the wiretaps were organized by foreign intelligence agencies, for security reasons related to the 2004 Olympic Games." The leader of the PASOK socialist opposition George Papandreou said that the Greek government itself had pointed towards the US as responsible for the wiretaps by giving up the zone of listening range, in which the US embassy was included. In 2015, after an investigation lasting 10 years, Greek investigators have found conclusive evidence linking the wiretapping to the US Embassy in Athens. As a result of the investigation, Greek authorities have issued an arrest warrant for a certain William George Basil, a NSA operative from a Greek immigrant background.
Exploitation of Vodafone's network
The Ericsson switches used by Vodafone Greece were compromised and unauthorized software was installed that made use of legitimate tapping modules, known as "lawful interception", while bypassing the normal monitoring and logging that would take place when a legal tap is set up. This software was eventually found to be installed on four of Vodafone's Ericsson AXE telephone exchanges.
In modern mobile telecommunication networks, legal wiretaps, known as lawful interceptions, are performed at the switch. Ericsson AXE telephone exchanges support lawful intercepts via the remote-control equipment subsystem (RES), which carries out the tap, and the interception management system (IMS), software used for initiating addition of the tap to the RES database. In a fully operating lawful interception system the RES and IMS both create logs of all numbers being tapped, allowing system administrators to perform audits in order to find unauthorized taps.
To successfully wiretap phone numbers without detection, as the intruders did, a special set of circumstances had to be present. The RES had to be active on the exchange, but the IMS had to be unused. At the time of the illegal wiretaps, Vodafone had not yet purchased the lawful intercept options, meaning the IMS was not present on their systems. However, an earlier exchange software upgrade had included the RES. In addition, the intruders needed to continue to have access to the exchange software to change tapped numbers, without alerting system administrators that the exchange had been modified. Normally, all changes to exchange software would be logged. To get around this, the intruders installed a rootkit on the exchange, a piece of software that would modify the exchange software on the fly to hide all changes and, in case of an audit, to make the exchange appear as though it had been untouched.
When one of the tapped phones made or received a phone call, the exchange, or switch, sent a duplication of the conversation to one of fourteen anonymous prepaid mobile phones. As these phones are not associated with a contract, retrieving details of their owners is very difficult. About half of the intercepting phones were activated between June and August 2004. The base stations that serviced those phones were in an area near the center of Athens.
Discovery of illegal taps
On January 24, 2005, an intruder update of exchange software resulted in customer text messages not being sent. Vodafone Greece sent firmware dumps of the affected exchanges to Ericsson for analysis. On March 4, 2005, Ericsson located the rogue code, 6500 lines of code written in the PLEX programming language used by Ericsson AXE switches. Writing such sophisticated code in a very esoteric language required a high level of expertise. Much of Ericsson's software development for AXE had been done by an Athens-based company named Intracom Telecom, so the skills needed to write the rogue software were likely available within Greece.
On March 7, 2005, Ericsson notified Vodafone of the existence of rogue wiretaps and software in their systems. The next day the general manager of the Greek Vodafone branch, George Koronias, asked for the software to be removed and deactivated. Because the rogue software was removed before law enforcement had an opportunity to investigate, the perpetrators were likely alerted that their software had been found and had ample opportunity to turn off the "shadow" phones to avoid detection. According to the head of Greece's intelligence service, Ioannis Korantis: "From the moment that the software was shut down, the string broke that could have lead [sic] us to who was behind this."
On March 9, the Network Planning Manager for Vodafone Greece, Kostas Tsalikidis, was found dead in an apparent suicide. According to several experts questioned by the Greek press, Tsalikidis was a key witness in the investigation of responsibility of the wiretaps. Family and friends believe there are strong indications he was the person who first discovered that highly sophisticated software had been secretly inserted into the Vodafone network. Tsalikidis had been planning for a while to quit his Vodafone job but told his fiancée not long before he died that it had become "a matter of life or death" that he leave, says the family's lawyer, Themis Sofos. There is speculation that either he committed suicide because of his involvement in the tapping of the phones, or he was murdered because he had discovered, or was about to discover, who the perpetrators were. After a four-month investigation of his death, Supreme Court prosecutor Dimitris Linos said that the death of Tsalikidis was directly linked to the scandal. "If there had not been the phone tapping, there would not have been a suicide," he said.
In November, 2007, press reports in Greece quoted the Tsalikidis family attorney, Themistokles Sofos, as saying they had commenced legal action against Vodafone, "suspect[ing] he was poisoned".
On March 10 Koronias asked to meet Prime Minister Karamanlis to discuss matters of national security. At 20:00 on the same day he presented the facts to the Minister of Public Order and the Prime Minister's chief of staff, and on the next day he presented them to the Prime Minister.
A preliminary judicial investigation was carried out, which, due to the complexity of the case, lasted until February 1, 2006. The preliminary investigation did not point out any persons connected with the case. The investigation was hindered by the fact that Vodafone disabled the interception system, and therefore locating the intercepting phones was no longer possible (the phones were apparently switched off), and that Vodafone had incorrectly purged all access logs. Police rounded up and questioned as suspects persons who called the monitoring phones, but all callers claimed they called these phones because their number was previously used by another person.
Ericsson has checked their equipment in other markets world-wide and has not found the illegal software installed anywhere else. "As far as Ericsson knows, this is a unique incident. We have never discovered anything like this before or since." Vodafone spokesman Ben Padovan said.
The investigation into the matter was further hampered when Greek law enforcement officials began to make accusations at both Vodafone and Ericsson, which forced experts on the defensive.
In December 2006 Vodafone Greece was fined €76 million by the Communications Privacy Protection Authority, a Greek privacy watchdog group, for the illegal wiretapping of 106 cellphones. The fine was calculated as €500,000 for each phone that was eavesdropped on, as well as a €15 million fine for impeding their investigation.
On October 19, 2007, Vodafone Greece was again fined €19 million by EETT, the national telecommunications regulator, for alleged breach of privacy rules.
On September 2011, new evidence emerged indicated the US Embassy in Athens was behind the telephone interceptions. The key evidence of complicity was that out of the 14 anonymous prepaid mobile phones used for the interception, three had been purchased by the same person at the same time as a fourth one. The fourth phone called mobile phones and landlines registered with the US Embassy in Athens. With a sim card registered to the US Embassy, it also called two telephone numbers in Ellicott City and Cantonsville, Maryland, both NSA bedroom communities. A criminal investigation was launched, and in February 2015, Greek investigators were finally able to finger a suspect, William George Basil, a NSA operative from a Greek immigrant background. Greek authorities have issued a warrant for Basil's arrest, who has since gone into hiding.
- National Committee of Telecommunications and Post
- Kostas Tsalikidis
- NSA warrantless surveillance controversy
- Covert listening device (includes other cases)
- The Cuckoo's Egg
- Kyriakidou, Dina (March 2, 2006). ""Greek Watergate" Scandal Sends Political Shockwaves". Reuters. Retrieved 2007-11-24.[permanent dead link]
- Galpin, Richard (March 24, 2006). "Death muddies Greek spy probe". BBC. Retrieved 2007-11-24.
- Bryan-Low, Cassell (June 21, 2006). "Vodafone, Ericsson Get Hung Up In Greece's Phone-Tap Scandal". The Wall Street Journal. Retrieved 2007-11-24.
- "Watergrec: à qui profite l'écoute?" (in French). Le Figaro. February 3, 2006. Retrieved 2007-11-24.
- Bamford, James (September 28, 2015). "A death in Athens: Did a Rogue NSA Operation Cause the Death of a Greek Telecom Employee?". The Intercept. Retrieved October 4, 2015.
- "Vodafone Greece rogue phone taps: details at last". Heise Security. July 16, 2007. Retrieved 2007-11-24.
- Cherry, Steven; Goldstein, Harry (July 2007). "An Inside Job". IEEE Spectrum Magazine. Retrieved 2007-11-24.
- Leyden, John (July 11, 2007). "Greek mobile wiretap scandal unpicked". The Register. Retrieved 2007-11-24.
- Smith, Helena (June 23, 2006). "Death of Vodafone engineer linked to Greek Watergate". The Guardian. Retrieved 2007-11-24.
- Doward, Jamie (November 24, 2007). "Vodafone faces court case in 'bugging' row". The Guardian. Retrieved 2007-11-25.
- Poropudas, Timo (December 16, 2006). "Vodafone fined EUR 76 million in Greece". Nordic Wireless Watch. Retrieved 2007-11-25.
- Carr, John; Judge, Elizabeth (October 20, 2007). "Phone-tapping scandal in Greece costs Vodafone new €19m fine". London: The Times. Retrieved 2007-11-24.
- "Translation: USA Espionage against Greece", WikiLeaks Press, September 23, 2013
- "Courtcase Evidence: USA Espionage against Greece", WikiLeaks Press, September 23, 2013. Retrieved 2013-09-23
- "Wiretapping Ring Revealed". Athens News Agency. February 2, 2006.
- International Herald Tribune: Greek cell phones tapped
- Athens News Agency: Gov't: Unprecedented mobile phone-tapping plot uncovered
- Greek Government Press Briefing, 06-02-02, partial English translation
- The Athens Affair by Vassilis Prevelakis and Diomidis Spinellis, IEEE Spectrum, 44(7):26–33, July 2007