The gangs of IT: Violent crime in the datacentre

A recent court case exposed the work of criminal gangs who have terrorised UK IT departments over the past three years. Paul...

A recent court case exposed the work of criminal gangs who have terrorised UK IT departments over the past three years. Paul Kunert delves into the increasingly dangerous and murky world of organised crime and supercomputer theft. In the late afternoon of 20 November 2000 as the City was busily trading, three men dressed in...

black designer suits strolled into Deutsche Bank's headquarters. They headed for the server room, ripped out £1.7m worth of Sun circuit boards, placed them in a holdall and coolly sauntered out through the main reception area. The audacity of the crime, which was the fourth against a financial institution in the Square Mile in three weeks, left the police scratching their heads. But it was not until early 2002, when the level of supercomputer theft reached epidemic proportions, that Operation Sundance was launched by the National Crime Squad and the National Hi-Tech Crime Unit to investigate the crimes. Using CCTV and tip-offs, the investigation led to a man called Gbenga Biobaku, referred to by the police as Mr Big and already known as an organised crime leader not afraid to use violence. It was Biobaku who told the gangs where to hit and organised the distribution of stolen IT goods to black markets in Africa and Eastern Europe. The investigation also found that Biobaku had forged links with ex-Sun employee Kevin Leslie and paid a total of £35,000 for inside information on the suppliers' customers. Biobaku and nine of his henchmen were jailed for a total of 30 years and nine months after they were convicted in April this year. The gang was part of a wider network of London-based cells that terrorised up to 30 IT departments across the country. In a two-year reign of fear, this one gang alone cost businesses tens of millions of pounds in insured losses, lost business and increased security costs. Even under the cloak of anonymity, IT managers still reeling from their ordeal are somewhat reluctant to talk about the incidents, for fear of bad publicity. Firms in the Square Mile are understandably wary of talking about anything that might damage their business, but one spokesman from a City institution admitted that the security budget at his company had "significantly increased" in the aftermath of the attacks. Richard Jack, the detective chief inspector at City of London police who was initially charged with hunting down the gangs, says they started off targeting smaller Sun systems at small and medium-sized enterprises. "They were little groups of burglars with good links to organised crime in London," he says. But as their confidence grew, the gangs set their sights on larger organisations and businesses including universities, media firms, telecoms companies, councils and banking institutions, which all use heavy-duty computing equipment. As the size of targets grew, so did the gangs' propensity for violence. "The attacks were often aggravated," says Jack. "They would pretend to do a delivery and then handcuff the security guards and knock them about a bit." On one occasion, in the early hours of 13 March 2001 at BT's Salisbury branch, four men dressed in black and wearing ski masks forced their way into the building before taping up and assaulting four members of staff. They rifled through the server room and made off with £1.8m worth of Sun equipment. However, in the past year there has been a noticeable decline in the level of supercomputer crime. There were smaller regional gangs operating in the North East, attacking universities, but police say they have also been arrested and are awaiting trial . Mick Bamber, detective inspector at the NCS, believes the popularity of supercomputer theft has waned. "As far as we are aware, there have only been one or two offences involving premises containing Sun equipment since the arrests." Other officers agree. Jack believes the spate of thefts in 2000 coincided with the growth of demand for hardware in the emerging IT markets of Africa and Eastern Europe. This has since tailed off, although businesses have been made more aware of the threat posed by organised crime. Sun Security, the arm of Sun Microsystems which investigates thefts with the help of customers and police agencies, believes supercomputer theft has declined because of increased customer vigilance. Although Sun claims to have tracked down stolen products, it declined to give details of where, when and who was accepting the equipment. A Sun Security spokesman says prevention is better than cure and customers have now realised the value of their computer infrastructures and taken measures to protect them. "The cost of tightening security and implementing appropriate security policies is generally recognised as manageable in comparison to the potential disruption of a theft," he says. At the Control Risks Group, an organisation that advises businesses on the best preventive action to take in deterring thieves, experts believe the crimes were specialised and that the gangs needed to have highly organised networks in which to sell the goods and retain up to 50% of their value. CRG's deputy director Peter Yapp says, "I would not have thought the products would stay in this country because the infrastructure is more formalised. With serial numbers and maintenance checks the machines are more detectable." But while supercomputer theft may have abated, shoring up existing security precautions is no bad idea because, like fashions, crimes have an awful habit of coming around again. The nine men arrested by the NCS are serving sentences of between two and seven years and the market for stolen-to-order supercomputers may have tapered, but Jack describes the situation as a "ticking timebomb". Chip theft is the crime that companies need to be most aware of. Memory modules and processors became desirable high-ticket items as soon as the industry took off, but the losses are being felt more acutely by suppliers at the moment given the current economic downturn. The most popular method of stealing chips was from wholesaler warehouses in ram-raid attacks, but the pattern emerging over the past year seems to favour nabbing the products in transit at airports . Such was the scale of the problem in and around Heathrow that Operation Grafton, a specialist 18-man team, was formed by Metropolitan, Surrey and Thames Valley Police in March this year. There have been a series of raids in the past eight months which experts believe are inside jobs. In October 2002, £2.8m worth of Samsung memory modules were simply loaded into a van near the Heathrow cargo service centre and driven away. A similar incident happened earlier this year when an American Airlines truck was taken after it was left unattended for a few minutes. More than £6m worth of Pentium chips were stolen, although some were later recovered after the gang was disturbed while transferring the goods. Some of these gangs are also prepared to use violence. In one of the more menacing incidents on 2 March, a £7m consignment of processors was hijacked by three men after it had left the Heathrow cargo centre. The men ran at the driver and threatened him with claw hammers before pulling him from the truck. Again, the thieves were spotted moving the goods into their own vehicle and fled empty handed. The transportation of chips is so problematic that insurers are becoming increasingly edgy about underwriting the cargo. David Abbott, director at Abbott and Bramwell, one of four companies worldwide that specialises in shipping chips, says there is a "complete lack of appetite for this type of risk". "It is unattractive because the levels of crime involved have increased so much, it is like moving gold bullion around - you could easily have £1m worth of chips in a small consignment." Airport freight forwarders have become targets as security at distribution warehouses becomes more militarised. But as police sources confirm, the "whole method of shipping high-value goods needs to be looked at in terms of advertising loads and internal procedures". Abbott says there is always the possibility that the crimes mentioned above were perpetrated with the help of insiders. "This removes the need to take a gun. You go in with bogus paperwork or inside knowledge," he says. Craig McKinley, detective inspector at Heathrow CID, also suspects the use of insiders because the criminals seem to know about the movement of goods. He believes they must be perpetrated by organised gangs because of the scale and professionalism of the jobs. But where do all these stolen chips go? Granted, they are not specialist items like £200,000 Sun circuit boards and do not need to be sold through specialist channels, but the sheer volume of product must mean they have to be disposed of quickly and reasonably locally. McKinley says he was informed by IT industry sources that the stolen Samsung memory modules taken last year were on the grey market in the Netherlands three days after the theft but never found. One million pounds worth of chips may sound like a large amount but, according to Abbott, they could be traded without too much difficulty. "The products have serial numbers but they are still very difficult to track. Operating in an open market means they could easily go to Hong Kong or Dubai," he says. Investigations are ongoing and police are following forensic leads, but as yet there have been no arrests. However, if history is anything to go by, the thieves could be right on your doorstep. Following an "extensive and dangerous" undercover operation to infiltrate a gang involved in ram-raids and robberies, codenamed Operation Midas, a police raid in July 2001 turned up some surprising individuals with close links to the computer industry. Of the seven people later found guilty at Reading Crown Court of conspiring to handle stolen goods from a number of robberies, two had been company directors of an IT distributor that had gone into liquidation in 1999. Before their arrest the men were trading the stolen goods through online mail order company, Silverplus, based at a warehouse in Slough. They sold the stolen hardware at just below existing market prices so as not to raise suspicion. Ray Blythe, a detective inspector with Surrey Police, says the likelihood is that the products were going back into the UK processor market. "They probably ended up going into smaller businesses and less scrupulous suppliers. A £200 chip can be sold for £180 by someone that is well versed in handling stolen goods," he says. Worryingly for IT departments, Blythe says some stolen components could find their way into systems that might not be supported by a manufacturer should they fail. The advice from Intel, a company significantly affected by the crimes because it holds 80% of the worldwide processor market, is to buy from an authorised source and save yourself the headache. With organised criminals still casting a keen eye over developments in the IT industry, one wonders what sector will be next. Jack says criminal gangs will move to "whatever is current and wherever there is demand". So lock up your systems and watch what you buy. Don't have nightmares.

How to make your server room a strong room   

The cost of installing CCTV is between £500 and £10,000. Smokecloak alarms may require an investment of up to £2,500 and steel doors will set you back at least £2,000. But safeguarding your IT is priceless.  

Peter Yapp, deputy director for network forensics IT security at Control Risks Group, says you can spend as little as £500 on a basic CCTV system but costs will vary from firm to firm.  

Prevention is better than cure, he says, so keep the villains at bay with intruder-detection and panic alarm facilities, together with CCTV that covers the entrance.  

Newly built properties with a solid construction are preferable, while the room should be windowless and the walls made of bricks and mortar as opposed to demountable partitions.   

Doors need to be equal to the risk but should be of solid core construction, fitted with a high-quality lock. Steel lining and multipoint locking may be appropriate.  Access control should be provided in the form of a swipe card or proximity reader associated with a keypad and PIN.  

Prices of these deterrents may vary:  

  • 3mm-thick steel security cases, bolted to the floor with lever locks - £1,200 to £7,000 
  • Intruder alarm linked to remote monitoring facility - £1,000 
  • Steel shutters on the IT room windows and security doors - £2,500.

Read more on IT risk management