Investigators close Nokia extortion probe without finding a motive or making an arrest

New details of €2m blackmail of Nokia in 2007 emerge as Finland’s NBI calls a halt to its investigation

This article can also be found in the Premium Editorial Download: CW Nordics: CW Nordics: Sweden eyes geo-fencing to protect against terror attacks

Finland’s National Bureau of Investigation (NBI/ Keskusrikospoliisi) has closed its investigation into a blackmail of Nokia in 2007, when extortionists claimed to have acquired the digital encryption key for the company’s Symbian operating system.

In just over a decade of investigation, no motive for the alleged crime was ever found or any arrest made.

The targeting of Nokia by unknown extortionists in October 2007 remains a particularly painful event in the Finnish mobile technology company’s history. Even today, Nokia’s top management would rather forget than re-live the incident, which caused widespread internal panic at a time when the company was at the peak of its international powers.

The €2m blackmail had been buried deep within the corporation’s memory vaults until April of this year, when the famously unsolved ransom demand – known within Nokia as Operation Polarbear – re-entered the limelight with the NBI officially declaring the case closed after a prolonged and unfruitful investigation.  

From a global perspective, the extortion of Nokia is all the more intriguing because of the nature of the threat, the demands made, and the fact that the perpetrators were never identified or brought to justice.

The gravity of the threat against Nokia became instantly clear in the initial email communication from the group orchestrating the attack. The extortionists, who warned Nokia not to contact the police, claimed to possess the encryption key for Symbian and, by association, the company’s leading mobile devices.

To make matters worse, Nokia’s Symbian operating system was also licensed to other phone manufacturers. The encryption key’s main function was to prevent Nokia phones from running unauthorised applications.

The email sent to Nokia contained the dire warning that if the €2m cash demand was not paid, the encryption codes would be released to “hackers” in Finland and abroad by posting them online.

The rather peculiar composition and sophistication of the demand baffled the NBI and Nokia’s own security chiefs. The group demanded that the payment be made in two parts. Nokia was instructed to drop off the first instalment, €1.6m, at an isolated inland marina in central Finland. It was then directed to donate the second payment of €400,000 to two charitable foundations in Finland.

Extortionists’ demands met

Adopting a strategy endorsed by the NBI, and fearful of potential investor panic if news of the blackmail went public, Nokia quickly decided to meet the extortionists’ demands in full. It had very good reason to want to avoid alarming the markets by publicly disclosing the threat it faced.

In 2007, Nokia was the world’s leading producer of mobile phones, with revenues of €51bn and record profits of €8.2bn in that year. At that time, four out of 10 mobile phones sold worldwide were made by Nokia.

Alerting the stock market to news of an extortion attack, with the inevitable hysteria around the theft of critical encryption codes, could have ignited a fright-and-flight scenario among investors. Announcing to the world that the company had fallen victim to possible system breaches, and had become a target of software security extortion, was a situation Nokia wanted to avoid at all costs.

Significantly, Nokia not only asked the NBI to assist with the cash drop-off, but asked the bureau not to launch an active investigation into the affair until the company had had the opportunity to address security issues and change the encryption codes across its entire range of mobile devices and associated manufacturing systems.

By the time the drop-off was due to happen, the NBI had traced the email IP address used by the extortionists to communicate with Nokia. The bureau was also able to identify the mobile phone used to contact the phone company.

Information kept secret

So close was Nokia’s relationship with the NBI, not to mention the national interest of protecting Finland’s brightest stock market star, that information about the extortion did not enter the public domain until 2014. By that time, Nokia had overhauled its group-wide security protocols and encryption coding systems.

The NBI continued its investigation from 2014 until the first quarter of 2018, when it formally acknowledged that its lengthy enquiry had produced neither motive nor any arrests connected with the crime.   

The termination of the NBI’s investigation has come with valuable new information and insights into how the extortion was organised and executed. In the first instance, the blackmailers chose a random Nokia employee to relay the initial threat to. That first communication indicated that the extortion “group” had obtained, through clandestine means, the Symbian OS digital encryption key for Nokia’s mobile devices, a file comprising just a couple of kilobytes.

Nokia’s chief concern at that juncture was the very real danger that the extortionists would carry out their threat to distribute the digital key to innumerable hackers if the company failed to comply with the blackmail demands.

For Nokia, the likely result of rejecting the criminals’ demands was a security meltdown, with hackers potentially taking control of millions of Nokia mobile devices. Using the digital key, hackers would have been able to access Nokia devices, bypassing security mechanisms to sign, install malware and run their own applications.

Major vulnerability problems

In particular, such a security breach would have caused major vulnerability problems for Nokia phones operating the third edition of Series 60. This was a hardened version of Nokia’s proprietary Symbian OS 9.1 and widely used in E- and N-series phones.

NBI chiefs have variously used words like slick, confident, skilful, masterly, professional and knowledgeable to describe the 2007 extortion attack on Nokia. A Nokia 6691, bought at a second-hand phone store in Helsinki, was used to relay ransom instructions in SMS-text message format to the Operation Polarbear team. The blackmailers then selected a remote marina in Tampere, Finland’s second-biggest municipality, as the drop-off point for a carrier bag weighing 30kg and holding €1.6m in cash.

Although the NBI organised a “sting” operation in a bid to catch the criminals at the marina, police soon lost contact with the suspects, who escaped along the many small country roads that criss-cross heavily forested terrain in central Finland. What has now become clear from disclosures about the NBI’s investigation is the high degree of local knowledge and confidence shown by the culprits at all stages of the attack against Nokia.

Other revelations from the NBI investigation have shed light on the €400,000 “donation” to two Finnish charities that was demanded by the extortionists. Nokia complied fully with this demand, wiring the first €200,000 to the Arvo and Lea Ylppö Foundation, which supports paediatric neurology research, and giving the second €200,000 to Lasentautien Tutkimussäätiö, a Helsinki-based childhood diseases research foundation.

Read more on IT suppliers

Data Center
Data Management