Ecuador’s cyber security is among the world’s worst, so why doesn’t anyone want to fix it?
By David Morrill
Give Vadim Avdeev two minutes and he can steal your cell phone number and call you from it.
Give him five and he can shut down the accounts of thousands of Cuenca internet and utility customers and erase any evidence that they ever existed.
With a little more time, he can grant you permanent residency or a driver’s license or eliminate the ones you already have. He can also access a local bank account other than his own or the flight control system at the Quito International Airport.
Hacks like these are easy for Avdeev, a Russian-trained cyber security and cryptography expert. What’s harder is convincing those responsible for protecting Ecuador’s government and corporate online systems of the alarming vulnerability. “I am trying to spread the warning,” he says. “I want the people to understand the danger they are in and care enough to fix it. Even for amateur hackers, Ecuador’s cyber security is almost non-existent. The systems are like open doors.”
His claim is backed up by the Global Cyber Security Index, which ranks Ecuador only behind Venezuela and Bolivia in South America and in the bottom 20 in the world for worst internet security.
Avdeev has been demonstrating the ease of hacking Ecuadorian government, corporate and personal data since he and his family moved to Cuenca from Russia in 2017. He has met with officials from the Attorney General’s office and the Interior Ministry. He has conducted demonstrations for internet service providers, banks and public utility companies. He has also met with agents of the U.S. Central Intelligence Agency and FBI.
He has alerted various system managers of ongoing Russian hacks of government databases and banks. “These are happening right now and the people in charge are either unaware of them or covering them up so people don’t know about it.”
On several occasions, Avdeev’s warnings have proven prophetic. Two weeks after he told Attorney General officials that email and social media accounts of top government officials were easy to hack, embarrassing personal cell phone photos of President Lenin Moreno were reposted on several internet sites. A month later, after he warned the same officials that the personal information of all residents was unprotected, the data of 17 million Ecuadorians was exposed to the world through an unsecured server in Miami. Days later, another mass breach occurred when a German server was hacked.
“The government blamed it on a big criminal conspiracy. They blamed it on [former president Rafael] Correa,” Avdeev says. “Instead of taking responsibility for having terrible security, they blamed it on other people. If there was anything criminal about the breaches it was the government’s irresponsibility for not protecting its data.”
Although he is more than willing to offer his expertise as a public service, Avdeev makes it clear that he is available for hire on a consultation basis and he is not shy about touting his cryptography and online security credentials. “I have world-class skills and am willing to work on the right projects. And, I need a job.” He has, in fact, worked on cyber security projects for an Ecuadorian bank and Cuenca utility company.
Avdeev was a member of the Russian Red Team, the elite group responsible for managing and protecting the country’s cyber systems. As a captain in the Russian army, Avdeev was recruited by the national intelligence agency and his clearances included working with nuclear weapon systems. In addition, he became an expert in monitoring and navigating the Darknet, the underground internet used by those who want to be anonymous and untraceable, including journalists, government hackers and criminals. “This was part of my job for protecting Russian systems — to keep track of the bad guys.”
What prompted Avdeev to leave his job — and Russia — were the increasing demands to interfere in the online networks and accounts of foreign governments, organizations and private individuals. “Although almost all countries do it, Russia has one of the most extensive operations for infiltrating and manipulating foreign systems. Subverting elections is just one of the things they do.” He adds: “This was not the kind of work I wanted to be involved in and I decided to leave.”
Leaving, however, has not been easy and Avdeev says his activities continue to be tracked by Russian agents. He regularly receives threats from anonymous sources. “They could come from anywhere but they’re probably from Russia.”
Recently, he received an email with an attached photo of a severed human head.
Getting the deaf ear
In almost all cases in which he has conducted on-site demonstrations in Ecuador, those in charge appeared at first to be genuinely alarmed about the vulnerabilities and wanted to make the necessary fixes. But soon, Avdeev says, they either lost interest or became more worried that citizens and customers would find out about the lax security. “They go into damage control mode and forget about fixing the problems,” he says.
According to Avdeev’s wife, Eugenia, who assists Vadim in his contacts and meetings, the experience with Ecuador’s Attorney General’s office is a case in point of the often baffling official reaction. “At the Cuenca fiscalia’s office, I was in contact with a manager who was very interested in knowing about the threats. But later, he stopped answering our emails and refused to see us. I don’t know what happened but he probably had orders from someone above not to talk to us.”
Cease and desist
It’s not just the government that seems reluctant to face cyber security vulnerabilities.
Shortly after he moved to Cuenca, Avdeev noticed how easy it was to hack internet provider Puntonet’s accounts. “It was the worst security I had ever seen. They use the same modem login for all their accounts and don’t allow account-holders to have their own. I showed them how easy it is to hack their system.” He assumed the company would want to fix the problem.
Instead, Avdeev received a letter from a top Puntonet official saying that there was, in fact, no problem with Puntonet’s security and that all its customers were fully protected. “It seemed like they decided that I was the problem,” he says.
Soon after, Avdeev received another letter from Puntonet, this one threatening legal action if he did not remove a report on the provider’s vulnerability posted on his Facebook page. “Obviously, they didn’t want their customers to know they have no security. They were embarrassed by what I showed them and didn’t want anyone else to know.”
Later, when he met with an officer of one of Ecuador’s largest banks — a Puntonet customer — and showed him how easy it was to hack into bank accounts, the officer said he was about to leave on vacation and would contact Avdeev when he returned. He never did.
Plenty of ‘black hats’
While officials and managers of government and businesses are reluctant to enlist Avdeev’s help, the bad guys beat a path to his door. “They know me by reputation, find me on the Darknet and want my help to hack bank accounts and government databases. I could make a lot of money if I wanted to wear a black hat.”
Among those who sought Avdeev’s services was Paul Ceglia, the U.S. fugitive who, according to the authorities, attempted to defraud Mark Zuckerberg out of 50 percent ownership of Facebook. In addition to seemingly legitimate projects, Ceglia, who introduced himself to Avdeev as Silas Quinn, wanted help hacking into Cuenca’s security camera system and setting up an arms trading operation on the Darknet.
“I got suspicious when he told me he wanted to sell guns to foreign organizations,” Avdeev says. “I wondered who the guy was.”
Avdeev lifted Ceglia’s fingerprint from a water glass and, checking databases, discovered his real identity and the fact that he was on the Interpol list of U.S. fugitives. As a result of his and Eugenia’s efforts, Ceglia was arrested after months of foot-dragging by U.S. and Ecuadorian authorities. “When I talked to the U.S. embassy, the FBI and CIA, they were more interested in who I was than the fact I had information about one of their top fugitives,” Eugenia says. “I kept wondering, why don’t they want to catch the bad guy?”
Avdeev was stunned when he learned that Ceglia had been released from prison by the government. Anonymous sources in the Ministry of the Interior reported that Moreno was angered that the U.S. would not swap Ceglia for two Ecuadorian fugitives living in Miami. “I don’t know much about the Facebook case,” Avdeev says. “What I know for a fact is that his interests are to conduct illegal operations at the expense of the government and businesses. The interior ministry cared more about saving face than protecting the interests of the country.”
Avdeev can’t say whether his is a case of shooting the messenger or simply ignoring him, although he suspects the latter. “Those responsible for the country’s networks are so unsophisticated and backward they don’t understand the danger,” he says. “What is hard to understand is that they’re not willing to use experts to fix the problem.”
The takeaway, Avdeev believes, is that he has become a threat to Ecuadorian interests not because he could become a hacker himself but because his knowledge of system vulnerabilities could embarrass top officials. “They seem more interested in keeping the information away from the public than finding solutions,” he says. “They look at it as a public relations problem.”
Avdeev is trying to put the frustration of his wasted whistle-blower efforts behind him. In recent months he has participated, without pay, in several university-sponsored cyber security conferences in Cuenca, Loja and Ambato and is considering organizing classes for technology students. He is also working on a project to provide secure networks for private and corporate clients.
His big dream, however, is to develop a secure, encrypted network that would operate beyond government control. “It would be an alternative internet,” he says. “It’s something I have thought about for years and have done quite a lot of work on lately. My objective right now is to raise money to develop it.” In addition to looking for investors, he is considering crowdfunding.
Vadim Avdeev can be reached at firstname.lastname@example.org.