The Undeclared War (2022) s01e01 Episode Script
Episode 1
(GRUNTS)
(TYPING)
(SINGING IN FOREIGN LANGUAGE)
(INTENSE MUSIC PLAYING)
(VIBRATO INTENSIFYING)
(DIALLING)
(DIGITAL BEEPING)
(SIGHS)
(BELL RINGING)
- (CROWD APPLAUDING)
- MAN: Well done, Gabriel.
I think that's the fastest
it's ever been done.
Congratulations.
(ALL APPLAUDING)
(INDISTINCT CHATTERING)
I like your pens.
They are in spectrum order.
And before you say that
pink is in the wrong place,
pink has nothing to do with red.
It's actually white absent green.
Well done on the challenge.
They are obviously going to take you.
You were incredibly fast.
If we're going to talk, I should warn
you, I'm not very good at noticing
when people want to speak
or change the subject.
So, the conversation could last
a half an hour or several days.
It's OK. It's OK.
I'm Saara, by the way.
I'm Gabriel.
(KEYS JANGLING)
- AMINA: It's high time
- Hello, Ami.
Oh, my God. What are you doing here?
Why didn't you ring? Is everything OK?
I'm fine. I was just passing.
Just passing? What
are you talking about?
London's over an hour away.
- You'll stay for some
- Where's Abu?
Sorry. Is he still at work?
He is in his den.
He's off work again.
(INDISTINCT CHATTERING)
SAARA: Abu?
Hey!
So have you heard?
I got it.
Ah. (CHUCKLES)
- (SPEAKING URDU)
- (CHUCKLES)
Ah, yes.
You haven't told your mother?
You know she wouldn't understand.
Of course not.
They don't know anything about it.
Good.
Come. Sit. Sit.
Mum said you are off work
again, Abu. Are you OK?
I'm fine. I was a bit
down, but I'm fine now.
I'll be back on Monday.
Down like last time?
No, nothing like that.
Anyway, when I see you, I feel better.
How long can you stay?
I'm sorry, Abu I
have to get back tonight.
You have got classes in the morning.
I'm really sorry.
Oh, don't be ridiculous.
Classes are important.
But you have time for a quick game?
- Of course.
- Excellent!
(BOTH CHUCKLE)
(AHMED EXCLAIMS)
You do think it's OK,
Abu, what I'm doing.
Oh, this girl You'll be spending
a year learning to defend our country,
and at the end, you
go back to university.
What could be wrong with that? Huh?
(SINGING IN FOREIGN LANGUAGE)
AHMED: Ha!
Hey. You'll be brilliant.
(TYPING)
Yeah.
We're in. Happy for us
to move to the next step?
- RICH: Go.
- FINN: OK, let's get some resilience.
They're inside.
- They've broken in.
- ZAHIR: How?
It doesn't matter how. We'll
work it out later. Get going.
I want them out.
ZAHIR: I told you this is a bad idea.
(SIGHS)
(TYPING)
We've accessed credentials for
your Ops and Management system.
- CHRISSIE: What?
- OK to proceed?
They've got the passwords.
They're about to log in.
ZAHIR: Wait.
CHRISSIE: Zahir?
(ALARMS GOING OFF)
Zahir?
I'm seeing red lights,
Tahmid. What's going on?
(POWER SHUTTING DOWN)
WOMAN: We're down.
- What the fuck
- (TELEPHONE RINGING)
What did you do?
Er, nothing.
We're just logging into the system now.
(POWER SHUTTING DOWN)
(INDISTINCT MURMURING)
Finn?
(FINN EXCLAIMS)
(KEYBOARD CLACKING)
(SMACKS LIPS)
Yeah, er, looks like the Internet.
What do you mean, "the Internet"?
FINN: I think we are offline.
Cannot be.
CHRISSIE: Do you know
what? Pull out now.
I want you completely
disconnected from our estate.
(INCOMING CALL)
Hey, my line just went
down. What's going on?
You'd better get up here.
MAX: Sorry to keep you waiting.
I'm Max.
Hi.
Er, we're not shaking
hands at the moment.
Oh. Of course. Sorry.
Welcome to GCHQ.
DANNY: Tell me.
CHRISSIE: We have a serious problem.
Your stress test just took
down half our infrastructure.
Whatever you did, you
need to undo it right now,
before it starts to
impact on public safety.
- Rich?
- Can't be us, boss.
We never got beyond the admin platform.
(DANNY SIGHS)
OK.
(INDISTINCT CHATTER)
(LAUGHTER)
SAARA: Sorry, I'm totally overdressed.
MAX: Oh, don't worry.
We all make that
mistake on our first day.
We're very glad to have you.
As you can see, we're
hideously male, stale and pale.
Sorry?
Old and white.
Like me.
I hope that's not why you picked me.
Because I've got a brown face.
No, of course not.
Where are you going?
PHIL: We've been summoned.
Why don't you come?
You might find this interesting.
DANNY: Erm, BT Openreach provides the
infrastructure for most
of the UK's Internet.
At 0907 this morning, whilst we
were stress-testing their systems,
they experienced a partial shutdown,
impacting as far as we can tell,
about 55% of Internet provision.
Oh, Chrissie, have you met
Max? He is our head of malware.
Hi, how you doing?
DANNY: Now, erm, we're
still checking, obviously,
but so far it looks like
National Grid's ICS is OK.
Same with gas and water.
Rail signalling is down
Are you sure it's OK for me to be here?
- (DANNY CONTINUES INDISTINCTLY)
- Why not?
You're DV cleared, aren't you?
Air Traffic Control is still up,
but it seems most of
the flights have stopped
because they use the Internet to
control aircraft on the ground.
Er, online banking is down and some
of their core comms are affected,
so most of the cash
machines are offline.
WOMAN: What about smartphones?
Sorry, Caroline Fitch, Number 10.
DAVID: Chrissie, can
smartphones get online?
Chrissie is head of security at BT.
Yeah, as far as we can tell.
But a lot of the systems,
their access are affected,
so there's not much they can do.
(INHALES) Erm,
some of the big email servers are down.
There's no Zoom, no Teams, which has taken
out all the new hospital appointments.
Er, there's no online shopping.
But, er, social media is
unaffected, interestingly.
All in all, quite cleverly targeted
to cause significant disruption without
actually putting that many lives at risk.
CAROLINE: So, it's a cyber attack?
That's what you're saying?
DANNY: We think so. Yeah.
Virgin was also affected,
which rules out the stress test
as the cause or any
hardware problems within BT.
That only leaves malware, and
using the stress-test as a cover.
KATHY: Can I jump in?
DAVID: Er, yeah, go ahead.
Kathy is one of our analysts,
on attachment from the NSA.
So, the Russian bots
are already retweeting,
and it is mostly about
how all the ATMs are down.
Er, "Another fuck-up by this
shit-for-brains government."
"Just another scam by the
elite to steal our money."
"The bankers are
screwing us over again."
Yada-yada.
(SMACKS LIPS) It's a bit
quick, don't you think?
I mean, it's almost like
they knew it was coming.
(TELEPHONE RINGING FAINTLY)
Thanks.
So is that it?
The malware.
Yep.
SAARA: Mind if I take a look?
(BEEP)
(PHIL CLEARS THROAT)
(SCROLLING MOUSE)
(TYPING)
SAARA: What's all this garbage?
I don't understand.
It's obfuscated.
Some kind of FinFisher thing.
(DOOR OPENS)
(DOOR CLOSES)
- Hey.
- MAX: It's, er, Kathy, right?
Yeah. Erm, NSA would like
to take a look at the code.
MAX: Well, has Danny approved it?
Well, he told me to update them.
Yeah, but did he say that
you could give them the code?
(SIGHS)
So you want me to walk all
the way back down the hall?
- Really?
- Absolutely.
That's the way we do it here.
KATHY: You do know that
they're only trying to help.
We're on the same team, guys.
(DOOR CLOSES)
51st State.
(PEOPLE CHUCKLING LIGHTLY)
(KEYBOARD CLACKING)
(CLICKS)
- PHIL: You see these jumps?
- SAARA: Mmhmm.
They hop over the garbage.
Oh, so it's never actually read.
That's right.
So what's it there for?
To confuse the look of the code
so the anti-virus software
won't recognise it as malware.
OK. How do we get around it?
We find a reverser that
locates all the garbage,
and then we write a
program to delete it.
Is that what you're doing now?
- Amongst other things.
- Can I help?
No.
(CLICKS)
So what do you want me to do?
We have a test environment.
Do you mean a sandbox?
Paste in the code and see if
you can get it to run in there.
It's isolated, so you can't do any harm.
And we might learn something.
I'd really prefer to
help with the reversing.
(TYPING)
(DANNY SIGHS)
(RINGTONE CHIMES)
Danny. It's the Foreign Secretary.
ELIZABETH: Well, can we schedule
a conversation before then?
Yes, I'd like that.
Thanks.
DANNY: Elizabeth.
How are you holding up?
(SMACKS LIPS) Er, I have
had better days. And nights.
Interesting timing, don't you think?
Right in the middle of
an election campaign.
Yeah. Will it have much of an impact?
People not being able to get online?
Absolutely. Feeds straight
into the populist agenda.
The government's crap, can't
organise a piss up in a brewery.
Plus, Labour does most
of its campaigning online,
so the Internet going down
looks very convenient for us.
So now we're corrupt
as well as incompetent.
(SCOFFS)
Anyway, where are we?
Er, we are currently about 35% restored.
It's not straightforward, unfortunately.
There's a lot of anti-debugging
tricks in the code, so.
I imagine you're assuming it's Russia.
Well, (SIGHS) as you know, we try to
avoid making attributions prematurely.
Erm, anything in the code,
which suggests a particular
team could be a misdirection.
And as soon as we point the finger,
then there's pressure to retaliate
and we're into tit-for-tat escalation.
But what's your gut?
(SIGHS)
(SUCKS TEETH)
That it's probably
Russia, most likely FSB.
OK.
Because according to
our embassy in Moscow,
the lights have been flashing on and off
in Putin's office for the last half hour.
Really?
- So that's nothing to do with you then?
- No.
But, erm, if it's true,
then that's pretty funny.
Yes, hysterical.
As long as it's not us or
anyone acting as our proxy,
- can you check, please, Danny?
- Yes.
(TYPING)
(TELEPHONE RINGING)
I don't understand.
it ran inside BT's computers.
Why won't it run here?
You can write malware, so it
knows when it's in a sandbox.
It searches for normal
computer activity.
If it can't find any, it deactivates.
Is there a workaround?
You could paste in some Word documents,
scroll around a bit.
That could make it think that
it's in a real environment,
but it's not always a guarantee.
Can I use this?
Do you always change
the subject like that?
- Sorry, I
- Why do you need it?
If there's something you don't
understand, you can just ask me.
It's not about work.
I need to make an outside call.
I didn't know they were going to
take my phone off me at reception.
Yeah, it's nine, and then the number.
Paste in those Word
documents, all right?
(DIALLING)
CAMPBELL: (ON TV) Prime Minister,
throughout this election campaign,
you made a great deal of the fact
that you are Britain's
first Black Prime Minister
and that you understand
ordinary working people.
But your father was an incredibly
wealthy Nigerian businessman.
and you spent your childhood in
one of Britain's top public schools.
ANDREW: Come on, Campbell,
not that old chestnut.
Look, I don't think that's what
people are worrying about at all.
- I think they're worrying about
- Isn't it, Prime Minister?
This country's in the middle
of the deepest recession
AHMED: (OVER PHONE) Hello, this is Ahmed.
Please leave a message after the tone.
Thank you.
(AHMED SPEAKING URDU)
(BEEP)
Hi, Abu. Er, it's me.
Just checking in to
see how you're feeling.
You can't really ring me back
here, but I'll try again later.
Love you.
ANDREW: I don't know
what you're implying, Campbell,
but I live here too,
and this recession has nothing to do
with Brexit, which is a huge success.
DANNY: Kathy, have you got a moment?
Sure. What do you need?
Er, the "Jolly Roger"?
Jolly Roger.
(TYPING)
- "You've been Rogered."
- (CHUCKLES SOFTLY)
Subtle.
KATHY: Oh.
He blames Russia for the attack
and he says that he's retaliating.
Calls himself "the patriotic hacker."
Right. That's all we need.
KATHY: Yeah.
This has nothing to do with any of you?
- No. No. Not at all. Nothing.
- No? No one's encouraged him?
Well. (SUCKS TEETH)
How do you think he
knows that it's Russia?
He doesn't. He's just grandstanding.
But this is all anyone's
going to remember.
When we come out with
the official attribution,
no-one's going to be listening.
(TAKES DEEP BREATH)
- All right, thanks, Kathy.
- Oh, er, did you get my message?
Er, no, I don't think I did?
NSA's asked to see the
malware code. Is that cool?
Er, yeah. Why not?
- Thanks.
- So, what's the problem?
- No, there's no problem.
- OK.
REPORTER: (ON TV) Almost certainly
not the image party election managers
wanted on your TV screens tonight.
The Prime Minister being aggressively
heckled while campaigning in Bristol.
And, as a precaution, I'll be chairing
a COBR meeting on Sunday at 10:00 a.m.
In the meantime
- (PEOPLE CLAMOURING)
- In the meantime,
in the face of this criminal
and unprovoked cyber attack,
I have instructed security
forces to do whatever is necessary
to find out who's responsible.
(CONTINUES CLAMOURING)
To ensure your services and
access to your bank account
and your hard-earned savings
are absolutely safe
(INAUDIBLE)
Thank you. Thank you.
(ALL CHEERING)
Extraordinary scenes here.
The Prime Minister has rarely been seen
outside the Westminster bubble
since, as a junior minister,
not even in the Cabinet,
he ousted Boris Johnson
in a particularly bloody
"palace coup" 15 months ago.
But with the Conservatives running
six points behind in the polls,
this campaign is confronting
him with a very real anger
some feel about the economic crisis.
And just how deep the disillusionment
with authority in general now runs.
(SCROLLING MOUSE)
(CONTINUES SCROLLING)
SAARA: Phil.
I still couldn't get it
to run in the sandbox,
so I thought I'd take a
look at the code itself.
I hope you don't mind. I think
I might've found something.
(CHUCKLES SOFTLY)
Well, that's OK. We've all done it.
Done what?
Tried to reverse a library.
It's boilerplate code.
It's just there to avoid
the coder having to write
some common functions from scratch.
It's the one that you don't
need to bother reversing.
I know what a library is.
I think there's something
else hidden in there.
(CLICKS)
Probably thought we
wouldn't bother checking.
(VIBRATO INTENSIFYING)
Saara found it.
One of our work-experience students.
DANNY: Thanks.
(EXHALES)
It's a dropper, right?
Yeah. Tiny.
That's why we missed
it the first time round.
- If you run it, it raises a flag.
- (SIGHS)
What's the flag?
Saara?
Er, a "like"
on this Facebook page.
I suppose someone somewhere
must be monitoring it.
It's a tripwire.
If they see a "like" on the story,
then they know we've
downloaded the payload.
I presume you've managed to
pull it down without tripping it.
- I think so.
- And?
I'm not sure yet. It's
obfuscated like the last one.
(EXHALES SHARPLY)
(TYPING)
(CHIMES)
DAVID: Danny.
There's a second virus
hidden inside the first.
I think we should upgrade
to a Level One attack.
- Level One? Really?
- Yeah, I think so.
This degree of sophistication.
And maybe we should call JSTAT,
get them to raise the
threat level to critical.
We don't know what
this new one does yet.
OK, I'll call Number 10.
Thanks. Right. Shut it down.
OK, and find out what it was
meant to do. Quick as you can.
MAX: Yes. Got it.
(SIGHS)
Well done, Saara.
- (HELICOPTER WHIRRING)
- (PEOPLE SHOUTING INDISTINCTLY)
SAARA: Excuse me.
(MOBILE PHONE RINGING)
- Hi.
- AMINA: Where are you?
Why didn't you call back?
Why? What's wrong?
Abu's had an accident
on the tracks.
SAARA: What?
He's in the hospital.
You need to come.
I can't.
Not right now.
- Just
- He's asking for you, Saar.
You need to get back here.
I will.
I'll get a train as
soon as this is done.
- I'll be there soon.
- Pass please, ma'am.
MAX: Thought we'd lost you. Are you OK?
SAARA: My dad's not well.
Do you need to go?
No, it's OK.
(INTENSE MUSIC PLAYING)
MAX: Plug in, they're about to start.
DANNY: Saara.
Do you want to follow me?
Go on, then.
Leave it. You won't need it.
(INDISTINCT CONVERSATION)
Andy.
Good to see you. We'll
catch up after the meeting.
Home Secretary, nice to see you.
(INDISTINCT CHATTERING)
Do you wanna sit down? Sit there.
(INDISTINCT CONVERSATION)
DANNY: As you all know, from the
CRIP, we've located the malware
within BT's systems and with
some round the clock work,
its code has been 70%
reverse engineered.
Based on what we've learned,
I'm confident we can
have most of the Internet
back up and running by midnight tonight.
(SIGHS IN RELIEF) Good.
Er, as far as we can tell, this virus
has never been seen in the wild before.
Which means it was specially written
to take down sections of the B
and Virgin infrastructures,
which is quite a feat,
considering the
built-in safety features.
Perhaps most notably, it
doesn't seem to be communicating
with any sort of home base,
which is, erm, unusual.
ANDREW: Really?
Is that the most notable thing?
Because I'd say, it's
the devastating effect
it's having on our economy,
which is already in recession.
And which I can tell you
from personal experience,
is going down with voters
like a bucket of cold sick.
It could have been
worse, Prime Minister.
How?
Well, if the attack had
happened on Monday morning,
instead of on Friday.
Which is, in fact, exactly what
would have happened, Prime Minister,
if it hadn't been for the sharp eyes
of one of our work-experience students,
who spotted something else,
hidden inside the malware code.
Danny.
Yeah, at 9:00 a.m. tomorrow morning, a
second stage attack was set to activate,
this time taking out the entire Internet
with potentially catastrophic results.
The whole country,
including vital services,
would have been left unable to get online,
just as the Monday morning rush began.
And this is the young student who
spotted it. (WHISPERS) Stand up.
Do we know who's responsible?
For the attack?
We're still working on that.
Well, Jolly Roger seems
to know judging by the way
he's flashing the lights
off and on in Putin's office.
(ELIZABETH CLEARS THROAT)
Perhaps we're relying on him
for our cyber responses nowadays.
(ALL TITTERING)
I'm sorry to interrupt this
happy moment, Prime Minister,
but I'd be glad of some
clarification, if that's OK.
You say the second malware was spotted
by this young woman. What's her name?
Saara Parvin.
RICHARD: And she's a student?
DANNY: Yes, that's right.
And the rest of GCHQ just
missed it.
I'm sorry. Is that something
we're supposed to applaud?
I mean, it's hardly reassuring, is it?
If she hadn't been doing her work
experience or whatever it was,
the entire panoply of our
cyber security apparatus
would have missed an
extremely dangerous attack,
paralysing commercial life in this
country for the second time in four days.
If a student could find this
thing and the rest of you didn't,
how do we know there isn't
something else hiding in there,
waiting to go off at 11:00 a.m.
tomorrow? Or 2:00 p.m. or whenever?
I think you'd better go back
and take another look, don't you?
See what else you've missed.
And let's have some options for an
offensive cyber attack on Russia.
I'd like to know what
we could do to retaliate.
(INTENSE MUSIC PLAYING)
DANNY: OK.
Get everybody back tonight.
10:00 p.m., bring them all in.
(VIBRATO INTENSIFYING)
(CHILD CRYING)
(INDISTINCT CHATTER)
- YASMIN: Where have you been?
- How is he?
- Where have you been, Saara?
- I got here as quickly as I could.
(YASMIN SNIFFLES, CRIES)
What's happened?
Tell me.
SAJID: Abu died.
About half an hour ago.
(YASMIN CONTINUES CRYING)
AMINA: It's OK, Ami.
It's OK.
(MELANCHOLY MUSIC PLAYING)
(INDISTINCT CHATTER)
(MACHINE BEEPING)
Are you sure you want to do this?
(VOICE BREAKING) What was
he doing on the tracks?
They're not sure.
There's going to have
to be an investigation.
(SOBS)
(SNIFFLES)
(BREATHING UNSTEADILY)
(SAARA CRYING)
(SNIFFLES)
(CONTINUES CRYING)
(CLOCK TICKING)
(DOOR CLOSES)
They're withholding his body.
What?
What? Why?
There's going to have
to be a post mortem.
(AMINA SIGHS)
YASMIN: So we can't bury him?
The police won't let us. Not yet.
SAARA: Why?
- Is it because it might be suicide?
- Saara!
- I'll get you some tea.
- YASMIN: No!
Saara can get it.
AMINA: Oh, it's fine,
Ami. I'm not an invalid.
YASMIN: Why don't you just go?
- If you're in such a hurry
- (ANGRILY) Enough, Ami!
Give her a break!
- None of this is her fault.
- No.
I won't give her a break.
Her father has just died
and she shows nothing.
She looks at her watch!
All she ever thinks about is herself.
Why are you so selfish?
Tell me. Because I don't understand!
- AMINA: That's not fair, Mum.
- SAARA: I'm sorry, I can't do this.
(SHOUTING) That's right,
leave, like you always do!
(DOOR SLAMS)
(INTENSE MUSIC PLAYING)
Right, for those of you that don't
know, we've just returned from London
where we were comprehensively
beaten up at COBR.
Erm (CHUCKLES)
Yeah, but just because it was unpleasant
doesn't mean it wasn't justified.
There was a Level One attack
on the Internet on Friday.
And all of our focus
has been on isolating
the malware responsible
and disabling it.
(INHALES DEEPLY) With the pressure
to get everything back up and running,
it's hardly surprising
that we weren't looking
as carefully as we should for
extra functionality in the code.
Erm, the fact that it was one of our
work-experience students that found it
in a place we wouldn't
ordinarily be looking,
probably doesn't reflect that
well on us, if I'm honest.
Certainly not in the opinion of
some of the members of COBR, anyway.
(ALL CHUCKLING)
So we're going to be going back
over the malware code line by line.
- Let's see what else is hiding in there.
- (ALL CHATTERING INDISTINCTLY)
It's a big task and it's urgent.
We cannot afford to be caught out again.
Malware will be leading this.
And some of you will be
reassigned for a bit to help out.
- (ALL EXCLAIMING)
- And shifts will be extended again,
I'm afraid, until this gets sorted.
OK. Sorry about that. Let's get to it.
(INDISTINCT CHATTERING)
(SLOW INSTRUMENTAL MUSIC PLAYING)
DANNY: Saara?
Hey, listen, I'm sorry about what
I put you through at COBR today.
I didn't see that coming.
You should go home. You look exhausted.
SAARA: No, I'm fine, honestly.
No, I'm serious, Saara.
You look terrible.
I can't.
Everyone else is working.
Go home. OK?
You did a really good job today.
And it will still be here in
the morning, I promise you.
(SINGING IN FOREIGN LANGUAGE)
ANDREW: (ON TV) A completely
illegal and irresponsible attack,
which could have been far worse
if it hadn't been for the
carefully prepared strategies
- we brought into play on Friday.
- (DOOR CLOSES)
Everything will be fully back
up and running by midnight.
In fact, many services
have already been restored.
All our online banking, all
our major transport links.
(CONTINUES INDISTINCTLY)
Our allies around the world have been
quick to condemn this outrageous attack
on UK's sovereignty and
to offer their support,
- countries like the United States
- Hey.
countries like France,
Spain, Germany and many others,
which believe in and
are prepared to stand
What incredible timing for
your first day. (CHUCKLES)
I thought they'd never let you out.
How was it?
(ANDREW CONTINUES INDISTINCTLY ON TV)
What is it? What's wrong?
Saar?
My father died this evening.
I am so sorry, Saar.
What?
When? When? What happened?
SAARA: You're probably hungry.
Countries like the United States.
Countries like France, Spain, Germany
and many others, which believe
in and are prepared to stand up
for the rule of law,
and I can assure you that
we will respond to the attack
within the law
and at a time and in a
manner of our choosing.
(RINGTONE CHIMING)
The rules based International
- DANNY: Hi.
- You watching?
Yeah.
DAVID: And how are we
getting on with his options?
Er, we're not. It's a really bad idea.
We have to do this, Danny.
DANNY: Right.
And to hell with the escalation?
Because that's where this leads.
You know that.
(SIGHS)
OK.
(CHIMES)
Finn, get up here.
Yes, boss.
ANDREW: which we have to do it in the
world, can claim a similar legitimacy.
But just because this is a democracy,
it doesn't mean we are weak.
Or lack the will or the
capability to defend ourselves.
And we will defend ourselves with
all the force available to us,
within the law.
Thank you.
(THEME MUSIC PLAYING)
(TYPING)
(SINGING IN FOREIGN LANGUAGE)
(INTENSE MUSIC PLAYING)
(VIBRATO INTENSIFYING)
(DIALLING)
(DIGITAL BEEPING)
(SIGHS)
(BELL RINGING)
- (CROWD APPLAUDING)
- MAN: Well done, Gabriel.
I think that's the fastest
it's ever been done.
Congratulations.
(ALL APPLAUDING)
(INDISTINCT CHATTERING)
I like your pens.
They are in spectrum order.
And before you say that
pink is in the wrong place,
pink has nothing to do with red.
It's actually white absent green.
Well done on the challenge.
They are obviously going to take you.
You were incredibly fast.
If we're going to talk, I should warn
you, I'm not very good at noticing
when people want to speak
or change the subject.
So, the conversation could last
a half an hour or several days.
It's OK. It's OK.
I'm Saara, by the way.
I'm Gabriel.
(KEYS JANGLING)
- AMINA: It's high time
- Hello, Ami.
Oh, my God. What are you doing here?
Why didn't you ring? Is everything OK?
I'm fine. I was just passing.
Just passing? What
are you talking about?
London's over an hour away.
- You'll stay for some
- Where's Abu?
Sorry. Is he still at work?
He is in his den.
He's off work again.
(INDISTINCT CHATTERING)
SAARA: Abu?
Hey!
So have you heard?
I got it.
Ah. (CHUCKLES)
- (SPEAKING URDU)
- (CHUCKLES)
Ah, yes.
You haven't told your mother?
You know she wouldn't understand.
Of course not.
They don't know anything about it.
Good.
Come. Sit. Sit.
Mum said you are off work
again, Abu. Are you OK?
I'm fine. I was a bit
down, but I'm fine now.
I'll be back on Monday.
Down like last time?
No, nothing like that.
Anyway, when I see you, I feel better.
How long can you stay?
I'm sorry, Abu I
have to get back tonight.
You have got classes in the morning.
I'm really sorry.
Oh, don't be ridiculous.
Classes are important.
But you have time for a quick game?
- Of course.
- Excellent!
(BOTH CHUCKLE)
(AHMED EXCLAIMS)
You do think it's OK,
Abu, what I'm doing.
Oh, this girl You'll be spending
a year learning to defend our country,
and at the end, you
go back to university.
What could be wrong with that? Huh?
(SINGING IN FOREIGN LANGUAGE)
AHMED: Ha!
Hey. You'll be brilliant.
(TYPING)
Yeah.
We're in. Happy for us
to move to the next step?
- RICH: Go.
- FINN: OK, let's get some resilience.
They're inside.
- They've broken in.
- ZAHIR: How?
It doesn't matter how. We'll
work it out later. Get going.
I want them out.
ZAHIR: I told you this is a bad idea.
(SIGHS)
(TYPING)
We've accessed credentials for
your Ops and Management system.
- CHRISSIE: What?
- OK to proceed?
They've got the passwords.
They're about to log in.
ZAHIR: Wait.
CHRISSIE: Zahir?
(ALARMS GOING OFF)
Zahir?
I'm seeing red lights,
Tahmid. What's going on?
(POWER SHUTTING DOWN)
WOMAN: We're down.
- What the fuck
- (TELEPHONE RINGING)
What did you do?
Er, nothing.
We're just logging into the system now.
(POWER SHUTTING DOWN)
(INDISTINCT MURMURING)
Finn?
(FINN EXCLAIMS)
(KEYBOARD CLACKING)
(SMACKS LIPS)
Yeah, er, looks like the Internet.
What do you mean, "the Internet"?
FINN: I think we are offline.
Cannot be.
CHRISSIE: Do you know
what? Pull out now.
I want you completely
disconnected from our estate.
(INCOMING CALL)
Hey, my line just went
down. What's going on?
You'd better get up here.
MAX: Sorry to keep you waiting.
I'm Max.
Hi.
Er, we're not shaking
hands at the moment.
Oh. Of course. Sorry.
Welcome to GCHQ.
DANNY: Tell me.
CHRISSIE: We have a serious problem.
Your stress test just took
down half our infrastructure.
Whatever you did, you
need to undo it right now,
before it starts to
impact on public safety.
- Rich?
- Can't be us, boss.
We never got beyond the admin platform.
(DANNY SIGHS)
OK.
(INDISTINCT CHATTER)
(LAUGHTER)
SAARA: Sorry, I'm totally overdressed.
MAX: Oh, don't worry.
We all make that
mistake on our first day.
We're very glad to have you.
As you can see, we're
hideously male, stale and pale.
Sorry?
Old and white.
Like me.
I hope that's not why you picked me.
Because I've got a brown face.
No, of course not.
Where are you going?
PHIL: We've been summoned.
Why don't you come?
You might find this interesting.
DANNY: Erm, BT Openreach provides the
infrastructure for most
of the UK's Internet.
At 0907 this morning, whilst we
were stress-testing their systems,
they experienced a partial shutdown,
impacting as far as we can tell,
about 55% of Internet provision.
Oh, Chrissie, have you met
Max? He is our head of malware.
Hi, how you doing?
DANNY: Now, erm, we're
still checking, obviously,
but so far it looks like
National Grid's ICS is OK.
Same with gas and water.
Rail signalling is down
Are you sure it's OK for me to be here?
- (DANNY CONTINUES INDISTINCTLY)
- Why not?
You're DV cleared, aren't you?
Air Traffic Control is still up,
but it seems most of
the flights have stopped
because they use the Internet to
control aircraft on the ground.
Er, online banking is down and some
of their core comms are affected,
so most of the cash
machines are offline.
WOMAN: What about smartphones?
Sorry, Caroline Fitch, Number 10.
DAVID: Chrissie, can
smartphones get online?
Chrissie is head of security at BT.
Yeah, as far as we can tell.
But a lot of the systems,
their access are affected,
so there's not much they can do.
(INHALES) Erm,
some of the big email servers are down.
There's no Zoom, no Teams, which has taken
out all the new hospital appointments.
Er, there's no online shopping.
But, er, social media is
unaffected, interestingly.
All in all, quite cleverly targeted
to cause significant disruption without
actually putting that many lives at risk.
CAROLINE: So, it's a cyber attack?
That's what you're saying?
DANNY: We think so. Yeah.
Virgin was also affected,
which rules out the stress test
as the cause or any
hardware problems within BT.
That only leaves malware, and
using the stress-test as a cover.
KATHY: Can I jump in?
DAVID: Er, yeah, go ahead.
Kathy is one of our analysts,
on attachment from the NSA.
So, the Russian bots
are already retweeting,
and it is mostly about
how all the ATMs are down.
Er, "Another fuck-up by this
shit-for-brains government."
"Just another scam by the
elite to steal our money."
"The bankers are
screwing us over again."
Yada-yada.
(SMACKS LIPS) It's a bit
quick, don't you think?
I mean, it's almost like
they knew it was coming.
(TELEPHONE RINGING FAINTLY)
Thanks.
So is that it?
The malware.
Yep.
SAARA: Mind if I take a look?
(BEEP)
(PHIL CLEARS THROAT)
(SCROLLING MOUSE)
(TYPING)
SAARA: What's all this garbage?
I don't understand.
It's obfuscated.
Some kind of FinFisher thing.
(DOOR OPENS)
(DOOR CLOSES)
- Hey.
- MAX: It's, er, Kathy, right?
Yeah. Erm, NSA would like
to take a look at the code.
MAX: Well, has Danny approved it?
Well, he told me to update them.
Yeah, but did he say that
you could give them the code?
(SIGHS)
So you want me to walk all
the way back down the hall?
- Really?
- Absolutely.
That's the way we do it here.
KATHY: You do know that
they're only trying to help.
We're on the same team, guys.
(DOOR CLOSES)
51st State.
(PEOPLE CHUCKLING LIGHTLY)
(KEYBOARD CLACKING)
(CLICKS)
- PHIL: You see these jumps?
- SAARA: Mmhmm.
They hop over the garbage.
Oh, so it's never actually read.
That's right.
So what's it there for?
To confuse the look of the code
so the anti-virus software
won't recognise it as malware.
OK. How do we get around it?
We find a reverser that
locates all the garbage,
and then we write a
program to delete it.
Is that what you're doing now?
- Amongst other things.
- Can I help?
No.
(CLICKS)
So what do you want me to do?
We have a test environment.
Do you mean a sandbox?
Paste in the code and see if
you can get it to run in there.
It's isolated, so you can't do any harm.
And we might learn something.
I'd really prefer to
help with the reversing.
(TYPING)
(DANNY SIGHS)
(RINGTONE CHIMES)
Danny. It's the Foreign Secretary.
ELIZABETH: Well, can we schedule
a conversation before then?
Yes, I'd like that.
Thanks.
DANNY: Elizabeth.
How are you holding up?
(SMACKS LIPS) Er, I have
had better days. And nights.
Interesting timing, don't you think?
Right in the middle of
an election campaign.
Yeah. Will it have much of an impact?
People not being able to get online?
Absolutely. Feeds straight
into the populist agenda.
The government's crap, can't
organise a piss up in a brewery.
Plus, Labour does most
of its campaigning online,
so the Internet going down
looks very convenient for us.
So now we're corrupt
as well as incompetent.
(SCOFFS)
Anyway, where are we?
Er, we are currently about 35% restored.
It's not straightforward, unfortunately.
There's a lot of anti-debugging
tricks in the code, so.
I imagine you're assuming it's Russia.
Well, (SIGHS) as you know, we try to
avoid making attributions prematurely.
Erm, anything in the code,
which suggests a particular
team could be a misdirection.
And as soon as we point the finger,
then there's pressure to retaliate
and we're into tit-for-tat escalation.
But what's your gut?
(SIGHS)
(SUCKS TEETH)
That it's probably
Russia, most likely FSB.
OK.
Because according to
our embassy in Moscow,
the lights have been flashing on and off
in Putin's office for the last half hour.
Really?
- So that's nothing to do with you then?
- No.
But, erm, if it's true,
then that's pretty funny.
Yes, hysterical.
As long as it's not us or
anyone acting as our proxy,
- can you check, please, Danny?
- Yes.
(TYPING)
(TELEPHONE RINGING)
I don't understand.
it ran inside BT's computers.
Why won't it run here?
You can write malware, so it
knows when it's in a sandbox.
It searches for normal
computer activity.
If it can't find any, it deactivates.
Is there a workaround?
You could paste in some Word documents,
scroll around a bit.
That could make it think that
it's in a real environment,
but it's not always a guarantee.
Can I use this?
Do you always change
the subject like that?
- Sorry, I
- Why do you need it?
If there's something you don't
understand, you can just ask me.
It's not about work.
I need to make an outside call.
I didn't know they were going to
take my phone off me at reception.
Yeah, it's nine, and then the number.
Paste in those Word
documents, all right?
(DIALLING)
CAMPBELL: (ON TV) Prime Minister,
throughout this election campaign,
you made a great deal of the fact
that you are Britain's
first Black Prime Minister
and that you understand
ordinary working people.
But your father was an incredibly
wealthy Nigerian businessman.
and you spent your childhood in
one of Britain's top public schools.
ANDREW: Come on, Campbell,
not that old chestnut.
Look, I don't think that's what
people are worrying about at all.
- I think they're worrying about
- Isn't it, Prime Minister?
This country's in the middle
of the deepest recession
AHMED: (OVER PHONE) Hello, this is Ahmed.
Please leave a message after the tone.
Thank you.
(AHMED SPEAKING URDU)
(BEEP)
Hi, Abu. Er, it's me.
Just checking in to
see how you're feeling.
You can't really ring me back
here, but I'll try again later.
Love you.
ANDREW: I don't know
what you're implying, Campbell,
but I live here too,
and this recession has nothing to do
with Brexit, which is a huge success.
DANNY: Kathy, have you got a moment?
Sure. What do you need?
Er, the "Jolly Roger"?
Jolly Roger.
(TYPING)
- "You've been Rogered."
- (CHUCKLES SOFTLY)
Subtle.
KATHY: Oh.
He blames Russia for the attack
and he says that he's retaliating.
Calls himself "the patriotic hacker."
Right. That's all we need.
KATHY: Yeah.
This has nothing to do with any of you?
- No. No. Not at all. Nothing.
- No? No one's encouraged him?
Well. (SUCKS TEETH)
How do you think he
knows that it's Russia?
He doesn't. He's just grandstanding.
But this is all anyone's
going to remember.
When we come out with
the official attribution,
no-one's going to be listening.
(TAKES DEEP BREATH)
- All right, thanks, Kathy.
- Oh, er, did you get my message?
Er, no, I don't think I did?
NSA's asked to see the
malware code. Is that cool?
Er, yeah. Why not?
- Thanks.
- So, what's the problem?
- No, there's no problem.
- OK.
REPORTER: (ON TV) Almost certainly
not the image party election managers
wanted on your TV screens tonight.
The Prime Minister being aggressively
heckled while campaigning in Bristol.
And, as a precaution, I'll be chairing
a COBR meeting on Sunday at 10:00 a.m.
In the meantime
- (PEOPLE CLAMOURING)
- In the meantime,
in the face of this criminal
and unprovoked cyber attack,
I have instructed security
forces to do whatever is necessary
to find out who's responsible.
(CONTINUES CLAMOURING)
To ensure your services and
access to your bank account
and your hard-earned savings
are absolutely safe
(INAUDIBLE)
Thank you. Thank you.
(ALL CHEERING)
Extraordinary scenes here.
The Prime Minister has rarely been seen
outside the Westminster bubble
since, as a junior minister,
not even in the Cabinet,
he ousted Boris Johnson
in a particularly bloody
"palace coup" 15 months ago.
But with the Conservatives running
six points behind in the polls,
this campaign is confronting
him with a very real anger
some feel about the economic crisis.
And just how deep the disillusionment
with authority in general now runs.
(SCROLLING MOUSE)
(CONTINUES SCROLLING)
SAARA: Phil.
I still couldn't get it
to run in the sandbox,
so I thought I'd take a
look at the code itself.
I hope you don't mind. I think
I might've found something.
(CHUCKLES SOFTLY)
Well, that's OK. We've all done it.
Done what?
Tried to reverse a library.
It's boilerplate code.
It's just there to avoid
the coder having to write
some common functions from scratch.
It's the one that you don't
need to bother reversing.
I know what a library is.
I think there's something
else hidden in there.
(CLICKS)
Probably thought we
wouldn't bother checking.
(VIBRATO INTENSIFYING)
Saara found it.
One of our work-experience students.
DANNY: Thanks.
(EXHALES)
It's a dropper, right?
Yeah. Tiny.
That's why we missed
it the first time round.
- If you run it, it raises a flag.
- (SIGHS)
What's the flag?
Saara?
Er, a "like"
on this Facebook page.
I suppose someone somewhere
must be monitoring it.
It's a tripwire.
If they see a "like" on the story,
then they know we've
downloaded the payload.
I presume you've managed to
pull it down without tripping it.
- I think so.
- And?
I'm not sure yet. It's
obfuscated like the last one.
(EXHALES SHARPLY)
(TYPING)
(CHIMES)
DAVID: Danny.
There's a second virus
hidden inside the first.
I think we should upgrade
to a Level One attack.
- Level One? Really?
- Yeah, I think so.
This degree of sophistication.
And maybe we should call JSTAT,
get them to raise the
threat level to critical.
We don't know what
this new one does yet.
OK, I'll call Number 10.
Thanks. Right. Shut it down.
OK, and find out what it was
meant to do. Quick as you can.
MAX: Yes. Got it.
(SIGHS)
Well done, Saara.
- (HELICOPTER WHIRRING)
- (PEOPLE SHOUTING INDISTINCTLY)
SAARA: Excuse me.
(MOBILE PHONE RINGING)
- Hi.
- AMINA: Where are you?
Why didn't you call back?
Why? What's wrong?
Abu's had an accident
on the tracks.
SAARA: What?
He's in the hospital.
You need to come.
I can't.
Not right now.
- Just
- He's asking for you, Saar.
You need to get back here.
I will.
I'll get a train as
soon as this is done.
- I'll be there soon.
- Pass please, ma'am.
MAX: Thought we'd lost you. Are you OK?
SAARA: My dad's not well.
Do you need to go?
No, it's OK.
(INTENSE MUSIC PLAYING)
MAX: Plug in, they're about to start.
DANNY: Saara.
Do you want to follow me?
Go on, then.
Leave it. You won't need it.
(INDISTINCT CONVERSATION)
Andy.
Good to see you. We'll
catch up after the meeting.
Home Secretary, nice to see you.
(INDISTINCT CHATTERING)
Do you wanna sit down? Sit there.
(INDISTINCT CONVERSATION)
DANNY: As you all know, from the
CRIP, we've located the malware
within BT's systems and with
some round the clock work,
its code has been 70%
reverse engineered.
Based on what we've learned,
I'm confident we can
have most of the Internet
back up and running by midnight tonight.
(SIGHS IN RELIEF) Good.
Er, as far as we can tell, this virus
has never been seen in the wild before.
Which means it was specially written
to take down sections of the B
and Virgin infrastructures,
which is quite a feat,
considering the
built-in safety features.
Perhaps most notably, it
doesn't seem to be communicating
with any sort of home base,
which is, erm, unusual.
ANDREW: Really?
Is that the most notable thing?
Because I'd say, it's
the devastating effect
it's having on our economy,
which is already in recession.
And which I can tell you
from personal experience,
is going down with voters
like a bucket of cold sick.
It could have been
worse, Prime Minister.
How?
Well, if the attack had
happened on Monday morning,
instead of on Friday.
Which is, in fact, exactly what
would have happened, Prime Minister,
if it hadn't been for the sharp eyes
of one of our work-experience students,
who spotted something else,
hidden inside the malware code.
Danny.
Yeah, at 9:00 a.m. tomorrow morning, a
second stage attack was set to activate,
this time taking out the entire Internet
with potentially catastrophic results.
The whole country,
including vital services,
would have been left unable to get online,
just as the Monday morning rush began.
And this is the young student who
spotted it. (WHISPERS) Stand up.
Do we know who's responsible?
For the attack?
We're still working on that.
Well, Jolly Roger seems
to know judging by the way
he's flashing the lights
off and on in Putin's office.
(ELIZABETH CLEARS THROAT)
Perhaps we're relying on him
for our cyber responses nowadays.
(ALL TITTERING)
I'm sorry to interrupt this
happy moment, Prime Minister,
but I'd be glad of some
clarification, if that's OK.
You say the second malware was spotted
by this young woman. What's her name?
Saara Parvin.
RICHARD: And she's a student?
DANNY: Yes, that's right.
And the rest of GCHQ just
missed it.
I'm sorry. Is that something
we're supposed to applaud?
I mean, it's hardly reassuring, is it?
If she hadn't been doing her work
experience or whatever it was,
the entire panoply of our
cyber security apparatus
would have missed an
extremely dangerous attack,
paralysing commercial life in this
country for the second time in four days.
If a student could find this
thing and the rest of you didn't,
how do we know there isn't
something else hiding in there,
waiting to go off at 11:00 a.m.
tomorrow? Or 2:00 p.m. or whenever?
I think you'd better go back
and take another look, don't you?
See what else you've missed.
And let's have some options for an
offensive cyber attack on Russia.
I'd like to know what
we could do to retaliate.
(INTENSE MUSIC PLAYING)
DANNY: OK.
Get everybody back tonight.
10:00 p.m., bring them all in.
(VIBRATO INTENSIFYING)
(CHILD CRYING)
(INDISTINCT CHATTER)
- YASMIN: Where have you been?
- How is he?
- Where have you been, Saara?
- I got here as quickly as I could.
(YASMIN SNIFFLES, CRIES)
What's happened?
Tell me.
SAJID: Abu died.
About half an hour ago.
(YASMIN CONTINUES CRYING)
AMINA: It's OK, Ami.
It's OK.
(MELANCHOLY MUSIC PLAYING)
(INDISTINCT CHATTER)
(MACHINE BEEPING)
Are you sure you want to do this?
(VOICE BREAKING) What was
he doing on the tracks?
They're not sure.
There's going to have
to be an investigation.
(SOBS)
(SNIFFLES)
(BREATHING UNSTEADILY)
(SAARA CRYING)
(SNIFFLES)
(CONTINUES CRYING)
(CLOCK TICKING)
(DOOR CLOSES)
They're withholding his body.
What?
What? Why?
There's going to have
to be a post mortem.
(AMINA SIGHS)
YASMIN: So we can't bury him?
The police won't let us. Not yet.
SAARA: Why?
- Is it because it might be suicide?
- Saara!
- I'll get you some tea.
- YASMIN: No!
Saara can get it.
AMINA: Oh, it's fine,
Ami. I'm not an invalid.
YASMIN: Why don't you just go?
- If you're in such a hurry
- (ANGRILY) Enough, Ami!
Give her a break!
- None of this is her fault.
- No.
I won't give her a break.
Her father has just died
and she shows nothing.
She looks at her watch!
All she ever thinks about is herself.
Why are you so selfish?
Tell me. Because I don't understand!
- AMINA: That's not fair, Mum.
- SAARA: I'm sorry, I can't do this.
(SHOUTING) That's right,
leave, like you always do!
(DOOR SLAMS)
(INTENSE MUSIC PLAYING)
Right, for those of you that don't
know, we've just returned from London
where we were comprehensively
beaten up at COBR.
Erm (CHUCKLES)
Yeah, but just because it was unpleasant
doesn't mean it wasn't justified.
There was a Level One attack
on the Internet on Friday.
And all of our focus
has been on isolating
the malware responsible
and disabling it.
(INHALES DEEPLY) With the pressure
to get everything back up and running,
it's hardly surprising
that we weren't looking
as carefully as we should for
extra functionality in the code.
Erm, the fact that it was one of our
work-experience students that found it
in a place we wouldn't
ordinarily be looking,
probably doesn't reflect that
well on us, if I'm honest.
Certainly not in the opinion of
some of the members of COBR, anyway.
(ALL CHUCKLING)
So we're going to be going back
over the malware code line by line.
- Let's see what else is hiding in there.
- (ALL CHATTERING INDISTINCTLY)
It's a big task and it's urgent.
We cannot afford to be caught out again.
Malware will be leading this.
And some of you will be
reassigned for a bit to help out.
- (ALL EXCLAIMING)
- And shifts will be extended again,
I'm afraid, until this gets sorted.
OK. Sorry about that. Let's get to it.
(INDISTINCT CHATTERING)
(SLOW INSTRUMENTAL MUSIC PLAYING)
DANNY: Saara?
Hey, listen, I'm sorry about what
I put you through at COBR today.
I didn't see that coming.
You should go home. You look exhausted.
SAARA: No, I'm fine, honestly.
No, I'm serious, Saara.
You look terrible.
I can't.
Everyone else is working.
Go home. OK?
You did a really good job today.
And it will still be here in
the morning, I promise you.
(SINGING IN FOREIGN LANGUAGE)
ANDREW: (ON TV) A completely
illegal and irresponsible attack,
which could have been far worse
if it hadn't been for the
carefully prepared strategies
- we brought into play on Friday.
- (DOOR CLOSES)
Everything will be fully back
up and running by midnight.
In fact, many services
have already been restored.
All our online banking, all
our major transport links.
(CONTINUES INDISTINCTLY)
Our allies around the world have been
quick to condemn this outrageous attack
on UK's sovereignty and
to offer their support,
- countries like the United States
- Hey.
countries like France,
Spain, Germany and many others,
which believe in and
are prepared to stand
What incredible timing for
your first day. (CHUCKLES)
I thought they'd never let you out.
How was it?
(ANDREW CONTINUES INDISTINCTLY ON TV)
What is it? What's wrong?
Saar?
My father died this evening.
I am so sorry, Saar.
What?
When? When? What happened?
SAARA: You're probably hungry.
Countries like the United States.
Countries like France, Spain, Germany
and many others, which believe
in and are prepared to stand up
for the rule of law,
and I can assure you that
we will respond to the attack
within the law
and at a time and in a
manner of our choosing.
(RINGTONE CHIMING)
The rules based International
- DANNY: Hi.
- You watching?
Yeah.
DAVID: And how are we
getting on with his options?
Er, we're not. It's a really bad idea.
We have to do this, Danny.
DANNY: Right.
And to hell with the escalation?
Because that's where this leads.
You know that.
(SIGHS)
OK.
(CHIMES)
Finn, get up here.
Yes, boss.
ANDREW: which we have to do it in the
world, can claim a similar legitimacy.
But just because this is a democracy,
it doesn't mean we are weak.
Or lack the will or the
capability to defend ourselves.
And we will defend ourselves with
all the force available to us,
within the law.
Thank you.
(THEME MUSIC PLAYING)