WEBVTT

00:00:00.380 --> 00:00:03.419
JACK: So, throughout my life, I’ve had this recurring dream.

00:00:03.419 --> 00:00:09.460
It starts out with me being in my front yard, and coming down the street is a wild bull.

00:00:09.460 --> 00:00:14.130
[MUSIC] It’s typically white in color, and it’s just on a terror.

00:00:14.130 --> 00:00:19.280
It’s running around the neighborhood, smashing up cars, knocking down trees, trampling everything

00:00:19.280 --> 00:00:20.800
in its path.

00:00:20.800 --> 00:00:21.800
Nothing can stop it.

00:00:21.800 --> 00:00:29.050
Then, it for some reason turns and looks at me, and I can tell it’s coming for me.

00:00:29.050 --> 00:00:34.420
I mean, it’s so wild; it’s falling down, tumbling, running into houses and stuff, trying

00:00:34.420 --> 00:00:36.640
to turn to come towards me.

00:00:36.640 --> 00:00:41.011
So, I quickly run into the house, slam the door shut, lock it, and then go to the window

00:00:41.011 --> 00:00:42.480
to look to see what’s going on.

00:00:42.480 --> 00:00:46.440
But the bull just runs right up to my house, hits the front door, and just busts through

00:00:46.440 --> 00:00:47.800
it like it’s paper.

00:00:47.800 --> 00:00:51.469
It’s suddenly in my house and it’s trying hard to turn corners and navigate through

00:00:51.469 --> 00:00:56.450
my house to get to me, but it’s falling down and smashing into walls and furniture,

00:00:56.450 --> 00:01:00.981
and I’m frantically trying to find a safe place to go, but every room I go into, it

00:01:00.981 --> 00:01:04.890
just smashes through those doors or windows to get to where I am.

00:01:04.890 --> 00:01:09.760
I keep going into room after room, shutting doors, locking it, but it just keeps getting

00:01:09.760 --> 00:01:11.080
in.

00:01:11.080 --> 00:01:13.590
I usually wake up around here, heart racing.

00:01:13.590 --> 00:01:15.190
I’m in a panic.

00:01:15.190 --> 00:01:20.299
What I often feel after this dream is helplessness, complete vulnerability.

00:01:20.299 --> 00:01:23.100
There’s no place that feels safe.

00:01:23.100 --> 00:01:28.610
It doesn’t matter how many locked doors I have or hiding places I know of; that bull

00:01:28.610 --> 00:01:32.759
always finds me and smashes its way to me.

00:01:32.759 --> 00:01:38.810
I tell you this because after listening to today’s story, I get that same feeling of

00:01:38.810 --> 00:01:41.510
feeling afraid and helpless.

00:01:41.510 --> 00:01:50.360
(INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet.

00:01:50.360 --> 00:01:55.060
I’m Jack Rhysider.

00:01:55.060 --> 00:01:58.140
This is Darknet Diaries.

00:01:58.140 --> 00:02:04.110
[INTRO MUSIC ENDS]

00:02:04.110 --> 00:02:16.460
JACK: Okay, y’all have seen this talk at the STICK Conference earlier this year, right?

00:02:16.460 --> 00:02:18.540
OMAR: [SPANISH]

00:02:18.540 --> 00:02:24.040
JACK: I don’t speak Spanish, so I have to use YouTube to auto-translate for me, but,

00:02:24.040 --> 00:02:25.040
hm.

00:02:25.040 --> 00:02:30.519
Now that I’m looking at it, there are only 115 views on this video, so, no, you absolutely

00:02:30.519 --> 00:02:31.750
have not seen this talk.

00:02:31.750 --> 00:02:33.400
Okay, let me find another.

00:02:33.400 --> 00:02:34.650
Okay, what about this one?

00:02:34.650 --> 00:02:41.010
This is a talk from Hack the Box meetup in Santo Domingo in the Caribbean Sea.

00:02:41.010 --> 00:02:45.270
OMAR: [SPANISH]

00:02:45.270 --> 00:02:48.060
JACK: You know what?

00:02:48.060 --> 00:02:52.680
This video only has 500 views, so, no, you did not see this video, either.

00:02:52.680 --> 00:02:57.319
Well, both of these talks are by a guy named Omar Avilez, and he’s talking about the

00:02:57.319 --> 00:02:59.140
worst day of his life.

00:02:59.140 --> 00:03:04.549
It’s a chilling story, but since you haven’t seen this talk, I really want you to hear

00:03:04.549 --> 00:03:08.959
it, and since it’s in Spanish, I’m gonna call up Omar to see if he can tell us the

00:03:08.959 --> 00:03:09.959
story in English.

00:03:09.959 --> 00:03:17.720
OMAR: This story starts much earlier than we even knew that something was happening.

00:03:17.720 --> 00:03:22.250
So, this started May 2022 in Costa Rica.

00:03:22.250 --> 00:03:26.569
JACK: Okay, so this is Omar and he lives in the Dominican Republic, which is an island

00:03:26.569 --> 00:03:27.700
in the Caribbean Sea.

00:03:27.700 --> 00:03:31.959
Across the Caribbean Sea, next to Panama, is Costa Rica.

00:03:31.959 --> 00:03:34.920
What Omar saw happening in Costa Rica struck his curiosity.

00:03:34.920 --> 00:03:40.159
HOST1: The new president of Costa Rica has declared his country is at war with a ransomware

00:03:40.159 --> 00:03:43.870
group which has been carrying out cyber attacks on the country’s government.

00:03:43.870 --> 00:03:49.159
The cyber-criminal gang known as Conti has disabled agencies across the government since

00:03:49.159 --> 00:03:51.390
April using ransomware attacks.

00:03:51.390 --> 00:03:55.480
JACK: Whoa, that’s kinda dramatic, isn’t it; declared war?

00:03:55.480 --> 00:03:56.480
Seriously?

00:03:56.480 --> 00:04:01.790
You go in to deploy troops and send fighter jets because someone put ransomware on your

00:04:01.790 --> 00:04:02.790
computers?

00:04:02.790 --> 00:04:04.620
Does Costa Rica even have fighter jets?

00:04:04.620 --> 00:04:09.540
Anyway, because Omar is in part of Latin America, he was watching this story unfold.

00:04:09.540 --> 00:04:17.000
OMAR: Let me introduce myself before I start talking about that day’s events.

00:04:17.000 --> 00:04:23.889
So, I used to work in the Dominican Republic National CSIRT, which is the National Cyber

00:04:23.889 --> 00:04:25.810
Security Incident Response Team.

00:04:25.810 --> 00:04:30.380
JACK: Sorry, I had a bad connection with Omar when we were talking, so let me repeat that

00:04:30.380 --> 00:04:31.380
for you.

00:04:31.380 --> 00:04:34.550
Omar worked in the CSIRT for the Dominican Republic.

00:04:34.550 --> 00:04:40.580
CSIRT is an acronym which stands for Cyber Security Incident Response Team, and this

00:04:40.580 --> 00:04:45.000
CSIRT unit falls under the Department of Defense in the Dominican Republic.

00:04:45.000 --> 00:04:49.639
So, when cyber-attacks threaten national security, Omar was there to review it.

00:04:49.639 --> 00:04:54.460
But what’s more is the Dominican Republic CSIRT is part of a community of other incident

00:04:54.460 --> 00:04:56.460
response teams within Latin America.

00:04:56.460 --> 00:05:02.220
OMAR: So, when the incident in Costa Rica happened, they contact us just to ask for

00:05:02.220 --> 00:05:03.220
help.

00:05:03.220 --> 00:05:08.600
JACK: What he saw was that twenty different government organizations in Costa Rica were

00:05:08.600 --> 00:05:11.090
hit with this Conti ransomware.

00:05:11.090 --> 00:05:15.410
This was a very widespread problem within their government, so it’s no wonder they

00:05:15.410 --> 00:05:18.289
were reaching out for help anywhere they could.

00:05:18.289 --> 00:05:22.980
Many parts of the Costa Rican government came to a halt, and they were frantic over there.

00:05:22.980 --> 00:05:28.110
But this gave Omar the ability to research and understand this Conti ransomware better.

00:05:28.110 --> 00:05:32.760
OMAR: It was a massive malware campaign in Costa Rica.

00:05:32.760 --> 00:05:36.680
They were attacking government organizations through phishing, exposing vulnerabilities,

00:05:36.680 --> 00:05:40.230
but they compromised all the departments separately.

00:05:40.230 --> 00:05:42.930
JACK: Wow, that’s really remarkable.

00:05:42.930 --> 00:05:47.250
See, when I hear that twenty departments were hit, I immediately think that there must be

00:05:47.250 --> 00:05:51.660
some central connection that allowed the malware to spread internally.

00:05:51.660 --> 00:05:55.220
You know, like if you can get in through the front door, now you can take a tunnel to all

00:05:55.220 --> 00:05:56.450
the other buildings or something?

00:05:56.450 --> 00:06:02.520
But, no; what Omar saw was that each of these twenty departments was infected separately,

00:06:02.520 --> 00:06:05.880
some of which were infected through phishing e-mails and some from malware put right on

00:06:05.880 --> 00:06:07.710
systems that were connected to the internet.

00:06:07.710 --> 00:06:12.520
But just because the malware got inside each of these places, it didn’t actually turn

00:06:12.520 --> 00:06:14.300
on until the right time.

00:06:14.300 --> 00:06:18.490
It was coordinated that when enough systems got infected, it would trigger the ransomware

00:06:18.490 --> 00:06:22.360
to lock all the computers at once and demand payment to unlock them.

00:06:22.360 --> 00:06:26.320
Now, the motive behind putting ransomware on systems like this is typically just to

00:06:26.320 --> 00:06:27.320
make money.

00:06:27.320 --> 00:06:32.440
I believe they were asking for $20 million to unlock Costa Rica’s systems.

00:06:32.440 --> 00:06:36.680
So, whoever did this seemed to be there only for financial gain.

00:06:36.680 --> 00:06:40.420
Costa Rica got their systems fixed up, and I don’t think they paid the ransom.

00:06:40.420 --> 00:06:45.539
They had backups and restored, but Omar saw how this malware operated and worked, and

00:06:45.539 --> 00:06:49.620
he saw the methods they used to get in, and took this new knowledge to scan the Dominican

00:06:49.620 --> 00:06:54.270
Republic’s national computer infrastructure to see if anything matched what was on Costa

00:06:54.270 --> 00:06:55.270
Rica’s systems.

00:06:55.270 --> 00:06:59.070
[MUSIC] After all, the malware seemed to be present in Costa Rica’s network for a while

00:06:59.070 --> 00:07:00.500
before it actually executed.

00:07:00.500 --> 00:07:06.300
So, he looked through computer after computer and scanned lots of systems looking for things

00:07:06.300 --> 00:07:08.920
that matched what he saw in Costa Rica.

00:07:08.920 --> 00:07:13.850
He didn’t find anything, actually, which seemed like the Conti ransomware gang wasn’t

00:07:13.850 --> 00:07:16.670
targeting the Dominican Republic, which was good.

00:07:16.670 --> 00:07:22.020
But then, while looking for malware in the network, he noticed something.

00:07:22.020 --> 00:07:25.240
Someone had defaced a Dominican Republic government’s website.

00:07:25.240 --> 00:07:29.950
They found a vulnerability on the web server and changed the pictures and text to something

00:07:29.950 --> 00:07:30.950
else.

00:07:30.950 --> 00:07:33.030
So, he zoomed into this to investigate.

00:07:33.030 --> 00:07:37.000
OMAR: We found an implant, a piece of malware.

00:07:37.000 --> 00:07:42.160
JACK: Now, typically when someone defaces a website, it’s a small-time hacker.

00:07:42.160 --> 00:07:46.120
Being able to show your friends that you changed the text on a government website makes you

00:07:46.120 --> 00:07:48.150
look cool in some hacker circles.

00:07:48.150 --> 00:07:53.639
But it wasn’t this person who defaced the website that put the malware on that computer.

00:07:53.639 --> 00:07:58.400
See, when Omar was investigating the defacement, he checked to see if any malware was left

00:07:58.400 --> 00:08:01.560
behind, and it was, just not by this person.

00:08:01.560 --> 00:08:05.420
One of the places Omar likes to look for malware is in the temp directory.

00:08:05.420 --> 00:08:09.930
The temp directory is used by programs to temporarily hold data, and it’s kind of

00:08:09.930 --> 00:08:13.360
a free space for any app to use to dump data in there if it needs it.

00:08:13.360 --> 00:08:18.849
So, this directory often has open permissions; anyone can read or write to it.

00:08:18.849 --> 00:08:24.120
Not many directories are like that on a computer, so that’s why Omar looked in the temp directory,

00:08:24.120 --> 00:08:27.180
and that’s where he saw that someone had stuck this malware in there.

00:08:27.180 --> 00:08:33.500
OMAR: But the malware, the implant was on the system from ten to eleven months ago.

00:08:33.500 --> 00:08:38.769
JACK: So, someone had exploited this system ten months ago, stuck some malware in there,

00:08:38.769 --> 00:08:40.690
and then left quietly.

00:08:40.690 --> 00:08:45.720
When someone else came and defaced the site, that’s when he discovered that it was there.

00:08:45.720 --> 00:08:52.010
Just imagine that sinking feeling for a moment; malware had been here for ten months and nobody

00:08:52.010 --> 00:08:53.010
noticed.

00:08:53.010 --> 00:08:55.769
Your worst fears start racing through your head at this point.

00:08:55.769 --> 00:08:56.959
Did they steal anything?

00:08:56.959 --> 00:08:58.970
Did they access stuff they shouldn’t?

00:08:58.970 --> 00:09:01.130
Did they jump around to other computers?

00:09:01.130 --> 00:09:05.589
OMAR: It was a malware that did privilege escalation.

00:09:05.589 --> 00:09:13.079
So, we spotted a Windows vulnerability that was unknown to Windows — to the Windows

00:09:13.079 --> 00:09:14.079
people.

00:09:14.079 --> 00:09:15.519
So, we may call that a zero-day.

00:09:15.519 --> 00:09:17.540
JACK: Okay, this just got worse.

00:09:17.540 --> 00:09:22.070
A zero-day means that not even Microsoft knows about this vulnerability, and the reason why

00:09:22.070 --> 00:09:26.600
it’s worse is because whoever left this here must have access to some pretty advanced

00:09:26.600 --> 00:09:27.600
malware.

00:09:27.600 --> 00:09:32.200
It’s not easy to find a zero-day exploit because if it was, Microsoft would find it,

00:09:32.200 --> 00:09:33.860
too, and put a fix out for it.

00:09:33.860 --> 00:09:36.010
So, it’s supposed to be secret.

00:09:36.010 --> 00:09:41.220
Now, specifically, this malware’s purpose was to escalate privileges, so that means

00:09:41.220 --> 00:09:46.329
if you get on a system as a low-level user, it’ll promote you to a user with administrator

00:09:46.329 --> 00:09:47.329
rights.

00:09:47.329 --> 00:09:50.700
So, now you can do anything you want on that system, kind of like if you were to just walk

00:09:50.700 --> 00:09:54.470
into the front door of a prison and convince the guards that you actually own the prison

00:09:54.470 --> 00:09:56.550
and to give you all the keys.

00:09:56.550 --> 00:10:01.000
Being able to escalate your privileges is a crucial step at getting full control of

00:10:01.000 --> 00:10:04.589
a computer, and this could be the beginning of a big deal.

00:10:04.589 --> 00:10:07.710
Just as Omar was about to tell someone about this, news broke out.

00:10:07.710 --> 00:10:11.279
HOST2: [MUSIC] The Dominican Republic’s agricultural department has suffered a ransomware

00:10:11.279 --> 00:10:13.570
attack by the Quantum ransomware group.

00:10:13.570 --> 00:10:18.380
The attack disrupted multiple services by encrypting four physical and eight virtual

00:10:18.380 --> 00:10:23.370
servers, compromising most of the information including databases, e-mail, and applications.

00:10:23.370 --> 00:10:25.730
JACK: [MUSIC] Wait, Quantum ransomware?

00:10:25.730 --> 00:10:28.630
Gosh, a totally different group hit them?

00:10:28.630 --> 00:10:32.170
It makes me want to make a meme out of all this ransomware news.

00:10:32.170 --> 00:10:34.010
SAMUEL: Enough is enough!

00:10:34.010 --> 00:10:35.010
I’ve had it with…

00:10:35.010 --> 00:10:39.300
JACK: I’ve had it with this mother-flippin’ ransomware on these mother-flippin’ computers!

00:10:39.300 --> 00:10:43.500
Just when you tune your eyes to be able to see and detect a certain kind of malware,

00:10:43.500 --> 00:10:46.960
you get blindsided by a totally different kind.

00:10:46.960 --> 00:10:51.320
Whatever that malware was that Omar found on that web server, that had nothing to do

00:10:51.320 --> 00:10:52.850
with this Quantum ransomware.

00:10:52.850 --> 00:11:00.100
OMAR: They exploited a vulnerability, a Fortinet firewall that allowed them to have VPN access

00:11:00.100 --> 00:11:02.120
to the infrastructure.

00:11:02.120 --> 00:11:10.490
So, with the VPN access, they managed to compromise the entire organization and then tried to

00:11:10.490 --> 00:11:11.490
ransom the organization.

00:11:11.490 --> 00:11:16.270
JACK: Luckily, they detected this quite quickly and called Omar in very early.

00:11:16.270 --> 00:11:19.800
He got in his car and drove down to the data center that was infected, and when he got

00:11:19.800 --> 00:11:24.190
on the systems there, he was able to see the people who were behind the Quantum ransomware

00:11:24.190 --> 00:11:27.079
typing out commands, infecting more systems.

00:11:27.079 --> 00:11:31.120
So, because he reacted so quickly, he was able to stop the spread of it from getting

00:11:31.120 --> 00:11:34.880
on more machines, and this is a stressful situation.

00:11:34.880 --> 00:11:39.920
I don’t know if you’ve ever gotten your computer or phone infected, but any time this

00:11:39.920 --> 00:11:44.560
happens, you have to wonder, did you clean your device good enough?

00:11:44.560 --> 00:11:47.320
Are they still in there?

00:11:47.320 --> 00:11:48.779
You never actually know.

00:11:48.779 --> 00:11:53.160
You sort of have to cross your fingers and hope the attackers will let you know if they’re

00:11:53.160 --> 00:11:54.430
in there still.

00:11:54.430 --> 00:11:58.889
Even though he’s kicked them out of this one system, it’s hard to tell if they just

00:11:58.889 --> 00:12:03.060
come right back in or what other systems they may have access to.

00:12:03.060 --> 00:12:07.899
It’s like trying to build a dam in the dark with just sticks and rocks.

00:12:07.899 --> 00:12:16.570
OMAR: So, that’s when the Republic – so, on the investigation, we found out the attackers

00:12:16.570 --> 00:12:23.690
got into the network via a phishing attack, but that didn’t tell us much information.

00:12:23.690 --> 00:12:30.380
So, we concluded the investigation or the report without any attribution; so, we just

00:12:30.380 --> 00:12:33.180
know that somebody compromised the system.

00:12:33.180 --> 00:12:38.950
JACK: No attribution on the final report for the Quantum ransomware infection.

00:12:38.950 --> 00:12:41.209
Okay, hm.

00:12:41.209 --> 00:12:44.280
Attribution means figuring out who did this, and they couldn’t figure it out.

00:12:44.280 --> 00:12:46.699
There just simply weren’t enough clues.

00:12:46.699 --> 00:12:52.149
It seemed to be fairly common malware with no clear path leading to anyone in particular.

00:12:52.149 --> 00:12:54.769
All it seemed was that it was financially motivated.

00:12:54.769 --> 00:12:57.700
They wanted money and that’s the whole reason why they did this.

00:12:57.700 --> 00:13:01.490
I think there’s three main categories for the different types of attackers.

00:13:01.490 --> 00:13:06.209
There’s the hacktivist type people who are hacking into things just for fun or to make

00:13:06.209 --> 00:13:10.690
a point, like those defacing websites, and then there are people who are financially

00:13:10.690 --> 00:13:15.180
motivated; they’re only there to make money, and then there are more sophisticated groups

00:13:15.180 --> 00:13:18.690
there trying to steal state secrets or something.

00:13:18.690 --> 00:13:22.579
I mean, they might even have spies on the ground of the place they’re trying to break

00:13:22.579 --> 00:13:23.579
into.

00:13:23.579 --> 00:13:28.209
If you know who your adversary is, you can combat against that particular threat more

00:13:28.209 --> 00:13:29.209
effectively.

00:13:29.209 --> 00:13:33.510
You can prepare better and be more alert, so it’s important to understand the landscape

00:13:33.510 --> 00:13:38.370
of who can and who is and who should and who would be attacking you.

00:13:38.370 --> 00:13:42.029
When you’re dealing with ransomware, you’re typically up against someone who just wants

00:13:42.029 --> 00:13:45.950
money, and if you don’t pay it or make it really hard for them, they’ll probably just

00:13:45.950 --> 00:13:47.790
move on to an easier target.

00:13:47.790 --> 00:13:50.630
So, after this attack, things settled down.

00:13:50.630 --> 00:13:53.140
Omar went back to his normal duties.

00:13:53.140 --> 00:14:02.230
OMAR: One day, we got a tool to analyze all the DNS queries that the organization made.

00:14:02.230 --> 00:14:10.000
So, we implemented that technology all around all government organizations so we can have

00:14:10.000 --> 00:14:12.949
a whole visibility of why — what’s happening on the government.

00:14:12.949 --> 00:14:18.250
JACK: Okay, so, they got a new tool to look at the domains that each organization is reaching

00:14:18.250 --> 00:14:21.519
out to and each domain that’s connecting into the government’s network.

00:14:21.519 --> 00:14:27.000
Now, they took this data and cross-referenced it with known malicious domains in the world.

00:14:27.000 --> 00:14:28.190
This is called threat intelligence.

00:14:28.190 --> 00:14:32.400
There are companies out there that try to classify every single IP address and domain

00:14:32.400 --> 00:14:35.230
name to try to determine if it’s malicious or not.

00:14:35.230 --> 00:14:41.270
So, if you see computers on your network contacting known malicious domains, then you can double-click

00:14:41.270 --> 00:14:42.769
on that and see what’s going on.

00:14:42.769 --> 00:14:46.510
While he’s scanning the network, I want to take a quick ad break, but stay with us

00:14:46.510 --> 00:14:49.860
because you’re gonna want to hear what he found.

00:14:49.860 --> 00:14:54.630
Omar was scanning the Dominican Republic’s DNS queries to see if anything unusual was

00:14:54.630 --> 00:14:55.630
going on.

00:14:55.630 --> 00:15:02.690
OMAR: So, we cover a C2 server that was utilized by Conti.

00:15:02.690 --> 00:15:09.019
JACK: [MUSIC] Oh no, a computer within the Dominican Republic government was connecting

00:15:09.019 --> 00:15:14.250
to a command and control server — otherwise known as a C2 server — that is known to

00:15:14.250 --> 00:15:18.330
control systems infected by the Conti ransomware.

00:15:18.330 --> 00:15:19.570
This is bad.

00:15:19.570 --> 00:15:24.079
This indicates that the government is about to get hit.

00:15:24.079 --> 00:15:28.240
Someone has them in their crosshairs and just needs to pull the trigger, and perhaps they’re

00:15:28.240 --> 00:15:31.220
gonna get hit as hard as Costa Rica got hit.

00:15:31.220 --> 00:15:36.509
Whoever was behind that attack on Costa Rica clearly had a lot of time and resources to

00:15:36.509 --> 00:15:42.589
make a very deep and wide impact there, crippling their systems and government.

00:15:42.589 --> 00:15:47.329
But lucky that Omar has such a keen eye and is tuned into the threats of his government

00:15:47.329 --> 00:15:48.899
so he can detect this early.

00:15:48.899 --> 00:15:54.980
So, he zoomed into this alert and he saw that, yes, in fact, a system did get infected and

00:15:54.980 --> 00:15:59.810
it reached out to the command and control server to download Cobalt Strike.

00:15:59.810 --> 00:16:02.690
Cobalt Strike is a full suite of hacker tools.

00:16:02.690 --> 00:16:08.370
It’s equivalent to finding a bad guy in your building and also finding his huge sack

00:16:08.370 --> 00:16:10.649
of tactical spy tools.

00:16:10.649 --> 00:16:17.200
But because they spotted this as it was unfolding, they were able to delete those tools and clean

00:16:17.200 --> 00:16:21.430
that system and start hardening that system so it doesn’t get infected again.

00:16:21.430 --> 00:16:26.259
On top of that, with this newfound activity on their network, knowing that they’re in

00:16:26.259 --> 00:16:31.910
the crosshairs of somebody, it was important to start alerting the users in the government

00:16:31.910 --> 00:16:32.910
agencies.

00:16:32.910 --> 00:16:36.510
Be on alert; we are seeing some bad weather on the horizon.

00:16:36.510 --> 00:16:42.120
Be very cautious of any phishing e-mails, and please, please, please report anything

00:16:42.120 --> 00:16:44.529
suspicious to the security team.

00:16:44.529 --> 00:16:45.529
Thank you.

00:16:45.529 --> 00:16:51.050
OMAR: [MUSIC] So, that’s when everybody start to send us — sending out e-mails and

00:16:51.050 --> 00:16:53.380
e-mails and e-mails.

00:16:53.380 --> 00:16:57.529
We analyzed hundreds of e-mails, literally hundreds of e-mails.

00:16:57.529 --> 00:17:02.889
So, there were things about these e-mails, that they were written in perfect Spanish.

00:17:02.889 --> 00:17:06.180
They were not English, but perfect Spanish.

00:17:06.180 --> 00:17:07.780
Like, perfect Spanish.

00:17:07.780 --> 00:17:14.990
JACK: Okay, wow; so, they were seeing a lot of phishing attempts, e-mails posing as someone

00:17:14.990 --> 00:17:20.760
else trying to get users to click links, open zip files or attachments, and in every one

00:17:20.760 --> 00:17:25.339
of these e-mails, the attacker spoke perfect Spanish.

00:17:25.339 --> 00:17:29.940
This is really curious since a lot of these ransomware gangs would be coming from Eastern

00:17:29.940 --> 00:17:31.350
Europe or Russia.

00:17:31.350 --> 00:17:35.790
They wouldn’t have the ability to speak perfect Spanish on such a large scale with

00:17:35.790 --> 00:17:37.660
hundreds of phishing e-mails being written.

00:17:37.660 --> 00:17:40.990
OMAR: At that time, it was June 2022.

00:17:40.990 --> 00:17:48.420
We had over 500 to 600 e-mails, different e-mails, and all of them were different.

00:17:48.420 --> 00:17:51.950
So, we didn’t have one single e-mail that was the same.

00:17:51.950 --> 00:17:59.540
But all of them share one thing; all the same were about banking transactions or money or

00:17:59.540 --> 00:18:02.340
payment, something related to money.

00:18:02.340 --> 00:18:12.470
Also, all of them had a backdoor the attackers were using, which was a band – a backdoor

00:18:12.470 --> 00:18:14.800
known as Bandook.

00:18:14.800 --> 00:18:16.350
JACK: Bandook.

00:18:16.350 --> 00:18:21.900
Okay, if I google ‘Bandook malware’, I immediately get an article saying that this

00:18:21.900 --> 00:18:26.799
malware gives remote access to a computer, and it was written by someone named Prince

00:18:26.799 --> 00:18:29.500
Ali who’s from Lebanon in the Middle East.

00:18:29.500 --> 00:18:34.940
More specifically, the Bandook malware has been known to be used by a group called Dark

00:18:34.940 --> 00:18:35.940
Caracal.

00:18:35.940 --> 00:18:40.039
Well, that’s what the EFF named them, at least, and while we aren’t sure exactly

00:18:40.039 --> 00:18:44.960
who they are, there are quite a bit of clues that lead us to believe that the Lebanese

00:18:44.960 --> 00:18:48.980
government is somehow behind this Dark Caracal group.

00:18:48.980 --> 00:18:54.950
I want to paint a clear picture for you; hundreds of phishing e-mails are flooding into different

00:18:54.950 --> 00:18:59.400
government agencies in the Dominican Republic, all of which are trying to get the recipient

00:18:59.400 --> 00:19:04.690
to open an attachment or click a link which will infect them with this Bandook malware,

00:19:04.690 --> 00:19:10.039
which typically seems to be the work of this threat actor group called Dark Caracal.

00:19:10.039 --> 00:19:14.650
As Omar looked at these e-mails coming in, he noticed something even more scary.

00:19:14.650 --> 00:19:18.870
OMAR: They compromised a company, so it was an important target.

00:19:18.870 --> 00:19:23.080
JACK: [MUSIC] So, what happened here is that the attackers knew that the Dominican Republic

00:19:23.080 --> 00:19:28.290
was doing business with a certain company, and they infiltrated that company just to

00:19:28.290 --> 00:19:33.700
pose as people from there in order to trick the victims in the Dominican Republic government

00:19:33.700 --> 00:19:35.060
to open attachments.

00:19:35.060 --> 00:19:41.690
OMAR: What they did is that they used a user that was having a conversation with the system

00:19:41.690 --> 00:19:42.690
administrator.

00:19:42.690 --> 00:19:51.549
So, the system administrator was waiting for that user to send him an attachment.

00:19:51.549 --> 00:19:55.309
So, he used a type of the legitimate attachment — the system administrator will see the

00:19:55.309 --> 00:19:56.309
backdoor.

00:19:56.309 --> 00:20:03.310
JACK: I mean, this seems to be the start of a horror story, where it feels like you’re

00:20:03.310 --> 00:20:08.920
home alone at night and someone is throwing rocks at your window, at all your windows

00:20:08.920 --> 00:20:14.990
at once, constantly pinging them, and you just know at any moment one of those windows

00:20:14.990 --> 00:20:16.080
is going to break.

00:20:16.080 --> 00:20:20.540
But there’s just no way to secure everything at once.

00:20:20.540 --> 00:20:26.420
It just takes one user in an agency to get infected, and then the attacker can jump off

00:20:26.420 --> 00:20:29.260
their machine to infect the whole agency.

00:20:29.260 --> 00:20:35.850
For dozens of agencies to be attacked at the same time is horrifying.

00:20:35.850 --> 00:20:39.650
On top of that, the attackers are scanning web servers, looking for vulnerabilities,

00:20:39.650 --> 00:20:42.440
trying to find an exploit to get into the network that way.

00:20:42.440 --> 00:20:48.380
So, it’s like endless banging on the doors and you know they’re not gonna hold.

00:20:48.380 --> 00:20:52.100
Where do you even put your attention in a situation like this?

00:20:52.100 --> 00:20:58.260
The bull is trying to get in your house and there’s nothing you can do to stop it.

00:20:58.260 --> 00:21:03.000
OMAR: We found out something — I was very terrified for us.

00:21:03.000 --> 00:21:08.840
Over thirty government organizations were compromised by that campaign.

00:21:08.840 --> 00:21:10.940
Like, really big organizations.

00:21:10.940 --> 00:21:19.010
JACK: The hacker group Dark Caracal had successfully made their way into thirty different government

00:21:19.010 --> 00:21:24.460
agencies, and each came in through a different entry point, too.

00:21:24.460 --> 00:21:29.679
To see that this was coming, to know the bull was headed towards you but to have no ability

00:21:29.679 --> 00:21:36.770
to stop it, has got to be one of the most terrifying feelings, the feeling of helplessness,

00:21:36.770 --> 00:21:40.419
despair, vulnerability.

00:21:40.419 --> 00:21:46.090
Suddenly a huge portion of the Dominican Republic government’s network is now in the control

00:21:46.090 --> 00:21:52.049
of someone else, someone you have no idea who they are but may be related to the Lebanese

00:21:52.049 --> 00:21:53.049
government?

00:21:53.049 --> 00:21:58.590
OMAR: Let me tell you, it was not just government organizations but also critical infrastructure.

00:21:58.590 --> 00:22:03.610
JACK: Holy flip, critical infrastructure is things like power plants, water treatment

00:22:03.610 --> 00:22:05.470
facilities, or dams.

00:22:05.470 --> 00:22:10.429
Disrupting or destroying these systems would absolutely bring this country to its knees.

00:22:10.429 --> 00:22:13.450
OMAR: Yeah, it was a very complicated moment.

00:22:13.450 --> 00:22:15.330
We didn’t know what to do.

00:22:15.330 --> 00:22:19.299
JACK: Now, of course, Omar isn’t working by himself on this when he says that he did

00:22:19.299 --> 00:22:24.110
all these things; it was obviously a team effort, and his team consisted of seven or

00:22:24.110 --> 00:22:25.110
eight people.

00:22:25.110 --> 00:22:28.720
But then, every agency in the government has their own IT department, and some, of course,

00:22:28.720 --> 00:22:32.350
are bigger than others, but everyone was working extra hours to help out.

00:22:32.350 --> 00:22:35.380
But it just makes me wonder, you know?

00:22:35.380 --> 00:22:39.860
How robust is the Dominican Republic’s cyber security?

00:22:39.860 --> 00:22:45.270
They may not be able to afford the most up-to-date network infrastructure, and they may be running

00:22:45.270 --> 00:22:46.780
old systems in place.

00:22:46.780 --> 00:22:52.300
They may not have the funds to employ high-quality employees to react to this.

00:22:52.300 --> 00:22:59.289
But when you’re on the internet, it means you’re only one click away from every threat

00:22:59.289 --> 00:23:00.630
actor in the world.

00:23:00.630 --> 00:23:07.340
So, you absolutely need to secure your government’s networks just as well as the largest governments

00:23:07.340 --> 00:23:08.340
in the world.

00:23:08.340 --> 00:23:13.440
Just because you’re a small island doesn’t mean you get to skimp on cyber security.

00:23:13.440 --> 00:23:19.530
You need to be just as good as everyone else, and it feels asymmetric in so many ways.

00:23:19.530 --> 00:23:26.029
You have to be prepared for the most sophisticated threat actors in the world, and I just wonder,

00:23:26.029 --> 00:23:29.100
how advanced was the cyber security of the Dominican Republic?

00:23:29.100 --> 00:23:36.720
OMAR: Well, after they did some things on the system, they now downloaded or installed

00:23:36.720 --> 00:23:43.190
a second malware, which was a Cobalt Strike implant which was communicating to Conti’s

00:23:43.190 --> 00:23:44.190
C2.

00:23:44.190 --> 00:23:48.500
JACK: [MUSIC] A C2 means command and control server, but, I mean, what?

00:23:48.500 --> 00:23:53.940
You’re telling me that some advanced adversary who may be in the Middle East is now starting

00:23:53.940 --> 00:23:57.080
to install the Conti ransomware on these systems?

00:23:57.080 --> 00:24:01.940
This is boggling because Conti has been widely attributed to be from Russia.

00:24:01.940 --> 00:24:06.100
So, first of all, why are these two groups even allies or working together?

00:24:06.100 --> 00:24:13.950
Second, holy crap, you now have two sophisticated attack teams working together to attack your

00:24:13.950 --> 00:24:18.700
entire country, national agencies, and critical infrastructure?

00:24:18.700 --> 00:24:22.480
Just when you thought you were in the thick of the storm, the storm got worse.

00:24:22.480 --> 00:24:29.640
OMAR: It was – man, that moment, we wanted to disappear.

00:24:29.640 --> 00:24:33.350
JACK: Then he got alerted of another problem.

00:24:33.350 --> 00:24:37.520
OMAR: A big bank — overnight, it stopped working for over a month.

00:24:37.520 --> 00:24:43.970
So, if that bank cannot operate, all the people that have the money in that bank, what — how

00:24:43.970 --> 00:24:48.860
they are going to get the money out, or how that thing affected the government or the

00:24:48.860 --> 00:24:49.860
economy?

00:24:49.860 --> 00:24:53.580
So, that was something big, and we both — even more people can investigate.

00:24:53.580 --> 00:24:58.730
JACK: The Dominican Republic was in trouble, and Omar’s job was to help.

00:24:58.730 --> 00:25:05.060
OMAR: So, one of the first things that I did or I tried to do was call the people in Costa

00:25:05.060 --> 00:25:07.380
Rica, because that happened to them.

00:25:07.380 --> 00:25:10.921
I wanted to know all about the incident.

00:25:10.921 --> 00:25:14.550
JACK: Now, this is what I love about Omar, is his awareness and his social skills.

00:25:14.550 --> 00:25:18.900
I used to work for a company doing incident response, and guess how much cyber security

00:25:18.900 --> 00:25:21.000
news my boss paid attention to?

00:25:21.000 --> 00:25:22.000
None.

00:25:22.000 --> 00:25:25.770
Guess how many other companies my boss interacted with to understand what threats they were

00:25:25.770 --> 00:25:28.070
facing? None.

00:25:28.070 --> 00:25:33.270
The attitude in our company was to put your head down and do your work, not look around

00:25:33.270 --> 00:25:38.050
to see what everyone else is doing or meet other people in the field, and I hated that.

00:25:38.050 --> 00:25:43.330
I can’t stress this enough, that having allies in this business and going to conferences

00:25:43.330 --> 00:25:48.230
and meeting people and sharing stories with them will help you do your job so much better.

00:25:48.230 --> 00:25:55.140
So, please, IT managers, stop thinking you’re in some silo and your problems are just yours.

00:25:55.140 --> 00:26:01.220
Encourage and support your IT employees to go to conferences, meetups, talks, and workshops.

00:26:01.220 --> 00:26:03.240
It will help your business.

00:26:03.240 --> 00:26:04.490
Trust me.

00:26:04.490 --> 00:26:06.370
Omar has gone to conferences.

00:26:06.370 --> 00:26:09.950
You heard two of his talks at the beginning of this episode, even, and he’s gone to

00:26:09.950 --> 00:26:13.399
meetups and he’s made friends across the sea, in Costa Rica.

00:26:13.399 --> 00:26:16.679
Specifically, it was the conference called FIRST where he met them, and you can learn

00:26:16.679 --> 00:26:18.169
more about this at first.org.

00:26:18.169 --> 00:26:24.740
OMAR: FIRST is a forum for incident response, so all the incident response teams that own

00:26:24.740 --> 00:26:31.720
the work just have a conference once or twice a year, so we all go to that conference in

00:26:31.720 --> 00:26:36.690
which other — so, if anybody needs help, so we know who we can call.

00:26:36.690 --> 00:26:39.190
JACK: Well, FIRST is just one conference in the world.

00:26:39.190 --> 00:26:41.850
There are so many more going on these days.

00:26:41.850 --> 00:26:46.390
In fact, I think any given week you can find two or three security conferences going on

00:26:46.390 --> 00:26:47.480
somewhere in the world.

00:26:47.480 --> 00:26:52.190
So, just google ‘cyber security conference near me’, and see what’s coming up near

00:26:52.190 --> 00:26:53.190
you.

00:26:53.190 --> 00:26:56.540
Having these connections was very valuable in this situation.

00:26:56.540 --> 00:26:58.720
It was a force multiplier, even.

00:26:58.720 --> 00:27:03.020
Dominican Republic doesn’t have the biggest cyber security incident response team in the

00:27:03.020 --> 00:27:07.740
world, and so, knowing who to tap for help creates a battalion of people who can help

00:27:07.740 --> 00:27:09.250
you in different ways.

00:27:09.250 --> 00:27:13.870
One thing they did was compare their malware and indicators with other countries in Latin

00:27:13.870 --> 00:27:16.870
America to see who else has seen anything like this.

00:27:16.870 --> 00:27:21.830
Then he started creating a playbook with help from other nations to start remediating this.

00:27:21.830 --> 00:27:26.179
Of course, he was also calling up security vendors, the people who made the software

00:27:26.179 --> 00:27:28.630
that was supposed to be securing his network.

00:27:28.630 --> 00:27:33.800
He’d call up and say things like, hey, we pay you to block these attacks and you didn’t.

00:27:33.800 --> 00:27:35.480
Please help us fix it.

00:27:35.480 --> 00:27:39.600
Of course, the security vendors want to make their tools better, so they wanted a sample

00:27:39.600 --> 00:27:43.640
of the malware and what methods they used to get in, and were working quickly to fix

00:27:43.640 --> 00:27:47.950
their software so they would be able to block these attacks from continuing.

00:27:47.950 --> 00:27:50.480
This was happening on Windows machines.

00:27:50.480 --> 00:27:53.740
They were getting infected even though they were fully patched and updated.

00:27:53.740 --> 00:27:58.399
So, a call to Microsoft was important to show them what they were dealing with and to ask,

00:27:58.399 --> 00:27:59.779
how can you fix this?

00:27:59.779 --> 00:28:03.280
They were calling out to other network vendors, too, because their systems were compromised.

00:28:03.280 --> 00:28:07.780
By the way, when you call up one of these companies to try to report a zero-day exploit,

00:28:07.780 --> 00:28:10.039
it’s not easy.

00:28:10.039 --> 00:28:14.419
The first person that you get, the first-tier support, tells you stupid things like, okay

00:28:14.419 --> 00:28:16.590
sir, did you try rebooting the system?

00:28:16.590 --> 00:28:20.390
You’re like, come on, please, please, please connect me to somebody who knows what they’re

00:28:20.390 --> 00:28:23.260
doing over there, and they simply cannot.

00:28:23.260 --> 00:28:27.570
So, you need to ask for a manager, and then the manager doesn’t know how to fix it,

00:28:27.570 --> 00:28:31.120
and they don’t want to admit that their software has vulnerabilities in it.

00:28:31.120 --> 00:28:34.480
So, you go back and forth, trying to troubleshoot it for days.

00:28:34.480 --> 00:28:39.510
It’s tedious and time-consuming before they escalate it to the next tier support, and

00:28:39.510 --> 00:28:44.570
eventually you get an engineer or a developer who knows the system inside and out and can

00:28:44.570 --> 00:28:48.610
recognize the problem and replay it and fix it right away.

00:28:48.610 --> 00:28:52.809
It’s just that that person is behind like, eight layers of support tiers before you can

00:28:52.809 --> 00:28:53.809
get to them.

00:28:53.809 --> 00:28:58.789
Now, there’s this quote from Bruce Schneier that has frustrated me but also educated me

00:28:58.789 --> 00:29:00.730
on the reality of cyber security.

00:29:00.730 --> 00:29:04.269
The quote goes like this; “You can’t defend.

00:29:04.269 --> 00:29:05.660
You can’t protect.

00:29:05.660 --> 00:29:10.360
The only thing you can do is detect and respond.”

00:29:10.360 --> 00:29:15.650
I get frustrated from that quote because I feel like we should be able to defend and

00:29:15.650 --> 00:29:16.650
protect.

00:29:16.650 --> 00:29:19.880
Why don’t we have secure software that can do that?

00:29:19.880 --> 00:29:25.559
How many more years and technical advancements do we need before we can defend our networks?

00:29:25.559 --> 00:29:28.680
But the sad truth is we may never get there.

00:29:28.680 --> 00:29:34.610
So, what Bruce is saying is we need to be assuming we’re breached and to work on improving

00:29:34.610 --> 00:29:38.570
our ability to detect and respond to cyber threats.

00:29:38.570 --> 00:29:42.630
Somewhere in the middle of the storm, Omar realized that, too.

00:29:42.630 --> 00:29:46.260
Instead of trying to build those walls up higher and higher to stop people from getting

00:29:46.260 --> 00:29:50.149
in, he needed to get better at detecting when they did get in.

00:29:50.149 --> 00:29:55.289
[MUSIC] So, he started installing more monitoring tools into the network so that he could watch

00:29:55.289 --> 00:30:01.309
more closely what was going on in there, and this allowed him to understand where Cobalt

00:30:01.309 --> 00:30:07.039
Strike was and spot it, and the Bandook malware and Conti ransomware and Dark Caracal, and

00:30:07.039 --> 00:30:11.059
where it was in the network and how it was moving around, giving him a beautiful view

00:30:11.059 --> 00:30:12.840
into which systems were infected.

00:30:12.840 --> 00:30:21.279
OMAR: We found out that the threat actor was on the systems over ten months ago.

00:30:21.279 --> 00:30:24.140
JACK: They were in these agencies for ten months?

00:30:24.140 --> 00:30:25.140
Geez.

00:30:25.140 --> 00:30:31.140
OMAR: So, when we discovered that, we tried to get to somebody else that may have more

00:30:31.140 --> 00:30:35.580
information than us, and we get to our partners.

00:30:35.580 --> 00:30:44.440
So, when — we reach out to them and we show them all the information that we have, and

00:30:44.440 --> 00:30:49.360
they told us something that made me very afraid.

00:30:49.360 --> 00:30:55.510
So, they told us that it was not just Dark Caracal; it was not just Conti, but also it

00:30:55.510 --> 00:30:58.510
was — Russia was also involved.

00:30:58.510 --> 00:31:01.740
JACK: Russia as in the Russian government.

00:31:01.740 --> 00:31:07.980
OMAR: It was very strange for me why Russia would compromise the Dominican Republic in

00:31:07.980 --> 00:31:08.980
that way.

00:31:08.980 --> 00:31:11.580
What interest they would have here?

00:31:11.580 --> 00:31:16.650
Because in the Dominican Republic, we have a lot of Russians, like, a lot of Russians

00:31:16.650 --> 00:31:18.700
living here.

00:31:18.700 --> 00:31:21.029
What would be their intention?

00:31:21.029 --> 00:31:28.140
What that organization told us is that they were trying to experiment with some countries,

00:31:28.140 --> 00:31:30.610
something that they may do in a bigger scale.

00:31:30.610 --> 00:31:37.520
So, they could not target some more mature countries like the United States or United

00:31:37.520 --> 00:31:39.500
Kingdom because they have better defense.

00:31:39.500 --> 00:31:42.440
So, they were trying to do it in this part of the world.

00:31:42.440 --> 00:31:47.950
So, what happened in Costa Rica, even though it’s not public — and I’m not saying

00:31:47.950 --> 00:31:53.250
that on behalf of any government; it’s just my opinion and what I know from what happened

00:31:53.250 --> 00:31:56.139
and for what I learned on the process.

00:31:56.139 --> 00:32:00.779
What happened in Costa Rica was part of that and what was happening in the Dominican Republic

00:32:00.779 --> 00:32:06.429
was part of that, and it was not just Costa Rica and the Dominican Republic, but also,

00:32:06.429 --> 00:32:10.580
all the countries in the Latin American region were in both on that.

00:32:10.580 --> 00:32:16.860
So, we — as soon as we knew that, we started reaching out to those countries to let them

00:32:16.860 --> 00:32:24.460
know that this was happening, to share indicators of compromise — or that way, they find out

00:32:24.460 --> 00:32:28.960
even earlier that, oh, that something dangerous was happening in their country.

00:32:28.960 --> 00:32:35.870
So, they were able to — those things before something really bad happened.

00:32:35.870 --> 00:32:41.519
JACK: There’s now a third threat actor involved in this attack?

00:32:41.519 --> 00:32:47.710
Now, just before all this happened in the Dominican Republic, there was some crazy drama

00:32:47.710 --> 00:32:50.059
going on in the Conti ransomware gang.

00:32:50.059 --> 00:32:57.220
So, Conti, we know, is based in Russia, and they came out publicly in support of Russia’s

00:32:57.220 --> 00:32:58.240
invasion of Ukraine.

00:32:58.240 --> 00:33:05.320
Well, I guess someone close to Conti did not like this and decided to publicly leak 60,000

00:33:05.320 --> 00:33:08.350
messages between the Conti group and other people.

00:33:08.350 --> 00:33:13.289
These leaked messages showed that the Russian government had been hacking into places that

00:33:13.289 --> 00:33:15.490
just seemed to be in poor taste, you know?

00:33:15.490 --> 00:33:17.320
Like, hacking medical researchers.

00:33:17.320 --> 00:33:23.559
So, it’s not far-fetched to think that Conti may be working with the Russian government

00:33:23.559 --> 00:33:28.830
or that the Russian government would be attacking smaller countries, sort of as a testing ground

00:33:28.830 --> 00:33:31.860
to practice their hacking skills.

00:33:31.860 --> 00:33:39.690
But I mean, an infiltration at this level really can pose as a whole new type of ransomware.

00:33:39.690 --> 00:33:44.960
Just hypothetically, imagine a phone call from Putin to the president of the Dominican

00:33:44.960 --> 00:33:48.990
Republic where Putin could say something like, listen, we want you to support our war with

00:33:48.990 --> 00:33:52.960
Ukraine, and if you don’t, we’ll turn your whole country off.

00:33:52.960 --> 00:33:57.279
Because they can; with their hand in so many agencies’ networks and critical infrastructure,

00:33:57.279 --> 00:34:03.090
they could just shut down the Dominican Republic, and that would be a form of ransomware, wouldn’t

00:34:03.090 --> 00:34:04.090
it be?

00:34:04.090 --> 00:34:05.090
Now, this is just a hypothetical.

00:34:05.090 --> 00:34:08.839
I have no idea if Putin has any relations with the Dominican Republic.

00:34:08.839 --> 00:34:15.679
At some point, does — do you contact the president and say, hey, we’ve got a really

00:34:15.679 --> 00:34:21.190
big deal; it’s not just your normal malware, but this is just a geopolitical problem?

00:34:21.190 --> 00:34:22.330
OMAR: Yes, we did.

00:34:22.330 --> 00:34:28.610
So, we call a national meeting with the big persons for the government.

00:34:28.610 --> 00:34:34.849
So, we informed the president and the intelligence agencies about what we discovered.

00:34:34.849 --> 00:34:39.330
JACK: Of course, attribution is very hard when it comes to cyber-attacks.

00:34:39.330 --> 00:34:43.560
It’s incredibly easy to hide in the shadows on the internet.

00:34:43.560 --> 00:34:49.220
So, even though there are some things that point to this being Russia and Dark Caracal,

00:34:49.220 --> 00:34:55.010
how confident can you really be, especially when you’re on the phone briefing the president?

00:34:55.010 --> 00:35:00.090
Maybe someone else just got ahold of the Bandook malware or Conti ransomware.

00:35:00.090 --> 00:35:04.160
Maybe someone wants you to think that it was those threat actors attacking you just to

00:35:04.160 --> 00:35:09.490
throw you off the scent, because we’ve seen threat actors put in fake clues to do just

00:35:09.490 --> 00:35:11.079
that before.

00:35:11.079 --> 00:35:16.530
For this situation, there were a lot more questions than there were answers.

00:35:16.530 --> 00:35:22.960
If Dark Caracal is Lebanese-based, why would they be working with Russia or Conti?

00:35:22.960 --> 00:35:26.570
Was this financially motivated or politically motivated?

00:35:26.570 --> 00:35:30.100
This attribution wasn’t exactly clear, and neither are the motives.

00:35:30.100 --> 00:35:35.920
OMAR: Yeah, so they’re not supposed to work together, so nothing went over our head.

00:35:35.920 --> 00:35:39.770
Over and over, we overthink it, so, why, why, why?

00:35:39.770 --> 00:35:43.210
JACK: Do Lebanon and the Dominican Republic have any relations?

00:35:43.210 --> 00:35:44.900
OMAR: We do.

00:35:44.900 --> 00:35:48.810
So, our current president, his family is from Lebanon.

00:35:48.810 --> 00:35:50.270
JACK: What?

00:35:50.270 --> 00:35:54.190
Hold on, how can the president of the Dominican Republic be from Lebanon?

00:35:54.190 --> 00:35:56.099
Let me look this up.

00:35:56.099 --> 00:36:01.360
Okay, his grandfather was born in Lebanon and moved to the Dominican Republic in the

00:36:01.360 --> 00:36:02.460
1800s.

00:36:02.460 --> 00:36:08.310
It’s not clear to me, at least, if he’s still tied to Lebanon in any way shape or

00:36:08.310 --> 00:36:09.310
form.

00:36:09.310 --> 00:36:12.120
I mean, I couldn’t even find out if he’s — can speak Lebanese, you know?

00:36:12.120 --> 00:36:17.790
But it seems like only weeks after he was elected as president is when this attack happened.

00:36:17.790 --> 00:36:22.510
So, maybe this has something to do with Lebanon sending a message to the president?

00:36:22.510 --> 00:36:26.849
My mind is spinning here, and I don’t want to make any wild assumptions.

00:36:26.849 --> 00:36:31.880
At the very least, I’m reminded of how Costa Rica’s president declared war on Conti,

00:36:31.880 --> 00:36:36.609
and now I can see that that’s not so far-fetched of an idea anymore.

00:36:36.609 --> 00:36:41.230
At this point, Omar had a very good understanding of this campaign and malware, and he even

00:36:41.230 --> 00:36:44.840
reverse-engineered some of the malware and inspected it for clues and looked at their

00:36:44.840 --> 00:36:48.730
command and control servers, and had a full map of where the infections were and how they

00:36:48.730 --> 00:36:49.950
were moving around the network.

00:36:49.950 --> 00:36:54.160
On top of that, vendors started to improve their systems, showing patches and updates

00:36:54.160 --> 00:36:55.680
and better ways to detect this.

00:36:55.680 --> 00:37:01.359
So, he got together with all the teams inside the agencies that were infected and explained

00:37:01.359 --> 00:37:03.550
the remediation process.

00:37:03.550 --> 00:37:08.120
Step by step, he walked them through how to remove this and stop this from happening again,

00:37:08.120 --> 00:37:13.020
and he also called the ISP to have them block certain domains, and he was actively cleaning

00:37:13.020 --> 00:37:14.480
up the mess.

00:37:14.480 --> 00:37:18.700
[MUSIC] Of course, any good threat actor’s not gonna go down without a fight, so while

00:37:18.700 --> 00:37:23.569
they’d block a domain or a command and control server, a new one would just spin up, and

00:37:23.569 --> 00:37:27.020
they had to keep blocking and updating their detection methods.

00:37:27.020 --> 00:37:32.160
You know, the goal for security isn’t always to stop all the threats permanently, but instead

00:37:32.160 --> 00:37:37.130
just to make it as hard as you can for the bad guys to get in, because it takes work

00:37:37.130 --> 00:37:38.440
to spin up new domains.

00:37:38.440 --> 00:37:42.700
It takes work to pull out a new zero-day to infect more systems, and it takes work to

00:37:42.700 --> 00:37:45.270
regain access once you get kicked out.

00:37:45.270 --> 00:37:51.680
So, having this coordinated effort to shut them out started to exhaust the attackers’

00:37:51.680 --> 00:37:52.680
resources.

00:37:52.680 --> 00:37:57.420
Do they really want to put a lot more work and effort into getting back in or just move

00:37:57.420 --> 00:37:59.200
on to the next target?

00:37:59.200 --> 00:38:03.740
There’s a concept called the pyramid of pain when defending a network, and it’s

00:38:03.740 --> 00:38:08.210
basically the more painful you can make it for the attackers to get in, the less likely

00:38:08.210 --> 00:38:09.720
they’ll actually do it.

00:38:09.720 --> 00:38:14.140
You never will become fully secure, but at least you can make them work for it.

00:38:14.140 --> 00:38:19.170
So, after a massive coordinated effort to clean up the government agencies and a big

00:38:19.170 --> 00:38:24.010
bank and critical infrastructure, they were able to successfully clear everything off

00:38:24.010 --> 00:38:25.730
and keep it off.

00:38:25.730 --> 00:38:30.750
In fact, they seemed to have stopped the Conti ransomware attack before it actually triggered

00:38:30.750 --> 00:38:32.340
ransomware on any systems.

00:38:32.340 --> 00:38:36.490
It was only staging the ransom, but never actually executed it.

00:38:36.490 --> 00:38:40.660
Omar also looked to see if any data got exfiltrated from the network, but it didn’t.

00:38:40.660 --> 00:38:46.540
So, it doesn’t seem like Russia or Dark Caracal stole any information out of the government.

00:38:46.540 --> 00:38:49.030
Did they disrupt critical infrastructure?

00:38:49.030 --> 00:38:55.630
OMAR: They tried to but they could not.

00:38:55.630 --> 00:39:00.390
The critical infrastructure works — what we call the OT, which is operational technology.

00:39:00.390 --> 00:39:05.880
JACK: Yeah, to control a dam or a water pump or an electrical transformer, it doesn’t

00:39:05.880 --> 00:39:08.380
use a typical Windows computer or something.

00:39:08.380 --> 00:39:12.720
It’s a different system called OT, which is operational technology, as opposed

00:39:12.720 --> 00:39:14.900
to IT, information technology.

00:39:14.900 --> 00:39:18.980
OT takes a completely different skill set, and it sounds like whoever got into these

00:39:18.980 --> 00:39:24.220
systems didn’t quite have the skill set to control OT systems, which was good that

00:39:24.220 --> 00:39:26.420
they didn’t get disrupted.

00:39:26.420 --> 00:39:29.790
What a whirlwind story this was, huh?

00:39:29.790 --> 00:39:35.000
To have a government completely cracked open like that with no way to stop the attackers,

00:39:35.000 --> 00:39:40.110
in my opinion, at least, but then to gain back control of it and lock them out.

00:39:40.110 --> 00:39:44.110
Omar likes sharing this story with others so that they could be aware that this kind

00:39:44.110 --> 00:39:45.780
of stuff goes on in the world.

00:39:45.780 --> 00:39:50.240
In fact, as I’m looking things up here, it seems like Venezuela also got targeted

00:39:50.240 --> 00:39:52.730
with the same group or groups.

00:39:52.730 --> 00:39:59.310
So, in 2022, Latin American countries were hit hard with these huge coordinated-attack

00:39:59.310 --> 00:40:05.620
campaigns that may have been unstoppable due to the sophistication and breadth of the attack.

00:40:05.620 --> 00:40:08.430
I wonder if Haiti got hit, you know?

00:40:08.430 --> 00:40:13.130
The president of Haiti has been assassinated and the place has a barely-functioning government,

00:40:13.130 --> 00:40:15.670
and it’s kinda been taken over by gangs.

00:40:15.670 --> 00:40:20.170
Would you expect their cyber security posture to be strong or lacking?

00:40:20.170 --> 00:40:27.450
I mean, if Russia infiltrated Haiti’s networks, is there anyone there to even notice it and

00:40:27.450 --> 00:40:29.490
clean it up?

00:40:29.490 --> 00:40:33.020
I just wonder about Haiti, because they share the same island as the Dominican Republic.

00:40:33.020 --> 00:40:38.310
I don’t know, in some ways I hate that our world is so vulnerable digitally still, that

00:40:38.310 --> 00:40:41.849
our most critical systems are still susceptible to attack.

00:40:41.849 --> 00:40:46.170
My knee-jerk reaction is to say something like, take your systems offline if you can’t

00:40:46.170 --> 00:40:50.390
secure them properly, but that’s the opposite of technological progress, so that kind of

00:40:50.390 --> 00:40:53.220
attitude or strategy just isn’t gonna fly today.

00:40:53.220 --> 00:40:58.520
I just feel like when our systems get too complicated, they become insecure, and we

00:40:58.520 --> 00:41:03.450
certainly live in a very complicated network of computers now, don’t we?

00:41:03.450 --> 00:41:10.069
But the thing is, even in my dreams, I still can’t find a safe place to hide.

00:41:10.069 --> 00:41:20.140
(OUTRO): [OUTRO MUSIC] A huge thank-you to Omar Avilez for coming on the show and sharing

00:41:20.140 --> 00:41:21.140
this story with us.

00:41:21.140 --> 00:41:24.900
The easiest way to find Omar to connect with him is by looking him up on LinkedIn.

00:41:24.900 --> 00:41:27.990
I’ll have a link to his LinkedIn in the show notes.

00:41:27.990 --> 00:41:31.780
In this episode we talked about the threat actor Dark Caracal, and I actually did a full

00:41:31.780 --> 00:41:33.950
episode on them a while back, and that’s Episode 38.

00:41:33.950 --> 00:41:37.380
It’s a really fascinating group, so go check out that episode.

00:41:37.380 --> 00:41:41.680
Just as a reminder, this show is now on a monthly release schedule, so look for new

00:41:41.680 --> 00:41:43.750
episodes on the first Tuesday of every month.

00:41:43.750 --> 00:41:47.360
I also have a store where you can buy cool shirts to support the show.

00:41:47.360 --> 00:41:51.181
It’s not all branded with Darknet Diaries logos; there are some there, but there are

00:41:51.181 --> 00:41:55.510
a ton of shirts that I just know you’ll absolutely love the design and want to wear

00:41:55.510 --> 00:41:56.510
these shirts.

00:41:56.510 --> 00:42:01.750
So, please go visit shop.darknetdiaries.com, and thanks for supporting the show.

00:42:01.750 --> 00:42:06.710
This show is made by me, the bull fighter, Jack Rhysider, editing help this episode by

00:42:06.710 --> 00:42:10.980
the bipedal Tristan Ledger, mixing done by Proximity Sound, and our theme music was created

00:42:10.980 --> 00:42:14.421
by the mysterious Breakmaster Cylinder, who just released a new album, and I’ll have

00:42:14.421 --> 00:42:16.720
a link in the show notes if you want to take a listen.

00:42:16.720 --> 00:42:21.079
Now, even though when I see people rate this show a 10, I always assume it’s in binary

00:42:21.079 --> 00:42:23.210
and they’re really giving it a 2.

00:42:23.210 --> 00:42:35.699
This is Darknet Diaries.
