WEBVTT

00:00:00.420 --> 00:00:02.050
JACK: Hackers in the Olympics?

00:00:02.050 --> 00:00:05.410
Yeah, it’s happened in the fencing competition of all places.

00:00:05.410 --> 00:00:07.899
Have you watched modern fencing lately?

00:00:07.899 --> 00:00:12.389
If you watch it, I have one tip for you; don’t blink.

00:00:12.389 --> 00:00:13.870
Fencing is extremely fast.

00:00:13.870 --> 00:00:15.549
The blades are whipping through the air.

00:00:15.549 --> 00:00:19.279
[MUSIC] As a spectator, you’re trying to see who hit who first, keeping your eyes on

00:00:19.279 --> 00:00:20.640
two different swords at once.

00:00:20.640 --> 00:00:21.939
It’s impossible to tell.

00:00:21.939 --> 00:00:27.539
In fact, it’s impossible for the judges to tell, too, so they’ve adopted technology

00:00:27.539 --> 00:00:28.539
to help.

00:00:28.539 --> 00:00:30.770
Now, I’m not talking about some high-speed camera.

00:00:30.770 --> 00:00:32.750
No, it’s more technical than that.

00:00:32.750 --> 00:00:34.329
There’s circuitry involved.

00:00:34.329 --> 00:00:40.649
In order to score a point, your foil or sword needs to apply 0.75 kilograms of pressure

00:00:40.649 --> 00:00:44.100
to the opponent’s target area which is their head or chest.

00:00:44.100 --> 00:00:46.680
You have to directly poke with the foil.

00:00:46.680 --> 00:00:50.210
Slashing or hitting the target with the side of the foil doesn’t count.

00:00:50.210 --> 00:00:55.140
To help the judges figure out who struck who first with enough force, they’ve added electronic

00:00:55.140 --> 00:00:58.120
components to the sword and protective gear.

00:00:58.120 --> 00:01:02.690
Basically, there are wires going up the center of the sword and at the tip is a little pressure

00:01:02.690 --> 00:01:08.400
plate so when you push the tip of the sword with 0.75 kilograms of pressure, it completes

00:01:08.400 --> 00:01:10.210
the circuit of the sword.

00:01:10.210 --> 00:01:15.549
Each fencer has a helmet and chest protector which is wired to the same electronic circuit.

00:01:15.549 --> 00:01:19.940
Basically, to add it all up, when the sword is pressed into the opponent’s chest or

00:01:19.940 --> 00:01:25.940
helmet at 0.75 kilograms of pressure or more, an electronic circuit is complete and a point

00:01:25.940 --> 00:01:26.940
is scored.

00:01:26.940 --> 00:01:32.930
It’s a fairly simple but technical way of scoring in fencing, but this means electronics

00:01:32.930 --> 00:01:36.299
and computers are now the judges.

00:01:36.299 --> 00:01:38.600
You see where I’m going with this, right?

00:01:38.600 --> 00:01:45.079
In the 1976 Olympics in Montreal, Quebec, this got exploited.

00:01:45.079 --> 00:01:50.399
Fencing competitor Boris Onischenko, representing the Soviet Union, rigged his sword.

00:01:50.399 --> 00:01:54.920
He hacked it and added a button on the grip so that he could push it and complete the

00:01:54.920 --> 00:01:57.110
circuit whenever he wanted.

00:01:57.110 --> 00:02:02.820
His plan was to swing at the opponent, push the button, and the computer judge would count

00:02:02.820 --> 00:02:05.030
it as a hit.

00:02:05.030 --> 00:02:10.610
He went up against a British opponent and did just that; he lunged, missed, pushed the

00:02:10.610 --> 00:02:13.620
button, and a point was scored for Boris.

00:02:13.620 --> 00:02:14.780
Genius.

00:02:14.780 --> 00:02:18.630
The judges didn’t catch it and he was now in the lead.

00:02:18.630 --> 00:02:24.280
But his British opponent protested and said he didn’t feel the hit at all, and asked

00:02:24.280 --> 00:02:26.380
the judges to inspect the sword.

00:02:26.380 --> 00:02:32.470
That’s when they found Boris’ button and disqualified him from the event for hacking.

00:02:32.470 --> 00:02:35.280
The British team that exposed him went on to win the gold medal.

00:02:35.280 --> 00:02:38.010
Yeah, hackers in the Olympics.

00:02:38.010 --> 00:02:46.849
(INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet.

00:02:46.849 --> 00:02:52.099
I’m Jack Rhysider.

00:02:52.099 --> 00:02:55.800
This is Darknet Diaries.

00:02:55.800 --> 00:03:03.500
[INTRO MUSIC ENDS]

00:03:03.500 --> 00:03:12.110
JACK: For this episode, we’re gonna visit with our old friend Andy Greenberg.

00:03:12.110 --> 00:03:17.440
We had Andy on before to tell us the story of NotPetya back in Episode 54 and as you

00:03:17.440 --> 00:03:21.920
may recall, Andy wrote a book called Sandworm which went into great detail about the NotPetya

00:03:21.920 --> 00:03:22.920
attack.

00:03:22.920 --> 00:03:26.930
He’s an amazing investigative journalist and today Andy is going to talk to us about

00:03:26.930 --> 00:03:28.500
hacking the Olympics.

00:03:28.500 --> 00:03:33.330
ANDY: My name is Andy Greenberg and I – did you ask me my title?

00:03:33.330 --> 00:03:36.200
My title is Senior Writer at Wired.

00:03:36.200 --> 00:03:40.730
But I guess for the purposes of this interview, I’m still the author of Sandworm because

00:03:40.730 --> 00:03:42.500
this is a story from Sandworm.

00:03:42.500 --> 00:03:48.000
JACK: [MUSIC] The story takes place in the Winter Olympics in 2018 which was in South

00:03:48.000 --> 00:03:50.390
Korea in the city of Pyeongchang.

00:03:50.390 --> 00:03:52.579
The opening ceremony was on February 8th.

00:03:52.579 --> 00:03:57.390
The city was well below freezing at that time and volunteers donned face masks to protect

00:03:57.390 --> 00:04:00.720
themselves from the icy wind blowing through the stadium.

00:04:00.720 --> 00:04:06.299
Sang-jin Oh, the man running IT for the Olympics, was sitting in a plastic chair a few dozen

00:04:06.299 --> 00:04:10.769
rows above the stadium waiting for the opening ceremony to start.

00:04:10.769 --> 00:04:14.880
A lot of preparations took place to get to this point and you might not think about how

00:04:14.880 --> 00:04:20.280
many IT preparations there are for the Olympics, but there are a ton.

00:04:20.280 --> 00:04:22.750
Sang-jin Oh managed it all.

00:04:22.750 --> 00:04:28.199
Just to start out, he had 150 employees to manage the IT infrastructure for these Olympics.

00:04:28.199 --> 00:04:30.430
That’s a pretty big IT staff.

00:04:30.430 --> 00:04:34.430
I mean, it’s bigger than the size of some Fortune 500 IT teams.

00:04:34.430 --> 00:04:37.720
It’s that big because there’s a ton of things to manage.

00:04:37.720 --> 00:04:42.780
There’s restricted areas which require electronic key cards to access, there are phone apps

00:04:42.780 --> 00:04:47.570
to help spectators enjoy their experience, there’s ticketing systems, WiFi in stadiums,

00:04:47.570 --> 00:04:51.820
fields, and around the villages, and a ton of other systems to help people get from one

00:04:51.820 --> 00:04:52.840
place to another.

00:04:52.840 --> 00:04:57.530
Of course, there’s many stadiums, courses, and buildings where all this IT infrastructure

00:04:57.530 --> 00:04:58.530
has to work.

00:04:58.530 --> 00:05:03.479
They set up a data center with a 24/7 network operation center monitoring

00:05:03.479 --> 00:05:05.360
everything that was going on.

00:05:05.360 --> 00:05:08.949
Oh felt like everything was ready for the games to begin.

00:05:08.949 --> 00:05:13.110
He sat in the stadium to watch the opening ceremony.

00:05:13.110 --> 00:05:17.259
This was the pinnacle of his career, or so he thought.

00:05:17.259 --> 00:05:20.030
The lights dimmed, everyone went quiet.

00:05:20.030 --> 00:05:23.500
The ceremony was starting.

00:05:23.500 --> 00:05:33.419
ANDY: Ten seconds before 8:00 PM, this choir of Korean children begins to do this countdown,

00:05:33.419 --> 00:05:38.889
this ten-second countdown to the beginning of the opening ceremony.

00:05:38.889 --> 00:05:48.440
[CHILDREN COUNTING] Just as they’re counting down in Korean, and this is reverberating

00:05:48.440 --> 00:05:52.620
across the stadium, [PHONE NOTIFICATIONS] Sang-jin Oh looks down at his phone and sees

00:05:52.620 --> 00:05:59.850
that he has this flood of text messages telling him that all of the domain controllers in

00:05:59.850 --> 00:06:06.530
the Olympics’ data centers in Seoul are being wiped one by one.

00:06:06.530 --> 00:06:13.789
JACK: [MUSIC] These domain controllers were incredibly important.

00:06:13.789 --> 00:06:19.780
They controlled authentication and authorization for everything from the WiFi onsite to the

00:06:19.780 --> 00:06:20.780
Olympic app.

00:06:20.780 --> 00:06:25.740
The app managed everything that athletes, visiting dignitaries, staff, and tens of thousands

00:06:25.740 --> 00:06:30.340
of attendees needed for finding their way around, handling their tickets and gaining

00:06:30.340 --> 00:06:34.370
access to secure locations, and even check-in to the hotels.

00:06:34.370 --> 00:06:39.590
Basically, all the stuff that would allow anyone to get access to anything was on the

00:06:39.590 --> 00:06:40.590
fritz.

00:06:40.590 --> 00:06:42.110
ANDY: But he starts responding to his subordinates.

00:06:42.110 --> 00:06:47.560
He starts texting them back and then he realizes that he needs to get to the technology operation

00:06:47.560 --> 00:06:51.789
center in Gangneung, so he [MUSIC] gets up, he runs out of the opening ceremony.

00:06:51.789 --> 00:06:56.430
As he’s leaving, he can already hear journalists complaining that the WiFi isn’t working

00:06:56.430 --> 00:07:01.810
in the stadium, the IPTV systems are down across the facility and other facilities around

00:07:01.810 --> 00:07:04.300
the whole Olympic campus in Pyeongchang.

00:07:04.300 --> 00:07:10.061
The app seems to be failing as well; people are trying to get into the stadium and they’re

00:07:10.061 --> 00:07:12.740
unable to access tickets, it turns out.

00:07:12.740 --> 00:07:18.030
This is perhaps the worst possible news that you could get at this exact moment as you’re

00:07:18.030 --> 00:07:21.760
hoping to watch this event come to fruition that you’ve been working on for three years.

00:07:21.760 --> 00:07:26.361
HOST1: One hundred medal events, so a little bit of history is being made during these

00:07:26.361 --> 00:07:27.780
games in 2018.

00:07:27.780 --> 00:07:31.660
HOST2: I wonder how the organizers are feeling right at this moment.

00:07:31.660 --> 00:07:38.940
They have worked so hard to get to this stage; hours, days, years, and this is the culmination.

00:07:38.940 --> 00:07:40.020
This is it.

00:07:40.020 --> 00:07:41.410
This is the start.

00:07:41.410 --> 00:07:43.080
This is the big, big moment.

00:07:43.080 --> 00:07:47.210
ANDY: As all of this is happening, Oh is running out of the stadium.

00:07:47.210 --> 00:07:50.650
He meets up with two of the people who work for him on his staff and they get into an

00:07:50.650 --> 00:07:55.360
SUV and they start this long drive to Gangneung, this neighboring town.

00:07:55.360 --> 00:08:00.940
[MUSIC] Well, when he arrives, the staff is in such a state of – I wouldn’t say panic

00:08:00.940 --> 00:08:05.440
but sort of disarray; that they’re standing up and talking to each other in clumps.

00:08:05.440 --> 00:08:07.539
They can’t even access their e-mail.

00:08:07.539 --> 00:08:08.990
All of their systems seem to be down.

00:08:08.990 --> 00:08:13.280
JACK: When we say that all their systems seem to be down, you have to understand just how

00:08:13.280 --> 00:08:15.850
massive the infrastructure of these games was.

00:08:15.850 --> 00:08:23.120
We’re talking 10,000 PCs, 20,000 mobile devices, 6,300 WiFi routers, and 300 servers

00:08:23.120 --> 00:08:27.930
which existed in two different data centers in Seoul, all this being managed by a team

00:08:27.930 --> 00:08:29.470
of 150 IT staffers.

00:08:29.470 --> 00:08:35.070
ANDY: We find out later, in fact, the ticketing system which is integrated into the Olympics

00:08:35.070 --> 00:08:38.979
app was broken too, and that some people had been locked out of the opening ceremony.

00:08:38.979 --> 00:08:40.710
JACK: But that was later.

00:08:40.710 --> 00:08:42.830
In this particular moment, it was chaos.

00:08:42.830 --> 00:08:46.340
It’s hard to focus and troubleshoot one thing when there’s a million things going

00:08:46.340 --> 00:08:47.540
wrong at once.

00:08:47.540 --> 00:08:52.920
The pressure that the whole world is watching right now makes the stress so much worse.

00:08:52.920 --> 00:08:58.769
Now, Oh had followed best practices for setting up the IT infrastructure of the Olympics.

00:08:58.769 --> 00:09:02.339
His team had done its best to prepare in case something bad happened.

00:09:02.339 --> 00:09:08.000
ANDY: Their cyber-security advisory group had met twenty times since 2015 and they had

00:09:08.000 --> 00:09:12.610
done drills for fires and earthquakes, and even cyber-attacks.

00:09:12.610 --> 00:09:18.300
But then when the actual moment hit, when the disaster actually came, it was still very

00:09:18.300 --> 00:09:19.300
shocking.

00:09:19.300 --> 00:09:24.040
No drills can prepare you for an actual destructive cyber-attack of this scale.

00:09:24.040 --> 00:09:28.360
They know that if they can’t fix all of this before the end of the opening ceremony

00:09:28.360 --> 00:09:35.590
in two hours, then a kind of chaos will unfold where 35,000 people leave the stadium and

00:09:35.590 --> 00:09:39.640
can’t figure out where to go next, that it’ll be this massive embarrassment in one

00:09:39.640 --> 00:09:41.240
of the world’s most wired countries.

00:09:41.240 --> 00:09:46.269
JACK: The team frantically created a workaround to get the official Olympic app working which

00:09:46.269 --> 00:09:50.310
would allow visitors to get in and out of the opening ceremony.

00:09:50.310 --> 00:09:54.810
But their domain controllers and many other parts of the network remained down throughout

00:09:54.810 --> 00:09:58.880
the entire opening ceremony, causing a lot of problems.

00:09:58.880 --> 00:10:00.620
Embarrassing, yes.

00:10:00.620 --> 00:10:02.360
Frustrating, yes.

00:10:02.360 --> 00:10:07.400
But now that the opening ceremony was over, a new clock started.

00:10:07.400 --> 00:10:13.171
The IT staff knew they had all night to evict the hackers, rebuild the systems, and try

00:10:13.171 --> 00:10:18.709
to get the network back up and operational again by the time the first competition started

00:10:18.709 --> 00:10:19.740
in the morning.

00:10:19.740 --> 00:10:26.320
ANDY: [MUSIC] Then these poor IT staffers spend the entire night battling to rebuild

00:10:26.320 --> 00:10:28.690
the entire backbone of the Olympics.

00:10:28.690 --> 00:10:33.150
They initially bypass all of their domain controllers which are down.

00:10:33.150 --> 00:10:37.639
That allows them to bring some services back online but they know that that’s not a stable

00:10:37.639 --> 00:10:40.300
or a secure way to maintain a network.

00:10:40.300 --> 00:10:44.960
Then they spend hours and hours trying to rebuild everything, but they find that as

00:10:44.960 --> 00:10:49.290
they’re rebuilding domain controllers, for instance, they’re being wiped again by some

00:10:49.290 --> 00:10:50.680
piece of malware in their system.

00:10:50.680 --> 00:10:55.130
They are able to figure out that it’s this one malicious file called winlogon.exe.

00:10:55.130 --> 00:10:58.430
JACK: Ugh, I hate it when hackers do this.

00:10:58.430 --> 00:11:04.390
The malware was called winlogon.exe which is also the name of a real process within

00:11:04.390 --> 00:11:08.899
Windows; a normal, benign, critical process that’s required for your operating system

00:11:08.899 --> 00:11:09.940
to work.

00:11:09.940 --> 00:11:13.470
I hate it because when you’re going through the computer looking for malware, you’re

00:11:13.470 --> 00:11:17.220
not gonna notice that’s the malware because it has the same name as a process that should

00:11:17.220 --> 00:11:18.589
be running.

00:11:18.589 --> 00:11:24.149
But this malicious winlogon.exe was a worm that would first try to spread itself to as

00:11:24.149 --> 00:11:30.029
many other machines as it could and then begin wiping the entire system it infected; deleting

00:11:30.029 --> 00:11:35.320
configurations, settings, applications, files, and it would even screw up the operating system,

00:11:35.320 --> 00:11:38.540
rendering the core servers of the Winter Olympics unusable.

00:11:38.540 --> 00:11:44.930
ANDY: There’s this kind of fog of war where they don’t know what is erasing their work

00:11:44.930 --> 00:11:46.170
as they go.

00:11:46.170 --> 00:11:50.870
Their domain controllers are being wiped repeatedly so eventually they resort to actually taking

00:11:50.870 --> 00:11:56.510
their whole network offline around midnight which results in even their website going

00:11:56.510 --> 00:11:57.510
down.

00:11:57.510 --> 00:12:02.070
This is a pretty extreme measure because they think that the hackers somehow are still maintaining

00:12:02.070 --> 00:12:04.310
remote access to their systems.

00:12:04.310 --> 00:12:09.330
[MUSIC] Only around 5:00 AM are they able to – with the help of this Korean security

00:12:09.330 --> 00:12:14.620
company AhnLab – isolate and create a signature for this automated piece of malware.

00:12:14.620 --> 00:12:20.899
At 6:30 AM, they think that they’ve essentially eradicated this malware and they reset every

00:12:20.899 --> 00:12:26.560
staffer’s password in the hopes of locking out the hackers from any further access.

00:12:26.560 --> 00:12:32.230
Just before 8:00 AM, twelve hours after the cyber-attack began, they finally finish reconstructing

00:12:32.230 --> 00:12:37.070
the entire IT back end, rebuilding all the servers from backups and restarting everything.

00:12:37.070 --> 00:12:38.320
Amazingly, this works.

00:12:38.320 --> 00:12:42.420
This is kind of a feat of IT heroics.

00:12:42.420 --> 00:12:48.980
JACK: They just barely got the network back up in time for visitors, competitors, and

00:12:48.980 --> 00:12:53.579
staffers to pour into the stadiums and fields and Olympic villages that morning.

00:12:53.579 --> 00:12:56.070
But what happened here?

00:12:56.070 --> 00:13:00.540
Malware ripped through the IT infrastructure of the Winter Olympics in South Korea at the

00:13:00.540 --> 00:13:03.449
exact moment the opening ceremony started.

00:13:03.449 --> 00:13:05.279
Was this sabotage?

00:13:05.279 --> 00:13:07.040
A targeted attack?

00:13:07.040 --> 00:13:09.870
Some teenage hacktivists making a statement?

00:13:09.870 --> 00:13:14.000
It was unclear but there was no time to stop and think about that.

00:13:14.000 --> 00:13:18.440
The IT teams were exhausted and they had to make sure the games continued without any

00:13:18.440 --> 00:13:19.460
more problems.

00:13:19.460 --> 00:13:25.170
The heroic effort that the IT teams put in to keeping that network stable paid off.

00:13:25.170 --> 00:13:29.380
For the rest of those Olympic Games, there were no more cyber-attacks.

00:13:29.380 --> 00:13:34.630
ANDY: But when I spoke to Sang-jin Oh, the director of the Olympics’ IT staff, he remains

00:13:34.630 --> 00:13:37.980
today almost traumatized by these events.

00:13:37.980 --> 00:13:43.450
He knows that they were just minutes or hours, at the very least, from disaster and that

00:13:43.450 --> 00:13:48.649
it took a kind of enormous effort to save these Pyeongchang Olympics from utter digital

00:13:48.649 --> 00:13:53.509
chaos and he’s still very angry that someone would dare to launch this cyber-attack against

00:13:53.509 --> 00:13:56.600
an actual global and peaceful event.

00:13:56.600 --> 00:14:02.130
It’s always a kind of test of a country’s organizational capabilities to run an event

00:14:02.130 --> 00:14:03.170
this big.

00:14:03.170 --> 00:14:09.519
It would have been a kind of black mark on the Olympics forever that it had been digitally

00:14:09.519 --> 00:14:11.050
broken.

00:14:11.050 --> 00:14:19.120
JACK: [MUSIC] We have a major attack on a major sporting event the world is all watching.

00:14:19.120 --> 00:14:21.269
Who are the usual suspects here?

00:14:21.269 --> 00:14:22.910
Who would want to attack the Olympics like this?

00:14:22.910 --> 00:14:27.670
ANDY: I guess this was maybe my first thought, was that this was probably North Korea because

00:14:27.670 --> 00:14:34.240
North Korea has a history of these kind of wanton, irrational cyber-attacks against South

00:14:34.240 --> 00:14:35.240
Korea in particular.

00:14:35.240 --> 00:14:40.329
They might be incentivized just to try to embarrass their neighbors who they’re always

00:14:40.329 --> 00:14:44.460
– they remain, actually, formally at war with South Korea.

00:14:44.460 --> 00:14:48.830
This is an opportunity to throw a wrench in the works and humiliate their South Korean

00:14:48.830 --> 00:14:49.830
neighbors.

00:14:49.830 --> 00:14:51.339
JACK: Okay, that makes sense.

00:14:51.339 --> 00:14:53.620
North Korea definitely has a motive.

00:14:53.620 --> 00:14:58.470
They’ve attacked South Korea numerous times and have the capability to do such a thing

00:14:58.470 --> 00:14:59.470
like this.

00:14:59.470 --> 00:15:04.410
But it’s just shocking to me to think that this is a nation state-sponsored attack because

00:15:04.410 --> 00:15:08.399
the Olympics are supposed to be a peaceful event where we can celebrate the world coming

00:15:08.399 --> 00:15:11.459
together for a friendly sporting competition.

00:15:11.459 --> 00:15:15.470
But North Korea was not the only suspect.

00:15:15.470 --> 00:15:20.240
There was one country that didn’t get invited to the Winter Olympics that year, a country

00:15:20.240 --> 00:15:24.620
who’s highly competitive and always wins gold medals every Olympics.

00:15:24.620 --> 00:15:29.839
[MUSIC] See, the Winter Olympics just before this was in Sochi, Russia.

00:15:29.839 --> 00:15:35.190
There, a bunch of Russians won gold medals and were tested for using steroids and other

00:15:35.190 --> 00:15:37.389
illegal drugs to enhance their performance.

00:15:37.389 --> 00:15:40.740
But the tests all came back negative for the Russians.

00:15:40.740 --> 00:15:41.839
They were all clean.

00:15:41.839 --> 00:15:47.660
But an investigation years later discovered that some of the tests and samples were swapped

00:15:47.660 --> 00:15:52.560
before being sent to the lab which returned a negative result even if the athlete was

00:15:52.560 --> 00:15:53.830
doping.

00:15:53.830 --> 00:15:59.200
The Worldwide Anti-Doping Agency and the International Olympic Committee discovered that Russia was

00:15:59.200 --> 00:16:01.920
doping and faking the drug tests.

00:16:01.920 --> 00:16:07.720
Because of that, they banned Russia from competing in the 2018 Olympics in South Korea.

00:16:07.720 --> 00:16:11.980
Russia denied that any doping took place and was furious with this ban.

00:16:11.980 --> 00:16:15.259
ANDY: Russia had been banned from these Olympics for doping.

00:16:15.259 --> 00:16:19.350
Russia had, in fact, already been carrying out a hacking campaign against the Worldwide

00:16:19.350 --> 00:16:26.440
Anti-Doping Agency, stealing and leaking documents that were designed to embarrass the agency

00:16:26.440 --> 00:16:31.230
and to show that they were biased and that their investigation of Russia’s doping efforts

00:16:31.230 --> 00:16:36.500
– which were very real and organized – to show that that investigation was somehow fraudulent

00:16:36.500 --> 00:16:38.139
or unfair.

00:16:38.139 --> 00:16:44.690
JACK: For Russia to be banned from the Olympics and then hack into the Worldwide Anti-Doping

00:16:44.690 --> 00:16:49.720
Agency and International Olympic Committee to publish private e-mails as retaliation;

00:16:49.720 --> 00:16:56.120
yeah, it’s definitely sounding like Russia has the motive, capability, and know-how to

00:16:56.120 --> 00:16:58.970
wage an attack on the Winter Olympics like this.

00:16:58.970 --> 00:17:02.579
ANDY: But once we look at the forensics, then that’s where it starts to get weirder ‘cause

00:17:02.579 --> 00:17:03.700
China comes up as well.

00:17:03.700 --> 00:17:04.860
There’s all three.

00:17:04.860 --> 00:17:08.780
JACK: [MUSIC] Oh great, now China’s a suspect, too.

00:17:08.780 --> 00:17:13.030
Why can’t it ever be easy to figure out who’s behind these attacks?

00:17:13.030 --> 00:17:17.160
As people began analyzing this malware, they saw that parts of the code were written by

00:17:17.160 --> 00:17:18.600
Chinese hackers.

00:17:18.600 --> 00:17:24.010
Specifically, this section of the code appeared in previous attacks done by China and no other

00:17:24.010 --> 00:17:26.640
attacking team used code like that.

00:17:26.640 --> 00:17:32.309
Now, when Oh’s IT team was busily trying to defeat this malware, someone uploaded it

00:17:32.309 --> 00:17:34.100
to VirusTotal.

00:17:34.100 --> 00:17:37.970
VirusTotal is a website where you can upload malware and it’ll tell you information about

00:17:37.970 --> 00:17:38.970
that malware.

00:17:38.970 --> 00:17:42.180
It’s a great tool to help you understand what you’re dealing with.

00:17:42.180 --> 00:17:46.450
But this malware was new and VirusTotal had no information on it.

00:17:46.450 --> 00:17:52.880
Now, when new malware gets uploaded to VirusTotal, premium members can get a copy of it to analyze

00:17:52.880 --> 00:17:53.880
it.

00:17:53.880 --> 00:17:59.470
When Oh’s team uploaded it, a bunch of threat research companies downloaded it and started

00:17:59.470 --> 00:18:01.179
analyzing it.

00:18:01.179 --> 00:18:04.440
One of those teams who took a look was Cisco Talos.

00:18:04.440 --> 00:18:08.260
This is a threat intelligence team within Cisco which is a company that makes networking

00:18:08.260 --> 00:18:09.490
equipment.

00:18:09.490 --> 00:18:15.690
Cisco Talos analyzed winlogon.exe, that malicious file that wiped the computers, and it was

00:18:15.690 --> 00:18:19.470
Talos that gave this worm a name; Olympic Destroyer.

00:18:19.470 --> 00:18:26.520
ANDY: [MUSIC] The basic components of Olympic Destroyer were a password-stealing tool and

00:18:26.520 --> 00:18:32.060
then a component that would use those stolen passwords with remote access features to spread

00:18:32.060 --> 00:18:37.380
among computers and destroy all of the data on them essentially by deleting the boot configuration

00:18:37.380 --> 00:18:42.310
from infected machines and then disabling all of their Windows services and shutting

00:18:42.310 --> 00:18:44.820
the computer down so it couldn’t be rebooted.

00:18:44.820 --> 00:18:48.039
In some ways, those components looked very familiar.

00:18:48.039 --> 00:18:54.830
Their basic form resembled two other pieces of disruptive malware; NotPetya and Bad Rabbit,

00:18:54.830 --> 00:19:00.650
both of which were these worms released in Ukraine and very widely believed to be Russian

00:19:00.650 --> 00:19:01.650
in origin.

00:19:01.650 --> 00:19:07.120
Both of those attacks also contained password-stealing tools to spread and then a destructive wiper

00:19:07.120 --> 00:19:09.230
as their payload.

00:19:09.230 --> 00:19:12.049
JACK: Interesting that this resembled NotPetya.

00:19:12.049 --> 00:19:17.320
[MUSIC] If you don’t know about NotPetya, I highly recommend listening to Episode 54

00:19:17.320 --> 00:19:22.860
because NotPetya was a major cyber-attack waged on Ukraine, knocking a huge portion

00:19:22.860 --> 00:19:30.309
of Ukraine’s network offline which could absolutely be seen as an act of cyber-war.

00:19:30.309 --> 00:19:34.320
Once again, that’s an indicator that this could have been a state-sponsored attack from

00:19:34.320 --> 00:19:40.970
Russia but strangely enough, Russia denied this cyber-attack on the South Korean Olympics

00:19:40.970 --> 00:19:43.059
before it happened.

00:19:43.059 --> 00:19:46.669
ANDY: The Russian government had actually made a statement about the fact that they

00:19:46.669 --> 00:19:50.770
had not done a cyber-attack against the Olympics before the Olympics began.

00:19:50.770 --> 00:19:55.620
They said that we will be accused of doing a cyber-attack against the Olympics but there

00:19:55.620 --> 00:20:00.679
will be no evidence which was a very weird thing, and everybody who saw that I think

00:20:00.679 --> 00:20:02.840
was like, what?

00:20:02.840 --> 00:20:04.870
We haven’t even said anything yet.

00:20:04.870 --> 00:20:09.440
Why are you trying to deny having done an attack that has not even occurred yet?

00:20:09.440 --> 00:20:10.440
It was very weird.

00:20:10.440 --> 00:20:12.950
JACK: Yeah, who knows what to make of that?

00:20:12.950 --> 00:20:16.790
It’s certainly fishy, but then you look at the code and there’s one big

00:20:16.790 --> 00:20:17.790
problem.

00:20:17.790 --> 00:20:22.720
ANDY: Although it kind of had that same shape, it was also rewritten from scratch.

00:20:22.720 --> 00:20:28.059
Olympic Destroyer didn’t seem to actually share any code with NotPetya or Bad Rabbit.

00:20:28.059 --> 00:20:32.870
JACK: Cisco Talos published their analysis and it was not what the forensic researchers

00:20:32.870 --> 00:20:33.870
were expecting.

00:20:33.870 --> 00:20:37.960
ANDY: [MUSIC] Researchers are always looking for answers to this attribution problem; who

00:20:37.960 --> 00:20:41.210
is behind this cyber-attack, because it’s often very difficult.

00:20:41.210 --> 00:20:46.680
But there are fingerprints, there are code links, like similar code used in different

00:20:46.680 --> 00:20:49.590
pieces of malware or infrastructure links.

00:20:49.590 --> 00:20:54.200
Like, they’re using the same servers as the command and control infrastructure for

00:20:54.200 --> 00:20:55.900
the attack, that sort of thing.

00:20:55.900 --> 00:21:00.590
Here, it wasn’t that there were no clues to provide those answers; it was that there

00:21:00.590 --> 00:21:03.910
were too many and they pointed in every different direction.

00:21:03.910 --> 00:21:07.809
There were, for instance, code matches with malware from the North Korean group called

00:21:07.809 --> 00:21:13.200
Lazarus that’s responsible for the Sony attack and lots of other high-profile attacks.

00:21:13.200 --> 00:21:20.590
This Olympic Destroyer malware had some of the same wiper code as had been used by those

00:21:20.590 --> 00:21:22.350
Lazarus hackers.

00:21:22.350 --> 00:21:29.330
Both wiping components, for instance, deleted files by destroying the first 4,096 bytes,

00:21:29.330 --> 00:21:33.390
for instance, which seems like a real giveaway that this was North Korea.

00:21:33.390 --> 00:21:39.860
JACK: Oh, I see; the technique the Koreans used to wipe systems in previous attacks were

00:21:39.860 --> 00:21:44.289
the same techniques used in the Olympic Destroyer malware.

00:21:44.289 --> 00:21:50.980
Nobody else used that technique, so that shifts the focus back to North Korea.

00:21:50.980 --> 00:21:54.820
Threat research groups continued to analyze this malware to look for clues.

00:21:54.820 --> 00:21:59.890
ANDY: But then at the same time, a security firm called Intezer pointed out that a chunk

00:21:59.890 --> 00:22:05.520
of the password-stealing code in Olympic Destroyer matched with a different hacker group called

00:22:05.520 --> 00:22:08.920
APT3 which is widely understood to be Chinese.

00:22:08.920 --> 00:22:11.780
So, was it North Korea or was it China?

00:22:11.780 --> 00:22:16.710
Meanwhile, the security firm CrowdStrike found similarities in parts of Olympic Destroyer

00:22:16.710 --> 00:22:22.510
with a piece of ransomware that Russian hackers had used called XData.

00:22:22.510 --> 00:22:28.299
[MUSIC] It was just a kind of tangle of forensics with clues pointing in every direction and

00:22:28.299 --> 00:22:34.070
as soon as you thought that you had come to a conclusion, there was another hypothesis

00:22:34.070 --> 00:22:35.070
to undermine it.

00:22:35.070 --> 00:22:40.010
There was just a kind of unprecedented scenario where it seems like the hackers, instead of

00:22:40.010 --> 00:22:46.990
trying to simply cover their tracks, they had built-in tracks pointing in every direction

00:22:46.990 --> 00:22:47.990
at once.

00:22:47.990 --> 00:22:53.990
JACK: What a wild concept; to build in tracks which lead to many different sources of who

00:22:53.990 --> 00:22:56.340
this attacker could be.

00:22:56.340 --> 00:22:58.340
Were all these false flags?

00:22:58.340 --> 00:22:59.770
Red herrings?

00:22:59.770 --> 00:23:01.000
Distractions from the truth?

00:23:01.000 --> 00:23:04.950
ANDY: There was a whole collection of them.

00:23:04.950 --> 00:23:09.710
At first glance at least, it was impossible to figure out what was a real clue and what

00:23:09.710 --> 00:23:10.710
was a false flag.

00:23:10.710 --> 00:23:14.450
JACK: As you can imagine, this type of thing happens a lot; hackers typically don’t like

00:23:14.450 --> 00:23:18.700
being discovered and will hide their tracks with distracting clues and false evidence

00:23:18.700 --> 00:23:19.700
all the time.

00:23:19.700 --> 00:23:24.279
Like, they’ll use another foreign language in the code to throw people off, make them

00:23:24.279 --> 00:23:27.020
think they’re from a different country than they’re actually from.

00:23:27.020 --> 00:23:32.559
But what was different about this was just the sheer number of false flags and the sophistication

00:23:32.559 --> 00:23:33.559
of it.

00:23:33.559 --> 00:23:38.250
ANDY: One researcher, Silas Cutler at CrowdStrike at the time, described it to me as psychological

00:23:38.250 --> 00:23:45.691
warfare on reverse-engineers, that it was like every researcher has one clue that they

00:23:45.691 --> 00:23:50.890
look for as the tell about who is truly responsible for a piece of malware.

00:23:50.890 --> 00:23:55.400
In this case, you would find that thing and it would still be a lie.

00:23:55.400 --> 00:24:00.500
There were false clues planted far deeper than anyone had ever seen before.

00:24:00.500 --> 00:24:04.940
JACK: How do you find a real clue in a haystack of planted clues?

00:24:04.940 --> 00:24:10.150
Kaspersky, a Russian cyber-security firm, started looking at the file’s Rich Headers,

00:24:10.150 --> 00:24:13.809
the part of the file’s metadata that tells you what kind of programming tools were used

00:24:13.809 --> 00:24:14.850
to make it.

00:24:14.850 --> 00:24:17.450
That finally got researchers on the right track.

00:24:17.450 --> 00:24:23.220
ANDY: Kaspersky tried comparing the Olympic Destroyer header with its database of other

00:24:23.220 --> 00:24:24.990
malware samples and their headers.

00:24:24.990 --> 00:24:31.309
It found that there was a perfect match with North Korea’s Lazarus hackers and one of

00:24:31.309 --> 00:24:34.270
their pieces of data-wiping malware.

00:24:34.270 --> 00:24:36.820
At first, that seemed like confirmation; this really was North Korea.

00:24:36.820 --> 00:24:38.970
JACK: Or was it?

00:24:38.970 --> 00:24:45.200
One Kaspersky researcher, Igor Sumenkov, happened to have an expertise in these types of Rich

00:24:45.200 --> 00:24:48.400
Headers, and he took the analysis a step further.

00:24:48.400 --> 00:24:53.669
ANDY: [MUSIC] He checked whether this header actually made sense with the contents of the

00:24:53.669 --> 00:24:59.240
malware and he could see pretty quickly that no, it – this metadata didn’t actually

00:24:59.240 --> 00:25:00.820
match the data.

00:25:00.820 --> 00:25:06.820
Someone had forged the Rich Header which is kind of remarkable because it’s like hiding

00:25:06.820 --> 00:25:12.510
a fake fingerprint in the most obscure possible place in the hopes that some extremely

00:25:12.510 --> 00:25:16.400
diligent detective is gonna look in that corner and find it.

00:25:16.400 --> 00:25:17.890
It almost worked.

00:25:17.890 --> 00:25:22.760
What Igor Sumenkov had found though was that this means someone was trying to make it look

00:25:22.760 --> 00:25:24.380
like North Korea.

00:25:24.380 --> 00:25:30.390
Underneath all of these layers of false flags, he had found one false flag that was provably

00:25:30.390 --> 00:25:36.350
false, that was clearly forged, and that was an indication that it probably was not North

00:25:36.350 --> 00:25:43.960
Korea because it would just be too bizarre to imagine that North Korea had forged their

00:25:43.960 --> 00:25:46.970
own Rich Header to implicate themselves.

00:25:46.970 --> 00:25:51.390
In some ways, this was the first clue about who might really be responsible.

00:25:51.390 --> 00:25:54.299
JACK: Gosh, this is a mind game.

00:25:54.299 --> 00:25:58.840
North Korea has been known to do some pretty bizarre stuff but I think this is still a

00:25:58.840 --> 00:26:01.679
little too bizarre even for them to do.

00:26:01.679 --> 00:26:06.330
This made researchers believe this probably wasn’t North Korea.

00:26:06.330 --> 00:26:07.730
But who was it?

00:26:07.730 --> 00:26:11.570
To figure that out, researchers would have to look beyond the malicious file.

00:26:11.570 --> 00:26:18.140
ANDY: The real unraveling of Olympic Destroyer only began when an analyst named Michael Matonis,

00:26:18.140 --> 00:26:21.200
who worked for FireEye, began to look into it.

00:26:21.200 --> 00:26:23.340
He took a different approach still.

00:26:23.340 --> 00:26:28.539
Rather than looking at the code or the header or the malware at all, he looked at the delivery

00:26:28.539 --> 00:26:29.760
mechanism for it.

00:26:29.760 --> 00:26:36.669
He looked at the infected Word documents that he pulled from VirusTotal that had been used

00:26:36.669 --> 00:26:40.860
as the vehicle to initially infect the Olympic targets.

00:26:40.860 --> 00:26:47.890
It turns out that as early as November of 2017, prior to the Olympics, months earlier,

00:26:47.890 --> 00:26:51.070
the hackers behind Olympic Destroyer were seeding out the malware.

00:26:51.070 --> 00:26:56.700
They were doing the typical thing that state-sponsored hackers do to gain a foothold; sending out

00:26:56.700 --> 00:27:03.860
infected Word documents, attachments designed to give them some sort of code execution on

00:27:03.860 --> 00:27:06.160
a computer inside a target network.

00:27:06.160 --> 00:27:12.650
Matonis was able to pull one of those malware-laced Word documents from VirusTotal and examine

00:27:12.650 --> 00:27:13.650
it.

00:27:13.650 --> 00:27:18.789
[MUSIC] As researchers typically do, he started searching through his own archive of malware

00:27:18.789 --> 00:27:21.300
trying to find anything that matched it, and he couldn’t find anything.

00:27:21.300 --> 00:27:25.799
There was nothing; no kind of clear match, but he did find that there was a collection

00:27:25.799 --> 00:27:33.320
of files that roughly resembled it that used some of the same hacking tools that seemed

00:27:33.320 --> 00:27:36.529
to be obfuscated in the same way.

00:27:36.529 --> 00:27:43.990
When he started to pull apart how that obfuscation worked for each of these suspicious attachments,

00:27:43.990 --> 00:27:48.720
he saw that they had been created with the same tool called Malicious Macro Generator.

00:27:48.720 --> 00:27:53.669
JACK: It looked like the initial infection of the Olympic network began with a phishing

00:27:53.669 --> 00:27:54.669
e-mail.

00:27:54.669 --> 00:27:58.390
There was a document sent to a bunch of staffers and if you opened that document, it ran a

00:27:58.390 --> 00:28:01.679
malicious script or set of macros.

00:28:01.679 --> 00:28:05.570
Antivirus and operating systems should have stopped the macros from running but these

00:28:05.570 --> 00:28:11.030
macros were created with a tool called Malicious Macro Generator which tricks the computer

00:28:11.030 --> 00:28:16.450
into thinking the commands are perfectly fine and allowed and not dangerous.

00:28:16.450 --> 00:28:20.710
Matonis examined these phishing e-mails and attachments in further detail.

00:28:20.710 --> 00:28:25.960
ANDY: He was able to narrow down this big pile of attachments to just a few that all

00:28:25.960 --> 00:28:27.950
shared these characteristics.

00:28:27.950 --> 00:28:33.120
Once he started to look at those documents, they began to look rather familiar in their

00:28:33.120 --> 00:28:34.120
targeting.

00:28:34.120 --> 00:28:38.390
One seemed to target Ukrainian LGBT activist groups.

00:28:38.390 --> 00:28:42.730
Others were targeting Ukrainian companies and Ukrainian government agencies.

00:28:42.730 --> 00:28:48.500
That was the first real red alert moment, something very ominously familiar for him

00:28:48.500 --> 00:28:55.130
because I think we all know by now that Ukraine is the favorite hacking target of Russia,

00:28:55.130 --> 00:29:00.799
that Ukraine, in fact, has been digitally and physically abused by Russia for years

00:29:00.799 --> 00:29:04.930
now since the beginning of the Russian invasion in Ukraine in 2014.

00:29:04.930 --> 00:29:10.409
Matonis was beginning to find some solid evidence that whoever was behind the Olympic attack

00:29:10.409 --> 00:29:15.370
had targeted these Ukrainians in the months prior.

00:29:15.370 --> 00:29:18.820
That is probably not North Korea and it’s probably not China.

00:29:18.820 --> 00:29:24.760
JACK: [MUSIC] Matonis was getting closer to figuring out who did this, but the clue that

00:29:24.760 --> 00:29:29.990
finally closed the case appeared when Matonis started looking at the IP addresses that these

00:29:29.990 --> 00:29:34.270
malicious Word documents used to communicate with their command and control servers.

00:29:34.270 --> 00:29:38.929
ANDY: He would check the domains that these Word documents were designed to phone home

00:29:38.929 --> 00:29:44.700
to, but then also check every IP address that domain had ever lived at to kind of create

00:29:44.700 --> 00:29:48.470
this branching forensic chart.

00:29:48.470 --> 00:29:55.470
A few steps down that tree of connections, he found this one domain, account-loginserve.com.

00:29:55.470 --> 00:30:00.780
For Matonis who has a kind of photographic memory, this immediately just lit up for him

00:30:00.780 --> 00:30:01.780
like neon.

00:30:01.780 --> 00:30:03.380
He recognized that domain immediately.

00:30:03.380 --> 00:30:09.500
HOST3: Russian hacking of the 2016 campaign went a lot deeper than previously known.

00:30:09.500 --> 00:30:14.290
That’s what current and former counterintelligence officials told Congress today.

00:30:14.290 --> 00:30:19.900
HOST4: As of right now, we have evidence of twenty-one states or election-related systems

00:30:19.900 --> 00:30:22.410
in twenty-one states that were targeted.

00:30:22.410 --> 00:30:28.470
JACK: In 2016, Russians hacked the US State Board of Elections in a number of states including

00:30:28.470 --> 00:30:30.340
Arizona and Illinois.

00:30:30.340 --> 00:30:34.309
The hackers accessed voter rolls for hundreds of thousands of voters.

00:30:34.309 --> 00:30:37.430
A year later, the FBI put out an alert for this group.

00:30:37.430 --> 00:30:42.279
ANDY: The FBI was warning, in this case, that those same hackers were now sending out phishing

00:30:42.279 --> 00:30:48.840
e-mails and that the domain that they were using was account-loginserve.com.

00:30:48.840 --> 00:30:54.309
Matonis immediately remembered this and that was the moment for him when all of this came

00:30:54.309 --> 00:30:55.309
together.

00:30:55.309 --> 00:31:01.779
JACK: Both hacks had used the same domain; account-loginserve.com.

00:31:01.779 --> 00:31:06.760
This meant that whoever owned that domain was responsible for both the hacks on the

00:31:06.760 --> 00:31:11.670
US State Boards of Election and the 2018 Winter Olympics.

00:31:11.670 --> 00:31:14.480
This was the smoking gun that tied it all together.

00:31:14.480 --> 00:31:19.639
ANDY: Now he could see that the same hackers had shared infrastructure with the attackers

00:31:19.639 --> 00:31:23.929
who had targeted the 2016 US presidential election.

00:31:23.929 --> 00:31:29.649
JACK: This seemed to tip the evidence in one direction; the Russian government was responsible

00:31:29.649 --> 00:31:31.410
for creating Olympic Destroyer.

00:31:31.410 --> 00:31:36.250
There may have been clues implicating North Korea and China like IP addresses routed through

00:31:36.250 --> 00:31:40.980
North Korean servers and code and functionality linked to the Chinese hacking groups, [MUSIC]

00:31:40.980 --> 00:31:46.220
but fingerprints that matched the targeting of Ukrainian LGBT groups and voter rolls in

00:31:46.220 --> 00:31:53.240
the US elections; this means more fingers point to Russia than any other suspect.

00:31:53.240 --> 00:31:58.080
If that’s the case, it meant this was the same group that conducted NotPetya, one of

00:31:58.080 --> 00:32:01.600
the most extreme cyber-attacks the world has ever seen.

00:32:01.600 --> 00:32:04.400
This was the hacking group known as Sandworm.

00:32:04.400 --> 00:32:13.389
ANDY: It’s quite ironic but in this most-deceptive-ever piece of malware ultimately were the clues

00:32:13.389 --> 00:32:19.490
that not only identified the perpetrators of this attack as Russian, but also contained

00:32:19.490 --> 00:32:24.529
in them the identity that would allow the cyber-security community to tie everything

00:32:24.529 --> 00:32:33.809
from NotPetya to the 2015 and 2016 blackouts in Ukraine to this one group, Sandworm.

00:32:33.809 --> 00:32:38.900
Olympic Destroyer actually contains in it the seeds of the answer to that larger mystery.

00:32:38.900 --> 00:32:45.690
Now you can see that in fact this whole chain of Russian cyber-attacks, cyber-war, in fact,

00:32:45.690 --> 00:32:49.710
has been tied to this one GRU unit.

00:32:49.710 --> 00:32:54.510
That ultimately is the best working theory we had for a long time about who Sandworm

00:32:54.510 --> 00:32:55.510
was.

00:32:55.510 --> 00:33:01.090
JACK: It was a good theory because in July 2018, the US Department of Justice indicted

00:33:01.090 --> 00:33:08.030
twelve Russian GRU hackers for interfering with the 2016 US elections.

00:33:08.030 --> 00:33:11.929
In that indictment, they mention that there were two units within GRU that these hacks

00:33:11.929 --> 00:33:18.380
were carried out from; Unit 26165 and Unit 74455.

00:33:18.380 --> 00:33:23.980
The first was blamed for hacking the DNC and the second was blamed for hacking state boards

00:33:23.980 --> 00:33:25.370
of election.

00:33:25.370 --> 00:33:27.690
That was the missing piece of the puzzle.

00:33:27.690 --> 00:33:31.840
Matonis had already connected that whoever hacked the State Boards of Election also conducted

00:33:31.840 --> 00:33:37.370
Olympic Destroyer, but he did not know which GRU unit did it.

00:33:37.370 --> 00:33:43.990
Right there in the Mueller Report, it was the first time we learned that Unit 74455

00:33:43.990 --> 00:33:45.050
was Sandworm.

00:33:45.050 --> 00:33:49.840
There was also a Washington Post story that came out which said that anonymous sources

00:33:49.840 --> 00:33:54.289
told them that Russia hacked the Olympics and tried to make it look like North Korea

00:33:54.289 --> 00:33:58.210
did it which is just another finger pointing in that direction.

00:33:58.210 --> 00:34:03.990
So, almost two years after this happened, still no government has said who was behind

00:34:03.990 --> 00:34:07.549
this or blamed Russia for attacking a peaceful sporting event.

00:34:07.549 --> 00:34:11.190
ANDY: [MUSIC] This is the most vexing part of this story for me.

00:34:11.190 --> 00:34:13.119
I don’t know, it’s flabbergasting.

00:34:13.119 --> 00:34:21.710
I don’t understand why a group of hackers were allowed to carry out a sabotage of global,

00:34:21.710 --> 00:34:25.349
peaceful events, and just essentially get away with it.

00:34:25.349 --> 00:34:30.770
When it comes to this attack on the Olympics, there has never even been a public statement

00:34:30.770 --> 00:34:33.960
from a government saying who was responsible.

00:34:33.960 --> 00:34:41.280
JACK: So Andy wrote a follow-up piece to this story, an OpEd in the Washington Post titled,

00:34:41.280 --> 00:34:47.500
We need to hold the Kremlin responsible for its 2018 cyberattack on the Olympics

00:34:47.500 --> 00:34:53.310
ANDY: And one of the points I made in that OpEd, if nobody condemns this, if nobody shames

00:34:53.310 --> 00:34:57.859
Russia for this, then we are basically inviting them to try again in 2020.

00:34:57.859 --> 00:35:03.530
JACK: Well, as you know 2020 had different plans for all of us.

00:35:03.530 --> 00:35:08.480
The Olympics were canceled due to coronavirus, but even if they had been held, Russia was

00:35:08.480 --> 00:35:12.460
not allowed to compete because they are still banned for doping in Sochi.

00:35:12.460 --> 00:35:17.839
So now that we’ve gone through all the technical stuff and figured out who did this, I’m

00:35:17.839 --> 00:35:21.070
still not sure if I fully understand why they did this.

00:35:21.070 --> 00:35:22.230
ANDY: They tried to cover their tracks.

00:35:22.230 --> 00:35:25.150
They weren’t even trying to send a message.

00:35:25.150 --> 00:35:28.740
They were trying to make sure that a message was not sent, that nobody could trace this

00:35:28.740 --> 00:35:29.740
back to them.

00:35:29.740 --> 00:35:33.010
JACK: Yeah, ‘cause if you’re going to conduct something like this, all you’re

00:35:33.010 --> 00:35:34.440
doing is making a statement.

00:35:34.440 --> 00:35:39.040
You’re essentially saying we don’t like that you banned us, but then you try to hide

00:35:39.040 --> 00:35:41.460
the fact that you made this statement?

00:35:41.460 --> 00:35:44.310
ANDY: Was it really just as petty as it seems?

00:35:44.310 --> 00:35:50.000
[MUSIC] I can’t think of another instance myself when a country has carried out a destructive

00:35:50.000 --> 00:35:55.790
cyber-attack like this with real global impact just out of a pure toddler emotion.

00:35:55.790 --> 00:35:58.589
JACK: Heh, toddler emotion.

00:35:58.589 --> 00:36:00.950
Is that too strong a way to put it?

00:36:00.950 --> 00:36:03.840
I thought so, ya, maybe.

00:36:03.840 --> 00:36:08.480
But then some major news broke last week.

00:36:08.480 --> 00:36:10.480
DOJ: Good afternoon.

00:36:10.480 --> 00:36:16.130
Today we announce criminal charges against a conspiracy of Russian military intelligence

00:36:16.130 --> 00:36:23.420
officers who stand accused of conducting the most disruptive and destructive series of

00:36:23.420 --> 00:36:27.680
computer attacks ever attributed to a single group.

00:36:27.680 --> 00:36:32.430
JACK: This announcement was delivered by John Demers, the Assistant Attorney General of

00:36:32.430 --> 00:36:35.819
the United States, an FBI director, a US Attorney, and an FBI special agent.

00:36:35.819 --> 00:36:41.680
DOJ: The defendants in this case were all members of the military unit 74455 of the

00:36:41.680 --> 00:36:45.220
Russia’s Main Intelligence Directorate, known as the GRU.

00:36:45.220 --> 00:36:52.240
DOJ: Six current and former officers in unit 74455 are accused of the following deceptive

00:36:52.240 --> 00:36:54.870
and destructive alleged in the indictment.

00:36:54.870 --> 00:37:01.020
In December 2015 and 2016 the conspirators launched destructive malware attacks against

00:37:01.020 --> 00:37:03.250
the electric power grid in the Ukraine.

00:37:03.250 --> 00:37:08.079
From there the conspirators’ destructive path widened to encompass virtually the whole world.

00:37:08.079 --> 00:37:13.360
In what is commonly referred to as the most destructive and costly cyber attack ever,

00:37:13.360 --> 00:37:17.650
The conspirators unleashed the NotPetya malware.

00:37:17.650 --> 00:37:21.900
Rather than express remorse for the damage they inflicted against victims worldwide,

00:37:21.900 --> 00:37:27.490
the conspirators callously celebrated their success.

00:37:27.490 --> 00:37:31.070
Next the conspirators turned their sights on the winter Olympics.

00:37:31.070 --> 00:37:36.240
The conspirators feeling the embarrassment of international penalties related to Russia’s

00:37:36.240 --> 00:37:43.680
state sponsored doping program, that is cheating, took it upon themselves to undermine the games.

00:37:43.680 --> 00:37:48.300
Their cyber attack combined the emotional maturity of a petulant child with the resources

00:37:48.300 --> 00:37:49.599
of a nation state.

00:37:49.599 --> 00:37:50.880
JACK: Ooooh, dang.

00:37:50.880 --> 00:37:55.069
The DOJ whipping out name calling.

00:37:55.069 --> 00:37:59.700
And I thought it was harsh when Andy called this an emotional response of a toddler, now

00:37:59.700 --> 00:38:05.930
the Assistant Attorney General says that Sandworm has the emotional maturity of a petulant child.

00:38:05.930 --> 00:38:08.100
Oh wow.

00:38:08.100 --> 00:38:10.520
But it, it’s true.

00:38:10.520 --> 00:38:15.770
I’m desperately trying to think of another way to view this, but I can’t.

00:38:15.770 --> 00:38:18.450
Because all of the planning that had to happen here.

00:38:18.450 --> 00:38:23.270
An attack like this wasn’t just a snap decision, flick of a switch, knee-jerk reaction.

00:38:23.270 --> 00:38:29.859
No, there were meetings to discuss whether or not to do this, because I’m sure Sandworm

00:38:29.859 --> 00:38:31.700
has other work to do too.

00:38:31.700 --> 00:38:36.050
So this was prioritized over all the other stuff they had to do.

00:38:36.050 --> 00:38:39.550
Then they had to assign a team of people to do this.

00:38:39.550 --> 00:38:44.710
That team spent lots of time creating phishing emails, identifying targets, and constructing

00:38:44.710 --> 00:38:45.880
the malware.

00:38:45.880 --> 00:38:50.990
And while the technical capabilities of the malware wasn’t all that sophisticated, it

00:38:50.990 --> 00:38:55.050
was very sophisticated in all the false flags it had in it.

00:38:55.050 --> 00:39:01.680
Extracting bits of code from different nations’ malware and putting in fake footsteps.

00:39:01.680 --> 00:39:07.080
This took months of preparations and cost a significant amount of resources.

00:39:07.080 --> 00:39:08.690
All for what?

00:39:08.690 --> 00:39:10.950
Just to get back at them or something?

00:39:10.950 --> 00:39:15.950
I mean if you put this in any other context it would absolutely seem crazy.

00:39:15.950 --> 00:39:20.920
Imagine someone got banned from your local restaurant for stealing food there and after

00:39:20.920 --> 00:39:25.030
they were kicked out they spent months exacting revenge, and spending a lot of time trying

00:39:25.030 --> 00:39:27.710
to make the restaurant fail.

00:39:27.710 --> 00:39:32.609
We wouldn’t think that person is not ok mentally, right?

00:39:32.609 --> 00:39:38.109
I want to give Russia the benefit of the doubt and that this wasn’t an insane thing to

00:39:38.109 --> 00:39:43.530
do, but I can’t find a good reason to believe otherwise.

00:39:43.530 --> 00:39:47.470
So Andy, what was your reaction when you saw this news?

00:39:47.470 --> 00:39:55.170
ANDY: Well, uh, it was kind of bizarre kind of gratifying, it was closure in a way.

00:39:55.170 --> 00:40:05.230
Not only is this the first real accountability that any government has tried to create for

00:40:05.230 --> 00:40:07.600
Russia after carrying out this attack on the Olympics.

00:40:07.600 --> 00:40:11.170
It’s the first time that we’ve seen most of these faces, of my book Sandworm, this

00:40:11.170 --> 00:40:19.550
group of characters that we’ve been tracking for 5 or 6 years, so it’s the coda to the

00:40:19.550 --> 00:40:20.819
story for me in some ways.

00:40:20.819 --> 00:40:25.880
JACK: Ya so this indictment lists the names and photos of 6 of the people who carried

00:40:25.880 --> 00:40:27.700
out this attack.

00:40:27.700 --> 00:40:31.390
It’s really wild to see pictures of the people who did this.

00:40:31.390 --> 00:40:38.829
ANDY: This is one of those remarkable times where you see the extent of the US or Five

00:40:38.829 --> 00:40:45.750
Eyes intelligence collection reach that they’re able to get inside of these people’s networks,

00:40:45.750 --> 00:40:52.240
to hack the hackers, I imagine, to the degree they are able to come up with names and photos

00:40:52.240 --> 00:40:56.069
and to know exactly who coded what parts of the malware.

00:40:56.069 --> 00:41:01.000
You know, they, really are up in these people’s systems it seems.

00:41:01.000 --> 00:41:02.720
JACK: So this indictment.

00:41:02.720 --> 00:41:04.589
What does it mean, how does it change anything?

00:41:04.589 --> 00:41:10.460
ANDY: Well it’s the first time any government anywhere in the world has explicitly called

00:41:10.460 --> 00:41:18.400
out Sandworm for this attack on the Olympics, and tried to condemn them, hold them accountable

00:41:18.400 --> 00:41:23.580
in some ways, and it’s huge, it’s what has been lacking for more than 2 years.

00:41:23.580 --> 00:41:27.720
JACK: The indictment released last week is 50 pages long.

00:41:27.720 --> 00:41:32.520
It has interesting details of how the hacks took place, and what were all the targets.

00:41:32.520 --> 00:41:37.100
ANDY: The thing that really struck me that among Sandworm’s targets, that we didn’t

00:41:37.100 --> 00:41:43.760
know about previously, were two timekeeping partners of the Olympics, that were responsible

00:41:43.760 --> 00:41:46.829
for the actual timekeeping of Olympic events.

00:41:46.829 --> 00:41:54.099
So what that implies to me is that Sandworm was trying to corrupt the actual sporting

00:41:54.099 --> 00:42:01.869
events, and not just the WiFi, and ticketing systems and display screens around the venues,

00:42:01.869 --> 00:42:08.349
they were actually messing with the results of the games, which is kind of almost poetic

00:42:08.349 --> 00:42:13.660
given how they tried to mess with the results of doping over so many years, this is kind

00:42:13.660 --> 00:42:16.400
of the digital spoiler equivalent.

00:42:16.400 --> 00:42:24.800
JACK: So, they were banned from doping in the Olympics, um, don’t you think with this

00:42:24.800 --> 00:42:29.119
indictment coming out this will lengthen that ban or make it worse for them?

00:42:29.119 --> 00:42:30.920
ANDY: Ya, I have to imagine that’s true.

00:42:30.920 --> 00:42:36.800
I mean they have suffered bans from every other cheating they’ve attempted.

00:42:36.800 --> 00:42:42.510
And it kind of just goes to show how petty and short-sighted these tactics are.

00:42:42.510 --> 00:42:49.130
Like, I thought since I started reporting on this story, this is not a smart strategy.

00:42:49.130 --> 00:42:52.390
You know, Russia doesn’t get anything out of this, they weren’t even sending a message

00:42:52.390 --> 00:42:53.390
as I said.

00:42:53.390 --> 00:43:00.220
So it’s just a kind of emotional, knee-jerk response, like let’s mess up this event if

00:43:00.220 --> 00:43:06.530
we can’t be part of it, and I don’t think they’ll get what they want out of that.

00:43:06.530 --> 00:43:10.319
JACK: Some other news came out on the same day as this press conference.

00:43:10.319 --> 00:43:17.530
ANDY: We just learned that US intelligence, and UK intelligence, had been tracking attempts,

00:43:17.530 --> 00:43:22.970
reconnaissance who were preparing to carry out a similar sabotage of the 2020 Olympics

00:43:22.970 --> 00:43:28.760
in Tokyo, which is what you expect if nobody holds them responsible or shames them for the

00:43:28.760 --> 00:43:29.760
first one.

00:43:29.760 --> 00:43:35.640
And that cyber attack may have been avoided only because the Tokyo Olympics were delayed

00:43:35.640 --> 00:43:36.859
because of the global pandemic.

00:43:36.859 --> 00:43:43.150
JACK: So is calling them a petulant child enough to stop them from attacking next year’s

00:43:43.150 --> 00:43:45.470
Olympics? I hope so.

00:43:45.470 --> 00:43:49.020
Because the US can’t go into Russia and arrest these people, it’s just impossible,

00:43:49.020 --> 00:43:53.540
I mean Russia doesn’t cooperate with the US like that, and especially when the people

00:43:53.540 --> 00:43:57.940
are working for the Russian government conducting official orders.

00:43:57.940 --> 00:44:02.420
But if there is any attack on next year’s Olympics, Russia will certainly be the first

00:44:02.420 --> 00:44:04.190
suspect to be investigated.

00:44:04.190 --> 00:44:10.480
ANDY: What’s scary to me about the Olympic cyber-attack is not just that it [MUSIC] almost

00:44:10.480 --> 00:44:17.130
threw this huge, globally-observed event into chaos, but also that it shows an evolution

00:44:17.130 --> 00:44:18.680
in deception.

00:44:18.680 --> 00:44:22.809
Sandworm has been evolving its disruptive capabilities but it’s also been evolving

00:44:22.809 --> 00:44:24.480
its deceptive capabilities.

00:44:24.480 --> 00:44:30.630
This was the moment when they were experimenting, trying out wearing not just the mask, but

00:44:30.630 --> 00:44:36.869
layers of masks to try to make it truly impossible to forensically determine who was behind this

00:44:36.869 --> 00:44:37.869
attack.

00:44:37.869 --> 00:44:41.980
I think that it’s just gonna get worse, that we’re going to see more innovation

00:44:41.980 --> 00:44:43.730
and false flags in years to come.

00:44:43.730 --> 00:44:49.339
It may come to a point where we are, at some point, truly fooled so we can’t get a definitive

00:44:49.339 --> 00:44:52.290
answer about who was responsible for an attack.

00:44:52.290 --> 00:44:53.920
JACK: Hmm, imagine that.

00:44:53.920 --> 00:44:59.849
A false flag so good that a country falls for it, and blames the wrong country for the

00:44:59.849 --> 00:45:00.849
attack.

00:45:00.849 --> 00:45:05.579
And what kind of consequences would come from accusing a nation of doing something they

00:45:05.579 --> 00:45:07.430
didn’t actually do.

00:45:07.430 --> 00:45:13.940
Get ready, our future is going to be weird.

00:45:13.940 --> 00:45:26.849
(OUTRO): [OUTRO MUSIC] A very big thank-you to Andy Greenberg for sharing the research

00:45:26.849 --> 00:45:28.109
he’s conducted on this.

00:45:28.109 --> 00:45:32.640
But this story is actually part of a bigger story around the hacking group Sandworm.

00:45:32.640 --> 00:45:34.890
Andy wrote a whole book about this hacking group.

00:45:34.890 --> 00:45:39.050
The book is called Sandworm and the paperback version just came out this month.

00:45:39.050 --> 00:45:41.980
I read every page and I just couldn’t put it down.

00:45:41.980 --> 00:45:43.270
I absolutely loved it.

00:45:43.270 --> 00:45:46.650
If you like this podcast, you will love the book Sandworm.

00:45:46.650 --> 00:45:49.710
I’ll have an affiliate link to the book in the show notes.

00:45:49.710 --> 00:45:52.980
This show is made by me, the good rabbit, Jack Rhysider.

00:45:52.980 --> 00:45:56.270
This episode was produced by Eileen Guo and Ilana Strauss.

00:45:56.270 --> 00:46:00.450
Original score and sound design by Garrett Tiedemann, editing help this episode by the

00:46:00.450 --> 00:46:01.810
super-duper Damienne.

00:46:01.810 --> 00:46:05.599
Our theme music is by the mysterious Breakmaster Cylinder.

00:46:05.599 --> 00:46:10.020
Even though a few hours of trial and error will always save you a few minutes of looking

00:46:10.020 --> 00:46:20.869
at the manual, this is Darknet Diaries.
