WEBVTT

00:00:00.000 --> 00:00:01.890
JACK: Today we’re talking with Andrew.

00:00:01.890 --> 00:00:05.175
ANDREW: I’m a Digital Forensics and Incident Response Consultant.

00:00:05.175 --> 00:00:08.730
JACK: Andrew works on a team that does incident response. Once malware

00:00:08.730 --> 00:00:11.700
is detected on the network it’s up to him to go in, study the malware,

00:00:11.700 --> 00:00:14.880
and remove it. Andrew, do you like doing this kind of work?

00:00:14.880 --> 00:00:23.850
ANDREW: I love it. It’s wonderful. It’s very exciting work. There are many positions where

00:00:23.850 --> 00:00:30.510
you can be working on a client’s system and actually – the threat actor is on there

00:00:30.510 --> 00:00:34.800
at the same time as you, trying to move files around. You are trained to thwart

00:00:34.800 --> 00:00:40.650
them in a toe-to-toe scenario. It can be very exciting. It can be very exciting.

00:00:40.650 --> 00:00:47.330
JACK (INTRO): [INTRO MUSIC] This is Darknet Diaries, true stories

00:00:47.330 --> 00:00:54.490
from the dark side of the internet. I’m Jack Rhysider. [INTRO MUSIC ENDS]

00:00:54.490 --> 00:01:01.540
JACK: Andrew works for a security assessment and digital forensics company. Other companies hire

00:01:01.540 --> 00:01:05.620
his team to come in and do security work. It’s actually pretty common for a company

00:01:05.620 --> 00:01:09.760
to outsource their security team to someone else. It’s expensive and hard to maintain

00:01:09.760 --> 00:01:14.350
an internal group of security experts. Andrew is often seen travelling around,

00:01:14.350 --> 00:01:19.540
taking care of threats in his clients’ networks. He wants to share an interesting story with us

00:01:19.540 --> 00:01:24.820
today about the time he faced a hacker in a company that develops cutting-edge technology.

00:01:24.820 --> 00:01:34.090
ANDREW: The client is a global firm; it’s a technology firm. We were looking at –

00:01:34.090 --> 00:01:40.930
we had to go on-site in their European – one of their European bases to work with a team there.

00:01:40.930 --> 00:01:45.460
JACK: We won’t give the name of the company but this company in particular spends a lot of time

00:01:45.460 --> 00:01:50.500
and money developing new technology. They have a full R&D department and are working on

00:01:50.500 --> 00:01:54.310
cutting-edge tech. In fact, they’re developing tech that no other company is developing,

00:01:54.310 --> 00:01:59.050
so one of their most precious assets is intellectual property, or otherwise known

00:01:59.050 --> 00:02:03.760
as IP. The company wants to make sure there aren’t any hackers stealing this information.

00:02:03.760 --> 00:02:09.400
ANDREW: It started off as a compromise assessment.

00:02:09.400 --> 00:02:11.800
JACK: Sometimes companies hire a security team to

00:02:11.800 --> 00:02:15.220
examine the network to see if there’s any evidence that a hacker is in the network.

00:02:15.220 --> 00:02:20.140
ANDREW: They wanted us to go in, put some stuff in their

00:02:20.140 --> 00:02:23.980
network. We put some stuff on their end-points, just have a look around,

00:02:23.980 --> 00:02:31.240
used the intel that we’d already built up in the team during the engagements

00:02:31.240 --> 00:02:38.660
that we’d done previously. Just basically have a look around and see what came out.

00:02:38.660 --> 00:02:42.890
JACK: The team starts examining the logs and the network,

00:02:42.890 --> 00:02:45.953
and they look at different security devices and network activity.

00:02:45.953 --> 00:02:51.260
ANDREW: [ELECTRONIC MUSIC] Their security assessment involved using intel that my

00:02:51.260 --> 00:02:58.460
colleagues had seen elsewhere in other engagements for APT groups. They spotted

00:02:58.460 --> 00:03:05.150
a few pieces of evidence which, I’m not sure exactly what it was,

00:03:05.150 --> 00:03:10.880
it may have been specific malware that continued elsewhere, but they were able

00:03:10.880 --> 00:03:16.580
to identify that there was an active threat actor in that client’s environment.

00:03:16.580 --> 00:03:22.580
JACK: [DARK MUSIC] He mentioned APT and threat actor. This is the worst kind of hacker to find

00:03:22.580 --> 00:03:26.450
in your network. The term threat actor is just a fancy way to describe someone who

00:03:26.450 --> 00:03:32.480
poses a threat to your network, but an APT stands for Advanced Persistent Threat. It

00:03:32.480 --> 00:03:36.620
describes a group of highly-skilled and motivated hackers that have a specific

00:03:36.620 --> 00:03:41.000
goal of what they want to accomplish. But what’s more is they often have significant

00:03:41.000 --> 00:03:45.770
resources such as being sponsored by a nation state, or simply well-funded.

00:03:45.770 --> 00:03:51.560
ANDREW: So I’ve been told, it’s state-sponsored. It’s in the east,

00:03:51.560 --> 00:04:01.970
I guess. The group itself has been known to infiltrate other technology companies.

00:04:01.970 --> 00:04:07.610
JACK: To be attacked by an APT means you’re facing a very skilled and serious attacker who likely

00:04:07.610 --> 00:04:12.890
won’t go away easily. It’s extremely difficult to detect an APT in the network. Someone

00:04:12.890 --> 00:04:17.570
has to have studied that APT for months or maybe years to understand the malware they use and their

00:04:17.570 --> 00:04:23.360
tactics, and then publish that data to the world. Then if we detect certain malware in the network,

00:04:23.360 --> 00:04:28.490
we may be able to link it back to that specific APT but the problem is once that report gets

00:04:28.490 --> 00:04:33.050
published, other people have access to those techniques, too. The APT group may change their

00:04:33.050 --> 00:04:37.520
tactics to be more covert. In this case the malware found in the network matched exactly

00:04:37.520 --> 00:04:42.650
the same malware that someone had published in a report which linked it back to that APT group.

00:04:42.650 --> 00:04:50.380
ANDREW: We spun it up to – the company that I work for spun it up to a follow incident

00:04:50.380 --> 00:04:56.230
response engagement. I came in as part of the team that was doing some of the forensics work,

00:04:56.230 --> 00:05:01.480
so they would ask us to take a look at the data that they were collecting.

00:05:01.480 --> 00:05:08.350
JACK: This process is fascinating to me. The forensics team first identifies and isolates

00:05:08.350 --> 00:05:13.420
the malware and they study it. They develop a profile for that malware; things like file size,

00:05:13.420 --> 00:05:17.740
file names, and the activity the malware is doing. Is it reaching out to the internet?

00:05:17.740 --> 00:05:22.630
Is it trying to access something internal? Is it using specific ports? All this gets

00:05:22.630 --> 00:05:28.660
collected and so now we know the indicators of compromise, or IOCs. This is given to

00:05:28.660 --> 00:05:33.340
another security team which they can use to look for those IOCs in the logs, which would

00:05:33.340 --> 00:05:37.750
then reveal more places this malware has been in the network. These teams would continue to

00:05:37.750 --> 00:05:42.580
feed each other information to learn and detect more and more about this APT in their network.

00:05:42.580 --> 00:05:45.340
ANDREW: That went on for a few months.

00:05:45.340 --> 00:05:48.670
JACK: Why not remove the malware right away?

00:05:48.670 --> 00:05:55.840
ANDREW: That’s a good question. We do get asked a lot why we don’t immediately remediate. The

00:05:55.840 --> 00:06:02.380
client environment, it’s a global company. They have a lot of satellite offices, quite a complex

00:06:02.380 --> 00:06:13.120
infrastructure. What we would do, and this is quite common for all IR companies, is you’ll

00:06:13.120 --> 00:06:23.110
have like a monitoring period or a discovery phase where you will look for where the threat

00:06:23.110 --> 00:06:28.930
actor is active in the environment, what tools they are using, try and identify how many back

00:06:28.930 --> 00:06:37.300
doors these people have into their environment. We wanted to get as accurate a picture as possible

00:06:37.300 --> 00:06:41.560
as to where they were active, where they were coming in, where their ingress points were,

00:06:41.560 --> 00:06:50.500
where they were moving data out, ‘cause we had seen that. Just so when we came to remediation,

00:06:50.500 --> 00:06:58.150
it wasn’t the case that we were removing some of their infrastructure only for them to come

00:06:58.150 --> 00:07:03.620
back in the following week somewhere else that we hadn’t seen. The other concern there is that

00:07:03.620 --> 00:07:08.510
they know that we’re onto them. Once you do that remediation, once you do that kick out,

00:07:08.510 --> 00:07:15.410
they know you’re onto them and they will change their tools and their tactics and

00:07:15.410 --> 00:07:24.500
their procedures. That makes you blind, I guess, depending on what else you implemented. For a

00:07:24.500 --> 00:07:32.870
threat actor or for any adversary to know that you are – that you’re onto them, and you remove what

00:07:32.870 --> 00:07:38.930
they have used in an environment, if they have a backup plan, they’ll go to that. And whether

00:07:38.930 --> 00:07:46.610
that’s immediately or over a period of time, they might let time lapse before they come back in.

00:07:46.610 --> 00:07:50.360
JACK: The team spends a few months researching this hacking group and

00:07:50.360 --> 00:07:54.860
what they’re doing. What was discovered confirms the company’s worst fears.

00:07:54.860 --> 00:08:00.680
ANDREW: They were looking for R&D systems. They were looking

00:08:00.680 --> 00:08:06.080
to exfiltrate and they did exfiltrate some intellectual property. [MUSIC]

00:08:06.080 --> 00:08:12.780
JACK: This hacking group not only successfully broke into the network but they’re successfully

00:08:12.780 --> 00:08:18.300
exfiltrating or stealing the latest cutting-edge technology from the company. For a tech company

00:08:18.300 --> 00:08:22.470
that’s this advanced, having their intellectual property stolen is a

00:08:22.470 --> 00:08:26.535
huge problem which may have millions of dollars of impact to the company.

00:08:26.535 --> 00:08:34.800
ANDREW: I don’t have a financial amount but there was a lot of concern simply because they were

00:08:34.800 --> 00:08:48.120
working on next-gen killer tech, I guess, which if in a competitor’s hands or in any other company’s

00:08:48.120 --> 00:08:54.570
hands, would obviously affect the performance of their company quite significantly. It’s the

00:08:54.570 --> 00:08:59.940
same with every client that we’ve ever worked with. They don’t want any kind of exfil at all

00:08:59.940 --> 00:09:07.644
but this specific one we saw quite intensive interest in their R&D department.

00:09:07.644 --> 00:09:14.220
JACK: The company was terrified that their IP was being stolen and wanted

00:09:14.220 --> 00:09:18.210
the malware removed immediately but the security team still needed to understand

00:09:18.210 --> 00:09:21.390
the threat and study it further. They weren’t ready to remove it.

00:09:21.390 --> 00:09:27.540
ANDREW: We saw that they were active and we did a lot of forensic work. We did a lot of

00:09:27.540 --> 00:09:33.930
deployment into different areas. Like I said, we built that knowledge package up

00:09:33.930 --> 00:09:41.280
for remediation. Now, we were able to – so this was – I became involved in 2015

00:09:41.280 --> 00:09:51.990
and the earliest evidence that we found was in 2010. That wasn’t the entry point;

00:09:51.990 --> 00:09:57.180
that was just the earliest sign of activity that we could find, was 2010. We had evidence

00:09:57.180 --> 00:10:08.160
to suggest that the threat actor had been in there for five years at least. The evidence we found,

00:10:08.160 --> 00:10:17.730
I think it was some file activity on one of the drives which somebody had dated as 2010,

00:10:17.730 --> 00:10:26.760
which could have been planting something. I don’t know the details of it more than the date, I’m

00:10:26.760 --> 00:10:33.630
afraid. I remember sitting in the board room with the client in their office and there was a team of

00:10:33.630 --> 00:10:41.670
us there. We broke it to them that 2010 was the earliest we could find. It hit home that they’ve

00:10:41.670 --> 00:10:48.600
had, for half a decade somebody has had access to their environment without their awareness.

00:10:48.600 --> 00:10:52.710
JACK: How did the client take this kind of news?

00:10:52.710 --> 00:10:59.550
ANDREW: It was a mixed response; some of the people there got angry and wanted to know why

00:10:59.550 --> 00:11:05.880
we weren’t remediating immediately, which comes back to your original question. Then

00:11:05.880 --> 00:11:14.220
there were others who were on board; how do we progress this? What are we seeing? What do

00:11:14.220 --> 00:11:23.760
we do next? Then there was fear, obviously, ‘cause like I said, it’s a technology firm;

00:11:23.760 --> 00:11:27.900
they have their R&D and they want to be the best in the market. They want to know what’s

00:11:27.900 --> 00:11:34.680
being filtered out the door but if we’re only coming into their environment in – I think it

00:11:34.680 --> 00:11:42.420
was early 2015, it was before I started. Like I said, that’s half a decade that this entity could

00:11:42.420 --> 00:11:49.530
have been moving data out. It was a mixed bag of emotions and all completely understandable.

00:11:49.530 --> 00:11:56.670
At the end of the day we’re strangers sitting in a room telling them that they’ve been owned

00:11:56.670 --> 00:12:01.650
for a long time, but that we’re not in a position yet to remediate because we’re

00:12:01.650 --> 00:12:09.690
not ready. It’s a difficult subject to – it’s a difficult topic to discuss with any client.

00:12:09.690 --> 00:12:14.160
JACK: The security team goes back to studying the APT to collect even more data.

00:12:14.160 --> 00:12:19.860
ANDREW: We were still seeing activity during the examinations, during the monitoring phase

00:12:19.860 --> 00:12:28.380
and during the discovery phase. [MUSIC] It was quite interesting because they were active. We

00:12:28.380 --> 00:12:33.180
could see lateral movement, we could see them doing things like basically logging in to make

00:12:33.180 --> 00:12:37.560
sure that their stuff was still sitting on these end-points, that they could reach out

00:12:37.560 --> 00:12:49.830
to certain – see to communications, updating their tools. It’s interesting to see them do

00:12:49.830 --> 00:12:54.540
it because these guys in the background who are logging in and making sure that

00:12:54.540 --> 00:13:04.080
their malware is still running and deploying newer versions, it was – I don’t really want

00:13:04.080 --> 00:13:07.770
to say it was interesting to watch ‘cause obviously this is a company’s livelihood

00:13:07.770 --> 00:13:15.930
but from a detached perspective, watching how they functioned was very interesting.

00:13:15.930 --> 00:13:22.050
JACK: Now that a few months have gone by the forensics team feels confident enough

00:13:22.050 --> 00:13:26.580
that they’ve collected enough information that they can remove the APT from the network once

00:13:26.580 --> 00:13:31.740
and for all. They’ve discovered the potential ways it got in, and what log-ins it’s used,

00:13:31.740 --> 00:13:36.780
and where it’s gone, and what it’s done. It’s time to remediate and finally kick

00:13:36.780 --> 00:13:42.600
this hacking group off the network but all of a sudden the activity from the APT stopped.

00:13:42.600 --> 00:13:49.110
ANDREW: In the weeks up to the remediation the threat actor had gone quiet, had gone very

00:13:49.110 --> 00:13:53.820
quiet. We weren’t seeing any movement. We weren’t seeing anything, really,

00:13:53.820 --> 00:14:04.110
which usually means that they’ve either succeeded in what they came to do or something else.

00:14:04.110 --> 00:14:08.490
JACK: Andrew and his team are all ready to clean this off the network but he

00:14:08.490 --> 00:14:12.540
has to fly to the office location to do the remediation so he packs his things

00:14:12.540 --> 00:14:16.620
and heads to the airport. He’s scheduled to do the remediation in just two days.

00:14:16.620 --> 00:14:21.540
ANDREW: I was sitting in the airport waiting to fly out and my colleague phoned me. He was

00:14:21.540 --> 00:14:26.520
supposed to have been coming out with me but he had some last minute issues and couldn’t be out

00:14:26.520 --> 00:14:32.700
there. There was a few of us going out but he couldn’t make it with me but he phoned me up

00:14:32.700 --> 00:14:42.030
and he said, “Have you seen the news?” It wasn’t headline news; it was just financial news where

00:14:42.030 --> 00:14:51.510
the firm that we were working for had been the subject of a buy-out, a very expensive buy-out

00:14:51.510 --> 00:14:59.280
attempt by a company that was from the same part of the world that we believed the threat actor

00:14:59.280 --> 00:15:06.000
was from. As soon as my colleague phoned me in the airport and I told everyone else

00:15:06.000 --> 00:15:13.470
that I was flying out with, it was kind of an oh, I wonder, penny-dropped kind of thing.

00:15:13.470 --> 00:15:20.580
This is obviously – it’s a what-if, right, that we don’t know for sure. But the timing

00:15:20.580 --> 00:15:28.350
to me seemed awfully convenient and like I said, for the last couple of weeks the threat actor had

00:15:28.350 --> 00:15:36.210
gone quiet and then all of a sudden out of the blue came this attempt at a buy-out. It was for

00:15:36.210 --> 00:15:43.530
a phenomenal amount of money, a phenomenal amount of money. It came as a surprise to

00:15:43.530 --> 00:15:49.980
everyone but when I actually told the people I was working with, there was that kind of, yeah,

00:15:49.980 --> 00:16:00.000
I wonder if that was what was going on. That got me thinking about how these companies – they get

00:16:00.000 --> 00:16:06.420
compromised by these state-sponsored groups as a means of due diligence,

00:16:06.420 --> 00:16:13.140
I guess. Has the company – how much are they worth? What kind of IT do they have? What’s their

00:16:13.140 --> 00:16:21.240
R&D department look like? As a means of, should we buy them? Can we make money off it? The client

00:16:21.240 --> 00:16:30.120
has designed something where it could be the next big thing. It really could be the next big thing.

00:16:30.120 --> 00:16:36.990
It just makes me wonder whether or not they are the subject of these compromises as a means of

00:16:36.990 --> 00:16:45.320
some other third party conducting due diligence because there have been a couple of things in

00:16:45.320 --> 00:16:52.100
the media where companies are being genuinely purchased, have inflated their figures prior

00:16:52.100 --> 00:17:03.950
to acquisition. If you’re getting – if you’re compromised and they’re in there looking at your

00:17:03.950 --> 00:17:11.240
accounts, I guess, and what you’ve got going on there, that’s a perfect opportunity to get what

00:17:11.240 --> 00:17:22.100
a company is worth and feed this back to whoever. That was my train of thought on that. As far as

00:17:22.100 --> 00:17:33.980
remediation goes it was very quiet, touch wood. We didn’t hear anything after that. Once you do

00:17:33.980 --> 00:17:43.220
a remediation you’re kind of on high-alert for some kind of activity afterwards where the threat

00:17:43.220 --> 00:17:49.250
actor realizes you’ve closed them out of the environment and then try and make their way back

00:17:49.250 --> 00:17:54.950
in. That’s a good opportunity to look for stuff that was – there’s no other way of putting it,

00:17:54.950 --> 00:18:03.230
stuff that was missed during the monitoring phase, the discovery phase. But that one was very quiet.

00:18:03.230 --> 00:18:06.560
JACK: So, did they accept the buy-out offer?

00:18:06.560 --> 00:18:16.880
ANDREW: Yes, they succeeded in buying the company, yeah. It just gets you thinking. Hacking is like a

00:18:16.880 --> 00:18:22.070
business. For everything I’ve seen, I’ve never worked on an engagement where there’s been any

00:18:22.070 --> 00:18:32.120
destruction to data, any corruption, any deletion. There’s been no – whilst theft in

00:18:32.120 --> 00:18:38.810
itself is malicious, I’ve not seen anything beyond theft. I’ve never seen cyber-vandalism

00:18:38.810 --> 00:18:45.350
or the hacktivism or anything like that. I’ve always seen it – it’s always been attempts

00:18:45.350 --> 00:18:51.110
at theft and intellectual property. I think that’s a business. I think in the real world,

00:18:51.110 --> 00:18:58.370
in the above board world of business, people steal ideas every day. I just think this is another form

00:18:58.370 --> 00:19:10.580
of it. I think companies need to think differently to the way they are right now about how these

00:19:10.580 --> 00:19:16.822
groups and their sponsors are thinking. It’s all about money. It’s all about money.

00:19:16.822 --> 00:19:23.450
JACK (OUTRO): [OUTRO MUSIC] You’ve been listening

00:19:23.450 --> 00:19:27.590
to Darknet Diaries. For show notes and links, check out darknetdiaries.com.
