WEBVTT

00:00:03.747 --> 00:00:10.400
JACK: A lot of hackers act alone, do it solo, and treat it like an art form. They plan their attack,

00:00:10.400 --> 00:00:15.600
feel for what to do next, attempt to exploit the system. They rely on their intuition to conduct

00:00:15.600 --> 00:00:20.240
a hack but Ira does it differently. IRA: I specialize in putting together teams

00:00:20.240 --> 00:00:25.040
of former Special Forces and intelligence officers to go after organizations.

00:00:25.040 --> 00:00:30.000
JACK: Ira is methodical, follows a playbook, and works with highly trained people. The

00:00:30.000 --> 00:00:35.840
jobs Ira does are bigger than what one person is capable of. He needs a crew of specialized people,

00:00:35.840 --> 00:00:41.360
each one with a different mastery of their craft. He’s assembled one of the most elite hacking teams

00:00:41.360 --> 00:00:46.720
in the country. Each member is incredibly skilled. They rely more on their training and what steps

00:00:46.720 --> 00:00:52.000
are required to accomplish the task and less on intuition. The plan of attack is structured

00:00:52.000 --> 00:00:52.960
and methodical. IRA: Yeah.

00:00:52.960 --> 00:00:57.280
JACK: Think of it like Ocean’s Eleven. IRA: I don’t even want to call it Ocean’s Eleven

00:00:57.280 --> 00:01:01.920
‘cause that’s kind of amateurish hours. JACK: This team is about to embark on a mission

00:01:01.920 --> 00:01:06.080
where over a billion dollars are at stake. IRA: The first time you steal a billion dollars,

00:01:06.080 --> 00:01:10.320
it’s a bit of a rush. After you’ve done this so many times,

00:01:10.320 --> 00:01:16.080
it’s almost expected. JACK (INTRO): [INTRO MUSIC]

00:01:16.080 --> 00:01:22.240
These are true stories from the dark side of the internet.

00:01:22.240 --> 00:01:41.520
I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]

00:01:41.520 --> 00:02:49.360
JACK: I’ve been told that some of my listeners are nine year olds. Crazy, huh?

00:02:49.360 --> 00:02:53.600
So hey, what’s up, kids? But because of this I’m gonna have to give warnings as needed

00:02:53.600 --> 00:03:00.000
and in this particular episode it does have bad language. Sorry, kids. You’ve been warned.

00:03:00.000 --> 00:03:02.480
I want you to meet Ira Winkler. IRA: Hey there.

00:03:02.480 --> 00:03:06.560
JACK: Eight years ago I heard Ira talk at a security conference and he blew me away.

00:03:06.560 --> 00:03:11.120
It’s one of those talks that I’ll never forget and I’m very excited to be able to talk to him again

00:03:11.120 --> 00:03:16.080
because he leads a very interesting life. Ira looks at the world differently than you or I.

00:03:16.080 --> 00:03:21.200
He’s quick to see a vulnerability either in a person or a building or a computer and exploit

00:03:21.200 --> 00:03:26.160
it. He’s good at this because of his background. He was fascinated early on by the human brain so

00:03:26.160 --> 00:03:30.480
he got a college degree in psychology. After getting a degree he had a hard time finding

00:03:30.480 --> 00:03:35.120
a job. He thought maybe the US government would hire him so he took their aptitude test.

00:03:35.120 --> 00:03:42.000
IRA: Did really well; basically, if I got a clearance I got a job. I got the clearance. They

00:03:42.000 --> 00:03:46.080
said wow, you have really good computer aptitude. You want a computer internship? I’m like no,

00:03:46.080 --> 00:03:49.600
I hate computers. I want nothing to do with them. They’re like, what about cryptanalysis?

00:03:49.600 --> 00:03:54.080
It’ll be like playing games. I’m like I don’t want to look at ones and zeros all day.

00:03:54.080 --> 00:03:58.160
JACK: But he didn’t see any better option. IRA: Finally I took a job as an Intelligence

00:03:58.160 --> 00:04:01.760
Analyst for the National Signals Intelligence Operations Center

00:04:01.760 --> 00:04:06.240
which was known as NSTOC which was the only room that actually looks cool in NSA.

00:04:06.240 --> 00:04:11.200
JACK: Part of this job was to decipher encrypted messages. This is called cryptanalysis.

00:04:11.200 --> 00:04:16.080
Here within the walls of the NSA he was learning about computer security. He was understanding what

00:04:16.080 --> 00:04:22.080
encryption is secure and what isn’t in a very real world, hands-on way. He taught himself

00:04:22.080 --> 00:04:26.960
how to program to do his job better but… IRA: Ironically I hated cryptanalysis. I hated

00:04:26.960 --> 00:04:33.680
computers. My first technical computer job was programming super computers to

00:04:33.680 --> 00:04:38.640
do cryptanalysis so that was bizarre. JACK: He eventually moved to another department,

00:04:38.640 --> 00:04:41.840
this time doing research and development for tactical signals intelligence.

00:04:41.840 --> 00:04:45.520
IRA: It’s where I was running around Europe helping people

00:04:45.520 --> 00:04:52.080
in little green trucks do stuff. JACK: Do stuff. Ira is secretive about what he

00:04:52.080 --> 00:04:57.200
did at the NSA because he has to be. Signals intelligence is collecting information from the

00:04:57.200 --> 00:05:02.000
enemy and the enemies are everywhere. There’s always a threat brooding somewhere,

00:05:02.000 --> 00:05:06.400
possibly in other countries planning an attack on us, or terrorist groups meeting to discuss

00:05:06.400 --> 00:05:11.200
their next steps. Signals intelligence is knowing what the enemy is up to. You do this

00:05:11.200 --> 00:05:16.000
by finding where they are and then figuring out a way to intercept those conversations.

00:05:16.000 --> 00:05:21.040
While running around in Europe helping people in little green trucks, Ira became more worldly and

00:05:21.040 --> 00:05:28.320
started to learn how spies operate. But eventually he left the NSA and joined a contracting company.

00:05:28.320 --> 00:05:32.480
He did various IT tasks but then one day a new contract job was given to him.

00:05:32.480 --> 00:05:37.200
IRA: They were like well, we have a contract to find out as much about the company as possible

00:05:37.200 --> 00:05:39.280
without breaking into their computer systems.

00:05:39.280 --> 00:05:43.200
JACK: Basically the contract was to use social engineering against an investment bank

00:05:43.200 --> 00:05:48.160
to see if he could get access to it. Now keep in mind this is the early 90s so not a lot was known

00:05:48.160 --> 00:05:52.880
about social engineering at the time. IRA: I just started going ahead and basically,

00:05:52.880 --> 00:05:58.000
my intelligence background – having worked in NSA, working with a bunch of other intelligence

00:05:58.000 --> 00:06:04.000
agencies along the way and stuff, I just used essentially basic human elicitation techniques

00:06:04.000 --> 00:06:08.800
to lie to people over the phone. JACK: Human elicitation is the act of getting

00:06:08.800 --> 00:06:12.800
someone to tell you a piece of information. With his experience and intelligence-gathering

00:06:12.800 --> 00:06:17.440
at the NSA and being a psychology major, Ira took an interest in this and did pretty well

00:06:17.440 --> 00:06:20.960
at getting people to tell him information they shouldn’t be telling him. For instance,

00:06:20.960 --> 00:06:24.800
he might start out by simply asking an employee for a phone number and getting it,

00:06:24.800 --> 00:06:29.440
and then slowly asking for more and more stuff until he has a whole phone directory. Eventually

00:06:29.440 --> 00:06:32.560
the person’s giving him loads of information that they shouldn’t be giving him.

00:06:32.560 --> 00:06:38.000
IRA: I’d get them to slowly give away information and then I started getting

00:06:38.000 --> 00:06:43.686
lots of login IDs and passwords. I even got the investment bank to send me a computer

00:06:43.686 --> 00:06:47.680
preconfigured for their VPN. That was fun. JACK: Getting people to tell him information

00:06:47.680 --> 00:06:51.600
they shouldn’t be telling him came naturally and he realized he was good at this.

00:06:51.600 --> 00:06:57.680
IRA: By the end of three days I had supposedly used their IDs and logins

00:06:57.680 --> 00:07:01.520
to make financial transactions. JACK: By using just a phone and his wits,

00:07:01.520 --> 00:07:06.160
Ira was eventually able to take over the bank. He gave a talk at a security conference and wrote an

00:07:06.160 --> 00:07:11.280
article about how he did this. People responded in ways he didn’t see coming. They were so

00:07:11.280 --> 00:07:15.920
impressed with his methods and abilities. IRA: Then when it got really well-publicized and

00:07:15.920 --> 00:07:19.520
people started coming to me to do weirder and weirder stuff, they were like well, we want

00:07:19.520 --> 00:07:24.560
you to come into our company as a temporary employee and rob us blind. So I did.

00:07:24.560 --> 00:07:28.960
JACK: That’s how Ira’s career got started as a social engineer and penetration tester.

00:07:28.960 --> 00:07:32.480
He was paid to test whether he could access places he shouldn’t be allowed to access,

00:07:32.480 --> 00:07:36.240
or get information he shouldn’t be allowed to get because this is what bad guys will

00:07:36.240 --> 00:07:40.480
try to do and companies wanted to protect themselves. As the jobs got weirder and

00:07:40.480 --> 00:07:45.120
weirder he got better and better at gaining unauthorized access. He eventually started

00:07:45.120 --> 00:07:50.560
getting so many jobs that he started his own security consulting company. [MUSIC]

00:07:50.560 --> 00:07:55.600
But here’s where things get totally crazy. Ira has a background in national intelligence

00:07:55.600 --> 00:08:01.520
and is very familiar with how spies operate. Like, real military-trained spies. He met many of them

00:08:01.520 --> 00:08:06.320
at his time working for the government so when he started doing his own penetration testing he would

00:08:06.320 --> 00:08:11.440
ask some of his spy friends to help him on certain missions. Over time Ira was able to build a crack

00:08:11.440 --> 00:08:17.520
team of highly trained special agents to help him break into buildings and steal information.

00:08:17.520 --> 00:08:21.600
Ira started taking on bigger jobs and using his crew to get into some of the most secure

00:08:21.600 --> 00:08:27.360
buildings, buildings such as nuclear reactor facilities and banks. Ira became known as one of

00:08:27.360 --> 00:08:31.680
the best to hire to do penetration testing because he brings a team like nobody else can.

00:08:31.680 --> 00:08:36.640
IRA: I like to call them more espionage simulations. I specialize in putting together

00:08:36.640 --> 00:08:42.880
teams of former Special Forces and intelligence officers to actually go after organizations like

00:08:42.880 --> 00:08:47.520
real high-level adversaries would. JACK: Yeah. The media has called him the

00:08:47.520 --> 00:08:52.240
modern-day James Bond. Depending on the job, he’ll put together an elite team for the task.

00:08:52.240 --> 00:08:57.040
For instance, there’s Stu. IRA: Stu’s a former Navy SEAL.

00:08:57.040 --> 00:09:02.480
JACK: He’s extremely fit, agile, tactical, and has years of training in espionage and raiding. Yeah,

00:09:02.480 --> 00:09:07.280
raiding. He knows where to look for weak points in a structure, knows how to use a grappling hook,

00:09:07.280 --> 00:09:11.360
and he’s good at going undetected by security. He helps Ira whenever there’s

00:09:11.360 --> 00:09:16.320
a need for physical intrusions. IRA: Stu has an innate nature.

00:09:16.320 --> 00:09:19.920
Frankly one time, he took advantage of a situation much quicker than

00:09:19.920 --> 00:09:25.440
– I’m mad at myself I didn’t do this. But we were once in a security room

00:09:25.440 --> 00:09:31.040
having our pictures taken for badges and the guard walks out. He’s like I’ve got to go to the other

00:09:31.040 --> 00:09:36.640
room and pick up the badges. Stu’s like, Ira, lean against the door for a second.

00:09:36.640 --> 00:09:43.200
So I go lean against the door. Stu goes behind the desk and pulls up a bunch of blank badges,

00:09:43.200 --> 00:09:48.240
like valid security badges, and grabs them. JACK: These are some of the things Ira

00:09:48.240 --> 00:09:54.800
tests for. He and Stu look for physical vulnerabilities like this and report them.

00:09:54.800 --> 00:09:58.000
[MUSIC] Then there’s Tony. IRA: Former Army counterintelligence

00:09:58.000 --> 00:09:59.360
officer. JACK: Tony has been

00:09:59.360 --> 00:10:02.960
trained to look for threats against his country. He’s good at collecting this information

00:10:02.960 --> 00:10:07.600
by using traditional spying techniques; gaining physical access to a building, stealing documents,

00:10:07.600 --> 00:10:12.160
or simply doing social engineering. IRA: Tony is also good on the physical side

00:10:12.160 --> 00:10:18.160
but we primarily used him for the telephone social engineering. He would be an intelligence

00:10:18.160 --> 00:10:22.080
specialist in human intelligence. He was trained in counterintelligence so

00:10:22.080 --> 00:10:28.480
he would know how to conduct interviews, he would know how to elicit information, and so on.

00:10:28.480 --> 00:10:33.440
JACK: Tony has been trained to follow a process to get someone to divulge information that would in

00:10:33.440 --> 00:10:38.400
essence, betray their own country. He’s tricky and clever and extremely good at what he does.

00:10:38.400 --> 00:10:43.920
IRA: There’s a process of establishing a relationship and elevating the relationship to

00:10:43.920 --> 00:10:49.600
the point where you get people to slowly divulge non-important information to where you slowly

00:10:49.600 --> 00:10:54.880
raise the stake of what level of information they give out ‘til at some point they’re pretty much

00:10:54.880 --> 00:10:58.800
over the hump and they’re screwed. JACK: Tony comes across as a nice guy,

00:10:58.800 --> 00:11:02.480
an everyman, someone who you might think of as a good, wholesome gentleman.

00:11:02.480 --> 00:11:06.480
He’s calm and courteous which comes in handy when you’re trying to get information from

00:11:06.480 --> 00:11:11.200
everyday, normal people who might not even know they have valuable information to divulge,

00:11:11.200 --> 00:11:16.640
like say, the front desk receptionist. IRA: He has this nice – you know, just a slow

00:11:16.640 --> 00:11:23.200
speaker. He’s kind of like you expect to see when you’re driving through Kansas

00:11:23.200 --> 00:11:30.080
and stop to ask for directions. You would swear he was a good old country boy.

00:11:30.080 --> 00:11:31.920
JACK: Then there’s Stan. Stan is kind

00:11:31.920 --> 00:11:34.320
of my favorite. IRA: Stan was a Colonel

00:11:34.320 --> 00:11:39.040
in the GRU before he defected over. JACK: The GRU is Russia’s foreign intelligence

00:11:39.040 --> 00:11:44.080
agency similar to the CIA. They’re often trained to follow spies or be deployed in foreign lands

00:11:44.080 --> 00:11:48.320
and collect information. Stan has extensive training in intelligence-gathering.

00:11:48.320 --> 00:11:51.680
IRA: Stan’s background, besides him being a Russian

00:11:51.680 --> 00:11:59.360
operative, his primary target while he was in the GRU was against China. He speaks fluent Mandarin.

00:11:59.360 --> 00:12:06.800
He also reads Chinese and all that before he came to the US where he was obviously focused on

00:12:06.800 --> 00:12:12.400
targeting US intelligence-type stuff. JACK: Stan came to the US to collect data on

00:12:12.400 --> 00:12:17.600
US government and report it back to Russia. He’s a masterful spy. He would often go to Washington

00:12:17.600 --> 00:12:22.160
DC and hang out in bars. He’d ask someone for a cigarette and start a conversation.

00:12:22.160 --> 00:12:27.360
He’d learn they work for a government agency; no surprise in Washington DC. But over time Stan

00:12:27.360 --> 00:12:30.880
would build trust with that person and get them to divulge government secrets.

00:12:30.880 --> 00:12:38.160
IRA: Stan was referred to me as one of the most successful GRU agents targeting the US in history.

00:12:38.160 --> 00:12:42.240
Stan literally gets people to betray their country under penalty of death,

00:12:42.240 --> 00:12:48.720
which is a different level of social engineering than getting somebody to give up a password.

00:12:48.720 --> 00:12:53.680
We use him to target an organization the way a real foreign operative would,

00:12:53.680 --> 00:12:58.320
because everybody thinks of spying like James Bond but the actual traditional espionage is

00:12:58.320 --> 00:13:04.240
done by spies like Stan. What they try to do is they try to find access to people with information

00:13:04.240 --> 00:13:10.880
and get them to divulge it either knowingly or unknowingly to him. This is kind of like,

00:13:10.880 --> 00:13:14.960
I don’t even want to call it Ocean’s Eleven ‘cause that’s kind of amateurish hours.

00:13:14.960 --> 00:13:19.520
JACK: Stu, Tony, and Stan have had training in some of the most advanced places in the world

00:13:19.520 --> 00:13:23.920
and have enough experience to have mastered their craft. This is just some of the members

00:13:23.920 --> 00:13:27.520
of Ira’s team. Their combined skills make them potentially one of the most

00:13:27.520 --> 00:13:31.600
advanced hacking teams in the world. IRA: I just know them from my intelligence

00:13:31.600 --> 00:13:37.200
background but here’s the difference between somebody who goes around, I’m a social engineer;

00:13:37.200 --> 00:13:43.440
it’s like you know these people if they get caught they just give the get out of jail free card.

00:13:43.440 --> 00:13:49.520
You’re talking about Stan, who was in China being monitored, who had radioactive powder put on his

00:13:49.520 --> 00:13:56.560
doorknob so it was easier to track him. Stan knew any moment in time he could be pulled off the

00:13:56.560 --> 00:14:04.000
street, tortured, and killed. Stu, Navy SEAL; he knows any point in time, he gets captured,

00:14:04.000 --> 00:14:13.040
he’s dead. We’re talking about people who have a fundamental aversion to being captured, not because

00:14:13.040 --> 00:14:17.440
they’re afraid they’ll have to pull out their get out of jail free card and it’ll be embarrassing.

00:14:17.440 --> 00:14:21.040
We’re talking people who know to do this because their lives depended

00:14:21.040 --> 00:14:25.760
on it. JACK: [MUSIC]

00:14:25.760 --> 00:14:30.480
As Ira’s reputation went up as an elite pen tester, he got a contract from one of the

00:14:30.480 --> 00:14:32.880
biggest companies in the world. IRA: Global 5 company.

00:14:32.880 --> 00:14:36.400
JACK: They wanted him to do an espionage simulation against them

00:14:36.400 --> 00:14:41.520
to see how vulnerable they are. Now, a Global 5 company is worth hundreds of billions of dollars

00:14:41.520 --> 00:14:45.440
which means the company has a lot to lose. One thing in particular that would cause

00:14:45.440 --> 00:14:49.120
a lot of financial damage is all the research and development information.

00:14:49.120 --> 00:14:52.800
It’s the stuff like the source code for their systems or all the technology they’re

00:14:52.800 --> 00:14:56.480
coming out with in the next few years. IRA: That was our primary target, to prove we

00:14:56.480 --> 00:15:00.400
could get access to all the R&D data. JACK: If this were to be stolen by another

00:15:00.400 --> 00:15:04.160
competitor or government it could cost them billions of dollars.

00:15:04.160 --> 00:15:08.080
Ira’s job was to find as many weaknesses as possible to help secure them.

00:15:08.080 --> 00:15:13.600
IRA: Primarily it was just, I hate to say it, grab ‘em by the balls and squeeze.

00:15:13.600 --> 00:15:18.160
JACK: Ira started researching and planning the mission. He first figured out the location of

00:15:18.160 --> 00:15:24.000
the R&D department which turned out to be in a small town in the middle of nowhere. He

00:15:24.000 --> 00:15:28.320
used Google Maps and other tools to learn more. There was a fence around the whole property

00:15:28.320 --> 00:15:32.800
and stationed guards to restrict people from being able to drive in. He determined the building was

00:15:32.800 --> 00:15:37.200
going to be locked and the data he was looking for would be in their computer operations center.

00:15:37.200 --> 00:15:40.880
He was able to make some phone calls and figure all this out pretty quickly. As he sized up the

00:15:40.880 --> 00:15:46.240
job he knew he was gonna need some help so he assigned Stu, Tony, and Stan to the mission. All

00:15:46.240 --> 00:15:50.160
four of them fly to the small town where the research and development office was located.

00:15:50.160 --> 00:15:55.440
The team arrives one by one; the ex-NSA agent, the Navy seal, the Army counterintelligence

00:15:55.440 --> 00:16:00.160
officer, and the Russian spy. IRA: Tony ironically was responsible

00:16:00.160 --> 00:16:04.880
for following Russian spies around Europe while he was in the army. It was kind of funny to have

00:16:04.880 --> 00:16:11.200
him stay and work on the project together. I flew in late at night and all I wanted was a

00:16:11.200 --> 00:16:18.080
stupid bottle of water that the hotel didn’t have so I’m driving around trying to – in this little

00:16:18.080 --> 00:16:22.800
strip mall type of place and all of a sudden, I’m driving around late at night, and I look in

00:16:22.800 --> 00:16:27.520
my rear-view mirror and there’s a car behind me. I was driving pretty slow, which is unusual for

00:16:27.520 --> 00:16:33.680
me ‘cause I was looking to see what stores might be open. Anyway, I moved over to let the car go

00:16:33.680 --> 00:16:40.000
by me and then the car moves over with me. Then it’s like, am I being followed? So I switched

00:16:40.000 --> 00:16:47.760
lanes once again and the car follows me again. I’m like, I’m being followed. [MUSIC]

00:16:47.760 --> 00:16:54.000
Most people think okay, speed off. That’s not what you do when you’re being followed

00:16:54.000 --> 00:17:02.240
in the real world. One of the gas station – open up with a little Quick Mark in it.

00:17:02.240 --> 00:17:09.200
Basically I’m driving and I do make the sharp turn like I’m gonna drive past,

00:17:09.200 --> 00:17:15.120
and I make the sharp turn into the gas station, pull my car up to where I can

00:17:15.120 --> 00:17:20.320
get out of the car and go straight into the door of the Quick Mark, blocking everything.

00:17:20.320 --> 00:17:26.080
What happened was the car pulls behind me. It turns out to be an unmarked police car.

00:17:26.080 --> 00:17:30.960
I’m kind of relieved it’s a police car. The cop gets out. I go what the hell were you following

00:17:30.960 --> 00:17:34.720
me for? He’s like, why were you cutting over? I go ‘cause I was being followed.

00:17:34.720 --> 00:17:39.840
The guy couldn’t argue with me. He goes well, you were driving kind of, you know, you were

00:17:39.840 --> 00:17:46.880
driving below the – I go when is driving below the speed limit an area of concern? Like, a crime?

00:17:46.880 --> 00:17:51.600
It was kind of funny but I was calling out the cop for following me.

00:17:51.600 --> 00:17:56.560
JACK: The squad begins the mission. First they scout the building and watch what people are

00:17:56.560 --> 00:18:01.600
wearing as they come and go. They notice which points of entry there are and how traffic flows.

00:18:01.600 --> 00:18:05.680
Then they regroup to put clothes on to physically blend in with other employees.

00:18:05.680 --> 00:18:09.600
Ira puts on a shirt with the corporate logo on it. They suit up and get ready

00:18:09.600 --> 00:18:15.440
and at last, they’re all set. It’s now go time. All four of them get in

00:18:15.440 --> 00:18:19.680
the car and drive to the building. IRA: We ended up going there. They had a

00:18:19.680 --> 00:18:24.080
campus-like setting for their R&D center. JACK: There was a guard gate to get onto the

00:18:24.080 --> 00:18:27.840
campus with actual guards checking everyone coming through. But there

00:18:27.840 --> 00:18:31.200
was a lot of traffic that morning. IRA: Everybody was just lined up coming off

00:18:31.200 --> 00:18:35.600
the main road and stuff. You hold up something that looks like a badge and they don’t check.

00:18:35.600 --> 00:18:41.520
Nobody wants to slow down the morning rush hour. They just waved us through.

00:18:41.520 --> 00:18:45.840
We knew where their computer operation center was so this was like day one.

00:18:45.840 --> 00:18:52.720
Drove everybody in and then we’re like okay, let’s get in. I told everybody yeah, hold on a

00:18:52.720 --> 00:18:57.600
second. Let’s just stand here by the door. JACK: The team waits around acting inconspicuous

00:18:57.600 --> 00:19:03.520
while Ira forms a plan. He tries the door; it’s locked. He thinks maybe he can tailgate someone in

00:19:03.520 --> 00:19:07.440
and waits for someone to come out. IRA: Then I started hearing somebody come

00:19:07.440 --> 00:19:11.600
out. There was a crypto-lock on the door and I just started acting like I’m pressing buttons.

00:19:11.600 --> 00:19:17.360
The guy goes out, holds the door open for me, I and my team go in. JACK: They quickly orient themselves

00:19:17.360 --> 00:19:22.000
in the building and start heading to the computer operations center. They act like they belong,

00:19:22.000 --> 00:19:26.880
walking deliberately but not too fast, scanning the room but careful not to be obvious.

00:19:26.880 --> 00:19:31.040
They try to blend in and go unnoticed. They eventually found the room they were looking

00:19:31.040 --> 00:19:36.800
for and gained access to it. Once there… IRA: We find out that all their critical servers

00:19:36.800 --> 00:19:46.160
were left logged on as admin. Pretty much, we just added a new .rhosts entry for when we had control

00:19:46.160 --> 00:19:51.200
over, so we were able to basically get a trusted relationship on all of the critical servers

00:19:51.200 --> 00:19:59.120
within the room without causing any significant damage. Then the technical operation was done.

00:19:59.120 --> 00:20:02.640
While we were walking around though, Stan was walking – he’s like what are these

00:20:02.640 --> 00:20:07.280
Chinese-American dictionaries doing on the shelf here? I’m like have you seen

00:20:07.280 --> 00:20:14.080
US colleges lately, Stan? Sarcastically. Stan’s like I’ll look into this. Anyway,

00:20:14.080 --> 00:20:18.800
we were done day one where Stu and I were like, we physically compromised

00:20:18.800 --> 00:20:23.600
every – the critical information we needed. JACK: They head back to the car with the feeling

00:20:23.600 --> 00:20:28.160
of mission accomplished. But Ira’s done this so much he doesn’t really get excited anymore.

00:20:28.160 --> 00:20:33.360
IRA: Well, the first time you steal a billion dollars it’s a bit of a rush.

00:20:33.360 --> 00:20:39.440
After you’ve done this so many times it’s almost expected. Frankly, it was really

00:20:39.440 --> 00:20:43.680
anticlimactic to actually take over control of all their computers in the R&D center.

00:20:43.680 --> 00:20:47.840
JACK: There were still a couple more objectives that the team wanted to do. Tony made some phone

00:20:47.840 --> 00:20:51.680
calls and was trying to get people to tell him usernames and passwords over the phone.

00:20:51.680 --> 00:20:56.000
IRA: Of course, Tony was able to get information right and left.

00:20:56.000 --> 00:20:59.600
JACK: Stan was doing what spies do; he was going around town doing a

00:20:59.600 --> 00:21:04.880
counterintelligence assessment. Basically he was looking around for anything suspicious.

00:21:04.880 --> 00:21:09.520
Ira began compiling his findings in a report, showing exactly how much damage he could have done

00:21:09.520 --> 00:21:14.000
to the company with what he found. But because the team finished early they had a few days with

00:21:14.000 --> 00:21:18.160
nothing to do in this small town. IRA: We had time to kill. We drove around,

00:21:18.160 --> 00:21:22.560
looked at different restaurants and so on, and figure out where we’re gonna go.

00:21:22.560 --> 00:21:27.680
A couple days later, after I go – I remember, I’m like done. I moved on to a different project while

00:21:27.680 --> 00:21:33.280
Stan was doing his counterintelligence assessment of the area. Calls me up two days later, goes Ira,

00:21:33.280 --> 00:21:38.640
there are black duck eggs on the menu. I’m like, what the fuck? Is this what we’re paying you for?

00:21:38.640 --> 00:21:45.040
He’s like Ira, my naïve American friend, he goes don’t you know black duck eggs, delicacy China.

00:21:45.040 --> 00:21:49.120
Then you start putting it together. He goes Ira I go to Chinese restaurant number

00:21:49.120 --> 00:21:54.880
one that we drive past. Chinese restaurant number one; people friendly, food not so good.

00:21:54.880 --> 00:22:02.000
I go, Chinese restaurant number two, walk in, menu written only in Chinese. Delicacies you can’t get

00:22:02.000 --> 00:22:08.000
in San Francisco let alone this little piece of shit town in the middle of nowhere. I start

00:22:08.000 --> 00:22:13.360
talking to them in Mandarin and they get very, very worried. What funny Russian guy

00:22:13.360 --> 00:22:19.280
doing talking fluent Mandarin? Then he’s like Ira, this special menu only Chinese people would

00:22:19.280 --> 00:22:24.400
appreciate. Number two, you hold meeting there. They give you free meeting room

00:22:24.400 --> 00:22:28.080
and then they give you big discount if you want to hold meeting there.

00:22:28.080 --> 00:22:32.800
I’m sure there must be recordings. JACK: Stan started adding up all the signs.

00:22:32.800 --> 00:22:36.960
This restaurant was very unusual but only someone fluent in Chinese culture would

00:22:36.960 --> 00:22:40.400
recognize how unusual it was. IRA: Stan essentially found the

00:22:40.400 --> 00:22:43.120
Chinese intelligence operation operating across the street.

00:22:43.120 --> 00:22:47.360
JACK: A Chinese intelligence operation in the middle of this small town,

00:22:47.360 --> 00:22:52.320
directly across the street from the research and development center of a Global 5 company

00:22:52.320 --> 00:22:57.200
led Ira and the team to one conclusion: there’s a high probability that this Chinese restaurant

00:22:57.200 --> 00:23:02.640
was there to steal trade secrets from the company and send them back to China’s government agencies.

00:23:02.640 --> 00:23:05.760
This restaurant may have been used to recruit employees of the company and

00:23:05.760 --> 00:23:09.760
help gather information. Often temp employees are converted to spies;

00:23:09.760 --> 00:23:14.160
being there for only a short time means you’re less likely to get caught. Or perhaps they would

00:23:14.160 --> 00:23:18.640
simply record all conversations that took place in that restaurant, hoping to catch secrets

00:23:18.640 --> 00:23:22.560
or something more sinister. IRA: What they do is they set up a social

00:23:22.560 --> 00:23:28.240
situation where people come in, see that they can read the special menu. They talk to them, say

00:23:28.240 --> 00:23:33.200
my friend, I see you like our special menu. Are you from China? Are you here on a visa? Do you

00:23:33.200 --> 00:23:38.720
have family back there? Would you like your family to stay alive? Is your loyalty to this temporary

00:23:38.720 --> 00:23:44.480
employer or is your loyalty to your motherland? You know, a whole bunch of stuff like that.

00:23:44.480 --> 00:23:50.000
That’s how Chinese intelligence operations act and there’s been multiple times Stan has found

00:23:50.000 --> 00:23:55.280
Chinese intelligence operations operating out of Chinese social clubs in different areas and so on.

00:23:55.280 --> 00:24:01.600
Stan comes up with these what-the-fuck moments but he’s good at what he does.

00:24:01.600 --> 00:24:04.080
Oh yeah, and he goes oh, by the way, I was followed.

00:24:04.080 --> 00:24:08.000
I go how do you know you were followed? He goes oh, they were not very good. I go

00:24:08.000 --> 00:24:12.400
why weren’t they very good? He’s like well, I think I find them, I start making lots of right

00:24:12.400 --> 00:24:18.480
turns and they keep following me around the block. Then I made a U-turn and they’re not very good. I

00:24:18.480 --> 00:24:22.640
go why aren’t they very good? They hit a pole when they went to make a U-turn to follow me.

00:24:22.640 --> 00:24:29.440
I go I just hope they weren’t corporate security or we’re screwed. [MUSIC] We reported it to the

00:24:29.440 --> 00:24:37.120
security manager and the CSO and the CSO was like what the fuck am I supposed to do about China?

00:24:37.120 --> 00:24:40.880
I’m taking care of their computers. JACK: This Chief Security Officer has seen

00:24:40.880 --> 00:24:45.760
a lot of pen test reports, but not even in his wildest imagination was a Chinese intelligence

00:24:45.760 --> 00:24:48.960
operation even a possibility. IRA: We’re like well, you should talk

00:24:48.960 --> 00:24:56.000
to the FBI, find out if the FBI knows this or whatever. The guy was like, I don’t know. Stan,

00:24:56.000 --> 00:25:00.560
because of his situation, he obviously has to stay in touch with the FBI so Stan informed the

00:25:00.560 --> 00:25:05.040
FBI about the operation. JACK: But there’s one last step,

00:25:05.040 --> 00:25:08.560
the biggest one. Ira needs to present his findings to the CEO

00:25:08.560 --> 00:25:13.120
in a way that the CEO can understand. IRA: In this case what happened was, after

00:25:13.120 --> 00:25:18.720
three days I’m like okay, here’s your mergers and acquisitions data which is worth billions because

00:25:18.720 --> 00:25:24.560
of the negotiation points that you would have. If other companies knew what you were targeting

00:25:24.560 --> 00:25:32.080
and so on, again, it could ruin things. Here’s your new technologies coming out in three years,

00:25:32.080 --> 00:25:37.760
we have full control of your entire network. Again, I was showing him the business value of

00:25:37.760 --> 00:25:42.880
all the loss of the vulnerabilities found. ‘Cause there’s a difference between finding

00:25:42.880 --> 00:25:49.200
vulnerabilities and demonstrating the potential cost of the vulnerabilities that matters.

00:25:49.200 --> 00:25:52.960
JACK: This is another thing that impresses me about Ira; he doesn’t simply put in the

00:25:52.960 --> 00:25:57.120
report what is vulnerable but he gives a clear dollar amount to the CEO of how much a theft

00:25:57.120 --> 00:26:02.400
like this could cost the company. When the CEO sees vulnerabilities in terms of dollar amounts,

00:26:02.400 --> 00:26:06.160
action happens much quicker because they’re speaking the same language.

00:26:06.160 --> 00:26:11.360
IRA: In this case all the research and development, frankly China would have loved to

00:26:11.360 --> 00:26:16.080
get their hands on it if they didn’t already have it. If you were going to ask me, I’ll bet China

00:26:16.080 --> 00:26:20.560
did have it by that point in time. JACK: Years later the company gets a new

00:26:20.560 --> 00:26:24.000
CSO and Ira asks him about the Chinese intelligence operation

00:26:24.000 --> 00:26:28.640
across the street. The CSO told Ira… IRA: Oh yeah, we actually made a dozen

00:26:28.640 --> 00:26:32.880
arrests out of that restaurant. JACK: The FBI was able to dismantle this Chinese

00:26:32.880 --> 00:26:37.680
intelligence operation. This could have gone on for years if it wasn’t for Ira and his team,

00:26:37.680 --> 00:26:41.600
a squad so good that they can blend into their surroundings anywhere in the world,

00:26:41.600 --> 00:26:46.960
disappearing into crowds, gathering information. Not acting like James Bond and shooting up the

00:26:46.960 --> 00:26:51.520
place and making a scene, but instead they’re more stealthy and they might be the one asking you for

00:26:51.520 --> 00:26:57.040
a smoke at the bar or calling you up and asking for help. Perhaps the next time you go out you can

00:26:57.040 --> 00:27:02.320
start looking for anything out of place. Someone might be acting too nice but also asking a lot

00:27:02.320 --> 00:27:07.280
of questions or you might notice that guy in the corner of the Chinese restaurant eating alone with

00:27:07.280 --> 00:27:20.800
a Russian accent. The spies are among us. JACK (OUTRO): [OUTRO MUSIC] You’ve been listening

00:27:20.800 --> 00:27:24.480
to Darknet Diaries. If you liked Ira’s story and want to hear more, you’re in luck.

00:27:24.480 --> 00:27:28.880
He wrote numerous books. Spies Among Us is one of the books he wrote which has great stories just

00:27:28.880 --> 00:27:33.360
like this one. He tells the story about how his team was able to steal nuclear reactor plans in

00:27:33.360 --> 00:27:37.600
under three hours. He’s currently in the process of updating that book so look for a newer version

00:27:37.600 --> 00:27:42.000
of that soon. If you want to know more of how to protect your company from attacks like this,

00:27:42.000 --> 00:27:44.720
check out the book Advanced Persistent Security.

00:27:44.720 --> 00:27:49.040
You can also go to securementum.com to learn more about what Ira does. If you want to know

00:27:49.040 --> 00:27:54.000
more about Stan check out the book Through the Eyes of the Enemy. It’s Stan’s autobiography and

00:27:54.000 --> 00:27:58.480
Ira actually helped co-author the book. Links to these will be in the show notes. This show

00:27:58.480 --> 00:28:03.200
is made by me, Jack Rhysider. Story editing is by Stephanie Jenz. Some songs were made

00:28:03.200 --> 00:28:09.200
by Wesley Slover and the theme music is made by the esoteric Breakmaster Cylinder. Also please

00:28:09.200 --> 00:28:19.200
visit darknetdiaries.com/donate to help support this show. It really means a lot to me. Thank you.
