WEBVTT

00:00:00.669 --> 00:00:04.089
JACK: Hey, before we get started, check out the episode right before this one.

00:00:04.089 --> 00:00:05.220
It’s called Shadow Brokers.

00:00:05.220 --> 00:00:08.510
It kind of sets you up for this one.

00:00:08.510 --> 00:00:14.629
[MUSIC] This is the story of NotPetya and it took place in the spring of 2017.

00:00:14.629 --> 00:00:17.689
There was some weird tension between the US and Russia during that time.

00:00:17.689 --> 00:00:21.960
Donald Trump was President of the US and it’s widely-known that the Russians used the internet

00:00:21.960 --> 00:00:23.230
to meddle with the election.

00:00:23.230 --> 00:00:26.980
I mean, the FBI has indicted twelve hackers who were working with the Russian government

00:00:26.980 --> 00:00:31.810
that have allegedly hacked the DNC and Clinton’s e-mail servers which had a critical role in

00:00:31.810 --> 00:00:33.120
the 2016 election.

00:00:33.120 --> 00:00:38.920
The relationship between Trump and Putin is weird and mysterious; a ton of allegations

00:00:38.920 --> 00:00:43.899
are floating around that a lot of back channel support is given to Trump from Russia.

00:00:43.899 --> 00:00:47.480
But what is clear is that Russia likes to quarrel with Ukraine.

00:00:47.480 --> 00:00:51.809
They’ve been fighting over things for a long time but in the last eight years, things

00:00:51.809 --> 00:00:53.070
have really heated up.

00:00:53.070 --> 00:00:57.739
Russia decided to take a territory of land from Ukraine called Crimea and besides that,

00:00:57.739 --> 00:01:01.899
Russia has been deploying troops into Ukraine, pretty much occupying the area.

00:01:01.899 --> 00:01:04.940
The stuff going on in the Donbass region is just crazy.

00:01:04.940 --> 00:01:08.280
This made tensions between Russia and Ukraine even more elevated.

00:01:08.280 --> 00:01:13.100
Now, for the last six years, Russian troops are still occupying places of Ukraine.

00:01:13.100 --> 00:01:17.570
This was the most blatant land-grab in Europe since World War II and it all happened in

00:01:17.570 --> 00:01:19.119
the last half decade.

00:01:19.119 --> 00:01:23.570
But taking over a large region of Ukraine and occupying them with troops was not the

00:01:23.570 --> 00:01:25.790
extent of what Russia did to Ukraine.

00:01:25.790 --> 00:01:30.680
There’s so much more terrifying and scary stuff that Russia has done to Ukraine over

00:01:30.680 --> 00:01:31.680
the internet.

00:01:31.680 --> 00:01:38.509
In fact, in this rare case, I’ll even go so far as to say this is a cyber-war.

00:01:38.509 --> 00:01:46.100
JACK (INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet.

00:01:46.100 --> 00:01:51.329
I’m Jack Rhysider.

00:01:51.329 --> 00:01:54.920
This is Darknet Diaries.

00:01:54.920 --> 00:02:01.820
[INTRO MUSIC ENDS]

00:02:01.820 --> 00:02:10.190
JACK: I recently read the book Sandworm.

00:02:10.190 --> 00:02:11.190
It just came out.

00:02:11.190 --> 00:02:15.400
It’s so good; so good that I wanted to have the author come on the show.

00:02:15.400 --> 00:02:19.860
ANDY: Yeah, I’m Andy Greenberg and I’m a senior writer for Wired Magazine and I’m

00:02:19.860 --> 00:02:21.080
the author of this book, Sandworm.

00:02:21.080 --> 00:02:24.710
JACK: A few years back, Wired asked Andy to investigate whether or not there’s been

00:02:24.710 --> 00:02:28.170
a hack so devastating that it would be considered a cyber-war.

00:02:28.170 --> 00:02:31.690
Andy found some very interesting stuff going on in Ukraine at that time and decided to

00:02:31.690 --> 00:02:32.690
look there.

00:02:32.690 --> 00:02:36.770
He got to work researching this and was finding the story was just getting deeper and bigger

00:02:36.770 --> 00:02:38.170
than he expected.

00:02:38.170 --> 00:02:42.530
He found so much stuff that he decided to not just write a magazine article about it,

00:02:42.530 --> 00:02:43.920
but instead a whole book.

00:02:43.920 --> 00:02:49.819
ANDY: I’ve been working on this book Sandworm since about late 2016.

00:02:49.819 --> 00:02:53.840
It tells the unfolding story of this cyber-war in Ukraine.

00:02:53.840 --> 00:03:00.280
In the midst of that, NotPetya happens, this biggest cyber-attack in history.

00:03:00.280 --> 00:03:08.250
I was kind of primed to investigate that and then I spent probably nine months of the book

00:03:08.250 --> 00:03:15.380
research time digging into NotPetya specifically, trying to find really everyone who was willing

00:03:15.380 --> 00:03:23.330
to talk about the experience of witnessing NotPetya unfold, being a victim of this global

00:03:23.330 --> 00:03:29.490
cyber-attack, experts who pulled apart the code, forensic analysts who tied it back to

00:03:29.490 --> 00:03:31.830
known hacker crews.

00:03:31.830 --> 00:03:35.520
This is really the story at the heart of the book that I’ve been working on for about

00:03:35.520 --> 00:03:36.520
three years.

00:03:36.520 --> 00:03:40.950
JACK: Let’s get into what Andy found in his years of research which led him to NotPetya,

00:03:40.950 --> 00:03:42.640
the biggest cyber-attack in history.

00:03:42.640 --> 00:03:47.130
Now, I’m pretty sure the goal of this was to create a devastating worm.

00:03:47.130 --> 00:03:51.630
A worm is a virus that will self-replicate and spread among many other computers in the

00:03:51.630 --> 00:03:53.250
network, infecting them, too.

00:03:53.250 --> 00:03:57.880
Then, after it spread, they wanted to take that computer offline permanently, basically

00:03:57.880 --> 00:04:00.770
destroying it and everything on it.

00:04:00.770 --> 00:04:03.230
To accomplish this, they needed a few hacker tools.

00:04:03.230 --> 00:04:07.650
Now, these hackers had a plan for how to get their worm onto computers initially, and we’ll

00:04:07.650 --> 00:04:09.050
get into that later.

00:04:09.050 --> 00:04:13.090
But now let’s think; once you get your worm onto just one computer [00:05:00] in a network,

00:04:13.090 --> 00:04:16.079
how can you get it to spread to many others?

00:04:16.079 --> 00:04:19.859
Whatever method you use, you want it to work very well, meaning you don’t want it to

00:04:19.859 --> 00:04:23.979
be stopped by someone who’s just patched their computer or has antivirus on.

00:04:23.979 --> 00:04:29.620
No, this worm has to cut through all of that, so the hackers used a tool called Mimikatz.

00:04:29.620 --> 00:04:33.870
[MUSIC] Mimikatz is crazy and amazing and one of the most frustrating things I’ve

00:04:33.870 --> 00:04:34.870
ever seen.

00:04:34.870 --> 00:04:36.600
I could talk about Mimikatz for hours.

00:04:36.600 --> 00:04:37.600
It’s nuts.

00:04:37.600 --> 00:04:43.550
But the skinny of it is this; on Windows computers there is a program called lsass.exe.

00:04:43.550 --> 00:04:48.270
This process is one that’s responsible for enforcing security on Windows computers.

00:04:48.270 --> 00:04:53.720
Yeah, well, get this; when someone logs into a Windows computer, LSASS stores your username

00:04:53.720 --> 00:04:56.850
and password in clear text in the memory.

00:04:56.850 --> 00:05:01.270
Now, this is so LSASS can authenticate that person to other things like shared drives,

00:05:01.270 --> 00:05:05.419
e-mail, SharePoint, etc, without having to ask the user for their password again and

00:05:05.419 --> 00:05:06.419
again.

00:05:06.419 --> 00:05:11.729
This is all fine and good until a French researcher named Benjamin Delpy, or the gentilkiwi, took

00:05:11.729 --> 00:05:13.130
a look in the memory.

00:05:13.130 --> 00:05:18.350
He used a tool to examine what LSASS put in the memory and was amazed to see it storing

00:05:18.350 --> 00:05:23.199
usernames and passwords in clear text, not encrypted at all.

00:05:23.199 --> 00:05:27.190
He built a tool to extract this username and password to display it to anyone who wants

00:05:27.190 --> 00:05:28.370
to see it.

00:05:28.370 --> 00:05:33.770
That tool he made is called Mimikatz and he made it open-source for anyone to use it.

00:05:33.770 --> 00:05:37.710
He kept building on it, teaching it how to trick Windows into authenticating in so many

00:05:37.710 --> 00:05:40.330
other ways like passing hashes and tokens.

00:05:40.330 --> 00:05:45.389
It’s incredibly powerful and insanely successful because get this; suppose you break into a

00:05:45.389 --> 00:05:47.970
computer or sit down at someone else’s computer.

00:05:47.970 --> 00:05:52.330
If you download and run Mimikatz, you can suddenly see every single user who’s logged

00:05:52.330 --> 00:05:55.009
into that computer since it was rebooted.

00:05:55.009 --> 00:05:58.310
Not just their username, but you can see their full password, too.

00:05:58.310 --> 00:06:03.120
On a shared computer like a central jump server, you can potentially get the passwords to a

00:06:03.120 --> 00:06:07.440
huge number of employees and possibly an admin account, too.

00:06:07.440 --> 00:06:11.750
The thing that frustrates me the most about Mimikatz is that for years, Microsoft refused

00:06:11.750 --> 00:06:12.750
to fix this problem.

00:06:12.750 --> 00:06:15.310
They just didn’t acknowledge it or understand it.

00:06:15.310 --> 00:06:20.240
In recent versions of Windows, they have fixed some of it, but Mimikatz continues to evolve,

00:06:20.240 --> 00:06:23.440
getting around whatever fix Microsoft comes up with.

00:06:23.440 --> 00:06:28.690
Even today, on a brand-new Windows computer, it’s not secure against Mimikatz by default.

00:06:28.690 --> 00:06:31.759
This is why it’s such a powerful exploit.

00:06:31.759 --> 00:06:36.690
Now, once the worm infects a computer and spreads, the last thing it needs to do is

00:06:36.690 --> 00:06:38.520
destroy that computer.

00:06:38.520 --> 00:06:42.570
The goal of this attack was to permanently destroy as many computers as possible.

00:06:42.570 --> 00:06:46.750
The best way to do that remotely is to encrypt everything on it, make it useless unless you

00:06:46.750 --> 00:06:48.360
have the decryption key.

00:06:48.360 --> 00:06:52.590
This is typically known as ransomware but I don’t think these hackers had any intention

00:06:52.590 --> 00:06:53.770
of making money off this.

00:06:53.770 --> 00:06:58.419
Their goal was to destroy computers and ransomware was just the perfect tool to do that.

00:06:58.419 --> 00:07:02.930
The name of the ransomware they decided to use was a modified version of Petya.

00:07:02.930 --> 00:07:07.509
It’ll infect the system at the master boot record, instruct the machine to reboot, and

00:07:07.509 --> 00:07:12.310
upon rebooting it’ll encrypt that file system, preventing it from working at all anymore.

00:07:12.310 --> 00:07:16.020
It’ll then show this screen saying your files have been encrypted and you need to

00:07:16.020 --> 00:07:18.280
pay to get it unencrypted.

00:07:18.280 --> 00:07:22.910
Now you combine these two tools into a worm and instruct it to spread through the network.

00:07:22.910 --> 00:07:26.259
It’s very effective just by itself.

00:07:26.259 --> 00:07:29.430
Computers that are fully-patched and updated can get their passwords taken from memory

00:07:29.430 --> 00:07:32.830
and use that to spread to other computers quite easily.

00:07:32.830 --> 00:07:37.060
The more systems it gets into, the more usernames and passwords it collects, and it just becomes

00:07:37.060 --> 00:07:39.220
unstoppable at some point.

00:07:39.220 --> 00:07:44.909
It could potentially encrypt all hard drives in a network but even though that’s a powerful

00:07:44.909 --> 00:07:48.210
one-two combo, it might not be a knockout blow.

00:07:48.210 --> 00:07:52.240
What if those computers it initially infects didn’t have any extra passwords to steal

00:07:52.240 --> 00:07:53.919
or something?

00:07:53.919 --> 00:07:58.960
Hm, so another tool was added to this worm, something called EternalBlue.

00:07:58.960 --> 00:08:04.690
ANDY: [MUSIC] EternalBlue was probably the most powerful of all of the hacking tools

00:08:04.690 --> 00:08:09.080
dumped onto the internet by this very mysterious group called the Shadow Brokers.

00:08:09.080 --> 00:08:14.690
The Shadow Brokers appeared in the summer of 2016 and just started periodically leaking

00:08:14.690 --> 00:08:17.370
NSA hacking tools onto the internet.

00:08:17.370 --> 00:08:20.729
These are full, working, zero-day exploits in some cases.

00:08:20.729 --> 00:08:25.449
JACK: Yeah, in the previous episode we heard all about what the Shadow Brokers did, but

00:08:25.449 --> 00:08:29.760
it was their last dump where they handed the world a devastating hacker tool.

00:08:29.760 --> 00:08:36.019
ANDY: It included this hacking tool called EternalBlue which exploited a vulnerability

00:08:36.019 --> 00:08:42.330
in a Windows function called Server Message Block that allows machines to essentially

00:08:42.330 --> 00:08:45.870
share information between themselves.

00:08:45.870 --> 00:08:53.399
By exploiting that SMB vulnerability, EternalBlue could basically run code remotely on any Windows

00:08:53.399 --> 00:08:58.550
machine that was vulnerable anywhere in the world.

00:08:58.550 --> 00:09:04.190
It turned out that the NSA had actually worked with Microsoft to try to warn everyone about

00:09:04.190 --> 00:09:07.110
this zero-day when the Shadow Brokers first appeared.

00:09:07.110 --> 00:09:12.959
There was a patch for this SMB vulnerability but of course, as with [00:10:00] all patches,

00:09:12.959 --> 00:09:16.950
it was kind of an epidemiological problem trying to get people all around the world

00:09:16.950 --> 00:09:18.440
to implement this patch.

00:09:18.440 --> 00:09:24.240
When EternalBlue went public, there were still countless thousands, or hundreds of thousands

00:09:24.240 --> 00:09:25.960
of machines, really, that were still vulnerable.

00:09:25.960 --> 00:09:30.670
JACK: With EternalBlue in the hands of every hacker, the world was about to be sucker-punched

00:09:30.670 --> 00:09:32.640
in ways it never imagined.

00:09:32.640 --> 00:09:35.630
EternalBlue is an exploit to get into Windows computers.

00:09:35.630 --> 00:09:39.970
It just bypasses the username and password altogether and lets the hacker right in.

00:09:39.970 --> 00:09:44.579
From there, they can look at files, upload things, issue commands, do whatever they want.

00:09:44.579 --> 00:09:50.140
Yeah, while Windows had a patch for this, not everyone was applying their patches, so

00:09:50.140 --> 00:09:55.630
the chances of this working – they’re still high, probably twenty to fifty percent,

00:09:55.630 --> 00:10:00.940
and that just might be enough to get that worm through some difficult places that Mimikatz

00:10:00.940 --> 00:10:02.190
couldn’t get into.

00:10:02.190 --> 00:10:07.870
Here’s the combo for this hack; [MUSIC] first, if the worm could get onto a system

00:10:07.870 --> 00:10:11.940
somehow and then run Mimikatz to get all the usernames and passwords that have logged into

00:10:11.940 --> 00:10:16.840
that computer, then it could take those usernames and passwords and try to log into all its

00:10:16.840 --> 00:10:21.010
neighbors’ computers to see if maybe it can get into those too, and collect more usernames

00:10:21.010 --> 00:10:22.540
and passwords along the way.

00:10:22.540 --> 00:10:27.640
By golly, with a list of usernames and passwords to try, it would be able to successfully get

00:10:27.640 --> 00:10:30.620
into a lot of computers to infect them, too.

00:10:30.620 --> 00:10:35.490
But if it couldn’t login like that, it would then try to use EternalBlue to see if that

00:10:35.490 --> 00:10:38.740
system was unpatched and exploit it that way.

00:10:38.740 --> 00:10:45.029
The worm would try two very powerful and dangerous ways to get into every computer on the network.

00:10:45.029 --> 00:10:51.149
Once the virus tried to spread as far as it could, it would then infect it with ransomware,

00:10:51.149 --> 00:10:56.880
encrypting the whole thing, making it useless, and then rebooting the machine so it’s unusable.

00:10:56.880 --> 00:11:02.730
This would be an extremely powerful combo that certainly could be a knockout blow.

00:11:02.730 --> 00:11:06.839
Now, the target of this attack was Ukraine and the goal was to take out as many computers

00:11:06.839 --> 00:11:11.110
as possible in Ukraine; businesses, government agencies, doesn’t matter.

00:11:11.110 --> 00:11:12.110
Everything.

00:11:12.110 --> 00:11:14.520
Take down all of Ukraine’s network.

00:11:14.520 --> 00:11:17.820
But how can you target an entire country?

00:11:17.820 --> 00:11:21.000
This is a wide-scale attack but it’s also limited in size.

00:11:21.000 --> 00:11:24.770
They didn’t want it to spread through the whole world, just Ukraine.

00:11:24.770 --> 00:11:29.430
Hm, this is a very interesting question and something I bet the hackers thought a long

00:11:29.430 --> 00:11:30.550
time about.

00:11:30.550 --> 00:11:35.270
They ultimately chose to target a small company called Linkos Group.

00:11:35.270 --> 00:11:42.649
ANDY: Linkos Group is a pretty small family-run software business based in a building in western

00:11:42.649 --> 00:11:49.110
Kiev, the capital of Ukraine, in this nondescript building in a kind of dingy neighborhood on

00:11:49.110 --> 00:11:53.741
the edges of Podil, a kind of hipster neighborhood in Kiev.

00:11:53.741 --> 00:11:59.810
On the third floor of that building is a server room full of these pizza box-sized servers

00:11:59.810 --> 00:12:00.959
stacked up.

00:12:00.959 --> 00:12:07.589
One of them was responsible for sending updates to MeDoc, this accounting software that Linkos

00:12:07.589 --> 00:12:08.589
Group sold, their flagship product.

00:12:08.589 --> 00:12:16.030
It’s really like the QuickBooks or TurboTax of Ukraine.

00:12:16.030 --> 00:12:20.510
Anyone who files taxes in Ukraine or really who wants to do business in Ukraine uses this

00:12:20.510 --> 00:12:21.560
software, MeDoc.

00:12:21.560 --> 00:12:24.870
JACK: Hm, you see where this is going?

00:12:24.870 --> 00:12:28.620
MeDoc is like TurboTax but for Ukraine.

00:12:28.620 --> 00:12:33.310
People who need to file their taxes in Ukraine use this software, so if the hackers could

00:12:33.310 --> 00:12:39.050
infect MeDoc with this worm, a spreading, replicating virus, then the attack would only

00:12:39.050 --> 00:12:41.579
hit people who have to do taxes in Ukraine.

00:12:41.579 --> 00:12:48.920
ANDY: In June of 2017, a group of hackers took over that update server and they hijacked

00:12:48.920 --> 00:12:53.690
MeDoc’s update mechanism to push out their own malware.

00:12:53.690 --> 00:12:58.970
Everyone everywhere in the world who had MeDoc installed suddenly has NotPetya, this worm,

00:12:58.970 --> 00:13:00.240
installed as well.

00:13:00.240 --> 00:13:05.830
JACK: We don’t know how, but they got into that MeDoc update server; maybe a phishing

00:13:05.830 --> 00:13:07.519
e-mail or something.

00:13:07.519 --> 00:13:08.570
But it didn’t matter.

00:13:08.570 --> 00:13:13.579
The stage was set and the biggest cyber-attack in history was about to be launched.

00:13:13.579 --> 00:13:21.079
[MUSIC] On Tuesday, June 27th, 2017, the virus was placed on the MeDoc update server and

00:13:21.079 --> 00:13:26.070
an update was sent to thousands of computers in Ukraine.

00:13:26.070 --> 00:13:30.310
Each and every one of those computers was infected by this virus.

00:13:30.310 --> 00:13:33.570
The seed was planted and was instantly spreading.

00:13:33.570 --> 00:13:38.589
As soon as someone got the update, they were infected, and immediately the worm spread

00:13:38.589 --> 00:13:43.449
to another machine, and another machine, and another, grabbing usernames and trying to

00:13:43.449 --> 00:13:47.510
log into its neighbor, and then using those passwords it would get along the way to spread

00:13:47.510 --> 00:13:52.389
to as many computers as it could in the network, as well as using EternalBlue to get into computers

00:13:52.389 --> 00:13:54.190
it didn’t have the password for.

00:13:54.190 --> 00:13:58.769
As soon as it was infecting a computer, it was rebooting it and encrypting it, rendering

00:13:58.769 --> 00:13:59.769
it useless.

00:13:59.769 --> 00:14:05.550
In a matter of minutes, entire organizations were seeing their networks just go down, like

00:14:05.550 --> 00:14:08.660
a shadow being cast on all the computers.

00:14:08.660 --> 00:14:14.130
Now, all this happened on the day before Ukraine’s [00:15:00] constitution day which is the day

00:14:14.130 --> 00:14:17.220
Ukraine celebrates their independence from Russia.

00:14:17.220 --> 00:14:21.180
What was typically supposed to be a slow day leading up to a holiday was a day that some

00:14:21.180 --> 00:14:23.170
people will never forget.

00:14:23.170 --> 00:14:28.930
ANDY: Oleksiy Yasinskiy, this forensic analyst and incident responder for a company in Ukraine

00:14:28.930 --> 00:14:34.529
called Information System Security Partners, described the experience of going to one of

00:14:34.529 --> 00:14:40.190
their clients early that morning, one of the very first victims of NotPetya, Oschadbank,

00:14:40.190 --> 00:14:44.930
this former national bank of Ukraine.

00:14:44.930 --> 00:14:49.089
As he went in, he described entering a building where everyone seemed to be in a kind of state

00:14:49.089 --> 00:14:53.269
of shock because all of their systems had been shut down simultaneously.

00:14:53.269 --> 00:14:57.829
[MUSIC] Around ninety percent of all of the computers in Oschadbank had been hit with

00:14:57.829 --> 00:15:00.310
this mysterious ransomware worm.

00:15:00.310 --> 00:15:05.889
It looked at first like a normal piece of ransomware which encrypts all of your files.

00:15:05.889 --> 00:15:09.750
In fact, in this case, encrypts the entire operating system of the computer.

00:15:09.750 --> 00:15:16.279
There was a message on the screens of Oschadbank’s PCs demanding $300 in Bitcoin as a ransom

00:15:16.279 --> 00:15:20.250
before the attackers would unlock the computers.

00:15:20.250 --> 00:15:25.500
But Oleksiy Yasinskiy says that he pretty quickly, as he was doing incident response

00:15:25.500 --> 00:15:30.209
for Oschadbank, could tell that this was something unusual, at least in the sense that it was

00:15:30.209 --> 00:15:32.450
extremely virulent.

00:15:32.450 --> 00:15:37.120
The worm had essentially rampaged through Oschadbank’s network until it got access

00:15:37.120 --> 00:15:39.149
to an administrator’s credentials.

00:15:39.149 --> 00:15:43.650
Then it had used those credentials to jump out to every machine that that administrator

00:15:43.650 --> 00:15:50.029
had access to, very quickly just saturating the entire network and shutting it down.

00:15:50.029 --> 00:15:53.050
JACK: That day the bank could not do business.

00:15:53.050 --> 00:15:56.679
The people came to work but their terminals were all encrypted and frozen.

00:15:56.679 --> 00:16:00.139
Customers and employees were both very upset that systems were down.

00:16:00.139 --> 00:16:04.960
ANDY: Every one of these computers that had been hit was completely locked and showing

00:16:04.960 --> 00:16:09.920
this ransomware screen demanding $300 in Bitcoin before the hackers would decrypt it and give

00:16:09.920 --> 00:16:15.200
Oschadbank’s staff back access to that machine.

00:16:15.200 --> 00:16:24.069
But Oleksiy Yasinskiy and ISSP, over the next hours, would very quickly come to the conclusion

00:16:24.069 --> 00:16:25.990
that this was not really ransomware.

00:16:25.990 --> 00:16:30.180
It was a destructive worm posing as ransomware.

00:16:30.180 --> 00:16:33.779
Even if you paid that $300 in Bitcoin, you were not going to get your files back.

00:16:33.779 --> 00:16:38.420
That was just a kind of thin ruse hiding an act of cyber-war.

00:16:38.420 --> 00:16:43.340
JACK: As incident responders investigated this, they found that the ransomware was similar

00:16:43.340 --> 00:16:45.329
to the Petya ransomware.

00:16:45.329 --> 00:16:49.870
It was originally thought to be Petya but some additional research went into it and

00:16:49.870 --> 00:16:52.740
found this is a new strain.

00:16:52.740 --> 00:16:54.769
It was not Petya.

00:16:54.769 --> 00:16:59.870
Since there were so many people saying that it was not Petya, that’s the name that stuck

00:16:59.870 --> 00:17:01.500
for this virus.

00:17:01.500 --> 00:17:05.350
This would become known as the NotPetya attack on Ukraine.

00:17:05.350 --> 00:17:09.970
After the break, we’ll hear just how destructive NotPetya became.

00:17:09.970 --> 00:17:14.360
NotPetya was not just hitting this one bank; it was initially infecting networks through

00:17:14.360 --> 00:17:18.579
the MeDoc software update and then spreading into hundreds of networks, hitting thousands

00:17:18.579 --> 00:17:20.860
of computers through the whole country of Ukraine.

00:17:20.860 --> 00:17:25.730
ANDY: At the same time as Oschadbank was being taken down by NotPetya, it in fact was spreading

00:17:25.730 --> 00:17:27.750
across the entire country of Ukraine.

00:17:27.750 --> 00:17:33.360
JACK: [MUSIC] In just a short time, in a matter of hours, a massive amount of networks and

00:17:33.360 --> 00:17:37.170
computers were permanently down, infected by NotPetya.

00:17:37.170 --> 00:17:41.230
One researcher claimed that over three hundred companies were brought down in Ukraine over

00:17:41.230 --> 00:17:42.230
this attack.

00:17:42.230 --> 00:17:46.480
Pretty much the whole country was infected by this in some way; either you personally

00:17:46.480 --> 00:17:50.610
were down, or your supplier was down, or your neighbor was down, or your client was down.

00:17:50.610 --> 00:17:52.049
It was a catastrophe.

00:17:52.049 --> 00:17:56.740
ANDY: But NotPetya didn’t stop spreading at the borders of Ukraine.

00:17:56.740 --> 00:18:02.059
I mean, no cyber-attack cares about borders, obviously.

00:18:02.059 --> 00:18:08.429
Really, any multinational company that had MeDoc installed was also instantly infected

00:18:08.429 --> 00:18:09.570
with NotPetya.

00:18:09.570 --> 00:18:15.539
That included FedEx, Maersk, the world’s largest [00:20:00] shipping firm, Merck, the

00:18:15.539 --> 00:18:21.470
New Jersey-based pharmaceutical company, Saint-Gobain, the French construction firm, Reckitt Benckiser,

00:18:21.470 --> 00:18:28.539
this UK manufacturing firm, Mondelez, the food company that owns Nabisco and Cadbury,

00:18:28.539 --> 00:18:29.600
and countless others.

00:18:29.600 --> 00:18:33.850
We just knew that initial list that I just named because they were the ones who were

00:18:33.850 --> 00:18:37.340
public companies that had to declare their damages to shareholders.

00:18:37.340 --> 00:18:42.400
But we may never know the full extent of all of the companies that were hit by NotPetya.

00:18:42.400 --> 00:18:47.049
JACK: Of course, if these companies either had MeDoc or were connected to networks of

00:18:47.049 --> 00:18:52.500
companies in Ukraine, or were sharing computers with infected companies, they were also getting

00:18:52.500 --> 00:18:54.780
infected with NotPetya, too.

00:18:54.780 --> 00:18:59.159
ANDY: Counterintuitively, NotPetya also spread into Russia and did really serious damage

00:18:59.159 --> 00:19:06.570
there to the state oil company Rosneft, to the steel maker EVRAZ, to the medical technology

00:19:06.570 --> 00:19:08.190
firm In Vitro.

00:19:08.190 --> 00:19:13.340
Really, everyone who touched Ukraine in any way which of course includes Russia, suffered

00:19:13.340 --> 00:19:14.429
damages from this.

00:19:14.429 --> 00:19:19.260
JACK: Companies all over were scrambling to figure out what happened.

00:19:19.260 --> 00:19:20.260
How do we fix this?

00:19:20.260 --> 00:19:24.179
Is there a way to recover or undo this?

00:19:24.179 --> 00:19:25.909
How do we get stuff working again?

00:19:25.909 --> 00:19:30.850
ANDY: All across Ukraine, essentially, people were figuring out that it was better just

00:19:30.850 --> 00:19:37.830
to shut down your entire network, turn everything off, than watch it be devoured by NotPetya.

00:19:37.830 --> 00:19:42.309
Really, every government agency; the postal service, all of these companies, they were,

00:19:42.309 --> 00:19:46.080
in many cases, shutting down their own networks but usually it was too late.

00:19:46.080 --> 00:19:49.929
NotPetya had often infected the majority of their systems before they could even pull

00:19:49.929 --> 00:19:50.929
the plug.

00:19:50.929 --> 00:19:55.670
JACK: With so many computers down all over the city and country, the feeling must have

00:19:55.670 --> 00:19:56.670
been surreal.

00:19:56.670 --> 00:20:02.510
ANDY: The personal experience of being in the middle of this; I heard it best from this

00:20:02.510 --> 00:20:07.690
guy Pavlo Bondarenko who was an IT administrator at the Ukrainian Health Ministry.

00:20:07.690 --> 00:20:13.169
He had, very early in the day, figured out that they needed to pull the ministry’s

00:20:13.169 --> 00:20:14.169
network offline.

00:20:14.169 --> 00:20:19.190
That probably spared the Health Ministry from some terrible damage but nonetheless, he spent

00:20:19.190 --> 00:20:24.299
the whole day fighting off NotPetya and then at the end of the day, he left the office

00:20:24.299 --> 00:20:32.620
to go home, tried to get on the subway [BEEPING], found that NotPetya had actually destroyed

00:20:32.620 --> 00:20:37.860
the contactless payment system that he usually used to swipe in to get onto the Kiev metro.

00:20:37.860 --> 00:20:42.980
[MUSIC] He had to go out to find an ATM where he could get cash to buy a token.

00:20:42.980 --> 00:20:48.030
All of the ATMs that he tried were also paralyzed by NotPetya, one after another.

00:20:48.030 --> 00:20:55.030
[BEEPING] Until he found one ATM that was still working but had a very small cash limit

00:20:55.030 --> 00:20:57.350
and this long line of people trying to get cash.

00:20:57.350 --> 00:21:02.530
He waited in line, got the cash, bought the token, got onto the subway, went to his neighborhood,

00:21:02.530 --> 00:21:05.620
got out, and tried to go grocery shopping.

00:21:05.620 --> 00:21:09.260
[BEEPING] Found that the payment system at the grocery store was down.

00:21:09.260 --> 00:21:15.170
He had to get more cash ‘cause he had run out, so he had to find another ATM among all

00:21:15.170 --> 00:21:18.809
of the paralyzed ATMs where he could take cash out again.

00:21:18.809 --> 00:21:25.480
Pavlo described that experience as not just being kind of annoying but being disorienting.

00:21:25.480 --> 00:21:30.510
He had found himself in a world where everything was suddenly broken.

00:21:30.510 --> 00:21:38.060
[BEEPING] He described it as a natural disaster except that it was entirely man-made and that

00:21:38.060 --> 00:21:43.220
things had gone very quickly from just seeing what was new on Facebook to asking questions

00:21:43.220 --> 00:21:47.549
like, did he have enough money to buy food for the next week?

00:21:47.549 --> 00:21:51.580
People were asking did they have the medicines that they needed?

00:21:51.580 --> 00:21:54.870
Would they be able to get to work and back?

00:21:54.870 --> 00:22:02.419
It was a kind of fundamental cyber-attack against the basic infrastructure of people’s

00:22:02.419 --> 00:22:05.210
lives that we had really never seen before.

00:22:05.210 --> 00:22:09.960
JACK: This really scares me.

00:22:09.960 --> 00:22:15.960
This is a major disaster unlike anything any country has ever seen.

00:22:15.960 --> 00:22:19.090
For so much of the country’s infrastructure to be down like this?

00:22:19.090 --> 00:22:20.330
It’s chaos.

00:22:20.330 --> 00:22:25.250
I am not prepared for something like this to happen where I live; to suddenly and without

00:22:25.250 --> 00:22:29.630
notice to not be able to get gas, food, or money?

00:22:29.630 --> 00:22:32.950
To have hospitals turning away people because their network is down?

00:22:32.950 --> 00:22:36.460
In disasters, there aren’t enough emergency crews to help everyone.

00:22:36.460 --> 00:22:40.750
You’re on your own or you’re at the whim of someone else willing to help you.

00:22:40.750 --> 00:22:46.659
I just think of how connected our whole world is now and to see it so fragile like this

00:22:46.659 --> 00:22:54.299
where one well-crafted, well-timed, well-executed virus can do such an enormous amount of destruction?

00:22:54.299 --> 00:22:55.570
I’m shaken.

00:22:55.570 --> 00:23:01.480
ANDY: I would say that the cyber-war began in Ukraine much earlier.

00:23:01.480 --> 00:23:08.700
[MUSIC] As soon as Ukraine came under repeated, sustained, disruptive cyber-attacks starting

00:23:08.700 --> 00:23:14.799
in the fall of 2015, culminating in two blackouts in late 2015 [00:25:00] and then late 2016,

00:23:14.799 --> 00:23:22.179
that was cyber-war but this was kind of a new stage of the cyber-war, a kind of carpet

00:23:22.179 --> 00:23:24.930
bombing of the whole country’s digital systems.

00:23:24.930 --> 00:23:31.190
In terms of what is cyber-war, I would say that Richard Clarke got it right in his book

00:23:31.190 --> 00:23:37.429
in 2009, I think it was, his book Cyber War where he basically defined it as an act by

00:23:37.429 --> 00:23:45.789
a nation state’s hackers designed to disrupt an adversary’s systems.

00:23:45.789 --> 00:23:50.740
I think that that’s at least the most basic definition for cyber-war.

00:23:50.740 --> 00:23:58.289
I think other things that make something a cyber-war are that it affects critical infrastructure,

00:23:58.289 --> 00:24:06.710
that it is massive in scale, that it takes place in the midst of a physical war.

00:24:06.710 --> 00:24:11.340
All of those things are true of – in fact, the entire campaign of cyber-attacks carried

00:24:11.340 --> 00:24:17.410
out against Ukraine but especially NotPetya, this kind of climax of that whole series of

00:24:17.410 --> 00:24:18.410
attacks.

00:24:18.410 --> 00:24:20.460
JACK: Okay, alright.

00:24:20.460 --> 00:24:22.740
I’m back now.

00:24:22.740 --> 00:24:28.340
I had to pause there for a second and go build my 72-hour kit because this is freaking me

00:24:28.340 --> 00:24:29.340
out.

00:24:29.340 --> 00:24:30.340
I don’t know what to think of this.

00:24:30.340 --> 00:24:32.120
I guess I’m just lucky this didn’t hit the US.

00:24:32.120 --> 00:24:36.610
ANDY: Yeah, I mean, I think a lot of people see what happened to Ukraine and they think

00:24:36.610 --> 00:24:39.059
phew, that could have been us.

00:24:39.059 --> 00:24:40.059
That’s scary.

00:24:40.059 --> 00:24:44.929
But in fact, what I keep trying to emphasize is that NotPetya did hit us, too.

00:24:44.929 --> 00:24:49.529
It didn’t hit us at the same national scale as Ukraine but it hit American companies.

00:24:49.529 --> 00:24:56.980
It hit western companies; FedEx, I’m talking about FedEx and Merck in New Jersey, and Maersk’s

00:24:56.980 --> 00:24:59.530
Terminal also in New Jersey.

00:24:59.530 --> 00:25:02.010
Somehow New Jersey got a lot of damage here.

00:25:02.010 --> 00:25:04.760
But this was not a Ukrainian attack.

00:25:04.760 --> 00:25:08.970
This was an attack that spilled out from Ukraine to the entire world and immediately included

00:25:08.970 --> 00:25:09.970
us, too.

00:25:09.970 --> 00:25:11.380
JACK: Okay, so let’s talk about Maersk.

00:25:11.380 --> 00:25:14.440
Maersk is not a Ukrainian company; it’s a Danish company.

00:25:14.440 --> 00:25:18.360
They’ve been the largest shipping company in the world for the last three decades.

00:25:18.360 --> 00:25:22.899
Picture those huge container ships at sea carrying tons of those big metal container

00:25:22.899 --> 00:25:24.679
boxes full of goods.

00:25:24.679 --> 00:25:29.140
They’re headquartered in Copenhagen in Denmark, but they were impacted by this, too.

00:25:29.140 --> 00:25:34.300
ANDY: Maersk had one office in Odessa on the Black Sea coast on the south of Ukraine.

00:25:34.300 --> 00:25:38.970
In that office they had one computer, that I know about at least, that had MeDoc installed.

00:25:38.970 --> 00:25:43.110
That was all that it took for Maersk’s entire global network to be infected.

00:25:43.110 --> 00:25:49.480
[MUSIC] At Maersk’s global headquarters in Copenhagen, this beautiful, blue-windowed

00:25:49.480 --> 00:25:57.049
building on the Copenhagen harbor’s promenade, staff just noticed all of a sudden on the

00:25:57.049 --> 00:26:03.520
afternoon of June 27th, that screens around the whole building were just turning black.

00:26:03.520 --> 00:26:08.890
One staffer described seeing a wave of screens turning black all around him; black, black,

00:26:08.890 --> 00:26:09.890
black.

00:26:09.890 --> 00:26:13.279
Some staffers started to crowd around the Help Desk in the basement of the building

00:26:13.279 --> 00:26:18.419
but very soon it was clear that this was much larger than that, that every computer in the

00:26:18.419 --> 00:26:19.899
building was being infected.

00:26:19.899 --> 00:26:25.740
IT administrators were soon running down hallways, unplugging computers, running into meeting

00:26:25.740 --> 00:26:30.470
rooms to unplug computers in the middle of meetings, jumping over turnstiles because

00:26:30.470 --> 00:26:34.690
even the turnstiles that control the physical security of the building had been paralyzed

00:26:34.690 --> 00:26:37.010
by this attack.

00:26:37.010 --> 00:26:41.169
They were rushing to really turn off all of the systems because they knew that every second

00:26:41.169 --> 00:26:45.990
meant hundreds or even thousands of more machines that would be compromised.

00:26:45.990 --> 00:26:52.539
But that was really just the digital part of the attack on Maersk.

00:26:52.539 --> 00:26:59.970
Maersk runs this massive global shipping machine with these container ships the size of the

00:26:59.970 --> 00:27:03.720
Empire State Building with another Empire State Building’s worth of cargo on top of

00:27:03.720 --> 00:27:04.720
them.

00:27:04.720 --> 00:27:09.419
All around the world, those ships were starting to arrive at Maersk-owned terminals everywhere

00:27:09.419 --> 00:27:14.580
in the world, and their systems had been shut down so that nobody even knew what was on

00:27:14.580 --> 00:27:16.070
these gargantuan ships.

00:27:16.070 --> 00:27:19.510
They couldn’t even figure out how to unload them.

00:27:19.510 --> 00:27:25.500
Meanwhile, the real choke point’s at seventeen terminals that were shut down by this.

00:27:25.500 --> 00:27:31.120
Seventeen ports, essentially, all around the world were the gates outside where the trucks

00:27:31.120 --> 00:27:36.020
lined up at the Elizabeth New Jersey APM Terminal owned by Maersk.

00:27:36.020 --> 00:27:42.480
It’s a full square mile-size patch of land in the harbor.

00:27:42.480 --> 00:27:48.529
These massive ships pull up but so do thousands of trucks every day, and they come to this

00:27:48.529 --> 00:27:55.960
checkpoint outside the terminal where they’re told over this voice-over-IP system where to

00:27:55.960 --> 00:28:03.330
go, what to pick up or drop off, and all of that on June 27th instantly shut down.

00:28:03.330 --> 00:28:09.640
[MUSIC] Trucks were arriving at that gate outside the terminal and nobody was talking

00:28:09.640 --> 00:28:10.640
to them.

00:28:10.640 --> 00:28:11.640
They were locked out.

00:28:11.640 --> 00:28:13.130
They had no idea what was going on.

00:28:13.130 --> 00:28:16.400
Maersk couldn’t [00:30:00] even send them an e-mail to explain.

00:28:16.400 --> 00:28:21.320
The trucking companies were entirely in the dark, people were getting furious, the port

00:28:21.320 --> 00:28:25.669
police started to tell them you need to turn your truck around and leave, but they had

00:28:25.669 --> 00:28:31.750
stuff that they had to ship somehow for just-in-time manufacturing processes and perishable goods

00:28:31.750 --> 00:28:33.000
that had to be refrigerated.

00:28:33.000 --> 00:28:41.110
It was just a fiasco and soon, tens of thousands of trucks were lining up at seventeen of Maersk’s

00:28:41.110 --> 00:28:45.250
terminals all around the world from Los Angeles to New Jersey.

00:28:45.250 --> 00:28:46.250
JACK: Tens of thousands?

00:28:46.250 --> 00:28:48.490
ANDY: Tens of thousands of trucks in total, yeah, certainly.

00:28:48.490 --> 00:28:54.299
Each one of these terminals had lines of trucks that were miles long.

00:28:54.299 --> 00:29:00.929
From Los Angeles to New Jersey to Algeciras in Spain to Rotterdam in the Netherlands

00:29:00.929 --> 00:29:08.850
to Mumbai in India; this was a significant chunk of the entire physical operation of

00:29:08.850 --> 00:29:12.680
the world’s largest shipping conglomerate just shut down in an instant.

00:29:12.680 --> 00:29:14.750
JACK: That’s so frightening.

00:29:14.750 --> 00:29:21.710
ANDY: Yeah, I mean, it’s hard to get your head around the scale of this in physical

00:29:21.710 --> 00:29:22.710
terms.

00:29:22.710 --> 00:29:26.260
It’s interesting in part because we’ve always been scared, or I’ve always been

00:29:26.260 --> 00:29:31.570
scared of these attacks that directly interact with physical infrastructure like Stuxnet.

00:29:31.570 --> 00:29:35.049
Some of the Ukraine attacks were like that too, the ones that turned off the power and

00:29:35.049 --> 00:29:39.690
utilities, causing the first-ever blackouts caused by hackers.

00:29:39.690 --> 00:29:45.860
But it turns out that if you just destroy tens and tens of thousands of computers, just

00:29:45.860 --> 00:29:51.370
the computers around the world, you can maybe do more physical disruption just by taking

00:29:51.370 --> 00:29:54.270
out all of that digital equipment.

00:29:54.270 --> 00:30:00.039
The data alone, just paralyzing the brains of a corporation like Maersk can do more physical

00:30:00.039 --> 00:30:02.590
disruption than directly attacking the physical equipment.

00:30:02.590 --> 00:30:06.169
I don’t know if that’s an idea you really care about, but it’s…

00:30:06.169 --> 00:30:09.330
JACK: Yeah, it puts me in deep thought, this whole thing.

00:30:09.330 --> 00:30:14.090
Everything is on those shipping things, everywhere from diapers to food to medical supplies.

00:30:14.090 --> 00:30:15.159
ANDY: Yeah, yeah.

00:30:15.159 --> 00:30:16.310
What did their ships contain?

00:30:16.310 --> 00:30:21.570
It was just absolutely everything that the modern economy runs on, from manufacturing

00:30:21.570 --> 00:30:27.880
components to food, consumer goods that are part of a just-in-time supply chain.

00:30:27.880 --> 00:30:33.820
I mean, Maersk is really at the heart of the global economy and its operations just kind

00:30:33.820 --> 00:30:37.399
of instantaneously winked out of existence.

00:30:37.399 --> 00:30:42.350
JACK: Hearing this just reminds me about where we were in 2008.

00:30:42.350 --> 00:30:45.769
Certain banks were facing financial crisis in the US and they were deemed too big to

00:30:45.769 --> 00:30:48.980
fail because they were so integrated into our lives.

00:30:48.980 --> 00:30:52.929
The US government bailed them out, giving them billions of dollars to re-stabilize the

00:30:52.929 --> 00:30:53.929
nation.

00:30:53.929 --> 00:30:59.240
I’m starting to think that Maersk is also so interconnected into the US that they might

00:30:59.240 --> 00:31:00.740
also be too big to fail.

00:31:00.740 --> 00:31:06.710
Each ship has one million items on it, crucial items that we need in order to live, but as

00:31:06.710 --> 00:31:11.200
far as I know, the US government or any government did not help Maersk.

00:31:11.200 --> 00:31:16.260
Yeah, the FBI called them to investigate the case but that’s about it.

00:31:16.260 --> 00:31:20.419
Maersk could not solve this problem by themselves and the citizens of the US would suffer until

00:31:20.419 --> 00:31:22.760
Maersk could get back on their feet.

00:31:22.760 --> 00:31:27.130
Because not just the US; the whole world relies on deliveries from Maersk.

00:31:27.130 --> 00:31:29.710
They have shipping yards all over the planet.

00:31:29.710 --> 00:31:33.760
NotPetya had a clear global impact.

00:31:33.760 --> 00:31:35.580
Maersk absolutely needed help.

00:31:35.580 --> 00:31:41.309
Something like 49,000 of their computers were down worldwide which was 100% of the Windows

00:31:41.309 --> 00:31:43.370
computers they had in their network.

00:31:43.370 --> 00:31:45.210
100% of them.

00:31:45.210 --> 00:31:49.360
The only computers that weren’t encrypted were either Linux or Unix systems, or the

00:31:49.360 --> 00:31:53.870
ones that were down before this attack or were offline for this attack.

00:31:53.870 --> 00:31:58.380
Because their network would periodically sync to backups, all their backups and disaster

00:31:58.380 --> 00:32:00.679
recovery centers were wiped, too.

00:32:00.679 --> 00:32:02.370
Their e-mails were down, phones were down.

00:32:02.370 --> 00:32:05.650
You couldn’t even see your contact list on your mobile phone because that relied on

00:32:05.650 --> 00:32:07.309
Exchange being up.

00:32:07.309 --> 00:32:08.440
Maersk was in trouble.

00:32:08.440 --> 00:32:12.820
[MUSIC] It wasn’t clear to them at first who was threatening them or what, or why.

00:32:12.820 --> 00:32:16.740
There was so much chaos everywhere, you just didn’t know who all the victims were yet.

00:32:16.740 --> 00:32:21.169
But they called up Microsoft right away and spoke to someone very high up there to discuss

00:32:21.169 --> 00:32:22.340
options.

00:32:22.340 --> 00:32:26.490
Microsoft got busy trying to find solutions to this and they heard lots of complaints

00:32:26.490 --> 00:32:27.779
from other people, too.

00:32:27.779 --> 00:32:33.010
A few days later, they had some news; Microsoft called back Maersk and told them they cracked

00:32:33.010 --> 00:32:38.280
a decryption key to decrypt the ransomware but the bad news was they only cracked

00:32:38.280 --> 00:32:40.070
the decryption key for one computer.

00:32:40.070 --> 00:32:45.340
The other problem is that it took them 22,000 compute hours to crack that single key for

00:32:45.340 --> 00:32:47.059
one computer.

00:32:47.059 --> 00:32:51.019
Maersk had 49,000 computers so this wouldn’t work.

00:32:51.019 --> 00:32:54.630
There was no choice; Maersk had lost everything, with no help in sight.

00:32:54.630 --> 00:32:57.559
They didn’t seem to have any way to recover.

00:32:57.559 --> 00:33:00.059
Everything was gone, all backups, too.

00:33:00.059 --> 00:33:01.730
Ransomware was holding it all hostage.

00:33:01.730 --> 00:33:06.890
Now, I heard from a few places that Maersk got in contact with the hackers who made this

00:33:06.890 --> 00:33:11.419
ransomware and there was discussion about prices on it and how much it would cost to

00:33:11.419 --> 00:33:13.500
unlock all of Maersk’s computers.

00:33:13.500 --> 00:33:17.460
[00:35:00] This conversation went back and forth between the hackers and Maersk for a

00:33:17.460 --> 00:33:18.640
little while.

00:33:18.640 --> 00:33:22.889
The story goes that the hackers said themselves that they didn’t expect this to spread so

00:33:22.889 --> 00:33:24.360
far, so quickly.

00:33:24.360 --> 00:33:28.440
It sounds like even the hacker was impressed by how effective it was.

00:33:28.440 --> 00:33:32.400
Ultimately, Maersk decided not to pay for a number of reasons.

00:33:32.400 --> 00:33:37.490
For one, it paints a target on Maersk’s back as someone who pays ransoms but also,

00:33:37.490 --> 00:33:41.299
security researchers were suggesting that this isn’t ransomware; it’s a wiper

00:33:41.299 --> 00:33:45.390
and that even if you had the decryption keys, you’re not gonna get your data back.

00:33:45.390 --> 00:33:48.049
There was doubt that this could even be recovered this way.

00:33:48.049 --> 00:33:52.610
But more importantly, Maersk knew they needed to rebuild their network anyway.

00:33:52.610 --> 00:33:57.410
Even with decryption keys, they still needed to go through every computer, unlock it, reconfigure

00:33:57.410 --> 00:34:01.909
it, secure it, check it for any tampering or misconfigurations, and get it back to working

00:34:01.909 --> 00:34:02.990
again.

00:34:02.990 --> 00:34:06.930
They opted just to ignore the ransom and start from scratch.

00:34:06.930 --> 00:34:11.149
But still, this meant a lot of work to do.

00:34:11.149 --> 00:34:14.460
Where do you even start to recover a network this big?

00:34:14.460 --> 00:34:20.899
Well, stay with us because after the break, we’ll hear how they got their cargo moving

00:34:20.899 --> 00:34:23.220
again.

00:34:23.220 --> 00:34:27.879
Maersk was screwed without a functioning network so the only option they had was to rebuild

00:34:27.879 --> 00:34:31.970
everything from scratch, their entire network infrastructure.

00:34:31.970 --> 00:34:36.109
They hired Deloitte, a consulting company, to come and help them do incident response.

00:34:36.109 --> 00:34:41.020
ANDY: But they also set up their own emergency recovery center in this building outside of

00:34:41.020 --> 00:34:44.879
London in this town called Maidenhead.

00:34:44.879 --> 00:34:52.099
That building just was swarming with everyone who vaguely worked in IT for Maersk anywhere

00:34:52.099 --> 00:34:59.089
in the world who were all kind of shipped in within days to work 24/7, more or less,

00:34:59.089 --> 00:35:01.300
to rebuild Maersk’s global network.

00:35:01.300 --> 00:35:04.720
JACK: Because everyone’s computers weren’t working and they wanted to get people stood

00:35:04.720 --> 00:35:09.800
up again quickly, they came up with a few different plans to get everyone back online.

00:35:09.800 --> 00:35:15.190
They decided to deploy USB sticks to employees with operating systems installed.

00:35:15.190 --> 00:35:20.270
With this, the IT team could stick a bootable operating system on a USB drive, then hand

00:35:20.270 --> 00:35:24.530
it to an employee, and they could just boot to the USB drive and have a working computer.

00:35:24.530 --> 00:35:27.400
Of course, it doesn’t have all their stuff, but at least it’s something.

00:35:27.400 --> 00:35:31.780
If that computer went down, they could just grab a new USB stick and boot up, and they’re

00:35:31.780 --> 00:35:32.780
online again.

00:35:32.780 --> 00:35:35.620
It’s a quick band-aid to get some systems back up.

00:35:35.620 --> 00:35:40.099
It’s a good idea, so Maersk tried to buy three thousand USB drives.

00:35:40.099 --> 00:35:44.910
But this was a problem because even big-box stores like Staples or Best Buy, they only

00:35:44.910 --> 00:35:48.060
have a couple dozen in stock and they needed thousands.

00:35:48.060 --> 00:35:52.270
They quickly wiped the USB supply of anyone who was willing to sell it to them, and then

00:35:52.270 --> 00:35:56.200
they began buying directly from the manufacturer to get them in bulk.

00:35:56.200 --> 00:35:58.170
How long is that gonna take, right?

00:35:58.170 --> 00:36:00.170
Days? Weeks?

00:36:00.170 --> 00:36:03.580
This was slowly getting individual users back online but they still needed to rebuild the

00:36:03.580 --> 00:36:07.210
entire IT infrastructure, all the servers and stuff.

00:36:07.210 --> 00:36:11.680
ANDY: As Maersk started that recovery process, really throwing everything they had into that

00:36:11.680 --> 00:36:16.580
Maidenhead building where people were trying to rebuild their network from scratch, the

00:36:16.580 --> 00:36:21.360
very first hurdle that they encountered was that they didn’t have a backup copy of their

00:36:21.360 --> 00:36:27.290
domain controllers which are a kind of core backbone of their network.

00:36:27.290 --> 00:36:31.730
[MUSIC] Maersk has more than a hundred domain controllers and each of them is designed to

00:36:31.730 --> 00:36:35.720
kind of backup to each other.

00:36:35.720 --> 00:36:39.190
If one goes down, it’s no big deal because it’s backed up to all the other ones.

00:36:39.190 --> 00:36:44.150
It’s this massive redundancy system but what they hadn’t planned for is a situation

00:36:44.150 --> 00:36:47.450
where every single domain controller is wiped at the same time.

00:36:47.450 --> 00:36:49.520
That is exactly what NotPetya did.

00:36:49.520 --> 00:36:54.050
JACK: All of their domain controllers were ruined, wiped, destroyed.

00:36:54.050 --> 00:36:55.599
It was catastrophic.

00:36:55.599 --> 00:37:00.060
This is the heart of the network, the thing that knows everyone’s profile and logins,

00:37:00.060 --> 00:37:03.190
and passwords, and permissions, and so, so much more.

00:37:03.190 --> 00:37:04.950
[00:40:00] It was totally gone.

00:37:04.950 --> 00:37:10.440
Now, typically, you’re gonna have backups for this and they did have backups and redundancy,

00:37:10.440 --> 00:37:15.840
but this worm infected their backups and redundant domain controllers too, so they were gone.

00:37:15.840 --> 00:37:20.650
Maybe in a company this big, you might want to do some sort of weekly snapshot and then

00:37:20.650 --> 00:37:25.740
take that snapshot to some offsite location so in case something like this does happen,

00:37:25.740 --> 00:37:29.630
you can at least go back a week and get something from there.

00:37:29.630 --> 00:37:34.560
But it didn’t seem like they had any of this and they were stuck with pretty much

00:37:34.560 --> 00:37:35.950
no network.

00:37:35.950 --> 00:37:40.420
ANDY: These frantic IT administrators are calling around to every Maersk facility everywhere

00:37:40.420 --> 00:37:43.720
in the world looking for any backup of the domain controllers.

00:37:43.720 --> 00:37:49.720
They finally found it in one place; it was in a datacenter in Ghana that had experienced

00:37:49.720 --> 00:37:57.589
electrical blackouts, just a normal loss of electricity, but the result was that that

00:37:57.589 --> 00:38:00.250
one domain controller had had its data preserved.

00:38:00.250 --> 00:38:03.880
It hadn’t been infected by NotPetya ’cause it wasn’t online.

00:38:03.880 --> 00:38:08.420
JACK: One domain controller in Ghana is still working.

00:38:08.420 --> 00:38:12.900
This could be the domain controller that could help stand up all of Maersk’s network.

00:38:12.900 --> 00:38:19.270
It became a critical mission to get this domain controller to the disaster recovery center.

00:38:19.270 --> 00:38:23.320
ANDY: They had to get that data from Ghana to Maidenhead.

00:38:23.320 --> 00:38:28.670
They first tried to set up a secure remote connection but the bandwidth of the Ghanaian

00:38:28.670 --> 00:38:34.640
data center wasn’t fast enough so they tried to fly someone from Ghana to London, but the

00:38:34.640 --> 00:38:39.240
Ghanaians didn’t have the right visas, so they had to do this kind of crazy relay race

00:38:39.240 --> 00:38:44.030
thing where people flew from London to Nigeria.

00:38:44.030 --> 00:38:48.240
The Ghanaians flew to Nigeria too, and they handed off the data on some sort of physical

00:38:48.240 --> 00:38:52.599
medium and then carried it back to London, drove to Maidenhead, and that was the beginning

00:38:52.599 --> 00:38:57.510
of this weeks and ultimately months-long process of rebuilding Maersk’s network.

00:38:57.510 --> 00:39:04.020
JACK: With this one domain controller, they were able to start restoring the network.

00:39:04.020 --> 00:39:05.480
Phew.

00:39:05.480 --> 00:39:07.470
Maersk needed even more help, though.

00:39:07.470 --> 00:39:11.700
They didn’t have a functioning network so they asked partners and clients if they could

00:39:11.700 --> 00:39:13.190
use their network.

00:39:13.190 --> 00:39:17.900
But of course, nobody wanted Maersk on their network since Maersk had a horrible virus.

00:39:17.900 --> 00:39:23.359
Maersk tried hiring more IT people but they couldn’t find anyone qualified or available,

00:39:23.359 --> 00:39:27.569
so they called up whatever companies that were partners and clients and friends of theirs

00:39:27.569 --> 00:39:30.700
and asked could they just hire their IT staff?

00:39:30.700 --> 00:39:32.550
These companies were like, no.

00:39:32.550 --> 00:39:37.470
But they did loan out a few of the IT staff to Maersk; forty engineers, analysts, and

00:39:37.470 --> 00:39:43.400
IT experts were loaned to Maersk and flown in to help recover the network.

00:39:43.400 --> 00:39:49.119
After about nine days of working on it 24/7, they were able to have a functioning network

00:39:49.119 --> 00:39:50.119
again.

00:39:50.119 --> 00:39:55.220
This ultimately cost Maersk 350 million dollars.

00:39:55.220 --> 00:39:59.050
That’s just the story of how Maersk handled this problem.

00:39:59.050 --> 00:40:03.240
There were over three hundred other organizations that were also hit.

00:40:03.240 --> 00:40:06.550
ANDY: It would hit pretty much every Ukrainian government agency.

00:40:06.550 --> 00:40:13.470
The Minister of Infrastructure, Volodymyr Omelyan, told me that the government was dead

00:40:13.470 --> 00:40:16.050
and it spread to the postal service.

00:40:16.050 --> 00:40:20.460
The entire postal service of Ukraine shut down which includes all of their payment systems

00:40:20.460 --> 00:40:26.240
for sending money, their functions for handing out pensions to people in the country, newspaper

00:40:26.240 --> 00:40:27.240
delivery.

00:40:27.240 --> 00:40:30.080
JACK: But there’s also 74,000 employees at the post office.

00:40:30.080 --> 00:40:33.660
How are those checks going to be issued when all the computers are down?

00:40:33.660 --> 00:40:37.530
Ukraine’s Ministry of Health thought they were going to be infected so they just unplugged

00:40:37.530 --> 00:40:42.470
their entire network, forcing themselves to go down which is unthinkable; to unplug yourself

00:40:42.470 --> 00:40:43.560
on purpose.

00:40:43.560 --> 00:40:50.839
ANDY: Twenty-two banks were shut down by NotPetya, six power companies, two airports, four hospitals

00:40:50.839 --> 00:40:59.300
in Kiev alone, the card payment systems in the metro in Kiev and other cities, all of

00:40:59.300 --> 00:41:00.700
the ATMs across the country.

00:41:00.700 --> 00:41:05.760
This was the kind of, I don’t know what you would call it, a kind of full-spectrum

00:41:05.760 --> 00:41:11.800
cyber-war that had really never been seen anywhere else before and it hit Ukraine at

00:41:11.800 --> 00:41:12.800
a national scale.

00:41:12.800 --> 00:41:18.780
JACK: This was a national disaster, an epidemic that caused panic and chaos everywhere.

00:41:18.780 --> 00:41:27.200
Yeah, this is an intentional man-made disaster, an attack that someone wanted to inflict on

00:41:27.200 --> 00:41:29.369
the country of Ukraine.

00:41:29.369 --> 00:41:36.980
Yeah, I think this is a cyber-war which is the first time I’ve ever admitted to saying

00:41:36.980 --> 00:41:38.730
that myself.

00:41:38.730 --> 00:41:47.470
ANDY: [MUSIC] About a week after NotPetya hit, vans full of these militarized Ukrainian

00:41:47.470 --> 00:41:56.480
police pulled up to the Linkos Group headquarters and poured out into the building, up the stairs

00:41:56.480 --> 00:42:01.589
as if they were raiding the Bin Laden compound, pointing semi-automatic rifles at staff, kicking

00:42:01.589 --> 00:42:02.849
down a door.

00:42:02.849 --> 00:42:08.820
[00:45:00] It was all to grab this one server on the third floor of the building that had

00:42:08.820 --> 00:42:13.730
been, in some ways, the genesis of the NotPetya attack.

00:42:13.730 --> 00:42:18.930
But of course, what’s very ironic about that is that it was not the genesis of the

00:42:18.930 --> 00:42:20.800
attack; it was just an instrument of it.

00:42:20.800 --> 00:42:26.700
The real source of that attack was somewhere far away across the internet, ultimately,

00:42:26.700 --> 00:42:30.770
almost certainly in Moscow, hundreds of miles from Kiev.

00:42:30.770 --> 00:42:35.589
JACK: Ah, yes, now we get into the who would do such a thing part of our story.

00:42:35.589 --> 00:42:40.000
Andy here thinks it’s Moscow but that’s no easy conclusion to get to.

00:42:40.000 --> 00:42:42.369
Just because Russia and Ukraine are enemies isn’t enough.

00:42:42.369 --> 00:42:44.550
You need more evidence than just that.

00:42:44.550 --> 00:42:47.350
I mean, it might have just been a criminal group of hackers.

00:42:47.350 --> 00:42:52.570
An investigation began on trying to find out what the evidence was behind who did this.

00:42:52.570 --> 00:42:56.700
Of course, that Linkos Group server and their network was analyzed to see what the intrusion

00:42:56.700 --> 00:42:57.700
there looked like.

00:42:57.700 --> 00:43:00.090
Were there any clues left behind with that?

00:43:00.090 --> 00:43:01.500
How did they get in?

00:43:01.500 --> 00:43:04.880
The virus was also analyzed to see if any notes were left on there.

00:43:04.880 --> 00:43:08.750
Maybe some comments or variable names or documentation might give us a clue.

00:43:08.750 --> 00:43:13.309
The virus was analyzed over and over and you can also look at compile times.

00:43:13.309 --> 00:43:15.490
At what time of day was the virus made?

00:43:15.490 --> 00:43:19.500
Like, 1:00 p.m. in Moscow is 5:00 a.m. in the US.

00:43:19.500 --> 00:43:22.740
All these things are worth investigation and writing down.

00:43:22.740 --> 00:43:30.329
ANDY: [MUSIC] Within days of NotPetya hitting, the Slovakian cyber-security firm ESET had

00:43:30.329 --> 00:43:35.240
started to pull together forensic evidence that tied NotPetya to the earlier waves of

00:43:35.240 --> 00:43:40.040
attacks against Ukraine that included the data-destructive attacks against Ukrainian

00:43:40.040 --> 00:43:46.020
companies and government agencies and the blackout attacks that had hit in late 2015,

00:43:46.020 --> 00:43:47.020
late 2016.

00:43:47.020 --> 00:43:50.309
Those attacks, in turn, had been tied to this group Sandworm.

00:43:50.309 --> 00:43:55.619
JACK: The security company ESET got ahold of a copy of NotPetya and studied it extensively.

00:43:55.619 --> 00:44:00.839
They published a report showing all of the evidence that ties this to Sandworm.

00:44:00.839 --> 00:44:07.431
ANDY: Sandworm, this little company iSIGHT Partners had found in 2014, had a Russian

00:44:07.431 --> 00:44:12.740
language how-to manual for using their trojan on an open directory of their command and

00:44:12.740 --> 00:44:13.740
control server.

00:44:13.740 --> 00:44:19.650
If you follow that forensic line all the way back to 2014, it’s pretty clear, first of

00:44:19.650 --> 00:44:24.600
all, that who else is gonna be attacking Ukraine for years on end other than the country that

00:44:24.600 --> 00:44:29.230
has also launched a physical invasion into the east of the country and seized Crimea?

00:44:29.230 --> 00:44:35.160
That’s just common sense but also, we know that this group was Russian-speaking because

00:44:35.160 --> 00:44:39.250
of that file found on the open directory.

00:44:39.250 --> 00:44:43.619
Within days of NotPetya, it was pretty clear to me that this was part of the larger Russian

00:44:43.619 --> 00:44:48.410
cyber-war against Ukraine; that this was not a criminal act, that it was in fact the climax

00:44:48.410 --> 00:44:55.680
of a nation state-sponsored, escalating series of cyber-attacks against a military target.

00:44:55.680 --> 00:45:01.660
For almost nine months I was kind of going crazy trying to understand why none of these

00:45:01.660 --> 00:45:06.569
victims were naming Russia; no government had actually named Russia, NATO had not said

00:45:06.569 --> 00:45:07.760
anything.

00:45:07.760 --> 00:45:12.250
It was weird enough that we had watched this Russian cyber-war unfold in Ukraine for years

00:45:12.250 --> 00:45:16.120
but now it had even hit these multinational companies, many of which were based in the

00:45:16.120 --> 00:45:24.440
west, and still nobody was calling out Russia for this worst-ever-in-history cyber-attack.

00:45:24.440 --> 00:45:29.990
Until finally, nine months after NotPetya hit, the White House put out a statement,

00:45:29.990 --> 00:45:34.690
a very, very short statement that just said yes, NotPetya was the worst cyber-attack in

00:45:34.690 --> 00:45:39.740
history and it was deployed by the Russian military against Ukraine and that there will

00:45:39.740 --> 00:45:41.710
be consequences.

00:45:41.710 --> 00:45:46.740
That statement was in turn backed up with similar statements from all the four other

00:45:46.740 --> 00:45:52.540
Five Eyes, English-speaking nations’ intelligence agencies.

00:45:52.540 --> 00:45:56.770
The US, Canada, New Zealand, Australia, and the UK all simultaneously called out Russia

00:45:56.770 --> 00:45:58.950
as the perpetrator of NotPetya.

00:45:58.950 --> 00:46:03.460
There are still people, and in particular Russians, who question whether NotPetya was

00:46:03.460 --> 00:46:10.750
really a Russian state act but I don’t think we’ve ever had all five Five Eyes agree

00:46:10.750 --> 00:46:13.150
publicly to call out someone like this before.

00:46:13.150 --> 00:46:16.020
I don’t think there’s really much room for doubt.

00:46:16.020 --> 00:46:20.430
JACK: The FBI also did their own investigation working with some of these international companies

00:46:20.430 --> 00:46:22.680
and Ukrainian companies to learn more.

00:46:22.680 --> 00:46:28.710
But still today, we have no idea what the FBI found in their investigation but for Andy,

00:46:28.710 --> 00:46:34.690
he wanted to learn more about what happened there, so he packed his bags and flew to Ukraine

00:46:34.690 --> 00:46:35.800
to investigate.

00:46:35.800 --> 00:46:43.109
ANDY: [MUSIC] When I was in Ukraine, I talked to the SBU, the Ukrainian equivalent of the

00:46:43.109 --> 00:46:52.400
NSA, and they had told me flat-out that Sandworm was Fancy Bear, APT28, this other Russian

00:46:52.400 --> 00:47:00.030
hacker group that had been named for years as linked to the GRU, Russia’s military

00:47:00.030 --> 00:47:01.819
intelligence agency.

00:47:01.819 --> 00:47:06.790
I had suspected for a long time, and I’ve heard this from American sources

00:47:06.790 --> 00:47:12.630
too, but it was kind of unsubstantiated that Sandworm was likely the GRU and they were

00:47:12.630 --> 00:47:18.020
the most likely candidate because they’re part of Russia’s military, Russia’s military

00:47:18.020 --> 00:47:22.220
was invading Ukraine, the GRU had been very active in that invasion.

00:47:22.220 --> 00:47:27.330
But when the Five Eyes said that the Russian military had carried out NotPetya, that for

00:47:27.330 --> 00:47:29.440
me was ultimately the confirmation.

00:47:29.440 --> 00:47:35.720
I should give some credit here also to the Washington Post who, in a story before that

00:47:35.720 --> 00:47:39.340
announcement, said simply that NotPetya was carried out by the GRU.

00:47:39.340 --> 00:47:43.060
JACK: The GRU is Russia’s military intelligence agency.

00:47:43.060 --> 00:47:45.750
Within the GRU are hackers.

00:47:45.750 --> 00:47:52.069
In fact, the FBI has indicted twelve GRU hackers for meddling with the 2016 US election for

00:47:52.069 --> 00:47:53.570
hacking into the DNC.

00:47:53.570 --> 00:47:57.750
Robert Mueller is who brought this indictment forward and I read through it; it’s twenty-six

00:47:57.750 --> 00:48:03.470
pages and it explains a lot of details about the GRU and how they hacked the 2016 election.

00:48:03.470 --> 00:48:07.270
It even lists the street address of where these hackers work out of.

00:48:07.270 --> 00:48:11.900
It’s a fascinating read but so far nobody has been indicted for NotPetya and there’s

00:48:11.900 --> 00:48:14.000
been no FBI report for that, either.

00:48:14.000 --> 00:48:21.030
The GRU hackers behind the 2016 election hacking, that hacking group has been called Fancy Bear

00:48:21.030 --> 00:48:25.490
but this group that did NotPetya, something was a little different here.

00:48:25.490 --> 00:48:32.500
It didn’t have the same MO as Fancy Bear so a different name was given to them: Sandworm.

00:48:32.500 --> 00:48:34.240
It might be the same group as Fancy Bear.

00:48:34.240 --> 00:48:35.339
We don’t know.

00:48:35.339 --> 00:48:39.319
My guess is that it’s another hacker team just down the hall from Fancy Bear, or on

00:48:39.319 --> 00:48:42.849
another floor working in the same building as Fancy Bear.

00:48:42.849 --> 00:48:47.589
But what we believe is that both Sandworm and Fancy Bear are hacking groups both working

00:48:47.589 --> 00:48:51.100
for Russia’s GRU in Moscow.

00:48:51.100 --> 00:48:54.980
With the address in hand from the earlier indictment, Andy decided to take a trip to

00:48:54.980 --> 00:48:56.970
Moscow to learn more.

00:48:56.970 --> 00:49:00.830
He went right up to the tower that GRU works out of and looked at it.

00:49:00.830 --> 00:49:08.770
ANDY: When I went to Moscow and stood there in the shadow of the tower, this glass building

00:49:08.770 --> 00:49:17.880
on the Moscow canal in northern Moscow that maybe I believed housed Sandworm, the hackers

00:49:17.880 --> 00:49:24.610
responsible for all of this destruction, I had a feeling of futility; that I was so close

00:49:24.610 --> 00:49:30.839
physically to the perpetrators of these attacks and yet I wasn’t gonna get any closer.

00:49:30.839 --> 00:49:37.691
Just as distance had not been a kind of defense against NotPetya, proximity wasn’t really

00:49:37.691 --> 00:49:40.859
enough to bring me any closer to these attackers.

00:49:40.859 --> 00:49:46.270
They were behind a locked gate with armed security guards.

00:49:46.270 --> 00:49:49.280
I knew that I couldn’t just ask for an interview.

00:49:49.280 --> 00:49:53.320
As close as I was to these hackers, that was kind of the end of the story for me and I

00:49:53.320 --> 00:49:58.579
don’t know if I will ever get any closer.

00:49:58.579 --> 00:50:10.630
JACK: [MUSIC] The estimated damages from this attack totaled ten billion dollars.

00:50:10.630 --> 00:50:13.750
This is why this is the largest cyber-attack in history.

00:50:13.750 --> 00:50:17.170
No attack has come close to this amount of damage ever.

00:50:17.170 --> 00:50:21.470
Ten billion dollars; this was catastrophic, enormous.

00:50:21.470 --> 00:50:25.260
It set new records and was very scary.

00:50:25.260 --> 00:50:29.690
It’s scary that all this was done with hacking tools that anyone had access to.

00:50:29.690 --> 00:50:33.180
There was no super-secret hacking tool used here.

00:50:33.180 --> 00:50:37.910
Mimikatz is open-source for anyone to use and EternalBlue was dumped by the Shadow Brokers

00:50:37.910 --> 00:50:40.170
just six months before.

00:50:40.170 --> 00:50:43.250
You could slap any good ransomware on top of it and there you go.

00:50:43.250 --> 00:50:49.260
But wait a minute, this makes me think if Russia were the ones behind Shadow Brokers

00:50:49.260 --> 00:50:54.540
and Russia’s the one that did NotPetya, then why wouldn’t they just keep EternalBlue

00:50:54.540 --> 00:50:55.710
to themselves?

00:50:55.710 --> 00:51:00.020
I wondered this and asked Jake Williams from the last episode.

00:51:00.020 --> 00:51:05.589
Why would they give away EternalBlue and then use it to hack Ukraine, right?

00:51:05.589 --> 00:51:06.589
You would keep that.

00:51:06.589 --> 00:51:08.349
JAKE: Oh, see, I disagree with that.

00:51:08.349 --> 00:51:11.839
I’ve thought a lot about this as well.

00:51:11.839 --> 00:51:17.720
You know, if you look at the NotPetya attack, I’m not sure that when – a couple things;

00:51:17.720 --> 00:51:23.290
first off, I’m positive that they got better return on investment if it wasn’t information

00:51:23.290 --> 00:51:27.480
operation releasing it and then using it than they would have just using it as an 0-day.

00:51:27.480 --> 00:51:32.710
I think as an 0-day it would have caused absolute panic and honestly the damage from it would

00:51:32.710 --> 00:51:35.609
have been so much more outside of Ukraine.

00:51:35.609 --> 00:51:41.840
I personally don’t believe that the Russians anticipated the level of damage outside of

00:51:41.840 --> 00:51:43.130
Ukraine that actually occurred.

00:51:43.130 --> 00:51:46.880
Honestly, I don’t think the InfoSec community did, either.

00:51:46.880 --> 00:51:51.540
I think that the why did they use it down the road was out there.

00:51:51.540 --> 00:51:54.040
Why give it up in the first place?

00:51:54.040 --> 00:51:58.240
I think a couple things; first off, I have no doubt that they have a similar capability

00:51:58.240 --> 00:52:04.349
or we said at the time, had a similar capability remotely exploited with SMB vulnerability.

00:52:04.349 --> 00:52:05.349
I think that’s one.

00:52:05.349 --> 00:52:08.631
JACK: Oh, that’s an interesting – I got your theory right away on that, ‘cause if

00:52:08.631 --> 00:52:13.600
they publicly post it, then they don’t have to expose their zero-day but they can

00:52:13.600 --> 00:52:15.329
expose NSA’s zero-day.

00:52:15.329 --> 00:52:17.400
JAKE: Exactly, exactly.

00:52:17.400 --> 00:52:23.250
Separately from that, they take out – suppose that in April when they go to release this,

00:52:23.250 --> 00:52:25.480
they don’t know that they’re gonna do NotPetya, right?

00:52:25.480 --> 00:52:29.770
I think that’s actually, I have to tell you, I think that that’s a reasonable assertion

00:52:29.770 --> 00:52:31.890
at that point.

00:52:31.890 --> 00:52:33.349
I think they know they’re gonna do something.

00:52:33.349 --> 00:52:36.590
I don’t think anybody’s got – I know, at that point, I think it’s clear they know

00:52:36.590 --> 00:52:41.080
they’re doing a destructive cyber-attack around MeDoc in Ukraine but I don’t think

00:52:41.080 --> 00:52:42.910
it’s clear they’re gonna worm anything.

00:52:42.910 --> 00:52:47.339
I don’t think that was ever part of the decision calculus for release.

00:52:47.339 --> 00:52:51.980
But taking NotPetya completely out of it for a minute; if you are a nation state operation,

00:52:51.980 --> 00:52:58.069
so roll back to the blog post that I was pushing where I was like hey, it is likely – basically,

00:52:58.069 --> 00:53:03.810
whoever this is, is operating in the interest of Russia where they are effectively shutting

00:53:03.810 --> 00:53:10.750
down or – I say shutting down; they’re effectively taking control of the InfoSec/technology

00:53:10.750 --> 00:53:12.809
news cycle with these releases.

00:53:12.809 --> 00:53:16.970
JACK: Hm, besides that, it throws NSA into chaos, right?

00:53:16.970 --> 00:53:21.740
As soon as Shadow Brokers dumps their stuff, there has to be a mad scramble at NSA to try

00:53:21.740 --> 00:53:25.190
to look around at what got dumped and who did it and why and what.

00:53:25.190 --> 00:53:30.579
At the same time, it makes NSA look bad which gives the GRU some top cover to move into

00:53:30.579 --> 00:53:35.410
position and stage a massive attack while the world was dealing with EternalBlue.

00:53:35.410 --> 00:53:40.000
[MUSIC] Gosh, what a future we have set for ourselves, because I don’t think the world

00:53:40.000 --> 00:53:41.310
has learned from this lesson.

00:53:41.310 --> 00:53:45.960
There are still hundreds of thousands of Windows computers still vulnerable to EternalBlue

00:53:45.960 --> 00:53:47.599
out there right now.

00:53:47.599 --> 00:53:50.250
You can just update this any moment and protect yourself.

00:53:50.250 --> 00:53:54.730
But Microsoft, Microsoft still hasn’t patched Mimikatz.

00:53:54.730 --> 00:53:56.470
I mean, they have, okay?

00:53:56.470 --> 00:54:00.579
They’ve fixed it but more people just find more flaws in the authentication of Windows

00:54:00.579 --> 00:54:02.540
and Mimikatz works again.

00:54:02.540 --> 00:54:05.130
From what I’ve been told, this will never be fixed.

00:54:05.130 --> 00:54:07.960
Not that Microsoft isn’t working hard on it; they are.

00:54:07.960 --> 00:54:09.819
They release fixes all the time.

00:54:09.819 --> 00:54:14.280
They’ve created this tool called the Microsoft Windows Credential Guard which protects against

00:54:14.280 --> 00:54:15.280
this.

00:54:15.280 --> 00:54:17.750
But if that’s the case, then why isn’t that enabled by default?

00:54:17.750 --> 00:54:22.390
Or why can’t the defaults just be secure and then a system admin is the one who has

00:54:22.390 --> 00:54:24.820
to click the button to make it insecure?

00:54:24.820 --> 00:54:27.520
Insecure by default is never a solution.

00:54:27.520 --> 00:54:31.531
The reason why Mimikatz isn’t just fixed once and for all is because there’s something

00:54:31.531 --> 00:54:35.680
inherently flawed with the way Windows authentication works just as a whole.

00:54:35.680 --> 00:54:40.450
It’s like every door or window in your house; these are the weak points by design because

00:54:40.450 --> 00:54:44.180
they’re literally holes in your house that things can go in and out of.

00:54:44.180 --> 00:54:48.950
Mimikatz just makes me really mad because it’s still a problem and it was used in

00:54:48.950 --> 00:54:53.410
this attack that brought down Ukraine and cost the world ten billion dollars.

00:54:53.410 --> 00:54:59.260
I mean, is there a scenario that’s so devastating to the world that somebody finally does something

00:54:59.260 --> 00:55:01.829
about Windows authentication to make it secure?

00:55:01.829 --> 00:55:05.260
I don’t know, and this is what really makes me mad.

00:55:05.260 --> 00:55:07.530
Aah! I will not fear.

00:55:07.530 --> 00:55:09.400
Fear is the mind-killer.

00:55:09.400 --> 00:55:13.510
I will let this pass over me.

00:55:13.510 --> 00:55:19.940
Okay, so while this is the story of NotPetya, it’s just a small part of the story.

00:55:19.940 --> 00:55:24.220
Andy Greenberg, our guest in this episode, just published this book called Sandworm which

00:55:24.220 --> 00:55:26.319
goes into great detail about it.

00:55:26.319 --> 00:55:30.510
I mean, the guy flew to Ukraine and Moscow to get to the bottom of all this.

00:55:30.510 --> 00:55:35.170
This is not the only cyber-attack Russia has done to Ukraine; the book outlines so many

00:55:35.170 --> 00:55:40.460
more attacks that are equally as serious and scary you should be aware of.

00:55:40.460 --> 00:55:45.630
In fact, I want to say that this episode only covered like, a fifth of the book, so go get

00:55:45.630 --> 00:55:51.270
Sandworm in any bookstore right now, or get the audiobook and dive in and enjoy because

00:55:51.270 --> 00:56:31.619
it’s fantastic.

00:56:31.619 --> 00:58:28.420
JACK (OUTRO): [OUTRO MUSIC] A big

00:58:28.420 --> 00:58:30.000
thank you to Andy Greenberg.

00:58:30.000 --> 00:58:33.369
Your book is amazing, the story is amazing, and I appreciate all the research you’ve

00:58:33.369 --> 00:58:41.800
done and coming on the show to tell us this story.

00:58:41.800 --> 00:58:47.540
To learn more about Andy, visit andygreenberg.net or find him on Twitter as @a_greenberg.

00:58:47.540 --> 00:58:52.119
I’ll also have affiliate links to the Sandworm book in the show notes.

00:58:52.119 --> 00:58:54.250
Thanks to Jake Williams once again.

00:58:54.250 --> 00:58:57.190
This show is made by me, Harkonnen, Jack Rhysider.

00:58:57.190 --> 00:59:02.089
Sound design was done by the dual-eared Andrew Meriwether, editing help this episode by the

00:59:02.089 --> 00:59:07.240
clip-happy Damienne, and our theme music is by the bouncing Breakmaster Cylinder.

00:59:07.240 --> 00:59:11.319
Even though people turn off their phone, yank the battery out, and go sit in that corner

00:59:11.319 --> 00:59:23.490
of their house that gets no WiFi every time I say it, this is Darknet Diaries.
