WEBVTT

00:00:00.000 --> 00:00:08.040
JACK: Imagine James Bond. [MUSIC] Before Bond goes on a mission he gets some vital equipment from Q.

00:00:08.040 --> 00:00:13.920
On one mission he got a special ring that had a way to emit at ultra-high frequency which when

00:00:13.920 --> 00:00:20.280
put up to a window, shattered the glass. On this mission, Bond snuck into North Korea undetected

00:00:20.280 --> 00:00:27.390
but imagine what kind of consequences there would be if he lost the ring while in North Korea? If

00:00:27.390 --> 00:00:31.230
the North Korean government found the ring they would analyze it and they would discover its

00:00:31.230 --> 00:00:36.210
cutting-edge technology and possibly be able to reproduce that technology for themselves,

00:00:36.210 --> 00:00:41.580
essentially putting the technology in the wrong hands. When analyzing the ring, they may even

00:00:41.580 --> 00:00:47.010
be able to track down its origins to MI5. This would mean that just by finding the ring alone,

00:00:47.010 --> 00:00:52.440
North Korea could deduce that there was a British spy in their country. This could cause numerous

00:00:52.440 --> 00:00:58.050
problems, maybe even a war. In the internet world where governments hack other governments,

00:00:58.050 --> 00:01:02.040
it’s crucial to not let the enemy know you’re there or capture your

00:01:02.040 --> 00:01:06.660
hacking techniques ‘cause if they do, it could have devastating consequences.

00:01:06.660 --> 00:01:13.550
JACK (INTRO): [INTRO MUSIC] This is Darknet Diaries, true stories

00:01:13.550 --> 00:01:20.360
from the dark side of the internet. I’m Jack Rhysider. [INTRO MUSIC ENDS]

00:01:20.360 --> 00:01:26.420
JACK: Guys, guys, listen. This episode is pretty serious. It makes all other episodes seem like

00:01:26.420 --> 00:01:31.940
child’s play to me. I’m even nervous to tell it. I don’t think I’m on any FBI watch-lists now but

00:01:31.940 --> 00:01:36.740
I probably will be after this episode. Let me ask you this; who is the most sophisticated

00:01:36.740 --> 00:01:43.400
hacking team in the world? It’s a team comprised of graduates from MIT and Carnegie Mellon, a team

00:01:43.400 --> 00:01:47.990
that has created the most cutting-edge hacking tools, a team that can utilize an almost unlimited

00:01:47.990 --> 00:01:52.670
amount of resources. Resources like language interpreters, huge data centers, and super

00:01:52.670 --> 00:01:57.800
computers, a team that has a history of creating encryption methods and building the internet.

00:01:57.800 --> 00:02:04.880
Yes, the hacking groups that are inside government agencies, otherwise known as Nation State Actors.

00:02:04.880 --> 00:02:09.380
Most of what they do is considered top secret, so getting one of them to talk on this show is

00:02:09.380 --> 00:02:14.720
a very special privilege. Nation State Actors are an exceptional group of hackers because they

00:02:14.720 --> 00:02:20.090
essentially have a license to hack. They work without the fear of legal retribution. They are

00:02:20.090 --> 00:02:25.070
often tasked with stealing secrets or disrupting the target through connected networks. It’s

00:02:25.070 --> 00:02:30.200
important that all of what they do goes entirely under the radar and is invisible to the target.

00:02:30.200 --> 00:02:35.150
Don’t ask me how I found this and don’t ask me who, but on this episode we will hear a story from

00:02:35.150 --> 00:02:40.010
a person who has been in the innermost bowels of one of the most elite hacking teams in the world.

00:02:40.010 --> 00:02:44.660
NSA: Yeah, I spent almost fifteen years with the US government running offensive

00:02:44.660 --> 00:02:48.080
cyber operations so I have many, many stories.

00:02:48.080 --> 00:02:51.590
JACK: The only way they would agree to be interviewed for this show was if I kept them

00:02:51.590 --> 00:02:55.820
anonymous and disguised their voice, so what you’ll hear is actually a voice actor reading

00:02:55.820 --> 00:03:00.290
the transcript of the conversation I had with them. You might wonder whether their story is

00:03:00.290 --> 00:03:03.740
true or not, and I’ll tell you what I know. I’ve been an InfoSec professional for over

00:03:03.740 --> 00:03:08.630
ten years and at one point, my employer sent me to a Threat Intelligence Training. There I

00:03:08.630 --> 00:03:12.170
learned all kinds of tactics, techniques, and procedures that some of the most sophisticated

00:03:12.170 --> 00:03:17.300
hackers use. While listening to this person tell their story, the tactics, techniques,

00:03:17.300 --> 00:03:21.620
and procedures they use match up exactly with what I learned in class. I can vouch

00:03:21.620 --> 00:03:26.630
for that part being true, but for the rest of the story, I don’t know. I’ll let you decide.

00:03:26.630 --> 00:03:31.750
[MUSIC] But you’ll need some additional information. Pretty much all governments

00:03:31.750 --> 00:03:36.100
have an Intelligence Department. The US has the Central Intelligence Agency and the National

00:03:36.100 --> 00:03:40.450
Security Agency and others. The goal of the Intelligence Department is to get information on

00:03:40.450 --> 00:03:45.520
enemies regarding threats to the nation. This is done in the name of national security. In short,

00:03:45.520 --> 00:03:50.770
governments spy on each other. This shouldn’t be news to you. It’s been happening for centuries. In

00:03:50.770 --> 00:03:56.140
the past spies would go undercover and physically break into places to extract secret data. They

00:03:56.140 --> 00:04:01.270
were highly trained at being stealthy, being able to escape and evade, and are often excellent

00:04:01.270 --> 00:04:07.150
drivers. But now the governments rely on computers to communicate, store data, and create plans.

00:04:07.150 --> 00:04:12.070
This exposes a whole new attack surface. Instead of physically breaking into

00:04:12.070 --> 00:04:17.020
a building to steal documents, hackers can steal documents from the other side of the globe. They

00:04:17.020 --> 00:04:22.090
do this to learn about an upcoming attack, or gain knowledge of where the military’s going, or

00:04:22.090 --> 00:04:27.970
to steal plans of a top-secret weapon. Governments are actively hacking into other governments. This

00:04:27.970 --> 00:04:33.070
is the new norm. Governments have to take their cyber defense seriously if for nothing else,

00:04:33.070 --> 00:04:38.050
than to protect their data from other governments. But what is it really like when a government hacks

00:04:38.050 --> 00:04:42.910
into another government? Well that’s the story we’re about to hear. So let’s ride shotgun along

00:04:42.910 --> 00:04:47.410
with our Nation State Actor to hear exactly how they hack into another government. This

00:04:47.410 --> 00:04:52.225
should be exciting so strap in and let’s go for a ride. First, let’s get the mission.

00:04:52.225 --> 00:04:57.310
NSA: A couple years ago we had a tasking to go after a network that belonged to a

00:04:57.310 --> 00:05:02.920
foreign government agency. Our task was to get access to it and gather specific information.

00:05:02.920 --> 00:05:08.304
The way the Nation State Operations work is that the cyber elements of a nation

00:05:08.304 --> 00:05:12.340
state don’t derive requirements unto themselves. They get it from someone

00:05:12.340 --> 00:05:17.800
else. Someone else in the government or in the agency says we think this information

00:05:17.800 --> 00:05:23.320
exists on that network. Go get access to the network. But that’s usually all the task is.

00:05:23.320 --> 00:05:28.180
JACK: This task seems to only have a tiny amount of information. We’re only given a foreign

00:05:28.180 --> 00:05:34.180
government agency’s name, some IP addresses, and a general idea of what data to grab. This is

00:05:34.180 --> 00:05:38.650
nowhere near enough information to get started hacking into that network. We don’t know what

00:05:38.650 --> 00:05:43.580
tools to use, or what computers to target once we’re in. We’re going to need more information.

00:05:43.580 --> 00:05:46.610
NSA: Really, the big thing for nation states in particular,

00:05:46.610 --> 00:05:51.800
we’re – not only the goal is, of course, to get access and collect your information,

00:05:51.800 --> 00:05:55.940
but overriding that goal is – you need to stay clandestine.

00:05:55.940 --> 00:05:59.180
JACK: Not only do we need more information but we need to get it

00:05:59.180 --> 00:06:03.005
secretly. There are many reasons to stay hidden when doing this mission. First…

00:06:03.005 --> 00:06:05.150
NSA: There could be political blowback.

00:06:05.150 --> 00:06:09.980
JACK: Another country could become furious if they caught us hacking into it. Another reason

00:06:09.980 --> 00:06:13.910
not to get caught is because of the equities of our tools, exploits, and infrastructure.

00:06:13.910 --> 00:06:18.740
Just like James Bond can’t afford to lose his top-secret spying technology, a Nation State

00:06:18.740 --> 00:06:23.510
Actor also uses cutting-edge hacking techniques that they don’t want the target to be aware of.

00:06:23.510 --> 00:06:29.180
These hacking techniques can be very expensive and sometimes take years of research and are

00:06:29.180 --> 00:06:34.760
worth millions of dollars. It’s imperative that we stay as invisible as possible while conducting

00:06:34.760 --> 00:06:39.890
this entire mission. Oh, and for this story, let’s pick a random country to use as an example target.

00:06:39.890 --> 00:06:44.810
NSA: Let’s go with the Peruvian Ministry of Foreign Affairs.

00:06:44.810 --> 00:06:47.810
JACK: The actual target will remain anonymous. The military

00:06:47.810 --> 00:06:51.500
sometimes uses the term ‘kill chain’ to describe how an attack takes place.

00:06:51.500 --> 00:06:54.050
NSA: The military calls this the preparation

00:06:54.050 --> 00:06:57.350
of the battlefield but the cyber equivalent to that is…

00:06:57.350 --> 00:07:02.840
JACK: The cyber kill chain. This describes the different phases of a cyber-attack. I’m going

00:07:02.840 --> 00:07:07.340
to explain what that means as we walk through this story. There are seven phases to the cyber

00:07:07.340 --> 00:07:12.710
kill chain that must be conducted to complete an attack. Phase one is reconnaissance. [MUSIC] In

00:07:12.710 --> 00:07:18.530
this phase we need to gather information about the target. Like I said, we have no idea what

00:07:18.530 --> 00:07:23.420
type of exploit to use or what systems to attack. We begin by collecting information.

00:07:23.420 --> 00:07:27.890
NSA: Now I’ve got to figure out a way in, so now it’s things like passive

00:07:27.890 --> 00:07:32.090
reconnaissance and mapping. Start figuring out what can we learn about

00:07:32.090 --> 00:07:35.810
this network without letting them know that we’re trying to learn stuff about

00:07:35.810 --> 00:07:42.920
it? Questions like how big is the network? What kind of systems are on it? Hardware,

00:07:42.920 --> 00:07:48.440
software? What kind of antivirus is deployed there? What is my access vector?

00:07:48.440 --> 00:07:51.860
JACK: The team does a scan against the target network to see what is

00:07:51.860 --> 00:07:55.590
exposed to the internet. They begin mapping what’s visible to the world.

00:07:55.590 --> 00:08:00.540
NSA: They have a website. They’re hosting the web server that’s within their environment. That’s a

00:08:00.540 --> 00:08:05.760
box on the internet with like, Apache Tomcat running on it. Okay, so that’s good to know.

00:08:05.760 --> 00:08:10.860
Now I know that it’s probably a Linux box and a web server that potentially has vulnerabilities

00:08:10.860 --> 00:08:16.110
I can exploit. That’s pretty interesting. We find a couple of things like that.

00:08:16.110 --> 00:08:20.970
JACK: Normally most governments and organizations keep their internet-facing devices up to date.

00:08:20.970 --> 00:08:26.220
This is important to do because an out-of-date system has a lot more security holes than one

00:08:26.220 --> 00:08:29.790
that’s been updated. But in this case the web server was not fully patched,

00:08:29.790 --> 00:08:33.540
which means the team can use a known vulnerability to access it.

00:08:33.540 --> 00:08:36.450
NSA: We start to come up with some potential avenues.

00:08:36.450 --> 00:08:40.710
JACK: Now we have a potential point of entry into this government’s network but that’s

00:08:40.710 --> 00:08:45.270
still not enough information. It’s important to try to understand what exactly is in their

00:08:45.270 --> 00:08:49.830
network and it would be nice if we had a map of where to go once we get in. It would also

00:08:49.830 --> 00:08:54.030
be nice if we know who the people were that work in that office to get a sense of the

00:08:54.030 --> 00:08:58.590
team that’s defending that network. There are some tricky ways of figuring this out.

00:08:58.590 --> 00:09:04.830
NSA: The way we can do that is that IT and InfoSec people at large are pretty friendly,

00:09:04.830 --> 00:09:10.350
open, and somewhat stupid, often. Let’s go with the Peruvian Ministry of Foreign Affairs.

00:09:10.350 --> 00:09:16.410
Between Facebook and LinkedIn and whatever local Peruvian version of Facebook exists down there,

00:09:16.410 --> 00:09:21.660
I can probably find somewhere between fifty to a hundred, to hundreds of people that work at

00:09:21.660 --> 00:09:28.380
that organization that have profiles on those networks. I can start to collect full names and

00:09:28.380 --> 00:09:34.140
e-mail addresses and maybe even position titles of people that work in there. I care about the IT

00:09:34.140 --> 00:09:38.970
infrastructure, the technical infrastructure, so I’m looking for their IT people and their

00:09:38.970 --> 00:09:44.920
security people. I bet I can find the systems administrator or database administrator or

00:09:44.920 --> 00:09:49.810
someone that does IT in that organization who has announced on the internet that they exist.

00:09:49.810 --> 00:09:56.410
This is their name and e-mail address and this is what they do for that organization. Once I

00:09:56.410 --> 00:10:00.340
start compiling all of that, I’m going to start looking for things that allow me to tie them to

00:10:00.340 --> 00:10:06.460
the organization, to the things they’re using. The best places to do that are Google but more

00:10:06.460 --> 00:10:11.920
specifically, Reddit is amazing for this. Then the technical forums that belong to products,

00:10:11.920 --> 00:10:18.670
for example, if I found on LinkedIn or Facebook that Bob is an IT Administrator at the Peruvian

00:10:18.670 --> 00:10:25.330
Ministry of Foreign Affairs, this gives me Bob’s full name and e-mail address. I can

00:10:25.330 --> 00:10:29.500
then use Google to search his name and e-mail address. I find things like Bob’s posting on

00:10:29.500 --> 00:10:35.560
this sysadmin subreddit asking questions about why his Windows 2012 server is acting the way it is,

00:10:35.560 --> 00:10:41.980
or him asking questions like I’m running a Windows 2008 R2 box. That’s my domain controller.

00:10:41.980 --> 00:10:48.580
Do I really need to update or not? I don’t really want to but what does everybody think,

00:10:48.580 --> 00:10:53.560
should I do that? When I find postings like that I can link them back to Bob.

00:10:53.560 --> 00:10:57.040
I can confirm things like oh, shit, they’re running a domain controller

00:10:57.040 --> 00:11:06.100
on a Windows 2008 R2 box. That’s fantastic. We find things in antivirus and security forums.

00:11:06.100 --> 00:11:09.130
JACK: Since our target is to get specific data out of the network,

00:11:09.130 --> 00:11:14.230
it’s likely that data exists in a database somewhere. So the team looks to the people

00:11:14.230 --> 00:11:17.365
who work there to try to find the database administrator, or DBA.

00:11:17.365 --> 00:11:24.160
NSA: I found the DBA on Facebook or LinkedIn and he’s a Senior DBA. He noted that he’s an expert on

00:11:24.160 --> 00:11:31.300
Oracle 11g. Cool, so I can assume that they’re probably running Oracle, roughly 11g inside

00:11:31.300 --> 00:11:35.710
their network. I have a team of people – I have like, fifteen people who do nothing other than

00:11:35.710 --> 00:11:41.650
spend eight hours a day for six to eight weeks, searching, scouring the internet to collect the

00:11:41.650 --> 00:11:47.760
names, e-mail addresses, and phone numbers of the people that work for my target organization. Slim

00:11:47.760 --> 00:11:53.190
that number down to the ones that work there in the particular roles that I care about, and then

00:11:53.190 --> 00:11:57.570
scour the internet for everything they publicly put out there that has to do with anything

00:11:57.570 --> 00:12:02.716
technical. That gives us little tidbits about what we can expect to find in the environment.

00:12:02.716 --> 00:12:10.800
JACK: [MUSIC] After looking at the data we’ve collected so far,

00:12:10.800 --> 00:12:13.950
we have discovered an incredibly important piece of information.

00:12:13.950 --> 00:12:16.740
NSA: I know the Oracle database that they have in

00:12:16.740 --> 00:12:19.230
their environment likely has the data that I’m supposed to be collecting.

00:12:19.230 --> 00:12:24.120
JACK: After fifteen people have worked full-time for two months gathering as much information as

00:12:24.120 --> 00:12:28.950
they can on the target, we now have a very detailed report. We know who works there,

00:12:28.950 --> 00:12:33.660
what their roles are, what kind of systems they run, all the way down to the version of software

00:12:33.660 --> 00:12:36.900
on those systems. We now have a pretty good picture of their environment. Great,

00:12:36.900 --> 00:12:42.135
so Phase One is complete. We now move on to Phase Two of the cyber kill chain: weaponization.

00:12:42.135 --> 00:12:47.700
NSA: I can now go to my leadership, my management, the ones who ostensibly own the

00:12:47.700 --> 00:12:53.510
equities that I want to now use and I can ask them for approval to do what I’m going to do.

00:12:53.510 --> 00:12:56.580
JACK: The equities are hacking techniques used to access a network,

00:12:56.580 --> 00:13:01.560
or exploits. Some hacking techniques are known to the public and are easier to get approval for

00:13:01.560 --> 00:13:05.850
because they cost nothing to acquire and if you’re caught using the exploit it’s hard to

00:13:05.850 --> 00:13:10.770
trace it back to us since anyone in the world has access to that exploit. But some exploits

00:13:10.770 --> 00:13:15.330
are expensive and top-secret. These are harder to get approval for because if you get caught,

00:13:15.330 --> 00:13:21.090
the enemy could learn how to use your exploit but if you’re caught using an exploit that nobody in

00:13:21.090 --> 00:13:25.530
the world knows about, it narrows down who could possibly have an exploit like that,

00:13:25.530 --> 00:13:29.310
which could result in the attempted break-in to be traced back to us.

00:13:29.310 --> 00:13:34.290
NSA: I go to leadership and I say I have this tasking from these people to go after this

00:13:34.290 --> 00:13:38.580
network. Here’s everything we know about the network. These are the systems administrators,

00:13:38.580 --> 00:13:42.480
these are the security people, these are the names, e-mail addresses,

00:13:42.480 --> 00:13:48.750
and phone numbers. Based on data points a, b, c, d, and e, we believe they’re using this sort of

00:13:48.750 --> 00:13:55.230
antivirus and this sort of hardware. We know they run web servers using Tomcat. We know, based on

00:13:55.230 --> 00:14:01.330
some other forum postings that they’ve got Oracle database instances running on the inside so we put

00:14:01.330 --> 00:14:05.740
all that together and with those data points, I derive the tools and exploits that I need to use.

00:14:05.740 --> 00:14:11.530
Knowing that, before I get in, I can get approval to use implant X with exploit Y

00:14:11.530 --> 00:14:18.730
that are specific to Oracle 11g. Once I build out that case, I can get approval and that approval

00:14:18.730 --> 00:14:25.480
is based on the risk posed to those equities given what I know about the environment. When

00:14:25.480 --> 00:14:30.520
I say I know that they’re probably running this antivirus and these security tools,

00:14:30.520 --> 00:14:35.530
I can say that I have these tools and these exploits and that I’m going to deploy in the

00:14:35.530 --> 00:14:41.410
network that are not detected by that antivirus and the security system that they have. I had

00:14:41.410 --> 00:14:47.170
now mitigated the biggest risk of getting caught, right, which is AV or security systems flagging

00:14:47.170 --> 00:14:53.350
my tools or me throwing exploits. If I can do that, then I can get approvals to proceed and

00:14:53.350 --> 00:15:00.250
actually execute my operation. Sixty days, ninety days go by. I built what’s called a targeting

00:15:00.250 --> 00:15:04.810
package and I’ve got operational approval to use the equities to complete the task.

00:15:04.810 --> 00:15:09.460
JACK: We now have a point of entry, a map of the inside, and know who to expect to be there

00:15:09.460 --> 00:15:14.950
when we arrive. We also have all the specific exploits we need to execute this task. This

00:15:14.950 --> 00:15:20.860
marks the end of our weaponization phase. Phase Three of the cyber kill chain is delivery. We

00:15:20.860 --> 00:15:25.750
need to actually send the exploit to the system in the network. This is where the mission begins

00:15:25.750 --> 00:15:31.660
to be dangerous. From here on out, any misstep could have terrible consequences because it could

00:15:31.660 --> 00:15:36.970
mean being caught. If we were James Bond we’d now be fully geared up and ready for action.

00:15:36.970 --> 00:15:42.400
NSA: So we’ve figured out here is the internet-facing box. The web server that

00:15:42.400 --> 00:15:47.860
they’re using was not patched, wasn’t updated, so I was able to actually use

00:15:47.860 --> 00:15:52.840
the known exploit to gain the right access to that machine. [MUSIC] Once I did that,

00:15:52.840 --> 00:15:59.740
I put an implant down on that machine because it was pretty safe. It was actually a Linux

00:15:59.740 --> 00:16:05.650
server and the nice thing about Linux is no antivirus, right? I’m not super concerned.

00:16:05.650 --> 00:16:11.710
Especially because it’s a web server, I don’t worry about a user seeing the screen and using

00:16:11.710 --> 00:16:18.520
it and see something weird going on. But anyway, so I get down on that box,

00:16:18.520 --> 00:16:23.830
sit there for a little bit. Everything looks pretty good. There’s not much to see; it’s

00:16:23.830 --> 00:16:29.890
a web server and it’s got a website on it, got a database back end to it. Not a whole lot going on.

00:16:29.890 --> 00:16:35.140
JACK: We are now in the foreign government’s network. We have successfully infiltrated it.

00:16:35.140 --> 00:16:40.000
It’s like we’ve snuck in the building but we’re only in the hallway. Using the data

00:16:40.000 --> 00:16:43.840
we’ve collected in the last few months, we know we need to find the administrator’s

00:16:43.840 --> 00:16:48.370
computer to gain control of it. This leads us to the next phase of the cyber kill chain:

00:16:48.370 --> 00:16:53.410
exploitation, because if we can get on the admin’s computer, chances are they have all

00:16:53.410 --> 00:16:57.790
the keys to the kingdom. By using their machine we can access anything we want.

00:16:57.790 --> 00:17:04.210
NSA: The nice thing about landing on a server like that is one thing that servers do have, is admins

00:17:04.210 --> 00:17:10.210
logging into them to administer them. That admin is going to log in and I’m probably going to be

00:17:10.210 --> 00:17:14.950
able to capture his credentials or that admin is going to establish an authenticated session

00:17:14.950 --> 00:17:21.730
between that server, in this case the web server, and the admin’s machine. I’m probably going to be

00:17:21.730 --> 00:17:26.590
able to float across that authenticated session and move laterally to the admin’s machine. There’s

00:17:26.590 --> 00:17:31.660
a variety of ways that you can do that but suffice to say, it’s either I’m capturing his credentials

00:17:31.660 --> 00:17:36.820
because he’s going to log in to administer, or I’m just going to use his authenticated session

00:17:36.820 --> 00:17:43.120
to move laterally over. The nice thing in this case was that we knew the admin.

00:17:43.120 --> 00:17:47.770
Like I said, we had done a month of open-sourced research. Because we knew

00:17:47.770 --> 00:17:52.840
we were going to be exploiting the web server, we knew who their website administrator was,

00:17:52.840 --> 00:17:57.400
we knew the team of people inside the network that were responsible for maintaining the website,

00:17:57.400 --> 00:18:01.990
the database that sat behind the website, all the code associated with the website.

00:18:01.990 --> 00:18:08.060
We knew all these people. Web developers are like, the worst. IT people post a lot

00:18:08.060 --> 00:18:12.650
of stuff on the internet. Security post a little bit less stuff on the internet

00:18:12.650 --> 00:18:18.620
but developers and web administrators and web admin, they post everything on the internet.

00:18:18.620 --> 00:18:24.860
It’s ridiculous. We found all of them and all their content and we knew them all by name.

00:18:24.860 --> 00:18:30.950
We had pictures of all the guys associated with the website, we knew all these guys.

00:18:30.950 --> 00:18:36.770
What was great was that once we exploited the web server, we pretty much knew it was going

00:18:36.770 --> 00:18:41.480
to be one of three people that were going to log in and administer it. The plan was

00:18:41.480 --> 00:18:46.520
to simply sit and wait for one of those three people to log in. We thought we knew how they

00:18:46.520 --> 00:18:50.480
were going to log in because again, we were familiar with the systems they had deployed.

00:18:50.480 --> 00:18:55.250
We could tell by the configuration on the web server how we could expect to

00:18:55.250 --> 00:19:00.050
see them log into that machine. Really, it just became a waiting game for us.

00:19:00.050 --> 00:19:10.010
JACK: Sometimes waiting for an admin to log in can take a long time; days, weeks,

00:19:10.010 --> 00:19:15.170
months. One trick I’ve heard that hackers do is to sometimes cause a problem on the web server,

00:19:15.170 --> 00:19:21.320
like make the CPU spike or crash an application. But why do this? Well if the web server is

00:19:21.320 --> 00:19:26.240
acting problematic it will result in an admin logging in to troubleshoot it. When they do,

00:19:26.240 --> 00:19:32.180
pow. They’ve just walked into the trap. But in our case the waiting wasn’t that long.

00:19:32.180 --> 00:19:39.540
NSA: One of the admins logs in. We see it happen. [MUSIC] We get the information that

00:19:39.540 --> 00:19:44.850
we need and move laterally onto his machine and we put the implant on his machine.

00:19:44.850 --> 00:19:52.320
JACK: You just heard the fifth phase of the cyber kill chain: installation. We’ve just installed an

00:19:52.320 --> 00:19:58.500
implant on the target system. An implant is a bug, a Trojan, a remote access tool that allows us to

00:19:58.500 --> 00:20:02.295
pretty much take ownership of that computer. For those of you familiar with Metasploit…

00:20:02.295 --> 00:20:07.770
NSA: Just imagine basically something like Metasploit on lots and lots of steroids.

00:20:07.770 --> 00:20:12.690
JACK: The next phase of the cyber kill chain is command and control. Just because the implant

00:20:12.690 --> 00:20:16.680
is on the machine doesn’t mean it’s going to do anything. Someone needs to tell it

00:20:16.680 --> 00:20:21.060
what to do. In this case we now have the ability to remotely access the network

00:20:21.060 --> 00:20:25.950
admin’s computer. This is our command and control over the target computer. We are

00:20:25.950 --> 00:20:30.210
now very close to finishing our mission. All that’s left is for us to take control

00:20:30.210 --> 00:20:34.230
of the admin’s computer and then access the database and take the data we need.

00:20:34.230 --> 00:20:39.270
So we wait a little while before getting into the admin’s computer to not look suspicious.

00:20:39.270 --> 00:20:44.130
NSA: We waited about a day, day and a half to go interactive on the box,

00:20:44.130 --> 00:20:49.920
actually be using it interactively. Once we were using it interactively, while the other

00:20:49.920 --> 00:20:55.830
person was using it, we were logged on when they were which is generally the way that works. We

00:20:55.830 --> 00:21:01.710
started looking at screenshots of the desktop and we saw a browser open and we saw dozens

00:21:01.710 --> 00:21:06.300
of tabs open in the browser. We started going through a lot of the screenshots and seeing the

00:21:06.300 --> 00:21:12.030
contents of the tabs. It was the person Googling this weird behavior that Windows was doing.

00:21:12.030 --> 00:21:15.120
JACK: The administrator’s computer that we had infiltrated was acting

00:21:15.120 --> 00:21:18.930
strange. It was displaying lots of errors and certain programs were

00:21:18.930 --> 00:21:23.100
crashing. It definitely looked like this admin had a virus of some kind.

00:21:23.100 --> 00:21:29.850
NSA: At first we saw that, we were thinking well, that’s weird. I wonder if these problems

00:21:29.850 --> 00:21:36.450
on his computer predate our presence there. We didn’t really know but we had the sneaking

00:21:36.450 --> 00:21:45.810
suspicion that it had something to do with us. Unbeknownst to us, and the time from when we

00:21:45.810 --> 00:21:49.980
collected our information initially through the open source and when we put the implant down,

00:21:49.980 --> 00:21:55.230
he had upgraded his operating system. He’d upgraded Windows essentially to the next

00:21:55.230 --> 00:22:00.630
version. Normally the worst case scenario is that your implant doesn’t work because

00:22:00.630 --> 00:22:06.210
it’s not compatible, right, for whatever reason. It’s not compatible and doesn’t work,

00:22:06.210 --> 00:22:12.870
and that sucks and you’re really upset by that. I would have preferred that to be the outcome here.

00:22:12.870 --> 00:22:19.020
Instead, the implant worked from the extent of it went down, installed where it should have,

00:22:19.020 --> 00:22:23.940
and began operating as expected. The problem was that it wasn’t playing well with the newer version

00:22:23.940 --> 00:22:30.510
of Windows that was on that box and unfortunately started causing very odd Windows behavior. That

00:22:30.510 --> 00:22:36.690
very odd behavior took on the worst possible version which was things that were very visible

00:22:36.690 --> 00:22:42.630
to the user. Now that we’re on the box and we know exactly what version of Windows it was,

00:22:42.630 --> 00:22:48.450
we recreated it in our own lab environment. I know what version of Windows it is and I know

00:22:48.450 --> 00:22:53.430
the hardware. I basically rebuilt that same exact machine in our environment and tossed

00:22:53.430 --> 00:22:59.040
our implant on it and saw that our implant was causing this weird behavior. This was really,

00:22:59.040 --> 00:23:07.740
really bad news for us because this is how you get caught. It was terrifying.

00:23:07.740 --> 00:23:13.590
From the standpoint of political blowback, these things get – notifications of this

00:23:13.590 --> 00:23:17.790
sort of stuff goes up to the most senior levels of government because when you get

00:23:17.790 --> 00:23:23.520
caught on a network like this you have Prime Ministers calling each other. If things got

00:23:23.520 --> 00:23:27.060
bad enough we would have to be informing all the way up through the leadership of

00:23:27.060 --> 00:23:31.950
the agencies and all the way up into the senior leadership of government. Everybody

00:23:31.950 --> 00:23:37.920
was very concerned at this point because we had already been on the web server. We’d done a lot

00:23:37.920 --> 00:23:42.600
of work already. We felt pretty comfortable so we were already deploying pretty sophisticated

00:23:42.600 --> 00:23:48.840
big implants onto the network. This one that was causing these problems was not a Stage 1 loader.

00:23:48.840 --> 00:23:54.510
This was a relatively sophisticated – actually pretty sophisticated fully featured implant at

00:23:54.510 --> 00:23:59.190
this point that we couldn’t afford to lose nor could we afford to get caught on the network.

00:23:59.190 --> 00:24:06.780
[MUSIC] Once we realized what was happening, this is again the government so all the alarms

00:24:06.780 --> 00:24:11.280
start going off. You have to start telling a lot of people. You have to start writing a lot

00:24:11.280 --> 00:24:16.140
of memos and going to a lot of meetings to try to get everyone up to speed on what’s happening,

00:24:16.140 --> 00:24:22.980
what the risks are, and what we’re going to do. Of course now, the first instinct is to delete

00:24:22.980 --> 00:24:30.590
it or remove your implant. Unfortunately because it was already causing so many stability issues,

00:24:30.590 --> 00:24:35.210
the concern was if we try to get to it to delete it, it might make it even worse.

00:24:35.210 --> 00:24:43.370
We didn’t know so the risk was don’t do anything, and right now he just thought

00:24:43.370 --> 00:24:47.720
that he was having technical problems, not that there was a security issue so we thought okay.

00:24:47.720 --> 00:24:53.780
The risk is either stay with what we’ve got and ride out the technical stuff and hope he

00:24:53.780 --> 00:24:57.230
doesn’t figure out that it’s not actually a technical problem, it’s a security problem,

00:24:57.230 --> 00:25:02.510
or we try to delete it and cause some other weird thing to happen that makes it even worse. Then

00:25:02.510 --> 00:25:10.400
we’re totally screwed. We decided to leave it and not delete it and take that bet. It got worse for

00:25:10.400 --> 00:25:17.240
about a week because not only do we watch them from Googling for solutions to the problem,

00:25:17.240 --> 00:25:23.450
like Googling the symptoms that he’s seeing in Windows, we’re reading his e-mails and seeing

00:25:23.450 --> 00:25:28.430
his chats with IT people, telling them what was going on and putting in trouble tickets.

00:25:28.430 --> 00:25:33.230
We saw the chat with this IT guy that was like hey, can you come to my desk at 2:00 to take a

00:25:33.230 --> 00:25:39.470
look? Everyone started getting very concerned at that point, more than we already were.

00:25:39.470 --> 00:25:46.190
JACK: Things are not going well at this point. It’s very tense and concerning

00:25:46.190 --> 00:25:51.470
in the office. The implant being used was expensive and secret. If it was discovered

00:25:51.470 --> 00:25:55.610
it could result in tracing it back to the attackers and losing this expensive and

00:25:55.610 --> 00:26:00.050
secret implant. But at this point we have successfully completed six out of the seven

00:26:00.050 --> 00:26:05.270
phases of the cyber kill chain. There’s only one phase left and that’s doing the action on

00:26:05.270 --> 00:26:10.190
the objective. In our case, our objective is to use the administrator’s computer to

00:26:10.190 --> 00:26:15.560
get the data out of the Oracle database but the team is hesitant about finishing the job.

00:26:15.560 --> 00:26:20.030
NSA: The problem was that it was a big network and we knew the database that we

00:26:20.030 --> 00:26:24.770
wanted. We knew that there was a database of a particular type that we wanted to get

00:26:24.770 --> 00:26:29.960
access to but we didn’t know exactly where it was on the network. At this point we have a

00:26:29.960 --> 00:26:34.310
high risk of getting caught. The problem is we’re watching them troubleshooting this and

00:26:34.310 --> 00:26:37.970
if they’re troubleshooting and troubleshooting and troubleshooting and then at some point they figure

00:26:37.970 --> 00:26:42.050
out that there’s something really wrong here and we need to call in the security people and start

00:26:42.050 --> 00:26:47.510
looking a little bit closer. The last thing we would want would be to have a wider presence on

00:26:47.510 --> 00:26:52.610
the network. Even if it’s on other machines elsewhere on the network that can’t, at the

00:26:52.610 --> 00:26:58.460
moment that your incident response gets involved and starts locking things down, we’re screwed.

00:26:58.460 --> 00:27:03.980
At that point we want to minimize our presence to the least amount of exposure that we can without

00:27:03.980 --> 00:27:09.350
losing our access. For now, that minimization was this computer that we’re on that’s having

00:27:09.350 --> 00:27:15.590
the problem and the web server. That was it. The very, very clear without even any debate,

00:27:15.590 --> 00:27:22.040
decision was sit, stay quiet. Don’t do anything. Let this play out because nobody

00:27:22.040 --> 00:27:25.940
wanted to increase the risk profile until we knew how this was going to turn out.

00:27:25.940 --> 00:27:32.600
JACK: The team waits and watches. Days go by. Administrators trying to troubleshoot

00:27:32.600 --> 00:27:38.480
the errors they’re seeing. A week goes by. He continues to troubleshoot and in

00:27:38.480 --> 00:27:41.390
the second week, the admin asks for help from IT.

00:27:41.390 --> 00:27:47.990
NSA: Yeah, so second week the IT people are coming in and they’re looking at the computer and we know

00:27:47.990 --> 00:27:53.240
that they’re coming to the person’s desk because we see them setting up appointments. We reached

00:27:53.240 --> 00:27:58.190
this point where we can tell in the nature of the trouble ticket, that they’ve hit a dead-end. They

00:27:58.190 --> 00:28:02.570
can’t figure out why. They can’t figure out what’s happening. They can’t figure out the reason for

00:28:02.570 --> 00:28:09.530
what’s happening. They can’t locate the cause and it seems nondeterministic to them. We know why

00:28:09.530 --> 00:28:14.420
it’s happening. I know what the implant is doing and why it’s causing Windows to behave that way,

00:28:14.420 --> 00:28:19.280
but since they don’t know the implant’s there, to them the behavior is entirely

00:28:19.280 --> 00:28:26.690
nondeterministic. Because it’s nondeterministic they can’t devise the technical solution for it.

00:28:26.690 --> 00:28:31.610
Ultimate solution that they came to was to just wipe it and start over. It was

00:28:31.610 --> 00:28:39.010
a fancy implant but it was just user level and it was on the hard drive so at the moment they wiped

00:28:39.010 --> 00:28:47.830
the drive and reimaged it, we were fine. They removed our implant and we were good. It was a

00:28:47.830 --> 00:28:56.650
significant relief. Thank God it’s over but holy shit, are we all getting fired? Which is anyone’s

00:28:56.650 --> 00:29:01.330
reasonable reaction to workplace events like that, where things have gone horribly wrong.

00:29:01.330 --> 00:29:09.520
You’re essentially in charge of that group where things went wrong. It was all on me. There was

00:29:09.520 --> 00:29:15.640
that moment of you know, I guess I’ll get a box and pack up my desk. But a) it’s the government

00:29:15.640 --> 00:29:21.790
so no one gets fired and b) that really wasn’t the outcome. [MUSIC] There’s a whole post mortem that

00:29:21.790 --> 00:29:27.520
we did after this to look at what happened, how it happened, why it happened, how to prevent it.

00:29:27.520 --> 00:29:34.810
The determination after the fact was there was no negligence at play. No one did anything wrong.

00:29:34.810 --> 00:29:40.870
This is just what happened. The chance of us doing two months of research, taking thirty days

00:29:40.870 --> 00:29:46.240
to make decisions and have meetings and then executing the operation in that thirty days,

00:29:46.240 --> 00:29:52.030
one of the admins upgrading Windows. That’s not a super high chance of that happening and we

00:29:52.030 --> 00:30:01.120
just got unlucky. Unfortunately those two stars crossed in the sky and that happened. If it had

00:30:01.120 --> 00:30:06.490
been six months and we didn’t try to re-update our information and make it fresher, the outcome would

00:30:06.490 --> 00:30:11.860
likely have been well, you waited too long. Right, you should have known that. Too much can change in

00:30:11.860 --> 00:30:17.320
six months. But thirty days was reasonable because again, it’s the government. It takes thirty days

00:30:17.320 --> 00:30:22.000
to push the paperwork and get meetings and just do the administrative stuff you need to do.

00:30:22.000 --> 00:30:26.860
The fact that that happened in thirty days, that guy updated the Windows box; that was

00:30:26.860 --> 00:30:32.890
seen as acceptable. The only other fallout was when we moved laterally onto that machine,

00:30:32.890 --> 00:30:38.910
should we have done anything tactically before we put the implant down on that box? There was

00:30:38.910 --> 00:30:44.520
this debate on that. Should we have captured the credentials and just interactively interacted

00:30:44.520 --> 00:30:49.680
with that machine just to capture things like its OS and antivirus and all that? That was an

00:30:49.680 --> 00:30:55.020
operational decision that we made at the time, a very tactical decision. But because we had done

00:30:55.020 --> 00:31:02.070
the open source and we knew what was there, there was seemingly less cause to do it. That was it.

00:31:02.070 --> 00:31:04.290
JACK: With the implant cleaned off the machine,

00:31:04.290 --> 00:31:09.540
the team can relax knowing their cover isn’t going to be blown and their expensive exploit

00:31:09.540 --> 00:31:14.010
won’t be discovered. What about that initial objective to get access to the database?

00:31:14.010 --> 00:31:18.900
NSA: We actually never got access to the database. Not because of this,

00:31:18.900 --> 00:31:23.700
it actually just ended up being that the network was configured in such a way that our path to get

00:31:23.700 --> 00:31:27.780
there was extremely complicated from where we were on the network to where we needed to get

00:31:27.780 --> 00:31:33.930
to. Like any other business environment we had competing requirements. At some point,

00:31:33.930 --> 00:31:40.770
probably a month and a half after this incident, after this small incident, we came to this point

00:31:40.770 --> 00:31:47.010
where okay, I know where the Oracle server is. I know who the admins are but our ability to get to

00:31:47.010 --> 00:31:52.860
it is complicated. It’s going to take a little while. We can do it, but do we want to do it?

00:31:52.860 --> 00:31:59.040
At the same time I had three other requirements that I had to satisfy. Those requirements required

00:31:59.040 --> 00:32:02.640
some of the same people that I was currently using to work on this one, so it was like,

00:32:02.640 --> 00:32:10.980
what do we do? Do we just cut bait and walk away or do we just all-in and go for it? We decided

00:32:10.980 --> 00:32:16.110
to cut bait and walk away. That happened all the time. Because I think any hacker,

00:32:16.110 --> 00:32:22.110
whether you’re a nation-state APT or you’re a kid in your mom’s basement, everyone knows

00:32:22.110 --> 00:32:28.590
that it’s a lot of luck that stuff works. Only so much thought and intelligence goes into it.

00:32:28.590 --> 00:32:33.870
It’s a lot of luck at the end of the day and I’d say statistically in my years doing it,

00:32:33.870 --> 00:32:40.530
the luck isn’t there or runs out more than half of the amount of time because it’s hard

00:32:40.530 --> 00:32:44.880
and getting harder because people are just in general more aware of cyber security and

00:32:44.880 --> 00:32:50.070
information security. They’re slightly smarter, just enough to know maybe not

00:32:50.070 --> 00:32:54.600
to click on a link or maybe not to visit that website from work, or from your work computer,

00:32:54.600 --> 00:32:59.370
and maybe don’t click OK when it says Flash Needs to Update. There’s just enough people

00:32:59.370 --> 00:33:05.492
that are just enough smarter where this is getting that much harder every single day.

00:33:05.492 --> 00:33:14.220
JACK (OUTRO): [OUTRO MUSIC] You’ve been listening to Darknet Diaries. For show notes

00:33:14.220 --> 00:33:44.010
and links check out darknetdiaries.com. Music is provided by Ian Alex Mac and Kevin MacLeod.
