WEBVTT

00:00:00.649 --> 00:00:04.880
JACK: [MUSIC] One of my favorite adventurous activities I used to like doing when I was younger

00:00:04.880 --> 00:00:11.520
was exploring abandoned buildings. I’ve been in abandoned schools, banks, industrial plants,

00:00:11.520 --> 00:00:17.040
churches, hotels, mines, tunnels, and office buildings. It’s pretty dangerous but I liked

00:00:17.040 --> 00:00:21.920
it. This one time I was exploring an old hospital with a friend and as we were walking through it,

00:00:21.920 --> 00:00:26.080
we heard a noise in one of the rooms. We looked inside and there was a cat sitting

00:00:26.080 --> 00:00:33.760
there, slowly waving its tail back and forth, staring at us. Right in the middle of the room

00:00:33.760 --> 00:00:40.160
was an empty cat food bowl. The cat seemed to be living there and someone was feeding it.

00:00:40.160 --> 00:00:46.560
It was strange but we kept walking down the long corridor of this abandoned hospital. We heard a

00:00:46.560 --> 00:00:52.800
noise behind us. I quickly turned around and I swore I saw a door swing closed way at the end

00:00:52.800 --> 00:00:59.920
of the hallway. But it was so far away and it was so quick that maybe I didn’t see it.

00:00:59.920 --> 00:01:03.040
A lot of the windows were broken in this building and the wind was blowing

00:01:03.040 --> 00:01:07.120
so I just stood there in the middle of the hall and I stared down it,

00:01:07.120 --> 00:01:12.400
frozen, looking to see if any of the doors would just swing open or closed by themselves

00:01:12.400 --> 00:01:19.440
but nothing. No movement. No sound. Did I see someone or was this my imagination?

00:01:19.440 --> 00:01:23.840
This creeped us out so we went back down the hallway to leave. When we got to the room

00:01:23.840 --> 00:01:30.480
where that cat was, we looked in it. The cat food bowl was now filled but the cat was nowhere to be

00:01:30.480 --> 00:01:36.640
found. A few other doors that were open were now closed. Without seeing anyone at all, we knew for

00:01:36.640 --> 00:01:43.680
sure someone was in this abandoned building with us. They probably saw us and were watching us.

00:01:43.680 --> 00:01:48.000
We got out of there pretty quick after that and drove home. Have you ever been in a situation

00:01:48.000 --> 00:01:52.960
like this though? Where you’re positive that something or someone was there watching you

00:01:52.960 --> 00:01:59.760
but you couldn’t quite figure it out? JACK (INTRO): [INTRO MUSIC]

00:01:59.760 --> 00:02:06.560
These are true stories from the dark side of the internet.

00:02:06.560 --> 00:02:10.560
I’m Jack Rhysider. This is Darknet

00:02:10.560 --> 00:02:25.840
Diaries. [INTRO MUSIC ENDS] JACK:

00:02:25.840 --> 00:02:30.080
We have a big story here and there’s a lot to cover so let’s just get right into it and meet our

00:02:30.080 --> 00:02:33.120
guest. What’s your name and what do you do? COOPER: One second.

00:02:33.120 --> 00:02:38.800
JACK: It’s not a hard question. COOPER: [LAUGHTER]

00:02:38.800 --> 00:02:43.680
I got to think about which name I want to use. No, no, I actually needed a drink of water

00:02:43.680 --> 00:02:46.400
all of a sudden. JACK: Oh, okay.

00:02:46.400 --> 00:02:52.400
COOPER: I’m Cooper Quinton. I am a senior staff technologist on EFF’s Threat Lab.

00:02:52.400 --> 00:02:54.880
JACK: Threat Lab? There’s a Threat Lab at EFF?

00:02:54.880 --> 00:03:01.600
COOPER: Yeah. Electronic Frontier Foundation has a new project called Threat Lab. Our mission is

00:03:01.600 --> 00:03:10.800
to research and help stop targeted threats against at-risk populations. This is like lawyers, human

00:03:10.800 --> 00:03:18.800
rights lawyers, activists, journalists around the world that are being targeted with malware

00:03:18.800 --> 00:03:23.680
or other digital surveillance techniques. JACK: Let’s back up here for a minute. The EFF

00:03:23.680 --> 00:03:28.240
is the Electronic Frontier Foundation. It’s a non-profit organization and it has a goal

00:03:28.240 --> 00:03:32.560
of protecting our civil liberties online. We have them to thank for standing up for us when

00:03:32.560 --> 00:03:36.480
our digital rights are being threatened. It’s a great group of people, full of [00:05:00] lawyers

00:03:36.480 --> 00:03:40.560
and activists and researchers, and Cooper here is working with them in their Threat

00:03:40.560 --> 00:03:45.440
Lab. But the Threat Lab is actually a brand-new thing within the EFF and there’s an interesting

00:03:45.440 --> 00:03:51.840
story about how all that came to be and it all starts with Operation Manul?

00:03:51.840 --> 00:03:56.000
COOPER: Yes, Operation Manul. JACK: What’s a manul?

00:03:56.000 --> 00:04:01.280
COOPER: It’s named after the manul cat, or Pallas cat which is native

00:04:01.280 --> 00:04:04.800
to the steppes of Kazakhstan. JACK: Okay, so there’s a cat on

00:04:04.800 --> 00:04:08.080
the steppes of Kazakhstan. COOPER: It’s a really expressive

00:04:08.080 --> 00:04:11.840
amazing cat and I highly recommend looking up pictures of the manul.

00:04:11.840 --> 00:04:14.560
JACK: This is great. There’s like, exotic creatures and places in

00:04:14.560 --> 00:04:21.040
this story already. I love it. Go on. COOPER: Operation Manul started when the EFF was

00:04:21.040 --> 00:04:28.320
representing a woman named Irina Petrushova who is the Editor in Chief of an independent newspaper,

00:04:28.320 --> 00:04:34.720
formerly out of Kazakhstan, called Respublika. Respublika had been Kazakhstan’s

00:04:34.720 --> 00:04:38.480
only source of independent journalism. JACK: Right. Here’s the first person of our story,

00:04:38.480 --> 00:04:43.680
Irina Petrushova. Not only is she a reporter for Respublika but she’s also the founder of

00:04:43.680 --> 00:04:48.720
this independent news source in Kazakhstan. Specifically, she was writing stories and doing

00:04:48.720 --> 00:04:53.600
reporting on the corruption that goes on within the government of Kazakhstan. There were a series

00:04:53.600 --> 00:04:57.920
of financial scandals that she wrote about and the president often hires family and friends to fill

00:04:57.920 --> 00:05:02.240
certain roles even though there are people much more qualified and willing to fill those roles.

00:05:02.240 --> 00:05:05.520
You should know a little about the President of Kazakhstan. This is the first

00:05:05.520 --> 00:05:10.080
President of Kazakhstan ever. He came to power in 1990 and he stayed there

00:05:10.080 --> 00:05:16.560
until he retired this year. Yeah, there were ‘elections’ but they didn’t appear to be free

00:05:16.560 --> 00:05:22.400
or fair at all. Some even go so far as to say Kazakhstan is an authoritarian regime.

00:05:22.400 --> 00:05:27.200
When Irina published articles exposing the corruption of this authoritarian regime,

00:05:27.200 --> 00:05:32.960
somebody really didn’t like this and wanted to do everything they could to keep Irina quiet.

00:05:32.960 --> 00:05:38.880
COOPER: [MUSIC] Okay, so first they kill her dog and leave the head of the dog at

00:05:38.880 --> 00:05:42.720
the front door of the building where they published Respublika from.

00:05:42.720 --> 00:05:47.920
JACK: Jeez. COOPER: Then they leave a human skull

00:05:47.920 --> 00:05:55.280
in front of her office building with a note pinned to it saying, “There will be no next time.”

00:05:55.280 --> 00:06:01.520
Then they followed that up with fire-bombing her office. The office burned to the ground and that’s

00:06:01.520 --> 00:06:06.000
when she finally left Kazakhstan. JACK: She fled the country and moved to

00:06:06.000 --> 00:06:11.280
Russia. She thought maybe the government of Kazakhstan was behind these personal threats

00:06:11.280 --> 00:06:17.280
but she didn’t stick around to find out. She was scared for her life. But she

00:06:17.280 --> 00:06:22.320
continued to write for Respublika and publish articles about the government of Kazakhstan

00:06:22.320 --> 00:06:27.120
and one day a big story showed up. COOPER: This giant dump of e-mails appeared

00:06:27.120 --> 00:06:34.080
online on a website called Kazaword. [MUSIC] These were e-mails leaked from Kazakhstan’s

00:06:34.080 --> 00:06:39.040
government from Kazakhstan’s president. JACK: When this giant dump of e-mails showed up

00:06:39.040 --> 00:06:43.600
on another website, Irina published stories about it. The Kazakhstan

00:06:43.600 --> 00:06:48.160
government was very upset again with Irina and decided to try to silence her.

00:06:48.160 --> 00:06:54.320
COOPER: The government of Kazakhstan sued Respublika and Irina Petrushova in New

00:06:54.320 --> 00:07:01.040
York district court, claiming that they were responsible for this Kazaword dump of documents

00:07:01.040 --> 00:07:07.360
and tried to get their – Respublika’s reporting on this dump of documents

00:07:07.360 --> 00:07:09.920
taken down from the internet. JACK: The case gets under way in New

00:07:09.920 --> 00:07:14.880
York. Irina needed some help with this. COOPER: At this time Irina contacted us for

00:07:14.880 --> 00:07:19.760
legal help and we started representing her in court because this would obviously be

00:07:19.760 --> 00:07:23.360
a violation of the First Amendment. JACK: Yeah, it is a violation. Journalists

00:07:23.360 --> 00:07:28.880
are allowed to publish documents that are factual in nature. This judge looked favorably on Irina

00:07:28.880 --> 00:07:34.240
and the EFF and said Respublika does not need to take down the articles about the leaked e-mails

00:07:34.240 --> 00:07:39.280
which was a victory for Irina and the EFF, and perhaps historically the EFF would have stopped

00:07:39.280 --> 00:07:44.880
there and that would have been the end of the case. But the EFF has a new interest in malware

00:07:44.880 --> 00:07:51.520
that is associated to things like this now. COOPER: At that same time, she and her brother who

00:07:51.520 --> 00:08:01.760
is also an editor started receiving spear phishing e-mails which were designed to look like they were

00:08:01.760 --> 00:08:09.280
coming from other activists in Kazakhstan and human rights lawyers working with Kazakh people.

00:08:09.280 --> 00:08:16.800
The spear phishing e-mails contained attachments that looked like Word docs or PDFs

00:08:16.800 --> 00:08:21.040
but which were, in fact, malware. JACK: One of the things the EFF does is educate

00:08:21.040 --> 00:08:25.040
people on the dangers of being a journalist that might be a target for hackers.

00:08:25.040 --> 00:08:31.760
COOPER: Yes, exactly. We had given her some security training and when she got these

00:08:31.760 --> 00:08:38.800
e-mails, she thought they were a little bit suspicious. She sent them to us. [00:10:00] We

00:08:38.800 --> 00:08:43.360
started looking at them quickly, figured out that the attachments were malware, and then

00:08:43.360 --> 00:08:49.120
started taking apart the malware to figure out what might be the source of this.

00:08:49.120 --> 00:08:54.640
JACK: This team from EFF started investigating these Word docs and PDF docs. They found that

00:08:54.640 --> 00:08:59.280
when you open these attachments it will go download a piece of malware called jRat.

00:08:59.280 --> 00:09:04.480
COOPER: You embed an exploit in a PDF or a Word doc that the person opens and

00:09:04.480 --> 00:09:11.040
then that exploit goes and downloads and installs jRat. Then once jRat is running

00:09:11.040 --> 00:09:18.080
it can do a lot of different things. It can turn on your camera, it can capture your screen,

00:09:18.080 --> 00:09:24.480
it can record audio ambiently in the room, it can go through your files on your computer and

00:09:24.480 --> 00:09:31.520
create files or delete files or download files. You can spawn a shell to remotely run commands on

00:09:31.520 --> 00:09:40.400
the computer, and a bunch more stuff. The neat thing about jRat is that it works on Windows,

00:09:40.400 --> 00:09:46.640
Linux, and Mac computers. JACK: The Rat part of this jRat malware stands

00:09:46.640 --> 00:09:52.320
for Remote Access Trojan which means when a user gets infected with jRat the hacker can then remote

00:09:52.320 --> 00:09:57.840
control that computer, allowing them to download stuff or interact with that computer. At the time

00:09:57.840 --> 00:10:03.360
you could buy this piece of malware at jrat.io for about forty dollars in Bitcoin. This wasn’t

00:10:03.360 --> 00:10:08.240
a sophisticated or expensive piece of malware at all. But a few more e-mails came in with

00:10:08.240 --> 00:10:12.640
more attachments and a second piece of malware which also was discovered called Bandook.

00:10:12.640 --> 00:10:17.440
COOPER: Specifically, Bandook was developed by a guy who goes by the name Prince Ali.

00:10:17.440 --> 00:10:21.680
JACK: We’ll learn more about Prince Ali later but Bandook did a lot of the same things that

00:10:21.680 --> 00:10:26.480
jRat did. Now, as Cooper and the team at EFF discovered this, they knew they were

00:10:26.480 --> 00:10:31.360
dealing with something more serious. COOPER: [MUSIC] The first reaction is like

00:10:31.360 --> 00:10:39.360
wow; we really have something here. This isn’t just crimeware. This isn’t somebody trying to

00:10:39.360 --> 00:10:46.160
steal her credit cards. This is actually somebody trying to undertake digital espionage, right, this

00:10:46.160 --> 00:10:51.840
is somebody actually trying to spy on her. JACK: See, there are a few types of hackers out

00:10:51.840 --> 00:10:56.400
there; there’s the common crimeware hackers which usually are a spray-and-pray kind of

00:10:56.400 --> 00:10:59.680
hacking. They’ll just scan the whole internet looking for vulnerabilities or they’ll send

00:10:59.680 --> 00:11:04.240
out thousands of phishing e-mails. But then there are the targeted hackers. These people

00:11:04.240 --> 00:11:09.360
have a specific objective on a target. Because these phishing e-mails were crafted just for

00:11:09.360 --> 00:11:14.320
Irina personally, and the malware wasn’t like a Bitcoin miner or ransomware or anything,

00:11:14.320 --> 00:11:20.560
then this likely means somebody was actively trying to spy on her. It’s scary and dangerous

00:11:20.560 --> 00:11:25.360
to be the target of a hacker like this. COOPER: We inform her and she informs her

00:11:25.360 --> 00:11:32.960
friends and her family and her staff. They start sending us more suspicious e-mails.

00:11:32.960 --> 00:11:39.440
We get a bunch and we get a bunch that all contain jRat or the other malware called Bandook.

00:11:39.440 --> 00:11:43.840
JACK: Her brother started getting phishing e-mails, her family, other people at Respublika,

00:11:43.840 --> 00:11:48.960
and she was getting more e-mails too. This was getting more serious now.

00:11:48.960 --> 00:11:54.880
COOPER: [MUSIC] We started looking into the malware and we find the command and

00:11:54.880 --> 00:12:02.000
control servers. These are the servers that the malware actually talks to. These are

00:12:02.000 --> 00:12:06.160
the servers that the malware sends any files that it gets back to. Basically,

00:12:06.160 --> 00:12:11.280
these are the servers that let the person running the malware tell the malware what to do.

00:12:11.280 --> 00:12:17.200
JACK: With malware like this, there’s often an intermediary computer that files are staged on

00:12:17.200 --> 00:12:22.160
and uploaded to, and that connections are made through. That’s what this command and control server is.

00:12:22.160 --> 00:12:27.200
When you open a PDF, your computer will then download the malware from that server

00:12:27.200 --> 00:12:31.680
and when you get infected, your computer will upload data to that server.

00:12:31.680 --> 00:12:36.480
You need the server in order for the malware to be successful. The team at EFF discovered

00:12:36.480 --> 00:12:41.680
eight different domain names used by this malware and two different command and control servers.

00:12:41.680 --> 00:12:46.560
Each of them was hosted by companies notorious for hosting possibly illegal content

00:12:46.560 --> 00:12:52.400
and protecting its users. Yeah, again, this doesn’t seem like your typical crimeware.

00:12:52.400 --> 00:12:59.040
COOPER: We figured that at least the people who were going after Respublika and after

00:12:59.040 --> 00:13:08.160
Irina Petrushova were likely doing this on behalf of the government of Kazakhstan. The

00:13:08.160 --> 00:13:15.360
government of Kazakhstan is clearly after her. They’re clearly very upset with her for posting

00:13:15.360 --> 00:13:19.120
negative things about the government. JACK: But see, it’s hard to tell for sure.

00:13:19.120 --> 00:13:24.320
There just isn’t any smoking gun. It’s kind of like a puzzle where most of the pieces

00:13:24.320 --> 00:13:28.080
are all together and you can pretty much tell what the puzzle’s going to look like

00:13:28.080 --> 00:13:35.680
but you still need those final few pieces to really know for sure. Okay, remember those

00:13:35.680 --> 00:13:39.760
e-mails [00:15:00] that got leaked which were the official Kazakhstan government e-mails?

00:13:39.760 --> 00:13:42.880
One of them stood out to Cooper. COOPER: One of the things we learned from

00:13:42.880 --> 00:13:50.880
the dump of e-mails is that the President of Kazakhstan had taken out a contract

00:13:50.880 --> 00:13:57.600
with a private intelligence company called Arcanum Global Intelligence to perform what

00:13:57.600 --> 00:14:05.520
they called a surveillance data extraction and full spectrum cyber-operation mission to surveil

00:14:05.520 --> 00:14:14.840
Kazakhstan’s only opposition politician whose name is Ablyazov. His last name is Ablyazov.

00:14:14.840 --> 00:14:18.880
JACK: We just got started. We haven’t even got to the good stuff yet and already I’m just blown away

00:14:18.880 --> 00:14:25.440
by the magnitude of this whole thing. COOPER: Oh, it’s crazy. This is the deepest

00:14:25.440 --> 00:14:29.280
rabbit hole I’ve ever been down. JACK: Okay, so there’s sort of a smoking gun that

00:14:29.280 --> 00:14:34.160
says Kazakhstan has historically hired independent hacking teams to spy on the enemy.

00:14:34.160 --> 00:14:40.400
COOPER: The interesting thing and sort of the thesis that I want to get at is that it’s not

00:14:40.400 --> 00:14:44.960
that Kazakhstan has any cyber-skill. I hate using that word but let’s go with it.

00:14:44.960 --> 00:14:46.400
JACK: Okay. COOPER: It’s not that

00:14:46.400 --> 00:14:54.400
they have any – I’m sure there are many fine hackers in Kazakhstan, right, but

00:14:54.400 --> 00:15:05.120
the government does not have a cyber-war unit. They don’t have what is it, Israel’s…

00:15:05.120 --> 00:15:12.720
JACK: 8200? Mossad? COOPER: Yeah, 8200, exactly. But

00:15:12.720 --> 00:15:20.000
what they have is companies that do have this capability that are more than happy to sell it to

00:15:20.000 --> 00:15:23.680
any nation state that will pay. JACK: These for-hire hacking teams

00:15:23.680 --> 00:15:27.840
really fascinate me and that’s something I’m gonna have to dig into for a future episode

00:15:27.840 --> 00:15:31.840
because there are a lot of groups like this which will carry out hacks or spying or do

00:15:31.840 --> 00:15:35.360
signals intelligence for clients. COOPER: Because we know this is something

00:15:35.360 --> 00:15:41.120
that – digital surveillance, digital extraction missions, is the term they use, we know that that

00:15:41.120 --> 00:15:48.400
is something Kazakhstan is interested in. All of those spear phishing e-mails seem to demonstrate a

00:15:48.400 --> 00:15:57.440
pretty good knowledge of Kazakhstan; of politics in Kazakhstan and what might entice Kazakh

00:15:57.440 --> 00:16:06.880
activists to click through and open e-mails. The majority of the targets that we found were either

00:16:06.880 --> 00:16:12.240
embroiled in legal disputes with the government of Kazakhstan or are the family members or associates

00:16:12.240 --> 00:16:18.800
of people involved in those disputes. We feel like we have a pretty good link to Kazakhstan although

00:16:18.800 --> 00:16:25.280
no – it’s all circumstantial evidence. JACK: They also discovered some malware activity

00:16:25.280 --> 00:16:28.720
on mobile phones. What they found were… COOPER: Files that looked like they were

00:16:28.720 --> 00:16:34.560
uploaded from mobile phones which led us to believe that there was probably

00:16:34.560 --> 00:16:41.440
a mobile component to this campaign, although we never actually found, at the time of publishing,

00:16:41.440 --> 00:16:45.360
we never found the mobile malware. JACK: Eva Galperin was also a big part of

00:16:45.360 --> 00:16:50.000
this research. You might know her from Twitter as @evacide. Cooper and Eva

00:16:50.000 --> 00:16:53.760
put this data together and put it in a report called Operation Manul.

00:16:53.760 --> 00:16:57.920
Again, manul being a native cat to Kazakhstan, and they just like cats

00:16:57.920 --> 00:17:01.840
so why not? The report was published and they gave a presentation at Black Hat,

00:17:01.840 --> 00:17:05.920
a big security conference in Las Vegas. HOST: Our talk today is presented by Cooper

00:17:05.920 --> 00:17:11.360
Quinton and Eva Galperin. [APPLAUSE] EVA:

00:17:11.360 --> 00:17:16.000
Hi there. Welcome to When Governments Attack, also known as I Got A Letter

00:17:16.000 --> 00:17:19.920
from the Government the Other Day Because I Couldn’t Resist A Public Enemy Reference.

00:17:19.920 --> 00:17:23.120
We’re gonna be talking a little bit about… JACK: People were a little freaked out with

00:17:23.120 --> 00:17:27.600
this report, concerned about how easy it is for Kazakhstan to ramp

00:17:27.600 --> 00:17:34.080
up a cyber-espionage program by outsourcing it. People wondered how far does this spying go?

00:17:34.080 --> 00:17:38.480
At the end of the Black Hat talk, Eva said… EVA: I’m fairly certain that Cooper and I

00:17:38.480 --> 00:17:44.080
are less good at this than many of the people who are in this room right now.

00:17:44.080 --> 00:17:48.960
I beg you to go look at our report and see the many loose ends that we have left,

00:17:48.960 --> 00:17:53.440
the many areas in which more research is needed. It would not be that difficult for

00:17:53.440 --> 00:18:00.960
people with more skills than us and more resources than us to be helpful.

00:18:00.960 --> 00:18:05.680
JACK: [MUSIC] This call for help worked. A few new people saw this report and looked into it and

00:18:05.680 --> 00:18:16.320
found some things that they could help with. When we come back, we’ll hear what they found.

00:18:16.320 --> 00:18:25.360
COOPER: Unbeknownst to us, two researchers at Lookout, the mobile security company, took an

00:18:25.360 --> 00:18:33.360
interest in this report. Specifically, they took an interest in the part of the report that said

00:18:33.360 --> 00:18:38.960
we believe that there are [00:20:00] mobile components to this based on exfiltrated mobile

00:18:38.960 --> 00:18:43.760
files that we found but we weren’t able to find the samples. Lookout, being a mobile

00:18:43.760 --> 00:18:52.480
security company, has a big database of mobile malware and of the samples and of the domains

00:18:52.480 --> 00:18:58.720
that they’ve seen, the malicious domains that they’ve seen. Mike and Andrew, the researchers at

00:18:58.720 --> 00:19:06.400
Lookout, start combing through their database and after a little while they find some malware

00:19:06.400 --> 00:19:14.880
which is talking to the same domains that we had discovered in the Operation Manul report.

00:19:14.880 --> 00:19:18.640
[MUSIC] At this point they reach out to us and they say hey, we have this

00:19:18.640 --> 00:19:22.880
interesting mobile malware. We would love for you guys to take a look at it. We think

00:19:22.880 --> 00:19:27.360
that it’s related to Operation Manul. JACK: The team at Lookout called this mobile

00:19:27.360 --> 00:19:33.600
malware Pallas, P-A-L-L-A-S, which is the other name for the manul cat. They decided to get

00:19:33.600 --> 00:19:37.280
together and come to an agreement. COOPER: Our arrangement was okay,

00:19:37.280 --> 00:19:42.880
they will look into the mobile malware. We will sort of consult with them and think,

00:19:42.880 --> 00:19:48.640
write a blog post together, and think about what this might mean geopolitically.

00:19:48.640 --> 00:19:55.280
JACK: The team at EFF and the team at Lookout, they team up and they find a couple of new things

00:19:55.280 --> 00:19:58.480
related to this whole campaign. COOPER: We were about to publish a small

00:19:58.480 --> 00:20:08.880
blog post saying hey, we found some more mobile malware related to Operation Manul. Here it is and

00:20:08.880 --> 00:20:17.440
that’s all, folks, when I remembered that several months ago when I was researching Operation Manul,

00:20:17.440 --> 00:20:23.760
we had found all the uploaded files from the malware, from people’s infected computers

00:20:23.760 --> 00:20:29.200
on the command and control servers. JACK: When Cooper was investigating Operation

00:20:29.200 --> 00:20:34.880
Manul, he watched how the malware behaved and he noticed that it does things like take screenshots,

00:20:34.880 --> 00:20:40.080
and then uploads that to the command and control server. It puts them in a specific directory.

00:20:40.080 --> 00:20:45.040
Well, it just so happens that that directory was visible to anyone on the internet.

00:20:45.040 --> 00:20:51.520
COOPER: In other words, the data was in a location on the file system that you could visit with a

00:20:51.520 --> 00:20:58.560
web browser without authentication or anything, without even an index file

00:20:58.560 --> 00:21:12.240
that would hide the file names. One of the servers was example.com and you would go to

00:21:12.240 --> 00:21:15.600
example.com/<four-letter campaign ID>/pictures and you would see the list of every picture

00:21:15.600 --> 00:21:20.880
that had been uploaded by that infection. JACK: Whoa, this is a big deal. Cooper had the

00:21:20.880 --> 00:21:25.760
ability to view and download all the data that this hacking crew had stolen from its victims.

00:21:25.760 --> 00:21:29.040
This is what Cooper used to build his report on but forgot to mention

00:21:29.040 --> 00:21:33.200
it to the Lookout team until just now. COOPER: I went to Lookout. They said oh hey,

00:21:33.200 --> 00:21:39.440
do you think that it might be useful to look at some of this exfiltrated data? Their jaws

00:21:39.440 --> 00:21:45.200
dropped and they were like are you kidding me? Yes! Why didn’t you say this months ago?

00:21:45.200 --> 00:21:52.640
Yes, Jesus, give us the URLs. This was like, two days before we were gonna publish this little blog

00:21:52.640 --> 00:21:57.760
post, right. I showed them the data. We started looking at the data and we were like oh wait,

00:21:57.760 --> 00:22:03.040
there’s actually something much bigger going on here. This looks like a totally new target.

00:22:03.040 --> 00:22:03.550
JACK: It was a target that wasn’t Kazakhstan-related, is

00:22:03.550 --> 00:22:04.880
that what you’re saying? COOPER: Exactly. It was a target that wasn’t

00:22:04.880 --> 00:22:18.960
Kazakhstan-related. We start downloading all the data that we could find and we end up with several

00:22:18.960 --> 00:22:26.240
gigabytes’ worth of data. It’s pretty similar data from what we got before; audio recordings,

00:22:26.240 --> 00:22:34.400
video recordings, files, but we also found SMS messages, call records, WhatsApp, Telegram,

00:22:34.400 --> 00:22:39.760
and Skype databases, and WiFi details. JACK: This data provides the Lookout team a lot

00:22:39.760 --> 00:22:44.400
more information to investigate but not only that. There appear to be more victims since

00:22:44.400 --> 00:22:50.000
the report was published. The teams decided not to publish a blog post because the investigation

00:22:50.000 --> 00:22:52.880
just got a lot more interesting. COOPER: Exactly. That’s exactly what

00:22:52.880 --> 00:23:00.080
happened. This is way bigger than what you’re looking at. We start looking into this new data

00:23:00.080 --> 00:23:05.680
and we quickly discover that most of the infections are infections of people

00:23:05.680 --> 00:23:15.440
in Lebanon [MUSIC] or on the border of Lebanon and Syria. Looking through it, it appears to be

00:23:15.440 --> 00:23:26.320
mostly Lebanese civilians. There’s also some military people in there, there’s

00:23:26.320 --> 00:23:33.920
some activists in there, just a really wide swath of Lebanese society.

00:23:33.920 --> 00:23:41.040
JACK: Okay. [00:25:00] When you see okay, Lebanon; this is getting bigger.

00:23:41.040 --> 00:23:47.280
What is going through your mind now? COOPER: Yeah, so now it’s a real mystery because

00:23:47.280 --> 00:23:57.680
previously we had assumed that this was the work of a company working on behalf of Kazakhstan,

00:23:57.680 --> 00:24:04.560
right? But why would the government of Kazakhstan be spying on Lebanese civilians?

00:24:04.560 --> 00:24:07.520
JACK: What’s the relation between Kazakhstan and Lebanon?

00:24:07.520 --> 00:24:15.200
COOPER: There’s not much of a relationship, actually. Or vice versa, if this is the Lebanese

00:24:15.200 --> 00:24:20.320
why would they be spying on Kazakh citizens? JACK: Hm. This is kind of blowing the theory now

00:24:20.320 --> 00:24:24.560
that the hackers behind this might be from the Kazakhstan government. All of a sudden,

00:24:24.560 --> 00:24:28.880
the motives and signals just don’t add up. The teams keep analyzing the data,

00:24:28.880 --> 00:24:34.400
poring through gigs of photos and text messages and e-mails and keystrokes and WiFi hotspot data

00:24:34.400 --> 00:24:38.160
and more. Everything this malware would upload to the server the team would then

00:24:38.160 --> 00:24:44.640
download and take a look at it. Then they found another victim; a Vietnamese cigarette importer

00:24:44.640 --> 00:24:50.160
and this confused them even more. Around this time Lookout positively identifies the mobile malware

00:24:50.160 --> 00:24:56.560
being used in this hacking campaign. COOPER: The malware itself is pretty standard

00:24:56.560 --> 00:24:59.600
spyware stuff. JACK: Typical spyware

00:24:59.600 --> 00:25:04.800
mobile malware will enable the microphone, copy text messages, e-mails, turn the camera on, read

00:25:04.800 --> 00:25:09.360
your private messages, that sort of thing. COOPER: But what’s interesting about it is that it

00:25:09.360 --> 00:25:17.600
is masquerading as encrypted messaging applications.

00:25:17.600 --> 00:25:30.480
The malware is disguised as copies of WhatsApp, Signal, Telegram, Tor, and Threema.

00:25:30.480 --> 00:25:37.440
The attackers have actually set up a website called secureandroid.info that has the backdoored,

00:25:37.440 --> 00:25:43.360
Trojanized copies of all of these apps. JACK: Doing a little bit more investigation,

00:25:43.360 --> 00:25:46.960
the teams figured out how this whole thing went down. [MUSIC] The

00:25:46.960 --> 00:25:51.120
hackers would send an e-mail or a text to an Android phone user saying hey, we need to

00:25:51.120 --> 00:25:56.080
talk but let’s do it in a secure way. Download WhatsApp from this URL and then we can have a

00:25:56.080 --> 00:26:01.440
secure chat. The link to download the app would be to the hacker’s version of WhatsApp.

00:26:01.440 --> 00:26:08.080
COOPER: The really interesting thing is these were all, in addition to being spyware,

00:26:08.080 --> 00:26:14.000
working versions of the app still. When you downloaded this fake version of WhatsApp or this

00:26:14.000 --> 00:26:20.960
fake version of Signal you would be able to use it like the real version of WhatsApp or of Signal but

00:26:20.960 --> 00:26:26.320
it would also be spying on you in the background, decrypting your encrypted messages, and sending

00:26:26.320 --> 00:26:30.880
them to the command and control server. JACK: The teams at Lookout and EFF kept seeing

00:26:30.880 --> 00:26:34.880
more and more data being uploaded to the command and control servers which gave them

00:26:34.880 --> 00:26:38.720
so much more stuff to go through. They were seeing many more than six domain names that

00:26:38.720 --> 00:26:43.840
were being run by this hacker crew. COOPER: We found over twenty domains that were

00:26:43.840 --> 00:26:55.120
connected with this campaign. The domains were things like adobeair.net, tweetsfb.com,

00:26:55.120 --> 00:27:05.840
of course secureandroid.info which is hilarious to this day because all it had was insecure android.

00:27:05.840 --> 00:27:11.920
Arablivenews.com, and the one I mentioned before, axroute.com,

00:27:11.920 --> 00:27:16.800
skypeupdate.com, and a bunch more. JACK: Each of these sites had a different

00:27:16.800 --> 00:27:20.400
purpose in this attack. For instance, secureandroid.info

00:27:20.400 --> 00:27:24.240
was where e-mails would point the victim to download the malicious program

00:27:24.240 --> 00:27:30.080
and tweetsfb.com had exact replicas of the Twitter and Facebook login pages which were

00:27:30.080 --> 00:27:34.000
probably used to trick users to enter their username and password in order to steal their

00:27:34.000 --> 00:27:39.760
logins. The stolen data was uploaded to some of these other domains. The whole time, tons

00:27:39.760 --> 00:27:45.600
more victims are being hit with this which means tons more data is being uploaded to these servers,

00:27:45.600 --> 00:27:52.400
data which Cooper and the team can see. COOPER: We find just a massive amount of data.

00:27:52.400 --> 00:27:56.720
We found 81 gigabytes of data just on adobeair.net.

00:27:56.720 --> 00:28:06.720
JACK: Oh my gosh. It’s all adding up in my head now. You have behind the scenes access to all the

00:28:06.720 --> 00:28:13.360
files these hackers are stealing and it’s tons of data and it’s very sensitive, private stuff. Are

00:28:13.360 --> 00:28:24.400
you downloading it all and looking at it? COOPER: Yeah, and I’ll tell you Jack, it’s heavy

00:28:24.400 --> 00:28:31.280
stuff to look at because you have to look through all this data to figure out who the victims are,

00:28:31.280 --> 00:28:38.720
who the threat actors are. You’re really looking through people’s very personal data.

00:28:38.720 --> 00:28:43.280
You start looking through the pictures uploaded from people’s phones and you see pictures of

00:28:43.280 --> 00:28:49.200
people’s kids and pictures from war zones. You have to find ways to look through all

00:28:49.200 --> 00:28:54.960
these things to try to figure out what’s going on here and try to figure out are these victims

00:28:54.960 --> 00:28:58.960
related to each other in some way? Why are they being spied on?

00:28:58.960 --> 00:29:06.640
It’s awful. You feel like a terrible human being and you have to stop.

00:29:06.640 --> 00:29:11.120
JACK: The team combs through the data photo by photo, text by text and they would piece

00:29:11.120 --> 00:29:15.280
together the puzzle. They would figure out how the victim got infected by looking for

00:29:15.280 --> 00:29:20.480
suspicious text messages of people asking them to download an app. They’d try to find info on

00:29:20.480 --> 00:29:24.560
this victim like where they are in the world and what their job was, and why they might be the

00:29:24.560 --> 00:29:30.560
target for this kind of spyware attack. COOPER: Exactly. At some point what we did was

00:29:30.560 --> 00:29:36.960
just started to write a script that would take the IP addresses of all the victims

00:29:36.960 --> 00:29:41.760
and map them out in the world. JACK: [MUSIC]

00:29:41.760 --> 00:29:47.040
Using GeoIP lookup tools you can see what city that IP comes from in the world. The

00:29:47.040 --> 00:29:52.640
map they made displayed victims being all over the world, not just Kazakhstan and Lebanon

00:29:52.640 --> 00:29:59.440
but so many more countries. COOPER: In this map we’ve got victims in

00:29:59.440 --> 00:30:09.360
Lebanon, Kazakhstan, the United States, China, France, Germany, India, Italy, Jordan, Nepal,

00:30:09.360 --> 00:30:17.200
the Netherlands, Pakistan, the Philippines, Qatar, Russia, Saudi Arabia, South Korea, Switzerland,

00:30:17.200 --> 00:30:22.560
Syria, Thailand, Venezuela, and Vietnam. JACK: Holy cow.

00:30:22.560 --> 00:30:25.760
COOPER: All over the world.
