WEBVTT

00:00:02.044 --> 00:00:07.040
JACK: [MUSIC] In 2009 around Christmastime something terrible was lurking in the network

00:00:07.040 --> 00:00:13.360
at Google. Google is the most popular website on the internet. It’s so popular that many people

00:00:13.360 --> 00:00:17.760
just think Google is the internet. Google hires many of the most talented minds and

00:00:17.760 --> 00:00:22.800
has been online since the 90s. Hacking into Google is practically impossible. There is

00:00:22.800 --> 00:00:27.440
a team of security engineers who test and check all the configurations of the site before they go

00:00:27.440 --> 00:00:33.920
live and Google has teams of security analysts and technicians watching the network 24/7 for attacks,

00:00:33.920 --> 00:00:41.120
intrusions, and suspicious activity. Security plays a vital role at Google and everything has to

00:00:41.120 --> 00:00:47.360
have the best protections but this attack slipped past all that. Hackers had found a way into the

00:00:47.360 --> 00:00:52.400
network. They compromised numerous systems and burrowed their way deep into Google’s servers

00:00:52.400 --> 00:00:58.080
and were trying to get data that they shouldn’t be allowed to have. Google detected this activity

00:00:58.080 --> 00:01:02.640
and realized pretty quickly they were dealing with an attack more sophisticated than anything

00:01:02.640 --> 00:01:07.600
they’ve ever seen. JACK (INTRO): [MUSIC]

00:01:07.600 --> 00:01:16.960
These are true stories from the dark side of the internet. I’m Jack Rhysider.

00:01:16.960 --> 00:01:33.200
This is Darknet Diaries. [INTRO MUSIC ENDS] JACK:

00:01:33.200 --> 00:01:37.040
Once Google detected the attack they were able to stop it pretty quickly and clean it off the

00:01:37.040 --> 00:01:43.120
network. On January 12th, 2010, Google made a blog post telling everyone about the attack.

00:01:43.120 --> 00:01:47.600
They said this attack was more sophisticated than any attack they’ve seen. The virus that was

00:01:47.600 --> 00:01:53.280
used was not detected by any antivirus software so McAfee, an antivirus company got a copy of

00:01:53.280 --> 00:01:59.280
the malware and began studying it. [MUSIC] Hours after the announcement from Google another company

00:01:59.280 --> 00:02:05.600
posted another announcement, this one from Adobe, the makers of Photoshop and PDF readers.

00:02:05.600 --> 00:02:09.440
Adobe admitted that they too, got hacked over the winter holidays.

00:02:09.440 --> 00:02:14.720
After that it was clear that even more companies were hit by this attack at the same time; Yahoo,

00:02:14.720 --> 00:02:19.520
Rackspace, Microsoft, Juniper Networks, and Dow Chemicals to name a few.

00:02:19.520 --> 00:02:23.600
Google had detected that over twenty companies were victim to this attack.

00:02:23.600 --> 00:02:30.240
Some reports said as high as two hundred companies were attacked. Something big was going on.

00:02:30.240 --> 00:02:38.080
The victim companies, security companies, and law enforcement all began a full investigation.

00:02:38.080 --> 00:02:42.240
After looking through logs and analyzing the malware, researchers learned exactly how the

00:02:42.240 --> 00:02:47.360
attack took place. When McAfee reverse-engineered the malware they found that when the hacker

00:02:47.360 --> 00:02:51.440
executed the attack they ran it out of a folder called Aurora.

00:02:51.440 --> 00:02:54.160
Because the attacker had their malware in that folder,

00:02:54.160 --> 00:03:00.800
McAfee called this attack Operation Aurora. Here’s how the hackers got in;

00:03:00.800 --> 00:03:04.400
first they would pick their target, an employee of a company they want to attack,

00:03:04.400 --> 00:03:09.120
even better if they can find a developer or someone with extra access to the network.

00:03:09.120 --> 00:03:12.240
Then they would research that person, figure out what their e-mail address is,

00:03:12.240 --> 00:03:16.400
who they talk to, and what some of those e-mails look like between the two of them.

00:03:16.400 --> 00:03:20.480
Then they would send a phishing e-mail to the target. This isn’t some stupid looking e-mail from

00:03:20.480 --> 00:03:26.320
the Prince of Nigeria telling you you have a large inheritance. This one is much, much more clever.

00:03:26.320 --> 00:03:30.880
The hackers knew who that person would e-mail normally and what those e-mails would look like

00:03:30.880 --> 00:03:35.040
so the hacker spoofed an e-mail to make it look like it came from that co-worker

00:03:35.040 --> 00:03:38.560
and made it look like an important e-mail wanted them to click a link.

00:03:38.560 --> 00:03:43.040
These e-mails were so well-crafted that it would be very hard for even a seasoned security expert

00:03:43.040 --> 00:03:48.640
to detect. The victims clicked the link which takes them to a website that has malware on it.

00:03:48.640 --> 00:03:52.320
No big deal though, because the victim has patched their Internet Explorer browser so the

00:03:52.320 --> 00:03:57.040
malware shouldn’t have any effectiveness but here’s where things start to get more serious.

00:03:57.040 --> 00:04:02.080
The malware was not known by Microsoft so it was still able to exploit a fully-patched

00:04:02.080 --> 00:04:07.520
Internet Explorer. It was using what’s known as a zero-day exploit. It’s called a zero-day

00:04:07.520 --> 00:04:11.440
because that’s how many days Microsoft has been aware of this exploit.

00:04:11.440 --> 00:04:15.040
Since Microsoft wasn’t aware of it, the exploit worked.

00:04:15.040 --> 00:04:20.720
When the victim visited the malicious website it executed some commands on the victim’s computer.

00:04:20.720 --> 00:04:25.600
The commands that were sent to the victim’s computer downloaded a program and ran it. Here’s

00:04:25.600 --> 00:04:30.480
where things get even more sophisticated; the program that was downloaded and run was a Trojan

00:04:30.480 --> 00:04:36.000
and it was a brand new, freshly-made Trojan so it bypassed any antivirus software and it was able

00:04:36.000 --> 00:04:42.000
to infect a fully-patched version of Windows. This Trojan was very sophisticated, too. The

00:04:42.000 --> 00:04:47.040
encryption was strong and it was stealthy. This Trojan opened up a tunnel back to the hackers

00:04:47.040 --> 00:04:52.800
so they could control the victim’s computer. It was designed to look like regular web traffic.

00:04:52.800 --> 00:05:01.280
All this would happen within seconds of someone clicking the link.

00:05:01.280 --> 00:05:05.120
What makes this attack so sophisticated? Google gets attacked all day,

00:05:05.120 --> 00:05:09.760
every day but most of the people attacking Google are using well-known exploits,

00:05:09.760 --> 00:05:14.720
something you can learn by watching a YouTube video or reading a blog post. This attack was

00:05:14.720 --> 00:05:19.360
using multiple exploits that weren’t known to anyone and it’s rare to see attacks that use

00:05:19.360 --> 00:05:24.720
zero-day exploits. The hackers either had a lot of money to buy these zero-day exploits or they

00:05:24.720 --> 00:05:29.280
had a research and development team to help them make it. The other scary part is how much research

00:05:29.280 --> 00:05:33.600
the attackers did on their victims before sending them e-mails in the hopes they would click on it.

00:05:33.600 --> 00:05:37.680
It appears the attackers specifically picked Christmas and New Year’s holidays to attack,

00:05:37.680 --> 00:05:42.000
knowing that it would be a skeleton crew defending the network at that time.

00:05:42.000 --> 00:05:46.160
These advanced methods and techniques the hackers used aren’t new. The government sees

00:05:46.160 --> 00:05:52.000
sophisticated attacks like this fairly often. Banking industries and utility companies do too,

00:05:52.000 --> 00:05:56.720
but commercial businesses have never seen an attack this advanced waged against them.

00:05:56.720 --> 00:06:01.840
This would forever change the threat landscape for commercial companies.

00:06:01.840 --> 00:06:06.320
Google looked further into the logs and tried to trace where the attacker went and what they

00:06:06.320 --> 00:06:11.440
were trying to do. They saw the attackers were trying to access two specific pieces of data;

00:06:11.440 --> 00:06:16.400
first was access to Gmail accounts. It’s presumed the attackers wanted to read someone’s e-mails

00:06:16.400 --> 00:06:21.680
but not just anyone’s e-mails, specifically human rights activists’ e-mails. But not just any human

00:06:21.680 --> 00:06:27.360
rights activists’ e-mails, they were after Chinese human rights activists’ Gmail accounts.

00:06:27.360 --> 00:06:31.680
Whoever did this attack really wanted to see what those people were planning and organizing around

00:06:31.680 --> 00:06:36.320
China’s human rights movement. But when Google looked more closely at these accounts they noticed

00:06:36.320 --> 00:06:41.440
another connection. All of the accounts the attackers attempted to access had court orders.

00:06:41.440 --> 00:06:45.920
United States law enforcement had requested access to those specific Gmail accounts

00:06:45.920 --> 00:06:50.240
and these attackers were looking at those same exact accounts. This was really odd

00:06:50.240 --> 00:06:53.920
and has baffled a lot of people as to why someone would be trying to get into Gmail

00:06:53.920 --> 00:06:59.280
accounts of Chinese human rights activists that have already been subject to court orders.

00:06:59.280 --> 00:07:03.600
Perhaps this was some government espionage or a way to check how much the government

00:07:03.600 --> 00:07:09.120
can see into Gmail accounts. Google was able to stop the attackers from seeing any e-mails.

00:07:09.120 --> 00:07:13.040
The attackers were only able to tell when the account was created.

00:07:13.040 --> 00:07:18.960
The second piece of data the attackers were after in Google was their source code.

00:07:18.960 --> 00:07:22.640
Google is a company that makes software and usually they don’t want anyone to see the source

00:07:22.640 --> 00:07:27.280
code to it because that’s intellectual property. If someone had the source code they could create

00:07:27.280 --> 00:07:32.480
a competing site or find bugs in the source code to exploit later. The source code needs to be kept

00:07:32.480 --> 00:07:38.320
in a secure location. Source code is often kept in something like Git but for large companies

00:07:38.320 --> 00:07:42.080
it’s stored in what’s called Software Configuration Management Systems.

00:07:42.080 --> 00:07:46.400
Companies that make this kind of software are Perforce, Concurrent Versions System,

00:07:46.400 --> 00:07:52.720
Microsoft Visual SourceSafe, and IBM Rational. At Google, their source code was kept in Perforce but

00:07:52.720 --> 00:07:57.520
as they researched this attack they found numerous problems with Perforce. The attackers knew exactly

00:07:57.520 --> 00:08:02.880
where the Perforce servers were and used yet another unknown bug to get into Perforce.

00:08:02.880 --> 00:08:07.600
But that may not have mattered. After this attack McAfee looked into Perforce and found it to be

00:08:07.600 --> 00:08:13.520
insecure by default. McAfee found the following problems in Perforce; anyone can go and create

00:08:13.520 --> 00:08:19.200
their own user account, no need for an admin to set one up for you. The passwords are unencrypted.

00:08:19.200 --> 00:08:24.160
It’s easy to gather data on Perforce without any privileges. All communication to Perforce is

00:08:24.160 --> 00:08:29.200
unencrypted. It’s easy to bypass authentication altogether, it’s prone to directory traversal

00:08:29.200 --> 00:08:35.520
attacks, and all files are stored in clear text. It’s unknown how Perforce was set up in Google but

00:08:35.520 --> 00:08:40.320
it’s clear that it takes a lot of work to lock it down and secure it. Even then, it’s not very

00:08:40.320 --> 00:08:45.600
secure. These attackers had a strong knowledge of Perforce and once they were in Google’s network

00:08:45.600 --> 00:08:50.400
they were able to easily access Perforce and take some of the source code from Google, possibly the

00:08:50.400 --> 00:08:54.000
source code for the Chrome browser. The other companies that were

00:08:54.000 --> 00:08:58.800
also compromised by this attack did not give any details as to what was taken or accessed

00:08:58.800 --> 00:09:02.080
but it’s speculated that the source code was targeted for them, too.

00:09:02.080 --> 00:09:06.960
Sophisticated attacks like this often work in stages so it’s possible the attackers were just

00:09:06.960 --> 00:09:11.120
gathering information in this attack to be used for a bigger attack later.

00:09:11.120 --> 00:09:15.040
For instance, if they had the source code for how Adobe handles PDFs they could find

00:09:15.040 --> 00:09:20.560
new ways to create malicious PDFs so they can create new viruses to infect someone else.

00:09:20.560 --> 00:09:25.200
Upon discovering these vulnerabilities Microsoft issued an emergency patch for the browser and

00:09:25.200 --> 00:09:30.480
operating system. McAfee antivirus created new signatures to detect these attacks as well.

00:09:30.480 --> 00:09:34.720
It’s interesting that so many companies were attacked with the same exploit all at once.

00:09:34.720 --> 00:09:39.120
Once the Aurora exploit was known, companies could patch and detect it so it appears this

00:09:39.120 --> 00:09:43.520
hacker group was attacking as many places as it could and sort of letting the exploit

00:09:43.520 --> 00:09:48.800
become known in the process. But it also indicates that an attack at this scale would require dozens

00:09:48.800 --> 00:09:53.440
of people to conduct it; a team to develop the exploit, a team to research the attack,

00:09:53.440 --> 00:09:58.400
and a team to conduct the attack and remotely access those source code repositories. Further

00:09:58.400 --> 00:10:04.400
analysis of this attack and Trojan revealed more information. The attacks were seen coming from two

00:10:04.400 --> 00:10:10.320
different schools in China; the Shanghai Jiao Tong University and Lanxiang Vocational School.

00:10:10.320 --> 00:10:14.400
Both of these schools are legitimate, well-established, and respectable. If you go there

00:10:14.400 --> 00:10:18.880
you see students walking around campus and it looks like an average school. The school might not

00:10:18.880 --> 00:10:23.520
have anything to do with this as the attackers may have just used a server within the school to wage

00:10:23.520 --> 00:10:28.640
their attacks, but then again maybe there’s some hidden basement full of hackers and this school

00:10:28.640 --> 00:10:35.040
is just some kind of screen. Because this was a major incident hitting dozens of US companies, the

00:10:35.040 --> 00:10:40.000
FBI and the US government began investigating the attacks. It’s really difficult to figure out who

00:10:40.000 --> 00:10:44.480
conducted a cyber-attack because of how anonymous and hidden you are on the internet.

00:10:44.480 --> 00:10:48.960
A few pieces of information began to add up, though. The attackers wanted into those e-mail

00:10:48.960 --> 00:10:53.440
accounts of Chinese human rights activists and the attack originated from two schools

00:10:53.440 --> 00:10:58.880
in China, and the malware that was used had a checksum algorithm that’s only used in China.

00:10:58.880 --> 00:11:03.040
Rumors started to circulate that China was likely behind this attack. As the

00:11:03.040 --> 00:11:07.520
US government investigated, then Secretary of State Hillary Clinton addressed the media.

00:11:07.520 --> 00:11:13.120
CLINTON: We are obviously very concerned about Google’s announcement

00:11:13.120 --> 00:11:20.480
regarding a campaign that the company believes originated in China to collect the passwords

00:11:20.480 --> 00:11:26.480
of Google e-mail account holders. These allegations are very serious. We take

00:11:26.480 --> 00:11:30.240
them seriously. We’re looking into them. JACK: Some news outlets were even taking this

00:11:30.240 --> 00:11:31.440
a step further. REPORTER: ‘Cause it’s

00:11:31.440 --> 00:11:33.200
basically an act of war. REPORTER2: Yeah.

00:11:33.200 --> 00:11:35.680
REPORTER: Especially if it is really tied to the army

00:11:35.680 --> 00:11:40.000
and the government; it’s an act of war. JACK: Personally I think this is espionage, not an

00:11:40.000 --> 00:11:44.960
act of war. This is just theft of information. A spokesperson for the Chinese foreign ministry had

00:11:44.960 --> 00:11:51.360
a reply. [CHINESE] “Blaming China is unacceptable. The Chinese government places great importance

00:11:51.360 --> 00:11:55.600
on the computer and internet security and controls the internet according to law and

00:11:55.600 --> 00:12:01.360
demands that internet users respect relevant laws and regulations when using the internet.”

00:12:01.360 --> 00:12:06.240
As Google investigated this more, it became more certain that China was behind this.

00:12:06.240 --> 00:12:10.240
An attack with this level of sophistication hitting this many companies at once

00:12:10.240 --> 00:12:12.800
had to be done by a group that’s very advanced.

00:12:12.800 --> 00:12:16.800
They must have had dozens of people working on this attack. They’re well-funded and they were

00:12:16.800 --> 00:12:21.600
given extra privileges on China’s internet infrastructure. This isn’t the work of some

00:12:21.600 --> 00:12:28.960
amateurs or even Google competitors. This was far more advanced with far more capabilities.

00:12:28.960 --> 00:12:34.240
To understand what happens next we need to go back five years to 2005.

00:12:34.240 --> 00:12:39.360
In 2005 Google started building google.cn which was going to be a version of Google for people

00:12:39.360 --> 00:12:44.640
in China. See, the people in China can’t get to many of the sites we can. The Chinese government

00:12:44.640 --> 00:12:49.760
blocks anyone in China from getting to sites like Twitter, Facebook, Pinterest, most porn sites,

00:12:49.760 --> 00:12:55.280
YouTube, and yes, google.com. [MUSIC] But since China is the country with the largest population

00:12:55.280 --> 00:13:00.080
in the world, Google wanted to build a local version in China that would be allowed.

00:13:00.080 --> 00:13:04.480
The Chinese government required Google to have a license to operate in China, and they

00:13:04.480 --> 00:13:10.160
got it. They started building their offices, hiring their top talent, and creating google.cn

00:13:10.160 --> 00:13:14.960
but while they were building it China decided to cancel the license. Google had to spend another

00:13:14.960 --> 00:13:20.400
eighteen months negotiating with the Chinese government to get the license to operate in China.

00:13:20.400 --> 00:13:24.080
One of the requirements was to censor certain search results.

00:13:24.080 --> 00:13:28.640
For instance they wanted no results if you searched for Tiananmen Square protests.

00:13:28.640 --> 00:13:33.440
Google executives weren’t happy about all this censorship but still wanted to get in the Chinese

00:13:33.440 --> 00:13:39.520
market so they complied with all the censorship requirements. In 2007 an agreement was made and

00:13:39.520 --> 00:13:46.480
google.cn finally came up and online. Millions of people began using the site

00:13:46.480 --> 00:13:51.040
but then the Olympics took place in 2008 in China. Ramping up for that,

00:13:51.040 --> 00:13:55.360
the Chinese government started requesting even more search terms to be censored,

00:13:55.360 --> 00:14:01.200
some that were very broad. The US executives at Google were very unhappy with this and expressed

00:14:01.200 --> 00:14:05.840
their frustrations but eventually complied thinking this new censorship was only temporary

00:14:05.840 --> 00:14:10.800
until the Olympics were over, but the censorship didn’t end after the Olympics ended. In fact,

00:14:10.800 --> 00:14:15.360
China requested even broader search terms to be censored after the Olympics.

00:14:15.360 --> 00:14:19.920
Scary stuff too, like anything sexual in nature was banned and anything that

00:14:19.920 --> 00:14:25.120
criticized the Chinese government or politicians was banned search terms in google.cn.

00:14:25.120 --> 00:14:29.760
The Google executives were even more angry with this. They thought they were now helping this

00:14:29.760 --> 00:14:36.800
country conduct their oppression and it made them dissatisfied with China.

00:14:36.800 --> 00:14:43.280
When these attacks happened in late 2009, Google created a massive war room not only to combat

00:14:43.280 --> 00:14:49.760
the attack technically but to determine what to do next. Sergey Brin, a co-founder of Google,

00:14:49.760 --> 00:14:54.720
was extremely upset with China over these attacks. He specifically was upset that the

00:14:54.720 --> 00:14:59.920
attackers tried to get into the Chinese civil rights activists’ accounts and that the Chinese

00:14:59.920 --> 00:15:05.280
government was censoring so much from its people. Sergey reminded the executives that the motto at

00:15:05.280 --> 00:15:10.960
Google is Don’t Be Evil and by helping China be oppressive they were, in fact, being evil.

00:15:10.960 --> 00:15:15.280
Eric Schmidt, the Executive Chairman, did not agree. He reminded Sergey that they

00:15:15.280 --> 00:15:19.600
always complied with local laws in any country they operate in and that’s just part of doing

00:15:19.600 --> 00:15:25.360
business internationally. A very passionate internal debate raged among the Google executives

00:15:25.360 --> 00:15:31.200
for almost four months trying to determine what to do about China. Eventually Larry Page,

00:15:31.200 --> 00:15:36.400
the other co-founder of Google, agreed with Sergey and the debate was over. Google had

00:15:36.400 --> 00:15:42.080
decided to shut down their google.cn website and close most of their offices in China. They

00:15:42.080 --> 00:15:47.760
redirected all their traffic to google.com.hk which is a version of Google built in Hong Kong

00:15:47.760 --> 00:15:52.240
because Hong Kong maintains a totally separate body of government with different laws.

00:15:52.240 --> 00:15:56.960
Now when people in China went to google.cn they were able to search for sexual content and the

00:15:56.960 --> 00:16:02.240
Tiananmen Square protests because it was going through the Hong Kong version of Google. This was

00:16:02.240 --> 00:16:09.440
a huge deal for Google to shut down google.cn and pull out of China. China has the most population

00:16:09.440 --> 00:16:15.040
of any country in the world and Google is the most popular website in the world. There are

00:16:15.040 --> 00:16:20.320
more than twice as many people on the internet in China than there are total people in the US.

00:16:20.320 --> 00:16:26.480
Leaving a market this size will make a noticeable impact upon Google’s traffic and revenue but even

00:16:26.480 --> 00:16:31.760
more importantly it meant that Google would quit their fight over Chinese censorship laws.

00:16:31.760 --> 00:16:39.680
Silence fell on all Google employees who read the memo. The news of shutting down the google.cn

00:16:39.680 --> 00:16:45.040
office was dropped at 6:00 a.m. Beijing time. Many of the Google employees in China learned

00:16:45.040 --> 00:16:50.560
about the announcements by co-workers calling them and waking them up. Panicked employees

00:16:50.560 --> 00:16:56.320
flooded the Google office in China with questions and concerns but management just told everyone to

00:16:56.320 --> 00:17:02.720
leave and gave them all tickets to go see the movie Avatar which had just come out.

00:17:02.720 --> 00:17:07.680
The next day employees came back to the Google office in China and Sergey himself

00:17:07.680 --> 00:17:13.760
had a teleconference call with all of them to explain the situation. It didn’t go well.

00:17:13.760 --> 00:17:18.720
Emotions were high and employees felt that they were abandoned by the generals overseas

00:17:18.720 --> 00:17:24.800
in the middle of a war. A few months after that China blocked its people from being able to

00:17:24.800 --> 00:17:30.640
get to all Google sites including google.cn and google.com.hk. According to the website

00:17:30.640 --> 00:17:37.840
greatfire.org China has been blocking Google ever since. The major search engine that is

00:17:37.840 --> 00:17:42.560
used in China is called Baidu which if you search Tiananmen Square protests in there,

00:17:42.560 --> 00:17:49.360
you see stories about how the protests are a myth and didn’t happen. Ever since Operation Aurora,

00:17:49.360 --> 00:17:54.080
Google and many others have had to step up their defenses, knowing that more sophisticated attacks

00:17:54.080 --> 00:17:59.120
can hit even commercial companies. This attack forever changed how we see our adversaries

00:17:59.120 --> 00:18:05.760
when defending commercial networks. Security researchers at Symantec, Dell

00:18:05.760 --> 00:18:10.160
SecureWorks, and CrowdStrike dove further into Operation Aurora to try to understand the group

00:18:10.160 --> 00:18:15.200
behind these attacks. When Symantec investigated the malware further they found the code frequently

00:18:15.200 --> 00:18:20.480
used a variable with the name Elderwood so they called this hacking group Elderwood. CrowdStrike

00:18:20.480 --> 00:18:25.200
came up with a different name which was Sneaky Panda and Dell called them the Beijing Group. I

00:18:25.200 --> 00:18:29.840
like Elderwood the most, so let’s stick with that one. Security researchers created a big list of

00:18:29.840 --> 00:18:34.480
everything that’s known about Operation Aurora and started building a dossier on the Elderwood group.

00:18:34.480 --> 00:18:38.480
For years after the attack researchers would examine other big hacks and breaches to try to

00:18:38.480 --> 00:18:42.560
find if there’s any connection with the Elderwood hacking group. Some connections were made;

00:18:42.560 --> 00:18:46.240
either the same Trojan was used, or the same command and control servers were used,

00:18:46.240 --> 00:18:50.000
or comments in the code were similar. In the three years after Operation Aurora

00:18:50.000 --> 00:18:55.040
the Elderwood group was suspected to be behind seven different attack campaigns.

00:18:55.040 --> 00:18:59.520
[MUSIC] Each campaign resulted in numerous companies being hacked. The next attack

00:18:59.520 --> 00:19:05.520
they conducted after Operation Aurora contained a zero-day exploit using Adobe Flash. This is really

00:19:05.520 --> 00:19:10.640
interesting because during Operation Aurora they hacked into Adobe so we can speculate that maybe

00:19:10.640 --> 00:19:15.760
they did take the source code for Flash from Adobe and used it to build new exploits, because if you

00:19:15.760 --> 00:19:20.480
have the source code it’s much easier to find a vulnerability. In fact, they had five different

00:19:20.480 --> 00:19:25.360
zero-day exploits for Adobe Flash and were able to breach many companies using these exploits.

00:19:25.360 --> 00:19:30.160
This group had immense capabilities. They seemed to be growing more powerful over time,

00:19:30.160 --> 00:19:35.120
stealing more source code from places like Google, Adobe, Oracle, and Microsoft and building more

00:19:35.120 --> 00:19:39.440
zero-day exploits with them. It seemed like the Elderwood hacking group had endless amounts

00:19:39.440 --> 00:19:44.800
of zero-day exploits it can use. Hacking using zero-day exploits is not actually that common.

00:19:44.800 --> 00:19:49.760
In 2011 there were only eight reported breaches that used a zero-day exploit in the attack,

00:19:49.760 --> 00:19:54.320
but four of those exploits were from the Elderwood group so you can see how this group was dominating

00:19:54.320 --> 00:19:58.800
the hacker scene. What else is strange about the Elderwood group is that they have this uncanny

00:19:58.800 --> 00:20:03.520
ability to know when their zero-day exploits are about to be discovered or fixed. When they

00:20:03.520 --> 00:20:07.920
get wind that it’s going to be patched they burn their zero-day by trying to hack as many places as

00:20:07.920 --> 00:20:12.800
they can all at once to get the most of it. They may have access to an internal bug-tracking

00:20:12.800 --> 00:20:18.320
tool within Google or Microsoft or Adobe and they may have someone inside tipping them off.

00:20:18.320 --> 00:20:22.800
After Operation Aurora the Elderwood group changed their initial entry tactics. Instead of getting

00:20:22.800 --> 00:20:26.960
people to click the phishing e-mail they used what’s known as a watering-hole attack. This

00:20:26.960 --> 00:20:31.440
would hack into a popular website, put malware on it, and wait for users to visit the site to become

00:20:31.440 --> 00:20:35.840
infected. As soon as the victim’s computer would be infected, the hacking group would have full

00:20:35.840 --> 00:20:41.520
access to that computer. They also changed their targets. While attacking Microsoft, Google, and

00:20:41.520 --> 00:20:45.760
Adobe will help them find new exploits, it doesn’t look like that’s their primary objective.

00:20:45.760 --> 00:20:49.760
They seem to be mostly interested in gaining access to defense companies,

00:20:49.760 --> 00:20:54.560
companies like Lockheed Martin, Raytheon, Boeing, and General Dynamics to name a few.

00:20:54.560 --> 00:20:59.920
These companies supply tanks, weapons, and planes to the US military. They presumably want access to

00:20:59.920 --> 00:21:04.880
these companies to gain information on the latest weapons and military technology, maybe also get

00:21:04.880 --> 00:21:09.520
a glimpse as to what the military has in stock. This would certainly be valuable information for

00:21:09.520 --> 00:21:15.040
a super power like China. But the Elderwood group doesn’t attack these companies directly. Instead

00:21:15.040 --> 00:21:19.280
they’re almost always seen hacking into suppliers and third party companies that deal directly with

00:21:19.280 --> 00:21:24.480
the top-tier defense companies. They’re also seen hacking into the suppliers of suppliers because if

00:21:24.480 --> 00:21:29.520
they can infect the supply chain and that software gets into the defense company, then it’s just as

00:21:29.520 --> 00:21:34.000
good as hacking into the defense company. It’s easier and sneakier because those third party

00:21:34.000 --> 00:21:40.000
companies don’t have nearly the security defenses as a top-tier defense contractor. Elderwood would

00:21:40.000 --> 00:21:43.840
possibly study all the parts that are used in a specific weapon or tank and figure out

00:21:43.840 --> 00:21:48.320
which companies supply those parts or software and figure out which websites those companies visit to

00:21:48.320 --> 00:21:53.600
do their work. One website they infected was the Center for Defense Information in Washington, DC.

00:21:53.600 --> 00:21:57.520
This is a non-profit organization that posts information on military matters.

00:21:57.520 --> 00:22:01.680
People who visit this site are likely to be military or those working in the defense industry.

00:22:01.680 --> 00:22:05.920
Even if it’s a third party to a contractor, infecting them can be very valuable.

00:22:05.920 --> 00:22:12.960
From there you can implant malware into software and that can make its way into bigger companies.

00:22:12.960 --> 00:22:16.560
Details aren’t given as to what companies were specifically hit by Elderwood.

00:22:16.560 --> 00:22:19.760
Symantec doesn’t release that information and those companies that are breached

00:22:19.760 --> 00:22:22.800
aren’t always required to publicly disclose it so all we can tell from

00:22:22.800 --> 00:22:26.960
Symantec is the way the attacks happened and what types of companies were targeted.

00:22:26.960 --> 00:22:31.600
The second-biggest target for the Elderwood hacking group are human rights organizations.

00:22:31.600 --> 00:22:36.240
It’s suspected that the same group that did Operation Aurora in 2010 were also responsible

00:22:36.240 --> 00:22:40.800
for placing zero-day Flash exploits on the website for Amnesty International Hong Kong.

00:22:40.800 --> 00:22:44.240
Users who visited that site became infected, and this group could then access

00:22:44.240 --> 00:22:48.480
their computers to see anything they wanted to see on that computer. Other sites that had zero-day

00:22:48.480 --> 00:22:53.120
exploits on them were International Institute for Counter-Terrorism and The Cambodian Institute of

00:22:53.120 --> 00:22:58.480
Foreign Affairs. Users who visited those websites in May of 2012 had a high likelihood of being

00:22:58.480 --> 00:23:03.200
infected and having their systems controlled by the Elderwood group. Some researchers

00:23:03.200 --> 00:23:07.200
believe that there must be hundreds if not thousands of people working for this group.

00:23:07.200 --> 00:23:10.480
There would be a team of developers to comb through the stolen source code to

00:23:10.480 --> 00:23:14.720
develop exploits, then there’s a team to gather information on the targets and do open-source

00:23:14.720 --> 00:23:19.040
intelligence gathering, then there’s a team that puts together the attacks and plans a way to get

00:23:19.040 --> 00:23:23.200
into places, then there’s a team to conduct the attack and sit there waiting for the infected

00:23:23.200 --> 00:23:27.120
machines to show up. Then there are people talented at knowing certain software to be

00:23:27.120 --> 00:23:31.440
able to grab the data they need and navigate around. Then there’s a team of analysts to

00:23:31.440 --> 00:23:36.080
make sense of the data once it’s stolen, then there must also be interpreters and spies and

00:23:36.080 --> 00:23:41.520
website developers and instructors and labs and commanders. The Elderwood group is well-funded,

00:23:41.520 --> 00:23:46.400
highly trained, and very advanced. A group like this doesn’t just show up overnight.

00:23:46.400 --> 00:23:50.880
I suspect they probably have been working together for years, if not decades before being discovered

00:23:50.880 --> 00:23:57.600
like this. But still, we can only guess as to who they are based on the footprints they leave.

00:23:57.600 --> 00:24:01.440
Research papers have been published outlining the tactics, techniques, and procedures of the

00:24:01.440 --> 00:24:06.320
Elderwood group. Since then it appears they’ve changed their tactics to avoid being connected.

00:24:06.320 --> 00:24:10.080
Some researchers also believe they’ve broken up into smaller groups specifically designed

00:24:10.080 --> 00:24:15.200
for certain attacks such as spying on people or hacking into certain sectors. The hacking activity

00:24:15.200 --> 00:24:22.720
we continue to see from China today remains one of the most advanced, persistent threats.

00:24:22.720 --> 00:24:28.000
In 2015, US President Barack Obama and Chinese President Xi Jinping

00:24:28.000 --> 00:24:33.440
met to discuss cyber-attack diplomacy. They had dinner together and came to an agreement.

00:24:33.440 --> 00:24:36.880
The two presidents stood side-by-side on the White House lawn

00:24:36.880 --> 00:24:40.000
to explain what they agreed on. OBAMA: I raised, once again, our very

00:24:40.000 --> 00:24:45.680
serious concerns about growing cyber threats to American companies and American citizens.

00:24:45.680 --> 00:24:51.200
I indicated that it has to stop. The United States government does not engage in cyber

00:24:51.200 --> 00:24:57.200
economic espionage for commercial gain and today I can announce that our two countries have reached

00:24:57.200 --> 00:25:02.560
a common understanding on the way forward. We’ve agreed that neither the US or the Chinese

00:25:02.560 --> 00:25:08.320
government will conduct or knowingly support cyber-enabled theft of intellectual property

00:25:08.320 --> 00:25:13.520
including trade secrets or other confidential business information for commercial advantage.

00:25:13.520 --> 00:25:18.400
In addition we’ll work together and with other nations to promote international rules of the road

00:25:18.400 --> 00:25:23.280
for appropriate conduct in cyber space. JACK: If I can break character for a second here;

00:25:23.280 --> 00:25:27.440
this is what I love about having a career in InfoSec. I can turn on the nightly news and

00:25:27.440 --> 00:25:32.080
sometimes see the president talking my lingo. It’s just amazing to see what I’m passionate

00:25:32.080 --> 00:25:38.320
about being talked about on the world stage like this. It’s awesome. Anyway, this agreement was

00:25:38.320 --> 00:25:44.640
likely a direct result from the project Aurora attacks. Then again in 2017, US President Donald

00:25:44.640 --> 00:25:49.760
Trump and the Chinese President Xi Jinping met at Mar-a-Lago and renewed the same truce that neither

00:25:49.760 --> 00:25:54.240
country would attack commercial sectors to steal intellectual property for commercial gain.

00:25:54.240 --> 00:25:58.960
Personally I don’t think this truce has much value as both countries continue to do what they can to

00:25:58.960 --> 00:26:03.440
gather details from each other. Hacking into commercial companies to steal source code to

00:26:03.440 --> 00:26:08.960
develop new vulnerabilities is simply a part of that process. For instance, China is suspected to be

00:26:08.960 --> 00:26:13.200
behind the virus found in CCleaner, a popular Windows clean-up tool, and that attack got

00:26:13.200 --> 00:26:18.240
them access to data at Microsoft and Google. China denied its involvement but even if it

00:26:18.240 --> 00:26:22.640
did admit to it they could just say that the data stolen wasn’t used for commercial gain.

00:26:22.640 --> 00:26:26.960
This agreement between the two is just weak and unenforceable. Now that we know the

00:26:26.960 --> 00:26:31.680
Elderwood hacking group is capable of targeting commercial sectors, companies should take this

00:26:31.680 --> 00:26:36.400
as a cautionary tale, especially companies that supply to defense contractors.

00:26:36.400 --> 00:26:40.000
If this attacking group knows that a defense company uses your product

00:26:40.000 --> 00:26:45.440
they might try hacking you to get into the defense company because it’s easier and sneakier.

00:26:45.440 --> 00:26:51.120
By taking on a defense company as a client it significantly increases your threat landscape.

00:26:51.120 --> 00:26:55.840
This is the modern-day arms race. Foreign countries will continuously be trying to hack

00:26:55.840 --> 00:27:00.720
into our government and defense companies to gather as much information as they can.

00:27:00.720 --> 00:27:04.720
At the same time our government is trying to gather information about foreign governments

00:27:04.720 --> 00:27:09.280
by hacking them as well. This makes it difficult to understand governments.

00:27:09.280 --> 00:27:14.160
If the NSA finds a bug in Microsoft they might not tell Microsoft but instead they’ll keep it

00:27:14.160 --> 00:27:18.640
to themselves and potentially use it in a cyber-attack because they want to be one

00:27:18.640 --> 00:27:24.160
step ahead of the enemy. We’re seeing that the US and foreign governments are keeping zero-day exploits

00:27:24.160 --> 00:27:28.720
just for themselves. Governments hacking into other governments or companies in other countries

00:27:28.720 --> 00:27:36.480
is now the new normal. Spyware vs. spyware, ghosts in the wire, cyber-patriots. This is the current

00:27:36.480 --> 00:27:43.360
battlefront that is secret and hidden from all of us until something goes wrong or gets sloppy

00:27:43.360 --> 00:27:56.000
or until someone wants us to see something. JACK (OUTRO): [OUTRO MUSIC]

00:27:56.000 --> 00:27:59.600
You’ve been listening to Darknet Diaries. This episode is made by me,

00:27:59.600 --> 00:28:03.760
Jack Rhysider, with theme music from the mysterious Breakmaster Cylinder.

00:28:03.760 --> 00:28:07.840
Okay, so a lot of you want more episodes of this show and I’ll make a deal with you.

00:28:07.840 --> 00:28:13.840
I’ll go back to producing two episodes a month if you can help me reach 3,000 followers on Facebook.

00:28:13.840 --> 00:28:18.000
Deal? Okay, if you’re in go to facebook.com/darknetdiaries

00:28:18.000 --> 00:28:22.160
and follow the page. Tell your friends to follow it too. I also posted a preview of

00:28:22.160 --> 00:28:29.840
the next episode on Facebook for you to check out right now so come on, let’s go do this.
