WEBVTT

00:00:00.599 --> 00:00:04.110
JACK: Imagine being at work in the office and all of a sudden the server you’re working

00:00:04.110 --> 00:00:09.610
on goes down, the phones stop working, the screens go blank, and as you investigate you

00:00:09.610 --> 00:00:11.630
realize the company has been hacked.

00:00:11.630 --> 00:00:16.180
[MUSIC] The virus is so bad and it’s spreading so fast that you frantically start unplugging

00:00:16.180 --> 00:00:19.010
Ethernet cables in an attempt to stop the attack.

00:00:19.010 --> 00:00:22.320
You’re forced to sever your connection to the internet altogether.

00:00:22.320 --> 00:00:27.310
Yeah, that did happen and I want to tell you about it.

00:00:27.310 --> 00:00:35.909
JACK (INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet.

00:00:35.909 --> 00:00:40.469
I’m Jack Rhysider.

00:00:40.469 --> 00:00:44.559
This is Darknet Diaries.

00:00:44.559 --> 00:00:53.379
[INTRO MUSIC ENDS]

00:00:53.379 --> 00:00:59.899
JACK: Imagine you’re taking a nice gondola ride through a canal.

00:00:59.899 --> 00:01:04.770
[MUSIC] This is one of those boats where you hire someone to stand up on it and paddle

00:01:04.770 --> 00:01:05.770
for you.

00:01:05.770 --> 00:01:10.450
It’s nice and slow, relaxing, something you do as a tourist and it can be romantic;

00:01:10.450 --> 00:01:13.380
except, you’re not in Italy.

00:01:13.380 --> 00:01:15.770
You’re in the middle of the desert.

00:01:15.770 --> 00:01:20.380
This is the scene from within the Venetian, a hotel casino in Las Vegas, Nevada.

00:01:20.380 --> 00:01:21.820
But it’s not just any hotel.

00:01:21.820 --> 00:01:25.439
It’s a luxury resort, a massive resort with over 4,000 rooms.

00:01:25.439 --> 00:01:29.720
In fact, it was the largest hotel in the world up until 2015.

00:01:29.720 --> 00:01:32.229
If you go to Vegas you can’t miss it.

00:01:32.229 --> 00:01:34.229
The Venetian looks just like Italy.

00:01:34.229 --> 00:01:36.560
It’s amazing to look at and explore.

00:01:36.560 --> 00:01:42.140
On top of it being a hotel, they have a 120,000 square foot casino, a monster of a gaming

00:01:42.140 --> 00:01:45.100
hall which is where they make a ton of their money.

00:01:45.100 --> 00:01:49.289
In 1988 Sheldon Adelson bought the Sands Hotel and Casino in Vegas.

00:01:49.289 --> 00:01:53.619
Three years later he got married to his second wife and took a honeymoon to Venice, Italy.

00:01:53.619 --> 00:01:57.939
That’s where he got the inspiration to bring Italy to Las Vegas, so he did.

00:01:57.939 --> 00:02:03.340
He came back home and spent 1.5 billion dollars building the Venetian and then imploded the

00:02:03.340 --> 00:02:07.130
Sands Hotel and built more Venetian hotel rooms on top of it.

00:02:07.130 --> 00:02:11.600
Sheldon had a strong desire to succeed as a hotel casino investor and he did succeed.

00:02:11.600 --> 00:02:15.580
His casino was very successful and now he controls ten different properties.

00:02:15.580 --> 00:02:19.390
The parent company of this empire is the Las Vegas Sands which is what I’m going to refer

00:02:19.390 --> 00:02:21.760
to as LVS a lot in this episode.

00:02:21.760 --> 00:02:26.360
LVS is the company that owns The Venetian and Palazzo in Vegas, and another Venetian

00:02:26.360 --> 00:02:29.060
in China, and the Marina Bay Sands in Singapore.

00:02:29.060 --> 00:02:32.960
That’s the one that looks like it has a cruise ship on the top of the buildings, and

00:02:32.960 --> 00:02:35.270
another Sands Casino Resort in Bethlehem.

00:02:35.270 --> 00:02:41.140
The Las Vegas Sands has over 50,000 employees worldwide and is ranked 418th on The Fortune

00:02:41.140 --> 00:02:42.140
500 list.

00:02:42.140 --> 00:02:46.800
It’s a massive corporation today and its founder, owner, and CEO is Sheldon Adelson.

00:02:46.800 --> 00:02:50.670
We’re going to learn a lot more about Sheldon in a minute but I’m fascinated with the

00:02:50.670 --> 00:02:54.620
IT infrastructure of a major global business like this.

00:02:54.620 --> 00:02:58.790
[MUSIC] You may have seen Ocean’s Eleven at this point so you can probably take a guess

00:02:58.790 --> 00:03:03.540
as to how secure their physical infrastructure is to protect those millions of dollars that

00:03:03.540 --> 00:03:05.850
are transacted each night in the casinos.

00:03:05.850 --> 00:03:07.740
But those are all physical securities.

00:03:07.740 --> 00:03:11.350
I want to know what their IT security looks like so I did some snooping.

00:03:11.350 --> 00:03:14.900
If you want to know what’s in a company’s network and they’re not really telling you

00:03:14.900 --> 00:03:17.260
what’s in there, there’s two easy ways to figure this out.

00:03:17.260 --> 00:03:20.050
First is their career page and the job openings.

00:03:20.050 --> 00:03:23.650
On the Las Vegas Sands website, you see job openings for things like Network Security

00:03:23.650 --> 00:03:27.310
Engineer 1, Network Security Engineer 2, Network Security Engineer 3.

00:03:27.310 --> 00:03:31.480
To qualify for these roles you have to be proficient in Cisco routers, Aruba wireless

00:03:31.480 --> 00:03:36.430
controllers, Checkpoint firewalls, Palo Alto firewalls, Blue Coat web proxies, and F5 load

00:03:36.430 --> 00:03:38.450
balancers, and VPN servers.

00:03:38.450 --> 00:03:39.450
You know what?

00:03:39.450 --> 00:03:42.830
These are all the technologies that I would expect to see in a large Fortune 500 company’s

00:03:42.830 --> 00:03:46.130
network so nothing’s really out of the ordinary here.

00:03:46.130 --> 00:03:49.660
The second place I look to get a good idea of what’s in their network is LinkedIn.

00:03:49.660 --> 00:03:53.880
A couple of simple searches here and I’m finding hundreds of IT people claiming that

00:03:53.880 --> 00:03:58.980
they work at the Las Vegas Sands, ranging everywhere from cyber security project manager

00:03:58.980 --> 00:04:02.810
to a whole army of cyber security engineers, and analysts, and administrators.

00:04:02.810 --> 00:04:05.300
I think this paints a good enough picture for me.

00:04:05.300 --> 00:04:08.730
With a few other Google searches, I’ve got a pretty good idea what their internal network

00:04:08.730 --> 00:04:10.580
is like and what their staff is like.

00:04:10.580 --> 00:04:13.970
The IT security team at Las Vegas Sands seems to be pretty big.

00:04:13.970 --> 00:04:18.680
I’m guessing somewhere between 200 and 1,000 engineers, technicians, analysts, investigators,

00:04:18.680 --> 00:04:20.230
directors, and more.

00:04:20.230 --> 00:04:25.150
The IT security people’s job is to understand, find, detect, stop, and remove threats from

00:04:25.150 --> 00:04:26.150
the network.

00:04:26.150 --> 00:04:27.150
You know what?

00:04:27.150 --> 00:04:30.130
These are the good guys in our story, the people who work tirelessly to keep that network

00:04:30.130 --> 00:04:35.090
up and safe, to keep the company running smoothly in the middle of any kind of cyber-attack.

00:04:35.090 --> 00:04:39.430
Las Vegas Sands has multiple data centers and it houses hundreds and hundreds of servers

00:04:39.430 --> 00:04:40.430
in each.

00:04:40.430 --> 00:04:41.830
The network of these casinos is huge.

00:04:41.830 --> 00:04:45.450
There are like, thousands of slot machines that all need Ethernet connections and then

00:04:45.450 --> 00:04:49.240
there’s public WiFi for the guests, there’s retail sales networks, there’s online booking

00:04:49.240 --> 00:04:53.280
servers for their ten different properties, each guest room has an electronic door lock;

00:04:53.280 --> 00:04:54.980
that’s gotta be connected to something.

00:04:54.980 --> 00:04:58.960
Then there’s the hotel reservation systems and the television network in each room, and

00:04:58.960 --> 00:05:01.740
a whole bunch of security cameras everywhere.

00:05:01.740 --> 00:05:05.550
That’s a lot of stuff in their network to keep up and operational.

00:05:05.550 --> 00:05:10.230
It’s a massive and complex network but this is typical for what I’d expect a Fortune

00:05:10.230 --> 00:05:11.230
500 company to have.

00:05:11.230 --> 00:05:14.610
Now, I outlined their network to you because I really want you to get a sense of who’s

00:05:14.610 --> 00:05:15.610
working there.

00:05:15.610 --> 00:05:18.470
These IT and security people have a lot at stake to secure.

00:05:18.470 --> 00:05:22.620
Of course, there’s millions of dollars of actual cash to secure but there’s also thousands

00:05:22.620 --> 00:05:26.560
of customers to keep happy every minute of the day, 24/7.

00:05:26.560 --> 00:05:28.100
Las Vegas never sleeps.

00:05:28.100 --> 00:05:32.010
The IT and security team has to work their butt off to keep the network up and operating

00:05:32.010 --> 00:05:34.520
effectively and they can never sleep, either.

00:05:34.520 --> 00:05:39.430
Someone’s always there 24/7, 365 in the security operation center watching threats

00:05:39.430 --> 00:05:40.430
in the network.

00:05:40.430 --> 00:05:43.650
They’re just looking for packing threats and then a whole other team monitoring the

00:05:43.650 --> 00:05:46.700
surveillance cameras; all 24/7.

00:05:46.700 --> 00:05:49.600
A network this big comes with a lot of hazards of things breaking.

00:05:49.600 --> 00:05:52.480
It’s just the nature of having a large network.

00:05:52.480 --> 00:05:55.930
Cables go bad, upgrades fail, patches introduce new bugs, yadda, yadda, yadda.

00:05:55.930 --> 00:06:00.990
Of course, there’s network attackers, hackers that are trying to push malware onto the network

00:06:00.990 --> 00:06:05.610
and through their websites and under the wireless network to maybe try to figure out a way in

00:06:05.610 --> 00:06:07.740
getting some of that casino cash.

00:06:07.740 --> 00:06:12.760
I’m sure that running a casino attracts thieves like garbage attracts flies.

00:06:12.760 --> 00:06:15.860
The security team at Las Vegas Sands has done a great job.

00:06:15.860 --> 00:06:20.110
They’ve deployed state-of-the-art infrastructure and hired top-notch talent to keep the place

00:06:20.110 --> 00:06:21.110
secure.

00:06:21.110 --> 00:06:23.680
It seems like they’ve thought of everything that can possibly go wrong and they have a

00:06:23.680 --> 00:06:25.430
plan in case that happens.

00:06:25.430 --> 00:06:30.060
But as you might guess, something does go wrong that they didn’t expect.

00:06:30.060 --> 00:06:32.750
[MUSIC] Alright, let’s go back to Sheldon now.

00:06:32.750 --> 00:06:34.940
What do we know about Sheldon Adelson?

00:06:34.940 --> 00:06:37.920
Well, the man has money, lots of money.

00:06:37.920 --> 00:06:42.660
Las Vegas Sands is the biggest casino operator in the world and this CEO owns over half of

00:06:42.660 --> 00:06:43.660
it.

00:06:43.660 --> 00:06:48.900
The Bloomberg Billionaires Index has Sheldon with a net worth of 36 billion dollars.

00:06:48.900 --> 00:06:51.880
That’s the kind of money I can’t even wrap my head around.

00:06:51.880 --> 00:06:55.699
He’s a self-made billionaire whose wealth just keeps growing.

00:06:55.699 --> 00:06:59.940
Sheldon started young, growing up in a low-income family in Boston and he had his eyes on making

00:06:59.940 --> 00:07:02.130
money and he set out to do just that.

00:07:02.130 --> 00:07:05.860
He created business after business; some were more successful than others.

00:07:05.860 --> 00:07:07.600
Then he found gold.

00:07:07.600 --> 00:07:12.560
In the 1970s when personal computers started to become popular, he created Comdex.

00:07:12.560 --> 00:07:16.699
This is a computer trade show which brought all the top tech companies together to showcase

00:07:16.699 --> 00:07:17.970
their latest technologies.

00:07:17.970 --> 00:07:21.160
The Comdex Tech Conference was a major success.

00:07:21.160 --> 00:07:26.360
To give you an idea of how well it did, in 1979 Sheldon held Comdex at the MGM Grand

00:07:26.360 --> 00:07:31.370
Hotel in Vegas, the most famous and luxurious hotel casino in the world at the time.

00:07:31.370 --> 00:07:35.389
Within ten years, business had exploded for Comdex and became the largest trade show in

00:07:35.389 --> 00:07:39.210
Las Vegas, earning in excess of 20 million dollars each year.

00:07:39.210 --> 00:07:43.240
Listen to this reporter coming at you live from the 1993 Comdex Trade Show.

00:07:43.240 --> 00:07:47.210
REPORTER: There may be a recession going on out there somewhere but you certainly couldn’t

00:07:47.210 --> 00:07:53.750
tell here in Las Vegas as over 2,000 exhibitors, more than 140,000 attendees are here at a

00:07:53.750 --> 00:07:56.070
bigger-than-ever fall Comdex.

00:07:56.070 --> 00:07:59.990
Lots of new product introductions from the big guys like Microsoft and Intel.

00:07:59.990 --> 00:08:04.250
Also new products from smaller companies with names you’ve probably never even heard of.

00:08:04.250 --> 00:08:06.040
JACK: 140,000 attendees.

00:08:06.040 --> 00:08:07.229
That’s mindboggling.

00:08:07.229 --> 00:08:13.960
I mean, the E3 Convention that was in Las Vegas last year only brought in 69,000 attendees.

00:08:13.960 --> 00:08:17.040
The success of Comdex made Sheldon Adelson a multi-millionaire.

00:08:17.040 --> 00:08:24.940
He sold Comdex in 1995 for 860 million dollars to focus his attention and wealth on the Las

00:08:24.940 --> 00:08:26.120
Vegas Sands.

00:08:26.120 --> 00:08:31.160
The Venetian in Las Vegas, his mega-project that he developed to replicate Venice, Italy,

00:08:31.160 --> 00:08:35.919
was soon the first privately-owned and largest convention facility space in the US, not to

00:08:35.919 --> 00:08:37.990
mention a casino heaven for gamblers.

00:08:37.990 --> 00:08:42.979
You can see how Sheldon has emerged as a dominant figure and behind his businesses he’s outspoken

00:08:42.979 --> 00:08:47.129
and not shy at all about using his money to bolster up the causes he believes in.

00:08:47.129 --> 00:08:51.360
The sheer scale of donations to the Republican Party in the US alone has kept him in the

00:08:51.360 --> 00:08:52.360
spotlight.

00:08:52.360 --> 00:08:58.600
We’re talking donations of 120 million dollars in the 2012 Presidential Campaign and 82 million

00:08:58.600 --> 00:09:01.819
dollars in the 2016 Presidential Campaign.

00:09:01.819 --> 00:09:03.649
All this went to the Republican Party.

00:09:03.649 --> 00:09:07.470
These are colossal amounts to us but small change to Sheldon.

00:09:07.470 --> 00:09:11.290
Considering he’s a mega-donor, some question what kind of influence that sort of money

00:09:11.290 --> 00:09:12.290
buys you.

00:09:12.290 --> 00:09:14.410
But he’s not just interested in US policy.

00:09:14.410 --> 00:09:18.029
He’s also very concerned with the rising online gambling phenomenon.

00:09:18.029 --> 00:09:20.519
He wants to protect his casino empire.

00:09:20.519 --> 00:09:22.389
His reach doesn’t stop there, though.

00:09:22.389 --> 00:09:26.389
He’s a strong and vocal supporter of Israel and a good friend to the Israeli Prime Minister

00:09:26.389 --> 00:09:28.300
Benjamin Netanyahu.

00:09:28.300 --> 00:09:32.999
Sheldon also owns two Israeli newspapers; the Israel Today and Makor Rishon.

00:09:32.999 --> 00:09:37.589
He also owns a newspaper in Las Vegas, The Review Journal, so Sheldon has a fair share

00:09:37.589 --> 00:09:41.709
of the media market in both Israel and Nevada, right where he wants it.

00:09:41.709 --> 00:09:45.720
Hearing this, I’m reminded of the great newspaper mogul, William Randolph Hearst,

00:09:45.720 --> 00:09:49.740
who once said, “You furnish the pictures, I’ll furnish the war.”

00:09:49.740 --> 00:09:53.879
Meaning a newspaper has a powerful way to shape general opinion and belief.

00:09:53.879 --> 00:09:57.279
But I’m not gonna go into whether or not Sheldon’s newspapers are slanted one way

00:09:57.279 --> 00:10:01.740
or another, but for a person who’s so involved in politics, it certainly wouldn’t be a

00:10:01.740 --> 00:10:02.740
surprise.

00:10:02.740 --> 00:10:07.420
In his private life Sheldon has a powerhouse of a wife who’s equally supportive of Israel.

00:10:07.420 --> 00:10:11.629
Israeli-born Miriam Adelson says her heart remains in Israel and is clearly an influence

00:10:11.629 --> 00:10:14.050
on Sheldon’s strong pro-Israel stance.

00:10:14.050 --> 00:10:17.649
Miriam is a medical doctor who specializes in drug addiction, research, and treatment,

00:10:17.649 --> 00:10:20.449
and has a very nice career of her own.

00:10:20.449 --> 00:10:24.490
This husband and wife team stand firmly together when it comes to donating their money and

00:10:24.490 --> 00:10:27.480
supporting political candidates and Israeli causes.

00:10:27.480 --> 00:10:32.809
Direct, confident, and a little arrogant, Sheldon Adelson is a man with money, influence,

00:10:32.809 --> 00:10:36.079
and connections, and he’s not a figure who sits quietly in the background.

00:10:36.079 --> 00:10:41.449
When a CEO of a large corporation like this has such strong political character traits,

00:10:41.449 --> 00:10:43.399
it can sometimes lead to trouble.

00:10:43.399 --> 00:10:49.449
On October 22, 2013, Sheldon Adelson was the guest of honor at the prominent Jewish Yeshiva

00:10:49.449 --> 00:10:51.220
University in New York.

00:10:51.220 --> 00:10:55.300
The rabbi who led the panel questioned Sheldon on his thoughts on whether America should

00:10:55.300 --> 00:10:56.709
negotiate with Iran.

00:10:56.709 --> 00:10:58.850
Here’s what Sheldon’s response was.

00:10:58.850 --> 00:11:04.579
RABBI: Alright, so you would support negotiations with Iran currently so long as they first

00:11:04.579 --> 00:11:06.870
ceased all enrichment of uranium?

00:11:06.870 --> 00:11:08.040
SHELDON: No.

00:11:08.040 --> 00:11:10.160
What do you mean support negotiations?

00:11:10.160 --> 00:11:12.179
What are we negotiating about?

00:11:12.179 --> 00:11:18.550
What I would say is listen, you see that desert out there?

00:11:18.550 --> 00:11:19.999
I want to show you something.

00:11:19.999 --> 00:11:25.540
You pick up your cell phone and you call somewhere in Nebraska and you say okay, let it go.

00:11:25.540 --> 00:11:30.749
There’s an atomic weapon goes over ballistic missiles in the middle of the desert that

00:11:30.749 --> 00:11:35.139
doesn’t hurt a soul, maybe a couple of rattlesnakes and scorpions or whatever.

00:11:35.139 --> 00:11:36.180
Then you say see?

00:11:36.180 --> 00:11:40.209
The next one is in the middle of Tehran.

00:11:40.209 --> 00:11:45.579
JACK: The CEO of Las Vegas Sands, a multi billion-dollar company, just casually suggests

00:11:45.579 --> 00:11:50.360
that the US should send nuclear weapons into the Iranian desert as a warning shot, following

00:11:50.360 --> 00:11:56.879
up with a message that the next one will be aimed straight for Tehran, the capital.

00:11:56.879 --> 00:11:57.879
[BACKGROUND CONV.]

00:11:57.879 --> 00:11:59.809
[APPLAUSE] It’s bold, blunt, unashamed.

00:11:59.809 --> 00:12:03.079
Sheldon had just dropped a verbal bombshell.

00:12:03.079 --> 00:12:07.069
While the collection of students at the talk seemed to respond warmly to his comments,

00:12:07.069 --> 00:12:10.529
Philip Weiss was in the audience recording the response on video.

00:12:10.529 --> 00:12:15.279
Philip runs a website called Mondoweiss which some say is controversial.

00:12:15.279 --> 00:12:20.320
Many critics have said the stories posted to Mondoweiss are anti-Semitic and cause controversy.

00:12:20.320 --> 00:12:26.069
It’s possible that if Philip wasn’t there recording this, this story would have ended

00:12:26.069 --> 00:12:27.069
right here.

00:12:27.069 --> 00:12:32.199
But because Philip was there and he caught this on video and he’s a popular journalist,

00:12:32.199 --> 00:12:34.399
the story does not stop here.

00:12:34.399 --> 00:12:38.379
[MUSIC] He posted his video to his website Mondoweiss the following day.

00:12:38.379 --> 00:12:41.110
The national media ate it right up.

00:12:41.110 --> 00:12:45.689
The Washington Post, Huffington Post, The Atlantic, Mother Jones, and Buzzfeed news

00:12:45.689 --> 00:12:49.559
all picked up this story and had it up on their website within hours.

00:12:49.559 --> 00:12:52.870
Most reports featured the full video, enabling readers to listen for themselves.

00:12:52.870 --> 00:12:56.220
It turned out it wasn’t just the general public who were listening.

00:12:56.220 --> 00:13:01.259
A month after the comments aired, the Supreme Leader of Iran responded directly and he told

00:13:01.259 --> 00:13:07.350
students in Tehran that America should quote, “Slap these parading people and crush their

00:13:07.350 --> 00:13:09.350
mouths.” Unquote.

00:13:09.350 --> 00:13:12.120
The Iranians were not happy with Sheldon Adelson.

00:13:12.120 --> 00:13:18.709
One of Sheldon’s properties is called Sands Bethlehem but this is not the Bethlehem that’s

00:13:18.709 --> 00:13:19.709
in Palestine.

00:13:19.709 --> 00:13:22.369
Sands Bethlehem is in Pennsylvania, United States.

00:13:22.369 --> 00:13:24.800
It’s about two hours north of Philadelphia.

00:13:24.800 --> 00:13:29.519
This casino is nowhere near the Las Vegas mega resorts but it still has 300 rooms and

00:13:29.519 --> 00:13:31.230
3,000 slot machines.

00:13:31.230 --> 00:13:36.050
Two months after Sheldon’s comments about Iran were broadcast, the IT team in the Sands

00:13:36.050 --> 00:13:42.149
Bethlehem resort saw some worrying activity on their computer network.

00:13:42.149 --> 00:13:47.980
[MUSIC] Someone had scanned their network to see what Sands Bethlehem had on the internet.

00:13:47.980 --> 00:13:51.949
They found the usual stuff that you’d see a company has; web access to e-mail, and external

00:13:51.949 --> 00:13:55.089
websites for customers, and a VPN.

00:13:55.089 --> 00:13:59.189
This VPN was for remote workers who could securely connect into the network and then

00:13:59.189 --> 00:14:01.009
they’d get access to the internal network.

00:14:01.009 --> 00:14:06.509
If a hacker could get into this VPN, they’d have inside access to the network.

00:14:06.509 --> 00:14:10.819
The hackers started trying to guess the passwords to some VPN users.

00:14:10.819 --> 00:14:16.149
They tried root, admin, password1, Sands, and a bunch of common passwords.

00:14:16.149 --> 00:14:20.639
When that didn’t work they tried more complicated passwords like using special characters and

00:14:20.639 --> 00:14:21.639
numbers.

00:14:21.639 --> 00:14:26.089
They tried hundreds and hundreds of password combinations to try to get into this VPN but

00:14:26.089 --> 00:14:28.329
so far they were unsuccessful.

00:14:28.329 --> 00:14:30.999
The Sands IT security team is good, top-notch.

00:14:30.999 --> 00:14:34.959
Like hawks, okay; they saw this, they noticed the brute-force password attack and they took

00:14:34.959 --> 00:14:35.959
action.

00:14:35.959 --> 00:14:38.249
They enabled two factor authentication for VPN users.

00:14:38.249 --> 00:14:42.110
This would completely remove the ability for a brute force attack to be successful because

00:14:42.110 --> 00:14:47.589
you need not only the password but you also need that token code that only the VPN users

00:14:47.589 --> 00:14:49.339
would have on their phone.

00:14:49.339 --> 00:14:53.680
This brute-force attack went on for a while and eventually died down.

00:14:53.680 --> 00:14:54.939
The attackers weren’t done.

00:14:54.939 --> 00:14:58.310
They looked to see what else Sands Bethlehem had on the internet.

00:14:58.310 --> 00:15:00.980
They found a curious server was online.

00:15:00.980 --> 00:15:04.959
When new updates would go onto the official website for Sands Bethlehem, they’d first

00:15:04.959 --> 00:15:06.819
pass through a staging server.

00:15:06.819 --> 00:15:11.399
This looks like an exact replica of the live site but it’s where new changes can be staged

00:15:11.399 --> 00:15:13.560
and is there for testing purposes.

00:15:13.560 --> 00:15:17.929
The attackers found this server and they attempted to see if that staging server was vulnerable

00:15:17.929 --> 00:15:19.360
to some exploits.

00:15:19.360 --> 00:15:22.679
The hackers exploited that server and gained access to it.

00:15:22.679 --> 00:15:24.079
They were in.

00:15:24.079 --> 00:15:29.230
[MUSIC] But just getting into one server usually isn’t enough; you now need to figure out

00:15:29.230 --> 00:15:33.199
how to laterally move or escalate your privileges and find something else.

00:15:33.199 --> 00:15:36.899
The hackers saw some other servers to try to get into but they didn’t have any usernames

00:15:36.899 --> 00:15:38.879
or passwords to try to log in.

00:15:38.879 --> 00:15:41.499
They used a tool called Mimikatz.

00:15:41.499 --> 00:15:45.040
Mimikatz is an incredible hacking tool and here’s how it works.

00:15:45.040 --> 00:15:50.489
On a Windows computer, when you log into it, it stores your password in clear text in the

00:15:50.489 --> 00:15:51.489
RAM.

00:15:51.489 --> 00:15:52.489
That’s just by design.

00:15:52.489 --> 00:15:56.459
That’s Windows normal behavior and Mimikatz knows exactly where to look to dig that password

00:15:56.459 --> 00:15:57.739
out of memory.

00:15:57.739 --> 00:16:01.839
What this means is that if you run Mimikatz on a vulnerable Windows computer you will

00:16:01.839 --> 00:16:06.399
get a list of all users and their clear text passwords that have ever logged into that

00:16:06.399 --> 00:16:08.970
computer since it’s been rebooted.

00:16:08.970 --> 00:16:10.679
This is huge.

00:16:10.679 --> 00:16:15.999
I don’t know why but for some reason Microsoft refused to fix this vulnerability for years.

00:16:15.999 --> 00:16:20.149
There was literally nothing you could do about it so these hackers ran Mimikatz on this web

00:16:20.149 --> 00:16:24.069
development server and from there they were able to see the usernames and passwords of

00:16:24.069 --> 00:16:27.589
web developers and IT admins for Sands Bethlehem.

00:16:27.589 --> 00:16:32.060
These are the people who probably have access to a lot of IT infrastructure within the network.

00:16:32.060 --> 00:16:35.171
This gave the hackers access to a lot of the network.

00:16:35.171 --> 00:16:39.439
They quickly discovered that Sands Bethlehem was completely isolated from the main Las

00:16:39.439 --> 00:16:41.459
Vegas Sands network in Nevada.

00:16:41.459 --> 00:16:48.319
They could not find any tunnels or connectivity between the two locations.

00:16:48.319 --> 00:16:52.060
The hackers were on some kind of mission and access to the Sands Bethlehem network was

00:16:52.060 --> 00:16:53.199
just not good enough.

00:16:53.199 --> 00:16:57.429
They needed access to the main data center for all of Las Vegas Sands.

00:16:57.429 --> 00:17:01.149
They looked at the usernames and passwords that they harvested through Mimikatz and started

00:17:01.149 --> 00:17:02.949
trying to see what they had.

00:17:02.949 --> 00:17:07.539
They found that for remote users to get in the Las Vegas data center, there was a VPN

00:17:07.539 --> 00:17:09.059
for them to connect to.

00:17:09.059 --> 00:17:12.769
The hackers tried these usernames and passwords they had from the staging server to try to

00:17:12.769 --> 00:17:16.240
connect to the main data center VPN in Vegas.

00:17:16.240 --> 00:17:17.799
Sure enough, one worked.

00:17:17.799 --> 00:17:23.000
[MUSIC] A senior Sands IT administrator had visited the Bethlehem site and did some work

00:17:23.000 --> 00:17:24.000
there recently.

00:17:24.000 --> 00:17:27.829
Now that the hackers had that person’s login information, they were able to use it to get

00:17:27.829 --> 00:17:30.130
into the main Las Vegas network.

00:17:30.130 --> 00:17:34.230
From here the hackers analyzed the network and established a firm foothold in it.

00:17:34.230 --> 00:17:38.340
They gave themselves a persistent connection to it in case that password was to change.

00:17:38.340 --> 00:17:42.620
The hackers continued to analyze the network in building a map of what was there, and they

00:17:42.620 --> 00:17:46.231
were very quiet the whole time and were careful not to raise any alarms.

00:17:46.231 --> 00:17:55.080
A few weeks later on February 10th, 2014 the hackers made their move.

00:17:55.080 --> 00:17:59.659
Inside the LVS network they set off a piece of code custom-written in visual basic, a

00:17:59.659 --> 00:18:01.950
wiper code with the goal of destruction.

00:18:01.950 --> 00:18:08.260
[MUSIC] It worked its way through the network, accessing, copying, and deleting all the data

00:18:08.260 --> 00:18:09.260
as it went.

00:18:09.260 --> 00:18:13.620
The data wiped from the hard drive was replaced with useless nonsense code, making it almost

00:18:13.620 --> 00:18:15.940
impossible to recover.

00:18:15.940 --> 00:18:21.549
While the wiper code silently crept through the network, staff computers started crashing.

00:18:21.549 --> 00:18:25.679
Phone systems stopped working and IT teams were flooded with calls telling them the same

00:18:25.679 --> 00:18:27.870
thing from frantic staff members.

00:18:27.870 --> 00:18:33.289
For a network the size of LVS where they had thousands of staff and computers and communication

00:18:33.289 --> 00:18:38.649
systems, this was probably the absolute worst nightmare for the IT security team.

00:18:38.649 --> 00:18:44.610
Computer systems at LVS were in total chaos.

00:18:44.610 --> 00:18:48.769
The cyber incident responders who worked at LVS kicked into action.

00:18:48.769 --> 00:18:52.049
The analysts were sent off to figure out where the attack was coming from and how to block

00:18:52.049 --> 00:18:53.049
its path.

00:18:53.049 --> 00:18:56.740
Hundreds of IT staff at Las Vegas Sands were working together to try to protect the

00:18:56.740 --> 00:19:00.690
valuable servers, the data centers, the networks, and LVS itself.

00:19:00.690 --> 00:19:05.669
By the afternoon of February 10th, IT security staff realized that hackers were in the network.

00:19:05.669 --> 00:19:09.350
File logs told them that sensitive files were being compressed and downloaded.

00:19:09.350 --> 00:19:12.980
Not only had the networks been breached and firewalls been knocked through and servers

00:19:12.980 --> 00:19:17.580
exposed, but hackers were now actively downloading the data on customers and guests and staff

00:19:17.580 --> 00:19:21.990
and gamblers, like the exclusive Invitation Only members list; it was stolen.

00:19:21.990 --> 00:19:25.409
Social security numbers were stolen, drivers license details were stolen.

00:19:25.409 --> 00:19:26.890
The list goes on and on.

00:19:26.890 --> 00:19:30.870
But while sensitive data was being stolen, what the IT security engineers had to focus

00:19:30.870 --> 00:19:36.470
on was keeping those critical systems up so that the casino and hotel could stay operational.

00:19:36.470 --> 00:19:40.660
The gaming tables and slot machines and access to hotel rooms and electronic door codes and

00:19:40.660 --> 00:19:45.510
the retail outlets and the elevators leading to the fifty different floors, payment stations,

00:19:45.510 --> 00:19:49.220
card machines, and all that relies on a stable and functioning network.

00:19:49.220 --> 00:19:53.559
But the network was crumbling away like a sand castle falling over.

00:19:53.559 --> 00:19:58.019
Las Vegas Sands, the biggest casino operator in the world, had to consider that they might

00:19:58.019 --> 00:20:02.049
have to stop everything and tell their visitors to leave and close the doors.

00:20:02.049 --> 00:20:07.460
At this point, realizing the scale of the hack and the seriousness of it, Sands President

00:20:07.460 --> 00:20:12.769
Michael Leven ordered IT systems staff to sever LVS from the internet entirely.

00:20:12.769 --> 00:20:16.370
This was a desperate bid to stop the attack and limit the damage.

00:20:16.370 --> 00:20:19.909
The ten websites owned by LVS did not escape the hackers’ attention.

00:20:19.909 --> 00:20:24.370
In the blink of an eye the Las Vegas Sands websites were morphed into something entirely

00:20:24.370 --> 00:20:25.539
more sinister.

00:20:25.539 --> 00:20:29.970
The LVS websites had a message emblazoned across them saying, “Encouraging the use of

00:20:29.970 --> 00:20:33.919
weapons of mass destruction under any condition is a crime.”

00:20:33.919 --> 00:20:35.940
Another website said, “Damn, eh?

00:20:35.940 --> 00:20:39.570
Don’t let your tongue cut your throat.”

00:20:39.570 --> 00:20:45.299
By now there was no question that this cyber-attack was personal.

00:20:45.299 --> 00:20:48.750
While all this was happening behind the scenes, the functioning of the Venetian and Palazzo

00:20:48.750 --> 00:20:54.559
in Vegas did continue with guests in and gamblers blissfully unaware of what was going on.

00:20:54.559 --> 00:20:58.490
Because of the determined efforts of the security IT staff and the fact that hackers missed

00:20:58.490 --> 00:21:03.539
the IBM mainframe, guests were able to continue gaming, access their hotel rooms, and purchase

00:21:03.539 --> 00:21:04.970
things from the retail stores.

00:21:04.970 --> 00:21:08.940
But the IT staff made a strategic move to go to the data center and start unplugging

00:21:08.940 --> 00:21:13.169
key servers entirely to stop this wiper virus from spreading to them.

00:21:13.169 --> 00:21:17.980
The network engineers began frantically pulling Ethernet cables from servers.

00:21:17.980 --> 00:21:22.880
This wiper virus was on a mission to infect and spread to as many systems as it could

00:21:22.880 --> 00:21:27.010
and delete the data on those computers, targeting just Windows machines.

00:21:27.010 --> 00:21:32.070
This meant that users’ computers were going down and servers that run Windows like SharePoint

00:21:32.070 --> 00:21:34.840
and e-mail and shared drives were probably going down.

00:21:34.840 --> 00:21:39.820
Early on in this attack the wiper virus hit the active directory server in Las Vegas and

00:21:39.820 --> 00:21:41.259
completely wiped it out.

00:21:41.259 --> 00:21:45.870
It then tried to spread to the Sands properties in China and Singapore to wipe them out too

00:21:45.870 --> 00:21:51.130
but by knocking out the active directory server in Las Vegas, it completely severed the connections

00:21:51.130 --> 00:21:53.679
to China and Singapore.

00:21:53.679 --> 00:21:57.960
By complete accident it made those networks safe from this attack.

00:21:57.960 --> 00:22:04.149
This destruction was confined to just Sands Bethlehem and the main network in Las Vegas.

00:22:04.149 --> 00:22:07.870
The next day the Las Vegas Sands websites were just offline entirely.

00:22:07.870 --> 00:22:11.440
Physical hardware had been disconnected, cables were pulled out of machines, and the LVS servers

00:22:11.440 --> 00:22:12.840
were compromised.

00:22:12.840 --> 00:22:17.610
It took the IT security team, which might be as high as 1,000 members strong, almost a full

00:22:17.610 --> 00:22:22.470
week to re-establish connection securely to get Las Vegas back up and running fully.

00:22:22.470 --> 00:22:26.460
This outage was noticed by some people so publicly the company spokesperson had to

00:22:26.460 --> 00:22:29.169
say something to reassure their customers if nothing else.

00:22:29.169 --> 00:22:33.630
They chose to play down the attack by announcing it was just vandalism targeted at their websites

00:22:33.630 --> 00:22:36.870
and some damage to the background office systems and e-mails.

00:22:36.870 --> 00:22:39.830
But when the hackers heard this it didn’t sit well with them.

00:22:39.830 --> 00:22:43.910
The hackers responded with a ten-minute long YouTube video highlighting Sheldon’s exact

00:22:43.910 --> 00:22:48.510
comments and showing a number of files, and folders, and passwords, and details that they

00:22:48.510 --> 00:22:50.409
had accessed and stolen during the attack.

00:22:50.409 --> 00:22:54.679
They wanted the world to know that what they were doing is much more than mere vandalism

00:22:54.679 --> 00:22:58.389
and the reasons why they were doing it but that video was removed by law enforcement

00:22:58.389 --> 00:23:02.789
very soon after it was uploaded, but not before it had been viewed a few thousand times.

00:23:02.789 --> 00:23:07.659
The cyber-attack on LVS was clearly designed to immobilize and destroy as much of their

00:23:07.659 --> 00:23:10.440
server and network capacity as possible.

00:23:10.440 --> 00:23:13.960
The goal here was to hit Sheldon Adelson right where it hurt the most.

00:23:13.960 --> 00:23:15.559
So who did it?

00:23:15.559 --> 00:23:19.580
The messages left on the defaced LVS website provide the first obvious clue.

00:23:19.580 --> 00:23:23.429
Sheldon’s comments about nuclear weapons in Iran clearly provoked some anger there.

00:23:23.429 --> 00:23:28.509
In 2015, a year after the attack, US Director of National Intelligence, James Clapper, addressed

00:23:28.509 --> 00:23:30.830
this exact hack in a senate hearing.

00:23:30.830 --> 00:23:31.830
Here he is.

00:23:31.830 --> 00:23:36.601
JAMES: 2014 saw for the first time destructive cyber-attacks carried out on US

00:23:36.601 --> 00:23:42.139
soil by nation state entities marked first by the Iranian attack against the Las Vegas

00:23:42.139 --> 00:23:47.669
Sands Casino Corporation a year ago this month, and a North Korean attack against Sony in

00:23:47.669 --> 00:23:48.820
November.

00:23:48.820 --> 00:23:54.129
These destructive attacks demonstrate that Iran and North Korea are motivated and unpredictable

00:23:54.129 --> 00:23:55.129
cyber-actors.

00:23:55.129 --> 00:23:58.570
JACK: Whoa, whoa, this is crazy.

00:23:58.570 --> 00:24:03.560
While LVS itself refused to address that this cyber-attack even occurred publicly, here

00:24:03.560 --> 00:24:08.440
we have through an official channel that not only was LVS a victim to a cyber-attack but

00:24:08.440 --> 00:24:13.300
James Clapper is saying that the people who did it were the Iranian government itself.

00:24:13.300 --> 00:24:18.230
Not just some activists, but this was carried out by the Iranian military or something.

00:24:18.230 --> 00:24:23.090
This raises all kinds of new questions; why would a government spend resources to attack

00:24:23.090 --> 00:24:24.110
a private company?

00:24:24.110 --> 00:24:28.169
Was this the same wiper virus that Iran used to attack Saudi Aramco?

00:24:28.169 --> 00:24:31.450
Why didn’t the Iranian government take credit for this attack?

00:24:31.450 --> 00:24:35.800
But then on top of that, Director Clapper said that this was the first ever destructive

00:24:35.800 --> 00:24:40.090
cyber-attack on US soil that was conducted by a nation state actor.

00:24:40.090 --> 00:24:42.179
I think the keyword here must be destructive.

00:24:42.179 --> 00:24:47.620
In Episode 19 I go over an attack that China did on Google back in 2009.

00:24:47.620 --> 00:24:51.980
You can even go back thirty years ago to an attack called Moonlight Maze which was Russia

00:24:51.980 --> 00:24:54.320
hacking into a US Air Force base.

00:24:54.320 --> 00:24:57.389
But I guess those weren’t destructive in nature.

00:24:57.389 --> 00:25:02.649
Maybe this was the first ever destructive cyber-attack on US soil done by a nation state

00:25:02.649 --> 00:25:03.649
actor.

00:25:03.649 --> 00:25:08.080
But if the Iranian government is behind this, it’s interesting because Stuxnet was a US

00:25:08.080 --> 00:25:09.510
attack on Iranian soil.

00:25:09.510 --> 00:25:14.440
Maybe this is Iran kind of flexing a little, showing that they have cyber-attack capabilities

00:25:14.440 --> 00:25:16.820
and this is kind of a response to Stuxnet.

00:25:16.820 --> 00:25:20.390
But if that’s the case, it’s really troubling that a private company has to face the wrath

00:25:20.390 --> 00:25:21.870
of a nation state actor.

00:25:21.870 --> 00:25:25.830
But it’s really hard to know exactly what the motives are behind this attack.

00:25:25.830 --> 00:25:29.049
Was it just a simple provocation that Sheldon did?

00:25:29.049 --> 00:25:32.919
Was there something more to this?

00:25:32.919 --> 00:25:36.740
For LVS, even though we know where the hack came from, I still can’t get over the fact

00:25:36.740 --> 00:25:42.370
that the CEO of a Fortune 500 company managed to talk himself into this huge amount of destruction

00:25:42.370 --> 00:25:43.370
and damage.

00:25:43.370 --> 00:25:48.500
The attack on Las Vegas Sands wiped out almost 75% of the company’s networks and servers,

00:25:48.500 --> 00:25:53.139
rendering much of their equipment and workstations useless and valuable data was just wiped.

00:25:53.139 --> 00:25:58.230
But the damage went deeper than some crashed computers; Sands President Michael Leven confirmed

00:25:58.230 --> 00:26:02.509
it took more than forty million dollars to fix the damage by building new systems and

00:26:02.509 --> 00:26:04.039
recovering from the data lost.

00:26:04.039 --> 00:26:08.330
This was no small cyber-attack and if the hackers’ intention was to disrupt and destroy,

00:26:08.330 --> 00:26:09.720
they achieved their aim.

00:26:09.720 --> 00:26:13.980
Las Vegas Sands were keen to keep the details of this attack under wraps which they managed

00:26:13.980 --> 00:26:15.570
to do for almost a year.

00:26:15.570 --> 00:26:20.429
But there was an article in Bloomberg Businessweek that exposed the hack and laid bare the true

00:26:20.429 --> 00:26:25.390
scale of this attack, but neither Sheldon Adelson nor any LVS spokesperson commented

00:26:25.390 --> 00:26:27.309
on this article at all.

00:26:27.309 --> 00:26:30.980
People kept pressuring LVS to say something about the remarks that Sheldon said about

00:26:30.980 --> 00:26:35.260
Iran, so a spokesperson did say something in the Las Vegas Review Journal which is a

00:26:35.260 --> 00:26:37.299
newspaper that Sheldon owns.

00:26:37.299 --> 00:26:41.420
The spokesperson said that Adelson’s comments were not meant to be taken literally; he was

00:26:41.420 --> 00:26:45.250
simply trying to say that actions speak louder than words.

00:26:45.250 --> 00:26:48.899
But I think the moral of the story here is that words matter.

00:26:48.899 --> 00:26:52.909
Las Vegas Sands did eventually confirm that they suffered a large-scale cyber-attack in

00:26:52.909 --> 00:26:57.580
February 2014 and named its computer networks in the US as the target.

00:26:57.580 --> 00:27:02.710
In their annual report of 2014 it said both the FBI and the US government were investigating

00:27:02.710 --> 00:27:07.480
this sophisticated cyber-attack and were working with IT system experts to investigate what

00:27:07.480 --> 00:27:08.480
had happened.

00:27:08.480 --> 00:27:12.110
In the year since this hack, LVS has made no further comments.

00:27:12.110 --> 00:27:15.720
IT security teams like the one at the Las Vegas Sands have their work cut out for

00:27:15.720 --> 00:27:20.269
them for battling against such sophisticated threats and hackers who seek to destroy rather

00:27:20.269 --> 00:27:21.450
than steal.

00:27:21.450 --> 00:27:26.070
When the CEO of a company speaks publicly and gives such incendiary remarks, there are

00:27:26.070 --> 00:27:29.240
risk assessors within the company that might tip off the security team to let them know

00:27:29.240 --> 00:27:33.340
the risk profile is higher than normal and they need to secure the networks and servers

00:27:33.340 --> 00:27:35.470
to be a little bit tighter and protected.

00:27:35.470 --> 00:27:40.340
But when the hackers are playing the long game, watching and monitoring and lying in

00:27:40.340 --> 00:27:44.909
wait, and when they do get in and wreak the kind of destruction and havoc they did here,

00:27:44.909 --> 00:27:50.190
it leaves an almighty mess for even the biggest and best IT security teams to clean up.

00:27:50.190 --> 00:27:56.929
JACK (OUTRO): [OUTRO MUSIC] You’ve been listening to Darknet Diaries.

00:27:56.929 --> 00:28:01.009
If this show brings value to you please consider donating to it through Patreon.

00:28:01.009 --> 00:28:04.549
There you can get a bonus episode, an ad-free feed, and stickers.

00:28:04.549 --> 00:28:08.700
This episode was created by me, just a plain old sock monkey, Jack Rhysider.

00:28:08.700 --> 00:28:12.801
I got some writing and research help this episode from Fiona Guy, and the theme music

00:28:12.801 --> 00:28:15.240
is created by the beat farmer, Breakmaster Cylinder.

00:28:15.240 --> 00:28:16.219
See you in two weeks.
