WEBVTT

00:00:00.179 --> 00:00:03.560
JACK: Before we get started, if you haven’t already, go back and listen to Episode 28

00:00:03.560 --> 00:00:05.230
and 29 before this one.

00:00:05.230 --> 00:00:08.310
It’s a little series on the Middle East here and it’s meant to be listened to in

00:00:08.310 --> 00:00:09.310
that order.

00:00:09.310 --> 00:00:13.350
There are some hacker stories that really scare me and this is one of them.

00:00:13.350 --> 00:00:17.120
This one had a potential of causing a worldwide economic crisis.

00:00:17.120 --> 00:00:21.250
The world’s governments are growing in sophistication and they’re training their troops to hack

00:00:21.250 --> 00:00:23.570
and they’re building cyber-weapons.

00:00:23.570 --> 00:00:27.949
While governments are hacking into other governments, sometimes governments hack into private companies

00:00:27.949 --> 00:00:29.800
or a city’s infrastructure.

00:00:29.800 --> 00:00:34.700
Our electrical grid and food supplies weren’t built to withstand a fighter jet bombing them

00:00:34.700 --> 00:00:39.850
but should they be built to withstand a nation state actor trying to hack into them and destroy

00:00:39.850 --> 00:00:42.150
them? Maybe.

00:00:42.150 --> 00:00:50.540
JACK (INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet.

00:00:50.540 --> 00:00:54.950
I’m Jack Rhysider.

00:00:54.950 --> 00:00:58.829
This is Darknet Diaries.

00:00:58.829 --> 00:01:03.780
[INTRO MUSIC ENDS]

00:01:03.780 --> 00:01:13.670
JACK: So you know what’s funny?

00:01:13.670 --> 00:01:17.670
Not too long ago we heard the news that Apple was the first company to have a net worth

00:01:17.670 --> 00:01:19.160
of one trillion dollars.

00:01:19.160 --> 00:01:21.210
It’s funny ‘cause it’s not true.

00:01:21.210 --> 00:01:25.140
Apple’s worth that much but it’s not the first company to be worth one trillion dollars.

00:01:25.140 --> 00:01:28.729
There’s another company that’s worth two to ten times more than Apple.

00:01:28.729 --> 00:01:30.729
What is it? Saudi Aramco.

00:01:30.729 --> 00:01:35.740
You may not ever have heard of Saudi Aramco before and neither did I until I started researching

00:01:35.740 --> 00:01:38.580
this story and that’s because they don’t sell to consumers.

00:01:38.580 --> 00:01:42.840
Instead they sell to manufacturers and distributors so what do they do?

00:01:42.840 --> 00:01:46.640
Saudi Aramco is one of the largest oil and natural gas producers in the world.

00:01:46.640 --> 00:01:49.150
It controls massive amounts of oil reserves.

00:01:49.150 --> 00:01:51.220
It drills it and ships it all over the world.

00:01:51.220 --> 00:01:56.670
Saudi Aramco may be the most profitable company in existence and produces 25% of the global

00:01:56.670 --> 00:01:57.670
oil.

00:01:57.670 --> 00:02:00.979
It’s not a publicly traded company though, so we really don’t know how much it’s

00:02:00.979 --> 00:02:01.979
worth.

00:02:01.979 --> 00:02:06.400
Because Saudi Aramco is huge and operating globally, it has a lot of computers.

00:02:06.400 --> 00:02:10.649
There are pump stations, plants, shipping terminals, logistics centers, laboratories,

00:02:10.649 --> 00:02:12.680
research and development centers, and storage facilities.

00:02:12.680 --> 00:02:15.010
Let’s not forget the teams it takes to run it.

00:02:15.010 --> 00:02:18.939
There’s an HR department, IT department, marketing, truck drivers, mechanics, engineers,

00:02:18.939 --> 00:02:21.909
public relations, finance, drilling teams, and advisors.

00:02:21.909 --> 00:02:27.379
Add all that up and Saudi Aramco has over 50,000 employees.

00:02:27.379 --> 00:02:32.019
Imagine how many computers there are at a company that has 50,000 employees.

00:02:32.019 --> 00:02:35.430
Not only do a lot of them have individual computers to work on but there’s a lot of

00:02:35.430 --> 00:02:40.319
servers; domain controllers, e-mail servers, SharePoint systems, file servers, and more.

00:02:40.319 --> 00:02:44.769
In 2012 Saudi Aramco had over 40,000 computers in their network worldwide.

00:02:44.769 --> 00:02:50.590
Now I say 2012 because that was when the most profitable company in the world was hit with

00:02:50.590 --> 00:02:57.140
the most devastating cyber-attack any company has ever seen.

00:02:57.140 --> 00:03:00.989
To really get into this attack I brought in Chris Kubecka and we’ll understand more

00:03:00.989 --> 00:03:05.109
about her and her role in this attack later but for now we’ll have her explain what

00:03:05.109 --> 00:03:06.109
happened.

00:03:06.109 --> 00:03:11.870
CHRIS: Saudi Aramco, like any other oil and gas and energy company, their primary jewels,

00:03:11.870 --> 00:03:16.329
what makes them money, is their industrial control systems pumping out oil and crude

00:03:16.329 --> 00:03:17.610
out of the ground.

00:03:17.610 --> 00:03:22.959
When your primary profit is driven by that, that’s where you put your security, that’s

00:03:22.959 --> 00:03:24.919
where you put your attention.

00:03:24.919 --> 00:03:30.689
Unfortunately they did not put very much of any real attention on the IT side.

00:03:30.689 --> 00:03:36.059
However, what happens is IT and industrial control systems are connected.

00:03:36.059 --> 00:03:40.809
In the case of Aramco and at that time, it was okay for an extremely flat network across

00:03:40.809 --> 00:03:41.809
all of that.

00:03:41.809 --> 00:03:46.089
JACK: Think of a flat network like the hull of a ship but it’s just one big empty space

00:03:46.089 --> 00:03:50.219
in the hull, so if the boat hit a rock and made a hole in the hull, the water would fill

00:03:50.219 --> 00:03:53.169
up the entire hull and sink the ship.

00:03:53.169 --> 00:03:57.560
But some boats are designed with compartmentalized hulls so if water were to get into one section

00:03:57.560 --> 00:04:02.119
of the hull it couldn’t possibly fill up the rest of the boat and still stay afloat.

00:04:02.119 --> 00:04:06.180
In your network it’s good practice to compartmentalize it so if a hacker gets into one section of

00:04:06.180 --> 00:04:10.930
the network they only have access to that section and in the case of Saudi Aramco, because

00:04:10.930 --> 00:04:16.289
their network was flat, once you got into any part of the network you could get to anything,

00:04:16.289 --> 00:04:17.289
anywhere.

00:04:17.289 --> 00:04:24.220
CHRIS: Saudi Aramco has offices and locations 60 plus around the world in far flung locations.

00:04:24.220 --> 00:04:29.090
There’s one location you have to take a ferry for eight hours in Indonesia to go to

00:04:29.090 --> 00:04:30.669
an island.

00:04:30.669 --> 00:04:35.010
The attack hit in August but they had already gotten into the systems around April to May.

00:04:35.010 --> 00:04:37.780
JACK: The attackers likely got in through a phishing e-mail.

00:04:37.780 --> 00:04:41.730
This is where they’d send a specific employee an e-mail with an interesting attachment or

00:04:41.730 --> 00:04:42.730
link.

00:04:42.730 --> 00:04:45.580
Since the employees had no security training, it was probably not that hard to get one of

00:04:45.580 --> 00:04:48.349
them to click a link or open an attachment.

00:04:48.349 --> 00:04:51.919
The other part of this equation is that the employee’s computer had to not be fully

00:04:51.919 --> 00:04:52.919
patched.

00:04:52.919 --> 00:04:56.199
For instance, the attackers would hope they’re running an older version of Microsoft Word

00:04:56.199 --> 00:04:59.580
or Adobe Acrobat that has known vulnerabilities.

00:04:59.580 --> 00:05:03.169
When the user would open the Word document, the file would attempt to exploit

00:05:03.169 --> 00:05:06.340
one of these known vulnerabilities to gain access to the computer.

00:05:06.340 --> 00:05:10.370
If successful, it would open up a reverse terminal back to the attacker.

00:05:10.370 --> 00:05:14.290
When the attackers got into Saudi Aramco, they were able to move around with ease.

00:05:14.290 --> 00:05:15.599
This is the problem with a flat network.

00:05:15.599 --> 00:05:19.629
Their next step is to gain access to a system that communicates to all the other computers

00:05:19.629 --> 00:05:21.770
in the network, a domain controller.

00:05:21.770 --> 00:05:26.220
The system is used for authentication onto the network and it provides a map so computers

00:05:26.220 --> 00:05:28.080
can find other computers.

00:05:28.080 --> 00:05:33.110
The attackers focused on these domain controllers but these systems were not very secure.

00:05:33.110 --> 00:05:39.550
CHRIS: [MUSIC] Because of extremely weak infrastructure you could reset a domain administrator password

00:05:39.550 --> 00:05:43.310
on the internal system of their HTTP, so completely clear text.

00:05:43.310 --> 00:05:47.320
That’s a domain administrator password so that gives you an idea.

00:05:47.320 --> 00:05:52.030
JACK: At this point the attackers had access to Saudi Aramco’s network and had administrative

00:05:52.030 --> 00:05:56.349
privileges to the domain controllers, essentially giving them keys to the kingdom.

00:05:56.349 --> 00:06:02.810
CHRIS: Now what was unusual was the Houston Operation Center had actually picked up on

00:06:02.810 --> 00:06:05.050
unusual activity.

00:06:05.050 --> 00:06:10.499
Even though they had no security people they thought it was unusual for 250 different devices

00:06:10.499 --> 00:06:15.889
to be logged in at the same time by the one domain administrator.

00:06:15.889 --> 00:06:22.669
They were picking up on highly suspect activity.

00:06:22.669 --> 00:06:27.009
Because they didn’t know perhaps how to phrase it, and perhaps it was not well-accepted

00:06:27.009 --> 00:06:29.910
Saudi, there was not an incident created.

00:06:29.910 --> 00:06:34.900
At the time, the person who ran the security operation center decided, it was his opinion;

00:06:34.900 --> 00:06:38.840
he would not open an incident for the report from Houston.

00:06:38.840 --> 00:06:43.219
JACK: Now that the attackers had the crown jewels of the network and nobody was going

00:06:43.219 --> 00:06:47.139
to stop them, they spent the next three months building their perfect attack.

00:06:47.139 --> 00:06:52.440
At this point in 2012 August rolls around, which seems to be the perfect time to attack

00:06:52.440 --> 00:06:53.449
Saudi Aramco.

00:06:53.449 --> 00:06:56.479
What’s special about August 2012 in Saudi Arabia?

00:06:56.479 --> 00:06:58.599
It’s the holy month of Ramadan.

00:06:58.599 --> 00:07:03.110
In the US, offices are almost completely empty around Christmastime and that’s what it’s

00:07:03.110 --> 00:07:04.599
like during Ramadan in Saudi Arabia.

00:07:04.599 --> 00:07:08.810
CHRIS: It was a typical company policy that that was the slow period.

00:07:08.810 --> 00:07:14.699
The majority of Muslim staff believes what’s usually left, or what at the time was usually

00:07:14.699 --> 00:07:17.919
left, was a skeleton crew of Western staff at the most.

00:07:17.919 --> 00:07:22.129
JACK: This would be the perfect time to wage an attack against the company to do the most

00:07:22.129 --> 00:07:23.129
damage.

00:07:23.129 --> 00:07:26.240
There would be nobody to stop it and the reaction time would be very delayed.

00:07:26.240 --> 00:07:27.639
That’s just what happened.

00:07:27.639 --> 00:07:32.669
On the 15th of August a warning was sent but it would be a warning that Saudi Aramco would

00:07:32.669 --> 00:07:33.669
not notice.

00:07:33.669 --> 00:07:40.590
CHRIS: [MUSIC] The day of the attack at 9:08 a.m. a Pastebin was posted up that said we,

00:07:40.590 --> 00:07:46.270
the internet users of the world, are bringing basically to the world’s attention that

00:07:46.270 --> 00:07:50.159
there is blood on your hands, the regimes of Saudi Arabia and all this.

00:07:50.159 --> 00:07:55.300
But we know how you fund your regime is through Saudi Aramco so what we have done is we have

00:07:55.300 --> 00:08:02.129
attacked European computer systems to get into the Saudi Aramco systems and have destroyed

00:08:02.129 --> 00:08:04.419
30,000 computers.

00:08:04.419 --> 00:08:07.729
It will go off in two hours.

00:08:07.729 --> 00:08:13.720
JACK: The Pastebin was signed by someone calling themselves The Cutting Sword of Justice and

00:08:13.720 --> 00:08:15.849
Saudi Aramco didn’t get the message.

00:08:15.849 --> 00:08:19.069
They weren’t scouring Pastebin looking for things like this and their staff was mostly

00:08:19.069 --> 00:08:24.169
gone anyway so this warning was never received, so they had no idea this was coming.

00:08:24.169 --> 00:08:28.309
CHRIS: At 11:08 a.m. things started shutting down.

00:08:28.309 --> 00:08:34.839
JACK: At the exact same time, all across the Saudi Aramco office, computers were starting

00:08:34.839 --> 00:08:37.289
to display burning American flags.

00:08:37.289 --> 00:08:42.479
Each computer was corrupted with a nasty virus set to delete everything on that system.

00:08:42.479 --> 00:08:47.350
CHRIS: Because what was happening is the wiper virus that got into it, when it would eventually

00:08:47.350 --> 00:08:51.510
get down to some of the Windows files that were pertinent and the master boot record,

00:08:51.510 --> 00:08:56.550
it would then force a shut down and if you tried to restart it you lost your master boot

00:08:56.550 --> 00:09:01.070
record so you couldn’t immediately pull everything back up.

00:09:01.070 --> 00:09:02.600
Things started shutting down.

00:09:02.600 --> 00:09:06.590
JACK: This wiper virus would be known as the Shamoon virus.

00:09:06.590 --> 00:09:11.290
CHRIS: It was a logic bomb set to go off at a particular time on a particular day.

00:09:11.290 --> 00:09:16.310
JACK: A logic bomb is a virus or program that’s set to trigger when a certain condition occurs.

00:09:16.310 --> 00:09:21.860
This logic bomb was set to trigger at 11:08 a.m. on August 15, 2012, with the instructions

00:09:21.860 --> 00:09:26.010
to wipe the hard drives, rendering them unusable.

00:09:26.010 --> 00:09:30.630
Since the network was flat and not very secure, a lot of computers were hit with this logic

00:09:30.630 --> 00:09:31.630
bomb.

00:09:31.630 --> 00:09:33.029
CHRIS: About 35,000 systems.

00:09:33.029 --> 00:09:36.740
85% of their IT infrastructure was taken out.

00:09:36.740 --> 00:09:44.250
JACK: 35,000 computers had become completely unusable all at the same time.

00:09:44.250 --> 00:09:48.740
[MUSIC] This is the most destructive malware to ever hit a single company.

00:09:48.740 --> 00:09:53.089
If you lined up 35,000 computers in a row, it would be six miles of computers.

00:09:53.089 --> 00:09:56.970
When you tried to reboot the computer it would simply say Operating System Not Found because

00:09:56.970 --> 00:10:00.080
it had been completely wiped.

00:10:00.080 --> 00:10:03.060
Imagine if something like this happened where you work, where everyone’s

00:10:03.060 --> 00:10:05.000
computers were suddenly unusable.

00:10:05.000 --> 00:10:09.779
This isn’t just a network down or an e-mail down; everyone’s computers wouldn’t boot

00:10:09.779 --> 00:10:10.779
at all.

00:10:10.779 --> 00:10:12.259
There was no operating system.

00:10:12.259 --> 00:10:13.279
All saved files were gone.

00:10:13.279 --> 00:10:17.980
All software was deleted and many of the backup servers were obliterated, too.

00:10:17.980 --> 00:10:20.870
This was devastating.

00:10:20.870 --> 00:10:23.740
This virus specifically targeted machines running Windows.

00:10:23.740 --> 00:10:30.290
CHRIS: Anything connected to them that relies on them like Windows DNS, Windows DHCP, the

00:10:30.290 --> 00:10:36.399
VoIP that would also rely on any Windows server, Windows backup servers, the auto truck loading

00:10:36.399 --> 00:10:42.570
system, and the payment systems also were inoperable as well as all the middleware so

00:10:42.570 --> 00:10:45.069
they couldn’t access contracts.

00:10:45.069 --> 00:10:51.500
In addition they had gone to green and fully digital so all of their contact lists, people

00:10:51.500 --> 00:10:54.690
that they could call were on SharePoint, they didn’t even have SharePoint.

00:10:54.690 --> 00:10:56.150
They had no employee list.

00:10:56.150 --> 00:10:58.130
They couldn’t even look at a roster.

00:10:58.130 --> 00:11:00.209
JACK: There were no e-mails.

00:11:00.209 --> 00:11:01.209
Phones didn’t work.

00:11:01.209 --> 00:11:04.300
There were no shared data sources like SharePoint or file servers.

00:11:04.300 --> 00:11:08.089
This was a massive disruption to the most profitable company in the world.

00:11:08.089 --> 00:11:14.040
85% of their computers were down permanently.

00:11:14.040 --> 00:11:18.610
But this virus did not attack the industrial control systems found at pumping plants, pipelines,

00:11:18.610 --> 00:11:19.610
or drilling sites.

00:11:19.610 --> 00:11:22.480
Oil production was still completely operable.

00:11:22.480 --> 00:11:26.681
That’s because the company focused their security on these systems but also, the attack

00:11:26.681 --> 00:11:28.760
did not target industrial systems.

00:11:28.760 --> 00:11:32.941
But the problem was there were no computers to say who to ship the oil to or where it

00:11:32.941 --> 00:11:33.941
was supposed to go.

00:11:33.941 --> 00:11:38.709
They had no contact information for anyone either to notify customers of the outage.

00:11:38.709 --> 00:11:42.620
At this point Saudi Aramco was scrambling to figure out what had happened and they were

00:11:42.620 --> 00:11:46.970
afraid this virus would spread to more systems and take out oil production.

00:11:46.970 --> 00:11:50.740
Emergency meetings were being set up like war rooms in the Aramco offices.

00:11:50.740 --> 00:11:52.610
The CEO was also present.

00:11:52.610 --> 00:11:56.430
As they realized the size of this destruction, an extreme decision was made.

00:11:56.430 --> 00:12:00.310
CHRIS: They rapidly started unplugging everything.

00:12:00.310 --> 00:12:04.990
They took the decision – they did not want it to spread so they decided a very severe

00:12:04.990 --> 00:12:10.699
decision and I think the first time ever, Saudi Aramco completely disconnected themselves

00:12:10.699 --> 00:12:18.029
from the internet which also had other consequences such as when you’re dealing with industrial

00:12:18.029 --> 00:12:25.160
control systems, say Honeywell or Siemens, they remotely monitor and maintain that equipment

00:12:25.160 --> 00:12:26.760
under their maintenance contracts.

00:12:26.760 --> 00:12:31.350
They were also disconnected because they did not want anything to spread or for them to

00:12:31.350 --> 00:12:33.180
be the pivot point to anyone else.

00:12:33.180 --> 00:12:37.730
JACK: The CEO made the decision to take one of the largest companies in the world offline.

00:12:37.730 --> 00:12:41.200
This is never an easy decision to make but is probably the right one.

00:12:41.200 --> 00:12:45.740
On one hand, shutting down like this has potential worldwide effects and can cost the company

00:12:45.740 --> 00:12:47.470
tons of money.

00:12:47.470 --> 00:12:51.360
But on the other hand, not shutting down is potentially more severe and can potentially

00:12:51.360 --> 00:12:52.920
cause even more loss of money.

00:12:52.920 --> 00:12:58.529
CHRIS: Saudi Aramco provides about 25% of the world’s energy.

00:12:58.529 --> 00:13:04.190
So what would happen if 25% of the world’s oil market is taken out in one day?

00:13:04.190 --> 00:13:08.610
JACK: This is why this story scares me; a single hack like this has the potential to

00:13:08.610 --> 00:13:10.709
wreak havoc on the world.

00:13:10.709 --> 00:13:14.460
Imagine if gas prices quadrupled overnight or imagine if there was a worldwide shortage

00:13:14.460 --> 00:13:17.230
of petroleum-based products like plastics or fertilizer?

00:13:17.230 --> 00:13:21.980
The reverberating effects of this one incident could put the globe in a panic.

00:13:21.980 --> 00:13:27.190
CHRIS: In addition, Qatar, the country, their national oil company is called RasGas.

00:13:27.190 --> 00:13:33.440
RasGas was also affected and disrupted in a similar manner but they do not discuss it

00:13:33.440 --> 00:13:35.910
whatsoever.

00:13:35.910 --> 00:13:40.019
They have about 14% of the world’s energy market, especially with natural gas.

00:13:40.019 --> 00:13:44.569
You couple that with Saudi Aramco, 25% of the world’s energy, that’s in a two week

00:13:44.569 --> 00:13:47.569
time period.

00:13:47.569 --> 00:13:49.510
That was the risk to the rest of the world.

00:13:49.510 --> 00:13:51.279
It could have obliterated financial markets.

00:13:51.279 --> 00:13:55.411
JACK: Strangely enough, when Qatar’s oil company was hit with the same virus, their

00:13:55.411 --> 00:13:59.740
version did not have a burning American flag on it which raises a lot of questions.

00:13:59.740 --> 00:14:04.550
But these two companies combined supplied 40% of the world’s oil and natural gas.

00:14:04.550 --> 00:14:12.829
Whoever waged this attack was trying to cause financial ruin to a lot of people and companies.

00:14:12.829 --> 00:14:20.430
[MUSIC] When the Shamoon logic bomb hit Saudi Aramco it took out a huge portion of their

00:14:20.430 --> 00:14:24.380
computers but didn’t impact their drilling sites or pipelines.

00:14:24.380 --> 00:14:27.560
The scene was chaotic there, and confusing.

00:14:27.560 --> 00:14:31.600
Nobody knew what trucks to load up with what oil and where to send it so the decision was

00:14:31.600 --> 00:14:35.420
made to load up any trucks with any oil you had and ship it out.

00:14:35.420 --> 00:14:39.350
Oil continued to flow to supply the world even if it meant giving it away free, which

00:14:39.350 --> 00:14:40.990
is what they did at times.

00:14:40.990 --> 00:14:45.449
But because of the chaos and outages it was really slow filling their trucks up.

00:14:45.449 --> 00:14:48.810
Saudi Aramco made a public Facebook post announcing the attack.

00:14:48.810 --> 00:14:49.810
It said…

00:14:49.810 --> 00:14:55.680
CHRIS: We are suffering from some sort of digital or cyber-attack and we have chosen

00:14:55.680 --> 00:15:02.620
to disconnect from our business operations and production from the internet.

00:15:02.620 --> 00:15:04.920
At that point in time you could not send an e-mail to them.

00:15:04.920 --> 00:15:06.779
It kept bouncing back.

00:15:06.779 --> 00:15:09.339
It just snowballed from there.

00:15:09.339 --> 00:15:13.629
JACK: As the company scrambled to understand the impact and get things operational again,

00:15:13.629 --> 00:15:14.910
they knew they needed more help.

00:15:14.910 --> 00:15:19.220
They simply didn’t have a good security IT team to handle this kind of incident.

00:15:19.220 --> 00:15:23.759
Before this attack in 2012, Saudi Arabia simply didn’t take security very seriously.

00:15:23.759 --> 00:15:27.060
There were no government branches focusing on cyber-defense.

00:15:27.060 --> 00:15:30.350
They had a Saudi CERT but it was crude and inefficient.

00:15:30.350 --> 00:15:34.420
When the government ignores the importance of security it trickles down to many other

00:15:34.420 --> 00:15:36.770
companies within the country.

00:15:36.770 --> 00:15:40.100
Security simply wasn’t a big industry in Saudi Arabia at the time.

00:15:40.100 --> 00:15:43.950
Saudi Aramco was trying to hire as many security consultants as they could but they ran out

00:15:43.950 --> 00:15:48.269
of people quick, so they started hiring vendors but there were problems with this too and

00:15:48.269 --> 00:15:49.930
they needed even more help than that.

00:15:49.930 --> 00:15:54.300
They decided they needed an outsider, someone who’s secured global networks before and

00:15:54.300 --> 00:15:56.829
someone who they could hire to be part of the Aramco team.

00:15:56.829 --> 00:15:58.769
That’s when they called Chris Kubecka.

00:15:58.769 --> 00:16:01.750
CHRIS: [MUSIC] Yes, they called me out of the blue.

00:16:01.750 --> 00:16:08.509
It was very odd because I had never imagined myself working for that type of organization.

00:16:08.509 --> 00:16:12.089
I was coming back from a holiday from Tanzania.

00:16:12.089 --> 00:16:17.779
I was transiting in Istanbul and I was hoping that I could get in the lounge ‘cause I

00:16:17.779 --> 00:16:19.970
was so tired, good food.

00:16:19.970 --> 00:16:26.600
My phone rang and usually I won’t answer my phone when roaming but I did anyway.

00:16:26.600 --> 00:16:30.959
They’re like hey, this is Aramco.

00:16:30.959 --> 00:16:32.360
We would like to talk to you.

00:16:32.360 --> 00:16:33.560
We would like to hire you.

00:16:33.560 --> 00:16:34.610
I’m like, okay?

00:16:34.610 --> 00:16:38.149
‘Cause I’m not sure that this is a legitimate call at this point.

00:16:38.149 --> 00:16:39.270
It’s out of the blue.

00:16:39.270 --> 00:16:41.139
I’ve never applied for that.

00:16:41.139 --> 00:16:44.110
I’m like alright, so tell me about the role.

00:16:44.110 --> 00:16:48.259
They’re like well, Aramco, we’ve been under attack and we need to get all of our

00:16:48.259 --> 00:16:50.879
security ramped up as quickly as possible.

00:16:50.879 --> 00:16:52.720
I’m like, okay.

00:16:52.720 --> 00:16:57.060
JACK: Chris Kubecka is a well-connected, respected, and experienced security professional.

00:16:57.060 --> 00:17:01.110
She’s given a few talks at various conferences around Europe which is how Saudi Aramco knew

00:17:01.110 --> 00:17:03.480
of her, but her profile is very impressive.

00:17:03.480 --> 00:17:07.470
She’s been using computers since she was a young child and then joined the US Air Force

00:17:07.470 --> 00:17:11.900
and then joined the US Space Command to work on communications systems to space.

00:17:11.900 --> 00:17:15.230
From there she did consulting work and started leading security teams and eventually worked

00:17:15.230 --> 00:17:19.410
her way over to being a security consultant for a very large financial services company

00:17:19.410 --> 00:17:21.940
in the Netherlands which is where she was living.

00:17:21.940 --> 00:17:25.640
She is experienced with securing large networks and handling large-scale incidents.

00:17:25.640 --> 00:17:29.100
Throughout all this Chris had gathered a lot of connections and made a lot of friends in

00:17:29.100 --> 00:17:33.130
the security industry; not to mention her global experience that she’s had traveling

00:17:33.130 --> 00:17:36.020
the world and even picking up a few languages on the way.

00:17:36.020 --> 00:17:39.430
Choosing her for this role of bringing one of the largest companies in the world back

00:17:39.430 --> 00:17:41.860
online was a good choice.

00:17:41.860 --> 00:17:47.190
The problem was Chris already had a job leading the security team for a large financial services

00:17:47.190 --> 00:17:51.460
company in the Netherlands so she wasn’t interested in another job.

00:17:51.460 --> 00:17:55.050
CHRIS: They go well, we just need to know a price.

00:17:55.050 --> 00:17:57.420
Can you give us a price?

00:17:57.420 --> 00:18:03.150
I go okay; picked a price which I didn’t think that they would agree to and I said

00:18:03.150 --> 00:18:04.150
here’s my price.

00:18:04.150 --> 00:18:06.050
He goes we’ll get back to you.

00:18:06.050 --> 00:18:07.050
Okay.

00:18:07.050 --> 00:18:09.470
I was like, that’s an odd phone call.

00:18:09.470 --> 00:18:12.600
JACK: Chris literally pulled a number out of the air, one that was much higher than

00:18:12.600 --> 00:18:14.340
she would expect anyone to accept.

00:18:14.340 --> 00:18:20.320
CHRIS: They called me back a week and a half later and said well, the board was convened

00:18:20.320 --> 00:18:22.540
and they actually raised your price by 20%.

00:18:22.540 --> 00:18:23.680
I’m like, the board?

00:18:23.680 --> 00:18:27.640
Yes, the Saudi Aramco board.

00:18:27.640 --> 00:18:31.680
It was about that time that I kind of realized that that was the most powerful organization

00:18:31.680 --> 00:18:37.410
in the world and they convened a board and gave me an additional bump up from what I

00:18:37.410 --> 00:18:40.410
had asked for and they definitely wanted me.

00:18:40.410 --> 00:18:44.620
It was also at that point I said I know my name is Chris, I know I don’t have a very

00:18:44.620 --> 00:18:48.180
high voice but you do know I’m a woman, right?

00:18:48.180 --> 00:18:51.130
They’re like yes, yes, yes, we do, we do!

00:18:51.130 --> 00:18:53.630
I’m like, okay.

00:18:53.630 --> 00:18:55.570
I go, I have a position.

00:18:55.570 --> 00:18:59.150
They go well, don’t say no.

00:18:59.150 --> 00:19:00.150
Just say maybe.

00:19:00.150 --> 00:19:01.820
I go okay.

00:19:01.820 --> 00:19:05.890
JACK: Chris listened to the Saudi Aramco team and heard firsthand the total destruction

00:19:05.890 --> 00:19:07.070
that was caused.

00:19:07.070 --> 00:19:09.700
The recruiters were so happy she was considering the role.

00:19:09.700 --> 00:19:14.770
CHRIS: They had basically said you can hire whoever you want, you can basically have an

00:19:14.770 --> 00:19:20.700
unlimited budget, they can have 20,000 euros every year for training so that they’re

00:19:20.700 --> 00:19:22.470
always trained up.

00:19:22.470 --> 00:19:29.710
I was very excited to be able to build a world-class team to tackle this chaos.

00:19:29.710 --> 00:19:34.650
I thought it was a fantastic opportunity, which it was.

00:19:34.650 --> 00:19:39.950
JACK: [MUSIC] Chris took the job and got right to work building her team.

00:19:39.950 --> 00:19:41.830
She pulled out her contact list and began recruiting.

00:19:41.830 --> 00:19:45.530
It’s hard to find good security talent today because there aren’t enough talented people

00:19:45.530 --> 00:19:47.640
to go around and all the good ones are taken.

00:19:47.640 --> 00:19:50.960
But with a massive budget, lots of training dollars, and the excitement of working on

00:19:50.960 --> 00:19:54.540
one of the largest hacks in history, she was able to find some pretty great people.

00:19:54.540 --> 00:20:00.130
CHRIS: I looked for all the rock stars that I had already written up on a bit of a dream

00:20:00.130 --> 00:20:03.120
list and I got seven out of ten.

00:20:03.120 --> 00:20:07.060
JACK: One of the biggest incentives was that massive training budget for each analyst.

00:20:07.060 --> 00:20:11.070
This alone is a great lure, since most security professionals are excited to learn about latest

00:20:11.070 --> 00:20:16.110
technology so knowing that the company is going to invest in their expertise was exciting.

00:20:16.110 --> 00:20:20.180
Not only that, but she also gave each person 10% of their time to work on their own projects.

00:20:20.180 --> 00:20:24.560
When you have really talented people sitting around with free time in their hands, they

00:20:24.560 --> 00:20:26.650
end up making tools that make the team more effective.

00:20:26.650 --> 00:20:34.920
CHRIS: Many of these folks also spoke multiple languages so I had Dutch, Romanian, Cypriots,

00:20:34.920 --> 00:20:40.380
I had Indian, I had Italian.

00:20:40.380 --> 00:20:44.630
JACK: When defending a global company such as this, you need many languages in your security

00:20:44.630 --> 00:20:49.020
staff to be able to communicate effectively between organizations and teams but also be

00:20:49.020 --> 00:20:51.400
able to identify threats in various regions.

00:20:51.400 --> 00:20:55.460
When Chris assembled a team she made it a point to not overwork anyone and give everyone

00:20:55.460 --> 00:20:56.510
adequate breaks.

00:20:56.510 --> 00:21:01.410
Her average work week was 36 hours per week and this made them less stressed and excited

00:21:01.410 --> 00:21:02.410
to get back to work.

00:21:02.410 --> 00:21:07.200
CHRIS: I always had rested alert analysts and they enjoyed what they did.

00:21:07.200 --> 00:21:09.120
They got to do projects that were related.

00:21:09.120 --> 00:21:11.920
They were doing fantastic things.

00:21:11.920 --> 00:21:17.750
They were able to not feel constrained and they were always taught on the newest and

00:21:17.750 --> 00:21:18.750
greatest stuff.

00:21:18.750 --> 00:21:23.680
I did not want a group of analysts who had training from last year looking at today’s

00:21:23.680 --> 00:21:25.370
threats because that just doesn’t work.

00:21:25.370 --> 00:21:34.780
Our threat actors are nation state, cyber-criminal, hacktivists, anything and everything in between.

00:21:34.780 --> 00:21:37.440
Our threat profile is extremely high.

00:21:37.440 --> 00:21:42.530
We needed the best of the best, not someone who got a CERT five years ago and hasn’t

00:21:42.530 --> 00:21:43.530
taken a course since.

00:21:43.530 --> 00:21:47.030
JACK: While Chris was busy building her team and getting them up to speed, Saudi Aramco

00:21:47.030 --> 00:21:49.000
had begun rebuilding the infrastructure.

00:21:49.000 --> 00:21:53.660
CHRIS: Basically what they did was, they have so much money and they also own the largest

00:21:53.660 --> 00:21:56.150
private fleet of aircraft.

00:21:56.150 --> 00:22:01.880
They sent their private fleet to the factory lines in Southeast Asia to buy up the world’s

00:22:01.880 --> 00:22:06.420
supply of hard drives immediately to replace all the hard drives at Saudi Aramco.

00:22:06.420 --> 00:22:10.510
JACK: Some of the hard drives were slightly damaged from this attack and the company didn’t

00:22:10.510 --> 00:22:15.040
want to reformat them and start over because maybe they could recover some data on them.

00:22:15.040 --> 00:22:19.930
Since Saudi Aramco had enough money they just decided to buy tons of hard drives as fast

00:22:19.930 --> 00:22:21.180
as they could.

00:22:21.180 --> 00:22:23.540
This took months to fully purchase the number they needed.

00:22:23.540 --> 00:22:28.080
CHRIS: It was 85% of their IT infrastructure which you’re also talking about backup servers,

00:22:28.080 --> 00:22:29.450
all of this type of stuff.

00:22:29.450 --> 00:22:34.780
You’re talking about many more than 35,000 hard drives, for instance.

00:22:34.780 --> 00:22:36.790
JACK: That’s a lot of hard drives.

00:22:36.790 --> 00:22:40.960
A single manufacturer could not produce that many hard drives to fulfill the demand so

00:22:40.960 --> 00:22:45.170
Saudi Aramco would fly their jets to a few different manufacturers at once to get them

00:22:45.170 --> 00:22:47.590
as soon as they came off the factory floor.

00:22:47.590 --> 00:22:51.540
As if this wasn’t bad enough for the world’s supply of hard drives, at the same time, a

00:22:51.540 --> 00:22:55.300
massive typhoon hit Asia, halting production for some of the hard drive facilities.

00:22:55.300 --> 00:23:03.710
CHRIS: If you bought a hard drive between September 2012 and January 2013 you will notice

00:23:03.710 --> 00:23:08.360
that there was a rise in worldwide hard drive prices because Saudi Aramco bought the supply

00:23:08.360 --> 00:23:13.400
and everyone else was paying a tax, basically.

00:23:13.400 --> 00:23:18.090
JACK: Chris was based in a city in the Netherlands called The Hague and this is where she built

00:23:18.090 --> 00:23:19.600
the security operation center.

00:23:19.600 --> 00:23:23.880
Immediately she knew she needed to integrate her team into the Saudi Aramco culture so

00:23:23.880 --> 00:23:28.320
she began rotating each of her analysts to go work in Saudi Arabia for a while.

00:23:28.320 --> 00:23:32.160
In exchange, she’d get someone from IT from Saudi Arabia to come work in her operations

00:23:32.160 --> 00:23:33.680
center in The Hague.

00:23:33.680 --> 00:23:37.380
She didn’t want a repeat of how Houston, Texas detected this attack four months earlier

00:23:37.380 --> 00:23:39.960
but couldn’t communicate it effectively to Aramco.

00:23:39.960 --> 00:23:42.970
Integrating her team into the culture was a great success.

00:23:42.970 --> 00:23:45.870
Her first task was to gain visibility into the network.

00:23:45.870 --> 00:23:49.230
CHRIS: [MUSIC] Because otherwise you can’t see if another attack is coming through.

00:23:49.230 --> 00:23:55.540
That was a huge challenge because there was a whole segment where there was zero visibility

00:23:55.540 --> 00:23:57.040
and that was a huge issue.

00:23:57.040 --> 00:24:01.030
That was number one, absolute number one.

00:24:01.030 --> 00:24:07.250
Number two was looking at the best practices because my team, the minimum level of experience

00:24:07.250 --> 00:24:11.130
in the SOC was five years so all of us were highly experienced.

00:24:11.130 --> 00:24:13.780
We were bringing over best practices.

00:24:13.780 --> 00:24:19.230
In the mix there were a lot of foreign contractors who were put into roles until the Saudi people

00:24:19.230 --> 00:24:22.370
could get up to their capabilities.

00:24:22.370 --> 00:24:26.980
JACK: Chris and her team began triaging the network to make it more secure.

00:24:26.980 --> 00:24:31.520
They did things like audit the network, help IT secure systems better, monitor for attacks,

00:24:31.520 --> 00:24:33.210
and harden the network.

00:24:33.210 --> 00:24:37.370
While Chris’ role was important there were many other security teams worldwide also helping

00:24:37.370 --> 00:24:38.850
to resolve this incident.

00:24:38.850 --> 00:24:42.520
Both internal and external people were helping to get things back on track.

00:24:42.520 --> 00:24:47.910
In fact even a few other countries helped out to get things operational again.

00:24:47.910 --> 00:24:52.750
At this point oil trucks started getting backed up at pumping stations and drill sites, like

00:24:52.750 --> 00:24:54.080
ridiculous backups.

00:24:54.080 --> 00:24:58.000
Picture the worst traffic backup you’ve ever seen and that was the situation.

00:24:58.000 --> 00:25:00.950
A journalist saw this and took a picture of an endless number of trucks [00:25:00] in

00:25:00.950 --> 00:25:04.530
a row with no oil and wondered what was going on here.

00:25:04.530 --> 00:25:09.400
At this point the news was starting to spread that Aramco was hit hard with something big.

00:25:09.400 --> 00:25:15.530
CHRIS: [MUSIC] The attackers continued to attack the infrastructure and Saudi Aramco

00:25:15.530 --> 00:25:19.860
had to disconnect from the internet three times.

00:25:19.860 --> 00:25:23.420
They thought that they were up, they got everything up and running, and then the attackers launched

00:25:23.420 --> 00:25:26.820
a massive DDoS attack against them.

00:25:26.820 --> 00:25:32.550
Then at the same time, they were able to get back in again because when they had first

00:25:32.550 --> 00:25:39.870
put up the first better security appliances on the perimeter, I’m not sure who did this,

00:25:39.870 --> 00:25:44.630
I think it was one of their contractors, had left some of the stuff with default usernames

00:25:44.630 --> 00:25:47.650
and passwords on the network and security appliances.

00:25:47.650 --> 00:25:51.290
The attackers were able to get back in, briefly.

00:25:51.290 --> 00:25:57.610
They posted this because it was very taunting and they were able to get the new password

00:25:57.610 --> 00:26:02.460
and e-mail address for the CEO of Saudi Aramco and the executive board and they pasted it

00:26:02.460 --> 00:26:06.030
on Pastebin and said we’re not through with you yet.

00:26:06.030 --> 00:26:10.530
JACK: This Pastebin was also signed by The Cutting Sword of Justice.

00:26:10.530 --> 00:26:14.240
This is when Saudi Aramco started noticing not only this Pastebin but also the previous

00:26:14.240 --> 00:26:16.520
ones posted on the day of the attack.

00:26:16.520 --> 00:26:20.300
Chris and her team continued to defend the network and find any vulnerabilities and patch

00:26:20.300 --> 00:26:21.300
them.

00:26:21.300 --> 00:26:23.450
This took a lot of work to get things operational again.

00:26:23.450 --> 00:26:27.380
CHRIS: About three and a half months to really get back to normal.

00:26:27.380 --> 00:26:32.290
JACK: That three and a half months was basically working with an unlimited budget to get things

00:26:32.290 --> 00:26:34.940
back on track and oil flowing properly.

00:26:34.940 --> 00:26:38.130
If this company didn’t have a budget like that, this would have either destroyed the

00:26:38.130 --> 00:26:40.840
company or degraded it for years.

00:26:40.840 --> 00:26:44.790
Another thing worth mentioning here is that Saudi Aramco is very adamant about not buying

00:26:44.790 --> 00:26:46.520
any Israeli-based software.

00:26:46.520 --> 00:26:50.730
For instance, firewalls made by Check Point are never an option for securing the network

00:26:50.730 --> 00:26:54.570
because Saudi Arabia really doesn’t like what Israel has done to Palestine, and since

00:26:54.570 --> 00:26:59.640
Check Point firewalls are made in Israel and started by a former member of Unit 8200,

00:26:59.640 --> 00:27:01.880
the Saudi government won’t buy their products.

00:27:01.880 --> 00:27:06.230
I suppose it makes sense if you know a country is spying on you and former military spies

00:27:06.230 --> 00:27:10.260
make a firewall, you probably don’t want to buy that firewall for your network.

00:27:10.260 --> 00:27:14.570
But even when Saudi Aramco had things back up and operational there were still problems

00:27:14.570 --> 00:27:15.570
that would occur.

00:27:15.570 --> 00:27:21.200
CHRIS: The employees, this was one thing I found very unusual, because there had not

00:27:21.200 --> 00:27:27.270
been any say, security awareness training for them before the attack, when the employees

00:27:27.270 --> 00:27:31.420
came back they didn’t really want to touch a computer.

00:27:31.420 --> 00:27:32.420
They were kind of afraid.

00:27:32.420 --> 00:27:37.600
They’re like oh my god, what if I’m the one that opens the e-mail attachment and then

00:27:37.600 --> 00:27:40.430
brings the system down because of a phishing attack?

00:27:40.430 --> 00:27:43.740
There were people who didn’t really want to use the systems.

00:27:43.740 --> 00:27:46.460
I can understand.

00:27:46.460 --> 00:27:51.380
It also took time after the attack; you then have to start – you need the people on the

00:27:51.380 --> 00:27:55.690
computer systems not in the security awareness programs but you also need them in there.

00:27:55.690 --> 00:27:56.690
Which do you do?

00:27:56.690 --> 00:28:04.900
Do you get your operations back for these people who are like, I’m not opening that

00:28:04.900 --> 00:28:05.900
e-mail.

00:28:05.900 --> 00:28:06.900
You have to open my e-mail.

00:28:06.900 --> 00:28:07.900
No!

00:28:07.900 --> 00:28:12.880
It’s almost like they got post-traumatic stress disorder from the cyber-attack.

00:28:12.880 --> 00:28:14.660
It was very, very unusual.

00:28:14.660 --> 00:28:18.960
If I was a psychologist I would love to do some sort of paper on the topic.

00:28:18.960 --> 00:28:23.550
JACK: Once things started settling down, Saudi Aramco government began looking into who conducted

00:28:23.550 --> 00:28:24.770
this attack.

00:28:24.770 --> 00:28:29.160
The Pastebin messages were signed by The Cutting Sword of Justice which appeared to be an activist

00:28:29.160 --> 00:28:32.570
group but some of the messaging in there was suspicious.

00:28:32.570 --> 00:28:37.080
The Shamoon virus was also analyzed thoroughly to look at traces of information that could

00:28:37.080 --> 00:28:38.750
lead to who wrote it.

00:28:38.750 --> 00:28:42.010
Combine this with the additional logs and forensics data, and the picture started to

00:28:42.010 --> 00:28:43.010
become clear.

00:28:43.010 --> 00:28:47.380
CHRIS: According to the Saudi Arabian government, it was the country of Iran.

00:28:47.380 --> 00:28:52.290
JACK: [MUSIC] There are a few theories as to who was behind this attack.

00:28:52.290 --> 00:28:55.770
It could have just been a group of people wanting to drive up oil prices or actually

00:28:55.770 --> 00:28:58.390
an activist group mad at Saudi Arabia.

00:28:58.390 --> 00:29:02.660
We don’t know all the details or exactly who and why but some security researchers

00:29:02.660 --> 00:29:07.070
believe this was a retaliation from Iran because of the Stuxnet attack that hit their nuclear

00:29:07.070 --> 00:29:08.070
facilities.

00:29:08.070 --> 00:29:12.720
But if the US and Israel attacked Iran with Stuxnet, why would Iran attack Saudi Arabia

00:29:12.720 --> 00:29:14.880
in retaliation?

00:29:14.880 --> 00:29:16.290
This is a very complicated question.

00:29:16.290 --> 00:29:20.680
The first clue is that the Shamoon virus had a burning American flag on it, and Saudi Aramco

00:29:20.680 --> 00:29:23.090
was actually started by an American company.

00:29:23.090 --> 00:29:27.000
First it was started by the Standard Oil Company of California and then it eventually changed

00:29:27.000 --> 00:29:31.580
its name to Aramco which is short for the Arabian American Oil Company.

00:29:31.580 --> 00:29:35.630
From there the Saudi government saw how profitable it was and fully took over the company and

00:29:35.630 --> 00:29:39.140
today this is where the bulk of Saudi government money comes from.

00:29:39.140 --> 00:29:44.790
You can see Saudi Aramco has a deep connection with the US but the US relies heavily on oil

00:29:44.790 --> 00:29:50.010
from Saudi Arabia so impacting the oil supply to America could cause financial ruin to the

00:29:50.010 --> 00:29:53.070
US, bringing a lot of businesses to a halt.

00:29:53.070 --> 00:29:57.320
Additionally, Iran and Saudi Arabia have longstanding feuds between them.

00:29:57.320 --> 00:30:01.650
They often argue about politics and religion but the thing is the [00:30:00] Iranian government

00:30:01.650 --> 00:30:03.780
never took credit for this attack.

00:30:03.780 --> 00:30:08.020
If they did this as a show of force or some kind of saber rattling, why wouldn’t they

00:30:08.020 --> 00:30:09.440
take credit for it?

00:30:09.440 --> 00:30:12.830
There were some news articles that stated Saudi Arabia captured and arrested dozens

00:30:12.830 --> 00:30:15.320
of Iranian spies not long after this attack.

00:30:15.320 --> 00:30:19.850
It’s unclear but it’s possible these spies were somehow part of this hack, possibly doing

00:30:19.850 --> 00:30:24.010
reconnaissance or doing some sort of social engineering to get internal information about

00:30:24.010 --> 00:30:25.320
Saudi Aramco.

00:30:25.320 --> 00:30:30.340
Over in Iran is the Islamic Revolutionary Guard Corps, or IRGC.

00:30:30.340 --> 00:30:33.710
This is one of Iran’s armed forces and it has over 100,000 people.

00:30:33.710 --> 00:30:38.310
In the IRGC are the intelligence-gathering units, which is where we presume a number

00:30:38.310 --> 00:30:41.330
of hackers are working for the Iranian military.

00:30:41.330 --> 00:30:45.531
In fact one IRGC general stated that they have the fourth biggest cyber-army in the

00:30:45.531 --> 00:30:46.531
world.

00:30:46.531 --> 00:30:51.100
But there’s also a group called the Iranian Cyber Army and this isn’t a military group

00:30:51.100 --> 00:30:54.130
but rumors say it was started by the IRGC.

00:30:54.130 --> 00:30:58.260
This hacker group has pledged their allegiance to the Supreme Leader of Iran and they conduct

00:30:58.260 --> 00:31:00.030
hacks to help Iran out.

00:31:00.030 --> 00:31:04.880
It’s a very secretive group but it’s possible they do some of the more dirty work for the

00:31:04.880 --> 00:31:08.740
IRGC so the Iranian government can claim that they didn’t do it.

00:31:08.740 --> 00:31:12.130
This incident with Saudi Aramco is known as the Shamoon Attacks 1.

00:31:12.130 --> 00:31:17.720
CHRIS: There’s now Shamoon Attacks 2 and 3 that are still ongoing against Saudi Aramco

00:31:17.720 --> 00:31:24.130
and Saudi Arabia, especially hitting Saudi Arabian critical infrastructures, and airports

00:31:24.130 --> 00:31:25.890
have been affected.

00:31:25.890 --> 00:31:26.920
It is still ongoing.

00:31:26.920 --> 00:31:30.980
JACK: The thing is that nations aren’t even at the point yet of being able to talk

00:31:30.980 --> 00:31:35.240
about what cyber-capabilities they have, much less be able to have an open conversation

00:31:35.240 --> 00:31:38.630
of how to conduct cyber-warfare between nations.

00:31:38.630 --> 00:31:42.290
Many countries are developing cyber-capabilities and they’re watching big players like the

00:31:42.290 --> 00:31:45.540
US on how to conduct themselves in this space.

00:31:45.540 --> 00:31:49.440
Seeing things like Stuxnet leak and the US denying it just makes these countries follow

00:31:49.440 --> 00:31:52.720
suit and also conduct ultra-secret missions.

00:31:52.720 --> 00:31:57.111
We’re still in the first generation of this new weapon and when things are this new, there

00:31:57.111 --> 00:31:59.020
aren’t any rules or regulations yet.

00:31:59.020 --> 00:32:02.030
There isn’t any playbook or proper way to conduct yourself.

00:32:02.030 --> 00:32:04.690
Because of all that it will be abused.

00:32:04.690 --> 00:32:08.410
Nations will do whatever they want, whenever they want, because that’s just how it is

00:32:08.410 --> 00:32:09.410
right now.

00:32:09.410 --> 00:32:13.270
It’s naïve to think nations aren’t constantly spying and infiltrating on each other using

00:32:13.270 --> 00:32:17.840
cyber-weapons which is probably why when there’s an attack like this, it’s not treated like an

00:32:17.840 --> 00:32:22.170
act of war because we don’t know what a cyber act of war looks like yet.

00:32:22.170 --> 00:32:26.830
When we see mass casualties from a hack and a nation claims responsibility for it, then

00:32:26.830 --> 00:32:28.250
I think that’ll be one.

00:32:28.250 --> 00:32:33.810
But in this case some computers were damaged and an unknown group claimed responsibility.

00:32:33.810 --> 00:32:37.510
Somehow this didn’t cause a worldwide panic in oil prices and everything went back to

00:32:37.510 --> 00:32:39.390
normal in a few months.

00:32:39.390 --> 00:32:43.350
Before this event the Saudi government didn’t put a lot of effort into their cyber-security

00:32:43.350 --> 00:32:44.350
program.

00:32:44.350 --> 00:32:48.130
To me it’s crazy to think of a nation such as this not paying that much attention to

00:32:48.130 --> 00:32:49.680
online security.

00:32:49.680 --> 00:32:56.120
But since then in 2017, 2017 is when they launched their Saudi National Cybersecurity

00:32:56.120 --> 00:32:59.920
Center which is a government-run organization built to protect their critical infrastructure

00:32:59.920 --> 00:33:02.480
and government from cyber-attacks.

00:33:02.480 --> 00:33:05.920
This has a great trickle-down effect to the whole nation because security really does

00:33:05.920 --> 00:33:10.080
have to start at the top of any organization, including an entire nation.

00:33:10.080 --> 00:33:14.160
Now many more organizations are also taking security seriously because the Saudi government

00:33:14.160 --> 00:33:15.160
did.

00:33:15.160 --> 00:33:19.650
[MUSIC] The operations center that Chris built in The Hague is still up and monitoring Saudi

00:33:19.650 --> 00:33:24.040
Aramco but she’s since moved on to higher profile projects and here’s a bit of advice

00:33:24.040 --> 00:33:27.030
from her on how to prepare yourself for an incident like this.

00:33:27.030 --> 00:33:31.540
CHRIS: Digitization is fantastic but in an emergency you always need a paper copy of

00:33:31.540 --> 00:33:32.540
contacts.

00:33:32.540 --> 00:33:33.540
That’s a very good idea.

00:33:33.540 --> 00:33:38.880
We also carried coded contact information cards in our wallets in case of emergency

00:33:38.880 --> 00:33:41.350
so that we could have a very, very quick response.

00:33:41.350 --> 00:33:45.620
That was one of the big things that was lost during the attack because you couldn’t even

00:33:45.620 --> 00:33:50.190
get a phone number, also printed-out playbooks so in case of emergency.

00:33:50.190 --> 00:33:54.790
It’s a calming factor that you can hold something in your hand to look at.

00:33:54.790 --> 00:34:01.730
Even though it’s not going to match up perfectly it helps you from losing your sanity and you

00:34:01.730 --> 00:34:03.500
can go off of that.

00:34:03.500 --> 00:34:10.609
Having those printed out and contact cards is invaluable in the case of any incident.

00:34:10.609 --> 00:34:20.329
JACK (OUTRO): [OUTRO MUSIC] You’ve been listening to Darknet Diaries.

00:34:20.329 --> 00:34:25.069
A big thanks goes to Chris Kubecka for sharing her story and if you want to learn more from

00:34:25.069 --> 00:34:26.069
Chris, guess what?

00:34:26.069 --> 00:34:27.069
You can!

00:34:27.069 --> 00:34:28.069
She has two books out now.

00:34:28.069 --> 00:34:31.269
Her first one is called Down the Rabbit Hole, an OSINT Journey, and her newest one which

00:34:31.269 --> 00:34:34.869
should be out in a few days, is called Hack the World with OSINT.

00:34:34.869 --> 00:34:38.149
I have a copy of the first one right here and it’s packed full of labs you can do

00:34:38.149 --> 00:34:42.149
to gather personal and private information on companies and governments that are leaving

00:34:42.149 --> 00:34:45.129
their data right there in the open for anyone to see.

00:34:45.129 --> 00:34:49.510
She demonstrates how to gather publicly available yet sensitive data related to Panama

00:34:49.510 --> 00:34:53.750
papers, the Democratic National Party, Trump’s websites, the Republican National Party, and

00:34:53.750 --> 00:34:55.700
even the Dutch voting system.

00:34:55.700 --> 00:34:59.119
If you want to get better at open source intelligence-gathering, check these books out.

00:34:59.119 --> 00:35:00.869
I’ll link to them in the show notes.

00:35:00.869 --> 00:35:03.539
[00:35:00] Please consider donating to this show through Patreon.

00:35:03.539 --> 00:35:06.210
Very soon I’ll be giving bonus episodes to supporters there.

00:35:06.210 --> 00:35:09.770
This show is made by me, the dull blade of mischief, Jack Rhysider.

00:35:09.770 --> 00:35:13.559
The intro song and the song you’re hearing right now is made by the shrouded Breakmaster

00:35:13.559 --> 00:35:14.199
Cylinder.
