WEBVTT

00:00:00.558 --> 00:00:05.700
JACK: Hey, it’s Jack, host of the show. Listen, you might not be ready for this episode. There’s

00:00:05.700 --> 00:00:10.020
a few prerequisites I recommend you do first. First, we’re gonna be talking about the Shadow

00:00:10.020 --> 00:00:15.840
Brokers in this episode and I already covered them in Episode 53, so I highly encourage you

00:00:15.840 --> 00:00:20.700
to check that episode out first – which is just called Shadow Brokers – before this one. Second,

00:00:20.700 --> 00:00:24.960
I made Episode 71, 72, and 73 to be listened to in that order,

00:00:24.960 --> 00:00:31.380
and since this is Episode 73, maybe check out the two episodes before this first. Of course,

00:00:31.380 --> 00:00:34.200
you don’t have to; this episode still stands on its own anyway,

00:00:34.200 --> 00:00:40.080
but that’s my recommendation. Okay, so with that out of the way, let’s jump right into it.

00:00:40.080 --> 00:00:45.840
TONY: My name is Tony Bleetman. I’m an emergency physician and in 2017,

00:00:45.840 --> 00:00:52.140
I was working as a freelance senior emergency physician in a number of hospitals in the UK.

00:00:52.140 --> 00:00:56.460
JACK: Why did I take up this physician’s precious time to come on a show which talks

00:00:56.460 --> 00:01:01.440
about hacking? [MUSIC] Because he was at the center of one of the biggest ransomware attacks

00:01:01.440 --> 00:01:08.880
in history. The date was May 12, 2017, which is a date Dr. Bleetman will remember for a long time.

00:01:08.880 --> 00:01:16.440
TONY: I remember pitching up for a shift at a hospital in London at about noon. As

00:01:16.440 --> 00:01:23.880
I walked into the office, the WannaCry screen had come up on the computers.

00:01:23.880 --> 00:01:29.820
JACK: Specifically, the computers in the hospital were stuck on a red screen which said, ‘Oops,

00:01:29.820 --> 00:01:35.820
your files have been encrypted. Send $300 worth of Bitcoin to this address to decrypt

00:01:35.820 --> 00:01:41.040
them.’ This is a typical ransomware message. See, if your files get encrypted and you don’t

00:01:41.040 --> 00:01:45.960
have the key to decrypt them, your files are no longer readable. Some hacker gained

00:01:45.960 --> 00:01:51.360
control over the hospital’s computers and was demanding Bitcoin to unlock them. Now,

00:01:51.360 --> 00:01:55.200
this ransomware which was encrypting the files was called WanaCrypt,

00:01:55.200 --> 00:02:01.020
spelled W-A-N-A, but people quickly just started calling this ransomware WannaCry.

00:02:01.020 --> 00:02:08.640
TONY: I just walked into the situation and within a very short time, people understood

00:02:08.640 --> 00:02:13.440
that this was a cyber-attack affecting the health service,

00:02:13.440 --> 00:02:18.900
and communication between friends and hospitals confirmed that.

00:02:18.900 --> 00:02:22.740
JACK: This WannaCry ransomware not only took over the computers in this hospital,

00:02:22.740 --> 00:02:28.920
but was hitting other hospitals in UK’s NHS, their National Health Service.

00:02:28.920 --> 00:02:36.360
TONY: My take on this is quite simple; that when the technology lets us down in any circumstance,

00:02:36.360 --> 00:02:45.780
we have to fall back on old fashioned, well-worn, well-proven basic medical techniques. We just had

00:02:45.780 --> 00:02:51.900
to rely more on clinical judgment and rely a lot less on information systems.

00:02:51.900 --> 00:02:55.260
JACK: The NHS had to make a lot of adjustments to stay operational.

00:02:55.260 --> 00:02:59.640
TONY: If you think about the process of a patient attending an emergency department,

00:02:59.640 --> 00:03:06.960
someone has to register them, someone has to order blood tests, and someone has to order x-rays

00:03:06.960 --> 00:03:11.880
and CT scans. Someone has to communicate with their own family doctor once they’ve finished,

00:03:11.880 --> 00:03:19.860
and one has to transfer information around the hospital. When that’s all missing, you have no

00:03:19.860 --> 00:03:26.040
computerized registration of patients, your IC package that tells you where patients are at any

00:03:26.040 --> 00:03:31.980
time is not working, so we had to compensate for all these things by doing old fashioned things.

00:03:31.980 --> 00:03:39.300
When a patient came in, they were registered on paper. We had a big whiteboard on the wall and so,

00:03:39.300 --> 00:03:46.020
we could write down the names of patients and identify their location within a rather large

00:03:46.020 --> 00:03:52.500
department. Because we didn’t have computerized blood results from blood tests from the lab,

00:03:52.500 --> 00:03:58.260
every half an hour we sent a runner to the labs to have a manual printout of the blood

00:03:58.260 --> 00:04:03.000
tests and deliver them to the department by hand. We had to look at x-rays on portable

00:04:03.000 --> 00:04:08.460
machines because we couldn’t see them on computers. Things that involved hi-tech

00:04:08.460 --> 00:04:13.920
interventions were suspended or we found old fashioned alternatives.

00:04:13.920 --> 00:04:17.820
JACK: Now, this ransomware was targeting Windows computers and specifically,

00:04:17.820 --> 00:04:23.100
Windows computers that were connected to the network. Not all Windows computers in the hospital

00:04:23.100 --> 00:04:30.300
are actually part of the network, [MUSIC] partly because of this exact reason. Some systems like CT

00:04:30.300 --> 00:04:35.520
scanners were just not plugged into the network with an ethernet cord or anything like that.

00:04:35.520 --> 00:04:42.960
TONY: Well, one of the things that we learned is that when your computers are not networked – I

00:04:42.960 --> 00:04:48.660
mean, a CT scan had its own internal hard drive, so we relied on that. It was limited

00:04:48.660 --> 00:04:56.460
to a certain amount of memory every day, so we had to restrict the number of scans that we ordered.

00:04:56.460 --> 00:05:02.580
What it meant was, because – we had to [00:05:00] fall back on machines that were not connected to

00:05:02.580 --> 00:05:08.460
the network, so standalone diagnostic machines that were not connected to the network were

00:05:08.460 --> 00:05:16.140
unaffected, so we could run some basic blood tests on isolated machines, and we could run CT scans on

00:05:16.140 --> 00:05:24.240
machines that were not affected by the virus. It was quite useful. If machines are autonomous and

00:05:24.240 --> 00:05:29.280
not connected to the wider network, which we used to think was a hindrance than a problem,

00:05:29.280 --> 00:05:34.980
it actually saved their function because they were not taken out by the WannaCry virus.

00:05:34.980 --> 00:05:40.740
JACK: The NHS had to cancel 6,912 appointments because of this. But as of right now,

00:05:40.740 --> 00:05:45.180
it doesn’t look like anyone died due to this attack. While battling with this problem,

00:05:45.180 --> 00:05:48.360
the hospital was learning how widespread this was.

00:05:48.360 --> 00:05:53.640
TONY: We switched on the news and we spoke to friends in other hospitals, and it was obvious

00:05:53.640 --> 00:05:59.820
very, very early on that this was a national – if not international – problem across the

00:05:59.820 --> 00:06:08.820
country. Some of the things that we relied upon; trauma centers were temporarily closed, so we had

00:06:08.820 --> 00:06:15.180
to deal with any trauma cases coming in because the surgeons in the trauma centers were unhappy

00:06:15.180 --> 00:06:20.700
to operate without CT scans that they could see in the operating room. For a short while,

00:06:20.700 --> 00:06:26.040
trauma centers weren’t receiving patients, or some of them weren’t, and half the trauma

00:06:26.040 --> 00:06:30.540
centers were also not receiving patients because they were computerized as well.

00:06:30.540 --> 00:06:36.600
JACK: The BBC was playing an interview with Amber Rudd, the Home Secretary of the UK. Here’s a clip.

00:06:36.600 --> 00:06:42.240
AMBER: We’re working very hard to make sure that we help the NHS put their systems back

00:06:42.240 --> 00:06:47.160
in order. So far, we’ve had reassurance from them that no patient data has been

00:06:47.160 --> 00:06:52.860
compromised. The National Cyber Security Center is working with them to end the disruption,

00:06:52.860 --> 00:06:55.680
to contain it, and to make sure that we learn lessons from it.

00:06:55.680 --> 00:06:59.160
HOST: Can you give us the figures as you understand them at this

00:06:59.160 --> 00:07:02.040
stage about how many hospitals, how many trusts are affected?

00:07:02.040 --> 00:07:08.760
AMBER: Well, we understand that forty-five have been affected out of several hundred. Most of them

00:07:08.760 --> 00:07:13.140
are being very cautious about this. Some of them are making changes, some of them aren’t. Some of

00:07:13.140 --> 00:07:18.540
them are managing to carry on with their daily work despite these difficulties. But can I also

00:07:18.540 --> 00:07:23.400
just point out that this particular attack, this cyber-attack, hasn’t been particularly

00:07:23.400 --> 00:07:28.620
focused on the NHS? It’s been a worldwide attack. It’s affected a hundred countries,

00:07:28.620 --> 00:07:34.000
different organizations, but it’s just in the UK that it’s been particularly impacted on our NHS.

00:07:34.000 --> 00:07:38.700
JACK: [INTRO MUSIC] The WannaCry ransomware that was unleashed on the world was ripping

00:07:38.700 --> 00:07:44.520
through thousands of computers, causing destruction everywhere. This is the

00:07:44.520 --> 00:07:53.000
moment that all IT and security teams both fear and prepare for.

00:07:53.000 --> 00:08:01.260
(INTRO): These are true stories from the dark side of the internet. I’m

00:08:01.260 --> 00:08:19.160
Jack Rhysider. This is Darknet Diaries.

00:08:19.160 --> 00:08:20.160
JACK:

00:08:20.160 --> 00:08:25.620
Okay, so what do we know at this point? It’s May 12th, 2017 and the world is being hit by

00:08:25.620 --> 00:08:29.460
a huge ransomware campaign. The NHS is one of the bigger networks to be hit by

00:08:29.460 --> 00:08:34.560
this. The news is reporting on this. Now, when something hits the world on a scale like this,

00:08:34.560 --> 00:08:38.880
it gets the attention of a lot of security researchers. The whole security community is

00:08:38.880 --> 00:08:44.310
buzzing about this. For instance, FireEye was one of the companies that began researching WannaCry.

00:08:44.310 --> 00:08:50.160
JOHN: My name is John Hultquist. I’m the senior director for intelligence analysis at FireEye.

00:08:50.160 --> 00:08:54.000
JACK: FireEye is a threat intelligence company. They spend all day, every day,

00:08:54.000 --> 00:08:59.760
investigating emerging threats and they provide many tools and services to help companies detect

00:08:59.760 --> 00:09:04.380
and respond to cyber-attacks. FireEye is a major player in this space and has been called to

00:09:04.380 --> 00:09:09.480
investigate many high-profile cases. Now, by this time, Twitter was going crazy talking about this.

00:09:09.480 --> 00:09:14.400
This was a huge attack, hitting companies all over the world. While companies like FireEye

00:09:14.400 --> 00:09:19.200
can’t investigate every new piece of malware, this one was big enough to pay attention to.

00:09:19.200 --> 00:09:26.160
JOHN: Yeah, I think that there was good evidence to believe that this was hitting

00:09:26.160 --> 00:09:32.280
several organizations simultaneously. We had reason to believe it was going to hit even more

00:09:32.280 --> 00:09:39.120
of our customers. Usually, in circumstances like that, we spin up a community and protection event.

00:09:39.120 --> 00:09:45.720
That’s where we basically bring all the power of FireEye, [MUSIC] all the different divisions

00:09:45.720 --> 00:09:52.020
together literally into a single chatroom, and we start trying to break down the problem

00:09:52.020 --> 00:09:58.380
as fast as we can. One big piece of that with this was getting our hands on the malware and

00:09:58.380 --> 00:10:02.820
starting to – have the reverse-engineers start ripping it [00:10:00] apart to look for clues

00:10:02.820 --> 00:10:08.700
as to what was going on, because we thought that this was ransomware. We didn’t know who

00:10:08.700 --> 00:10:15.840
it belonged to. We were just trying to figure out why it was moving so quickly at some point.

00:10:15.840 --> 00:10:20.400
We were essentially asking a bunch of questions that took us a while to answer.

00:10:20.400 --> 00:10:24.660
JACK: Now, FireEye wasn’t the only group looking into this. When something like this hits,

00:10:24.660 --> 00:10:29.280
a lot of companies have to investigate. For instance, this was looking like it was hitting

00:10:29.280 --> 00:10:34.140
Windows machines specifically, so Microsoft would absolutely have to investigate this,

00:10:34.140 --> 00:10:38.820
too. But think about all the antivirus companies or threat detection systems that are out there.

00:10:38.820 --> 00:10:43.320
These companies would all pay attention to an attack like this so that they can find a way

00:10:43.320 --> 00:10:48.600
to detect and block stuff like this from happening to their customers. Dozens of major companies were

00:10:48.600 --> 00:10:53.220
all scrambling to get a copy of the WannaCry ransomware. On top of that, you have a lot of

00:10:53.220 --> 00:10:58.800
independent security researchers who are good at reverse-engineering who also try taking a look.

00:10:58.800 --> 00:11:03.480
This was an exciting time for the security research community. This was something brand-new,

00:11:03.480 --> 00:11:08.400
and it was hitting hard and spreading fast. It’s exciting, like when your favorite author

00:11:08.400 --> 00:11:12.960
publishes a new book or a favorite video game launches a new level to try. There’s

00:11:12.960 --> 00:11:17.700
this magical moment in time where there’s just no blog posts about this, there’s no news stories,

00:11:17.700 --> 00:11:21.960
and nobody understands what’s happening. So, people everywhere are racing to get

00:11:21.960 --> 00:11:26.760
some answers. Since nobody knows anything about this malware, everyone has to start from square

00:11:26.760 --> 00:11:32.580
one. You might be the one who finds the hidden key that unlocks this whole mysterious malware.

00:11:32.580 --> 00:11:37.560
It’s adventurous and exciting to be part of the investigation even if you’re just an

00:11:37.560 --> 00:11:42.660
independent researcher. Now, another person who was researching this was Matt Suiche.

00:11:42.660 --> 00:11:48.780
MATT: My name is Matt Suiche. I’m the founder of Comae Technology. It’s a

00:11:48.780 --> 00:12:00.360
small startup focused on incident response. Back in May 2017, most people in InfoSec,

00:12:00.360 --> 00:12:04.680
we also – that there was a ransomware that was targeting a bunch of companies,

00:12:04.680 --> 00:12:11.160
and people were all posting screenshots all over Twitter. Then the first thing

00:12:11.160 --> 00:12:15.390
everyone was trying to do was to get samples of that ransomware.

00:12:15.390 --> 00:12:20.820
JACK: Matt is a French security researcher, also an entrepreneur. He’s developed a few

00:12:20.820 --> 00:12:24.060
companies at this point, but the one he’s building now is called Comae.

00:12:24.060 --> 00:12:29.100
It specializes in memory forensics. This new ransomware interested Matt,

00:12:29.100 --> 00:12:31.920
and he grabbed a sample of the malware and began investigating.

00:12:31.920 --> 00:12:38.580
MATT: Well, the thing to keep in mind for malware and especially ransomware; they’re very easy to

00:12:38.580 --> 00:12:43.740
analyze because they are very redundant. What they do is always the same thing. Most of the

00:12:43.740 --> 00:12:48.420
time there is no obfuscation. You can get a clear idea of what malware or ransomware is doing fairly

00:12:48.420 --> 00:12:55.920
quickly, like around an hour. It’s not like you have to analyze a rootkit, anything like this.

00:12:55.920 --> 00:13:02.820
You can get a very good idea of the big picture of what they do. The idea was just trying to

00:13:02.820 --> 00:13:08.160
understand what it was doing to be able to write a short writeup, because everyone was

00:13:08.160 --> 00:13:15.420
panicking around it. Usually, when it’s something like this, especially as a small startup, it’s

00:13:15.420 --> 00:13:23.460
interesting to release something before everyone else because large companies will not be able to

00:13:23.460 --> 00:13:33.960
publish blog posts as quickly because of their own internal cycles for publishing anything. That one,

00:13:33.960 --> 00:13:39.360
the idea was first to analyze what it was doing, how it works, kind of like what it was doing.

00:13:39.360 --> 00:13:44.760
JACK: Now, malware like this is precompiled which means if you look at the program itself,

00:13:44.760 --> 00:13:48.780
it just looks like gibberish. It’s machine code. A computer understands what to do with it,

00:13:48.780 --> 00:13:53.400
but it’s not human-readable. You have to use a reverse-engineer tool like IDA

00:13:53.400 --> 00:13:57.900
Pro or Ghidra [MUSIC] to convert it to assembly language which is human-readable,

00:13:57.900 --> 00:14:03.060
but it’s very rudimentary. Like, put this data in the memory, then move it from here to there,

00:14:03.060 --> 00:14:08.640
and then remove the data from the memory. You don’t see if-else statements and things that make

00:14:08.640 --> 00:14:12.900
sense, so because it’s so low-level, it requires a lot of skill to know how to

00:14:12.900 --> 00:14:17.400
reverse-engineer a program to figure out what it does, which in my opinion is pretty hard

00:14:17.400 --> 00:14:22.440
to do. But Matt’s good at this, so he dove into the code and saw something remarkable.

00:14:22.440 --> 00:14:33.480
MATT: On the exploitation part, so, what was pretty interesting is – and having even before analyzing

00:14:33.480 --> 00:14:40.800
it, people had a strong suspicion around it anyway – is oh, it was using the DoublePulsar on

00:14:40.800 --> 00:14:44.640
EternalBlue that was leaked a few months before by the Shadow Brokers.

00:14:44.640 --> 00:14:49.980
JACK: The exploit this malware was using was EternalBlue. Now, let’s back up a second;

00:14:49.980 --> 00:14:55.920
one month before this WannaCry outbreak, the Shadow Brokers gave the world

00:14:55.920 --> 00:15:01.020
EternalBlue. You remember Shadow Brokers, right? If not, go check out Episode 53. But

00:15:01.020 --> 00:15:06.300
the [00:15:00] story goes that someone hacked into the NSA and stole hacking tools and exploits the

00:15:06.300 --> 00:15:13.200
NSA uses, then slowly released these tools to the public. Now, what’s strange here is a month before

00:15:13.200 --> 00:15:19.260
EternalBlue was released, Microsoft patched it. We’re not sure if NSA warned Microsoft

00:15:19.260 --> 00:15:24.660
or if Microsoft found it themselves. Regardless, the patch came out and then Shadow Brokers gave

00:15:24.660 --> 00:15:29.700
this exploit to the world to use however they want. Now, we still don’t know who the Shadow

00:15:29.700 --> 00:15:34.260
Brokers were, but they would send messages sometimes. At one point, they called out

00:15:34.260 --> 00:15:41.520
MalwareJake for being part of Equation Group, or NSA. But there was more to that tweet. It read…

00:15:41.520 --> 00:15:46.380
MATT: The Shadow Brokers is not in habit of outing Equation Group members,

00:15:46.380 --> 00:15:53.820
but had made exception for Big Mouth. It was to MalwareJake and then it was saying,

00:15:53.820 --> 00:15:56.520
‘Keep talking shit. M. Suiche, you’re next.’

00:15:56.520 --> 00:16:04.080
JACK: Yeah, the Shadow Brokers had mentioned Matt by name in the very tweet they practically doxxed

00:16:04.080 --> 00:16:09.480
MalwareJake as being part of Equation Group. Was this also saying Matt was part of Equation Group?

00:16:09.480 --> 00:16:12.120
MATT: That one, yeah, was nothing. I was like well,

00:16:12.120 --> 00:16:14.280
that’s kind of flattering but I’m French, you know?

00:16:14.280 --> 00:16:20.460
JACK: Matt is not former-NSA or Equation Group, and he didn’t even have to explain

00:16:20.460 --> 00:16:24.960
this since the Shadow Brokers later clarified this in a tweet saying yeah, they know he’s

00:16:24.960 --> 00:16:31.320
not ex-NSA since he’s French-born. Why were the Shadow Brokers talking about him? Well,

00:16:31.320 --> 00:16:35.280
it’s kind of a mystery, actually. First of all, [MUSIC] Matt was really fascinated with

00:16:35.280 --> 00:16:38.160
the Shadow Brokers and what they were releasing to the world. So,

00:16:38.160 --> 00:16:42.840
he was screenshotting everything the Shadow Brokers posted, and was blogging about it a

00:16:42.840 --> 00:16:47.940
lot. During the whole Shadow Brokers ordeal, Matt gave a talk at Black Hat about them.

00:16:47.940 --> 00:16:53.460
MATT: Before we start, please raise your hand if you have never heard of the Shadow Brokers.

00:16:53.460 --> 00:16:57.840
JACK: On top of that, Matt has a fairly large Twitter following, so it’s possible the Shadow

00:16:57.840 --> 00:17:02.340
Brokers were just seeing what people were saying about them. They saw Matt’s post and liked him.

00:17:02.340 --> 00:17:06.540
MATT: I was flattered though about it because it’s like oh, it’s kind of cool that they’re

00:17:06.540 --> 00:17:11.220
mentioning me because it means everything; all my blog posts, all the analysis I did of all

00:17:11.220 --> 00:17:14.760
their release – because that’s how they would know me. Otherwise, there is no way they would

00:17:14.760 --> 00:17:22.860
have mentioned me. Even at some point, they were kind of saying – I know they’re calling me French.

00:17:22.860 --> 00:17:30.960
Oh yeah, because I gave a keynote at Black Hat the same year. I was giving an overview of what the

00:17:30.960 --> 00:17:39.240
Shadow Brokers were doing. I was saying oh, you should come, we should have a beer. He’s like oh,

00:17:39.240 --> 00:17:49.080
I will only come if you speak at Defcon. I will be in the first row. A part of me still

00:17:49.080 --> 00:17:57.960
does think they are American, but it’s kind of hard to prove. But yeah, they were friendly. They’re

00:17:57.960 --> 00:18:08.220
like oh, Suiche seems to be a friendly guy. They were definitely very entertaining. Also, a lot

00:18:08.220 --> 00:18:14.940
of the way they speak – because the grammatical mistakes, you can tell they are completely fake.

00:18:14.940 --> 00:18:18.600
JACK: Well, the way they type might be a fake accent or something,

00:18:18.600 --> 00:18:24.960
but the Shadow Brokers releasing EternalBlue to the world was not fake. It was a very

00:18:24.960 --> 00:18:29.160
serious vulnerability which exploited the way Windows file sharing works,

00:18:29.160 --> 00:18:33.540
or SMB. [MUSIC] If you have a vulnerable version of SMB running on your computer,

00:18:33.540 --> 00:18:39.120
a person could easily take remote control of that computer. So, exactly one month after

00:18:39.120 --> 00:18:46.080
EternalBlue was released, WannaCry was launched which used that exploit, which is one reason

00:18:46.080 --> 00:18:51.240
why this ransomware infected so many machines; because it was using a wicked-good exploit that

00:18:51.240 --> 00:18:57.420
just came out not too long ago. What’s more is that this ransomware was a self-propagating worm.

00:18:57.420 --> 00:19:03.000
When it would infect one computer, it would then look to try to infect every other computer in

00:19:03.000 --> 00:19:07.740
that local network. This meant if it could just get a small foothold in a network, it could then

00:19:07.740 --> 00:19:13.800
spread to a large amount of computers inside your network. A worm like this using a vulnerability

00:19:13.800 --> 00:19:21.000
like that is going to spread quickly, and it did. Now, again, this exploit was patched in Windows

00:19:21.000 --> 00:19:26.040
about two months earlier, so anyone who had automatic updates on or was installing the latest

00:19:26.040 --> 00:19:31.740
security patches for Windows was not affected by this. But as it turns out, a lot of Windows

00:19:31.740 --> 00:19:36.780
computers in the world don’t update as frequently as they should, and this creates a problem.

00:19:36.780 --> 00:19:44.580
JOHN: Yeah, it’s really interesting. There were patching issues; people hadn’t caught up with the

00:19:44.580 --> 00:19:49.920
patching cycle. There’s no doubt about that. But there are some places that were targeted – or,

00:19:49.920 --> 00:19:56.460
not necessarily targeted, but that were hit that patching was difficult.

00:19:56.460 --> 00:20:05.520
I think that probably the most well-known target was the [00:20:00] NHS in the UK.

00:20:05.520 --> 00:20:10.620
People who work in the medical arena will tell you there’s a lot of equipment there that is just

00:20:10.620 --> 00:20:19.740
old and it can’t be patched, or can’t be patched because it simply will not function correctly.

00:20:19.740 --> 00:20:22.560
It’s not always as simple as just patch.

00:20:22.560 --> 00:20:26.700
JACK: [MUSIC] In fact, this got so big and impacted so many old computers that

00:20:26.700 --> 00:20:31.980
Microsoft released even more patches. At this point, Windows XP was no longer supported by

00:20:31.980 --> 00:20:36.720
Microsoft and they stopped making security patches for it. But a few days after WannaCry came out,

00:20:36.720 --> 00:20:43.080
Microsoft released a patch for XP, which is very, very rare for them to release patches after they

00:20:43.080 --> 00:20:47.280
stopped supporting that version entirely. Now, when ransomware hits your computer,

00:20:47.280 --> 00:20:53.760
it encrypts all the files on it and asks you to pay to unlock them. Some victims were paying the

00:20:53.760 --> 00:21:00.240
$300 or $600 in Bitcoin to get their files back. But there was a problem. This didn’t seem to work.

00:21:00.240 --> 00:21:06.480
A lot of people were reporting they paid but didn’t get a valid key to decrypt their files. In

00:21:06.480 --> 00:21:11.520
fact, if you analyzed the malware, it just didn’t seem to contain the proper methods for restoring

00:21:11.520 --> 00:21:18.060
the files at all. These victims who were paying were getting burned twice. Now, at this point,

00:21:18.060 --> 00:21:23.100
security researchers were starting to think maybe this isn’t ransomware. Maybe this is

00:21:23.100 --> 00:21:27.420
disguised as ransomware and really has other intentions like destroying

00:21:27.420 --> 00:21:32.280
a target or a network or something. A lot of questions were starting to rise up. Do

00:21:32.280 --> 00:21:36.240
you have any – do you have some general tips for if someone gets hit with ransomware like this?

00:21:36.240 --> 00:21:41.100
JOHN: I think every situation is different. It’s important,

00:21:41.100 --> 00:21:48.780
I think, if possible, to have a sense of who’s doing that, right? In this case,

00:21:48.780 --> 00:21:53.040
it was pretty clear it looked like nobody was going to get their machines

00:21:53.040 --> 00:22:01.560
unlocked. Obviously, the tip in that case is don’t pay because it would be an absolute waste

00:22:01.560 --> 00:22:09.540
of money. But there are a handful of operators that we know pretty well and I think they all

00:22:09.540 --> 00:22:18.540
behave differently. You have different prospects based on who you’re dealing with and what your

00:22:18.540 --> 00:22:25.320
specific situation is. Usually, the advice is consult an expert on your specific situation.

00:22:25.320 --> 00:22:27.600
JACK: Were there any of your customers that

00:22:27.600 --> 00:22:30.780
were trying to consult you that were big companies that were getting hit?

00:22:30.780 --> 00:22:36.720
JOHN: Oh, absolutely. I think at the time we were advising that this is

00:22:36.720 --> 00:22:41.640
not something that a; a criminal actor that we’re familiar with,

00:22:41.640 --> 00:22:49.620
and there didn’t seem to be a payment – the payment mechanism didn’t seem fully operational.

00:22:49.620 --> 00:22:53.760
JACK: At this point, John’s team had developed a way to detect and block

00:22:53.760 --> 00:22:58.080
this activity in their clients’ networks. They understood this malware fairly well,

00:22:58.080 --> 00:23:00.046
but they still had more to figure out.

00:23:00.046 --> 00:23:05.160
JOHN: [MUSIC] I think at that point we were – I mean, from my side, I’m the intelligence guy – we

00:23:05.160 --> 00:23:13.380
were really trying to determine who’s doing this? What’s the motive behind this? Is this

00:23:13.380 --> 00:23:21.180
a state actor? Is this a destructive attack? Can we find some sort of breadcrumbs that will take us

00:23:21.180 --> 00:23:26.400
back to other incidents? That’s usually what we’re looking for. We’re trying to take your one, single

00:23:26.400 --> 00:23:34.680
incident and connect it to a cluster. Hopefully, we can learn from a cluster of other incidents.

00:23:34.680 --> 00:23:40.920
Sometimes they’ve made mistakes in their other incidents, they’ve taught us something about them,

00:23:40.920 --> 00:23:45.870
they’ve not – they’ve used infrastructure that maybe we recognize there and then we

00:23:45.870 --> 00:23:54.840
can tie them back even further. We’re working diligently to find those clues.

00:23:54.840 --> 00:23:59.280
JACK: Well, John and his team were busy trying to figure out who did

00:23:59.280 --> 00:24:09.420
it. I think at this time, Matt was trying to figure out how to decrypt

00:24:09.420 --> 00:24:19.260
the file somehow. Some other people were looking into different parts of the code for other things.

00:24:19.260 --> 00:24:25.020
Another security researcher named Marcus Hutchins was looking at the malware and saw something

00:24:25.020 --> 00:24:30.300
that’s fairly unusual for ransomware. He found that upon infecting a machine,

00:24:30.300 --> 00:24:35.400
one of the first things this ransomware does is try to go to a specific URL,

00:24:35.400 --> 00:24:41.940
a website. It’s a forty-character-long URL which just looks like gibberish. WannaCry would check

00:24:41.940 --> 00:24:48.180
if that URL exists and if it did, it would stop running immediately. It would not encrypt the

00:24:48.180 --> 00:24:53.040
computer. It would not try to propagate. It would just halt. This is called a kill switch.

00:24:53.040 --> 00:24:58.800
Whoever made this ransomware wanted a way to stop it if they had to, and I can imagine a

00:24:58.800 --> 00:25:02.820
scenario where this could be useful. Suppose whoever wrote this malware was working for

00:25:02.820 --> 00:25:07.380
a nation state and if they released this to the world and it accidentally infected their

00:25:07.380 --> 00:25:12.840
own country, yeesh, what a mess they’d have. If that started happening, the [00:25:00] hackers

00:25:12.840 --> 00:25:19.380
had a way to halt the entire thing worldwide by just making that URL active. [MUSIC] But

00:25:19.380 --> 00:25:24.660
when Marcus Hutchins found this URL in the code, he did a WHOIS lookup on it to see who owned it,

00:25:24.660 --> 00:25:31.800
and the domain was not registered. This was odd. You would think that whoever wrote this

00:25:31.800 --> 00:25:37.620
malware would have registered the kill switch in case they needed to use it. But it wasn’t

00:25:37.620 --> 00:25:49.500
owned by anyone. What does Marcus do? He registers the domain himself and makes the URL active.

00:25:49.500 --> 00:25:55.440
Instantaneously, the ransomware stopped infecting machines worldwide because as soon as a new

00:25:55.440 --> 00:26:00.420
computer would be infected, it would check to see if this domain was up. If so, it would stop. Any

00:26:00.420 --> 00:26:04.560
computers that were already infected were still infected, and any computers that couldn’t get

00:26:04.560 --> 00:26:09.900
to the URL would still become infected, but the number of new computers getting their hard drives

00:26:09.900 --> 00:26:17.940
encrypted almost completely stopped. Registering this kill switch turned off this attack. Marcus

00:26:17.940 --> 00:26:23.460
single-handedly stopped one of the largest ransomware outbreaks in history. He saved the

00:26:23.460 --> 00:26:29.460
world from hundreds of thousands more infections and billions of dollars more in damages. He became

00:26:29.460 --> 00:26:35.040
a bit of a legend for doing this. Here’s Marcus in an interview with The Telegraph a few days later.

00:26:35.040 --> 00:26:39.660
MARCUS: I’ve had people sort of inundating with messages thanking me, saying I’m a hero. I mean,

00:26:39.660 --> 00:26:44.820
I sort of just registered this domain for tracking and I didn’t intend for it to blow up and me to

00:26:44.820 --> 00:26:49.080
be all over the media. I was just doing my job and I don’t really think that I’m a hero at all.

00:26:49.080 --> 00:26:53.880
JACK: Quite suddenly, all this stopped. The malware completely lost its teeth and

00:26:53.880 --> 00:26:59.880
was just fizzling out quite abruptly. But a few days after that, a new variant of

00:26:59.880 --> 00:27:03.780
WannaCry started spreading, infecting one computer after another, and spreading in

00:27:03.780 --> 00:27:08.700
the same manner the first variant did. Matt Suiche immediately jumped on this version.

00:27:08.700 --> 00:27:15.480
MATT: I got the sample from @benkow_, analyzed it in a text like, less than a

00:27:15.480 --> 00:27:18.960
minute, because once you’re familiar with the malware, it’s quite a straightforward thing.

00:27:18.960 --> 00:27:22.380
JACK: Matt had a hunch that in order to start this ransomware back up,

00:27:22.380 --> 00:27:26.220
all they would have to do is just change the domain name of the kill switch and it would start

00:27:26.220 --> 00:27:30.780
working again. This would be easy to change. He wouldn’t even have to recompile the code;

00:27:30.780 --> 00:27:36.060
just change one character in the binary. So, this was one of the first things Matt looked for,

00:27:36.060 --> 00:27:40.560
whether the kill switch was there and what domain was it using? Sure enough,

00:27:40.560 --> 00:27:46.440
the kill switch was there, but this time it had a new domain name. Still a long forty-character

00:27:46.440 --> 00:27:52.080
string, but just a couple letters had changed. Well, Matt checked to see if that domain was

00:27:52.080 --> 00:27:56.566
registered, and to his astonishment, it wasn’t. So, he quickly got to work.

00:27:56.566 --> 00:28:00.060
MATT: [MUSIC] Extract the domain name and registered it, then I started to

00:28:00.060 --> 00:28:07.140
also build a platform around it to be able to collect data on the infection.

00:28:07.140 --> 00:28:11.520
JACK: Very quickly, he started seeing computers hitting his domain, checking if the kill switch

00:28:11.520 --> 00:28:15.960
was on or not. So, he began collecting data on this which gave him a firsthand

00:28:15.960 --> 00:28:19.980
look of what this malware was doing, where it was infecting machines, and how big it was getting.

00:28:19.980 --> 00:28:27.840
MATT: It is quite cool but the thing is, that one was not the main one. Even though it got

00:28:27.840 --> 00:28:35.880
registered very early, no major infection happened. I think it was between – even

00:28:35.880 --> 00:28:42.120
below one hundred at that point. It was in the low-hundred infection hit.

00:28:42.120 --> 00:28:46.860
JACK: Because Matt was paying close attention and knew where to look in the code, this malware

00:28:46.860 --> 00:28:53.760
didn’t have a chance to spread exponentially. Matt stopped it before it did any significant damage.

00:28:53.760 --> 00:28:58.860
But two days after that, another variant was released, and this time it was a security team

00:28:58.860 --> 00:29:03.600
at a company called Check Point that saw the new kill switch and nobody had registered that domain,

00:29:03.600 --> 00:29:07.800
either. So, Check Point registered it. Quite quickly too, which meant not many machines

00:29:07.800 --> 00:29:12.420
got infected with that version, either. Then, a few days later, a fourth variant showed up,

00:29:12.420 --> 00:29:16.860
and this time it did not have a kill switch which meant there was no easy way to stop it.

00:29:16.860 --> 00:29:22.140
This one had the potential of ripping through millions of computers and infecting them,

00:29:22.140 --> 00:29:27.180
but I don’t think this one was very aggressive because we didn’t really see it do anything.

00:29:27.180 --> 00:29:32.820
It never really got in the wild and spread. I guess by the time this variant was released,

00:29:32.820 --> 00:29:36.780
antivirus companies had already detected it and put out signatures for it,

00:29:36.780 --> 00:29:40.800
and people were patching their computers more, or at least closed that port on the network. So,

00:29:40.800 --> 00:29:45.420
even without a kill switch, this new variant did not have a substantial impact. Since then,

00:29:45.420 --> 00:29:50.760
this malware has significantly died down. We have the people who found these kill switches

00:29:50.760 --> 00:29:56.760
and registered them to thank for stopping this from engulfing a large portion of the internet.

00:29:56.760 --> 00:30:07.320
MATT: But that kill switch, I kept for around a year. It had a few million hits pretty easily,

00:30:07.320 --> 00:30:16.200
enough that one of us – well, I don’t really want to just manage it [00:30:00] on my own because the

00:30:16.200 --> 00:30:22.080
platform and everything. I was like well, I’m not really sure of what to do with this data anymore

00:30:22.080 --> 00:30:27.840
at this point because I don’t think it’s of any interest for anyone. I reached out to Microsoft

00:30:27.840 --> 00:30:35.880
Domestic Team, and I was like oh, do you guys want that kill switch from WannaCry? I think it would

00:30:35.880 --> 00:30:44.820
be in better hands if it’s with you, you know? Just so you can keep archiving it or something.

00:30:44.820 --> 00:30:51.540
They were okay for it. Actually, they had to step back and say well, the legal department

00:30:51.540 --> 00:30:58.200
says it’s too much of a risk. We cannot take it. At the end of the day, they didn’t take it.

00:30:58.200 --> 00:31:04.500
The people from the Chronicle security at Google said to take it and then I just gave it to them.

00:31:04.500 --> 00:31:10.426
But I thought it was quite funny that Microsoft could not take it because of legal, you know?

00:31:10.426 --> 00:31:14.280
JACK: [MUSIC] The estimate is that WannaCry infected 230,000

00:31:14.280 --> 00:31:21.120
computers in 150 countries. How many of those infected people paid up? 330 which,

00:31:21.120 --> 00:31:30.360
added up, means whoever did this made $140,000 worth of Bitcoin.

00:31:30.360 --> 00:31:35.940
Who did this? Well, let’s listen to a statement given by the US Department of Justice.

00:31:35.940 --> 00:31:42.060
DOJ: We have unsealed criminal charges against a North Korean computer programmer for participating

00:31:42.060 --> 00:31:48.360
in a conspiracy that conducted sophisticated cyber-attacks around the world on behalf of

00:31:48.360 --> 00:31:54.240
the North Korean government. Members of the conspiracy are responsible for some of the

00:31:54.240 --> 00:32:01.140
most damaging and most well-known cyber intrusions in history including the cyber-attack targeting

00:32:01.140 --> 00:32:08.580
Sony Pictures, the cyber-heist of Bangladesh Bank, and creating the WannaCry ransomware.

00:32:08.580 --> 00:32:13.320
JACK: There you go; North Korea did this. Specifically,

00:32:13.320 --> 00:32:17.400
they’re charging the same person for the Sony hack, Bangladesh Bank hack,

00:32:17.400 --> 00:32:23.700
and this WannaCry ransomware. Park Jin Hyok is the person named in the indictment. In fact,

00:32:23.700 --> 00:32:29.100
he’s now one of the FBI’s Cyber’s Most Wanted. As people investigated this further, they

00:32:29.100 --> 00:32:34.320
found there were earlier versions of WannaCry that hadn’t been effective because they weren’t using

00:32:34.320 --> 00:32:41.340
EternalBlue which hadn’t been released yet. But on May 9th of 2017, a company called RiskSense

00:32:41.340 --> 00:32:47.340
published a proof-of-concept using EternalBlue as an exploit. They even included source code and

00:32:47.340 --> 00:32:55.140
explained how to use it. Three days later, the new version of WannaCry with EternalBlue was released.

00:32:55.140 --> 00:33:00.180
It looks like the same code was used in this malware, so it seems to me that someone in

00:33:00.180 --> 00:33:05.160
North Korea saw the blog post by RiskSense, copied the code from it into their existing

00:33:05.160 --> 00:33:09.240
WannaCry ransomware, and released it on the world three days later.

00:33:09.240 --> 00:33:14.820
It’s hard to point fingers here. Yeah, North Korea is who pulled the trigger on all this. Okay,

00:33:14.820 --> 00:33:20.580
but they may not have done that if they didn’t see the blog post by RiskSense. But RiskSense

00:33:20.580 --> 00:33:24.240
wouldn’t have published that blog post if it wasn’t for the Shadow Brokers releasing

00:33:24.240 --> 00:33:27.600
EternalBlue to the world. But Shadow Brokers wouldn’t have released

00:33:27.600 --> 00:33:32.040
EternalBlue if it wasn’t for the NSA creating it to begin with, and EternalBlue would have

00:33:32.040 --> 00:33:36.960
never existed if Microsoft just would have caught the bug during development and testing.

00:33:36.960 --> 00:33:41.760
It’s a weird series of events that led up to this massive ransomware campaign,

00:33:41.760 --> 00:33:46.560
but then was ultimately stopped because they forgot to register the domain of the

00:33:46.560 --> 00:33:51.360
kill switch. [MUSIC] The Department of Justice showed how they found artifacts in the different

00:33:51.360 --> 00:33:57.060
variants of the WannaCry malware which led them to believe it was launched by someone in North Korea.

00:33:57.060 --> 00:34:01.380
But I’m willing to bet that they’re leaving out some key evidence which squarely points

00:34:01.380 --> 00:34:07.380
to North Korea behind this. The thing is, if the US shows what evidence they have, it might burn

00:34:07.380 --> 00:34:13.980
their spy channels into North Korea. They have to be very careful on how much they reveal. The

00:34:13.980 --> 00:34:20.220
indictment reads like a typical digital forensic analysis; you see IP addresses, malware analyzed,

00:34:20.220 --> 00:34:25.020
user agents, and so many more details that they were able to collect. When the DOJ followed

00:34:25.020 --> 00:34:32.220
all these threads, it led them to North Korea. Who’s this Park Jin Hyok guy in the indictment?

00:34:32.220 --> 00:34:36.840
Well, a journalist for ZDNet, Catalin Cimpanu, really helped me understand

00:34:36.840 --> 00:34:40.680
this better because he mapped it out and started connecting the dots. This

00:34:40.680 --> 00:34:46.080
guy Park went from North Korea to China in 2013 to study programming. Specifically,

00:34:46.080 --> 00:34:52.620
Java, PHP, and Visual C++. At the time, Park was working for a company called Chosun Expo Joint

00:34:52.620 --> 00:34:58.020
Ventures which is supposedly a company handling e-commerce and lottery services for North Korea.

00:34:58.020 --> 00:35:04.440
In 2014, Park returned to North Korea and shortly after his return, North Korea launched a bunch of

00:35:04.440 --> 00:35:09.180
hacking campaigns. Not to mention, most of the malware used in North Korea was written

00:35:09.180 --> 00:35:13.320
in the same programming language Park had studied in China. [00:35:00] Now,

00:35:13.320 --> 00:35:17.100
to carry out these attacks, the hackers had to get servers to use for command and control.

00:35:17.100 --> 00:35:22.320
Obviously, they didn’t want to use a server in North Korea, so they rented a server from

00:35:22.320 --> 00:35:27.300
somewhere else in the world. Now, to rent the server, you had to have an e-mail address. So, the

00:35:27.300 --> 00:35:31.980
Department of Justice began submitting warrants to figure out what e-mail addresses were registering

00:35:31.980 --> 00:35:37.260
these servers. On top of that, there were some phishing attacks which also used e-mails. The

00:35:37.260 --> 00:35:43.560
DOJ was able to get these details and compile all these e-mail addresses during their investigation.

00:35:43.560 --> 00:35:47.760
Let’s take a look at these e-mail addresses. I count thirty different e-mail addresses in the

00:35:47.760 --> 00:35:54.000
indictment. Most of them are Gmail accounts, with a few being Hotmail and AOL. Well, since

00:35:54.000 --> 00:35:59.460
Google is a US-based company, the DOJ can get a warrant and then ask Google for information about

00:35:59.460 --> 00:36:04.800
these Gmail accounts. From there, they’re able to see what accounts they were connected to and what

00:36:04.800 --> 00:36:09.060
IP addresses were logging into them, and what browsers were used, and all this kind of stuff.

00:36:09.060 --> 00:36:15.000
Six of these accounts had used the name Kim Hyon Woo. As you dig into that,

00:36:15.000 --> 00:36:20.940
you start seeing connections to Park. Like, both Kim and Park’s accounts had access to the same

00:36:20.940 --> 00:36:27.300
files and sent mail between each other. The DOJ saw enough evidence to believe that Kim Hyon Woo

00:36:27.300 --> 00:36:34.020
was an alias of Park Jin Hyok. So, Kim wasn’t even a real person. Then when they followed the clues,

00:36:34.020 --> 00:36:39.180
they saw that Kim was the person who registered so many of these servers and sent phishing e-mails.

00:36:39.180 --> 00:36:43.200
They know this because they see commonalities in IP addresses and access to those Gmail accounts,

00:36:43.200 --> 00:36:46.920
and the browsers used to access them, and connected accounts. All these

00:36:46.920 --> 00:36:52.080
things together make it clear that the same person owned all these e-mail addresses. So,

00:36:52.080 --> 00:36:57.780
it seems that over the course of four years during which Park used thirty different e-mail addresses,

00:36:57.780 --> 00:37:04.800
he made a few mistakes where he accidentally connected his real name to his fake persona.

00:37:04.800 --> 00:37:10.980
That’s how the feds figured out who was behind this. The FBI also followed the money. All that

00:37:10.980 --> 00:37:15.420
Bitcoin, where did it go? Well, it was held in a crypto-wallet at first and then transferred to a

00:37:15.420 --> 00:37:19.980
Bitcoin exchange. I’m assuming the FBI got logs from the exchange which showed them that whoever

00:37:19.980 --> 00:37:25.620
accessed the wallet was running Firefox Version 52.0 on Windows 7. At the Bitcoin exchange,

00:37:25.620 --> 00:37:30.660
they transferred the Bitcoin to Monero, which is another type of cryptocurrency. This has

00:37:30.660 --> 00:37:35.520
extra security features like the amount of coins sent is hidden and a random one-time address is

00:37:35.520 --> 00:37:40.620
created for each transaction. Once the money is converted to Monero, it’s extra-hard to track,

00:37:40.620 --> 00:37:45.180
if not impossible. What else do we really know about these North Korean hackers?

00:37:45.180 --> 00:37:49.740
Well, it’s hard to get any good information out of there since it’s so secluded, but I looked

00:37:49.740 --> 00:37:54.540
into this and found some extra stuff. First, the intelligence agency of North Korea is known as the

00:37:54.540 --> 00:37:59.820
Reconnaissance General Bureau. This is a military branch that conducts clandestine operations. Now,

00:37:59.820 --> 00:38:04.260
within the Reconnaissance General Bureau is another branch called Bureau 121,

00:38:04.260 --> 00:38:10.200
and Bureau 121 is where we believe North Korean hackers are working from. People in the security

00:38:10.200 --> 00:38:15.360
community call the North Korean hackers The Lazarus Group. There are a couple North Korean

00:38:15.360 --> 00:38:20.400
defectors that have helped us understand what goes on there in pretty good detail. First is

00:38:20.400 --> 00:38:25.560
Kim Heung-kwang. He was a professor at the university at the capital. He says students

00:38:25.560 --> 00:38:31.440
study computer hacking in this school and then are hand-picked to go to work at Bureau 121.

00:38:31.440 --> 00:38:36.300
There’s also a defector named Jang Se-yul. He went to school to study computer science

00:38:36.300 --> 00:38:42.660
at the same college where Bureau 121 recruits people from. He says Bureau 121 has about 1,800

00:38:42.660 --> 00:38:47.400
people working in it, and those people are considered elite members of the military.

00:38:47.400 --> 00:38:52.320
They’re trained just like any other hacker would be; they learn how different operating systems

00:38:52.320 --> 00:38:57.780
work, how to program, how to use attack tools, and everything in between. North Korea’s main

00:38:57.780 --> 00:39:03.660
attack targets seem to be South Korea, Japan, and the United States. But as you heard, they

00:39:03.660 --> 00:39:09.240
have no problem unleashing huge attacks in other parts of the world. Now, when North Korean hackers

00:39:09.240 --> 00:39:14.640
wage their attacks, they often physically travel out of North Korea to do it. They’ll go to Nepal,

00:39:14.640 --> 00:39:20.400
India, Kenya, Mozambique, or China to wage their attacks because the internet in North Korea is

00:39:20.400 --> 00:39:26.100
pretty locked down, and there’s so many people watching what goes in and out of North Korea.

00:39:26.100 --> 00:39:30.960
Stuff can just be easily tracked if they do anything from there so they physically get

00:39:30.960 --> 00:39:36.360
out of the country, then proxy around from there. There are actually quite a few North Koreans who

00:39:36.360 --> 00:39:40.320
are able to leave the country. I mean, North Korea competes in the Olympics and has a whole

00:39:40.320 --> 00:39:45.540
cheering squad and everything. North Korea attends United Nations meetings. North Korea has dozens of

00:39:45.540 --> 00:39:50.640
embassies all over the world, [MUSIC] and North Korea also sends hackers to other countries to

00:39:50.640 --> 00:39:58.140
hack. Currently, India seems to be the preferred place from which to launch their attacks.

00:39:58.140 --> 00:40:03.000
North Korea always fascinates me which is why I wanted to do this three-part series

00:40:03.000 --> 00:40:08.640
on them. At the same time, I think places like the US are trying to hack into North Korea too,

00:40:08.640 --> 00:40:12.480
mainly to see how advanced their weapons systems are and to monitor that.

00:40:12.480 --> 00:40:17.160
[00:40:00] But it’s just so weird to think about the differences of why the US hacks North Korea

00:40:17.160 --> 00:40:22.560
and why North Korea hacks the US. The US is hacking into North Korea to keep an eye on

00:40:22.560 --> 00:40:27.480
their intercontinental ballistic missiles, but North Korea hacks into the US to try

00:40:27.480 --> 00:40:33.060
to stop a movie from being made which makes fun of North Korea. Whenever we see a cyber-attack,

00:40:33.060 --> 00:40:37.620
the hackers usually fall into one of three categories. It’s either hacktivism, like

00:40:37.620 --> 00:40:43.080
doing it for a bigger cause, cyber-crime, which is doing it to make money, or nation state hacking,

00:40:43.080 --> 00:40:49.500
like, doing it to spy. But the motives for North Korea seem to fall squarely in the

00:40:49.500 --> 00:40:57.540
center of all three of these. The Lazarus Group are hacktivists, criminals, and spies.

00:40:57.540 --> 00:41:03.000
But I think this is the perfect military strategy for North Korea. I mean, they’ve

00:41:03.000 --> 00:41:07.500
made millions of dollars from their hacking activities, and they’ve gotten away with it.

00:41:07.500 --> 00:41:12.360
They cause lots of damages to their enemies. Look how much damage they did to Sony,

00:41:12.360 --> 00:41:18.180
all without firing a single bullet or missile. The whole time, they can deny they did anything.

00:41:18.180 --> 00:41:23.880
Hacking seems to be the perfect weapon for North Korea since they can do it all remotely,

00:41:23.880 --> 00:41:29.160
hide under the cover of the internet, face a lot less consequences for their actions,

00:41:29.160 --> 00:41:37.980
and do it all at a fraction of the cost of kinetic warfare. In July 2020, the European Union imposed

00:41:37.980 --> 00:41:43.020
sanctions on North Korea. The report specifically mentioned that the Lazarus Group is who carried

00:41:43.020 --> 00:41:48.360
out the attacks on Sony, did the Bangladesh Bank heist, and conducted WannaCry. It says

00:41:48.360 --> 00:41:52.800
that there’s now a travel ban in effect because of that, as well as some assets being frozen.

00:41:52.800 --> 00:41:57.960
This is the first time ever that the EU has imposed sanctions on another country

00:41:57.960 --> 00:42:03.540
because of a cyber-attack. While I think it’s totally insane what North Korea has done,

00:42:03.540 --> 00:42:08.460
trying to steal billions of dollars, trying to threaten the free speech of a movie studio, and

00:42:08.460 --> 00:42:14.460
trying to destroy a large number of computers with WannaCry, I actually think this isn’t peak-crazy

00:42:14.460 --> 00:42:21.600
for what North Korea might do next. My guess is that I think we’ll see even more destructive

00:42:21.600 --> 00:42:27.360
attacks that may even result in loss of life. They obviously have the capability to cause

00:42:27.360 --> 00:42:32.100
some serious destruction, and they never seem to have any remorse for the damage they cause.

00:42:32.100 --> 00:42:36.720
We know they can be provoked to carry out physical attacks, so I think it’s just a matter

00:42:36.720 --> 00:42:44.340
of time before we see them unleash some kind of cyber-attack that causes major physical havoc.

00:42:44.340 --> 00:42:50.460
2017 was a busy year for information security professionals; to go from the

00:42:50.460 --> 00:42:54.900
Shadow Brokers releasing EternalBlue, then seeing WannaCry use it like this,

00:42:54.900 --> 00:43:00.720
and then the very next month, in June, is when NotPetya hit Ukraine which also used

00:43:00.720 --> 00:43:07.140
EternalBlue. The month after that, Equifax was breached. Hopefully these major attacks help

00:43:07.140 --> 00:43:12.120
us wake up to the dangers that many companies face while doing business online. Hopefully,

00:43:12.120 --> 00:43:16.140
we all learn from this and take our security a little bit more seriously,

00:43:16.140 --> 00:43:22.200
because we never know how crazy the hacker might be on the other end of that connection.

00:43:22.200 --> 00:43:29.760
(OUTRO): [OUTRO MUSIC]

00:43:29.760 --> 00:43:34.680
A big thank you to Dr. Tony Bleetman for coming on the show and telling us his story. Thanks John

00:43:34.680 --> 00:43:39.540
Hultquist, the senior director for intelligence and analysis at FireEye, and thanks Matt Suiche,

00:43:39.540 --> 00:43:44.520
CEO of Comae. You can find links to these people and what research they’ve done in the show notes

00:43:44.520 --> 00:43:49.020
or at darknetdiaries.com. Please remember, a lot of time and energy goes into making

00:43:49.020 --> 00:43:53.220
these episodes and I bring them all to you for free. If you’re getting value by listening,

00:43:53.220 --> 00:43:57.000
please consider donating to the show through Patreon. By supporting the show,

00:43:57.000 --> 00:44:00.960
it ensures we have enough resources to continue to bring you more great content.

00:44:00.960 --> 00:44:05.220
Oh, and as a thank-you, if you join Patreon, you get access to bonus episodes,

00:44:05.220 --> 00:44:12.240
too. So, check those out. Learn more at patreon.com/darknetdiaries. Thanks. Also,

00:44:12.240 --> 00:44:16.020
you’re invited to the Darknet Diaries Discord where you can chat with other listeners of the

00:44:16.020 --> 00:44:23.820
show. I like to pop in on there sometimes, too. To join us, visit discord.gg/darknetdiaries. This

00:44:23.820 --> 00:44:31.140
show is made by me, the slow coder, Jack Rhysider. Sound design and original music was created by the

00:44:31.140 --> 00:44:35.400
always-encrypted Garrett Tiedemann, editing help this episode by the devilish Damienne,

00:44:35.400 --> 00:44:40.740
and our theme music is by the raucous Breakmaster Cylinder. Even though when I meet up with my

00:44:40.740 --> 00:44:46.920
other tinfoil hat-wearing friends, I secretly use aluminum foil, this is Darknet Diaries.
