WEBVTT

00:00:00.650 --> 00:00:02.730
JACK: Hey there, did I surprise you?

00:00:02.730 --> 00:00:05.069
I release episodes of this show every other week.

00:00:05.069 --> 00:00:06.490
That’s two episodes a month, right?

00:00:06.490 --> 00:00:09.290
So, why do we have an episode here, in the off-week?

00:00:09.290 --> 00:00:14.550
Well, there’s this company called Cybereason who are big fans of this show and they wanted

00:00:14.550 --> 00:00:16.910
to bring you an extra episode.

00:00:16.910 --> 00:00:21.970
So, a deal was made which means this entire episode is brought to you by Cybereason.

00:00:21.970 --> 00:00:26.180
I’ve never done anything like this before and so I want to be clear; this episode is

00:00:26.180 --> 00:00:28.970
only here because Cybereason sponsored it.

00:00:28.970 --> 00:00:33.840
But I’m excited because it’s a fantastic story that links back to one of my most popular

00:00:33.840 --> 00:00:34.840
episodes.

00:00:34.840 --> 00:00:38.770
You’re gonna hear from their CEO who has quite the back story and later in the episode,

00:00:38.770 --> 00:00:42.590
we’re gonna hear a story from their threat research team who investigates and uncovers

00:00:42.590 --> 00:00:46.500
malicious activity, and they’ll tell us about a time when they found a threat actor

00:00:46.500 --> 00:00:48.620
lurking in someone’s e-mails.

00:00:48.620 --> 00:00:54.590
They spent months tracking that threat actor which they called Molerats in the Cloud.

00:00:54.590 --> 00:01:02.699
(INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet.

00:01:02.699 --> 00:01:07.939
I’m Jack Rhysider.

00:01:07.939 --> 00:01:11.640
This is Darknet Diaries.

00:01:11.640 --> 00:01:19.340
[INTRO MUSIC ENDS]

00:01:19.340 --> 00:01:26.200
JACK: Okay, so let’s get started.

00:01:26.200 --> 00:01:28.850
Can you just tell us your name and who are you?

00:01:28.850 --> 00:01:33.710
LIOR: Hi, I’m Lior Div, the CEO and co-founder of Cybereason.

00:01:33.710 --> 00:01:37.380
JACK: Yeah, I got the CEO of Cybereason on for this.

00:01:37.380 --> 00:01:39.770
I’m not messing around here; going right to the top.

00:01:39.770 --> 00:01:43.590
But the reason why I wanted to talk with Lior is not so much to hear about his company,

00:01:43.590 --> 00:01:46.549
but I’m fascinated with what he did before that.

00:01:46.549 --> 00:01:51.570
LIOR: Basically, my story starts at the age of sixteen.

00:01:51.570 --> 00:01:54.860
For years I really wanted to be a combat pilot.

00:01:54.860 --> 00:01:59.960
JACK: Here’s the thing; Lior grew up in Israel and it’s mandatory for everyone in

00:01:59.960 --> 00:02:02.320
Israel to serve in the military.

00:02:02.320 --> 00:02:06.920
So, he knew he was going in and was hoping he would be picked to fly jets.

00:02:06.920 --> 00:02:11.900
LIOR: So basically, there is a very rigorous kind of list of tests that you need to go

00:02:11.900 --> 00:02:12.900
through.

00:02:12.900 --> 00:02:19.930
So, at the beginning, we were, I think, probably a thousand people doing the first

00:02:19.930 --> 00:02:20.930
test.

00:02:20.930 --> 00:02:28.819
I did not know back then which unit or what occupation specifically the test was for.

00:02:28.819 --> 00:02:33.940
After that, they cut it by half and it was five hundred people, then from the five hundred

00:02:33.940 --> 00:02:36.690
they cut it again to a hundred people.

00:02:36.690 --> 00:02:40.830
From the hundred people, they choose twenty people and out of the twenty, they choose

00:02:40.830 --> 00:02:41.830
four.

00:02:41.830 --> 00:02:44.930
JACK: He did not get assigned to become a combat pilot, though.

00:02:44.930 --> 00:02:47.640
Lior was assigned to work in Unit 8200.

00:02:47.640 --> 00:02:56.000
LIOR: At the beginning, I was very disappointed because I had a very clear vision of what

00:02:56.000 --> 00:02:57.500
I want to do.

00:02:57.500 --> 00:03:06.190
Hindsight 20/20, I’m super happy that I was chosen to go to the 8200 Unit and not

00:03:06.190 --> 00:03:07.480
to do other things.

00:03:07.480 --> 00:03:15.350
I think that in a sense, they knew better than I did what I am better at and directed

00:03:15.350 --> 00:03:17.140
me in this direction.

00:03:17.140 --> 00:03:20.599
I think that after all the tests that they did, they know you very well.

00:03:20.599 --> 00:03:25.060
I’m joking sometimes when I’m saying probably they know you better than you know yourself.

00:03:25.060 --> 00:03:29.160
JACK: So, no matter what you’re assigned to do in the Israeli military, you must first

00:03:29.160 --> 00:03:30.209
do basic training.

00:03:30.209 --> 00:03:33.801
You have to wear the military gear, do your push-ups and running, and learn how to use

00:03:33.801 --> 00:03:35.430
a weapon and that sort of thing.

00:03:35.430 --> 00:03:41.280
But once all that’s done, he reported for duty with Unit 8200 which is sort of like

00:03:41.280 --> 00:03:42.980
Israel’s version of the NSA.

00:03:42.980 --> 00:03:48.519
LIOR: Back then, I did not know that we were talking about the 8200 Unit.

00:03:48.519 --> 00:03:49.750
It was super classified.

00:03:49.750 --> 00:03:55.890
This is before the days that you could read all about this unit on Wikipedia.

00:03:55.890 --> 00:04:03.450
[MUSIC] I think that only a month after I joined the army, I realized that we’re talking

00:04:03.450 --> 00:04:09.000
about this unit and kind of started to understand what the unit is all about.

00:04:09.000 --> 00:04:13.810
This unit is basically focusing on the field of signal intelligence.

00:04:13.810 --> 00:04:17.310
JACK: So, he joined Unit 8200 back in the late 90s.

00:04:17.310 --> 00:04:20.170
Yeah, it was a very secret organization back then.

00:04:20.170 --> 00:04:24.810
Not only did the world not know about it but even people who worked in 8200 could not even

00:04:24.810 --> 00:04:28.250
tell their family what unit they were working in.

00:04:28.250 --> 00:04:33.060
As a kid, Lior was fascinated with wireless technology and especially how cell phones

00:04:33.060 --> 00:04:34.060
worked.

00:04:34.060 --> 00:04:37.850
LIOR: For me, it was fascinating because it’s like, all those things that I was fascinated

00:04:37.850 --> 00:04:43.169
by as a kid, to really understand how things work and try to manipulate them.

00:04:43.169 --> 00:04:49.820
Suddenly there is a full unit that’s focusing on this field, very smart people and very

00:04:49.820 --> 00:04:50.820
creative.

00:04:50.820 --> 00:04:55.370
But the story is not ending there; it’s just starting there.

00:04:55.370 --> 00:05:04.229
The unit has a very unique way to take people right out of high school and basically teach

00:05:04.229 --> 00:05:09.150
them all the things that they need to do in order to be an expert in something.

00:05:09.150 --> 00:05:15.140
At the beginning you are not an expert but you gain your knowledge, so in my case it

00:05:15.140 --> 00:05:24.100
basically was six months of very, very rigorous training, where every week we were learning

00:05:24.100 --> 00:05:26.669
something different.

00:05:26.669 --> 00:05:29.650
At the end of this week, you need to have a test.

00:05:29.650 --> 00:05:31.970
If you pass the test, you can go home.

00:05:31.970 --> 00:05:34.949
If not, you stay and you need to pass the test.

00:05:34.949 --> 00:05:37.169
There is no option not to pass it.

00:05:37.169 --> 00:05:45.229
You end up having a very, very large understanding and knowledge when it comes

00:05:45.229 --> 00:05:50.780
to technology, everything from how a cellular network works, how the internet works.

00:05:50.780 --> 00:05:55.419
You know, how a computer works and what you need to know in order to write a Python

00:05:55.419 --> 00:05:58.360
script, write code, and so on so forth.

00:05:58.360 --> 00:06:03.690
JACK: He can’t go into specifics about what he did there but what’s public knowledge

00:06:03.690 --> 00:06:09.479
about Unit 8200 is that they’re the signals intelligence branch of the Israeli military.

00:06:09.479 --> 00:06:12.970
So, they’re code-makers and code-breakers.

00:06:12.970 --> 00:06:17.639
In the modern era, they’re using computers and technology to collect intelligence which

00:06:17.639 --> 00:06:20.900
sometimes means hacking into the adversary.

00:06:20.900 --> 00:06:26.430
Lior was part of an advanced persistent threat, or nation state actor.

00:06:26.430 --> 00:06:30.960
From the inside he was learning a lot about how cyber-attacks work.

00:06:30.960 --> 00:06:33.479
He spent six years in Unit 8200.

00:06:33.479 --> 00:06:37.740
The requirement is only to stay a year or two but Lior was really into it, so he stayed

00:06:37.740 --> 00:06:38.740
longer.

00:06:38.740 --> 00:06:41.630
He was promoted to officer and even captain before leaving.

00:06:41.630 --> 00:06:44.729
LIOR: The 8200, that was kind of the beginning of my career.

00:06:44.729 --> 00:06:50.039
After six years in the army, I went to the university.

00:06:50.039 --> 00:06:54.060
Over there, it’s kind of in the reverse; over there, you are getting your knowledge

00:06:54.060 --> 00:06:58.380
or the theoretical knowledge that you need but probably you already know the majority

00:06:58.380 --> 00:07:00.780
of it because of your hands-on experience.

00:07:00.780 --> 00:07:05.370
JACK: From there he got a job at a tech startup which got bought out by a larger company.

00:07:05.370 --> 00:07:09.680
LIOR: Then, basically I established my own company.

00:07:09.680 --> 00:07:16.950
This company eventually was a company that focused on the field of hacking, cracking,

00:07:16.950 --> 00:07:19.750
reverse-engineering, you name it.

00:07:19.750 --> 00:07:26.570
Eventually, this company was providing services to different government agencies.

00:07:26.570 --> 00:07:31.980
JACK: This company would provide services for intelligence agencies in Israel.

00:07:31.980 --> 00:07:37.229
So, Lior got to work with some pretty secret and classified missions there, learning advanced

00:07:37.229 --> 00:07:42.319
ways to hack, crack, reverse-engineer, and more, and providing these services to intelligence

00:07:42.319 --> 00:07:43.319
agencies.

00:07:43.319 --> 00:07:51.259
LIOR: So, the work that we used to do is – sometimes I’m joking about it – is take things that

00:07:51.259 --> 00:07:55.900
by definition are impossible and make them possible.

00:07:55.900 --> 00:08:01.310
Usually what’s happening – you have a mission that you need to get information or

00:08:01.310 --> 00:08:08.000
you need to manipulate information or you need to gain access to a specific type of

00:08:08.000 --> 00:08:13.389
knowledge and in order to get it, first you have to understand where this knowledge

00:08:13.389 --> 00:08:14.400
exists.

00:08:14.400 --> 00:08:21.830
But then once you understand that thing, you have to plan and execute an operation basically

00:08:21.830 --> 00:08:22.930
soup to nuts.

00:08:22.930 --> 00:08:29.130
[MUSIC] For example, you will have a team that focuses on deception, meaning that if it

00:08:29.130 --> 00:08:35.220
wants to go into an asset and collect information – but you know that they are gonna protect

00:08:35.220 --> 00:08:36.390
themselves very well.

00:08:36.390 --> 00:08:41.450
JACK: Okay, I find this interesting; when hackers use deception as part of their methods.

00:08:41.450 --> 00:08:45.790
Lior’s team had a mission to get into someone’s computer but if he just launches an attack

00:08:45.790 --> 00:08:49.970
from his office, that can easily be traced back to him so he doesn’t want to do that.

00:08:49.970 --> 00:08:54.440
The target can’t know who he is, so he has to be tricky.

00:08:54.440 --> 00:08:58.290
One way to be deceptive is to get his team to distract the target.

00:08:58.290 --> 00:09:02.829
LIOR: Let’s say that they are doing a massive DDoS attack on them; they will think that

00:09:02.829 --> 00:09:09.140
this is what’s happening but on the back end of this DDoS attack, actually there is

00:09:09.140 --> 00:09:14.990
the real hacking going on and somebody has managed to install let’s say a piece of

00:09:14.990 --> 00:09:18.220
software on one of their machines and have the initial access.

00:09:18.220 --> 00:09:21.110
JACK: Ah, that’s an interesting way to do it.

00:09:21.110 --> 00:09:25.339
When you’re breaking into an adversary’s computer, you want to be as quiet and sneaky

00:09:25.339 --> 00:09:26.880
as possible, right?

00:09:26.880 --> 00:09:29.940
Well, Lior here decided to do the opposite.

00:09:29.940 --> 00:09:34.279
He wanted to ring alarms but he wanted to ring so many alarms that when he did break

00:09:34.279 --> 00:09:38.910
into the computer, he would just be able to hide in the noise which is one way to get

00:09:38.910 --> 00:09:39.910
in undetected.

00:09:39.910 --> 00:09:44.180
LIOR: But usually, most of the stories are stopping when we’re talking about the initial

00:09:44.180 --> 00:09:50.329
access but in reality the penetration, the first act of going in and having a foothold

00:09:50.329 --> 00:09:54.160
in an environment, this is just the beginning of an operation.

00:09:54.160 --> 00:09:56.041
That’s not the end.

00:09:56.041 --> 00:10:02.260
Usually from that point there is a very lengthy process that you have to do in order to first

00:10:02.260 --> 00:10:08.269
understand where you landed, what asset you have, and then the ability to

00:10:08.269 --> 00:10:12.740
move from one machine to another machine in order to map the environment.

00:10:12.740 --> 00:10:17.880
The most important piece is to really locate the data that you need and start to collect

00:10:17.880 --> 00:10:19.060
it.

00:10:19.060 --> 00:10:23.720
Even once you find the data and you manage to collect it, the operation has not ended

00:10:23.720 --> 00:10:29.330
because then you have to exfiltrate the data outside of the organization and that, by itself,

00:10:29.330 --> 00:10:35.560
can be a separate operation to do because just to get the data, this is one thing but

00:10:35.560 --> 00:10:39.250
the ability to take it out, it’s another thing.

00:10:39.250 --> 00:10:46.070
But this is another false notion that people think that the operation is starting and ending

00:10:46.070 --> 00:10:51.680
and then hackers go out and that’s it, but in reality when you talk about government

00:10:51.680 --> 00:10:56.930
against government, once you manage to go in, you want to stay in.

00:10:56.930 --> 00:11:02.550
You don’t want to go out and you want to have the ability to keep collecting information

00:11:02.550 --> 00:11:07.180
and you want the ability to keep doing it.

00:11:07.180 --> 00:11:11.360
Even if somebody finds you and you need to clear the environment and go out, you want

00:11:11.360 --> 00:11:16.680
to make sure that you have backdoors to go in every time again and again.

00:11:16.680 --> 00:11:20.750
JACK: According to Lior’s bio, it says he’s an expert in hacking operations, forensics,

00:11:20.750 --> 00:11:23.279
reverse-engineering, malware analysis, cryptography, and evasion.

00:11:23.279 --> 00:11:30.950
Yeah, evasion; that’s the practice of not being caught or stopped, like evading antivirus

00:11:30.950 --> 00:11:33.980
detections and hiding your tracks and being unseen in the network.

00:11:33.980 --> 00:11:38.820
But yeah, looking back at the experience he got from being in Unit 8200 and then formal

00:11:38.820 --> 00:11:43.100
studies of computer science at a university and then working with intelligence agencies

00:11:43.100 --> 00:11:47.630
to conduct secret missions, yeah, I’d say Lior is an expert hacker.

00:11:47.630 --> 00:11:59.399
LIOR: As part of my time in those different units, I received a medal of honor for one

00:11:59.399 --> 00:12:06.870
of – it was a very strategic operation that we needed to plan and execute.

00:12:06.870 --> 00:12:10.450
Needless to say that we cannot go through the details of it.

00:12:10.450 --> 00:12:18.240
Maybe one day we will be but for me, it was fascinating to understand that with enough

00:12:18.240 --> 00:12:26.830
creativity and ingenuity, you can manipulate almost any network that exists out there and

00:12:26.830 --> 00:12:31.060
almost bend physics to your benefits.

00:12:31.060 --> 00:12:38.600
For me, to be part of this type of capabilities, it’s kind of proving to yourself.

00:12:38.600 --> 00:12:43.380
But it’s not just about me; it’s about the team, that we were working together, that

00:12:43.380 --> 00:12:49.490
if you really want to achieve something and you have the time and resources and creativity,

00:12:49.490 --> 00:12:52.070
you can almost bend physics to your benefit.

00:12:52.070 --> 00:12:56.620
I think that in that situation, we managed to do that.

00:12:56.620 --> 00:13:01.960
I was super proud of the team and the execution of the mission back then.

00:13:01.960 --> 00:13:06.750
JACK: What’s interesting is Lior was helping the Israeli intelligence units when Stuxnet

00:13:06.750 --> 00:13:07.840
was going on.

00:13:07.840 --> 00:13:10.510
If you’re not familiar with Stuxnet, check out Episode 29.

00:13:10.510 --> 00:13:14.860
But this was an attack on an Iranian nuclear enrichment facility in order to thwart their

00:13:14.860 --> 00:13:16.490
enrichment process.

00:13:16.490 --> 00:13:21.279
This virus literally made its way into the centrifuges to degrade them which is just

00:13:21.279 --> 00:13:25.820
phenomenal because nothing in the enrichment facility was connected to the internet, so

00:13:25.820 --> 00:13:29.680
how could hackers get all the way into the centrifuges and then have this malware run

00:13:29.680 --> 00:13:32.290
all by itself without any remote control?

00:13:32.290 --> 00:13:33.290
That’s just incredible.

00:13:33.290 --> 00:13:39.290
Now, of course Stuxnet is classified super tight, but the circumstantial evidence shows

00:13:39.290 --> 00:13:42.660
that the US and Israel were behind this attack.

00:13:42.660 --> 00:13:46.800
So, I just wonder if Lior had anything to do with that.

00:13:46.800 --> 00:13:50.149
But of course, I can’t ask him.

00:13:50.149 --> 00:13:52.899
But he does think that Stuxnet changed the world.

00:13:52.899 --> 00:13:59.529
LIOR: I think that Stuxnet was the first time that people got a real demonstration of how

00:13:59.529 --> 00:14:06.959
you can leverage software and code in order to achieve military or government goals.

00:14:06.959 --> 00:14:13.790
That was the first time that people managed to see on a large scale the ability to leverage

00:14:13.790 --> 00:14:22.000
in order to create a link between the cyber world and the physical world and actually

00:14:22.000 --> 00:14:27.399
to achieve results in the physical world while you’re leveraging software.

00:14:27.399 --> 00:14:32.800
‘Til that point, there was no real big demonstration of this capability.

00:14:32.800 --> 00:14:34.230
There were a lot of theoretical ones.

00:14:34.230 --> 00:14:39.970
If we’re talking about an isolated network, air gapped and it has no connection to the

00:14:39.970 --> 00:14:42.850
internet, then it becomes almost like magic.

00:14:42.850 --> 00:14:52.850
The fascinating thing was that this virus or worm was not manually operated, meaning

00:14:52.850 --> 00:14:58.560
it was dormant and once it understood that it was on the target machine, it started

00:14:58.560 --> 00:15:02.310
to run automatically and do whatever it needed to do.

00:15:02.310 --> 00:15:05.160
Zero communication to the outside world.

00:15:05.160 --> 00:15:09.839
The combination of all those things together kind of created – I believe sparked the

00:15:09.839 --> 00:15:18.769
imagination of people and for me and my two co-founders, we just knew that from that moment

00:15:18.769 --> 00:15:23.750
people will understand that there is a different type of problem out there, that we’re not

00:15:23.750 --> 00:15:29.699
talking about IT security anymore, that when there are attackers that are kind of really

00:15:29.699 --> 00:15:33.530
determined to go after a target, they will be able to do that.

00:15:33.530 --> 00:15:40.410
We knew from our personal background that this is the reality and it’s not a mystery.

00:15:40.410 --> 00:15:48.029
So, for us, we decided that this is the time to basically do something because we knew

00:15:48.029 --> 00:15:54.139
that, at that moment, the adversary has an advantage and we said to ourselves

00:15:54.139 --> 00:15:56.720
we have to reverse the adversary advantage.

00:15:56.720 --> 00:16:01.459
We have to give back the power to the defenders in order to do something.

00:16:01.459 --> 00:16:07.149
In order to do that, we said look, we’re gonna take the massive amount of years that

00:16:07.149 --> 00:16:13.699
we have and really understand how hackers work, like really, by viewing it from

00:16:13.699 --> 00:16:20.220
the first-row seat and take all the knowledge that we have to be able to create

00:16:20.220 --> 00:16:22.029
something new, a new mindset.

00:16:22.029 --> 00:16:27.210
JACK: What he determined is defenders don’t have enough indicators to detect attacks.

00:16:27.210 --> 00:16:31.790
I mean, if Lior was able to bypass antivirus, evade intrusion detection tools and then plant

00:16:31.790 --> 00:16:36.569
himself in a system for a long period of time without being detected, then yeah, he knows

00:16:36.569 --> 00:16:41.779
defenders are unable to detect him and what’s more, he knows exactly where to look to be

00:16:41.779 --> 00:16:43.040
detected.

00:16:43.040 --> 00:16:47.170
While traditionally defending teams look for indicators of compromise which could be a

00:16:47.170 --> 00:16:52.510
known bad IP address or malicious packets or malware present, Lior and his team started

00:16:52.510 --> 00:16:57.720
looking for malicious indicators of behavior which are signs that a malicious actor is

00:16:57.720 --> 00:16:59.540
conducting their operation.

00:16:59.540 --> 00:17:05.839
LIOR: Basically, we invented the new method and the method is operation-centric.

00:17:05.839 --> 00:17:10.300
We call it the Malop, the malicious operation approach.

00:17:10.300 --> 00:17:15.240
The Malop approach basically assumes that the hackers have many steps to do in an environment.

00:17:15.240 --> 00:17:20.110
This is not just the act of penetrating into the environment, and we are gonna meet the

00:17:20.110 --> 00:17:22.209
hackers whenever they are.

00:17:22.209 --> 00:17:26.820
So, every step that they are gonna do, we are gonna anticipate the step and we’re

00:17:26.820 --> 00:17:29.901
gonna be there and collect the information before they are doing anything.

00:17:29.901 --> 00:17:35.980
In a sense, think about it that you just put the camera in every room, every door, and

00:17:35.980 --> 00:17:37.600
you record everything.

00:17:37.600 --> 00:17:42.160
You know that if you’re starting to see a behavior that is bad, you can say hey, right

00:17:42.160 --> 00:17:44.350
now there is a malicious operation going on here.

00:17:44.350 --> 00:17:49.510
So, it’s not about the malware; it’s about the Malop that you want to find.

00:17:49.510 --> 00:17:53.140
It’s not about the gun; it’s about the people that’s using the gun.

00:17:53.140 --> 00:17:54.360
JACK: I like this.

00:17:54.360 --> 00:17:57.970
This sounds like user behavior analytics to me, and this is where you watch to see what

00:17:57.970 --> 00:18:01.990
users typically do and then alert when they do something that’s out of their typical

00:18:01.990 --> 00:18:02.990
activity.

00:18:02.990 --> 00:18:06.919
Like, if Charles from accounting typically accesses the same six systems every day to

00:18:06.919 --> 00:18:11.380
do his work and then suddenly starts trying to connect to some other peoples’ computers

00:18:11.380 --> 00:18:16.140
that he’s never connected to before ever, this behavior is abnormal and worth looking

00:18:16.140 --> 00:18:17.140
into.

00:18:17.140 --> 00:18:19.990
LIOR: [MUSIC] Basically what you need – you need the ability to collect massive amount

00:18:19.990 --> 00:18:26.309
of data in real time and then analyze the data as that data is coming through the system

00:18:26.309 --> 00:18:33.640
and to make quick decision that can rely on a lot of data that we collected from the past.

00:18:33.640 --> 00:18:41.450
But this technology did not exist, so basically between 2012 and May 2015, we invested heavily

00:18:41.450 --> 00:18:44.280
in building a new technology.

00:18:44.280 --> 00:18:51.160
This is an in-memory graph processing technology, and this is kind of the secret behind Cybereason.

00:18:51.160 --> 00:18:57.230
Many people think that we are just an endpoint company but in reality, if you look behind

00:18:57.230 --> 00:19:03.039
the curtain, we are a big data analytics company that can really analyze massive amounts of

00:19:03.039 --> 00:19:08.900
data in real time and find malicious operations in organizations and not just the malware.

00:19:08.900 --> 00:19:10.790
JACK: So, Cybereason was born.

00:19:10.790 --> 00:19:14.520
Lior and his co-founders developed this method for collection and analysis.

00:19:14.520 --> 00:19:18.799
In order for this to work effectively, he needs to install a little tool on every computer

00:19:18.799 --> 00:19:22.220
in a company to collect data and send it to Cybereason.

00:19:22.220 --> 00:19:23.920
This is called endpoint detection.

00:19:23.920 --> 00:19:28.540
Actually, I think they call it endpoint protection because the tool doesn’t just detect but

00:19:28.540 --> 00:19:30.330
also stops attacks.

00:19:30.330 --> 00:19:31.500
They got this thing up and running.

00:19:31.500 --> 00:19:35.220
Cybereason was officially ready and they started telling people about their solution.

00:19:35.220 --> 00:19:41.340
LIOR: It was a big cellular network that approached us and said look, we think that we are under

00:19:41.340 --> 00:19:43.470
attack. We’re not sure.

00:19:43.470 --> 00:19:44.820
We see artifacts.

00:19:44.820 --> 00:19:50.220
We have every technology that exists out there but we cannot point a finger at what’s really

00:19:50.220 --> 00:19:51.220
going on.

00:19:51.220 --> 00:19:52.440
JACK: Okay, their first customer.

00:19:52.440 --> 00:19:56.070
They were seeing some weird activity and they think a hacker was in the network but they

00:19:56.070 --> 00:19:57.070
couldn’t find him.

00:19:57.070 --> 00:19:59.000
So, it was go-time for Cybereason.

00:19:59.000 --> 00:20:00.820
This was the first real test.

00:20:00.820 --> 00:20:05.059
Time to get in the network, install this software on every computer in the whole company, and

00:20:05.059 --> 00:20:08.150
see if this method of detection actually works.

00:20:08.150 --> 00:20:09.440
But this was a big company.

00:20:09.440 --> 00:20:16.299
LIOR: It took us a few days to deploy 50,000 sensors on basically every machine that they

00:20:16.299 --> 00:20:21.330
have on-premise, in the Cloud, everything that they owned.

00:20:21.330 --> 00:20:25.179
The system’s starting to run and for us, that was kind of the first demonstration to

00:20:25.179 --> 00:20:27.370
see it’s live.

00:20:27.370 --> 00:20:32.039
JACK: They got everything installed and were collecting tons of data from this company

00:20:32.039 --> 00:20:33.289
and analyzing it.

00:20:33.289 --> 00:20:34.789
But all was quiet.

00:20:34.789 --> 00:20:42.470
LIOR: The first days after we installed the system, we did not see anything.

00:20:42.470 --> 00:20:46.080
We asked them; it’s like, did you guys install it on every machine that you have?

00:20:46.080 --> 00:20:50.190
It took them a while to admit that they did not install it everywhere.

00:20:50.190 --> 00:20:54.770
JACK: [MUSIC] Ah, right; I get a kick out of this because some companies only focus

00:20:54.770 --> 00:20:58.049
their security on certain systems in the network.

00:20:58.049 --> 00:20:59.900
This reminds me of a personal story.

00:20:59.900 --> 00:21:03.650
For a while, I was a security engineer and I was collecting logs and analyzing them for

00:21:03.650 --> 00:21:05.050
malicious activity.

00:21:05.050 --> 00:21:09.360
I found this one system was showing signs of infection and I reported it to the IT team.

00:21:09.360 --> 00:21:10.929
You know what they said?

00:21:10.929 --> 00:21:14.900
That’s impossible, because that IP doesn’t exist on our network.

00:21:14.900 --> 00:21:18.750
So, I traced the packets all the way back to where the system was and I showed them

00:21:18.750 --> 00:21:20.290
where it was, and they still didn’t believe me.

00:21:20.290 --> 00:21:24.039
They didn’t take any action on fixing this infected system because they were sure there

00:21:24.039 --> 00:21:27.050
was no such computer in their network with that IP.

00:21:27.050 --> 00:21:32.020
But after a few weeks of insisting that it does exist, they finally took a look and found

00:21:32.020 --> 00:21:33.020
it.

00:21:33.020 --> 00:21:37.750
It was a computer that was not authorized to be plugged into the network and it wasn’t

00:21:37.750 --> 00:21:42.100
using the IP scheme the company uses, and that’s a big problem that some companies

00:21:42.100 --> 00:21:46.880
face; they have no idea what computers are even in their network.

00:21:46.880 --> 00:21:51.419
Anyway, Lior was able to convince this company they needed to install the endpoint software

00:21:51.419 --> 00:21:52.900
on all the computers.

00:21:52.900 --> 00:21:58.380
LIOR: Once they decided to deploy it everywhere, immediately we started to see those

00:21:58.380 --> 00:22:03.169
artifacts of a hacking operation or malicious operation going on.

00:22:03.169 --> 00:22:09.900
For us, it was massive excitement because that was the first time that we saw a large-scale

00:22:09.900 --> 00:22:12.049
attack on a massive network.

00:22:12.049 --> 00:22:14.220
Think about it; there’s 50,000 endpoints connected.

00:22:14.220 --> 00:22:17.900
It’s a cellular network so it’s very big.

00:22:17.900 --> 00:22:24.669
We were ecstatic because we knew that this is not just the proof that the system works;

00:22:24.669 --> 00:22:30.409
this is the proof that the method of finding malicious operation is better than just to

00:22:30.409 --> 00:22:36.870
try to find this tool or that tool, because they saw the tools that the hackers used but

00:22:36.870 --> 00:22:41.909
they could not tailor it to a story in order to be able to say hey, this is the story of

00:22:41.909 --> 00:22:43.179
what’s going on right now.

00:22:43.179 --> 00:22:48.529
In a sense, the malicious operation for us is the ability to tell a story of what hackers

00:22:48.529 --> 00:22:51.110
are doing inside your environment.

00:22:51.110 --> 00:22:54.980
The most important thing is to prevent them from doing it.

00:22:54.980 --> 00:22:59.600
JACK: Were you on that call when you called to tell them okay, we found a hacker in your

00:22:59.600 --> 00:23:00.600
network?

00:23:00.600 --> 00:23:01.600
LIOR: Yeah, it’s…

00:23:01.600 --> 00:23:02.870
JACK: Well, how did that go?

00:23:02.870 --> 00:23:10.240
LIOR: The call with them, it was a very interesting call because we basically told them look,

00:23:10.240 --> 00:23:13.419
we know that there is adversarial activity right now.

00:23:13.419 --> 00:23:18.150
By then, we managed to prove that this is a group from China doing it.

00:23:18.150 --> 00:23:23.830
It reached the point that we knew who the person was that wrote the code.

00:23:23.830 --> 00:23:29.660
The people that wrote the code, they made a major mistake and in one of the files that

00:23:29.660 --> 00:23:37.970
they compiled, they left the debugs, basically comments, and we managed to reverse-engineer

00:23:37.970 --> 00:23:40.770
and see all their comments.

00:23:40.770 --> 00:23:46.100
That enabled us to tie it back to a company in China that later on enabled us

00:23:46.100 --> 00:23:51.039
to tie it back to a specific individual that was the owner of it, and then we managed to

00:23:51.039 --> 00:23:55.380
prove that it was the Chinese government behind this attack.

00:23:55.380 --> 00:23:58.400
[MUSIC] For us, it was fascinating.

00:23:58.400 --> 00:24:04.230
On the call, we kind of came with the full presentation of hey, this is the group that’s

00:24:04.230 --> 00:24:05.230
attacking you.

00:24:05.230 --> 00:24:06.230
This is what they are doing.

00:24:06.230 --> 00:24:08.260
This is how they are doing it.

00:24:08.260 --> 00:24:12.840
They kind of at the beginning did not really – believe us.

00:24:12.840 --> 00:24:20.320
I think that the turning point in the conversation was when Yonatan, my co-founder, said to them

00:24:20.320 --> 00:24:24.140
look, we know that they stole the key to the castle.

00:24:24.140 --> 00:24:31.179
Basically, they have the password, the admin password for every system that you have.

00:24:31.179 --> 00:24:37.230
They started to laugh and they said look, we replaced the admin password two days ago.

00:24:37.230 --> 00:24:38.270
It can’t be.

00:24:38.270 --> 00:24:43.799
Basically, he gave them the password and then I think that it was almost three minutes of

00:24:43.799 --> 00:24:51.830
quiet in the call and then they realized that it’s not just that we managed to find this group

00:24:51.830 --> 00:24:57.040
of hackers; we really managed to identify every step of the thing that they did all

00:24:57.040 --> 00:25:02.520
the way to understand which password they are using, and this is kind of the hackers

00:25:02.520 --> 00:25:07.080
use, and they, at that point in time, they just understood that they were owned.

00:25:07.080 --> 00:25:08.950
JACK: This was a success.

00:25:08.950 --> 00:25:10.370
Their first customer.

00:25:10.370 --> 00:25:14.920
Not only did they find this adversary but they were also able to figure out who, why,

00:25:14.920 --> 00:25:17.490
and what data was touched in the network.

00:25:17.490 --> 00:25:22.370
Cybereason had spent three years getting to this point and now they knew their product

00:25:22.370 --> 00:25:27.030
worked, and started building all kinds of extra tools and services on top of that.

00:25:27.030 --> 00:25:30.910
Like, not only do they have a tool to detect what malicious activity is happening in the

00:25:30.910 --> 00:25:35.900
network but they also have a full response team to go in and fix those issues, too.

00:25:35.900 --> 00:25:40.409
Then on top of that, they have a threat intelligence team to do research on emerging threats.

00:25:40.409 --> 00:25:43.899
LIOR: We are not just – know what’s going on out there, meaning what’s going on with

00:25:43.899 --> 00:25:46.159
each and every one of the attackers.

00:25:46.159 --> 00:25:52.590
What we are trying to do in a very aggressive way is to find how they are hacking, to find

00:25:52.590 --> 00:25:57.140
their tactics and techniques and to expose them to the world.

00:25:57.140 --> 00:26:03.970
Because once you do something like this, you basically throw the attackers back sometimes

00:26:03.970 --> 00:26:06.070
half a year, sometimes a year.

00:26:06.070 --> 00:26:07.780
Depends what you manage to find.

00:26:07.780 --> 00:26:13.450
So, don’t be surprised that it’s like, every once in a while Cybereason is releasing

00:26:13.450 --> 00:26:21.640
major research that basically kills the ability of this group to operate now for another year.

00:26:21.640 --> 00:26:29.529
We’re a big believer it does make our customer base safer but it’s – makes the world a

00:26:29.529 --> 00:26:31.320
safer world.

00:26:31.320 --> 00:26:37.120
This is kind of part of the mission of Cybereason, is to reverse the adversary advantage.

00:26:37.120 --> 00:26:41.390
JACK: We’ll take a quick break here but stay with us because after the break, we’ll

00:26:41.390 --> 00:26:45.909
hear a story from their threat research team and how they discovered a new piece of malware

00:26:45.909 --> 00:26:48.169
that’s really interesting.

00:26:48.169 --> 00:26:53.700
Now, it’s always fascinating to me when a security company exposes a certain threat

00:26:53.700 --> 00:26:55.799
actor in the world because it’s always a good story.

00:26:55.799 --> 00:27:00.080
There’s some shady activity group going on and a security company finds it, researches

00:27:00.080 --> 00:27:03.110
it, figures out what happens, and then lets the world know about it.

00:27:03.110 --> 00:27:07.190
Cybereason has so many of these stories where they faced off against adversaries.

00:27:07.190 --> 00:27:10.450
So, I asked Assaf to come on to tell us one of these stories.

00:27:10.450 --> 00:27:12.050
ASSAF: My name is Assaf Dahan.

00:27:12.050 --> 00:27:15.830
I am heading the Nocturnus Threat Research Team at Cybereason.

00:27:15.830 --> 00:27:20.080
JACK: [MUSIC] There’s this team inside Cybereason which is called Nocturnus.

00:27:20.080 --> 00:27:24.409
The Nocturnus team are security researchers who hunt through the massive data they’ve

00:27:24.409 --> 00:27:27.010
collected to try to find new threats nobody’s ever seen before.

00:27:27.010 --> 00:27:31.500
So, for instance, suppose some computer is demonstrating indicators of malicious behavior

00:27:31.500 --> 00:27:37.340
but an antivirus scan can’t find any vulnerabilities, so they narrow down what app or process of

00:27:37.340 --> 00:27:42.559
that system is doing bad stuff, and that might lead them to discover an unknown piece of

00:27:42.559 --> 00:27:47.880
malware, malware that was just created by an adversary recently that has never been

00:27:47.880 --> 00:27:50.370
seen before in the security community.

00:27:50.370 --> 00:27:52.809
This is what the Nocturnus team lives for.

00:27:52.809 --> 00:27:57.409
Now, they’ll reverse-engineer that and dissect every part of the malware to try to figure

00:27:57.409 --> 00:28:00.270
out everything about it; who made it?

00:28:00.270 --> 00:28:01.270
Where did it come from?

00:28:01.270 --> 00:28:02.419
What does it do?

00:28:02.419 --> 00:28:06.559
So, this is where Assaf enters the scene and begins to investigate.

00:28:06.559 --> 00:28:12.630
Just – I’m curious; how many languages do you speak?

00:28:12.630 --> 00:28:15.090
ASSAF: Okay, I speak ten languages.

00:28:15.090 --> 00:28:22.310
Not all at – on the same level or the same level of fluency but yeah, I speak ten languages.

00:28:22.310 --> 00:28:25.250
JACK: Ten – and how does that fit into doing threat research?

00:28:25.250 --> 00:28:28.700
ASSAF: Actually, it fits in quite well.

00:28:28.700 --> 00:28:34.880
I think one of the most important things to keep in mind when working in the field of

00:28:34.880 --> 00:28:40.860
threat intelligence or threat research is that beyond the technical aspect of how a

00:28:40.860 --> 00:28:47.899
certain malware works or uncovering an infrastructure, you have to tie it to a global context or

00:28:47.899 --> 00:28:55.650
a geopolitical context for instance, in that matter, or other research papers that we publish.

00:28:55.650 --> 00:29:02.980
So, the ability to have firsthand, almost unmediated linguistic capabilities is quite

00:29:02.980 --> 00:29:04.500
helpful.

00:29:04.500 --> 00:29:10.140
In our team, we – I think if we combine all the languages, we speak like fifteen languages.

00:29:10.140 --> 00:29:14.260
I’m accounting for ten of those, but – so, it helps, yeah.

00:29:14.260 --> 00:29:21.430
It really helps, especially if you go on the darknet, there are different hacking forums,

00:29:21.430 --> 00:29:29.860
there is some slang that is unique for hackers, or just reading documents whether it’s phishing

00:29:29.860 --> 00:29:36.490
lure content and others, so it really gives you some understanding or better grasp of

00:29:36.490 --> 00:29:41.929
what is actually going on beyond the technical aspects of how the bits and bytes of how a

00:29:41.929 --> 00:29:43.179
certain malware works.

00:29:43.179 --> 00:29:48.510
JACK: Assaf has been with Cybereason for five years now and back in early 2020 is when he

00:29:48.510 --> 00:29:52.200
saw something interesting, a loose thread worth tugging at.

00:29:52.200 --> 00:29:57.540
ASSAF: [MUSIC] Back then, we started noticing some interesting-looking phishing lures that

00:29:57.540 --> 00:30:02.779
were quite politically charged, targeting Middle Eastern entities.

00:30:02.779 --> 00:30:09.179
Let’s call it that way, and they were very much focused on targeting Arabic speakers.

00:30:09.179 --> 00:30:14.289
JACK: The phishing e-mails were written in Arabic and they were from a group called The

00:30:14.289 --> 00:30:19.029
Popular Front of the Liberation of Palestine, which I don’t understand Middle Eastern

00:30:19.029 --> 00:30:23.690
cultural politics all that much, but from Wikipedia it looks like this is a group that’s

00:30:23.690 --> 00:30:25.550
fighting to retake Palestine back.

00:30:25.550 --> 00:30:29.950
So, this group sent out phishing e-mails with malicious software attached.

00:30:29.950 --> 00:30:32.559
Or did they?

00:30:32.559 --> 00:30:38.399
Upon closer analysis, it looks like the e-mails didn’t actually come from that group but

00:30:38.399 --> 00:30:42.649
it was made to look like it was coming from them in order to get their targets to read

00:30:42.649 --> 00:30:45.020
the e-mails and open the attachment.

00:30:45.020 --> 00:30:51.250
ASSAF: We believe – it’s our assessment that they targeted political figures within

00:30:51.250 --> 00:30:57.930
the Palestinian Authority that are associated with Fatah, with the Fatah movement, as well

00:30:57.930 --> 00:31:00.990
as other political entities in the Middle East.

00:31:00.990 --> 00:31:06.950
So, that was back in February 2020 and that’s where we – when we discovered the Spark

00:31:06.950 --> 00:31:07.950
backdoor.

00:31:07.950 --> 00:31:11.330
JACK: Hold on, I’m reading more on Wikipedia here and I’m finding this fascinating.

00:31:11.330 --> 00:31:16.090
Palestine is a sovereign state that controls the Gaza Strip and West Bank which both border

00:31:16.090 --> 00:31:17.090
Israel.

00:31:17.090 --> 00:31:21.740
Yes, there are many land disputes between Israel and Palestine but there’s also internal

00:31:21.740 --> 00:31:24.049
disputes just within Palestine itself.

00:31:24.049 --> 00:31:27.870
I mean, look at what happened in 2007 at the Battle of Gaza.

00:31:27.870 --> 00:31:32.860
At the time, the Gaza Strip was controlled by Fatah, but Hamas, another faction within

00:31:32.860 --> 00:31:38.730
Palestine, waged a military-style attack against Palestine itself in an attempt to take over

00:31:38.730 --> 00:31:39.730
the state.

00:31:39.730 --> 00:31:45.120
So, you had Fatah and Hamas fighting to the death over who would be in control of the

00:31:45.120 --> 00:31:46.120
Gaza Strip.

00:31:46.120 --> 00:31:49.659
It was bloody and Hamas took over.

00:31:49.659 --> 00:31:53.850
You see, the geopolitical aspect of all this is complicated.

00:31:53.850 --> 00:32:00.530
But Assaf grew up in Israel with multicultural parents and speaks ten languages, so he understands

00:32:00.530 --> 00:32:01.970
this pretty well.

00:32:01.970 --> 00:32:03.090
Again, he said…

00:32:03.090 --> 00:32:08.549
ASSAF: They targeted political figures within the Palestinian Authority that are associated

00:32:08.549 --> 00:32:13.470
with the Fatah movement as well as other political entities in the Middle East.

00:32:13.470 --> 00:32:15.549
JACK: The e-mails say things like…

00:32:15.549 --> 00:32:21.880
ASSAF: For instance, it shows details; ‘Crown prince held secret meeting with Israeli prime

00:32:21.880 --> 00:32:27.899
minister’, or ‘Details of the crown prince meeting with the US secretary of state’.

00:32:27.899 --> 00:32:31.809
JACK: So, just from looking at the contents of these e-mails alone, we can already see

00:32:31.809 --> 00:32:37.389
that having a strong geopolitical understanding has a role in doing this threat research.

00:32:37.389 --> 00:32:42.320
[MUSIC] But anyway, they examine these e-mails and the e-mails have an attachment which is

00:32:42.320 --> 00:32:49.320
an executable file, but the filename ends in .doc.exe and it has an icon which looks

00:32:49.320 --> 00:32:51.940
like a regular Microsoft Word document.

00:32:51.940 --> 00:32:58.110
But when you double-click on that, it actually installs the backdoor or malware, and then

00:32:58.110 --> 00:33:02.200
it actually opens a Word doc, a decoy document, as they say.

00:33:02.200 --> 00:33:07.070
This wasn’t really using any advanced vulnerability to get the malware installed on the system

00:33:07.070 --> 00:33:12.950
but the Cybereason endpoint monitoring tools spotted this backdoor which they called Spark.

00:33:12.950 --> 00:33:14.539
ASSAF: It’s a malware.

00:33:14.539 --> 00:33:20.799
It’s a fully-fledged application that runs on the victim’s endpoints, usually – could

00:33:20.799 --> 00:33:29.289
be laptops or a desktop and it gives the attacker pretty much full access to the computer or

00:33:29.289 --> 00:33:30.760
the endpoint.

00:33:30.760 --> 00:33:37.409
They can run different commands, they can use it to steal information, to control in

00:33:37.409 --> 00:33:44.049
a – if they choose to, they can also control the machine, they can download additional

00:33:44.049 --> 00:33:51.130
payloads, secondary payloads, which we see often, and basically harvest any information.

00:33:51.130 --> 00:33:56.450
This is – it’s actually more of a – when you think about it, it’s more of a spyware,

00:33:56.450 --> 00:33:57.450
actually.

00:33:57.450 --> 00:34:03.409
It’s a tool that enables the attackers to carry out espionage attacks on their target.

00:34:03.409 --> 00:34:07.570
JACK: When they discover malware like this, they first check to see if this has been documented

00:34:07.570 --> 00:34:08.570
before.

00:34:08.570 --> 00:34:11.919
One popular malware repository is virustotal.com.

00:34:11.919 --> 00:34:15.159
You could send it there and they’ll tell you if they’ve ever seen it before.

00:34:15.159 --> 00:34:20.990
But that doesn’t work very well for Arabic-written malware, so they checked other sources and

00:34:20.990 --> 00:34:23.860
they determined they were dealing with a brand-new piece of malware.

00:34:23.860 --> 00:34:26.990
ASSAF: That happened in February 2020.

00:34:26.990 --> 00:34:35.220
Around let’s say October, November 2020, we started noticing new activity.

00:34:35.220 --> 00:34:41.879
[MUSIC] We’ve been monitoring them since the discovery of Spark.

00:34:41.879 --> 00:34:49.869
They’ve had different campaigns going on at the same time but around October, November,

00:34:49.869 --> 00:34:57.950
we also noticed new tools that were never used or seen before being used in this specific

00:34:57.950 --> 00:34:59.510
campaign.

00:34:59.510 --> 00:35:03.589
What drew our attention was actually the geopolitical context.

00:35:03.589 --> 00:35:11.150
We started seeing different phishing lure documents pertaining to the Israeli peace

00:35:11.150 --> 00:35:19.980
process normalization between these – well, Israel and the Saudis, the Emirates, and other

00:35:19.980 --> 00:35:26.480
content that is more related to internal Palestinian domestic affairs.

00:35:26.480 --> 00:35:31.470
JACK: When doing threat research, you sometimes pull on a string and a whole fishing net comes

00:35:31.470 --> 00:35:32.810
up with it.

00:35:32.810 --> 00:35:37.869
The Cybereason Nocturnus team was uncovering a whole bunch of this threat actor’s infrastructure.

00:35:37.869 --> 00:35:42.589
It wasn’t just phishing e-mails and the Spark malware, but now they’re seeing different

00:35:42.589 --> 00:35:46.730
kinds of malware and more e-mail addresses of interest and watching how the hackers were

00:35:46.730 --> 00:35:50.390
communicating with this malware, and so many more things to look into.

00:35:50.390 --> 00:35:53.440
ASSAF: Basically, we started following a trail of evidence.

00:35:53.440 --> 00:36:01.970
[MUSIC] So, we know that the operators sent a phishing PDF to their victims.

00:36:01.970 --> 00:36:08.810
That PDF contained a simple link to either a Dropbox or a Google Drive archive file that

00:36:08.810 --> 00:36:12.760
was stored on either of those platforms.

00:36:12.760 --> 00:36:19.590
That archive file, whether it’s a zip or arj, it doesn’t matter, contained the backdoors.

00:36:19.590 --> 00:36:21.420
One backdoor was Spark.

00:36:21.420 --> 00:36:27.160
The other backdoor was SharpStage which I’m gonna talk about later, and the third one

00:36:27.160 --> 00:36:28.450
was DropBook.

00:36:28.450 --> 00:36:30.320
JACK: Okay, interesting.

00:36:30.320 --> 00:36:34.180
Whoever these hackers were, they were not using the same malware for every target.

00:36:34.180 --> 00:36:38.930
They had three different backdoors that they were trying to get installed on their victims’

00:36:38.930 --> 00:36:41.610
computers; Spark, SharpStage, and DropBook.

00:36:41.610 --> 00:36:46.810
These would all allow hackers to take full control over their victims’ computers.

00:36:46.810 --> 00:36:51.380
This gave them even more stuff to reverse-engineer and to look for clues and what other tools

00:36:51.380 --> 00:36:53.850
the hackers might be using, and who they were.

00:36:53.850 --> 00:36:55.820
Now, these viruses were interesting.

00:36:55.820 --> 00:36:57.790
Let’s first look at SharpStage.

00:36:57.790 --> 00:37:03.880
ASSAF: [MUSIC] Basically, once it’s installed on the victim’s machine, they can control

00:37:03.880 --> 00:37:09.600
the machine, they can run arbitrary commands, fetch information, but what’s interesting

00:37:09.600 --> 00:37:17.140
about it is the exfiltration method is using a Dropbox client, so they – the code itself,

00:37:17.140 --> 00:37:21.540
in the code itself we found an implementation of a Dropbox client.

00:37:21.540 --> 00:37:25.599
JACK: Once the hacker gets the information they needed from that computer they’re in,

00:37:25.599 --> 00:37:27.920
they need to download that data.

00:37:27.920 --> 00:37:32.481
You want to do that secretly so nobody notices you’re doing it, so how do you hide in the

00:37:32.481 --> 00:37:33.740
shadows of the wires?

00:37:33.740 --> 00:37:39.470
Well, they used Dropbox and sometimes Google Drive because so many people use Dropbox;

00:37:39.470 --> 00:37:43.609
it would look like normal traffic and blend right in without detection.

00:37:43.609 --> 00:37:44.670
Pretty clever.

00:37:44.670 --> 00:37:50.930
ASSAF: Another interesting thing that we saw is that the backdoor itself was targeting

00:37:50.930 --> 00:37:56.300
Arabic-speaking users, so one of the first things that the malware does was to check

00:37:56.300 --> 00:38:00.630
whether Arabic language was installed on the infected machine.

00:38:00.630 --> 00:38:06.560
If it wasn’t installed, the malware wouldn’t work, so it also – it’s also a clever

00:38:06.560 --> 00:38:14.690
way to avoid most sandboxes, so if you uploaded it to VirusTotal or other online sandboxes,

00:38:14.690 --> 00:38:21.250
it simply wouldn’t run because the default language is English, something that I think

00:38:21.250 --> 00:38:29.470
people need to be more aware of ‘cause sometimes files may seem benign or they may seem like

00:38:29.470 --> 00:38:35.390
they’re not doing much but once you dive into the code, you can see the reason behind

00:38:35.390 --> 00:38:40.210
it. That was SharpStage.

00:38:40.210 --> 00:38:44.810
The second backdoor that we discovered was DropBook and I think this is by far – I

00:38:44.810 --> 00:38:46.400
think the most interesting one.

00:38:46.400 --> 00:38:51.119
JACK: Okay, so this malware called DropBook was very similar.

00:38:51.119 --> 00:38:55.000
Once it’s installed, it gives the hacker remote backdoor access into that computer

00:38:55.000 --> 00:38:57.410
and it exfiltrates that data through Dropbox.

00:38:57.410 --> 00:39:01.960
But what’s interesting with this one is how the hackers were able to control it remotely.

00:39:01.960 --> 00:39:07.810
See, every piece of malware must get instructions on what it should do once it’s installed.

00:39:07.810 --> 00:39:12.030
Sometimes it’s hard-coded in the malware itself but other times, malware reaches out

00:39:12.030 --> 00:39:16.329
to another system to get those commands, asking what should I do?

00:39:16.329 --> 00:39:19.250
That remote system will then tell them what to do.

00:39:19.250 --> 00:39:24.250
You might think these remote systems issuing commands to backdoor viruses are some secret

00:39:24.250 --> 00:39:26.740
and elaborate server somewhere, right?

00:39:26.740 --> 00:39:32.500
Well, as it turned out with DropBook, it was just using Facebook to send commands to the

00:39:32.500 --> 00:39:33.500
malware.

00:39:33.500 --> 00:39:39.590
ASSAF: They actually used a Facebook fake account, so they created fake accounts on

00:39:39.590 --> 00:39:40.590
Facebook.

00:39:40.590 --> 00:39:44.619
Literally, when you look at the account, as you can see in our blog, there are – I mean,

00:39:44.619 --> 00:39:50.900
these accounts don’t have any friends, interests, almost like zero details.

00:39:50.900 --> 00:39:59.849
But what they do have is – they have posts that contain very obscure content.

00:39:59.849 --> 00:40:11.240
Some of it is let’s say it could be encryption keys or it could be a Dropbox API key, but

00:40:11.240 --> 00:40:17.680
we also found Windows commands that – to run for creating persistence and other things

00:40:17.680 --> 00:40:18.730
like that.

00:40:18.730 --> 00:40:25.349
So, that was I think one of the most I guess striking or shocking pieces that we uncovered

00:40:25.349 --> 00:40:28.780
during this investigation.

00:40:28.780 --> 00:40:34.441
Not only were they using let’s say Dropbox or Google Drive to hide in plain sight, if

00:40:34.441 --> 00:40:39.500
you will, but that – I mean, a lot of threat actors do that but they actually implemented

00:40:39.500 --> 00:40:48.869
a C2 communication channel using Facebook fake accounts which I think is pretty cool.

00:40:48.869 --> 00:40:51.092
JACK: He calls it pretty cool.

00:40:51.092 --> 00:40:55.900
It’s weird how defenders have a certain respect for the attackers and how they work,

00:40:55.900 --> 00:40:58.960
because there really are so many similarities between the two, you know?

00:40:58.960 --> 00:41:01.740
Both the hackers and defenders love technology.

00:41:01.740 --> 00:41:03.410
They’re both computer geeks.

00:41:03.410 --> 00:41:06.450
They love learning about ways to exploit systems.

00:41:06.450 --> 00:41:11.750
The only thing that’s different is their motive on what to use computers for.

00:41:11.750 --> 00:41:17.090
To be able to hunt for bad guys all day and to try to unravel their entire plot and expose

00:41:17.090 --> 00:41:18.500
them, that’s pretty exciting.

00:41:18.500 --> 00:41:26.569
ASSAF: [MUSIC] Well, first of all, the geopolitical aspect was quite interesting because as an

00:41:26.569 --> 00:41:34.960
Israeli, you can’t be – you can’t stay indifferent, I guess, to what was going on

00:41:34.960 --> 00:41:35.960
at the same time.

00:41:35.960 --> 00:41:40.840
If we’re talking about October, November 2020, it was right around the same time where

00:41:40.840 --> 00:41:48.710
Israel, with the help of the US, was signing peace accords or normalization agreements

00:41:48.710 --> 00:41:51.710
with Arab countries like the Emirates.

00:41:51.710 --> 00:41:55.440
There were talks with the Saudis and so on.

00:41:55.440 --> 00:42:02.819
So, you read about it in the news which is exciting on its own coming from my part of

00:42:02.819 --> 00:42:10.819
the world, but once you see an actual attack that abuses this and you see that there are

00:42:10.819 --> 00:42:19.059
political entities, let’s call it that way, that are trying to get intelligence, using

00:42:19.059 --> 00:42:29.589
those backdoors as spyware to carry out espionage campaigns, about that topic made it super

00:42:29.589 --> 00:42:30.589
interesting.

00:42:30.589 --> 00:42:36.780
I mean, when we find something that is that exciting, we pull all-nighters, we sometimes

00:42:36.780 --> 00:42:39.020
work weekends.

00:42:39.020 --> 00:42:44.540
Not because I’m a slave driver or I make anyone put in extra hours; it’s just, it’s

00:42:44.540 --> 00:42:47.109
so exciting and we’re on it.

00:42:47.109 --> 00:42:51.270
As I told before, I’ve been in this business for over fifteen years now.

00:42:51.270 --> 00:42:56.650
I still – when I wake up in the morning, I have this – I guess curiosity.

00:42:56.650 --> 00:42:58.340
I think that’s the main drive.

00:42:58.340 --> 00:43:01.790
It’s to solve problems, to solve mysteries.

00:43:01.790 --> 00:43:07.120
To me, really uncovering new activity is very exciting.

00:43:07.120 --> 00:43:11.130
JACK: They spent about ten months at this point tracking this threat actor, connecting

00:43:11.130 --> 00:43:15.880
dots, watching activity, and they have a fairly good understanding of what this group is doing,

00:43:15.880 --> 00:43:18.400
what their motivation is, and what tools they use.

00:43:18.400 --> 00:43:22.970
Once Assaf and his team get to this stage, they can use the research they just did to

00:43:22.970 --> 00:43:28.010
enrich the Cybereason tools to make it so their endpoint detection tools can spot the

00:43:28.010 --> 00:43:30.349
activity much quicker and more effectively.

00:43:30.349 --> 00:43:33.600
Of course, they consult with the customer too to let them know that they found this

00:43:33.600 --> 00:43:37.990
activity and this is what was going on, but the Nocturnus team doesn’t just stop there.

00:43:37.990 --> 00:43:43.130
They’re a curious bunch of people, and so the question on everyone’s mind is who would

00:43:43.130 --> 00:43:44.790
do such a thing?

00:43:44.790 --> 00:43:49.190
Who exactly is behind this targeted hacking campaign?

00:43:49.190 --> 00:43:52.130
Now, the victims appear to be highly targeted.

00:43:52.130 --> 00:43:55.819
[MUSIC] This is not the result of some massive spam campaign.

00:43:55.819 --> 00:44:01.810
No; specific individuals were sent these phishing e-mails to lure them into opening the attachment.

00:44:01.810 --> 00:44:05.700
One way to try to figure out who’s behind an attack is to take everyone who could possibly

00:44:05.700 --> 00:44:08.960
have done this and put them all together on a spreadsheet or something.

00:44:08.960 --> 00:44:12.620
Eliminate all the ones that seem unlikely, so for instance, you might get a list of the

00:44:12.620 --> 00:44:16.940
usual suspects here; cyber-criminals, hacktivists, governments around the world, mercenaries

00:44:16.940 --> 00:44:18.910
for hire, and other APT groups.

00:44:18.910 --> 00:44:20.359
But now what?

00:44:20.359 --> 00:44:25.510
Well, the hacks didn’t seem to be financially motivated, and cyber-criminals typically are

00:44:25.510 --> 00:44:27.250
in it to make money.

00:44:27.250 --> 00:44:29.950
You can sort of rule out that whole group.

00:44:29.950 --> 00:44:35.119
Next, you’re starting to look at who would have interest in these Arabic-speaking political

00:44:35.119 --> 00:44:36.119
figures.

00:44:36.119 --> 00:44:40.600
Well, there’s probably a bunch of nations around the world who simply don’t have any

00:44:40.600 --> 00:44:44.130
interest in Palestine, so you can probably rule them out.

00:44:44.130 --> 00:44:48.880
Now you’re left looking for who would have the motivation and the ability to hack into

00:44:48.880 --> 00:44:52.329
these people, and it narrows down the list even further.

00:44:52.329 --> 00:44:56.730
Now, again, you see why it’s so important to have geopolitical awareness to sort through

00:44:56.730 --> 00:44:57.730
all this.

00:44:57.730 --> 00:45:01.930
I can’t imagine the mental calculus that must go into figuring this out.

00:45:01.930 --> 00:45:04.930
Just asking the question who would want to attack Palestine?

00:45:04.930 --> 00:45:08.270
Well, a lot of people, including people in Palestine themselves.

00:45:08.270 --> 00:45:13.930
I mean, just in 2007 they had a coup where Hamas used force to take over part of Palestine.

00:45:13.930 --> 00:45:16.990
I’m sure that left a lot of unhappy residents there.

00:45:16.990 --> 00:45:20.109
So, this gets pretty sticky to figure out.

00:45:20.109 --> 00:45:24.080
But there were some clues that led Cybereason to believe they were dealing with a threat

00:45:24.080 --> 00:45:26.250
actor called a Molerat.

00:45:26.250 --> 00:45:33.390
ASSAF: [MUSIC] We knew that they’re an Arabic-speaking, politically-motivated group that has operated

00:45:33.390 --> 00:45:36.490
in the Middle East since 2012.

00:45:36.490 --> 00:45:43.490
They mostly targeted the Middle East and North Africa region but we’ve seen them also target

00:45:43.490 --> 00:45:47.390
parliaments, for instance, in the US and Europe.

00:45:47.390 --> 00:45:55.960
But most of their agenda seems around government entities, political activists, politicians,

00:45:55.960 --> 00:45:56.960
diplomats.

00:45:56.960 --> 00:46:01.339
JACK: Because the team at Cybereason understood the threat actors in this geopolitical space,

00:46:01.339 --> 00:46:05.150
they started looking more into what this Molerat group does.

00:46:05.150 --> 00:46:13.680
ASSAF: Molerats is quite a well-defined activity group and – or, some would call it adversary,

00:46:13.680 --> 00:46:14.680
right?

00:46:14.680 --> 00:46:20.770
The profile that – there have been reports on them for years, okay, so there’s a lot

00:46:20.770 --> 00:46:29.190
of information about their modus operandi, like how they work, what malware do they use,

00:46:29.190 --> 00:46:30.190
who are their targets.

00:46:30.190 --> 00:46:33.079
JACK: Okay, so let’s look at some of those reports.

00:46:33.079 --> 00:46:38.920
FireEye calls this group Molerats but Kaspersky calls this same group the Gaza Cyber Gang.

00:46:38.920 --> 00:46:42.660
According to FireEye, their first attack was against the Israeli government where they

00:46:42.660 --> 00:46:46.350
were able to take down the internet for the Israeli police force.

00:46:46.350 --> 00:46:50.720
That campaign looked a lot like this one; a highly interesting e-mail was sent to a

00:46:50.720 --> 00:46:55.010
specific target with the attachment that looked like a Word doc, and when you opened it, it

00:46:55.010 --> 00:46:56.680
installed the backdoor.

00:46:56.680 --> 00:47:00.970
It was a different backdoor they used back then but still, their tactics, techniques,

00:47:00.970 --> 00:47:03.140
and procedures were the same.

00:47:03.140 --> 00:47:08.119
But looking from there, I count fifty-one different threat intelligence reports by various

00:47:08.119 --> 00:47:11.920
security companies who have investigated Molerats in the last nine years.

00:47:11.920 --> 00:47:15.599
When you have a bunch of reports that list a lot of different targets and you can see

00:47:15.599 --> 00:47:21.030
who the threat actors were trying to hack into, it starts to paint a picture as to who

00:47:21.030 --> 00:47:22.030
they might be.

00:47:22.030 --> 00:47:27.119
[MUSIC] They have mostly targeted people in Palestine and Israel but they’ve also targeted

00:47:27.119 --> 00:47:29.770
the US and UK and a few other countries.

00:47:29.770 --> 00:47:35.040
But I did my best to look through these reports and never once do I see them list members

00:47:35.040 --> 00:47:39.760
of Hamas as their targets, but they do target Fatah.

00:47:39.760 --> 00:47:45.060
Hamas is the current acting government party of the Gaza Strip, a part of Palestine.

00:47:45.060 --> 00:47:48.750
Fatah controls the West Bank, the other part of Palestine.

00:47:48.750 --> 00:47:53.400
But Hamas and Fatah both struggle for power in Palestine.

00:47:53.400 --> 00:48:01.210
So, from my research, my conclusion is that Molerats is somehow allied with Hamas.

00:48:01.210 --> 00:48:04.480
Now, Hamas doesn’t have many allies.

00:48:04.480 --> 00:48:09.180
I think only Qatar and Turkey have showed public support for them, but this activity

00:48:09.180 --> 00:48:14.000
doesn’t lend way for me to believe that Molerats is from Qatar or Turkey.

00:48:14.000 --> 00:48:18.990
Cybereason didn’t want to get into the specifics of who Molerats are exactly or who they might

00:48:18.990 --> 00:48:24.099
even be, because nobody knows for sure and they don’t want to suggest something that’s

00:48:24.099 --> 00:48:25.099
incorrect.

00:48:25.099 --> 00:48:30.280
So, I’m not sure to what degree Molerats might be connected with Hamas, if at all.

00:48:30.280 --> 00:48:34.089
But the evidence does suggest that they have aligned adversaries.

00:48:34.089 --> 00:48:42.520
ASSAF: So, once we looked at the evidence of this new campaign and we correlated it to

00:48:42.520 --> 00:48:49.730
our previous discoveries and we correlated it to other intelligence reports that were

00:48:49.730 --> 00:48:55.370
published in the threat intel community and you look at the victims and you look at – you

00:48:55.370 --> 00:49:01.569
consider geopolitical events, you can say that with, I don’t know, moderate to high

00:49:01.569 --> 00:49:08.510
confidence that it’s likely Molerats who is behind it.

00:49:08.510 --> 00:49:16.020
But again, I’ll state that there’s never or there – it’s very rare to have 100%

00:49:16.020 --> 00:49:19.280
attribution if you’re not in intelligence agencies.

00:49:19.280 --> 00:49:24.339
That’s why we always leave a margin for errors.

00:49:24.339 --> 00:49:34.420
But that’s true for almost any intelligence report that you read that comes out of a vendor.

00:49:34.420 --> 00:49:40.240
JACK: So, it’s fascinating to me that Molerats were targeting high-up Fatah officials and

00:49:40.240 --> 00:49:42.359
stealing and collecting information from them.

00:49:42.359 --> 00:49:50.240
ASSAF: In this context, the intelligence may give them leverage in certain negotiations

00:49:50.240 --> 00:49:56.260
or let’s say if you’re not invited to the table, right, to take part of the discussion,

00:49:56.260 --> 00:50:03.579
you want to know what’s going on on that – on the table, what was said there.

00:50:03.579 --> 00:50:10.880
There could be many reasons why a certain entity would want to carry out an espionage

00:50:10.880 --> 00:50:12.210
operation.

00:50:12.210 --> 00:50:20.210
It could be to – but definitely to give them the advantage of knowing what they shouldn’t

00:50:20.210 --> 00:50:27.960
know, and then they can do different things with that knowledge.

00:50:27.960 --> 00:50:32.780
JACK: [MUSIC] That’s some shady, underhand, bad-guy behavior for sure; to hack into political

00:50:32.780 --> 00:50:37.980
opponents’ computers just to spy on them, but that’s what so many governments around

00:50:37.980 --> 00:50:39.760
the world are doing now.

00:50:39.760 --> 00:50:44.400
It’s common knowledge that the NSA hacks into foreign governments all the time.

00:50:44.400 --> 00:50:49.920
I guess the point is don’t trust anyone online, friends or enemies.

00:50:49.920 --> 00:50:54.300
So, it’s fascinating to see how Cybereason is able to track these groups and publish

00:50:54.300 --> 00:50:58.750
reports on them, and this helps make the world more secure because in their report, they

00:50:58.750 --> 00:51:03.319
show tons of different indicators and signs that you might have Molerats in your network.

00:51:03.319 --> 00:51:07.530
So, antivirus companies all over can create new signatures in their products and security

00:51:07.530 --> 00:51:09.670
companies can detect their presence much quicker.

00:51:09.670 --> 00:51:15.210
But on top of that, all this research makes Cybereason’s detection tools more enriched

00:51:15.210 --> 00:51:18.299
and robust at detecting bad behavior in the network.

00:51:18.299 --> 00:51:22.990
ASSAF: Our product is, first and foremost of all – don’t kill me for the buzzwords,

00:51:22.990 --> 00:51:29.940
right – but is AI-based using machine learning algorithms and mostly behavior – is based

00:51:29.940 --> 00:51:32.130
on behavioral detection.

00:51:32.130 --> 00:51:41.670
There are teams in Cybereason that are – I mean, that’s their daily job, to write detection

00:51:41.670 --> 00:51:44.790
rules based off behavior.

00:51:44.790 --> 00:51:52.359
The Nocturnus team, my team, as an intelligence team, we would pinpoint or we flag certain

00:51:52.359 --> 00:51:57.410
techniques as let’s say more relevant or more interesting than others, but there are

00:51:57.410 --> 00:52:03.640
a lot of teams that work together in Cybereason to make sure that we are able to detect things

00:52:03.640 --> 00:52:09.329
behaviorally regardless of whether it’s a known or unknown threat.

00:52:09.329 --> 00:52:11.970
LIOR: This is not just a big data analytic platform.

00:52:11.970 --> 00:52:14.400
JACK: This is Lior again, the CEO of Cybereason.

00:52:14.400 --> 00:52:22.859
LIOR: Today, Cybereason is operating in the EPP world; EDR, XDR, and NDR.

00:52:22.859 --> 00:52:29.799
Basically, everything that is related to detection and response anywhere in a big enterprise

00:52:29.799 --> 00:52:36.250
environment, we know how to find and understand if there is hacking activity over there and

00:52:36.250 --> 00:52:38.430
then basically prevent it.

00:52:38.430 --> 00:52:42.730
So today, Cybereason has – we call it the Defense Platform.

00:52:42.730 --> 00:52:47.050
It’s the most comprehensive platform that exists.

00:52:47.050 --> 00:52:49.900
Really cover – enterprises.

00:52:49.900 --> 00:52:52.710
We call it from endpoint to everywhere.

00:52:52.710 --> 00:52:59.610
Really, the ability to see everything that hackers can do in an environment, monitor

00:52:59.610 --> 00:53:07.220
it 24 by 7 and finding those malicious operations with the operation-centric approach.

00:53:07.220 --> 00:53:13.580
We found out that the organizations that are implementing and using this approach, basically they are

00:53:13.580 --> 00:53:21.460
not just safer; they are basically future-ready to deal with any attack.

00:53:21.460 --> 00:53:22.940
JACK: Okay, yeah.

00:53:22.940 --> 00:53:25.410
Tell me about the products you have and what solutions you have.

00:53:25.410 --> 00:53:29.880
LIOR: Today we have full protection on the endpoint.

00:53:29.880 --> 00:53:34.990
The way that Cybereason thinks about protecting an organization; we call it from endpoint

00:53:34.990 --> 00:53:40.690
to everywhere, so it started by deploying the sensor on every endpoint that the company

00:53:40.690 --> 00:53:41.690
has.

00:53:41.690 --> 00:53:48.359
Over there, we have everything from antivirus, next-gen antivirus, anti-ransomware, anti-virus

00:53:48.359 --> 00:53:54.890
attack, really the ability to prevent everything that is malicious on those endpoints.

00:53:54.890 --> 00:53:56.150
But we’re not stopping there.

00:53:56.150 --> 00:53:57.930
This is just the beginning.

00:53:57.930 --> 00:54:03.309
Then we know how to collect data from each and every one of those systems in real time.

00:54:03.309 --> 00:54:10.099
We collect all the data, unfiltered, send this data into our Cloud architecture, and

00:54:10.099 --> 00:54:14.410
over there we’re running the graph processing in real time.

00:54:14.410 --> 00:54:20.549
Basically, we collect data from every endpoint that the organization has and then we’re

00:54:20.549 --> 00:54:22.790
analyzing all the data in real time.

00:54:22.790 --> 00:54:28.619
Basically, what we are doing; we are creating – building the network of relationship between

00:54:28.619 --> 00:54:29.990
everything to everything.

00:54:29.990 --> 00:54:34.359
So, every process that’s communicating with another process, every connection that’s

00:54:34.359 --> 00:54:36.810
going in and out of the environment.

00:54:36.810 --> 00:54:44.990
Think about it as a big graph that we’re basically painting while the data is flowing.

00:54:44.990 --> 00:54:50.450
So, this has really enabled us to really understand the interaction of every process, every machine,

00:54:50.450 --> 00:54:54.930
every user with the world and within the inner groups.

00:54:54.930 --> 00:55:01.590
So, every deviation from abnormality, we know how to identify and we call it evidence.

00:55:01.590 --> 00:55:08.309
So, let’s say that the process usually communicated with x amount of processes and suddenly it’s

00:55:08.309 --> 00:55:10.690
deviating from the normality.

00:55:10.690 --> 00:55:12.250
We’re – mark it as evidence.

00:55:12.250 --> 00:55:17.720
Let’s say that there is a connection between two computers that usually do not communicate;

00:55:17.720 --> 00:55:19.680
they started to communicate.

00:55:19.680 --> 00:55:22.349
We’re gonna mark it as evidence as well.

00:55:22.349 --> 00:55:28.559
So, the system is collecting an endless amount of evidence as the data flows through the

00:55:28.559 --> 00:55:34.270
system, and then tries to evolve the evidence into suspicions, basically to correlate multiple

00:55:34.270 --> 00:55:37.260
evidence together to a suspicion.

00:55:37.260 --> 00:55:43.789
Once there are enough suspicions, then we collect them and correlate them to a malicious operation.

00:55:43.789 --> 00:55:48.940
When Cybereason is triggering hey, there is a malicious operation right now and we stopped

00:55:48.940 --> 00:55:53.680
it, we can tell the full story of what’s happened, so this has really enabled us to

00:55:53.680 --> 00:56:00.099
go back and show you all the points and everything that the hackers did in order to be able to

00:56:00.099 --> 00:56:06.030
really understand what they did, then we show how we blocked it, and then you can basically

00:56:06.030 --> 00:56:10.329
improve your capability in order to do better in the future.

00:56:10.329 --> 00:56:13.980
JACK: So, are you still disappointed you didn’t get to fly fighter jets?

00:56:13.980 --> 00:56:21.309
LIOR: Running Cybereason every day, it’s like flying a jet every day.

00:56:21.309 --> 00:56:23.859
So, you don’t need to do it in reality.

00:56:23.859 --> 00:56:28.450
You can do it in the cyber world.

00:56:28.450 --> 00:56:36.670
(OUTRO): [OUTRO MUSIC] A big thank-you to Cybereason for sponsoring this episode.

00:56:36.670 --> 00:56:40.520
They obviously have a very sharp and skilled team over there which is doing a great job

00:56:40.520 --> 00:56:42.190
at making their customers more secure.

00:56:42.190 --> 00:56:45.309
Remember the first customer they had, when they found a whole bunch of malicious activity

00:56:45.309 --> 00:56:46.309
in the network?

00:56:46.309 --> 00:56:49.339
Yeah, well, all these years later, they’re still a customer of Cybereason.

00:56:49.339 --> 00:56:52.030
Cybereason doesn’t just operate in the Middle East.

00:56:52.030 --> 00:56:57.440
They have offices all over the world; Boston, Tokyo, London, Tel Aviv, and France.

00:56:57.440 --> 00:57:02.589
If you’re interested in learning more or even want a demo of their products, visit

00:57:02.589 --> 00:57:03.589
cybereason.com.

00:57:03.589 --> 00:57:06.100
This show is made by me, the pizza rat, Jack Rhysider.

00:57:06.100 --> 00:57:10.319
Sound design this episode by the memory-intensive Andrew Meriwether, editing help this episode

00:57:10.319 --> 00:57:15.079
by the backlit Damienne, and our theme music is by the perpetual machine known as Breakmaster

00:57:15.079 --> 00:57:16.079
Cylinder.

00:57:16.079 --> 00:57:19.339
When I was a little kid I used to watch cartoons where bears lived up in

00:57:19.339 --> 00:57:23.420
the clouds, but the reality is Molerats live in the Clouds.

00:57:23.420 --> 00:57:25.489
This is Darknet Diaries.
