Darknet Diaries - 113: Adam
Episode Date: March 22, 2022

Adam got a job doing IT work at a learning academy. He liked it and was happy there and feeling part of the team. But a strange series of events took him in another direction, that definitely... didn't make him happy.

Sponsors

Support for this show comes from Axonius. Securing assets, whether managed, unmanaged, ephemeral, or in the cloud, is a tricky task. The Axonius Cybersecurity Asset Management Platform correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action. Axonius gives IT and security teams the confidence to control complexity by mitigating threats, navigating risk, decreasing incidents, and informing business-level strategy, all while eliminating manual, repetitive tasks. Visit axonius.com/darknet to learn more and try it free.

Support for this podcast comes from Cybereason. Cybereason reverses the attacker's advantage and puts the power back in the defender's hands. End cyber attacks. From endpoints to everywhere. Learn more at Cybereason.com/darknet.

Support for this show comes from Varonis. Do you wonder what your company's ransomware blast radius is? Varonis does a free cyber resilience assessment that tells you how many important files a compromised user could steal, whether anything would beep if they did, and a whole lot more. They actually do all the work: show you where your data is too open, if anyone is using it, and what you can lock down before attackers get inside. They also can detect behavior that looks like ransomware and stop it automatically. To learn more visit www.varonis.com/darknet.
Transcript
One time, when I was in middle school, my mom bought some cookies at the store and put them in the cupboard.
After school one day, I saw the box, and it wasn't opened yet.
I opened it up and took two cookies.
They were so good, so I went back and got two more.
And I was still hungry, so I went and got four more and ate them too.
At this point, I looked, and over half the box was gone.
And I thought, oh no, I'm going to be in trouble
for eating over half a box of cookies.
I didn't like getting in trouble.
So I stood there and looked at the box
and tried thinking what I could do.
But there was no way to undo it.
So my 12-year-old self came up with the idea
that maybe if the whole box is completely gone,
like box and all, then maybe my mom will just forget she bought it all together.
And so I took the whole box out of the cupboard,
covered the area with some other food so it didn't look like anything was missing,
and I ate them all.
And then I threw the empty box away in the outside trash bin,
covered it up with some more trash.
And you know what? It worked.
She didn't notice.
At least she never mentioned to me anything about the cookies.
And I didn't get in any trouble.
I think she really did forget that she bought them.
And so my plan worked.
And I tell you this story because in this episode, you'll hear a similar story.
But one with much higher stakes.
And it doesn't end so well.
These are true stories from the dark side of the internet.
I'm Jack Rhysider.
This is Darknet Diaries.
This episode is sponsored by Delete Me.
I know a bit too much about how scam callers work.
They'll use anything they can find about you online to try to get at your money.
And our personal information is all over the place online.
Phone numbers, addresses, family members, where you work, what kind of car you drive.
It's endless.
And it's not a fair fight.
But I realize I don't need to be fighting this alone anymore.
Now I use the help of Delete.me.
Delete.me is a subscription service that finds and removes personal information
from hundreds of data brokers' websites and continuously works to keep it off.
Data brokers hate them because Delete.me makes sure your personal profile
is no longer theirs to sell.
I tried it, and they immediately got busy scouring the internet for my name
and gave me reports on what they found.
And then they got busy deleting things. It was great to have someone on my team when it
comes to my privacy. Take control of your data and keep your private life private by signing up for
Delete Me. Now at a special discount for Darknet Diaries listeners. Today, get 20% off your Delete
Me plan when you go to joindeleteme.com slash darknet Diaries and use promo code Darknet at checkout.
The only way to get 20% off is to go to JoinDeleteMe.com slash Darknet Diaries and enter code Darknet at checkout.
That's JoinDeleteMe.com slash Darknet Diaries.
Use code Darknet.
Support for this show comes from Black Hills Information Security. Give them a call. I'm sure they can help. But the founder of the company, John Strand, is a teacher.
And he's made it a mission to make Black Hills Information Security world-class in security training.
You can learn things like penetration testing, securing the cloud, breaching the cloud, digital forensics, and so much more.
But get this, the whole thing is pay what you can.
Black Hills believes that great intro security classes do not need to be expensive. And they are trying to break down barriers to get more people into the security field. blackhillsinfosec.com, to learn more about what services they offer and find links to their webcasts
to get some world-class training.
That's blackhillsinfosec.com.
In 2016, Adam applied for his first proper IT job
at what we'll call the Academy.
So it's essentially a high school.
I think it's private, based in a small town, not too far from me.
There were kids right down to starting high school,
all the way up to just before they're ending high school.
The only difference is, I think some of the students are private.
That's pretty much the only way I can describe it.
He'd been looking for a job for a while and was excited to start work at this fancy UK high school.
I started my first day.
Now in that first day, I got paperwork, as you do when you join a new company.
And in that paperwork, it said, please tick here if you've lived overseas before.
So I ticked that box.
And then on the next page, it said, please go to this
box down here and it says,
are you willing to pay for a criminal record check
in the country you were previously in?
And I went, oh, okay.
This was a problem for
Adam. He did have a criminal
record from a past life
in another country and
wasn't sure how they'd react to this.
He wondered if this would keep him from getting the job.
Are you smoking a cigarette?
Yeah, sorry.
No, that's fine.
Adam's dad is from the UK and his mother is from Thailand,
but he was born in Australia.
And growing up, he always liked computers.
His dad owned a computer repair shop
and he loved learning how things worked
and loved playing games like RuneScape
and eventually figured out a way to hack the game
in order to get it to do things it wasn't supposed to.
And I think it did start with RuneScape for me,
the first game I ever played.
So there was a battlefield where you could play single player
and I started getting into modifying it
so there could be more people, more AI players against me
and that's when I started liking it more,
if that makes sense.
But when Adam starts high school,
some unlucky things happen to him.
Some older kids decide to pick on him.
I would have to go and get my dad's milk and bread
from the shop after he'd come home from work
and after I got home from school.
That's when I'd usually bump into them. And most of the time, they would take the money that my
dad had given me to go get bread and milk or whatever he wanted me to get. It started off
with, can I have a dollar to give me a dollar to, right, you're going to give me everything in your
wallet. Adam knew this wasn't right, but wasn't sure what to do. These kids were much bigger than him,
so standing up to them might mean he gets hurt.
But he was sick of getting his stuff stolen over and over,
so he went to the police.
The police would put me in the back of the police car,
drive down to where these kids were that were bullying me,
make me get out of the police car,
and basically get them to say sorry to me,
which obviously made things a lot worse.
So I lost my faith in the police
because obviously it did make things worse.
It started getting physical.
That move backfired pretty badly.
Stopped being more, so give me your money
and started being, give me your money
or I'm going to, you know, punch your face in.
And eventually it got to that point where, you know, it all kicking me,
kicking me on the floor, chasing me down alleyways and everything.
He gets to the point where he's scared just to go walk through his neighborhood.
Adam says his coping strategy was just to stop going to school.
He would spend time at home on his computer.
Eventually, he gets called into the principal's office about his attendance.
He tries to explain that he's being bullied and doesn't want to come to school.
I just, at that point, had enough of it.
You know, I was even scared to go around the corners to the corner shop by myself in my own area where I lived.
So I would rather just be on the computer.
I guess having friends over the internet was a lot easier than trying to go out
and make friends in person at the time.
So the result of that was they thought
that I was just, I guess, a trouble student
and just, yeah, expelled me
and sent me to a behavior school.
A behavior school in Australia
is the place where troublemaking teenagers go
as a last chance at education.
We call them alternative schools here in the US.
The one he got sent to was far
away from home, which also meant
it was far away from those bullies.
It was a really fresh start and
I made a lot of friends. Now obviously
they didn't know anything about what I
was like in my previous high school
or what I'm like in my local area, but
I found it very easy to get along with them
and get involved in things that I never expected to get involved in.
So, you know, I started hanging out with them,
smoking cigarettes, drinking alcohol,
ended up eventually, you know, getting into fights with people.
And it just became, I guess, normal for me.
But it was like a fresh start, if that makes sense.
Adam's mother is from Thailand, which makes him half Thai,
which means he was hanging out with the other Asian kids at school.
But some of these kids were smoking cigarettes and drinking alcohol.
And it turns out that some of them were in an Asian high school gang.
There was this little Chinese red envelope that they gave me,
and they said, if you want to join us, put $1 in here
and then give it to this guy who was meant to be our boss
at the end of the day after school.
Adam took this really seriously.
To be honest, looking back, I find it a little bit funny,
but I went to the teacher in the school and I said,
hey, these guys approached me and they said I should join this gang.
What should I do? And I mean, at the time, I thought it was a good idea because, you know, from all the bullying and not being liked in high school and, you know, being
scared of, you know, going around the corner to go buy food in my own area, to now having what I thought
at the time was really, really powerful friends and, you know, no one's going to mess with me anymore.
The main reason it started was because naturally I'm a very quiet and shy person.
So I've always been very shy around people.
So in groups, I'm not one to really talk a lot, if that makes sense.
From being the kid that everyone used to pick on, who was too scared to leave the house, he finds strength in being part of a group. Now he was someone to be scared of,
which gives him a sense of power and strength and safety, and perhaps overly confident,
because he's starting to get into fights at school fairly frequently and starts selling
marijuana too, because this
wasn't just a little high school gang. It was actually connected to a larger one.
So our boss who sort of looked after all of us young guys, most of us were under 16,
17 years old. I think at the time I was one of the oldest ones. He was, I think, 18. And then
his boss was, I think, 24, 25.
And then he had a boss above him who we never saw,
but apparently he was in his 40s, come over from China or something,
and he was involved in a more heavier gang,
but was also running the drug side of this gang.
This gang was trafficking drugs and using the high schoolers to try to sell it.
They'd hand him some weed and say, hey, go sell this.
And we'd have like two ways to sell it.
If we didn't sell it, we'd get taxed for not selling it. So it's worth, I think, off the top of my head, it was worth $200.
We'd have to sell it for $350.
If we didn't sell it, we'd then have to pay the $350 to our boss as a tax and punishment.
Of course, Adam didn't want to be punished,
so he found ways to sell the weed as a 16-year-old.
And this goes on for a while.
But then, one day, someone told Adam a made-up story about another kid
and that this other kid was hurting girls.
And that made Adam mad and went looking for this guy
and found him and beat him up pretty
badly. And one of the people that Adam was with took the guy's phone. And this resulted in Adam
getting arrested. The law is over there that if it's a serious assault and then someone picks up
a mobile phone and puts it in their pocket, so steals a mobile phone, it's then classified as
robbery in company.
And that is quite a serious charge to have over there,
which is what essentially I got charged with and resulted in me ending up in prison.
After Adam gets out of prison, his family decides to move to the UK for a fresh start.
His behavior had been hard on his parents and he didn't want to cause them any more problems. So when I got out in Australia, one of the main reasons we wanted to move over here was that, you know, I didn't know how to make normal friends because a normal person to me from the
last four or five years was someone who wanted to get into a fight every weekend. And I didn't want
to get back into that because I didn't want to get taken away or, you know, I didn't want to put
myself in a position where I was taken away to prison again.
And I was just like, you know what, I can't do this anymore.
Because if I keep doing this, I'm going to either end up dead or back in prison for the rest of my life, in and out.
So it was hard for Adam to integrate himself into society.
A lot was different for him.
He had just come out of prison.
He had just moved to the UK.
And he didn't have any friends.
And wasn't even sure what kind of friends he wanted to make. Life was weird for a while. I ended up doing some
warehouse work and going back and forth between different jobs. I ended up as a debt collector at
one point and eventually led to, I think it was 2016, when I eventually sort of said, you know
what, I got skills in computers and IT and my dad's been for years telling me to get a job in IT.
So I took the plunge, and I jumped straight into an apprenticeship,
which was very bad money.
But at the end of it, I would have got my foot in the door within the IT industry.
This apprenticeship was where they asked him about his criminal record.
The job was to do IT work at the
academy. Think of it like a private high school, maybe 1,000 students, and it wasn't too far from
where he was living at the time with his parents. He didn't think they'd be interested in him, but
he applied anyway, and they called him in for an interview. They liked him during the interview and
offered him a job. He took it and was really excited about it. But it was only then, when he was getting onboarded
and he had to fill out some paperwork,
that he saw this question,
are you willing to pay for a criminal record check?
At no point did any of this come up before.
He put his pen down and met with one of the people who interviewed him.
So I went and I spoke to one of the,
I think it was an assistant principal or something at the time,
and I said, look, I really got to speak to someone who's really important.
She listened to his story, and he told her all about the assault in Australia
and how he beat someone up and got arrested.
She turned around and she said, okay, that's fine.
Well, let's apply for your criminal record check, and we'll go.
Yeah, nothing to worry about.
Now, she didn't put any of that in
writing, but yeah. While the criminal record was still being processed, Adam started working at
the academy thinking they must have known and thought it was okay anyway. So he starts getting
training and doing general IT support for the school, things like resetting passwords, replacing
broken keyboards and installing software. He liked doing IT support and felt like he was part of the team and the school spirit and was getting
to know some of the students and staff. He was doing good and learning fast. Now, this school
had a lot of computers. They were in the classrooms and computer labs and in the library and the
office, and teachers had some too. And he was tasked with going around these computers and
fixing any issues they might have. Now, if a computer was connected to the network, he could just log into it with his
username and password. But some computers weren't connected to the network. And for those, Adam had
to use the local admin username and password to get into them. Now, this is different than the
domain admin password, which can control everything. The local admin password theoretically only lets you into that one computer.
But the way the academy set it up is that all the computers use the same local admin password.
All the student computers throughout every classroom in the academy
had a particular password for the local admin account.
Adam noticed this pattern, which actually is a security issue.
If all the computers use the same local admin password,
then having that one password pretty much gets you into everything.
But this made Adam wonder, wait a minute,
could this local password also be the global domain admin password too?
This was probably about a week and a half into the job.
So the computers in the classrooms had a particular password.
And I pretty much, from that particular password,
because it was the same on every single computer in the school,
I pretty much figured out what it might be.
And I asked this guy who I was working with,
who was more senior than me, and he kind of smiled.
And that's when I figured out what the password was.
A week and a half into his role as an IT apprentice, and he guessed what the domain admin password was.
This is not good.
Junior employees should probably not have this kind of access early on.
There's a concept in IT called least privilege, which means you should not give users access to more than what's necessary
for them to do their job. While it's true that nobody gave Adam the global admin password,
he was able to easily guess what it was based on patterns of what he saw in the first week there.
This really is bad practice too, since the admin password should be the most guarded and protected
password on the network and not so easily guessable. As far as I'm aware, there was one admin account which had full access across the entire network
infrastructure that had one particular password. And then every employee had one particular
password, which is very easy to guess. The all day network was set up in a way with a
certain prefix that was used for everyone.
Oh, right. Sometimes schools will assign passwords, which is a combination of, like, your name
and birthday or something. And so if you just know someone's name and you know the pattern,
all you got to do is find out their birthday, and now you can have access to their account.
A better method is to force users to pick a password when they sign up for their account.
This way, there's just no default password at all.
As time goes on, Adam becomes more aware of these issues and the passwords,
but he's still too new to really do anything about it.
Part of him doesn't really know if this is a problem,
and part of him doesn't really know how to fix it.
And part of him just wants to follow what he's supposed to do
and not call the current system crap.
Stay with us,
because after the break, these passwords become a big problem.

What if I start a podcast? My focus was on finding a catchy name, some cool stories, and working out the best way to record.
But oh, so much more goes into making a podcast than that.
If you're thinking, what if I start my own business?
Don't be scared off.
Because with Shopify, you can make it a reality.
Shopify makes it simple to create your brand,
open for business, and get your first sale. Get your store online easily with thousands of customizable drag-and-drop templates.
And Shopify helps you manage your growing business. Shipping, taxes, and payments are all visible from one dashboard, allowing you to focus on the important stuff. So what happens if you don't
act now and someone beats you to the idea? The best time to start your new business is now with
Shopify. Your first sale is closer than you think. Established in 2025. That has a nice ring to it, doesn't it?
Sign up for your $1 per month trial period at shopify.com slash darknet.
Go to shopify.com slash darknet and start selling with Shopify today.
Shopify.com slash darknet.
Adam was working at this academy for a few months at this point
and getting familiar with the systems there and the people.
But that's when the school finally got his criminal record back
and took a look at it.
When they got it back, they then turned around
and pulled me into the office, this time the principal,
and she said, you didn't declare this.
And I said, well, yes, I did. I spoke to you, spoke to this lady.
And she said, don't worry.
And she said, was that her exact words?
And I said, yes.
And she was like, well, you're going to have to worry.
Unfortunately, we can't keep you here.
You're sacked, basically.
The school didn't want people who had a criminal record
for assault working around children.
But to Adam, who'd been trying his best to make a new life,
this felt like a betrayal.
For them to turn around and say,
right, we can't have you here, I was angry.
From my perspective, at the time,
I'd wasted the last month or two months or whatever it was
trying to learn and getting used to the school,
making friends with the IT department, the teachers,
for them to turn around and just say,
no, we don't care whether you changed
or you've done things to make yourself better.
End of the day, you can't be here.
Adam was angry.
He wanted to do something,
but there was nothing to do about it.
It's not okay to lash out on someone
just for firing him over this.
So begrudgingly, he moves on.
He gets a different IT job, and this one they're fine with his past.
It was never an issue for them,
and he picks up a lot of new IT skills at this job.
He learned about domain controllers, Active Directory, Office 365,
and managing computers and using Microsoft tools.
At the same time, he liked playing first-person shooter games online,
and this led him into the online game cheat community,
and that led him into learning more about hacking and exploiting computers.
But all that was just innocent stuff, though.
After a while, he took his newly acquired skills
and went and got an even better IT job, this time as a senior technician, which taught him even more new skills.
And after a few years of working in IT, Adam's life was looking up. He had a job as a senior
technician, he had a relationship, and after being scared to get to know people for so long,
he really put himself out there and started to make friends. But all this changes after a bad breakup in October of 2020.
I guess it really was crushing.
I got into a really deep depression.
I wasn't too pleased with the job that I was in
because I felt at the time that I was being heavily underpaid
for what I was actually doing.
And I don't think everything was, at the time and even now,
things weren't very good.
His personal problems made him restless,
and he was starting to grow frustrated at work.
One of his supervisors was always giving him a hard time about something.
All this added up, and it made it hard for him to sleep at night.
So he spends a lot of late nights playing video games
and looking at hacker websites and forums,
learning about malware and how to break into systems,
and what you could do if you did break into something,
like how to read other people's emails or cover your tracks
or read messages on Teams and Slack without people knowing.
And late one night in January of 2021,
after watching a film,
he goes to check his email before bed
and notices something.
My email address in the autofill
for the Academy popped up.
And I thought, oh, you know,
I think there's a lot of curiosity
just to see if they'd changed it
because it's been a long time now.
Obviously, the first thought in my mind is,
yeah,
they've definitely changed the password to the admin Office 365 account.
The Academy fired him four years ago,
but he still had that local admin password memorized for the computers there.
Now that he knows a lot more about computers,
he was curious to see, one, if that was still a valid password,
and two, if it was also the domain admin password.
So he goes to the Office 365 login screen, which is just office.com.
And this is the tool the academy used to manage the school's network, like usernames and email boxes and that sort of thing.
He goes to the Office 365 login screen.
He types in the school's domain,
then the admin username and the admin password,
which he still had memorized all this time.
And what do you know?
It worked.
First try, even.
He was logged into the school's admin portal
on Office 365.
I felt like it was an achievement at the time
because I was more surprised that it worked
because obviously it's been so many years now
I would have thought from working in IT
that you change passwords more often if that makes sense
it felt like an achievement getting in
and then it kind of progressed on to being motivated
to find out how much more I can get to
From within the Office 365 portal,
one could potentially configure and view the computers in the network.
You could see what users there are, reset their passwords,
look at what email accounts there are, configure Skype,
see SharePoint sites, and look at and configure the Active Directory settings.
It's the heart of the network.
This is what makes everything else function at the school.
He hadn't really thought about the academy that much since being fired,
and he learned so much since then.
And specifically, he now really knew his way around Office 365.
But since he got into the academy's admin panel,
he was curious to see what was their setup like.
How good was their security?
And he decides to poke around.
But just looking, though, no touching.
So the account I was on, I only had access to some things like changing users' passwords. Now,
this was what I can understand was just sort of like the lower level IT guys' account that they
used. And I wanted to get access to more permissions. So I had looked through the
groups and I found three accounts in particular, which had super administrator permissions.
So essentially giving me free rein
over the entire Office 365 side of things.
And I identified who they were.
One of the first things I'd done after I'd done that
was I went into, they call it eDiscovery
on Office 365, and went in there and just made sure that there was no alerts.
This is something Adam had learned on his own time
since getting fired at the academy.
He knew what kind of security alerts would generate just by being there
and was watching to see if he was triggering any of them.
Then I changed passwords for one of the accounts
that had super administrator rights,
changed password and logged into it and went through some of the emails,
just having a look around, seeing what other things they had on.
They set up the domains that were connected to Office 365.
Oh, well, this is no longer just looking anymore.
He's changed a super user's password and logged in as them and is reading their emails.
He's done what's called privilege escalation.
The first login didn't have all the permissions he wanted, so he switched to this account,
which did give him all the control and access he wanted.
So now he's basically in God mode.
With a click of a button, he could bring down the whole network if he wanted, but he didn't want to.
He was still just curious and wanted
to look around.
So I think at the time my thought process
was just I want to
find out as much as possible
without doing as much damage.
So changing this one particular password
I firstly
looked at that account just to see if it was being used.
So after I checked that there was no alerts,
I then set delegated mailbox access to that account
so I could check the inbox and see if anyone had been using it,
you know, sending emails or reading emails, which they hadn't.
I'd figured that no one was using it, no one's going to care, you know.
If someone tries to log in it in five or six weeks,
they'll just say, oh, I've got the password and change it.
At this point, it's now one o'clock in the morning,
and specifically it's Saturday morning, January 16th, 2021.
So far, Adam has full super user access to Office 365 for the academy.
But this is a cloud portal.
And while the computers in the academy get their configuration
and authorization from this cloud portal,
he's not actually in the school's network or any of their computers in the school.
And he's curious to see if he can actually get in there.
He remembers there was a way for the IT staff to VPN into the school from home.
A VPN is a secure private connection to the internal school network.
So his curiosity is leading him to see
if he can find VPN access into the school's network. He starts looking through emails to
try to find a VPN password. I happened to come across on one of the help desk accounts had sent
an email out to someone basically with a file, a VPN file, and told them to use a certain prefix and characters for their password, which I,
at that point, then switched from Office 365, so the website, closed that down. And I was very
determined to get into their network no matter what. So I didn't know what password it was. I
didn't know what account I had to use. I spent maybe the next two hours trying to get into it. And they had a
method of sending passwords, which again surprised me that they'd kept the same method. But it was
quite simple. Once I'd guessed the Office 365 one to follow the pattern. After a few hours at guessing
VPN passwords, he finally gets it. He successfully VPNs into the school's network, which means he's
connected to the school as if he's inside the school itself. But he's at home. And he hasn't
hidden his tracks at all. He's made all these connections to Office 365 and the VPN directly
from his home's network connection. Adam realized that. And it was like that moment when I ate that half box of cookies
and I realized I had gone too far.
Adam had crossed the line
and all his activity could easily be traced back to him.
And he had to think about what he should do.
When I did get into it,
I think this is where the turning point was,
where I thought, right,
I've not done anything to hide myself at all.
And this has turned from just me being curious
to more malicious now.
And I've got myself in trouble, basically.
There's no way around it,
that they're going to easily find this person logged in
from this IP address at this time.
Who's that person?
Don't know who they are.
Let's report it to the police.
So I think that's when the tables turned, to more destruction.
He gets up out of his chair and does something else for a little bit
just to think about the situation.
His real IP, which is registered under his real name,
is what he used to do all this with.
And yeah, he crossed the line a few times with what he's done already.
Changing passwords, reading emails,
and brute forcing his way into the VPN.
He thought surely he's going to be in trouble for this.
I know what's going to happen.
There's a 50% chance they'll come in and they'll say,
oh, why isn't this password working anymore?
Who's changed this?
They'll do a little internal investigation
and they'll conclude that someone's been on the network
and they'll just change passwords.
Or there's a 50% chance that they'll look deeper into it
and call the police.
Calling the police is what I wanted to avoid,
but I couldn't avoid it.
So my next thoughts were, right,
let's try and get rid of as much as possible
to try and cover my tracks.
So he's in the network, but doesn't know which computer he's on.
He wants to learn more about the network
and uses an IP scanner to get the lay of the land,
which gives him a list of all the computers in the network.
He figures out he's on the main computer that everyone logs into from home,
but there's nothing good on this computer.
The main infrastructure, with all the good stuff, is what he wants to get into, but that's
on a different part of the network. So he consults the spreadsheet of all the computers
he found earlier and picks his next target.
So I found a computer which was in the, I believe it was in the IT workshop somewhere.
And I had thought that maybe if I can get into that computer,
then there might be an RDP icon saved with saved credentials
that I might use to get into the domain controller.
What he's doing is a classic example of lateral movement,
which is the foundation of a lot of cyber attacks.
It's when the attacker manages to get a foothold in one system
and then pivots around the network, hopping from one system to another
until they find what they're looking for.
At each step, there's some weakness, like a guessable password or saved credentials, that can be used to get closer to the target.
Adam kept hopping from one system to another to try to get to the computer he wanted,
and weak passwords on the network made it a lot easier for him to get around.
Eventually, Adam was able to remote desktop to a computer.
And from there, remote desktop to another computer,
which was in the IT workshop.
And then from there, as I'd thought might be the case,
there was sort of saved credentials.
I think there was domain controller one, domain controller two.
There was a backup server.
I think there was a gateway server and a couple of other servers as well.
I think at that point, I'd realized how far I'd come in to the network.
I basically had access to everything from now.
Just from knowing the school's domain and guessing the admin password
that he thought he knew years ago,
Adam has worked his way into the entire infrastructure in just a few hours.
From what I remember, once I'd gained access to all the infrastructure, I then started
the process of completely wiping the servers that I was on.
As I was doing that, I went on to office.com and I saw a list of devices.
He sees a list of all the devices connected to the mail server.
Now, this is thousands of mobile devices.
It's every phone and tablet that had email access.
Now, most of these were devices owned by either teachers,
students, or parents,
which had all connected to Office 365 to get their emails and files.
I highlighted the box to select all,
and I clicked the Wipe button.
When you log in to Outlook from your personal device,
you'll get a prompt saying,
do you want to add this organization to your device?
But what you might not know is doing so
can give the administrator the power
to fully wipe your entire mobile device.
And this is actually a security feature.
If you lose your
phone, the IT admin can wipe the device, which makes it so nobody can see what was on that phone
because you don't want the wrong person seeing sensitive information. But what's crazy is the
IT admin can wipe thousands of devices with just a few clicks. And Adam had just attempted to wipe 2,947 devices
through the access he had to Office 365.
People would be waking up to their phone being factory reset.
All their pictures, texts, and files completely gone.
Once that was done, Adam took a look at the domain controller itself
to see what he can do on that.
There was a command that we'd used in the company that I was working with a couple of times to just do a complete wipe.
Essentially, the command makes the computer or server not be able to boot because it deletes everything.
So it's to take ownership of all folders and then it deletes all folders, basically.
And I ran that on, I think, the domain controller.
Okay, so this isn't just wiping your tracks.
You knew this.
This is wiping out the entire,
I mean, the heart of the infrastructure.
Yeah, and I think at this point it was,
well, if I'm going to get caught,
I might as well get them back for what they've done to me. I think that that was my thinking
at the time. So very destructive, malicious actions. It was like, right, let's just release
all anger, everything that I've had against them and just wipe everything. Make their life as difficult as it can be on Monday morning.
What about backups?
There was a backup server and a secondary backup server
that I started running the commands on.
It was at that point that I found this IP address
just on this spreadsheet and it had nothing written next to it.
So there were two IP addresses with a username and password in that document,
which was a completely separate username and password from any of the methods I'd
used to get in previously.
So I was a bit interested to find out what it was.
And then surprisingly, when I logged into it, it was a hypervisor basically.
And it had two hypervisors.
What he logged into was a virtual machine host.
That is, this one computer housed and controlled
many other computers inside it.
And it was from this host machine
that he could do whatever he wanted to the virtual machines running on it,
such as delete them entirely.
And it was on this host
that the backups for this network were kept.
The backups were completely wiped as well.
I mean, all of these actions were really stupid.
And I think at the time, I just thought,
this is their backup server.
This is probably everything they have.
From here, he works his way backwards, out of the network,
deleting, destroying, or degrading every computer
that he could log into on his way out.
And when he tries to log back into some servers,
all he sees is a black screen.
And the last thing he deletes were all the user accounts,
making it so nobody had a valid login anymore.
Adam was letting out a lifetime of anger.
And I don't think it was just from how this school treated him,
but it was from how previous schools treated him and how bullies treated him, how this recent breakup
made him feel, and the anger he was getting from his current job. There have been multiple times
in his life where he felt like a victim and was powerless and even went to the police for help
when he was a kid, which didn't actually help at all. And then there was a time when he joined a
gang and saw a glimpse of power and strength in numbers,
but that escalated out of control,
and he wound up in prison.
But now that sense of power has returned.
Power over the network.
Power over those who have wronged him.
And he was exercising that power
with great vengeance and furious anger.
What's it like at the end of all this?
Because, I mean, by the time you're done,
you're just leaving like a wreckage of smoldering, you know,
you've ruined everything.
What's that feeling like at the end of all that?
It was more, so getting towards the end of doing what I'd done,
it was more panic.
And I guess I wanted to go to sleep, but I also wanted to process what I'd actually just done.
So it all kind of went very quickly.
There wasn't really much thought process or time to think about what I was doing other than just do it, just get it over and done with.
So I finished up and I think I went to sleep.
This attack was pretty devastating for the school.
The UK was on lockdown due to the pandemic at the time,
and the students were remote learning from home.
Adam had obliterated the academy's whole infrastructure,
meaning students couldn't connect to school,
and there were no shared drives.
SharePoint was down, emails were down,
and absolutely none of the logins worked.
But it hadn't just wiped out the school's infrastructure. Many of the students' and
teachers' devices that connected to the school were wiped too. Hundreds, maybe thousands
of devices were screwed up from this. And somewhere around 5 a.m., he crashes for the night.
The next day, he wakes up and checks back in.
It's bad.
The servers are all offline still.
But he finds a few more things that are still up
and he logs into them
and uninstalls some key software on those systems too.
Then he logs out of everything altogether
and just thinks about what happened.
I was worried about what was going on.
I was searching on Google
to see if there had been any news about the school going down.
So I was really, really panicking about what's happened.
I did think about wiping my computer, but at that point I thought I couldn't get into the firewall to wipe the logs.
So no matter what I do, they're going to come for me.
They know who I am as soon as they look into it.
The days after that are a fog of paranoia
for him. He calls in sick to his current job because he's too anxious to work. Were you living
with your mom and dad? Yes, yeah. Did they have any clue? No, no. I mean, my dad sort of suspected
something was up when I kept looking out the window. That's an interesting picture.
I hear you're looking out the window a lot.
And your dad's like, is everything all right?
Yeah, there was definitely a lot of paranoia.
I take the dog out for a walk twice a day.
And I'm walking outside, leave the house,
and I'm looking left, looking right,
seeing if there's any police cars around.
Because obviously in Australia,
I have a little bit of experience of what the police are like.
And I was looking around for anything out of place.
And it was just a very, very paranoid couple of days.
So Monday, he calls in sick.
He doesn't go to work at all.
Tuesday, he calls in sick again.
Wednesday, he calls in sick still. The anxiety, stress, and paranoia of all this
just makes it so he cannot concentrate on anything work-related.
Thursday, he sleeps in and wakes up
and goes to take the dog for a walk.
As I was going in the front door,
I sort of turned around because I noticed something on the corner of my eye
and there was a car parked sort of across the road
and there was two guys in the car,
and I thought, oh, that's a bit weird.
I've never seen them before.
And on the way out, they were looking at me.
But as soon as I shut the door and got inside the house,
walked into the living room, took the lead off the dog,
I heard really, really loud knocks on the door,
and I knew instantly, yeah, this is the police.
And my mum went to go get the door,
and there was about 10 or 15 police officers.
Adam calmly lets them in and tells them straight up.
I said, you know what, I know what this is about.
Everything you need is in here.
Nothing's been wiped.
Let's get it over and done with.
He leads them to his room
and shows them where he did everything from
and confesses to it all.
In Australia, with my experience with the police
when I was arrested and everything,
I didn't want to go through
lying about what had happened. It was
very, very obvious. Working in
IT, it's very, very obvious that
there was enough evidence to
convict me for it, so I'm not going to
make their life harder,
because that would just make my life harder as well.
Did they handcuff you?
No, no, they were actually really, really good.
And so we walked upstairs.
I showed them all my computer equipment, where my phone was,
gave them all the passwords to the computer and my phone.
And they basically said, yeah, you can have a cigarette or a smoke before you go.
We had a little chat about, interestingly, they were very interested in my setup
and they were asking what sort of components I had in my computer.
And then we literally walked outside, got in the car,
and they drove me to the police station.
The police had brought 15 officers, so they were prepared for a struggle.
Adam, being so cooperative, caught them off guard.
They did say that usually the majority
of the cases that they come across with cybercrime, they never catch the people that are involved in
these attacks on schools and businesses. So this was kind of a first for the particular officer
who arrested me as well. The attack was so destructive, the police were actually asking
Adam to help make sense of what happened so they can help get the school's servers back up and running again.
The main thing that they wanted was the commands that I'd run and what servers I'd run them on.
Because from what I was told, they only had the logs of me getting into that first VPN computer.
And without restoring the servers that I'd destroyed, basically,
they couldn't get the logs off those servers.
So we went through a list together.
One or two times, I went to the police station, sat down with them,
and they listed out all the servers and asked me to sort of map out
in which way I went and what command I'd run on each server.
To make matters worse, the head of IT and senior technician
were actually off work recovering from COVID.
This had left the most junior technician in the school
scrambling around, trying to work things out while these systems were down.
The school even got Microsoft involved at some point
and paid them 15,000 pounds to help restore the systems.
But yeah, I mean, to try to restore a whole network with no backups,
yeah, starting from scratch is, oh my gosh,
with no data in there to review or to look back on, or configurations, oh my goodness.
Yeah, so it's quite bad. I think it was about a week
to immediately get everything back up,
everything that was down back up to a running state, and for the students
and the teachers to use the system again. But from what I'm told,
it took almost a month from start to finish to actually
get everything back into a stable place.
Okay, so did they say how they caught you?
No, I mean, I pretty much assumed.
So I said in the car, in the drive back from the police station,
one of the investigating officers,
the main officer in charge of the investigation,
I said to him, so you obviously caught me via my IP address.
And he turned around and gave me a little smile and he said,
you know, I can't answer that.
While he did try to destroy all the logs, he wasn't able to clear everything.
He never was able to get into the firewall, which would show what IP was his.
And my guess is that the school saw what IP had logged in, or they asked Microsoft what
IP had logged in to Office 365 that night.
And then they handed that IP address to the UK police, who could then get a warrant from the ISP and figure out who had that IP at the time, which would then lead directly to Adam
and his address. Adam lived with his parents, but he had a separate internet connection just in his
own name. When the police found his IP and looked him up and found he was an aggrieved former
employee, you can imagine it was a pretty open and shut case.
But after he's questioned and processed,
they release him from custody to go home and wait for his court case,
which was scheduled for March of 2021.
He tries to go back to work, but it's rough.
He's calling in sick a lot
due to the stress of what he did at the academy.
There's COVID in the air,
so maybe he's sick from that too.
So he's just not attending work
very much at all in this time.
I had a disagreement with my employer, and it was about money.
Over here we have what we call a furlough scheme.
The furlough scheme in the UK was where the government would pay 80% of the employees' wages
for people who couldn't work during COVID, and the employer only had to pay 20%.
And as Adam tells it, his employer decides to let him go
and refuses to pay him furlough.
On top of that, the company gave Adam permission
to buy a new laptop for work, but when he did,
they claimed he used the company's money without permission.
The company claims they took his corporate credit card away
and he bought something else with it after that.
Adam denies this and said everything he bought,
he either had permission to buy or made an agreement to pay it back. That really, really, really made me angry.
And the following steps to that was that I had thought, you know, let's send them a message.
Now, they weren't very smart in the way after they sort of got rid of me,
changing passwords and everything. Oh, no. This doesn't sound good.
Adam is really upset at this company for firing him
and blaming him for things he didn't do.
And he has privileged access to their network and knows his way around it.
You can guess where this is headed.
He waits until late one night on a weekend
and tries to log into their network.
He uses the domain admin credentials that he still had written down somewhere to log into
this company's Office 365 portal. And from there, he gets access to the global administrator account.
And from there, he spiders around to get access to more systems. Then he starts uninstalling
software on various computers. And it appears he was
specifically targeting his supervisors and managers, uninstalling software on some IT support
systems, and then getting into the accounts of the IT director and senior IT staff. And he changed
their passwords so they couldn't log in anymore. He tried uninstalling some more software and then
logged out. Overall, it wasn't nearly as destructive as he was with the academy,
but it was still over the line and criminal,
and the company knew immediately who might have done this
and reported the IP address to the police along with Adam's name.
The police was, you know, I was on their radar already,
so when the report went into the police,
the cybercrime unit picked up on it and arrested me for it.
The same officers came to his house.
But this time, he wasn't as cooperative.
To begin with, he denied doing it.
So they handcuffed him and took him to custody for two days.
He figured this time, there's actually plausible deniability.
But the police already knew his M.O. from the Academy case.
And he ends up admitting that, yeah, he did get in there and change passwords.
But his employer also claimed he made thousands of pounds of unauthorized purchases from the company credit card.
So I did spend it, but there was a civil agreement between me and the director of the company.
So essentially what happened was there was a civil agreement between us.
So I spent the money. I went to him. I said, look, I spent the money.
Are you OK with me paying this back out of my wages? And he said, yes. But what he had then done, when these
passwords were changed, is he's gone to the police and said to the police, he used it fraudulently.
I never gave him permission to do so. I want him charged for this. So what Adam describes as a loan
dispute gets dropped from this case because there's just not enough evidence. But this court case with his employer
and the court case from the academy
get rolled up into one big case.
Basically, the judge had indicated
that it will be a prison sentence.
As it stands,
with no other mitigating circumstances.
So if he had sentenced me on that day,
he would have sentenced me to prison.
But I think because of my cooperation
with the police and how open I was as soon as they came, I didn't make it hard for them.
He wanted to give my defense teams and my solicitors and lawyers the opportunity to
get as much mitigating circumstances as possible. His lawyers say there's a 50-50 chance that he'll
get prison time or a suspended sentence. And if he goes to prison, it'll probably
be between six months to three years. He's 28 years old now and spends a lot of time thinking
about the upcoming sentencing. I am pretty worried. I mean, from the start when the police turned up,
I've been very open to owning up to this mistake that I made. So I don't like thinking about, you know,
what's going to happen
because I'm just taking it day by day at the moment.
Yeah, I think you might have spoiled the soup here
because, you know, if this is what you want to do,
you're very knowledgeable of this stuff.
It sounds like you want to make a career in this. But I mean, fighting in the schoolyard, I've been in the hiring seat before,
and I would have said, no, that's fine. You can still come in here. Just don't fight anybody in
here. But sabotaging two different networks that you worked for previously, your previous employers, there's no way I would hire you anymore.
Like, you're done, I think.
Yeah, yeah.
In February of 2022, Adam appeared before the court to be sentenced.
The judge looked at his case and sentenced Adam to 21 months in prison.
He was not able to reach out after the sentence to give me any updates. They immediately escorted
him to a holding cell and transferred him to a prison. He's due to be released sometime in 2023.
The moral of the story is you should always change your admin passwords
when someone from IT leaves the company, maybe even twice.
And this should be standard best practice for all organizations,
because if you don't, you now have someone outside your company
who has privileged access into your company.
And in Adam's case, it was four years after he left the academy
that he used the domain admin password to log in,
a password that he was never supposed to have in the first place
but was able to guess in his first week of being there.
But I think on a more personal level,
you should also change your passwords
when you break up with someone who's close to you,
like a girlfriend or boyfriend.
I've seen so many stories where someone took their ex's password
and got into their accounts after a breakup and caused significant damage.
So anytime you think someone may have seen your password
or could have guessed it or actually did have it,
you really should change that password when that relationship ends,
whether it's work or personal relationships.
A big thank you to Adam for sharing the story with us. As a reminder, you can get an ad-free
version of this show and bonus episodes. You can do this by either subscribing to Darknet Diaries
Plus on Apple Podcasts or by visiting patreon.com slash darknetdiaries.
And if you do, it'll also support the show quite a lot.
So thank you very much.
The show is made by me, Captain Jack Rhysider.
This episode was produced by the warm-blooded Elizabeth Winter.
Mixing is done by Proximity Sound.
Sound design by the foot shuffling Andrew Merriweather. And our theme music is by the beautiful Breakmaster Cylinder.
Do you know the name of the chemical that's released in your brain
after you see funny cat pictures on the internet?
It's called dopamine.
This is Darknet Diaries.