Darknet Diaries - Ep 10: Misadventures of a Nation State Actor

Episode Date: January 1, 2018

In today's world of intelligence gathering, governments hack other governments. This episode takes you on a ride with a nation state actor to see exactly how it's done. ...

Transcript
Starting point is 00:00:00 Imagine James Bond. Before Bond goes on a mission, he gets some vital equipment from Q. On one mission, he got a special ring that had a way to emit an ultra-high frequency, which when put up to a window, shattered the glass. On this mission, Bond snuck into North Korea undetected. But imagine what kind of consequences there would be if he lost the ring while in North Korea. If the North Korean government found the ring, they would analyze it. And they would discover its cutting-edge technology.
Starting point is 00:00:33 And possibly be able to reproduce that technology for themselves. Essentially putting the technology in the wrong hands. And when analyzing the ring, they may even be able to track down its origins to MI5. This would mean that just by finding the ring alone, North Korea could deduce that there was a British spy in their country. This could cause numerous problems, maybe even a war. In the internet world where governments hack other governments, it's crucial to not let the enemy know you're there or capture your hacking techniques, because if they do, it could have devastating consequences.
Starting point is 00:01:10 This is Darknet Diaries. True stories from the dark side of the internet. I'm Jack Rhysider. This episode is sponsored by DeleteMe. I know a bit too much about how scam callers work. They'll use anything they can find about you online to try to get at your money. And our personal information is all over the place online. Phone numbers, addresses, family members, where you work, what kind of car you drive.
Starting point is 00:01:40 It's endless. And it's not a fair fight. But I realize I don't need to be fighting this alone anymore. Now I use the help of DeleteMe. DeleteMe is a subscription service that finds and removes personal information from hundreds of data brokers' websites, and continuously works to keep it off. Data brokers hate them, because DeleteMe makes sure your personal profile is no longer theirs to sell.
Starting point is 00:02:01 I tried it and they immediately got busy scouring the internet for my name and gave me reports on what they found. And then they got busy deleting things. It was great to have someone on my team when it comes to my privacy. Take control of your data and keep your private life private by signing up for DeleteMe. Now at a special discount for Darknet Diaries listeners. Today, get 20% off your DeleteMe plan when you go to joindeleteme.com slash darknetdiaries and use promo code darknet at checkout. The only way to get 20% off is to go to joindeleteme.com slash darknetdiaries and enter code darknet at checkout. That's joindeleteme.com slash darknetdiaries. Use code darknet. Support for this show comes from Black Hills Information Security.
Starting point is 00:02:51 This is a company that does penetration testing, incident response, and active monitoring to help keep businesses secure. I know a few people who work over there, and I can vouch they do very good work. If you want to improve the security of your organization, give them a call. I'm sure they can help. But the founder of the company, John Strand, is a teacher, and he's made it a mission to make Black Hills Information Security world-class in security training. You can learn things like penetration testing, securing the cloud, breaching the cloud, digital forensics, and so much more. But get this, the whole thing is pay what you can. Black Hills believes that great intro security classes do not need to be expensive,
Starting point is 00:03:26 and they are trying to break down barriers to get more people into the security field. And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range, which is great for practicing your skills and showing them off to potential employers. Head on over to BlackHillsInfosec.com to learn more about what services they offer and find links to their webcasts to get some world-class training. That's BlackHillsInfosec.com. Guys, guys, listen. This episode is pretty serious.
Starting point is 00:04:04 It makes all other episodes seem like child's play to me. I'm even nervous to tell it. I don't think I'm on any FBI watch list now, but I probably will be after this episode. Let me ask you this. Who is the most sophisticated hacking team in the world? It's a team comprised of graduates from MIT and Carnegie Mellon, a team that has created the most cutting-edge hacking tools, a team that can utilize an almost unlimited amount of resources, resources like language interpreters, huge data centers, and supercomputers, a team that has a history
Starting point is 00:04:34 of creating encryption methods and building the internet. Yes, the hacking groups that are inside government agencies, otherwise known as nation-state actors. And most of what they do is considered top secret, so getting one of them to talk on this show is a very special privilege. Nation-state actors are an exceptional group of hackers because they essentially have a license to hack. They work without the fear of legal retribution. They are often tasked with stealing secrets or disrupting the target through connected networks. And it's important that all of what they do goes entirely under the radar and is invisible to the target.
Starting point is 00:05:10 Don't ask me how I found this and don't ask me who. But on this episode, we will hear a story from a person who has been in the innermost bowels of one of the most elite hacking teams in the world. Yeah, I spent almost 15 years with the U.S. government running offensive cyber operations. So I have many, many stories. The only way they would agree to be interviewed for this show was if I kept them anonymous and disguised their voice. So what you'll hear is actually a voice actor reading the transcript of the conversation I had with them. You might wonder whether their story is true or not. And I'll tell you what I know.
Starting point is 00:05:41 I've been an infosec professional for over 10 years. And at one point, my employer sent me to a threat intelligence training. There, I learned all kinds of tactics, techniques, and procedures that some of the most sophisticated hackers use. And while listening to this person tell their story, the tactics, techniques, and procedures they use
Starting point is 00:05:58 match up exactly with what I learned in class. So I can vouch for that part being true. But for the rest of the story, I don't know. I'll let you decide. But you'll need some additional information. Pretty much all governments have an intelligence department. The U.S. has the Central Intelligence Agency and the National Security Agency and others. The goal of the intelligence department is to get information on enemies regarding threats to the nation. This is done in the name of national security. In short, governments spy on each other.
Starting point is 00:06:28 This shouldn't be news to you. It's been happening for centuries. In the past, spies would go undercover and physically break into places to extract secret data. They were highly trained at being stealthy, being able to escape and evade, and are often excellent drivers. But now, governments rely on computers to communicate, store data, and create plans. This exposes a whole new attack surface.
Starting point is 00:06:50 Instead of physically breaking into a building to steal documents, hackers can steal documents from the other side of the globe. They do this to learn about an upcoming attack, or gain knowledge of where the military is going, or to steal plans of a top-secret weapon. Governments are actively hacking into other governments. This is the new norm. Governments have to take their cyber defense seriously, if for nothing else, than to protect their data from other governments. But what is it really like when a government hacks into another government?
Starting point is 00:07:19 Well, that's the story we're about to hear. So let's ride shotgun, along with our nation-state actor, to hear exactly how they hack into another government. This should be exciting. So strap in and let's go for a ride. First, let's get the mission. A couple years ago, we had a tasking to go after a network that belonged to a foreign government agency. Our task was to get access to it and gather specific information. And the way the nation state operations work is that the cyber elements of a nation state don't derive requirements unto themselves, they get it from someone else. You know, someone else in the government or an agency says, we think this
Starting point is 00:07:57 information exists on that network, go get access to the network. But that's usually all the task is. This task seems to only have a tiny amount of information. We're only given a foreign government agency's name, some IP addresses, and a general idea of what data to grab. This is nowhere near enough information to get started hacking into that network. We don't know what tools to use or what computers to target once we're in. We're going to need more information. And really the big thing for nation states in particular,
Starting point is 00:08:27 where not only the goal is, of course, to get access and collect your information, but overriding that goal is your need to stay clandestine. So not only do we need more information, but we need to get it secretly. There are many reasons to stay hidden when doing this mission. First, there could be political blowback. Another country could become furious if they caught us hacking into it. Another reason not to get caught is because of the equities of our tools, exploits, and infrastructure. Just like James Bond can't afford to lose his top-secret spying technology,
Starting point is 00:08:58 a nation-state actor also uses cutting-edge hacking techniques that they don't want the target to be aware of. These hacking techniques can they don't want the target to be aware of. These hacking techniques can be very expensive and sometimes takes years of research and are worth millions of dollars. So it's imperative that we stay as invisible as possible while conducting this entire mission. Oh, and for this story, let's pick a random country to use as an example target. So let's go with the Peruvian Ministry of Foreign Affairs. The actual target will remain anonymous. The military sometimes uses the term So let's go with the Peruvian Ministry of Foreign Affairs. The actual target will remain anonymous.
Starting point is 00:09:31 The military sometimes uses the term kill chain to describe how an attack takes place. So the military calls this the preparation of the battlefield. But the cyber sort of equivalent to that is the cyber kill chain. This describes the different phases of a cyber attack. I'm going to explain what that means as we walk through this story. There are seven phases to the cyber kill chain that must be conducted to complete an attack. Phase one is reconnaissance. In this phase, we need to gather information
Starting point is 00:09:55 about the target. Like I said, we have no idea what type of exploit to use or what systems to attack. So we begin by collecting information. Now I've got to figure out a way in, so now it's things like passive reconnaissance and mapping. So start figuring out what can we learn about this network without letting them know that we're trying to learn stuff about it.
Starting point is 00:10:17 Questions like, how big is the network? What kind of systems are on it? Hardware? Software? What kind of antivirus is deployed there? What is my access vector? So the team does a scan against the target network to see what is exposed to the internet. And they begin mapping what's visible to the world. They have a website.
Starting point is 00:10:37 They're hosting a web server that's within their environment. So that's a box on the internet with like Apache Tomcat running on it. Okay, so that's good to know. So now I know that it's probably a Linux box and a web server that potentially has vulnerabilities I can exploit. That's pretty interesting. We find a couple of things like that. Normally, most governments and organizations keep their internet facing devices up to date. This is important to do because an out-of-date system has a lot more security holes
Starting point is 00:11:05 than one that's been updated. But in this case, the web server was not fully patched, which means the team can use a known vulnerability to access it. And we start to come up with some potential avenues. So now we have a potential point of entry into this government's network. But that's still not enough information. It's important to try to understand what exactly is in their network. And it would be nice if we had a map of where to go once we get in. It would also be nice if we know who the people were that work in that office
Starting point is 00:11:32 to get a sense of the team that's defending that network. And there are some tricky ways of figuring this out. The way we can do that is that IT and InfoSec people at large are pretty friendly, open, and somewhat stupid often. So let's go with the Peruvian Ministry of Foreign Affairs. Between Facebook and LinkedIn and whatever local Peruvian version of Facebook exists down there, I can probably find somewhere between 50 to 100 to hundreds of people that work at that organization that have profiles on those networks.
Starting point is 00:12:11 So I can start to collect full names and email addresses and maybe even position titles of people that work in there. So I care about the IT infrastructure, the technical infrastructure. So I'm looking for their IT people and their security people. I bet I can find the systems administrator or database administrator or someone that does IT in that organization, who has announced on the internet that they exist. This is their name and email address, and this is what they do for that organization. So once I start compiling all of that, I'm going to start looking for things that allow me to tie them to the organization,
Starting point is 00:12:41 to the things they're using. The best places to do that are, I mean, Google, but more specifically Reddit is amazing for this. And then the technical forums that belong to products. For example, if I found on LinkedIn or Facebook that Bob is an IT administrator at the Peruvian Ministry of Foreign Affairs, this gives me Bob's full name and email address. I can then use Google to search his name and email address I find things like Bob's posting on the sysadmin subreddit asking questions about why his Windows 2012 server is acting the way it is or him asking questions like I'm running a Windows 2008 R2 box that's my domain controller do I really really need to update or not? I don't really
Starting point is 00:13:26 want to, but what does everybody think? Should I do that? And when I find postings like that, I can link them back to Bob. I can confirm things like, oh shit, they're running a domain controller on a Windows 2008R2 box. That's fantastic. We find things in like antivirus and security forums. Since our target is to get specific data out of the network, it's likely that data exists in a database somewhere. So the team looks through the people who work there to try to find the database administrator or DBA. I found a DBA on Facebook or LinkedIn and he's a senior DBA. He noted that he's an expert on Oracle 11G. Cool. So I can assume that they're probably running Oracle roughly 11G inside their network. And I have a team of people,
Starting point is 00:14:13 I have like 15 people who do nothing other than spend eight hours a day for six to eight weeks searching, scouring the internet to collect the names, email addresses, and phone numbers of the people that work for my target organization. Slim that number down to the ones that work there in the particular roles that I care about. And then scour the internet for everything they publicly put out there that has to do with anything technical. And that gives us little tidbits about what we can expect to find in the environment. And after looking at the data we've collected so far, we have discovered an incredibly important piece of information. I know the Oracle database that they have in their environment likely has the data that I'm supposed to be collecting. So after 15 people have worked full-time for two months gathering as much information as they can on the target, we now have a very detailed report. We know who works there, what their roles
Starting point is 00:15:09 are, what kind of systems they run, all the way down to the version of software on those systems. We now have a pretty good picture of their environment. Great. So phase one is complete. We now move on to phase two of the cyber kill chain, weaponization. I can now go to my leadership, my management, the ones who ostensibly own the equities that I want to now use, and I can ask them for approval to do what I'm going to do. The equities are hacking techniques used to access a network or exploits. Some hacking techniques are known to the public and are easier to get approval for because they cost nothing to acquire. And if you're caught using the exploit, it's hard to trace it back to us since anyone in the world has access to that exploit. But some exploits are expensive and top secret. These are harder to get approval for, because if
Starting point is 00:15:55 you get caught, the enemy could learn how to use your exploit, but if you're caught using an exploit that nobody in the world knows about, it narrows down who could possibly have an exploit like that, which could result in the attempted break-in to be traced back to us. So I go to leadership and I say, I have this tasking from these people to go after this network. Here's everything we know about the network. These are the systems administrators. These are the security people. These are the names, email addresses, and phone numbers. Based on data points, A, B, C, D, and E, we believe they're using this sort of antivirus and this sort of hardware. We know they run, you know, web servers using Tomcat. We know based on some other forum postings that they got Oracle database instances running on the inside. So we put all that together. And
Starting point is 00:16:42 with those data points, I derive the tools and exploits that I need to use. Knowing that before I get in, I can get approval to use implant X with exploit Y that are specific to a lyrical 11G. So once I build out that case, I can get approval. And that approval is based on the risk posed to those equities, given what I know about the environment. So when I say I know that they are probably running this antivirus and these security tools, I can say that I have these tools and these exploits and that I'm going to deploy in the network that are not detected by that
Starting point is 00:17:17 antivirus and the security system that they have. I had now mitigated the biggest risk of getting caught, right? Which is AV or security systems flagging my tools or me throwing exploits. And if I can do that, then I can get approvals to proceed and actually execute my operation. So 60 days, 90 days go by. I built what's called a targeting package. And I've got operational approval to use the equities to complete the task. So we now have a point of entry, a map of the inside, and know who to expect to be there when we arrive. We also have all the specific exploits we need to execute this task. This marks the end of our weaponization phase. Phase three of the cyber kill chain is delivery. We need to actually send the exploit to the system in the network. This is where the mission begins to be dangerous.
Starting point is 00:18:07 From here on out, any misstep could have terrible consequences because it could mean being caught. If we were James Bond, we'd now be fully geared up and ready for action. So we figured out here is the internet facing box. The web server that they're using was not patched, wasn't updated. So I was able to actually use the known exploit to gain the right access to that machine. Once I did that, I put an implant down on that machine because it was pretty safe. It was actually a Linux server. And the nice thing about Linux is that, you know, no antivirus, right? So I'm not super concerned.
Starting point is 00:18:45 And especially because it's a web server, I don't worry about a user seeing the screen using it and see something weird going on. But anyway, so I get down on that box, sit there for a little bit. Everything looks pretty good. I mean, there's not much to see. It's a web server and it's got a website on it. Got a database backend to it. Not a whole lot going on. We are now in the foreign government's network.
Starting point is 00:19:13 We have successfully infiltrated it. It's like we've snuck in the building, but we're only in the hallway. Using the data we've collected in the last few months, we know we need to find the administrator's computer to gain control of it. This leads us to the next phase of the cyber kill chain, exploitation. Because if we can get on the admin's computer, chances are they have all the keys to the kingdom.
Starting point is 00:19:34 And by using their machine, we can access anything we want. The nice thing about landing on a server like that is one thing that servers do have is admins logging into them to administer them. And that admin is going to log in and I'm probably going to be able to capture his credentials or that admin is going to establish an authenticated session between that server, in this case, the web server and the admin's machine. And I'm probably going to be able to float across that
Starting point is 00:20:03 authenticated session and move laterally to the admin's machine. There's a variety of ways that you can do that, but suffice to say it's either I'm capturing his credentials because he's going to log in to administer, or I'm just going to use his authenticated session to move laterally over. So the nice thing in this case was that we knew the admin. You know, like I said, we had done a month of open source research. Because we knew we were going to be exploiting the web server, we knew who their website administrator was. We knew the team of people inside that network that were responsible for maintaining the website, the database that sat behind the website, all the code associated with the website. We knew all these people. Web developers are like the worst, right? Like IT people post a lot of stuff on the internet. Security people post a little bit
Starting point is 00:20:51 less stuff on the internet, but developers and web administrators and web admin, they post everything on the internet. It's ridiculous. So we found all of them and all their content and we knew them all by name. We had pictures of all the guys associated with the website. We knew all these guys. So what was great was that once we exploited the web server, we pretty much knew it was going to be one of three people that were going to log in and administer it. So the plan was to simply sit and wait for one of those three people to log in. We thought we knew how they three people to log in. We thought we knew how they were going to log in because, again, we were familiar with the systems they had deployed.
Starting point is 00:21:36 We could tell by the configuration on the web server how we could expect to see them log into that machine. So really, it just became a waiting game for us. ...how much stolen identity data criminals have at their disposal, from credentials to cookies to PII. Knowing what's putting you and your organization at risk and what to remediate is critical for protecting you and your users from account takeover, session hijacking, and ransomware. SpyCloud exists to disrupt cybercrime with a mission to end criminals' ability to profit from stolen data. With SpyCloud, a leader in identity threat protection,
Starting point is 00:22:26 you're never in the dark about your company's exposure from third-party breaches, successful phishes, or info-stealer infections. Get your free Darknet Exposure Report at spycloud.com slash darknetdiaries. The website is spycloud.com slash darknetdiaries. Sometimes waiting for an admin to log in can take a long time. Days, weeks, months. One trick I've heard that hackers do is to sometimes cause a problem on the web server. Like make the CPU spike or crash an application. But why do this?
Starting point is 00:23:04 Well, if the web server is acting problematic, it will result in an admin logging in to troubleshoot it. And when they do, pow, they've just walked into the trap. But in our case, the waiting wasn't that long. So one of the admins logs in. We see it happen. We get the information that we need. We move laterally onto his machine.
Starting point is 00:23:26 And we put the implant on his machine. You just heard the fifth phase of the cyber kill chain. Installation. We've just installed an implant on the target system. An implant is a bug, a trojan, a remote access tool that allows us to pretty much take ownership of that computer. For those of you familiar with Metasploit... Just imagine basically something like Metasploit on lots and lots of steroids.
Starting point is 00:23:52 The next phase of the cyber kill chain is command and control. Just because the implant is on the machine doesn't mean it's going to do anything. Someone needs to tell it what to do. And in this case, we now have the ability to remotely access the network admin's computer. This is our command and control over the target computer. We are now very close to finishing our mission. All that's left is for us to take control of the admin's computer and then access the database and take the data we need.
Starting point is 00:24:19 So we wait a little while before getting into the admin's computer to not look suspicious. We waited about a day, day and a half to go interactive on the box, actually be using it interactively. Once we were using it interactively while the other person was using it, we were logged on when they were, which is generally the way that works. We started looking at screenshots of the desktop and we saw a browser open and we saw dozens of tabs open in the browser. We started going through a lot of the screenshots and seeing the contents of the tabs. And it was the person Googling this weird behavior that Windows was doing.
Starting point is 00:24:56 The administrator's computer that we have infiltrated was acting strange. It was displaying lots of errors and certain programs were crashing. It definitely looked like this admin had a virus of some kind. And at first we saw that, we were thinking, well, that's weird. I wonder if these problems on his computer predate our presence there. We didn't really know. But we had the sneaking suspicion that it had something to do with us. So unbeknownst to us and the time from when we collected our information initially through the open source and when we put the implant down, he had upgraded his operating system. He'd upgraded
Starting point is 00:25:37 Windows essentially to the next version. Normally the worst case scenario is that your implant doesn't work because it's not compatible, right, for whatever reason. It's not compatible and just doesn't work and that sucks and you're really upset by that. I would have preferred that to be the outcome here. Instead, the implant worked from the extent of it went down, installed where it should have, and began operating as expected. The problem was that it wasn't playing well with the newer version of Windows that was on that box, and unfortunately started causing very odd Windows behavior. And that very odd behavior took on the worst possible version, which was things that were very visible to the user.
Starting point is 00:26:21 So now that we're on the box and we know exactly what version of Windows it was, we recreated it in our own lab environment. So I know what version of Windows it is and I know the hardware. I basically rebuilt that same exact machine in our environment and tossed our implant on it and saw that our implant was causing this weird behavior. So this was really, really bad news for us because this is how you get caught, right? It was terrifying from the standpoint of political blowback. These things get like notifications of this sort of stuff goes up to the most senior levels of government, right? Because when you get caught on a network like this, you have prime ministers calling each other. So if things got bad enough, we would have to be informing all the way up
Starting point is 00:27:10 through the leadership of the agencies and all the way up into the senior leadership of government. So everybody was very concerned at this point because we had already been on the web server. We had done a lot of work already. We felt pretty comfortable. So we were already deploying pretty sophisticated, big implants onto the network. This one that was causing these problems was not a stage one loader. This was a relatively sophisticated, actually pretty sophisticated, fully featured implant at this point that we couldn't afford to lose, nor could we afford to get caught on the network so once we realized what was happening you know this is again the government right so all the alarms start going off you have to start
Starting point is 00:27:52 telling a lot of people i have to start writing a lot of memos and going to a lot of meetings to try to get everyone up to speed on what's happening what the risks are and what we're going to do and of course now the first instinct is to delete it or removed in your implant unfortunately because it was already causing so many stability issues the concern was if we try to get to it to delete it it might make it even worse we didn't know so the risk was don't do anything and right now he just thought that he was having technical problems not that there was a security issue so we thought okay the risk is either stay
Starting point is 00:28:34 with what we've got and write out the technical stuff and hope he doesn't figure out that it's not actually a technical problem it's a security problem or we try to delete it and cause some other weird thing to happen that makes it even worse. And then we're totally screwed. So we decided to leave it and not delete it and sort of take the bet. And it got worse for about a week. Because not only do we watch them from Googling for solutions to the problem, like Googling the symptoms that he's seeing in Windows. We actually were reading his emails and seeing his chats with IT people, telling them what was going on and putting in trouble tickets.
Starting point is 00:29:12 And, you know, we saw the chat with his IT guy that was like, hey, can you come to my desk at like two o'clock to take a look? And I mean, you know, everyone started getting very concerned at that point, more than we already were. Things are not going well at this point. It's very tense and concerning in the office. The implant being used was expensive and secret. If it was discovered, it could result in tracing it back to the attackers and losing this expensive and secret implant. But at this point, we have successfully completed six out of the seven phases of the
Starting point is 00:29:45 Cyber Kill Chain. There's only one phase left, and that's doing the action on the objective. In our case, our objective is to use the administrator's computer to get the data out of the Oracle database. But the team is hesitant about finishing the job. Well, so the problem was that it was a big network, and we knew the database that we wanted. We knew that there was a database of a particular type that we wanted to get access to, but we didn't know exactly where it was on the network. And at this point, we have a high risk of getting caught. And the problem is, you know, we're watching them troubleshooting this. And if they're troubleshooting and troubleshooting and troubleshooting, and then at some point they figure out that there's something really wrong
Starting point is 00:30:23 here and we need to call on the security people and start looking a little bit closer. The last thing we would want would be to have a wider presence on the network. Even if it's on other machines elsewhere on the network, at the moment that your incident response gets involved and starts locking things down, we're screwed. So at that point we want to minimize our presence to the least amount of exposure that we can without losing our access. So for now, that minimization was this computer that we're on that's having the problem, and the web server. That was it. And the very, very clear decision, without even any debate, was sit, stay quiet, don't do anything.
Starting point is 00:31:03 Let this play out, because nobody wanted to increase the risk profile until we knew how this was going to turn out. So the team waits and watches. Days go by. The administrator is trying to troubleshoot the errors he's seeing. A week goes by. He continues to troubleshoot, and in the second week the admin asks for help from IT. Yeah, so second week, the IT people are coming in, and they're looking at the computer, and we know that they're coming to the person's desk because we see them setting up appointments, and we reach this point where we can tell in the nature of the trouble ticket that they've hit a dead end.
Starting point is 00:31:42 They can't figure out why. They can't figure out what's happening. They can't figure out the reason for what's happening. They can't locate the cause, and it seems non-deterministic to them. We know why it's happening. I know what the implant is doing and why it's causing Windows to behave that way. But since they don't know the implant's there, to them the behavior is entirely non-deterministic. So because it's non-deterministic, they can't devise the technical solution for it, and the ultimate solution that they came to was to just wipe it and start over. It was a fancy implant, but it was just user level, and it was on the hard drive. So at the moment they wiped the drive and re-imaged it, we were fine.
Starting point is 00:32:26 They removed our implant and we were good. It was a significant relief. Thank God it's over, but, you know, holy shit, are we all getting fired? Which is anyone's reasonable reaction to workplace events like that where things have gone horribly wrong. You're essentially in charge of that group where things went wrong. It was all on me.
Starting point is 00:32:52 So there was that moment of, you know, I guess I'll get a box and pack up my desk. But A, it's the government, so no one gets fired. And B, that really wasn't the outcome. There's a whole post-mortem that we did after this to look at what happened, how it happened, why it happened, how to prevent it. And, you know, the determination after the fact was there was no negligence at play. No one did anything wrong. This is just what happened. The chance of us doing two months of research, taking 30 days to make decisions and have meetings, and then executing the operation in that 30 days, and one of the admins upgrading Windows. That's not a super high chance of that happening.
Starting point is 00:33:35 And we just got unlucky, right? Unfortunately, like, those two stars crossed in the sky and that happened. You know, if it had been six months and we didn't try to re-update our information and make it fresher, the outcome would likely have been, you waited too long, right? You should have known that six months, too much can change in six months. But 30 days was reasonable because, I mean, again, it's the government. It takes 30 days to push the paperwork and get meetings and just do the administrative stuff you need to do. So the fact that that happened in 30 days, that guy updated the Windows box, that was seen as acceptable. The only other fallout was, when we moved laterally onto that machine, you know, should we have done anything tactically before we put the implant down
Starting point is 00:34:21 on that box? And there was this debate on that. Should we have captured the credentials and just interactively interacted with that machine, just to capture things like its OS and antivirus and all that? That was an operational decision that we made at the time, a very tactical decision. But because we had done the open source and we knew what was there, there was seemingly less cause to do it. And that was it.
Starting point is 00:34:46 So with the implant cleaned off the machine, the team can relax, knowing their cover isn't going to be blown and their expensive exploit won't be discovered. But what about that initial objective to get access to the database? We actually never got access to the database. Not because of this. It actually just ended up being that the network was configured in such a way that our path to get there was extremely complicated from where we were
Starting point is 00:35:10 on the network to where we needed to get to. And like any other business environment, we had competing requirements. So, you know, at some point, probably, I don't know, a month and a half after this incident, after this small incident, you know, we came to this point where, okay, I know where the Oracle server is. I know who the admins are, but our ability to get to it is complicated. It's going to take a little while. We can do it, but do we want to do it?
Starting point is 00:35:36 And at the same time, I had three other requirements that I had to satisfy. And those requirements required some of the same people that I was currently using to work on this one. So it was sort of like, what do we do? Do we just, you know, cut bait and walk away? Or do we just go all in and go for it? We decided to cut bait and walk away. And that happened all the time. Just because, I think, any hacker, whether you're a nation state APT or, you know, you're a kid in your mom's basement, everyone knows that it's a lot of luck that stuff works. Only so much thought and intelligence
Starting point is 00:36:11 goes into it. It's a lot of luck at the end of the day. And I'd say statistically, in my years doing it, the luck isn't there or runs out more than half of the time. Just because it's hard, right? And getting harder, because people are just in general more aware of cybersecurity and information security. And they're slightly smarter, just enough to know maybe not to click on a link, or maybe not to visit that website from work or from your work computer, and maybe don't click OK when it says Flash needs to update. So there's just enough people that are just enough smarter where this is getting just that much harder every single day. You've been listening to Darknet Diaries. For show notes and links, check out darknetdiaries.com. Music is provided by Ian Alex Mac and Kevin MacLeod.
