Darknet Diaries - Ep 11: Strictly Confidential

Episode Date: January 15, 2018

What happens when an innovative tech company that's trying to develop the next big thing detects a hacker in its network? We hear the story from a digital forensics investigator, and it has... a surprising result.

Transcript
[00:00:00] Today, we're talking with Andrew. And I'm a digital forensics and incident response consultant. Andrew works on a team that does incident response. Once malware is detected on the network, it's up to him to go in, study the malware, and remove it. Andrew, do you like doing this kind of work? I love it. It's wonderful. It's very exciting work. There aren't many positions where you can be working on a client system and actually have the threat actors on there at the same time as you, trying to move files around, and you are trying to thwart them in a toe-to-toe scenario. It can be very exciting.
[00:00:44] This is Darknet Diaries. True stories from the dark side of the internet. I'm Jack Rhysider. This episode is sponsored by Delete Me. I know a bit too much about how scam callers work. They'll use anything they can find about you online to try to get at your money. And our personal information is all over the place online. Phone numbers, addresses, family members, where you work, what kind of car you drive, it's endless.
[00:01:16] And it's not a fair fight. But I realized I don't need to be fighting this alone anymore. Now I use the help of Delete Me. Delete Me is a subscription service that finds and removes personal information from hundreds of data brokers' websites and continuously works to keep it off. Data brokers hate them because Delete Me makes sure your personal profile is no longer theirs to sell. I tried it and they immediately got busy scouring the internet for my name and gave me
[00:01:40] reports on what they found. And then they got busy deleting things. It was great to have someone on my team when it comes to my privacy. Take control of your data and keep your private life private by signing up for Delete Me. Now at a special discount for Darknet Diaries listeners. Today, get 20% off your Delete Me plan when you go to joindeleteme.com/darknetdiaries and use promo code darknet at checkout. The only way to get 20% off is to go to joindeleteme.com/darknetdiaries and enter code darknet at checkout. That's joindeleteme.com/darknetdiaries. Use code darknet. Support for this show comes from Black Hills Information Security. This is a company that does penetration testing,
[00:02:26] incident response, and active monitoring to help keep businesses secure. I know a few people who work over there, and I can vouch they do very good work. If you want to improve the security of your organization, give them a call. I'm sure they can help. But the founder of the company, John Strand, is a teacher, and he's made it a mission to make Black Hills Information Security world-class in security training. You can learn things like penetration testing, securing the cloud, breaching the cloud, digital forensics, and so much more. But get this, the whole thing is pay what you can. Black Hills believes that great intro security classes do not
[00:03:00] need to be expensive, and they are trying to break down barriers to get more people into the security field. And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range, which is great for practicing your skills and showing them off to potential employers. Head on over to BlackHillsInfosec.com to learn more about what services they offer and find links to their webcasts to get some world-class training. That's BlackHillsInfosec.com. Andrew works for a security assessment and digital forensics company. Other companies hire his team to come in and do security work. It's actually pretty common for a company to outsource their security team to someone else. It's expensive and hard to maintain an internal group of security experts. So Andrew is often seen traveling around taking care of threats in his clients' networks. And he wants to share an interesting story with us today about the time
[00:04:00] he faced a hacker in a company that develops cutting edge technology. The client is a global firm. It's a technology firm. We were looking at, we had to go on site on their European, one of their European bases to work with their team there. We won't give the name of the company, but this company in particular spends a lot of time and money developing new technology. They have a full R&D department and are working on cutting edge tech. In fact, they're developing tech that no other company is developing. So one of their most precious assets is intellectual property, otherwise known as IP. So the company wants to make sure there aren't any hackers stealing this information. It started off as a compromise assessment.
[00:04:48] Sometimes companies hire a security team to examine the network to see if there's any evidence that a hacker is in the network. They wanted us to go in, put some stuff in their network, put some stuff on their endpoints, just have a look around, use the intel that we'd already built up in the team during the engagements that we'd done previously, and just basically have a look around and see what came out. So the team starts examining the logs in the network,
[00:05:21] and they look at different security devices and network activity. The security assessment involved using intel that my colleagues had seen elsewhere in other engagements for APT groups. And they spotted a few pieces of evidence, which I'm not sure exactly what it was. It may have been specific malware that they'd seen used elsewhere. But they were able to identify that there was an active threat actor in that client's environment. He mentioned APT and threat actor. This is the worst kind of hacker to find in your network. The term threat actor is just a fancy way to describe someone who poses a threat to your network. But APT stands for advanced persistent threat. And it describes a group of highly skilled and motivated hackers that have a specific goal
[00:06:16] of what they want to accomplish. But what's more is they often have significant resources, such as being sponsored by a nation state or simply well-funded. So I've been told it's state-sponsored. I mean, it's in the east, I guess. The group itself has been known to, you know, infiltrate other technology companies. To be attacked by an APT means you're facing a very skilled and serious attacker who likely won't go away easily. It's extremely difficult to detect an APT in the network. Someone has to have studied that APT for months or maybe years to understand the malware they use and their tactics and then publish that data to the world. Then if we detect certain
[00:07:01] malware in the network, we may be able to link it back to that specific APT. But the problem is once that report gets published, other people have access to those techniques too. And the APT group may change their tactics to be more covert. In this case, the malware found in the network matched exactly the same malware that someone had published in a report, which linked it back to that APT group. So we spun it up to, the company that I work for, spun it up to a full incident response engagement. And I came in as part of the team that was doing some of the forensics work, so they would ask us to take a look at the data that they were collecting. This process is fascinating to me.
[00:07:45] The forensics team first identifies and isolates the malware, and they study it, and they develop a profile for that malware. Things like file size, file names, and the activity the malware is doing. Is it reaching out to the internet? Is it trying to access something internal? Is it using specific ports? All this gets collected, and so now we know the indicators of compromise, or IOCs. This is given to another
[00:08:07] security team, which they can use to look for those IOCs in the logs, which would then reveal more places this malware has been in the network. These teams would continue to feed each other information to learn and detect more and more about this APT in their network. And then that went on for a few
[00:08:23] months. Why not remove the malware right away? And it's a good question. We do get asked a lot why we don't immediately remediate. The client environment, it's a global company. They have a lot of satellite offices,
[00:08:39] quite a complex infrastructure. So what we would do, and this is quite common for all IR companies, is that you'll have like a monitoring period or a discovery phase where you will look for where the threat actor is active in the environment, what tools they are using, try and identify how many backdoors these people have into their environment. We wanted to get as accurate a picture as possible as to where they were active, where they were coming in,
[00:09:19] where their ingress points were, where they were moving data out, because we had seen that. Just so when we came to remediation, it wasn't a case of we were removing some of their infrastructure only for them to come back in the following week somewhere else that we hadn't seen. The other concern there is that they know that we are on to them. Once you do that remediation, once you do that kick, they know you're on to them, and they will change their tools and their tactics and their procedures, and that makes you blind, I guess, depending on what
[00:10:00] else you've implemented. So for a threat actor, or for any adversary, to know that you're onto them and you remove what they have used in an environment, if they have a backup plan, they'll go to that. And whether that's immediately or over a period of time that they let lapse before they come back in. So the team spends a few months researching this hacking group and what they're doing. And what was discovered confirms the company's worst fears.
[00:10:34] So they were looking for R&D systems. So they were looking to exfiltrate and they did exfiltrate some intellectual property. This hacking group not only successfully broke into the network, but they're successfully exfiltrating or stealing the latest cutting-edge technology from the company. For a tech company that's this advanced, having their intellectual property stolen is a huge problem, which may have millions of dollars of impact to the company. I don't have a financial amount, but there was a lot of concern simply because they were working on sort of next-gen killer tech, I guess, which if in a competitor's hands or in any other company's hands would obviously affect the performance of their company quite significantly.
[00:11:32] But I mean, it's the same with every client that we've ever worked with. They don't want any kind of exfil at all. But this specific one, we saw quite intensive interest in their R&D department. This episode is sponsored by Shopify. The new year is a great time to ask yourself, what if? When I was thinking, what if I start a podcast? My focus was on finding a catchy name, some cool stories, and working out the best way to record. But oh, so much more goes into making a podcast than that.
[00:12:10] If you're thinking, what if I start my own business? Don't be scared off. Because with Shopify, you can make it a reality. Shopify makes it simple to create your brand, open for business, and get your first sale. Get your store online easily with thousands of customizable drag-and-drop templates, and Shopify helps you manage your growing business. Shipping, taxes, and payments are all visible from one dashboard, allowing you to focus on the important stuff. So what happens if you don't act now and someone beats you to the idea? The best time to start your new business is now with
[00:12:38] Shopify. Your first sale is closer than you think. Established in 2025. That has a nice ring to it, doesn't it? Sign up for your $1 per month trial period at shopify.com/darknet. Go to shopify.com/darknet and start selling with Shopify today. Shopify.com/darknet. The company was terrified that their IP was being stolen and wanted the malware removed immediately. But the security team still needed to understand the threat and study it further. They weren't ready to remove it. So we saw that they were active and we did a lot of forensic work. We did a lot of deployment into different areas.
[00:13:23] And like I said, we built that knowledge package up for remediation. Now, we were able to, so this was, I became involved in 2015. And the earliest evidence that we found was in 2010. And that wasn't the entry point. That was just the earliest sign of activity that we could find was 2010. So we had evidence to suggest that the threat actor had been in there for five years at least. The evidence we found I think was, it was some file activity on one of the drives, which somebody had dated as 2010, which could have been planting something. I don't know the details of it, more than the date, I'm afraid, because I remember sitting in the boardroom with the client in their office and there was a team of us there and we kind of broke it to them
[00:14:29] that 2010 was the earliest we could find. And, you know, it kind of hits home that they've had for half a decade, you know. Somebody has had access to their environment without their awareness. How did the client take this kind of news? It was a mixed response, so that some of them, you know, some of the people there got angry and wanted to know why we weren't remediating immediately, which comes back to your original question. And then there were others who were on board: how do we, you know, how do we progress this? What are we seeing? What do we do next?
[00:15:13] And there was fear, obviously, because, like I said, it's a technology firm. They have their R&D and they want to be the best in the market and they want to know what's being filtered out the door. But if we're only coming into their environment in, I think it was early 2015, before I started, you know, like I said, that's half a decade that this entity could have been moving data out. So it was a mixed bag of emotions and all completely understandable. At the end of the day, we're strangers sitting in a room telling them that they've been
[00:15:48] owned for a long time, but that we are not in a position yet to remediate because we're not ready. It's a difficult subject. It's a difficult topic then to discuss with any client. So the security team goes back to studying the APT to collect even more data. We were still seeing activity during the examinations, during the monitoring phase, during the discovery phase. And it was quite interesting because they were active. You know, we could see lateral movement, we could see them doing things like basically logging in
[00:16:26] to make sure that their stuff was still sitting on these endpoints, that they could reach out to certain C2 communications, updating their tools. It's interesting
[00:16:41] to see them do it, because these guys in the background who are logging in and making sure that their malware is, you know, still running and, you know, deploying newer versions. It was, I don't really want to say it was interesting to watch, because obviously this is a company's livelihood, but, you know, from a detached perspective, watching how they functioned was very interesting. So now that a few months have gone by, the forensics team feels confident enough that they've collected enough information that they can remove the APT from the network once and for all. They've discovered the potential ways it got in, and what logins it's used, and where it's gone, and what it's done.
[00:17:29] So it's time to remediate, and finally kick this hacking group off the network. But all of a sudden, the activity from the APT stopped. In the weeks up to the remediation, the threat actor had gone quiet. Had gone very quiet. We weren't seeing any kind of movement. We weren't seeing anything really, which usually means that they've either succeeded in what they came to do or, you know, something else. So Andrew and his team are all ready to
[00:17:59] clean this off the network, but he has to fly to the office location to do the remediation. So he packs his things and heads to the airport. He's scheduled to do the remediation in just two days. I was sitting in the airport waiting to fly out and my colleague phoned me and he was supposed to have been coming up with me but he had some last minute issues and couldn't be out there.
[00:18:20] So I was kind of, there was a few of us going up but he couldn't make it with me. But he phoned me up and he said, have you seen the news? And it wasn't headline news. It was just kind of financial news where the firm that we were working for had been the subject of a buyout, a very expensive buyout attempt by a company that was from the same part of the world that we believed the threat actor was from. As soon as my colleague phoned me in the airport and I kind of told everyone else that I was
[00:19:00] flying out with, and it was kind of a, ah, I wonder, you know, penny drops kind of thing. And I know this is obviously, I mean, this is a what if, right? We don't know for sure, but the timing to me seemed, you know, awfully convenient. And like I said, for the last couple of weeks the threat actor had gone quiet, and then all of a sudden, out of the blue, came this attempt at a buyout. And it was for a phenomenal amount of money, a phenomenal amount of money. And it came as a surprise to everyone. But when I actually told the people I was working with, there was that kind of, yeah, I wonder if that was what was going on
[00:19:47] and that got me thinking about how these companies, they get compromised by these state-sponsored groups as a means of due diligence, I guess. You know, has the company, how much are they worth? What kind of IP do they have? What kind of, you know, what's their R&D department look like, as a means of, should we buy them? Can we make money off it? And it's, the client has designed something where it could be the next big thing. It could be that it really could be the next big thing. And it just makes me wonder whether or not they are the subject of these compromises as a means of some other third party conducting due diligence, because there have been a couple of things in the media where companies that are being genuinely purchased have inflated their figures prior to acquisition.
[00:20:48] And, you know, if you're getting, if you're compromised and they're in there looking at your accounts, I guess, and your, you know, what you've got going on there, I mean, that's a perfect opportunity to get what a company is worth, you know, and feed that back to whoever. So that was my train of thought on that. As far as remediation goes, it was very quiet, touch wood. We didn't hear anything after that. We were, you know, once you do a remediation, you're kind of on high alert for some kind of activity afterwards where the threat actor realizes you've closed them out of the environment and then try and make their way back in.
[00:21:42] And that's a good opportunity to look for stuff that was, you know, there's no other way of putting it. It's stuff that was missed during the monitoring phase, the discovery phase. But that one was very quiet. So did they accept the buyout offer? Yes, they succeeded in buying the company. Yeah. It just gets you thinking.
[00:22:08] Hacking, it's like a business. For everything I've seen, I've never worked on an engagement where there's been any destruction to data, any corruption, any deletion. There's been no, whilst theft, I guess, in itself is malicious, I've not seen anything beyond theft. I've never seen, you know, the cyber vandalism or the hacktivism or anything like that. I've always seen it as, it's always been attempts at theft of intellectual property, and I think that's a business. I think in the real world, in the above board world of business, people steal ideas every day. And I just think this is another form of it. And I think companies need to think differently to the way they are right now about how these groups and their sponsors are thinking. It's all about money.
[00:23:09] It's all about money. You've been listening to Darknet Diaries. For show notes and links, check out darknetdiaries.com.
