Darknet Diaries - Ep 19: Operation Aurora

Episode Date: August 1, 2018

In 2009, around Christmas time, something terrible was lurking in the network at Google. Google is the most popular website on the Internet. It’s so popular many people just think Google is... the Internet. Google hires many of the most talented minds and has been online since the 90s. Hacking into Google is no easy task. There’s a team of security engineers who test and check all the configurations on the site before they go live. And Google has teams of security analysts and technicians watching the network 24/7 for attacks, intrusions, and suspicious activity. Security plays a very vital role at Google, and everything has to have the best protections. But this attack slipped past all that. Hackers had found their way into the network. They compromised numerous systems, burrowed their way into Google’s servers, and were trying to get to data they shouldn’t be allowed to have. Google detected this activity. And realized pretty quickly they were dealing with an attack more sophisticated than anything they’ve ever seen.

Podcast recommendation: Twenty Thousand Hertz

Transcript
Starting point is 00:00:00 In 2009, around Christmas time, something terrible is lurking in the network at Google. Google is the most popular website on the internet. It's so popular that many people just think Google is the internet. Google hires many of the most talented minds and has been online since the 90s. Hacking into Google is practically impossible. There's a team of security engineers who test and check all the configurations of the site before they go live. And Google has teams of security analysts and technicians watching the network 24-7 for attacks, intrusions, and suspicious activity. Security plays a vital role at Google, and everything has to have the best protections.
Starting point is 00:00:43 But this attack slipped past all that. Hackers had found a way into the network. They compromised numerous systems and burrowed their way deep into Google's servers and were trying to get data that they shouldn't be allowed to have. Google detected this activity and realized pretty quickly they were dealing with an attack more sophisticated than anything they've ever seen. These are true stories from the dark side of the internet. I'm Jack Rhysider.
Starting point is 00:01:37 This is Darknet Diaries. Support for this show comes from Delete Me. I know a bit too much about how scam callers work. They'll use anything they can find about you online to try to get at your money. And our personal information is all over the place online. Phone numbers, addresses, family members, where you work, what kind of car you drive. It's endless and it's not a fair fight. But I realize I don't need to be fighting this alone anymore. Now I use the help of Delete.me. Delete.me is a subscription service that finds and removes personal information from hundreds of data broker websites and continuously works to keep it off.
Starting point is 00:02:06 Data brokers hate them because Delete.me makes sure your personal profile is no longer theirs to sell. I tried it and they immediately got busy scouring the internet for my name and gave me reports on what they found. And then they got busy deleting things. It was great to have someone on my team when it comes to my privacy. Take control of your data and keep your private life private by signing up for Delete Me. Now at a special discount for Darknet Diaries listeners.
Starting point is 00:02:29 Today, get 20% off your Delete Me plan when you go to joindeleteme.com slash darknetdiaries and use promo code darknet at checkout. The only way to get 20% off is to go to joindeleteme.com slash darknetdiaries and enter code darknet at checkout. That's join delete me dot com slash darknet diaries. Use code darknet.
Starting point is 00:02:56 Support for this show comes from Black Hills Information Security. This is a company that does penetration testing, incident response and active monitoring to help keep businesses secure. I know a few people who work over there, and I can vouch they do very good work. If you want to improve the security of your organization, give them a call. I'm sure they can help. But the founder of the company, John Strand, is a teacher. And he's made it a mission to make Black Hills Information Security world-class in security training.
Starting point is 00:03:23 You can learn things like penetration testing, securing the cloud, breaching the cloud, digital forensics, and so much more. But get this, the whole thing is pay what you can. Black Hills believes that great intro security classes do not need to be expensive, and they are trying to break down barriers to get more people into the security field.
Starting point is 00:03:41 And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range, which is great for practicing your skills and showing them off to potential employers. Head on over to BlackHillsInfosec.com to learn more about what services they offer and find links to their webcasts to get some world-class training.
Starting point is 00:04:00 That's BlackHillsInfosec.com. Once Google detected the attack, they were able to stop it pretty quickly and clean it off the network. On January 12, 2010, Google made a blog post telling everyone about the attack. They said this attack was more sophisticated than any attack they've seen. The virus that was used was not detected by any antivirus software. So McAfee, an antivirus company, got a copy of the malware and began studying it. Hours after the announcement from Google, another company posted another announcement. This one from Adobe, the makers of Photoshop and
Starting point is 00:04:42 PDF readers. Adobe admitted that they too got hacked over the winter holidays. And after that, it was clear that even more companies were hit by this attack at the same time. Yahoo, Rackspace, Microsoft, Juniper Networks, and Dow Chemical, to name a few. Google had detected that over 20 companies were victim to this attack. And some reports said as high as 200 companies were attacked. Something big was going on. The victim companies, security companies, and law enforcement all began a full investigation. After looking through logs and analyzing the malware, researchers learned exactly how the attack took place. When McAfee reverse engineered the malware, they found that when the
Starting point is 00:05:25 hacker executed the attack, they ran it out of a folder called Aurora. Because the attacker had their malware in that folder, McAfee called this attack Operation Aurora. Here's how the hackers got in. First, they would pick their target, an employee of a company they want to attack. Even better if they could find a developer or someone with extra access to the network. Then they would research that person, figure out what their email address is, who they talk to, and what some of those emails look like between the two of them. Then they would send a phishing email to the target. This isn't some stupid looking email from the prince of Nigeria
Starting point is 00:05:59 telling you you have a large inheritance. This one is much, much more clever. The hackers knew who that person would email normally and what those emails would look like. So the hackers spoofed an email to make it look like it came from that co-worker and made it look like an important email that wanted them to click a link. These emails were so well crafted that it would be very hard for even a seasoned security expert to detect. So the victims clicked the link, which took them to a website that
Starting point is 00:06:25 has malware on it. No big deal though, because the victim has patched their Internet Explorer browser, so the malware shouldn't have any effectiveness. But here's where things start to get more serious. The malware was not known by Microsoft, so it was still able to exploit a fully patched Internet Explorer. It was using what's known as a zero-day exploit. It's called a zero-day because that's how many days Microsoft has been aware of this exploit. Since Microsoft wasn't aware of it, the exploit worked. When the victim visited the malicious website, it executed some commands on the victim's computer. The commands that were sent to the victim's computer downloaded a program and ran it. And here's where things get even more sophisticated.
Starting point is 00:07:06 The program that was downloaded and ran was a Trojan, and it was a brand new, freshly made Trojan. So it bypassed any antivirus software, and it was able to infect a fully patched version of Windows. This Trojan was very sophisticated too. The encryption was strong, and it was stealthy. This Trojan opened up a tunnel back to the hackers,
Starting point is 00:07:27 so they could control the victim's computer. And it was designed to look like regular web traffic. All this would happen within seconds of someone clicking the link. What makes this attack so sophisticated? Google gets attacked all day, every day. But most of the people attacking Google are using well-known exploits, something you can learn by watching a YouTube video or reading a blog post. This attack was using multiple exploits that weren't known to anyone, and it's rare to see attacks that use zero-day exploits. So the hackers either had a lot of
Starting point is 00:08:00 money to buy these zero-day exploits, or they had a research and development team to help them make it. The other scary part is how much research the attackers did on their victims before sending them emails in hopes they would click on it. And it appears the attackers specifically picked the Christmas and New Year's holidays to attack, knowing that it would be a skeleton crew defending the network at that time. These advanced methods and techniques the hackers used aren't new. Governments see sophisticated attacks like this fairly often. Banking industries and utility companies do too. But commercial businesses have never seen an attack this advanced waged against them.
Starting point is 00:08:34 This would forever change the threat landscape for commercial companies. Google looked further into the logs and tried to trace where the attacker went and what they were trying to do. They saw the attackers were trying to access two specific pieces of data. First was access to Gmail accounts. It's presumed the attackers wanted to read someone's emails, but not just anyone's emails, specifically human rights activists' emails. But not just any human rights activists' emails.
Starting point is 00:09:01 They were after Chinese human rights activists' Gmail accounts. Whoever did this attack really wanted to see what those people were planning and organizing around China's human rights movement. But when Google looked more closely at these accounts, they noticed another connection. All of the accounts the attackers attempted to access had court orders. United States law enforcement had requested access to those specific Gmail accounts, and these attackers were looking at those same exact accounts. This is really odd, and has baffled a lot of people as to why someone would be trying to get into Gmail accounts of Chinese human rights activists that have already been subject to court orders. Perhaps this was some government espionage, or a way to
Starting point is 00:09:40 check how much the government can see into Gmail accounts. Google was able to stop the attackers from seeing any emails. The attackers were only able to tell when the account was created. The second piece of data the attackers were after in Google was their source code. Google is a company that makes software, and usually they don't want anyone to see the source code to it because that's intellectual property. If someone had the source code, they could create a competing site or find bugs in the source code to exploit later. So the source code needs to be kept in a secure location. Source code is often kept in something like Git, but for large companies, it's stored in what's called software configuration management
Starting point is 00:10:19 systems. Companies that make this kind of software are Perforce, Concurrent Version Systems, Microsoft Visual SourceSafe, and IBM Rational. At Google, their source code was kept in Perforce. But as they researched this attack, they found numerous problems with Perforce. The attackers knew exactly where the Perforce servers were and used yet another unknown bug to get into Perforce. But that may not have mattered. After this attack, McAfee looked into Perforce and found it to be insecure by default. McAfee found the following problems in Perforce.
Starting point is 00:10:50 Anyone can go and create their own user account. No need for an admin to set one up for you. Passwords are unencrypted. It's easy to gather data on Perforce without any privileges. All communication to Perforce is unencrypted. It's easy to bypass authentication altogether, it's prone to directory traversal attacks, and all files are stored in clear
Starting point is 00:11:09 text. It's unknown how Perforce was set up in Google, but it's clear that it takes a lot of work to lock it down and secure it, and even then it's not very secure. These attackers had a strong knowledge of Perforce, and once they were in Google's network, they were able to easily access Perforce and take some of the source code from Google, possibly the source code for the Chrome browser. The other companies that were also compromised by this attack did not give any details as to what was taken or accessed, but it's speculated that the source code was targeted for them too. Sophisticated attacks like this often work in stages, so it's possible the attackers
Starting point is 00:11:44 were just gathering information in this attack to be used for a bigger attack later. For instance, if they had the source code for how Adobe handles PDFs, they could find new ways to create malicious PDFs so they can create new viruses to infect someone else. Upon discovering these vulnerabilities, Microsoft issued an emergency patch for the browser and operating system. McAfee Antivirus created new signatures to detect these attacks as well. It's interesting that so many companies were attacked with the same exploit all at once. Once the Aurora exploit was known, companies could patch and detect it. So it appears this hacker group was attacking as many places as it could
Starting point is 00:12:19 and sort of letting the exploit become known in the process. But it also indicates that an attack at this scale would require dozens of people to conduct it. A team to develop the exploit, a team to research the attack, and a team to conduct the attack and remotely access those source code repositories. Further analysis of this attack and Trojan revealed more information. The attacks were seen coming from two different schools in China, Shanghai Jiao Tong University and the Lanxiang Vocational School. Both of these schools are legitimate, well-established, and respectable. If you go there, you see students walking around campus,
Starting point is 00:12:54 and it looks like an average school. So the school might not have anything to do with this, as the attackers may have just used a server within the school to wage their attacks. But then again, maybe there is some hidden basement full of hackers, and the school is just some kind of screen. Because this was a major incident hitting dozens of U.S. companies, the FBI and the U.S. government began investigating the attacks. It's really difficult to figure out who conducted a cyber attack because of how anonymous and hidden you are on the internet. A few pieces of information began to add up, though. The attackers wanted into those email accounts of Chinese human rights activists,
Starting point is 00:13:29 and the attack originated from two schools in China, and the malware that was used had a checksum algorithm that's only used in China. Rumors started to circulate that China was likely behind this attack. As the U.S. government investigated, then Secretary of State Hillary Clinton addressed the media. "We are obviously very concerned about Google's announcement regarding a campaign that the company believes originated in China to collect the passwords of Google email account holders. These allegations are very serious. We take them seriously. We're looking into them." Some news outlets were even taking this a step further. "Because it's basically an act of war. Yeah. And especially if it is really tied to the army and the government, it's an act
Starting point is 00:14:15 of war." Personally, I think this is espionage, not an act of war. This is just theft of information. A spokesperson for the Chinese foreign ministry had a reply. "Blaming China is unacceptable. The Chinese government places great importance on computer and internet security and controls the internet according to law and demands that internet users respect relevant laws and regulations when using the internet." As Google investigated this more, they became more certain that China was behind this. An attack with this level of sophistication, hitting this many companies at once, had to be done by a group that's very advanced. They must have had dozens of people working on this attack, and they're
Starting point is 00:14:53 well-funded, and they were given extra privileges on China's internet infrastructure. This isn't the work of some amateurs, or even Google competitors. This was far more advanced, with far more capabilities. Thank you. cybercrime with a mission to end criminals' ability to profit from stolen data. With SpyCloud, a leader in identity threat protection, you're never in the dark about your company's exposure from third-party breaches, successful phishes, or info-stealer infections. Get your free Darknet Exposure Report at spycloud.com slash darknetdiaries. The website is spycloud.com. To understand what happens next, we need to go back five years to 2005. In 2005, Google started building Google.cn, which was going to be a version of Google for people in China. See, the people in China can't get to many of the sites we can. The Chinese
Starting point is 00:16:25 government blocks anyone in China from getting to sites like Twitter, Facebook, Pinterest, most porn sites, YouTube, and yes, Google.com. But since China is the country with the largest population in the world, Google wanted to build a local version in China that would be allowed. The Chinese government required Google to have a license to operate in China, and they got it. So they started building their offices, hiring the top talent, and creating Google.cn. But while they were building it, China decided to cancel the license. Google had to spend another 18 months negotiating with the Chinese government to get the license to operate in China. One of the requirements was to censor certain search results. For instance, they wanted no results if you searched for Tiananmen Square protests. Google executives weren't happy about
Starting point is 00:17:11 all this censorship, but still wanted to get in the Chinese market, so they complied with all the censorship requirements. In 2007, an agreement was made and Google.cn finally came up and online, and millions of people began using the site. But then the Olympics took place in 2008 in China. Ramping up for that, the Chinese government started requesting even more search terms to be censored. Some that were very broad. The U.S. executives at Google were very unhappy with this and expressed their frustrations, but eventually complied, thinking this new censorship was only temporary until the Olympics were over. But the censorship didn't end after the Olympics ended. In fact, China requested even broader
Starting point is 00:17:53 search terms to be censored after the Olympics. Scary stuff too, like anything sexual in nature was banned, and anything that criticized the Chinese government or politicians were banned search terms in Google.cn. The Google executives were even more angry with this. They thought they were now helping this country conduct their oppression. And it made them dissatisfied with China. So when these attacks happened in late 2009, Google created a massive war room. Not only to combat the attack technically,
Starting point is 00:18:25 but to determine what to do next. Sergey Brin, the co-founder of Google, was extremely upset with China over these attacks. He specifically was upset that the attackers tried to get into the Chinese civil rights activists' accounts, and that the Chinese government was censoring so much from its people. Sergey reminded the executives that the motto at Google is don't be evil, and by helping China be oppressive, they were in fact being evil. Eric Schmidt, the executive chairman, did not agree. He reminded Sergey that they always comply with local laws in any country they operate in, and that's just part of doing business internationally.
Starting point is 00:19:02 A very passionate internal debate raged among the Google executives for almost four months trying to determine what to do about China. Eventually, Larry Page, the other co-founder of Google, agreed with Sergey, and the debate was over. Google had decided to shut down their google.cn website and close most of their offices in China. They redirected all their traffic to google.com.hk, which is a version of Google built in Hong Kong, because Hong Kong maintains a totally separate body of government with different laws. Now when people in China went to google.cn,
Starting point is 00:19:35 they were able to search for sexual content and the Tiananmen Square protests, because it was going through the Hong Kong version of Google. Now this was a huge deal for Google to shut down google.cn and pull out of China. China has the largest population of any country in the world and Google is the most popular website in the world. And there are more than twice as many people on the internet in China than there are total people in the U.S. Leaving a market this size will make a noticeable impact upon Google's traffic and revenue. But even more importantly, it meant that Google would quit their fight over Chinese censorship laws. Silence fell on all Google employees who read the memo.
Starting point is 00:20:17 The news of shutting down the Google.cn office was dropped at 6 a.m. Beijing time. Many of the Google employees in China learned about the announcements by co-workers calling them and waking them up. Panicked employees flooded the Google office in China with questions and concerns. But management just told everyone to leave and gave them all tickets to go see the movie Avatar,
Starting point is 00:20:40 which had just come out. The next day, employees came back to the Google office in China, and Sergey himself had a teleconference call with all of them to explain the situation. It didn't go well. Emotions were high, and employees felt that they were abandoned by the generals overseas in the middle of a war. A few months after that, China blocked its people from being able to get to all Google sites, including google.cn and google.com.hk. According to the website greatfire.org, China has
Starting point is 00:21:13 been blocking Google ever since. The major search engine that is used in China is called Baidu, which if you search Tiananmen Square protests in there, you see stories about how the protests are a myth and didn't happen. Ever since Operation Aurora, Google and many others have had to step up their defenses knowing that more sophisticated attacks can hit even commercial companies. This attack forever changed how we see our adversaries when defending commercial networks. Security researchers at Symantec, Dell Secureworks, and CrowdStrike dove further into Operation Aurora to try to understand the group behind these attacks. When Symantec investigated the malware further, they found the code frequently used a variable with the name Elderwood.
Starting point is 00:21:58 So they called this hacking group Elderwood. CrowdStrike came up with a different name, which was Sneaky Panda, and Dell called them the Beijing Group. I like Elderwood the most, so let's stick with that one. Security researchers created a big list of everything that's known about Operation Aurora and started building a dossier on the Elderwood Group. For years after the attack, researchers would examine other big hacks and breaches to try to find if there's any connection with the Elderwood Hacking Group. Some connections were made. Either the same Trojan was used, or the same command and control servers were used, or comments in the code were similar. In the three years after Operation Aurora, the Elderwood group was suspected to be behind seven
Starting point is 00:22:33 different attack campaigns, and each campaign resulted in numerous companies being hacked. The next attack they conducted after Operation Aurora contained a zero-day exploit using Adobe Flash. This is really interesting because during Operation Aurora, they hacked into Adobe. So we can speculate that maybe they did take the source code for Flash from Adobe and used it to build new exploits. Because if you have the source code, it's much easier to find a vulnerability. In fact, they had five different zero-day exploits for Adobe Flash and were able to breach many companies using these exploits.
Starting point is 00:23:06 This group had immense capabilities. They seemed to be growing more powerful over time, stealing more source code from places like Google, Adobe, Oracle, and Microsoft, and building more zero-day exploits with them. It seemed like the Elderwood hacking group had endless amounts of zero-day exploits they could use. Hacking using zero-day exploits is not actually that common. In 2011, there were only eight reported breaches that used a zero-day exploit in the attack. But four of those exploits were from the Elderwood group. So you can see how this group was dominating the hacker scene. What else is strange about the Elderwood group is that they have this uncanny ability to know when their zero-day exploit is about to be discovered or
Starting point is 00:23:43 fixed. When they get wind that it's going to be patched, they burn their zero-day by trying to hack as many places as they can all at once to get the most of it. They may have access to an internal bug tracking tool within Google or Microsoft or Adobe, and they may have someone inside tipping them off. After Operation Aurora, the Elderwood group changed their initial entry tactics. Instead of getting people to click the phishing email, they used what's known as a watering hole attack. This is where they would hack into a
Starting point is 00:24:08 popular website, put malware on it, and wait for users to visit the site to become infected. As soon as the victim's computer would be infected, the hacking group would have full access to that computer. They also changed their targets. While attacking Microsoft, Google, and Adobe will help them find new exploits, it doesn't look like that's their primary objective. They seem to be mostly interested in gaining access to defense companies. Companies like Lockheed Martin, Raytheon, Boeing, and General Dynamics to name a few. These companies supply tanks, weapons, and planes to the U.S. military. They presumably want access to these companies to gain information on the latest weapons and military technology,
Starting point is 00:24:49 and maybe also get a glimpse as to what the military has in stock. This would certainly be valuable information for a superpower like China. But the Elderwood Group doesn't attack these companies directly. Instead, they're almost always seen hacking into suppliers and third-party companies that deal directly with the top-tier defense companies. And they're also seen hacking into the suppliers of suppliers. Because if they can infect the supply chain and that software gets into the defense company, then it's just as good as hacking into the defense company. And it's easier and sneakier because those third-party companies
Starting point is 00:25:15 don't have nearly the security defenses as a top tier defense contractor. So Elderwood would possibly study all the parts that are used in a specific weapon or tank and figure out which companies supply those parts or software, then figure out which websites those companies visit to do their work. One website they infected was the Center for Defense Information in Washington, D.C. This is a non-profit organization that posts information on military matters.
Starting point is 00:25:38 People who visit the site are likely to be military or those working in the defense industry. Even if it's a third party to a contractor, infecting them can be very valuable. From there, you can implant malware into software and that can make its way into bigger companies. Details aren't given as to what companies were specifically hit by Elderwood. Symantec doesn't release that information and those companies that are breached aren't always required to publicly disclose it. So all we can tell from Symantec is the way the attacks happened and what types of companies were targeted. The second biggest target for the Elderwood hacking group are human rights organizations. It's suspected that the same group that did Operation Aurora in 2010 were also responsible
Starting point is 00:26:17 for placing zero-day flash exploits on the website for Amnesty International Hong Kong. So users who visited that site would become infected and this group could then access their computers to see anything they wanted to see on that computer. Other sites that had zero-day exploits on them were International Institute for Counterterrorism and the Cambodian Institute of Foreign Affairs. Users who visited those websites in May of 2012 had a high likelihood of being infected and having their systems controlled by the Elderwood group. Some researchers believe that there must be hundreds, if not thousands, of people working for this group. There would be a team of developers to comb through the stolen source code to develop exploits. Then there's a team to gather information on the targets and do open source intelligence gathering.
Starting point is 00:26:57 And then there's a team that puts together the attacks and plans a way to get into places. Then there's a team to conduct the attack and sit there waiting for the infected machines to show up. Then there are people talented at knowing certain software to be able to grab the data they need and navigate around. And then there's a team of analysts to make sense of the data once it's stolen. And there must also be interpreters and spies and website developers and instructors and labs and commanders. The Elderwood group is well-funded, highly trained, and very advanced. And a group like this doesn't just show up overnight. I suspect they probably have been working together for years, if not decades, before being discovered like this.
Starting point is 00:27:32 But still, we can only guess as to who they are based on the footprints they leave. Research papers have been published outlining the tactics, techniques, and procedures of the Elderwood Group. And since then, it appears they've changed their tactics to avoid being connected. Some researchers also believe they've broken up into smaller groups specifically designed for certain attacks, such as spying on people or hacking into certain sectors. The hacking activity we continue to see from China today remains to be one of the most advanced persistent threats. In 2015, U.S. President Barack Obama and Chinese President Xi Jinping met to discuss cyber attack diplomacy. They had dinner together and came to an agreement. The two presidents stood side by side on the White House lawn to explain what they agreed on.
Starting point is 00:28:19 I raised once again our very serious concerns about growing cyber threats to American companies and American citizens. I indicated that it has to stop. The United States government does not engage in cyber economic espionage for commercial gain. And today, I can announce that our two countries have reached a common understanding on the way forward. We've agreed that neither the U.S. nor the Chinese government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, for commercial advantage. In addition, we'll work together and with other nations to promote international rules of the road for appropriate conduct in cyberspace. If I can break character for a second here, this is what I love about having a career in InfoSec. I can turn on the nightly news and sometimes see the president talking my lingo. It's just amazing to see what I'm passionate about being talked about on the
Starting point is 00:29:14 world stage like this. It's awesome. Anyway, this agreement was likely a direct result from the Project Aurora attacks. And then again, in 2017, U.S. President Donald Trump and the Chinese President Xi Jinping met at Mar-a-Lago and renewed the same truce, that neither country would attack commercial sectors to steal intellectual property for commercial gain. Personally, I don't think this truce has much value, as both countries continue to do what they can to gather details from each other. And hacking into commercial companies to steal source code to develop new vulnerabilities is simply a part of that process. For instance, China is suspected to be behind the virus found in CCleaner, a popular Windows cleanup tool, and that attack got them
Starting point is 00:29:54 access to data at Microsoft and Google. China denied its involvement, but even if it did admit to it, they could just say that the data that was stolen wasn't used for commercial gain. So this agreement between the two is just weak and unenforceable. Now that we know the Elderwood hacking group is capable of targeting commercial sectors, companies should take this as a cautionary tale, especially companies that supply to defense contractors. If this attacking group knows that a defense company uses your product, they might try hacking you to get into the defense company because it's easier and sneakier. So by taking on a defense company as a client, you significantly increase your threat
Starting point is 00:30:30 landscape. This is the modern day arms race. Foreign countries will continuously be trying to hack into our government and defense companies to gather as much information as they can. At the same time, our government is trying to gather information about foreign governments by hacking them as well. This makes it difficult to understand governments. If the NSA finds a bug in Microsoft, they might not tell Microsoft, but instead they'll keep it to themselves and potentially use it in a cyber attack because they want to be one step ahead of the enemy. So we are seeing the US and foreign governments are keeping zero-day exploits just for themselves. Governments hacking into other governments or companies in other countries is now the new normal. Spyware versus spyware. Ghosts in the wire. Cyber patriots.
Starting point is 00:31:16 This is the current battlefront that is secret and hidden from all of us. Until something goes wrong, or gets sloppy, or until someone wants us to see something. You've been listening to Darknet Diaries. This episode is made by me, Jack Rhysider, with theme music from the mysterious Breakmaster Cylinder. Okay, so a lot of you want more episodes of this show, and I'll make a deal with you. I'll go back to producing two episodes a month if you can help me reach 3,000 followers on Facebook. Deal? Okay, if you're in, go to facebook.com/darknetdiaries and follow the page. And tell your friends to follow it too. I also posted a preview of the next episode on Facebook for you to check out right now.
Starting point is 00:32:06 So come on, let's go do this.