Darknet Diaries - Ep 19: Operation Aurora
Episode Date: August 1, 2018

In 2009, around Christmas time, something terrible was lurking in the network at Google. Google is the most popular website on the Internet. It’s so popular many people just think Google is... the Internet. Google hires many of the most talented minds and has been online since the 90s. Hacking into Google is no easy task. There’s a team of security engineers who test and check all the configurations on the site before they go live. And Google has teams of security analysts and technicians watching the network 24/7 for attacks, intrusions, and suspicious activity. Security plays a very vital role at Google, and everything has to have the best protections. But this attack slipped past all that. Hackers had found their way into the network. They compromised numerous systems, burrowed their way into Google’s servers, and were trying to get to data they shouldn’t be allowed to have. Google detected this activity. And realized pretty quickly they were dealing with an attack more sophisticated than anything they’ve ever seen.

Podcast recommendation: Twenty Thousand Hertz
Transcript
In 2009, around Christmas time, something terrible is lurking in the network at Google.
Google is the most popular website on the internet.
It's so popular that many people just think Google is the internet.
Google hires many of the most talented minds and has been online since the 90s.
Hacking into Google is practically impossible.
There's a team of security engineers who test and check all the configurations of the site before they go live.
And Google has teams of security analysts and technicians watching the network 24-7 for attacks, intrusions, and suspicious activity.
Security plays a vital role at Google, and everything has to have the best protections.
But this attack slipped past all that.
Hackers had found a way into the network.
They compromised numerous systems and burrowed their way deep into Google's servers
and were trying to get data that they shouldn't be allowed to have.
Google detected this activity and realized pretty quickly
they were dealing with an attack more sophisticated than anything they've ever seen.
These are true stories from the dark side of the internet.
I'm Jack Rhysider.
This is Darknet Diaries.
Support for this show comes from Delete Me.
I know a bit too much about how scam callers work. They'll use anything they can find about you online to try to get at your money. And our personal information is all over the place online. Phone numbers, addresses, family members, where you work, what kind of car you drive. It's endless and it's not a fair fight. But I realize I don't need to be fighting this alone anymore. Now I use the help of Delete Me. Delete Me is a subscription service that finds and removes personal information from hundreds of data broker websites and continuously works to keep it off. Data brokers hate them because Delete Me makes sure your personal profile is no longer theirs to sell. I tried it and they immediately got busy scouring the internet for my name and gave me reports on what they found. And then they got busy deleting things. It was great to have someone on my team when it comes to my privacy. Take control of your data and keep your private life private by signing up for Delete Me, now at a special discount for Darknet Diaries listeners. Today, get 20% off your Delete Me plan when you go to joindeleteme.com/darknetdiaries and use promo code DARKNET at checkout. The only way to get 20% off is to go to joindeleteme.com/darknetdiaries and enter code DARKNET at checkout. That's joindeleteme.com/darknetdiaries. Use code DARKNET.
Support for this show comes from Black Hills Information Security.
This is a company that does penetration testing,
incident response and active monitoring to help keep businesses secure.
I know a few people who work over there, and I can vouch they do very good work.
If you want to improve the security of your organization, give them a call.
I'm sure they can help.
But the founder of the company, John Strand, is a teacher.
And he's made it a mission to make Black Hills Information Security world-class in security training.
You can learn things like penetration testing,
securing the cloud, breaching the cloud,
digital forensics, and so much more.
But get this, the whole thing is pay what you can.
Black Hills believes that great intro security classes
do not need to be expensive,
and they are trying to break down barriers
to get more people into the security field.
And if you decide to pay over $195,
you get six months access to the MetaCTF Cyber Range,
which is great for practicing your skills
and showing them off to potential employers.
Head on over to BlackHillsInfosec.com
to learn more about what services they offer
and find links to their webcasts
to get some world-class training.
That's BlackHillsInfosec.com. BlackHillsInfosec.com. BlackHillsInfosec.com.
Once Google detected the attack, they were able to stop it pretty quickly and clean it off the network.
On January 12, 2010, Google made a blog post telling everyone about the attack.
They said this attack was more sophisticated than any attack they've seen.
The virus that was used was not detected by any antivirus software. So McAfee, an antivirus company, got a copy of the malware and began studying it. Hours after the announcement from Google, another company posted another announcement. This one from Adobe, the makers of Photoshop and PDF readers. Adobe admitted that they too got hacked over the winter holidays.
And after that, it was clear that even more companies were hit by this attack at the same time. Yahoo, Rackspace, Microsoft, Juniper Networks, and Dow Chemical, to name a few. Google had detected that over 20 companies were victim to this attack, and some reports said as high as 200 companies were attacked.
Something big was going on. The victim companies, security companies, and law enforcement all began a full investigation. After looking through logs and analyzing the malware, researchers learned exactly how the attack took place. When McAfee reverse engineered the malware, they found that when the hacker executed the attack, they ran it out of a folder called Aurora. Because the attacker had their malware in that folder, McAfee called this attack Operation Aurora.
Here's how the hackers got in. First, they would pick their target, an employee of a company they want to attack. Even better if they could find a developer or someone with extra access to the network. Then they would research that person, figure out what their email address is, who they talk to, and what some of those emails look like between the two of them. Then they would send a phishing email to the target. This isn't some stupid looking email from the prince of Nigeria telling you you have a large inheritance. This one is much, much more clever. The hackers knew who that person would email normally and what those emails would look like. So the hackers spoofed an email to make it look like it came from that co-worker, made it look like an important email, and wanted them to click a link. These emails were so well crafted that it would be very hard for even a seasoned security expert to detect.
So the victims clicked the link, which takes them to a website that has malware on it. No big deal though, because the victim has patched their Internet Explorer browser, so the malware shouldn't have any effectiveness. But here's where things start to get more serious. The malware was not known by Microsoft, so it was still able to exploit a fully patched Internet Explorer. It was using what's known as a zero-day exploit. It's called a zero-day because that's how many days Microsoft has been aware of this exploit. Since Microsoft wasn't aware of it, the exploit worked. When the victim visited the malicious website, it executed some commands on the victim's computer. The commands that were sent to the victim's computer downloaded a program and ran it. And here's where things get even more sophisticated.
The program that was downloaded and ran was a Trojan,
and it was a brand new, freshly made Trojan.
So it bypassed any antivirus software,
and it was able to infect
a fully patched version of Windows.
This Trojan was very sophisticated too.
The encryption was strong, and it was stealthy.
This Trojan opened up a tunnel back to the hackers,
so they can control the victim's computer.
And it was designed to look like regular web traffic.
All this would happen within seconds of someone clicking the link.
What makes this attack so sophisticated?
Google gets attacked all day, every day.
But most of the people attacking Google are using well-known exploits, something you can learn by watching a YouTube video or reading a blog post. This attack was using multiple exploits that weren't known to anyone, and it's rare to see attacks that use zero-day exploits. So the hackers either had a lot of money to buy these zero-day exploits, or they had a research and development team to help them make them. The other scary part is how much research the attackers did on their victims before sending them emails in hopes they would click on them. And it appears the attackers specifically picked the Christmas and New Year's holidays to attack, knowing that it would be a skeleton crew defending the network at that time. These advanced methods and techniques the hackers used aren't new.
Governments see sophisticated attacks like this fairly often.
Banking industries and utility companies do too.
But commercial businesses have never seen an attack this advanced waged against them.
This would forever change the threat landscape for commercial companies.
Google looked further into the logs and tried to trace where the attacker went
and what they were trying to do.
They saw the attackers were trying to access two specific pieces of data.
First was access to Gmail accounts.
It's presumed the attackers wanted to read someone's emails,
but not just anyone's emails, specifically human rights activists' emails.
But not just any human rights activists' emails.
They were after Chinese human rights activists' Gmail accounts.
Whoever did this attack really wanted to see what those people were planning and organizing around China's human rights movement. But when Google looked more closely at these accounts, they noticed another connection. All of the accounts that were attempted to be accessed had court orders. United States law enforcement had requested access to those specific Gmail accounts, and these attackers were looking at those same exact accounts. This is really odd, and has baffled a lot of people as to why someone would be trying to get into Gmail accounts of Chinese human rights activists that have already been subject to court orders. Perhaps this was some government espionage, or a way to check how much the government can see into Gmail accounts. Google was able to stop the attackers from seeing any emails.
The attackers were only able to tell when the account was created.
The second piece of data the attackers were after in Google was their source code.
Google is a company that makes software,
and usually they don't want anyone to see the source code to it because that's intellectual property.
If someone had the source code, they could create a competing site or find bugs in the source code to exploit later.
So the source code needs to be kept in a secure location. Source code is often kept in something like Git, but for large companies, it's stored in what's called software configuration management systems. Companies that make this kind of software are Perforce, Concurrent Versions System, Microsoft Visual SourceSafe, and IBM Rational.
At Google, their source code was kept in Perforce.
But as they researched this attack, they found numerous problems with Perforce.
The attackers knew exactly where the Perforce servers were and used yet another unknown bug to get into Perforce.
But that may not have mattered. After this attack, McAfee looked into Perforce and found it to be insecure by default. McAfee found the following problems in Perforce. Anyone can go and create their own user account. No need for an admin to set one up for you. Passwords are unencrypted. It's easy to gather data on Perforce without any privileges. All communication to Perforce is unencrypted. It's easy to bypass authentication altogether, it's prone to directory traversal attacks, and all files are stored in clear text.
It's unknown how Perforce was set up in Google, but it's clear that it takes a lot of work to lock it down and secure it, and even then it's not very secure. These attackers had a strong knowledge of Perforce, and once they were in Google's network, they were able to easily access Perforce and take some of the source code from Google, possibly the source code for the Chrome browser. The other companies that were also compromised by this attack did not give any details as to what was taken or accessed, but it's speculated that the source code was targeted for them too. Sophisticated attacks like this often work in stages, so it's possible the attackers were just gathering information in this attack to be used for a bigger attack later. For instance, if they had the source code for how Adobe handles PDFs, they could find new ways to create malicious PDFs so they can create new viruses to infect someone else.
Upon discovering these vulnerabilities, Microsoft issued an emergency patch for the browser and operating system. McAfee Antivirus created new signatures to detect these attacks as well. It's interesting that so many companies were attacked with the same exploit all at once. Once the Aurora exploit was known, companies could patch and detect it. So it appears this hacker group was attacking as many places as it could and sort of letting the exploit become known in the process. But it also indicates that an attack at this scale would require dozens of people to conduct it. A team to develop the exploit, a team to research the attack, and a team to conduct the attack and remotely access those source code repositories.
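The Perforce weaknesses listed above correspond to a handful of server settings that an administrator can check. The script below is an added example for this transcript, not code from the episode, from Google, or from Perforce. It audits constructed samples of the output of "p4 configure show" and "p4 protect -o" (the 'name=value (source)' and 'Protections:' line shapes are assumed from Perforce's documentation; the contents are made up) for the conditions McAfee described: a low 'security' level (below 3, passwords can be absent or weak and no login ticket is required), automatic account creation ('dm.user.noautocreate' left at 0), a P4PORT without the 'ssl:' prefix (cleartext transport), and the shipped default protections table, which gives every user write access to the whole depot. The thresholds and wording of the findings are the example's own.

```python
import re

# Constructed sample of "p4 configure show" output. The 'name=value (source)'
# line shape is assumed from Perforce's docs; the values are made up and
# reflect a server left at its defaults.
SAMPLE_CONFIGURE_SHOW = """\
P4ROOT=/perforce/root (environment)
P4PORT=1666 (environment)
security=0 (default)
dm.user.noautocreate=0 (default)
"""

# Constructed sample of "p4 protect -o" output as a fresh server ships it:
# every user gets write access to the entire depot.
SAMPLE_PROTECT = """\
# A Perforce Protections Specification.
Protections:
\twrite user * * //...
\tsuper user admin * //...
"""


def parse_configure_show(text):
    """Return {name: value} from 'name=value (source)' lines; other lines are ignored."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([\w.]+)=(.*?)\s+\((\w+)\)\s*$", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def parse_protections(text):
    """Return the rows under 'Protections:' as (access, kind, name, host, path) tuples."""
    rules = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("Protections:"):
            in_table = True
            continue
        if not in_table or not line.strip() or line.lstrip().startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 5:
            rules.append(tuple(parts))
    return rules


def audit(p4port, configure_show, protect_spec):
    """Return a list of findings (empty list means nothing flagged)."""
    findings = []
    settings = parse_configure_show(configure_show)

    # Passwords and authentication: below level 3, passwords may be absent or
    # weak and a connection needs no login ticket.
    if int(settings.get("security", "0")) < 3:
        findings.append("security level below 3: passwords optional or weak; "
                        "raise it with 'p4 configure set security=3'")

    # Self-service accounts: 0 lets any client that connects create a user.
    if settings.get("dm.user.noautocreate", "0") == "0":
        findings.append("dm.user.noautocreate=0: anyone can create their own "
                        "user account; set it to 1 or 2")

    # Transport: only an 'ssl:' P4PORT encrypts traffic, credentials included.
    if not p4port.startswith("ssl:"):
        findings.append("P4PORT '%s' is not ssl: traffic and credentials cross "
                        "the network in cleartext" % p4port)

    # Protections: any rule that grants a wildcard user access to the whole depot.
    for access, kind, name, host, path in parse_protections(protect_spec):
        if kind == "user" and name == "*" and path == "//...":
            findings.append("protection '%s user * %s //...' grants %s on the "
                            "whole depot to every user" % (access, host, access))
    return findings


if __name__ == "__main__":
    for finding in audit("1666", SAMPLE_CONFIGURE_SHOW, SAMPLE_PROTECT):
        print("FINDING:", finding)
```

On the constructed sample this reports all four conditions; on a server with security=3, dm.user.noautocreate=2, an ssl: P4PORT and a protections table that grants access by group rather than to user "*", it reports nothing. Directory traversal and clear-text storage on disk are not visible from these two commands and are not checked here.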
Further analysis of this attack and Trojan revealed more information.
The attacks were seen coming from two different schools in China,
Shanghai Jiao Tong University and the Lanxiang Vocational School.
Both of these schools are legitimate, well-established, and respectable.
If you go there, you see students walking around campus,
and it looks like an average school.
So the school might not have anything to do with this,
as the attackers may have just used a server within the school to wage their attacks.
But then again, maybe there is some hidden basement full of hackers, and the school is just some kind of screen.
Because this was a major incident hitting dozens of U.S. companies, the FBI and the U.S. government began investigating the attacks. It's really difficult to figure out who conducted a cyber attack because of how anonymous and hidden you are on the internet. A few pieces of information began to add up, though. The attackers wanted into those email accounts of Chinese human rights activists, the attack originated from two schools in China, and the malware that was used had a checksum algorithm that's only used in China. Rumors started to circulate that China was likely behind this attack. As the U.S. government investigated, then Secretary of State Hillary Clinton addressed the media.
"We are obviously very concerned about Google's announcement regarding a campaign that the company believes originated in China to collect the passwords of Google email account holders. These allegations are very serious. We take them seriously. We're looking into them."
Some news outlets were even taking this a step further. "Because it's basically an act of war." "Yeah. And especially if it is really tied to the army and the government, it's an act of war."
Personally, I think this is espionage, not an act of war. This is just theft of information. A spokesperson for the Chinese foreign ministry had a reply.
"Blaming China is unacceptable. The Chinese government places great importance on computer and internet security and controls the internet according to law and demands that internet users respect relevant laws and regulations when using the internet."
As Google investigated this more, they became more certain that China was behind this. An attack with this level of sophistication, hitting this many companies at once, had to be done by a group that's very advanced. They must have had dozens of people working on this attack, they're well-funded, and they were given extra privileges on China's internet infrastructure. This isn't the work of some amateurs, or even Google competitors. This was far more advanced, with far more capabilities.
Support for this show comes from SpyCloud, a company fighting cybercrime with a mission to end criminals' ability to profit from stolen data. With SpyCloud, a leader in identity threat protection, you're never in the dark about your company's exposure from third-party breaches, successful phishes, or info-stealer infections. Get your free Darknet Exposure Report at spycloud.com/darknetdiaries. The website is spycloud.com.
To understand what happens next, we need to go back five years to 2005.
In 2005, Google started building Google.cn, which was going to be a version of Google for people in China. See, the people in China can't get to many of the sites we can. The Chinese government blocks anyone in China from getting to sites like Twitter, Facebook, Pinterest, most porn sites, YouTube, and yes, Google.com. But since China is the country with the largest population in the world, Google wanted to build a local version in China that would be allowed. The Chinese government required Google to have a license to operate in China, and they got it. So they started building their offices, hiring the top talent, and creating Google.cn. But while they were building it, China decided to cancel the license. Google had to spend another 18 months negotiating with the Chinese government to get the license to operate in China. One of the requirements was to censor certain search results. For instance, they wanted no results if you searched for Tiananmen Square protests. Google executives weren't happy about all this censorship, but still wanted to get into the Chinese market, so they complied with all the censorship requirements. In 2007, an agreement was made and Google.cn finally came online, and millions of people began using the site.
But then the Olympics took place in 2008 in China. Ramping up for that, the Chinese government started requesting even more search terms to be censored, some that were very broad. The U.S. executives at Google were very unhappy with this and expressed their frustrations, but eventually complied, thinking this new censorship was only temporary until the Olympics were over. But the censorship didn't end after the Olympics ended. In fact, China requested even broader search terms to be censored after the Olympics. Scary stuff too, like anything sexual in nature was banned, and anything that criticized the Chinese government or politicians was a banned search term in Google.cn. The Google executives were even more angry with this. They thought they were now helping this country conduct their oppression. And it made them dissatisfied with China.
So when these attacks happened in late 2009, Google created a massive war room, not only to combat the attack technically, but to determine what to do next. Sergey Brin, the co-founder of Google, was extremely upset with China over these attacks. He specifically was upset that the attackers tried to get into the Chinese civil rights activists' accounts, and that the Chinese government was censoring so much from its people. Sergey reminded the executives that the motto at Google is don't be evil, and by helping China be oppressive, they were in fact being evil. Eric Schmidt, the executive chairman, did not agree. He reminded Sergey that they always comply with local laws in any country they operate in, and that's just part of doing business internationally. A very passionate internal debate waged among the Google executives for almost four months trying to determine what to do about China. Eventually, Larry Page, the other co-founder of Google, agreed with Sergey, and the debate was over. Google had decided to shut down their google.cn website and close most of their offices in China. They redirected all their traffic to google.com.hk, which is a version of Google built in Hong Kong, because Hong Kong maintains a totally separate body of government with different laws. Now when people in China went to google.cn, they were able to search for sexual content and the Tiananmen Square protests, because it was going through the Hong Kong version of Google.
Now this was a huge deal for Google, to shut down google.cn and pull out of China. China has the largest population of any country in the world, and Google is the most popular website in the world. And there are more than twice as many people on the internet in China than there are total people in the U.S. Leaving a market this size will make a noticeable impact upon Google's traffic and revenue. But even more importantly, it meant that Google would quit their fight over Chinese censorship laws. Silence fell on all Google employees who read the memo. The news of shutting down the Google.cn office was dropped at 6 a.m. Beijing time. Many of the Google employees in China learned about the announcement by co-workers calling them and waking them up. Panicked employees flooded the Google office in China with questions and concerns. But management just told everyone to leave and gave them all tickets to go see the movie Avatar, which had just come out. The next day, employees came back to the Google office in China, and Sergey himself had a teleconference call with all of them to explain the situation. It didn't go well. Emotions were high, and employees felt that they were abandoned by the generals overseas in the middle of a war.
A few months after that, China blocked its people from being able to get to all Google sites, including google.cn and google.com.hk. According to the website greatfire.org, China has been blocking Google ever since. The major search engine that is used in China is called Baidu, which if you search Tiananmen Square protests in there, you see stories about how the protests are a myth and didn't happen.
Ever since Operation Aurora, Google and many others have had to step up their defenses knowing that more sophisticated attacks can hit even commercial companies. This attack forever changed how we see our adversaries when defending commercial networks. Security researchers at Symantec, Dell SecureWorks, and CrowdStrike dove further into Operation Aurora to try to understand the group behind these attacks. When Symantec investigated the malware further, they found the code frequently used a variable with the name Elderwood. So they called this hacking group Elderwood. CrowdStrike came up with a different name, which was Sneaky Panda, and Dell called them the Beijing Group. I like Elderwood the most, so let's stick with that one. Security researchers created a big list of everything that's known about Operation Aurora and started building a dossier on the Elderwood group. For years after the attack, researchers would examine other big hacks and breaches to try to find if there's any connection with the Elderwood hacking group. Some connections were made. Either the same Trojan was used, or the same command and control servers were used, or comments in the code were similar. In the three years after Operation Aurora, the Elderwood group was suspected to be behind seven different attack campaigns, and each campaign resulted in numerous companies being hacked.
The next attack they conducted after Operation Aurora contained a zero-day exploit using Adobe Flash. This is really interesting because during Operation Aurora, they hacked into Adobe. So we can speculate that maybe they did take the source code for Flash from Adobe and used it to build new exploits. Because if you have the source code, it's much easier to find a vulnerability. In fact, they had five different zero-day exploits for Adobe Flash and were able to breach many companies using these exploits. This group had immense capabilities. They seemed to be growing more powerful over time, stealing more source code from places like Google, Adobe, Oracle, and Microsoft, and building more zero-day exploits with them. It seemed like the Elderwood hacking group had endless amounts of zero-day exploits they could use. Hacking using zero-day exploits is not actually that common. In 2011, there were only eight reported breaches that used a zero-day exploit in the attack. But four of those exploits were from the Elderwood group. So you can see how this group was dominating the hacker scene. What else is strange about the Elderwood group is that they have this uncanny ability to know when their zero-day exploits are about to be discovered or fixed. When they get wind that it's going to be patched, they burn their zero-day by trying to hack as many places as they can all at once to get the most of it. They may have access to an internal bug tracking tool within Google or Microsoft or Adobe, and they may have someone inside tipping them off.
After Operation Aurora, the Elderwood group changed their initial entry tactics. Instead of getting people to click the phishing email, they used what's known as a watering hole attack. This would hack into a popular website, put malware on it, and wait for users to visit the site to become infected. As soon as the victim's computer would be infected, the hacking group would have full access to that computer. They also changed their targets. While attacking Microsoft, Google, and Adobe will help them find new exploits, it doesn't look like that's their primary objective. They seem to be mostly interested in gaining access to defense companies. Companies like Lockheed Martin, Raytheon, Boeing, and General Dynamics, to name a few. These companies supply tanks, weapons, and planes to the U.S. military. They presumably want access to these companies to gain information on the latest weapons and military technology, and maybe also get a glimpse as to what the military has in stock. This would certainly be valuable information for a superpower like China. But the Elderwood group doesn't attack these companies directly. Instead, they're almost always seen hacking into suppliers and third-party companies that deal directly with the top-tier defense companies. And they're also seen hacking into the suppliers of suppliers. Because if they can infect the supply chain and that software gets into the defense company, then it's just as good as hacking into the defense company. And it's easier and sneakier because those third-party companies don't have nearly the security defenses of a top-tier defense contractor. So Elderwood would possibly study all the parts that are used in a specific weapon or tank and figure out which companies supply those parts or software, then figure out which websites those companies visit to do their work. One website they infected was the Center for Defense Information in Washington, D.C. This is a non-profit organization that posts information on military matters. People who visit the site are likely to be military or those working in the defense industry. Even if it's a third party to a contractor, infecting them can be very valuable. From there, you can implant malware into software and that can make its way into bigger companies. Details aren't given as to what companies were specifically hit by Elderwood. Symantec doesn't release that information, and those companies that are breached aren't always required to publicly disclose it. So all we can tell from Symantec is the way the attacks happened and what types of companies were targeted.
The second biggest target for the Elderwood hacking group is human rights organizations. It's suspected that the same group that did Operation Aurora in 2010 was also responsible for placing zero-day Flash exploits on the website for Amnesty International Hong Kong. So users who visited that site would become infected and this group could then access their computers to see anything they wanted to see on that computer. Other sites that had zero-day exploits on them were the International Institute for Counter-Terrorism and the Cambodian Institute of Foreign Affairs. Users who visited those websites in May of 2012 had a high likelihood of being infected and having their systems controlled by the Elderwood group.
Some researchers believe that there must be hundreds, if not thousands, of people working for this group. There would be a team of developers to comb through the stolen source code to develop exploits. Then there's a team to gather information on the targets and do open source intelligence gathering. And then there's a team that puts together the attacks and plans a way to get into places. Then there's a team to conduct the attack and sit there waiting for the infected machines to show up. Then there are people talented at knowing certain software to be able to grab the data they need and navigate around. And then there's a team of analysts to make sense of the data once it's stolen. And there must also be interpreters and spies and website developers and instructors and labs and commanders. The Elderwood group is well-funded, highly trained, and very advanced. And a group like this doesn't just show up overnight. I suspect they probably have been working together for years, if not decades, before being discovered like this. But still, we can only guess as to who they are based on the footprints they leave. Research papers have been published outlining the tactics, techniques, and procedures of the Elderwood group. And since then, it appears they've changed their tactics to avoid being connected. Some researchers also believe they've broken up into smaller groups specifically designed for certain attacks, such as spying on people or hacking into certain sectors. The hacking activity we continue to see from China today remains one of the most advanced persistent threats.
In 2015, U.S. President Barack Obama and Chinese President Xi Jinping met to discuss cyber attack diplomacy. They had dinner together and came to an agreement. The two presidents stood side by side on the White House lawn to explain what they agreed on.
"I raised once again our very serious concerns about growing cyber threats to American companies and American citizens. I indicated that it has to stop. The United States government does not engage in cyber economic espionage for commercial gain. And today, I can announce that our two countries have reached a common understanding on the way forward. We've agreed that neither the U.S. or the Chinese government will conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information for commercial advantage. In addition, we'll work together and with other nations to promote international rules of the road for appropriate conduct in cyberspace."
If I can break character for a second here, this is what I love about having a career in InfoSec. I can turn on the nightly news and sometimes see the president talking my lingo. It's just amazing to see what I'm passionate about being talked about on the world stage like this. It's awesome. Anyway, this agreement was likely a direct result of the Operation Aurora attacks. And then again, in 2017, U.S. President Donald Trump and the Chinese President Xi Jinping met at Mar-a-Lago and renewed the same truce, that neither country would attack commercial sectors to steal intellectual property for commercial gain. Personally, I don't think this truce has much value, as both countries continue to do what they can to gather details from each other. And hacking into commercial companies to steal source code to develop new vulnerabilities is simply a part of that process. For instance, China is suspected to be behind the virus found in CCleaner, a popular Windows cleanup tool, and that attack got them access to data at Microsoft and Google. China denied its involvement, but even if it did admit to it, they could just say that the data that was stolen wasn't used for commercial gain. So this agreement between the two is just weak and unenforceable.
Now that we know the Elderwood hacking group is capable of targeting commercial sectors, companies should take this as a cautionary tale, especially companies that supply to defense contractors. If this attacking group knows that a defense company uses your product, they might try hacking you to get into the defense company because it's easier and sneakier. So by taking on a defense company as a client, it significantly increases your threat landscape. This is the modern day arms race. Foreign countries will continuously be trying to hack into our government and defense companies to gather as much information as they can. At the same time, our government is trying to gather information about foreign governments by hacking them as well. This makes it difficult to understand governments. If the NSA finds a bug in Microsoft, they might not tell Microsoft, but instead they'll keep it to themselves and potentially use it in a cyber attack because they want to be one step ahead of the enemy. So we are seeing the U.S. and foreign governments keeping zero-day exploits just for themselves. Governments hacking into other governments or companies in other countries is now the new normal. Spyware versus spyware. Ghosts in the wire. Cyber patriots. This is the current battlefront that is secret and hidden from all of us. Until something goes wrong, or gets sloppy, or until someone wants us to see something.
You've been listening to Darknet Diaries. This episode is made by me, Jack Rhysider, with theme music from the mysterious Breakmaster Cylinder. Okay, so a lot of you want more episodes of this show, and I'll make a deal with you. I'll go back to producing two episodes a month if you can help me reach 3,000 followers on Facebook. Deal? Okay, if you're in, go to facebook.com/darknetdiaries and follow the page. And tell your friends to follow it too. I also posted a preview of the next episode on Facebook for you to check out right now. So come on, let's go do this.