Hacked - Supply and Command

Episode Date: June 29, 2021

Or, spooky tech stories with Jordan and Scott, in which we discuss the SecurID hack, and riding into important places on the bottom of important shoes. If you like the show and want to make sure we can keep making it, please subscribe and, if you can, visit https://www.patreon.com/hackedpodcast and show us some love.

Transcript
Starting point is 00:00:00 So there have been these stories over the last few years, and they all kind of go the same way. There's this big organization, like a company or a government, and they spend a ton of money on cybersecurity. And they put all of this time and energy into erecting these really tall walls around all of their cool, cool stuff. But they're modern companies, and modern companies have to use software. So they have to let some stuff through the really tall wall. They have to have a little door to pull software updates and all that stuff. So say you're a really, really ambitious person, and you're trying to break into Microsoft or Intel or the Pentagon.
Starting point is 00:00:41 You can try and break into the Pentagon hard. Or you can look at all the people that the Pentagon lets through that little door in the wall. You can look at the software that your target uses, accounting or project management or IT, and you can just break into that and hitch a free ride in, which is easier. It's called a supply chain attack. And a lot of the big famous hacks over the last couple years have been supply chain attacks. SolarWinds in 2020, Microsoft Exchange Server in 2021. But there's this one way back in 2011 that precedes all of them.
Starting point is 00:01:20 This sort of like warning flare that went up. And it involves a company called RSA, and that's what we're going to talk about today. Picking a fight with the big boys, eh? Because earlier this year, a 10-year non-disclosure agreement finally expired. So we finally know what happened during one of the first modern attacks of its kind. This is some name I haven't come up with yet. This is spooky shit by Jordan.
Starting point is 00:01:48 This is spooky tech stories with Jordan and Scott. RSA is the most notorious security company for sure. When you say notorious. Notorious in a good way. They are based in academia, came out of like MIT. Interesting. Very well respected. The head of the company was like a cryptography professor.
Starting point is 00:02:29 And like they created the tokens, like the security fob tokens, which I feel like we're about to talk about. And really cool company. Lots of respect in the industry. Very well respected, I think professionally and academically. Even on the far side of this, you still get the sense, it's like, oh, this company is still used by large organizations. And when you hear what happens, the fact that they're still the big one speaks to the fact that they do know what they're doing.
Starting point is 00:02:55 Even though all this happened. Yeah, they're definitely somebody that I would take seriously. Yeah, I think the people that took them, I think the people that did this took them pretty seriously. They're also the maker of the tall walls. So it's less of a supply chain attack through like some, you know, ancillary vendors. I feel like we're about to talk about a hack through a security solution.
Starting point is 00:03:19 Yeah, we'll get there. For anyone who doesn't know, what is two-factor authentication, Scott? Well, it means you have to authenticate twice, essentially. So password one, then it wants you to verify that you were actually the person trying to log in, so that if your password, typically a password, if your password is correct, you know, it's not being used by somebody that shouldn't be. So they go to a second factor. We've talked about this in numerous episodes, you know, whether it's a text message to your phone
Starting point is 00:03:50 that has a code or whether it's, you know, a two-factor authentication app on your phone. You know, there's lots of those these days, as well as other things, emails, calls, et cetera, et cetera. And tokens that have big, crazy random numbers on them. I think most people's experiences, yeah. You go to log in and they text you a number, so you have your username, your password, and then this kind of other verification method, this code or something.
Starting point is 00:04:13 Yeah. You brought this up a little bit earlier, but have you ever seen a SecurID token? Hundreds of times. What does it look like for anyone that doesn't know? It looks like a USB key with a tiny little LCD screen on it. Yeah, it's almost like a little pager.
Starting point is 00:04:27 Yeah. It's essentially, if you've ever used a two-factor authentication app, typically it just has a random number generated inside of it. This is kind of like the first version of that, that was a physical thing. Instead of getting texted the confirmation code, it's displayed on that little pager.
Starting point is 00:04:44 So you have to physically be in control of this fob. Makes sense. On that little fob with the little screen, where do you think that number comes from? Most people, it gets texted from somewhere. We have no idea where that number is produced, how it's produced on that little key. It's not internet connected. Where does that number come from? Yeah, so this has always been the point of, you're trying to dig into something that I've always found fascinating.
Starting point is 00:05:07 So I know, might know a bit more than you expect about it. The server time and the fob time have to be essentially in perfect sync. So you can assume that the algorithm uses something to do with time, because that's the thing that's common between both of the items. What it does with that time and how it hashes that into the code, who knows? But it is time-based. The code is generated in real time, unique to your little device. And it's unique in that it's generated based on this unique seed number on the device that the company creates when you buy one. The company keeps a copy, the customer has their copy,
Starting point is 00:05:49 and when you log in, they check them against each other and cool, you're done. And to make it extra fun, like you said, the code changes based on the time, based on a clock inside the device and a clock on the server. 30-second interval or something. In every 30 seconds, 60 seconds, whatever the device says, both the pager and the company generate a new code based on these seed numbers and the clocks on both devices.
Starting point is 00:06:13 This algorithm or hash or whatever it is generates the codes based on the seeds that they share in common and every machine and server kind of uses that one process for generating a code based on the script. But the seed, that's what's unique. So it's really, really important in the security of all of this stuff because if you have it, you could theoretically reverse-engineer the code out of it because they're all using the same process.
Starting point is 00:06:40 So for context, SecurID is still sold. It's by all accounts a very well-regarded secondary validation method. It was one of the first. It was maybe the first. They may have invented two-factor authentication with it. And it was wildly successful. You couldn't work for a major government or be a vendor to a major government without having a SecurID tag.
Starting point is 00:07:03 And in 2011, some stuff went down with it. That I'm sure they've fixed. Like, I know this is a company that takes this really seriously. And I'm sure that they've gone on to make systems where this could never happen again. But it did happen, and we now know it happened. So now we're going to talk about it. Well, I think they almost certainly fixed it.
Starting point is 00:07:24 And I would say that the fact that there was a 10-year NDA period is indicative of, you know, security through obfuscation, where they needed a period to fix the problem because it was so widely rolled out that if it had become widely known that these things were hackable quite easily, you would have had a much larger issue globally. So back in 2011, on March 8th,
Starting point is 00:07:49 the systems administrator notices that there's an employee user account on the system acting bizarrely. Their permissions have changed in a weird way and they've started using a new device they've never been on before. So the admin runs it up the line to their bosses. And the veteran engineers are like, piss off. We're working on like cryptography algorithms, this is very high level stuff.
Starting point is 00:08:10 This is in RSA. We're too busy to worry about this. But the admin is like a pain and they insist, no, like something is actually going on here. And so the engineers take it seriously. They start to look at it and it's admittedly pretty weird. So they start to dig around into this user's behavior, looking at what devices the user is accessing and what they're doing. And for the last couple days, this user has just gone off the rails.
Starting point is 00:08:33 They finally go, okay, we need to look into this. First thought, oh, just delete the user's account. That was my thought at least, which ignores the fact that they've already had like five days. Yeah, that's a terrible idea. Because you essentially delete the breadcrumbs to see what they've been up to. This is why I'm not an engineer at one of the best security operations in the world. And they're trying to parse through what this user's been doing. And stuff that looked kind of weird starts looking very, just outright insidious.
Starting point is 00:09:04 And the more that they comb through it, the more it starts to get worse and worse and worse. So they start to piece it all together. And they build out what is to become a war room within RSA because this is about to become a war. And it seems this is what happened. This hacker, this actor, crew, whatever they are, starts by getting access to a single employee's credentials, who we're going to call the Australian. What would be the most unremarkable way that they could have gotten this one Australian employee's credentials?
Starting point is 00:09:35 For as complex as this is all going to become, what would be the simplest way to get that first set of login credentials? You find it? He forgets it somewhere, leaves it in a bar at the beach, the cafe. Wrote it down on a sticky note, and they just saw it with their eyes. Well, you've got to assume that they were probably using SecurID tokens for access. So he probably had to gain access to his SecurID token, which might have been just him finding it.
Starting point is 00:09:59 They sent the guy an Excel spreadsheet labeled 2011 recruitment plan that he opened, and it had a script that exploited a zero-day vulnerability in Flash. That's very 2011-y. Just phishing. Yeah, just like a basic macro inside of an Excel spreadsheet to hack your system. And they used that to install a more useful piece of software called Poison Ivy. That gave the hacker the ability to do key logging and remote access, a bunch of classic control stuff, and they're just off to the races.
Starting point is 00:10:29 Once they had control of the Australian's PC, they used a different tool that pulled credentials out of the machine's memory and then reused those usernames and passwords to log into other machines on the network. They would scrape those computers' memories for more usernames and passwords until they found some belonging to a person with even more privileged power. Of course. And they just worked their way up until eventually they got to a server containing hundreds of user credentials and they were free. And this technique, I was reading about this, of combing and hopscotching, combing and hopscotching
Starting point is 00:11:02 is like very, very, very common now. That's a recurring theme in this. But back in 2011, in all of these like disclosure or like interviews, a lot of the engineers are talking about this was pretty novel to watch someone just run through a network this way of finding the credentials and working their way up to better ones each time. It was quite strange to be watching someone doing this apparently. So by the time the RSA war room catches up, the hacker has basically unfettered access to their entire network.
Starting point is 00:11:30 And they're moving around freely. And the hacker would go here, and like a second later, RSA would see them and like shut that down, but they'd already be gone to something else. When you have so many accounts, you either have to shut your whole company down and evaluate from there or, you know. Yeah, wouldn't it be wild if that's where this ends up. So the question starts to emerge in this RSA war room.
Starting point is 00:11:54 This is like a lot of effort for this hacker. There's got to be multiple people doing it because they're running 24 hours. Like they're just chasing after them. So like why? Like where are these people going? What are they looking for? Are they looking for something in particular? And I bet you can guess where this is going.
Starting point is 00:12:11 Russia? Close-ish. And we're brought back to those seeds that I mentioned at the start of the show. Yeah. The seed that is unique to each token and each server. They're looking for the Excel spreadsheet of seeds. The seeds that, having them kind of just rips a huge hole into the pocket of everyone
Starting point is 00:12:28 using one of these little security tokens. Well, at that point, they've probably seen the source code for the tokens themselves, understand the algorithm that hashes and generates the number, et cetera, et cetera. A product that, if it was compromised, isn't great for a cybersecurity company to have been compromised by a hacker, just PR-wise? It's big, definitively. Bad for national security too, because I'm sure SecurID was used throughout all of the American and probably European security forces and etc., government agencies. 100%.
Starting point is 00:13:04 So my question was, how did RSA store those seeds? Tell me unencrypted in an Excel file on a shared drive. Do it. Tell me that. Do it. Tell me that. The D drive slash don't share with anybody slash encrypted seeds
Starting point is 00:13:22 Super Private underscore Confidential.xls. It was on the desktop, in a folder named desktop, inside of another folder named desktop. So you've seen my desktop. Precisely. Air gapping, for anyone that doesn't know, Scott. Yes. Air gapping is to literally never plug a computer into the internet.
Starting point is 00:13:43 It is air-gapped. Air-gapping is less cool now with Wi-Fi, because technically that's over the air, but air gapping just used to mean not plugging an Ethernet cable into your computer. Sure. A non-networked computer. Yeah, generally never has seen the network. So you buy a new one.
Starting point is 00:13:58 You set it up completely independent and you never put it on the network. It's what you do with things that you definitively never want to see the internet. They called it the seed warehouse. And it's this totally air-gapped set of computers. It's the most cordoned off part of their system. And it's just for these seed values. Except sometimes.
Starting point is 00:14:20 It's a tiny little door. Users needed to be able to get their seeds from RSA so that they could set up their own servers, and it's their property, they're allowed to have a copy of it. And the way that RSA handled this was with this one networked computer. Its job was to pull the seeds that the customers wanted a copy of so that they could burn them to a CD and ship them off to them.
Starting point is 00:14:44 And every 15 minutes, this computer would connect to the seed warehouse, download the appropriate seeds, and send them off to manufacturing to be printed to a CD. Weird. There was a firewall. IT was very aware of this and really locked that computer down. And people that are really, really good at locking computers down, they saw this, they saw the vulnerability, and they were very, very serious about it. But it was technically this one way in. It's very surprising to me because you've literally set up an automated process to extract these confidential seed values. So there's clearly like an API or something that programmatically you're talking to this air-gapped system, which is not air-gapped at that point.
Starting point is 00:15:35 And you're saying, hey, these 12 clients want their seed values, send them to me. And then it probably sends an unencrypted batch of them to you to burn onto a CD. But it's like you've literally set up a find and retrieve process for these hyper-confidential things that are never supposed to be found or retrieved. It seems madness, maybe. And I'm sure that the complexity of that process is like underrepresented in these interviews and discussions. I'm sure it would have been maddening for these hackers to get through that one little access point. But they did. As RSA is watching this hacker and trying to follow them and trying to keep them out of stuff,
Starting point is 00:16:19 one of the engineers in the war room notices, oh no, that one computer that usually accesses the seeds every 15 minutes to print CDs is now logging thousands of continuous requests for data every single second. And they're pulling the seeds and amalgamating some of them over here and pulling more and doing them over here and merging those together and moving that over here. And this increasingly large file of these seeds is just jumping around their network now. More added to it, more added to it, more added to it. It's like that, what was that game, Katamari or whatever, where the ball rolled around and just got bigger and bigger? Oh, Katamari Damacy, but like seeds that allow you to get into like the Pentagon and stuff. Totally. That's exactly what it is. Just rolling bigger and bigger and bigger.
Starting point is 00:17:04 Capturing a chair and a school bus and a 100%. It's like, hey, I got the Pentagon. I got the U.S. military. We got the CIA. You know. Until they had pilfered and recombined them into what appeared to be the full database of every seed RSA had stored in the warehouse. So even with the company of some of the best minds in the world following behind them, in just a few steps, they'd use this little connection to extract all the seeds and run off with a copy of them. It hopscotched first onto the hacker's remote server and then vanished onto a device somewhere and it was gone. Brutal. Where in the world it went
Starting point is 00:17:41 and what happened next? We're going to get to right after the break. Think about the last time you heard a breach story on this show. It always starts the same way. Someone somewhere saw something too late. An alert buried, a signal missed, an SOC that just couldn't keep up. Arctic Wolf set out to solve that problem by rebuilding security operations from the ground up for a world where attackers are already using AI. They created the Aurora Super Intelligence Platform, a fully agentic system powered by the swarm of experts. Instead of single-purpose bots or lucky-guess LLMs, this Swarm is full of deterministic agents that handle whole entire workflows. Humans stay in the loop and on the loop to validate the critical decisions and keep everything
Starting point is 00:18:34 trustworthy. And all of this is just off running on their secure operations graph. A constantly updating intelligence engine fueled by more than 9 trillion telemetry events every week and over a decade of real world incident response. The system reasons on real signals and real context, not synthetic training data. And the result is the new Aurora agent SOC. It's the first SOC that is agent led by design. You get agents that coordinate, agents that investigate, agents that respond at machine speed, and hundreds more that automate the repetitive work that normally buries human analysts. Arctic Wolf didn't try and bolt AI onto an old model.
Starting point is 00:19:09 They rebuilt the model entirely. What makes it even more effective is how it works with Arctic Wolf's concierge experience. The team brings customer-specific context directly into the platform so every AI-driven decision reflects your environment instead of generic assumptions. The automation frees your concierge security team to focus on higher value strategy and proactive risk reductions while the agents handle the grind. If you want to see what trustworthy, production-ready AI and security operations actually looks like, go to ArcticWolf.com slash hacked. Never feel like cyber threats are evolving faster than anyone can keep up?
Starting point is 00:19:46 Last year, 2025 was nothing short of a record-breaking year for major breaches, from sophisticated ransomware operators to AI-enabled attacks that turn defenses on their head. Organizations around the world saw headlines they never expected and cybersecurity teams were tested like never before, but here's the thing. These incidents aren't just news headlines. They're learning opportunities. And that's why Arctic Wolf is hosting a live webinar on February 5th diving into the most impactful breaches of 2025. Their field CTO and security leaders are going to unpack not just what happened, but why these attacks succeeded. And most importantly, what businesses can do to fortify their defenses before it's too late. You're going to walk away with real insights in how threat actors are evolving, how defenders are responding,
Starting point is 00:20:28 and what strategies can help you stay ahead of the next big breach. It's not fearmongering. It's practical, actionable intelligence from experts in the trenches. Register now at arcticwolf.com slash hacked. And like the other thing is too, is once you've got a hacker running rampant through your network and you're chasing him around like a puppy, air gap the seed computer. Like literally unplug the network cable that connects it to the one computer that is on the network, like just completely be like, okay, we have a problem here. What is the most valuable thing we have?
Starting point is 00:21:04 It's that. Let's protect the shit out of that. Because, and the fact that they had an API set up, because if they were running recursive, like, fetches or queries to the seed database, the fact that they were, the fact that that was possible is insane. And like I said, I know, it's like I'm getting this from one cybersecurity firm's reporting and then the Wired coverage on that for secondary verification. Okay, this is what happened.
Starting point is 00:21:34 But it's like I know that I'm sanding off corners of like I'm sure that was a really complicated process. A million percent. But enough of the people like point to be like that's how they got them was through that connection. That means that connection existed which that was the vulnerability. And by the time you've got a war room set up, you've had enough time to respond by unplugging the one
Starting point is 00:21:58 Ethernet cable and none of this problem would have happened. On the topic of unplugging some Ethernet cables, if this was you, and you're in the room. You're in the room.
Starting point is 00:22:08 You just watch the hackers dip with all of these seeds, these really sensitive seeds. Sure. My letter of resignation has been written or... I was going to say, what would your next step be?
Starting point is 00:22:18 Yeah, write the letter of resignation. Or I at least put it in the envelope and drop it on my boss's desk. So their next step was to then rip all the Ethernet cables out of the wall. Which is too late. It's far too late. Not just the ones to the warehouse.
Starting point is 00:22:34 They're like, we need to get everything offline right now. Because if they can get anything else out of our system, they might be able to start getting the login credentials that are stored. And then it's not a question of you have part of the puzzle, you have the whole thing. Yeah. So they had the right response just too late by the sounds of it. So the engineering team walks into the data center
Starting point is 00:22:55 and they just start ripping cables out of the wall, air-gapping kind of the whole company, cutting off the company's connections to manufacturing, custom orders, and even their website. They just go offline. One employee later described it as like crippling the entire company in order to stop any potential further release of data. They go dark. So the hacker has the seeds. RSA backpedals and tries as best they can to just turn their whole system offline and in doing so turning off their business because now no one can log in with their stuff.
Starting point is 00:23:25 Well, so the crazy thing is, is like, you don't know a ton about network infrastructure and stuff, but most big businesses like that will have two, maybe three internet connections. So they'll have redundancies and failovers and stuff, and they'll have it all criss-cross through switches and stuff. But you can pretty much disconnect a large physical company, so like a building with a company in it, which is probably what RSA had, with like three Ethernet plugs. It's like, you know, it's pretty, it's pretty,
Starting point is 00:23:55 easy. Like, it's pretty, like a kid could do it accidentally. Like you trip and turn it. Yeah, you trip and, yeah, exactly. We're like ripping every single cable out of a switch would just be madness. But like, you know, it would have been the second you had, like, I think we've seen it before or our sense that when, you know, a big hack happens, some companies will just go dark. They'll just be like, oh, we have a problem. And their response is to just completely isolate themselves, which is great. Makes sense.
Starting point is 00:24:24 An external attacker coming in through the wires, if you disconnect the wires, all of a sudden, you're like, okay, what was the problem? We can have time to fix and patch and plug, shut the little doors. And, you know, that's a great thing to do when you do it early enough. You turn a privacy and security crisis into a PR crisis, but that's a more manageable crisis. 100%, especially when you can blame it on whatever you feel like. Nobody has to know that you've pulled the pin because of, you know, the Russians. You're going to owe some Russians, some apologies. Yeah, sorry, Russians. Estonians. So they've gone dark, and they all look at each other and they just go, we do need to tell the CEO right now.
Starting point is 00:25:08 If the CEO didn't know already, that would be shocking. The CEO knew that something was going on. So they go to tell the CEO, this guy named Art Coviello. And Art had been following it. He knew there was something up, something unfolding, and it wasn't great, but the engineers are handling it. The team knows. You've got a brilliant group of people. They'll get an update if anything happens.
Starting point is 00:25:26 And here comes the update that something has happened. And one of the engineers trudges upstairs to deliver the news to the CEO in person. They have not handled it. Whoever this person is, they've got the seeds. It's a bad situation. In the hours that followed, RSA's executives had this big debate about how to go public with this. One person in legal suggested they did not need to tell their customers. And to the CEO's credit, he tells them they've got to piss off.
Starting point is 00:25:51 Yeah. Another guy named Joe Tucci, CEO of the parent company that owns RSA, gets brought into this discussion, quickly suggests, hey, we have lots of money. Let's just replace all 40 million of these little SecurID tokens right now, and we're done. But RSA didn't have anywhere near enough of them sitting around. Manufactured, yeah. And since the breach had forced them to shut down their manufacturing capacity, they couldn't actually make more.
Starting point is 00:26:19 So basically they were stranded. And the only solution to all of this, which is going offline, made it so they couldn't start solving any of the ways that they were stranded. They're just floating in the dark. Well, but not only that, but, you know, to talk about little doors, if the system itself had some form of reset functionality, that would become a vulnerability. So they probably didn't include anything like that because they thought they could keep, you know, all of the honey in the pot. And when they didn't, you really have no other
Starting point is 00:26:52 choices, probably. So March 17th, they go public and they post an open letter to their customers. How many days was it between the hack and the thing? They first noticed the Australian's weird activity on March 8th. Oh, so pretty, pretty fast. Pretty quick. That's good. Kudos to you. The letter read, recently our security systems identified an extremely sophisticated cyber attack in progress. While at this time we are confident that the information extracted does not enable a
Starting point is 00:27:21 successful direct attack on any of our customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack. It's quite a diplomatic way of putting what has occurred here. I think the other perk is that it is a second factor, so it's not the whole thing. It's not the whole piece. If it was the password and the would be worse.
Starting point is 00:27:46 The 2FA, it would be a big deal. But the whole story starts with showing just how easy it can be to get someone's username and password. That's very true. So the company seeks this rotating crew of 90 staffers on a weeks long day-night process of having one-on-one calls with every single customer working from like a script and a call center, just trying to handle the response to this.
Starting point is 00:28:09 And the public responds about how you would imagine. like their customer base is very high-level people. They are angry. And the government responds about how you'd imagine. Very, very curious. They want to know what is going on here. So the NSA swoops in and the FBI swoops in. Well, they're probably all clients too.
Starting point is 00:28:26 Northrop Grumman like swoops. Like all these big players suddenly get very interested in what is occurring in this war room at RSA. Basically, the place, this is outside the bounds of the cybersecurity and more just the social response, which I found interesting. Apparently, people who work there said the physical office briefly, normally a pretty good place to work, just descends into this very paranoid chaos because they don't know who's responsible for it. They're papering up executives' windows in case people have viewfinders to see passwords that were written on stuff because, again, they don't know.
Starting point is 00:29:01 They're sweeping for bugs, which some executives in the interviews claimed they found. It's this very intense little two months that follows. They're getting new phones, and they're not trusting the old phones, and they're sharing paper documents hand to hand, and there's cybersecurity companies. They have air gap communications. The FBI is afraid that there's an accomplice inside of RSA's ranks because of the level of knowledge that these intruders showed. And they start doing background checks on these, again, very high level people. It's wild. And so they're trying to rebuild this whole company back to back with people that they don't want
Starting point is 00:29:34 to turn their back on. It's not a good situation. And there's this natural question that all of it raises, which is, hey, once those seeds jumped off our servers onto the cloud servers down into some laptop somewhere in the world, what happened to them? Two months has gone by. We haven't heard anything. In case it wasn't clear, the wall metaphor from the top of the show, RSA is not the company with the walls. They're the one that all the companies let through the little door, obviously. Because as an authentication service, RSA got to go through some very, very, very, very fancy doors. And two months later, we find out which door the hackers had hitched a ride through. This tech blog called cringley.com, later verified by the New York Times, reported on a
Starting point is 00:30:26 hack. The article was based on a tip from a source inside of, like, a major defense contractor who had told Cringely that the company was responding to an attack by hackers, who seemed to have stolen RSA seed values to get into the company. And right at the same time, everyone at this big unnamed defense contractor gets contacted by RSA saying, hey, you need to have your SecureID tokens replaced right now. And all of a sudden, this breach that RSA had kind of said, you know, something might happen, it's a five, is starting to look like kind of a 10 for at least this one very large defense contractor.
Starting point is 00:30:59 Can I guess who it was? Please. Lockheed Martin. Two days later, Reuters reveals the name of the company, a little tiny little upstart called Lockheed Martin. A company that held behind those walls a wealth of very, very secret stuff. Yeah, the number one DARPA contractor in the world. Which kind of explains the speed at which, like, the FBI and NSA just rocketed in there.
Starting point is 00:31:24 It's like, what do you guys do here? It's like, I don't know, we make drones and stuff. Why are those important? So the Lockheed Martin story goes public and everyone realizes that they used the RSA seeds to do it. And all the good PR that they've been building for the last two months just goes right out the window. Okay, wait, so can I change all the Russia things to North Korea? Is it too late? You're getting closer. Oh, okay. One employee described it as a healing scab being ripped off. You know, we're getting, we're getting better, we're earning back some, just ripped it right off.
Starting point is 00:31:53 There's some conflict about how bad the fallout from the Lockheed Martin hack actually was. RSA has denied that security had anything to do with it. Lockheed Martin says, no, it was explicitly RSA's fault. In a briefing to the Senate Armed Services Committee a year after, NSA's director said that the RSA hack did lead to at least one large U.S. defense contractor being victimized by actors. So take it as you will. A bunch of lawyers trying to pass liability. Which is all to say that some people hitched a ride through some pretty fancy walls using RSA as their vehicle. And the question, Russia, North Korea, who did this? Who done it? Who done it?
Starting point is 00:32:36 Who done it? dot IT.gov. Let's think about this. The hacker picks RSA to hack, and they make their way into RSA's systems, and they go digging around. And they're looking very explicitly for these seeds. Seeds that compromise this two-factor authentication method
Starting point is 00:32:50 used by world governments and Fortune 500 companies and some of the best targets in the world. And the attack was this very complex, high-level operation with some large team of hackers executing a military-precise operation in tandem to avoid RSA's response, just to get this key to all of these secrets. And we didn't really know who it was until 2013.
Starting point is 00:33:14 And I think it's worth remembering that in 2013, the idea of state-sponsored hacking was nowhere near what it is now, and just in the cultural imagination. It was going on, but we didn't really have a sense of it. I think Sony in 2014 was when most people got the sense, oh, governments do this to each other. Yeah, yeah, yeah.
Starting point is 00:33:30 This is new war. Today we understand it as that, like you said, as new war. But back then, it was kind of a novel idea. And in 2013, this security research firm called Mandiant published this very, like, groundbreaking report about this hacking group that they've been following, and indexing and trying to map out and figure out kind of who they were and what they did, a group that they named APT1, Advanced Persistent Threat Number One. But that went by this other name, Unit 61398, of the People's Liberation Army of China.
Starting point is 00:34:07 China. Damn it. You're closer. You were inching closer. It's getting closer. Their victims, over the five years preceding this report, include the U.S. government, the Canadian government, South Korean government, and a little company, you know them.
Starting point is 00:34:23 You love them. RSA. Poor guys. And on May 19th, 2014, U.S. Department of Justice announced a federal grand jury had returned an indictment of five APT1 officers, on charges of theft of confidential business information and intellectual property. And quite obviously, those officers remain, I don't know if you can even call it at large.
Starting point is 00:34:47 They're fine. And then I think if you're, if you work or own, if you're being attacked by the Chinese government, I could see papering up your walls and I could see interviewing every one of your staff. Yeah. Especially with such a complicated hack and such a unique point of entrance to the data. So like the fact that you'd, because I'm sure everything's in DMZs and like there's probably so much network security layered in. But it would take you so much time just to kind of putz around and find your way around the network unless you kind of knew how it was set up in advance. And if you knew how it was set up in advance, you could probably do it at a much faster pace.
Starting point is 00:35:33 So I could see how the FBI was like, you know what, there might be some accomplices in here. And when you're dealing with the Chinese government, you know, there might have been some accomplices in there. The paranoia in those two months that follows makes a lot more sense. I think there's an interesting shift in the story, which is at the start of it, RSA is the giant. They're one of the biggest cybersecurity manufacturers in the world. They're the best at it. Yeah, they seem like they're the Goliath that some little David, is coming after.
Starting point is 00:36:03 And then when you find out who that David is, it's like, that's just two Goliaths fighting. And I think the second one's actually a little bit bigger. Yeah, for sure. This group has a bunch of different nicknames, and they're all interesting for different reasons. Mandiant nicknamed them APT1,
Starting point is 00:36:17 which is interesting because the phrase advanced persistent threat has since then entered into the lexicon, and they are functionally the first one. Yeah. For reasons, quite literally the first, for reasons that become clear in a second. The other is Byzantine Candor. Cool name, Star Wars name.
Starting point is 00:36:35 It's a code name from U.S. intelligence agencies, since they first discovered the group in 2002, which tells you a lot about how long this group has really been going, that they were really the first advanced persistent threat in this ecosystem. So last December, when the story broke that Russian spies had hacked SolarWinds, I think a certain corner of the tech community opened their eyes to this technique of supply chain attacks. They knew it happened, but I think that kind of really codified it. People said, we need to start thinking of this as its own thing.
Starting point is 00:37:13 The Kremlin operatives who hacked SolarWinds then hid malicious code inside of an IT management tool called Orion, which is used by like 18,000 companies around the world. And the hackers used that software to ride into all kinds of good targets. That technique, for a lot of people in this industry, they have described it as really starting with RSA. And it's kind of like when a person invents a new way of doing anything. It's like a new way of building something or growing something, creating something. At first the technique is new and novel and everyone pays attention to it.
Starting point is 00:37:43 But eventually people go, well, this is so much better. Why would we ever do it in any other way whatsoever? We talked about this before. Like when we talked about, God, I can't remember what episode it was, but we talked about state-sponsored stuff. And, you know, if you can put a backdoor in a firewall, then it's better than hacking a firewall. People don't expect it.
Starting point is 00:38:05 And you leave no traces. If you can put a backdoor in management software, IT management software, if you can put a backdoor in exchange server, if you can hack in and insert your own little door, then you can come and go as you please. Like imagine, like, you know, we talk about password managers, which I use now.
Starting point is 00:38:25 Congratulations. Thank you. But if you had a backdoor in that, like think about, like, what is a password, if you can just walk through people's password management software? And it's like, yeah, I think, I think picking, if I was a state, I would pick targets of high value like that. I would go after stuff like that.
Starting point is 00:38:44 That when you succeed once, you actually succeed hundreds of thousands of times. Like, you've got to imagine how secure Microsoft is being the number one commercial platform. Like, you know, it's the number one server platform and stuff like that. Imagine how intense the security measures to get into their code base are, because if anybody could do it, or if you could hack your way to that, literally Windows 10 is on everything, everything in every company and every government. So yeah, high value. High value. Yeah, for the very tiny club of people who are in the business of hacking governments and multinationals, it's just the smarter way to get at those high value targets.
Starting point is 00:39:28 Right. So I think my takeaway in this is the next time I see one of these hacks in the news, one of these big, dramatic operations in cyberspace, I'm going to start by asking what kind of accounting software or email client or two-factor authentication tool they used, because that's probably what tracked the hackers in on the bottom of their shoe, that or an Australian guy. Big shout out to our new June Patreon supporters.
Starting point is 00:39:58 The June goons. June goons include Gene Stover, Guy and Mike Ferraro. Your support means just the world to me. Thank you so much. If you found the story interesting, there's some really, really cool new coverage out on it right now. Andy Greenberg's writing is a great place to start. Lots of really cool stuff.
Starting point is 00:40:19 Very interesting story. This was kind of a little bit of a crazy episode to put together. I am moving right now, so I appreciate your patience. We're going to be back at it next month. If you like the show, if you want to support the show, Patreon.com slash hacked podcast. Best way to support the show. Comment, subscribe, share it, tell people about it.
Starting point is 00:40:40 You can follow us on Twitter at Hack Podcast. Thank you, as always, so much for listening.
