Episode Show Notes
[START OF RECORDING]
JACK: Today we're talking with Andrew.
ANDREW: I'm a District Forensics and Incident Response Consultant.
JACK: Andrew works on a team that does incident response. Once malware is detected on the network it's up to him to go in, study the malware, and remove it. Andrew, do you like doing this kind of work?
ANDREW: I love it. It's wonderful. It's very exciting work. There are many positions where you can be working on a client's system and actually -- the threat act is on there at the same time as you, trying to move files around. You are trained to thwart them in a toe-to-toe scenario. It can be very exciting. It can be very exciting.
JACK (INTRO): [INTRO MUSIC] This is Darknet Diaries, true stories from the dark side of the internet. I'm Jack Rhysider. [INTRO MUSIC ENDS]
JACK: Andrew works for a security assessment and digital forensics company. Other companies hire his team to come in and do security work. It's actually pretty common for a company to outsource their security team to someone else. It's expensive and hard to maintain an internal group of security experts. Andrew is often seen travelling around, taking care of threats in his clients' networks. He wants to share an interesting story with us today about the time he faced a hacker in a company that develops cutting-edge technology.
ANDREW: The client is a global firm; it's a technology firm. We were looking at -- we had to go on-site in their European -- one of their European bases to work with a team there.
JACK: We won't give the name of the company but this company in particular spends a lot of time and money developing new technology. They have a full R&D department and is working on cutting-edge tech. In fact, they're developing tech that no other company is developing, so one of their most precious assets is intellectual property, or otherwise known as IP. The company wants to make sure there aren't any hackers stealing this information.
ANDREW: It started off as a compromise assessment.
JACK: Sometimes companies hire a security team to examine the network to see if there's any evidence that a hacker is in the network.
ANDREW: They wanted us to go in, put some stuff in their network. We put some stuff on their end-points, just have a look around, used the intel that we'd already built up in the team during the engagements that we'd done previously. Just basically have a look around and see what came out.
JACK: The team starts examining the logs and the network, and they look at different security devices and network activity.
ANDREW: [ELECTRONIC MUSIC] Their security assessment involved using intel that my colleagues had seen elsewhere in other engagements for APT groups. They spotted a few pieces of evidence which, I'm not sure exactly what it was, it may have been specific malware that continued elsewhere, but they were able to identify that there was an active threat act in that client's environment.
JACK: [DARK MUSIC] He mentioned APT and threat actor. This is the worst kind of hacker to find in your network. The term threat actor is just a fancy way to describe someone who poses a threat to your network, but an APT stands for Advanced Persistent Threat. It describes a group of highly-skilled and motivated hackers that have a specific goal of what they want to accomplish. But what's more is they often have significant resources such as being sponsored by a nation state, or simply well-funded.
ANDREW: So I've been told, it's state-sponsored. It's in the east, I guess. The group itself has been known to infiltrate other technology companies.
JACK: To be attacked by an APT means you're facing a very skilled and serious attacker who likely won't go away easily. [00:05:00] It's extremely difficult to detect an APT in the network. Someone has to have studied that APT for months or maybe years to understand the malware they use in their tactics, and then publish that data to the world. Then if we detect certain malware in the network, we may be able to link it back to that specific APT but the problem is once that report gets published, other people have access to those techniques, too. The APT group may change their tactics to be more covert. In this case the malware found in the network matched exactly the same malware that someone had published in a report which linked it back to that APT group.
ANDREW: We spun it up to -- the company that I work for spun it up to a follow incident response engagement. I came in as part of the team that was doing some of the forensics work, so they would ask us to take a look at the data that they were collecting.
JACK: This process is fascinating to me. The forensics team first identifies and isolates the malware and they study it. They develop a profile for that malware; things like file size, files names, and the activity the malware is doing. Is it reaching out to the internet? Is it trying to access something internal? Is it using specific ports? All this gets collected and so now we know the indicators have compromise, or IOCs. This is given to another security team which they can use to look for those IOCs in the logs, which would then reveal more places this malware has been in the network. These teams would continue to feed each other information to learn and detect more and more about this APT in their network.
ANDREW: That went on for a few months.
JACK: Why not remove the malware right away?
ANDREW: That's a good question. We do get asked a lot why we don't immediately remediate. The client environment, it's a global company. They have a lot of satellite offices, quite a complex infrastructure. What we would do, and this is quite common for all IR companies, is you'll have like a monitoring period or a discovery phase where you will look for where the threat actor is active in the environment, what tools they are using, try and identify how many back doors these people have into their environment. We wanted to get as accurate a picture as possible as to where they were active, where they were coming in, where their ingress points were, where they were moving data out, 'cause we had seen that. Just so when we came to remediation, it wasn't the case that we were removing some of their infrastructure only for them to come back in the following week somewhere else that we hadn't seen. The other concern there is that they know that we're onto them. Once you do that remediation, once you do that kick out, they know you're onto them and they will change their tools and their tactics and their procedures. That makes you blind, I guess, depending on what else you implemented. For a threat actor or for any adversary to know that you are -- that you're onto them, and you remove what they have used in an environment, if they have a backup plan, they'll go to that. And whether that's immediately or over a period of time, they might let time lapse before they come back in.
JACK: The team spends a few months researching this hacking group and what they're doing. What was discovered confirms the company's worst fears.
ANDREW: They were looking for R&D systems. They were looking to exfiltrate and they did exfiltrate some intellectual property. [MUSIC]
JACK: This hacking group not only successfully broke into the network but they're successfully exfiltrating or stealing the latest cutting-edge technology from the company. For a tech company that's this advanced, having their intellectual property stolen is a huge problem which may have millions of dollars of impact to the company.
ANDREW: I don't have a financial amount but there was a lot of concern simply because they were working on next-gen killer tech, I guess, which if in a competitor's hands or in any other company's hands, would obviously affect the performance of their company quite significantly. It's the same with every client that we've ever worked with. They don't want any kind of exfil at all but this specific one we saw quite intensive interest in their R&D department. [00:10:00]
JACK: The company was terrified that their IP was being stolen and wanted the malware removed immediately but the security team still needed to understand the threat and study it further. They weren't ready to remove it.
ANDREW: We saw that they were active and we did a lot of forensic work. We did a lot of deployment into different areas. Like I said, we built that knowledge package up for remediation. Now, we were able to -- so this was -- I became involved in 2015 and the earliest evidence that we found was in 2010. That wasn't the entry point; that was just the earliest sign of activity that we could find, was 2010. We had evidence to suggest that the threat act had been in there for five years at least. The evidence we found, I think it was some file activity on one of the drives which somebody had dated as 2010, which could have been planting something. I don't know the details of it more than the date, I'm afraid. I remember sitting in the board room with the client in their office and there was a team of us there. We broke it to them that 2010 was the earliest we could find. It hit home that they've had, for half a decade somebody has had access to their environment without their awareness.
JACK: How did the client take this kind of news?
ANDREW: It was a mixed response; some of the people there got angry and wanted to know why we weren't remediating immediately, which comes back to your original question. Then there were others who were on board; how do we progress this? What are we seeing? What do we do next? Then there was fear, obviously, 'cause like I said, it's a technology firm; they have their R&D and they want to be the best in the market. They want to know what's being filtered out the door but if we're only coming into their environment in -- I think it was early 2015, it was before I started. Like I said, that's half a decade that this entity could have been moving data out. It was a mixed bag of emotions and all completely understandable. At the end of the day we're strangers sitting in a room telling them that they've been owned for a long time, but that we're not in a position yet to remediate because we're not ready. It's a difficult subject to -- it's a difficult topic to discuss with any client.
JACK: The security team goes back to studying the APT to collect even more data.
ANDREW: We were still seeing activity during the examinations, during the monitoring phase and during the discovery phase. [MUSIC] It was quite interesting because they were active. We could see lateral movement, we could see them doing things like basically logging in to make sure that their stuff was still sitting on these end-points, that they could reach out to certain -- see to communications, updating their tools. It's interesting to see them do it because these guys in the background who are logging in and making sure that their malware is still running and deploying newer versions, it was -- I don't really want to say it was interesting to watch 'cause obviously this is a company's livelihood but from a detached perspective, watching how they functioned was very interesting.
JACK: Now that a few months have gone by the forensics team feels confident enough that they've collected enough information that they can remove the APT from the network once and for all. They've discovered the potential ways [00:15:00] it got in, and what log-ins it's used, and where it's gone, and what it's done. It's time to remediate and finally kick this hacking group off the network but all of a sudden the activity from the APT stopped.
ANDREW: In the weeks up to the remediation the threat act had gone quiet, had gone very quiet. We weren't seeing any movement. We weren't seeing anything, really, which usually means that they've either succeeded in what they came to do or something else.
JACK: Andrew and his team are all ready to clean this off the network but he has to fly to the office location to do the remediation so he packs his things and heads to the airport. He's scheduled to do the remediation in just two days.
ANDREW: I was sitting in the airport waiting to fly out and my colleague phoned me. He was supposed to have been coming out with me but he had some last minute issues and couldn't be out there. There was a few of us going out but he couldn't make it with me but he phoned me up and he said, "Have you seen the news?" It wasn't headline news; it was just financial news where the firm that we were working for had been the subject of a buy-out, a very expensive buy-out attempt by a company that was from the same part of the world that we believed the threat actor was from. As soon as my colleague phoned me in the airport and I told everyone else that I was flying out with, it was kind of a oh, I wonder, penny-dropped kind of thing.
This is obviously -- it's a what-if, right, that we don't know for sure. But the timing to me seemed awfully convenient and like I said, for the last couple of weeks the threat act had gone quiet and then all of a sudden out of the blue came this attempt at a buy-out. It was for a phenomenal amount of money, a phenomenal amount of money. It came as a surprise to everyone but when I actually told the people I was working with, there was that kind of, yeah, I wonder if that was what was going on. That got me thinking about how these companies -- they get compromised by these state-sponsored groups as a means of due diligence, I guess. Has the company -- how much are they worth? What kind of IT do they have? What's their R&D department look like? As a means of, should we buy them? Can we make money off it? The client has designed something where it could be the next big thing. It really could be the next big thing.
It just makes me wonder whether or not they are the subject of these compromises as a means of some other third party conducting due diligence because there have been a couple of things in the media where companies are being genuinely purchased, have inflated their figures prior to acquisition. If you're getting -- if you're compromised and they're in there looking at your accounts, I guess, and what you've got going on there, that's a perfect opportunity to get what a company is worth and feed this back to whoever. That was my train of thought on that. As far as remediation goes it was very quiet, touch wood. We didn't hear anything after that. Once you do a remediation you're kind of on high-alert for some kind of activity afterwards where the threat actor realizes you've closed them out of the environment and then try and make their way back in. That's a good opportunity to look for stuff that was -- there's no other way of putting it, stuff that was missed during the monitoring phase, the discovery phase. But that one was very quiet.
JACK: So, did they accept the buy-out offer?
ANDREW: Yes, they succeeded in buying the company, yeah. It just gets you thinking. Hacking is like a business. For everything I've seen, I've never worked on an engagement where there's been any destruction to data, any corruption, any deletion. There's been no -- [00:20:00] whilst theft in itself is malicious, I've not seen anything beyond theft. I've never seen cyber-vandalism or the hacktivism or anything like that. I've always seen it -- it's always been attempts at theft and intellectual property. I think that's a business. I think in the real world, in the above board world of business, people steal ideas every day. I just think this is another form of it. I think companies need to think differently to the way they are right now about how these groups and their sponsors are thinking. It's all about money. It's all about money.
JACK (OUTRO): [OUTRO MUSIC] You've been listening to Darknet Diaries. For show notes and links, check out darknetdiaries.com.
[OUTRO MUSIC ENDS]
[END OF RECORDING]
Transcription performed by Leah Hervoly