Transcription performed by LeahTranscribes
[START OF RECORDING]
JACK: So, throughout my life, I’ve had this recurring dream. It starts out with me being in my front yard, and coming down the street is a wild bull. [MUSIC] It’s typically white in color, and it’s just on a terror. It’s running around the neighborhood, smashing up cars, knocking down trees, trampling everything in its path. Nothing can stop it. Then, it for some reason turns and looks at me, and I can tell it’s coming for me. I mean, it’s so wild; it’s falling down, tumbling, running into houses and stuff, trying to turn to come towards me. So, I quickly run into the house, slam the door shut, lock it, and then go to the window to look to see what’s going on. But the bull just runs right up to my house, hits the front door, and just busts through it like it’s paper. It’s suddenly in my house and it’s trying hard to turn corners and navigate through my house to get to me, but it’s falling down and smashing into walls and furniture, and I’m frantically trying to find a safe place to go, but every room I go into, it just smashes through those doors or windows to get to where I am. I keep going into room after room, shutting doors, locking it, but it just keeps getting in. I usually wake up around here, heart racing. I’m in a panic. What I often feel after this dream is helplessness, complete vulnerability. There’s no place that feels safe. It doesn’t matter how many locked doors I have or hiding places I know of; that bull always finds me and smashes its way to me. I tell you this because after listening to today’s story, I get that same feeling of feeling afraid and helpless.
(INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]
JACK: Okay, y’all have seen this talk at the STICK Conference earlier this year, right?
JACK: I don’t speak Spanish, so I have to use YouTube to auto-translate for me, but, hm. Now that I’m looking at it, there are only 115 views on this video, so, no, you absolutely have not seen this talk. Okay, let me find another. Okay, what about this one? This is a talk from Hack the Box meetup in Santo Domingo in the Caribbean Sea.
JACK: You know what? This video only has 500 views, so, no, you did not see this video, either. Well, both of these talks are by a guy named Omar Avilez, and he’s talking about the worst day of his life. It’s a chilling story, but since you haven’t seen this talk, I really want you to hear it, and since it’s in Spanish, I’m gonna call up Omar to see if he can tell us the story in English.
OMAR: This story starts much earlier than we even knew that something was happening. So, this started May 2022 in Costa Rica.
JACK: Okay, so this is Omar and he lives in the Dominican Republic, which is an island in the Caribbean Sea. Across the Caribbean Sea, next to Panama, is Costa Rica. What Omar saw happening in Costa Rica struck his curiosity.
HOST1: The new president of Costa Rica has declared his country is at war with a ransomware group which has been carrying out cyber attacks on the country’s government. The cyber-criminal gang known as Conti has disabled agencies across the government since April using ransomware attacks.
JACK: Whoa, that’s kinda dramatic, isn’t it; declared war? Seriously? You go in to deploy troops and send fighter jets because someone put ransomware on your computers? Does Costa Rica even have fighter jets? Anyway, because Omar is in part of Latin America, he was watching this story unfold.
OMAR: Let me introduce myself before I start talking about that day’s events. So, I used to work in the Dominican Republic National CSIRT, which is the National Cyber Security Incident Response Team.
JACK: Sorry, I had a bad connection with Omar when we were talking, so let me repeat that for you. Omar worked in the CSIRT for the Dominican Republic. CSIRT is an acronym which stands for Cyber Security Incident Response Team, and this CSIRT unit falls under the Department of Defense in the Dominican Republic. So, when cyber-attacks threaten national security, Omar was there to review it. But what’s more is the Dominican Republic CSIRT is part of a community of other incident response teams within Latin America.
OMAR: So, when the incident in Costa Rica happened, they contact us just to ask for help.
JACK: What he saw was that twenty different government organizations in Costa Rica were hit with this Conti ransomware. This was a very widespread problem within their government, so it’s no wonder they were reaching out for help anywhere they could. Many parts of the Costa Rican government came to a halt, and they were frantic over there. But this gave Omar the ability to research and understand this Conti ransomware better.
OMAR: It was a massive malware campaign in Costa Rica. They were attacking government organizations through phishing, exposing vulnerabilities, but they compromised all the departments separately.
JACK: Wow, that’s really remarkable. See, when I hear that twenty departments were hit, I immediately think that there must be some central connection that allowed the malware to spread internally. You know, like if you can get in through the front door, now you can take a tunnel to all the other buildings or something? But, no; what Omar saw was that each of these twenty departments were infected separately, some of which were infected through phishing e-mails and some from malware put right on systems that were connected to the internet. But just because the malware got inside each of these places, it didn’t actually turn on until the right time. It was coordinated that when enough systems got infected, it would trigger the ransomware to lock all the computers at once and demand payment to unlock them. Now, the motive behind putting ransomware on systems like this is typically just to make money. I believe they were asking for $20 million to unlock Costa Rica’s systems.
So, whoever did this seemed to be there only for financial gain. Costa Rica got their systems fixed up, and I don’t think they paid the ransom. They had backups and restored, but Omar saw how this malware operated and worked, and he saw the methods they used to get in, and took this new knowledge to scan the Dominican Republic’s national computer infrastructure to see if anything matched what was on Costa Rica’s systems. [MUSIC] After all, the malware seemed to be present in Costa Rica’s network for a while before it actually executed. So, he looked through computer after computer and scanned lots of systems looking for things that matched what he saw in Costa Rica. He didn’t find anything, actually, which seemed like the Conti ransomware gang wasn’t targeting the Dominican Republic, which was good. But then, while looking for malware in the network, he noticed something. Someone had defaced a Dominican Republic government’s website. They found a vulnerability on the web server and changed the pictures and text to something else. So, he zoomed into this to investigate.
OMAR: We found an implant, a piece of malware.
JACK: Now, typically when someone defaces a website, it’s a small-time hacker. Being able to show your friends that you changed the text on a government website makes you look cool in some hacker circles. But it wasn’t this person who defaced the website that put the malware on that computer. See, when Omar was investigating the defacement, he checked to see if any malware was left behind, and it was, just not by this person. One of the places Omar likes to look for malware is in the temp directory. The temp directory is used by programs to temporarily hold data, and it’s kind of a free space for any app to use to dump data in there if it needs it. So, this directory often has open permissions; anyone can read or write to it. Not many directories are like that on a computer, so that’s why Omar looked in the temp directory, and that’s where he saw that someone had stuck this malware in there.
OMAR: But the malware, the implant was on the system from ten to eleven months ago.
JACK: So, someone had exploited this system ten months ago, stuck some malware in there, and then left quietly. When someone else came and defaced the site, that’s when he discovered that it was there. Just imagine that sinking feeling for a moment; malware had been here for ten months and nobody noticed. Your worst fears start racing through your head at this point. Did they steal anything? Did they access stuff they shouldn’t? Did they jump around to other computers?
OMAR: It was a malware that did privilege escalation. So, we spotted a Windows vulnerability that was unknown to Windows — to the Windows people. So, we may call that a zero-day.
JACK: Okay, this just got worst. A zero-day means that not even Microsoft knows about this vulnerability, and the reason why it’s worse is because whoever left this here must have access to some pretty advanced malware. It’s not easy to find a zero-day exploit because if it was, Microsoft would find it, too, and put a fix out for it. So, it’s supposed to be secret. Now, specifically, this malware’s purpose was to escalate privileges, so that means if you get on a system as a low-level user, it’ll promote you to a user with administrator rights. So, now you can do anything you want on that system, kind of like if you were to just walk into the front door of a prison and convince the guards that you actually own the prison and to give you all the keys. Being able to escalate your privileges is a crucial step at getting full control of a computer, and this could be the beginning of a big deal. Just as Omar was about to tell someone about this, news broke out.
HOST2: [MUSIC] The Dominican Republic’s agricultural department has suffered a ransomware attack by the Quantum ransomware group. The attack disrupted multiple services by encrypting four physical and eight virtual servers, compromising most of the information including databases, e-mail, and applications.
JACK: [MUSIC] Wait, Quantum ransomware? Gosh, a totally different group hit them? It makes me want to make a meme out of all this ransomware news.
SAMUEL: Enough is enough! I’ve had it with…
JACK: I’ve had it with this mother-flippin’ ransomware on these mother-flippin’ computers! Just when you tune your eyes to be able to see and detect a certain kind of malware, you get blindsided by a totally different kind. Whatever that malware was that Omar found on that web server, that had nothing to do with this Quantum ransomware.
OMAR: They exploited a vulnerability, a Fortinet firewall that allowed them to have VPN access to the infrastructure. So, with the VPN access, they managed to compromise the entire organization and then tried to ransom the organization.
JACK: Luckily, they detected this quite quickly and called Omar in very early. He got in his car and drove down to the data center that was infected, and when he got on the systems there, he was able to see the people who were behind the Quantum ransomware typing out commands, infecting more systems. So, because he reacted so quickly, he was able to stop the spread of it from getting on more machines, and this is a stressful situation. I don’t know if you’ve ever gotten your computer or phone infected, but any time this happens, you have to wonder, did you clean your device good enough? Are they still in there? You never actually know. You sort of have to cross your fingers and hope the attackers will let you know if they’re in there still. Even though he’s kicked them out of this one system, it’s hard to tell if they just come right back in or what other systems they may have access to. It’s like trying to build a dam in the dark with just sticks and rocks.
OMAR: So, that’s when the Republic – so, on the investigation, we found out the attackers got into the network via a phishing attack, but that didn’t tell us much information. So, we concluded the investigation or the report without any attribution; so, we just know that somebody compromised the system.
JACK: No attribution on the final report for the Quantum ransomware infection. Okay, hm. Attribution means figuring out who did this, and they couldn’t figure it out. There just simply wasn’t enough clues. It seemed to be fairly common malware with no clear path leading to anyone in particular. All it seemed was that it was financially motivated. They wanted money and that’s the whole reason why they did this. I think there’s three main categories for the different types of attackers. There’s the hacktivist type people who are hacking into things just for fun or to make a point, like those defacing websites, and then there are people who are financially motivated; they’re only there to make money, and then there are more sophisticated groups there trying to steal state secrets or something. I mean, they might even have spies on the ground of the place they’re trying to break into. If you know who your adversary is, you can combat against that particular threat more effectively. You can prepare better and be more alert, so it’s important to understand the landscape of who can and who is and who should and who would be attacking you. When you’re dealing with ransomware, you’re typically up against someone who just wants money, and if you don’t pay it or make it really hard for them, they’ll probably just move on to an easier target. So, after this attack, things settled down. Omar went back to his normal duties.
OMAR: One day, we got a tool to analyze all the DNS queries that the organization made. So, we implemented that technology all around all government organizations so we can have a whole visibility of why — what’s happening on the government.
JACK: Okay, so, they got a new tool to look at the domains that each organization is reaching out to and each domain that’s connecting into the government’s network. Now, they took this data and cross-referenced it with known malicious domains in the world. This is called threat intelligence. There are companies out there that try to classify every single IP address and domain name to try to determine if it’s malicious or not. So, if you see computers on your network contacting known malicious domains, then you can double-click on that and see what’s going on. While he’s scanning the network, I want to take a quick ad break, but stay with us because you’re gonna want to hear what he found. Omar was scanning the Dominican Republic’s DNS queries to see if anything unusual was going on.
OMAR: So, we cover a C2 server that was utilized by Conti.
JACK: [MUSIC] Oh no, a computer within the Dominican Republic government was connecting to a command and control server — otherwise known as a C2 server — that is known to control systems infected by the Conti ransomware. This is bad. This indicates that the government is about to get hit. Someone has them in their crosshairs and just needs to pull the trigger, and perhaps they’re gonna get hit as hard as Costa Rica got hit. Whoever was behind that attack on Costa Rica clearly had a lot of time and resources to make a very deep and wide impact there, crippling their systems and government. But lucky that Omar has such a keen eye and is tuned into the threats of his government so he can detect this early. So, he zoomed into this alert and he saw that, yes, in fact, a system did get infected and it reached out to the command and control server to download Cobalt Strike.
Cobalt Strike is a full suite of hacker tools. It’s equivalent to finding a bad guy in your building and also finding his huge sack of tactical spy tools. But because they spotted this as it was unfolding, they were able to delete those tools and clean that system and start hardening that system so it doesn’t get infected again. On top of that, with this newfound activity on their network, knowing that they’re in the crosshairs of somebody, it was important to start alerting the users in the government agencies. Be on alert; we are seeing some bad weather on the horizon. Be very cautious of any phishing e-mails, and please, please, please report anything suspicious to the security team. Thank you.
OMAR: [MUSIC] So, that’s when everybody start to send us — sending out e-mails and e-mails and e-mails. We analyzed hundreds of e-mails, literally hundreds of e-mails. So, there were things about these e-mails, that they were written in perfect Spanish. They were not English, but perfect Spanish. Like, perfect Spanish.
JACK: Okay, wow; so, they were seeing a lot of phishing attempts, e-mails posing as someone else trying to get users to click links, open zip files or attachments, and in every one of these e-mails, the attacker spoke perfect Spanish. This is really curious since a lot of these ransomware gangs would be coming from Eastern Europe or Russia. They wouldn’t have the ability to speak perfect Spanish on such a large scale with hundreds of phishing e-mails being written.
OMAR: At that time, it was June 2022. We had over 500 to 600 e-mails, different e-mails, and all of them were different. So, we didn’t have one single e-mail that was the same. But all of them share one thing; all the same were about banking transactions or money or payment, something related to money. Also, all of them had a backdoor the attackers were using, which was a band – a backdoor known as Bandook.
JACK: Bandook. Okay, if I google ‘Bandook malware’, I immediately get an article saying that this malware gives remote access to a computer, and it was written by someone named Prince Ali who’s from Lebanon in the Middle East. More specifically, the Bandook malware has been known to be used by a group called Dark Caracal. Well, that’s what the EFF named them, at least, and while we aren’t sure exactly who they are, there are quite a bit of clues that lead us to believe that the Lebanese government is somehow behind this Dark Caracal group. I want to paint a clear picture for you; hundreds of phishing e-mails are flooding into different government agencies in the Dominican Republic, all of which are trying to get the recipient to open an attachment or click a link which will infect them with this Bandook malware, which typically seems to be the work of this threat actor group called Dark Caracal. As Omar looked at these e-mails coming in, he noticed something even more scary.
OMAR: They compromised a company, so it was an important target.
JACK: [MUSIC] So, what happened here is that the attackers knew that the Dominican Republic was doing business with a certain company, and they infiltrated that company just to pose as people from there in order to trick the victims in the Dominican Republic government to open attachments.
OMAR: What they did is that they used a user that was having a conversation with the system administrator. So, the system administrator was waiting for that user to send him an attachment. So, he used a type of the legitimate attachment — the system administrator will see the backdoor.
JACK: I mean, this seems to be the start of a horror story, where it feels like you’re home alone at night and someone is throwing rocks at your window, at all your windows at once, constantly pinging them, and you just know at any moment one of those windows is going to break. But there’s just no way to secure everything at once. It just takes one user in an agency to get infected, and then the attacker can jump off their machine to infect the whole agency. For dozens of agencies to be attacked at the same time is horrifying. On top of that, the attackers are scanning web servers, looking for vulnerabilities, trying to find an exploit to get into the network that way. So, it’s like endless banging on the doors and you know they’re not gonna hold. Where do you even put your attention in a situation like this? The bull is trying to get in your house and there’s nothing you can do to stop it.
OMAR: We found out something — I was very terrified for us. Over thirty government organizations were compromised by that campaign. Like, really big organizations.
JACK: The hacker group Dark Caracal had successfully made their way into thirty different government agencies, and each came in through a different entry point, too. To see that this was coming, to know the bull was headed towards you but to have no ability to stop it, has got to be one of the most terrifying feelings, the feeling of helplessness, despair, vulnerability. Suddenly a huge portion of the Dominican Republic government’s network is now in the control of someone else, someone you have no idea who they are but may be related to the Lebanese government?
OMAR: Let me tell you, it was not just government organizations but also critical infrastructure.
JACK: Holy flip, critical infrastructure is things like power plants, water treatment facilities, or dams. Disrupting or destroying these systems would absolutely bring this country to its knees.
OMAR: Yeah, it was a very complicated moment. We didn’t know what to do.
JACK: Now, of course, Omar isn’t working by himself on this when he says that he did all these things; it was obviously a team effort, and his team consisted of seven or eight people. But then, every agency in the government has their own IT department, and some, of course, are bigger than others, but everyone was working extra hours to help out. But it just makes me wonder, you know? How robust is the Dominican Republic’s cyber security? They may not be able to afford the most up-to-date network infrastructure, and they may be running old systems in place. They may not have the funds to employ high-quality employees to react to this. But when you’re on the internet, it means you’re only one click away for every threat actor in the world. So, you absolutely need to secure your government’s networks just as well as the largest governments in the world. Just because you’re a small island doesn’t mean you get to skimp on cyber security. You need to be just as good as everyone else, and it feels asymmetric in so many ways. You have to be prepared for the most sophisticated threat actors in the world, and I just wonder, how advanced was the cyber security of the Dominican Republic?
OMAR: Well, after they did some things on the system, they now downloaded or installed a second malware, which was a Cobalt Strike implant which was communicating to Conti’s C2.
JACK: [MUSIC] A C2 means command and control server, but, I mean, what? You’re telling me that some advanced adversary who may be in the Middle East is now starting to install the Conti ransomware on these systems? This is boggling because Conti has been widely-attributed to be from Russia. So, first of all, why are these two groups even allies or working together? Second, holy crap, you now have two sophisticated attack teams working together to attack your entire country, national agencies, and critical infrastructure? Just when you thought you were in the thick of the storm, the storm got worse.
OMAR: It was – man, that moment, we wanted to disappear.
JACK: Then he got alerted of another problem.
OMAR: A big bank — overnight, it stopped working for over a month. So, if that bank cannot operate, all the people that have the money in that bank, what — how they are going to get the money out, or how that thing affected the government or the economy? So, that was something big, and we both — even more people can investigate.
JACK: The Dominican Republic was in trouble, and Omar’s job was to help.
OMAR: So, one of the first things that I did or I tried to do was call the people in Costa Rica, because that happened to them. I wanted to know all about the incident.
JACK: Now, this is what I love about Omar, is his awareness and his social skills. I used to work for a company doing incident response, and guess how much cyber security news my boss paid attention to? None. Guess how many other companies my boss interacted with to understand what threats they were facing? None. The attitude in our company was to put your head down and do your work, not look around to see what everyone else is doing or meet other people in the field, and I hated that. I can’t stress this enough, that having allies in this business and going to conferences and meeting people and sharing stories with them will help you do your job so much better. So, please, IT managers, stop thinking you’re in some silo and your problems are just yours. Encourage and support your IT employees to go to conference, meetups, talks, and workshops. It will help your business. Trust me. Omar has gone to conferences. You heard two of his talks at the beginning of this episode, even, and he’s gone to meetups and he’s made friends across the sea, in Costa Rica. Specifically, it was the conference called FIRST where he met them, and you can learn more about this at first.org.
OMAR: FIRST is a forum for incident response, so all the incident response teams that own the work just have a conference once or twice a year, so we all go to that conference in which other — so, if anybody needs help, so we know who we can call.
JACK: Well, FIRST is just one conference in the world. There are so many more going on these days. In fact, I think any given week you can find two or three security conferences going on somewhere in the world. So, just google ‘cyber security conference near me’, and see what’s coming up near you. Having these connections were very valuable in this situation. It was a force multiplier, even. Dominican Republic doesn’t have the biggest cyber security incident response team in the world, and so, knowing who to tap for help creates a battalion of people who can help you in different ways. One thing they did was compare their malware and indicators with other countries in Latin America to see who else has seen anything like this. Then he started creating a playbook with help from other nations to start remediating this. Of course, he was also calling up security vendors, the people who made the software that was supposed to be securing his network. He’d call up and say things like, hey, we pay you to block these attacks and you didn’t. Please help us fix it. Of course, the security vendors want to make their tools better, so they wanted a sample of the malware and what methods they used to get in, and were working quickly to fix their software so they would be able to block these attacks from continuing.
This was happening on Windows machines. They were getting infected even though they were fully patched and updated. So, a call to Microsoft was important to show them what they were dealing with and to ask, how can you fix this? They were calling out to other network vendors, too, because their systems were compromised. By the way, when you call up one of these companies to try to report a zero-day exploit, it’s not easy. The first person that you get, the first-tier support, tells you stupid things like, okay sir, did you try rebooting the system? You’re like, come on, please, please, please connect me to somebody who knows what they’re doing over there, and they simply cannot. So, you need to ask for a manager, and then the manager doesn’t know how to fix it, and they don’t want to admit that their software has vulnerabilities in it. So, you go back and forth, trying to troubleshoot it for days. It’s tedious and time-consuming before they escalate it to the next tier support, and eventually you get an engineer or a developer who knows the system inside and out and can recognize the problem and replay it and fix it right away. It’s just that that person is behind like, eight layers of support tiers before you can get to them. Now, there’s this quote from Bruce Schneier that has frustrated me but also educated me on the reality of cyber security.
The quote goes like this; “You can’t defend. You can’t protect. The only thing you can do is detect and respond.” I get frustrated from that quote because I feel like we should be able to defend and protect. Why don’t we have secure software that can do that? How many more years and technical advancements do we need before we can defend our networks? But the sad truth is we may never get there. So, what Bruce is saying is we need to be assuming we’re breached and to work on improving our ability to detect and respond to cyber threats. Somewhere in the middle of the storm, Omar realized that, too. Instead of trying to build those walls up higher and higher to stop people from getting in, he needed to get better at detecting when they did get in. [MUSIC] So, he started installing more monitoring tools into the network so that he could watch more closely what was going on in there, and this allowed him to understand where Cobalt Strike was and spot it, and the Bandook malware and Conti ransomware and Dark Caracal, and where it was in the network and how it was moving around, giving him a beautiful view into which systems were infected.
OMAR: We found out that the threat actor was on the systems over ten months ago.
JACK: They were in these agencies for ten months? Geez.
OMAR: So, when we discovered that, we tried to get to somebody else that may have more information than us, and we get to our partners. So, when — we reach out to them and we show them all the information that we have, and they told us something that made me very afraid. So, they told us that it was not just Dark Caracal; it was not just Conti, but also it was — Russia was also involved.
JACK: Russia as in the Russian government.
OMAR: It was very strange for me why Russia would compromise the Dominican Republic in that way. What interest they would have here? Because in the Dominican Republic, we have a lot of Russians, like, a lot of Russians living here. What would be their intention? What that organization told us is that they were trying to experiment with some countries, something that they may do in a bigger scale. So, they could not target some more mature countries like the United States or United Kingdom because they have better defense. So, they were trying to do it in this part of the world. So, what happened in Costa Rica, even though it’s not public — and I’m not saying that on behalf of any government; it’s just my opinion and what I know from what happened and for what I learned on the process. What happened in Costa Rica was part of that and what was happening in the Dominican Republic was part of that, and it was not just Costa Rica and the Dominican Republic, but also, all the countries in the Latin American region were in both on that. So, we — as soon as we knew that, we started reaching out to those countries to let them know that this was happening, to share indicators of compromise — or that way, they find out even earlier that, oh, that something dangerous was happening in their country. So, they were able to — those things before something really bad happened.
JACK: There’s now a third threat actor involved in this attack? Now, just before all this happened in the Dominican Republic, there was some crazy drama going on in the Conti ransomware gang. So, Conti, we know, is based in Russia, and they came out publicly in support of Russia’s invasion of Ukraine. Well, I guess someone close to Conti did not like this and decided to publicly leak 60,000 messages between the Conti group and other people. These leaked messages showed that the Russian government had been hacking into places that just seemed to be in poor taste, you know? Like, hacking medical researchers. So, it’s not far-fetched to think that Conti may be working with the Russian government or that the Russian government would be attacking smaller countries, sort of as a testing ground to practice their hacking skills.
But I mean, an infiltration at this level really can pose as a whole new type of ransomware. Just hypothetically, imagine a phone call from Putin to the president of the Dominican Republic where Putin could say something like, listen, we want you to support our war with Ukraine, and if you don’t, we’ll turn your whole country off. Because they can; with their hand in so many agencies’ networks and critical infrastructure, they could just shut down the Dominican Republic, and that would be a form of ransomware, wouldn’t it be? Now, this is just a hypothetical. I have no idea if Putin has any relations with the Dominican Republic. At some point, does — do you contact the president and say, hey, we’ve got a really big deal; it’s not just your normal malware, but this is just a geopolitical problem?
OMAR: Yes, we did. So, we call a national meeting with the big persons for the government. So, we informed the president and the intelligence agencies about what we discovered.
JACK: Of course, attribution is very hard when it comes to cyber-attacks. It’s incredibly easy to hide in the shadows on the internet. So, even though there are some things that point to this being Russia and Dark Caracal, how confident can you really be, especially when you’re on the phone briefing the president? Maybe someone else just got ahold of the Bandook malware or Conti ransomware. Maybe someone wants you to think that it was those threat actors attacking you just to throw you off the scent, because we’ve seen threat actors put in fake clues to do just that before. For this situation, there were a lot more questions than there were answers. If Dark Caracal is Lebanese-based, why would they be working with Russia or Conti? Was this financially motivated or politically motivated? This attribution wasn’t exactly clear, and neither are the motives.
OMAR: Yeah, so they’re not supposed to work together, so nothing went over our head. Over and over, we overthink it, so, why, why, why?
JACK: Does Lebanon and Dominican Republic have any relations?
OMAR: We do. So, our current president, his family is from Lebanon.
JACK: What? Hold on, how can the president of the Dominican Republic be from Lebanon? Let me look this up. Okay, his grandfather was born in Lebanon and moved to the Dominican Republic in the 1800s. It’s not clear to me, at least, if he’s still tied to Lebanon in any way shape or form. I mean, I couldn’t even find out if he’s — can speak Lebanese, you know? But it seems like only weeks after he was elected as president is when this attack happened. So, maybe this has something to do with Lebanon sending a message to the president? My mind is spinning here, and I don’t want to make any wild assumptions. At the very least, I’m reminded of how Costa Rica’s president declared war on Conti, and now I can see that that’s not so far-fetched of an idea anymore. At this point, Omar had a very good understanding of this campaign and malware, and he even reversed-engineered some of the malware and inspected it for clues and looked at their command and control servers, and had a full map of where the infections were and how they were moving around the network. On top of that, vendors started to improve their systems, showing patches and updates and better ways to detect this.
So, he got together with all the teams inside the agencies that were infected and explained the remediation process. Step by step, he walked them through how to remove this and stop this from happening again, and he also called the ISP to have them block certain domains, and he was actively cleaning up the mess. [MUSIC] Of course, any good threat actor’s not gonna go down without a fight, so while they’d block a domain or a command and control server, a new one would just spin up, and they had to keep blocking and updating their detection methods. You know, the goal for security isn’t always to stop all the threats permanently, but instead just to make it as hard as you can for the bad guys to get in, because it takes work to spin up new domains. It takes work to pull out a new zero-day to infect more systems, and it takes work to regain access once you get kicked out. So, having this coordinated effort to shut them out started to exhaust the attackers’ resources.
Do they really want to put a lot more work and effort into getting back in or just move on to the next target? There’s a concept called the pyramid of pain when defending a network, and it’s basically the more painful you can make it for the attackers to get in, the less likely they’ll actually do it. You never will become fully secure, but at least you can make them work for it. So, after a massive coordinated effort to clean up the government agencies and a big bank and critical infrastructure, they were able to successfully clear everything off and keep it off. In fact, they seemed to have stopped the Conti ransomware attack before it actually triggered ransomware on any systems. It was only staging the ransom, but never actually executed it. Omar also looked to see if any data got exfiltrated from the network, but it didn’t. So, it doesn’t seem like Russia or Dark Caracal stole any information out of the government. Did they disrupt critical infrastructure?
OMAR: They tried to but they could not. The critical infrastructure works — what we call the OT, which is operational technology.
JACK: Yeah, to control a dam or a water pump or a electrical transformer, it doesn’t use a typical Windows computer or something. It’s a different system called OT, which is operational technology, which is opposed to IT, information technology. OT takes a completely different skill set, and it sounds like whoever got into these systems didn’t quite have the skill set to control OT systems, which was good that they didn’t get disrupted. What a whirlwind story this was, huh? To have a government completely cracked open like that with no way to stop the attackers, in my opinion, at least, but then to gain back control of it and lock them out. Omar likes sharing this story with others so that they could be aware that this kind of stuff goes on in the world. In fact, as I’m looking things up here, it seems like Venezuela also got targeted with the same group or groups. So, in 2022, Latin American countries were hit hard with these huge coordinated-attack campaigns that may have been unstoppable due to the sophistication and breadth of the attack.
I wonder if Haiti got hit, you know? The president of Haiti has been assassinated and the place has a barely-functioning government, and it’s kinda been taken over by gangs. Would you expect their cyber security posture to be strong or lacking? I mean, if Russia infiltrated Haiti’s networks, is there anyone there to even notice it and clean it up? I just wonder about Haiti, because they share the same island as the Dominican Republic. I don’t know, in some ways I hate that our world is so vulnerable digitally still, that our most critical systems are still susceptible to attack. My knee-jerk reaction is to say something like, take your systems offline if you can’t secure them properly, but that’s the opposite of technological progress, so that kind of attitude or strategy just isn’t gonna fly today. I just feel like when our systems get too complicated, they become insecure, and we certainly live in a very complicated network of computers now, don’t we? But the thing is, even in my dreams, I still can’t find a safe place to hide.
(OUTRO): [OUTRO MUSIC] A huge thank-you to Omar Avilez for coming on the show and sharing this story with us. The easiest way to find Omar to connect with him is by looking him up on LinkedIn. I’ll have a link to his LinkedIn in the show notes. In this episode we talked about the threat actor Dark Caracal, and I actually did a full episode on them a while back, and that’s Episode 38. It’s a really fascinating group, so go check out that episode. Just as a reminder, this show is now on a monthly release schedule, so look for new episodes on the first Tuesday of every month. I also have a store where you can buy cool shirts to support the show. It’s not all branded with Darknet Diaries logos; there are some there, but there are a ton of shirts that I just know you’ll absolutely love the design and want to wear these shirts. So, please go visit shop.darknetdiaries.com, and thanks for supporting the show. This show is made by me, the bull fighter, Jack Rhysider, editing help this episode by the bipedal Tristan Ledger, mixing done by Proximity Sound, and our theme music was created by the mysterious Breakmaster Cylinder, who just released a new album, and I’ll have a link in the show notes if you want to take a listen. Now, even though when I see people rate this show a 10, I always assume it’s in binary and they’re really giving it a 2. This is Darknet Diaries.
[END OF RECORDING]