Episode Show Notes

							
			

[FULL TRANSCRIPT]

JACK: Before we get started, if you haven’t already, go back and listen to Episode 28 and 29 before this one. It’s a little series on the Middle East here and it’s meant to be listened to in that order. There are some hacker stories that really scare me and this is one of them. This one had a potential of causing a worldwide economic crisis. The world’s governments are growing in sophistication and they’re training their troops to hack and they’re building cyber-weapons. While governments are hacking into other governments, sometimes governments hack into private companies or a city’s infrastructure. Our electrical grid and food supplies weren’t built to withstand a fighter jet bombing them but should they be built to withstand a nation state actor trying to hack into them and destroy them? Maybe.

JACK (INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]

JACK: So you know what’s funny? Not too long ago we heard the news that Apple was the first company to have a net worth of one trillion dollars. It’s funny ‘cause it’s not true. Apple’s worth that much but it’s not the first company to be worth one trillion dollars. There’s another company that’s worth two to ten times more than Apple. What is it? Saudi Aramco. You may not ever have heard of Saudi Aramco before and neither did I until I started researching this story and that’s because they don’t sell to consumers. Instead they sell to manufacturers and distributors so what do they do? Saudi Aramco is one of the largest oil and natural gas producers in the world. It controls massive amounts of oil reserves. It drills it and ships it all over the world. Saudi Aramco may be the most profitable company in existence and produces 25% of the global oil. It’s not a publically trading company though, so we really don’t know how much it’s worth. Because Saudi Aramco is huge and operating globally, it has a lot of computers.

There are pump stations, plants, shipping terminals, logistics centers, laboratories, research and development centers, and storage facilities. Let’s not forget the teams it takes to run it. There’s an HR department, IT department, marketing, truck drivers, mechanics, engineers, public relations, finance, drilling teams, and advisors. Add all that up and Saudi Aramco has over 50,000 employees. Imagine how many computers there are at a company that has 50,000 employees. Not only do a lot of them have individual computers to work on but there’s a lot of servers; domain controllers, e-mail servers, SharePoint systems, files servers, and more. In 2012 Saudi Aramco had over 40,000 computers in their network worldwide. Now I say 2012 because that was when the most profitable company in the world was hit with the most devastating cyber-attack any company has ever seen. To really get into this attack I brought in Chris Kubecka and we’ll understand more about her and her role in this attack later but for now we’ll have her explain what happened.

CHRIS: Saudi Aramco, like any other oil and gas and energy company, their primary jewels, what makes them money, is their industrial control systems pumping out oil and crude out of the ground. When your primary profit is driven by that, that’s where you put your security, that’s where you put your attention. Unfortunately they did not put very much of any real attention on the IT side. However, what happens is IT and industrial control systems are connected. In the case of Aramco and at that time, it was okay for an extremely flat network across all of that.

JACK: Think of a flat network like the hull of a ship but it’s just one big empty space in the hull, so if the boat hit a rock and made a hole in the hull, the water would fill up the entire hull and sink the ship. But some boats are designed with compartmentalized hulls so if water were to get into one section of the hull it couldn’t possibly fill up the rest of the boat and still stay afloat. In your network it’s good practice to compartmentalize it so if a hacker gets into one section of the network they only have access to that section and in the case of Saudi Aramco, because their network was flat, once you got into any part of the network you could get to anything, anywhere.

CHRIS: Saudi Aramco has offices and locations 60 plus around the world in far flung locations. There’s one location you have to take a ferry for eight hours in Indonesia to go to an island. The attack hit in August but they had already gotten into the systems around April to May.

JACK: The attackers likely got in through a phishing e-mail. This is where they’d send a specific employee an e-mail with an interesting attachment or link. Since the employees had no security training, it was probably not that hard to get one of them to click a link or open an attachment. The other part of this equation is that the employee’s computer had to not be fully patched. For instance, the attackers would hope they’re running an older version of Microsoft Word or Adobe Acrobat that has known vulnerabilities. When the user would open the Word [00:05:00] document, the file would attempt to exploit one of these known vulnerabilities to gain access to the computer. If successful, it would open up a reverse terminal back to the attacker. When the attackers got into Saudi Aramco, they were able to move around with ease. This is the problem with a flat network. Their next step is to gain access to a system that communicates to all the other computers in the network, a domain controller. The system is used for authentication onto the network and it provides a map so computers can find other computers. The attackers focused on these domain controllers but these systems were not very secure.

CHRIS: [MUSIC] Because of extremely weak infrastructure you could reset a domain administrator password on the internal system of their HTTP, so completely clear text. That’s a domain administrator password so that gives you an idea.

JACK: At this point the attackers had access to Saudi Aramco’s network and had administrative privileges to the domain controllers, essentially giving them keys to the kingdom.

CHRIS: Now what was unusual was the Houston Operation Center had actually picked up on unusual activity. Even though they had no security people they thought it was unusual for 250 different devices to be logged in at the same time by the one domain administrator. They were picking up on highly suspect activity. Because they didn’t know perhaps how to phrase it, and perhaps it was not well-accepted Saudi, there was not an incident created. At the time, the person who ran the security operation center decided, it was his opinion; he would not open an incident for the report from Houston.

JACK: Now that the attackers had the crown jewels of the network and nobody was going to stop them, they spent the next three months building their perfect attack. At this point in 2012 August rolls around, which seems to be the perfect time to attack Saudi Aramco. What’s special about August 2012 in Saudi Arabia? It’s the holy month of Ramadan. In the US, offices are almost completely empty around Christmastime and that’s what it’s like during Ramadan in Saudi Arabia.

CHRIS: It was a typical company policy that that was the slow period. The majority of Muslim staff believes what’s usually left, or what at the time was usually left, was a skeleton crew of Western staff at the most.

JACK: This would be the perfect time to wage an attack against the company to do the most damage. There would be nobody to stop it and the reaction time would be very delayed. That’s just what happened. On the 15th of August a warning was sent but it would be a warning that Saudi Aramco would not notice.

CHRIS: [MUSIC] The day of the attack at 9:08 a.m. a Pastebin was posted up that said we, the internet users of the world, are bringing basically to the world’s attention that there is blood on your hands, the regimes of Saudi Arabia and all this. But we know how you fund your regime is through Saudi Aramco so what we have done is we have attacked European computer systems to get into the Saudi Aramco systems and have destroyed 30,000 computers. It will go off in two hours.

JACK: The Pastebin was signed by someone calling themselves The Cutting Sword of Justice and Saudi Aramco didn’t get the message. They weren’t scouring Pastebin looking for things like this and their staff was mostly gone anyway so this warning was never received, so they had no idea this was coming.

CHRIS: At 11:08 a.m. things started shutting down.

JACK: At the exact same time, all across the Saudi Aramco office, computers were starting to display burning American flags. Each computer was corrupted with a nasty virus set to delete everything on that system.

CHRIS: Because what was happening is the wiper virus that got into it, when it would eventually get down to some of the Windows files that were pertinent and the master boot record, it would then force a shut down and if you tried to restart it you lost your master boot record so you couldn’t immediately pull everything back up. Things started shutting down.

JACK: This wiper virus would be known as the Shamoon virus.

CHRIS: It was a logic bomb set to go off at a particular time on a particular day.

JACK: A logic bomb is a virus or program that’s set to trigger when a certain condition occurs. This logic bomb was set to trigger at 11:08 a.m. on August 15, 2012, with the instructions to wipe the hard drives, rendering them unusable. Since the network was flat and not very secure, a lot of computers were hit with this logic bomb.

CHRIS: About 35,000 systems. 85% of their IT infrastructure was taken out.

JACK: 35,000 computers had become completely unusable all at the same time. [MUSIC] This is the most destructive malware to ever hit a single company. If you lined up 35,000 computers in a row, it would be six miles of computers. When you tried to reboot the computer it would simply say Operating System Not Found because it had been completely wiped. Imagine if something like this [00:10:00] happened where you work, where everyone’s computers were suddenly unusable. This isn’t just a network down or an e-mail down; everyone’s computers wouldn’t boot at all. There was no operating system. All saved files were gone. All software was deleted and many of the backup servers were obliterated, too. This was devastating. This virus specifically targeted machines running Windows.

CHRIS: Anything connected to them that relies on them like Windows DNS, Windows THCP, the voIP that would also rely on any Windows server, Windows backup servers, the auto truck loading system, and the payment systems also were inoperable as well as all the middleware so they couldn’t access contracts. In addition they had gone to green and fully digital so all of their contact lists, people that they could call were on SharePoint, they didn’t even have SharePoint. They had no employee list. They couldn’t even look at a roster.

JACK: There were no e-mails. Phones didn’t work. There were no shared data sources like SharePoint or file servers. This was a massive disruption to the most profitable company in the world. 85% of their computers were down permanently. But this virus did not attack the industrial control systems found at pumping plants, pipelines, or drilling sites. Oil production was still completely operable. That’s because the company focused their security on these systems but also, the attack did not target industrial systems. But the problem was there were no computers to say who to ship the oil to or where it was supposed to go. They had no contact information for anyone either to notify customers of the outage. At this point Saudi Aramco was scrambling to figure out what had happened and they were afraid this virus would spread to more systems and take out oil production. Emergency meetings were being set up like war rooms in the Aramco offices. The CEO was also present. As they realized the size of this destruction, an extreme decision was made.

CHRIS: They rapidly started unplugging everything. They took the decision – they did not want it to spread so they decided a very severe decision and I think the first time ever, Saudi Aramco completely disconnected themselves from the internet which also had other consequences such as when you’re dealing with industrial control systems, say Honeywell or Siemens, they remotely monitor and maintain that equipment under their maintenance contracts. They were also disconnected because they did not want anything to spread or for them to be the pivot point to anyone else.

JACK: The CEO made the decision to take one of the largest companies in the world offline. This is never an easy decision to make but is probably the right one. On one hand, shutting down like this has potential worldwide effects and can cause the company tons of money. But on the other hand, not shutting down is potentially more severe and can potentially cause even more loss of money.

CHRIS: Saudi Aramco provides about 25% of the world’s energy. So what would happen if 25% of the world’s oil market is taken out in one day?

JACK: This is why this story scares me; a single hack like this has the potential to wreak havoc on the world. Imagine if gas prices quadrupled overnight or imagine if there was a worldwide shortage of petroleum-based products like plastics or fertilizer? The reverberating effects of this one incident could put the globe in a panic.

CHRIS: In addition, Qatar, the country, their national oil company is called RasGas. RasGas was also affected and disrupted in a similar manner but they do not discuss it whatsoever. They have about 14% of the world’s energy market, especially with natural gas. You couple that with Saudi Aramco, 25% of the world’s energy, that’s in a two week time period. That was the risk to the rest of the world. It could have obliterated financial markets.

JACK: Strangely enough, when Cutter’s Oil Company was hit with the same virus, their version did not have a burning American flag on it which raises a lot of questions. But these two companies combined supplied 40% of the world’s oil and natural gas. Whoever waged this attack was trying to cause financial ruin to a lot of people and companies. [MUSIC] When the Shamoon logic bomb hit Saudi Aramco it took out a huge portion of their computers but didn’t impact their drilling sites or pipelines. The scene was chaotic there, and confusing. Nobody knew what trucks to load up with what oil and where to send it so the decision was made to load up any trucks with any oil you had and ship it out. Oil continued to flow to supply the world even if it meant giving it away free, which is what they did at times. But because of the chaos and outages it was really slow filling their trucks up. Saudi Aramco made a public Facebook post announcing the attack. It said…

CHRIS: We are suffering from some sort of digital or cyber-attack and we have chosen to disconnect from our business operations and production from the [00:15:00] internet. At that point in time you could not send an e-mail to them. It kept bouncing back. It just snowballed from there.

JACK: As the company scrambled to understand the impact and get things operational again, they knew they needed more help. They simply didn’t have a good security IT team to handle this kind of incident. Before this attack in 2012, Saudi Arabia simply didn’t take security very seriously. There were no government branches focusing on cyber-defense. They had a Saudi CERT but it was crude and inefficient. When the government ignores the importance of security it trickles down to many other companies within the country. Security simply wasn’t a big industry in Saudi Arabia at the time. Saudi Aramco was trying to hire as many security consultants as they could but they ran out of people quick, so they started hiring vendors but there were problems with this too and they needed even more help than that. They decided they needed an outsider, someone who’s secured global network before and someone who they could hire to be part of the Aramco team. That’s when they called Chris Kubecka.

CHRIS: [MUSIC] Yes, they called me out of the blue. It was very odd because I had never imagined myself working for that type of organization. I was coming back from a holiday from Tanzania. I was transiting in Istanbul and I was hoping that I could get in the lounge ‘cause I was so tired, good food. My phone rang and usually I won’t answer my phone when roaming but I did anyway. They’re like hey, this is Aramco. We would like to talk to you. We would like to hire you. I’m like, okay? ‘Cause I’m not sure that this is a legitimate call at this point. It’s out of the blue. I’ve never applied for that. I’m like alright, so tell me about the role. They’re like well, Aramco, we’ve been under attack and we need to get all of our security ramped up as quickly as possible. I’m like, okay.

CHRIS: Chris Kubecka is a well-connected, respected, and experienced security professional. She’s given a few talks at various conferences around Europe which is how Saudi Aramco knew of her, but her profile is very impressive. She’s been using computers since she was a young child and then joined the US Air Force and then joined the US Space Command to work on communications systems to space. From there she did consulting work and started leading security teams and eventually worked her way over to being a security consultant for a very large financial services company in the Netherlands which is where she was living. She is experienced with securing large networks and handling large-scale incidents. Throughout all this Chris had gathered a lot of connections and made a lot of friends in the security industry; not to mention her global experience that she’s had traveling the world and even picking up a few languages on the way. Choosing her for this role of bringing one of the largest companies in the world back online was a good choice. The problem was Chris already had a job leading the security team for a large financial services company in the Netherlands so she wasn’t interested in another job.

CHRIS: They go well, we just need to know a price. Can you give us a price? I go okay; picked a price which I didn’t think that they would agree to and I said here’s my price. He goes we’ll get back to you. Okay. I was like, that’s an odd phone call.

JACK: Chris literally pulled a number out of the air, one that was much higher than she would expect anyone to accept.

CHRIS: They called me back a week and a half later and said well, the board was convened and they actually raised your price by 20%. I’m like, the board? Yes, the Saudi Aramco board. It was about that time that I kind of realized that that was the most powerful organization in the world and they convened a board and gave me an additional bump up from what I had asked for and they definitely wanted me. It was also at that point I said I know my name is Chris, I know I don’t have a very high voice but you do know I’m a woman, right? They’re like yes, yes, yes, we do, we do! I’m like, okay. I go, I have a position. They go well, don’t say no. Just say maybe. I go okay.

JACK: Chris listened to the Saudi Aramco team and heard firsthand the total destruction that was caused. The recruiters were so happy she was considering the role.

CHRIS: They had basically said you can hire whoever you want, you can basically have an unlimited budget, they can have 20,000 euros every year for training so that they’re always trained up. I was very excited to be able to build a world-class team to tackle this chaos. I thought it was a fantastic opportunity, which it was.

JACK: [MUSIC] Chris took the job and got right to work building her team. She pulled out her contact list and began recruiting. It’s hard to find good security talent today because there isn’t enough talented people to go around and all the good ones are taken. But with a massive budget, lots of training dollars, and the excitement of working on one of the largest hacks in history, she was able to find some pretty great people.

CHRIS: I looked for all the rock stars that I had already written up on a bit of a dream list and I got [00:20:00] seven out of ten.

JACK: One of the biggest incentives was that massive training budget for each analyst. This alone is a great lure, since most security professionals are excited to learn about latest technology so knowing that the company is going to invest in their expertise was exciting. Not only that, but she also gave each person 10% of their time to work on their own projects. When you have really talented people sitting around with free time in their hands, they end up making tools that make the team more effective.

CHRIS: Many of these folks also spoke multiple languages so I had Dutch, Romanian, Cypriots, I had Indian, I had Italian.

JACK: When defending a global company such as this, you need many languages in your security staff to be able to communicate effectively between organizations and teams but also be able to identify threats in various regions. When Chris assembled a team she made it a point to not overwork anyone and give everyone adequate breaks. Her average work week was 36 hours per week and this made them less stressed and excited to get back to work.

CHRIS: I always had rested alert analysts and they enjoyed what they did. They got to do projects that were related. They were doing fantastic things. They were able to not feel constrained and they were always taught on the newest and greatest stuff. I did not want a group of analysts who had training from last year looking at today’s threats because that just doesn’t work. Our threat actors are nation state, cyber-criminal, hacktivists, anything and everything in between. Our threat profile is extremely high. We needed the best of the best, not someone who got a CERT five years ago and hasn’t taken a course since.

JACK: While Chris was busy building her team and getting them up to speed, Saudi Aramco had began rebuilding the infrastructure.

CHRIS: Basically what they did was, they have so much money and they also own the largest private fleet of aircraft. They sent their private fleet to the factory lines in Southeast Asia to buy up the world’s supply of hard drives immediately to replace all the hard drives at Saudi Aramco.

JACK: Some of the hard drives were slightly damaged from this attack and the company didn’t want to reformat them and start over because maybe they could recover some data on them. Since Saudi Aramco had enough money they just decided to buy tons of hard drives as fast as they could. This took months to fully purchase the number they needed.

CHRIS: It was 85% of their IT infrastructure which you’re also talking about backup servers, all of this type of stuff. You’re talking about many more than 35,000 hard drives, for instance.

JACK: That’s a lot of hard drives. A single manufacturer could not produce that many hard drives to fulfill the demand so Saudi Aramco would fly their jets to a few different manufacturers at once to get them as soon as they came off the factory floor. As if this wasn’t bad enough for the world’s supply of hard drives, at the same time, a massive typhoon hit Asia, halting production for some of the hard drive facilities.

CHRIS: If you bought a hard drive between September 2012 and January 2013 you will notice that there was a rise in worldwide hard drive prices because Saudi Aramco bought the supply and everyone else was paying a tax, basically.

JACK: Chris was based in a city in the Netherlands called The Hague and this is where she built the security operation center. Immediately she knew she needed to integrate her team into the Saudi Aramco culture so she began rotating each of her analysts to go work in Saudi Arabia for a while. In exchange, she’d get someone from IT from Saudi Arabia to come work in her operations center in The Hague. She didn’t want a repeat of how Houston, Texas detected this attack four months earlier but couldn’t communicate it effectively to Aramco. Integrating her team into the culture was a great success. Her first task was to gain visibility into the network.

CHRIS: [MUSIC] Because otherwise you can’t see if another attack is coming through. That was a huge challenge because there was a whole segment where there was zero visibility and that was a huge issue. That was number one, absolute number one. Number two was looking at the best practices because my team, the minimum level of experience in the SOC was five years so all of us were highly experienced. We were bringing over best practices. In the mix there were a lot of foreign contractors who were put into roles until the Saudi people could get up to their capabilities.

JACK: Chris and her team began triaging the network to make it more secure. They did things like audit the network, help IT secure systems better, monitor for attacks, and harden the network. While Chris’ role was important there were many other security teams worldwide also helping to resolve this incident. Both internal and external people were helping to get things back on track. In fact even a few other countries helped out to get things operational again. At this point oil trucks started getting backed up at pumping stations and drill sites, like ridiculous backups. Picture the worst traffic backup you’ve ever seen and that was the situation. A journalist saw this and took a picture of an endless amount of trucks [00:25:00] in a row with no oil and wondered what was going on here. At this point the news was starting to spread that Aramco was hit hard with something big.

CHRIS: [MUSIC] The attackers continued to attack the infrastructure and Saudi Aramco had to disconnect from the internet three times. They thought that they were up, they got everything up and running, and then the attackers launched a massive DDoS attack against them. Then at the same time, they were able to get back in again because when they had first put up the first better security appliances on the perimeter, I’m not sure who did this, I think it was one of their contractors, had left some of the stuff with default usernames and passwords on the network and security appliances. The attackers were able to get back in, briefly. They posted this because it was very taunting and they were able to get the new password and e-mail address for the CEO of Saudi Aramco and the executive board and they pasted it on Pastebin and said we’re not through with you yet.

JACK: This Pastebin was also signed by The Cutting Sword of Justice. This is when Saudi Aramco started noticing not only this Pastebin but also the previous ones posted on the day of the attack. Chris and her team continued to defend the network and find any vulnerabilities and patch them. This took a lot of work to get things operational again.

CHRIS: About three and a half months to really get back to normal.

JACK: That three and a half months was basically working with an unlimited budget to get things back on track and oil flowing properly. If this company didn’t have a budget like that, this would have either destroyed the company or degraded it for years. Another thing worth mentioning here is that Saudi Aramco is very adamant about not buying any Israeli-based software. For instance, firewalls made by Check Point are never an option for securing the network because Saudi Arabia really doesn’t like what Israel has done to Palestine, and since Checkpoint firewalls are made in Israel and started by a former member of the Unit 8200, the Saudi government won’t buy their products. I suppose it makes sense if you know a country is spying on you and former military spies make a firewall, you probably don’t want to buy that firewall for your network. But even when Saudi Aramco had things back up and operational there were still problems that would occur.

CHRIS: The employees, this was one thing I found very unusual, because there had not been any say, security awareness training for them before the attack, when the employees came back they didn’t really want to touch a computer. They were kind of afraid. They’re like oh my god, what if I’m the one that opens the e-mail attachment and then brings the system down because of a phishing attack? There were people who didn’t really want to use the systems. I can understand. It also took time after the attack; you then have to start – you need the people on the computer systems not in the security awareness programs but you also need them in there. Which do you do? Do you get your operations back for these people who are like, I’m not opening that e-mail. You have to open my e-mail. No! It’s almost like they got post-traumatic stress disorder from the cyber-attack. It was very, very unusual. If I was a psychologist I would love to do some sort of paper on the topic.

JACK: Once things started settling down, Saudi Aramco government began looking into who conducted this attack. The Pastebin messages were signed by The Cutting Sword of Justice which appeared to be an activist group but some of the messaging in there was suspicious. The Shamoon virus was also analyzed thoroughly to look at traces of information that could lead to who wrote it. Combine this with the additional logs and forensics data, and the picture started to become clear.

CHRIS: According to the Saudi Arabian government, it was the country of Iran.

JACK: [MUSIC] There are a few theories as to who was behind this attack. It could have just been a group of people wanting to drive up oil prices or actually an activist group mad at Saudi Arabia. We don’t know all the details or exactly who and why but some security researchers believe this was a retaliation from Iran because of the Stuxnet attack that hit their nuclear facilities. But if the US and Israel attacked Iran with Stuxnet, why would Iran attack Saudi Arabia in retaliation? This is a very complicated question. The first clue is that the Shamoon virus had a burning American flag on it, and Saudi Aramco was actually started by an American company. First it was started by the Standard Oil Company of California and then it eventually changed its name to Aramco which is short for the Arabian American Oil Company. From there the Saudi government saw how profitable it was and fully took over the company and today this is where the bulk of Saudi government money comes from.

You can see Saudi Aramco has a deep connection with the US but the US relies heavily on oil from Saudi Arabia so impacting the oil supply to America could cause financial ruin to the US, bringing a lot of businesses to a halt. Additionally, Iran and Saudi Arabia have longstanding feuds between them. They often argue about politics and religion but the thing is the [00:30:00] Iranian government never took credit for this attack. If they did this as a show of force or some kind of saber rattling, why wouldn’t they take credit for it? There were some news articles that stated Saudi Arabia captured and arrested dozens of Iranian spies not long after this attack. It’s unclear but it’s possible these spies were somehow part of this hack, possibly doing reconnaissance or doing some sort of social engineering to get internal information about Saudi Aramco.

Over in Iran is the Islamic Revolutionary Guard Corps, or IRGC. This is one of Iran’s armed forces and it has over 100,000 people. In the IRGC is the intelligence-gathering units which is where we presume are a number of hackers working for the Iranian military. In fact one IRGC general stated that they have the fourth biggest cyber-army in the world. But there’s also a group called the Iranian Cyber Army and this isn’t a military group but rumors say it was started by the IRGC. This hacker group has pledged their allegiance to the Supreme Leader of Iran and they conduct hacks to help Iran out. It’s a very secretive group but it’s possible they do some of the more dirty work for the IRGC so the Iranian government can claim that they didn’t do it. This incident with Saudi Aramco is known as the Shamoon Attacks 1.

CHRIS: There’s now Shamoon Attacks 2 and 3 that are still ongoing against Saudi Aramco and Saudi Arabia, especially hitting Saudi Arabian critical infrastructures, and airports have been affected. It is still ongoing.

JACK: The thing is, is that nations aren’t even at the point yet of being able to talk about what cyber-capabilities they have, much less be able to have an open conversation of how to conduct cyber-warfare between nations. Many countries are developing cyber-capabilities and they’re watching big players like the US on how to conduct themselves in this space. Seeing things like Stuxnet leak and the US denying it just makes these countries follow suit and also conduct ultra-secret missions. We’re still in the first generation of this new weapon and when things are this new, there aren’t any rules or regulations yet. There isn’t any playbook or proper way to conduct yourself. Because of all that it will be abused. Nations will do whatever they want, whenever they want, because that’s just how it is right now.

It’s naïve to think nations aren’t constantly spying and infiltrating on each other using cyber-weapons which is probably why when there’s an attack this, it’s not treated like an act of war because we don’t know what a cyber act of war looks like yet. When we see mass casualties from a hack and a nation claims responsibility for it, then I think that’ll be one. But in this case some computers were damaged and an unknown group claimed responsibility. Somehow this didn’t cause a worldwide panic in oil prices and everything went back to normal in a few months. Before this event the Saudi government didn’t put a lot of effort into their cyber-security program. To me it’s crazy to think of a nation such as this not paying that much attention to online security. But since then in 2017, 2017 is when they launched their Saudi National Cybersecurity Center which is a government-ran organization built to protect their critical infrastructure and government from cyber-attacks.

This has a great trickle-down effect to the whole nation because security really does have to start at the top of any organization, including an entire nation. Now many more organizations are also taking security seriously because the Saudi government did. [MUSIC] The operations center that Chris built in The Hague is still up and monitoring Saudi Aramco but she’s since moved on to higher profile projects and here’s a bit of advice from her on how to prepare yourself for an incident like this.

CHRIS: Digitization is fantastic but in an emergency you always need a paper copy of contacts. That’s a very good idea. We also carried coded contact information cards in our wallets in case of emergency so that we could have a very, very quick response. That was one of the big things that was lost during the attack because you couldn’t even get a phone number, also printed-out playbooks so in case of emergency. It’s a calming factor that you can hold something in your hand to look at. Even though it’s not going to match up perfectly it helps you from losing your sanity and you can go off of that. Having those printed out and contact cards are invaluable in the case of any incident.

JACK (OUTRO): [OUTRO MUSIC] You’ve been listening to Darknet Diaries. A big thanks goes to Chris Kubecka for sharing her story and if you want to learn more from Chris, guess what? You can! She has two books out now. Her first one is called Down the Rabbit Hole, an Osint Journey, and her newest one which should be out in a few days, is called Hack the World with Osint. I have a copy of the first one right here and it’s packed full of labs you can do to gather personal and private information on companies and governments that are leaving their data right there in the open for anyone to see. She demonstrates how to gather publically available yet sensitive data related to Panama papers, the Democratic National Party, Trump’s websites, the Republican National Party, and even the Dutch voting system. If you want to get better at open source intelligence-gathering, check these books out. I’ll link to them in the show notes. [00:35:00] Please consider donating to this show through Patreon. Very soon I’ll be giving bonus episodes to supporters there. This show is made by me, the dull blade of mischief, Jack Rhysider. The intro song and the song you’re hearing right now is made by the shrouded Breakmaster Cylinder.

[OUTRO MUSIC ENDS]

[END OF RECORDING]

Transcription performed by LeahTranscribes