Episode Show Notes



JACK: Imagine being at work in the office and all of a sudden the server you’re working on goes down, the phones stop working, the screens go blank, and as you investigate you realize the company has been hacked. [MUSIC] The virus is so bad and it’s spreading so fast that you frantically start unplugging Ethernet cables in an attempt to stop the attack. You’re forced to sever your connection to the internet altogether. Yeah, that did happen and I want to tell you about it.

JACK (INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]

JACK: Imagine you’re taking a nice gondola ride through a canal. [MUSIC] This is one of those boats where you hire someone to stand up on it and paddle for you. It’s nice and slow, relaxing, something you do as a tourist and it can be romantic; except, you’re not in Italy. You’re in the middle of the desert. This is the scene from within the Venetian, a hotel casino in Las Vegas, Nevada. But it’s not just any hotel. It’s a luxury resort, a massive resort with over 4,000 rooms. In fact, it was the largest hotel in the world up until 2015. If you go to Vegas you can’t miss it. The Venetian looks just like Italy. It’s amazing to look at and explore. On top of it being a hotel, they have a 120,000 square foot casino, a monster of a gaming hall which is where they make a ton of their money. In 1988 Sheldon Adelson bought the Sands Hotel and Casino in Vegas. Three years later he got married to his second wife and took a honeymoon to Venice, Italy. There’s where he got the inspiration to bring Italy to Las Vegas, so he did. He came back home and spent 1.5 billion dollars building the Venetian and then imploded the Sands Hotel and built more Venetian hotel rooms on top of it.

Sheldon had a strong desire to succeed as a hotel casino investor and he did succeed. His casino was very successful and now he controls ten different properties. The parent company of this empire is the Las Vegas Sands which is what I’m going to refer to as LVS a lot in this episode. LVS is the company that owns The Venetian and Palazzo in Vegas, and another Venetian in China, and the Marina Bay Sands in Singapore. That’s the one that looks like it has a cruise ship on the top of the buildings, and another Sands Casino Resort in Bethlehem. The Las Vegas Sands has over 50,000 employees worldwide and is ranked 418th on The Fortune 500 list. It’s a massive corporation today and its founder, owner, and CEO Shelden Adelson. We’re going to learn a lot more about Sheldon in a minute but I’m fascinated with the IT infrastructure of a major global business like this. [MUSIC] You may have seen Ocean’s Eleven at this point so you can probably take a guess as to how secure their physical infrastructure is to protect those millions of dollars that are transacted each night in the casinos. But those are all physical securities. I want to know what their IT security looks like so I did some snooping.

If you want to know what’s in a company’s network and they’re not really telling you what’s in there, there’s two easy ways to figure this out. First is their career page and the job openings. On the Las Vegas Sands website, you see job openings for things like Network Security Engineer 1, Network Security Engineer 2, Network Security Engineer 3. To qualify for these roles you have to be proficient in Sysco routers, Aruba wireless controllers, Checkpoint firewalls, Paulo Alto firewalls, Blue Coat web proxies, and F5 load [00:05:00] balancers, and VPN servers. You know what? These are all the technologies that I would expect to see in a large Fortune 500 company’s network so nothing’s really out of ordinary here. The second place I look to get a good idea of what’s in their network is LinkedIn. A couple of simple searches here and I’m finding hundreds of IT people claiming that they work at the Las Vegas Sands, ranging everywhere from cyber security project manager to a whole army of cyber security engineers, and analysts, and administrators. I think this paints a good enough picture for me.

With a few other Google searches, I’ve got a pretty good idea what their internal network is like and what their staff is like. The IT security team at Las Vegas Sands seems to be pretty big. I’m guessing somewhere between 200 and 1,000 engineers, technicians, analysts, investigators, directors, and more. The IT security peoples’ job is to understand, find, detect, stop, and remove threats from the network. You know what? These are the good guys in our story, the people who work tirelessly to keep that network up and safe, to keep the company running smoothly in the middle of any kind of cyber-attack. Las Vegas Sands has multiple data centers and it houses hundreds and hundreds of servers in each. The network of these casinos is huge. There are like, thousands of slot machines that all need Ethernet connections and then there’s public WiFi for the guests, there’s retail sales networks, there’s online booking servers for their ten different properties, each guest room has an electronic door lock; that’s gotta be connected to something. Then there’s the hotel reservation systems and the television network in each room, and a whole bunch of security cameras everywhere.

That’s a lot of stuff in their network to keep up and operational. It’s a massive and complex network but this is typical for what I’d expect a Fortune 500 company to have. Now, I outlined their network to you because I really want you to get a sense of who’s working there. These IT and security people have a lot at stake to secure. Of course, there’s millions of dollars of actual cash to secure but there’s also thousands of customers to keep happy every minute of the day, 24/7. Las Vegas never sleeps. The IT and security team has to work their butt off to keep the network up and operating effectively and they can never sleep, either. Someone’s always there 24/7, 365 in the security operation center watching threats in the network. They’re just looking for packing threats and then a whole other team monitoring the surveillance cameras; all 24/7. A network this big comes with a lot of hazards of things breaking. It’s just the nature of having a large network. Cables go bad, upgrades fail, patches introduce new bugs, yadda, yadda, yadda.

Of course, there’s network attackers, hackers that are trying to push malware onto the network and through their websites and under the wireless network to maybe try to figure out a way in getting some of that casino cash. I’m sure that running a casino attracts thieves like garbage attracts flies. The security team at Las Vegas Sands has done a great job. They’ve deployed state-of-the-art infrastructure and hired top-notch talent to keep the place secure. It seems like they’ve thought of everything that can possibly go wrong and they have a plan in case that happens. But as you might guess, something does go wrong that they didn’t expect. [MUSIC] Alright, let’s go back to Sheldon now. What do we know about to Sheldon Adelson? Well, the man has money, lots of money. Las Vegas Sands is the biggest casino operator in the world and this CEO owns over half of it. The Bloomberg Billionaires Index has Sheldon with a net worth of 36 billion dollars. That’s the kind of money I can’t even wrap my head around. He’s a self-made billionaire whose wealth just keeps growing.

Sheldon started young, growing up in a low-income family in Boston and he had his eyes on making money and he set out to do just that. He created business after business; some were more successful than others. Then he found gold. In the 1970s when personal computers started to become popular, he created Comdex. This is a computer trade show which brought all the top tech companies together to showcase their latest technologies. The Comdex Tech Conference was a major success. To give you an idea of how well it did, in 1979 Sheldon held Comdex at the MGM Grand Hotel in Vegas, the most famous and luxurious hotel casino in the world at the time. Within ten years, business had exploded for Comdex and became the largest trade show in Las Vegas, earning an excess of 20 million dollars each year. Listen to this reporter coming at you live from the 1993 Comdex Trade Show.

REPORTER: There may be a recession going on out there somewhere but you certainly couldn’t tell here in Las Vegas as over 2,000 exhibitors, more than 140,000 attendees are here at a bigger-than-ever fall Comdex. Lots of new product introductions from the big guys like Microsoft and Intel. Also new products from smaller companies with names you’ve probably never even heard of.

JACK: 140,000 attendees. That’s mindboggling. I mean, the E3 Convention that was in Las Vegas last year only brought in 69,000 attendees. The success of Comdex made Sheldon Adelson a multi-millionaire. He sold Comdex in 1995 for 860 million dollars to focus his attention and wealth on the Las Vegas Sands. The Venetian in Las Vegas, his mega-project that he developed to replicate Venice, Italy, was soon the first privately-owned and largest convention facility space in the US, not to mention [00:10:00] a casino heaven for gamblers. You can see how Sheldon has emerged as a dominant figure and behind his businesses he’s outspoken and not shy at all about using his money to bolster up the causes he believes in. The sheer scale of donations to the Republican Party in the US alone has kept him in the spotlight. We’re talking donations of 120 million dollars in the 2012 Presidential Campaign and 82 million dollars in the 2016 Presidential Campaign. All this went to the Republican Party. These are colossal amounts to us but small change to Sheldon. Considering he’s a mega-donor, some question what kind of influence that sort of money buys you.

But he’s not just interested in US policy. He’s also very concerned with the rising online gambling phenomenon. He wants to protect his casino empire. His reach doesn’t stop there, though. He’s a strong and vocal supporter of Israel and a good friend to the Israeli Prime Minister Benjamin Netanyahu. Sheldon also owns two Israeli newspapers; the Israel Today and Makor Rishon. He also owns a newspaper in Las Vegas, The Review Journal, so Sheldon has a fair share of the media market in both Israel and Nevada, right where he wants it. Hearing this, I’m reminded of the great newspaper mogul, William Randolph Hearst, who once said, “You furnish the pictures, I’ll furnish the war.” Meaning a newspaper has a powerful way to shape general opinion and belief. But I’m not gonna go into whether or not Sheldon’s newspapers are slanted one way or another, but for a person who’s so involved in politics, it certainly wouldn’t be a surprise. In his private life Sheldon has a powerhouse of a wife who’s equally supportive of Israel.

Israeli-born Miriam Adelson says her heart remains in Israel and is clearly an influence on Sheldon’s strong pro-Israel stance. Miriam is a medical doctor who specializes in drug addiction, research, and treatment, and has a very nice career of her own. This husband and wife team stand firmly together when it comes to donating their money and supporting political candidates and Israeli causes. Direct, confident, and a little arrogant, Sheldon Adelson is a man with money, influence, and connections, and he’s not a figure who sits quietly in the background. When a CEO of a large corporation like this has such strong political character traits, it can sometimes lead to trouble. In October 22, 2013, Sheldon Adelson was the guest of honor at the prominent Jewish Yeshiva University in New York. The rabbi who led the panel questioned Sheldon on his thoughts on whether America should negotiate with Iran. Here’s what Sheldon’s response was.

RABBI: Alright, so you would support negotiations with Iran currently so long as they first seized all enrichment of uranium?

SHELDON: No. What do you mean support negotiations? What are we negotiating about? What I would say is listen, you see that desert out there? I want to show you something. You pick up your cell phone and you call somewhere in Nebraska and you say okay, let it go. There’s an atomic weapon goes over ballistic missiles in the middle of the desert that doesn’t hurt a soul, maybe a couple of rattlesnakes and scorpions or whatever. Then you say see? The next one is in the middle of Tehran.

JACK: The CEO of Las Vegas Sands, a multi billion-dollar company, just casually suggests that the US should send nuclear weapons into the Iranian desert as a warning shot, following up with a message that the next one will be aimed straight for Tehran, the capital. [BACKGROUND CONV.] [APPLAUSE] It’s bold, blunt, unashamed. Sheldon had just dropped a verbal bombshell. While the collection of students at the talk seemed to respond warmly to his comments, Philip Weiss was in the audience recording the response on video. Philip runs a website called Mondoweiss which some say is controversial. Many critics have said the stories posted to Mondoweiss are anti-sematic and cause controversy. It’s possible that if Philip wasn’t there recording this, this story would have ended right here. But because Philip was there and he caught this on video and he’s a popular journalist, the story does not stop here. [MUSIC] He posted his video to his website Mondoweiss the following day. The national media ate it right up. The Washington Post, Huffington Post, The Atlantic, Mother Jones, and Buzzfeed news all picked up this story and had it up on their website within hours.

Most reports featured the full video, enabling readers to listen for themselves. It turned out it wasn’t just the general public who were listening. A month after the comments aired, the Supreme Leader of Iran responded directly and he told students in Tehran that America should quote, “Slap these parading people and crush their mouths.” Unquote. The Iranians were not happy with Sheldon Adelson. One of Sheldon’s properties is called Sands Bethlehem but this is not the Bethlehem that’s in Palestine. Sands Bethlehem is in Pennsylvania, United States. It’s about two hours north of Philadelphia. This casino is nowhere near the Las Vegas mega resorts but it still has 300 rooms and 3,000 slot machines. Two months after Sheldon’s comments about Iran were broadcast, the IT team in the Sands [00:15:00] Bethlehem resort saw some worrying activity on their computer network. [MUSIC] Someone had scanned their network to see what Sands Bethlehem had on the internet. They found the usual stuff that you’d see a company has; web access to e-mail, and external websites for customers, and a VPN. This VPN was for remote workers who could securely connect into the network and then they’d get access to the internal network.

If a hacker could get into this VPN, they’d have inside access to the network. The hackers started trying to guess the passwords to some VPN users. They tried route, admin, password1, Sands, and a bunch of common passwords. When that didn’t work they tried more complicated passwords like using special characters and numbers. They tried hundreds and hundreds of password combinations to try to get into this VPN but so far they were unsuccessful. The Sands IT security team is good, top-notch. Like hawks, okay; they saw this, they noticed the brute-force password attack and they took action. They enabled two factor authentication for VPN users. This would completely remove the ability for a brute force attack to be successful because you need not only the password but you also need that token code that only the VPN users would have on their phone. This brute-force attack went on for a while and eventually died down. The attackers weren’t done. They looked to see what else Sands Bethlehem had on the internet. They found a curious server was online. When new updates would go onto the official website for Sands Bethlehem, they’d first pass through a staging server. This looks like an exact replica of the live site but it’s where new changes can be staged and is there for testing purposes.

The attackers found this server and they attempted to see if that staging server was vulnerable to some exploits. The hackers exploited that server and gained access to it. They were in. [MUSIC] But just getting into one server usually isn’t enough; you now need to figure out how to laterally move or escalate your privileges and find something else. The hackers saw some other servers to try to get into but they didn’t have any usernames or passwords to try to log in. They used a tool called Mimikatz. Mimikatz is an incredible hacking tool and here’s how it works. On a Windows computer, when you log into it, it stores your password in clear text in the RAM. That’s just by design. That’s Windows normal behavior and Mimikatz knows exactly where to look to dig that password out of memory. What this means is that if you run Mimikatz on a vulnerable Windows computer you will get a list of all users and their clear text passwords that have ever logged into that computer since it’s been rebooted. This is huge.

I don’t know why but for some reason Microsoft refused to fix this vulnerability for years. There was literally nothing you could do about it so these hackers ran Mimikatz on this web development server and from there they were able to see the usernames and passwords of web developers and IT admins for Sands Bethlehem. These are the people who probably have access to a lot of IT infrastructure within the network. This gave the hackers access to a lot of the network. They quickly discovered that Sands Bethlehem was completely isolated from the main Las Vegas Sands network in Nevada. They could not find any tunnels or connectivity between the two locations. The hackers were on some kind of mission and access to the Sands Bethlehem network was just not good enough. They needed access to the main data center for all of Las Vegas Sands. They looked at the usernames and passwords that they harvested through Mimikatz and started trying to see what they had. They found that for remote users to get in the Las Vegas data center, there was a VPN for them to connect to. The hackers tried these usernames and passwords they had from the staging server to try to connect to the main data center VPN in Vegas.

Sure enough, one worked. [MUSIC] A senior Sands IT administrator had visited the Bethlehem site and did some work there recently. Now that the hackers had that person’s login information, they were able to use it to get into the main Las Vegas network. From here the hackers analyzed the network and established a firm foothold in it. They gave themselves a persistent connection to it in case that password was to change. The hackers continued to analyze the network in building a map of what was there, and they were very quiet the whole time and were careful not to raise any alarms. A few weeks later on February 10th, 2014 the hackers made their move. Inside the LVS network they set off a piece of code custom-written in visual basic, a wiper code with the goal of destruction. [MUSIC] It worked its way through the network, accessing, copying, and deleting all the data as it went. The data wiped from the hard drive was replaced with useless nonsense code, making it almost impossible to recover. While the wiper code silently crept through the network, staff computers started crashing.

Phone systems stopped working and IT teams were flooded with calls telling them the same thing from frantic staff members. For a network the size of LVS where they had thousands of staff and computers and communication systems, this was probably the absolute worst nightmare [00:20:00] for the IT security team. Computer systems at LVS were in total chaos. The cyber incident responders who worked at LVS kicked into action. The analysts were sent off to figure out where the attack was coming from and how to block its path. Hundreds of IT staff at Las Vegas Sands were working together try to try to protect the valuable servers, the data centers, the networks, and LVS itself. By the afternoon of February 10th, IT security staff realized that hackers were in the network. File logs told them that sensitive files were being compressed and downloaded. Not only had the networks been breached and firewalls been knocked through and servers exposed, but hackers were now actively downloading the data on customers and guests and staff and gamblers, like the exclusive Invitation Only members list; it was stolen.

Social security numbers were stolen, drivers license details were stolen. The list goes on and on. But while sensitive data was being stolen, what the IT security engineers had to focus on was keeping those critical systems up so that the casino and hotel could stay operational. The gaming tables and slot machines and access to hotel rooms and electronic door codes and the retail outlets and the elevators leading to the fifty different floors, payment stations, card machines, and all that relies on a stable and functioning network. But the network was crumbling away like a sand castle falling over. Las Vegas Sands, the biggest casino operator in the world, had to consider that they might have to stop everything and tell their visitors to leave and close the doors. At this point, realizing the scale of the hack and the seriousness of it, Sands President Michael Leven ordered IT systems staff to sever LVS from the internet entirely. This was a desperate bid to stop the attack and limit the damage. The ten websites owned by LVS did not escape the hackers’ attention.

In the blink of an eye the Las Vegas Sands websites were morphed into something entirely more sinister. The LVS websites had a message emblazoned across it saying, “Encouraging the use of weapons of mass destruction under any condition is a crime.” Another website said, “Damn, eh? Don’t let your tongue cut your throat.” By now there was no question that this cyber-attack was personal. While all this was happening behind the scenes, the functioning of the Venetian and Palazzo in Vegas did continue with guests in and gamblers blissfully unaware of what was going on. Because the determined efforts of the security IT staff and the fact that hackers missed the IBM mainframe, guests were able to continue gaming, access their hotel rooms, and purchase things from the retail stores. But the IT staff made a strategic move to go to the data center and start unplugging key servers entirely to stop this wiper virus from spreading to them. The network engineers began frantically pulling Ethernet cables from servers. This wiper virus was on a mission to infect and spread to as many systems as it could and delete the data on those computers, targeting just Windows machines.

This meant that user’s computers were going down and servers that run Windows like SharePoint and e-mail and shared drives were probably going down. Early on in this attack the wiper virus hit the active directory server in Las Vegas and completely wiped it out. It then tried to spread to the Sands properties in China and Singapore to wipe them out too but by knocking out the active directory server in Las Vegas, it completely severed the connections to China and Singapore. By complete accident it made those networks safe from this attack. This destruction was confined to just Sands Bethlehem and the main network in Las Vegas. The next day the Las Vegas Sands websites were just offline entirely. Physical hardware had been disconnected, cables were pulled out of machines, and the LVS servers were compromised. It took the IT security team which might be as high as 1,000 members strong almost a full week to re-establish connection securely to get Las Vegas back up and running fully. This outage was noticed by some people so publically the company spokesperson had to say something to reassure their customers if nothing else.

They chose to play down the attack by announcing it was just vandalism targeted at their websites and some damage to the background office systems and e-mails. But when the hackers heard this it didn’t sit well with them. The hackers responded with a ten-minute long YouTube video highlighting Sheldon’s exact comments and showing a number of files, and folders, and passwords, and details that they had accessed and stolen during the attack. They wanted the world to know that what they were doing is much more than mere vandalism and the reasons why they were doing it but that video was removed by law enforcement very soon after it was uploaded, but not before it had been viewed a few thousand times. The cyber-attack on LVS was clearly designed to immobilize and destroy as much of their server and network capacity as possible. The goal here was to hit Sheldon Adelson right where it hurt the most. So who did it? The messages left on the defaced LVS website provide the first obvious clue. Sheldon’s comments about nuclear weapons in Iran clearly provoked some anger there. In 2015, a year after the attack, US Director of National Intelligence, James Clapper, addressed this exact hack in a senate hearing. Here he is.

JAMES: 2014 saw for the first time destructive cyber-attacks carried out on [00:25:00] US soil by nation state entities marked first by the Iranian attack against the Las Vegas Sands Casino Corporation a year ago this month, and a North Korean attack against Sony in November. These destructive attacks demonstrate that Iran and North Korea are motivated and unpredictable cyber-actors.

JACK: Whoa, whoa, this is crazy. While LVS itself refused to address that this cyber-attack even occurred publicly, here we have through an official channel that not only was LVS a victim to a cyber-attack but James Clapper is saying that the people who did it was the Iranian government itself. Not just some activists, but this was carried out by the Iranian military or something. This raises all kinds of new questions; why would a government spend resources to attack a private company? Was this the same wiper virus that Iran used to attack Saudi Aramco? Why didn’t the Iranian government take credit for this attack? But then on top of that, Director Clapper said that this was the first ever destructive cyber-attack on US soil that was conducted by a nation state actor. I think the keyword here must be destructive. In Episode 19 I go over an attack that China did on Google back in 2009. You can even go back thirty years ago to an attack called Moonlight Maze which was Russia hacking into a US Air Force base. But I guess those weren’t destructive in nature. Maybe this was the first ever destructive cyber-attack on US soil done by a nation state actor.

But if the Iranian government is behind this, it’s interesting because Stuxnet was a US attack on Iranian soil. Maybe this is Iran kind of flexing a little, showing that they have cyber-attack capabilities and this is kind of a response to Stuxnet. But if that’s the case, it’s really troubling that a private company has to face the wrath of a nation state actor. But it’s really hard to know exactly what the motives are behind this attack. Was it just a simple provocation that Sheldon did? Was there something more to this? For LVS, even though we know where the hack came from, I still can’t get over the fact that the CEO of a Fortune 500 company managed to talk himself into this huge amount of destruction and damage. The attack on Las Vegas Sands wiped out almost 75% of the company’s networks and servers, rendering much of their equipment and workstations useless and valuable data was just wiped. But the damage went deeper than some crashed computers; Sands President Michael Leven confirmed it took more than forty million dollars to fix the damage by building new systems and recovering from the data lost. This was no small cyber-attack and if the hackers’ intention was to disrupt and destroy, they achieved their aim.

Las Vegas Sands were keen to keep the details of this attack under wraps which they managed to do so for almost a year. But there was an article in Bloomberg Businessweek that exposed the hack and laid bare the true scale of this attack, but neither Sheldon Adelson or any LVS spokesperson commented on this article at all. People kept pressuring LVS to say something about the remarks that Sheldon said about Iran, so a spokesperson did say something in the Las Vegas Review Journal which is a newspaper that Sheldon owns. The spokesperson said that Adelson’s comments were not meant to be taken literally; he was simply trying to say that actions speak louder than words. But I think the moral of the story here is that words matter. Las Vegas Sands did eventually confirm that they suffered a large-scale cyber-attack in February 2014 and named its computer networks in the US as the target. In their annual report of 2014 it said both the FBI and the US government were investigating this sophisticated cyber-attack and were working with IT system experts to investigate what had happened.

In the year since this hack, LVS has made no further comments. The IT security teams like the one at the Las Vegas Sands have their work cut out for them for battling against such sophisticated threats and hackers who seek to destroy rather than steal. When the CEO of a company speaks publically and gives such incendiary remarks, there are risk assessors within the company that might tip off the security team to let them know the risk profile is higher than normal and they need to secure the networks and servers to be a little bit more tighter and protected. But when the hackers are playing the long game, watching and monitoring and lying in wait, and when they do get in and wreak the kind of destruction and havoc they did here, it leaves an almighty mess for even the biggest and best IT security teams to clean up.

JACK (OUTRO): [OUTRO MUSIC] You’ve been listening to Darknet Diaries. If this show brings value to you please consider donating to it through Patreon. There you can get a bonus episode, an ad-free feed, and stickers. This episode was created by me, just a plain old sock monkey, Jack Rhysider. I got some writing and research help this episode from Fiona Guy, and the theme music is created by the beat farmer, Breakmaster Cylinder. See you in two weeks.



Transcription performed by LeahTranscribes