Today, we're talking with Andrew.

I'm a digital forensics and incident response consultant.

Andrew works on a team that does incident response. Once malware is detected on the network, it's up to him to go in, study the malware, and remove it. Andrew, do you like doing this kind of work?

I love it. It's wonderful. It's very exciting work. There aren't many positions where you can be working on a client system and actually the threat actor is on there at the same time as you're trying to move files around and you are trying to thwart them in a toe-to-toe scenario. It can be very exciting.

This is Darknet Diaries. True stories from the dark side of the internet. I'm Jack Rhysider.
Andrew works for a security assessment and digital forensics company. Other companies hire his team to come in and do security work. It's actually pretty common for a company to outsource their security team to someone else. It's expensive and hard to maintain an internal group of security experts. So Andrew is often seen traveling around, taking care of threats in his clients' networks. And he wants to share an interesting story with us today about the time he faced a hacker in a company that develops cutting-edge technology.
The client is a global firm, it's a technology firm. We had to go on site at one of the European bases to work with a team there.

We won't give the name of the company, but this company in particular spends a lot of time and money developing new technology. They have a full R&D department and are working on cutting-edge tech. In fact, they're developing tech that no other company is developing. So one of their most precious assets is intellectual property, otherwise known as IP. So the company wants to make sure there aren't any hackers stealing this information.
It started off as a compromise assessment.

Sometimes companies hire a security team to examine the network to see if there's any evidence that a hacker is in the network.

They wanted us to go in, put some stuff in their network, put some stuff on their endpoints, just have a look around, use the intel that we'd already built up in the team during the engagements that we'd done previously, and just basically have a look around and see what came out.

So the team starts examining the logs in the network and they look at different security devices and network activity.

The security assessment involves using intel that my colleagues had seen elsewhere and in other engagements for APT groups, and they spotted a few pieces of evidence, which I'm not sure exactly what it was. It may have been a specific piece of malware that they'd seen elsewhere, but they were able to identify that there was an active threat actor in that client's environment.
He mentioned APT and threat actor. This is the worst kind of hacker to find in your network. The term threat actor is just a fancy way to describe someone who poses a threat to your network. But an APT stands for advanced persistent threat. And it describes a group of highly skilled and motivated hackers that have a specific goal of what they want to accomplish. But what's more is they often have significant resources, such as being sponsored by a nation state or simply well funded.
So I've been told it's state sponsored. I mean, it's in the east, I guess. The group itself has been known to infiltrate other technology companies.
To be attacked by an APT means you're facing a very skilled and serious attacker who likely won't go away easily. It's extremely difficult to detect an APT in the network. Someone has to have studied that APT for months or maybe years to understand the malware they use and their tactics, and then publish that data to the world. Then if we detect certain malware in the network, we may be able to link it back to that specific APT. But the problem is once that report gets published, other people have access to those techniques too, and the APT group may change their tactics to be more covert. In this case, the malware found in the network matched exactly the same malware that someone had published in a report, which linked it back to that APT group.

So we spun it up to the company that I work for, spun it up to a follow-on incident response engagement. And I came in as part of the team that was doing some of the forensics work, so they would ask us to take a look at the data that they were collecting.
This process is fascinating to me. The forensic team first identifies and isolates the malware, and they study it, and they develop a profile for that malware. Things like file size, file names, and the activity the malware is doing. Is it reaching out to the internet? Is it trying to access something internal?
Is it using specific ports? All this gets collected, and so now we know the indicators of compromise, or IOCs. This is given to another security team, which they can use to look for those IOCs in the logs, which would then reveal more places this malware has been in the network. These teams would continue to feed each other information to learn and detect more and more about this APT in the network. And then that went on for a few months. Why not remove the malware right away?
And it's a good question. We do get asked a lot why we don't immediately remediate. The client environment, it's a global company. They have a lot of satellite offices, quite a complex infrastructure. So what we would do, and this is quite common for all IR companies, is that you'll have like a monitoring period or a discovery phase where you will look for where the threat actor is active in the environment, what tools they are using, try and identify how many back doors these people have into their environment. We wanted to get as accurate a picture as possible as to where they were active, where they were coming in, where their ingress points were, where they were moving data out, because we had seen that. Just so when we came to remediation, it wasn't the case that we were removing some of their infrastructure only for them to come back in the following week somewhere else that we hadn't seen. The other concern there is that they know that we are onto them. Once you do that remediation, once you do that kick out, they know you're onto them and they will change their tools and their tactics and their procedures, and that makes you blind, I guess, depending on what else you implemented. So, for a threat actor, or for any adversary, to know that you're on to them and you remove what they have used in an environment, if they have a backup plan, they'll go to that, whether that's immediately or over a period of time that they leave lapse before they come back in.

So the team spends a few months researching this hacking group and what they're doing, and what was discovered confirms the company's worst fears.
So they were looking for R&D systems, so they were looking to exfiltrate and they did exfiltrate some intellectual property.
This hacking group not only successfully broke into the network, but they're successfully exfiltrating, or stealing, the latest cutting-edge technology from the company. For a tech company that's this advanced, having their intellectual property stolen is a huge problem, which may have millions of dollars of impact to the company.

I don't have a financial amount, but there was a lot of concern simply because they were working on, you know, sort of next-gen killer tech, I guess, which if in a competitor's hands or in any other company's hands would obviously affect the performance of their company quite significantly. But I mean, it's the same with every client that we've ever worked with. They don't want any kind of exfil at all. But this specific one, we saw quite intensive interest in their R&D department.

The company was terrified that their IP was being stolen and wanted the malware removed immediately. But the security team still needed to understand the threat and study it further. They weren't ready to remove it.

So we saw that they were active and we did a lot of forensic work. We did a lot of deployment into different areas. And like I said, we built that knowledge package up for remediation. Now, I became involved in 2015, and the earliest evidence that we found was in 2010, and that wasn't the entry point. That was just the earliest sign of activity that we could find. So we had evidence to suggest that the threat actor had been in there for five years, at least. The evidence we found, I think, was some file activity on one of the drives, which somebody had dated as 2010, which could have been planting something. I don't know the details of it more than the date, I'm afraid, because I remember sitting in the boardroom with the client in their office, and there was a team of us there, and we kind of broke it, and 2010 was the earliest we could find. It kind of hits home that for half a decade somebody has had access to their environment without their awareness.
How did the client take this kind of news?

It was a mixed response. Some of the people there got angry and wanted to know why we weren't remediating immediately, which comes back to your original question. Then there were others who were on board: how do we progress this? What are we seeing? What do we do next? There was fear, obviously, because, like I said, a technology firm, they have their R&D, and they want to be the best in the market, and they want to know what's being exfiltrated out the door. But if we're only coming into their environment in, I think it was early 2015, before I started, like I said, that's half a decade that this entity could have been moving data out. So it was a mixed bag of emotions, and all completely understandable. At the end of the day, we're strangers sitting in a room telling them that this has been going on for a long time, but that we are not in a position yet to remediate because we're not ready. It's a difficult subject. It's a difficult topic to discuss with any client.

So the security team goes back to studying the APT to collect even more data.

We were still seeing activity during the examinations, during the monitoring phase, during the discovery phase. And it was quite interesting because they were active. We could see lateral movement. We could see them doing things like basically logging in to make sure that their stuff was still sitting on the endpoints, that they could reach out to certain C2 communications, updating their tools. It's interesting to see them do it, because these guys in the background are logging in and making sure that they're still running and deploying newer versions. I don't really want to say it was interesting to watch, because obviously this is a company's livelihood, but from a detached perspective, watching how they functioned was very interesting.

So now that a few months have gone by, the forensics team feels confident enough that they've collected enough information that they can remove the APT from the network once and for all. They've discovered the potential ways it got in and what logins it's used and where it's gone and what it's done. So it's time to remediate and finally kick this hacking group off the network. But all of a sudden, the activity from the APT stopped.

In the weeks up to the remediation, the threat actor had gone quiet, had gone very quiet. We weren't seeing any kind of movement. We weren't seeing anything really, which usually means that they either succeeded in what they came to do or, you know, something else.

So Andrew and his team are all ready to clean this off the network, but he has to fly to the office location to do the remediation. So he packs his things and heads to the airport. He's scheduled to do the remediation in just two days.
I was sitting in the airport waiting to fly out, and my colleague phoned me. He was supposed to have been coming out with me, but he had some last-minute issues and couldn't be out there. There were a few of us going out, but he couldn't make it with me. He phoned me up and he said, have you seen the news? And it wasn't headline news, it was just a kind of financial news, where the firm that we were working for had been the subject of a buyout, a very expensive buyout attempt, by a company that was from the same part of the world that we believed the threat actor was from. As soon as my colleague phoned me in the airport, I told everyone else that I was flying out with, and it was kind of a, ah, I wonder, you know, penny drops kind of thing. And I know this is obviously, I mean, it's a what if, right? We don't know for sure. But the timing to me seemed, you know, awfully convenient. And like I said, for the last couple of weeks, the threat actor had gone quiet. And then all of a sudden, out of the blue, came this attempt at a buyout, and it was for a phenomenal amount of money, a phenomenal amount of money. And, you know, it came as a surprise to everyone. But when I actually told the people I was working with, it was that kind of, yeah, I wonder if that was what was going on.

And that got me thinking about how these companies, they get compromised by these state-sponsored groups as a means of due diligence, I guess. Has the company, how much are they worth? What kind of IP do they have? What's their R&D department look like? As a means of, should we buy them? Can we make money off it? The client has designed something where it could be the next big thing. It really could be the next big thing. It just makes me wonder whether or not they are the subject of these compromises as a means of some other third party conducting due diligence. Because there have been a couple of things in the media where companies that are being genuinely purchased have inflated their figures prior to acquisition. If you're compromised and they're in there looking at your accounts, I guess, and what you've got going on there, I mean, that's a perfect opportunity to get what a company is worth and feed that back to whoever. So that was my train of thought on that.
As far as remediation goes, it was very quiet, touch wood. We didn't hear anything after that. Once you do a remediation, you're kind of on high alert for some kind of activity afterwards, whether the threat actor realizes you've closed them out of the environment and then tries to make their way back in. And that's a good opportunity to look for stuff that was, you know, there's no other way of putting it, stuff that was missed during the monitoring phase, the discovery phase. But that one was very quiet.

So did they accept the buyout offer?

Yes, they succeeded in buying the company. Yeah, it just gets you thinking. Hacking is like a business, for everything I've seen. I've never worked on an engagement where there's been any destruction to data, any corruption, any deletion. There's been no, while theft, I guess, in itself is malicious, I've not seen anything beyond theft. I've never seen the cyber vandalism or the hacktivism or anything like that. It's always been attempts at theft of intellectual property. And I think that's a business. I think in the real world, in the above-board world of business, people steal ideas every day. And I just think this is another form of it. And I think companies need to think differently to the way they are right now about how these groups and their sponsors are thinking. It's all about money. It's all about money.

You've been listening to Darknet Diaries. For show notes and links, check out darknetdiaries.com