2019-10-22, 13:15–14:00, Europe
Ever wonder what incident management is like when an embassy gets hacked, by ISIS? Come on a journey of surprisingly weak security, insider threats, a 50 million dollar extortion attempt, diplomatic immunity and a city-wide security lockdown, all while 400+ dignitaries' lives dangle in the negotiation crossfire. Join Chris, the lead investigator and resolver, on a super-secret squirrel adventure against ISIS & Turkish Intel in The Hague, The Netherlands, discussing the 2014 Saudi Arabian embassy hack. Whoever said STEM was boring made it boring! Solve the crime and save lives with key takeaways from a real-life cyber terrorism investigation. No classified information will be shared; some terrorists were harmed in the making of this talk.
A presentation about the following two articles and the unclassified portions of the original report I wrote for the Kingdom of Saudi Arabia, the Saudi Embassy in the Netherlands and Saudi Aramco.
A few years ago, I led an unusual digital crime incident investigation, a mix between cyber crime and cyber terrorism, which left the events etched in my memory banks. Finding oneself in the midst of terrorist groups and high-level political intrigue as a security expert and all-round hacker seemed more fitting for a warped version of The IT Crowd.
An embassy in a European country had been hacked, pwned hard. The back-end official business email account was targeted and subsequently misused by miscreants, who sent out emails as if they were from the Ambassador's trusted Secretary. Using the compromised account, the attackers attempted to extort additional visa fees from select VVIP applicants. Time was of the utmost importance. I quickly assembled a team: myself and one other person, a senior forensics expert and rockstar. We immediately travelled to the location and began the investigation.
The embassy in question was highly distrustful of both the local police and the local Diplomatic Corps Police, a separate branch of police for embassies and diplomatic staff. The embassy email account was high value: it gave the attackers access to contacts and communications and could lead to maximum damage to reputation. There were non-repudiation concerns as well.
It was the embassy IT person's first week on the job, and the previous person had given zero handover; they couldn't even get in touch with the previous person. The embassy IT person had zero security experience, pure IT, but was willing to do just about anything to stop the attack. Stopping the damage, stemming the bleeding and securing the email account was the top priority.
“What's the username and password?” I asked, expecting some super-duper 26+ character, two-factor authentication credential set, a virgin blood sacrifice, and that the attackers were super spies. Answer: firstname.lastname@example.org, password 123456. Yes, 123456.
We investigated further; my forensics person checked around, taking samples and running network checks via taps. Even though Windows XP was rampant, no real anti-virus was installed. They relied entirely on Microsoft Security Essentials. How good is MSE? “In June 2013, MSE achieved the lowest possible protection score, zero.” We changed the password, thought the worst was over, job done. Lucky for them, only two systems had any internet access, and those were on a closed network, separate from embassy government operations. Embassies frequently host intelligence services in addition to diplomacy. Glad there was a real separation, almost an air gap.
A few weeks later, as life was getting back to normal, another summoning. At this point, I was never going to eat my lunch. What began as some dodgy emails trying to fraudulently acquire extra visa fees using the embassy email account grew exponentially. This time, an email went out, again from the official embassy email account and signed as the Ambassador's Secretary, to a handful of friendly embassies asking for 25 thousand euro in the name of a friend of ISIS.
Back to the location again, this time alone, to try and sort things out. Forensics was no longer required. The Ambassador was concerned it was an insider, as was I. As if we were in some sort of comedy skit on the BBC, we waited until everyone else had left the embassy after it closed for official business. Then the comedy began: crouching down on our hands and knees looking for passwords written on post-it notes, under desks and in other places. We were looking for embassy employee credentials so that I could use their logins to investigate certain employees further without their knowledge. By we, I mean the Ambassador and I. Never in my life had I expected to see an Ambassador sifting around dusty desks with me, on hands and knees.
We began to liaise with the Diplomatic Corps Police to a limited extent, at arm's length at all times; trust was strained. It took a great deal of effort, and meetings with the Ambassador, to speak with any outside party.
Unfortunately, the attackers somehow still had access to the embassy email account. The Diplomatic Police, sending via CC rather than BCC, gave away all the other official embassy back-end email addresses. Then the real fun began. The attackers quickly capitalized on the faux pas and sent an email back to everyone, spreading the fear. What began as a few hundred euro grew to 50 million USD.
The threats grew to not-so-casually mentioning a big private event that the Ambassadors of the USA, UK and Japan, 400+ dignitaries, staff etc. were slated to attend. If the money wasn't paid up, the event would blow in more ways than one. During this time, the attackers took a particular and personal interest in the Ambassador's Secretary, prompting the regular police to become involved for a split second. The regular police had no jurisdiction or authority in the matter and were warned to back off ASAP.
Quietly, and unbeknownst to the residents, the city was put on alert, embassies were locked down, and every person passing by was treated with suspicion. I even had the joy of not one but three “Cultural Attachés” of an ISIS-friendly embassy trying to befriend me at a pub I frequented during the investigation. One gave me a very personal gift, a set of Islamic prayer beads, which I promptly had checked for bugs. The trio didn't drink alcohol but would sit patiently in the pub, drinking tea for hours until I arrived. They said they wanted English lessons, but all spoke English.
Eventually I was able to gain the Ambassador's trust to further interrogate some of the digital assets and accounts. This was quite unusual, as I was not a citizen of the country in question. They allowed me to take an asset back to my lodgings. After getting comfortable and trying to relax, a glass of wine in hand: eureka, I found it! The attackers still had access to the embassy email account because they had set up a back-end email forwarder. Back-end email forwarder closed, email account secured, evidence gathered. We then went on the hunt for who was behind the attack, hop by hop, following each step back over multiple countries. The suspect(s) were isolated, placed under surveillance and effectively neutralized. Months later I was invited to a private embassy function. In the end, I was the only one blown away, by the Ambassador's gift.
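As an added example (not code from the original article or report), this is the kind of check that finds the persistence described above: a Python audit of exported mailbox forwarding configuration that flags mailbox-level forwards and inbox rules sending mail to a domain outside the organisation, scoring forward-and-delete rules highest because the mailbox owner never sees the diverted mail. The organisation domain example.org, the platform-neutral rule shape and the sample mailboxes are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Assumption (not from the article): the organisation's own mail domain(s).
ORG_DOMAINS: Set[str] = {"example.org"}


@dataclass
class MailboxRule:
    """One inbox rule in a platform-neutral shape (an assumption of this example)."""
    mailbox: str                                          # owner of the rule
    name: str                                             # rule name shown to the user
    enabled: bool = True
    forward_to: List[str] = field(default_factory=list)   # forward/redirect targets
    delete_after: bool = False                            # rule also deletes the message


@dataclass
class Mailbox:
    address: str
    forwarding_address: str = ""                          # mailbox-level forward, if any
    rules: List[MailboxRule] = field(default_factory=list)


def is_external(address: str, org_domains: Set[str] = ORG_DOMAINS) -> bool:
    """True when the address' domain is not one of the organisation's own."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    return domain not in org_domains


def audit_mailbox(mbox: Mailbox, org_domains: Set[str] = ORG_DOMAINS) -> List[Dict]:
    """Return one finding per forwarding path that leaves the organisation."""
    findings: List[Dict] = []
    # A mailbox-level forward survives a password change just like an inbox rule does.
    if mbox.forwarding_address and is_external(mbox.forwarding_address, org_domains):
        findings.append({
            "mailbox": mbox.address,
            "kind": "mailbox-forward",
            "rule": None,
            "targets": [mbox.forwarding_address],
            "severity": "high",
            "why": "mailbox-level forward to an external domain",
        })
    for rule in mbox.rules:
        if not rule.enabled:
            continue
        external = [a for a in rule.forward_to if is_external(a, org_domains)]
        if not external:
            continue  # forwarding inside the organisation is normal business
        # Forward-and-delete hides the diverted traffic from the owner entirely.
        findings.append({
            "mailbox": mbox.address,
            "kind": "inbox-rule",
            "rule": rule.name,
            "targets": external,
            "severity": "high" if rule.delete_after else "medium",
            "why": ("forwards externally and deletes the local copy"
                    if rule.delete_after else "forwards to an external domain"),
        })
    return findings


def audit_all(mailboxes: List[Mailbox], org_domains: Set[str] = ORG_DOMAINS) -> List[Dict]:
    return [f for m in mailboxes for f in audit_mailbox(m, org_domains)]


# Constructed sample data: not a real export; all addresses are placeholders.
SAMPLE_MAILBOXES = [
    Mailbox(
        address="secretary@example.org",
        rules=[
            MailboxRule("secretary@example.org", "Visa queue",
                        forward_to=["visa@example.org"]),            # internal, benign
            MailboxRule("secretary@example.org", "Sync",
                        forward_to=["relay@mail.example.net"],
                        delete_after=True),                          # the persistence
        ],
    ),
    Mailbox(address="consular@example.org",
            forwarding_address="archive@example.net"),               # external mailbox-level forward
    Mailbox(
        address="it@example.org",
        rules=[MailboxRule("it@example.org", "Old", enabled=False,
                           forward_to=["me@example.net"])],          # disabled, ignored
    ),
]

if __name__ == "__main__":
    for f in audit_all(SAMPLE_MAILBOXES):
        print(f"[{f['severity']}] {f['mailbox']} {f['kind']} {f['rule'] or ''} "
              f"-> {f['targets']}: {f['why']}")
```

Run it as a script to print the two findings from the sample data. On Exchange or Microsoft 365 the raw data for both layers comes from Get-Mailbox (ForwardingAddress, ForwardingSmtpAddress) and Get-InboxRule (ForwardTo, RedirectTo, ForwardAsAttachmentTo, DeleteMessage); other platforms expose the same two layers under different names. The lesson of the story is that resetting the credential alone leaves an existing forward in place, so clear both layers with the reset and re-check a few days later.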
Further investigation by J.M. Porup, a reporter for CSO Online, revealed that the rootkit in the original report had been used by some nefarious groups, possibly pointing to the suspected insider having had outside help.