Cyber Crime Junkies

The Undetected. Espionage and Spies.(Part 2)

• Cyber Crime Junkies - David Mauro • Season 5 • Episode 62

Inside Espionage What Every American Should Know. Inside Truth Behind Data Breaches.

There is a bigger story behind some breaches:

1. The Anthem breach
2. The Equifax breach
3. The breach of the OPM (Office of Personnel Management) for the US government
4. Marriott International

The Impact of Chinese Espionage on US Businesses and Innovation 

Inside Espionage: What Every American Should Know 




 


[00:00:00] Espionage, hackers and spies. Today's Cyber Crime Junkies episode involves true stories of secret espionage behind certain major breaches and what Chinese espionage means to America.

It was a sunny, hot, humid afternoon in Shanghai, China. The man folded his piece of paper while walking out of a crowded market.

Pushing past an elderly woman mumbling to herself in a regional dialect, as he hurried down the street, beads of sweat began to run over his brow. He thought to himself, "What are they asking me to do? Will the morality police arrest me? Send me off to a work prison if I don't do this? But my family needs the money. I have to get this done."

He confided in a friend by burner phone later on that day. "Of course I loved my childhood in the Midwest and believe in the United States. [00:01:00] I enjoyed growing up there. But I have to look out for my family, man, and I have to do what's best for me."

He knew he had access to certain systems that, if turned over to the Chinese government, would be devastating to U. S. citizens, causing private confidential personal information to be in the hands of people who would track, hunt and watch every move of those unknowing Americans for decades to come, using it against them as they pleased.

He also knew his life was in shambles. 

He hadn't eaten for days due to paralyzing anxiety.

His wife has stage 4 cancer. Their house is nearing foreclosure. His 12 year old autistic daughter needed treatment and his moderate government salary was causing his family to drown in a sea of [00:02:00] crippling debt. What happened next changed the trajectory of foreign relations. It led to U. S. indictments of several key Chinese government official computer hackers and ruined the lives and privacy of tens of millions of Americans.

This is Cybercrime Junkies. I'm your host, David Mauro.

And now the show.

(INTRO-MUSIC)

[00:00:00] So what is the difference between breach and espionage? There are data breaches and then there is cyber espionage. The difference between a breach and espionage lies in the use of the stolen data, the modus operandi, the way and mannerisms that the criminals used, and international law, treaties and sanctions.

The ripple effect can be in the loss of life, imprisonment of people involved, the loss of billions of dollars above and beyond the cost of remediating the data breach and systems involved themselves. The core cyber military people we are discussing today are allegedly working for the Chinese government.

But as we all know, there are equally dangerous organizations from the Russian [00:01:00] regions and North Korea. We'll touch on those toward the end, as there's recent news involving those as well in this same topic. The cyber security implications of all of these are monumental. A few main data breaches that hit the news in the past few years are discussed usually in terms of the data breaches themselves, the amount of data that was exfiltrated, which, as we always point out, is a fancy way of saying it was stolen.

Um, the impact on the users and the wonderful free credit monitoring that people receive and how bad the security either was or was not that led up to the breach. Thank you very much. But there's a bigger story behind certain breaches. The ones that are ignored or silenced in regular common media. Why?

Because there might be reasons. There might be national security reasons, or it just might [00:02:00] not be something that is the flavor of the day. It might be taken the place of by some Kardashian news or something else, right? But the breaches we're going to talk about today are important, because it's much more than just the breaches.

We're going to talk about the Anthem breach, the Equifax breach, the breach of the OPM, which is the Office of Personnel Management for the U. S. government, and the breach involving Marriott International that happened in 2018. In many specific ways, and you will see, these breaches were all related, because these breaches have widely been reported in the media as simply data breaches.

Massive thefts of data to be sold on the dark web. But there's a story behind the story, and that's what this is about. But what is it? What's really happening here? As U. S. Attorney Bill [00:03:00] Barr said on the one hand, quote, This data has economic value, and these thefts can feed... China's development of artificial intelligence tools, as well as the creation of intelligence targeting packages.

We're going to explore what that means, right? And it's even more than that. And what's surprising is what some of the ultimate charges that are brought against the people that have been identified that work for the Chinese government show in those documents, and what they don't show to the American public.

So let's walk through each breach. High level, business sense discussion without getting too technical. And let's talk about them in chronological order. I mean, it's better to listen to a timeline that happened in reality anyway, right? It's always easier to listen to something in order as it happened in real life.

So, [00:04:00] the Equifax breach. Even if you're not familiar with who Equifax is, you certainly have experienced their services. More importantly, you, dear viewer or listener, are most likely a customer of Equifax and were affected in this breach. You may not even know that. Have you ever borrowed money for a car, rented an apartment, or bought a house?

If so, you know that they run a credit report and that report gives you a score, a number, a FICO number, right? A FICO score. That's a combination of three main credit bureaus, companies that track all of your spending payments report. If you pay a bill three days, 30 days late, 60 days late, if you've ever been evicted, suffered a bankruptcy, they have it.

All of the dates, all of the payments. They have everything about you. [00:05:00] In school, we got grades, right? As an adult, you have grades too, and that's your FICO score. You have a FICO score, and to have a FICO score, you get those scores from those three main credit bureaus, TransUnion, Experian, and our wonderful subject of today's conversation, Equifax.

In March 2017, personally identifiable data of more than 140 million US citizens was stolen from Equifax. 140 million. The breach exposed several scandals and launched Equifax to the very top of the list as the poster child of what not to do for security for an organization.

Equifax was criticized for everything, [00:06:00] ranging from their terrible security posture to their alleged insider trading by executives and bumbling response to the breach. Most importantly, the question of who was behind the breach has serious implications for the global political landscape. Like watching a slow train wreck, a major data breach like Equifax involved international cyber espionage.

It's the type of disaster resulting from a series of bad decisions. And like a slow train wreck, people can't help but watch.

[00:00:00] Into the details, or researching more. Our research involved dark web mining, and we strongly discourage you from doing that. But there are also some surface web resources, like an article from CSO Online, a detailed report from the US General Accounting Office, in-depth analysis from Bloomberg Businessweek, as well as several other articles which we will link in the show notes.

So, getting to the Equifax data breach, here's basically what happened. Equifax was initially hacked, compromised, through a common vulnerability, and they simply failed to patch that vulnerability. It had been something that was widely known in the security and IT and tech space to simply patch.

When we say patch, all we mean is, you know, on your desktop when it says you have an update, like your MacBook has an update, your iPhone has an update, right? You need to do those things within a reasonable time. Why? Because [00:01:00] there are usually security implications and things like that. And now there's a whole host of practical reasons why people delay.

Because usually they need to test those patches, because when you patch something, it may break something else. But they didn't even do that. One single IT resource failed to patch what was commonly being patched across the industry at the time, and then they ran another scan, right? And they did that, what is said to have been done improperly also, and they failed once again to patch that. So now you have common exposures that anybody, any moderate level skill set hacker or threat actor or some hacktivist or somebody curious, would be able to get in, and this is a big company with a lot of things, you know, in their possession.

What we just saw is like two or three different layers of [00:02:00] common basic hygiene that just wasn't done. Now enter China. And I don't mean the people of China at all. When we talk about this, we're talking about the Chinese government, the communist government of the country, China, and their cyber mercenary team.

The attackers were able to get in, right, exploit this vulnerability that was left unpatched and then scanned and left unpatched again, and they were able to move from the Equifax web portal to other servers throughout the organization. And here's yet another poor security act by Equifax: the systems weren't adequately segmented from one another.

So once they got in through the web portal, [00:03:00] they were able to access the keys to the kingdom, right? Which is a basic fundamental tenet not to do. These threat actors were able to find usernames and passwords stored, right? Yet another security flaw: in plain text. So, here's one of the things that we always talk about, right?

If you are holding the usernames and passwords of people, you need to encrypt it. Right? You need to, like, salt or pepper the data. Salting means you put a random series of numbers at the beginning. Peppering means you put a random series of numbers at the end. What we mean is, let's say you have a whole list of social security numbers, right?

And you have a small business, right? And you have this, let alone a huge business like Equifax. But if you have that, you have a duty to not do that job negligently, right? [00:04:00] And what you need to do is salt and pepper that data. Why? Because if somebody steals it, whether intentionally or not, or that data gets lost, right?

That somebody can't use that data. So if you have a whole series of, say, five random numbers before, and you know that the social security number actually starts on the sixth number, right? Then you'll be able to use that data all you want. But if somebody steals the data, they won't know what the actual social security number is.

So they couldn't use it anyway. Well, that wasn't done here either. It was done in plain text. So username, the actual usernames right there. Passwords, the actual passwords right there. Social security numbers, the actual social security numbers right there. Data, driver's license, all of that credit information, all of that in plain text,

right there. This allowed, because the hackers were able to access the usernames and passwords that were stored in plain text, they were easily [00:05:00] allowed to access other systems throughout the entire organization. All undetected, right? And yet, by another security error, the attackers exfiltrated, again, a fancy word for steal, a ton of data.

All undetected. So they didn't have the systems in place to be able to catch the fact that all of this data was being pulled out. Why weren't they detected? Well, because Equifax had crucially failed to renew their encryption on their internal servers, security tools. And what also puts them at the top of the wall of shame, as if all of this wasn't enough, is Equifax didn't publish to the public about this breach until more than a month after they discovered it had happened.

So, the data breach [00:06:00] happens. Time goes by. They discover the data breach. And then they do a bunch of things before they tell any of the people that were the victims. That's what leads them to the top of the wall of shame. And during that time, stock sales, right, by top executives, give rise to accusations of insider trading.

What that means is, top executives know, once this hits the public, our stock is going to tank. We're going to sell our stock now, and we're going to buy futures, which are called options, we're going to buy puts, which go up in value when the stock price goes down. And lo and behold, that's exactly what they did.

The Equifax breach affected 143 million people, almost one half of the entire US population. [00:07:00] Think about that. Not all of the US FICO score was even in their system, but half of the entire population, and the names, addresses, dates of birth, social security numbers, driver's license numbers, payment history, private financial records, payment to healthcare organizations.

All of that information was exposed and was stolen. Right? This also included credit card numbers as well. So who were the threat actors? Who were the hackers? The threat actors who committed this monumental heist, right? Who were they? Like, who are these cyber criminals that caused the largest financial breaches in U. S. history? Well, that would be something that... Any cyber crime gang, think if you have ever listened to this podcast before, think [00:08:00] about LockBit, Klopp, Black Cat, right? What would they do if this were them? They would proudly claim that they did it. Right? They would proudly claim it on their dark web sites, they would issue proofs of life, they would show proof that they had done it, they would demand extortion, ransom, they would do one of those things prior to leaking all of this data, making it public for all of us to see, right?

They would often even tweet about it, right? On social media, on the surface internet that we all see. Part of their business model, after all, is to leak the data and to extort victims by threatening to do that. Even targeting some of the individual victims themselves. And after doing that, what would happen?

Well, we would see identity theft. We would [00:09:00] see credit being issued for people that didn't do what the identity theft resulted in. We would see false tax returns filed as a result of this. All tied to this massive... breach and the data leaks that always follow it, right? So we clearly would have heard from one of these gangs, one of these cybercrime criminal outfits, right?

In this historic, massive financial crime. There's nothing that's been bigger than this financially. Not when you think of the actual payment history and all, everything that makes up your ability to buy a home and everything else they have at all, right? Well, no. Here we heard the sound of silence.

Nothing. As soon as the Equifax breach [00:10:00] was announced, security experts and even fellow cyber criminals alike grabbed their popcorn and began taking tabs on the dark web, looking at all the sites, waiting for the huge dumps of data and somebody to claim that they did it, who was connected to it. They waited and they waited, but the data leak, the extortion, the ransom claims, all of it never appeared.

To this day. Nothing. Why not? Well, most people are completely convinced the motives weren't financial at all. The motives were cyber espionage. And this monumental heist was not done by any of the cyber crime gangs, but rather by the Chinese government. 140 million Americans, [00:11:00] greater than 40% of the U. S. population, who had all of their financial transactions and complete financial private histories stolen.

This would have been worth billions of dollars to sell on the dark web. Not tens of millions. This is buy-several-islands type of money. Billions in street value. And here, nothing. Think to yourself, why?

[00:00:00] A massive breach of financials like this would lead to a rash of identity theft, fraudulent charges, extortion claims to keep the data quiet before being leaked. Everything we hear about happening today and every day in the news, like about the MOVEit file transfer breach, right? The breach involving the Klopp ransomware gang, everything we hear about LockBit, Black Hat, all of the major healthcare breaches that we've seen, they all involve the same thing.

Cybercrime gangs take credit for it, they extort for it, or they ransom it, and they get paid. It's why they do what they do, right? But here, nothing. Zero is the number of fraud or identity theft cases that can be traced back to this incident, none. American citizens were left with $125 [00:01:00] each. That is the most they could ever expect by spending a lot more time filling out forms and systems in order to get that.

And of course there was the wonderful free credit monitoring. Equifax itself wound up spending $1.4 billion, that's with a B, on upgrading its security after the breach. Wonderful. And the C suite was ousted. Wonderful. Among allegations of insider trading and poor security practices. So what's the tie to the Chinese government?

Seems pretty obvious. It's not one of the standard cyber criminal gangs, but what's the tie to the Chinese government? Well, there's no leak site. Like we've mentioned, no extortion demands, no sale of stolen data, no identity theft from the victims. So experts point out that this was [00:02:00] clearly state sponsored, because it wasn't financially motivated.

Okay. But what ties it to China versus Russia, or North Korea, or one like the Lazarus Group, or one of these other groups? What ties it straight to them? Most of the experts in the reports that we've seen say, look at the timeline. See, there was an international detente going on between the United States and China in 2015,

between these two states, right? Requiring them to stop cyber espionage. It was top of mind for both organizations. And there are numerous other examples at the time that China had seemingly been violating that detente. And what's more, the timeline is absolutely critical to [00:03:00] understand. So let's walk through it.

[00:00:00] Let's take a look at the timeline. So, as we mentioned, there was this international detente on hacking agreed between China and the U. S. in 2015. China had seemingly been violating this in a couple other instances, but let's talk about the timeline of the Equifax breach itself. And looking at it and looking at the M.O., the modus operandi, and we've discussed M.O. in prior episodes. Think about M.O. in a typical crime scenario, right? You hear that there's a rash of break-ins in your neighborhood. Okay. That's bad. So maybe make sure you always lock the door at night. Okay. We always do that, right? Not really a big deal, but that doesn't tell you anything about the M.O.

What if you knew what the police knew? And that is that the break-ins are always happening Wednesday morning between 5 AM and 6:30 AM. And they're always breaking in on a [00:01:00] side window, right by a laundry room, every single time. And they always use a certain type of crowbar and they always walk up two steps, like use a ladder to get there, every single time.

That's their MO, right? That's something unique. This criminal, that's their footprint. Right? Because what could you do if you knew that information? You would make sure that during that time each week, right, you would have extra cameras or extra lights over on that part of the house to able to defend about it.

That's why understanding cybercrime and understanding the MO behind certain crimes is so critical so that you can know how to defend it. And in the digital space, just like a regular crime, there are digital MO. There are TTPs. There are tactics, techniques, protocols, processes that they use. There are digital calling cards, digital footprints, breadcrumbs that they leave.

And here, those [00:02:00] were present. So, additional clues, beyond the fact that the stolen Equifax data was never leaked, point directly to that timeline. So think about this. The initial breach happened on March 10th of that year. Then nothing for two months. So what investigators believe is that somebody, because the breach happened, the initial access, right?

That breach happened, anybody could have gotten in, because Equifax had very poor security hygiene. They just simply hadn't patched very commonly known vulnerabilities. It's like, Hey, your window's open. You should really shut the window. No, we're fine. We don't do that. And then time goes by, time goes by.

Everybody's talking about the windows being open. Everybody shut their windows. You do a scan. You take a look at the whole house. You see the window open and you still don't do it. You still don't shut the window, [00:03:00] and somebody walks in and goes, Hey, I found a way inside. The fact that two months went by until any next step is very common in the industry for what's known as IABs, Initial Access Brokers. What these people do is they gain the initial access, but they don't have the technical skills or the desire to go to prison, and they don't want to go and, in order to have the technical skills, to do anything with that, right?

They just see, hey, there's a window open, right? And we can give you the address to it, we can show you where the window is, right? And so they'll just list access on the dark web for a few thousand dollars and they'll make their money, because they just know, for the amount of time that they spent, which wasn't much for this one, right? It wouldn't have been much. They can make a quick buck, and really good money when you [00:04:00] think of a thousand bucks an hour or even higher. Right? So the odds are, the belief is, that that's what happened here. And then it winds up in the hands of an APT. APT is an Advanced Persistent Threat group. Advanced means that they have advanced technical skills. Threat meaning that they're going to do harm. And persistent meaning it's a nation state actor. It's persistent. They don't quit. They have armies of these threat actors that work 24/7 in shifts, right?

It's nonstop. It keeps going until the mission is accomplished. Always undetected, always effective. And that's what happened here. So the details are this. So what happens is once an initial hacker gains access here by using any of the standard hacking tools, [00:05:00] since Equifax hadn't patched or encrypted or turned on its ability to detect exfiltration, right?

Then we wouldn't be able to tell when hackers were taking the data out. And then what happens is this: after two months, you start to see activity where the threat actors move around from system to system and get access to various systems, moving laterally, left and right, vertically, up and down, right?

All without being detected, in various different types of systems and throughout a pretty complex network. All of that requires advanced technical skills and top tools. And above all else, it takes persistence. So, when cyber espionage is discussed, the groups of APTs are [00:06:00] the ones that remain persistent, and the persistence is the operative term.

So, why would the Chinese government be interested in Equifax data record? Well, here's the context. We're going to get into this toward the end, because what we're talking about now, think about it when you zoom in on a painting, an oil painting, if you get too close, you just look at what exactly was done, and the tools that were used here, and the methods of moving, and all of that, and the fact of not being detected.

All of that required an advanced technical skill. It wasn't a group of hacktivists. It wasn't just a, a random hacker, right? This was nonstop, non going. Once that two month gap happened, right? Which shows you like that initial access broker turned it over to somebody that really knew what they were doing.

Um, but if you look too close to that, [00:07:00] like an oil painting, right? All you see are the colorful dots. But when you step back, You're able to see the whole picture. You're able to see the Rembrandt, right? You're able to see the context in which this was done. So let's talk about that a little. The investigators there tie the attack into two other large breaches that similarly did not result in any dump whatsoever of personally identifying data on the dark web all around the same time.

And that was the U. S. Office of Personnel Management, the OPM breach, and the 2018 hack of Marriott's Starwood Hotel brand. All of these breaches are assumed to be part of an operation to build a huge data lake on millions of Americans, but with a target for a few sub sectors of those Americans. The intention [00:08:00] is to use these big data techniques to learn about U. S. government officials and intelligence operatives. In particular, evidence of American officials or American spies who are in financial trouble. Why would they want to know that? Because that could help Chinese intelligence identify potential targets for bribery or blackmail attempts.

[00:00:00] Digital breadcrumbs that were tied to the Chinese military hackers in the Equifax breach were the result of a long period of investigation that the U. S. government did to uncover the ties to specific individuals that worked for the Chinese military. The FBI conducted a broad kind of multinational investigation involving team members from around the world.

And it was led by the FBI's Atlanta field office. And they tracked those digital breadcrumbs that we talked about back not only to China, but actually to specific members of the Chinese military, and the way that they configured all of the servers and exfiltrated the data and moved the data around.

That was the... [00:01:00] MO that was seen here and that was seen in the other breaches we're going to talk about. They allegedly used servers in various countries, like over 20 different countries, and approximately 40 different IP addresses to disguise the origin of where the attack came from, and it's the same thing that's been used in several other ones, and they were able to draw it to specific individuals and actually bring federal indictments against those individuals, and we're going to get to that in just a minute.

And now we're going to turn it over and focus on the next critical breach and how that one is all part and parcel to this whole Rembrandt painting of the espionage that we've been talking about. And that is the breach of the Office of Personnel [00:02:00] Management, the OPM. And that's going to be right after this quick break.

[00:00:00] You've mentioned some of these data breaches have a story behind the story. And back in 2015, right around the time of the Anthem breach that we just walked through, the OPM breach had a lot of similarities. So CSO magazine called it an attack where bad security practices meet China's Captain America, and in a really well done article, they kind of walk us through it.

The article is linked below, but here's the highlights, like, and here's what some of the other research that we've done kind of corroborates. So back in April of that year, IT staffers within the United States Office of Personnel Management, which is the OPM, it's an agency that manages the government's civilian workforce,

right? It discovered some of its personnel files had been hacked. And among the sensitive data that [00:01:00] was exfiltrated, remember, the fancy word for stolen, were millions and millions of these SF86 forms, which contain extremely personal information that is gathered in federal background checks that are done when people are seeking clearance for the highest levels of security clearances to work for the federal government.

Think about that for a second. So this is not about the data that's being stolen. This is about intelligence gathering on specific people. When you combine all of these different breaches. And that was all stolen, along with records of millions of people's, check this out, fingerprints. So they have all of the people's most intimate, secret [00:02:00] information in order for them to get top secret clearance to work for the U. S. government. And they have... fingerprints. How friggin scary is that? The OPM breach led to a congressional investigation and the resignation of top OPM executives. No kidding, right? And the full implications for national security, for the privacy of those whose records were stolen, are still not entirely clear.

It's still having ramifications today, eight years later. So, that's again, like we did with the Anthem Breach. Look at the timeline when we think about who did this. As the official congressional report of the incident says, the exact details of how and when the attackers actually gained entry, they're still not known, [00:03:00] right?

They're not exactly clear, but researchers have been able to conduct a rough timeline of when they started and what the attackers did. And again, it looks at that MO, that modus operandi. The hack began in November, in the fall of 2013, actually, two years earlier. Think of the dwell time.

They had been in the system for years before ever realizing it and before ever being detected. When the attackers first breached OPM was November of 2013. This attacker group, which they dubbed X1, right? Which is the Congressional OPM Data Breach acronym that they gave it. It's just Attacker Group X1.

While X1 wasn't able to access any personnel records at that time, they did manage to exfiltrate [00:04:00] manuals and IT system architecture information about the OPM. Then the next month, in December of 2013, is when definitively attackers were attempting to breach the systems of two contractors, USIS and KeyPoint.

Right? Who conducted background checks on government employees and had access to OPM servers. Though USIS may have actually been breached even months earlier. So think about that. I mean, that reminds us of the Target Breach. If you recall the Target breach, Target had been doing a lot of good best practices, but they were breached through the HVAC vendor, because their HVAC vendor didn't have as robust layers of security.

So, the official OPM hack report and breach report involved an exhaustive [00:05:00] and confidential investigation and congressional hearings. The House Oversight and Government Reform Committee released a report on the OPM data breach. We'll have a link to that in the show notes below. And that was released to the public.

It's a long, just letting you guys know, it is a long document, like 240 some pages, and much of the material is very, very detailed on all of the modus operandi, all of the tactics, techniques used. What we can say is that in 2014, OPM officials realized they'd been hacked. They didn't publicize the breach then. They determined that the hackers were confined to part of the network that didn't have any personnel data.

So OPM officials chose to allow the attackers to remain so they could monitor them and [00:06:00] gain counterintelligence. They did plan for what they called a Big Bang. That's a system reset that would purge the attackers from the system. When they implemented the Big Bang in May of 2014, a couple of months later, that's when things also didn't work well for them.

So that is a risky thing. Think about what they did, right? They saw them in there. They were gathering up counterintelligence. They did this Big Bang system reset. They did it at the time when the attackers began loading keyloggers onto the database administrator's workstations, which capture all of the keystrokes that are done.

It was pretty, pretty shocking. Now, unfortunately, on May 7th, 2014, when they did this Big Bang, an attacker group called X2, a different attacker group, they believe they're affiliated, right? But the [00:07:00] MO of X2 was definitely different. Right. It was more advanced. They used credentials stolen from KeyPoint, the other contractor that was used to run the background checks, and they used that data and that information, that access, to establish another foothold in the OPM network and install malware there to create a backdoor. So they did that so that they can get back in. That breach went again undetected. And then when the Big Bang didn't wind up removing the backdoor that the X2 group had access to, in July and August the attackers exfiltrated and stole all of the background information from OPM's systems.

And then they weren't done there either. The report goes on to say that later on that year, in October, the attackers moved throughout the OPM [00:08:00] environment and breached a Department of Interior server. So another level of government, right? They were able to move around and also breach a department, the U.S. Department of Interior server, where personnel records were also stored. And then in December of that year, and we're like eight, nine months in, another 4.2 million personnel records were exfiltrated. So fingerprint data was exfiltrated in late March of 2015, and on April 15th, 2015, a whole year later, security personnel noticed unusual activity within the OPM's networks, which quickly led them to realize the attackers still had been inside their systems.

Two persistent groups, X1 and then X2. What's clear is that OPM's technical leadership, overly [00:09:00] confident that they had defeated X1 with their big bang, did not use, did not view that intrusion as a wake up call. They failed to take measures that would have helped them detect the X2 group, and they had also largely failed to institute a number of important and recommended security measures that the report points out.

So who was it? Again, there's no smoking gun necessarily that was found. But the overwhelming consensus is that the OPM was hacked by state sponsored hackers, an attacking group working for the Chinese government. Why? Because of the information that was taken and the roles and locations of the people about whom the information was taken.

Right? When you look at the entire, again, when you zoom out a little bit and you look at the context of what was going on between the [00:10:00] US and China, you can see that yes, it was state sponsored, but where it was. And then they also trailed the digital footprints to certain locations again and the same kind of calling card in digital breadcrumbs.

Among other evidence is the fact that PlugX, which is the backdoor tool that we talked about, into OPM's network, is associated with a Chinese language hacking group that's attacked political activists in Hong Kong and Tibet. And the use of superhero names, which is done and was done in this case, is also associated with groups tied to China. So OPM data would be considered extremely valuable. So think about this. I mean, data like that, fingerprints, all of that information, all that top secret information, think of what that would be worth on the dark web. [00:11:00] It would be worth, again, these are millions of records taken. This would be in the billions.

This would exceed LockBit and BlackHat's findings and their treasure trove of stuff and revenue that they've gathered. Think about that, right? This would be something they would be clamoring to brag about having. This is something, think of, you remember when we've had Jon DiMaggio on in his talks, his undercover talks, in his research with REvil leaders and with LockBit leaders, right?

There's that, there's that mafioso kind of braggadocious kind of view that they have, right? They, they have, that's kind of their kryptonite, right? They brag about these things. They want to talk about these things. And when this happened, cybercrime gangs were all watching the dark web [00:12:00] to see who was going to leak it, who was going to take credit for it, who was going to brag about how they did it, share their tactics, their techniques, their, their processes.

It's a whole community there. Nothing. Again, this breach, just like the Anthem Breach, there was silence, right? But when you think about how much data and how valuable that data would be to foreign intelligence services, because it includes very sensitive information gathered as part of the process of granting security clearances, you start to figure out why, right?

And do we want proof of this theory? How about this? The CIA cancelled assignments for some officers in China in the wake of this breach. Since many were to work undercover as State Department officials and would have been identifiable based on the data gathered in [00:13:00] this breach. Let's think about that for a second.

Just think about that for a hot minute. Right? The CIA cancelled assignments. Right? One way the federal government has tried to mitigate the potential damage from this is to provide free credit monitoring. Again, you know our view of that. It is awesome! It cures everything. Insert car sarcasm because it doesn't do anything right.

Those services, believe it or not, are still available for people until 2025. And it might even be able to, there was some hiccup and you have to reapply, but, but think about the cost of it. The cost in just credit monitoring services alone from that breach cost the U.S. government 133 million dollars, and the total figure for all of their remediation and the forensics and everything is set to exceed one billion dollars, with a B, [00:14:00] from just that one breach.

And again, what do we know about the data? It wasn't even leaked. It wasn't sold on the dark web. It's worth billions. It cost close to a billion, if not, it's set to exceed a billion, just to repair this breach. And it's not one that gets a lot of media attention. It needs to, and we need to look into this because this is one of the most concerning breaches on the planet, especially in light, when we zoom out, of the context of it, right? So one of the creepiest things about the breach is just that fact. The fact that there's an absence of media news, right? The Justice Department has been quiet about it, especially since they ultimately arrested a Chinese hacker.

So, in August of 2017, the FBI [00:15:00] arrested... Yu Pingan, Y U and then Pingan is P I N G A N. He's a Chinese national, as in they arrested him as he arrived in the U.S. to attend a conference. They charged him with, quote, conspiring with others wielding malicious software known as Sakula. And although the OPM hack wasn't even explicitly mentioned in those charges, and we'll have links to the indictments and everything, which we've reviewed.

It's all, it'll all be in the show notes. That's exactly what they were talking about, right? In 20, in September of 2018, National Security Advisor John Bolton, at an event where the White House unveiled a new cybersecurity strategy at the time, explicitly tied this attack to Beijing. So there have been hints of it, that there is something known that we in the public don't know. But this was one of the worst data breaches to the U.S. in history. [00:16:00] And in February 2020, we also see that the U.S. Department of Justice formally charged four members of the Chinese military with the 2017 attack on Equifax in relation to this one.

And we'll get into that in just a second. But that's where we find kind of the, the precipice of all of this. And in a move that's kind of rarely seen, you know, where they file criminal charges against a foreign intelligence officer, like they did formally charging four people for the Equifax breach, which we're going to talk about in just two seconds.

It was interesting because they did it in order to avoid retaliation against, like, American operatives. That's why they generally don't do it. But it underscored how seriously the U.S. government has taken these attacks. And again, this OPM breach, there's been no cases of [00:17:00] identity theft tied to the OPM breach.

No darknet data leak, no ransom, no extortion, no cybercrime gang taking credit. One cybersecurity researcher, Arun Vishwanath with the State University of New York at Buffalo, tells Wired Magazine, "We haven't seen a single indication of this data being used anywhere." So yeah, we know the data's gone, but where did it go?

What's the purpose of all this? No one knows, no one has a public answer to any of it, right? So where is the data, if we think about it? Well, it too, like the Equifax breach, would have been worth billions of dollars on the dark web. Nobody took credit for it. Nobody ever made or attempted to make money from the data that we know of.

So, the breach of OPM, the government employees with highly sensitive information, who do you [00:18:00] think has it? And why are they not selling? And why not? So when we come back from this break, we're going to touch on the 2018 Marriott breach, which has a direct tie to all of these.

[00:00:00] The 2018 Marriott breach was also similar to the OPM and Equifax breaches and leaves unanswered questions and lots of people, like you and me, vulnerable and without any recourse for justice. In late 2018, the Marriott hotel chain announced that one of its reservation systems had been compromised, with hundreds of millions of customer records, including very sensitive details on credit card information and passport numbers and information, and that they were stolen, exfiltrated out of the Marriott systems by attackers.

In September of 2018, an internal security tool flagged as suspicious an attempt to access the internal guest reservation database for Marriott's Starwood brands, which include the Westin, Sheraton, St. Regis, and the W [00:01:00] Hotels. This prompted an internal investigation that determined through a forensics process that the Starwood network had been compromised way back in 2014, four years earlier, back when Starwood was its own separate company.

Marriott had purchased Starwood in 2016, but nearly two years later, the former Starwood hotels hadn't been migrated to Marriott's own reservation system and were still using the IT infrastructure inherited from Starwood, which is an important fact. See, the hackers had managed to decrypt the data and discovered what information it included, and exfiltrated up to five hundred million guest records, 500 million of them. Many of the records include extremely sensitive information like credit card, [00:02:00] passport numbers, travel plans of federal employees. You see why this is significant is that at the time, Marriott was the largest contractor with U.S. federal agencies, managing in part the travel for the CIA, FBI, Department of Homeland Security, and more. Marriott CEO Arne Sorenson was hauled before the U.S. Senate to talk about the attack. The transcript of his testimony is linked in the show notes. It provides a window into kind of what we've been able to figure out. Research done discovered that there was a remote access Trojan, a RAT, along with this thing called Mimikatz, which is a tool for sniffing out usernames and passwords involved in, like, system memory, and together both of these two tools gave the attackers control of the administrator account, the keys to the castle.

It's not clear how the RAT was [00:03:00] placed onto the Starwood server, but it's pretty common that Trojans like this are placed through phishing emails, which is pretty easy to do with social engineering. The shocking part here again is the timeline. The breach of the Starwood hotels happened in 2014. Starwood was later acquired by Marriott, and hackers were inside, undetected, from 2014 through 2018.

How good were they at being undetected? Which leads to one of the reasons why people pretty much know that it was a state sponsored group: the incredible fact that another hack happened at Starwood the year later, in 2015, that was discovered and remediated over a period of eight months. And the first breach, and the attackers there, who were inside the network the entire time, [00:04:00] were never even found.

Marriott acquired Starwood in 2016, and most of Starwood's corporate staff, including the managing information technology and security staff, were all laid off. So, Starwood's old system, without any tech resources who were familiar with the tech environment, completely infected with malware, continued to limp along.

And the breach continued to happen completely undetected for a total of four years, two full years after Starwood had been acquired by Marriott. So hundreds of millions of people had their passport and credit card numbers stolen. Credit card numbers were also stored in plain text and all kept in basically one server location.

Again, terrible practices. We've talked about it before. And who hacked Marriott, and why? So, not only the timeline that we [00:05:00] mentioned, but the modus operandi, the MO, and the TTP, right? The technology, the tactics, techniques, and processes used. So, mass thefts like this, 500 million passports and credit card numbers, right?

That is gonna lead to a, one of the leading cybercrime gangs bragging about it, leaking it, extorting it. It's going to lead, even if they didn't do that, it's still going to lead to identity theft, a massive leak. It's going to lead to credit card fraud. Plus the code and attack patterns used here match up with the techniques employed by state sponsored Chinese hackers.

And what did we find? Again, nothing. Again, no cybercrime gang claimed history. No leak, no identity theft, no credit card theft, it all tied to this breach. And you have the code and attack patterns [00:06:00] that are virtually identical to what's already been traced and proven to come from state sponsored Chinese hackers.

See, these hackers used a cloud host, cloud hosting space, used... It involves a, a certain type of cloud hosting environment that was tracked back to this same group, that's been done in, in other instances. The involvement of the U.S. Intelligence Service in the investigation and the sensitive nature of the attack probably explains why much of the technical details aren't in the public. But another clue that this was part of a government attack rather than mere cyber criminals is the fact that none of these millions of valuable records have ever wound up on the dark web. It wasn't, you know, a purely financial raid.

Travel data. Think about that. It is rich with information and it can offer key insights into the lifestyles, the tastes, the relationships of individuals, who's traveling [00:07:00] with whom, what types of trips are being taken. And it's valuable far beyond just the travel industry and the travel industry itself is way behind other verticals like the finance industry, the banking industry, or even health care when it comes to cyber security.

So what does all of this mean? What is the... Equifax, the OPM, the Marriott breach, again, let's focus out a little, right? Like we talked about earlier, when you get too close to an oil painting, it, it just looks like colorful dots on canvas. You zoom out and then boom, you see the Rembrandt. When you combine Marriott, Equifax, and the OPM breaches in light of the international relations existing between them.

And now, because all of this leads to what is happening today in the news, in the international relations between these countries, it shows us this wasn't about financial [00:08:00] motivations. That we know. How do we know that? Very simple. There has been no identity theft, no leaking, no claims of, of it. It's, it's not out there for sale on the dark web, but somebody's been using it and somebody's been in possession of it.

All of those breaches have several things in common. The MO, the modus operandi, the timelines, the RATs, the remote access Trojans, and the backdoors are the same ones used by Chinese hackers, that we have been able to prove, and not by Russian cybercrime gangs or North Korean state sponsored attacks.

There's also been no sale of this data, no identity theft, and no cybercrime gang claiming victory or the selling of billions and billions of dollars worth of very highly confidential data. Think back to what all was taken. The [00:09:00] background information for top level security clearances, all of the financial history, all of the travel plans, all of that information.

These hacks show us that what's being reported in the news about data breaches aren't always what they seem. It's not always about the data. It's about what gets used in a long term play and who the attackers are. That's really the news. And most importantly is this: we, us as individuals, private citizens, we can become collateral damage in the spy versus spy world of government espionage.

So we leave you with this. Where is the stolen data that's worth several billion dollars? Why was it taken, and who took it? This is Cyber Crime [00:10:00] Junkies, and that was the show.
