Omar Avilez worked in the CSIRT of the Dominican Republic when a major cyber security incident erupted. Omar walks us through what happened and the incident response procedures that he went through.

Breakmaster Cylinder's new album: https://breakmastercylinder.bandcamp.com/album/the-moon-all-that

Sponsors

Support for this show comes from Varonis. Do you wonder what your company's ransomware blast radius is? Varonis does a free cyber resilience assessment that tells you how many important files a compromised user could steal, whether anything would beep if they did, and a whole lot more. They actually do all the work: show you where your data is too open, if anyone is using it, and what you can lock down before attackers get inside. They also can detect behavior that looks like ransomware and stop it automatically. To learn more visit www.varonis.com/darknet.

Support for this show comes from Axonius. The Axonius solution correlates asset data from your existing IT and security solutions to provide an always up-to-date inventory of all devices, users, cloud instances, and SaaS apps, so you can easily identify coverage gaps and automate response actions. Axonius gives IT and security teams the confidence to control complexity by mitigating threats, navigating risk, decreasing incidents, and informing business-level strategy, all while eliminating manual, repetitive tasks. Visit axonius.com/darknet to learn more and try it free.

Support for this show comes from Flare. Flare automates monitoring across the dark and clear web to detect high-risk exposure before threat actors have a chance to leverage it. Their unified solution makes it easy to rapidly identify risks across thousands of sources, including developers leaking secrets on public GitHub repositories, threat actors selling infected devices on dark web markets, and targeted attacks being planned on illicit Telegram channels. Visit https://flare.io to learn more.

Sources

https://www.wired.com/story/costa-rica-ransomware-conti/
https://malpedia.caad.fkie.fraunhofer.de/details/win.bandook
https://www.youtube.com/watch?v=QHYH0U66K5Q
https://www.youtube.com/live/prCr7Z94078
https://www.eff.org/deeplinks/2023/02/uncle-sow-dark-caracal-latin-america
https://www.bleepingcomputer.com/news/security/quantum-ransomware-attack-disrupts-govt-agency-in-dominican-republic/
https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/

Attribution

Darknet Diaries is created by Jack Rhysider. Assembled by Tristan Ledger. Episode artwork by odibagas. Mixing by Proximity Sound. Theme music created by Breakmaster Cylinder. Theme song available for listen and download at bandcamp. Or listen to it on Spotify.
So throughout my life, I've had this recurring dream. It starts out with me being in my front yard, and coming down the street is a wild bull. It's typically white in color, and it's just on a terror, running around the neighborhood, smashing up cars, knocking down trees, trampling everything in its path. Nothing can stop it.
And then it, for some reason, turns and looks at me and I can tell it's coming for me. I mean, it's so wild. It's like falling down, tumbling, running into houses and stuff, trying to turn to come towards me. So I quickly run into the house, slam the door shut, lock it, and then go to the window to look to see what's going on.
But the bull just runs right up to my house, hits the front door, and just busts through it like it's paper.
It's suddenly in my house, and it's trying hard to turn corners and navigate through my house to get to me, but it's falling down and smashing into walls and furniture, and I'm frantically trying to find a safe place to go, but every room I go into, it just smashes through those doors or windows to get to where I am.
I keep going into room after room, shutting doors, locking them, but it just keeps getting in. I usually wake up around here, heart racing, in a panic. And what I often feel after this dream is helplessness, complete vulnerability. There's no place that feels safe. And it doesn't matter how many locked doors I have or hiding places I know of, that bull always finds me and smashes its way to me.
I tell you this because after listening to today's story, I get that same feeling of feeling afraid and helpless.
These are true stories from the dark side of the internet. I'm Jack Rhysider. This is Darknet Diaries. This episode is brought to you by SpyCloud. For some people, ignorance is bliss. But for you, as a security practitioner, that's not the case.
I went to spycloud.com to check into my darknet exposure, and I won't tell you what it is, but spoiler alert, I found some things that are pretty eye-opening. From breach exposures to info stealing malware infections, knowing what criminals know about you and your business is the first step to setting things right.
Resetting stolen passwords and addressing the enterprise access points that have been stolen by malware helps you protect your business from ransomware, account takeovers, and online fraud. With SpyCloud, you have a trusted partner to fight the good fight with.
Their automated solutions, which are built on over 350 billion recaptured assets from the criminal underground, ensure you're not in the dark when it comes to your company's exposure to cybercrime.
To get your full Darknet exposure report, visit spycloud.com slash darknetdiaries. That's spycloud.com slash darknetdiaries.
This episode is sponsored by Delete Me. In episode 133, I spoke to Connor Tumbleson about some people from who knows where who were stealing his identity. Luckily, they weren't out to destroy his reputation or extort him, but think of the damage that could be done. We all have data out there, which data brokers use to make profit.
Anyone on the web can buy your private details to do anything they want. This can lead to identity theft, phishing attempts, harassment, and unwanted spam calls. But there's a solution called Delete Me. I tried it and they immediately got busy scouring the internet for my name and gave me reports on what they found. And they got busy deleting these things.
It was great to have someone on my team when it comes to privacy. Take control of your data and keep your private life private by signing up for Delete Me. Now at a special discount for my listeners, you can get 20% off your Delete Me plan when you go to joindeleteme.com slash darknetdiaries and use promo code DD20 at checkout.
The only way to get 20% off is to go to joindeleteme.com slash darknetdiaries and enter code DD20 at checkout. That's joindeleteme.com slash darknetdiaries code DD20. Okay, you all have seen this talk at the STIC conference earlier this year, right?
I don't speak Spanish, so I have to use YouTube to auto-translate for me, but hmm.
Now that I'm looking at it, there are only 115 views on this video. So, no, you absolutely have not seen this talk. Okay, let me find another. Okay, what about this one? This is a talk from Hack the Box Meetup in Santo Domingo in the Caribbean Sea.
Basically, I want to see all the computers where domain users are local admins.
Nah, you know what? This video only has 500 views, so no, you did not see this video either. Well, both of these talks are by a guy named Omar Avilez, and he's talking about the worst day of his life. It's a chilling story. But since you haven't seen this talk, I really want you to hear it. And since it's in Spanish, I'm going to have to call up Omar to see if he can tell us the story in English.
This story starts much earlier, you know. Okay, so this is Omar, and he lives in the Dominican Republic, which is an island in the Caribbean Sea.
Across the Caribbean Sea, next to Panama, is Costa Rica. And what Omar saw happening in Costa Rica struck his curiosity.
The new president of Costa Rica has declared his country is at war with a ransomware group, which has been carrying out cyber attacks on the country's government. The cyber criminal gang known as Conti has disabled agencies across the government since April using ransomware attacks.
Whoa, that's kind of dramatic, isn't it? Declared war? Seriously? Like you go in to deploy troops and send fighter jets because someone put ransomware on your computers? Does Costa Rica even have fighter jets? Anyway, because Omar is in part of Latin America, he was watching this story unfold.
Let me introduce myself before I start talking about the incidents. So I used to work in the Dominican Republic National CSIRT, which is the National Cybersecurity Incident Response Team.
Hmm. Sorry, I had a bad connection with Omar when we were talking. So let me repeat that for you. Omar worked in the CSIRT for the Dominican Republic. CSIRT is an acronym which stands for Cyber Security Incident Response Team. And this CSIRT unit falls under the Department of Defense in the Dominican Republic. So when cyber attacks threatened national security, Omar was there to review it.
But what's more is the Dominican Republic CSIRT is part of a community of other incident response teams within Latin America.
So when the incident in Costa Rica happens, they contact us, just to ask for help.
What he saw was that 20 different government organizations in Costa Rica were hit with this Conti ransomware. This was a very widespread problem within their government, so it's no wonder they were reaching out for help anywhere they could. Many parts of the Costa Rican government came to a halt, and they were frantic over there.
But this gave Omar the ability to research and understand this Conti ransomware better.
You know, it was like a massive malware campaign in Costa Rica. They were targeting government organizations through phishing, exploiting vulnerabilities. But they, you know, compromised all the departments separately.
Wow, that's really remarkable. See, when I hear that 20 departments were hit, I immediately think that there must be some central connection that allowed the malware to spread internally. You know, like if you can get in through the front door, now you can take a tunnel to all the other buildings or something.
But no, what Omar saw was that each of these 20 departments was infected separately, some of which were infected through phishing emails and some from malware put right on systems that were connected to the Internet. But just because the malware got inside each of these places, it didn't actually turn on until the right time.
It was coordinated that when enough systems got infected, it would trigger the ransomware to lock all the computers at once and demand payment to unlock them. Now, the motive behind putting ransomware on systems like this is typically just to make money. I believe they were asking for $20 million to unlock Costa Rica's systems. So whoever did this seemed to be there only for financial gain.
Costa Rica got their systems fixed up, and I don't think they paid the ransom. They had backups and restored, but Omar saw how this malware operated and worked. And he saw the methods they used to get in, and took this new knowledge to scan the Dominican Republic's national computer infrastructure to see if anything matched what was on Costa Rica's systems.
After all, the malware seemed to be present in Costa Rica's network for a while before it actually executed. So he looked through computer after computer and scanned lots of systems looking for things that matched what he saw in Costa Rica. He didn't find anything, actually, which seemed like the Conti ransomware gang wasn't targeting the Dominican Republic, which was good.
But then, while looking for malware in the network, he noticed something. Someone had defaced a Dominican Republic government's website. They found a vulnerability on the web server and changed the pictures and text to something else. So he zoomed into this to investigate.
We found an implant, a piece of malware.
Now, typically when someone defaces a website, it's a small-time hacker. Being able to show your friends that you changed the text on a government website makes you look cool in some hacker circles. But it wasn't this person who defaced the website that put the malware on that computer. See, when Omar was investigating the defacement, he checked to see if any malware was left behind.
And there was, just not by this person. One of the places Omar likes to look for malware is in the temp directory. The temp directory is used by programs to temporarily hold data. And it's kind of a free space for any app to use to dump data in there if it needs it. So this directory often has open permissions. Anyone can read or write to it. Not many directories are like that on a computer.
So that's why Omar looked in the temp directory, and that's where he saw that someone had stuck this malware in there.
But the malware, the implant was on the system from 10 to 11 months ago.
So someone had exploited this system 10 months ago, stuck some malware in there and then left quietly. And when someone else came and defaced the site, that's when he discovered that it was there. And just imagine that sinking feeling for a moment. Malware had been here for 10 months and nobody noticed. Your worst fears start racing through your head at this point. Did they steal anything?
Did they access stuff they shouldn't? Did they jump around to other computers?
It was a malware that did privilege escalation. So it exploited a Windows vulnerability that was unknown to the...
Okay, this just got worse.
A zero-day means that not even Microsoft knows about this vulnerability. And the reason why it's worse is because whoever left this here must have access to some pretty advanced malware. It's not easy to find a zero-day exploit, because if it was, Microsoft would find it too and put a fix out for it. So it's supposed to be secret.
Now, specifically, this malware's purpose was to escalate privileges. So that means if you get on a system as a low-level user, it'll promote you to a user with administrator rights. So now you can do anything you want on that system. Kind of like if you were to just walk into the front door of a prison and convince the guards that you actually own the prison and to give you all the keys.
Being able to escalate your privileges is a crucial step in getting full control of a computer. And this could be the beginning of a big deal. And just as Omar was about to tell someone about this, news broke out.
The Dominican Republic's Agricultural Department has suffered a ransomware attack by the Quantum Ransomware Group. The attack disrupted multiple services by encrypting four physical and eight virtual servers, compromising most of the information, including databases, email, and applications.
Wait, quantum ransomware? Gosh, a totally different group hit them? It makes me want to make a meme out of all this ransomware news. Enough is enough. I've had it with this mother flipping ransomware on these mother flipping computers. Just when you tune your eyes to be able to see and detect a certain kind of malware, you get blindsided by a totally different kind.
And whatever that malware was that Omar found on that web server, that had nothing to do with this quantum ransomware.
They exploited a vulnerability, an unfortunate firewall, that allowed them to have VPN access to the infrastructure. So with the VPN access, they managed to compromise the entire organization and then tried to ransom the organization.
Luckily, they detected this quite quickly and called Omar in very early. He got in his car and drove down to the data center that was infected. And when he got on the systems there, he was able to see the people who were behind the quantum ransomware typing out commands infecting more systems. So because he reacted so quickly, he was able to stop the spread of it from getting on more machines.
And this is a stressful situation. I don't know if you've ever gotten your computer or phone infected, but anytime this happens, you have to wonder, did you clean your device good enough? Are they still in there? And you never actually know. You sort of have to cross your fingers and hope the attackers will let you know if they're in there still.
Even though he's kicked them out of this one system, it's hard to tell if they just come right back in or what other systems they may have access to. It's like trying to build a dam in the dark with just sticks and rocks.
So... That went very public. So on the investigation, we found out the attacker got into the network via a phishing attack, but that didn't tell us much information. So we concluded the investigation or the report without any attribution. So we just know that somebody compromised the system.
No attribution on the final report for the quantum ransomware infection. Okay. Attribution means figuring out who did this. And they couldn't figure it out. There simply weren't enough clues. It seemed to be fairly common malware with no clear path leading to anyone in particular. All it seemed was that it was financially motivated.
They wanted money and that's the whole reason why they did this. And I think there's three main categories for different types of attackers. There's the hacktivist type people who are hacking into things just for fun or to make a point, like those defacing websites. And then there are people who are financially motivated. They're only there to make money.
And then there are more sophisticated groups out there trying to steal state secrets or something. I mean, they might even have spies on the ground at the place they're trying to break into. If you know who your adversary is, you can combat that particular threat more effectively. You can prepare better and be more alert.
So it's important to understand the landscape of who can and who is and who should and who would be attacking you. When you're dealing with ransomware, you're typically up against someone who just wants money. And if you don't pay it or make it really hard for them, they'll probably just move on to an easier target. So after this attack, things settled down. Omar went back to his normal duties.
And one day we got a tool to analyze all the DNS queries that the organization made. So we implemented that technology all around all government organizations so we can have full visibility of what was happening in the government.
Okay, so they got a new tool to look at the domains that each organization is reaching out to and each domain that's connecting into the government's network. Now, they took this data and cross-referenced it with known malicious domains in the world. And this is called threat intelligence.
There are companies out there that try to classify every single IP address and domain name to try to determine if it's malicious or not. So if you see computers on your network contacting known malicious domains, then you can double-click on that and see what's going on. While he's scanning the network, I want to take a quick ad break.
But stay with us because you're going to want to hear what he found. Support for this show comes from Black Hills Information Security. This is a company that does penetration testing, incident response, and active monitoring to help keep businesses secure. I know a few people who work over there, and I can vouch they do very good work.
If you want to improve the security of your organization, give them a call. I'm sure they can help. But the founder of the company, John Strand, is a teacher, and he's made it a mission to make Black Hills Information Security world-class in security training. You can learn things like penetration testing, securing the cloud, breaching the cloud, digital forensics, and so much more.
But get this, the whole thing is pay what you can. Black Hills believes that great intro security classes do not need to be expensive, and they are trying to break down barriers to get more people into the security field. And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range, which is great for practicing your skills and showing them off to potential employers.
Head on over to blackhillsinfosec.com to learn more about what services they offer and find links to their webcasts to get some world-class training. That's BlackHillsInfosec.com. BlackHillsInfosec.com. Omar was scanning the Dominican Republic's DNS queries to see if anything unusual was going on.
So we discovered a C2 server that was, you know, utilized by Conti.
Oh, no. A computer within the Dominican Republic government was connecting to a command control server, otherwise known as a C2 server, that is known to control systems infected by the Conti ransomware. This is bad. This indicates that the government is about to get hit. Someone has them in their crosshairs and just needs to pull the trigger.
And perhaps they're going to get hit as hard as Costa Rica got hit. Whoever was behind that attack on Costa Rica clearly had a lot of time and resources to make a very deep and wide impact there, crippling their systems and government. But lucky that Omar has such a keen eye and is tuned into the threats of his government so he can detect this early.
So he zoomed into this alert and he saw that, yes, in fact, a system did get infected and it reached out to the command and control server to download Cobalt Strike. Cobalt Strike is like a full suite of hacker tools. It's equivalent to finding a bad guy in your building and also finding his huge sack of tactical spy tools.
But because they spotted this, as it was unfolding, they were able to delete those tools and clean that system and start hardening that system so it doesn't get infected again. On top of that, with this newfound activity on their network, knowing that they're in the crosshairs of somebody, it was important to start alerting the users in the government agencies. Be on alert.
We are seeing some bad weather on the horizon. Be very cautious of any phishing emails. And please, please, please report anything suspicious to the security team. Thank you.
So that's when everybody started sending us emails and emails and emails. We analyzed hundreds of emails. Literally hundreds of emails. So the weird thing about these emails is that they were written in perfect Spanish, like they were not English, but perfect Spanish, like perfect Spanish.
Okay, wow, so they were seeing a lot of phishing attempts. Emails posing as someone else trying to get users to click links, open zip files or attachments. And in every one of these emails, the attackers spoke perfect Spanish. This is really curious since a lot of these ransomware gangs would be coming from Eastern Europe or Russia.
They wouldn't have the ability to speak perfect Spanish on such a large scale with hundreds of phishing emails being written.
At that time, it was June 2022, we had over five to six hundred emails, different emails, and all of them were different. So we didn't have one single email that was the same. But all of them, you know, shared one thing. All of them were about banking transactions or money or payments, something related to money. And also all of them had a backdoor that the attackers were using, which was a backdoor known as Bandook.
Bandook. Okay, if I Google Bandook malware, I immediately get an article saying that this malware gives remote access to a computer, and it was written by someone named Prince Ali who's from Lebanon in the Middle East. More specifically, the Bandook malware has been known to be used by a group called Dark Caracal. Well, that's what the EFF named them, at least.
And while we aren't sure exactly who they are, there are quite a few clues that lead us to believe that the Lebanese government is somehow behind this Dark Caracal group. Now, I want to paint a clear picture for you.
Hundreds of phishing emails are flooding into different government agencies in the Dominican Republic, all of which are trying to get the recipient to open an attachment or click a link, which will infect them with this Bandook malware, which typically seems to be the work of this threat actor group called Dark Caracal. As Omar looked at these emails coming in, he noticed something even more scary.
And they compromised the company. So it was an important target.
So what happened here is that the attackers knew that the Dominican Republic was doing business with a certain company, and they infiltrated that company just to pose as people from there in order to trick the victims in the Dominican Republic government to open attachments.
What they did is that they used a user that was having a conversation with the system administrator. So the system administrator was waiting for that user to send him an attachment. So instead of the legitimate attachment, the system administrator received the backdoor.
I mean, this seems to be the start of a horror story where it feels like you're home alone at night and someone is throwing rocks at your window, at all your windows, at once, constantly pinging them. And you just know at any moment one of those windows is going to break. But there's just no way to secure everything at once.
It just takes one user in an agency to get infected, and then the attacker can jump off their machine to infect the whole agency. And for dozens of agencies to be attacked at the same time is horrifying. On top of that, the attackers are scanning web servers, looking for vulnerabilities, trying to find an exploit to get into the network that way.
So it's like endless banging on the doors and you know they're not going to hold. Where do you even put your attention in a situation like this? The bull is trying to get in your house and there's nothing you can do to stop it.
And we found out, you know, something that was very terrifying for us. Over 30 government organizations were compromised by that campaign, like really big organizations.
The hacker group Dark Caracal had successfully made their way into 30 different government agencies. And each came in through a different entry point too. And to see that this was coming, to know the bull was headed towards you, but to have no ability to stop it, has got to be one of the most terrifying feelings. The feeling of helplessness, despair, vulnerability.
Suddenly, a huge portion of the Dominican Republic government's network is now in the control of someone else? Someone you have no idea who they are, but maybe related to the Lebanese government?
Let me tell you, you know, it was not just government organizations, but also critical infrastructure organizations.
Holy flip, critical infrastructures, things like power plants, water treatment facilities, dams. Disrupting or destroying these systems would absolutely bring this country to its knees.
Yeah, it was a very complicated moment. We didn't know what to do.
Now, of course, Omar isn't working by himself on this when he says that he did all these things. It was obviously a team effort. And his team consisted of like seven or eight people. But then every agency in the government has their own IT department. And some, of course, are bigger than others. But everyone was working extra hours to help out.
But it just makes me wonder, you know, how robust is the Dominican Republic's cybersecurity? I mean, they may not be able to afford the most up-to-date network infrastructure, and they may be running old systems in place. They may not have the funds to employ high-quality employees to react to this.
But when you're on the internet, it means you're only one click away for every threat actor in the world. So you absolutely need to secure your government's networks just as well as the largest governments in the world. Just because you're a small island doesn't mean you get to skimp on cybersecurity. You need to be just as good as everyone else. And it feels asymmetric in so many ways.
You have to be prepared for the most sophisticated threat actors in the world. And I just wonder, how advanced was the cybersecurity of the Dominican Republic?
But after, you know, they did some things on the system, they now... It downloaded or installed a second malware, which was a Cobalt Strike implant, which was communicating to a Conti C2.
C2 means Command and Control Server, but I mean, what? You're telling me that some advanced adversary who may be in the Middle East is now starting to install the Conti ransomware on these systems? This is boggling because Conti has been widely attributed to be from Russia. So first of all, why are these two groups even allies or working together?
Second, holy crap, you now have two sophisticated attack teams working together to attack your entire country, national agencies, and critical infrastructure? Just when you thought you were in the thick of the storm, the storm got worse.
He was a man. And at that moment, we wanted to disappear.
Then he got alerted of another problem.
A big bank overnight stopped working for over a month. So if that bank cannot operate, all the people that have their money in that bank, you know, how are they going to get their money out, or how can that affect the government or the economy? So that was something big, and we involved even more people to investigate.
The Dominican Republic was in trouble and Omar's job was to help.
So one of the first things that I did or I tried to do was call the people of Costa Rica because that happened to them. I wanted to know, you know, all about the incident.
Now, this is what I love about Omar, is his awareness and his social skills. I used to work for a company doing incident response, and guess how much cybersecurity news my boss paid attention to? None. Guess how many other companies my boss interacted with to understand what threats they were facing? None.
The attitude in our company was to put your head down and do your work, not look around to see what everyone else is doing or meet other people in the field. And I hated that. I can't stress this enough, that having allies in this business and going to conferences and meeting people and sharing stories with them will help you do your job so much better.
So please, IT managers, stop thinking you're in some silo and your problems are just yours. Encourage and support your IT employees to go to conferences, meetups, talks, and workshops. It will help your business. Trust me. Omar has gone to conferences. You heard two of his talks at the beginning of this episode even. And he's gone to meetups and he's made friends across the sea in Costa Rica.
Specifically, it was the conference called FIRST where he met them. And you can learn more about this at FIRST.org.
FIRST is a forum for incident response. So like all the incident response teams all over the world just have a conference once or twice a year. So we all go to the conference. They know each other. So if anybody needs help, we know who we can call.
While FIRST is just one conference in the world, there are so many more going on these days. In fact, I think any given week, you can find two or three security conferences going on somewhere in the world. So just Google cybersecurity conference near me and see what's coming up near you. And having these connections was very valuable in this situation. I mean, it was a force multiplier even.
Dominican Republic doesn't have the biggest cybersecurity incident response team in the world. And so knowing who to tap for help creates a battalion of people who can help you in different ways. One thing they did was compare their malware and indicators with other countries in Latin America to see who else has seen anything like this.
Then he started creating a playbook with help from other nations to start remediating this. Of course, he was also calling up security vendors, the people who made the software that was supposed to be securing his network. He'd call up and say things like, hey, we pay you to block these attacks and you didn't. Please help us fix it.
And of course, the security vendors want to make their tools better. So they wanted like a sample of the malware and what methods they used to get in. And they were working quickly to fix their software so they would be able to block these attacks from continuing. And this was happening on Windows machines. They were getting infected even though they were fully patched and updated.
So a call to Microsoft was important to show them what they were dealing with and to ask, how can you fix this? They were calling out to other network vendors too because their systems were compromised. And by the way, when you call up one of these companies to try to report a zero-day exploit, it's not easy.
The first person that you get, the first tier support tells you stupid things like, okay, sir, did you try rebooting the system? And you're like, come on, please, please, please, please, please connect me to somebody who knows what they're doing over there. And they simply cannot. So you need to ask for a manager. And then the manager doesn't know how to fix it.
And they don't want to admit that their software has vulnerabilities in it. So you go back and forth trying to troubleshoot it for days. It's tedious and time-consuming before they escalate it to the next tier support and eventually you get an engineer or a developer who knows this system inside and out and can recognize the problem and replay it and fix it right away.
It's just that that person is behind like eight layers of support tiers before you can get to them. Now there's this quote from Bruce Schneier that has frustrated me but also educated me on the reality of cybersecurity. The quote goes like this. You can't defend. You can't protect. The only thing you can do is detect and respond.
I get frustrated from that quote because I feel like we should be able to defend and protect. Why don't we have secure software that can do that? I mean, how many more years and technical advancements do we need before we can defend our networks? But the sad truth is we may never get there.
And so what Bruce is saying is we need to be assuming we're breached and to work on improving our ability to detect and respond to cyber threats. Somewhere in the middle of the storm, Omar realized that too. Instead of trying to build those walls up higher and higher to stop people from getting in, he needed to get better at detecting when they did get in.
So he started installing more monitoring tools into the network so that he could watch more closely what was going on in there. And this allowed him to understand where Cobalt Strike was and spot it and the Bandook malware and Conti ransomware and Dark Caracal and where it was in the network and how it was moving around, giving him a beautiful view into which systems were infected.
We found out that the threat actor was on the system over time. 10 months ago. They were in these agencies for 10 months? Jeez. So when we discovered that, we tried to get to somebody else that may have more information than us. We get to our partners. So when we reach out to them and we show them all the information that we have, they... Russia, as in the Russian government?
It was very strange for me why Russia would compromise the Dominican Republic in that way, what interest they would have here, because in the Dominican Republic we have a lot of Russians, like a lot of Russians living here.
What would be their intention? And what that organization told us is that they were trying to experiment with some countries, something that they may do on a bigger scale. So they could not target some more mature countries like the United States or the United Kingdom, because they have better defense, so they were trying to do it in this part of the world. So what happened in Costa Rica...
Even though it's not public, I'm not saying that on behalf of the government. It's just my opinion. And what I know from what happened and from what I learned in the process, what happened in Costa Rica was part of that. And what was happening in the Dominican Republic was part of that.
And it was not just Costa Rica and the Dominican Republic, but also other countries in the Latin American region.
were involved in that. So as soon as we knew that, we started reaching out to those countries to let them know that this was happening, to send the indicators of compromise so that way they find out even earlier than us that something dangerous was happening in their country, so they were able to... Those things, you know, before something really bad happened.
There's now a third threat actor involved in this attack? Just before all this happened in the Dominican Republic, there was some crazy drama going on in the Conti ransomware gang. So Conti, we know, is based in Russia. And they came out publicly in support of Russia's invasion of Ukraine.
Well, I guess someone close to Conti did not like this and decided to publicly leak 60,000 messages between the Conti group and other people. And these leaked messages showed that the Russian government had been hacking into places that just seemed to be in poor taste, you know, like hacking medical researchers.
So it's not far-fetched to think that Conti may be working with the Russian government, or that the Russian government would be attacking smaller countries, sort of as a testing ground to practice their hacking skills. But I mean, an infiltration at this level really can pose as a whole new type of ransomware.
Like, just hypothetically, imagine a phone call from Putin to the president of the Dominican Republic where Putin could say something like, listen, we want you to support our war with Ukraine, and if you don't, we'll turn your whole country off. Because they can. With their hand in so many agencies, networks, and critical infrastructure, they could just shut down the Dominican Republic.
And that would be a form of ransomware, wouldn't it be? No, this was just a hypothetical. I have no idea if Putin has any relations with the Dominican Republic. At some point, do you contact the president and say, hey, we've got a really big deal. It's not just your normal malware, but this is a geopolitical problem.
Yes, we did. So we called a national meeting with the big persons supporting the government. So we informed the president and intelligence agencies about what we discovered.
Of course, attribution is very hard when it comes to cyber attacks. It's incredibly easy to hide in the shadows on the internet. So even though there are some things that point to this being Russia and Dark Caracal, how confident can you really be? Especially when you're on the phone briefing the president. Maybe someone else just got a hold of the Bandook malware or Conti ransomware.
Maybe someone wants you to think that it was those threat actors attacking you just to throw you off the scent. Because we've seen threat actors put in fake clues to do just that before. For this situation, there were a lot more questions than there were answers. If Dark Caracal is Lebanese-based, why would they be working with Russia or Conti?
Was this financially motivated or politically motivated? This attribution wasn't exactly clear, and neither are the motives.
Yeah, so they're not supposed to work together, so that thing went over our heads over and over. We overthink it, so why, why, why?
Do Lebanon and the Dominican Republic have any relations?
We do. So our current president, his family is from Lebanon. What?
Hold on. How can the president of the Dominican Republic be from Lebanon? Let me look this up. Okay. His grandfather was born in Lebanon and moved to the Dominican Republic in the 1800s. It was not clear to me, at least, if he's still tied to Lebanon in any way, shape, or form. I mean, I couldn't even find out if he can speak Lebanese, you know?
But it seems like only weeks after he was elected as president is when this attack happened. So maybe this has something to do with Lebanon sending a message to the president. My mind is spinning here, and I don't want to make any wild assumptions.
At the very least, I'm reminded of how Costa Rica's president declared war on Conti, and now I can see that that's not so far-fetched of an idea anymore.
At this point, Omar had a very good understanding of this campaign and malware, and he even reverse-engineered some of the malware, inspected it for clues, and looked at their command and control servers, and had a full map of where the infections were and how they were moving around the network.
On top of that, vendors started to improve their systems, issuing patches and updates and better ways to detect this. So he got together with all the teams inside the agencies that were infected and explained the remediation process. Step by step, he walked them through how to remove this and stop this from happening again. And he also called the ISP to have them block certain domains.
And he was actively cleaning up the mess. Of course, any good threat actor is not going to go down without a fight. So while they'd block a domain or a command and control server, a new one would just spin up, and they had to keep blocking and updating their detection methods.
And you know the goal for security isn't always to stop all the threats permanently, but instead just to make it as hard as you can for the bad guys to get in. Because it takes work to spin up new domains. It takes work to pull out a new zero day, to infect more systems. And it takes work to regain access once you get kicked out.
So having this coordinated effort to shut them out started to exhaust the attacker's resources. And do they really want to put a lot more work and effort into getting back in? Or just move on to the next target?
There's a concept called the pyramid of pain when defending a network, and it's basically the more painful you can make it for the attackers to get in, the less likely they'll actually do it. You never will become fully secure, but at least you can make them work for it.
So after a massive coordinated effort to clean up the government agencies and a big bank and critical infrastructure, they were able to successfully clear everything off and keep it off. In fact, they seem to have stopped the Conti ransomware attack before it actually triggered ransomware on any systems. It was only staging the ransom, but never actually executed it.
Omar also looked to see if any data got exfiltrated from the network, but it didn't. So it doesn't seem like Russia or Dark Caracal stole any information out of the government. Did they disrupt critical infrastructure?
They tried to, but they... could not. The critical infrastructure works in what we call OT, which is operational technology.
Yeah, to control a dam or a water pump or electrical transformer, it doesn't use like a typical Windows computer or something. It's a different system called OT, which is operational technology, which is opposed to IT, information technology. And OT takes a completely different skill set.
And it sounds like whoever got into these systems didn't quite have the skill set to control OT systems, which was good that they didn't get disrupted. What a whirlwind story this was, huh? To have a government completely cracked open like that, with no way to stop the attackers, in my opinion at least, but then to gain back control of it and lock them out.
Omar likes sharing this story with others so that they can be aware that this kind of stuff goes on in the world. And in fact, as I'm looking things up here, it seems like Venezuela also got targeted by the same group or groups.
So in 2022, Latin American countries were hit hard with these huge coordinated attack campaigns that may have been unstoppable due to the sophistication and breadth of the attack. And I wonder if Haiti got hit, you know? The president of Haiti has been assassinated and the place has a barely functioning government and it's kind of been taken over by gangs.
Would you expect their cybersecurity posture to be strong or lacking? I mean, if Russia infiltrated Haiti's networks, is there anyone there to even notice it and clean it up? And I just wonder about Haiti because they share the same island as the Dominican Republic. I don't know.
In some ways, I hate that our world is so vulnerable digitally still, that our most critical systems are still susceptible to attack. My knee-jerk reaction is to say something like, take your systems offline if you can't secure them properly. But that's the opposite of technological progress. So that kind of attitude or strategy just isn't going to fly today.
I just feel like when our systems get too complicated, they become insecure. And we certainly live in a very complicated network of computers now, don't we? But the thing is, even in my dreams, I still can't find a safe place to hide. A huge thank you to Omar Avilez for coming on the show and sharing this story with us.
The easiest way to find Omar to connect with him is by looking him up on LinkedIn. I'll have a link to his LinkedIn in the show notes. In this episode, we talked about the threat actor, Dark Caracal, and I actually did a full episode on them a while back, and that's episode 38. It's a really fascinating group, so go check out that episode.
Just as a reminder, this show is now on a monthly release schedule. So look for new episodes on the first Tuesday of every month. I also have a store where you can buy cool shirts to support the show. It's not all branded with Darknet Diaries logos. There are some there, but there are a ton of shirts that I just know you'll absolutely love the design and want to wear these shirts.
So please go visit shop.darknetdiaries.com. And thanks for supporting the show. This show is made by me, the bullfighter, Jack Rhysider. Editing help this episode by the bipedal Tristan Ledger, mixing done by Proximity Sound, and our theme music was created by the mysterious Breakmaster Cylinder, who just released a new album, and I'll have a link in the show notes if you want to take a listen.
Now, even though when I see people rate this show a 10, I always assume it's in binary, and they're really giving it a 2. This is Darknet Diaries.