
The Woman Who Squashed Terrorists When an Embassy Gets Hacked

BSides Cape Town · 2019 · 38:26 · Published 2019-12
About this talk
Chris Kubeka recounts her role as lead investigator in a 2014 cyber-terrorism incident targeting the Saudi Arabian Embassy in The Hague. The attack involved ISIS, escalating extortion demands reaching $50 million, insider threats, and threats to a major diplomatic event. She discusses incident management across nation-state actors, law enforcement coordination, and the forensic and intelligence work required to resolve a cyber crisis spanning nearly three months.
Original YouTube description:
Title: BSIDES Cape Town 2019 - The Woman Who Squashed Terrorists When an Embassy gets Hacked - Chris Kubeka

Abstract: Ever wonder what incident management is like when an embassy gets hacked by ISIS? Come on a journey that includes international threat actors, a state sponsored intelligence agency, and a foreign sovereign embassy. This journey includes a walk through a series of cyber challenges that includes surprisingly weak security, insider threats, a 50 million dollar extortion attempt, diplomatic immunity, city wide security lock down, all while more than 400 dignitaries' lives dangle in the negotiation crossfire. Join the lead investigator and resolver, as she takes you along on a super-secret squirrel mission that includes high adventure, nation state, cyber threat actors, and cyber terrorism. Solve the crime and save lives, all in a day's work for cybersecurity professionals; who said STEM was boring? In this talk, you will discover the key takeaways and gain insight on how to protect yourself from the investigation and response to a real-life cyber terrorism incident. No classified information will be shared; some terrorists were harmed in the making of this talk.

Speaker: Chris Kubeka
Twitter: @SecEvangelism

Speaker Bio: Chris is the founder and CEO of HypaSec. Previously, Chris headed the Information Protection Group, network operations, security operations and joint-international intelligence team for the Aramco family, helping to recover Aramco from a nation-state attack, implement digital security and reconnect international business operations. Responsible for all digital IT and ICS assets throughout the EMEA region (minus KSA) and Latin America. Subsequently, establishing and assisting global digital security teams, standards, security-driven legal contracts for secure software development with third parties, the Aramco EU/UK Privacy group with internal and external counsel, and computer emergency response teams.

Chris has practical and strategic hands-on experience in several cyber warfare incidents: USAF Space Command, detecting and helping to halt the July 2009 Second Wave attacks from the DPRK against South Korea, and helping to recover and reestablish international business operations after the world's most devastating cyber warfare attack, Shamoon, in 2012. Expert advisor and panelist for several governments and parliaments. Author of several books, offensive security trainer, digital security course creator, recognized expert in several digital security fields including IT/IoT/ICS SCADA space, maritime, aviation, oil & gas, electric, water and nuclear.
Transcript (en):

So, on the theme of "everything is broken": currently my laptop keyboard is broken, and we're gonna see if my hotspot holds out, because due to a Windows Update I can no longer run any Microsoft applications locally on my laptop, so I have to run this over the Internet. Yay. So we're gonna see, we're gonna see. So, already it just hates me. Ah, here we go. So there will now just be a slight delay with the slides; that's okay, better than nothing. So my name is Chris Kubecka, and since this is the first time I've ever been in South Africa, most of you probably don't know me very well, but you will after today, because I love meeting new people, so this is fantastic.

But to give you a bit of my background: actually, my area of expertise is cyber warfare, and that entails quite a few different things. I handle incident management when it involves nation-states. I also advise the EU Parliament, the UK Parliament, parts of the United States government, and I try to avoid, for instance, rockets getting launched when there's a cyber attack, you know. However, on that note, when I was involved with the EU-NATO cyber warfare exercises, the night before we had the second day, where we got to kill people in the scenario, because, you know, you've got to have fun with this, right? The staff and I made a bet to see if any of the countries we were working with would ever consider the nuclear option, and I won the bet: I got my countries to consider launching a nuclear weapon in the upper atmosphere of the attacking country. Right, I'm fun at parties. It's great. It's okay.

But I do a lot of stuff with critical infrastructure, so ICS and SCADA systems, industrial IoT systems. The week before last I was at the United Nations doing a workshop, one of Google's external subject-matter experts on IoT, and it was for transparency and control of IoT devices. So I love to have fun with all different types of technology, right? I also get bored easily. Don't let me get bored. Then I started, like, trying to... I don't know if any of you saw a tweet about me discussing getting into the radiation detection monitor for Chernobyl. So don't let me get bored.

But previous to all this, I headed the Information Protection Group for the Aramco family. I was called in after the 2012 cyber warfare attacks against them that almost took out the country and the company, so that was a lot of fun, and I ran the network operations, security operations, joint international intelligence groups and things of that nature. Previous to that I was in the US Air Force; I was a military aviator and also in Space Command. And now one of my minor claims to fame is I got busted breaking into the Department of Justice and the FBI at the age of 10.

So, oh, it might be working. So I'm gonna take you through an incident that was rather unusual. I'll try not to stand too much in front of the thing; I just like to pace. And this incident started in 2014. It was not a short incident and actually lasted almost three months, and it took place in The Hague, the Netherlands, which is the business capital and the political capital of the Netherlands, and it involved the Royal Saudi Arabian embassy and a terrorist group that you may or may not have heard of, called ISIS. It got to the point where it was so bad that several of the embassies ended up having to put a disclaimer on their website that there was an issue involving cyber-y stuff. So there's a lot of fun, now that it's over, let me add that, right?

So there's certain reasons why I was chosen to do this, because I'm not a Saudi citizen, I'm a US citizen, so it's rather unusual for a non-Saudi to come in and do the incident management and also be the trusted advisor and the liaison person for the Saudi Arabian embassy. And one of the reasons was I was already heading the Information Protection Group for the Aramco family, and involved with that we did a lot of incident responses. Oh, so many. Over beers, if anybody wants to buy me a beer after this, just a hint, right? My very first week at Aramco I had my first nuclear incident, so it was a lot of fun, right? I also have a background in forensics, and we had a full forensics lab that had been approved by part of the Dutch government, to make sure that we had our chain of custody and we could collect evidence for any criminal matters. So we were all set up to handle a lot of this. In addition to that, even though sometimes my background with law enforcement can involve handcuffs (it doesn't anymore), I happen to be one of Europol's experts for certain matters, and so I've dealt a lot with different types of law enforcement. In addition to that, I deal a lot with heads of state, ministers, ambassadors, executives, and never show these people packet captures, ever, because they will just go, "Why are you doing this to me?" So I do a lot of communications for people like that, to translate what's going on for an incident.

And at the time we were having a bit of a problem in the Netherlands. We have this right-wing guy whose name is Geert Wilders, and he had made some videos, one of which he pretended to rip up the Quran in, and that caused a lot of problems, to the point where Saudi Arabia itself cancelled all Dutch contracts and kicked a whole bunch of Dutch citizens out of Saudi Arabia. So they did not want anyone Dutch handling this at all. Please work. It might work, it might take a little time, who knows. There we go.

So one thing to remember is an embassy is sovereign property of a country, and regular law enforcement do not apply; everything goes on the word of the ambassador him- or herself. Everything. You can watch somebody get... or I should correct myself, you can hear somebody get beaten to death in an embassy, and nothing happens, right? So I'm just putting that out there; I don't know anything about it. Now, embassies do have kind of a police force called the diplomatic corps, and they're supposed to just assist with certain matters, but they are not generally law enforcement to arrest embassy and diplomatic personnel. And it's quite interesting when you're dealing with an embassy, because nothing matters but the ambassador; whatever he says goes.

So I was able to bring my top forensics person in for day one. Unfortunately, because he was Dutch, he had to leave, but we were able to get network packet captures. Now, unfortunately, the embassy in question had no antivirus, right, and we found a piece of malware, which we call commercial off-the-shelf malware. Most interesting about this is this actually ended up involving a nation-state, but if you use a custom tool, which usually costs millions for a nation-state to develop, at the moment that you use it, you're burned; you can't use it again, and they know that it was a nation-state. So in this particular case the commercial off-the-shelf malware was used for plausible deniability. Even though ISIS was involved, the main perpetrator was being controlled by the Iranian government, unbeknownst to him. So this kind of stuff is kind of strange when you're dealing with embassies.

At the same time, oh look, it just went forward. So that's okay, I don't really need slides. So my main office was in The Hague, because I chose not to live in Saudi Arabia for various reasons, one of which is, you know, I wear a dress, and next door to us, even though we were not in the embassy section of The Hague, the Yemeni government purchased a very expensive building with cash, and we suspected that the cash came from the Iranian government. We also, during this entire time period, there were some unusual activities coming from that particular embassy, one of which we caught their personnel digging in our backyard trying to get to our fiber to surveil; another one we caught them in our building. It's okay, trust me, it's fine, I don't need slides, it'll just distract, and we're all gonna become friends after today, okay? So because it was coming from an embassy, we had a lot of problems, and we had to also get the diplomatic corps involved.

And one day... I like to say you never forget the first time you're droned. During this time the Yemeni embassy also sent surveillance drones hovering over our fourth floor, where our IT section was, and I just so happened to be talking to my boss, and he was facing me and I could see the windows, and all of a sudden there were drones, because who doesn't like drones in the middle of The Hague, right? Luckily they were spoken to, and they said, hey, you can fly drones over your own property, but you can't fly it over other properties; that's just, you know, Dutch law. Outside the embassy, no-go.

So I was attempting to eat lunch one day, because this was kind of rare, because I had all of these different types of incidents going on, and a very large man in a very nice tailored suit comes to summon me, and I'm like, oh, why am I getting summoned? Did somebody die? Am I getting fired? Oh, because you always go through those things, right? And he goes, come with me, there's been a problem. And I asked him, hey, what's going on? He goes, oh no, I don't know. So I speak to our managing director, and he goes, we need to get you to the embassy immediately, because there's been a hack. And I'm like, okay, alright, let's check this out.

So I get to the embassy, and there's just a very nervous IT guy, because it turns out it was his very first week, actually second day, and he got zero handover from the guy before. Hey, how many of you have ever been in that situation? Yeah, it's kind of nightmare fuel. It's worse than having a nightmare about, you know, no clothes in high school. And I go, okay, what happened? And he goes, well, we picked up that there were some suspicious emails going back and forth under the name of the ambassador's secretary. Now, at the time, the only computer set up to do email or for Internet was supposed to be the ambassador's secretary's. I'm like, okay, well, we'll check this out. We'll also... I changed the password of the email system and so forth. What's the password? He goes, oh, it's 123456. I'm like, excuse me, please repeat that, because maybe I'm having a little breakdown right now, who knows. So unfortunately the business side of the Saudi Arabian embassy was 123456, and they had no patches, they had Microsoft Defender as their antivirus, and things were not looking good.

And so what was happening was there was a Dr. Sumaya, I probably butchered her name; she had emailed the Saudi Arabian embassy for citizen services and goes, hey, can you help me with the visa? Unbeknownst to her, actually the embassy had stopped helping with visas; there was a third party that dealt with that. Now, what she got back in return was an email from the ambassador's secretary saying, hey, I can help you out if you send me $200 over MoneyGram in the name of His Royal Highness the prince who is the ambassador for the UK. And she's like, huh, this looks strange, I wonder what's going on. So she reported it directly to the ambassador, thinking, is the secretary trying to extort me for money? And the secretary is like, I have never made that email before in my life. So we went ahead and locked down, or what we thought locked down, the email account, because I also at the time only had limited access, because I'm not a citizen of Saudi Arabia.

So everything seems fine. A couple of weeks go by, and then I'm trying to eat lunch again (I almost never eat lunch at this place), and the same very nice man in a large suit, excuse me, a very large man in a very nice suit, comes to summon me, and I'm like, great, they have finally found out I have been mining bitcoins. Yes. So it turns out that there was another email incident, and I'm like, okay, alright, let's check this out. So I go there by myself, and this time an email had been sent from the Saudi Arabian business back-end email account to all of the GCC countries in the Middle East and to Turkey, which is not in the GCC, saying, hey, if you'd like to save many lives, please send $25,000, signed ISIS. And you're like, oh, because this was not expected. I guess I didn't need coffee that day, woohoo. So obviously this was causing a diplomatic problem, because Turkey is not always the friendliest country with Saudi Arabia, and we went ahead and collected evidence from Oman and Qatar. Turkey would not give us evidence; that's fine, whatever. Because we were trying to look at the header information and look at various things.

So during this time, a couple of days later, the diplomatic corps, without speaking to the ambassador, were trying to be proactive, and they're very nice people, they're very good at their job, but unfortunately they made a big mistake. The perpetrator was still on the back end of the email, and the diplomatic corps sent an email to all the official back-channel email accounts, to every single embassy, using CC, not BCC, and said, hey, if anybody sees extortion emails for 25,000, go ahead and contact us and we'll try to help you out. And the next email was from the perpetrator, going, well, a reply: glad that we have your attention, we're going to be raising up the amount. Now of course this caused an even bigger diplomatic problem, because now every single embassy in The Hague got this notice, and then the perpetrator started taunting the diplomatic police with all of the embassies on copy. Ah, happy days.

So unfortunately, because this was not a short incident and lasted a while, the price started going up, and because I still had at the time limited access, we couldn't figure out what was going on. So finally the ambassador allowed me to take some of the embassy property home with me, because I lived right around the corner, and I was able to find that the perpetrator actually had an email forwarder on the back end of the system, and we went ahead and started locking the perpetrator out.

So then I got another surprise during this time, because Turkey also got these emails. I used to go to this fantastic little pub called Sherlock's Pub, which was voted the best British pub in the Netherlands (who knew that was a contest?). It was stumbling... just, I mean, walking distance. And I arrived one evening, because this is, you know, a bit stressful, dealing with, you know, demands from ISIS and this kind of stuff, and there are three people waiting for me at the pub drinking tea, and the owner goes, they've been waiting here for about three hours for you. And I go, oh. Oh. And they present their cards: they are all cultural attachés from the Turkish embassy, and they have been waiting for me to teach them English lessons. And they spoke perfect English. Alright, anyone think that's suspicious? Yeah, red flag, right? So because I was working with various security services during this time as well, they verified that they were indeed embassy personnel. And then I got a bit of a shock. After they verified who they were, then the security services notified me that they had found a top 10 list from ISIS itself, and I was number 2. So I was then assigned, I don't like close protection, bodyguards, but from a distance, to watch me, and then I was advised to engage with them to a certain extent. And so every evening for two and a half weeks I gave English lessons to English-speaking Turkish embassy personnel. So that was entertaining, to say the least. And in addition to that, on one of our very last lessons the senior person gave me a bit of an odd gift. Because I'm not Muslim, he gave me a set of prayer beads, which I also had security services test to see if they were bugged. You know, a tip: don't ever take gifts from a foreign government and not check that stuff out, man. And then at the two-and-a-half-week mark they just disappeared, and security services verified that they'd actually left the country. So I never heard from my English lesson students ever again, which is probably a good thing.

Now, shortly after, the ambassador started to suspect an insider. Some of the reasons for this was the ambassador's secretary's Gmail account was also broken into by the perpetrator, and it started becoming very weirdly personal. And then extortion demands went from the $200 to $25,000, $35 million, to $50 million, and finally threats started to come saying, you're gonna have Saudi National Day, where all of these ambassadors from all these different countries are invited to, parts of the Dutch royal family are invited to, and if you don't give me fifty million dollars we're gonna blow it up and kill everybody. That's not a good thing. That's when the Dutch national terrorism police started getting involved as well, and The Hague would slowly kind of shut down, with a lot of plainclothes police that were completely armed all around the embassy sections, because this was obviously freaking people out. And because the secretary had gotten these demands to her personal email account, she went ahead and filed a couple of police reports, because she was scared, as anyone would be, but unfortunately we had to use diplomatic means to have those reports shut down.

So as the ambassador started to suspect a particular person, one evening after everyone had left the embassy except for his bodyguards, he started getting down on his hands and knees looking for post-it note credentials, because we didn't want the perpetrator to know that he was under investigation. And I've never in my life seen an ambassador looking and sifting through dust on his hands and knees trying to deal with something like this, and I probably never will.

So because I was able to get various different types of header information, and using information from various ISPs from different hops, using diplomatic means to those countries and to those ISPs, I was able to geolocate where some of the emails were coming from, and it was the exact neighborhood that the suspect was living in in The Hague. So after we were pretty sure we knew who it was, we then had to deal with the fact that this particular perpetrator came from a very, we'll say, high-born family from Saudi and also had diplomatic immunity. So the ambassador made a decision to relocate that individual to a very physically dangerous location, and unfortunately he was the only one hurt in a car bombing shortly after.

So afterwards I wrote up my report, which is a very interesting report. I have to word things very carefully when you're dealing with an ambassador, where you can't say, man, you got pwned because of 123456. You have to be very nice, it's very polite, and do a lot of recommendations as well. But it was a rather thick report, with all of the evidence and technical information in the back as well.

So shortly afterwards, the ambassador, he had been there for five and a half years, which is a very long time for an ambassador (usually they've got like a three-year stint), and he was giving his farewell dinner. So he invited me, and I got to sit with all these posh people with all this posh wine. Unfortunately I was sick that evening, so I could just smell the wine; I couldn't have the posh wine. But we had the dinner in front of a very famous Dutch painting called the Night Watchman in the Rijksmuseum, and they had rented it out for dinner, so that was awesome, because it's not like the size of the Mona Lisa, it's like the size of this wall, so it's really cool. And I got a gift from the ambassador; I also had it checked out, I don't trust anybody. And so we had a lot of fun that evening, and I was just, you know, kind of wowed by all this, but at the same time the stress of an almost three-month incident was finally over, so that was very good.

Now I do want to leave some time for questions, so I'll kind of end it with some lessons learned. You never know when a small incident from an email breach could be something that involves geopolitics, depending on your type of business, if you're used as a pivot to get to someone else, or if there's some really dodgy geopolitics going on, or corruption; that also happens.

Right. Another thing was, I come from a military background, so I'm fine with certain types of things, but if you're ever in these types of situations, tell your partner that there might be a problem. I'm not getting a divorce, and two years afterwards we had a friendly discussion over what had happened, because I never talked about it. Another thing is, when you're dealing with a major incident, try to keep as calm as possible and take a deep breath. What I've seen is a lot of management and executives are going to freak out. I have seen managers scream, I have seen a manager cry. So try to be that strong pillar, take a deep breath and pause and try to calm that chaos, because you're the only one that's going to be able to when you're leading an incident. So I will end with that. Thank you very much, BSides Cape Town, because I loved it, coming to South Africa for the first time. And I'm leaving time for some questions. [Applause] Alright, I'll try to repeat the question when you ask the question. My favorite color's blue. There's got to be some questions. I've got one in the back.

Haha. So the question was, what do you think they were trying to achieve through the English lessons, and did I get paid for the English lessons? Firstly, we believed that they were trying to distract me, and then they were trying to ask various questions about the infrastructure, which of course I did not answer and respond to, about the Saudi Aramco infrastructure. And secondly, a few times they did pay me by buying me some pints of beer. Will hack for free beer. I see one back there.

Well, it wasn't... how did I hack the Department of Justice? Now, back then they did not have a website. I went to a rather unusual school where we had a full computer lab, and I had also been taught various programming languages starting at about the age of five, because my mother was a robotics programmer on assembly lines for car manufacturing. And what I did was, we had modems, and I did what's called war dialing, and back then, if you could get another modem, usually you could get in, or the password at the most was 1234. So I got in and I was having fun, and I was looking through reports, and that was kind of cool. I mean, it was text-based, you know, not the high-tech that we know now. And unfortunately, after about two and a half weeks after I had first gotten in, and I was still looking through things, I had two gentlemen in dark suits standing behind me at my school. So then I was allowed to use a computer again at the age of eighteen. So yes. Next question. I've got one there.

How do you get yourself to stay calm in situations like that? Well, lucky for me, I had been through the whole raft of what's called SERE training for the US Air Force, and that's for aviators and people at high risk for being kidnapped or something like that. It stands for Survival, Evasion, Resistance and Escape, where they put you in a POW camp setting, they waterboard you, they bury you alive, they give you a cute fluffy bunny that you're with, with a lead, for a couple of days, and you name it, and then you beat it to death. So, you know, go Air Force. So that's one of the things to stay calm is a lot of my military training. And another question here.

How do I stay up to date with what's happening with general security? I have a tendency to get bored. How many of you read about the Boeing story that I've been working on? A few people. So I still do a lot of very interesting legal hacking, right, being protected by the Dutch government right now and the SEC for that. I also do training, hands-on, because I like everything hands-on, and so every time I do a training I update the material and I learn new things and I teach that back to my students and attendees. So I'm constantly trying to get my hands dirty. I don't have any hobbies except for hacking. Question back here.

Which embassies seemed to be the calmest about everything? That would have been the Turkish embassy; it seemed to be the calmest, and there's certain reasons for that. It's just now coming out in the news that there's a particular relationship between ISIS, the oil caravans that were brought from Syria, and Erdoğan's son. Next question, the one there.

So, should South Africa be concerned with ISIS, and specifically what should hackers be doing? Unfortunately, when there's an opportunity, a group like ISIS will try to come in and do bad things. Most recently we've seen this in Sri Lanka, where they're trying to regroup there, because they've lost most of their land recently, and we're starting to see various attacks, both them with the bombing and then now, because of the unfortunate issue with religion, there was recently a bus of Muslims that was shot up by a group of Christians. So things are starting to escalate. So they try to get a foothold anywhere they can, or then they work with various more local terrorist-type groups, who then get caught up, because then there's the promise of money and things of that nature. And one of the things that you can do as a hacker, as a good hacker, right, we're all good hackers here: some of the things that I work on is, when I find certain forums... a lot of these groups are not as technologically skilled as most of us in this room, so they'll have chatter and forums where they don't even encrypt. You can scrape, you can figure out some of the slang. Because I don't know the slang here, I don't speak Afrikaans, for example; I speak Nederlands, not quite the same. And if you start seeing things, try to work with your computer emergency response team, who should be able to get the information out. And that's some of the things that you can do. Question back here.

Alright, I'll try to shorten that. So that question was, when we basically were looking at the initial evidence and seeing what was going on, what other types of hypotheses did we have other than a nation-state? We actually first thought that it was just opportunistic, because their password was 123456, and we didn't think that it was at the level of any sort of nation-state at that point in time. So most of these types of things are opportunistic; this one was opportunistic with a whole mix of things going along with it. Next question, because I still have some time. How much time? Aren't you glad my slides didn't work?

Alright, so after I was allowed to use a computer again, how did I land in cyber security? So two days after my 18th birthday I bought a computer. I had also been trying to keep up to date with at least magazines and books, because it was something that I really wanted to do, especially when you're told you can't do something, right? So then I basically jumped back into it. Operating systems were different in that eight-year time span, which was fantastic, and then the internet was becoming available, because before you just had closed networks with modems. So that was a lot of fun. And I took the military entrance exam for the US military; I missed one question, so all the services wanted me, and then the US Air Force offered me lots of lovely things. So I've got time for a couple more questions. I see one in the middle back.

How do I get authorization to talk about things that I just did, and what's the most interesting thing I left out? Well, there's several reasons. Firstly, the incident is now five years old, and all of the parties have been settled, taken care of, car bombed, and Saudi Aramco was okay with me giving this talk. One thing I did actually leave out was we were able to trace the purchase of the commercial off-the-shelf malware that had been used, using Bitcoin transactions, to a particular wallet that was known to be used by the Iranian government. I saw one back here, yes.

Do I think it would look bad on your CV if you work for 30 days in Turkey? Well, I will tell you, when I come over the US border and I've got all of those lovely stamps, they don't like me very much. So I'm just putting that one out there. I've got time for another question.

After the Shamoon incident, did Saudi Aramco improve? Yes. Unfortunately that was short-lived after I left, which, sad hacker face, right? But they did vastly improve. Before the attack they didn't even use encryption internally; for example, you could reset your domain admin password over clear text, yeah, you know, that kind of stuff. They had no cyber security awareness training, so then they started putting that out there, and they started really trying to lock things down, because they didn't want to get... somebody had put in, like, the Urban Dictionary a few years ago, "don't get Aramco'd", yeah. So am I out of time? Two more minutes. I have time for one to two questions. Who will buy me a beer tonight? I gotta have one more, one more. One here.

So it can be kind of difficult to talk to a partner because of the type of job that I do? Yes. However, one of the things I should have discussed with the partner was the fact that the partner could have been used as what we call the next hop, so it could have been kidnapped and used against me. So that was kind of a bad thing. Now, that particular person, whenever I am handling a very interesting case, we'll call it, then I notify the partner, and the partner takes certain precautions, seeing if anybody's tailing, doing certain things, changing up routines and so forth. But because some of the things I work with are under the Official Secrets Act for the UK as well, now that person knows not to ask me very many questions. I'm on time? Alright, thank you everyone. [Applause]
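The hop-by-hop header work the talk describes (collecting copies of the extortion mails from recipient embassies, reading the Received: chain, then taking the hop addresses to the ISPs through diplomatic channels) starts with a step that can be scripted. The block below is an added example, not code from the talk, the speaker or the incident: it reconstructs the relay chain from a raw message and picks the best-evidence originating IP. The message, host names, timestamps and addresses are constructed (RFC 5737 documentation ranges), and the trust rule is the standard one, assumed here rather than taken from the talk: only Received: lines appended by servers you control are evidence, each line's "by" host must be the host the line above received from, and the client IP on the lowest line that passes both checks is the one worth taking to an ISP. Anything below that line was already inside the message when it arrived and can say whatever the sender wanted; the sample deliberately ends with such a planted line.

```python
"""
Reconstruct an e-mail's relay chain from its Received: headers and pick the
best-evidence originating IP.  Added example; not code from the talk.  The
message, host names and addresses are constructed (RFC 5737 documentation
ranges).  Assumed trust rule: only Received: lines appended by servers you
control count, and the chain must be consistent line to line.
"""
import ipaddress
import re
from email import message_from_string

# Constructed message.  Headers read top-down from the recipient's MX back toward
# the sender; the last Received: line is a forgery planted by the sender.
SAMPLE_EMAIL = """\
Received: from mx.example-embassy.test (mx.example-embassy.test [203.0.113.10])
    by mail.gcc-recipient.test with ESMTP id a1b2c3
    for <consul@gcc-recipient.test>; Tue, 14 Oct 2014 09:12:44 +0200
Received: from webmail.example-embassy.test (webmail.example-embassy.test [203.0.113.20])
    by mx.example-embassy.test with ESMTP id d4e5f6; Tue, 14 Oct 2014 09:12:40 +0200
Received: from [192.168.1.23] (unknown [198.51.100.77])
    by webmail.example-embassy.test with ESMTPSA id g7h8i9; Tue, 14 Oct 2014 09:12:38 +0200
Received: from legit-looking.test (legit-looking.test [192.0.2.99])
    by webmail.example-embassy.test with ESMTP id fake00; Tue, 14 Oct 2014 09:12:30 +0200
From: secretary@example-embassy.test
To: consul@gcc-recipient.test
Subject: Urgent

Send the money.
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"         # name the client announced in HELO (attacker-controlled)
    r"(?:\s+\((?P<info>[^)]*)\))?"  # what the receiving server itself saw: rDNS name and [IP]
    r"\s+by\s+(?P<by>\S+)",         # the server that appended this line
    re.IGNORECASE,
)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_routable(ip_text):
    """Hand-rolled: ipaddress.is_global rejects the documentation ranges used in the sample."""
    ip = ipaddress.ip_address(ip_text)
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        return False
    return not any(ip in net for net in RFC1918)


def parse_hops(raw_message):
    """One dict per Received: line, in header order (index 0 = nearest the recipient)."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        m = RECEIVED_RE.search(flat)
        if not m:
            continue
        info = m.group("info") or ""
        # Prefer the address the server logged in parentheses over anything in the HELO token.
        candidates = IPV4_RE.findall(info) + IPV4_RE.findall(m.group("helo"))
        routable = [ip for ip in candidates if is_routable(ip)]
        tokens = info.split()
        seen_name = tokens[0].lower() if tokens else ""
        if not seen_name or seen_name == "unknown" or seen_name.startswith("["):
            seen_name = m.group("helo").lower()  # no reverse DNS; fall back to the HELO name
        hops.append({
            "by": m.group("by").lower(),
            "from_host": seen_name,
            "from_ip": routable[0] if routable else (candidates[0] if candidates else None),
            "raw": flat,
        })
    return hops


def in_trust_boundary(host, trusted_suffixes):
    return any(host == s or host.endswith("." + s) for s in trusted_suffixes)


def origin_ip(raw_message, trusted_suffixes):
    """Walk down from the recipient's MX while each line was written by a trusted server
    and the chain is consistent (this line's 'by' is the host the line above received from).
    The last line passing both checks gives the origin; stop at the first line that fails."""
    suffixes = tuple(s.lower() for s in trusted_suffixes)
    origin, expected_by = None, None
    for hop in parse_hops(raw_message):
        if not in_trust_boundary(hop["by"], suffixes):
            break
        if expected_by is not None and hop["by"] != expected_by:
            break  # planted line: names a trusted server the line above never handed off to
        origin = hop["from_ip"]
        expected_by = hop["from_host"]
    return origin


if __name__ == "__main__":
    for hop in parse_hops(SAMPLE_EMAIL):
        print(f"{hop['by']:32} <- {hop['from_ip']}")
    print("origin:", origin_ip(SAMPLE_EMAIL, ("example-embassy.test", "gcc-recipient.test")))
```

Run against the sample, the walk stops at the planted fourth line because the third line's client was an unnamed host, not webmail, so the origin reported is the client IP the webmail server logged (198.51.100.77), not the decoy 192.0.2.99. Mapping that address to a subscriber and a neighbourhood is the part the talk says needed the ISPs and diplomatic channels; nothing in the headers does that for you, and a client behind a VPN or a compromised relay will still land you at the wrong door.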