The Wiper Virus That Nearly "Erased" the World's Biggest Casino
Darknet Diaries Ep. 37: LVS


Imagine being at work in the office, then all of a sudden the server you're working on goes down, the phones stop working, the screens go blank, and as you investigate you realize the company has been hacked. The virus is so bad and it's spreading so fast that you frantically start unplugging Ethernet cables in an attempt to stop the attack, and you're forced to sever your connection to the internet altogether. Yeah, that did happen, and I want to tell you about it.

These are true stories from the dark side of the internet. I'm Jack Rhysider. This is Darknet Diaries.

[Music]

Imagine you're taking a nice gondola ride through a canal. This is one of those boats where you hire someone to stand up on it and paddle for you. It's nice and slow, relaxing, something you do as a tourist, and it can be romantic. Except you're not in Italy; you're in the middle of the desert. This is the scene from within the Venetian, a hotel casino in Las Vegas, Nevada. But it's not just any hotel; it's a luxury resort, a massive resort with over 4,000 rooms. In fact, it was the largest hotel in the world up until 2015.
And if you go to Vegas, you can't miss it. The Venetian looks just like Italy. It's amazing to look at and explore. On top of it being a hotel, they have a 120,000-square-foot casino, a monster of a gaming hall, which is where they make a ton of their money.

In 1988 Sheldon Adelson bought the Sands Hotel and Casino in Vegas. Three years later he got married to his second wife and took a honeymoon to Venice, Italy, and that's where he got the inspiration to bring Italy to Las Vegas. So he did. He came back home and spent 1.5 billion dollars building the Venetian, and then imploded the Sands Hotel and built more Venetian hotel rooms on top of it. Sheldon had a strong desire to succeed as a hotel casino investor, and he did succeed. His casino was very successful, and now he controls 10 different properties. The parent company of this empire is the Las Vegas Sands, which is what I'm going to refer to as LVS a lot in this episode. LVS is the company that owns the Venetian and Palazzo in Vegas, another Venetian in China, the Marina Bay Sands in Singapore (that's the one that looks like it has a cruise ship on the top of the buildings), and another Sands casino resort in Bethlehem. The Las Vegas Sands has over 50,000 employees worldwide and is ranked 418th on the Fortune 500 list. It's a massive corporation today, and its founder, owner and CEO is Sheldon Adelson. We're going to learn a lot more about Sheldon in a minute.

But I'm fascinated with the IT infrastructure of a major global business like this. You may have seen Ocean's Eleven at this point, so you can probably take a guess as to how secure their physical infrastructure is to protect those millions of dollars that are transacted each night in the casinos. But those are all physical securities. I wonder what their IT security looks like. So I did some snooping. If you want to know what's in a company's network and they're not really telling you what's in there, there's two easy ways to figure this out. First is their career page and the job openings, and on the Las Vegas Sands website you see job openings for things like Network Security Engineer I, Network Security Engineer II, Network Security Engineer III, and to qualify for these roles you have to be proficient in Cisco routers, Aruba wireless controllers, Check Point firewalls, Palo Alto firewalls, Blue Coat web proxies, and F5 load balancers and VPN servers. You know what, these are all the technologies that I would expect to see in a large Fortune 500 company's network, so nothing's really out of the ordinary here. The second place I look to get a good idea of what's in their network is LinkedIn. A couple of simple searches here and I'm finding hundreds of IT people claiming that they work at the Las Vegas Sands, ranging everywhere from cyber security project manager to a whole army of cyber security engineers and analysts and administrators. I think this paints a good enough picture for me. With a few other Google searches, I've got a pretty good idea what their internal network is like and what their staff is like.

The IT security team at Las Vegas Sands seems to be pretty big. I'm guessing somewhere between 200 and 1,000 engineers, technicians, analysts, investigators, directors and more. The IT security people's job is to understand, find, detect, stop and remove threats from the network, and you know what, these are the good guys in our story, the people who work tirelessly to keep that network up and safe, to keep the company running smoothly in the middle of any kind of cyber attack. Las Vegas Sands has multiple data centers, and it houses hundreds and hundreds of servers in each. The network of these casinos is huge. There are like thousands of slot machines that all need Ethernet connections, and then there's public Wi-Fi for the guests, there's retail sales networks, there's online booking servers for their 10 different properties, each guest room has an electronic door lock that's got to be connected to something, then there's the hotel reservation systems and the television network in each room and a whole bunch of security cameras everywhere. And that's a lot of stuff in the network to keep up and operational. It's a massive and complex network, but this is typical for what I'd expect a Fortune 500 company to have. Now, I outline their network to you because I really want you to get a sense of who's working there. These IT and security people have a lot at stake to secure. Of course there's millions of dollars of actual cash to secure, but there's also thousands of customers to keep happy every minute of the day, 24/7. Las Vegas never sleeps. The IT and security team has to work their butts off to keep the network up and operating effectively, and they can never sleep either. Someone's always there, 24/7, 365, in the security operations center watching threats in the network, and they're just looking for hacking threats, and a whole other team is monitoring the surveillance cameras, all 24/7.
A network this big comes with a lot of hazards of things breaking. It's just the nature of having a large network. Cables go bad, upgrades fail, patches introduce new bugs, and of course there's network attackers, hackers that are trying to push malware onto the network through their websites and under the wireless network, to maybe try to figure out a way in to getting some of that casino cash. I'm sure that running a casino attracts thieves like garbage attracts flies. The security team at Las Vegas Sands has done a great job. They've deployed state-of-the-art infrastructure and hired top-notch talent to keep the place secure. It seems like they've thought of everything that can possibly go wrong, and they have a plan in case that happens. But as you might guess, something does go wrong that they didn't expect.

[Music]

All right, let's go back to Sheldon now. So what do we know about Sheldon Adelson? Well, the man has money. Lots of money. Las Vegas Sands is the biggest casino operator in the world, and this CEO owns over half of it. The Bloomberg Billionaires Index has Sheldon with a net worth of 36 billion dollars. That's the kind of money I can't even wrap my head around. He's a self-made billionaire whose wealth just keeps growing. Sheldon started young, growing up in a low-income family in Boston, and he had his eyes on making money, and he set out to do just that. He created business after business; some were more successful than others. And then he found gold. In the 1970s, when personal computers started to become popular, he created COMDEX. This is a computer trade show which brought all the top tech companies together to showcase their latest technologies. The COMDEX tech conference was a major success. To give you an idea of how well it did, in 1979 Sheldon held COMDEX at the MGM Grand Hotel in Vegas, the most famous and luxurious hotel casino in the world at the time. Within 10 years, business had exploded for COMDEX, and it became the largest trade show in Las Vegas, earning in excess of 20 million dollars each year. Listen to this reporter, coming at you live from the 1993 COMDEX trade show:

"There may be a recession going on out there somewhere, but you certainly couldn't tell here in Las Vegas, as over two thousand exhibitors and more than a hundred and forty thousand attendees are here at a bigger-than-ever fall COMDEX. Lots of new product introductions from the big guys like Microsoft and Intel, also new products from smaller companies with names you've probably never even heard of."

140,000 attendees. That's mind-boggling. I mean, the E3 convention that was in Las Vegas last year only brought in 69,000 attendees. The success of COMDEX made Sheldon Adelson a multi-millionaire, and he sold COMDEX in 1995 for 860 million dollars to focus his attention and wealth on the Las Vegas Sands. The Venetian in Las Vegas, his mega project that he developed to replicate Venice, Italy, was soon the first privately owned and largest convention facility space in the U.S., not to mention a casino heaven for gamblers. So you can see how Sheldon has emerged as a dominant figure, and behind his businesses he's outspoken and not shy at all about using his money to bolster up the causes he believes in. The sheer scale of donations to the Republican Party in the U.S. alone has kept him in the spotlight. We're talking donations of 120 million dollars in the 2012 presidential campaign and 82 million dollars in the 2016 presidential campaign. All this went to the Republican Party. These are colossal amounts to us, but small change to Sheldon, considering he's a mega donor. Some question what kind of influence that sort of money buys you. But he's not just interested in U.S. policy. He's also very concerned with the rising online gambling phenomenon and wants to protect his casino empire.

His reach doesn't stop there, though. He's a strong and vocal supporter of Israel and a good friend to the Israeli prime minister, Benjamin Netanyahu. Sheldon also owns two Israeli newspapers, Israel Today and Makor Rishon. He also owns the newspaper in Las Vegas, the Review-Journal. So Sheldon has a fair share of the media market in both Israel and Nevada, right where he wants it. Hearing this, I'm reminded of the great newspaper mogul William Randolph Hearst, who once said, "You furnish the pictures, I'll furnish the war," meaning a newspaper has a powerful way to shape general opinion and belief. But I'm not going to go into whether or not Sheldon's newspapers are slanted one way or another, but for a person who's so involved in politics it certainly wouldn't be a surprise. In his private life, Sheldon has a powerhouse of a wife who's equally supportive of Israel. Israeli-born Miriam Adelson says her heart remains in Israel, and is clearly an influence on Sheldon's strong pro-Israel stance. Miriam is a medical doctor who specializes in drug addiction research and treatment and has a very nice career of her own, and this husband-and-wife team stand firmly together when it comes to donating their money and supporting political candidates and Israeli causes. Direct, confident, and a little arrogant, Sheldon Adelson is a man with money, influence and connections, and he's not a figure who sits quietly in the background. And when a CEO of a large corporation like this has such strong political character traits, it can sometimes lead to trouble.

On October 22nd, 2013, Sheldon Adelson was the guest of honor at the prominent Jewish Yeshiva University in New York. The rabbi who led the panel questioned Sheldon on his thoughts on whether America should negotiate with Iran. Here's what Sheldon's response was:

"So you would support negotiations with Iran currently, so long as they first ceased all enrichment of uranium?"

"No. What do you mean, support negotiation? What are we going to negotiate about? What I would say is, listen, you see that desert out there? I want to show you something. You pick up your cell phone and you call somewhere in Nebraska and you say, okay, let it go. So there's an atomic weapon, goes over ballistic missiles, in the middle of the desert. That doesn't hurt a soul, maybe a couple of rattlesnakes and scorpions or whatever. And then you say, see, the next one is in the middle of Tehran."

The CEO of Las Vegas Sands, a multi-billion dollar company, just casually suggests that the U.S. should send nuclear weapons into the Iranian desert as a warning shot, following up with a message that the next one will be aimed straight for Tehran, the capital. It's bold, blunt, unashamed. Sheldon had just dropped a verbal bombshell, while the collection of students at the talk seemed to respond warmly to his comments. Philip Weiss was in the audience, recording the response on video. Philip runs a website called Mondoweiss, which some say is controversial; many critics have said the stories posted to Mondoweiss are anti-Semitic and cause controversy. And it's possible that if Philip wasn't there recording this, the story would have ended right here. But because Philip was there and he caught this on video and he's a popular journalist, the story does not stop here. He posted his video to his website, Mondoweiss, the following day. The national media ate it right up. The Washington Post, Huffington Post, The Atlantic, Mother Jones and BuzzFeed News all picked up the story and had it up on their websites within hours. Most reports featured the full video, enabling readers to listen for themselves. It turned out it wasn't just the general public who were listening. A month after the comments aired, the Supreme Leader of Iran responded directly. He told students in Tehran that America should, quote, "slap these praying people and crush their mouths," unquote. The Iranians were not happy with Sheldon Adelson.

One of Sheldon's properties is called Sands Bethlehem, but this is not the Bethlehem that's in Palestine. Sands Bethlehem is in Pennsylvania, United States. It's about two hours north of Philadelphia. This casino is nowhere near the Las Vegas mega resorts, but it still has 300 rooms and 3,000 slot machines. And two months after Sheldon's comments about Iran were broadcast, the IT team at the Sands Bethlehem resort saw some worrying activity on their computer network. Someone had scanned their network to see what Sands Bethlehem had on the internet, and they found the usual stuff that you'd see a company has: web access to email, external websites for customers, and a VPN. This VPN was for remote workers who could securely connect into the network, and then they'd get access to the internal network. So if a hacker could get into this VPN, they'd have inside access to the network. So the hackers started trying to guess the passwords to some VPN users. They tried root, admin, password1, sands, and a bunch of common passwords. When that didn't work, they tried more complicated passwords, like using special characters and numbers. They tried hundreds and hundreds of password combinations to try to get into this VPN, but so far they were unsuccessful. The Sands IT security team is good, top-notch, like hawks, okay? They saw this. They noticed the brute-force password attack and they took action. They enabled two-factor authentication for VPN users. This would completely remove the ability for a brute-force attack to be successful, because you need not only the password but you also need that token code that only the VPN users would have on their phone. So this brute-force attack went on for a while and eventually died down.

The attackers weren't done. They looked to see what else Sands Bethlehem had on the internet. They found a curious server was online. When new updates would go onto the official website for Sands Bethlehem, they'd first pass through a staging server, and this looks like an exact replica of the live site, but it's where new changes can be staged, and it's there for testing purposes. The attackers found this server and they attempted to see if that staging server was vulnerable to some exploits. The hackers exploited that server and gained access to it. They were in. But just getting into one server usually isn't enough. You now need to figure out how to laterally move or escalate your privileges and find something else. The hacker saw some other servers to try to get into, but they didn't have any usernames or passwords to use to try to log in, so they used a tool called Mimikatz. Mimikatz is an incredible hacking tool. Here's how it works. On a Windows computer, when you log into it, it stores your password in clear text in the RAM, and that's just by design; that's Windows' normal behavior. And Mimikatz knows exactly where to look to dig that password out of memory. And what this means is that if you run Mimikatz on a vulnerable Windows computer, you will get a list of all users and their clear-text passwords that have ever logged into that computer since it's been rebooted. This is huge, and I don't know why, but for some reason Microsoft refused to fix this vulnerability for years. There was literally nothing you could do about it. So these hackers ran Mimikatz on this web development server, and from there they were able to see the usernames and passwords of web developers and IT admins for Sands Bethlehem, and these are the people who probably have access to a lot of IT infrastructure within the network. This gave the hackers access to a lot of the network, but they quickly discovered that Sands Bethlehem was completely isolated from the main Las Vegas Sands network in Nevada. They could not find any tunnels or connectivity between the two locations. The hackers were on some kind of mission, and access to the Sands Bethlehem network was just not good enough. They needed access to the main data center for all of Las Vegas Sands. They looked at the usernames and passwords that they harvested through Mimikatz and started trying to see what they had. They found that for remote users to get into the Las Vegas data center, there was a VPN for them to connect to. So the hackers tried these usernames and passwords they had from the staging server to try to connect to the main data center VPN in Vegas, and sure enough, one worked. A senior Sands IT administrator had visited the Bethlehem site and did some work there recently, and now that the hackers had that person's login information, they were able to use it to get into the main Las Vegas network. And from here the hackers analyzed the network and established a firm foothold in it, and they gave themselves a persistent connection to it in case that password was to change. The hackers continued to analyze the network, building a map of what was there, and they were very quiet the whole time and were careful not to raise any alarms.

[Music]

A few weeks later, on February 10, 2014, the hackers made their move. Inside the LVS network, they set off a piece of code custom-written in Visual Basic, a wiper code with the goal of destruction. It worked its way through the network, accessing, copying and deleting all the data as it went. The data wiped from the hard drive was replaced with useless nonsense code, making it almost impossible to recover. While the wiper code silently crept through the network, staff computers started crashing, phone systems stopped working, and IT teams were flooded with calls telling them the same thing from frantic staff members. For a network the size of LVS, where they had thousands of staff and computers and communication systems, this was probably the absolute worst nightmare for the IT security team. Computer systems at LVS were in total chaos. The cyber incident responders who worked at LVS kicked into action. The analysts were sent off to figure out where the attack was coming from and how to block its path, and hundreds of IT staff at Las Vegas Sands were working together to try to protect the valuable servers, the data centers, the networks, and LVS itself. By the afternoon of February 10th, IT security staff realized that hackers were in the network. File logs told them that sensitive files were being compressed and downloaded. Not only had the networks been breached and firewalls been knocked through and servers exposed, but hackers were now actively downloading the data on customers and guests and staff and gamblers, like the exclusive invitation-only members list. It was stolen. Social Security numbers were stolen. Driver's license details were stolen. The list goes on and on. But while sensitive data was being stolen, what the IT security engineers had to focus on was keeping those critical systems up so that the casino and hotel could stay operational. The gaming tables and slot machines, and access to hotel rooms and electronic door codes, and the retail outlets, and the elevators leading to the 50 different floors, payment stations, card machines, and all that relies on a stable and functioning network. But the network was crumbling away like a sand castle falling over. Las Vegas Sands, the biggest casino operator in the world, had to consider that they might have to stop everything and tell their visitors to leave, close the doors. At this point, realizing the scale of the hack and the seriousness of it, Sands president Michael Leven ordered IT system staff to sever LVS from the internet entirely. This was a desperate bid to stop the attack and limit the damage. The 10 websites owned by LVS did not escape the hackers' attention. In the blink of an eye, the Las Vegas Sands websites were morphed into something entirely more sinister. The LVS websites had a message emblazoned across them saying, "Encouraging the use of weapons of mass destruction under any condition is a crime." Another website said, "Damn A, don't let your tongue cut your throat." By now there was no question that this cyber attack was personal.

While all this was happening behind the scenes, the functioning of the Venetian and the Palazzo in Vegas did continue, with guests and gamblers blissfully unaware of what was going on. Because of the determined efforts of the security IT staff, and the fact that hackers missed the IBM mainframe, guests were able to continue gaming, access their hotel rooms, and purchase things from the retail stores. But the IT staff made a strategic move to go to the data center and start unplugging key servers entirely to stop this wiper virus from spreading to them. So the network engineers began frantically pulling Ethernet cables from servers. This wiper virus was on a mission to infect and spread to as many systems as it could and delete the data on those computers, targeting just Windows machines. So this meant that users' computers were going down, and servers that run Windows, like SharePoint, email and shared drives, were probably going down. Early on in this attack, the wiper virus hit the Active Directory server in Las Vegas and completely wiped it out, and it then tried to spread to the Sands properties in China and Singapore to wipe them out too. But by knocking out the Active Directory server in Las Vegas, it completely severed the connections to China and Singapore, and so by complete accident it made those networks safe from this attack. This destruction was confined to just Sands Bethlehem and the main network in Las Vegas. The next day, the Las Vegas Sands websites were just offline entirely. Physical hardware had been disconnected, cables were pulled out of machines, and LVS servers were compromised. It took the IT security team, which might be as high as 1,000 members strong, almost a full week to re-establish connections securely to get Las Vegas back up and running fully. This outage was noticed by some people, so publicly the company spokesperson had to say something to reassure their customers, if nothing else, and they chose to play down the attack by announcing it was just vandalism targeted at their websites and some damage to the background office systems and emails. But when the hackers heard this, it didn't sit well with them. The hackers responded with a 10-minute-long YouTube video highlighting Sheldon's exact comments and showing a number of files and folders and passwords and details that they had accessed and stolen during the attack. They wanted the world to know that what they were doing is much more than mere vandalism, and the reasons why they were doing it. But that video was removed by law enforcement very soon after it was uploaded, but not before it had been viewed a few thousand times. The cyber attack on LVS was clearly designed to immobilize and destroy as much of their server and network capacity as possible. The goal here was to hit Sheldon Adelson right where it hurt the most.

So who did it? The messages left on the defaced LVS website provide the first obvious clue. Sheldon's comments about nuclear weapons in Iran clearly provoked some anger there. In 2015, a year after the attack, U.S. Director of National Intelligence James Clapper addressed this exact hack in a Senate hearing. Here he is:

"2014 saw, for the first time, destructive cyber attacks carried out on U.S. soil by nation-state entities, marked first by the Iranian attack against the Las Vegas Sands Casino Corporation a year ago this month, and the North Korean attack against Sony in November. These destructive attacks demonstrate that Iran and North Korea are motivated and unpredictable cyber actors."

This is crazy. While LVS itself refused to address that this cyber attack even occurred publicly, here we have, through an official channel, that not only was LVS a victim to a cyber attack, but James Clapper is saying that the people who did it was the Iranian government itself. Not just some activists, but this was carried out by, like, the Iranian military or something. And this raises all kinds of new questions. Why would a government spend resources to attack a private company? Was this the same wiper virus that Iran used to attack Saudi Aramco? Why didn't the Iranian government take credit for this attack? But then on top of that, Director Clapper said that this was the first ever destructive cyber attack on U.S. soil that was conducted by a nation-state actor. I think the key word here must be "destructive." In Episode 19, I go over an attack that China did on Google back in 2009, and you can even go back 30 years ago to an attack called Moonlight Maze, which was Russia hacking into a U.S. Air Force base. But I guess those weren't destructive in nature. Maybe this was the first ever destructive cyber attack on U.S. soil done by a nation-state actor. But if the Iranian government is behind this, it's interesting, because Stuxnet was a U.S. attack on Iranian soil, and maybe this is Iran kind of flexing a little, showing that they have cyber attack capabilities, and this is kind of a response to Stuxnet. But if that's the case, it's really troubling that a private company has to face the wrath of a nation-state actor. But it's really hard to know exactly what the motives are behind this attack. Was it just a simple provocation that Sheldon did? Was there something more to this for LVS? Even though we know where the hack came from, I still can't get over the fact that the CEO of a Fortune 500 company managed to talk himself into this huge amount of destruction and damage.

The attack on Las Vegas Sands wiped out almost 75 percent of the company's networks and servers, rendering much of their equipment and workstations useless, and valuable data was just wiped. But the damage went deeper than some crashed computers. Sands president Michael Leven confirmed it took more than 40 million dollars to fix the damage by building new systems and recovering from the data lost. This was no small cyber attack, and if the hackers' intention was to disrupt and destroy, they achieved their aim. Las Vegas Sands were keen to keep the details of this attack under wraps, which they managed to do for almost a year, but there was an article in Bloomberg Businessweek that exposed the hack and laid bare the true scale of this attack. But neither Sheldon Adelson nor any LVS spokesperson commented on this article at all. People kept pressuring LVS to say something about the remarks that Sheldon said about Iran, so a spokesperson did say something in the Las Vegas Review-Journal, which is a newspaper that Sheldon owns. The spokesperson said that Adelson's comments were not meant to be taken literally; he was simply trying to say that actions speak louder than words. But I think the moral of the story here is that words matter. Las Vegas Sands did eventually confirm that they suffered a large-scale cyber attack in February 2014 and named its computer networks in the U.S. as a target. In their annual report of 2014, it said both the FBI and the U.S. government were investigating this sophisticated cyber attack and were working with IT system experts to investigate what had happened. In the years since this hack, LVS has made no further comments.

The IT security teams, like the one in the Las Vegas Sands, have their work cut out for them battling against such sophisticated threats and hackers who seek to destroy rather than steal. And when the CEO of a company speaks publicly and gives such incendiary remarks, there are risk assessors within a company that might tip off the security team to let them know the risk profile is higher than normal and they need to secure the networks and servers to be a little bit tighter and more protected. But when the hackers are playing the long game, watching and monitoring and lying in wait, and when they do get in and wreak the kind of destruction and havoc they did here, it leaves an almighty mess for even the biggest and best IT security teams to clean up.

[Music]

You've been listening to Darknet Diaries. If the show brings value to you, please consider donating to it through Patreon, and there you can get a bonus episode, an ad-free feed, and stickers. This episode was created by me, just a plain old sock monkey, Jack Rhysider, and I got some writing and research help this episode from Fiona Guy, and the theme music is created by the beat farmer Breakmaster Cylinder. See you in two weeks.
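The two VPN events the episode describes, the password-guessing burst against the Sands Bethlehem VPN and the later successful login to the Las Vegas VPN with an administrator password harvested by Mimikatz, are both visible in a VPN gateway's authentication log, which is where a security operations center would catch them. What follows is an added example written for this page, not code from the episode or from Las Vegas Sands; the syslog-style line format, the vpn-gw host name, the user names and the IP addresses are all constructed. It keeps a sliding time window per source address and raises three kinds of alert: a burst of failures from one source, a spray of failures across several user names, and the tell-tale successful login from a source that was failing moments earlier, which is what a guessed or reused credential looks like.

```python
"""Detect VPN brute-force, password-spray and success-after-failure patterns.

Added example for the episode above; not code from the show or from
Las Vegas Sands. The syslog-style format, host name, user names and
addresses are all constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: a burst of failures from one source, a legitimate
# user who mistypes once, then a successful login from the attacker's address
# with a harvested admin credential.
SAMPLE_LOG = """\
2014-01-08T02:14:01 vpn-gw auth: user=jdoe src=203.0.113.7 result=FAIL
2014-01-08T02:14:03 vpn-gw auth: user=jdoe src=203.0.113.7 result=FAIL
2014-01-08T02:14:05 vpn-gw auth: user=jdoe src=203.0.113.7 result=FAIL
2014-01-08T02:14:08 vpn-gw auth: user=admin src=203.0.113.7 result=FAIL
2014-01-08T02:14:10 vpn-gw auth: user=root src=203.0.113.7 result=FAIL
2014-01-08T02:14:12 vpn-gw auth: user=svc_backup src=203.0.113.7 result=FAIL
2014-01-08T02:16:40 vpn-gw auth: user=mlee src=198.51.100.20 result=FAIL
2014-01-08T02:16:55 vpn-gw auth: user=mlee src=198.51.100.20 result=OK
2014-01-08T02:20:30 vpn-gw auth: user=it_admin src=203.0.113.7 result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def parse(log_text):
    """Turn log text into a list of event dicts; lines that don't match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "host": m["host"],
            "user": m["user"],
            "src": m["src"],
            "ok": m["result"] == "OK",
        })
    return events


def detect(events, window=timedelta(minutes=10), fail_threshold=5, spray_users=3):
    """Return (kind, src, detail) alerts, at most one per kind and source.

    BRUTE_FORCE            : >= fail_threshold failures from one source inside `window`
    PASSWORD_SPRAY         : failures from one source against >= spray_users distinct
                             user names inside `window`
    SUCCESS_AFTER_FAILURES : a successful login from a source that had >= fail_threshold
                             failures inside `window` (a guessed or reused credential)
    """
    alerts, seen = [], set()
    recent_fails = defaultdict(list)  # src -> [(ts, user), ...] still inside the window

    def raise_once(kind, src, detail):
        if (kind, src) not in seen:
            seen.add((kind, src))
            alerts.append((kind, src, detail))

    for e in sorted(events, key=lambda ev: ev["ts"]):
        src, cutoff = e["src"], e["ts"] - window
        # Slide the window: drop failures older than `window` for this source.
        fails = [(t, u) for t, u in recent_fails[src] if t >= cutoff]
        if e["ok"]:
            if len(fails) >= fail_threshold:
                raise_once("SUCCESS_AFTER_FAILURES", src,
                           f"user={e['user']} succeeded after {len(fails)} failures")
        else:
            fails.append((e["ts"], e["user"]))
            if len(fails) >= fail_threshold:
                raise_once("BRUTE_FORCE", src, f"{len(fails)} failures within {window}")
            users = sorted({u for _, u in fails})
            if len(users) >= spray_users:
                raise_once("PASSWORD_SPRAY", src, f"{len(users)} distinct users: {users}")
        recent_fails[src] = fails
    return alerts


def analyze(log_text, window_minutes=10, fail_threshold=5, spray_users=3):
    """Parse and detect in one call; returns the alert list."""
    return detect(parse(log_text), timedelta(minutes=window_minutes),
                  fail_threshold, spray_users)


if __name__ == "__main__":
    for kind, src, detail in analyze(SAMPLE_LOG):
        print(f"{kind:24} {src:16} {detail}")
```

Run the file directly and it prints the three alerts for the constructed log; the legitimate user who mistypes once and then logs in never trips a rule. The thresholds and window are parameters because every gateway has its own normal failure rate, and the success-after-failures rule is the one to treat as highest priority: it means the password half of a credential is already in the attacker's hands, which is exactly the situation two-factor authentication on the VPN is there to contain.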

2022-08-21 06:27
