Hacking a nation: Alejandro Caceres' bold attack on North Korea

August 6, 2024

From childhood hacking experiments to disrupting North Korea's internet, Alejandro Caceres shares his incredible journey and the future of cyber warfare on SecureTalk. Tune in to hear his story and learn how a single individual can have an outsized impact.


Secure Talk - Alejandro Caceres

Justin Beals: Hello everyone, and welcome back to Secure Talk. Really excited about our episode today and our guest.

I learned about this particular guest reading a Wired article recently that was delving into an internet outage in North Korea. And the story that I read was just absolutely intriguing to me. And the individual that we're going to get to chat with today was the person that executed the attack.

And we don't often get to talk to people that are this active in cybersecurity and the type of work that we do on the frontline. But today I'm super ecstatic to learn a little bit from this expert that has had a pretty terrific experience, I have to say.

And so I'm excited to introduce Alejandro Caceres. He is the founder of Hyperion Grey and comes to us with the title of hacker himself. Alejandro, thank you so much for joining SecureTalk today.

Alejandro Caceres: Yeah. No, thanks for having me, Justin. Look forward to it, man. 

Justin Beals: So we do a little long form here. So before we get to all those super, super exciting bits, we love to learn about our guests a little bit, 'cause I think it's important for us to understand kind of what we're doing and how you got to the work that you're doing. So I'm curious about how you became interested in computer science and security, maybe even at an early age. You know, what were some of those early tech experiences? Yeah.

Alejandro Caceres: Yeah. So, definitely, my first exposure to computing was just my dad building computers. I had absolutely no interest in doing it. I did not join him, just to be clear. I was like, Oh, hey, what are you doing building computers? All right, I'm gonna go play over there. So, you know, none of that really, but I did see him do it.

So, you know, I like to mention that that was probably at the age of like eight or nine. After that, I think, uh, my interest really came up when, I don't know if you remember the AOL days, where basically AOL was the internet, right? To most people. I had to dial in and sometimes wait like three hours to get in.

That was, you know, not fun, but you know, once you got in, I would just join these, these, ah, I don't even know, they were hacker chat rooms. I don't know how many actual hackers they were. And I think if I went and looked back, I'd be like, wow, I was listening to a bunch of idiots, including myself. Yeah.

So, so yeah, I just, I started getting into these things called punters, which we would call them denial of service tools now or whatever. And they'd probably be all illegal and stuff, but really just kick somebody off AOL, right? It would flood their instant messages, or use some kind of a clever technique, like one of them increased the font to like an impossible size, and just took up all the memory and crashed AOL.

That was kind of my first exposure was getting into those. And hacked my friend at that time through just like a Trojan. It was silly. I don't even remember why I hacked. I wasn't mad at him or anything. I don't remember that. Like it wasn't like malicious. And I mean, clearly it was malicious, but I had no like mal intent against the guy.

I mean, he's a nice dude, but yeah. So, you know, those were the days of Back Orifice, which is a tool that has a very simple GUI. And you send somebody a Trojan, usually you would embed it in some other executable or program, and they open it, and then you can connect to their computer. So this was basically that, it was kind of like a copy of that or like an alternative or something.

But yeah, I just said, Oh, good. 

Justin Beals: I remember  those days I was an early prodigy user. That was the internet for a while, right? Like you, you, it's like a bulletin board service. You dial up through the modem and you get in and do work. And then I got really interested in AT commands for like Hayes modem style stuff and was, you know, trying to ping into a system.

I think the culture of hacking that you talk about was a lot different than it felt more like capture the flag almost. Right. Like it was fun and games, I think. 

Alejandro Caceres: That's exactly right. There was no like, I mean, unless you like hacked into the Pentagon or something like that, it was all funny. Like, nobody really gave a shit, right?

Like, it was just sort of, you know, these people are playing around with computers. And, you know, that's why I kind of say, like, yeah, I played with these tools. They're just, like, whatever at the time. Now we call them denial of service tools, and I'd probably be arrested for the CFAA or something like that. But back then it was just like. 

Justin Beals: I think it has a lot to do with the amount of money that's changing hands around, like, you know, and also the resilience, right? I had all the games that I played on floppy disks, so if something happened to my computer, I could wipe. Whatever 20 megabyte hard drive and reinstall the games pretty easily. 

Alejandro Caceres: That's totally fair. Yeah, I remember that, but you know, of course those games would take forever to download, or if you bought them, it would be like eight floppy disks you'd have to insert or whatever. It was definitely very different times. The hacker community was also like really closed off. I don't know if you remember, but like, they were just like, you know, you go into some chat room or something that's supposed to be a bunch of neat hackers.

You'd be like, Hey, I want to learn, where do I start? Like, no, you'd actually like ask the question and everybody, like everybody would tell you to fuck off. Somebody would have something to say about your mother every time. You know, it was just like, that's just how it worked, man. You know, like you don't ask about it.

You don't talk about it. You don't teach other people about it. You certainly don't put it on the internet. Yeah. So it was this really dark, mysterious thing that always kind of intrigued me. And I kind of did what I could, right? Like, it wasn't much, you know, for sure.

Justin Beals: I felt like the skateboarding community and the hacker community had that in common.

Like back in the day, skaters were jerks to each other. They'd be like, no, I'm not telling you where my secret half-pipe in the woods is. Good on the bulletin board, they'd be like, no, you go figure it out for yourself, script kiddie, you know, I'm not going to let you in the club.

Alejandro Caceres: Oh, no, they wouldn't even call you a script kiddie. Like, if you were a script kiddie, you were like way beyond most people. Right.

Justin Beals: Did you study computers in college or did you spend time in college at all? I mean, some of us skipped right through and found professional gigs. 

Alejandro Caceres: I'd say I indirectly studied computers sort of in the latter part of it. I had absolutely no interest in computer science. I took it in high school and I cheated my way through it. Like, a hundred percent cheated, but like, it was just absurd, but there was a teacher's manual and I had it, and one thing led to another and I just didn't do anything. Yeah. So I had like zero interest, but I think I was supposed to be learning like C++. I don't even know. That's how bad it was.

But so yeah, man, I mean, honestly, I came into college, and I just told myself, like, I don't want to study anything technical. I hate technical things. I just want to do something, like, not easy necessarily, but just like something soft. So anthropology or something like that. And I took those courses, and I was like, wow, this is so boring.

And I ended up a math and physics major. So yeah, math and physics at Duke. And it was just like, Oh, God. So much work. Yeah. 

Justin Beals: I wasn't attracted to the computer science degree or culture in college myself. I have a theatre degree, and I was like, yeah, that's much more fun. But then at night I had my computer up and, you know, at that point, the Internet was all IP addresses for what it was worth, you know?

Yeah. And so I was playing around with that. And I'd like to apply computers to the things I thought were interesting, but I didn't care about it beyond that. 

Alejandro Caceres: I didn't even do that, man. Yeah. I don't know what happened to me that I became like a hacker or something like that. I just, I don't know how all that ended up. I do, but, like, it was a very windy path. Yeah, I gave zero fucks about computers all throughout college until I sort of had to. What was it? Well, it was like simulations of heavy ion collisions was my thesis. So, it was using a lot of Linux. The program I was using was actually written in, like, Fortran 77.

So I learned a little bit of Fortran 77, but I do not remember even a little bit of it. I do remember one thing, though, that was pretty kind of interesting at the time. And that's, like, they had a supercomputer, they had a supercomputer that I could use. And then they just had normal computers, right?

So both of those, I would just SSH to each one and run these simulations. And obviously, one ran really fast, and the other one was shitty and slow, but like something kind of clicked a little bit in my mind where I was like, wait, so somebody set up this SSH server, and I finally knew what the hell that was. Somebody set this up wrong. I could remote into this machine, have like full control over it. And so, like something kind of clicked in my mind, and I was just like, oh, that's what hacking is all about. You know, like somebody could misconfigure this. Somebody could do whatever, give away the password, have an easy password.

So, it was definitely a moment I remember. And it just took me back to my old days and stuff like that. 

Justin Beals: When you realize, like, in a shared resources situation, the power you have when you have control over that system, it is eye-opening. And so as a matter of fact, like your first professional gigs, I think I read, were kind of around consulting and open source intelligence in a way.

So you must've gotten out of school and been like, There's work here. I can make money. That was my thing. I was like, Oh, they pay. Yeah. 

Alejandro Caceres: Yeah. I mean, it was pretty cool that when I came out of school, like pen testing or red teaming, or I don't think red teaming was like a word back then, but pen testing definitely was.

And I was like, Oh, like, wait, so I hacked things and then you paid me. That's the thing now, like what happened? Like, I don't understand what happened, but okay. And you know, you'd think I'd be attracted to that. But once I was finished with like the whole physics and math thing, once again, I came out, and I went into the job market and I was like, I don't want to do anything technical, you know, it's like, I just keep repeating myself, I don't know why.

I was like, man, this sucks. Like, I was so tired of staring at problems and solving problems. And I was just like, I'm going to do something totally different. And where I started the job that I started at then the one that you're talking about was, was a cyber intelligence analyst. Now, little known to everybody, I actually applied for the Latin America analyst position because I wanted nothing to do with cyber.

And I remember the interview was super awkward because, you know, it started out and they were like, Hey, so we know that you're applying to like Latin America position, you know, I was like, yeah, I really want to know more about it and all that stuff. And they were like, well, you know, we're, we have an opening, but it's with the cybersecurity division of the whole thing.

And by, you know, by opening, like this was an unpaid internship. So like, now I look back, and I'm like, what are you fucking talking about, opening? Like you can take like six of them. But anyway, I think they just saw my resume and they were like, oh, he's like kind of computery. So let's shove him in there, and that's where I started, man.

It was a company called Total Intelligence Solutions. They were a subsidiary of Blackwater. Okay. It was known as, you know, one of the most ethical companies in the world, obviously.

I just started there. 

Justin Beals: I've never worked for an unethical company ever in my career.

You know, speaking of like the ethics thing, I do have these conversations sometimes where people are like, am I a white hat, black hat, red team, blue team? I find binaries only work really good in code. And I think you have a perspective on the gray area of this. It's in the name of your company in a way. Now, how do you perceive these kind of attitudes around the work we do and whether it's good or bad?

Alejandro Caceres: Yeah, honestly, pretty much everything that we do, unless it's just like pure defense, right? You're watching a SOC screen or something. Almost everything that we do is in like kind of this weird gray area.

That actually is the meaning of the grey in Hyperion Grey, like, right? I'm Hyperion, and our work is going to be all thinking differently and trying to do things a little bit different. And yeah, it's probably going to piss some people off and it has, which is great, but we know that we, well, I should say, yeah, we knew that we operated in a gray area. And especially me, I have always operated in that area. Probably leaning a little more towards the like, ah, I don't know. It's hard to say.

People define things differently too. You know, if I were to say like, I'm a black hat, people would be like, so you steal credit card numbers, and you're malicious to people. And, like, I don't do that kind of shit. It's not interesting to me. Right. Like that's not a challenge. So yeah, you're right. I mean, those terms, when they came around, I was like, yeah, okay, then pretty much everybody's somewhere in the gray hat area. And by the way, the grey hat area is massive, so.

Justin Beals: Right. Yeah. 'Cause I think there's times where we're trying to break down things to test them to improve, you know, the security that we're working in. And then there's times where we're working in a more defensive posture and we're trying to keep things secure. I was talking with a friend about, like, environments where we work, where things are

like, if you're in HR, you might not have a direct adversary, but if you're playing sports, you'll have a direct adversary. And, you know, to me, anybody that's playing Atlanta United is, I think they're bad. So it has so much to do with the perspective that you walk in with, right? Yeah.

Alejandro Caceres: Very true. It's actually a really,  really good point.

I mean, what is an adversary? We don't even have that very well-defined, right? And that's, I mean, been a problem, and we've seen that in a lot of, uh, cases. A lot of shit, for lack of a better term. Somebody that finds an S3 bucket and starts looking around and seeing if there's PII, and if they find any, they report it to you.

Was that adversarial? Probably illegal, right? I mean, you're exceeding intended access, or whatever the fuck the word is. Yeah. But is that wrong? Are they an adversary? Some would probably say yes, and some would probably say no. So, all these things live in this weird grey area, and that's why I think it doesn't play well with the law, right?

The law is like, You bad, you guilty, you not guilty, you know, so yeah, definitely. 

Justin Beals: The law does attempt to black-and-white situations. It beat out justice on some level; it's almost a requirement. So the story that brought you and me together, the thing that I read, had a lot to do with, um, having brought down, the description that I read was North Korea's internet, but I think some really critical digital infrastructure in North Korea as a state.

And I wanted to talk a little bit about that experience and what you went through. And so my first question around this is that when I read your story, one of the things I noticed is that you felt that you had been targeted or been a target of hacking or intellectual property theft by North Korea. And I'm curious a little bit about that experience.

That seems like the genesis of how the story followed.

Alejandro Caceres: It definitely was. I was just a normal, at this point, I was a pretty well-experienced hacker through that, you know, really roundabout path. And I was doing a lot of zero-day hunting work. And I go through periods where I learn different, I suppose, like areas of hacking.

And, you know, sometimes network pen testing. I started out as a web app hacker. And at this particular time, I just happened to be doing a lot of zero-day work, and mostly zero-days in Windows drivers and Linux drivers and software. So, um, yeah, I wasn't quiet about it, right? Like, why would I be? It's not a bad thing now.

Yeah. So, so one day I was contacted by a friend of mine. And this friend was like, hey man, I got a customer for you. You know, being kind of the leader of Hyperion Grey, I sort of got to decide what our products were, what our services were. So I just put up a little page that said, like, you know, if you need help with a zero-day or you need another hand or analysis or whatever.

So, yeah, my friend was like, I got like the perfect, perfect customer for you, and he introduced me to this guy. It was like over Telegram, and dude's name supposedly was James Willie, which, I mean, was definitely a fake name, obviously, right? I don't know. It just sounds like Johnny Johnson or something like that.

Right. You know, you're just like, yeah, that's not your name, bro, but that's okay. That's not rare in that world, especially with people that are like attempting to sell them later or something. So whatever, I didn't think that much of it. And yeah, he had a reasonably interesting zero-day that he said was part of a full chain for Chrome.

Now, yeah, he had it all packaged up in a Visual Studio project. Right. Which is always really nice because you can just kind of open it, and Visual Studio will be like, you know, the build is right there. You don't have to worry about all these flags and shit. Right. Yeah. Uh, so I grabbed that project, and I don't ever really trust anybody, which is, I think, good practice.

So, I opened it in a completely clean VM. I had nothing really on there. Like the most expensive thing I had on there was probably an IDA license. So, nothing sensitive, nothing actually, not literally nothing. So I opened it up, and you know, I was doing kind of like a pre-analysis for him. That was just going to be like a paragraph that's getting paid.

And I was like, fine, I'll do like a pre-analysis, but it's going to be shitty, you know. But I opened it up and, you know, everything seemed normal. Everything was all good. Then a couple of days later, Google TAG, the Threat Analysis Group, I think that's what it stands for, they released this whole thing on Twitter.

A North Korean operation that was going around at the time. And sure enough, they gave aliases that they were using. And one of them was fucking James Willey. So.

Justin Beals: Yeah. They named James. You're like, they named James Willey, yeah.

Alejandro Caceres: And then they went on to describe, like, the exact methodology that they used on me. It was just like, so exact, and I was like.

Justin Beals: You were like, I'm in the, uh, threat briefing. It's happening to me. Yeah, yeah, 

Alejandro Caceres: exactly. And it said, you know, it's specifically targeting zero-day hunters. And I was like, Oh shit. Okay. And maybe James, where are we? You know, all this stuff. And I was like, okay, awesome.

So, I was hacked by North Korea. And my understanding was like, that it's just like a few researchers that were hit and, you know, I was one of the lucky ones. Right. I got it. So. You know, luckily, I guess they didn't get shit, but they didn't get anything. 

Justin Beals: Right. Yeah. You had it in a secured environment. It was clean, no assets on there to really take.

And rightly so, right? When you're operating in that environment, everyone has a part to play. You figure. 

Alejandro Caceres: Absolutely. And yeah, I mean, I don't trust that. I didn't, certainly didn't think he was North Korean or like an alias for a North Korean operation or anything like that, but, yeah, I mean, definitely a sketchy guy. And I went back and looked at the Visual Studio project, and like it had, I should have done that first, right?

Like actually, when you open Visual Studio, it says like, you know, make sure that you trust the configuration file because it can run code. I was just like, yeah, whatever. Fuck off. And click yes and opened it, right? And as soon as I read the thing about North Korea, I was like, are you serious? Like I got phished. Like I was one of the sheep that I talk about all the time, that just clicked completely through the security message and was like, yeah, you know, it's a zero-day. Let's open it. And I got to realize, like, it was actually pretty well done, but it's still a basic phishing attack.

You know, they went through a friend for a slaw, which gained some trust. A friend, like, didn't exactly specify how he knew him, really just like, hey, here's a guy. He dangled the exact right carrot in front of me, right? Yeah. A Chrome zero-day for that, right? Like, he said it's like a full chain Chrome zero-day, which can mean like 4 million dollars these days.

Yeah. So, you know, I was like, yeah, this is awesome. And just like anybody else, right? It's just like a different carrot, but everybody has a carrot, and they use different ones on them. And so I didn't feel stupid. I mean, in the end, sure, it's a nation-state, and they had this really weird and interesting roundabout way of getting the meat, but, uh, it's still basic phishing, and it just pisses me off.

Justin Beals: I've talked to some CISOs lately and we've had this discussion where we're like, again, to this adversarial environment that you're operating in, it's like, you're going to lose sometime, right?

Like you're not going to win everything. And to your point, like you're really aware, I'm fairly aware, I think, of security, but our brains are easier to hack sometimes than the computers we operate in, and for someone to get in there. So obviously, you were, you know, a little chagrined, it might be the light way to say it.

Alejandro Caceres: Slightly peeved.

Justin Beals: Yeah. I read that you reported the hack, though, and I'm curious about reported and how did, how, who did you report it to, how'd they respond? 

Alejandro Caceres: Yeah, honestly, I cannot remember, but I believe the FBI actually came to me before I was able to get to it. Yeah, they called me and, uh, like a cessation, so, and I was like, I don't fucking believe you.

Justin Beals: I've already been phished this week.

Alejandro Caceres: So I forgot how he, uh, how he proved that, or maybe I called him, I honestly don't know. But either way, the initial talk with the agents was good. You know, he asked for all the typical information. He asked me if I'd kept the malware. And I was like, nah, man, that VM has been gone for days already.

So I didn't really have very much except for, like, just retelling the exact story that was in the Google TAG thing. Unfortunately. Yeah.

Justin Beals: And that was what they said? What was their response to Alejandro? 

Alejandro Caceres: Oh, besides asking the questions. I mean, that first time that we talked, it was sort of just like, we'll be in touch.

And it was not clear at all to me why this agent was talking to me, if they were doing some kind of active investigation on this, or they were maybe going to pass it to the NSA or whatever, although I doubted that, you know, just to say, nobody really likes the FBI. I'll say it.

Justin Beals: We've talked to some agents, and I thought one conversation was very, really revealing because this retired agent was basically like, Yeah, there's almost nothing we can do.

I think people call us thinking that there is something we can do, and he's like, we won't get your money back. We won't get your data back. We won't catch the bad guy. They live in a totally different country. You know, it's gone, and that's what people don't realize. Yeah. Well, so you kind of, I think you, maybe it will go back to those days on AOL when you're like banging your chest, being like, I'm a hacker, you a hacker.

And I think you were like, hey, these guys came at me. I think I'm going to try and come at them. Was that part of your mental model?

Alejandro Caceres: Definitely. Yeah. I mean, for the first couple of weeks, I was just like a little bit shocked, right? I mean, not like that shot. I was just like, really? Like, like me? Like I'm not sure I have a company and like, some people know about it.

I spoke at DEF CON and stuff, but like, I don't know. I just didn't see myself as like one of the attractive targets. So in a way, like that sort of shock was like also like, okay, like they targeted me, I mentioned they targeted me, like, okay, they didn't get shit. So like, that's actually kind of cool. You know, so like, I should thank them for that. But after that, after the whole experience with the FBI, right, I talked to that agent once, I talked to him twice, where it was sort of reiterating the same stuff, I talked to him a third time, and that third time, it was incredibly clear that there was absolutely nothing they were going to do, and not really their fault, it's just they're a domestic law enforcement agency, and this didn't happen domestically.

It happened to somebody domestically, but I mean, what are they going to do? Right. I get it. And God forbid, like the NSA and FBI work together. That would be terrible.

Justin Beals: We had that problem publicly known once. Now we could say maybe it's. If they're collaborating more or not, who knows? It's a little more under the rug, maybe, than it used to be.

Alejandro Caceres: I don't buy it. That's just me. That's just me. I don't know anything. What do I know? 

Justin Beals: I think a lot of our listeners have never done this kind of work that you're talking about before. So, tell us a little bit about planning the attack on North Korea. Like, how'd you decide what you might go after, what you wanted to impact? What were some of those inputs?

Alejandro Caceres: Yeah, absolutely. So I started out just like, sort of like any other red teaming, pen testing, whatever, hacking engagement, which, I mean, it all simulates hacking. Right. So, and I also have done a lot of hacking that I won't go into before that. So I wasn't unfamiliar with this stuff.

All I did first was reconnaissance, right? You just figure out what they have. And you look at it, stare at it. After enough years of staring at like Nmap scans, which is usually the studio you go to, you kind of get a feel for the environment, how protected it is, and also what might be interesting. So yeah, you know, I found a couple of interesting things, and you know, just like findings, like I remember there's this router thing. I won't go exactly into what it was, because I don't want them to patch it. But there was this thing that you do, and it always starts like that. It just started with, hey, like, what you got? They don't have a huge IP range either. So, scans were not slow. It's all pretty quick.

Justin Beals: You're looking for soft spots, you know, areas that you can pressure test and patterns that you realize might, um, contain vulnerabilities that are exploitable. So, when you were doing that, when do you start thinking about, okay, I'm ready to execute, right? Like, I've built like enough reconnaissance that I got a plan of attack now.

Alejandro Caceres: Yeah, that's a really good question. It was pretty quick. Yeah, I'd say the planning took, like, just maybe a few days, and then the actual execution took, I'm sorry, like, I don't know what you call execution or what you call planning necessarily. Ah, I'd say a lot of planning slash not breaking shit first.

What I actually ended up finding was far more interesting than any classical vulnerability you would find. I just kept noticing that no matter what server I scanned from, if there was like a traceroute done on it, or something like it, the same two routers kept coming up. Oh yeah. And I was like, that's interesting.

Like two routers as an ingress to an entire country. Like that's kind of weird. They must be massive routers, I thought, right? So, like, you know, I mean, not that they're a big, huge country or that they let their people on the internet, but just looking at that, I was like, okay, that's really interesting. But of course, you know, I was like, I'm coming from one place, and I'm sure that the routing is just, that's the optimal route or whatever.

And I looked at the routers, and they were kind of medium size. So I was like, there's gotta be more. But, you know, I definitely was like, this is something to kind of look into, is understanding, actually, their entire architecture, which is something that I think a lot of hackers don't really necessarily do, and not that they necessarily should, a lot of the time.

This is a whole different type of hacking, analyzing a nation-state versus a corporate network, right? 

Justin Beals: Plus, you're pretty far down the stack, right? Yeah. Like you, you're looking at the router exchange level 

Alejandro Caceres: That’s right.

Justin Beals: as opposed to a web application or an operating system even. Yeah. 

Alejandro Caceres: Yeah. And, of course, like I did look at those, I spent a few days looking at those.

And one attack that I thought might be fruitful is, North Korea, they don't really have an internet for the common people, right? They have an intranet for them, and the internet is reserved only for the elites, which from what I understand is very few. We don't really know. There was some interesting stuff.

I thought I could maybe get on that intranet and see like, what does that look like? Nobody's ever really seen it. They call it, like, it's like a walled garden. Yeah. So I figured, oh, maybe I can go in there, take some snapshots of everything. Show it to the world. Right. They probably wouldn't appreciate that.

Justin Beals: I don't think they appreciated any of this. No, no, no. I don't think they appreciate it.

Alejandro Caceres: I mean, you know, maybe they can take a step back and be like, well, we did try to hack him, so, you know, tit for tat. It's all right.

Justin Beals: Funny games, back to the old AOL days. 

Alejandro Caceres: Yeah. So, hopefully, they can just appreciate that.

But yeah, I know. I don't think so. So, you know, after focusing on that for a minute, and their infrastructure was not very robust, is what I found, especially architecturally, and those two routers became kind of a very big interest of mine. What I ended up doing was actually I built a circle of VPSs, so I rented servers around the country, and I made sure that I included several in China because I had heard, and this probably was back from my intelligence analysis days, or maybe some article I read.

I had heard that they may be using some Chinese IP space. So I thought, okay, there might be some specific routing that I don't know about or that you can't really see unless you are in China. Right. I got some Chinese VPSs, and I basically circled the country with other VPSs. Now, the idea there being, I want to see what routes they take. What are the other routes into this country?

And sure enough, I mean, the most important tool in this entire thing was traceroute, which is kind of funny, right? Like nobody ever thinks of that as a hacking tool. I mean, obviously anything can double as a hacking tool, but traceroute is not something that... it's nothing to write home about, right? You just kind of, you're seeing the path that something has taken and you're like, oh, cool.

That's usually traceroute. I ran it on all of these servers and sure enough, every single server would go through those two routers. So I just thought, like, okay. Two reasonably small routers, medium size, a really weak system inside. Their DNS servers weren't, like, anything to write home about; their web servers weren't either. Nothing was bad. A very sticks-and-glue internet type thing, you know? Oh yeah. Yeah. So, I just thought, okay.

And I rented a bunch of computing power, like a bunch, like a bunch. It was way overkill. 

Justin Beals: I had to imagine you're like, okay, how much room do I have on the credit card? 

Alejandro Caceres: And you know, I think I got all of it very carefully and stuff like that, but yeah, after that I was like, all right, new goal. Like, I no longer want to see the walled garden or whatever. I'm just going to fuck them up. Yeah. I'm just gonna take everything down.

Everything is going to come down. All at once, and for a variety of reasons. Wow. And once I saw that that was actually possible, or potentially possible, right? In the back of my head I was always like, I have to be missing something, right? So I started conducting some little tests, right, using all that bandwidth, and sure enough, like, a lot of sites came down, DNS came down and all this stuff. I started to see news reports about it.

That was the really cool part. You know, you think, like, oh, maybe I'm the only one seeing it because of something, I don't know. But other people were noticing. There was an article released by, I think it was like the Guardian or something, that talked about how it was most likely a Chinese thing that was warning them to, like, not, not like, or no, yeah, sorry, totally wrong.

It was a Guardian thing. But at the time, they had just conducted a missile test. And it just happened to work out that some of this stuff was being mildly disrupted, and they were like, Oh, this has to be a response from the United States or some allied country to kind of just give them a little warning, right?

And you know, obviously, I was there laughing my ass off, but I realized, like, I'm not having like the real effect here. Like to the point where the Guardian and people that really watched North Korea were noticing. 

Justin Beals: How long since the beginning is it to hit the bandwidth to hit those routers? How long did it take before you started seeing the news articles come out?

Alejandro Caceres: Oh man, great question. Probably a day or two. Yeah. I think the North Korean watchers were watching already, so it hit pretty quickly. 

Justin Beals: They saw it that day, they put it into an article that night. Probably came out the next morning. Yeah. 

Alejandro Caceres: Yeah. And you know, I was using a variety of different techniques for denial of service, and different things could take different times, and it was actually all consolidated into one Python script.

So I literally just turned the script on and let it do its thing. The logic in the script is really, there's a few things, right? Like one was, okay, I'm just going to directly disrupt everything that's inside. Because I was like, I have seen that it's easy. They don't have that much stuff. What the hell, right? So that was both flooding attacks and also slow polling attacks, which, if people aren't familiar with that, a slow polling attack is just, you know, you connect to a web server, and you send it data really slowly. So it kind of keeps thinking, okay, data's coming. And you take up a thread. Most web servers are configured to have, like, I don't know, eight, 16, maybe a little bit bigger, but these machines weren't huge. So I did flooding, I did that, I did UDP attacks against the DNS. I did, man, what else? Yeah, TCP floods, all kinds of weird stuff. Also with, like, weird TCP packets, and, oh yeah, there were some n-days in there as well that made it in.

They had some really ancient NGINX servers running. So I was like, what the hell? Might as well write something. And they were, like, stupid easy. So I just wrote some quick n-days and did that, and I allocated resources to that, and that definitely caused intermittent disruption, I would say, which, yeah, I kind of started on purpose, just not taking everything down, but letting it sort of, like, ramp up and roll.

And eventually I just started hitting those routers, like, all this bandwidth. I was still hitting inside, sure, but I was pounding the hell out of these routers. Again, these are the only two routers in and out of the country. So I just kept allocating more and more until I started seeing the message, like, in both my web browser and trying to ping and, you know, curl, any kind of tool, that just would say no route exists to this host.

In other words, I kind of accomplished exactly what I came in to do. And that was destroy the entire freaking routing into and out of North Korea. So I got the question a lot of, you know, so, like, what exactly did you take down? The answer's everything. Like, literally, they were completely cut off from the entire world.

The very limited times where I was able to, like, I think maybe possibly get through to, like, a website or something, it was just infinite loading, but, like, nothing was getting in, and certainly nothing was coming back, even if it went in. So at that point I had some really powerful and true denial of service conditions against the entire country.

So I was like, okay, I'm going to leave this on for a while. 

Justin Beals: How long did you let it run? And how long did it last? 

Alejandro Caceres: I let it run for about nine days. I think a couple of those were like the, not the testing days, but the like ramp up days, I would say properly about a week, the whole thing was down during that time.

Justin Beals: They weren't getting Akamai in to reroute everything?

Alejandro Caceres: You know, these two routers were like, they weren't like right directly smack in the country or anything like that. They were, like, off, like, in the sea. Like, not literally in the sea, obviously, but they were off the coast of it.

So I don't even know who actually controls those routers, to be honest with you. I didn't really care in the end. They were the ways in and the ways out. And I wanted to take those out. So no incident response.

Justin Beals: Well, that's certainly wild. And I think it speaks a lot to how much, I think what it speaks to a little bit is how much North Korea doesn't think they're a target at all.

Alejandro Caceres: They don't seem worried. 

Justin Beals: Yeah. And I think what is really interesting to me is that one of the outcomes of this for you was that you started talking with the DOD. about kind of these, you as a single individual having this outsized impact on a nation state. 

Alejandro Caceres: Yeah, that absolutely is one of the things that happened.

You know, a lot of people came crawling out of the woodwork. I wasn't super quiet about who did it. I tweeted some shit and things like that. Not, like, not saying, like, oh, I'm going to take down the internet in North Korea. Yeah. But, you know, just some little things like, oh, hey, this website's down, huh?

Justin Beals: That's pretty obsequious of you.

Alejandro Caceres: Well, then I started, like, I tagged the Jester, you know, that account. And he was kind of getting annoyed that I was tagging him. Obviously, he didn't know why. And so he was annoyed with me already. And by the time the whole thing just toppled over, it was like, oh, I get it. And he posted a whole thing about it. And he was like, I now understand exactly what was happening. And he pointed at me on Twitter.

Of course, you know, I messaged him, and I had actually, like, yeah, anyway, it was a whole thing, but he ended up taking it down because he was like a connection of a connection that I ended up meeting through this actually.

And, you know, we chatted and realized, like, hey, we're both on the same side. So, yeah, that was actually really cool. That was one of those moments I'm like, okay, I'm glad I did this. You know, I'm already talking to the Jester. He's showing me around this platform and that stuff. So, but to your point about the DOD, yes, everybody came out. Everybody came out to play, all the nice intelligence agencies, people from NSA, people from Cyber Command came, some very deep people within the DOD that I have sworn not to name to anybody. And just like, yeah, I know there was CIA there.

They don't announce themselves, but I know CIA was there, Director of National Intelligence, the Marine special operations, all kinds of weird shit. And I ended up giving a full-on presentation on how it was all done. Yeah. And basically the whole thing was just like, yeah, look, I'm one person. And the amount of funding that I have is me-sized, right? I'm not, like, a billionaire.

Justin Beals: Household income here. Yeah.

Alejandro Caceres: So, you know, I just made it a point to be like, look, this is how it is. This is exactly how I did it. Obviously, the exact same attack isn't going to work on everybody. Yeah. Probably some other countries that it would work on, but say if you take, like, I don't know, a larger country, China, then that shit's not going to fly.

Right. Yeah. But I do know that a few people, or even just one person, can have a large-scale effect. Like, at this point we are to the point where bandwidth, the tools, everything is ready so that a small team of people, maybe like a rapid response type team, could do this. And of course, everyone there liked it.

They were in agreement with the whole thing. But one of them made a very astute joke, actually. And he said you forgot the part where we have to do like six PowerPoint decks and present it over six months and then wait. 

Justin Beals: Mission planning is critical. I guess, you know, I mean, when you're an organization that's doing everything from D-Day to, you know, to in-country incursions, they do a lot of planning.

Alejandro Caceres: They're absolutely right. There are also special forces, though, right? Let's talk about like special operations command. They are allowed to operate with fairly broad authority. Of course, they have lines that are drawn, and they're given orders. But they work pretty damn quick. The example I like to use is the Osama bin Laden, right?

How many laws did we break there? We essentially, we just, not essentially, we did, we violated the airspace of another country with nuclear weapons, and landed a helicopter, put boots on the ground, killed some civilians, and, of course, killed Osama bin Laden. Now, don't get me wrong. And, yeah, that's all I'll say about it; it just had to be done.

Justin Beals: We bent, if not broke, a lot of rules that we typically wouldn't to do it. Absolutely. Because we felt it was an important mission, yeah.

Alejandro Caceres: Absolutely. And you know, one thing that I learned, because, you know, I was working with like, I said, I wouldn't say the organization, but I can say broadly it was special operations command for them.

It was interesting because I went to a talk actually on unconventional warfare slash guerrilla warfare. And one of the questions that they asked themselves when planning things, and again, this is like pretty fast planning, is: one, is it illegal? Two, do we care? So, it's that second one that's really important, right?

Well, I guess they're both. But that second one is interesting. And, to me, it's very... I don't even know the word, man. I don't want to use interesting again. But it is interesting that it's far easier to get boots on the ground to shoot somebody than it is to get a small hacking operation going.

And the reason for that, I think is that it's a relatively new thing. I don't think there's any kind of like malicious conspiracy or anything like that. 

I think like, just like you said, they're a massive place with a huge bureaucracy. And they need that bureaucracy for various reasons. However, they've also recognized that in some cases that just can't happen.

And my kind of pitch to them was, and I wasn't even pitching, like, give me money to do this, you know, or anything like that. It was just like, hey, I really think you should do this. It was basically a special operation, but for cyberspace. Why can't that authority exist? I outlined exactly how a team could work.

I outlined everything about it. And I told them, like, look, I am the case study. You don't need to look for some theoretical whatever; this will work. I just showed you it worked. So, listen, everybody there was very much in agreement, but then nothing happened, right? And here we are.

Justin Beals: There's a lot of projects that have died on the vine inside the bureaucracy.

But, but I think you philosophically bring up a change in how we might like think about cyber warfare broadly, right? Like. It's funny because I look at the way the United States has behaved in this, and I think they've thought about it from an intelligence perspective. Like, I assume, all of this is Justin assuming a bunch of stuff, so, no, you know, I assume that they do a lot of reconnaissance.

They know a lot about the, the network topology that's operating. I assume that they consider what attacks they could perform, but probably spend a ton of time on just defense. You know, like, what is defense? And I think if I were in their shoes, I would probably be somewhat nervous about if I were more on the front foot, what does it actually mean in like global landscape?

And I think that there's a fear there, right? Like, am I declaring war or are we, you know, pushing on each other and seeing where the soft spots are? Is this an exercise? You know, how would I define this in military parlance? 

Alejandro Caceres: Yeah, no. And it's a very good question. My kind of proposal for the answer to that is we should treat it a lot more like sanctions than we do warfare. I personally, I'm not, I think the word cyber warfare was used very early on and way too quickly. I do agree that there's certainly things that would be considered warfare. And I don't think the word cyber warfare is, is useless or by no means am I saying that, but it was picked up pretty early.

And now anything that you do on a computer against a country is cyber warfare, right? Okay. What I did, like, fair. All right, fair. All right. We'll call it that. You know, these other things, I just feel like so many countries are doing it, and we have a model, actually. We have so many models, and one of them is North Korea, by the way.

And the way that they do it is they do their operation, they leave their calling card, and then they never say whether they did it or not. But we all know, right? I mean, we all know when it's Russia, we know when it's North Korea, we know when it's China. They never come out and say it, and diplomatically, it doesn't make sense to come out and say it.

But they sure as hell leave their calling card. So, to me, it's, there's, it is a little bit defined. And of course, like you mentioned, you know, the operators, you have to be careful. I mean, you have to have a certain level of planning. And I'm definitely not advocating for, let's have all these operators fuck everything up all the time, right?

That would just be kind of chaos, you know. That would be kind of like saying, let's just have the army and just, you know, fucking go kill all the people we don't like, right? I'm definitely not advocating for that, but I do think that things need to move faster. And I do think that there are certain cases where not moving quickly has cost us a lot: a lot of information, a lot of the safety of our citizens, for example, when we were attacked, the security researchers. Just a lot of examples, right? And a lot of them coming out of North Korea. So.

Justin Beals: I see your concept here around sanctions, in a way, right? Like, when we think about when we develop sanctions, it is a little bit like, hey, we're really aware that we have a problem with something you're doing.

And we're so aware about it that we want to put some teeth to, you know, your experience with us. And when we do nothing. Then it's hard to say, like, it's hard to say that we're having an in, like, if we didn't have sanctions, then there's no pressure being put on the situation. But if we do have sanctions or we are on the front foot sometimes in response, then the adversary has to at least consider what the interaction is going to play out like.

Alejandro Caceres: Absolutely. And I mean, totally agree. I mean, that's how I think about sanctions, right? A lot of them are just denial of service, but for physical goods, right? I mean, one could call it that and it wouldn't be ridiculous. So, you know, why not try the same thing in cyberspace? Sure. It might be, I mean, it wouldn't even be controversial at first.

Like, everybody's attacking everybody, and we know it. And I think the United States is just one of those countries where we don't leave our calling card. I'm sure that we've done plenty. Don't get me wrong. I'm not saying, like, the U.S. never does anything. Absolutely not. There's brilliant people in the DoD, I've met brilliant people in the NSA, and I know they exist, and I know that they're doing something, right?

Justin Beals: Well, I always think about the Iran hack with the nuclear fission material, where they airdropped USB sticks into parking lots that people, you know, just randomly picked up and plugged into a computer. And then they changed the centrifugal force by a very small amount. They kept wondering why they couldn't get it, you know, get it to run.

Well, they couldn't get the fissile material that they were looking for. So they're obviously, I mean, that's creative as hell. That's a good one. Yeah. That's a good one. Yeah. I gotta say,

Alejandro Caceres: that's a good one. 

Justin Beals: Alejandro, I'm very sad, but we, we are nearing the end of our time that we have for this particular episode.

I want to express my gratitude for a couple of things. First off, I want to express my gratitude for your willingness as a human, as an individual to join us and talk about this. I think that we should talk about it more. And I also want to express my gratitude. For your considering like the broader implications of this type of work.

And I think it's an important conversation. I don't think you or I think we have all the answers in the world, but having the talk is at least really important. So thank you so much for joining SecureTalk today. And I would love to do this again in the future, where we can talk about how things are emerging.

Alejandro Caceres: Yeah. Thank you. 

Justin Beals: Excellent. 

Alejandro Caceres: That was good to be on here. Thanks a lot, man.

Justin Beals:  Our pleasure. SecureTalk listeners, we'll keep bringing you  exceptional guests, these great discussions, and we'll see you again in another week.
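The reconnaissance step Caceres describes in the episode, running traceroute from vantage points spread around the target and looking for the hops that every path shares, as an added example that is not code from the episode, from Caceres or from Hyperion Gray. The traceroute output below is constructed for the example using documentation address ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24); the vantage-point names, hop addresses and target are hypothetical, and nothing is sent on the network.

```python
"""Find the hops shared by every path into a target: the choke points.

Added example. Runs offline on constructed traceroute output; the addresses
come from the RFC 5737 documentation ranges and describe no real topology.
"""
import re
from typing import Dict, List, Optional

# One hop line of Linux/BSD traceroute output, in any of these forms:
#   " 5  gw.example.net (203.0.113.1)  40.1 ms  39.8 ms  40.3 ms"
#   " 5  203.0.113.1  40.1 ms  39.8 ms  40.3 ms"          (traceroute -n)
#   " 6  * * *"                                              (no reply)
HOP_RE = re.compile(
    r"^\s*(?P<ttl>\d+)\s+"
    r"(?:\S+\s+\((?P<ip_named>\d+(?:\.\d+){3})\)"
    r"|(?P<ip_bare>\d+(?:\.\d+){3})\b"
    r"|(?P<timeout>\*))"
)


def parse_traceroute(text: str) -> List[Optional[str]]:
    """Return hop IPs in TTL order; None marks a hop that never answered."""
    hops: List[Optional[str]] = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # "traceroute to ..." header or unrelated output
        hops.append(m.group("ip_named") or m.group("ip_bare"))
    return hops


def choke_points(paths: Dict[str, List[Optional[str]]], target: str) -> List[str]:
    """Hops present on every path, excluding the target, in first-path order.

    A router that every vantage point traverses is a single point of failure
    for reachability. The target is excluded because it ends every path and
    would otherwise always be reported. Unanswered hops (None) are ignored,
    since a silent hop cannot be matched across paths.
    """
    if not paths:
        return []
    on_every_path = set.intersection(
        *({hop for hop in path if hop and hop != target} for path in paths.values())
    )
    ordered: List[str] = []
    for hop in next(iter(paths.values())):
        if hop in on_every_path and hop not in ordered:
            ordered.append(hop)
    return ordered


def analyze(raw_traces: Dict[str, str], target: str) -> List[str]:
    """Parse one traceroute capture per vantage point and report choke points."""
    return choke_points({vp: parse_traceroute(t) for vp, t in raw_traces.items()}, target)


# Constructed captures (hypothetical): three vantage points reach the same
# target and every path funnels through the same last two routers.
TARGET = "203.0.113.10"
SAMPLE_TRACES = {
    "vps-west": """traceroute to 203.0.113.10 (203.0.113.10), 30 hops max, 60 byte packets
 1  192.0.2.1 (192.0.2.1)  0.4 ms  0.3 ms  0.3 ms
 2  192.0.2.254 (192.0.2.254)  1.2 ms  1.1 ms  1.2 ms
 3  198.51.100.5 (198.51.100.5)  20.8 ms  20.5 ms  20.7 ms
 4  198.51.100.9 (198.51.100.9)  31.0 ms  30.9 ms  31.2 ms
 5  203.0.113.1 (203.0.113.1)  88.3 ms  88.1 ms  88.4 ms
 6  203.0.113.2 (203.0.113.2)  89.0 ms  88.9 ms  89.2 ms
 7  203.0.113.10 (203.0.113.10)  91.5 ms  91.3 ms  91.6 ms
""",
    "vps-cn": """traceroute to 203.0.113.10 (203.0.113.10), 30 hops max, 60 byte packets
 1  192.0.2.33  0.5 ms  0.4 ms  0.4 ms
 2  * * *
 3  198.51.100.77  12.1 ms  12.0 ms  12.3 ms
 4  203.0.113.1  40.2 ms  40.0 ms  40.1 ms
 5  203.0.113.2  41.0 ms  40.8 ms  41.1 ms
 6  203.0.113.10  43.7 ms  43.5 ms  43.9 ms
""",
    "vps-east": """traceroute to 203.0.113.10 (203.0.113.10), 30 hops max, 60 byte packets
 1  gw.example.net (192.0.2.100)  0.6 ms  0.5 ms  0.5 ms
 2  198.51.100.9 (198.51.100.9)  25.3 ms  25.1 ms  25.4 ms
 3  198.51.100.20 (198.51.100.20)  33.9 ms  33.7 ms  34.0 ms
 4  203.0.113.1 (203.0.113.1)  95.2 ms  95.0 ms  95.3 ms
 5  203.0.113.2 (203.0.113.2)  96.1 ms  95.9 ms  96.2 ms
 6  203.0.113.10 (203.0.113.10)  98.4 ms  98.2 ms  98.5 ms
""",
}

if __name__ == "__main__":
    for vp, txt in SAMPLE_TRACES.items():
        print(vp, "->", parse_traceroute(txt))
    print("choke points:", analyze(SAMPLE_TRACES, TARGET))
```

Hops that appear on only some paths (198.51.100.9 above, reached from two vantage points but not the third) are not reported, and a hop that times out is skipped rather than treated as a match, so the result is a conservative list of routers that every measured path depends on. The more vantage points you add, and the more diverse their upstreams, the more confidence that a hop surviving the intersection really is the only way in.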

 

About our guest

Alejandro Caceres, CEO, Hacker, Offensive Security Lead Tester, Hyperion Gray, LLC

Alejandro is a cybersecurity entrepreneur and the founder of Hyperion Gray. This company develops innovative combinations of technologies and disciplines to create new solutions to challenging problems across various areas, from web security to global social issues.

From a young age, Cáceres was drawn to the fascinating aspects of the internet world. However, he kept his identity a secret for years until he decided to come forward and share his experience with the world. Revealing his face marked a milestone in his career and the beginning of an intriguing story about how one person can challenge the digital barriers imposed by authoritarian regimes.
