I posted this in 2013. It's one of my favorite stories to let small defense contractors know just have much other people want the things you make for the government.
This is a true story.
Honestly, ya just can't make this stuff up.
I laughed like crazy when one of my friends told me this story. I had to pass it along. I'm going to clean up his language a bit. I'm crusty, and he's crusty, and the story was conveyed over a beer and cigar at local watering hole. I know some of the color might be lost, but here goes anyway...
This guy (I'll call him Jack), is the CISO of a roughly 3500 person defense (engineering) company that does about a billion per year in sales. Although I won't tell you what the company makes, I'll say they're a high tech.
Jack has a problem. Chinese spies (APT actors) basically live in their network. Heck, they come to work nightly when Jack isn't there, stick around for an eight hour shift, and log in and out as they need to capture new information. It's bad, but Jack is good.. very good.. but has a small team and although they work very hard to keep actors out, sometimes it just doesn't work out that way.
So one day, Jack gets pissed. He knows the actors use a tool to capture passwords from machines and when they do, they have free reign to do what they want. Worse yet, they capture credentials all the way back to last reboot. So Jack --a really pissed Jack, knows someone is going to read his (what should be private) password. So Jack changes his password, leaving a message for his attacker. You won't be able to translate this in Google, and for those of you who know me, I don't usually pull these punches, but in writing, on a blog, I'm doing my best.
The CISO's taunting new password:
Limp [insert sailor slang for 'Male Sexual Organ'] [insert ‘Racial Slur’]
The password, after the next ‘shift’ (24 hours later) was changed to:
“woshihaoren” (我是好人) --Spaced out Wo Shi Hao Ren means "I am a good person."
So this tells me two things. First, yes, someone is living in the networks and not afraid to interact directly with this (incredibly technical) CISO and his team, and second, OPSEC isn't always a concern --especially when they know they've got you and have free range of movement in your networks.
This isn't the first time I've heard about attackers living in a network, and I'm sure it won't be the last. This guy has been sharing some of the best intel on attackers that I’ve ever seen. While it’s true he’s got a real mess, it’s also true that he knows how to capture data, record actions, and repel when he does find them. Unfortunately he can’t be cloned (yet), and can’t work 24/7, but without a doubt, Jack is one of the best and he isn’t afraid to show others what he’s got going on, or help them with their own problems.