True Spies, Episode 81: The War Driver
NARRATOR: Welcome to True Spies. Week by week, mission by mission, you’ll hear the true stories behind the world’s greatest espionage operations. You’ll meet the people who navigate this secret world. What do they know? What are their skills? And what would you do in their position?
This is True Spies, Episode 81: The War Driver.
MATT DEVOST: I was the first person to hack into systems on an aircraft carrier while it was at sea. Same with a nuclear submarine. I was able to change the intelligence picture that the commander in the battlefield was looking at while he was deciding where to deploy tanks and where his planes were going to drop bombs. Basically, I'm a hacker for hire, doing work for the good guys, helping companies secure their environment.
NARRATOR: Did you know that every device you use that connects to the internet has a unique address - it’s called an Internet Protocol or ‘I.P.’ address. It’s how the internet identifies different computers, routers, and websites. Every I.P. address contains location information. Are you using an open WiFi connection right now? Maybe in a coffee shop, a hotel lobby, a public library? If so, you should know that, without private password protection, someone skilled in cyber espionage who wants to find you badly enough - someone like our true spy - can use that I.P. address to locate you. It can lead them right to you.
MATT DEVOST: My name is Matt Devost, CEO of OODA LLC. I get brought in to help people solve really complex problems, often with a cybersecurity or geopolitical nexus, so countering large-scale or sophisticated cyber crime or cyber espionage.
NARRATOR: Matt is a veteran of many cyber espionage ops involving wardriving.
MATT DEVOST: For those unfamiliar with wardriving, what it entails is that you go around with a laptop, special software, and an antenna to pick up WiFi signals - one person driving, one person operating the laptop - and it really is a bit of a shot in the dark because we were looking for open WiFi signals publicly accessible.
NARRATOR: And he’s the kind of hacker you hire if you need to find someone using their I.P. address.
MATT DEVOST: Where there used to be hundreds in a particular city, you now have thousands. It is crazy noisy because you're seeing all of these access points, just broadcasting the way that WiFi works. If you have an access point, it’s typically announcing to the world: “Here I am and here is my name. Do you want to connect to me?” So, what we were basically doing was driving around collecting that data.
NARRATOR: This story revolves around a cyber hunt for a needle in a haystack. Then, it follows the tangled thread from that needle as it winds around an international spy triangle - from a victim on one continent, through a mysterious go-between on a second continent, to a mastermind of corporate extortion on a third. It’s an example of the lengths that some entities are prepared to go to in order to secure a strategic asset. But first things, first. Our cyber espionage specialist is very keen to point out that he’s not an operative of a state security service.
MATT DEVOST: I'm not a spy. I know you've interviewed a lot of people who are actually CIA officers. I have never been an employee of the Central Intelligence Agency or other agency, but have worked closely with them in the past as a contractor and ran what was the private-sector equivalent.
NARRATOR: Matt is being a little modest here. While he may not be a spy in the strictest sense of the word, within the world of cyber espionage he’s a bit of a legend.
MATT DEVOST: The portion of work that I do is seen as almost black magic to the traditional spies, resulting in them thinking that I'm the most dangerous person that they know. And I think that they're the most dangerous people that I know because we have this swap of skill sets.
NARRATOR: Matt’s superpower is breaking into computer systems and he has a self-confessed weakness for phones - lots of phones.
MATT DEVOST: Whenever I travel with the real spies, the CIA veterans etc., I'm the comms guy. I am the guy with 10 phones. I'm the guy that they're reaching out to make sure that their mobile phones are secure and what applications that they should be using.
NARRATOR: Over the years Matt has built up a clientele and a reputation for being able to help people out of sticky situations.
MATT DEVOST: So countering large scale or sophisticated cyber crime, or cyber espionage, or working with companies to identify the risks in their environment as a ‘red teamer’, which basically means that I'm a hacker for hire, doing work for the good guys, helping companies secure their environment.
NARRATOR: Which is why the client in this story - a US-based multinational corporation - came to Matt when a rather sticky situation started to develop between them and one of their African subsidiaries.
MATT DEVOST: I got a call from an executive at the firm [saying] they had this complex problem that they were trying to solve around what was a very interesting extortion-like series of emails that they had received.
NARRATOR: Of course, that word ‘interesting’ depends on your point of view. To the client, it looked like a worrying and potentially financially damaging case of extortion.
MATT DEVOST: We knew it was going to be tricky based on some things that had confronted this company in the past that were related to cyber espionage and some assets that they controlled in Africa.
NARRATOR: So, Matt had a corporate client who was being made to feel distinctly nervous that someone knew all about the vulnerabilities of one of their African assets. But what does he mean by ‘asset’? Because of client confidentiality, Matt isn’t able to reveal what kind of asset, the country in Africa, or even the region of the African continent. But let’s just say it was some kind of strategic natural resource. An anonymous informant was sending Matt’s client emails, containing information that no one outside of the company should have, hinting that they could potentially release this information to the world. Information that - should it become public knowledge - would cause Matt’s client a serious headache. There was a significant risk of extortion developing. Somehow the identity of this informant and the origin point of the leaking information needed to be tracked down and the underlying motivations uncovered. But where on earth would you start in a case like this? But let's park this story with Matt’s American-based client, the client’s African subsidiary, and the threatening emails for one minute and find out more about our true spy. How did Matt acquire this in-depth understanding of the world of cyber espionage in the first place? And what drew him into that world? It all began back in Matt’s school days. When most kids were trading the latest collectible cards, Matt and his pal made an altogether more unique transaction.
MATT DEVOST: I was really an outdoorsy kid that also had a nerdy streak. I grew up in a very rural area in Vermont, was educated in a one-room schoolhouse up until sixth grade, and really got my first encounter with a computer when a new kid moved to town who had one. And I was able to trade him a hunting rifle because we were all hunters and fishers and going out snowshoeing and cross-country skiing. And he wanted to partake in those activities.
NARRATOR: That schoolboy wheeler-dealing pulled Matt into a whole new world.
MATT DEVOST: I was curious as to this computer that he had. I think by nature I'm a purist with regards to the word ‘hacker’ in that it basically means someone who wants to understand how technology works and will dissect it or break it in order to understand that or to make it better.
NARRATOR: Right from when Matt received that very first computer, he was looking for ways to get it to operate outside the normal parameters.
MATT DEVOST: Of course, our technology was fairly limited at the time, but that was certainly a passion of mine. If there was a program that I found in a magazine and I typed it up into my Commodore 64, what could I do to make it better? What could I do to change variables and adapt the program for my own use?
NARRATOR: So, from an early age, Matt had a hacker’s mindset. But his real epiphany came a little later in his education.
MATT DEVOST: I had this weird ‘ah ha’ moment, I was in college. I was studying computer science and political science, but in political science I had a focus on national security threats and even more focused on what we call asymmetric or gray-area phenomena like terrorism, etc. And I knew from my computer science work - and my contact with the hacker community, and seeing what was happening - that these technologies that we were building were incredibly vulnerable to attack.
NARRATOR: By ‘we’ Matt’s talking about the United States government and any companies or agencies engaged in legitimate activities. And in this second, more significantly seismic ‘ah ha’ moment, Matt realized just how vulnerable technologies could make society. Any society, American or otherwise. So he began writing and speaking about the threats of cyberattack and information warfare. This attracted him a fair amount of attention and some pretty spectacular graduate job opportunities.
MATT DEVOST: Yeah, the first job that I had out of grad school was working for a defense contractor where I set up and ran the first ‘red team’ for the Department of Defense that allowed me to travel anywhere the Department of Defense was located and hack into classified or unclassified systems. And then I would brief the commander of that particular location with regards to what they needed to fix.
NARRATOR: A red team emulates a cyberattack. For example, they might behave like a cybercriminal trying to steal money from a bank, including taking money out of the bank to show it can be done. In Matt’s case, after stealing the money he sits down with the bank security team and teaches them how to secure their systems from that kind of future attack - and gives the money back.
MATT DEVOST: A red team becomes really an effective sparring partner. The analogy I always like to use is that if you were scheduled to box against Mike Tyson in a boxing match, would you want to train just in a gym hitting a static punching bag, or would you want to have a sparring partner that would emulate a real attacker, that could emulate Mike Tyson and have you dodging punches and, kind of, learning how to operate in that space?
NARRATOR: Of course, it’s essential that the client trusts you not to run off with the swag.
MATT DEVOST: The question has come up dozens of times over the course of my career and I always tell the client that if my team were criminals, we wouldn't be working for an hourly rate targeting their bank. We would be living on a beach in Belize because we're very successful at what we do.
NARRATOR: Which, judging by Matt’s client base, has obviously been a compelling reassurance. And he was in the right place at the right time, beginning his career just when the large-scale threats of cybersecurity - or rather insecurity - were beginning to be widely recognized. Matt’s great timing - and rapidly growing cyber expertise - led to him having some pretty remarkable firsts for a 24-year-old.
MATT DEVOST: I was the first person to hack into systems on an aircraft carrier while it was at sea. Same with a nuclear submarine. I was able to change the intelligence picture that the commander in the battlefield was looking at while he was deciding where to deploy tanks and where his planes were going to drop bombs. So, it really allowed me to attract attention to just how big the risk was.
NARRATOR: Matt certainly did attract attention. His skills were taken up by those at the highest levels of the military.
MATT DEVOST: I then also parlayed that into creating a red team that basically worked as the cyber adversary during classified coalition missions. So what we would call ‘five eyes’ exercises - US, Canada, Australia, New Zealand, and the UK.
NARRATOR: In these exercises, Matt played the cyber bad guy.
MATT DEVOST: It was tremendously exciting because we were running these operations out of a warehouse in Virginia Beach and then one year I was in the back of a tractor-trailer that we converted into a kind of a Mission Impossible-style command center outside of Blandford, UK. So it was really exciting to be able to travel around and engage in these red team operations. I got to work with fascinating military commanders because this was a topic area that was so new.
NARRATOR: All great experience in learning how to exploit cyber insecurities and, more importantly, how to think like a hacker to advise clients who need protection. If you want to use a thief to catch a thief, Matt is the closest thing to a thief who you can actually trust. Let's go back to the story we opened this episode with. Remember, Matt was approached by a client representing an American-based multinational company with assets in Africa. And they were worried about one of those assets in particular because they’d started receiving anonymous emails showing that someone with inside knowledge was leaking sensitive information about the African subsidiary. A situation that, as we’ve said, could very easily turn into extortion. All we know is that in this triangular case of cyber espionage, bad actor ‘A’, an inside man within an African subsidiary owned by Matt’s client, was feeding sensitive information to a go-between ‘B’ in a location unknown. This go-between was sending Matt’s client the information in a way which suggested that they had the power to make that intel widely available. Intel that had the power to significantly damage the reputation - and potentially the net worth - of an asset Matt’s client was trying to sell. This was presumably being done at the behest of a shady and unknown instigator - let’s call them entity ‘C’. And in the beginning, all Matt had to go on were those quasi-extortionate emails the company was receiving. Where would you begin investigating a tangled web like this? Would you go to the African subsidiary looking for informant ‘A’? Or would you start by looking for instigator ‘C’ - the brains behind the operation? Matt had to use all his knowledge of how to hack into companies to try and find the culprits.
MATT DEVOST: We started with two parallel efforts. One was working with the company to identify if there were ways we could see how the information was leaking out of their network. This was a specific facility in Africa. It had its own kind of closed network. So, we started studying that network to see if there was a way that that information was being compromised that way.
NARRATOR: Having initiated a search for informant ‘A’ on the African subsidiary’s computer network, Matt turned his attention to go-between ‘B’. Because if he could track down the identity of either ‘A’ or ‘B’, that would likely lead him to instigator ‘C’. To hunt go-between ‘B’, Matt decided to use a passive form of email phishing. That’s ‘phishing’ spelled with a ‘ph’ - a type of online scam where a criminal will send you an email impersonating a legitimate organization - with a link that seems to take you to a legitimate company website. These messages often ask you to fill in information about yourself. But it’s a cyber trojan horse - and any information you send goes straight to the scammer. In this case, Matt didn’t need the go-between to respond. Cannily, he used something called ‘passive phishing’.
MATT DEVOST: We set a trap. Given the fact that the individual had emailed these documents in, we had an email address that we could correspond with. So we replied to the email but we replied with a web bug.
NARRATOR: Which is why you should never open an email - especially one with an attachment - from a sender you don’t know.
MATT DEVOST: It's similar to phishing but a little bit more passive than with phishing. You are typically trying to get the recipient to click on a link and go to a server - similar to if you receive an email from somebody and in their signature, they have their company logo. And there are two ways that logo might be displayed. The first is they might have technically attached it to the email as a file or they might have displayed it as what we call ‘inline html’, in that, that image exists on a public web server. And all that the email does is have the email code saying display this image in this email message. What we did was the latter.
NARRATOR: That bug was a white, one-by-one-pixel image, invisible to the recipient, and hosted on a server under Matt’s control. So all the go-between had to do was open the email.
MATT DEVOST: When the recipient opened the email, it gave us the I.P. address that they were currently located at when they opened that email address.
NARRATOR: Remember, that I.P. - or Internet Protocol - address is a unique identifier to the device being used - and potentially, its location.
MATT DEVOST: The trap worked and we now had the I.P. address for the person that was originating these emails that were of such concern.
NARRATOR: This was the first breakthrough. But where was this shady cyber-courier? London, Moscow, the Maldives?
MATT DEVOST: This go-between could have been anywhere in the world, but luckily I.P. addresses are somewhat geographically concentrated and what we realized was that the person that opened this email was right in our backyard. They were in Washington, D.C.
NARRATOR: Not quite what Matt had been expecting.
MATT DEVOST: It was definitely a surprise - given that we were working an international case around resources in Africa - to find that the sender of the email was located so close to our offices and the investigation that we had launched. So we knew that the I.P. address was in Washington, D.C., and we wanted to collect some intelligence with regards to where the recipient was when they opened it. Now, they could be sitting in a coffee shop or a public library or a hotel lobby.
NARRATOR: This was where wardriving came in. It might sound straightforward - cruising the streets with a car full of electronic gadgetry designed to pick up WiFi signals. But the sheer number of open WiFi access points made this like looking for a needle in an electronic haystack. And Matt didn’t even know if his target was using a public, open-access WiFi connection. If that go-between was using private, password-protected WiFi, the tracking effort would fail.
MATT DEVOST: Wardriving has become increasingly difficult to collect any useful information just based on the proliferation of WiFi access points. You might have multiple per household. And also, the protocol is much more secure. People are putting passwords or putting an access point. We have to put in a last name and a room number at a hotel in order to gain access to the WiFi. So, a much more difficult proposition these days.
NARRATOR: For this wardriving effort, Matt and his team used laptops loaded with special software and fitted with antennas. There are typically two or three people in the vehicle - someone to drive while the others operate the computers and software, searching through all the available WiFi networks in the target neighborhoods.
MATT DEVOST: So you can imagine driving around Washington, D.C. with this specialized equipment, an endeavor that I've done multiple times in assessments in the past. Looking for what was really a needle in a haystack. Would the I.P. address be something that was accessible via one of these public open WiFi access points? It really is a bit of a shot in the dark because you don't know this I.P. address could have been associated with the home router.
NARRATOR: Matt had managed to narrow down the search to a few specific neighborhoods in D.C. And he was expecting that the target would be using an impersonal, neutral location - like a coffee shop or library. A location with open access WiFi and an I.P. address that would lead Matt right to the front door. But just in case they weren’t, as well as driving the streets he was also doing what he calls ‘deep technical analysis’ on that I.P. address. And this is where he made a significant breakthrough.
MATT DEVOST: We found another technical indicator associated with that I.P. and we were able to narrow it down to a specific residence.
NARRATOR: In other words, Matt succeeded in tracing the go-between’s I.P. address to a specific house in D.C. Now he knew the actual house where the go-between was sending the quasi-extortionist emails from, it was surely just one more easy step to identifying the go-between? But that’s when Matt's investigation hit a bit of a brick wall.
MATT DEVOST: Unfortunately, the entity - the ID that we discovered associated with this I.P. - the address did not make any sense. There was no clear nexus whatsoever with regards to the investigation that we were conducting. It was just a normal person, no connection to the industry, no connection whatsoever. It just did not fit the profile of anyone of interest.
NARRATOR: They’d found themselves down a cyber cul de sac. Where do you go from here? Let’s recap. Cyber espionage expert and white-hat hacker, Matt, is trying to crack a challenging case of e-blackmail spanning three continents for a US-based corporate client. If he can unlock the identity of just one of the bad actors in this intercontinental spy triangle, he’ll be a lot closer to cracking the entire case. But he’s hit a wall. He’s traced the physical address where the emails are being received and sent by go-between ‘B’ - but it just looks like a normal family with no hint whatsoever of a connection to industrial espionage.
MATT DEVOST: And then the question becomes: ‘Do you have a cyber attacker that is using this person's WiFi access point in order to read these emails? Are they more sophisticated than we had anticipated?’ Because that is also common as well. I've worked dozens of cases where you narrow it down to a particular place and come to find out it's just that the WiFi is inadequately protected and the criminal has connected to the WiFi and is basically using that to obfuscate themselves. Was there someone who had been connecting to this WiFi access point that made sense in the context of this case that we were investigating?
NARRATOR: Would you have a clue where to search next? With ‘can-do’ tenacity, Matt and his team didn’t treat this situation as a problem but rather as an opportunity to do something different.
MATT DEVOST: We had to pivot and engage in additional analysis and open-source collection to see if we could find any reasonable reason why this I.P. address was associated with opening that email. In parallel with that, we were also doing what we call, a kind of deep technical analysis on the I.P. And that's where we got lucky. And we found another technical indicator associated with that I.P. and that technical indicator had an identity of a real person associated with it. Based on the ID of the person, the identity that we had associated with that I.P. address, so basically seeing other entities that had connectivity into that person and we ended up discovering somebody who happened to make a lot of sense in the context of the case that we were working.
NARRATOR: Here’s a translation of what Matt just said. What he did was comb through all the people that the go-between was exchanging emails with from that I.P. address, looking for someone likely to be connected with cyber espionage. And Matt’s team found that someone. But just what was it that made this person suspicious?
MATT DEVOST: They made a lot of sense because there was a link to China and monetary payments with regards to activities and business being done in China, and we suspected based on past activity targeting this company, that there might be a Chinese state-sponsored espionage nexus in this case. So, when we identified a person who had close proximity to this I.D. that had that nexus to China.
NARRATOR: When Matt says ‘nexus’ he means that the fingers of suspicion were all pointing to - and intersecting in China - specifically a Chinese company. The suspected go-between ‘B’ was being paid handsomely to go on speaking tours to China, lecturing on a topic he can’t reveal the details of - but ones he describes diplomatically as ‘relatively obscure’. In other words, the kind of topics you wouldn’t normally get large fees to speak about. Not only that, this person of interest was identified as having the kind of technical skill required to set up a disguised email address. An address of the type being used to send the quasi-extortion emails to Matt’s client. But in an intriguing twist, the go-between wasn’t doing this from their own home.
MATT DEVOST: So what we discovered based on this nexus was that the sender of these emails was actually using the WiFi at the in-law’s residence. So we had identified the in-law’s house based on the I.P. address. And instead of going to a coffee shop or a hotel lobby to read these emails, they were actually being read at the in-law’s house, which we thought was a fairly interesting dynamic.
NARRATOR: In what could be seen as thumbing a secretive finger at the in-laws, the go-between was carrying out their illicit activities from their spouse’s parents’ place. Perhaps they thought it’d be the perfect cover.
MATT DEVOST: It just seemed interesting that you would engage in this activity that was - I don't want to describe it as criminal. It was definitely questionable. You would think that you wouldn't set up your in-law’s house as being a place of origination for that activity. It is quite possible that they didn't get along with the in-laws. It is also quite possible that they got the alert that the email had been received and they just couldn't resist at dinner to go and check the email and thus were on the in-law’s WiFi when they did so. We will never know the exact dynamic that led to the email being opened at that particular residence.
NARRATOR: You may remember that Matt was pursuing a two-pronged attack in the hunt for African informant ‘A’. That second prong was to examine the communications of all the employees at the African subsidiary with access to sensitive information - looking for any messages that might point to the identity of informant ‘A’. It didn’t take long. Within just a few days, Matt and his team struck gold.
MATT DEVOST: Now, we turned our attention inward and looked at the logs for that company's network traffic to see if anyone had communicated with that individual. And now we had a much broader suite of identifiers. We had instant message usernames and we had email addresses beyond the one that was used to send these anonymous emails. We found something relatively quickly. We were looking at a lot of data, so it took a few days to sort out, but we did find where an employee at this facility was communicating over instant messenger with this person of interest that we had identified in Washington, D.C.
NARRATOR: A direct link from informant ‘A’ in Africa, to go-between ‘B’ in Washington D.C. They now had definitively identified two points of the triangle.
MATT DEVOST: Now we had an employee on the inside that was communicating with an outsider as a proxy that was again now communicating back to the company with these sensitive documents. So that employee and their access, and behavior on the internal corporate network - which, of course, if you have a company, the laptop and computer systems that are being provided to the employees are the company's property, so they are monitoring those devices and they are monitoring that network traffic. Now, we focused our attention on that employee of interest. We needed to find out why.
NARRATOR: The ‘why’ was crucial to the whole investigation. Matt needed to know what was motivating the leaks since that knowledge would very likely lead him to who was behind the entire espionage scheme.
MATT DEVOST: We basically collected all of the information regarding that employee’s network traffic. We found additional communications, and this is where it gets really interesting. We found communications with an individual in China that we believed - could not prove - to be associated with the state intelligence apparatus.
NARRATOR: This confirmed something that Matt had been suspecting all along: the involvement of a Chinese company who were trying to acquire the resources owned by the African subsidiary. At this point in his investigation, Matt was starting to close in on all three points of the cyber espionage triangle.
MATT DEVOST: Now, we had a direct communications link between the employee that was leaking the information. So, just to kind of adjust the chain, you have a suspected Chinese intelligence operative
NARRATOR: That’s instigator ‘C’.
MATT DEVOST: Communicating with an insider.
NARRATOR: We’ve been calling this person informant ‘A’.
MATT DEVOST: At this company that is collecting documents, sending them to a go-between proxy.
NARRATOR: That’s go-between ‘B’ in Washington D.C.
MATT DEVOST: Who is anonymizing them and sending emails to the company that had this kind of extortionist kind of perspective to them.
NARRATOR: If Matt could find out who was the source of the leaks in Africa, and more especially what the motivation was behind the leaking, he might be able to help his client prevent this type of activity from happening in the future.
MATT DEVOST: When we looked at the employee, it became a matter of trying to understand why they would do this. What type of operation was this? Were they being paid by this Chinese intelligence operative or was there something more nefarious at stake?
NARRATOR: So, Matt’s team went back into the material stored on informant ‘A’s computer on the lookout for anything that might provide some sort of explanation for the leaks. And there was indeed something more nefarious.
MATT DEVOST: The individual was actually engaged in illegal activity in the realm of child pornography. And we believe the intelligence operative had cued into that and was coercing the person into participating in this scheme. We pulled an image of the employee's computer for our team to analyze, and that is when they noticed that there was this illegal material that was on the computer.
NARRATOR: The moment they found evidence that informant ‘A’ was consuming child pornography, they knew they’d found the motivation behind the leaks. The instigating Chinese entity ‘C’ was using their knowledge of informant A’s criminal child porn habit to blackmail them into acting as a corporate spy. Because - should it come to light - that habit would not only be a career-ending disclosure, but would make informant ‘A’ the subject of a criminal investigation. Immediately Matt and his team followed a standard procedure in a situation involving child pornography.
MATT DEVOST: At that point for us, given the sensitivities of the crime and having worked with law enforcement on similar cases in the past, we instantly shut down everything. The law is very, very clear that in an investigation when you encounter this material, you basically shut down the machine that you're working on and you secure the evidence for law enforcement. So that's what we did at that point in time. We maintained the chain of custody on the evidence. We shut down all of the investigation material that we had around this employee's computer. The actual computer itself was seized by law enforcement and it became a criminal case with regards to the child pornography.
NARRATOR: But why did instigator ‘C’ go to this much trouble? At the bottom of it all was an intelligence operation designed to make the resource owned by the African subsidiary troublesome. In fact, so troublesome that it would become less attractive to potential buyers and ultimately, nice and cheap for the Chinese entity to acquire.
MATT DEVOST: So, you have this fairly complex triangle that takes place. Of Chinese intelligence, finding a vulnerable employee, getting that vulnerable employee to engage in this nefarious activity, having a third party serving as the proxy go-between that is sending this information into the company in the hopes that the company will view this resource as something that is troublesome, something that is a headache, and accelerate the potential for this asset to be acquired.
NARRATOR: The Chinese company was hoping that a quick, cheap sell-off for an apparently troubled African asset would seem increasingly attractive to the US parent company. Matt’s intel prompted his client to take swift action because it turns out that this wasn’t the only resource they owned that was being targeted in this way.
MATT DEVOST: So the company found it to be incredibly insightful and it also allowed them to focus some of their activities with regards to their security posture around other assets because they knew that they were directly being targeted. And actually, as a result of this investigation, we did find other instances in which state-sponsored cyber attackers were actively penetrating the company and trying to get access to information again all around, trying to create favorable market conditions for them to acquire resources in Africa. What we found was they were engaging in this nefarious activity with the sole intent of trying to decrease the acquisition price for these assets to be sold in Africa and making the company more susceptible to wanting to sell them.
NARRATOR: Luckily, Matt’s unraveling of this tangled three-way operation alerted his client to just how valuable the company’s assets really were. They backed out of selling the particular asset Matt had been working on as well as some other similar sales. And it prompted the company to completely re-evaluate their activities and expectations about who they’d work with and sell to in the region going forward. Despite his varied career, Matt hasn’t seen too many cases quite like this.
MATT DEVOST: It was unusual. We do see an incredible amount of just straight-out espionage and stealing of intellectual property. In this instance, there was no real intellectual property to steal. It wasn't like this company had invented a new medical device or a new network technology. It really was the value of the asset. So this was the way that they engaged in cyber operations to try and expand their reach and presence and resources under their control.
NARRATOR: This case certainly made Matt realize there’s a whole new modus operandi at play.
MATT DEVOST: It was eye-opening how deep the cyber element of this was and the use of multiple parties as kind of proxies finding the employee, finding this third party to transmit.
NARRATOR: To this day, the Chinese company’s ulterior motives aren’t known for sure but Matt has his suspicions.
MATT DEVOST: The stakes around some of the national strategic objectives where you have this connection that exists between a nation-state like China and their private sector - even some of their state-owned companies with regards to their global expansion - that they're willing to engage in this cyber espionage activity to pursue their own advantage. And it was something wherein working with Western intelligence communities is just not something that was done. So it was a different perspective, a different global perspective with regards to how these operations were going to be used now and in the future.
NARRATOR: But what about ‘B’, that go-between passing on the leaked information from the in-law’s place in Washington D.C.? What happened to him or her?
MATT DEVOST: To this day, I do not know how things ended for the go-between. They were simply a proxy and there was no real evidentiary trail of any wrong or criminal doing. They were the senders of an email with concerning information. So, at that point, we believe that they were just being used as almost a tool for hire, proxy for hire, that they were likely isolated from the true intent of the activity.
NARRATOR: There’s no knowing for sure but it’s quite possible that the go-between was being used not only to pass on the information, but also to conceal the trail to the true instigators and what was really in play.
MATT DEVOST: It is possible that they were being manipulated to that extent as well, that maybe they thought they were part of a whistleblower or leak-type initiative. It was a very gray area because there was no criminal intent that was demonstrated.
NARRATOR: Strictly speaking, there was nothing illegal about what the go-between had done. But did they suspect something?
MATT DEVOST: The fact that they had traveled to China and been paid by Chinese entities definitely raised our ‘spider-sense’ a little bit with regards to exactly how ignorant they were as to the situation.
NARRATOR: Matt admits to briefly having doubts about his ability to solve this case.
MATT DEVOST: There were multiple points where we felt like we weren't going to crack it when we had what we believed to be a great identifier for where the email was opened and we couldn't figure out any nexus for why that individual would be involved.
NARRATOR: It was sheer tenacity combined with Matt’s red team training that got him to that successful outcome.
MATT DEVOST: I often say that the best investigators for activity like this are the red teamers because what we can do is put on the hat and say if we were engaging in this activity, what would we do? And that allowed us, I think, to be able to pursue this trail of evidence all the way down to its final conclusion.
NARRATOR: A very successful conclusion and in pretty short order.
MATT DEVOST: Everything had concluded within the course of about a month from when I got the first phone call from the executive to when we closed the laptop and put it in an evidence bag for law enforcement.
NARRATOR: Time for some self-congratulatory pats on the back then?
MATT DEVOST: It is a fun feeling, right? Because you feel like you have solved a very interesting case. We've helped a client, which is the reason why in our office we had a fully operational whiskey bar. So in an instance like that, typically the team that was involved would go to the whiskey bar, and we would pour a shot and have a toast. And then we put down our glasses and go work on the next case.
NARRATOR: If you’ve enjoyed this episode - you might enjoy other True Spies stories on cyber espionage like Olympic Games with Eric Chien and Liam O’Murchu on their discovery of Stuxnet - a digital weapon designed to attack the physical world. And Trade Secrets, when we met the cybersecurity experts who defended a cyberattack on the world’s largest semiconductor producer in Taiwan. I’m Vanessa Kirby.
Matthew Devost is an international security expert specializing in cybersecurity, counterterrorism, and issues related to risk management. He is also the CEO and co-founder of OODA. For 14 years, Mr. Devost was an adjunct professor at Georgetown University teaching the graduate course Information Warfare and Security.