A successful hack on semiconductors could cause mayhem worldwide - not just to health care services or power grids but also by disabling cars and laptops. That’s why the tech experts at CyCraft - Chad Duffy and C.K. Chen - are determined to stop cyber-terrorists from infiltrating the semiconductor industry in Taiwan, one of the world’s biggest. But where is the threat coming from? And how close have hackers come?

True Spies Episode 59: Trade Secrets

DISCLAIMER: This episode expresses strong language throughout. The views expressed in this podcast are those of the subject. These stories are told from their perspective, and their authenticity should be assessed on a case-by-case basis.

NARRATOR: Welcome to True Spies. Week by week, mission by mission, you’ll hear the true stories behind the world’s greatest espionage operations. You’ll meet the people who navigate this secret world. What do they know? What are their skills? And what would you do in their position? 

CHAD DUFFY: If you're able to alter or do anything to a semiconductor, there's hardware attacks. There's all sorts of things to where, either you can leak data from the semiconductor so you can steal someone’s data, or you can put your own malicious things in there. If you knew where the weaknesses were in these things, to interrupt the processing on these devices, then I think this would cause untold mayhem. 

NARRATOR: This is True Spies Episode 59: Trade Secrets.

CHAD DUFFY: I would definitely not feel safe traveling to Hong Kong. I pretty much guarantee that if I were to go somewhere in China you would not hear from me again.

NARRATOR: We don’t want to alarm you, but whatever platform you’re using to listen to this episode of True Spies has probably been compromised.

CHAD DUFFY: All prevention is going to fail at some point. And all of these mechanisms you put in place, no matter how many put in place, a hacker will find a way to get through - whether or not having some weird scan of your retinas. Whatever we put in place a hacker will find a way around.

NARRATOR: Hacking. You’ve seen it in the movies but don’t be mistaken. This isn’t Hollywood. This is the story of a real-world attack with very real-world consequences. An attack that not only threatened Taiwan’s most high-profile industry - semiconductors - but the country’s entire economy. Or worse, in the right hands, it could have brought essential services to a halt, an industry to its knees. 

CHAD DUFFY: You're looking at power grids, and hospitals, and controlling water flow, and things like that. If you start to mess up those systems, you can cause major damage somewhere.

NARRATOR: I bet you thought semiconductors were boring. It’s not like we’re talking about a nuclear facility or a missile base after all. But think of them as the foundation of almost all the technology you enjoy today - your car, your computer, and even your washing machine. And yes, nuclear facilities or missile bases too. And the companies based in Taiwan don’t just produce the raw materials. They make the chips and processors - the brains - that power our digital lives. Control those chips… control the world? Maybe. And it’s our spies’ job to ensure that we don’t find out the hard way.

CHAD DUFFY: Right now, every organization is open to attacks because of the internet, and so one of the biggest threats out there is something called an APT, advanced persistent threat. And we specialize in, basically, stopping those.

NARRATOR: Fortunately, for every ‘bad’ hacker, there’s an ethical one waiting in the virtual wings to combat them. This is where this week’s spies come in. They’re what’s known as ‘white-hat hackers'. The good guys.

CHAD DUFFY: Hi, I'm Chad Duffy. I'm the global product manager for CyCraft technology, a Taiwan-based cybersecurity firm.

C.K. CHEN: I'm C.K. I’m the senior researcher in CyCraft, leading our research team.

NARRATOR: Before we proceed, make a note of that term Chad used. APT - or advanced persistent threat - because you’re going to hear it a lot. It’s bad enough to have any kind of attack on your business, but when it reaches several of the most prolific producers of semiconductors in the world at the same time, that’s alarming. This episode’s heroes might be experts in their field, but they weren’t expecting a virtual raid of this potential size and scale to land in their laps. They’re used to dealing with day-to-day security issues and keeping their clients’ most valuable assets safe from prying eyes.

CHAD DUFFY: It's an arms race. We learn how to stop, they find a new way. We learn how to stop. They find a new way. And that just keeps going on.

NARRATOR: Chad and C.K. are like any good cop duo. One is our seasoned pro with experience at large global tech companies and the US Department of Defense. The other? He’s the streetwise young maverick with the local intel. And, like all good crime fighters, they don’t work alone. There’s a highly skilled support team behind them. Between 2018 and 2019 our cyber-spies noticed a lot of attacks popping up, all of them on semiconductor vendors.

C.K. CHEN: And then, when we go to investigate... we discovered this is an APT attack, an attack on many... maybe more than seven semiconductor vendors.

NARRATOR: Fortunately, our spies have spent years honing their skills.

CHAD DUFFY: There's a lot of different ways that an organization wants to check out its cyber-security posture and defense. So, one of these ways is ‘red teaming’. And what red teaming is, [it] is sort of a full-on tactical assault on defenses where usually, say, there's some sort of goal ahead of time that you want the red team to achieve. Like, maybe there's a database inside an organization, you want to check how secure this is. So you make that the red team's objective. And then, so ‘blue teaming’ is on the side of the defense, where you're running your defense practices and drills against this.

NARRATOR: C.K. is a natural blue teamer. He cut his teeth protecting the computer network at his university, working as a system administrator as part of his computer science studies. Field training is one thing, but like all good agents, our spies need to keep their skills sharp and adapt to new threats. Think about your phone or computer. How many apps do you have? Do you ever stop to think how secure it is before you download it? Now imagine a large corporation, with all its employees and different suppliers. Anything that has access to the network can pose a threat.

CHAD DUFFY: I think one of the big things in cybersecurity is that it's always changing. It's like the laws of physics are always changing. No matter what you think you have, an understanding of the system, it's never quite going to continue to be that way. So that's what makes the defense and detection - all this - so challenging.

NARRATOR: In recent years, Chad and C.K. started to notice an increase in supply-chain attacks coming their way. By infecting popular software or hardware - legitimate products in a corporation’s supply chain - hackers can piggyback their way into multiple networks like a digital parasite. Take ‘Stuxnet’, the mysterious virus that hamstrung the Iranian nuclear program. Listen back to True Spies Olympic Games to hear more about that. SolarWinds - a common IT management software - is a more recent example. 

CHAD DUFFY: We're talking about compromising tons of organizations that are using SolarWinds, including [the] US government, but also like FireEye [and] many other large, well-known organizations.

C.K. CHEN: Something interesting is, when we analyze SolarWinds malware, we find they’re trying to disguise themselves as a normal programmer, as a SolarWinds programmer.

NARRATOR: The hackers hide themselves within a normal program, in this case, SolarWinds. Needles and haystacks come to mind. But adapting to this increasingly common method of attack would prove to be crucial for Chad and C.K. as they tried to understand the threat that landed on their desks one fateful day in November 2019. This cyber-attack doesn’t begin deep inside a dilapidated warehouse hideout. There are no hooded figures hunched over laptops. No rock music playing in the background. It begins in a brightly lit, comfortable office just like the one you might go to every day. Except this one is on an island perched between the East and South China Seas. Specifically, the Hsinchu Science Park, about an hour southwest of Taipei.

CHAD DUFFY: There's a lot of large buildings and factories. Hsinchu is like [those] science park cities that look very modern, very up to date, with lots of new buildings. It looks like it was built, basically, yesterday.

NARRATOR: There are science park cities like this all over the island. They are where some of the brightest minds in technology go every day to make our electronics smarter and smaller. Hsinchu might not be unique to look at - it’s a fairly ordinary business park lined with neatly manicured hedgerows and glass-fronted buildings - but it’s a vital hub for the most important semiconductor companies in Taiwan. One of those companies is a client of CyCraft’s. We can’t share the name. That’s confidential. 

NARRATOR: And C.K. simply calls it Company A. All you need to know is that modern cybersecurity has evolved in recent years. No more staring at errors and alerts streaming across a screen. Today’s savvy white hat uses artificial intelligence to flag any suspicious activity.

CHAD DUFFY: So what we'll see is, basically, a certain set of alerts of unusual behavior come up on our end. And that triggers an AI analysis to go in deeper and look more at connecting dots for what's going on here. So, basically, once we see one, two, or three - because a lot of times you'll see an individual behavior, and that won't really look that suspicious - but once you see it in the context of other, more malicious behaviors, then the whole ball starts to come together a little bit.

NARRATOR: If you’re thinking the right move is to neutralize the threat immediately, think again. Like all good tradecraft, white-hat hacking relies on intelligence. Sometimes you want to let the attacker reveal their intentions. Perhaps they might leave a clue as to who they are or what their objective is?

NARRATOR: Chad and C.K.’s AI tool has indicated there’s a potential attacker, and caught it early enough that the villains haven’t been able to get very far into the network. 

NARRATOR: What’s surprising is that the hackers seem to have accessed the system using legitimate credentials. This isn’t as uncommon as you might think. All the hackers needed was to find a list of leaked usernames and passwords - something worryingly easy if you know where to look. This, at least, means they can follow that specific user’s activity and see what the intruders are up to. Confident that the hackers haven’t reached any critical infrastructure, our spies stand back and carefully observe. 

CHAD DUFFY: Hackers want to use the most convenient way and they don't want to burn whatever they don't have to. So, if I already know I have this valid account, then I'm just going to use that. You want to do the laziest thing that's going to get you to your goal.

NARRATOR: All Chad and C.K. know is that, right now, someone has a virtual foot in the digital door using stolen credentials. But that’s not going to get you much beyond some poor employee’s emails and maybe their calendar. Fortunately, if there’s one thing that computers are good at, it’s remembering things. Keeping logs or showing you what software was launched and at what time. Our spies notice that the attackers deployed their malware disguised as legitimate software. Remember the red and blue team training methods Chad mentioned earlier? The software in question is a popular tool that red teamers use to simulate a threat. But this time, it’s no simulation. By modifying a trusted application with some of their own code, the hackers were almost able to go unnoticed. Almost. If it weren’t for those pesky ‘lolbins’. 

CHAD DUFFY: So lolbins are 'living off the land binaries'. And binary just means an executable file on a given operating system. So to ‘live off the land’ is just to use the tools that are already there.

NARRATOR: Let me decode that for you. Another way to look at living off the land is pretending you’re a normal part of a computer’s operating system going about normal business. You might say it’s the digital equivalent of stealing a lanyard and casually walking through the front door.

CHAD DUFFY: And the reason why is, that makes detection a lot harder because these programs are already running anyway. And so, it's a lot easier for attackers to basically evade detection systems.

NARRATOR: C.K.’s blue-team experience kicks in and he’s quickly able to neutralize the threat. The hackers didn’t get very far this time but they left some small, vital clues. White-hat hackers are organized, collaborative, and freely share the code that their would-be attackers use to a website called VirusTotal. This helps other white hats detect and eliminate the threat with a simple search. And sometimes, it can also reveal that hack’s origins - the person or people behind it. So that’s what C.K. does, he uploads the malware to VirusTotal in the hope there’s a match.

C.K. CHEN: So when we get malware, we will first query this VirusTotal to check if this malware is being used to attack other organizations or not. 

NARRATOR: But when they check, they discover there is no information that corresponds with this malware in the VirusTotal database. 

C.K. CHEN: That means this malware is quite new, and maybe it's customized only for this attack.

NARRATOR: Well, it was worth a shot. But for now, Company A is in the clear. Chad and C.K. can tidy up their client's system and provide them with an incident report. Job done? Not quite. C.K.’s just told us the malware is unknown. The fact that it wasn’t listed anywhere was worrying. That indicated this was a new threat, or as Chad and C.K. suspected, a cocktail of existing ones, repackaged and tuned to intentionally attack the semiconductor industry. This meant this wasn’t a general virus that happened to infect their client. It was a deliberate, targeted attack. But who? Why? And what did they want? Our spies didn’t have to wait long for another opportunity to figure that out.

CHAD DUFFY: Not very much later, we get clients coming to us saying: “Hey, we need some help.” And they say: “We need an incident response.” And they come to us and we sort it out, and we start to look and see some similarities between this attack. And this occurred within a two-month period.

NARRATOR: Chad and C.K. soon made a startling discovery. This second semiconductor company had apparently been hacked for over a year, with the cybercriminals coming and going as they pleased. Bad news for Company B, but a lucky break for our intrepid white hats. If the hackers have spent this much time poking around their victims’ computer network, there’s a far higher likelihood of them having left a vital clue, a digital thread that can be pulled on. 

CHAD DUFFY: A lot of times what you see in, like, spies, you'll hear terminology like ‘false flag operations’, things like that. A lot of that stuff still applies in the cyber world. That one thing that we have to be careful of with attribution, for example, is we've seen times where maybe we see an attack that's made to look like it's coming from one organization because they might leave behind certain artifacts such as language artifacts, or adjusting times of things. There's all sorts of other variables of the attack that can be considered.

NARRATOR: What Chad’s saying here is important, because the next few discoveries would invoke their worst fears. Company A’s in-house blue team shared some small, but significant information about the hackers. 

C.K. CHEN: We find out their working hours are from 8 am to 8 pm.

NARRATOR: So, Clue 1: they work from 8 am to 8 pm. Clue 2: they’re in Universal Time +8. I wonder where in the world that is?

CHAD DUFFY: So we say 8 to 8, but it's often 9 to 9 because they're a little bit late getting to work and then getting off. That's 9-9-6. And working on Saturday is really common. This 9-9-6 schedule is common in the tech industry in China.

NARRATOR: And that wasn’t all.

CHAD DUFFY: Another thing that I did when I was looking over the data was that we noticed during October, [when] especially there's a big holiday in China during that time, and this is where the hackers really had a rest.

NARRATOR: The first week of October includes Chinese National Day. During this holiday, also known as Golden Week, workers enjoy several days off to celebrate the founding of the People’s Republic of China.

CHAD DUFFY: And, actually, this is common to a lot of attacks you're going to see coming out of China... is that the holiday, they take it really seriously. They do not work during that time. So that's also a really good part of the plan often because that's when they can see if their persistence mechanisms, everything is still working when they come back. What's been discovered, what's not been. And they can say: “Okay, now I can really launch the rest of my attack to move towards my exfiltration target after this holiday.”

NARRATOR: This presented another problem. Chad and C.K. knew this clue could be a false flag. A clue deliberately left to throw our cyberspies off the scent. It wouldn’t be hard to do. But mainland China and Taiwan’s history is complicated, so they need to proceed with caution before making any accusations. Time for a quick briefing. 

To China, Taiwan - an island to the southeast of mainland China - is a rogue province, one that it wants to reclaim. For most locals, however, Taiwan is an independent democracy, a situation they’d very much like to preserve. The conflict started in 1949 during China’s Civil War. The ousted leadership found exile on the island of Taiwan and a long-lasting standoff began.
For decades, political tensions have remained high. By the early 90s, things were improving, with the then-Taiwanese government officially declaring the war with the mainland over. But only a few years later, during Taiwan’s first democratic elections, China set off missiles, making it clear that things were far from settled. All the while, the legal status of the island has been a constant source of dispute. Much to China’s chagrin, Taiwan would then go on to become a dominant force in the computing industry, providing many of the complex components that allow you to enjoy the luxuries of the connected world - technology that China has never been able to compete with.

CHAD DUFFY: This gets into this, the semiconductor industry, hugely because that's one of Taiwan's largest contributions to the global economy. And this is [where] China has been really falling behind - or not able to catch up - in terms of their semiconductor technology. So they've been, definitely, having a huge amount of attacks here not only for political reasons but also for industrial espionage. It's been many years since Taiwan was recognized as a country globally - well, not since the 70s - and so it's been China's idea to, at some point, retake Taiwan, this idea of one China. But Taiwan has been very independent - we're a democracy. We have our own president, currency, flag, all that sort of stuff.

C.K. CHEN: China and Taiwan have a very complicated situation and relationship. So, a lot of attack(er)s will use Taiwan their first time - to [test] their attack - because we have a similar culture. So, when they want to attack, it will be easier to start from Taiwan. So I will say Taiwan is the frontline for our cyberwar between China and other countries.

NARRATOR: In summary, even if you don’t know who your attacker is, if you work in cybersecurity - in Taiwan at least - your first instinct for attribution might be to look toward the twinkling lights across the Taiwan Strait. It also means you’re potentially acting as the testbed for a broader, global attack. If C.K. and Chad’s guts were correct, the implications of this threat were more than just corporate secrets. It was a matter of concern for us all.

CHAD DUFFY: So really, it's again about this sort of supply-chain issue because semiconductors are like almost hacking the very core of the digital supply chain. So if you're able to alter or do anything to a semiconductor, there's hardware attacks. There's all sorts of things to where, either you can leak data from the semiconductor so you can steal some data, or you can put your own malicious things in there. I mean, there's all kinds of things that can get done, so this really affects everybody today. I don't think there's, really, anybody that would not be affected by large semiconductor attacks.

NARRATOR: What Chad is dancing around here, is that if the Chinese government were able to get hold of all the blueprints for the chips and processors being developed in Taiwan, it could be a very bad thing indeed.

CHAD DUFFY: If you knew where weaknesses were in these things, and you were able to shut down - to interrupt the processing on these devices - then, I think that would cause untold mayhem. For example, imagine in the healthcare industry, or imagine just your car, or imagine any of these other things.

NARRATOR: And that presents a huge dilemma. The worst-case scenario? A world superpower holding the world’s computers hostage. Or it could just be after trade secrets for its own commercial gain. But that’s still a massive problem for Chad, C.K. Chen, and the semiconductor industry as a whole. This, of course, would be true for any attack from any country. But the diplomatic minefield that is Taiwan and China relations means an incorrect attribution could also be the spark that reignites decades-old political gunpowder. But, whoever the hackers were, they certainly knew what they were doing. 

Jargon alert: ‘administrator’ is one of the highest levels of access you can have to a computer. A domain? That’s a group of computers that perform functions together or are overseen by the same administrator. A skeleton key? That’s just regular, old, very bad news.

CHAD DUFFY: One thing we noticed was how they were able to inject a skeleton key. The hackers were able to basically put in a default account where if your password didn't match one of the known ones - but if it was the secret default one - that allowed you access at the administrator level to other computers on this domain.

NARRATOR: By sneaking a secondary ‘fallback’ password into the system, the hackers could freely log on and move around the network. They didn’t need to hack every single machine. They simply added a master password that unlocked everything. 

C.K. CHEN: So, in this moment, the hacker can use any account with the password to log into any system in your domain.

NARRATOR: Think about that... any account. The hackers now had a free run of the network. They could move over to more important endpoints as if they had a master key at a hotel.

C.K. CHEN: And also make our investigation more difficult.

NARRATOR: This is not what you want to hear when you’re suddenly tasked with protecting your country's most important industry. By C.K.’s account, at least seven of the semiconductor companies in Taiwan saw attacks around the same time. For a sense of scale, Taiwan’s top producer of semiconductors alone is estimated to account for half of the global market. The sector generates over $12bn a year in Taiwan. Right now, in 2021, there’s already a global chip shortage thanks to Covid-19’s impact on production. President Biden was forced to hold crisis meetings with industry leaders to address the issue. The situation is so bad, companies like Ford have had to suspend or reduce car production until the situation is resolved. Now imagine if you could disrupt this industry on purpose. This cluster of attacks means there’s a high likelihood of them being from the same group or organization, and they might have the keys to… everything? Frustratingly, Chad and C.K. could only know the specifics of what happened to Company A and Company B, but it wasn’t looking good. They discovered that the attackers encrypted some data from Company B before exfiltrating it, and that turned up another unusual clue. C.K. was able to reverse engineer the password they used and it was… interesting to say the least.

C.K. CHEN: F*** google.com.

NARRATOR: F*** google.com. The expletive password was more than just a micro-protest from the hackers. It was another vital clue. C.K. had been monitoring some of the other attacks going on at the same time, where this same password had been spotted by other white hats. This is why they share their intel: small details like this can make a difference. And the malware was hiding another secret.

C.K. CHEN: So we analyze this malware and find the location and authentication token to get into the Google Drive.

NARRATOR: An authentication token is exactly what it sounds like. Think of it as a key or a backstage pass. And on this occasion, 'back stage’ is a folder online containing something that looks like an instruction manual. A hacking 101. No spoilers, but as a reminder: in Taiwan, they write using traditional Chinese characters.

C.K. CHEN: They also had some simplified Chinese in this document. So, this gives us more strong evidence. In this group, there is at least one member that understands Chinese.

NARRATOR: That would indicate someone most likely in mainland China.

C.K. CHEN: And, in this document, there’s also reference to some very famous Chinese security website. 

NARRATOR: Okay, well it sounds like a fait accompli. Job done. But before you jump to conclusions, don’t forget what Chad said earlier about hackers sometimes leaving deliberate distractions - a false flag. Someone, or some group, could be setting the Chinese up.

C.K. CHEN: The attacker might fake themself (disguise themselves) as Chinese and launch this attack.

NARRATOR: You might be thinking: ”Why does it have to be the government? Couldn’t it just be a group of civilians using Chinese characters?” It could. In fact, the actual hackers are almost certainly not government employees. Not officially at least.

CHAD DUFFY: Inside of, not just China, but inside of many countries, you have all different types of threat actors and they're based off of their sponsorship and their purpose. So there are definitely ones that are government-run, and there are ones that are like quasi-government-run. So, you see a lot of people that might get trained through the government, but then they move on to a private, criminal organization(s). So they bring with them their techniques or their teammates. They have their own LinkedIn for this sort of thing.

NARRATOR: Yes, it’s 2021, so of course there’s a LinkedIn for quasi-government-sponsored hacking groups. The problem is they’re often loosely organized. Nebulous. And operate entirely in the shadows. But there are some groups that are well known in cyber-security circles. You’ve maybe heard of Anonymous. But what about APT41? Sometimes known as Winnti? Winnti isn’t as well known in the civilian world, but it’s a group that’s generally feared in cybersecurity circles. Highly skilled, well resourced, and - crucially for Chad and C.K. - based in China.

CHAD DUFFY: This Winnti group, it's not like one monolithic group, but it's probably a lot of subgroups with different objectives, and teams, and members are possibly shared, or techniques are possibly shared.

C.K. CHEN: So in this group, they may have some specialization of the work.

NARRATOR: Like any profession, hackers find their own specialization. Maybe you’re a pro at developing malware, or perhaps your skills are finding ways into a network.

CHAD DUFFY: So that's why they write notes to each other and pass them to each other. So they know how to operate their own tools.

NARRATOR: This is where things get complicated. Governments can be held accountable. Rogue hacking groups? Not so much. Conversely, Chad and C.K. don’t have the benefit of being anonymous. Especially because both of them are often quoted in the media suggesting a threat is coming from China. Despite all their clues and suspicions, it’s just too much of a gamble to firmly pin this attack on their neighboring giant. The risk is simply too high.

CHAD DUFFY: I would, definitely, not feel safe traveling to Hong Kong right now. I used to go to Hong Kong all the time. I'm quoted in Wired magazine as being, like: “Oh, yeah. This is highly likely to be coming from China.” And it's, yeah, I pretty much guarantee that if I were to go somewhere, China, you would not hear from me again.

C.K. CHEN: I like Hong Kong but I think it's hard to go to Hong Kong in the future.

NARRATOR: Thanks to their proactive work with Company A, Chad and C.K. were able to apply the same techniques to neutralize the threat on Company B. That, after all, is their more immediate objective. The long breach might have been a disaster for the client, but it provided vital clues about the perpetrators that can be shared with fellow white hats and provided copies of the malicious tools that can now be dissected, reverse engineered to help prevent future attacks should our mysterious hackers return. Now it’s a clean-up job.

CHAD DUFFY: One thing that we do is, we input agents on all of their machines, that kind of record activity and do analysis and stuff like that. And then after we do everything to clean it out, we'll rerun an analysis to make sure that we have actually cleaned everything out. And then, once that's fully done, then we'll also give policy recommendations to the organization. We give them full attack paths and storylines of everything that happened.

NARRATOR: While our duo’s immediate involvement in this hack had come to an end, there was a small, in-built problem. White-hat hackers rely on sharing solutions, but that means the criminal gangs also received a nice performance review, one they can use to patch any flaws in their attack.

C.K. CHEN: The race never ends. So when we publish some new defense mechanism, new detection mechanism, the attacker will try to bypass this mechanism.

CHAD DUFFY: Once we start to publish this information out there, and other groups start to track this organization, and then also track its behavior and stuff like that, we’re able to see similar attacks happening in Europe. And this really does fit the sort of model that we've been seeing over the past several years of certain threat actors in our region, maybe from China, will try here in Taiwan first. And then once they feel that they achieve some level of success from that, they'll move that over to Europe or elsewhere.

NARRATOR: They might have been able to prevent a full attack on Company A and spared Company B from further damage, but it’s a short-lived victory. A frustrating reality for Chad and C.K. is that they may never really know whether the attack is over or not.

CHAD DUFFY: These super, high-level attacks are very rare - speaking, based on a percentage of attacks - if it wasn't that way, then we wouldn't be able to have our modern economy right now. We don't get a notification from a hacker group saying: “Hey, guys, we've stopped.” They're not that cordial, I guess. So we just keep observing. We keep defending. We have to keep going because we really don't know the final motive, or destination, or whatever this hacker group is trying to do. You also always kind of question: did I do the work right? It's not so scientific in terms. I can't go out there and get the base truth all the time and go: “Oh, it is really exactly this.” So, when you put it out there, and then you find out that people are corroborating with your analysis, you're seeing the same thing out there in the world. I think that's really fortuitous.

NARRATOR: In late 2020, news reports emerged about another round of attacks on the island. The Taiwan Bureau of Investigation - Cyber Security Investigation Office - reported to the media that it suspected two well-known Chinese hacking groups that were able to infiltrate various government departments, with as many as 6,000 official email accounts compromised. Soon after, CyCraft published a report on its blog. The company’s own investigations spotted something worrying about the new hacks - the return of the skeleton key technique. As Chad and C.K. rightly predicted, it looks like the same attackers are back at it. All our spies can do for now, though, is keep a watchful eye and batten down the virtual hatches. If there’s a silver lining here for Chad, C.K., and the silent team behind them at least, it’s that this is all very good for business.

CHAD DUFFY: It’s so satisfying when you are able to do something like an attribution, or especially if you've looked at something, and you go back over you go: “Wait a second, oh, there's one other section now. This links back.” And you can figure out that it came from somewhere and has an association with something. That's really exciting for us because it makes something a lot more real. So I think that that's what we need to look at: what's going to be the next mutation on it? And then, where can you go from there?

NARRATOR: I’m Vanessa Kirby. Join us next week for another brush with True Spies. We all have valuable spy skills, and our experts are here to help you discover yours. Get an authentic assessment of your spy skills, created by a former Head of Training at British Intelligence, now at SPYSCAPE.com.


Guest Bio

Chad Duffy is a global product manager at CyCraft Technology based in Taipei, Taiwan. He’s a former software engineer and a graduate of the University of Texas, Austin. His colleague C.K. Chen is CyCraft’s senior researcher and a graduate of Taiwan’s National Chiao Tung University.
