Imagine James Bond.
Before Bond goes on a mission, he gets some vital equipment from Q.
On one mission, he got a special ring that had a way to emit an ultra-high frequency which, when put up to a window, shattered the glass.
On this mission, Bond snuck into North Korea undetected.
But imagine what kind of consequences there would be if he lost the ring while in North Korea.
If the North Korean government found the ring, they would analyze it, and they would discover its cutting-edge technology and possibly be able to reproduce that technology for themselves, essentially putting the technology in the wrong hands.
When analyzing the ring, they may even be able to track down its origins to MI5.
This would mean that just by finding the ring alone, North Korea could deduce that there was a British spy in their country.
This could cause numerous problems, maybe even a war.
In the Internet world where governments hack other governments, it's crucial to not let the enemy know you're there or capture your hacking techniques, because if they do, it could have devastating consequences.
This is Darknet Diaries, true stories from the dark side of the Internet.
I'm Jack Rhysider.
This episode is sponsored by Shopify.
Is there any better time to try out something new than at the start of a new year?
I love it.
I feel like I have permission to try learning a new skill or starting a new project or making new decisions.
But if you're feeling extra ambitious, why not do all three and turn 2026 into the year you started your new business with Shopify?
Shopify gives you everything you need to sell online and in person.
Set up fast with Shopify's built-in AI tools that write product descriptions and headlines and even help you edit product photos.
Millions of entrepreneurs have already made this leap, from household names to first-time business owners just getting started.
And even me, my t-shirt shop is on Shopify.
That's shop.netdiaries.com, and I love Shopify because of how easy it is for me to get my business online.
Marketing is built in too.
You can create emails and social campaigns that reach customers wherever they scroll.
So in 2026, stop waiting and start selling with Shopify.
Sign up for your $1 per month trial and start selling today at shopify.com/darknet.
Go to shopify.com/darknet.
That's shopify.com/darknet.
Hear your first this new year with Shopify by your side.
This episode is sponsored by DeleteMe.
DeleteMe makes it easy, quick, and safe to remove your personal data online at a time when surveillance and data breaches are common enough to make everyone vulnerable.
It's easier than ever to find personal information about people online.
Having your address, phone number, and family members' names hanging out there on the Internet can have actual consequences in the real world and makes everyone vulnerable.
Privacy is a super important topic to me.
So a few years ago, I signed up, and DeleteMe immediately got busy scouring the Internet looking for my name and then gave me reports on what they found.
And then they got busy deleting things, showing me what they got rid of.
It's great to have someone on my team when it comes to my privacy.
Take control of your data and keep your private life private by signing up for DeleteMe.
Now at a special discount for my listeners, you can get 20% off your DeleteMe plan when you go to joindeleteme.com/darknetdiaries and use promo code DD20 at checkout.
The only way to get 20% off is to go to joindeleteme.com/darknetdiaries and enter code DD20 at checkout.
That's joindeleteme.com/darknetdiaries, code DD20.
Guys, guys, listen.
This episode is pretty serious.
It makes all other episodes seem like child's play to me.
I'm even nervous to tell it.
I don't think I'm on any FBI watch list now, but I probably will be after this episode.
Let me ask you this.
Who is the most sophisticated hacking team in the world?
It's a team comprised of graduates from MIT and Carnegie Mellon, a team that has created the most cutting-edge hacking tools, a team that can utilize an almost unlimited amount of resources, resources like language interpreters, huge data centers, and supercomputers, a team that has a history of creating encryption methods and building the Internet.
Yes.
The hacking groups that are inside government agencies, otherwise known as nation state actors.
And most of what they do is considered top secret, so getting one of them to talk on this show is a very special privilege.
Nation state actors are an exceptional group of hackers because they essentially have a license to hack.
They work without the fear of legal retribution.
They are often tasked with stealing secrets or disrupting the target through connected networks, and it's important that all of what they do goes entirely under the radar and is invisible to the target.
Don't ask me how I found this, and don't ask me who.
But on this episode, we will hear a story from a person who has been in the innermost bowels of one of the most elite hacking teams in the world.
Yeah.
I spent almost fifteen years with the US government running offensive cyber operations, so I have many, many stories.
The only way they would agree to be interviewed for this show was if I kept them anonymous and disguised their voice.
So what you'll hear is actually a voice actor reading the transcript of the conversation I had with him.
You might wonder whether their story is true or not, and I'll tell you what I know.
I've been an InfoSec professional for over ten years, and at one point, my employer sent me to a threat intelligence training.
There, I learned all kinds of tactics, techniques, and procedures that some of the most sophisticated hackers use.
And while listening to this person tell their story, the tactics, techniques, and procedures they use match up exactly with what I learned in class.
So I can vouch for that part being true.
But for the rest of the story, I don't know.
I'll let you decide.
But you'll need some additional information.
Pretty much all governments have an intelligence department.
The US has the Central Intelligence Agency and the National Security Agency and others.
The goal of the intelligence department is to get information on enemies regarding threats to the nation.
This is done in the name of national security.
In short, governments spy on each other.
This shouldn't be news to you.
It's been happening for centuries.
In the past, spies would go undercover and physically break into places to extract secret data.
They were highly trained at being stealthy, being able to escape and evade, and were often excellent drivers.
But now governments rely on computers to communicate, store data, and create plans.
This exposes a whole new attack surface.
Instead of physically breaking into a building to steal documents, hackers can steal documents from the other side of the globe.
They do this to learn about an upcoming attack or gain knowledge of where the military is going or to steal plans of a top secret weapon.
Governments are actively hacking into other governments.
This is the new norm.
Governments have to take their cyber defense seriously, if for nothing else than to protect their data from other governments.
But what is it really like when a government hacks into another government?
Well, that's the story we're about to hear.
So let's ride shotgun along with our nation state actor to hear exactly how they hack into another government.
This should be exciting.
So strap in, and let's go for a ride.
First, let's get the mission.
A couple years ago, we had a tasking to go after a network that belonged to a foreign government agency.
Our task was to get access to it and gather specific information.
And the way nation state operations work is that the cyber elements of a nation state don't derive requirements unto themselves.
They get it from someone else.
You know, someone else in the government or an agency says, we think this information exists on that network.
Go get access to the network, but that's usually all the task is.
This task seems to only have a tiny amount of information.
We're only given a foreign government agency's name, some IP addresses, and a general idea of what data to grab.
This is nowhere near enough information to get started hacking into that network.
We don't know what tools to use or what computers to target once we're in.
We're gonna need more information.
And really, the big thing for nation states in particular is that not only is the goal, of course, to get access and collect your information, but overriding that goal is your need to stay clandestine.
So not only do we need more information, but we need to get it secretly.
There are many reasons to stay hidden when doing this mission.
First, there could be political blowback.
Another country could become furious if they caught us hacking into it.
Another reason not to get caught is because of the equities of our tools, exploits, infrastructure.
Just like James Bond can't afford to lose his top secret spying technology, a nation state actor also uses cutting-edge hacking techniques that they don't want the target to be aware of.
These hacking techniques can be very expensive and sometimes take years of research and are worth millions of dollars.
So, it's imperative that we stay as invisible as possible while conducting this entire mission.
Oh, and for this story, let's pick a random country to use as an example target.
So, let's go with the Peruvian Ministry of Foreign Affairs.
The actual target will remain anonymous.
The military sometimes uses the term kill chain to describe how an attack takes place.
So the military calls this the preparation of the battlefield, but the cyber sort of equivalent to that is the cyber kill chain.
This describes the different phases of a cyber attack.
I'm gonna explain what that means as we walk through this story.
There are seven phases to the cyber kill chain that must be conducted to complete an attack.
Phase one is reconnaissance.
In this phase, we need to gather information about the target.
Like I said, we have no idea what type of exploit to use or what systems to attack.
So we begin by collecting information.
Now I gotta figure out a way in.
So now it's things like passive reconnaissance and mapping.
So start figuring out what we can learn about this network without letting them know that we're trying to learn stuff about it.
Questions like, how big is the network?
What kind of systems are on it?
Hardware?
Software?
What kind of antivirus is deployed there?
What is my access vector?
So the team does a scan against the target network to see what is exposed to the Internet, and they begin mapping what's visible to the world.
They have a website.
They're hosting a web server that's within their environment.
So that's a box on the internet with like Apache Tomcat running on it.
Okay, so that's good to know.
So now I know that it's probably a Linux box and a web server that potentially has vulnerabilities I can exploit.
That's pretty interesting.
We find a couple of things like that.
Normally, most governments and organizations keep their Internet facing devices up to date.
This is important to do because an out of date system has a lot more security holes than one that's been updated.
But in this case, the web server was not fully patched, which means the team can use a known vulnerability to access it.
And we start to come up with some potential avenues.
So now we have a potential point of entry into this government's network, but that's still not enough information.
It's important to try to understand what exactly is in their network, and it would be nice if we had a map of where to go once we get in.
It would also be nice if we know who the people were at work in that office to get a sense of the team that's defending that network.
And there are some tricky ways of figuring this out.
The way we can do that is that IT and InfoSec people at large are pretty friendly, open, and somewhat stupid often.
So let's go with the Peruvian Ministry of Foreign Affairs.
Between Facebook and LinkedIn and whatever local Peruvian version of Facebook exists down there, I can probably find somewhere between 50 to 100 to hundreds of people that work at that organization that have profiles on those networks.
So I can start to collect full names and email addresses and maybe even position titles of people that work in there.
So I care about the IT infrastructure, the technical infrastructure.
So I'm looking for their IT people and their security people.
I bet I can find the systems administrator or database administrator, someone that does IT in that organization, who has announced on the Internet that they exist.
This is their name and email address, and this is what they do for that organization.
So once I start compiling all of that, I'm going to start looking for things that allow me to tie them to the organization, to the things they're using.
The best places to do that are, I mean, Google, but more specifically, Reddit is amazing for this.
And then the technical forums that belong to products.
For example, if I found on LinkedIn or Facebook that Bob is an IT administrator at the Peruvian Ministry of Foreign Affairs, this gives me Bob's full name and email address.
I can then use Google to search his name and email address.
I find things like Bob's posting on the sysadmin subreddit asking questions about why his Windows 2012 server is acting the way it is.
Or him asking questions like, I'm running a Windows 2008 R2 box.
That's my domain controller.
Do I really need to update or not?
Like, I don't really want to, but what does everybody think?
Should I do that?
And when I find postings like that, I can link them back to Bob.
I can confirm things like, oh, shit.
They're running a domain controller on a Windows 2008 R2 box.
That's fantastic.
We find things in, like, antivirus and security forums.
Since our target is to get specific data out of the network, it's likely that data exists in a database somewhere.
So the team looks through the people who work there to try to find the database administrator or DBA.
I found a DBA on Facebook or LinkedIn, and he's a senior DBA.
He noted that he's an expert on Oracle 11g.
Cool.
So I can assume that they're probably running roughly Oracle 11g inside their network.
And I have a team of people, I have like 15 people who do nothing other than spend eight hours a day for six to eight weeks searching, scouring the Internet to collect the names, email addresses, and phone numbers of the people that work for my target organization.
Slim that number down to the ones that work there in the particular roles that I care about, and then scour the Internet for everything they publicly put out there.
It has to do with anything technical, and that gives us little tidbits about what we can expect to find in the environment.
And after looking at the data we've collected so far, we have discovered an incredibly important piece of information.
I know the Oracle database that they have in their environment likely has the data that I'm supposed to be collecting.
So after 15 people have worked full time for two months gathering as much information as they can on the target, we now have a very detailed report.
We know who works there, what their roles are, what kind of systems they run, all the way down to the version of software on those systems.
We now have a pretty good picture of their environment.
Great.
So phase one is complete.
We now move on to phase two of the cyber kill chain, weaponization.
I can now go to my leadership, my management, the ones who ostensibly own the equities that I want to now use, and I can ask them for approval to do what I'm going to do.
The equities are hacking techniques used to access a network or exploits.
Some hacking techniques are known to the public and are easier to get approval for because they cost nothing to acquire.
And if you're caught using the exploit, it's hard to trace it back to us since anyone in the world has access to that exploit.
But some exploits are expensive and top secret.
These are harder to get approval for because if you get caught, the enemy could learn how to use your exploit.
But if you're caught using an exploit that nobody in the world knows about, it narrows down who could possibly have an exploit like that, which could result in the attempted break-in being traced back to us.
So I go to leadership and I say, I have this tasking from these people to go after this network.
Here's everything we know about the network.
These are the systems administrators.
These are the security people.
These are the names, email addresses, and phone numbers.
Based on data points a, b, c, d, and e, we believe they're using this sort of antivirus and this sort of hardware.
We know they run, you know, web servers using Tomcat.
We know based on some other forum postings that they got Oracle database instances running on the inside.
So we put all that together, and with those data points, I derive the tools and exploits that I need to use.
Knowing that before I get in, I can get approval to use implant x with exploit y that are specific to Oracle 11g.
So once I build out that case, I can get approval, and that approval is based on the risk posed to those equities given what I know about the environment.
So when I say I know that they are probably running this antivirus and these security tools, I can say that I have these tools and these exploits that I'm going to deploy in the network that are not detected by that antivirus and the security system that they have.
I had now mitigated the biggest risk of getting caught, right, which is AV or security systems flagging my tools or me throwing exploits.
And if I can do that, then I can get approvals to proceed and actually execute my operation.
So sixty days, ninety days go by, I built what's called a targeting package, and I've got operational approval to use the equities to complete the task.
So we now have a point of entry, a map of the inside, and know who to expect to be there when we arrive.
We also have all the specific exploits we need to execute this task.
This marks the end of our weaponization phase.
Phase three of the cyber kill chain is delivery.
We need to actually send the exploit to the system in the network.
This is where the mission begins to be dangerous.
From here on out, any misstep could have terrible consequences because it could mean being caught.
If we were James Bond, we'd now be fully geared up and ready for action.
So we figured out, here is the Internet-facing box.
The web server that they're using was not patched, wasn't updated, so I was able to actually use the known exploit to gain the right access to that machine.
Once I did that, I put an implant down on that machine because it was pretty safe.
It was actually a Linux server.
And the nice thing about Linux is that, you know, no antivirus.
Right?
So I'm not super concerned.
And especially because it's a web server, I don't worry about a user seeing the screen using it and seeing something weird going on.
But anyway, so I get down on that box, sit there for a little bit.
Everything looks pretty good.
I mean, there's not much to see.
It's a web server, and it's got a website on it.
Got a database back end to it.
Not a whole lot going on.
We are now in the foreign government's network.
We have successfully infiltrated it.
It's like we've snuck in the building, but we're only in the hallway.
Using the data we've collected in the last few months, we know we need to find the administrator's computer to gain control of it.
This leads us to the next phase of the cyber kill chain, exploitation.
Because if we can get on the admin's computer, chances are they have all the keys to the kingdom.
And by using their machine, we can access anything we want.
The nice thing about landing on a server like that is one thing that servers do have is admins logging into them to administer them.
And that admin is going to log in, and I'm probably gonna be able to capture his credentials, or that admin is going to establish an authenticated session between that server, in this case, the web server, and the admin's machine.
And I'm probably gonna be able to float across that authenticated session and move laterally to the admin's machine.
There's a variety of ways that you can do that, but suffice to say it's either I'm capturing his credentials because he's going to log in to administer, or I'm just going to use his authenticated session to move laterally over.
So the nice thing in this case was that we knew the admin, you know, like I said, we had done a month of open source research.
Because we knew we were going to be exploiting the web server, we knew who their website administrator was, we knew the team of people inside that network that were responsible for maintaining the website, the database that sat behind the website, all the code associated with the website.
We knew all these people.
Web developers are like the worst, right?
Like IT people post a lot of stuff on the Internet.
Security people post a little bit less stuff on the Internet, but developers and web administrators, they post everything on the Internet.
It's ridiculous.
So we found all of them and all their content, and we knew them all by name.
We had pictures of all the guys associated with the website.
We knew all these guys.
So what was great was that once we exploited the web server, we pretty much knew it was going to be one of three people that were going to log in and administer it.
So the plan was to simply sit and wait for one of those three people to log in.
We thought we knew how they were gonna log in because, again, we were familiar with the systems they had deployed.
We could tell by the configuration on the web server how we could expect to see them log in to that machine.
So really, it just became a waiting game for us.
This episode is sponsored by Vanta.
Customer trust can make or break your business.
And the more your business grows, the more complex your security and compliance tools get.
It can turn into chaos, and chaos isn't a security strategy.
That's where Vanta comes in.
Think of Vanta as your always-on, AI-powered security expert who scales with you.
Vanta automates compliance, continuously monitors your controls, and gives you a single source of truth for compliance and risk.
So whether you're a fast-growing startup like Cursor or an enterprise like Snowflake, Vanta fits easily into your existing workflows so you can keep growing a company your customers can trust.
Get started at vanta.com/darknet.
That's spelled V-A-N-T-A.
Vanta.com/darknet.
Sometimes waiting for an admin to log in can take a long time: days, weeks, months.
One trick I've heard that hackers do is to sometimes cause a problem on the web server, like make the CPU spike or crash an application.
But why do this?
Well, if the web server is acting problematic, it will result in an admin logging in to troubleshoot it.
And when they do, pow, they've just walked into the trap.
But in our case, the waiting wasn't that long.
So one of the admins logs in.
We see it happen.
We get the information that we need.
We move laterally onto his machine, and we put the implant on his machine.
You just heard the fifth phase of the cyber kill chain, installation.
We've just installed an implant on the target system.
An implant is a bug, a trojan, a remote access tool that allows us to pretty much take ownership of that computer.
For those of you familiar with Metasploit, just imagine basically something like Metasploit on lots and lots of steroids.
The next phase of the cyber kill chain is command and control.
Just because the implant is on the machine doesn't mean it's going to do anything.
Someone needs to tell it what to do.
And in this case, we now have the ability to remotely access the network admin's computer.
This is our command and control over the target computer.
We are now very close to finishing our mission.
All that's left is for us to take control of the admin's computer and then access the database and take the data we need.
So we wait a little while before getting into the admin's computer to not look suspicious.
We waited about a day, day and a half, to go interactive on the box, actually be using it interactively.
Once we were using it interactively while the other person was using it, we were logged on when they were, which is generally the way that works.
We started looking at screenshots of the desktop and we saw a browser open, and we saw dozens of tabs open in the browser.
We started going through a lot of the screenshots and seeing the contents of the tabs, and it was the person Googling this weird behavior that Windows was doing.
The administrator's computer that we had infiltrated was acting strange.
It was displaying lots of errors and certain programs were crashing.
It definitely looked like this admin had a virus of some kind.
And at first, when we saw that, we're thinking, well, that's weird.
I wonder if these problems on his computer predate our presence there.
We didn't really know, but we had the sneaking suspicion that it had something to do with us.
So unbeknownst to us, in the time from when we collected our information initially through the open source and when we put the implant down, he had upgraded his operating system.
He'd upgraded Windows essentially to the next version.
Normally, worst case scenario is that your implant doesn't work because it's not compatible, right, for whatever reason.
It's not compatible and just doesn't work, and that sucks and you're really upset by that.
I would have preferred that to be the outcome here.
Instead, the implant worked, to the extent that it went down, installed where it should have, and began operating as expected.
The problem was that it wasn't playing well with the newer version of Windows that was on that box, and unfortunately started causing very odd Windows behavior.
And that very odd behavior took on like the worst possible version, which was things that were very visible to the user.
So now that we're on the box and we know exactly what version of Windows it was, we recreated it in our own lab environment.
So I know what version of Windows it is, and I know the hardware.
I basically rebuilt that same exact machine in our environment and tossed our implant on it and saw that our implant was causing this weird behavior.
So this was really, really bad news for us because this is how you get caught.
Right?
It was terrifying from the standpoint of political blowback.
Notifications of this sort of stuff go up to the most senior levels of government.
Right?
Because when you get caught on a network like this, you have prime ministers calling each other.
So if things got bad enough, we would have to be informing all the way up through the leadership of the agencies and all the way up into the senior leadership of government.
So everybody was very concerned at this point, because we had already been on the web server.
We had done a lot of work already.
We felt pretty comfortable.
So we were already deploying pretty sophisticated, big implants onto the network.
This one that was causing these problems was not a stage one loader.
This was a relatively sophisticated, actually pretty sophisticated, fully featured implant at this point that we couldn't afford to lose, nor could we afford to get caught on the network.
So once we realized what was happening, you know, this is again the government rate.
So all the alarms start going off.
You have to start telling a lot of people, have to start writing a lot of memos and going to a lot of meetings to try to get everyone up to speed on what's happening, what the risks are, and what we're going to do.
And, of course, now the first instinct is to delete it or remove our implant.
Unfortunately, because it was already causing so many stability issues, the concern was if we try to get to it to delete it, it might make it even worse.
We didn't know, so the risk was: don't do anything.
And right now, he just thought that he was having technical problems.
Not that there was a security issue, so we thought, okay.
The risk is either stay with what we've got and write out the technical stuff and hope he doesn't figure out that it's not actually a technical problem, it's a security problem, or we try to delete it and cause some other weird thing to happen that makes it even worse, and then we're totally screwed.
So we decided to leave it and not delete it and sort of take the bet.
And it got worse for about a week.
Because not only did we watch him Googling for solutions to the problem, like Googling the symptoms that he's seeing in Windows, we actually were reading his emails and seeing his chats with IT people, telling them what was going on and putting in trouble tickets.
And, you know, we saw the chat with his IT guy that was like, hey, can you come to my desk at like 02:00 to take a look?
And I mean, you know, everyone started getting very concerned at that point, more than we already were.
Things are not going well at this point.
It's very tense and concerning in the office.
The implant being used was expensive and secret.
If it was discovered, it could result in tracing it back to the attackers and losing this expensive and secret implant.
But at this point, we have successfully completed six out of the seven phases of the cyber kill chain.
There's only one phase left, and that's doing the action on the objective.
In our case, our objective is to use the administrator's computer to get the data out of the Oracle database.
But the team is hesitant about finishing the job.
Well, so the problem was that it was a big network, and we knew the database that we wanted.
We knew that there was a database of a particular type that we wanted to get access to, but we didn't know exactly where it was on the network.
And at this point, we have a high risk of getting caught, and the problem is, we're watching them troubleshooting this.
And if they're troubleshooting and troubleshooting and troubleshooting, and then at some point they figure out that there's something really wrong here and we need to call on the security people and start looking a little bit closer, the last thing we would want would be to have a wider presence on the network.
Even if it's on other machines elsewhere on the network, at the moment that incident response gets involved and starts locking things down, we're screwed.
So at that point, we want to minimize our presence to the least amount of exposure that we can without losing our access.
So for now, that minimization was this computer that we're on that's having the problem, and the web server.
That was it.
And the very, very clear decision, without even any debate, was: sit, stay quiet, don't do anything.
Let this play out, because nobody wanted to increase the risk profile until we knew how this was going to turn out.
So the team waits and watches.
Days go by. The administrator is trying to troubleshoot the errors they're seeing.
A week goes by.
He continues to troubleshoot.
And in the second week, the admin asks for help from IT.
Yeah.
So second week, the IT people are coming in and they're looking at the computer, and we know that they're coming to the person's desk because we see them setting up appointments, and we reached this point where we can tell from the nature of the trouble ticket that they've hit a dead end.
They can't figure out why.
They can't figure out what's happening.
They can't figure out the reason for what's happening.
They can't locate the cause, and it seems nondeterministic to them.
We know why it's happening.
I know what the implant is doing and why it's causing Windows to behave that way.
But since they don't know the implant's there, to them, the behavior is entirely nondeterministic.
So because it's nondeterministic, they can't devise the technical solution for it.
And the ultimate solution that they came to was to just wipe it and start over.
It was a fancy implant, but it was just user level and it was on the hard drive.
So at the moment they wiped the drive and reimaged it, we were fine.
They removed our implant and we were good.
It was a significant relief.
Thank God it's over.
But, you know, holy shit, are we all getting fired? Which is anyone's reasonable reaction to workplace events like that, where things have gone horribly wrong.
You're essentially in charge of that group where things went wrong.
It was all on me.
So there was that moment of, you know, I guess I'll get a box and pack up my desk.
But A, it's the government, so no one gets fired.
And B, that really wasn't the outcome.
There's a whole postmortem that we did after this to look at what happened, how it happened, why it happened, how to prevent it.
And, you know, the determination after the fact was there was no negligence at play.
No one did anything wrong.
This is just what happened.
A chance of us doing two months of research, taking thirty days to make decisions and have meetings, and then executing the operation in that thirty days.
One of the admins upgrading Windows.
That's not a super high chance of that happening, and we just got unlucky.
Right?
Unfortunately, like those two stars crossed in the sky and that happened.
You know, if it had been six months and we didn't try to re-update our information and make it fresher, the outcome would likely have been, you waited too long.
Right?
You should have known that too much can change in six months.
But thirty days was reasonable because, I mean, again, it's the government.
It takes thirty days to push the paperwork and get meetings and just do the administrative stuff you need to do.
So the fact that that happened in thirty days, that guy updated the Windows box, that was seen as acceptable.
The only other fallout was when we moved laterally onto that machine, you know, should we have done anything tactically before we put the implant down on that box?
And there was this debate on that.
Should we have captured the credentials and just interactively interacted with that machine just to capture things like its OS and antivirus and all that?
That was an operational decision that we made at the time, a very tactical decision.
But because we had done the open source and we knew what was there, there was seemingly less cause to do it.
And that was it.
So with the implant cleaned off the machine, the team can relax, knowing their cover isn't going to be blown and their expensive exploit won't be discovered.
What about that initial objective to get access to the database?
We actually never got access to the database.
Not because of this, it actually just ended up being that the network was configured in such a way that our path to get there was extremely complicated from where we were on the network to where we needed to get to.
And like any other business environment, we had competing requirements.
So, you know, at some point, probably, I don't know, a month and a half after this incident, after this small incident, you know, we came to this point where, okay, I know where the Oracle server is, I know who the admins are, but our ability to get to it is complicated, is going to take a little while.
We can do it, but do we want to do it?
And at the same time, I had three other requirements that I had to satisfy.
And those requirements required some of the same people that I was currently using to work on this one.
So it was sort of like, what do we do?
Do we just, you know, cut bait and walk away?
Or do we just go all in and go for it?
We decided to cut bait and walk away, and that happened all the time.
Just because I think any hacker, whether you're a nation-state APT or, you know, a kid in your mom's basement, everyone knows that it's a lot of luck that stuff works.
Only so much thought and intelligence goes into it.
It's a lot of luck at the end of the day.
And I'd say statistically, in my years doing it, the luck isn't there or runs out more than half of the amount of time.
Just because it's hard, right?
And it's getting harder because people are just in general more aware of cybersecurity and information security, and they're slightly smarter, just enough to know maybe not to click on a link, or maybe not to visit that website from work or from your work computer, and maybe don't click okay when it says Flash needs to update.
So there's just enough people that are just enough smarter where this is getting just that much harder every single day.
You've been listening to Darknet Diaries.
For show notes and links, check out darknetdiaries.com.
Music is provided by Ian Alex Mack and Kevin McLeod.