Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Hannah Clayton-Langton (00:04):
Hello world and welcome to the Tech Overflow Podcast. As always, I'm Hannah Clayton-Langton.
Hugh Williams (00:09):
And I'm Hugh Williams here.
Hannah Clayton-Langton (00:11):
And we're the podcast that explains technical concepts to smart people. And today we're coming to you from London.
Hugh Williams (00:16):
Yeah, here we are in the podcast room. It's so awesome. It's a very nice decor too. We'll have to post a couple of clips, huh?
Hannah Clayton-Langton (00:22):
Yeah, it's a lovely studio and it's always a treat to record in person rather than virtually, as I'm sure we've said a few times before.
Hugh Williams (00:29):
Yeah, so, so true. Next series, I think we record the whole thing in person. We'll figure out how to do it.
Hannah Clayton-Langton (00:34):
Yeah, Hugh's making a pitch for Melbourne, and I'm really open to it, to be honest. Especially as we go into the UK winter. So share the podcast with your friends, and if we get to enough listens, then I will get myself down to Melbourne.
Hugh Williams (00:47):
Fantastic. So I read, Hannah, that this month, which is October when we're recording it, is National Cybersecurity Awareness Month.
Hannah Clayton-Langton (00:56):
Yes, so I read the same. I'm not sure what that means and which nation it's national to, but it's a good segue into the episode topic today, which is hacking. Which is gonna be fun. It's super interesting, and I think it will pair really well if you've not listened to our episode on bugs and outages. I think there's like a really interesting common thread
(01:18):
between these two topics because obviously being hacked is a massive P0 outage. So I suspect it ruins a software engineer's day in sort of a similar way.
Hugh Williams (01:29):
Yeah. I think, you know, a search engine being down for nine hours, whatever your favorite example is, definitely is tough going, but hacking is worse because you've kind of lost control. That makes it an extra level of stress.
Hannah Clayton-Langton (01:42):
And there's blackmail involved.
Hugh Williams (01:44):
Often.
Hannah Clayton-Langton (01:45):
Yeah.
Hugh Williams (01:46):
Often, often. These hacks have become very, very sophisticated.
Hannah Clayton-Langton (01:49):
Yeah, there's like a whole subtopic I'd love for us to talk through on how AI makes this even more significant a threat. But let's start with the basics before we get into this.
Hugh Williams (01:58):
Sounds good.
Hannah Clayton-Langton (01:59):
So, as listeners will remember from our episode on outages, nine hours eBay search was down for. Yep, felt like 90, but yeah, that's probably like one of the worst days of your career.
Hugh Williams (02:10):
Definitely.
Hannah Clayton-Langton (02:11):
Okay, so we're gonna start the episode with a sort of case study. And in this case study, the retailer was affected for like 40-something days.
Hugh Williams (02:20):
Yeah.
Hannah Clayton-Langton (02:21):
Okay, so this past summer, which is, we're in 2025, famously in October, Cybersecurity Awareness Month. Back earlier this year, there was like a spate of attacks on UK retailers. And there's a retailer called Marks and Spencer's, who were basically the worst hit. And there's a lot we can take and learn from the case study. But if you're not familiar with Marks and Spencer's, as you may
(02:44):
not be, if you're an international listener, it's like a, I would call it a darling of the UK high street. So they have like a super well-regarded food business, and then they have a clothing and home business, which has had like a real comeback in the last few years, particularly for women in their 30s, such as I am. So they did some super clever things with acquisitions and
(03:05):
rebranding, and like they're a really, really much loved brand on the UK high street. Probably one of the key differences to bear in mind as we talk through this hack is that they are not an e-commerce play like eBay is. So whilst the fact that their online orders were down for over 40 days is pretty horrific, it wouldn't have been their only revenue source.
Hugh Williams (03:25):
And maybe for our US listeners, perhaps they're Nordstrom with an amazing, amazing food hall, and maybe a little bit like David Jones in Australia.
Hannah Clayton-Langton (03:34):
Yeah, I think that's probably fair. So from a lay person's, like customer, perspective, suddenly the news is flashing headlines, M&S hack. Sorry, and I will use Marks and Spencer's and M&S very interchangeably in this episode, just to call that out. So Marks and Spencer's hack, this is huge.
(03:54):
I understand that the first signs of a problem were that the tills or the like contactless checkout stops working in a bunch of the M&S. I think it was the food stores, but the stores in general, right? Contactless payment goes down, but pretty quickly it emerges to be something much more significant.
Hugh Williams (04:13):
Yeah, absolutely.
Hannah Clayton-Langton (04:14):
And I also have understood, and just to caveat, we've found a bunch of information on the internet about this, some of it from M&S themselves and some of it from sort of critics in the industry. But I think it's pretty widely known that the hackers came in via what we'll call social engineering and they leveraged a couple of vulnerabilities in their processes. So there were hackers posing as employees.
(04:38):
They posed as contractors. So they weren't pretending to be permanent employees. And I think that probably if I'm a help desk operative and someone's calling asking for a password reset and they mention they're a contractor, that sort of immediately the story tracks in my head. Do you think that's fair?
Hugh Williams (04:53):
I think that's fair. The other thing that was well known about these folks is that their English was excellent. They'd done this before. They're very, very good at persuading people like help desk employees to do the things that they wanted to do. So these are very accomplished people, very crafty, very good at pitching the right story in the right way to the right people.
Hannah Clayton-Langton (05:12):
And they ring the M&S help desk, which is also a third party, which I think that's not uncommon here, right?
Hugh Williams (05:19):
Yeah, and that's important, Hannah. I mean, you are as weak as the weakest link. And so if one of your contractors or suppliers is a weak link, then that's usually the vector that folks are going to use to get into your systems.
Hannah Clayton-Langton (05:31):
That makes sense. If I were a hacker, which is something I think I'm gonna say a lot in this episode, I'd probably be looking for stuff like that. And I don't know that that means to say that by leveraging contractors or third parties, you inherently create a vulnerability. But I think if you don't set them up for success and integrate them correctly, then they could quite easily become
(05:51):
one.
Hugh Williams (05:51):
Yeah, absolutely.
Hannah Clayton-Langton (05:53):
Okay, so the hackers, posing as these contractors, they call up the help desk, the people at the help desk are trying to help because that's their job. They reset their passwords, and these guys are in. They're in the systems. And from all accounts, so I think M&S issued some official communication that they caught this whole hack pretty early
(06:16):
days. But I think that's been somewhat debunked.
Hugh Williams (06:18):
Yeah, I don't think that's true. I think what is true is that once the ransomware was executed, and we'll talk about ransomware and what it does a little bit later on. Once that was executed, M&S were very quick to explain that that's what happened and begin a path that took a long time towards rectification. But I don't think they were quick to detect that the
(06:39):
hackers were inside their systems. And some folks are saying they're probably in there at least a couple of months.
Hannah Clayton-Langton (06:45):
We can talk later about whether or not that's unusual. I think the answer is no. Not unusual. No. Okay. So hackers, they get in, they exploit this vulnerability, and then they do like a few really key things that sort of set them up for success in taking things down.
Hugh Williams (06:58):
Yeah, that's right. I think there's a couple of parts of the story that we'll never know the real details to, but what's certainly happened is they got in as fairly low-level employees, right, or contractors. They've now got access to some system. It's certainly not going to be the absolute core of M&S, but they're in. They're in the edges. They've made it into some of the outbuildings, if you wanted
(07:19):
to use an analogy. Somewhere along this track over the next couple of months, they've managed to what we call escalate their privileges. So they've managed to figure out how to get more access to, you know, more of the buildings, to continue the analogy. Now, they might have done that in a couple of different ways. One way is perhaps repeating this thing that they've done.
(07:39):
So they now perhaps know a little bit more, perhaps they can do a little bit more social engineering.
Hannah Clayton-Langton (07:44):
So they're calling the help desk again to be able to do that.
Hugh Williams (07:45):
Perhaps, or calling someone in the finance department or whatever it is, right? So at some point they're getting more and more access.
Hannah Clayton-Langton (07:52):
And I think that folks are trying to be helpful. Like I work for a tech company, and if, you know, if you need access to something, yeah, I'm gonna try and help.
Hugh Williams (08:00):
Sure, I'll share the spreadsheet with you. As long as I believe you are who you are. And I guess because they're inside, they're able to do some research and probably build up a more credible story that they can then email about, talk about, whatever else it is. But slowly but surely over this period of time, they're escalating their privileges, they're getting more and more access.
Hannah Clayton-Langton (08:19):
And the way in which they infiltrated helped them do all this undetected, right? Because they've just got a normal employee login at this point. So you'd have to be pretty sophisticated in your monitoring to know that they're doing anything beyond what any normal employee would be doing, right? Like getting access to systems, logging in, having a look
(08:39):
around.
Hugh Williams (08:40):
Yeah, possibly. Possibly. I mean, I think the best of the best will certainly look for behaviors or patterns or unusual access by employees to unusual things and detect those. If you tried this out on one of the largest tech companies in the world, you'd probably get detected a little bit more quickly.
Hannah Clayton-Langton (08:59):
Okay, because they'd be like, why has the contractor got access to the Active Directory or something like that?
Hugh Williams (09:03):
Yeah, yeah. Or why does this particular person change their login from a particular computer and come in as somebody else? Or who knows? Who knows? But I would say, you know, these patterns, it's very difficult to do these things without getting detected if you're really, really working hard on the detection.
Hannah Clayton-Langton (09:20):
Okay, and we talked about this a little bit. I think it was in the product management episode when we were talking about like banks needing a certain level of security or user insight. And those are the kind of companies that are really going to be hot on like why have you suddenly logged in from a location in Australia or whatever it is.
Hugh Williams (09:35):
Yeah, exactly. Exactly. So anyway, this story, right? So they're in, they're escalating their privileges somehow, they're getting access to, you know, again sticking with our analogy, more and more buildings on the compound. At some point, they get access to what's called the Active Directory, and that is effectively the list of usernames and encrypted passwords.
(09:57):
We can talk about encryption in a second, but, and encrypted passwords for everybody at M&S who can access any of the systems at M&S. And this is something that certainly should have been detected: they download this file.
Hannah Clayton-Langton (10:10):
Oh my god. Okay, wait.
Hugh Williams (10:11):
So take it off, they take it out of M&S's system into their systems.
Hannah Clayton-Langton (10:14):
Okay, so Active Directory, I presume you normally would give like three people in the company access to.
Hugh Williams (10:20):
Exactly, yeah. I mean, look, I'll tell you a quick story. You know, when I was at Google Maps, I ran the whole of Google Maps, right? So I ran the whole of product and engineering, I did not have access to user data.
Hannah Clayton-Langton (10:30):
Well, and why would you need that, right? If you think about your day job.
Hugh Williams (10:32):
So you want as few people as possible to have access to that data, and even the person who runs it doesn't need access to it. So I couldn't go and look up, you know, where you'd been in the world and how you'd moved around. I mean, it just simply was not possible, despite the fact that I'm the person who leads the whole organization. So the best of the best will lock down access to critical pieces of the infrastructure as hard as they can possibly lock
(10:55):
it down. But somehow they've got this file and they managed to take it off site. And that should have been detected. And then again, look, some of this is speculation, right? We'll never hear the true story. But they've got this file, and then I imagine what's happened next is they've used what's called a brute force attack, and they've gone and tried to figure out the passwords of some
(11:15):
of those usernames.
Hannah Clayton-Langton (11:17):
Okay, so you said that the Active Directory has encrypted passwords, which means that it's not HANA.clate9 or whatever, plus my password. The password is like coded in some way.
Hugh Williams (11:27):
Yeah, that's right. And look, occasionally you'll hear of a company where passwords were stolen, and that's a company that's incompetent. So you should never ever store passwords in their plain unencrypted form. So no company should have a representation of your password that's actually your password. So all companies should be storing an encrypted version of your password.
(11:48):
And maybe the simplest way to understand that, let's imagine that your password was an essay on a page, right? So you've got 500 words on a page. The encrypted version might be every tenth letter off that page saved as a string in the file. Now that's not literally what's going to happen because we're gonna scramble it, we're gonna spin the dials, if you like, in really interesting ways.
(12:09):
But the encrypted version of your password is not the complete password. It's a sampling, if you like, of the password. So it's actually kind of one way, right? So if I only got every tenth letter off the page, I can't recreate the essay.
Hannah Clayton-Langton (12:22):
So I don't want to take us down a rabbit hole on encryption, although I am very interested in it. Marks and Spencer's or Google or wherever I'm logging in, they don't have my password written down anywhere. They have an encrypted version of it stored.
Hugh Williams (12:35):
Correct.
Hannah Clayton-Langton (12:36):
Okay. They, however, do know how to recognize the correct password.
Hugh Williams (12:40):
Yeah, because then, so let's stick with this essay analogy. If you provide the whole essay, they can again go and take every tenth character and see if it matches what they've got saved on their system, right? So if you provide the full password, they can run it through the same algorithm to produce the same what we call lossy version of the password. And then they can compare that sampling of the password to what
(13:02):
they have stored. And they can say, oh yeah, great. This is actually Hannah because she's provided the same input to give us the same output.
Hannah Clayton-Langton (13:08):
Okay, and the encryption algorithm, it's like a standard rule that you put in for... Yeah.
Hugh Williams (13:14):
So there's a bunch of different encryption algorithms, and some of them are easier to what we call crack than others. And maybe let's just talk about cracking for a second, right? You can pretty trivially, listeners might want to try it, but you can pretty trivially get lists on the internet of typical passwords. You can say, you know, I want a list of common passwords, and you can download files that have probably got hundreds of
(13:35):
thousands, if not millions, of very common passwords.
Hannah Clayton-Langton (13:38):
I suspect this is one of those moments where we don't realize as individuals how similar we all are. And so there's probably like quite a lot of overlap in the types of passwords people have.
Hugh Williams (13:48):
Yeah, absolutely. I mean, people use, you know, dogs' names, their birth date, the word password, you know, parts of their login name, you know, the street they live in, these kinds of things. So, you know, you're not original if you're having these ideas. And so you can get a file that contains a very large sample of all these typical ideas. And then, of course, what you could do is you could run each
(14:09):
one of those passwords through the encryption algorithm that you know M&S is using and produce the password. And if the password matches what's saved in the Active Directory, then you say, bingo, the CEO's password is clearly this, because the encrypted version that you've created matches the encrypted version that's stored in the Active Directory. So if you've got enough time and enough energy and enough
(14:30):
compute resources, you can keep running passwords through these algorithms and you can produce the encrypted password and get a match. And if you do that for long enough, then you can get the passwords of lots of people. So this is a very, very valuable asset to have, especially if you can take it off-site and do this kind of what we call brute force attack.
Hannah Clayton-Langton (14:48):
First of all, I'm gonna ask you later why you know that you can buy passwords off of the internet. But do you think that's what happened? Do you think that the attackers in the Marks and Spencer's case figured out what the encryption algorithm was and therefore like unencrypted all of the passwords?
Hugh Williams (15:03):
Yeah, probably not all of them, but enough to give them some very serious access. So they probably at this point got admin access to the system, which effectively means, sticking with our building analogy, they can get to any part of the building they feel like and do anything they feel like doing. So they've probably come in as a contractor, escalated enough to be able to get their hands on the Active Directory, taken the Active Directory away, spent some computing resources, and
(15:26):
then come back with the admin password. Admin login and admin password, now they can do anything they like to M&S. That is a couple of months of hard work.
Hannah Clayton-Langton (15:34):
Yeah. If you take out the context that it's crime, it sounds quite interesting, sort of intellectually, but obviously the impact of that for real customers and for the business is pretty catastrophic.
Hugh Williams (15:46):
Yeah, I mean, you know, terrible, terrible thing that happened to M&S and their shareholders, employees, the customers, everybody, right? This is a disastrous outcome.
Hannah Clayton-Langton (15:55):
Yeah, I think I saw that there was like 300 million pounds worth of impact that someone had assessed. And they were like reverting to pen and paper to replicate some of the processes that were downed by the systems being out.
Hugh Williams (16:08):
Yeah. And maybe that's a good time to pause and say, well, what did they do next, these hackers? So the hackers used this ransomware program called DragonForce. It's not important that it's called DragonForce, good name, nice name for a bit of ransomware. And basically what they did is they effectively detonated this thing inside of M&S. And what this did was it encrypted every single computer that they could possibly get to across M&S.
(16:31):
So now your computer doesn't work anymore. It's effectively been turned into a giant password. Unless you know the password, you cannot use this piece of computing equipment. So they did this to as many computers as they could possibly get their hands on, roughly simultaneously. And so every computer effectively at M&S became locked.
Hannah Clayton-Langton (16:50):
That's the point that M&S say we became aware of it and we immediately started managing it, which is true from the point of the ransomware deployment. But what was happening possibly up to two months prior, and sounds like what happens in a lot of cases with hacking, is these folks get in the back door, through the window, and then they set up all the different component parts of their plan,
(17:12):
and then they hit the big, big button. Yeah.
Hugh Williams (17:14):
Yeah. And of course, you know, I'll say it again. I'm speculating a little bit, I'm relying on what I've read, but this is a pretty common pattern, right? You get in as a low-level employee, work your way up, eventually get admin access, and then let rip. It's really terrifying. Yeah, it is. It is.
Hannah Clayton-Langton (17:30):
I think I read also, and I can talk about this from a customer perspective in a minute, but that whilst they were in there prepping, they stole a whole bunch of customer data as their like blackmail materials. So they're thinking, in a situation where Marks and Spencer's can like revert the encryption and get back up and running really quickly, we also now have something to hold over
(17:51):
their heads, I assume to basically just like get some money out of them. Yeah.
Hugh Williams (17:54):
I think they call it a double blackmail. We can now say, look, you know, pay us and we'll restore your computers. And if you don't pay us or you do restore your computers, then we're going to release all of your users' data anyway.
Hannah Clayton-Langton (18:03):
So I, as a customer of Marks and Spencer's, because I'm a big fan, by the way, of Marks and Spencer's and was very disappointed that I couldn't order anything online for over a month. But I got an email saying that like some manner of my customer data had been like exposed, but that it wasn't payment data or like passwords. They were like, you may have read that this data has been
(18:24):
stolen, and if it were, it's not like anything you need to worry about. That's my memory of the email. I tried to find it yesterday, but I think I've deleted it.
Hugh Williams (18:31):
Yeah. This happened to my favorite airline, Qantas. It's what I fly back and forth to London on. All of their frequent flyer data was stolen recently and actually released on the dark web because Qantas, I guess, didn't pay the ransom they needed to pay. And so all of my data's out there now and my meal preferences, you know, what seats I like to sit in, all those kinds of things.
Hannah Clayton-Langton (18:51):
Interesting, because my husband, just to talk about how common I think this stuff is at the minute, my husband's Eurostar account was like somehow hacked for the frequent flyer equivalent, like the points. And someone had then used his points to book like a free London to Paris journey. I guess it's like the same thing, like someone goes in, finds something worthwhile, and they basically, they might be
(19:12):
selling it to someone on the dark web who wants a cheap ticket to Paris or something like that.
Hugh Williams (19:16):
Yep, exactly. I mean, this is a whole industry.
Hannah Clayton-Langton (19:19):
Okay, so they basically down the whole thing. M&S, I assume. Well, M&S, let's be very clear, publicly state that they've never paid any ransom to the hackers. So on that basis, I can only assume that they rebuilt from the ground up over that 46 days, I think it was, that their online systems were down. And by the way, it's all back up and running.
(19:40):
I go into M&S regularly to buy stuff, contactless works, I've got an online order brewing.
Hugh Williams (19:45):
So, like for all intents and purposes, they even told a story that, you know, they brought forward a whole bunch of system upgrades and whatever else. And while they were down, they quickly went forward to the next version of their exciting new systems rather than take two years, it took them, you know, no time at all because the systems were down, so they were fast to update. So they definitely spun this.
Hannah Clayton-Langton (20:01):
Isn't the inference there that the systems were overdue a massive update? Yeah, do you think so?
Hugh Williams (20:08):
Yeah.
Hannah Clayton-Langton (20:09):
I need to be clear, this is all conjecture. Yeah, yeah.
Hugh Williams (20:11):
And look, you know, it's very hard to get to the bottom of these stories, right, for lots of very good reasons, both, you know, safety and legal reasons and also, you know, reputational reasons. But, you know, let's talk about why it took them 40 days, though. Let's imagine Utopia, right? So let's imagine you and I work at the best run company in the world, and this happens to us. Bad luck, bad management, you know, really sophisticated attackers. And imagine you're running the IT team.
(20:33):
First thing I'm gonna do, Hannah, is I'm gonna go, so you can just restore from backups, right? You've been backing up all of our machines and all of our important software, and you've stored that, right? So can you just get those backups out of the cupboard and get all our machines up and running? How long is that gonna take? And you're gonna say, oh, hours or a day or some fairly short amount of time. And that didn't happen here, right?
(20:55):
So something's gone horribly wrong. If I were to speculate, I'd say it's one of two things. It's either the folks that hacked the system encrypted the backups or deleted the backups.
Hannah Clayton-Langton (21:07):
And that's because the backups weren't, I'm gonna use your like building analogy. In a world where this is a building, you want your backups like off-site somewhere. Yeah, yeah, yeah.
Hugh Williams (21:16):
Maybe you dig a moat around the building that you can't swim through, full of alligators, exactly. Yeah. Yeah, we call that air gapped. So what we'd say is that the backups shouldn't be on the same network, shouldn't be connected to the main infrastructure, right? Because if they're connected, so if you've got a bridge across to the outbuilding, the thieves can just wander across the bridge and into the outbuilding and do things to
(21:37):
your backups. Whereas if you don't have a bridge, you've got a moat full of crocodiles, you know, you've very literally perhaps stored them on tape and put the tapes in a safe somewhere else, then there is no way these folks who've got into your systems can actually mess with your backups. So something's gone wrong here. The backups have been deleted, or the machines that have the backups have also been encrypted in the same way as all their
(21:59):
other machines.
Hannah Clayton-Langton (22:00):
Because there's not enough of a break in the circuit of systems.
Hugh Williams (22:03):
Just simply not, I mean, you simply should not connect wherever your backups are stored to the network, right? Like it should not be connected. So that's one possibility. The other possibility is more of a competence question, which is lots of companies, and I know some of our listeners are going to work at companies that are in this situation. Lots of companies do backups, but they don't actually practice restoring the backups.
(22:23):
So you think you're doing a great job of backing up, but it turns out when you go to restore them, you're like, ah, you know, we've never tried this before. We didn't back up something we needed to back up, we didn't back up a critical system, we backed up only some of the systems. Restoring it's really hard, doesn't work. So often competence gets you here.
Hannah Clayton-Langton (22:43):
Well, that's like my friend once gave me her spare key to water her plants while she was away for a month. And then when I went to her flat, the key didn't work properly because it hadn't been cut right. And she'd never used that key. Well, she'd gone and got it copied and then given it to me. But it's, I mean, it sounds so obvious, but you think you've done the job by doing step one. But as you say, if you don't practice utilizing it, then you
(23:04):
don't know how strong your backup is.
Hugh Williams (23:05):
100%. Yeah. 100%. So something's gone horribly wrong here. Backups weren't able to be restored. And so I guess once they've realized this, they've gone, okay, there's no other way to get our systems back up and running except start from scratch. So we need to go machine by machine, re-image the machine, reinstall the operating system, get the software on there, get
(23:27):
it running, you know, test them, get them on the network, whatever else it is, and slowly but surely, you know, work through every single computer that's affected at M&S to get the systems back up and running. And they've chosen, for good or for bad, at the same time to do some upgrades.
Hannah Clayton-Langton (23:41):
Okay. So that sounds like a really difficult 46 days for a lot of folks on the teams at Marks and Spencer.
Hugh Williams (23:48):
Yeah, I don't think it would have been a lot of sleep. I mean, what a terrible thing to happen to these folks. Look, there may be some questions of competence and detection and backups and whatever else, there's some processes that need improving, but what a terrible thing to happen to, you know, an engineering team and a whole company.
Hannah Clayton-Langton (24:04):
100%. And I am sure that they are not the only company with these vulnerabilities. One of my global takeaways from prepping for this episode is this stuff's like a lot of work. But at the same time, I could see that if you're in a high growth phase or you're budget constrained, that like your security engineer coming in and saying something needs to
(24:24):
take a certain amount of time or requires a certain amount of investment will just immediately get squeezed and challenged because it's not sexy. It's not deploying cool new AI or product features, it's like the plumbing behind the scenes that is probably pretty dense and complex to even explain to like the executive team.
Hugh Williams (24:40):
Yeah, absolutely. You know, probably goes in the same bucket as should we work on accessibility for people with vision impairment? You know, you sort of say, oh, we'll do that later.
Hannah Clayton-Langton (24:47):
Yeah.
Hugh Williams (24:48):
Yeah. And wrong, wrong choice. Wrong, wrong choice.
Hannah Clayton-Langton (24:51):
Yeah, definitely. Okay. And to round up the M&S story, the criminals were arrested, or at least some of them. So there was a group called Scattered Spider. I think I read somewhere that it was like an offshoot of that group, but there's like these hacking groups and communities that exist. And like the craziest thing about this one was that they arrested three people in the UK, or sorry, four.
(25:13):
And they were all like between 17 and 20 years old.
Hugh Williams (25:17):
Yeah, yeah, yeah,
yeah.
Which is probably uh I mean, Idon't think there's any
mathematician who's inventedanything interesting past the
age of 30.
So maybe one of our listenerswill correct me on that, point
out, point out something.
But yeah, no, it's definitelywhen your brain is uh perhaps
best at these things as uh, youknow, teens into the 20s.
Hannah Clayton-Langton (25:32):
For me,
it's not like their intellectual
capacity to do this, it's theirnefarious intent at that age.
Because that this is a reallyserious crime.
Hugh Williams (25:42):
Yeah, the folks
are gonna potentially get locked
up for a really, really long time for this, right?
Enormous, enormous damage.
And and let's be clear, these groups are not nice groups of
people, right?
They're up to all sorts of things.
So this is these are dangerous individuals uh doing very
unpleasant things and uh there'll be consequences.
Hannah Clayton-Langton (25:57):
If
anyone is feeling super nerdy, I
sometimes listen to this podcast that I think is called
Darknet Diaries.
Hugh Williams (26:02):
Yeah, very good.
Hannah Clayton-Langton (26:03):
Yeah,
and it's like they interview
hackers.
They're mostly hackers that have sort of seen the light.
But the way that the most recent episode, this guy, you
know, they don't reveal their identities and they're they I
think they like being really candid and open about all their
crimes, but it's it's really dark.
Hugh Williams (26:19):
Yeah, it is.
We should get somebody on the uh series two.
Hannah Clayton-Langton (26:21):
Yeah, if
I keep promising things in
series two, maybe if anyone is a hacker, ethical or otherwise,
and wants to talk to us, we would totally love to talk to
you.
Although I would say ethical hackers preferred because I'm
not sure like the moral argument around interviewing a hacker
and them telling you about all their criminal intent and what
you do.
What you do with that as apodcaster.
Hugh Williams (26:43):
No, we'll go
we'll go to the ethical white
hat and uh hacker on the show for sure.
Hannah Clayton-Langton (26:48):
Okay.
Hugh Williams (26:48):
We need a series
two.
Hannah Clayton-Langton (26:49):
We need
a series two, guys.
Hugh Williams (26:50):
So yeah, listen,
share, subscribe, get me to
Melbourne.
Get Hannah to Melbourne.
Hannah Clayton-Langton (26:55):
So this
particular example felt relevant
because it's quite recent.
Like the arrests were made fairly recently.
The hack itself happened in the last six months.
And there's definitely some generic learnings that are
interesting and insightful to talk to.
Hugh Williams (27:09):
There's been a
few in the news, Hannah.
I was reading about one uh company called Colonial
Pipeline.
I don't know if you've bumped into those folks.
They're a major oil and gas pipeline company in the US, and
they had a ransomware attack, you know, similar sort of story
to the MS story, and they're unable to, you know, make fuel
travel around in the east coast of the US, and it caused panic
buying at gas stations.
So, you know, these these attacks can be pretty serious.
(27:30):
I mean, here in the UK, obviously it's affected the food
suppliers, but you know, this example in the US affected uh
another piece of critical infrastructure.
So, you know, these things are uh pretty dangerous.
Hannah Clayton-Langton (27:39):
Yeah, I
guess in the the UK example,
customers being worried about their data being exposed to me
is probably the biggest concern, particularly with such a
well-known, trusted, respected retailer.
And I this to me, and the the Colonial Pipeline example is
just a reminder that like the hackers are going for
vulnerabilities that they believe are valuable.
(28:00):
Like in the UK a few years ago, they went after our National
Health Service computers, which was like clearly hadn't been
robustly invested in from like a cybersecurity perspective, or
at least that is my conclusion from what happened.
But like people couldn't have their surgeries done that day.
So that's when it gets pretty dark.
Like you're trying to disrupt the gas supply to folks during
(28:21):
the winter.
I I don't know if that one was during the winter, but I assume
it was it was a critical time.
Yeah.
That's where, you know, we got to remember that there's some
really intellectually interesting discussions.
But like all in all, these people are nasty operators
looking to create quite significant threats to like
infrastructure and well-being of populations to maximize the
(28:41):
amount they get paid.
Hugh Williams (28:42):
So I think, you
know, the the story on the
street was that this Colonial Pipeline company paid $4.4
million to get this reversed by the hackers.
Um, you know, they're going for critical infrastructure because
they can hold these folks toransom and get a lot of money.
Hannah Clayton-Langton (28:56):
Okay, so
that MS case study has actually
turned out to be a super rich case study that's teased out
like quite a lot of interesting insight already.
I reckon we cut it here and come back next week to get into
some more of the like technical aspects of hacking more
generally.
Hugh Williams (29:14):
I think that's a
great idea, Hannah.
I mean, there's so many more things to talk about, you know,
viruses, worms, trojans, SQL injection attacks, how people
can be more secure.
How people can be more secure, you know, tips for companies.
And I think I think the MS story sets it up super, super
well.
So I think a second episode would be fabulous.
Hannah Clayton-Langton (29:32):
Okay, so
that takes us to the end of
part one on hacking, the anatomy of a hack.
And we'll see you next week for part two.
If you've liked what you've listened to today, do subscribe
wherever you get your podcast, give us a review, share with
your friends, and you can find us on LinkedIn, Instagram, and
X.
Hugh Williams (29:51):
Yeah, and we're
also available at
techoverflowpodcast.com.
And if you do like, subscribe and share this uh episode and
our series, there's a fair chance that Hannah will get to
Australia and there will be a second series.
Hannah Clayton-Langton (30:02):
Thanks
for listening, and we'll see you
all next week.
Bye.
Bye.