113: Adam
Adam got a job doing IT work at a learning academy. He liked it and was happy there and feeling part of the team. But a strange series of events took him in another direction, that definitely didn’t make him happy.
Sponsors
Support for this show comes from Axonius. Securing assets — whether managed, unmanaged, ephemeral, or in the cloud — is a tricky task. The Axonius Cybersecurity Asset Management Platform correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action. Axonius gives IT and security teams the confidence to control complexity by mitigating threats, navigating risk, decreasing incidents, and informing business-level strategy — all while eliminating manual, repetitive tasks. Visit axonius.com/darknet to learn more and try it free.
Support for this podcast comes from Cybereason. Cybereason reverses the attacker’s advantage and puts the power back in the defender’s hands. End cyber attacks. From endpoints to everywhere. Learn more at Cybereason.com/darknet.
Support for this show comes from Varonis. Do you wonder what your company’s ransomware blast radius is? Varonis does a free cyber resilience assessment that tells you how many important files a compromised user could steal, whether anything would beep if they did, and a whole lot more. They actually do all the work – show you where your data is too open, if anyone is using it, and what you can lock down before attackers get inside. They also can detect behavior that looks like ransomware and stop it automatically. To learn more visit www.varonis.com/darknet.
Transcript
One time when I was in middle school, my mom bought some cookies at the store and put them in the cupboard.
After school one day, I saw the box and it wasn't open yet.
I opened it up and took two cookies.
They were so good.
So I went back and got two more.
And I was still hungry, so I went and got four more and ate them too.
At this point, I looked, and over half the box was gone.
And I thought, oh no, I'm gonna be in trouble for eating over half a box of cookies.
I didn't like getting in trouble, so I stood there and looked at the box and tried thinking what I could do.
But there was no way to undo it.
So my 12-year-old self came up with the idea that maybe if the whole box is completely gone, like box and all, then maybe my mom will just forget she bought it altogether.
And so I took the whole box out of the cupboard, covered the area with some other food so it didn't look like anything was missing, and I ate them all.
And then I threw the empty box away in the outside trash bin, covered it up with some more trash.
And you know what?
It worked.
She didn't notice.
At least she never mentioned to me anything about the cookies, and I didn't get in any trouble.
I think she really did forget that she bought them.
And so my plan worked.
And I tell you this story because in this episode, you'll hear a similar story, but one with much higher stakes.
And it doesn't end so well.
These are true stories from the dark side of the internet.
I'm Jack Rhysider.
This is Darknet Diaries.
This show is sponsored by Delete Me.
DeleteMe makes it easy, quick, and safe to remove your personal data online at a time when surveillance and data breaches are common enough to make everyone vulnerable.
Delete Me knows your privacy is worth protecting.
Sign up and provide DeleteMe with exactly what information you want deleted, and their experts will take it from there.
DeleteMe is always working for you, constantly monitoring and removing the personal information you don't want on the internet.
They're even on the lookout for new data leaks that might re-release info about you.
Privacy is a super important topic for me.
So a year ago I signed up.
Delete me immediately got busy scouring the internet looking for my name and gave me reports of what they found.
Then they got busy deleting things.
It was great to have someone on my team when it comes to protecting my privacy.
Take control of your data and keep your private life private by signing up for Delete Me.
Now at a special discount for my listeners, get 20% off your Delete Me plan when you go to joindeleteme.com slash darknet diaries and use promo code dd20 at checkout.
The only way to get 20% off is to go to joindeleteme.com slash darknet diaries and enter code dd20 at checkout.
That's joindeleteme.com slash darknet diaries code dd20.
This episode is sponsored by my friends at Black Hills Information Security.
Black Hills has earned the trust of the cybersecurity industry since John Strand founded it in 2008.
Through their anti-siphon training program, they teach you how to think like an attacker.
From SOC analyst skills to how to defend your network with traps and deception, it's hands-on, practical training built for defenders who want to level up.
Black Hills loves to share their knowledge through webcasts, blogs, zines, comics, and training courses all designed by hackers.
For hackers.
But do you need someone to do a penetration test to see where your defenses stand?
Or are you looking for 24-7 monitoring from their active SOC team?
Or maybe you're ready for continuous pen testing, where testing never stops and your systems stay battle-ready all the time.
Well, they can help you with all of that.
They've even made a card game.
It's called Backdoors and Breaches.
The idea is simple.
It teaches people cybersecurity while they play.
Companies use it to stress test their defenses.
Teachers use it in the classroom to train the next generation.
And if you're curious, there's a free version online that you can try right now.
And this fall, they're launching a brand new competitive edition of Backdoors and Breaches, where you and your friends can go head to head hacking and defending just like the real thing.
Check it all out at blackhillsinfosec.com slash darknet.
That's blackhillsinfosec.com slash darknet.
In 2016, Adam applied for his first proper IT job at what we'll call the Academy.
So it's essentially a high school.
I think it's private.
It's based in a small town, not too far from me.
There'll be kids, you know, right down to starting high school all the way up to just before they're ending high school.
The only difference is, I think some of the students are private.
That's pretty much the only way I can describe it.
He'd been looking for a job for a while and was excited to start work at this fancy UK high school.
I started my first day.
Now in that first day, I got paperwork, as you do when you join a new company.
And in that paperwork, it said, please tick here if you've lived overseas before.
So I ticked that box and then on the next page, it said, please go to this box down here and it says, are you willing to pay for a criminal record check in the country you were previously in?
And I went, oh, okay.
This was a problem for Adam.
He did have a criminal record from a past life in another country and wasn't sure how they'd react to this.
He wondered if this would keep him from getting the job.
Are you smoking a cigarette?
Yeah, sorry.
No, that's fine.
Adam's dad is from the UK and his mother is from Thailand, but he was born in Australia.
And growing up, he always liked computers.
His dad owned a computer repair shop and he loved learning how things worked and loved playing games like RuneScape and eventually figured out a way to hack the game in order to get it to do things it wasn't supposed to.
And I think it did start with RuneScape for me.
First game I ever played.
So there was a battlefield where you could play single player.
And I started getting into modifying it so there could be more people, more AI players against me.
And that's when I started liking it more, if that makes sense.
But when Adam starts high school, some unlucky things happen to him.
Some older kids decide to pick on him.
I would have to go and get my dad milk and bread from the shop after he'd come home from work and after I'd got home from school.
That's when I'd usually bump into them.
And most of the time, they would take the money that my dad had given me to go get bread and milk or whatever he wanted me to get.
It started off with, can I have a dollar, to, give me a dollar, to, right, you're going to give me everything in your wallet.
Adam knew this wasn't right, but wasn't sure what to do.
These kids were much bigger than him, so standing up to them might mean he gets hurt.
But he was sick of getting his stuff stolen over and over.
So he went to the police.
The police would put me in the back of the police car, drive down to where these kids were that were bullying me, make me get out of the police car and basically get them to say sorry to me, which obviously made things a lot worse. So I lost my faith in the police because obviously it did make things worse. It started getting physical.
That move backfired pretty badly.
It stopped being more so, give me your money, and started being, give me your money or I'm gonna, um, you know, punch your face. And, um, eventually it got to that point where, you know, they're kicking me, kicking me on the floor, uh, chasing me down alleyways and everything.
He gets to the point where he's scared just to walk through his neighborhood. Adam says his coping strategy was just to stop going to school.
He would spend time at home on his computer.
Eventually, he gets called into the principal's office about his attendance.
He tries to explain that he's being bullied and doesn't want to come to school.
I just, at that point, had enough of it.
You know, I was even scared to go around the corners to the corner shop by myself in my own area where I lived.
So I would rather just be on the computer.
I guess having friends over the internet was a lot easier than trying to go out and make friends in person at the time.
So the result of that was they thought that I was just, I guess, a trouble student and just, yeah, expelled me and sent me to a behavior school.
A behavior school in Australia is the place where troublemaking teenagers go as a last chance at education.
We call them alternative schools here in the US.
The one he got sent to was far away from home, which also meant it was far away from those bullies.
It was a really fresh start and I made a lot of friends. Now obviously they didn't know anything about what I was like in my previous high school or what I'm like in my local area, but I found it very easy to, um, get along with them and get involved in things that I never expected to get involved in. So, you know, started hanging out with them, smoking cigarettes, drinking alcohol, ended up eventually, you know, getting into fights with people, and it just became, I guess, normal for me. But it was like a fresh start, if that makes sense.
Adam's mother is from Thailand, which makes him half Thai, which means he was hanging out with the other Asian kids at school.
But some of these kids were smoking cigarettes and drinking alcohol.
And it turns out that some of them were in an Asian high school gang.
There was this little Chinese red envelope that they gave me, and they said, if you want to join us, put one dollar in here and then give it to this guy who was meant to be our boss at the end of the day after school.
Adam took this really seriously.
To be honest, looking back, I find it a little bit funny, but I went to the teacher in the school and I said, hey, these guys approached me and they said, I should join this game.
What should I do?
And I mean, at the time, I thought it was a good idea because, you know, from all the bullying and not being liked in high school and, you know, being scared of, you know, going around the corner to go buy food in my own area to now having what I thought at the time was really, really powerful friends.
And, you know, no one's going to mess with me anymore.
The main reason it started was because naturally I'm a very quiet and shy person. So I've always been very shy around people, so in groups I'm not one to really talk a lot, if that makes sense.
From being the kid that everyone used to pick on who was too scared to leave the house he finds strength in being part of a group.
Now he was someone to be scared of, which gives him a sense of power and strength and safety, and perhaps overly confident, because he's starting to get into fights at school fairly frequently and starts selling marijuana too, because this wasn't just a little high school gang. It was actually connected to a larger one.
So our boss, who sort of looked after all of us young guys, most of us were under 16, 17 years old. I think at the time I was one of the oldest ones. He was, I think, 18, and then his boss was, I think, 24, 25.
And then he had a boss above him who we never saw, but apparently he was in his 40s, come over from China or something, and he was involved in a more heavier gang, but was also running the drug side of this gang.
This gang was trafficking drugs and using the high schoolers to try to sell it.
They'd hand him some weed and say, hey, go sell this.
And we would have like two ways to sell it.
If we didn't sell it, we'd get taxed for not selling it.
So it's worth, I think, off the top of my head, it was worth $200. We'd have to sell it for $350. If we didn't sell it, we'd then have to pay the $350 to our boss as a tax and punishment.
Of course, Adam didn't want to be punished, so he found ways to sell the weed as a 16-year-old. And this goes on for a while. But then one day someone told Adam a made-up story about another kid, that this other kid was hurting girls, and that made Adam mad. He went looking for this guy and found him and beat him up pretty badly.
And one of the people that Adam was with took the guy's phone.
And this resulted in Adam getting arrested.
The law is over there that if it's a serious assault and then someone picks up a mobile phone and puts it in their pocket, so steals a mobile phone, it's then classified as robbery in company.
And that is quite a serious charge to have over there, which is what essentially I got charged with and resulted in me ending up in prison.
After Adam gets out of prison, his family decides to move to the UK for a fresh start.
His behavior had been hard on his parents and he didn't want to cause them any more problems.
So when I got out in Australia, one of the main reasons we wanted to move over here was that, you know, I didn't know how to make normal friends because a normal person to me from the last four or five years was someone who wanted to get into a fight every weekend.
And I didn't want to get back into that because I didn't want to get taken away or, you know, I didn't want to put myself in a position where I was taken away to prison again and I was just like you know what I can't do this anymore because if I keep doing this I'm going to either end up dead or back in prison for the rest of my life in and out.
So it was hard for Adam to integrate himself into society.
A lot was different for him.
He had just come out of prison, he had just moved to the UK and he didn't have any friends and wasn't even sure what kind of friends he wanted to make.
Life was weird for a while.
I ended up doing some warehouse work and going back and forth between different jobs.
I ended up as a debt collector at one point and eventually led to, I think it was 2016, when I eventually sort of said, well, you know what, I got skills in computers and IT.
And my dad's been for years telling me to get a job in IT.
So I took the plunge and I jumped straight into an apprenticeship, which was very bad money.
But at the end of it, I would have got my foot in the door within the IT industry.
This apprenticeship was where they asked him about his criminal record.
The job was to do IT work at the academy.
Think of it like a private high school, maybe 1,000 students, and it wasn't too far from where he was living at the time with his parents.
He didn't think they'd be interested in him, but he applied anyway and they called him in for an interview.
They liked him during the interview and offered him a job.
He took it and was really excited about it.
But it was only then, when he was getting onboarded and he had to fill out some paperwork, that he saw this question, Are you willing to pay for a criminal record check?
At no point did any of this come up before.
He put his pen down and met with one of the people who interviewed him.
So I went and I spoke to one of the, I think it was an assistant principal or something at the time.
And I said, look, I really got to speak to someone that's really important.
She listened to his story and he told her all about the assault in Australia and how he beat someone up and got arrested.
She turned around and she said, okay.
That's fine.
Well, let's apply for your criminal record check and we'll go, yeah, nothing to worry about.
Now, she didn't put any of that in writing, but, uh, yeah.
While the criminal record was still being processed, Adam started working at the academy, thinking they must have known and thought it was okay anyway. So he starts getting training and doing general IT support for the school, things like resetting passwords, replacing broken keyboards, and installing software. He liked doing IT support and felt like he was part of the team and the school spirit, and was getting to know some of the students and staff. He was doing good and learning fast.
Now, this school had a lot of computers.
They were in the classrooms and computer labs and in the library and the office and teachers had some too and he was tasked with going around these computers and fixing any issues they might have.
Now if a computer was connected to the network he could just log into it with his username and password.
But some computers weren't connected to the network.
And for those Adam had to use the local admin username and password to get into them.
Now this is different than the domain admin password which can control everything.
The local admin password theoretically only lets you into that one computer.
But the way the academy set it up is that all the computers use the same local admin password.
All the student computers throughout every classroom in the academy had a particular password for the local admin account.
Adam noticed this pattern, which actually is a security issue.
If all the computers use the same local admin password, then having that one password pretty much gets you into everything.
But this made Adam wonder, wait a minute, could this local password also be the global domain admin password too?
This was probably about a week and a half into the job.
So the computers in the classrooms had a particular password.
And I pretty much, from that particular password, because it was the same on every single computer in the school, I pretty much figured out what it might be.
And I asked...
this guy who I was working with, who was more senior than me, and he kind of smiled. And that's when I figured out what the password was.
A week and a half into his role as an IT apprentice and he guessed what the domain admin password was. This is not good. Junior employees should probably not have this kind of access early on. There's a concept in IT called least privilege, which means you should not give users access to more than what's necessary for them to do their job. While it's true that nobody gave Adam the global admin password, he was able to easily guess what it was based on patterns of what he saw in the first week there.
This really is bad practice too, since the admin password should be the most guarded and protected password on the network and not so easily guessable.
As far as I'm aware, there was one admin account which had full access across their entire network infrastructure.
That had one particular password and then every employee had one particular password which is very easy to guess.
So all their network was set up in a way with a certain prefix that was used for everyone.
Oh right.
Sometimes schools will assign passwords, which is a combination of like your name and birthday or something.
And so if you just know someone's name and you know the pattern, all you gotta do is find out their birthday and now you can have access to their account.
A better method is to force users to pick a password when they sign up for their account.
This way there's just no default password at all.
As time goes on, Adam becomes more aware of these issues and the passwords, but he's still too new to really do anything about it.
Part of him doesn't really know if this is a problem, and part of him doesn't really know how to fix it, and part of him just wants to follow what he's supposed to do and not call the current system crap.
Stay with us, because after the break, these passwords become a big problem.
This episode is sponsored by Shopify.
Starting a new solo project is really overwhelming.
When I started this podcast, I suddenly had to worry about writing, editing, researching, interviewing, and so much more, all alone.
And when you're starting something new, finding the right tool that not only helps you out, but simplifies everything can be a game changer.
For millions of businesses, that tool is Shopify.
Shopify is the commerce platform behind millions of businesses around the world and 10% of all e-commerce in the US.
From household names like Mattel and Gymshark to my own t-shirt shop, which is shop.darknetdiaries.com.
And I love Shopify because of how easy it makes getting my business online.
And once it's there, Shopify has built-in tools to help me create, execute, and analyze my online marketing campaigns.
So get started with your own design studio.
With hundreds of ready-to-use templates, Shopify helps you build a beautiful online store to match your brand's style.
If you're ready to sell, you're ready for Shopify.
Turn your big business idea into
with Shopify on your side.
Sign up for your $1 a month trial and start selling today at shopify.com/darknet.
Go to shopify.com/darknet, shopify.com/darknet.
Adam was working at this academy for a few months at this point and getting familiar with the systems there and the people.
But that's when the school finally got his criminal record back and took a look at it.
When they got it back, they then turned around and pulled me into the office.
This time, the principal, and she said, you didn't declare this.
And I said, well, yes, I did.
Spoke to you, spoke to this lady, and she said, don't worry.
And she said, was that her exact words?
And I said, yes.
And she was like, well, you're going to have to worry.
Unfortunately, we can't keep you here.
You're sacked, basically.
The school didn't want people who had a criminal record for assault working around children.
But to Adam, who'd been trying his best to make a new life, this felt like a betrayal.
For them to turn around and say, right, we can't have you here.
I was angry.
From my perspective, at the time, I'd wasted the last months or two months or whatever it was trying to learn and getting used to the school, making friends with the IT department, the teachers, for them to turn around and just say, no,
we don't care whether you changed or you've done things to make yourself better.
End of the day, you can't be here.
Adam was angry.
He wanted to do something.
But there was nothing to do about it.
It's not okay to lash out on someone just for firing him over this.
So, begrudgingly, he moves on.
He gets a different IT job, and this one they're fine with his past.
It was never an issue for them.
And he picks up a lot of new IT skills at this job.
He learned about domain controllers, Active Directory, Office 365, and managing computers and using Microsoft tools.
At the same time, he liked playing first-person shooter games online, and this led him into the online game cheat community.
And that led him into learning more about hacking and exploiting computers.
But all that was just innocent stuff, though.
After a while, he took his newly acquired skills and went and got an even better IT job, this time as a senior technician, which taught him even more new skills.
And after a few years of working in IT, Adam's life was looking up.
He had a job as a senior technician, he had a relationship, and after being scared to get to know people for so long, he really put himself out there and started to make friends.
But all this changes after a bad breakup in October of 2020.
I guess it really was crushing and I got into a really deep depression.
I wasn't too pleased with the job that I was in because I felt at the time that I was being heavily underpaid for what I was actually doing.
And I don't think everything was at the time and even now, things weren't very good.
His personal problems made him restless.
And he was starting to grow frustrated at work.
One of his supervisors was always giving him a hard time about something.
All this added up and it made it hard for him to sleep at night.
So he spends a lot of late nights playing video games and looking at hacker websites and forums, learning about malware and how to break into systems, what you could do if you did break into something, like how to read other people's emails or cover your tracks or read messages on Teams and Slack without people knowing.
And late one night in January of 2021, after watching a film, he goes to check his email before bed and notices something.
My email address in the autofills for the Academy popped up and I thought, oh, you know, I think there's a lot of curiosity just to see if they'd changed it because it's been a long time now.
Obviously, the first thought in my mind is, yeah, they've definitely changed the password to the admin Office 365 account.
The Academy fired him four years ago, but he still had that local admin password memorized for the computers there.
Now that he knows a lot more about computers, he was curious to see one, if that was still a valid password, and two, if it was also the domain admin password.
So he goes to the Office 365 login screen, which is just office.com.
And this is the tool the Academy used to manage the school's network, like usernames and email boxes and that sort of thing.
He goes to the Office 365 login screen.
He types in the school's domain, then the admin username, and the admin password, which he still had memorized all this time.
And what do you know?
It worked.
First try even.
He was logged into the school's admin portal on Office 365.
I felt like it was an achievement at the time because I was more surprised that it worked, because obviously it's been so many years now.
I would have thought from working in IT that you change passwords more often, if that makes sense.
It felt like an achievement getting in and then it kind of progressed on to being motivated to find out how much more I can get to.
From within the Office 365 portal, one could potentially configure and view the computers in the network.
You could see what users there are, reset their passwords, look at what email accounts there are, configure Skype, see SharePoint sites, and look at and configure the Active Directory settings.
It's the heart of the network.
This is what makes everything else function at the school.
He hadn't really thought about the academy that much since being fired, and he learned so much since then.
And specifically, he now really knew his way around Office 365.
But since he got into the Academy's admin panel, he was curious to see what was their setup like?
How good was their security?
And he decides to poke around.
But just looking, though, no touching.
So the account I was on, I only had access to certain things like changing users' passwords.
Now, this was what I can understand was just sort of like the lower level IT guys account that they used.
And I wanted to get access to more permissions.
So I had a look through the groups and I found three accounts in particular which had super administrator access.
So essentially giving me free reign over the entire Office 365 side of things.
And I identified who they were.
One of the first things I'd done after I'd done that was I went into, they call it e-discovery on Office 365, and went in there and just made sure that there was no alerts.
This is something Adam had learned on his own time since getting fired at the Academy.
He knew what kind of security alerts would generate just by being there and was watching to see if he was triggering any of them.
Then I changed password for one of the accounts that had super administrator rights, changed password and logged into it and went through some of the emails just having a look around, seeing what other things they had on the setup, the domains that were connected to Office 365.
Oh, well, this is no longer just looking anymore.
He's changed a super user's password and logged in as them and is reading their emails.
He's done what's called privilege escalation.
The first login didn't have all the permissions he wanted, so he switched to this account, which did give him all the control and access he wanted.
So now he's basically in God mode.
With a click of a button, he could bring down the whole network if he wanted, but he didn't want to.
He was still just curious and wanted to look around.
So I think at the time, my thought process was just I want to find out as much as possible without doing as much damage.
So changing this one particular password, I firstly looked at that account just to see if it was being used.
So after I'd checked that there was no alerts, I then set delegated mailbox access to that account so I could check the inbox and see if anyone had been using it, you know, sending emails or not reading emails, which they hadn't.
I had figured that no one was using it, no one's going to care.
You know, if someone tries to log in in five or six weeks, they'll just say, oh, it's got the password and change it.
At this point, it's now one o'clock in the morning, and specifically, it's Saturday morning, January 16th, 2021.
So far, Adam has full super user access to Office 365 for the Academy, but this is a cloud portal.
And while the computers in the Academy get their configuration and authorization from this cloud portal, he's not actually in the school's network or any of their computers in the school. And he's curious to see if he can actually get in there. He remembers there was a way for the IT staff to VPN into the school from home. A VPN is a secure private connection to the internal school network. So his curiosity is leading him to see if he can find VPN access into the school's network. He starts looking through emails to try to find a VPN password.
I happened to come across, on one of the help desk accounts, had sent an email out to someone basically with a file, a VPN file, and told them to use a certain prefix and, uh, characters for their password. Which I, at that point, then switched from Office 365, so the website, closed that down. And, um, I was very determined to get into the network no matter what. So I didn't know what password it was, I didn't know what account I had to use. I spent maybe the next two hours trying to get into it. And they had a method of sending passwords, which again surprised me that they'd kept the same method, but it was quite simple once I'd guessed the Office 365 one to follow the pattern.
After a few hours of guessing VPN passwords, he finally gets it.
He successfully VPNs into the school's network which means he's connected to the school as if he's inside the school itself but he's at home.
And he hasn't hidden his tracks at all.
He's made all these connections to Office 365 and the VPN directly from his home's network connection.
Adam realized that.
And it was like that moment when I ate that half box of cookies and I realized I had gone too far.
Adam had crossed the line and all his activity could easily be traced back to him.
And he had to think about what he should do.
When I did get into it, I think this is where the turning point was where I thought, right.
I've not done anything to hide myself at all.
And this has turned from just me being curious to more malicious now and I've got myself in trouble basically.
There's no way around it that they're going to easily find this person logged in from this IP address at this time.
Who's that person?
Don't know who they are.
Let's report it to the police.
So I think that's when the tables turned, more destruction.
He gets up out of his chair and does something else for a little bit just to think about the situation.
His real IP, which is registered under his real name, is what he used to do all this with.
And yeah, he crossed the line a few times with what he's done already.
Changing passwords, reading emails, and brute forcing his way into the VPN.
He thought surely he's going to be in trouble for this.
I know what's going to happen.
There's a 50% chance they'll come in and they'll say, oh, why isn't this password working anymore?
Who's changed this?
They'll do a little internal investigation and they'll conclude that someone's been on the network and they'll just change passwords.
Or there's a 50% chance that they'll look deeper into it and call the police.
Calling the police is what I wanted to avoid, so I couldn't avoid it.
So my next thoughts were, right, let's try and get rid of as much as possible to try and cover my tracks.
So he's in the network, but doesn't know which computer he's on.
He wants to learn more about the network and uses an IP scanner to get a lay of the land, which gives him a list of all the computers on the network.
He figures out he's on the main computer that everyone logs into from home, but there's nothing good on this computer.
The main infrastructure with all the good stuff is where he wants to get into, but that's on a different part of the network.
So he consults the spreadsheet of all the computers he found earlier and picks his next target.
So I found a computer which was in the, I believe it was in the IoT workshop somewhere.
And I had thought that maybe if I can get into that computer, then there might be, you know, an RDP icon saved with saved credentials that I might get into the main controller.
What he's doing is a classic example of lateral movement, which is the foundation of a lot of cyber attacks.
It's when the attacker manages to get a foothold in one system and then pivots around the network, hopping from one system to another until they find what they're looking for.
At each step, there's a vulnerability that can be used to get closer to the target.
Adam kept hopping from one system to another to try to get to the computer he wanted, and not having strong passwords in a network really helped him get around a lot easier.
Eventually, Adam was able to remote desktop to a computer and from there, remote desktop to another computer, which was in the IT workshop.
And then from there, as I'd thought might be the case, there was sort of saved credentials.
I think there was domain controller one, domain controller two, there was a backup server, I think there was a gateway server, and a couple of other servers as well.
I think at that point I'd realized how far I'd come in to the network.
I had access to everything from now.
Just from knowing the school's domain and guessing the admin password that he thought he knew years ago, Adam has worked his way into the entire infrastructure in just a few hours.
From what I remember, once I had gained access to all the infrastructure, I then started the process of wiping the entire servers that I was on.
As I was doing that, I went on to office.com and I saw a list of devices.
He sees a list of all the devices connected to the mail server.
Now, this is thousands of mobile devices.
It's every phone and tablet that had email access.
Now, most of these were devices owned by either teachers, students, or parents, which had all connected to Office 365 to get their emails and files.
I highlighted the box to select all and I clicked the wipe button.
When you log in to Outlook from your personal device, you'll get a prompt saying, Do you want to add this organization to your device?
But what you might not know is doing so can give the administrator the power to fully wipe your entire mobile device.
And this is actually a security feature.
If you lose your phone, the IT admin can wipe the device, which makes it so nobody can see what was on that phone because you don't want the wrong person seeing sensitive information.
But what's crazy is the IT admin can wipe thousands of devices with just a few clicks.
And Adam had just attempted to wipe 2,947 devices through his access that he had on Office 365.
People would be waking up to their phone being factory reset, all their pictures, texts, and files completely gone.
Once that was done, Adam took a look at the domain controller itself to see what he can do on that.
There was a command that we'd used in the company that I was working with a couple of times to just do a complete wipe.
Essentially, the command makes the computer or server not be able to boot because it deletes everything.
So it's to take ownership of all folders and then it deletes all folders basically.
And I ran that on, I think, the domain controller.
Okay.
So this isn't just wiping your tracks.
You knew this.
Yes.
This is wiping out the entire, I mean, the heart of the infrastructure.
Yeah, and I think at this point, it was, well, if I'm going to get caught, I might as well get them back for what they've done to me.
I think that was my thinking at the time.
So very destructive, malicious actions.
It was like, right, let's just release all the anger, everything that I've, you know, had against them, and just wipe everything.
Make their life as difficult as it can be on Monday morning.
What about backups?
There was a backup server and a secondary backup server that I started running the commands on.
It was at that point that I found this IP address just on this spreadsheet and it had nothing written next to it.
So there were two IP addresses with a username and password in that document, which was a completely separate username and password from any of the methods that I'd used to get in previously.
So I was a bit interested to find out what it was.
And then, surprisingly, when I logged into it, it was a hypervisor, basically, and it had two hypervisors.
What he logged into was a virtual machine host.
That is, this one computer housed and controlled many other computers inside it, and it was from this host machine that he could do whatever he wanted to the subsystems, such as delete them entirely. And it was on this virtual machine host where the backups were for this network.
The backups were completely wiped as well.
I mean, all of these actions are really stupid, and I think at the time I just thought, this is their backup server.
This is probably everything they have.
From here, he works his way backwards out of the network, deleting, destroying, or degrading every computer that he could log into on his way out.
And when he tries to log back into some servers, all he sees is a black screen.
And the last thing he deletes were all the user accounts, making it so nobody had a valid login anymore.
Adam was letting out a lifetime of anger and I don't think it was just from how this school treated him, but it was from how previous schools treated him and how bullies treated him and this recent breakup made him feel and the anger he was getting from his current job.
There have been multiple times in his life where he felt like a victim and was powerless and even went to the police for help when he was a kid, which didn't actually help at all.
And then there was a time when he joined a gang and saw a glimpse of power and strength in numbers, but that escalated out of control and he wound up in prison.
But now that sense of power has returned.
Power over the network.
Power over those who have wronged him.
And he was exercising that power with great vengeance and furious anger.
What's it like at the end of all this?
Because, I mean, by the time you're done, you're just leaving, like, a wreckage of smoldering, you know, you've ruined everything.
What's that feeling like at the end of all that?
It was more, so getting towards the end of doing what I'd done, it was more panic.
And I guess I wanted to go to sleep, but I wasn't wanting to process what I'd actually just done.
So it was all kind of went very quickly.
There wasn't really much thought process or time to think about what I was doing other than just do it, just get it over and done with.
So I finished up and I think I went to sleep.
This attack was pretty devastating for the school.
The UK was on lockdown due to the pandemic at the time, and the students were remote learning from home.
Adam had obliterated the academy's whole infrastructure, meaning students couldn't connect to school, and there were no shared drives.
SharePoint was down, emails were down, and absolutely none of the logins worked.
But it hadn't just wiped out the school's infrastructure.
Many of the students' and teachers' devices that connected to the school were also wiped, too.
Hundreds, maybe thousands of devices were screwed up from this.
And somewhere around 5 a.m., he crashes for the night.
The next day, he wakes up and checks back in.
It's bad.
The servers are all offline still, but he finds a few more things that are still up.
And he logs into them and uninstalls some key software on those systems too.
Then he logs out of everything altogether and just thinks about what happened.
I was worried about what was going on.
You know, I was searching on Google to see if there's been any news about the school going down.
So I was really, really panicking about what has happened.
I did think about wiping my computer, but at that point, I'd thought, you know, I couldn't get into the firewall to wipe the logs.
So no matter what I do, they're going to come for me.
They know who I am as soon as they look into it.
The days after that are a fog of paranoia for him.
He calls in sick to his current job because he's too anxious to work.
Were you living with your mom and dad?
Yes, yeah.
Did they have any clue?
No, no.
I mean, my dad sort of suspected something was up when I kept looking out the window.
That's an interesting picture.
You're looking out the window a lot and your dad's like, is everything all right?
Yeah, yeah, so there's definitely a lot of paranoia.
You know, I take the dog out for a walk twice a day and I'm walking outside, leave the house and I'm looking left, looking right, seeing if there's any police cars around because obviously in Australia, I have a little bit of experience of what the police are like.
And I was looking around for anything out of place and it was just very, very paranoid couple days.
So Monday he calls in sick.
He doesn't go to work at all.
Tuesday he calls in sick again.
Wednesday he calls in sick still.
The anxiety, stress, paranoia of all this just makes it so he cannot concentrate on anything work related.
Thursday, he sleeps in and then wakes up and goes to take the dog for a walk.
As I was going in the front door, I sort of turned around because I noticed something in the corner of my eye, and there were car parks sort of across the road, and there were two guys in a car, and I thought, oh, that's a bit weird.
I've never seen them before.
And the way they were looking at me.
But as soon as I shut the door and got inside the house, walked into the living room, took the lead off the dog, I heard really, really loud knocks on the door.
And I knew instantly, yeah, it is the police.
And my mum went to go get the door.
And there was about 10 or 15 police officers.
Adam calmly lets them in and tells them straight up.
I said, you know what, I know what this is about.
Everything you need is in here.
Nothing's been wiped.
Let's get it over and done with.
He leads them to his room and shows them where he did everything from and confesses to it all.
In Australia, with my experience with the police, when I was arrested and everything, I didn't want to go through going, you know, lying about what had happened.
It was very, very obvious.
You know, working in IT, it's very, very obvious that there was enough evidence to convict me for it so I'm not gonna make their life harder and because that'll just make my life harder as well.
Did they handcuff you?
No, no, they were actually really, really good.
And so we walked upstairs.
I showed them all my computer equipment, where my phone was, gave them all the passwords to the computer and my phone.
And they basically said, yeah, you can have a cigarette or a smoke before you go.
We had a little chat about, interestingly, they were very interested in my setup, and they were asking what sort of components I had in my computer.
And then we literally walked outside, got in the car, and they drove me to the police station.
The police had brought 15 officers, so they were prepared for a struggle.
Adam, being so cooperative, caught them off guard.
They did say that.
Usually, the majority of the cases that they come across with cybercrime, they never catch the people that are involved in these attacks on schools and businesses.
So this was kind of a first for the particular officer who arrested me as well.
The attack was so destructive.
The police were actually asking Adam to help make sense of what happened so they can help get the school's servers back up and running again.
The main thing that they wanted was the commands that I had run and what servers I'd run them on, because from what I was told, they only had the logs of me getting into that first VPN computer, and without restoring the servers that I'd destroyed, basically, they couldn't get the logs off those servers.
So we went through a list together.
One or two times I went to the police station, sat down with them, and they listed out all the servers and asked me to sort of map out which way I went and what command I had run on each server.
To make matters worse, the head of IT and senior technician were actually off work recovering from COVID.
This had left the most junior technician in the school scrambling around to try to work out why all these systems were down.
The school even got Microsoft involved at some point and paid them £15,000 to help restore the systems.
But, yeah, I mean, to try to restore a whole network with no backups...
Yeah, starting from scratch is, oh my gosh, it's, uh, with no data in there to review or to look back on, or the configurations, oh my goodness.
Yeah, yeah. So it's quite, quite bad. I think it was about a week to immediately get everything back up, everything that was down back up to a running state, and for the students and the teachers to use the system again. But from what I'm told, it took almost a month from start to finish to actually get everything back into a stable place.
Okay, so did they say how, um, how they caught you?
Um, no. I mean, I pretty much assumed so.
I said in the car, on the drive back from the police station, one of the investigating officers, the main officer in charge of the investigation, he, um, I said to him, so you obviously caught me via my IP address. And he turned around and gave me a little smile and he said, you know, I can't answer that.
While he did try to destroy all the logs, he wasn't able to clear everything. He never was able to get into the firewall, which would show what IP was his. And my guess is that the school saw what IP had logged in, or they asked Microsoft what IP logged into Office 365 that night, and then they handed that IP address to the UK police, who could then get a warrant from the ISP and figure out who had that IP at the time, which would then lead directly to Adam and his address.
Adam lived with his parents, but he had a separate internet connection just in his own name.
When the police found his IP and looked him up and found he was an aggrieved former employee, you can imagine it was a pretty open and shut case.
But after he's questioned and processed, they release him from custody to go home and wait for his court case, which was scheduled for March of 2021.
He tries to go back to work, but it's rough.
He's calling in sick a lot due to the stress of what he did at the academy.
There's COVID in the air, so maybe he's sick from that too.
So he's just not attending work very much at all in this time.
I had a disagreement with my employer and it was about money.
Over here, we have what we call a furlough scheme.
The furlough scheme in the UK was where the government would pay 80% of the employees' wages for people who couldn't work during COVID, and the employer only had to pay 20%.
And as Adam tells it, his employer decides to let him go and refuses to pay him furlough.
On top of that, the company gave Adam permission to buy a new laptop for work, but when he did, they claimed he used the company's money without permission.
The company claims they took his corporate credit card away and he bought something else with it after that.
Adam denies this and said everything he bought, he either had permission to buy or made an agreement to pay it back.
That really, really, really made me angry.
And the following steps to that was that I had thought, you know, let's send them a message.
Now, they weren't very smart in the way, after they've sort of got rid of me, changing passwords and everything.
Oh no, this doesn't sound good.
Adam is really upset at this company for firing him and blaming him for things he didn't do.
And he has privileged access to their network and knows his way around it.
You can guess where this is headed.
He waits until late one night on a weekend and tries to log into their network.
He uses the domain admin credentials that he still had written down somewhere to log into this company's Office 365 portal.
And from there, he gets access to the global administrator account.
And from there, he spiders around to get access to more systems.
Then he starts uninstalling software on various computers.
And it appears he was specifically targeting his supervisors and managers, uninstalling software on some IT support systems, and then getting into the accounts of the IT director and senior IT staff.
And he changed their passwords so they couldn't log in anymore.
He tried uninstalling some more software and then logged out.
Overall, it wasn't nearly as destructive as he was with the Academy, but it was still over the line and criminal.
And the company knew immediately who might have done this and reported the IP address to the police along with Adam's name.
The police, you know, I was on their radar already.
So when the report went into the police, the cybercrime unit picked up on it and arrested me for it.
The same officers came to his house, but this time he wasn't as cooperative.
To begin with, he denied doing it.
So they handcuffed him and took him to custody for two days.
He figured this time there's actually plausible deniability, but the police already knew his MO from the Academy case.
And he ends up admitting that, yeah, he did get in there and change passwords.
But his employer also claimed he made thousands of pounds of unauthorized purchases from the company credit card.
So I did spend it, but it was a civil agreement between me and the director of the company.
So essentially, what happened was there was a civil agreement between us.
So, I spent the money.
I went to him.
I said, Look, I spent the money.
Are you okay with me paying this back out of my wages?
And he said, Yes.
But what he had then done is when these passwords were changed, is he's gone to the police and he said to the police, he used it fraudulently.
I never gave him permission to do so.
I want him charged for this.
So, what Adam describes as a loan dispute gets dropped from this case because there's just not enough evidence.
But this court case with his employer and the court case from the academy get rolled up into one big case.
Basically, the judge had indicated that it will be a prison sentence as it stands with no other mitigating circumstances.
So if he had sentenced me on that day, he would have sentenced me to prison.
But I think because of my cooperation with the police and how open I was as soon as they came, didn't make it hard for them.
He wanted to give my defense teams and my solicitors and lawyers the opportunity to get as much mitigating circumstances as possible.
His lawyers say there's a 50-50 chance that he'll get prison time or a suspended sentence.
And if he goes to prison, it'll probably be between six months to three years.
He's 28 years old now and spends a lot of time thinking about the upcoming sentencing.
I am pretty worried. I mean, from the start, when the police turned up, I've been very open to owning up to this mistake that I made. So I don't like thinking about, you know, what's going to happen, because I'm just taking it day by day at the moment.
Yeah, I think you might have spoiled the soup here, because, you know, if this is what you want to do, you're very knowledgeable of this stuff. It sounds like you want to make a career in this. But I mean, fighting in the schoolyard, I've been in the hiring seat before and I would have said, no, that's fine, you can still come in here, just don't fight anybody in here.
Yeah.
But, like, sabotaging two different networks that you worked for previously, your previous employers, there's no way I would hire you anymore. Like, you're done, I think.
Yeah, yeah.
In February of 2022, Adam appeared before the court to be sentenced.
Judge looked at his case and sentenced Adam to 21 months in prison.
He was not able to reach out after the sentence to give me any updates.
They immediately escorted him to a holding cell and transferred him to a prison.
He's due to be released sometime in 2023.
The moral of the story is you should always change your admin passwords when someone from IT leaves the company, maybe even twice.
And this should be standard best practices for all organizations, because if you don't, you now have someone outside your company who has privileged access into your company.
And in Adam's case, it was four years after he left the academy that he used the domain admin to log in, a password that he was never supposed to have in the first place, but was able to guess it in the first week of being there.
But I think, on a more personal level, you should also change your passwords when you break up with someone who's close to you, like a girlfriend or boyfriend.
I've seen so many stories where someone took their ex's password and got into their accounts after a breakup and caused significant damage.
So anytime you think someone may have seen your password or could have guessed it or actually did have it, you really should change that password when that relationship ends, whether it's work or personal relationships.
A big thank you to Adam for sharing the story with us.
As a reminder, you can get an ad-free version of this show and bonus episodes.
You can do this by either subscribing to Darknet Diaries Plus on Apple Podcasts or by visiting patreon.com slash darknet diaries.
And if you do, it'll also support the show quite a lot, so thank you very much.
The show is made by me, Captain Jack Rhysider.
This episode was produced by the warm-blooded Elizabeth Winter.
Mixing is done by Proximity Sound.
Sound designed by the foot shuffling Andrew Merriweather and our theme music is by the beautiful Breakmaster Cylinder.
Do you know the name of the chemical that's released in your brain after you see funny cat pictures on the internet?
It's called dopamine.
This is Darknet Diaries.