tonight we'll take you inside the growing shadowy Global Market of cyber Espionage we look specifically at a controversial Israeli company called the NSO group valued at nearly a billion dollars that says it developed a in tool that can break into just about any smartphone on Earth NSO licenses this software called Pegasus to intelligence and law enforcement agencies worldwide so they can Infiltrate The encrypted phones and apps of criminals and terrorists problem is this same tool can also be deployed by a government to crush descent and so it is that Pegasus has been linked to Human Rights abuses on ethical surveillance and even to the notoriously brutal murder of the Saudi Arabian critic Jamal kogi headquartered in the Israeli city of herzelia NSO group operates in strict secrecy and I said them but co-founder and CEO shalev Julio has been forced out of the shadows and not into a good light accused of selling Pegasus to Saudi Arabia despite its abysmal record on human rights and the word is that you sold Pegasus to them and then they turned it around to get kogi kugi murder is horrible really horrible and therefore when I first heard there are accusations that our technology been used on Jamal kugi or on his relatives I started an immediate check about it and I can tell you very clear we had nothing to do with this horrible murder it's been reported that you yourself went to Riad in Saudi Arabia you yourself sold Pegasus to the Saudis for $55 million don't believe newspapers is that a denial no Pegasus is so expensive because it lets authorities do what they long couldn't break into smartphones remotely making everything in them completely visible all emails contacts and texts new old encrypted are not Pegasus allows detectives and agents to track locations listen into and record conversations basically turning the phone against its user in the company's 8-year history they have never let cameras in but they wanted to show us they're like any high-tech company with PlayStations and pilates but there was a lot we couldn't show notice no faces the work is top secret and some employees are exmilitary intelligence and mosad Pegasus is such a sensitive spy tool NSO has to get approval before it can be licensed to any client let alone Saudi Arabia from the Israeli defense ministry as though it's an arms deal why would would the government of Israel want you know what seems to be an enemy um to have this technology I'm I'm not going to talk about specific customer but can can you say that you won't and haven't sold Pegasus to a country that is known to violate human rights and imprison journalists and go after activists I only say that we are selling Pegasus in order to prevent vent crime and Terror we have theic stop penetrating an iPhone was an issue in the terrorist attack in San Bernardino California in 2015 right now we have one down outside the car the FBI said it couldn't get into the shooters phone and apple refused to help over privacy concerns an issue that had come up before intelligence agencies came to us and say we do have a problem with the new smartphones H we cannot not longer get valuable intelligence they were encrypted exactly how many lives do you think Pegasus has saved 10 of thousands of people really yes Julio referred us to the head of a Western European intelligence agency who off camera confirmed that Pegasus is a GameChanger in foiling attacks by European jihadists as well as shutting down drug and human trafficking rings but here's the question question how often has Pegasus also been used to go after a government's critics if you were in Saudi Arabia you'd be in jail well I don't think I will be in jail I don't think anyone will find my buddy like what what Jamal Kash has fac gam Al masar is a saudy comic living in London who has a popular YouTube satire show that takes aim at Crown Prince Muhammad bin Salman last year as the regime was kidnapping locking up and torturing Saudi dissidents gam says he and other critics abroad got text messages like this fake DHL notice that if clicked would download Pegasus onto their phones so they could be spied on and you clicked on it of course yeah who's sending me a package now Pegasus is designed to catch terrorists so who defying the terorist do you think I am a terrorist do I look like a terrorist I don't know what I don't know what a terrorist looks like yeah but I mean the problem is the Saudis consider people asking for uh freedom of speech as terrorist they consider anybody who is a threat to their regime is a terrorist what do you do when your customer has a definition of terrorist that isn't our definition in some countries the opposition are are terrorists no such thing every customer that we sold had a very clear definition of what terrorism is and it's basically bad guys doing bad things in order to kill innocent people in order to change the political agenda I never met with a customer that told me that oppositions are terrorists well they're not going to tell you but if they will act like that they will not going to be a customer there are more than 100 countries 100 countries that we will never sell our Technologies to the problem is there's there are not proper controls around how this technology is being used based out of the Ron debert heads citizen lab a human rights Watchdog at the University of Toronto where researchers like computer scientist Bill marzac say they figured out a way to detect if a phone has been targeted by Pegasus which they did in the case of Gham Al masar and other Saudi dissidents this technology is being used by autocratic dictators who can mount Global cyber Espionage operations simply by purchasing the technology so you are saying that once they sell this technology once the Israelis sell it they know how it's being used well uh the question is do they care to look um I think if they cared to look they would have the opportunity to see how it was being used but jio says NSO is unable to see who their clients are targeting only after there's an allegation of misuse can NSO demand Target data in order to investigate and I can tell you that in the last eight years that the company exists we only had real three cases of misuse three cases out of thousands of cases of saving lives three was a misuse and those people or those organization that misuse the system they are no longer a customer they will never be a customer again the first case we uncovered in Mexico but citizen lab says it was able to find many more cases 25 in Mexico alone where Pegasus was used to Target political Rivals reporters and civil rights lawyers they also say they found the Pegasus link on the phone of this human rights activist Ahmed Mansour from from the United Arab Emirates I think that people that are not part of criminal or terrorist activities have nothing to worry about Tommy Shahar nso's co-president says Pegasus is used with surgical Precision it's not mass surveillance technology this is really for the bin laddin of the world but the reason that your company has been criticized and the reason that we're here doing this interview is because countries have used your technology on human rights activists on journalists there are allegations that are been brought there are reports that were said and we take every such allegation very seriously and we look into it nothing has been proven to protect against misuse she says NSO has three layers of vetting potential customers one by the Israeli defense Ministry a second by its own business business Ethics Committee and thirdly our contractual agreements have our customers signed that the only intended use of the system will be Against Terror and CRI oh they sign come on you have an autocratic government and they say oh we're not going to use it accept against criminals and you just believe them no as I said the contractual agreement comes after two layers and you know I would love for you to sit in one of our business Ethics Committee we have a tough discussion because imagine a country is facing major terrorist threats in the same time they have some corruption issues and you have to sit in that room and weigh what is more important to help them fight Terror or maybe there is a chance that it's going to be misused it's not a black and white answer it's a tough ethic ethical question there are other ethical questions in deploying Pegasus to hone in on a target for instance authorities often infect the phones of innocent people around them like family members it's been reported that Mexican authorities used Pegasus to capture drug lord Walkin Guzman better known as El Chapo by tapping the phones of a few people he talked to while he was on the lamp I read it in the newspaper the same as you okay in order to catch a Chapo for example they had to intercept a journalist an actress and a lawyer Now by thems they you know they're not criminals right right but if they are in touch with a drug lord and in order to catch them you need to intercept them that's a decision that intelligence agencies should get what if you can prevent the 9911 terror attack and for that you had to intercept the Sun the 16 years old son of Bin ladin would that be legit or not targeting someone's Inner Circle has become an issue in the kogi case Omar abdalaziz an influential Saudi online critic based in Canada was texting with kogi up to his death now Abdul aiz is suing ano alleging that the Saudis used Pegasus to hack his phone and thereby spy on kogi we ask shalev Julio if his investigation explored the wider cumference around the slain journalist I can tell you that we've checked and we have a lot of ways to check and I can guarantee to you our technology was not used on Jamal kugi or his relatives or the dissidents like Omar abdulaziz and I'm not going to get into specific I tell you that if we will figure out that somebody misused the system we will shut down the system immediately we have the right to do it and we have the technology to do it it begs the question did you shut down the Saudis I'm not going to talk about customers and I'm not going to go into specific we do what we need to do we help create a safer world if most people remember anything about the North Korean government Cyber attack against Sony Pictures last November it's probably that there was a lot of juicy gossip in leaked emails about movie stars agents and Studio Executives there was also an absurd quality to the whole episode which was over an ill-advised movie comedy about the assassination of North Korea's leader which the North Koreans did not find funny the weirdness of it all has obscured a much more significant ific an point that an impoverished foreign country had launched a devastating attack against a major company on us soil and that not much could be done about it in some ways it's another milestone in the Cyber Wars which are just beginning to heat up not cool down the Cyber attack on Sony Pictures Entertainment exposed a new reality that you don't have to be a superpower to inflict damage on us corporations a fact that has been duly noted Within corporate boardrooms and the National Security apparatus what's the significance of the Sony hack in a nutshell the significance is that a foreign power has reached out and touched an American Target the fact that the North Korean government felt that it could do something in the United States and get away with it that's what's significant James Lewis a director at the center for strategic and international studies in Washington has helped shape us cyber policy for decades dealing with criminals stealing money Russian stealing intelligence and the Chinese stealing the latest technology this was different because it qualified as the use of force it qualified as an attack there was disruption there was destruction of data there was an intent to hurt the company and it succeeded bringing a major US entertainment company to its knees like other corporate victims of cyber attacks Sony has released very little information and declined our request for interviews we were allowed to film on Sony's 44 acre Studio Lot and inside this building where technicians were still repairing damaged computers we do know that when people fired up their computers on the morning of November 24th they were greeted with this skeletal image now referred to as the screen of death it announced an undetected Cyber attack that actually began weeks earlier when a malicious piece of software began stealing vast amounts of data from the Sony computer network now it had begun done the job of wiping Sony's corporate files it was the attacker saying I'm going to delete what you've made I'm going to destroy your stuff Kevin mandia is one of the best known cyber sleuths in the US and his company fire eye was hired by Sony to respond immediately to the crisis but there was only so much they could do for lack of a better analogy the wiping is the grand finale that's the infamous we ran into the house we took what we wanted and then we left the detonation charge behind us and then that detonation charge goes off you're not going back to the house anymore and that's what happened that's what happened more than 3,000 computers and 800 servers were destroyed by the attackers after they had made off with mountains of business Secrets several unreleased movies unfinished scripts and the personal records of 6,000 employees all of whom were given a taste of living offline Sony made the decision to take itself off the grid all connections to the internet all all connections to the rest of sonyy and all connections to third parties were shut off effectively disconnecting an international corporation from the outside world and plunging itself into a pre-digital age of landline telephones and hand delivered messages written with pen and paper immediately employees start to remember the things they took for granted does the gate let you in the garage you can't get your email people's benefits can't be processed appropriately time cards can't be done what if payrolls the next day there are so many things that depend on the internet that quite frankly most companies don't even know all of them so they come off the internet and go oh wow didn't see that common to Kevin mandia it looked like a military style operation mounted by a foreign government and when his company began comparing the Sony computer virus with a 500 million pieces of malware in its archives it quickly came up with a nearly identical match right down to the skull on the calling card it was a Cyber attack to 2 years ago against South Korea's Banks and broadcast networks called Dark Soul that wiped out 40,000 computers and cause $700 million in damage we had the malware from the attacks that happened in South Korea in 2013 and these things when put side by side this looks like whoever hacked South Korea in 2013 is hacking Sony and the attribution in those attacks in 2013 was to North Korea Mandy's suspicions about North Korea which has a wellestablished cyber cap ability and a long history of attacking its neighbor were soon confirmed by the NSA the FBI and the White House and the attackers themselves hinted at it when they contacted Matt zeitlin of buzzfeed.com and at least a half a dozen other online reporters offering them everything they'd stolen from Sony so this is the first email you got yep yeah you know the weekend after Thanksgiving you know it says that it has all this data from Sony and have all these links so that we could download the information what followed from zeitlin and others was two weeks of damaging embarrassing stories from the corporate files and private emails of Sony Executives as well as threats and a specific demand from the attackers that Sony not release its comedy about the assassination of North Korean leader Kim jung-un they hate us because they ain't us soon all the world will see what an awful movie Sony Pictures Entertainment has made that part may have been true Sony scares CEO yeah right I mean that's the difference every CEO is walking around go how do I feel if my emails out on the internet how would I feel if my machines got disrupted so all of a sudden every Chief Information Security Officer is now talking to their board because every board wants to know hey is this the new normal and it may well be Kevin mandia says even big corporations with sophisticated it departments are no match for the dozens of countries that now have offensive cyber War capabilities all Advantage goes to the offense in cyber it just does on the defensive side you have to say I must defend all 100,000 machines all 50,000 employees the offensive side thinks I only need to break into one and I'm on the inside of and any company or any Corporation is as strong as its weakest link in a way yes in security the nation state threat actors or hackers Target human weakness not system weakness and there's no shortage of weaknesses most company employees are allowed to browse online or visit Facebook on corporate computers and many take them home for personal use all it takes to contaminate a network is for one person to unwittingly access an infected file that looks realistic like an Adobe Flash player update or an email that pretends to be from Apple support and then what happens when they click on them they compromise their machine and now that machine being on the inside of a corporate Network can be used as a beach head to increase access and that's what happened at Sony eventually the North Koreans were able to obtain the passwords and credentials of the company's computer system administrators and build them right into the malware that carried out the attack with help from anybody you know anything's possible I simply don't know how sophisticated was the malware that they used was this brand new stuff it was sophisticated enough that it works on the vast majority of companies you know the FBI is quoted as saying this would work at over 90% of the companies that they they deal with we're going to see more and more companies hacked we're going to see deeper levels of Destruction so you're saying we're at the beginning yeah it's it's going to get worse before it gets better if you want to talk about state-of-the-art hacking or what's going on in the international cyber arms Market John Miller is a good place to start he turned down a job with the NSA in a government car while he was still in high school because he says he was already making more money doing private Consulting work and honing his skills as a penetration tester so you're a hacker I was um now I'm a you know a computer security professional but yeah I mean for the majority of my career I was an ethical hacker where I would actually go out and hack companies and then work with them to make sure they didn't get hacked by somebody else since Miller says he's been well paid to hack into nuclear power plants by utility companies we wanted to know what he thought about the Sony attack and the malware the North Koreans used to pull it off if I sat you down and gave you a pencil and paper and said write a list of a dozen people that could do this oh yeah I mean they're way more than a dozen people there are probably three four 5,000 people that could do that attack today and not all of them are in friendly countries no not all of them are in friendly countries and the number is growing rapidly I mean it's certainly within the realm of possibility that a terrorist group could go out and put together a team and do some real damage I mean Isis hacked centcom's Twitter the barrier to entry is low Miller's previous job was leading a research team for a company that made and sold offensive cyber weapons to the US government he's currently a vice president of Silence a company that makes Next Generation antivirus software for banks and Fortune 500 companies it's currently marketing a product it claims would have detected and stopped the Sony hack while it was in progress how sophisticated was this attack not very when you look at it in contrast to the capabilities that the United States government are deploying it is nowhere close to being sophisticated my favorite analogy is the malware that was used to hack Sony is like a moped and the malware being deployed by United States intelligence agencies is like an F22 fighter chat it's much more sophisticated it's much harder to detect and yet still if this is a mop head there were only a handful of companies in the United States that would have been able to survive this attack and that really is the scary part is it does not take an overly sophisticated attack to compromise these huge Global multinational Brands Miller says there have been other major cyber attacks like the one against Sony but they didn't get as much attention in 2012 Iran was blamed for an attack against the headquarters of Saudi Arabia's National oil company aramco that destroyed 30,000 computers Iran has also been accused of a cyber assault against a group of casinos owned by Sheldon adelon a vocal enemy of the regime in tyon and there have been others I've worked with companies before in the oil and gas space that have had control system networks get compromised by malware and and they've lost control of their floating oil platforms I remember reading about that yeah yeah no you didn't read about it there was no need to disclose no customer information got leaked so these things happen more often than the public knows absolutely there's a lot the public doesn't know about including an active International Underground Market in cyber weapons like the one that was used to take down Sony's computers Miller took us to a site on the dark web where you can buy them this is actually a list of Black Market exploits that I was contacted from a a Russian hacker that he was trying to sell and his price right so what does this one do player this is a a vulnerability in that software that would allow someone to take over control of your computer 39,000 29,000 39,000 yeah majority of them are 30 that's $30,000 payable in Bitcoin the virtual currency of choice on the dark web for the most part the internet is completely unregulated it's the wild west it truly truly is the wild west right now what we're seeing are people getting pulled out onto the street and shot and it's like where's the sheriff there's no Sheriff when I started doing this stuff about 20 years ago there were things that were top secret you know only NSA and FBI knew about them you weren't allowed to even talk about them in public you can download them now for free James Lewis of the center for strategic and International Studies knows better than most that there are no easy solutions he says the US can deter catastrophic cyber attacks from China and Russia by responding in kind but how do you respond to a rogue State like North Korea for an attack against major corporations like Sony turning off the lights in North Korea no one would notice it happens all the time right uh going after a North Korean movie studio it would probably be a relief for the people there the only pressure point we really have is going after the leadership going after the revenue streams coming to the leadership and that's what the Obama Administration has done at least publicly Lewis and others believe that it will take a technological breakthrough in cyber warfare defense to solve a problem technology created but that could take years legislation forcing companies to improve cyber security has gone nowhere there's a reluctance uh in the Congress to force companies to do anything that the administration shares that reluctance we were lucky until this year hopefully we'll be a little luck here for a bit longer in the time being keep your fingers crusted I used to say that the US had a faith-based defense when it came to cyber security because we had faith that the people who didn't like us weren't going to do anything bad that's what Sony has changed is that we had somebody who doesn't like us step out and say how far can I go with the Americans and that's where um Faith isn't enough for the past few months now the nation top military intelligence and law enforcement officials have been warning Congress and the country about a coming Cyber attack against critical infrastructure in the United States that could affect everything from the heat in your home to the money in your bank account the warnings have been raised before but never with such urgency because this new era of warfare has already begun the first attack using a computer virus called stuck net was launched several years ago against an Iranian nuclear facility almost certainly with some us involvement but the implications and the possible consequences are only now coming to light I do believe that the Cyber threat will equal or surpass the threat from counterterrorism in the foreseeable future there's a strong likelihood that the next Pearl Harbor that we confront could very well be a Cyber attack we will suffer a catastrophic Cyber attack the clock is ticking and there's reason for concern for more than a a decade the US military establishment has treated cyberspace as a domain of conflict where it would need the capability to fend off attack or launch its own that time is here because someone sabotaged a top secret nuclear installation in Iran with nothing more than a long string of computer code we have entered into a new phase of conflict in which we use a cyber weapon to create physical destruction and in this case physical destruction and someone else's critical infrastructure few people know more about the dark military art of cyber War than retired General Michael Hayden he's a former head of the National Security Agency and was CIA director under George W bush he knows a lot more about the attack on Iran than he can say here this was a good idea all right but I also admit this was a really big idea too the rest of the world is looking at this and say and saying clearly someone has legit I imated this kind of activity as acceptable International conduct the whole world is watching the story of what we know about the stuck net virus begins in June of 2010 when it was first detected and isolated by a tiny company in bellarus after one of its clients in Iran complained about a software glitch within a month a copy of the computer bug was being analyzed within a tight-knit community of computer Security Experts and it immediately grabbed the attention of Liam omu an operations manager for sanch one of the largest antivirus companies in the world as soon as we saw it we knew it was something completely different and red flag started to go up straight away to begin with stucks net was incredibly complicated and sophisticated Beyond The Cutting Edge it had been out in the wild for a year without drawing anyone's attention and seemed to spread by way of USB thumb drives not over over the Internet U's job was to try and unlock its secrets and assess the threat for sanch clients by figuring out what the milicia software was engineered to do and who was behind it how long was the Stu that code you talking tens of thousands of lines of code a very very long project very well written very professionally written and very difficult to analyze unlike the millions of worms and viruses that turn up on the internet every year this one was not trying to steal passwords ident or money stuck net appeared to be crawling around the world computer by computer looking for some sort of industrial operation that was using a specific piece of equipment a seens s7300 programmable logic controller this gray box here is essentially what runs uh Factory floors and you program this box to control your equipment and you say turn on a conveyor belt H turn on a heater turn on a cooler shut the plant down um it's all contained in that in that box and that's what St was looking for it wanted to get its malicious code onto that box the programmable logic controller or PLC is one of the most critical pieces of Technology you've never heard of they contain circuitry and software essential for Modern Life and control the machines that run traffic lights assembly lines oil and gas pipelines not to mention water treatment facilities electric companies and new uclear power plants and that was very worrying to us cuz we thought it could have been a water treatment facility here in the US or it could have been trying to take down electricity plants here in the US the first breakthrough came when om merku and his fiveman team discovered that stuck net was programmed to collect information every time it infected a computer and to send it on to two websites in Denmark and Malaysia both had been registered with a stolen credit card and the operators were nowhere to be found but was able to monitor the communications well the first thing we did was we looked at where the infections were occurring in the world and we mapped them out and that's what we see here we saw that 70% of the infections occurred in Iran that's very unusual for malware that we see we don't normally see high infections in Iran please learn from stocket two months later Ralph langner a German expert on Industrial Control Systems added another piece of important information stuck net didn't attack every computer it infected this whole virus is designed only to hit one specific Target in the world how could you tell that it goes through a sequence of checks to actually determine if this is the right target it's kind of a fingerprinting process a process of probing if this is the target I'm looking for and if not it Just leaves the controller alone Stu net wasn't just looking for a seaman controller that ran a factory floor it was looking for a specific Factory floor with a specific type and configuration of equipment including Iranian components that weren't used anywhere else in the world in variable speed motors that might be used to regulate spinning centrifuges a fragile piece of equipment essential to the enrichment of uranium and longer speculated publicly that stuck net was out to sabotage Iran's nuclear program we knew at this time that the highest number of infections had been reported in Iran and second was pretty pretty clear just by looking at the sophistication that there would be at least one nation state behind this and know you just add one and one together by the fall of 2010 the consensus was that Iran's top secret uranium enrichment plant in Nan's was the Target and that stuck net was a carefully constructed weapon designed to be carried into the plant on a corrupted laptop or thumb drive then infected the system disguise its presence move through the network changing computer code and subtly alter the speed of the centrifuges without the uranians ever noticing Sabotage by software Stu's entire purpose is to control centrifuges to make centrifuges speed up past what they're meant to spin at and to damage them certainly it would damage the uranium enrichment facility and they would need to be replaced if the centrifuges were spinning too fast The Operators at the plant know that stuck net was able to prevent The Operators from seeing that on their screen The Operators would look at the screen to see what's happening with cuses and they wouldn't see that anything bad was happening it now seems likely that by the time omu and langner finally unraveled the mystery in November of 2010 stuck net had already accomplished at least part of its Mission months before the virus was first detected inspectors from the international atomic energy agency it begun to notice that Iran was having serious problems with its centrifuges at naton what we know is that an iaea report said that a th000 to 2,000 Cent fuses were removed from the Tans for unknown reasons and we know that stet targets 1,000 cuses so from that people are drawing to conclusion well stet got in and succeeded that's the only evidence that we have the only information that's not classified yes and there are lots of things about stuck net that are still top secret who was behind it what we do know is that this was a very large operation you're really looking at a government agency from some from some country um who's politically motivated and who has The Insider information from a uranium en facility that would facilitate building a threat like this an intelligence agency probably probably we know from reverse engineering the attack code that the attackers have full and I mean this literally full technical knowledge of every damn detail of this plant so you could say in a way they know the plant better than the Iranian operator we wanted to know what retired General Michael Hayden had to say about all this since he was the CIA director at the time stuck net would have been developed you left the CIA in 2009 2009 right does this surprise you that this happened you need to separate my experience at CIA with your question right all right you can't talk about the CIA and and so and I don't even want to suggest what may may have been on the horizon or not on the horizon or anything like right if you look at the countries that have the capability of Designing something like the stuck net and you take a look at the countries that have would have a motive for trying to destroy an where do those two sets intersect um uh you're pretty much left with the United States and Israel well yes but but it it there is no good with someone of my background even speculating on that question so I won't Iran's president makm amadin Jad shown here at nans in 2008 blamed the Cyber attack on enemies of the state and downplayed the Damage both the US and Israel maintain that it set back the Iranian program by several years what's impossible to know is how much damage the attackers might have inflicted if the virus had gone undetected and not been exposed by computer security companies trying to protect their customers they planned to stay in that plant for many years and and to to do the whole attack in a completely covert manner that anytime centrifuge would break the operators would think this is again a technical problem that we have experienced for example uh because of poor quality of of these cuses that we are using we had a good idea that this was a a blown operation something that was never meant to be seen it was never meant to come to the Public's attention you say blown meaning if you're running an operation like this to sabotage a uranium richan facility you don't want the code uncovered you want it kept secret and you want it just to keep working stay undercover do its damage and disappear and hopefully nobody would ever see it do you think this was a blown operation no not at all I think it's an incredibly sophisticated operation but General Hayden did acknowledge that there are all sorts of potential problem s and possible consequences that come with this new form of Warfare when you use a physical weapon it destroys itself in addition to the Target if it's used properly uh cyber weapon doesn't so there are those out there who can take a look at this study it and maybe even attempt to turn turn it to their own purposes such as launching a Cyber attack against critical infrastructure here in the United States until last fall Shawn mcer was in charge of protecting it as head of cyber def defense at the Department of Homeland Security he believes that stucks net is given countries like Russia and China not to mention terrorist groups and gangs of cyber criminals for hire a textbook on how to attack key us installations you can download the actual source code of stucknut now and you can repurpose it repackage it and then you know point it back towards uh wherever it came from sounds a little bit like Pandora's Box yes whoever launched this attack they opened up the box they demonstrated the capability they showed the ability and the desire to do so and it's not something that can be put back if somebody in the government had come to you and said look we're thinking about doing this what do you think what would you have told them I would have strongly caution them against it because of the unintended consequences of releasing such a code meaning that other people could use it against you yes or use their own version of the code something similar son of stuck net if you will as a result what was once abstract theory has now become a distinct possibility if you can do this to uranium enrichment plant why couldn't you do it to a a nuclear power reactor in the United States or an electric company you could do that to those facilities it's not easy it's difficult task and that's why stuck set was so sophisticated but it could be done you don't need many billions you just need a couple of millions and this would buy you a decent Cyber attack for example against the US power grid if you were a terrorist group or a fail nation state and you had a couple of million dollars where would you go to find the people that knew how to do this on the internet they're out there sure most of the nation's critical infrastructure is privately owned and extremely vulnerable to a highly sophisticated cyber weapon like stuck net I can't think of another area in home Homeland Security where the threat is greater and we've done less after several failures Congress is once again trying to pass the nation's first cyber security law and once again there is fierce debate over whether the federal government should be allowed to require the owners of critical infrastructure to improve the security of their computer networks whatever the outcome no one can say the nation hasn't been warned more Americans than ever rely on alarm systems Gates or doorbell cameras to help protect their families but statistically you are now more likely to be the victim of Theft Online than a physical break-in at home a new report from the FBI reveals that Americans lost more than $1 billion last year to online scams and digital fraud people in their 30s who are among the most connected online filed the most complaints but we were surprised to learn the group that loses the most money to scammers is seniors tonight we will show you how cyber con artists are using artificial intelligence widely available apps and social engineering to Target our parents and grandparents it's like a death in the family almost well she for so hard you know for my money I sure have Susan Monahan and her daughter Tamara are talking about how the 81-year-old was conned out of thousands of dollars in what law enforcement calls a grandparent scam tell me about the call that you got there was a young adult on the line saying Grandma I I need your help in franic voice scared saying I was driving and suddenly there was a woman stopped in front of me she's pregnant and I hit her and they're going to take me to jail and and grandma please don't call my mom and dad because I don't want them to know I said Brandon it doesn't sound like you he said oh I have a cold Grandma you think it's your grandson I do and he said Grandma A friend of mine has an attorney that we can that we can use and that we can do something about me going to jail and I said yes of course Monahan said the scammer pretending to be a helpful attorney got on the line it was June of 2020 during the pandemic and he promised to keep her grandson out of jail if she could get $99,000 for bail to him quickly what other instructions were you given I needed to make an envelope that was addressed to this certain judge that he was going to um coordinate this through and uh right on there and they gave me the name the address and everything else for this envelope did it sound pretty legitimate he oh absolutely he had the legal ease Monahan is a tax preparer with an MBA the scammer kept her on the phone as she rushed to the bank what' he say he said when you go there make sure you tell them that it's for Home Improvements because they might question the fact that you're withdrawing $9,000 minutes after Monahan got home with the cash a courier showed up to take it this is video from the doorbell camera you can hear Monahan on the phone with a scammer as she hands off the money he said to move your butt I want to deadine she says as soon as the Courier left and the adrenaline left her body she was filled with a sick feeling she'd been scammed it's just devastating what did they do to your mom beyond the money Beyond taking $99,000 from her well it's your livelihood sorry it just gets you like in your gut the Federal Trade TR commission reports scams like these skyrocketed 70% during the pandemic when seniors home alone went online to shop or keep in touch with family how much money were you scammed out of 11,300 14,000 7,600 Judy adig and her husband Ron a retired iron worker were victims of the same grandparent scam as Susan Monahan that's the view from their doorbell camera as the same Courier took off with $7,600 of their savings $7,600 hits hard well that was for our you know if we want to go on a trip or something it was terrible I W I was a mess Steve Savage a retired scientist was scammed when he opened a fake email from The Geek Squad the email said that your bank account is being charged uh $399 for another year and I'm like like wait a minute I don't remember it being anywhere close to that the customer's service number went to a scammer posing as a representative of the company Savage was duped out of $14,000 Esther Mestre was scammed too the retired nurse says an alarm sounded on her iPad with a message to call tech support she did he said that last night between 4: and 900 p.m. your bank account has been hacked and your heart probably stop you know I felt so nervous but he said I am going to transfer you to another guy who is a security at Chase Bank that fake Bank employee told her hackers might be able to access her bank account and instructed her to immediately withdraw money and deposit it into a new account for safekeeping my estra did and lost $111,000 and have you been able to recover any of your money nothing nothing I'm the one that pulled the money out of the bank so I won't be reimbursed if your house gets broken into you call the police if this happens there's no one to call Scott pello is a deputy district attorney who runs San Diego's Elder Justice task force and connected us to the victims you just heard from he says studies show only one in every 20 seniors who've been scammed reported often they're embarrassed most people who have not experienced this think well these people must have Dementia or Alzheimer's it's not the case our victims are sharp as attack we had a woman 66 years old she came home she got a message on her computer from Microsoft and the message said that she had a virus on her computer and then that virus had somehow infected her financial accounts within a matter of weeks this victim had lost $800,000 oh my gosh the scariest part of these scams is is that these victims have no recourse they're left bewildered what typically happens the seniors that have the courage to report that this has happened are being told that I'm sorry there's nothing we could do and and that is the reality that a local uh police detective in Kansas City doesn't have the reach to go investigate a case that's being operated from the Caribbean or from Nigeria or Ghana investigators have also traced scams to Europe southeast Asia and Canada Under reporting to combat them San Diego's Elder Justice task force has taken a new approach investigators collect every local fraud case then collaborate with Federal authorities to connect them if we have a victim that lost $12,000 here in San Diego there is without question dozens of other victims to the same scam and millions of dollars in losses and then once we identify that the scam is part of something much larger then we can deliver that to our federal partners with the reach to go around the country because these are networks these are transnational organized criminal networks in 2021 pello helped the FBI bring down a network of criminals who stole millions of dollars from elderly victims remember those doorbell videos from the grandparents scam The Courier a 22-year-old Californian was the starting point for the FBI's case she's serving time for her role but the FBI says the scams ring leaders two Bahamian Nationals based in Florida fled the country before they could be arrested if you don't know how a criminal thinks then you really don't know how you can protect yourself online Rachel tobac is what's called an ethical hacker she studies how these criminals operate so ethical hackers we step in and show you how it works tobac is the CEO of social proof security a data protection firm that advises Fortune 500 100 companies the military and private citizens on their vulnerabilities we hired her to show us how easy it is to use information found online to scam someone we asked her to Target our unsuspecting colleague Elizabeth toac found Elizabeth's cell phone number on a business networking website as we set up for an interview toac called Elizabeth but used an AI powerered app to mimic my voice and ask for my passport number oh yes yes yes I do have it okay ready it's toeach played the AI generated voice recording for us to reveal the scam Elizabeth sorry need my passport number because the Ukraine trip is on can you read that out to me does that sound familiar and I gave her wow D sitting over there did what did it say on your phone Sharon how did you do that so I used something called a spoofing tool to actually be able to call you as Sharon so I was hacked and I fa I failed hacking but everybody would get tricked with that everybody would it says Sharon why would I not answer this call why would I not give that information toac showed us how she took clips of me from television and put it into an app that cloned my voice it took about 5 minutes I am a public person my voices out there could a person who's not a public person like me be spoofed as easily anybody can be spoofed and often times attackers will go after people they don't even know who these people are but they just know this person has a relationship to this other person and they can impersonate that person enough just by changing the pitch and the modulation of their voice that I believe that's my nephew and I need to really wire that money toag says hackers no longer need to infiltrate computers through a back door she says 95% of hacks today happen after a user clicks on a text a link or gives person information over the phone you were able to hack my colleague Elizabeth who is a techsavvy millennial what does that tell you anybody can be hacked anybody can fall for what Elizabeth fell for in fact when I do that type of attack every single time the person falls for it she said hackers armed with basic information like a relative's name found online or an app that can mimic a voice or change the callor ID can create a convincing story if you were to receive a phone call a text message an email and it's asking for something sensitive urgent or with fear that's when the alarm Bells have to go off in your head and they want me to give something to them I'm going to take a beat and I'm going to check that this person is who they say they are I call it being politely paranoid politely paranoid politely paranoid toac has worked as a consultant for Aura a boston-based technology company that created software to protect the identity passwords finances and personal data for entire families in one app so here you can see a full footprint of everything that's happening inside the family so har randin is the CEO of Aura he says their software can reroute scam calls away from grandparents if the parent is getting a call and we are identifying using AI that the call is a potential scam call then they can route that call to me does this stop the call from getting in it does so it just blocks the call When the Call Comes in uh it will uh have a recording that says let me know who you are what's your intent if it's an unknown person if it's a known person that's already in your contacts it'll go right through ra shandin says AI is also used to monitor finances and alert users of problems in real time if I see a charge uh from my mom for $10 at Starbucks that feels okay but if there's a $500 charge from Starbucks something's off-kilter so we try to figure out uh with AI contextually what's different but if something is off pattern you can look at that and say okay well something's off here I need to go take care of this San Diego Deputy district attorney Scott pello says more help is needed from law enforcement and the banking and Retail Industries to protect seniors the FBI reports over the past two years the losses from digital theft have doubled the trends and and the data are horrifying we have the senior population is growing exponentially every year we have this Dynamic of Under reporting and then we have the technology coming people are convinced that AI is playing a part in maybe pretending it's the grandchild's voice we're all just next on the conveyor belt and we all need to do a better job