Global Threat Brief: Hacks and Adversaries Unveiled


Posted on in Presentations

This session will be an unveiling of the most novel attacks in the current global threat landscape, diving into specific, real-time examples of threat actor activity from both nation-states and criminal groups, along with strategic advice for countering them.


Video Transcript

>> ANNOUNCER:  Please welcome Sandra Joyce and Dmitri Alperovitch.

>> DMITRI ALPEROVITCH:  Good morning, RSA.

>> SANDRA JOYCE:  Everybody is 3-D.  It's amazing.  So glad to be here.

>> DMITRI ALPEROVITCH:  This is so much better than being huddled together at a non-disclosed location doing this over video, isn't it?

>> SANDRA JOYCE:  That's right.  That's what we did last year, but now we're here.

>> DMITRI ALPEROVITCH:  Yeah.  3-D, much better than 2-D.  All right, folks.  We're going to talk about some adversaries.  And, of course, there is no bigger event today than the invasion of Ukraine by Russia, in geopolitics or in cyberspace.

One of the big questions that people have been asking since day one of the war is, where is the cyber war?  And, of course, I think the expectations that cyber is going to be such a critical element of warfare to come, I think, have been unnecessarily elevated.  Cyber is an important part of warfare, but it's a tactical issue.  When you have kinetic options at your disposal, when you have bombs, when you have artillery, when you have missiles, you're going to prefer to use that once you're in actual warfare than cyber, which can have a very fleeting effect.

But actually, one of the biggest cyber events that we have seen perhaps ever, and certainly in warfare, occurred in the first hours of the war.  It was the hack of Viasat, the commercial satellite provider here in the United States, who had actually purchased a European company that was running another satellite called KA-SAT, that was providing service in eastern Europe.  Communication service over satellites.  A lot of it was used by the Ukrainian military and other parts of the Ukrainian government.

What the Russians have done, as it has now been attributed by the U.S. Government, the European Union, and many other countries around the world, is they were able to infiltrate the network - the KA-SAT management network - and issue commands to download a wiper malware on the modems that were connected to the spot beam on the satellite; mostly in Ukraine, although there were some spillover effects, as well.  And this had, actually, devastating effects, that we now know, on the Ukrainian military's ability to communicate in the first hours and days of the war.

Here is the problem.  As we have seen time and time again, for now almost 3 ½ months of this war, the Russians are horrible at combined arms.  We're seeing that in the traditional military campaign, where they can't do ground-to-air collaboration.  They can't even do ground-to-ground; infantry and armor are uncoordinated.  And that's what you're seeing in cyber, as well.  Even though they've been able to achieve tactical successes on a number of occasions, including in the case of Viasat, they've not been able to leverage it to actually prosecute a campaign.  So, even the best tactics, even in cyber, don't compensate for a really, really bad plan.

One of the other things we're seeing now is that on the I/O side, as well, the Russians aren't doing so well.  Isn't that right, Sandra?

>> SANDRA JOYCE:  Right.  So, with influence operations being a huge part of the playbook for Russia, what we're seeing is they are not really panning out the way that we might have expected on the battlefield.  A group that we've been following since about 2019 is a group called Secondary Infektion.  It's a campaign for influence operations.  And what we saw from them is they disseminated this map, and this is a fake map.  And what it shows is four deployed infantry battalions from Poland within the borders of Ukraine.  Now, this was intended to unsettle the Ukrainians before the invasion.  But actually, what this would have done is signaled an escalation by NATO, Poland being a member of NATO.  So, this influence operation really kind of fell on its face.  It didn't have the outcome on the target population that they would have expected.

>> DMITRI ALPEROVITCH:  Well, they wanted to convince the Ukrainians that there were foreign troops in their country, except the foreign troops were Russian, not Polish.

>> SANDRA JOYCE:  Exactly.  Another campaign that we track is an influence operation campaign called Ghostwriter.  Now, this has long been an anti-NATO sort of pro-Russian narrative, and we've actually linked this to Belarus.  And they have been pushing these narratives over time.  The narrative that they pushed on this occasion was that there were Polish criminal gangs waiting in Poland for Ukrainian refugees, and they were going to harvest the organs of children, which is a very cruel narrative, and obviously not true; designed to drive a wedge between Ukrainian refugees and their Polish partners.

If you think about it, early in the conflict there were DDoS attacks against banks and other organizations that the U.S. government attributed to the GRU, which is the military intelligence unit in Russia.  And what accompanied that was actually SMS text messages.  So, SMS messages that were alerting Ukrainians that the ATMs weren't working, which was also not true.

There were two reasons that they did this.  Number one was in order to drive more traffic to the DDoS to make it more effective, but really, the intent was to undermine the confidence in those institutions.  So, what we're really looking at is narratives that are driving wedges between Ukrainians and their counterparts in Ukraine against - wedges between them and their allies.  And narratives that are trying to bolster Russian narratives.  For example, miscounting the number of casualties on the Russian side.

Now, where this narrative and these influence operations might actually be working is in the rest of the world.  In March, about 141 countries in the United Nations referendum actually voted to deplore the Russian invasion of Ukraine.  And that represents, according to The Economist, about 36% of the world's population.  But it leaves roughly a third of the world's population in countries who are neutral to Russia's actions, and roughly a third who actually support it.  So, what we're looking at is, most people in the world are living today in countries that either are neutral to Russia's actions or actually support them.

So, Dmitri, it's really that the Russian influence operations may not be working on the battlefield, but they may very well be working in the rest of the world.

>> DMITRI ALPEROVITCH:  I think the one thing that this shows, Sandra, is that even the best I/O has to have a kernel of truth to it to get people to believe it.  And, of course, the Ukrainians aren't afraid of Poland invading their country.  They're afraid of Russia invading their country, so we know that that's not going to work.  But if they are trying to craft a narrative that this is not really a war between Russia and Ukraine, this is a war between the imperialist, quote-unquote, west, and Russia using Ukraine as a proxy, that can resonate in a lot of countries in the global South, and we're seeing that.

The one area where we're seeing a lot of very effective I/O is actually on the Ukrainian side.  Who would have thought, just four months ago, that it would be the Ukrainians that are standing up to the Russian Army and are able to defeat them in the battle of Kyiv and defeat them in the battle of Kharkiv, and have a lot of success on the ground, but also a lot of successes in the information operations sphere?

And, of course, there are a number of elements to that.  One is leading by example, leading from the front, as with President Zelensky's nightly videos every single day of the war, trying to mobilize the west.  Trying to appear like a modern-day Churchill, talking about the invasion, talking about the heroic activities of the Ukrainian public.

The other thing is the incredibly effective way that they're using information that they're collecting from the battlefield, like civilian cell phones, in order to push out their message.  And they're doing it a number of ways.  One, the Russians were actually using their own cell phones in the first days of the war, because they weren't able to get their radios working.  They probably didn't have enough cryptographic equipment early on for their hard secure communications.

The Ukrainians responded very rapidly by shutting off Russian phone numbers from the Ukrainian telco providers.  What did the Russians do in response?  They started stealing, confiscating civilian phones in the occupied territories.  But one thing they didn't anticipate is the civilians would immediately report the theft of their numbers to the Ukrainian government, who would start monitoring them.  And they would start publicizing these phone calls that we've seen so much of in the last couple of months, where the Russian soldiers are calling back their families, they're calling back their commanders over these stolen phone numbers, phones; and talking about operational parts of the campaign, talking about the problems that they're facing, which is obviously creating the narrative that the Ukrainians are really bringing a lot of pain to the Russians.

But the other thing that they're doing is they're stealing the Russian phones that they have been using to take pictures, to take videos, and they're releasing that online.  They're releasing that in their official communications to, again, show how bad the war has been going from the Russian side, using their own videos.  The battlefield footage, the drones that everyone has been so glued to over the course of this war, is also having enormous impact in this operation.

Then the hero narratives, not always true.  Like the famous Ghost of Kyiv fighter jet pilot that has, according to the Ukrainians, taken down almost single-handedly the entire Russian Air Force.  We now know that that's not the case, and that pilot never actually existed.  But that has helped to galvanize the world and really get the Ukrainians to win this fight in the information sphere.

But the other element of this, of course, is how do you do IR, respond to Russian attacks that are taking place every single day in the Ukraine when you are in an actual war situation?  And you guys are having a lot of experience with that right now on the ground.

>> SANDRA JOYCE:  It's stressful enough to do an incident response, let alone do one during a war.  And what you see here are quotes, just a small sample of quotes from people that we are helping through incident response in Ukraine.  Defenders who are protecting the networks.  And we have a lot of operations and campaigns that we're running there to try to help defenders.

And what we're also seeing is actually Chinese threat actors within those networks, not deploying malware, not doing any of that, but watching, learning, observing.  What we are seeing is the tactical deployment of wipers against individuals and organizations.  And they are doing these things, they're defending in the most amazing circumstances.  They're operating in blackout conditions.  "There's no electricity right now, right, as soon as the power is back on."  They're writing during bombardment and amidst shelling of their positions.  "Can we continue tomorrow as one of the main backend developers is at the bomb shelter at the moment."  They're also trying to do this while the technical landscape is shifting underneath their feet.  "This IP address is connected from a temporarily occupied territory, so it was blocked."

The type of resilience that the Ukrainian defenders are showing right now in the cyber domain is incredible.  And it's something that, from our position at Mandiant, supporting these incident responses, is something we've frankly never seen before.

>> DMITRI ALPEROVITCH:  I haven't done a lot of IR in the course of my career.  It is stressful under normal circumstances.  When you have to worry about the life and safety of your family and your own, that takes it to a completely different level.

>> SANDRA JOYCE:  Well, Dmitri, do you have any strategic takeaways for people who are thinking about the Russia problem?

>> DMITRI ALPEROVITCH:  Yeah.  I think there's a lot that we can learn from Ukraine.  One thing that the Ukrainians have taught us so well, and they have eight years of practice, having suffered from Russian cyber operations, is the importance of resiliency.  The reality is that a number of these Russian attacks are successful.  They're infiltrating networks, they're deploying wiper malware.  They're having effects.  However, the Ukrainians are able to rebuild a network, literally, within hours.  They've gotten so bad at it after all of these wiper attacks that they have seen over the years, that it's really not a big deal to see a network wiped out.  Because they are ready for it.  They've got backups ready to go, they can rebuild it very, very quickly and very efficiently.  And that's something that we don't practice here often enough, in this country, where an attack like that on our organization could be truly devastating; can take, in some cases, weeks to recover.  We have to spend a lot more effort on resiliency.

The other element of this is, don't be scared by the I/O.  We've been talking about Russian information operations for so long, and the reality is that the adversary is not ten feet tall, is it, Sandra?

>> SANDRA JOYCE:  The other piece is that audiences are getting more sophisticated.  With the videos that came out with President Zelensky that were fake, and deepfakes, they actually weren't effective.  People didn't believe that he was calling for surrender.  So, the audience, too, is maturing along with them.

>> DMITRI ALPEROVITCH:  Now, the one thing that we still have to be mindful of is that we have not yet, of course, seen the Russian cyber-attacks against the west.  They have not yet retaliated for the sanctions, which many have been expecting.  CISA has been warning about this, as has the rest of the administration with its great Shields Up campaign.  But we can't let down our vigilance, because the reality is, just yesterday, the Russian Foreign Ministry said that, because of the cyber-attacks, that they themselves are being targeted both from volunteers, vigilantes around the world as well as in Ukraine, often targeting critical infrastructure in Russia, that it's only a matter of time before they may actually retaliate against this.

And once they heard the comment from General Nakasone, the Commander of Cyber Command and the NSA, saying that the United States is engaged in offensive cyber operations against Russia, that is certainly inflaming tensions even further.  So, those attacks may still come.  We still have to be ready for it.  And, again, I would urge everyone to focus on resiliency, because the reality is you can't stop everything.

But let's move on.  Let's talk about China.  So, the Chinese have been busy.  They've been quiet.  They're not as flamboyant and flashy as the Russians.  But this is not the China of ten years ago, when it comes to cyber operations.  Their tradecraft has gotten incredibly good.  We'll talk about a couple of case studies that demonstrate that.

One of them is this LightBasin, or UNC1945, as Mandiant calls it, campaign against the telcos.  Global telcos in southeast Asia and other parts of the world.  Telcos, of course, are one of the primary targets for intelligence agencies getting call information, subscriber data.  Geolocation data that you can get from a telco is so invaluable for monitoring people, monitoring communications of targeted companies and individuals.  And one of the things that you're seeing now from the Chinese is moving beyond the traditional platforms, the Windows malware, the Mac and Linux implants, and actually starting to go after some of these more esoteric operating systems like the Huawei routers, with the EulerOS implants that they had developed in the course of this operation.  Solaris implants, as well.

And you're also starting to see them use non-traditional communication channels for control of those implants.  Use of ICMP, a little ping that you send to an implant that would then respond with an outbound communication to establish a tunnel between the target environment and the server controlled by the adversary.  Or GPRS, the cell phone network communications tunneling protocols that they can use in those environments to bypass IP-based filtering, ATC-based filtering, I should say, and use these non-standard protocols to try to blend in to normal communications and try to avoid normal network monitoring.  Really, really great tradecraft.  And you are also starting to see them use zero-days a lot more.

Sandra, one of the things that you guys have been seeing a lot of is targeting of state governments here in the United States.

>> SANDRA JOYCE:  That's right.  Dmitri, you're probably wondering why there are a bunch of cows behind me right now.  The reason is because I'm trying to illustrate how the attack surface can be very vast and, at times, incredibly weird; and a little bit creative.

About late last year, what we saw was APT41, which is a very prolific threat actor.  They're very interesting, because during the day, they tend to conduct espionage on behalf of the Chinese government; at night, they moonlight as cyber criminals for financial gain.  This is a very multifaceted group.  What they did was they found a vulnerability in software that is used to track diseases in cattle and herds in agriculture.

This software is used by about 18 different U.S. states, state governments, and they used this in order to get a foothold into state and local governments.  So, it just goes to show how creative threat actors are getting in order to gain a foothold into their ultimate target.  And that's why there are cows behind me.

The other way that China has been incredibly busy is through the exploitation of zero-days.  Now, this is a chart that is depicting the zero-days that have been exploited.  You can see in 2021, and we're still measuring 2022 as we speak, but we saw more than double the amount of zero-days exploited just in the last year.  From this, of the ones that we attributed, and overall, China's responsible for 10% of the total.  And we expect that, when we can attribute all of them, that that percentage will go up.

>> DMITRI ALPEROVITCH:  And that's actually the highest actor that has been attributed?

>> SANDRA JOYCE:  That is the number one actor that we have been tracking to exploit zero-days.  So, they're incredibly busy.

When we think about the reorganization of the MSS and the way that some of these organizations are kind of creating a clearing house for zero-day exploitation, you can see the scale at which Chinese threat actors are operating.  And they're also getting into the influence operation space, as well.

>> DMITRI ALPEROVITCH:  Now, of course, our friend Rob Joyce, who I think is here, often talks about how you don't need to use zero-days; and many advanced actors don't use zero-days.  But the reality is that zero-days are still very important, particularly when you're going after particularly secure networks and you're trying to be stealthy and avoid detection by common tools.  So, you're seeing China really leaning into this now.

>> SANDRA JOYCE:  They're still very effective.  And they're also looking at influence operations.  There is a group called Dragonbridge, named by our friends at Google, and we've been tracking them since about mid-2019, as well.  What they did was they leveraged this real picture on social media, on the left.  If you think about the context or the time where this happened, it was right around the peak of the anti-Asian hate campaign.  What Dragonbridge was doing was actually trying to mobilize U.S. citizens to protest in the streets.

So, what they did is they took this image on the left and they altered it.  Now, what you see on there is a picture of Dr. Li-Meng Yan, who is a virologist, who made claims about COVID-19's origins being from a Chinese lab.  Notice the U.S. flag in the background, as well.  This is just another way that influence operations are being conducted by campaigns that have a sort of pro-PRC narrative to them.

Another campaign that we saw from the same group actually was earlier this year in March.  What this purported was that - the translation shows a causal relationship between the location of U.S. biolabs in Ukraine and a narrative about how there are illnesses spreading in those areas.  The quotes are around that they "happen" to coincide with those locations.  Again, all this being tied to the supposed true origins of COVID-19.  And that's part of how China is doing these influence operations.

>> DMITRI ALPEROVITCH:  So, what are the takeaways for defenders here?  One of them is that it's really long past time to start looking at other assets in your network, non-traditional ones, beyond the servers and laptops that we focus so much of our efforts on protecting.  You have to start expecting non-IP-based protocols.  If you are in telco, absolutely look at your GPRS tunnels, start looking at your ICMP traffic as well.  Start looking at routers, start looking at other things on your network that these actors are starting to exploit in greater and greater numbers.  Not just going after traditional Windows, Mac, and Linux systems.

The other thing, I know this is hard, but you've got to accelerate the patching process.  I was just talking to a person recently that was telling me that they can't get beyond patching once a quarter for known vulnerabilities.  That is just not enough.  Yes, adversaries can always get through, they can always use zero-days; but, often, they don't.  The reality is if you have so many holes in your network it's going to be impossible for you to instrument it, it's going to be impossible for you to react quickly.  You have to patch much, much faster.  You have to have the hard conversations with your business about the potential for downtime, and schedule it on a much more regular basis.

>> SANDRA JOYCE:  Probably one way to think about it is, it's not every patch.  It's those critical patches.  Things that can be exploited remotely.  Things that are being used in the wild.

I'll give you a great example.  APT41, the same group that was looking at that software that was doing the cattle disease tracking, that same group actually was able to exploit the Log4j vulnerability within hours of it going public.  If you think about that, when it's critical, it's time to really accelerate the patching, because threat actors can act within hours.

>> DMITRI ALPEROVITCH:  What's happening with Iran, Sandra?

>> SANDRA JOYCE:  Iran, also very busy.  Iran has been targeting many organizations in the Middle East, and also abroad.  And, really, what they're doing is conducting mostly reconnaissance and ransomware as harassment.

When we think about Iran, we know that they are targeting the defense industrial base.  We also know that they have gotten very good at social engineering through social media.  What do I mean by that?  Where they used to deploy social media accounts, they were very easy to spot.  They would've been very new, recently created.  But now they're aging accounts in order to give more of a backstory.  They're also taking their time.  They're getting more patient.  So, they may have ten different interactions before they actually deploy anything malicious.

Another piece is that the group that we call Zagros has actually been tracking in hospitality and in the travel sector in order to follow individuals.  When they're looking at individuals, they're looking at professors, women's rights activists, people who have a different philosophy or agenda than they have.

>> DMITRI ALPEROVITCH:  By the way, the consequences of this are not just that they know where people are.  There is an allegation that was just released in the last 24 hours about a dissident in Turkey that has been kidnapped by the Iranian Revolutionary Guard.  So, when you are identified like this, particularly in a location where they can do a kidnap operation or even assassination, the consequences are obviously very dire.

Iran has been an innovator, in many ways, in ransomware.  SamSam, of course, by an Iranian actor, the group that attacked the city of Atlanta, the state of Colorado, was the first group to really use big game hunting at huge scale.  Not just trying to target one system within the network and lock it up, but really doing an intrusion and then rolling ransomware across the entire network to try to get as big of a ransom as possible, which we have now seen from all these groups, like REvil, LockBit, and others.

>> SANDRA JOYCE:  It's incredible evolution for what they are doing.

The document that you see here was actually put out by Sky News.  It's a leaked document from the Iranian government, and what it shows is their intention to actually conduct reconnaissance on U.S. and Israeli ICS - Industrial Control System - targets.  So, we're talking about water ballast systems, fuel systems, satellite, PLCs; vulnerabilities, in general.

We've seen these groups actually scan for ProxyShell vulnerabilities, and CISA put out a report that showed that they were actually targeting, also, U.S. children's hospitals.  So, there doesn't seem to be a lot of limits for these types of organizations.

Do you have any takeaways, Dmitri?

>> DMITRI ALPEROVITCH:  Absolutely.  While we haven't seen a lot of ICS targeting from Iran, the fact that we know that they are now looking at these systems, that they're developing malicious code, they're procuring a lot of these systems, because after all, you have to remember exploits, malware, it's just software, and in software development you have to have the system to test it on.  Without that, you have no confidence that it's going to work.  So you're seeing them preparing for these types of attacks, which they may launch in the future.  Particularly if you have subsidiaries in the Middle East, in Israel and Saudi Arabia and UAE, you really want to start instrumenting your ICS systems, to start focusing on that part of your network beyond just IT.

One of the things that the Iranians are doing, and we're seeing this in the criminal space as well, is leaking data to harass organizations.  And there's not a lot of resilience right now in organizations from a public relations, from a communications perspective, on what happens when your data is out there.  How are you going to respond?  We really have to start building more resiliency, more preparedness, on that front.

All right, North Korea.

>> SANDRA JOYCE:  Oh, I love that movie.  Did you see it?  The new Top Gun.  Oh, never mind.  I thought we were talking about something else.

[Laughter]

>> DMITRI ALPEROVITCH:  Yeah.  Tom Cruise, the Saint.

One interesting thing about the North Koreans is that they've kind of been pretty low in the last couple of years, with COVID.  A lot of their activity in the cyber domain has diminished substantially, and to the extent that they were still engaged in operations, it was mostly espionage related to COVID.  They were obviously very concerned about the impact in their own country.  They were trying to steal research related to vaccines and treatments.

But now they are truly back, and you are seeing them go back after the South Koreans who were heavily involved in elections, presidential elections in South Korea that just happened recently.  And you are continuing to see incredible innovation taking place.  I've called, in the past, the North Koreans the most innovative cyber actor, because they're really pushing the envelope in terms of techniques, in terms of ways to compromise organizations, ways to leverage the information that they get.

One of the most fascinating things has been this development of the DPRK, this fake ICO that they attempted to launch a couple of years ago, the Maritime Chain ICO, as they call it, which was designed to raise money on the premise that you are going to tokenize commercial shipping and sell parts of the ship to investors.  The whole thing was a complete scam and has now been tracked to the RGB, their Reconnaissance General Bureau, one of the main intelligence agencies of the North Koreans.

But the other thing that's been really interesting to watch is their attempts to infiltrate organizations remotely by trying to get hired, actually get hired inside of these companies, particularly in the Web3 crypto space; where they're responding to advertisements, saying they're willing to do remote development work, they're saying they're from the Bay Area, although in many of the interviews, they failed to identify even the most common locations in the Bay Area.  Not sure if they mean the Bay Area in Korea or the Bay Area here in San Francisco.  Using stolen IDs to try to pretend to be westerners.  But one of the things that they're still finding hard to do is actually passing these interviews.  That remains a huge challenge for them.

When you look at the full scope of their operations, much of it, in addition to the traditional espionage, is focused on raising funds.  Raising funds for the regime, raising funds for these intelligence agencies that have to somehow fill the gap between what the mission requirements are and what their budgets actually allow them to execute.  And what you have seen them do is a couple of things.  One, in the crypto space, actual targeting of crypto exchanges and other sorts of crypto businesses.  Doing fake wallets attempting to get access to individual users' crypto keys to steal their coins.  And then, doing these native schemes, like the ICOs that I've just mentioned, doing IT outsourcing work to try to get jobs in the sector.

The one thing, of course, that they have still not stopped doing is targeting traditional financial organizations.  We're still seeing them targeting banks, particularly in Asia and Europe, trying to get in and steal money through wire transfers.

Even on the ransomware front, while they haven't been that big, WannaCry was one of the big examples of their attempt to use ransomware.  We have seen some actors actually do deployments of ransomware in the past.

Again, takeaways for the North Koreans.  Beef up your insider threat program.  Really focus on educating your HR folks, your recruiters, on what to look for when people are submitting resumes.  One, those resumes may, of course, have exploit lures in them.  But the other thing is that, even if they're completely innocuous, there are people out there that are trying to get hired inside of your companies, both from North Korea and from Russia and other nation state actors, and you have to be very vigilant to make sure that you're not letting an intruder literally on your payroll to break into your company.

And if you are in crypto, you've got to start looking at cold storage, if you aren't already.  The reality is that there are so many crypto wallets that are being stolen these days from exchanges, from individuals.  If you're not doing cold storage, you're very likely to lose all of your funds that are encrypted today.

     Sandra, what is going on in the crimeware space?

 

     >> SANDRA JOYCE:  I know there has been a lot of dialogue in our industry about, is ransomware going up or down?  I don't have a direct answer for you yet, but what I can tell you is that at Mandiant, we saw a spike in the last week and a half.  For that, I can tell you that we're just continuing to measure.

 

     What you see here is shaming site victims, also.  With shaming site victims, what these are is sites where if you don't pay, and frankly, in times where you do actually pay, threat actors are going to go and dump your data there.

 

     Now, at first glance you might say this chart looks promising, because it looks like it's going down.  But it's a little bit misleading, because it has very strong seasonality.  If you look at Q1 year after year and Q2 year after year, what you're going to see is a very stark rise up and to the right.  Now, we are still measuring Q2 of this quarter, so the last bar is also sort of in progress.

 

     So, what I can tell you is that we are seeing an increase in ransomware shaming sites, but also think of it this way: a lot of what we measure for ransomware gets intermixed with data theft and extortion.  And there may not be any need to drop any malware at all.  What we've been predicting for quite a while that we're seeing kind of turn true is that ransomware could have nothing to do with malware.  It could just simply be extortion and data theft, and it's getting measured as ransomware as well.

 

     So, the thing to think about is a lot of what’s happening in the ransomware space, with or without malware, is a tactic to evade sanctions, in some cases.

 

     >> DMITRI ALPEROVITCH:  That's right.

 

     >> SANDRA JOYCE:  That looks serious.  Someone’s having a bad day. 

 

     >> DMITRI ALPEROVITCH:  We had some good news on the ransomware front.  In January, a month before the invasion, the Russians did take action against 14 individuals that were part of this group, REvil, that was responsible for some of the most high-profile attacks last year.  This is one of the pictures from the raid.  They did take them down, but what we're seeing now ‑

 

     >> SANDRA JOYCE:  Great.  Problem solved, right?  Ransomware solved. 

 

     >> DMITRI ALPEROVITCH:  Not so fast.  This little thing called war happened.  And that, of course, has resulted in a breakdown in the communications between the cyber teams in the United States government and the Russian cyber teams, understandably so.  And what you’re seeing now is statements coming out of lawyers for these individuals back in Russia saying, well, it turns out that the U.S. has not provided any information that the Russian government can use in the prosecutions of these individuals, so they should drop the charges and let them go.  Unclear if that has yet happened, but one of the things we are seeing now is REvil is starting to come back.  Some of their sites and networks have come back.  And we have to watch that very carefully.  But perhaps an early indication that perhaps these individuals have gotten released and are back doing what they've been doing in the past.

 

     But of course, the one thing that you still have to keep in mind is that this is an incredibly resilient ecosystem.  It is not dependent, in terms of these groups, on one individual doing everything.  You have the spread of responsibilities between the actors that write the ransomware, the people that are executing the spam campaigns to send out the phishing lures, the access providers that are responsible for just breaking into networks, gaining access, and then reselling that access to the ransomware crews to deploy their malware.  And the negotiators themselves that are trying to extract as much ransom as possible and using extortion, using some of these leak sites to really amp up the pressure on organizations.

 

     So, what are the takeaways for this?  Well, one is really, have a plan.  Right, Sandra?  Do not panic.  One of the things that I've been observing for a number of years now, unfortunately, is that a lot of organizations rush to pay a ransom, even before they have a full appreciation of the impact that the malware may have caused on their network.  And because they simply cannot get a rapid answer that they want from their CIO and CISO about how quickly they can be recovered in those initial hours of the attack, they're just saying “well, if it's a couple million bucks, let's just pay it.”

 

     >> SANDRA JOYCE:  And you don't know who you're giving money to at that point, either.  A lot of these groups are going to be funding their own regimes, their own illegal schemes.  So, when you do pay a ransom, you could be funding something that you're very much morally against. 

 

     >> DMITRI ALPEROVITCH:  Absolutely.  And, obviously, have the IR teams on retainer to be ready to go, but also have the negotiators ready to go.  That’s becoming so critically important, particularly when they're starting to use these leaks, or threat of leaks, as extortion.  We often know that these leaks may not be real.  Oftentimes, they get data from victim A, and if it has information from company B, they'll claim that company B is also a victim.  Often untrue.

 

     So, you really have to take your time, don't panic, engage in the negotiations, stall for time while you figure out what is going on, how quickly can you recover if it's a ransomware, an actual ransomware attack.  Or, if you're seeing your data, did it actually come from your network?  Is it perhaps another party that was compromised?

 

     Expect leaks.  They're becoming so common these days.  Your data is everywhere, not just on your own network.  And, really, practice, practice, practice.

 

     >> SANDRA JOYCE:  A lot of advice is always to run tabletops, but rarely do you know exactly what things should you be practicing.  Dmitri, what are some things that are very specific that we should be practicing for? 

 

     >> DMITRI ALPEROVITCH:  Well, the one thing that I often see people neglect is they focus their tabletops, they focus their real exercises, obviously, on the technical side of the recovery.  How quickly can we get the networks back up?  If the network is completely down, can they still communicate, can they still do payroll and things like that?  But communication is often the most important part of a response exercise.

 

     Where I've seen things go off the rails is often because people are not ready for the PR disaster that is about to take place, and the companies that have done well, even though they may have suffered severe breaches, are the ones that are transparent, they’re communicating rapidly, and revealing information about what has happened, and what they're doing to respond and make things better.  They're the ones that people often respect.  And understand that everyone’s getting hit.  This is unavoidable.  But how you respond is actually going to make all the difference.

 

     One of the things I recommend to people, in terms of tabletop exercise, is actually write the press release that you're going to put out in the event of a leak, or the event of a ransomware attack.  Have that be ready, because oftentimes, inevitably, it takes days for people to get their arms around what they're going to say publicly.  They involve way too many lawyers, and yes, lawyers are important, no offense to the lawyers in the room.  But they slow down the process dramatically.  So, get that out of the way early on so that you can just fill in the details, but you know roughly what you are going to say in the different scenarios that may occur, and have that be out as quickly as you possibly can.

 

     So, one other thing.  We've talked a lot about nation states here, Sandra, but the last couple of years in particular, I think, have been a really great example of how we're moving beyond just nation states, beyond just criminal groups, to the rise of these hackers for hire.  Companies out there and countries all over the globe that are now engaging in operations either to help nation states where they're being hired by some of these third-tier countries, they may not have their own CNE, computer network exploitation, computer network attack programs, or actually being hired by individuals; and this can be a spouse that wants to legally monitor their partner that they think may be cheating, could be a company that is engaging in economic espionage.

 

     Reuters did a phenomenal deep dive into one of these companies, BellTroX in India, that has been doing so much.  They're being hired by private investigators all over the world to conduct espionage campaigns.  And some of them, some of the people involved are even in the United States.  There was another Reuters investigation into a company called DarkMatter that is operating in the UAE, that had hired former NSA employees to perform operations in the region.  Some of them have since been indicted.

 

     So, this is a trend to watch very carefully, because the reality is, particularly some of these Israeli groups are getting very good at targeting smartphones.  Smartphones traditionally don't have any security built in that would allow you to determine if there’s an implant on your phone.  And, of course, the implications of targeting your smartphone with all of your data in it, essentially a walking microphone and camera, can be devastating to individuals.

 

     >> SANDRA JOYCE:  Dmitri, the other piece about this is that countries will often - we've seen them use contractors to do this type of work before.  But with this rise of hackers for hire, what we're also seeing is a way that nation states can obfuscate and confuse attribution.  And oftentimes, they will use contractors in order to avoid or at least complicate that attribution process. 

 

     >> DMITRI ALPEROVITCH:  That's right.  We're seeing so much of NSO activity with Pegasus implants.  And sometimes it’s really hard to tell who is the actual beneficiary of the data that’s being stolen.

 

     Here are some of the takeaways, particularly for the hackers for hire groups that are targeting a smartphone.  One, and I know this is hard, but get a Google Voice number, get another VoIP number.  Use that number with others when you’re trying to get people to text you, get people to make phone calls to you.  And then have that redirect to your real number.  Don't give out your real number because oftentimes, these zero-click implants will use the iMessage protocol, will use some of these other baseband exploits to try to get into your device surreptitiously.  You will not even know that it's happening.  There will be nothing shown on your device.  So, the only way to protect yourself is really making sure that your real number that’s attached to your phone through your telco is known by as few people as possible.

 

     Reboot your phone frequently.  It's really hard for many of these implants to get persistence on the device.  Oftentimes, when they land on the device, while the device is running, they can collect information, they can communicate, they can activate the microphone.  But once you reboot, the implant goes away, and unless you're being retargeted, you'll be free of the malware.  So, rebooting quickly, I recommend once a day.  You go to sleep, reboot your phone right before you go to bed.  An effective tactic to try to mitigate at least some of the damage.

 

     Look, if you’re a high‑value target, if you think that another nation state in particular may be interested in what you have, contact Citizen Lab.  Those guys have been phenomenal up at the University of Toronto in doing a lot of these investigations, being really at the forefront of the NSO investigations, as well.  They’ve got great tools to do forensics on these devices to try to determine if you’ve been a target in the past.

 

     So, let's talk about some of the strategic takeaways that people should have, based on this quick overview of the threat landscape, Sandra.

 

     >> SANDRA JOYCE:  We'll start with influence operations, in general.  Almost every actor in this space is getting more mature when it comes to that.  But their effectiveness is not a foregone conclusion.  So, this means there’s going to be a bit of evolution on the part of threat actors who are deploying this.  They're going to get better, they're going to evolve, they’re going to be targeting the groups that they want to influence.  But audiences are getting more mature, as well.  So, you’re going to see an evolution of that entire space.  And whether or not there is malware attached, ransomware or data theft with extortion is going to be with us for a very long time.

 

     But it’s not really a time to panic.  Mandiant responds to over 1,000 incidents every year.  And we watch organizations go through just tremendously challenging situations.  And then we watch them resolve it and get back on their feet and press on.

 

     So, we need to be resilient.  That’s really the message here.  It’s preparedness, resiliency, and taking care of defenders.  We can't take for granted the fact that defenders, like you, are working day in and day out.  Appreciate them, take care of them, because if you do, they can take care of the mission. 

 

     >> DMITRI ALPEROVITCH:  That's right.  And look, it's not all gloom and doom out there.  We need to reevaluate some of our cyber warfare assumptions.  Here you have a major war break out in Europe, the biggest war that the continent has seen since World War II, and cyber has not been a major topic of conversation.  It has not been a major impact to Ukraine operations.  I think that, as we look forward to future conflicts, we have to appreciate that yes, cyber will be an element, there will be tactical attacks that can help forces to disable air defense systems, disable communications, et cetera.  But resiliency matters, and the adversaries aren't 10 feet tall, and if you’re able to get back up and running very quickly, that attack is not going to be very useful to the enemy that is trying to execute it.

 

     And last thing I'll mention.  This is a little bit self‑serving, because one of the things that is a huge passion of mine is building up our talent in this domain.  We simply don't have enough defenders for everyone.  We have to build up capacity, we have to educate people on policy as it's becoming the next frontier in this domain.

 

     One of the things I did last year is launched the Alperovitch Institute for Cybersecurity Studies with Johns Hopkins University.  They're going to be offering Master's degrees starting in the fall, and PhD programs, fully paid rides for people that want to go into this field.  And I'm very pleased to announce, for the first time here on stage at RSA, that our first PhD candidate has been accepted.  Sandra Joyce, my partner here.

 

     >> SANDRA JOYCE:  I'm going for nerd supreme. 

 

[Applause]

 

     >> DMITRI ALPEROVITCH:  Thank you for elevating my name out of the gutter, and I'm looking forward to great from you at Johns Hopkins.

 

     >> SANDRA JOYCE:  Thanks.  Appreciate it. 

 

     >> DMITRI ALPEROVITCH:  Thank you so much for coming to us.  Please review the talk.  Hopefully you enjoyed it.  We look forward to seeing you next year.

 

     Take care.

 

     >> SANDRA JOYCE:  Take care.


Participants
Dmitri Alperovitch

Speaker

Chairman, Silverado Policy Accelerator

Sandra Joyce

Speaker

Executive Vice President, Mandiant Intelligence
