WEBVTT

00:00:00.240 --> 00:00:24.660
Anna Delaney: Hello, this is the ISMG Editors' Panel. I'm Anna Delaney, and this is our weekly editorial get-together to mull over and scrutinize the latest in cybersecurity. And I'm very pleased to be joined this week by Tom Field, senior vice president of editorial; Mathew Schwartz, executive editor of DataBreachToday & Europe; and Tony Morbin, executive news editor for the EU. Hello to you all. Tom, we missed you last week.

00:00:24.000 --> 00:00:28.050
Tom Field: I've been traveling a bit. These are the days.

00:00:28.710 --> 00:00:33.360
Anna Delaney: These are the days. Talk to us about your backdrop. I think that's linked to your travels.

00:00:33.840 --> 00:00:45.480
Tom Field: It is! "Who can turn the world on with her smile? Who can take a nothing day, and suddenly make it all seem worthwhile?" I was in Minneapolis last week. This is the statue of Mary Tyler Moore famously throwing her hat up into the air.

00:00:46.140 --> 00:00:52.440
Anna Delaney: Good. Talking about hats, or masks. Tony? I think we can guess.

00:00:52.000 --> 00:01:09.640
Tony Morbin: Yes! Anonymous hacktivists, and news that the hacktivism going on in Ukraine is actually declining, and declined quite rapidly after it initially flared up. So hence, our good friend, Guy Fawkes.

00:01:10.180 --> 00:01:16.240
Anna Delaney: Yeah, more on that later. Thank you, Tony. And Matt, outside enjoying the fresh air?

00:01:16.780 --> 00:01:47.350
Mathew Schwartz: That's right. A beautiful weekend in Scotland. This was an epically long walk that I did. And this is looking back from the village of ... but first, there was Newport, and then there was Wormit. I love that name. And so just looking back over the Dundee rail bridge - actually this is the road bridge, the rail bridge is over here. So, most people won't know Dundee. But the bridge is about a mile long. So it was a gorgeous day looking back over the city of Dundee.

00:01:47.890 --> 00:01:50.890
Anna Delaney: And epically long means how long?

00:01:51.880 --> 00:01:53.890
Mathew Schwartz: Well, 11 miles.

00:01:54.070 --> 00:02:16.150
Anna Delaney: 11 miles! Well, on the theme of walking - not quite 11 miles - but this is the English countryside near where I grew up. Painshill is an 18th-century English landscape park. So I go there for strolls rather than epic walks. But Tom, you interviewed members of the Secret Service recently?

00:02:17.470 --> 00:03:33.790
Tom Field: Yeah, it was our Government Security Summit in Washington, DC, and of course, the topic was business email compromise. Now, you might not expect the Secret Service to be so active in this conversation. But it's something that they are trying to bring more to the attention of, particularly, financial services organizations, but all organizations, and the message that they're hammering home is, "Okay, ransomware gets all the headlines, justifiably so. It's a huge issue, particularly in supply chain. Phishing, frankly, gets more attention within organizations because of the volume of automated attacks. And, of course, organizations are constantly conducting their own exercises. But business email compromise is sort of the quiet killer." Over the course of five years, from 2016 to 2021, known cases - let's put a pin on that - known cases of business email compromise added up to more than 43 billion, with a B, dollars in losses: some substantial numbers there. And so, I had a conversation with Secret Service agents about the criticality of this and how it has sort of flown under the radar. And I'd love to share an excerpt of the conversation I had at our recent summit.

00:03:33.000 --> 00:04:10.470
Stephen Dougherty: Unfortunately, for years, it has, even though it's been the largest-grossing cybercrime out there going back to 2016, I think. And yeah, it flies under the radar for several reasons. One, it's a relatively nebulous crime. People don't necessarily understand it in its true form, which you really need to address if that is driven by the stealing and interception of privileged and contemporaneous information, meaning information that's really trusted only with the person you're doing a transaction with. So things like that, the intricacies of it, kind of really have it fly under the radar. It doesn't get the big press like ransomware does, but it is actually a more devastating crime out there right now.

00:04:10.500 --> 00:04:13.410
Tom Field: What's the dollar figure you're looking at over the past five, six years?

00:04:13.450 --> 00:04:26.140
Stephen Dougherty: About 45 billion, and that's actually an underreported number. These things go - I'd say maybe 30 to 40% are only reported properly. Yeah, no one wants to report it, or they don't know how to report it.

00:04:26.130 --> 00:05:05.880
Tom Field: So there you go. Even I underreport it. I said 43 billion. That's 45. The key is the underreporting, because those are the only cases that they're aware of. Matt's well aware of this from the ransomware incidents that he talks about. So much goes underreported because of embarrassment, of losses. And the reason we're talking about this is because of the criticality of being able to detect and respond. It used to be that once an incident was reported, law enforcement agents like the Secret Service would have 48-72 hours to be able to recover some of that money. Now it can be 12 to 24 hours because of the speed of being able to launder this money and get it out of the system. So that's what we talked about.

00:05:05.000 --> 00:05:16.130
Anna Delaney: And Tom, you moderate many roundtables. What do you hear from security leaders as to, you know, the challenges they face around fending off the scams?

00:05:16.330 --> 00:05:55.030
Tom Field: This is where the hybrid workforce works to the disadvantage, because the adversaries have been able to divide and conquer when you don't have people within a central office who can stand up in an office or a cubicle and say, "Hey, does this look funny to you?" People are making decisions on their own; the adversaries are able to sort of pick on the weaker links and be able to exploit them. And that's why business email compromise, phishing schemes, socially engineered schemes are continually so successful. And don't forget the automated pace of these. They're coming at organizations constantly. And the social engineers constantly tune their instruments as well.

00:05:56.440 --> 00:06:09.640
Anna Delaney: Yeah, I think it stopped. But forming partnerships, trusted partnerships, was a massive topic at this particular summit. What did you hear that encouraged you more than the usual "we need trusted partnerships"?

00:06:09.000 --> 00:06:37.530
Tom Field: Organizations actually taking steps to do that. It used to be, "We want to be in partnerships where we share information." That used to mean, "You give me your information, I'll keep mine to myself. Thank you." You see now that the private sector, in particular, is forthcoming in wanting to engage with the government to share real-time information so that they can perhaps be proactive against some of these threats, if not constantly reactive. So it is encouraging.

00:06:38.290 --> 00:07:38.290
Mathew Schwartz: It's great, though, as well, to see the Secret Service and others talking about this. I mean, I think the FBI has got the RAT, the Recovery Asset Team, where if they get a heads-up early enough, they can, as you said - there's not a lot of time, but they can help organizations get the money back. That's huge. And that's a great reason to be aware of what you need to do, in case this happens. And another big thing, though, for me, as with ransomware, especially with business email compromise, preparation is often not about high tech, or it doesn't need to be high tech; you need to have business processes in place that slow things down. So, someone's claiming to be the CEO and says, friends for $24 million, immediately, alarm bells start to go off. And I think that can be a bit of a litmus test. Organizations can still fall victim. But did they fall victim because they just didn't have these common-sense roadblocks in place inside the organization? If they don't have those, they need to get them.

00:07:40.150 --> 00:07:41.860
Tom Field: To ask you to go out and get gift cards.

00:07:41.950 --> 00:07:44.050
Mathew Schwartz: Yes. Exactly.

00:07:44.570 --> 00:07:58.520
Tony Morbin: I was going to say that they're going to need them even more with deepfakes as well. Because, you know, if you've got your CEO on the video telling you to do something, if you've got a strict policy in place that he has to give you the password, then he has to give you the password.

00:08:00.710 --> 00:08:01.220
Anna Delaney: Very good.

00:08:01.340 --> 00:08:02.810
Tony Morbin: Logon passwords are the best way.

00:08:04.610 --> 00:08:12.320
Anna Delaney: Well, moving on. Matt, Cuba ransomware hits Montenegro, or does it? Help us through this story. What is going on?

00:08:12.930 --> 00:12:15.540
Mathew Schwartz: Yes, what is going on? I'm a little late to cover this, just in case something massive changes in the next 12 to 24 hours. But over the past weekend, I think beginning last Thursday and intensifying Friday, the government of Montenegro said that it was being disrupted. They didn't specify how, so a lot of people were saying, is it distributed denial-of-service attacks? Is it ransomware? Because oftentimes these days, it's ransomware. And, again, no detail was really forthcoming. There was a defense minister who said, "Well, when Montenegro is disrupted, who do you think would be involved?", basically figuring Russia as the culprit. But what's happened more recently now is the parliament in Montenegro has been listed on the clock, not the clock, excuse me, the Cuba - different C-word - ransomware gang, and Cuba, no affiliation with Havana, perhaps there's a love of cigars or rum or they just liked the name. But the Cuba ransomware gang, which is staffed by Russian speakers, says that they hit the parliament; they have posted some stolen files. And there's no pure 100% confirmation yet. But this would seem to be associated with the disruption of Montenegro government sites. This is the second disruption they've experienced, well, I should say, in August. There has been a lot of political turmoil: the coalition government proposed by the Prime Minister - he proposed a cabinet and it didn't get voted through. So the government has toppled for the second time this year. So there's a pro-Russia faction at work here, there's a pro-EU faction at work, so it's already a highly politicized environment, and then you appear to have this one ransomware group come waltzing in. So, I think a lot of people are going to say, "Oh, well, they're probably acting on behalf of the Russian state." We don't really see ransomware groups do that. Possibly, Russia doesn't care for Montenegro. And so, this ransomware group has found that it has managed to infiltrate a network, or two or five or 12, who knows, in the government, and they think, "Moscow doesn't care. So, we're just going to hit them and see what happens." I'm a little surprised, because governments don't tend to pay. We occasionally see governments get hit by ransomware groups, such as Costa Rica. But what emerged in that case, which was Conti, was clumsy: they appeared to be using it as a smokescreen while they spun up other groups quietly, so as to hopefully not have them associated with the Conti brand, which was burned after Conti backed Russia in its invasion of Ukraine. All of a sudden, the ransom payments to Conti went from a lot to apparently next to nothing. So, they had to rebrand, spin off some groups, etc. So one big takeaway here for me is a lot of news reports said, "Montenegro blames Russia." Well, it was your defense minister. And if they are not bellicose, they probably can't get the job. And I would just urge everyone to not report that as such. Back in the day, every bank attack was blamed on Russia, there'd be some White House officials speaking on background, every intellectual property theft was blamed on China. A lot of times it was just crime, pure, simple crime. But anytime there's attribution, there's a political component to that. And governments only attribute when it works to their advantage. And with this political turmoil happening in Montenegro, of course, some people are going to say, "Oh! It's Russia. How dare the pro-Russia faction in our country be so aligned?" All of this nuance, and then, as, again, has happened so many times, it looks to just be criminals, probably acting opportunistically. Yes, causing lots of disruption. Montenegro has thanked its NATO partner friends for coming in to help with the cleanup. And I would presume in the next week or two, everything will be back to normal.

00:12:15.000 --> 00:12:24.090
Anna Delaney: If they have any parties involved in it, again, it brings up the challenge of attribution. The question we always talk about.

00:12:25.110 --> 00:12:56.730
Mathew Schwartz: Yep, we should never rush. Everyone should always be careful. And when you do see attribution, again, it's inherently political. Ask, why is this being attributed? And if it's a Baltic, or I should say Balkan, nation blaming Russia, okay, that's kind of obvious. South Korea gets attacked. Who are they going to blame? But just because it's obvious doesn't mean it's true. And so we need to be really careful about who's attributing, why they're attributing, and to take this all with a big grain of salt when it does happen.

00:12:58.110 --> 00:13:02.700
Anna Delaney: Matt, how sophisticated were these attacks? And how grave was the damage caused?

00:13:02.000 --> 00:13:34.520
Mathew Schwartz: So, there's been disruption of government services; a lot of sites can't be used. I forget the precise population of Montenegro - 600,000, give or take, I think. So this could be a serious disruption. For example, if you're trying to pay your energy bill or that sort of thing. I don't know. But sophistication. I also don't know. I mean, it did disrupt services. But does that make it sophisticated? Or were the attackers able to do something kind of really basic, and it just brought down the whole government infrastructure?

00:13:34.000 --> 00:14:00.820
Tom Field: In parallel to what you said, the attribution that no one ever gets attacked in an unsophisticated attack. And yet, when you dig down deeply, often it's things that we've seen over and over, tried, true, they work. Back to your BEC attacks, if you can steal $24 million by impersonating the CEO on an instant message chat. Is that sophisticated? No. Is it effective? Yes. So why bother with sophistication?

00:14:02.280 --> 00:14:08.280
Anna Delaney: Staying with Russia-Ukraine. Tony, who is getting bored of cyber war?

00:14:09.080 --> 00:17:13.580
Tony Morbin: Well, it's the hacktivists. Even while Ukraine's Computer Emergency Response Team has been reporting that the country was hit by 1,123 cyberattacks in the first six months of the war, two separate reports have come out this week suggesting that the part played by hacktivist activity hasn't been sustained. So, while the state actors are continuing to target critical infrastructure as part of their hybrid warfare, the onslaught of lower-level activity by volunteers, including criminals, hacktivist groups, ideologically motivated individuals, has slumped. One of the first of the two reports is from Cornell University. It analyzed web defacement attacks, DDoS attacks, volunteer hacking discussion groups, both before and after the invasion. And it says that while the conflict did briefly, but significantly, get the attention of the low-level cybercrime community, the notable shifts in geographic distribution of defacement and DDoS attacks by these players overall, it's quite minor. There were mass attacks against fairly random websites within the .ru and the .ua domains. The researchers found no evidence of any high-profile actions such as targeting critical infrastructure. This is by the activists, where there was significant use of DDoS by the IT Army of Ukraine. But there's been a clear loss of interest in carrying out these defacements and DDoS attacks after just a few weeks. Now, these findings from Cornell were echoed in separate research that reports that hacktivist groups such as Anonymous slowed their efforts in the last few months after initially focusing on Russian oligarchs in the real-estate and mining sectors. In fact, half of all reported cyber-warfare-related incidents this year took place in February and March. The invasion did spark a flurry of cyber incidents relating to Russia in the early part of the year, a clear spike in cyber espionage, hacktivism, cyber warfare targeting Russian business and individuals. But he too says that this was very short-lived, with activity falling off considerably in recent months, most likely due to hacktivist groups just not being willing or able to sustain their efforts as the conflict continued. Now, whilst this might sound like bad news for activists and citizen warriors, personally, from my own point of view, I'd say it's good news for society. I mean, in my opinion, it's not advisable for citizens to be personally attacking citizens of other countries or their governments. And there were certainly concerns for where the same people might turn their talents once the war was resolved. So I accept that mostly it was well intentioned, that governments did play some coordinating roles sometimes. And so, you can't simply put it down to being pure vigilantism. But, again, my own opinion: if you want to contribute to your country's cyber efforts, join the cyber reserves.

00:17:15.130 --> 00:18:28.810
Mathew Schwartz: That's a good point. Very good point. I was just going to say this isn't the first time we've heard some caution about the role of hacktivism and such in the Russia-Ukraine conflict. I know the operational security expert who is known as the grugq had delivered a presentation in May, saying, "This didn't really seem to be happening." In large part because the military establishment and the intelligence establishment, law enforcement in Russia, doesn't interface with criminals. And the criminals don't want to be seen to be interfacing with them, because it's bad for business. So it's interesting really to have these numbers. As you were saying, Tony, it's a team of researchers who now published the paper - the researchers from the University of Strathclyde, Edinburgh and Cambridge - really put some numbers to what they've been seeing. One can and should ask, do website defacements, ultimately, impact a war? Do DDoS attacks against non-critical infrastructure make a difference? I think for the IT Army, the morale was a factor for Ukraine: look at all these people rising to the defense of Ukraine. But I think in terms of - I mean, psychologically - that is notable, but in terms of the military benefit, as you say, as this research shows, nil, I think, is the answer.

00:18:29.230 --> 00:19:01.120
Tony Morbin: Yeah, it was fairly sort of random and all over the place. So, it wasn't really coordinated. The same kind of activity conducted by a state, maybe, to a purpose, as part of hybrid warfare, you know. We obviously saw the attack on the satellites prior to the start of the war by Russia. So, you can have hybrid warfare. But if you're an individual, you're not really going to be sophisticated enough to really know who's the best target, let alone necessarily be able to get them.

00:19:01.690 --> 00:19:05.170
Tom Field: We like short stories. And Russia-Ukraine is not a short story.

00:19:07.070 --> 00:19:30.440
Anna Delaney: It's very interesting to see how this hybrid war is evolving and how many countries are being impacted. Well, to our audience, stay tuned for further developments, as there will be more. Well, finally, from cyber warriors. I know there's still a few more months left of the year, but reflecting on 2022 so far, who stands out as a cyber warrior for you?

00:19:31.310 --> 00:19:31.850
Tom Field: I got two.

00:19:32.480 --> 00:19:33.170
Anna Delaney: Okay.

00:19:33.870 --> 00:19:38.760
Tom Field: I'm going to come back to Jen Easterly, CISA, because she makes cybersecurity look cool.

00:19:39.030 --> 00:19:39.840
Anna Delaney: Yeah, she does.

00:19:39.000 --> 00:20:08.040
Tom Field: And I'm also going to take a hat off to Mudge, who took a big stand last week when he filed his whistleblower report with the federal government regarding his experience with Twitter. That was a stand for accountability. And I think that we can debate the impact on the CISO profession, we can debate the impact on his own career. But he took a stand for accountability. I think that's important to note.

00:20:09.900 --> 00:20:14.070
Anna Delaney: I will say that'll be interesting to see how that story evolves. Tony?

00:20:15.650 --> 00:20:48.080
Tony Morbin: I'm going to be very controversial, not quite as current, but somebody who maybe didn't get any awards at the time. Christopher Krebs, former director of CISA, for creating the CISA website to debunk election-related disinformation, upholding democracy and the rule of law. I mean, as a non-American, I'm not in any party, political. In fact, I believe Christopher Krebs is a Republican himself. But for me, that was a big stand by the cybersecurity industry for upholding law and order, and democracy.

00:20:49.740 --> 00:20:52.140
Anna Delaney: Good choice. Thank you.

00:20:52.360 --> 00:21:34.990
Mathew Schwartz: I'm gonna weigh in with Victor Zhora, the deputy head of Ukraine's cyber defense agency, who I had the good fortune to speak to recently. And he was meeting Jen Easterly at the recent Black Hat conference in Vegas and flying the flag for Ukraine and collective cyber defense. But it's thanks to individuals like him. He's been in the industry for a long time, he's helped organize BSides in Ukraine, I think from back in 2012 onwards, is a part of the community, but obviously finds himself in this difficult position, as do all Ukrainians, of having to help with the collective defense. So I mean, the definition of a warrior right there.

00:21:35.500 --> 00:21:38.560
Tom Field: Terrific interview, by the way, Matt. I recommend everybody watch that.

00:21:40.570 --> 00:21:47.800
Anna Delaney: You take the words out of my mouth, Tom. Well, thank you so much, everybody. This has been excellent. And thank you so much for watching. Until next time.