Srsly Risky Biz: Sandworm an inspiration for hostile actors

Released Thursday, 25th April 2024

Episode Transcript

Transcripts are displayed as originally observed. Some content, including advertisements may have changed.

0:04

Hey everyone, and welcome to Seriously Risky Business. I'm Adam Boileau. This week's episode is brought to you by Trail of Bits, who do all sorts of really proper interesting security research. Tom talked to their CEO Dan Guido this week on the channel, and as usual with that guy, whenever you listen to him talk you come away with a bunch of interesting questions and interesting ideas, and that sort of itchy feeling in your brain is always a good sign when it comes to new and interesting security stuff.

0:37

Speaking of Tom, how are you? Yeah, good, I'm here. And you? I'm doing well. So this week for the newsletter you wrote up a report that came out of Google Mandiant looking into the notorious GRU hacking group Sandworm, and they've been around for so long that there's literally a book by Andy Greenberg about them. So what's Mandiant got to say about what they've been up to? And, you know, have they been very busy lately, I suppose?

1:07

There were two interesting things in this report. One was that Mandiant portrays Sandworm as a proliferation risk, and the idea here is that they're a risk just because they do all sorts of wild and crazy things that basically inspire other hostile actors. So I thought that was interesting, in that cyber proliferation is different from conventional weapons or nuclear, where it's the technology, all the parts or the designs or the intellectual property. And for these kinds of cyber operations it can be as little as just the idea of doing this thing. In fact the idea of going after the power grid in Ukraine, which they did pretty early on, like that's prompted a bunch of people to think about critical infrastructure security, right? So yeah, it's idea proliferation.

1:58

Yeah.

2:00

And the second thing was that they stepped through how Sandworm has operated during the Russian invasion of Ukraine, so they've got a timeline of its activities. How it initially started off with some pretty spectacular destructive operations, particularly the action to disrupt Ukrainian military satellite communications by attacking the KA-SAT network. And then there was a series of disruptive wiper operations around the same time as the invasion, then a kind of period of rebuilding and regaining access, more destructive operations, and then towards the latter part of last year or so they pivoted to more espionage operations. And so this is interesting for people who are trying to figure out what's the role of cyber operations in warfare, where do they fit in, how do they play with other conventional military activities. And so one way of looking at this is that Sandworm has just been learning by doing, and it's gradually kind of settled on more espionage operations. So the report actually talks about them providing excellent tactical support to military efforts in the field, so helping to extract Telegram and Signal messages from mobile devices, and also, interestingly, targeting the drone supply and logistics networks. And this felt very much like the type of thing that somewhere like NSA or Cyber Command would not get involved in. Because a competent military would say, we're going to capture mobile devices on the battlefield and we're going to have some well thought out processes from the get go to do forensics and incorporate that and ingest it. And it still feels very much to me like Sandworm is just the group in the Russian military that never says no. Because if someone says, ah, we've got mobile phones, who's gonna deal with this? Who knows about computers? Yeah, yeah, Sandworm, they'll do it. Yes, we'll deal with it. Ah, we've got a satellite network that we want to disrupt, can you do that? Yes.

4:31

Sandworm, to be honest, sounds like a pretty fun life, I'd imagine. You sit around doing hacking work and, I guess, having interesting and strange requirements where you have to go build what you need to do it. That's probably quite rewarding work. But as you say, it's quite a different approach to what I imagine it's like inside Five Eyes and Western militaries, and how we think about those sorts of things as well.

4:57

I think about it, like there'd be turf wars that are kind of arranged before the conventional war. So, you know, who's responsible for this? So, ah, you know, maybe NSA is responsible for, you know, forensics of mobile devices from the battlefield, but that would be sorted out well before the actual invasion occurred. Like you'd have this bureaucratic fight beforehand and people would sort it out, whereas that feels very much like Sandworm is saying yes after the fact because no one thought about it before. So maybe I'm reading the tea leaves, but it felt a bit like a sort of reactive, never say no approach. And that kind of, to me, is interesting in the way that Sandworm does so many things. So they do espionage, they do destructive, they do information operations, and in a Western context you'd have organizations going, well, that's not our role, that's someone else's role, we specialize in this, and you'd have different authorities that actually delineate who does what. So I just thought that was a very different way of operating, and because it's so expansive or audacious, like, that's why it possibly gives other actors ideas about what to do or how to behave.

6:26

Yeah, I mean certainly NotPetya was a pretty stunning, you know, I mean when that went down, like, that was a pretty stunning thing to watch unfurl, and then also, you know, watching it go off the rails so quickly and turn into, you know, into a global thing, compared to something like Stuxnet which went off the rails in a very kind of slow motion, you know, long, presumably lots-of-turf-wars-involved process as that escaped from where it was meant to be. So it's definitely interesting comparing and contrasting those. And I know when you and the Grugq have been talking through on the Between Two Nerds podcast how cyber has been used in the Ukrainian conflict, it's just been really interesting, you know, seeing our understanding, you know, start to become a bit more well-rounded, because before the situation in Ukraine really kicked off we were all, you know, sitting there expecting maybe some, you know, cyber Pearl Harbor, all the things we've been promised for so long. And then, you know, as you said, Viasat, that great example of an interesting attack but ultimately, you know, not that effective in terms of making their initial invasion of Ukraine go well. And, you know, I do wonder, because the proliferation goes, like, both down into, you know, criminal groups but also to other countries, where we can look at it and see how they've reacted and, you know, were there lessons? Like, is it too soon to start drawing lessons from Ukraine and the way Russia has, you know, done the cyber there, or are we still, you know, a couple of years out from learning stuff?

8:00

I think it's never too soon, because, and I say that because you don't want to just wait and wait and wait before making a decision and doing something. And so I think that in this case there's lots of countries that are thinking about what's the role for cyber operations. So a couple of things are clear: that cyber operations are just another part of warfare. Right, so the entire time Sandworm has been involved in the war, it's not irrelevant to a war. So that's the first thing. The other thing is that those cyber operations started years and years before the war. So it's a regular part of how countries, I guess, compete with each other, even in peacetime. So if you're not paying attention even in peacetime you're behind the eight ball. So you need something. And then I think having a good espionage capability is a must have. Right, that's the first thing you would do. And then there's still a question about how much can you expect from an offensive capability. So to me, so far what we've learned is that there was the potential for some of those destructive actions to have a significant impact. And so all countries, I think, have to be exploring what do we do in this space, how far do we go, and it seems to me you should be making some investments but not betting the house on that kind of operation making a huge difference in the war.

9:42

That makes sense, and I think the Ukraine conflict has also been really interesting in seeing how resilient Ukraine has been at weathering some of those destructive attacks, and having banks or telcos, you know, having all their computers wiped and all the other things that have happened to them. And by and large they've recovered pretty quickly. And, you know, you look at the Chinese pre-positioning, you know, with Volt Typhoon, that we've seen the US, you know, making quite a lot of noise about. And part of me wonders, you know, like, do we think that all of that work is going to have been effective? Or have, you know, the US blunted the effectiveness of that? And indeed, even if they didn't, you know, is the US actually resilient enough to weather the sorts of things that have happened in Ukraine? Can you imagine, you know, Verizon being rm'd off the internet in the same way that some of the telcos in Ukraine have been? You know, we can look at this conflict and look at things that Sandworm and Ukraine have been doing. But there's, you know, the how recovery works, I think, has also been really, really interesting.

11:01

Yeah, I think, you know, I fall prey to the fascination of offensive cyber activities. But I think you're right that the actual resilience is probably the most important thing to take out of the war. That rather than focusing on an offensive capability, you should probably focus on internal resilience.

11:21

Yeah, but certainly a very broadly applicable thing to have, you know, being able to deal with disasters, even if they're natural disasters, not necessarily, you know, human-caused ones. But I'm thinking, when I, you know, in my pen testing time, you know, when we'd sit around and talk through with the customer, like, here are the things we could have done, how long, you know, how long do you think it would take you to recover from? And the kind of estimates we would get from, we can delete your backups, and we can encrypt the files or whatever it is, turn off your VMware cluster, you know, all of those estimates were months. We see the Ukraine turnaround, recovery and...

12:02

To switch here, there was a case of a telco getting pretty badly done over, and the CEO later came out and said that if the Russians had been able to go one step further it would have taken months, but they'd stopped them before. I can't remember what that next step was. I think it was wiping a whole lot of, like, thousands of devices that were close to customers in the network, in the field.

12:29

Yes, devices that you have to roll a truck to replace. Yeah, yeah, so I mean there's an element of luck there as well.

12:37

I think you need both. You need preparation and a little bit of luck, or you make your own luck, or something like that. But I think you're totally right. Like, resilience is useful all the time for all sorts of reasons. Having a top notch offensive cyber capability is useful in a very small sliver of scenarios that hopefully never eventuate.

13:02

Anyway, yeah, hopefully, hopefully. Ah, so one of the other things you wrote about this week was Section 702 of FISA being reauthorized in the United States, but we've all here at Risky Biz had probably enough Section 702 coverage, and we've had to talk about it so often over the years, so I was thinking perhaps we could talk about not Section 702, and instead one of the other things you talked about this week, which was this kind of academic study trying to arrive at a cybercrime index. This conversation about resilience and learning lessons from what's been happening to other people, this also seemed interesting in the same way. Tell us about this study.

13:46

The study is really trying to answer the question which countries are home to the most cyber criminals. And of course cybercrime is a vast field, and so it tries to break cybercrime into five different, they call them threats. So this is kind of the country that is best at making technical products or services, the country that hosts the most attack and extortion type cybercriminals, the country that's the top for data and identity theft, scams, and cashing out and money laundering. And the way they did this is they basically got together a selection of experts from around the world, and took steps to make sure that they're not too Anglo-centric, that they got global coverage. They took steps to try and get credible experts and then basically gave them a survey. And so what I thought was interesting is that some of the index matches what was in my head, so no surprise Russia and Ukraine first and second. But it was a surprise to me to see China ranked third overall. And so the context is this was a crime index and not a state-sponsored index. So if it's state-sponsored, you know, China is probably one or two, right, but I don't hear a lot about Chinese cybercriminals. And so to me what this index is saying is that I read a lot of English language reporting on cybercrime, and I'm missing out on a whole lot of Chinese language stuff, either because it's not reported, I mean, the PRC is notorious for its censorship, or it's not making it into English language. But I can search for and read about, when the stuff about the pig butchering scam compounds in Cambodia and in Myanmar and so on, like I remember being surprised at the scale of that. And the fact that that was targeting a lot of victims in China was interesting because we haven't really, yeah, I don't recall seeing cybercrime targeting a Chinese audience much before, because why would I read Chinese reporting on that?

16:30

What is interesting is that we do have very different perspectives. Yeah, and we're used to, you know, Nigerian scamming being a big thing because we experienced it, and I don't know where Nigeria ranks in this particular study, but in terms of mindshare, Nigerian 419 scammers were pretty early market leaders. But yeah, it's interesting to see a more globally even perspective on this kind of thing, because, as you say, we do have a Eurocentric bias.

16:57

Yeah, so to answer your question specifically, Nigeria ranked fifth, but it was basically because it was top of scams and not other things. It seemed like, dividing it into different aspects is useful because you can say, look, Nigeria's the top scamming nation, and then it was actually India and Ghana and South Africa.

17:22

And that kind of makes sense, that sort of feels right. We get a lot of Indian scams, demographics I suppose, population. Yeah, makes sense.

17:33

Now, the thing that really surprised me is that the UK actually comes first when it came to money laundering and cashing out. Now, that makes sense because London is such a financial hub, but it is absolutely not what I would have thought based on the cybercrime reporting that I read. You know, maybe we'd expect that thread to go to casinos in Macau or something like that, but now, like, I guess it makes sense that a financial hub is where financial stuff happens.

18:03

So yeah. Yeah, yeah.

18:05

And so to me, that's the kind of value in this kind of index, is that it makes you take a second look and think, well, the UK is actually a country that would be motivated to, I guess the word would be, crack down on this sort of thing once it realises that it's a problem.

18:24

Yeah.

18:26

And so just pointing out that it's a potential problem, like, no index like this is perfect because it's just kind of a sampling of people.

18:37

A lot of fingers in the air.

18:40

That's right. Yeah. And at the very least, it should make regulators in the UK have a deeper look. You know, why do people think this? Is there a loophole that's being exploited? What can we do about it? And maybe there's nothing there, because it is an index made up of experts, but I think it forces you to ask the question, it demands a second look. And then it's also useful for things like capacity building, you know, what would you like to teach a country? So for example, Brazil comes actually relatively high in terms of countries that are homes for the technology that's used in malware. And so Brazil seems like a country where you could get some traction teaching police forces there how to prosecute those kinds of crimes. And so it allows you to tailor your efforts in different countries to the problems that exist, or that we believe exist, in that country. If you're thinking about where to spend money or where to invest effort in tackling cybercrime at its source, it's a useful resource that you should have a look at.

19:53

All right, well, excellent. Thank you for bringing it to everyone's attention. And thank you for talking to us today. Pat will be back next week, so you're probably chatting to him. But yes, everyone, I hope you've enjoyed the show and have a read of Tom's newsletter. Thanks very much, Tom.

20:09

Thanks, Adam.
