WEBVTT - Here's What Cyber War With Russia Would Actually Look Like 0:00:10.800 --> 0:00:14.160 Hello, and welcome to another episode of the ad Thoughts podcast. 0:00:14.240 --> 0:00:17.880 I'm Tracy Alloway and I'm Joe. Wisn't thal so Joe. 0:00:18.079 --> 0:00:22.840 Clearly a lot still going on with Russia's invasion of Ukraine, 0:00:22.920 --> 0:00:25.800 but one of the big talking points in the past 0:00:25.840 --> 0:00:30.280 couple of weeks has been this idea of a retaliatory 0:00:30.320 --> 0:00:35.640 response from Russia, not necessarily in the sense of traditional warfare, 0:00:36.040 --> 0:00:39.839 but in the form of cyber warfare. Right, So, this 0:00:39.920 --> 0:00:43.360 has always been a source of concern, going back for 0:00:43.440 --> 0:00:48.199 several years, long before the existing conflict. What are Russia's 0:00:48.240 --> 0:00:52.519 cyber warfare capabilities, how weak is the rest of the world, 0:00:52.600 --> 0:00:57.040 how exposed is critical infrastructure and so forth? As of now, 0:00:57.600 --> 0:00:59.560 you know, I don't think this has been a huge 0:01:00.080 --> 0:01:05.040 spect of the current conflict. Traditional violent warfare is sort 0:01:05.080 --> 0:01:08.600 of being the story, but it is always lurking out 0:01:08.640 --> 0:01:12.080 there as a risk. Yeah, there have been some rumblings 0:01:12.120 --> 0:01:15.560 of potential attacks. I saw something in um der Spiegel 0:01:15.760 --> 0:01:20.640 this morning about possibly a hack of satellites that might 0:01:20.680 --> 0:01:24.680 have been impacting Ukraine. So there are sort of rumblings 0:01:24.680 --> 0:01:28.039 of this, uh, you know, some accusations lurking in the background, 0:01:28.120 --> 0:01:31.080 but we haven't seen anything. Let's say, we haven't seen 0:01:31.120 --> 0:01:35.039 anything major yet. And I feel like cyber security risks, 0:01:35.080 --> 0:01:37.199 it's one of those things that you you always see 0:01:37.240 --> 0:01:40.520 people mention as a sort of left tail risk. You 0:01:40.560 --> 0:01:43.920 see lots of analyst notes about it, but no one 0:01:44.000 --> 0:01:47.919 really talks about it in concrete terms. It always seems 0:01:47.960 --> 0:01:52.280 to be just this vague threat lurking in the background. Yes, 0:01:52.400 --> 0:01:55.000 and I think it's in part because, as you exactly say, 0:01:55.120 --> 0:01:58.880 no one precisely knows what it would look like. Um. 0:01:58.920 --> 0:02:02.440 I mean, obviously, companies are regularly getting hacked. We've seen 0:02:02.440 --> 0:02:06.200 an increase over the years, and malware and ransomware, and 0:02:06.200 --> 0:02:09.800 companies losing data, companies having to pay to bring factories 0:02:09.800 --> 0:02:12.680 and infrastructure back online. Of course, I think it was 0:02:13.600 --> 0:02:17.000 late or maybe early last year there was that pipeline 0:02:17.680 --> 0:02:20.200 on the central part of the United States. So these 0:02:20.240 --> 0:02:24.080 things recur, but I think it's very nebulous what that 0:02:24.200 --> 0:02:27.239 risk actually looks like. So today I'm very pleased to 0:02:27.280 --> 0:02:30.360 say we're going to try to get a firmer handle 0:02:30.480 --> 0:02:35.000 on what cyber warfare risk might actually look like, and 0:02:35.320 --> 0:02:37.600 we're gonna do it maybe a little bit differently um 0:02:37.639 --> 0:02:39.720 to what we normally do. But today on the show, 0:02:39.760 --> 0:02:43.040 we're gonna be talking to a hacker about what it 0:02:43.120 --> 0:02:47.040 actually means to, you know, do cyber warfare to hack 0:02:47.080 --> 0:02:50.519 into someone's systems, what the threat actually looks like, and 0:02:50.560 --> 0:02:54.760 what is possible from a technological perspective. I'm really looking 0:02:54.760 --> 0:02:57.360 forward to this sort of different from our normal path, 0:02:57.440 --> 0:03:01.040 but of something important to be uh, to learn more that. Yeah, 0:03:01.400 --> 0:03:03.560 so we're going to be speaking with Matt Swish. He 0:03:03.639 --> 0:03:07.760 is the founder of Komi and incident response startup based 0:03:07.800 --> 0:03:10.440 in Dubai, which is where I met him, and I 0:03:10.480 --> 0:03:14.040 have to say he's definitely an expert on all of us. Matt, 0:03:14.120 --> 0:03:17.680 Welcome to the show. Hi Trici, Hi Joe. Thanks for 0:03:17.800 --> 0:03:22.520 inviting me. Looking forward talking with you about what cyber 0:03:22.600 --> 0:03:26.440 war might look like. Yeah, so you have a bit 0:03:26.480 --> 0:03:28.720 of expertise in this. I mean not just from the 0:03:28.760 --> 0:03:32.160 hacking perspective, but uh, there are some Russian hackers who 0:03:32.160 --> 0:03:37.000 seem to be obsessed with you. Is that right? Uh? Yeah, 0:03:37.200 --> 0:03:42.920 so I assume you're referrain to the group called the 0:03:43.200 --> 0:03:46.680 Shadow Brokers that mentioned me like few years back. Yeah. 0:03:46.760 --> 0:03:50.080 So just for background, Uh, Matt and I met when 0:03:50.120 --> 0:03:54.200 I was working in Abu Dhabi and Dubai. And this 0:03:54.360 --> 0:03:58.480 was back when Shadow Brokers had a major um attack 0:03:58.520 --> 0:04:00.480 and there was a lot of talk about them, and 0:04:00.520 --> 0:04:04.280 they allegedly were a Russian group of hackers and they 0:04:04.320 --> 0:04:09.880 seem to really I don't know, just focus on you, Matt. Yeah, 0:04:10.080 --> 0:04:13.040 So I guess like one of the main reasons for 0:04:13.280 --> 0:04:16.120 the focus at the time was mainly due to the 0:04:16.160 --> 0:04:20.280 fact that I was analyzing a lot of the documents 0:04:20.279 --> 0:04:23.680 that they were releasing. To date, that's one of the 0:04:24.760 --> 0:04:28.680 group that released some of the most significant documents in 0:04:28.760 --> 0:04:32.880 cyber security, like partly as significant as the snow Don 0:04:33.000 --> 0:04:36.560 documents to give some context for the audience. And as 0:04:36.560 --> 0:04:42.680 part of the release, they release operational notes and exploits 0:04:42.720 --> 0:04:47.440 that belonged to the US government, particularly to the n ESSAY, 0:04:47.560 --> 0:04:52.760 which is the Man intelligence agency in the US, where 0:04:52.760 --> 0:04:59.080 they were exposing US intelligence capabilities. So those documents were released. 0:04:59.200 --> 0:05:02.200 I was of the many people who are like analyzing 0:05:02.240 --> 0:05:05.440 them and uh and like human and like you said, 0:05:05.480 --> 0:05:08.640 you know, they've been mentioning me a few times so far. 0:05:08.800 --> 0:05:12.600 Like the man assumption is that that group is affiliated 0:05:12.640 --> 0:05:16.840 to the Rusian government, and like many times you know, 0:05:16.880 --> 0:05:18.760 and that we I'm sure we're gonna talk about it 0:05:18.839 --> 0:05:22.240 more in details. With cyber it's very out to know 0:05:23.560 --> 0:05:27.560 who is doing what. Sometimes it texts years to find 0:05:27.640 --> 0:05:32.520 enough evidence. Sometimes like governments know about something, but they 0:05:32.560 --> 0:05:36.160 would not necessarily like released the information because they may 0:05:36.240 --> 0:05:41.760 burn some source that they have to collect additional intelligence. 0:05:42.080 --> 0:05:45.039 So it's always like very complicated when it comes to cyber, 0:05:45.800 --> 0:05:49.120 especially with attribution. So usually you have to use the 0:05:49.279 --> 0:05:53.320 common sense. But in terms of timing, these shadow bookers 0:05:53.400 --> 0:05:58.680 were really active around twenty seventeen, which is around the 0:05:58.800 --> 0:06:02.240 time where we start to see a lot of attacks 0:06:02.279 --> 0:06:07.400 from Russia and Ukraine. Also when you say attribution is difficult, 0:06:07.440 --> 0:06:10.839 I mean intuitively, of course that makes a lot of sense. 0:06:11.080 --> 0:06:13.719 What are the type of evidence or what do the 0:06:13.760 --> 0:06:16.840 certain like fingerprints, because you hear that a lot, there's 0:06:16.880 --> 0:06:21.000 a hag and people suspect often suspect Russians, sometimes Chinese. 0:06:21.440 --> 0:06:25.080 Are there certain characteristics of attacks or certain things you 0:06:25.160 --> 0:06:29.640 look at to start to sort of engauge the origin 0:06:29.760 --> 0:06:34.600 of an attacker. Uh, yeah, definitely, Like different attackers have 0:06:34.640 --> 0:06:40.040 different motives and different groups organized that differently. So when 0:06:40.080 --> 0:06:42.960 it comes to hear when we're talking about hackers, who 0:06:42.960 --> 0:06:45.640 are talking about national states. We're not talking about someone 0:06:45.680 --> 0:06:49.000 who's like alone in the bedroom trying to haick a 0:06:49.080 --> 0:06:51.760 video game. Right, So, just to make sure it's clear 0:06:51.800 --> 0:06:54.640 for the audience, who are talking about nation states carrying 0:06:54.920 --> 0:06:59.840 uh intelligence, all military operations against other like nation states 0:07:00.120 --> 0:07:06.000 companies sometimes critically critical infrastructures. Uh So when it comes 0:07:06.040 --> 0:07:09.039 down to what it looks like in terms of fingerprints 0:07:09.040 --> 0:07:12.680 when you're doing an investigation, uh, it is a good 0:07:12.760 --> 0:07:17.320 question because at the beginning in the introdution chat, you're 0:07:17.320 --> 0:07:22.680 wondering what cyber war, cyber warfare might look like, and 0:07:22.720 --> 0:07:27.520 there's this conception that people have that cyber war is 0:07:27.520 --> 0:07:30.440 going to be like completely different, something we haven't seen before, 0:07:31.320 --> 0:07:33.160 that you know, it's just going to be like in 0:07:33.200 --> 0:07:36.160 the medieval time where you see like people riding a 0:07:36.160 --> 0:07:38.160 horse and instead of having salts, you know, they're gonna 0:07:38.160 --> 0:07:40.160 have vented us and they're gonna start stabbing each other, 0:07:40.240 --> 0:07:44.120 and then you use that as forensic evidence. The reality 0:07:44.160 --> 0:07:47.640 is we have been seeing a lot of those happening 0:07:48.360 --> 0:07:52.200 over the past years, probably more than ten years. You know, 0:07:52.360 --> 0:07:58.480 like even back in the two thousand's when China acts Google, 0:07:58.560 --> 0:08:00.480 you know that was a prettier signific come to one, 0:08:00.840 --> 0:08:03.080 and that was one of the first time we saw 0:08:03.160 --> 0:08:08.559 nation state attacking like an actual company and being able 0:08:08.680 --> 0:08:13.120 to track it. So what we have been seeing more 0:08:13.160 --> 0:08:17.000 and more is often like patterns between attacks, but also 0:08:17.080 --> 0:08:22.040 like motives. So whenever it comes to attacks on critical 0:08:22.120 --> 0:08:26.880 infrastructure in UH, let's say like Ukraine, so there is 0:08:26.920 --> 0:08:30.960 a very short list of suspects that comes to mind. 0:08:31.720 --> 0:08:34.720 Same thing when there's an attack happening like not Petya 0:08:34.760 --> 0:08:38.640 in twenty seventeen that gets that gets released on the 0:08:38.720 --> 0:08:43.040 independence day, So often, like the timing is very suspicious. 0:08:43.520 --> 0:08:46.320 Same thing with the article that you mentioned that you 0:08:46.400 --> 0:08:49.520 thought this morning, Tracy, with the asset, which is an 0:08:49.520 --> 0:08:58.719 American company, when the satellites have been like UH attacked, 0:08:59.640 --> 0:09:03.560 like the initial suspicion back so we're talking like back 0:09:03.559 --> 0:09:08.040 on February twenty four when like around the same time 0:09:08.080 --> 0:09:11.920 of the invasion. One of the suspicion was while that's 0:09:11.960 --> 0:09:15.640 happening the same day that Russia is invading a crane, 0:09:16.000 --> 0:09:18.800 so that was also one of the susipicition. So often 0:09:18.840 --> 0:09:20.680 you would use the common sense when it comes to 0:09:20.679 --> 0:09:24.120 a national state attackers, and then you would backtrack based 0:09:24.120 --> 0:09:26.920 on what you have found and see if your assumption 0:09:27.000 --> 0:09:30.480 makes sense or not. But it can be you would 0:09:30.480 --> 0:09:35.160 find a malaware that's on the on the system. And 0:09:35.960 --> 0:09:38.360 in some cases, like people kind of assumed that once 0:09:38.360 --> 0:09:40.560 you are hacked, you know, like your screen is gonna 0:09:40.640 --> 0:09:43.760 change color, is gonna become red or green most of 0:09:43.800 --> 0:09:48.880 the time, like Cyberry is often used for like intelligence gathering, 0:09:49.280 --> 0:09:52.880 so you not even know that people are in your system. Uh. 0:09:53.120 --> 0:09:57.760 In some cases it may take like years before an attacker, 0:09:58.200 --> 0:10:02.800 uh affected, So when you get hacked, a face doesn't 0:10:02.800 --> 0:10:08.680 come up on your screen and start laughing exactly. Okay, 0:10:09.640 --> 0:10:15.120 so now you know Joe um So you mentioned Matt 0:10:15.200 --> 0:10:18.719 that this has been ongoing for some time, and this 0:10:18.800 --> 0:10:22.280 is something that I've wondered about for a long time. 0:10:22.360 --> 0:10:26.719 But why, I mean, if you know that Russia is 0:10:26.760 --> 0:10:28.560 doing a lot of hacking, I mean along with some 0:10:28.640 --> 0:10:31.800 other countries like China, North Korea maybe, but you know 0:10:31.840 --> 0:10:36.880 that this is happening, why do nation states tolerated, Like 0:10:37.080 --> 0:10:42.240 why hasn't this become a bigger area of concern for 0:10:42.320 --> 0:10:45.720 the US in recent years? Or is it that it 0:10:45.880 --> 0:10:48.600 is a major area of concern? But we just don't 0:10:48.600 --> 0:10:51.440 see the response because it's all happening, you know, at 0:10:51.480 --> 0:10:54.920 the back end of technological systems and UM with the 0:10:55.080 --> 0:11:00.000 n s A and you know in sort of secret offices. Uh, 0:11:00.080 --> 0:11:04.240 it is a good question. Actually it is happening. If 0:11:04.240 --> 0:11:07.719 you go on the like the State Department website, you're 0:11:07.720 --> 0:11:12.720 gonna find a lot of indictment against like like for instance, 0:11:12.800 --> 0:11:16.760 like Russian officers that work for the g r U 0:11:17.160 --> 0:11:22.280 or other like intelligence agencies. So for instance, like a 0:11:22.320 --> 0:11:26.520 lot of the attacks on the twenties seventeen, there is 0:11:26.520 --> 0:11:31.120 an indictment where six officers are being mentioned for a 0:11:31.120 --> 0:11:35.280 lot of the damage that they have done, including like 0:11:35.679 --> 0:11:39.040 the Olympic Games that have been you know, one of 0:11:39.120 --> 0:11:43.520 the targets, including like the visitors, the host of the 0:11:43.559 --> 0:11:48.360 Olympic Games, one of the electricity grid in Ukraine being 0:11:48.360 --> 0:11:52.319 in target. Also the election in France at that time 0:11:52.760 --> 0:11:56.480 when the emails from Emmanuel mcron had been released. H 0:11:57.240 --> 0:12:00.360 t V five months also, which was a TV channel 0:12:00.400 --> 0:12:02.600 that was acted in the past, you know, it was 0:12:02.640 --> 0:12:08.760 linked to the delusion government. So the actual uh, proof 0:12:08.760 --> 0:12:11.960 and accusation have been like published. A lot of it 0:12:12.000 --> 0:12:16.720 is usually like policy work and don't done at a 0:12:16.760 --> 0:12:19.800 political level. So that would explain why it takes so 0:12:19.880 --> 0:12:25.320 much time and often very little UH can be done 0:12:25.320 --> 0:12:28.880 in a short period of time, and often what we 0:12:28.920 --> 0:12:34.000 would see in response would be sanctions on some of 0:12:34.040 --> 0:12:37.920 the governments. So it is happening, but I think it's 0:12:37.920 --> 0:12:40.880 happening at the pace where there are so many attacks 0:12:41.920 --> 0:12:45.960 happening from different countries, like you mentioned like North Korea, friends, 0:12:46.000 --> 0:12:50.360 and that had been like very active mostly for like 0:12:50.440 --> 0:12:53.680 financial gains, like we remember the attack of the Central 0:12:53.679 --> 0:12:56.440 Bank of Bangladesh for instance, where they try to steal 0:12:56.480 --> 0:13:00.120 like one billion dollars uh, and we're money launde being 0:13:00.200 --> 0:13:04.000 like happened in casinos in the Philippines. So like a 0:13:04.000 --> 0:13:06.760 lot of information is public and non around like modus 0:13:06.840 --> 0:13:10.080 apparently from like different like either groups that are working 0:13:10.080 --> 0:13:14.000 independently or like some independently like for like a national state. 0:13:15.520 --> 0:13:18.920 But it's such a complex problem that it's very up 0:13:19.000 --> 0:13:21.640 to fix a bit like conflict all around the world. 0:13:37.520 --> 0:13:41.240 So a nightmare scenario in the US. But I guess, 0:13:41.440 --> 0:13:46.280 but anywhere is this idea of they're gonna hackers could 0:13:46.320 --> 0:13:50.760 shut down critical infrastructure. Maybe the grid in New York 0:13:50.760 --> 0:13:54.200 City just goes dark because of some hack attack? Is 0:13:54.240 --> 0:13:57.240 that a realistic threat in your view? I mean that 0:13:57.360 --> 0:13:59.920 I think comes to mind or we can't log in 0:14:00.000 --> 0:14:04.160 to our banks or how like big pieces of infrastructure 0:14:04.200 --> 0:14:07.680 that could disrupt society. He is that a plausible threat? 0:14:07.800 --> 0:14:11.560 And be is that something that these types of hacker 0:14:11.640 --> 0:14:17.120 groups are could could conceivably work on? Uh? Yeah, No, definitely. 0:14:17.200 --> 0:14:20.000 And like I mentioned before, it happened in the past 0:14:20.080 --> 0:14:24.080 with the Ukrainian like power grids. It happened like you know, 0:14:24.160 --> 0:14:28.040 like in twenty fifteen and six at some point the 0:14:28.040 --> 0:14:31.080 electricity like grid was down for like a few hours. 0:14:32.440 --> 0:14:34.520 But one of the things to keep in mind is, 0:14:34.560 --> 0:14:36.560 like I asked, those attacks have been happening over the 0:14:36.560 --> 0:14:42.120 past ten years. Defense capabilities, you know also from like 0:14:42.200 --> 0:14:46.760 different companies and like countries also like became more and 0:14:46.800 --> 0:14:52.040 more um efficient because on one side you have the 0:14:52.040 --> 0:14:56.280 attack curs that are like publishing their craft and becoming 0:14:56.320 --> 0:14:58.720 more efficient. But also on the defense side, people are 0:14:58.800 --> 0:15:02.040 becoming more aware of what of attack to expect. They're 0:15:02.080 --> 0:15:04.840 becoming more resilient, like if something happens, you know, like 0:15:04.880 --> 0:15:07.760 if any incident happens, like or do you investigate it? 0:15:07.800 --> 0:15:11.000 So that's what you would usually call like incident response, 0:15:11.040 --> 0:15:14.440 but also like all the recover like a system for 0:15:14.560 --> 0:15:19.720 especially for like critical infrastructure, so regarding targeting like a 0:15:19.840 --> 0:15:23.840 critical infrastructure. So we saw it like around two weeks 0:15:23.880 --> 0:15:27.000 ago with the satellites, So with that company, Yea said, 0:15:27.440 --> 0:15:32.160 So a lot of the actual like users that have 0:15:32.240 --> 0:15:37.280 been targeted were like partly the Ukrainian military. So that's uh, 0:15:37.400 --> 0:15:41.200 one of the attempts of like interfering with the infrastructure 0:15:41.360 --> 0:15:44.880 for of like the target to like kind of slow 0:15:44.960 --> 0:15:50.320 down or make communication like more difficult. But during that 0:15:50.320 --> 0:15:53.960 that hack, you know, like unexpectedly like there's like three 0:15:54.000 --> 0:15:58.600 thousands like wind, like when the turbines in Germany that 0:15:59.320 --> 0:16:03.080 where should on you know, as like like the German 0:16:03.120 --> 0:16:08.440 government was calling it cyber collateral damage, you know. Um, 0:16:08.480 --> 0:16:11.560 so sometimes it may come in unexpected ways. But in 0:16:11.640 --> 0:16:17.520 that scenario, what it meant is the access Internet was 0:16:17.560 --> 0:16:21.920 not available anymore. But the actual electoral buying for instance, 0:16:22.240 --> 0:16:25.080 why not damaged. It is just the communication link. You know. 0:16:25.160 --> 0:16:27.920 It's like if someone would shut down like a cell 0:16:27.960 --> 0:16:29.960 phone tower, it will not damage your phone, you will 0:16:30.040 --> 0:16:33.000 just not be able to communicate. And we saw that 0:16:33.080 --> 0:16:36.200 also at the beginning of the invasion, because there also 0:16:36.280 --> 0:16:40.840 tis very weird aspect of the Russian military since the 0:16:40.880 --> 0:16:43.880 beginning of the invasion, and that's kind of why a 0:16:43.880 --> 0:16:46.960 lot of people are a bit uh skeptical on the 0:16:47.400 --> 0:16:51.240 planning and the logistics of the Russian military on that 0:16:51.360 --> 0:16:55.720 aspect is mostly around communications. They are still not necessarily 0:16:55.800 --> 0:16:59.160 like using like military equipment. They still use like an 0:16:59.160 --> 0:17:02.000 a lot of communication, but also like cell phones with 0:17:02.080 --> 0:17:06.320 like Russian numbers. So at some point some of the 0:17:06.440 --> 0:17:11.800 Ukrainian tell co Operato rejected like Russian numbers and they 0:17:11.800 --> 0:17:13.880 were not able to communicate, and that to take over 0:17:14.040 --> 0:17:16.239 a cell phone of civilians just to be able to 0:17:16.440 --> 0:17:18.919 still communicate with each other. Well, there's a lot of 0:17:21.000 --> 0:17:25.000 uh like communication aspect obviously when you conduct like a 0:17:25.040 --> 0:17:28.879 military operation so like, and that's a completely different field. 0:17:28.920 --> 0:17:32.639 You know, that's not not my specialty. But we do 0:17:32.720 --> 0:17:35.760 see it happening because cyber war on its own does 0:17:35.800 --> 0:17:38.080 not really like exist, you know, like cyber is a 0:17:38.119 --> 0:17:41.080 component of war, and that's what we're seeing now. So 0:17:41.200 --> 0:17:44.520 instead of seeing like a conventional war, we see like 0:17:44.680 --> 0:17:48.560 this hybrid warfare happening in front of our eyes, where 0:17:48.600 --> 0:17:52.080 like there's multiple aspect to it and a lot of 0:17:52.119 --> 0:17:55.320 the actual attacks that we have seen also with Russia, 0:17:55.680 --> 0:17:58.720 and that Russia is probably well known for and I'm 0:17:58.720 --> 0:18:02.920 sure as journalists you're like yeah, like familiar with it 0:18:02.960 --> 0:18:06.440 is also like disinformation and misinformation, like we have seen 0:18:07.160 --> 0:18:11.359 what they call like active measures being used for a 0:18:11.359 --> 0:18:14.919 long long time Russia today and Sputnik news have been 0:18:14.960 --> 0:18:19.000 like banned in the EU now. So it took like 0:18:19.119 --> 0:18:22.360 the invasion you know, of any Ropean country for them 0:18:22.400 --> 0:18:25.159 to shut down those media. So, like to answer your 0:18:25.200 --> 0:18:26.960 question of before like how come we don't see like 0:18:27.040 --> 0:18:31.720 more thanks response from the governments, Well, that's a perfect example, 0:18:31.840 --> 0:18:35.679 like we knew that was happening and it took the 0:18:35.720 --> 0:18:38.080 invasion of an European country for them to do something 0:18:38.119 --> 0:18:42.000 about it. Yeah. Um, I want to ask you this 0:18:42.040 --> 0:18:44.040 is it might be a tricky question, I don't know, 0:18:44.119 --> 0:18:46.840 but could you maybe walk us through a timeline of 0:18:47.080 --> 0:18:51.520 what actually happens if say a nation state like Russia 0:18:51.640 --> 0:18:56.520 hypothetically launches some store let's say some sort of malware 0:18:56.640 --> 0:19:05.359 attack on a West Earn company or infrastructure utility type 0:19:05.400 --> 0:19:09.000 thing like what happened? So the attack starts and then 0:19:09.040 --> 0:19:11.840 can you walk us through what the actual response looks 0:19:11.880 --> 0:19:17.640 like and when the attack stops. Uh yeah, I can't 0:19:17.640 --> 0:19:22.959 even give you an example. So around Christmas, there is 0:19:23.000 --> 0:19:27.560 a company called Solar Winds that was targeted. I think 0:19:27.560 --> 0:19:33.080 it targeted earned like twenty thousands of their customers. So 0:19:34.119 --> 0:19:37.840 and uh the and you have to keep in mind, 0:19:37.880 --> 0:19:41.320 so like let's say, like you have twenty thou you know, 0:19:41.400 --> 0:19:45.159 customers companies using the same software, and that was a 0:19:45.200 --> 0:19:48.240 massive problem. Uh. It means that all of them have 0:19:48.320 --> 0:19:51.080 been hacked. So what happened is what they did is 0:19:51.119 --> 0:19:53.840 what we call the supply chain attack, you know, where 0:19:53.880 --> 0:19:57.320 they managed to distribute a man issues update to all 0:19:57.359 --> 0:20:01.280 their customers and whenever that update has distributed to all 0:20:01.320 --> 0:20:05.280 their customers, that was their infection vector for all of 0:20:05.320 --> 0:20:09.920 those companies. And that was partly, like to date, the 0:20:10.000 --> 0:20:17.480 largest hack of foreign countries. That was uh your um, 0:20:18.520 --> 0:20:22.399 your scandal obviously. Uh Like the White House blamed the 0:20:23.040 --> 0:20:28.360 SVR agencies, which is like the foreign intelligence agency of 0:20:28.400 --> 0:20:35.280 Russia for that attack. Uh So in that case, Uh yeah, 0:20:35.520 --> 0:20:39.400 governments have been blaming, blaming and pointing fingers to Russia. 0:20:39.880 --> 0:20:43.840 But out of that we didn't see like Munch coming 0:20:43.880 --> 0:20:47.879 out of it. Uh in that case, and uh, in 0:20:48.000 --> 0:20:52.439 that scenario, it took one cyber security company to be 0:20:52.520 --> 0:20:55.600 a victim that I found out that they have been 0:20:55.640 --> 0:20:59.080 infected by luck, and then more and more people started 0:20:59.119 --> 0:21:03.879 to investigate and they realize, oh wow, like eighteen customers 0:21:03.880 --> 0:21:07.800 from that company have been targeting and the madaware was 0:21:07.880 --> 0:21:12.720 like spreading undetected. Our company is good at sharing cyber 0:21:12.840 --> 0:21:16.280 information with each other because it is such a sensitive 0:21:16.320 --> 0:21:18.840 topic and when you're under attack. On on the one hand, 0:21:18.880 --> 0:21:21.320 I imagine you don't necessarily want to broadcast it to 0:21:21.359 --> 0:21:24.280 the world. But on the other hand, you could argue 0:21:24.320 --> 0:21:27.479 that you have a responsibility um to your customers clearly, 0:21:27.520 --> 0:21:31.760 but also to other companies to flag a threat that 0:21:31.920 --> 0:21:37.560 is actually happening. Yeah, very good question. Actually. Uh So 0:21:37.600 --> 0:21:41.920 in the case of Solar Winds, Uh, if that cybersecurity 0:21:42.000 --> 0:21:45.280 company that was a victim of the heck, UH didn't 0:21:45.440 --> 0:21:48.400 raise the alarm saying all we found this, that's suspicious. 0:21:48.400 --> 0:21:50.680 You know, then like people photoed up and that's like 0:21:50.800 --> 0:21:55.280 you're mad where we found it present in other places? Uh, 0:21:55.480 --> 0:21:57.800 people would not have been able to conclude that so 0:21:57.880 --> 0:22:02.520 many customers were targeted. And in that scenario, like you're saying, 0:22:02.520 --> 0:22:08.360 like the information sharing was very beneficial often for cyber security. 0:22:08.440 --> 0:22:10.359 So you have like few companies that are like the 0:22:10.400 --> 0:22:16.199 anti virus providers or endpoint security companies that have a 0:22:16.200 --> 0:22:19.280 lot of visibility because of the telemetry they have on 0:22:19.400 --> 0:22:23.080 millions of machines. So for them it's pretty good too 0:22:23.520 --> 0:22:28.160 and pretty easy to see if something new like happens. 0:22:28.200 --> 0:22:31.320 You know, in the case of Microsoft now which is 0:22:31.359 --> 0:22:34.879 probably like the biggest cyber security company in the world, 0:22:35.280 --> 0:22:40.720 are ironically they're very very good telemetry before the invasion. 0:22:41.359 --> 0:22:46.760 So a wiper, which is a malaware that's designed to 0:22:46.960 --> 0:22:52.360 erase the computer, was detected. So a few different security 0:22:52.440 --> 0:22:56.920 vendors managed to detect it. Microsoft was one of them. 0:22:57.880 --> 0:23:00.160 Because that's really good telemetry, they were able to take 0:23:00.280 --> 0:23:03.600 it within like a few hours. Uh in that case. 0:23:03.680 --> 0:23:06.320 You know, like what we noticed so far when it 0:23:06.320 --> 0:23:09.719 comes to like cyber is there is a huge focus 0:23:09.800 --> 0:23:15.680 on cyber before the war become actually kinetic, so either 0:23:15.760 --> 0:23:22.240 to destabilize the enemy or to uh gather information. How 0:23:22.320 --> 0:23:25.199 often you know you mentioned and I remember that the 0:23:25.240 --> 0:23:29.480 Solar winds hack that used a patch uptake to distribute 0:23:29.480 --> 0:23:34.480 mailware too solar winds clads. How often are cyber security 0:23:34.520 --> 0:23:40.240 companies themselves the target of hackers? And this this you know, 0:23:40.320 --> 0:23:44.040 this technique of using a cyber security update PADG to 0:23:44.160 --> 0:23:47.480 distribute mailware? How common is that? And how interest in general? 0:23:47.480 --> 0:23:50.760 How much of these companies themselves the target of attacks? 0:23:52.680 --> 0:23:56.000 A very good questions? So so they are? And often 0:23:56.000 --> 0:23:58.560 does it happen for like security companies to be like 0:23:58.640 --> 0:24:03.919 targets Really happens all the time because of the assets 0:24:04.840 --> 0:24:07.680 that they have, they're like toolings, like the tools, you know, 0:24:08.160 --> 0:24:12.240 all the human resources they have, you know that could 0:24:12.280 --> 0:24:18.080 include being targeted that conference or not. Uh, Like I 0:24:18.119 --> 0:24:22.080 was like I was giving an example to to two traces. 0:24:22.160 --> 0:24:24.920 So for instance, I was supposed to give a keynote 0:24:24.960 --> 0:24:29.320 at security conference in Russia a few years ago before COVID. 0:24:29.600 --> 0:24:32.800 So when you're before COVID, and I got denied of 0:24:33.000 --> 0:24:37.560 entry uh in Russia, so at the airport. So I 0:24:37.600 --> 0:24:42.119 was not able to deliver the keynote at that conference. Uh. 0:24:42.280 --> 0:24:45.720 The official reason is because my visa was not valid. 0:24:46.560 --> 0:24:48.199 Although I told them, I was like, you're the one 0:24:48.240 --> 0:24:49.760 we shoot meet the visa. What do you mean it's 0:24:49.800 --> 0:24:52.760 not valid? You know? And that I to fly back 0:24:52.800 --> 0:24:57.320 on the next flight back to Dubai. So in that case, 0:24:57.359 --> 0:25:00.800 you know, like uh and fun. You know, like there's 0:25:00.800 --> 0:25:04.040 always stories in security conferences were like security researchers you know, 0:25:04.160 --> 0:25:07.639 like are either like being followed or like someone like 0:25:07.720 --> 0:25:11.320 quenty into like the hotel room. You know, there's a 0:25:11.320 --> 0:25:14.560 bunch of like different stories like that. So when it 0:25:14.600 --> 0:25:18.080 comes to like often like security companies or security researchers 0:25:18.080 --> 0:25:21.119 are being targets, it happens a lot. It also happened 0:25:21.119 --> 0:25:24.320 like last year where like a bunch of security researchers 0:25:24.359 --> 0:25:30.240 were like active targets by North Korean hackers mostly like 0:25:30.359 --> 0:25:33.280 to try to steal like tools from them or if 0:25:33.440 --> 0:25:37.480 if they had any exploits. So for the audience and 0:25:37.640 --> 0:25:43.800 exploit is what like groups or nation states can use 0:25:43.920 --> 0:25:47.360 to directly like target the machine so they can get 0:25:47.680 --> 0:25:50.600 an authorized access to a machine. So usually they have 0:25:51.119 --> 0:25:55.080 if you have a security nobility in the software and 0:25:55.240 --> 0:25:58.080 you have the software that can take advantage of it, 0:25:58.160 --> 0:26:00.480 that's what we call an exploit. You have different tagories 0:26:00.560 --> 0:26:03.679 of them, including what we callect zero. They exploit that 0:26:04.160 --> 0:26:07.919 even software providers and not to wear off. So that 0:26:07.960 --> 0:26:12.159 could be like Microsoft happened, and in some cases it 0:26:12.240 --> 0:26:16.679 may even not even require like any user interaction to 0:26:16.840 --> 0:26:21.040 be enabled. And in the case of the national state 0:26:21.960 --> 0:26:25.280 type of hacking, because that requires a lot of R 0:26:25.320 --> 0:26:28.480 and D, it is very expensive. Some of those exploits 0:26:28.480 --> 0:26:31.600 like go for selling the like gray market for like 0:26:31.640 --> 0:26:35.520 millions of dollars. And also like it's very complicated to 0:26:35.600 --> 0:26:38.960 do because unlike traditional weapons, that's not something that you 0:26:39.000 --> 0:26:43.560 can replicate. Each security vulnerability bug is going to be different, 0:26:44.200 --> 0:26:47.320