Anna Delaney: Hello, this is the ISMG Editors' Panel. I'm Anna Delaney and this is our weekly discussion and analysis of the latest cybersecurity stories. And with me this week are Matthew Schwartz, executive editor of DataBreachToday and Europe; Rashmi Ramesh, senior sub editor for ISMG's Global News Desk; and Tony Morbin, executive news editor for the EU. Wonderful to see you.

Tony Morbin: Good to see you.

Rashmi Ramesh: Thanks for having us.

Anna Delaney: So Tony, where are you today? Intriguing!

Tony Morbin: Oh, it's pretty generic, but it's about satellite communications. And so you know, as I speak, you'll understand why.

Matthew Schwartz: Is this you contacting Mothership, Tony?

Tony Morbin: Absolutely, yes.

Matthew Schwartz: Excellent!

Anna Delaney: Talking of ships, I don't know if that's a great segue. But Rashmi, you're outside. There's some water.

Rashmi Ramesh: Yeah. So I'm in a city, it's called Talakadu, which is about a three-hour drive from Bangalore where I live. So you basically have to walk through the woods to get to temples that were buried in sand, centuries ago. And as you walk on, you get to the riverbed behind me. So it has like, you know, people have excavated artifacts about 4,000 years old from here.

Anna Delaney: Impressive! Were you there recently?

Rashmi Ramesh: I was! I was there about three weeks ago. I also, you know, went on one of these boats they call Cork boats. I think you have them in Britain as well, or had them in Britain at some point. They're made of bamboo and they're so much fun to ride.

Anna Delaney: Hey, they sound fun. That's great. And Matthew, very residential, perhaps?

Matthew Schwartz: Very residential. This is a little getaway recently in Fife, in the center of Scotland. It was raining. I know that is an astounding surprise, never happens here in Scotland. But lovely to get away. Just farm fields. You can see the pockets, but there's all pockets and also some sheep.

Anna Delaney: Lovely, and we're keeping it fairly local then this week because I'm in London at the iconic London Eye. Just thought I'd warm us up for our London Summit coming up in a couple of weeks. There you go! So Matthew, let's start with ransomware, why not? I hear that Conti, there's a bit of chatter on Conti this week. Why is that?

Matthew Schwartz: So there is a little leak in Conti's recent past. At the end of February, a Ukrainian security researcher got his hands on internal communications and source code for the Conti ransomware-as-a-service operation. Now, if you're a journalist or into threat intelligence, or anyone who's interested in ransomware, the leaks are really interesting reading in terms of how one of the most virulent, if you will, ransomware operations today operates. Now, to learn from these leaks, we're relying on security firms, security experts, and researchers, who have been going through the Russian-language communications and giving us translations. So kudos to them. And like I said, the leaks came out at the end of February, but we're still seeing really interesting research and insights into what they contain, and what's going on. So as these reports continue to get released, and interesting new trends get drawn out, I've been continuing to document them. And one of the interesting things for me is, if I may quote a Beatles song, Conti does buy a little bit of help from its friends. Although friends might be overstating it. As I said in my piece, they beg, borrow, steal or do whatever else in pursuit of their illicit profits. So cybercrime, the imperative remains to make money, and you'll find organizations doing that any way that they can that's probably easy, won't get them into too much trouble, and gives them the most amount of profit for the least amount of work. So what we see here, which is fascinating to me, are little things sometimes. Like Conti looking at the ransom note from Ragnar Locker, which I don't know if you remember it, but it's interesting because Ragnar Locker threatened any victim who reached out to police or professional investigators. It said, if you do this, we will immediately leak all of your data. So scare tactics, right? Because the likelihood of them knowing that you had contacted the FBI for help, provided you took appropriate measures, perhaps not using the email that the ransomware gang had compromised, provided you did that, they shouldn't really know the FBI was involved. But we see them when it comes to trying to pressure victims. There is a lot of non-tactical tactics brought to bear. So I just thought that was fascinating. They liked the wording of this ransom note and so the leaked chats from the internal Conti people basically say, steal it, we're gonna use that from now on. Other interesting details: the leaks have revealed a lot of back and forth with other groups. And we saw some of this from the outside, we might see or we might have seen a victim, supposedly, who got hit by one group. But the stolen data was being cross-posted on somebody else's ransom site. So it looks like there was kind of some cartel activity, these different groups working together. The leaks provide a little bit more information on that. Look at, for example, the Maze group. Supposedly Maze, which went away at the end of 2020, was in discussions with Conti or possibly Conti's predecessor, Ryuk. The leaks have revealed very close ties between Conti and Ryuk. And again, this isn't a huge surprise because security experts said Conti's code appeared to be based on Ryuk's. But it wasn't clear how they might have gotten that. Did they hire a developer, for example? According to the leaks, it looks like there was extremely high-level access, at least some high ups in Conti knew some high ups in Ryuk, maybe because they'd all been part of the same organization. Organizationally, another really fascinating takeaway is that the person codenamed Stern, who runs Conti, which has about 100 employees, Stern appears to have extremely close ties with Russia's FSB, a law enforcement agency. There's multiple references to how Stern is in really tight with the Russian government, works for Putin, I think, in a general sense, is the implication there. But these leaks have also revealed extremely close connections, it seems, between this Russian-language ransomware group and Russia's law enforcement and intelligence apparatus. We suspected this, but the leaks provide real proof that this is actually the case.

Anna Delaney: Fascinating! So Matthew, how damaging have these leaks been to the group?

Matthew Schwartz: Yeah, unfortunately, there seems to have been no fallout, no damage that we can perceive. Conti's attacks don't seem to have decreased. The spilled source code, as far as I can tell, doesn't appear to have given anti-ransomware firms or security firms a leg up on combating its attacks. Now perhaps it's happening quietly? That would be wonderful, if so, but definitely, we haven't seen the quantity of Conti's attacks go down. So well, it's interesting, I'm not seeing an impact.

Anna Delaney: And you say it's gone up?

Tony Morbin: Yeah, 50 in the last month, I believe, including the huge one on Costa Rica.

Matthew Schwartz: The government of Costa Rica, and then Peru's intelligence agency, supposedly, is just a victim. So like Tony says, we do know, to an extent, the victim count. But Conti, like other groups that run data leak sites, only names victims who haven't paid, and it doesn't always name them all. So we never have an accurate sense of who all it's hit. And in fact, the leaks have revealed, I think, close to 100 victims that had never come to light before publicly who had paid Conti. I think most of them had paid Conti. Anyway, so lots going on that we don't know about. But definitely, like Tony said, a huge number of victims still coming to light.

Anna Delaney: Never stops, does it, Matthew? So Rashmi, coming to you, our next story is on cryptocurrency mixers. And I know that Conti has not been impartial to using a few mixers, particularly Blender.io. So Blender has been in the news this week. What's up?

Rashmi Ramesh: So the Treasury recently sanctioned its first virtual currency mixer itself, Blender, and it was part of its move to actually curb illicit activity by North Korean state-sponsored actors who used this mixer to launder stolen virtual currency. So a quick summary: Basically it takes cryptocurrencies, breaks them up into smaller pieces, mixes the pieces up with other clean coins, and then redistributes random increments of tumbled coins to designated cryptocurrency wallets at random times. So this is basically done to make it harder for law enforcement to follow the flow of funds on the blockchain and trace it back to them. So back to Blender, it was actually used by hacker group Lazarus to launder a small portion of the $620 million it stole from Axie Infinity, which is by far one of the largest, if not the largest, virtual currency heists recorded. So the Treasury Department said that the mixer was being used to launder money stolen from crypto exchanges and also other financial institutions to generate revenue for developing unlawful weapons of mass destruction and ballistic missile programs. And it's not just North Korea. Blender does not have borders. It has also facilitated money laundering for ransom by groups that Matt spoke about: Conti, Ryuk, and also TrickBot, and Sodinokibi. So, the US has taken measures against tumblers in the past, but this is the first one that is sanctioned.

Anna Delaney: So just to be clear, a mixer is not illegal. It's just the lack of compliance controls.

Rashmi Ramesh: Yes. You also have centralized mixers. You have decentralized ones, ones that have, you know, anti-money laundering laws baked into it. So not all of them are illegal, of course.

Matthew Schwartz: It's a huge tool for money laundering, not just if you're a cybercriminal, but also drug cartels, anybody else who wants to try to launder money. These have been widely used tools.

Anna Delaney: How do you think criminals will adapt? And I'd love your thoughts. And, Matt, I'm sure you have thoughts as well, because a Bitcoin mixer is not the only way to obfuscate the transactions. So how will the criminals evolve and adapt?

Rashmi Ramesh: I mean, we've seen in the past that they've usually been really quick to adapt whenever law enforcement has taken steps to curb illicit crime. But with, you know, lawmakers finally recognizing that this is something that you do need to pay attention to, and they are paying quite a bit of attention too, here's hoping that they're one step ahead of the cybercriminals.

Matthew Schwartz: Yeah, we see a lot of efforts to get exchanges and other services involved in cryptocurrency to comply with existing regulations, know your customer rules, and also anti-money laundering rules. So if you run a mixing service, and you comply with those rules, then the government is not going to come after you. But to your question of how are criminals going to respond if they can't easily obscure the trail of their Bitcoins. For example, if you're North Korea, as Rashmi noted, attempting to launder millions to fund your weapons of mass destruction program, among other things, what do you do? And we've been seeing more groups look to Monero because that's a privacy coin. And you don't actually need a mixer with Monero because it's already difficult to trace. So ransomware groups will sometimes ask for Bitcoin or Monero. And if you pay with Bitcoin, they'll charge you a premium, usually anywhere between 10% and 20%, which covers their mixing charges. So they're baking in the price of needing to obscure where the money goes. So I think we'll maybe see more use of things like Monero. Not that it's necessarily as easy to procure or as easy for victims to pay. So there's a bit of a cost-benefit analysis there for criminals, but I think more Monero is definitely on the cards.

Anna Delaney: We will watch that closely. Thank you both. So Tony, the Ukraine-Russia crisis, the war continues. What are we seeing on the cyber activity front?

Tony Morbin: Well, in addition to condemning Russia for its unjustified and brutal invasion of Ukraine, yesterday, we saw the EU member states, the UK, US, and allies, all confirming and condemning Russia for conducting malicious cyber activity against Ukraine. And they were particularly focusing on the satellite KA-SAT network operated by Viasat that was attacked an hour before Russia's invasion of Ukraine. Part of the concern obviously, in addition to the attack on Ukraine, is that it also disrupted wind farms and internet users in Central Europe. There were tens of thousands of terminals damaged, made inoperable, and they just can't be repaired. So this move exacerbated existing concerns that cyberattacks targeting Ukraine, including its critical infrastructure, are spilling over into other countries and could cause systemic effects putting citizens and other countries at risk. In various meetings yesterday, we had different senior people condemning the actions. There was US Secretary of State Antony Blinken, blaming Russian military hackers for a whole series of data-wiping attacks on Ukrainian government agencies and companies prior to the invasion of Ukraine, and significant DDoS attacks, wiper activity, and various other cyberattacks really keeping Ukraine really busy since then. The other concern is that any malware tools deployed in Ukraine might not stay in Ukraine, even accidentally, as we saw with NotPetya. So once you set these things out into the wild, you don't know what's going to happen to them. So again, the EU, UK, US allies announced that they're considering further unspecified steps to prevent, discourage, deter, and respond to this malicious activity in cyberspace. We also got some more details on what had been done previously with the US Agency for International Development, saying how they've been providing hands-on support to Ukrainian government agencies and critical infrastructure. That was including the FBI briefing Ukrainian officials about Russian intelligence services' hacking operations, receiving leads themselves on cyberthreats for the FBI to investigate. It was a ramping up of a 38 million cybersecurity reform program from USAID to strengthen Ukraine's cybersecurity, its legal regulatory environment. They embedded 20+ technical experts, this was from back in 2020. And really improving their cyber response and recovery. Other people affected by the fallout of this whole war include the people like Russian-linked products and services providers, such as Kaspersky, with the UK and the US advising individuals and organizations to immediately review any use of Russian security products or services, and there are government agencies banned from such use. And then at yesterday's CYBERUK conference in Wales, Jeremy Fleming, the director of Britain's GCHQ, noted that despite the absence of a cyber blitzkrieg in Ukraine, there has been plenty of cyber activity around that has been attributed to Ukraine. And he also confirmed the spillover activity into other countries and affecting other countries, saying that he'd seen evidence, GCHQ have seen evidence of Russia's cyber operatives continuing to look for targets in countries that oppose their actions. Of course, the whole issue has been blurred as well, by hacktivists supporting either side, making attribution of attacks difficult, with Russia-based ransomware gangs supporting Russia, Anonymous collective supporting Ukraine. This is a strange positive knock-on effect of the war. Rob Joyce, director of the US National Security Agency's Cybersecurity Directorate, told delegates there's actually been a reduction in the quantity of ransomware attacks in the last month or two. And he was suggesting that, you know, as the sanctions have increased, it's made it harder to move money. Okay. Ironically, Rashmi was saying it was Ukraine that got out; it was Korea that effectively was the impetus for that move. But it's become harder to buy infrastructure in the West. And that's made it less effective for the attacks. As Matt was saying, that doesn't mean that the ransomware gangs are going away. And as we saw, you know, we mentioned Conti having done, you know, 50 attacks in April. So, you know, it's including the huge one on Costa Rica. And, of course, the threat of cyber retaliation beyond Ukraine hasn't gone away. So just as we saw Russia, its big error was underestimating its opponent. We shouldn't underestimate Russia's ability. And many are suggesting that we haven't actually seen Russia's A-game in cyber, because it's using it more as a deterrent effect. And if it actually uses it, then that deterrent effect is kind of gone.

Anna Delaney: Great overview, Tony. I mean, certainly, any organization and critical infrastructure has got their hands full at the moment. Do we have any ideas as to whether or how the CISA campaign, the Shields Up campaign, has done? Have organizations listened and put their shields up?

Tony Morbin: I think that, again, it's kind of preaching to the choir: those who are good have done more and got better. Those who are less aware aren't listening. So there have been definite improvements in critical infrastructure. So the people who are listening, so yes, you know that there have been some really good things. But of course, supply chains mean that you have to get further down your chain, and so supply chains will be the weak link in that.

Matthew Schwartz: At the CYBERUK conference yesterday, Abigail Bradshaw, who leads Australia's, I'm going to probably get the name wrong, but their cybersecurity agency. She noted seeing a big increase in companies not just requesting briefings to their board, but that the briefers stick around for when the chief security officer briefs the board. And then the Australian cybersecurity officials stuck around to give them feedback on the quality of their controls. So she said, at least at some organizations, the business resilience and planning and incident response discussion was far elevated from what she saw even just a year or two ago. So that's good news.

Anna Delaney: Finally, some good news. Okay. Well, I think we'll be continuing all of these conversations down the line for sure. So final question to you all. We are nearly half a year into this year 2022. Looking back over the past nearly six months, give me one word to describe what this year has been in cybersecurity. Busy?

Tony Morbin: Explosive rather than busy.

Anna Delaney: Explosive, dynamic.

Matthew Schwartz: Surprising, not least with the Russia-Ukraine war. It just continues to surprise me.

Rashmi Ramesh: Yeah, I would probably say unprecedented.

Anna Delaney: That's been a word for a while now. But it applies this year as well. Well, thank you for that, those gut instincts. No one said it was pleasant, jolly, calming. We must be doing something wrong. Thank you very much, Matt, Tony, Rashmi. Always a pleasure.

Matthew Schwartz: Thanks, Anna. Enjoy the Eye!

Tony Morbin: Thank you, Anna.

Anna Delaney: Take care. Thank you very much for watching.