Transcript: Here’s What a Cyber War With Russia May Actually Look Like

Russia’s invasion of Ukraine has set off a new wave of concern about cyber attacks. Indeed, there were already reports of some in the run-up to the war—like when hackers reportedly targeted U.S. gas producers. But while worries about cyber attacks have been around for a long time, it remains hard to get a handle on the actual threat. Such attacks aren’t all that visible, and information on them is often difficult to get, or comes long after the fact. On this episode of Odd Lots, Joe Weisenthal and Tracy Alloway speak with Matt Suiche, a well-known hacker and co-founder of Comae Technologies, about what a cyber war between Russia and the West may actually look like.

Points of interest in the pod:

Matt and the Shadow Brokers — 04:09
Modus operandi of cyber attackers — 06:32
Possibility of shutting down critical infrastructure — 14:16
Russian logistics and communications — 17:03
On sharing cyber info — 21:34
The market for exploits — 23:53
On cyber attacks and cryptocurrencies — 35:18
What the U.S. and Europe can do — 39:16
On cyber’s role in warfare — 44:10
What makes a good hacker — 50:02

Tracy Alloway: (00:10)
Hello, and welcome to another episode of the Odd Lots podcast. I'm Tracy Alloway.

Joe Weisenthal: (00:15)
And I'm Joe Weisenthal.

Tracy: (00:17)
So Joe, clearly a lot still going on with Russia's invasion of Ukraine. But one of the big talking points in the past couple of weeks has been this idea of a retaliatory response from Russia, not necessarily in the sense of traditional warfare, but in the form of cyber warfare.

Joe: (00:38)
Right. So this has always been a source of concern going back for several years long before the existing conflict, what are Russia's cyber warfare capabilities? How weak is the rest of the world, how exposed is critical infrastructure and so forth. As of now, you know, I don't think this has been a huge aspect of the current conflict. Traditional, violent warfare has sort of been the story, but it is always lurking out there as a risk.

Tracy: (01:10)
Yeah. There have been some rumblings of potential attacks. I saw something in Der Spiegel this morning about possibly a hack of satellites that might have been impacting Ukraine. So there are sort of rumblings of this, you know, some accusations lurking in the background, but we haven't seen anything – let’s say we haven't seen anything major yet. And I feel like cyber security risks, it's one of those things that you always see people mention as a sort of left-tail risk. You see lots of analyst notes about it, but no one really talks about it in concrete terms. It always seems to be just this vague threat lurking in the background.

Joe: (01:52)
Yes. And I think it's in part because as you exactly say, no one precisely knows what it would look like. I mean, obviously companies are regularly getting hacked. We've seen an increase over the years in malware and ransomware and companies losing data, companies having to pay to bring factories and infrastructure back online. Of course, I think it was late 2020 or maybe early last year, there was that pipeline in the central part of the United States. So these things re-occur, but I think it's very nebulous what that risk actually looks like.

Tracy: (02:25)
So today I'm very pleased to say we are going to try to get a firmer handle on what cyber warfare risk might actually look like. And, we're going to do it maybe a little bit differently to what we normally do. But today on the show, we're going to be talking to a hacker about what it actually means to, you know, do cyber warfare, to hack into someone's systems, what the threat actually looks like and what is possible from a technological perspective.

Joe: (02:54)
I'm really looking forward to this sort of different from our normal path, but something important to learn more about.

Tracy: (03:01)
Yep. So we are going to be speaking with Matt. He is the founder of Comae, an incident-response startup based in Dubai, which is where I met him. And I have to say he's definitely an expert on all of this. Matt, welcome to the show.

Matt: (03:15)
Hi Tracy. Hi Joe. Thanks for inviting me, looking forward to talking with you about what cyber war might look like.

Tracy: (03:24)
Yeah. So you have a bit of expertise in this. I mean, not just from the hacking perspective, but there are some Russian hackers who seem to be obsessed with you, is that right?

Matt: (03:36)
Yeah, so I assume you’re referring to the group called the Shadow Brokers that mentioned me like years back.

Tracy: (03:46)
Yeah. So just for background, Matt and I met when I was working in Abu Dhabi and Dubai, and this was back when Shadow Brokers had a major attack and there was a lot of talk about them. And they allegedly were a Russian group of hackers and they seemed to really, I don't know, just focus on you, Matt.

Matt: (04:09)
Yeah, so I guess one of the main reasons for the focus at the time was mainly due to the fact that I was analyzing a lot of the documents that they were releasing. To date, that's one of the groups that released some of the most significant documents in cyber security, like probably as significant as the Snowden documents, to give some context for the audience. And as part of the release, they released operational notes and exploits that belonged to the U.S. government, particularly to the NSA, which is the main intelligence agency in the U.S., where they were exposing U.S. intelligence capabilities. So those documents were released. I was one of the main people who were analyzing them. And like you said, you know, they've been mentioning me a few times.

So far the main assumption is that that group is affiliated to the Russian government and many times, you know, and I'm sure we're gonna talk about it more in detail, with cyber it is very hard to know who is doing what. Sometimes it takes years to find enough evidence. Sometimes governments know about something, but they would not necessarily release the information because they may burn some source that they have to collect additional intelligence. So it’s always very complicated when it comes to cyber, especially with attribution. So usually you have to use common sense, but in terms of timing, the Shadow Brokers were really active around 2016 and 2017, which is around the time where we started to see a lot of attacks from Russia and Ukraine also.

Joe: (06:05)
When you say attribution is difficult, I mean, intuitively of course, that makes a lot of sense. What are the types of evidence or what are the certain fingerprints, because you hear that a lot. There’s a hack and people often suspect Russian, sometimes Chinese, are there certain characteristics of attacks or certain things you look at to start to sort of gauge the origin of an attacker?

Matt: (06:32)
Yeah, definitely. Different attackers have different motives and different groups are going to organize differently. So when it comes to here, when we're talking about hackers, we're talking about nation states, we're not talking about someone who is like alone in their bedroom trying to hack a video game. So just to make sure it's clear for the audience, we are talking about nation states carrying out intelligence or military operations – so they’re targeting nation states or companies, sometimes critical infrastructure. So when it comes down to what it looks like in terms of fingerprints when you're doing an investigation, it is a good question because at the beginning in the introduction chat you are wondering what cyber warfare might look like. And there is this conception that people have, that cyber war is gonna be like completely different — something we haven't seen before that, you know, it is gonna be like in the medieval time where you see people riding a horse and instead of having swords, you know, they're gonna have antennas and they're gonna start stabbing each other and then you use that as forensic evidence.

The reality is we have been seeing a lot of those happening over the past years. Probably more than 10 years, you know, like even back in the 2000s when China hacked Google, you know, that was a pretty account one. And it was one of the first times we saw a nation state attacking an actual company and being able to track it. So what we have been seeing more and more is often patterns between attacks, but also motives. So whenever it comes to attacks on critical infrastructure in, let's say, Ukraine, so there is a very short list of suspects that comes to mind. Same thing when there is an attack happening, like NotPetya in 2017, that gets released on the independence day.

So often the timing is very suspicious. Same thing with the article that you mentioned that you saw this morning, Tracy, with Viasat, which is an American company. When the satellites were attacked, the initial suspicion – we’re talking like back on February 24, around the same time of the invasion -- so one of the suspicions was, well, that's happening the same day that Russia is invading Ukraine. So that was also one of the suspicions. So often you would use common sense when it comes to nation-state attackers, and then you would backtrack based on what you have found and see if your assumption makes sense or not. But it can be, you would find the malware that's on the system. And in some cases people kind of assume that once you are hacked, you know, your screen is gonna change colors, gonna become red or green. Most of the time, cyber is often used for like intelligence gathering. So you won’t even know that people are in your system. In some cases it may take like years before an attacker acts.

Joe: (10:00)
So when you get hacked, a face doesn't come up on your screen and start laughing?

Matt: (10:05)
Exactly.

Joe: (10:08)
OK. Thank you.

Tracy: (10:09)
So now you know, Joe. So you mentioned, Matt, that this has been ongoing for some time, and this is something that I've wondered about for a long time, but why, I mean, if you know that Russia is doing a lot of hacking, I mean, along with some other countries like China, North Korea maybe, but you know that this is happening. Why do nation states tolerate it? Like why hasn't this become a bigger area of concern for the U.S. in recent years, or is it that it is a major area of concern, but we just don't see the response because it's all happening, you know, at the backend of technological systems and with the NSA in secret offices?

Matt: (10:59)
It is a good question. Actually, it is happening. If you go on the State Department website, you're gonna find a lot of indictments against, for instance, Russian officers that work for the GRU or other intelligence agencies. So for instance, for a lot of the attacks in 2017, there is an indictment where six officials are being mentioned for a lot of the damage that they have done, including the Olympic games that have been one of the targets, including like the visitors, the host of the Olympic games, one of the electricity grids in Ukraine has been a target, also the election in France at that time, when the emails from Emmanuel Macron had been released. TV5 Monde also, which was a TV channel that was hacked in the past, you know, it was linked to the Russian government.

So the actual proof and accusations have been published. A lot of it is usually policy work and done at a political level. So that would explain why it takes so much time and often very little can be done in a short period of time. And often what we would see in response would be sanctions on some of the governments. So it is happening, but I think it's happening at the pace where there are so many attacks happening from different countries like you mentioned, like North Korea, for instance, that has been like very active mostly for financial gains. We remember the attack on the central bank of Bangladesh, for instance, where they tried to steal like $1 billion and where money laundering happened in casinos in the Philippines. So a lot of information is public and known around modus operandi from different groups, either groups that are working independently or some working for a nation. But it's such a complex problem that it's very hard to fix -- a bit like conflict all around the world.

Joe: (13:37)
So a nightmare scenario in the U.S., but I guess anywhere, is this idea that hackers could shut down critical infrastructure. Maybe the grid in New York City just goes dark because of some hack attack. Is that a realistic threat in your view? I mean, that, I think comes to mind, or we can't log into our banks or like big pieces of infrastructure that could disrupt society. A) is that a plausible threat? and B) is that something that these types of hacker groups could conceivably work on?

Matt: (14:16)
Yeah, definitely. Like I mentioned before, it happened in the past with the Ukrainian power grids. It happened like in 2015 and 2016, at some point the electricity grid was down for like a few hours. But one of the things to keep in mind is, as those attacks have been happening over the past 10 years, defense capabilities, also from like different companies and countries, also became more and more efficient. Because on one side you have the attackers that are polishing their craft and becoming more efficient. But also on the defense side, people are becoming more aware of what type of attack to expect. They're becoming more resilient. Like if something happens, you know, if any incident happens or you investigate it. So that's what you would usually call incident response, but also like how to recover systems especially for critical infrastructure.

So regarding targeting critical infrastructure. So we saw it like around two weeks ago with the satellites, so that company Viasat, so a lot of the actual users that have been targeted were partly the Ukrainian military. So that's one of the attempts of interfering with the infrastructure of the target, to kind of slow down or make communication more difficult. But during that hack, you know, unexpectedly there were like 3,000 wind turbines in Germany that were shut down. The German government was calling it cyber collateral damage, you know?

So sometimes it may come in unexpected ways, but in that scenario what it meant is the internet access was not available anymore, but the actual turbines, for instance, were not damaged. It’s just the communication link. You know, it's like if someone would shut down a cell-phone tower, it would not damage your phone, you would just not be able to communicate. And we saw that also at the beginning of the invasion, because there's also this very weird aspect of the Russian military since the beginning of the invasion. And that's kind of why a lot of people are a bit skeptical on the planning and the logistics of the Russian military on that aspect -- it is mostly around communications. They're still not necessarily like using like military equipment, they still use like analog communications, but also cell phones with Russian numbers.

So at some point, some of the Ukrainian telco operators rejected Russian numbers and they were not able to communicate and they had to take over the cell phones of civilians, just to be able to still communicate with each other. But there's a lot of like communication aspects, obviously, when you conduct a military operation. And that's completely a different field, you know, that's not my specialty, but we do see it happening because cyber on its own does not really like exist. You know, cyber is a component of war and that's what we're seeing now. So instead of seeing a conventional war, we see like this hybrid warfare happening in front of our eyes where there are multiple aspects to it. And a lot of the actual attacks that we have seen also with Russia and that Russia is pretty well known for.

And I'm sure as journalists, you are very familiar with disinformation and misinformation. We have seen what they call active measures being used for a long, long time. Russia Today and Sputnik News have been banned in the EU now. So it took the invasion, you know, of a European country for them to shut down those media. So to answer your question of before, like how come we don't see like more sanctions or response from the government, that's a perfect example. We knew that was happening and it took the invasion of a European country for them to do something about it.

Tracy: (18:39)
Yeah. I want to ask you, it might be a tricky question, I don't know, but could you maybe walk us through a timeline of what actually happens if say a nation state like Russia, hypothetically launches some sort, let's say some sort of malware attack on a Western company or infrastructure utility type thing? What happens? So the attack starts, and then can you walk us through what the actual response looks like? And when the attack stops?

Matt: (19:16)
Yeah, I can even give you an example. So around Christmas 2020, there is a company called SolarWinds that was targeted, I think it targeted around like 20,000 of their customers. And you have to keep in mind, so let's say if like you have 20,000 customers, companies using the same software, and that was a massive problem. It means that all of them have been hacked. So what happened is, what they did is what we call a supply chain attack, where they managed to distribute a malware update to all their customers. And whenever that update was distributed to all their customers, that was their infection vector for all of those companies. And that was probably to date the largest hack of foreign countries.

That was a huge, huge scandal, obviously like the White House blamed the SVR agency, which is like the foreign intelligence agency of Russia, for that attack. So in that case, yeah, governments have been blaming and pointing fingers at Russia. But out of that, we didn't see like much coming out of it in that case. And in that scenario, it took one cyber security company to be a victim that found out that they'd been infected by luck, and then more and more people started to investigate and they realized, oh, wow, like 18,000 customers from that company have been targeted. And the malware was spreading undetected.

Tracy: (21:10)
Are companies good at sharing cyber information with each other? Because it is such a sensitive topic. And when you're under attack on the one hand, I imagine you don't necessarily want to broadcast it to the world. But on the other hand, you could argue that you have a responsibility to your customers clearly, but also to other companies, to flag a threat that is actually happening.

Matt: (21:34)
Yeah, very good question, actually. So in the case of SolarWinds, if that cyber security company that was a victim of the hack didn't raise the alarm saying, oh, we found this, that's suspicious. You know, then like people followed up and were like, oh, that's actually malware. We found it present in other places. People would not have been able to conclude that so many customers were targeted. And in that scenario, like you are saying, the information sharing was very beneficial. Often for cybersecurity, so you have like a few companies that are like the antivirus providers or endpoint security companies, that have a lot of visibility because of the telemetry they have on millions of machines. So for them it's pretty good to, and pretty easy, to see if something new happens.

In the case of Microsoft now, which is probably like the biggest cyber security company in the world, ironically, they have very, very good telemetry. Before the invasion, so a wiper, which is a malware that's designed to erase the computer, was detected. So a few different security vendors managed to detect it. Microsoft was one of them because they had really good telemetry. They were able to detect it within like a few hours. In that case, you know, what we notice so far when it comes to cyber is there is a huge focus on cyber before the war becomes actually kinetic. So either to destabilize the enemy or to gather information.

Joe: (23:22)
How often, you know, you mentioned, and I remember the SolarWinds hack that used a patch update to distribute malware to SolarWinds clients, how often are cybersecurity companies themselves the target of hackers? And this, you know, this technique of using a cybersecurity update page to distribute malware, how common is that? And just in general, how much are these companies themselves the target of attacks?

Matt: (23:52)
Very good question. So how often does it happen for like security companies to be targets? It really happens all the time because of the assets that they have, either the tools, you know, or the human resources they have, you know, that could include being targeted at conferences or not. Like I was giving an example to Tracy. So for instance, I was supposed to give a keynote at a security conference in Russia a few years ago before Covid, so one year before Covid. And I got denied entry into Russia, at the airport. So I was not able to deliver the keynote at that conference. The official reason is because my visa was not valid, although I told them, I was like, you are the one who issued me the visa, what do you mean it’s not valid? And then I flew back on the next flight back to Dubai.

So in that case, you know, and often there's always stories in security conferences or like security researchers either being followed or someone like pointing to their hotel room, you know there is a bunch of like different stories like that. So when it comes to how often security companies or security researchers are being targets, it happens a lot. It also happened last year, where a bunch of security researchers were actively targeted by North Korean hackers, mostly like to try to steal tools from them or if they had any exploits. So for the audience, an exploit is what groups or nation states can use to directly target machines so they can get unauthorized access to a machine.

So usually if you have a security vulnerability in the software and you have the software that can take advantage of it, that's what we call an exploit. You have different categories of them, including what we call like a zero-day exploit that even software providers are not aware of. So that could be like Microsoft, Apple. And in some cases it may not even require any user interaction to be enabled. And in the case of the nation-state type of hacking, because that requires a lot of R&D, it is very expensive. Some of those exploits are selling in the gray market for like millions of dollars. And also, it's very complicated to do, because unlike traditional weapons, that's not something that you can replicate. Each security vulnerability bug is gonna be different. And it requires a specific skill set to be able to find and write an exploit.

So in the case of a full-on cyber war, a lot of people were kind of expecting countries to start to use exploits like left and right at each other. But to go back to your other question, it's something that's very difficult to measure because there’s no proper unit of measure for how often it happens. When you know it happens, it's only a small subset of the information that you have. What’s happening over the past two weeks and over the next month, I'm pretty sure we're still gonna be analyzing it in three, four years. Some of the tools that have been released by the Shadow Brokers, a lot of the exploits were like four or five years old in that case. And when they got released, you know, it got a lot of attention.

Some of them have been even like repurposed into some new malware, including NotPetya, which was targeting Ukraine at the time. So it's very difficult to have, pretty ironic, it's pretty difficult to have like data on those things. And keep in mind, like what you said before, when you get hacked, you don't get some face like showing up on your screen and some guy laughing. But it is very important to highlight actually, because cyber is mostly used for intelligence. So you won’t know what your target is doing, unless you just want to steal money. You know, that's a completely different category of cyber attack. So like, do you have a clear goal, you know, where you're like, oh, OK, money's gone now. Like if a crypto exchange is being hacked or a Swift service is being hacked.

But most of the time it is for intelligence and whenever you have access somewhere, you want to make sure you keep your access. So whatever door you use to enter the machines that you have been targeting … you don't want to lose that access. And that's also one of the suspicions, there are cyber attacks happening now, probably on both sides, but we don't necessarily see them.

In January, there is a Belarusian group called the Cyber Partisans. I don’t know if you have heard about them, but they are very organized. They're all like independent, all anonymous, decentralized, around like 20 to 30 people, but what they did back in January when they started to see that Russia started to ship military equipment from Belarus, they started to target the railway system of Belarus.

And this is pretty interesting and very important to notice, because so far when you hear about independent groups, you know, kind of like counter attacking or doing something, mostly shutting down websites, changing a website, but here you have an independent group that actually managed to make a dent in a big enemy to affect their logistics. So by slowing down, by shutting down the railway system, they were able to slow down the transportation of military equipment. And the second objective, which is suspected, is also to create a doubt within the enemy, in that case with Russia, with the leadership, to ensure that the Belarusian allies were not necessarily like that reliable. But also on their side, once they realized that it actually had been hacked, to create a doubt saying, well, if their railway system had been hacked, what makes our own rail system immune to such an attack? So they would spend an additional few days or weeks investigating their own infrastructure, postponing the transportation of military equipment and assets.

Tracy: (31:21)
That's interesting. I want to ask more about retaliatory hacking, but before we do, I just wanna go back to something you said about exploits, is there a marketplace for exploits? Like, how are these things actually sold or dealt? I just have this vision in my head of like a guy with a briefcase in a hotel room, opening it up. And there's like different exploits in the briefcase, but obviously it wouldn't happen like that.

Matt: (31:48)
It depends, you know, if Nicolas Cage was selling exploits, I'm sure it would be like this. But in some cases you have to keep in mind that some of the transactions don't necessarily want to be traced. So using cash actually would make sense, using payment over like cryptocurrency would make sense, using wire transfer would make sense as long as there is a transaction for something, you know, like everything you can imagine does make sense. So like that image you have in mind, sure. It happens in some scenarios. But regarding like outside of what a transaction might look like, what the marketplace may look like, obviously it's not like a Facebook marketplace where you are just selecting what you want. So you have companies that are brokers doing this.

Some of them, you know, are quite public in the U.S. or in Australia. Usually they would work with their own governments. In the case of each government, it's gonna have different stories. Like in the case of, for instance, China, there's a competition that was organized a few years back called the Tianfu Cup, where as part of the competition they were saying, OK, if security researchers find a bug, you know, we're gonna report it to vendors, etc. But one of the exploits was actually linked to another exploit, very similar, that was used against the Uighurs. So regarding how people buy exploits, you know, there is a demand that's higher than the supply in that scenario. So most of the time the buyers are always the same, you know, it's gonna be like governments, like either NATO members or like, you know, China, like Russia, etc. So most of the main governments would just buy those exploits. I’m sure there’s still some researchers like internally finding their own bugs and writing their own exploits. But yeah, you have a bunch of brokers in different countries.

Joe: (34:28)
So I don't want to get sidetracked on this too much, but I do want to ask one question because you mentioned use of crypto for payments. And of course there seems, you know, the two sides of this question take very maximalist viewpoints. I don't really trust either. So you have governments saying, oh, crypto is just used for money laundering and crime and stuff like that. And that seems to be an exaggeration, to say the least. And then you have these sort of crypto defenders who go to the extreme and say, no, crypto is terrible for any of this stuff, because you can see it all on the blockchain. And so don't point fingers at us. As someone who is sort of watching this, where do you come down on this question? And how do people in the hacker community think about the advantages or disadvantages of using crypto for transactions?

Matt: (35:18)
Well, it depends for what. In the case of ransomware, which is malware that's gonna infect machines, encrypt files and ask for a ransom in exchange for decrypting the files, usually those transactions are happening over crypto. In that specific scenario for ransomware, cryptocurrency literally created a whole new market for criminal hackers. Because otherwise, if crypto was not around, you know, you would not see ransomware, you know, you could not ask for payment over wire transfer. Or you know, over PayPal, although I have seen some adverts for like phishing emails, you know, when they change invoices, you know, they put the fake bank account, it ends up doing a wire transfer and large amounts of money being transferred.

But if that would be the case, you know, for law enforcement, it's much easier to trace who is behind it and to find, OK, like that attacker was there. Those are like the people who pinged the account, OK … Regarding cryptocurrency in the context of Ukraine and Russia, like there's a bunch of interesting things happening. For instance, the money that the Ukrainian government has been raising over crypto, right? Like the founder of Ethereum donated, the founder of Solana donated, the founder of Polkadot donated, and they managed to buy equipment with it etc. They’re also talking about launching their own NFT campaign, you know, in exchange for support, etc.

So they are using crypto in a way that makes sense for financial transactions. But my personal opinion also, it's also like what we're witnessing is obviously there is an actual, conventional war where people are being killed in that sense. But on the other side, Ukraine has been doing very well in terms of fighting disinformation, which is widely used by the Russian government. Like when they're spreading fake news about Ukrainian soldiers being defeated to reduce the morale of the troops. Instead, what we see is Ukraine publishing news of like, oh, like, look at those farmers, they’ve been stealing a tank with their tractor and they're sharing videos that are going viral. And we see them, oh, we're using crypto to raise money, like a people from the internet, we need your support. Oh, we’re also gonna do an NFT, you know, support Ukraine. So I think it's also part of the response to Russian attacks, but not only from the actual cyber attack point of view, but also from a disinformation point of view, because if you keep the news positive around it and engage people on your side while sanctions are happening on your enemy, that's very efficient. And I think that's where Ukraine has been very innovative in how to use crypto since the beginning of the invasion.

Tracy : (38:53)
I wanna go back to Russia and Ukraine specifically. So, you know, you mentioned the one group, and its attacks on Belarusian railways. What are the options for retaliation from either the west or from independent groups who want to create trouble for Russia?

Matt : (39:16)
Well, in the case of, like, what's happening with Viasat, we have the German government saying, okay, like, we think we've been the victim of cyber collateral damage from the conflict. So they recognize they’ve been a victim of that, and I guess we're gonna see the response to it. I'm sure a lot of NATO countries are also, like, retaliating in private, not necessarily communicating about it. So like I was saying, a lot of the things we're probably gonna see more of in a few years actually, and I'm glad that the podcast is happening a few weeks after the invasion, because it also gave us some time to kind of watch what was happening instead of just speculating like, OK, are we gonna go full-on cyber war? All the countries, you know, in Europe are going to have the electricity being shut down for, like, days. So far that's not the case.

And regarding the response from the government. So there are, like, a few aspects to it. I think a lot of governments so far are also realizing that they have been over-estimating the capabilities of Russia. And that's not necessarily only from a cyber point of view, because like I was saying at the beginning, what we can see now is the poor planning and the logistics since the beginning of the invasion from Russia. In terms of cyber, yes. More can be done from both sides. But like I was saying, most of it is for intelligence. At the beginning, for instance, the satellites that were hacked, you know, were mostly to disrupt the military infrastructure.

But as we see now, two weeks later, the military infrastructure of Ukraine is still functioning pretty efficiently. So if they could have done it, they probably would have done it by now, instead of just, like, dragging the conflict on longer. But yeah, in terms of response from, like, NATO and in general for cyber attacks, you know, I think we're gonna see a lot of policy being changed, you know, over the next months, probably, like, new bills being passed, you know, now that it's becoming one of the priorities for governments that, in probably some cases, you know, didn't listen before. But I would not expect much in terms of traditional response. I think it's response in the sense that, like, OK, there is a war happening, potentially a world war. Are we gonna respond? And it's probably gonna be, like, more sanctions, like what we are witnessing now; those are part of the actual response.

And it also implies, you know, if they obviously hack NATO governments, so maybe, like we have seen Russia being disconnected from Swift, then some tech companies, you know, like Apple and Microsoft, not selling their software anymore. At the moment, it’s still unclear if software updates are still gonna be deployed in Russia, because if they are not deployed, it means they will not have access to security updates either. So far they're just talking about payments and selling. So Steam, you know, a video game company, was like that, Microsoft, Apple, you know, stopped providing access to the app store. But those are, like, the responses we are seeing so far, like Swift, mostly sanctions either by governments or major tech companies.

Joe : (43:14)
You know, we talk about Russian hacking teams, you mentioned North Korea, China. Is it safe to assume that anything that's being done by those countries, that U.S. and NATO governments have the equivalent teams and capabilities?

Matt : (43:32)
Oh yeah, definitely. I mean, one of the big releases from the Shadow Brokers was to show the capabilities of the U.S. government. And some of that was also including, you know, targets of the U.S. government. Same thing when Snowden released some of the documents. We also saw some of the targets of the U.S. government, including European telco companies. Although they're allies, they're not enemies, spies are just continuing to spy, you know, it's just, like, spying stuff everywhere.

Joe : (44:52)
So that actually leads to one question that's been at the back of my mind this whole conversation: the spies are always gonna be spying. Is it worth thinking of cyber warfare as a sort of discrete event? And so of course, when we think of conventional warfare, there's often a start, there's an invasion. Maybe there's a cease fire, hopefully at some point soon the war ends. Is cyber warfare an event, or is it just a sort of ongoing, persistent element of the interaction between nations these days that doesn't have any sort of, like, start or end?

Matt : (44:52)
I would say it's a component of war. So at the beginning I was talking about, like, hybrid war versus, like, conventional war. And mostly it is used here for intelligence gathering. So to collect information on troops, enemies, capabilities. It may be used for disruption, like we've seen with the satellites a few weeks ago, or with the Cyber Partisans in January. But in that case, working as an independent group, because their goal is, like, to protect the Belarusian democracy. So it may have some strategic objectives, like in the case of the rail system in Belarus. But it may just be intelligence. And I think here it is mostly used for intelligence. For disruption, it does not make that much sense once you enter kinetic mode, because if you have soldiers physically present in the country, you can just shut down cell-phone towers.

You can engage in electronic warfare. You can start jamming whatever ways of communication there are. So you don't necessarily need to use cyber. Cyber makes sense before the kinetic war happens, because you're gonna collect information. You may do some light disruption, but at some point, once the war is starting, it becomes more of a conventional war where, well, you need a winner and a loser, you need an agreement, or you have, like, a ceasefire. And then cyber is kind of like this background element, depending on if you include, you know, disinformation, propaganda and misinformation as part of cyber or not. Because, as we can see now on social media, a bit like when the Arab Spring was happening, when a lot of people were sharing information on Twitter, now we can see people sharing a lot of information on Facebook, Instagram, Twitter, around the war, like the donations, those stories, you know, like those stories I was telling about the tanks being stolen and being shared, going viral, that's part of the information warfare. And that's a very new component because things like TikTok, etc., weren’t used in the past and now they’re also having, like, their role within this information warfare.

Tracy : (47:37)
Does that mean that those of us sitting in the U.S. or Europe, we don't need to be worrying about an attack on critical infrastructure that suddenly takes away our electricity or empties out our bank accounts or something like that?

Matt : (47:53)
Yeah, no, I would not be worried about it. And even if it would happen, you know, I'm sure, you know, electricity would be down for a very short period of time, because there are processes in place on how to recover systems, just like if something is faulty, especially for, like, critical infrastructure. So I would not really worry. One of the big stories regarding critical infrastructure was the Stuxnet story, which is more than 10 years old now, back in Iran. When that joint operation between Israel and the U.S. was targeting one of the nuclear centers. They kind of just stopped it, and back then, you know, like, some movie came out, what's the name, with Chris Hemsworth? “Blackhat.” You know, where there's this nuclear center that’s exploding at the end, etc. It's like the Hollywood version.

But in reality, OK. Like, it's down, you know, what are the guys doing? You know, because they already have processes in place. And if you’re the U.S. or Europe, you definitely, like, plan for faulty issues, regardless of if it's, like, cyber or something that's not working anymore. In terms of money being drained from your account, although you won't have your money, like, being drained directly. But you know, stock markets are gonna go down now, or is it gonna affect, like, you know, the inflation? Like you can see it with the ruble now, like, it's completely crashing. So technically, money is not running out of your account, but, you know, you can do less with your money, or whatever you have is less valuable, you know? So I think that's kind of like one of the side concepts that we would see.

Joe : (49:33)
Last question for me is what is the skillset of a good hacker and thinking about, OK, if you're Russia, or any government, and you're recruiting, what do you look for? What makes a good hacker?

Matt : (49:44)
Well, I just want to clarify I'm not recruiting like hackers for the Russian government, you know,

Joe : (49:51)
Of course, of course, of course. What would they be looking for or what would any government be looking for?

Matt : (49:57)
Yeah, yeah. Or, like, private companies?

Joe : (50:01)
Yeah, or private companies.

Matt : (50:02)
Most of the really good security researchers I know are just either independent or working for tech companies, because they tend to pay the best. You work on building cool technologies. Usually, if people are really good, they just end up doing a lot of research. So you want to work with the very, very best, and, you know, it's a field that's moving so fast that at the end of the day, you know, you need to surround yourself with the best, otherwise you won't learn — like everything, right? So there is no equivalent of, like, WallStreetBets for hackers per se, you know, where, like, people are just sharing random information around. But in terms of skillset, you know, I keep reminding people that hacking, or being a hacker, is a skillset first, you know, it's not an ethical or political position. That comes secondary.

Like if you're a lawyer, you know, you don't ask him if he's, like, ethical or unethical, and we've seen in the past with, like, the Panama Papers and all those things, you know, you could ask the question as well for, like, lawyers. But yeah, most good security researchers or hackers, you know, they all have different backgrounds, different skillsets, because it can go from physical security to radio frequency to software security, hardware security, open source intelligence, you know, we see more and more people, even, like, groups, you know, like Bellingcat, you know, that’ve been tracking a lot of the military activity from online resources, you know, like on the different groups. Those are all, like, different fields that come from information security. Everyone who is curious and likes to put the time into the research is a good hacker, you know, I've seen journalists who are really good at doing their research, you know, etc. They sometimes have more knowledge and more skills than some actual professionals. So it's really something that's very much across multiple disciplines.

Tracy : (52:18)
Well, Matt, I think that's a good place to leave it. Thank you so much for coming on Odd Lots and spending time with us to explain hacking and what it could actually look like in this context. Thank you!

Matt : (52:29)
Thank you.

Tracy : (52:45)
So, Joe, I really enjoyed that conversation. I don't think we talked about it, but the Shadow Brokers actually called Matt a fun guy at one point. And he is a very fun guy. He's really good at explaining some of the more technical aspects of this, but I thought his framing of cyber as a component of conventional warfare, I mean, that seems right at least so far, given what we've seen so far.

Joe : (53:11)
I think that's right. Or let's put it this way. I found that to be really helpful, because when you think of cyber attacks, I think we often have these very dramatic visions of some big grid being taken down. And obviously that's possible. And he mentioned examples, like the Belarusian railway and the Ukrainian grid, but the more common impulse is intelligence gathering. And that's the big thing. Collecting data is sort of a useful way of thinking about its role.

Tracy : (53:44)
Yeah. And the other thing that it sort of coalesced for me was the idea that a lot of governments have been tolerating these attacks for a long time. And this seems like a crunch point, at least when it comes to Russia, right? Like, I was reading, Goldman Sachs put out a note right before we came on to record, talking about cyber warfare, and they had a stat there, something like 60% of state-sponsored cyber attacks are thought to have come from Russia, which seems extreme. But for some reason, no one really did anything about it. There were some sanctions in place, but now we've seen a very dramatic form of sanctions rolled out, and it seems doubtful that that kind of behavior is gonna be tolerated going forward.

Joe : (54:31)
Yeah. But on the other hand, it's so nebulous, it's so difficult to know what you're gonna do about it. And the point, you know, as Matt was saying, attacks that are happening right now, which are certainly going on, we’ll be talking about in three or four years perhaps, or what we learn about them, and how difficult it is to know often when you're being hacked or what the scope of the damage is. And that element is very different. I think he used the word metrics, but this idea that we have metrics to measure the devastation of conventional war. We don't have, and it seems very implausible that we would have anytime soon, sort of equivalent metrics for cyber warfare.

Tracy : (55:15)
Yeah. It seems like it. All right. Well, shall we leave it there?

Joe : (55:20)
Let's leave it there.

You can follow Matt Suiche on Twitter at @msuiche