Episode 146
Episode Transcript
Speaker 1 00:02
This is CyberSound, your simplified and fundamentals-focused source for all things cybersecurity.
Jason Pufahl 00:10
Welcome to CyberSound. I’m your host, Jason Pufahl, joined by Michael Grande, the Vancord CEO. Hey, Mike.
Michael Grande 00:19
Hey, how are you?
Jason Pufahl 00:20
And Patrick Wallenhorst, a member, kind of a newish member, actually, of our Virtual Information Security Office team. Thanks for joining.
Patrick Wallenhorst 00:30
Sure. Happy to be here.
Jason Pufahl 00:32
So, it can’t be but two-ish weeks ago, he did a webinar where we discussed the, essentially, geopolitical landscape and really how unrest in some of these events actually inform some of our thinking on it from a defensive standpoint, but also how they shape cybersecurity attacks globally. And really, I thought it was a really germane topic, of course, given everything that’s going on. And it felt really relevant to bring it up here again. We’ll probably reference at the end a link to the webinar if people want to look at that, and I think, likely, we can put the presentation available. But I wanted to keep it a little bit more conversational than that formal and traditional webinar format. So maybe, Pat, if you can, just spend a second on your background.
What makes you somebody who can speak to this topic? And then we’ll kind of jump in.
Patrick Wallenhorst 01:32
Sure. So, Patrick Wallenhorst, relatively new to the Vancord team. I spent my early career as an army officer, started in the infantry side of the house in the combat arms, eventually moved it over to intelligence, and I was very fortunate to be able to go to the Army Counterintelligence School. I became a Badging Credentialed Agent and got to work counterintelligence operations for a few years, working national security investigations and counterintelligence in the Army. They work the insider threat for the Army.
So, individuals coming into the military with the sole purpose of stealing secrets and then kind of at broad, you know, in intelligence versus intelligence. You’ve probably seen movies and things about how the U.S. intelligence works and how we collect things. So you can assume our adversaries are doing the same things. And it was our goal to prevent and counteract those things. With that, following my military career, I moved into cybersecurity. Got my start kind of translating my intelligence experience into threat intelligence and really focusing on the dark web and kind of how the dark web threat actors operate, how they’re organized and that has propelled me into the greater cybersecurity world as a whole. So that’s a quick look at my background and where we are today. I was heavily involved in monitoring threat intelligence at the onset of the Ukraine conflict and seeing a lot of similarities of kind of how that conflict geopolitically spilled into the cyber realm and how that looks with the current conflict in Iran as well.
Jason Pufahl 03:09
So you brought it up. I’m going to ask because you said, you know, similar to what you see in the movies. When I think of the movies, right, I think of, you know, if you’re in intelligence, the room’s pretty dark. There’s probably a hundred monitors, all with, you know, black screens and green letters. Is that the environment you lived in, or was it a little bit more drab than that?
Patrick Wallenhorst 03:29
A little more drab. Depends where you are. But yeah, it’s a lot of rooms with no windows in classified areas, but also not as exciting, I hate to break it to everyone, as the movies.
Jason Pufahl 03:42
Every movie makes it look real glorious.
Patrick Wallenhorst 03:45
So, yeah, no, one of the things at the schoolhouse they tell you is you will not become a J.B. at the finish of the school, and everyone’s like, what’s a J.B.? It’s your Jason Bourne, your James Bond. So they make sure we all know that.
Jason Pufahl 03:58
That’s funny.
Michael Grande 03:59
Yeah. I wasn’t sure if there was a Jack Ryan reference somewhere, you know.
Patrick Wallenhorst 04:03
Yeah, I guess. Yeah.
Michael Grande 04:05
He may have been Navy. I’m not sure. But yeah, I got it.
Jason Pufahl 04:08
But they can always have a successful counterattack in, you know, 15 seconds every time.
Patrick Wallenhorst 04:13
That’s right.
Jason Pufahl 04:14
Yeah. Every day.
So do you mind maybe starting, you know, let’s talk a little bit about Operation Epic Fury, you know, kind of how things started, where you think things sit today and what some of the risks might be coming out of that.
Patrick Wallenhorst 04:31
Sure. Yeah. So I think, as everyone knows, late February, the United States launched a kinetic attack into Iran, took out their leadership pretty effectively and quickly. And really, within hours, the cyber aspect of the conflict kicked off. Telegram, which is a very popular platform for threat actors to use, saw a flurry of activity and organization, too. And you saw that from hacktivists, really, which, you know, is a term that became popularized during the Ukraine conflict. Not sure if it started there or not. And, you know, that’s really where people with the skills to conduct cyber activity organized together in terms of completing an ideological goal, in this case, fighting against Western nations and primarily Israel, launching DDoS attacks and things. And then, you know, as the weeks kind of went on, you saw criminal organizations kind of get into the fight, leveraging social engineering attacks that are, you know, surrounding the conflict as a launch point for maybe a ransomware or a financial opportunity of a data breach or something. And then, you know, the waters get muddy pretty quick between who’s supporting these threat actors. Having a hacktivist group that can leverage cyber attacks on Western nations is kind of like the greatest cover ever for an intelligence operation. It gives you deniability immediately to be like, well, yeah, those are criminal actors. We have nothing to do with it. But, you know, they’re attacking U.S. critical infrastructure and providing intelligence back. So, yes, hacktivism is a real thing. Is it state backed? Probably. But the attribution of that is very difficult. But immediately the attention amplifies with a kinetic war in the cyber realm. It overlaps a lot, really.
Michael Grande 06:33
Patrick, you mentioned sort of DDoS attacks that were prevalent following that. Are there any sort of focused infrastructure targets or any particular targets that some of these groups pursue first? Or is there an order of operations that there’s a consistency to?
Patrick Wallenhorst 06:52
Sure. So I think the criminal organizations are pretty opportunistic. They’re looking for the quick financial gain. There’s also, on the criminal side, too, there’s been a historical view of they want to hit the big finance, but they don’t want to disrupt too much and bring too much heat on them. If you saw or remember the Colonial Pipeline attack, that gained so much traction with the federal government and FBI going after these threat actors that they kind of walked it back and actually gave back some money, if you look into kind of how that played out. So there is an honor code, if you will, albeit a twisted one. But in terms of, I would guess that the Iranian government has a list of critical infrastructure and things that they are aware that they can target. And then it becomes like an escalation of force. I mean, they know if they attack our power grid, we’re going to respond to that. And one thing the United States is really good at is our offensive cyber capabilities. Obviously, we can’t dive too deep into it, because I don’t even know the full extent of them. But both in Iran and in the Venezuela attack that we saw, the internet in those countries both went out. And that was not due to a kinetic strike or a missile hitting critical infrastructure. It was an offensive cyber attack. So there is give and take. And they understand that we have capabilities that we have not shared. And they’ve also seen, Iran in particular has kind of seen the full force of cyber capabilities in previous attacks. So what they can do, what they’re willing to do, and what they’re able to do are all probably, you know, different categories at their disposal.
Jason Pufahl 08:36
It’s interesting the statement that it sort of mimics traditional warfare, right? Really, you have to be careful, you know, how aggressive you are, because you’ll have a retaliatory response that is similar, right? So you’re still mindful of that.
Patrick Wallenhorst 08:50
Yeah. And kind of going back to what I talked about in my beginnings of my military career, that was more combat arms focused and kind of the military strategic view of it. Cyber is now a layer into that thought process. So if we’re talking, and on all sides, so you’re talking about launching some sort of military conflict, there is a cyber element at every turn of that. So whether that’s critical infrastructure here in the United States, whether that’s ships, capabilities, and targeting systems, I mean, it’s involved in every aspect of conflict.
Michael Grande 09:28
Sort of skipping around a little bit, I guess, but you’re going back to sort of Russia-Ukraine conflict, and that has been ongoing now for, I think, are we not quite in four years?
Patrick Wallenhorst 09:40
Yeah, four years now.
Michael Grande 09:43
And so are there sort of ebbs and flows of how sort of one nation-state’s ire could be focused at different times and based on sort of, you know, maybe allies that are assisting in one area or providing weapons, and then we see an increase in attacks against different infrastructure or business. And then I guess the second half of this, and this is probably a much longer answer, but is, you know, how does that impact sort of small organizations, you know, middle market businesses, maybe not large enterprise with huge notoriety, you know, and what are the things that we should be looking out for?
Patrick Wallenhorst 10:25
Sure. Yeah, the answer is, are there ebbs and flows? Yes.
And you saw, again, you saw it immediately with the organization of hacktivism across Ukraine. There’s basically a call to arms on both sides, Ukrainian hacktivism and Russian hacktivism spikes. And quite literally, when I’m talking about these Telegram channels, they’re recruiting on these to bring in more threat actors or cyber actors, however you want to label them. And then I think that just kind of escalates, you know, I think in the Ukraine conflict, Russia has always been good at leveraging the criminals within their borders to act on behalf of the government. When you talk about other state actors like China, they don’t really need to do that because they have such a robust military cyber force that they don’t need to leverage any sort of criminals, and their control on the Internet within China is so much more restrictive than Russia. So yeah, you do see that scale. And then from a criminal standpoint, you see that being broadly influenced as well. I think in the webinar we talked about on these dark web forums, which are, you know, breeding grounds of criminal activity that also are educational for activists or threat actors, someone that starts off with, you know, maybe knowing how to build a really minor malware and doesn’t really know how to deploy it. They get onto these forums and within a year they’ve, you know, leveled up their skill set.
Well, you also see the criminal organizations leveraging different types of things. So at the onset of the Ukraine conflict, Russia was losing soldiers at a rapid rate and they didn’t have the support from their populace to continue bringing in soldiers. People didn’t want to join the military, so they started drafting folks.
Well, almost immediately criminal organizations started providing fake documentation so military age men could get out of the country or say they’re Polish or whatever and cross borders and things. So they really leverage every aspect. And then in terms of the second question, and this is a very important point, and this was kind of the driving force behind the webinar, is when these geopolitical events kind of skyrocket and you start getting FBI warnings saying there’s a heightened state of, you know, focus right now and we need to be aware. It’s true and we do need to be aware, but also you need to remain level-headed, and really it doesn’t matter where the threat’s coming from, if it’s an Iranian hacktivist or a Russian cyber criminal or just a group in some other part of the globe that’s very effective at what they’re doing, it doesn’t change how you defend yourself. So really understanding what threats are out there. Now, if they’re bringing in new, novel ways to deploy malware, then of course, yeah, you need to pay attention to that, but it shouldn’t change your defense posture. Really, you should be trying to maintain a baseline no matter what. That’s really the point to drive home in all this. It’s very alarming, it’s nerve-wracking, it’s a constant news story, and it’s something to pay attention to but not panic about.
Jason Pufahl 13:31
Do you mind spending a minute or two on sort of the scale of this? Maybe what countries are most active? What are we seeing as a ramp-up?
It’s probably helpful to give people a sense of, well, what is the threat?
Patrick Wallenhorst 13:45
Yeah, I think the statistics we have in the presentation and the webinar showed within, I think, the first month there was approximately a thousand hacktivist claims of some sort of cyber activity. And I think if you were to just ask the everyday person who is being attacked, you would say the U.S. But in reality, the U.S. is very low in terms of the countries being attacked. It all stays very regional for several reasons, right?
And you can launch a DDoS attack at Israel, who is really, you know, really great military capabilities. If you can shift their focus from their military to focus on their critical infrastructure, you may be helping, you know, military units within Iran have more freedom of maneuver or whatever it may be. So they’re really regionalized attacks.
I’m not saying there haven’t been attacks on Western companies. We all saw the Stryker attack. Iran came out and said they, you know, hacked Kash Patel’s email, the director of the FBI’s email and personal phone.
So there’s definitely targeted attacks. But I don’t know as of today what the numbers are, but I can say that the United States is probably in like the 3 percent of claimed attacks going on around this conflict specifically in Iran. That being said, one single attack could be devastating.
But the focus is really on Israel right now in terms of what Iran’s targeting and then any supporting countries around that region.
Jason Pufahl 15:14
So I think, you know, maybe as we kind of come up against time here a little bit, the big question I have, which you didn’t have the luxury of answering during the webinar, is how does the ceasefire impact things? Like, you know, are we seeing things in any way as a result of that? Or from a, you know, computer, electronic standpoint, are we still seeing the same level of activity?
Patrick Wallenhorst 15:40
I would say no. I would say anything that’s state sponsored has been tempered at this time. That being said, if there’s any sort of reconnaissance going on, I think that’s kind of always happening from multiple nations, too.
If you look back at the previous FBI director, it was kind of his mission to go out and talk about the Chinese threat and how we’ve seen them several times kind of infiltrate our critical infrastructure and not do anything. But it’s also kind of a show of force to say, like, hey, look at what we could do and look at how easy it is for us to get into these different places. So I would, you know, I can’t say for certain, but I would not be surprised at all if Iran is doing those same things.
Maybe some probing and recon, just showing kind of what they could do if they wanted. And at the same time, we’re doing probably similar things back to Iran.
Jason Pufahl 16:35
So similar to a comment before, you know, just like your more traditional warfare, your cyber crime, it’s part of a ceasefire, right? Theoretically, your cyber crime is an element of that and should stop.
Patrick Wallenhorst 16:50
Sure. Sure. I mean, let me put it this way.
If they were to launch a large scale cyber attack during the ceasefire, it would give all the ammunition, you know, no pun intended, in the current administration to say, okay, you broke the terms of the ceasefire. Therefore, you know, we’re sending it in X, Y, and Z.
Jason Pufahl 17:12
Michael, it looks like you’re going to say something.
Michael Grande 17:14
No, I, you know, I think there’s so many places to go with the conversation, right? I mean, because of its relevance to, I think, what we see and we hear in the news and what we’re exposed to, and I think from a cyber perspective, there’s definitely a, I don’t think the general public appreciates perhaps the scale and scope of what happens at the beginning of a conflict with relation to sort of cybersecurity measures and what type of attacks are taking place.
But there’s definitely a long tail, and it’s interesting just to hear, you know, that, or to think about like what are good, what’s something outside of the sort of fundamentals that we always talk about that organizations should be thinking about, you know, the things not to do, the things to do. Because I think in many ways, smaller, mid-sized companies, well, it doesn’t necessarily affect me, right?
It’s as a geopolitical, it’s such a big concept. These are nation states. This doesn’t have any impact or bearing on us.
But if you have, you know, operational technology assets, if you’ve got open back doors, if you’re not doing a good job with some of the basic blocking and tackling, you could still remain a target of convenience in certain ways. But, you know, that’s sort of where my mind goes with all of this.
Patrick Wallenhorst 18:34
No, 100%. I think the biggest takeaway, again, along with, you know, remaining calm and staying level-headed and keeping the baseline, is reviewing incident response plans at times like these. Like, let’s just assume this ceasefire fails and this conflict intensifies, you know, a lot of resources from the federal side of the house are going to be looking outward.
So it’s time for organizations to look inward. Look at your incident response plans, create a disaster recovery plan that may include, you know, if critical infrastructure is affected, do we need to move hardware to a new location in order to maintain operations? I mean, you really have to look at things at a level that beforehand might’ve been, you know, what was thought of as overkill.
It’s a reality now. I mean, and I almost don’t want to say this because it’s going to open up another door, but AI is accelerating all these things as well. And again, that’s another talk for another day, but it’s also going to accelerate defense too.
So a lot of people are scared and talking about the offensive capabilities and all the negative things that AI is going to do. And it’s true. It’s a reality.
There’s going to be increased threats, but there’s also going to be increased defense too. So there is a light at the end of the tunnel there. And that’s what I want to leave people with: look inward, make sure you have a good defense posture. Make sure, you know, you’ve dotted your I’s and crossed your T’s and have your incident response plans, your disaster recovery plans, and remain threat agnostic. And, you know, that’s really the best position to be in during the times of, you know, complete unrest. You don’t want to have your hair on fire when the rest of the world is on fire.
That’s kind of the message.
Michael Grande 20:14
Good advice.
Jason Pufahl 20:15
Maybe I’ll use this plug. So Pat, I think you inadvertently touched on a topic actually that we coincidentally just recorded.
So we usually do a few of these over the course of a couple of successive days. And Dylan and I just spoke about the, really the looming threat. I don’t even know if looming is the right word.
It just seems like the threat that is here, right, that is improving all the time as it relates to AI ability to do some of the automated vulnerability hunting, threat hunting. So I think what, you know, what we’ll do is maybe release this podcast first, and we’ll leverage this as a teaser for the upcoming podcast that we have with Dylan. So I appreciate that inadvertent plug for the upcoming podcast.
Patrick Wallenhorst 21:07
Absolutely.
Jason Pufahl 21:08
So, all right. I think we’ll wrap up. I think, you know, the reality is we’ll, like everybody, we’ll pay attention to kind of what’s going on overseas if the situation warrants us coming back together because, you know, for some reason, at least in the information security space, the cybersecurity space, you know, things have escalated. We’ll definitely come back and talk a little bit more about that. But Pat, I really appreciate you joining. I really appreciate you putting together the webinar that you did and kind of falling back to your sort of previous expertise a little bit and leveraging that.
So thanks for joining.
Patrick Wallenhorst 21:40
Absolutely.
Jason Pufahl 21:41
And Mike, as always, thanks for being here.
Michael Grande 21:43
It’s been great.
Speaker 1 21:45
We’d love to hear your feedback. Feel free to get in touch at Vancord on LinkedIn, and remember, stay vigilant, stay resilient. This has been CyberSound.