
We talk to the NSA’s Director of Cybersecurity, David Luber, about Ukraine, adversaries in cyberspace, and the importance of partnerships.
Deana Temple
From Recorded Future News, this is Click Here's Mic Drop. About a month before the 2024 elections, I was on stage with the relatively new Director of Cybersecurity over at the National Security Agency, David Luber. He's a bit of a fixture in cybersecurity circles. He was deputy at the Cybersecurity Directorate. Before he took that top job, he was Executive Director at Cyber Command. He worked cyber and space issues in Colorado, and we interviewed him at Recorded Future's Predict conference in DC. Recorded Future News is an editorially independent arm of Recorded Future and we wanted the Director to talk to us about this relatively simple thing. So what are the threats that kind of keep you up at night? Stay with us.
Deana Temple
ChatGPT, AI machines, satellite engine ignition. Click here and lift off. A few months before the Russian invasion in 2022, a contingent of cyber operators from US Cyber Command quietly flew to Ukraine on a secret mission. They came to help Ukraine find any malware Russia might have dropped on their critical networks ahead of the war. U.S. Cyber Command does these kinds of missions all over the world, all the time. They're called Hunt Forward Operations.
David Luber
It's an actual authority that Cyber Command has when requested by a foreign partner and approved through the Department of Defense.
Deana Temple
This is David Luber, the Director of the CyberSecurity Directorate at NSA.
David Luber
One can then go and support a country in their cybersecurity and they're sitting.
Deana Temple
Side by side with Ukrainian operators looking for bad things.
David Luber
It is a side by side type operation, but where NSA plays a role in those Hunt Forward operations is sharing insights with the team on the adversaries they're likely to encounter when they go out on a Hunt Forward operation. So we partner with the Hunt Forward teams to ensure that they have the best insights possible from intelligence, the best insights possible even from the experts that we have at the National Security Agency on mitigation guidance and capabilities to identify advanced persistent threats and cyber activity once they get into an area and as they're operating. So a really important partnership.
Deana Temple
So Cyber Command operators wade into the networks with their foreign partners, and NSA offers additional intelligence so they can get more insights from what they find. And the general sense at the time was that Russia was going to use the war in Ukraine to show the world how cyberattacks would change what we thought we knew about modern warfare, but that didn't happen.
David Luber
If you go back to the start of the Ukraine conflict and what we saw from Russia, I think there was a big expectation there was going to be a large scale cyber attack against Ukrainian systems. There was no real big bang.
Deana Temple
No big bang. Maybe because Russia had indeed planted malware it planned to use when the invasion started. But the Hunt Forward teams had found a lot of it and quietly removed it. Cyber Command declined to say exactly how many pieces of malware they had removed from Ukraine's critical networks during that operation. But we did get a hint from the Ukrainians when we went to Ukraine this time last year. The cybersecurity chief of the SBU, that's the nation's main security agency, was a guy named Illia Vitiuk. His cyber operators were the ones sitting alongside the American teams. And he told us they discovered more than 90 different pieces of malware. And while he wouldn't be specific about where exactly they'd found it, he did say Russian intelligence, their GRU, had planted it in networks that could control things like water and electricity and communications. By the way, GRU were also responsible for these attacks. They thought that we, our infrastructure, our digital infrastructure will be on its knees. But their expectations were far beyond comparing to what actually happened. One of the things that actually happened outside those critical networks but rocked Ukraine all the same, was a Russian hack into the KA-SAT satellite on the eve of the war. KA-SAT, which is owned by the US company Viasat, beams high speed Internet to a wide swath of Europe. And in the early hours of February 24, KA-SAT modems and terminals started to go down, knocking thousands of people, not just Ukrainians, offline. At first, security officials assumed it was a jammed signal. They eventually discovered that Russian hackers had broken into the company's modems and dropped wiper malware on them. Viasat ended up working closely with the NSA, not just to figure out how Russian hackers got in, but also to share what they knew so it wouldn't happen anywhere else. Since then, Luber said Russian hackers appear to have changed tactics.
David Luber
What I think has shifted and changed is now the Russians shifting back to more espionage. How can I conduct espionage against Ukrainian systems so that I can have an advantage on the battlefield. So a shift from I'm gonna potential with a potential objective to do attack operations to what we see more of today is the opportunity for gleaning intelligence that would give the Russians advantage on the battlefield.
Deana Temple
But it isn't just Russian hackers making a pivot. Luber said that he thinks one of the most impactful discoveries over the past year and a half has been China's offensive cyber operations against the the People's Liberation Army has a hacking unit that researchers have named Volt Typhoon. In the past they were focused on espionage, but earlier this year, American officials, including FBI Director Christopher Wray, announced that Volt Typhoon had dropped malicious code into key networks inside the U.S. Wray said it looked like Volt Typhoon was planting little ticking time bombs in US infrastructure so they could set them off if ever the US and China found themselves in conflict. To find it, the US launched a hunt operation. Just this time it was much closer to home.
David Luber
In Volt Typhoon, it's really the idea of pre positioning for a future computer network attack at a time of their choosing. And that's very different than the espionage approach because they may only come into that network every 60 days, every 90 days to check access and using credentials and legitimate credentials and command line tools and capabilities. It looks like a legitimate user doing non legitimate activity.
Deana Temple
Officials haven't said publicly how the Volt Typhoon cyber operations were discovered. What we do know is that the US is continuing to hunt for malware deep inside its own networks and they'll need lots of people both in the public and private sector to help them look.
David Luber
In the end, it does take a number of different US government partners, industry partners, and even foreign partners to ensure that we can identify, enumerate and then work towards the ability to thwart ransomware activity across the globe. The most important thing that we have learned is sharing insights frequently with partners helps us ensure that adversaries like Russia and in other areas of the world, China, are not successful in their activities and operations.
Deana Temple
It seems like what you're saying is the best solution is preemption.
David Luber
Exactly.
Deana Temple
Former NSA Director General Paul Nakasone had a name for this kind of work. Persistent engagement. And at its core it means relentlessly tracking adversaries.
David Luber
And that means you're constantly going to look for changes in the way they conduct their tradecraft. You're going to look for adjustments in the way that you also identify that tradecraft. So whether it's a Hunt Forward operation or whether it's something that we're doing in the National Security Agency, from an intelligence perspective, it's the ability to ensure that you can continue to identify those changes in the cyber landscape. So if you think about the malware that was used in the KA-SAT attack, that was AcidRain, and that particular malware was shared broadly so that folks could understand how that malware could be used to actually impact a satellite modem. Of course, later the Ukrainians found another version of that malware. I think it was March of this year, was called AcidPour, so an adjusted version of that malware, and they shared that broadly. So that's one of the ways that we can work together as partners to ensure that when new versions of malware or new capabilities are developed by adversaries, that it's shared broadly.
Deana Temple
Now, with an election around the corner and the prospect of adversarial meddling in both the Trump and Harris campaigns, I asked Director Luber whether what we've been seeing so far is more of the same or if the nature of meddling has actually evolved.
David Luber
I won't be able to go into any specifics, but in general, outside of election security, you have to consider that adversaries are always changing their tradecraft. Adversaries are evolving their tactics and their techniques. Even as we've been sitting here, new malware has been created, new detections have occurred. So it's an evolving landscape that requires constant change and constant vigilance when it comes to understanding how that environment's changing. That's where the real power of cybersecurity comes into play, because that's when you can start to scale the insights and scale the outcomes in a way that you can't do if you just try and go it alone.
Deana Temple
Well, I want to thank you very much for being with us today. If you could give him a hand, please. And we hope to have you come back after the election and tell us all the things that you did. Thank you. This has been Click Here's Mic Drop. It was written and produced by Megan Dietrich, Jade Abdul Malik, Sean Powers and me, Deana Temple-Raston. It was edited by Karen Duffin. We'll be back on Tuesday with an all new episode of Click Here. Have a great weekend.
Megan Dietrich
If you're looking for a daily guide to cybersecurity news and policy, sign up for the Cyber Daily from Recorded Future News. It serves up the day's most interesting and important cyber stories from our sister publication The Record, and then aggregates all of the big cyber stories you might have missed from news outlets around the world. Just go to TheRecord Media and click on Cyber Daily to get all you need to know about the world of cybersecurity right in your inbox.
Podcast Summary: Click Here's Episode 177 – "Mic Drop: NSA’s David Luber on Russia, China and the Power of Partnerships"
Introduction
In Episode 177 of Click Here, titled "Mic Drop: NSA’s David Luber on Russia, China and the Power of Partnerships," host Deana Temple-Raston engages in a comprehensive discussion with David Luber, the Director of the Cybersecurity Directorate at the National Security Agency (NSA). Released on October 25, 2024, this episode delves into the evolving landscape of cyber threats posed by Russia and China, the strategic operations undertaken by U.S. Cyber Command, and the critical role of international partnerships in combating cyber adversaries.
Hunt Forward Operations: Proactive Cyber Defense
The conversation begins with an exploration of Hunt Forward Operations, a proactive approach where U.S. Cyber Command teams collaborate with foreign partners to identify and mitigate cyber threats before they can be exploited.
Deana Temple-Raston introduces the concept:
“A few months before the Russian invasion in 2022, a contingent of cyber operators from US Cyber Command quietly flew to Ukraine on a secret mission... They're called Hunt Forward Operations.” [01:37]
David Luber elaborates on the operational framework:
“One can then go and support a country in their cybersecurity... It's a side by side type operation...” [02:10]
These operations are designed to embed U.S. cyber expertise alongside allied forces, enhancing their ability to detect and neutralize malware and other cyber threats. Luber emphasizes the importance of intelligence sharing:
"We partner with the Hunt Forward teams to ensure that they have the best insights possible from intelligence..." [02:36]
Russia’s Cyber Expectations vs. Reality in Ukraine
A significant portion of the discussion centers on Russia's anticipated cyber aggression during the Ukraine conflict and the actual outcomes.
Deana Temple-Raston notes the initial fears:
“The general sense at the time was that Russia was going to use the war in Ukraine to show the world how cyberattacks would change what we thought we knew about modern warfare, but that didn't happen.” [03:21]
David Luber responds:
“If you go back to the start of the Ukraine conflict... There was no real big bang.” [03:45]
Despite pre-war preparations by Russia, including the planting of malware targeting critical infrastructure, the Hunt Forward Operations successfully identified and removed many of these threats quietly, preventing the large-scale disruptions that were feared.
Case Study: The KA-SAT Satellite Attack
Luber and Deana delve into a specific incident highlighting the sophistication of Russian cyber tactics.
Deana Temple-Raston recounts the attack:
“One of the things that actually happened... was a Russian hack into the KA-SAT satellite on the eve of the war... Russian hackers had broken into the company's modems and dropped wiper malware on them.” [04:05-04:36]
David Luber discusses the aftermath:
“Russian hackers broke into the company's modems and dropped wiper malware on them. Viasat ended up working closely with the NSA...” [05:20]
This attack disrupted high-speed internet access for thousands across Europe, showcasing the potential impact of cyber warfare on critical infrastructure. The collaboration between Viasat and the NSA was crucial in mitigating the damage and preventing future breaches.
Shifting Tactics: From Destruction to Espionage
Luber explains how Russian cyber strategies have evolved from overt attacks to more covert espionage aimed at gaining battlefield intelligence.
This transition underscores a strategic pivot towards intelligence gathering, allowing Russia to enhance its operational effectiveness without causing immediate, large-scale disruptions.
China’s Emerging Cyber Threat: Volt Typhoon
The conversation shifts focus to China, highlighting the emergence of advanced cyber threats that pose significant challenges to U.S. cybersecurity.
Deana Temple-Raston introduces China’s cyber unit:
“China's offensive cyber operations against the People's Liberation Army has a hacking unit that researchers have named Volt Typhoon.” [06:51]
David Luber elaborates on Volt Typhoon's tactics:
“In Volt Typhoon, it's really the idea of pre-positioning for a future computer network attack at a time of their choosing...” [07:47]
Volt Typhoon represents a sophisticated approach where hackers plant malicious code within U.S. infrastructure, potentially serving as “ticking time bombs” to be activated during conflicts. This stealthy method contrasts with Russia’s previously more aggressive tactics and poses a new level of threat requiring vigilant detection and prevention.
Election Security and Evolving Threats
With the 2024 elections approaching, concerns about cyber interference are paramount. Luber addresses the dynamic nature of these threats.
Deana Temple-Raston asks:
“With an election around the corner... has the nature of meddling actually evolved?” [10:42]
David Luber responds:
“Adversaries are always changing their trade craft... it's an evolving landscape that requires constant change and constant vigilance...” [10:56]
Luber emphasizes that cyber adversaries continuously adapt their methods, necessitating persistent and adaptive defense strategies to safeguard electoral processes from interference.
The Power of Partnerships and Preemption
A recurring theme in the episode is the critical role of partnerships in effective cyber defense.
David Luber asserts:
“It does take a number of different US government partners, industry partners, and even foreign partners to ensure that we can identify, enumerate and then work towards the ability to thwart ransomware activity across the globe.” [08:39]
Deana Temple-Raston summarizes:
“It seems like what you're saying is the best solution is preemption.” [09:13]
David Luber reinforces the concept:
“Exactly. ... it means relentlessly tracking adversaries...” [09:15]
Luber advocates for a strategy of persistent engagement, where continuous intelligence sharing and collaboration among various stakeholders enable preemptive actions against cyber threats, thereby neutralizing adversaries before they can execute significant attacks.
Conclusion
In this episode of Click Here, David Luber provides invaluable insights into the current state of cyber warfare, highlighting the adaptive tactics of Russian and Chinese adversaries and the essential role of international partnerships in countering these threats. The discussion underscores the necessity of proactive defense measures and persistent collaboration to safeguard critical infrastructure and democratic processes from sophisticated cyber threats.
This episode offers a detailed examination of the nuanced and evolving nature of cyber threats, emphasizing the importance of strategic partnerships and adaptive defense mechanisms in maintaining national and global cybersecurity.