A
You're listening to the Cyberwire Network powered by N2K. Most important thing to remember today is verify claims, stay educated, do the basics.
B
I'm David Moulton and this is Threat Vector. Today I'm speaking with Justin Moore and Andy Piazza from Unit 42. Unit 42 has published a threat brief on Iran-linked cyber activity, and these two walk me through what the team is actually observing, which groups are active and what defenders should be doing. Justin, Andy, welcome to Threat Vector. Really glad to have you both here today.
A
Hey, thanks for having me, David.
C
Yep, thanks for the break in the chaos. This is a good slowdown to have this conversation.
B
I know it's been a busy day for you today. I appreciate you giving me a few minutes to walk through the threat brief, tell me what it's been like inside of unit 42 threat intelligence the last few days.
A
Chaotic. Busy. A lot of typing and a lot of collaboration, a lot of communication, trying to keep abreast of everything that's going on, you know, making sure that we're doing everything we can to protect our customers and that we know everything that's happening, that we can stay ahead of. So keeping us up late at night and early in the morning.
C
Yeah, to piggyback off that, I think Justin and I both being former ops folks, we thrive in chaos. So it's kind of been our sweet spot. A lot of coordination. You know, internally we call this a rapid response. And I think every time we do one of these within the organization, it gives us a really good opportunity to collaborate and work with some really, really smart peers across the company, right, product side and services side. So despite the stress and everything that's going on, it's a really, really cool opportunity to make an impact for our customers and get to know the company a little bit better internally and work with some really smart folks.
B
Before we get into the specifics of this threat report, I want to help our audience understand how your roles connect. Justin, you're leading the rapid response right now and our fusion intelligence team. And then Andy, you're leading threat research for Unit 42. How do those two functions work together when Unit 42 is publishing a brief like this one?
C
Yeah, I'll try to tackle that and let Justin expand on his role from a rapid response perspective. But day to day, I have the traditional threat researchers within Unit 42. We're the ones that are going out into case data, customer telemetry, if they have it turned on, coming in house, and we're the ones trying to understand the intelligence picture. Big, big picture, down to the technical weeds. I won't just say strategic, but really understanding the intent and capability of threat actors that we see through Palo Alto Networks products and services. We're the ones that are going to drive a lot of the original research, and then trying to make sense of that is Justin's kind of fusion intelligence role: taking what we're seeing, plus what the rest of the vendors are seeing and partners and information sharing circles, trying to fuse all that together to make a bigger intelligence picture. But I'll hand it to Justin to explain the chaos of running a rapid response too, and how that plays in with us.
A
Yeah, so rapid responses are kind of a lot of fun. It's very much like herding cats. So it's very much, what does Unit 42 know about this specific instance, you know, this threat activity, this vulnerability? And that means pulling in resources from every single one of the teams within Unit 42. That also generally culminates in a threat brief for the website. So that way we can inform our customers of what we know, how they are defended, and also let them know that we're paying attention to the landscape. Right. And so we're able to leverage Unit 42's and Palo Alto's product suite to bring you the best intelligence. So that means a lot of monitoring and a lot of communication.
B
So, Justin, the brief notes that Iran's Internet connectivity dropped significantly. Walk me through what Unit 42 is observing as a result of that and what it means for how defenders should be thinking about this threat landscape.
A
Well, I think the most interesting part of that is, right, Iran has been nearly without Internet for over 72 hours at this point. So the majority of activity that we're seeing is actually coming from outside of the country. Right. So your globally dispersed or regionally dispersed activists have jumped on board and they're the ones that are kind of carrying the weight of retaliation right now.
B
I know that the brief mentions that state-aligned cyber units may be acting in operational isolation. What does Unit 42 actually observe when that happens?
A
Well, that's a little bit of a tougher question, only because this is a unique situation. The ground truth in Iran right now is that they're very much cut off. There are a lot of leadership changes going on, and that means the individual units are more likely to have to take a more operationally autonomous role in conducting operations. This is probably a position they're not used to, and so that kind of changes the calculus significantly for them.
C
Yeah, I would add too, it goes back to my comment about noise. Like, we're seeing the pro-Iranian activists, a lot of activity from them, where with a nation-state actor, especially when things are kinetic, right, when missiles and bullets are flying. You know, this is a little bit of projection. I'm not saying this is what they're doing, but primarily a military unit or government intelligence unit is going to be more worried about, you know, collection and intelligence and those types of activities. That's when we talk about dwell times of 8, 9 months, not a 24-hour impact type of thing. So seeing those espionage accesses, if they exist, is much harder when you're in the middle of a DDoS, right, or we're dealing with defacements and stuff like that. So this is that part where those units may be active even with their Internet out. They may be acting outside of their country, fully deployed. But it's a lot harder to see intelligence collection happening when there's so much going on from a defacement and disruption standpoint.
B
So the brief names a fairly large group of active threat actors. I think it had HANDELA Hack, it had Dark Storm Team, Dinette. There were some pro-Russian groups, and coming to mind, one of them is Cardinal. Walk me through how Unit 42 is categorizing and tracking these groups, and what does observed activity from each of them actually look like?
C
So traditionally we do have our attribution framework and we use our constellation names for threat actors that we track over time. We have a great threat research article out there on our methodology for that. When it comes to, one, a rapid response, a quick turn, we're not going through that mature process. We're going to report as quickly as possible. And two, when it comes to what I kind of call these self-named groups, when it comes to activists, they give themselves their own name, so it's much easier just to stick with those. So these are often names that they've given themselves or maybe the community has given them, and they're kind of the common names that people are tracking. Sometimes it's just literally associated with either a handle on a platform that one of their actors used or the actual name of a chat group that they have set up. But the big thing that I think we've been really trying to understand the last 72 hours is the origins of these groups. Are they, you know, pro-Russian, pro-Iranian? Because this does give an opportunity for other actors to take advantage of the situation. So we're trying to categorize the types of attacks and start validating some of their claims. Again, a lot of these are claims that haven't necessarily been validated. So our teams right now are bringing in all these links, getting them into spreadsheets. Right. Because Excel is the master intelligence tool of it all. And start categorizing, right: is it valid, does it need further evidence, and then what type of attack claim it is. So we can start kind of categorizing DDoS, you know, distributed denial of service, versus defacements versus threats. There's some hack-and-leak claims, those types of things. And so we just want to categorize those. Yeah. Justin, anything to add there?
A
Yeah, I mean, just to piggyback on what Andy was saying, I think the most important piece there is verifying the claims.
C
Right.
A
A lot of claims are occurring. Groups are very well known to exaggerate access, exaggerate impact. And so that's one of the things for downstream, possibly impacted entities, right: be aware that just because they've claimed access doesn't mean they have access. So it's definitely important to be on top of a robust communication plan, scoping, and determining whether or not they actually have access or they just wanted to look really good.
B
So, HANDELA Hack stands out in the brief because it's reportedly sending death threats to U.S. and Canadian individuals, and it's claiming that they have shared the home addresses of those folks with physical operatives. What has Unit 42 actually observed from this group in terms of activity and capabilities? And what's the practical implication for organizations?
C
Yeah, you know, I think with any of these claims, again, there is the matter of we need to continue to monitor them and try to validate them, first off. Second, I do think it is an escalation of threats that we have not seen in previous conflicts in general. So that is, it's something new. I think overall this situation with the conflict today is much different than we've seen in previous conflicts with Iran. And I want to point that out because as we get into talking about whether it's cyber capabilities or these death threats, the rule book's out, right. They are a country that's under attack. We do not know how they respond, are going to respond. These pro-hacktivists are going to respond differently than we've seen in the past. They may feel like this is a gloves-off situation and those red lines don't exist anymore. I do think because we're talking about physical threats, those are things that we need to take seriously and consider our OPSEC or PERSEC, operational security and personal security, a little bit more. We've seen ransomware groups do some of this stuff in the past, but for the most part they've either not been taken seriously or haven't actually borne fruit. But with the situation now, if Iran's been a state sponsor of terrorist organizations in the past, there's no telling. And I think this is a little bit, when it comes to the physical threats, a little bit outside of our expertise. From the Unit 42 perspective, I really just encourage folks to look at their cyber hygiene to help protect that data of, you know, where they live, and think about what they're posting to social media, especially if they're outspoken against the conflict in Iran. I think you have to consider yourself a high-value target. Ensure your personal accounts have multi-factor authentication enabled, protect, you know, privacy, protect records as much as possible. A little harder in the US. I'm not sure about Canadian laws, but in the US, with our home records and Yellow Pages and all that information being out there. But we can also make it a little bit harder by not, you know, posting to social media where our home addresses are and things like that. So if you're going to be public facing and talking against the regime, you should take some additional precautions.
B
Andy, if you've received a physical threat, a death threat from one of these groups, what should you do now?
C
I think if individuals are named, they need to take it seriously and consult with local law enforcement. Make sure to report to the FBI as well. But I would definitely talk to local law enforcement. They understand your persona, why you might be involved in the threats. You know, talking to local law enforcement about the security of your house, if you've got, you know, security systems, those types of things. Just making sure that you've touched base with local law enforcement and federal as well. Since this is an international thing, I would definitely touch base with the FBI as well.
A
I'd also like to just jump in there and say too that social media accounts are an immediate place for, you know, threat actors to go. So if you have been targeted, ensure extremely high levels of cyber hygiene. Change passwords, ensure that you're paying attention to phishing emails, SMS messages. Just kind of the basics of cyber hygiene will go a long way in protecting you.
B
What are the TTPs and IOCs Unit 42 is tracking that defenders should be watching for regardless of where their organization is located?
C
Well, I definitely think more of the TTP side is, you know, at a higher level, the disruption is understanding your supply chain as far out as possible and what those impacts could be. Right. We've seen a data center literally destroyed. Right. That might not be in most people's threat model. And so understanding, right, as the US always jokes around when us-east-1 goes down and the East Coast loses access to most social media, Netflix, if you're regionally based, understanding where your backbone is, and if you lose network, do you have, you know, satellite comms or secondary communications, especially for critical systems. I would look at some of those relationships that may be under stress, if you have, you know, shipping relationships, or if you're an energy company operating in the Middle East. Right. Those are heightened tensions. Expect delays in any transportation going through that region. A lot of those things are kind of non-cyber but may be impacted from just the fact that there's a geopolitical situation going on. I mean, we've got closed airspace that's going to reroute airplanes, closed, you know, shipping routes. Those types of things are going to slow down transportation. So understanding impacts to the greater business and supply chain from that perspective, I think, is important. From the cyber side of things, understanding your ability to protect from disruption, from DDoS, distributed denial-of-service attacks, and recover from destructive attacks. Right. Do we have backups? Are they tested? If you get a, you know, a wipeout or wiper deployed from Iranian actors, you know, how are you going to respond? Are you prepared? Have you tabletopped that? Do you actually know where the backups are and if they work? Those types of things I think would be the conversations I would be having with my security team right now.
B
For the CISOs that might be listening who don't see an immediate connection between their organization and this activity, how do you help them understand whether they have actual exposures?
C
Yeah, I mean, this is one of those situations where, you know, prevention goes a long way. And so understanding this long before there's a conflict I think is definitely important. However, now that we are where we're at, having an understanding of, you know, it's eating your vegetables and, you know, exercising every day. Right. What's in your risk register? What are we prioritizing? You know, I think this shortens the response time frame of being able to do some of those things on the risk register. But I don't think it's a novel, net new risk for most companies. If this was on the radar, it should have been on their radar years ago or at least months ago. Yeah, like I said, it might speed up how they respond and what they do. But I would really encourage them to look at the fundamentals and ensure that they have MFA in place, that they have patching and are prioritizing patching of edge devices. All of the traditional initial access places I think are very important. I don't think any of that shifts just because of the kind of time-based pressure from a threat landscape perspective, especially with the hacktivists, pro-hacktivists and the third parties who may be taking advantage of the situation. I do think it changes the threat landscape of who, or what we call a threat model, of who may impact your organization. Normally you worry about, okay, I have these critical assets and these are the type of actors who care about these critical assets. But when there is an armed conflict, it's more of an acting out situation. And so I think any organization that deals with the energy sector, deals with the Middle East, telecoms, they all need to be on heightened alert. But then anybody who uses energy or telecoms needs to also understand what those impacts could be too, right? There's a lot, I mean, unfortunately there's no company that exists on its own on this planet, right. Everything is connected. Sometimes that is literally network trust connections; they are connected to their supply chains. And so we have to think about it holistically, and what are those measures that we can take to prevent or detect and respond and kind of slow down those breaches inside of our network.
A
So, you know, also with that said, for CISOs, it's understanding anyone who's doing business internationally, any sort of upstream target is going to have downstream impact, right? So international logistics companies, every single one of those international vendors, right, that will end up coming back to haunt you downstream, right, if you're not paying attention. And like Andy said, doing your job is understanding your risk. So hopefully that's already been considered. But also understanding that because this is a wider-spread operation here for a lot of these groups, it doesn't take anyone off the table. And that means that you may unexpectedly be impacted by an upstream vendor of yours.
B
Andy, you were just talking about security hygiene, the very fundamentals, right, like having air-gapped backups or looking at your phishing training. Those are some things that, you know, have to be done before this becomes a real threat that you're facing. But I'm wondering, you know, not new recommendations, but which of those are directly tied to the TTPs Unit 42 is observing right now, and/or which would you prioritize within your controls as a space to focus on?
C
So I think because of the threat of disruption, I think resilience, anything resilience, if you've got DDoS protection, those types of things, is something I would crank up to 11 right now, and then recovery operations, the air-gapped backups and testing and recovery capabilities, because we know Iran has used destructive malware in the past and we don't know when and where those are coming from next. Right. So I would definitely be prepared for those types of things. So prevention, getting ahead of it: can we stop the DDoS and continue to have our network operate, and then also being able to respond and recover from a major event using backups and recovery.
B
I'm curious, as you're watching this situation unfold and you go back to some of the similar situations in the past, where do organizations make mistakes? Where are they tripping up consistently that you would call out today to give them a little bit of a heads up on what to look out for?
C
Burnout. Definitely burnout. You can't be intelligent if you're not sleeping and eating and getting up and moving. I don't know if we're on day three or four or seven at this point, and it's a good reminder for myself. Leaders need to start thinking about what the rotation schedule is. You know, Justin's starting to look a little bloodshot in the eyes; when was the last time he slept and ate and got up and got some water? And making sure that we're forcing people away. It's really, really easy to burn folks out, and you know, the more tired we are, the more mistakes we're going to make. We're not going to be intelligent if we're not getting the right calories and recovery. So take care of your people right now. You know, this is a major crisis. Absolutely. But if your network is not under threat right now, you should not be in a war room and incident response bridge every day. You should be taking care of your people and be prepared and have enhanced monitoring. But let some people get some sleep, or you're not going to be there when you need to be responding.
A
A lot of that too. Just go back to the basics when it comes to cyber hygiene and policy. Make sure your IR plan is solid, make sure you have a response plan, make sure you have a comms plan. Ensure that you've conducted asset management, you've patched everything. A lot of this comes back to the basics, and that goes so far in the long run.
B
I think that's really good advice all the time, but especially during a crisis, is to make sure that your plans are in place and your teams aren't burning out. This could be one of those things that, given the personalities I've observed in security, you're mission driven and the mission's over when the mission's over, not when you're tired. But you're right, Andy, not enough sleep. It's whatever the opposite of intelligent is, at least for me, when I've not caught enough shut-eye.
C
No situation is made better by being tired.
B
So yeah, that's true. The brief includes some recommendations that are different from technical ones. Prepare to validate and respond to claims of breaches or data leaks, because the threat actors may be using false or exaggerated claims. You guys have covered that quite a bit, you know, to validate. What does Unit 42 observe about how these claim cycles play out, and what does a good organizational response look like?
C
I think one is understanding that you're still allowed to lie on the Internet. So don't take them. You know, don't burn all of your resources trying to jump on these claims. The same thing we've seen with the hack-and-extortion groups, the ransomware groups, you know, they have: we completely compromised this entity, this organization, and we find out it was like a third party database that was three years old from testing, right? So bad guys still lie on the Internet. Do not burn all of your resources trying to react to that. Take a systematic approach, look at the data. Usually from the data you can tell what type of database it likely came from. Go check that database for signs of compromise. Be systematic about it and don't be reactionary. You know, some of these false claims are literally to stress people out. And so I'll just say don't let the bad guys win, and take a systematic and measured approach to it.
A
A great organizational response is to continue doing what you're doing, do the right things at all times, right? Don't make a situation out of a claim, and do your best to maintain a pretty positive but diligent posture. Make sure that the SOC is doing their work, make sure that you're in touch with your vendors, make sure that you're paying attention to third party risk, consult with legal and policy in your company, comms, things like that, you know, and continue to stay abreast of what's going on. You know, read, ensure that you know what the landscape looks like. Right now the landscape is heavy activist activity. So that's a great thing to know. The majority of that has been, you know, very much in the realm of DDoS. Right. So being aware of that and the potential impact, that's going to set you up for success.
B
Have you guys seen any cases where a really well handled public response to a hack, to this kind of claim, reduced the attacker's impact?
A
There are a lot of exaggerated claims, even DDoS claims. Right. You may have a 12-minute downtime on a website; that could be considered a win for a hacktivist group. But if your comms plan, you know, ensures that you're coming out to say, well, this is actually only a 12-minute downtime, or, kind of related to what Andy was talking about earlier where, you know, it was really a two-year-old breach that, you know, had been posted online and then aggregated with some others, and then it comes back out. You know, for companies to get ahead of that, it not only mitigates the impact to your organization reputationally in the moment, but it also degrades the ability for those activists to continue to exaggerate over time. And so it discredits the group in its future operations.
C
Yeah, I will say, without naming names, a comms plan can make or break a company's response. They could have the best response in the world from an IR and protective perspective, and their comms plan or team botches it and it looks horrible, right. Or we've all gotten a, oh, there was no major impact, then a week later, like 5 million records, and then two weeks later 10 million records. Right. Like it just keeps getting worse. And then you get the letter in the mail and it was, you know, everything, including your DNA test. So I would encourage companies to have a solid, tested comms plan. Go look at other examples. Obviously there's a number of firms like ours that will consult and help them with those types of things. But those comms plans are things that you can have in place ahead of time. You should not be trying to write a PR response during an incident, just like you should not be trying to write an incident response plan during an incident. Have those. As much transparency as possible, I think, is really, really critical. Most of the time in this industry you're going to get judged on how you handle your communications way more than how you handle the breach itself.
B
Yeah, how you handle your response in life is up to you, and what happens to you is sometimes out of your control. Well, you've mentioned this idea of having a really good comms plan and you've talked about validating some of the claims and not over-rotating on them. Are there maybe two or three other concrete actions that you would recommend to our listeners that move the needle most, based on what Unit 42 is actually observing?
C
Yeah.
A
I'm going to go first on ensuring companies are educating and reconfirming with their employees that they're paying attention to their social media, they're paying attention to phishing attempts. Cognizance and diligence are where I would be looking right now. Those are the easiest access vectors in a lot of places. Right. I mean, we're talking mid-60% of compromises are based on phishing. So that's a huge factor. So looking at that would be the first place I look to, and then ensuring, right, all of the same things, right: your plans are ready to go and you're ready to respond when needed.
C
I'm a big proponent of multi-factor authentication, especially for remote access. Evaluating remote access and ensuring that any temporary exceptions to policy were actually closed. There's nothing more permanent than a temporary exception to policy. So if someone got a waiver that they didn't need to patch the server when the patch came out, or there's a waiver for remote access without MFA, go back and evaluate those right now and double check that they're justified and still needed in place. Because that's often where we see the biggest gaps: bad guys will find the one account that got the exception to policy for multi-factor authentication, they'll find the one server that didn't get updated. It's better that you do your asset and identity inventory than letting the bad guys do it. So double check that. Like I said, CISOs have the risk register. They probably know where the problems are. They don't need us to point at them. But I think it's really easy for us to go look at the shiny thing and go, what's that? You know, just like gym guidance. Right. What's the one secret? It's like, show up and do it every day. Wait, what? No, no, but what's the secret? Patch, audit, secure. That's it, every day.
B
For listeners who want to be able to stay current on what Unit 42 is seeing, I want you to go to our Threat Research Center and read our blog. It will continually be updated as we know more and as we validate what we know. The link to that will be in the show notes. Justin, Andy, thanks for coming in today, giving me some of your time and sharing what you've observed in this unfolding situation with the Threat Vector audience. I appreciate you both coming in and answering my questions.
A
Thanks for having us on, David. Appreciate it.
C
Yeah, appreciate the opportunity and the short break from all of the Slack messages and emails we probably missed. But we definitely needed it, and we're going to take our own advice and hopefully get up and get some water after this.
B
That's it for today. If you like what you've heard, please subscribe wherever you listen and leave us a review on Apple Podcasts or Spotify. Those reviews and your feedback really, really do help me understand what you want to hear about. If you want to reach out to me about the show, email me at threatvector@paloaltonetworks.com. I want to thank our executive producer, Michael Heller, our content and production teams, which include Kenny Miller, Joe Bourt and Virginia Tran. Elliot Peltzman edits the show and mixes the audio. Goodbye for now.
Date: March 5, 2026
Host: David Moulton
Guests: Justin Moore (Leader, Rapid Response & Fusion Intelligence, Unit 42), Andy Piazza (Lead Threat Researcher, Unit 42)
This episode of Threat Vector dives into Unit 42's recent threat brief on Iran-linked cyber activity. Justin Moore and Andy Piazza from Palo Alto Networks’ Unit 42 join host David Moulton to unpack the current threat landscape, discuss active Iranian and regional threat groups, share what they’re observing in real time, and provide concrete advice for defenders and CISOs confronting this heightened environment.
[01:04-03:30]
Day-to-Day in the Crisis
“Chaotic. Busy. A lot of typing and a lot of collaboration ... keeping us up late at night and early in the morning.” — Justin Moore [01:16]
“We thrive in chaos ... it gives us a really good opportunity to collaborate ... despite the stress ... it’s a really, really cool opportunity to make an impact for our customers.” — Andy Piazza [01:35]
Roles and Collaboration
[04:14-08:49]
Internet Blackout in Iran
“The majority of activity we're seeing is ... coming from outside of the country. Regionally dispersed activists have jumped on board ... carrying the weight of retaliation right now.” — Justin Moore [04:31]
Operational Isolation of State Actors
Internal leadership chaos and connectivity issues are forcing Iranian state-aligned cyber units into greater autonomy—potentially altering their risk appetite, methods, and effectiveness.
“Individual units are more likely to have to take a more operationally autonomous role ... probably a position they’re not used to.” — Justin Moore [05:09]
The cyber landscape is noisy: pro-Iranian activists are flooding the space with DDoS attacks and defacements, masking or interfering with espionage operations.
“Seeing those espionage accesses ... is much harder when you’re in the middle of a DDoS or dealing with defacements.” — Andy Piazza [05:41]
[06:38-08:49]
Active Names in the Brief
Tracking Methodology
Verification is Key
“A lot of claims are occurring. Groups are very well known to exaggerate access, exaggerate impact.” — Justin Moore [08:42]
[09:17-13:05]
HANDELA Hack's Escalation
“I do think it is an escalation of threats ... It's something new ... The rule book's out ... These pro hacktivists are going to respond differently than we've seen in the past. They may feel like this is a gloves-off situation.” — Andy Piazza [09:42]
Practical Guidance
“If individuals are named, they need to take it seriously and consult with local law enforcement ... The basics of cyber hygiene will go a long way protecting you.” — Andy Piazza [12:00]; Justin Moore [12:35]
[13:05-15:35]
Geopolitical and Supply Chain Risks
“We've seen a data center literally destroyed ... understanding where your backbone is ... if you lose network, do you have satellite comms ... for critical systems?” — Andy Piazza [13:16]
Cyber Resilience and Recovery
[15:35-18:41]
Don’t Assume Non-Involvement
“Anyone who’s doing business internationally, any sort of upstream target is going to have downstream impact ... if you're not paying attention ... you may unexpectedly be impacted.” — Justin Moore [17:58]
Fundamentals Remain Key
[18:41-20:05]
“Because of the threat of disruption, anything resilience ... DDoS protection ... recovery operations ... test your backups ... I would definitely be prepared for those types of things.” — Andy Piazza [19:19]
[20:05-21:29]
Burnout is the Silent Risk
“Burnout. Definitely burnout. You can't be intelligent if you're not sleeping and eating and getting up and moving ... Take care of your people right now.” — Andy Piazza [20:27]
Back to Basics
“Go back to the basics when it comes to cyber hygiene and policy ... make sure your IR plan is solid.” — Justin Moore [21:29]
[22:22-26:50]
Don’t Overreact to Every Claim
“You're still allowed to lie on the Internet ... take a systematic approach ... don't be reactionary. Some of these false claims are literally to stress people out.” — Andy Piazza [22:57]
Good Comms Limit Impact
“If your comms plan ensures ... you’re coming out to say, well, this is actually only a 12-minute downtime ... it degrades the ability for those activists to continue to exaggerate ... it discredits the group in its future operations.” — Justin Moore [24:54]
“You should not be trying to write a PR response during an incident, just like you should not be trying to write an incident response plan during an incident.” — Andy Piazza [25:42]
[26:50-29:12]
Educate Your People
“Ensuring companies are educating and reconfirming with their employees that they're paying attention to their social media, they're paying attention to phishing attempts ... those are the easiest access vectors.” — Justin Moore [27:20]
MFA, and Kill “Temporary” Exceptions
“Nothing more permanent than a temporary exception to policy ... it's better that you do your asset and identity inventory than letting the bad guys do it.” — Andy Piazza [27:59]
Work the Risk Register
“Patch. Audit. Secure. That's it. Every day.” — Andy Piazza [29:12]
On threat actor claims:
“Bad guys still lie on the Internet. Do not burn all of your resources.” — Andy Piazza [22:57]
On response and burnout:
“No situation is made better by being tired.” — Andy Piazza [22:22]
On cyber ops during armed conflict:
“When there is an armed conflict, it's more of an acting out situation ... it doesn't take anyone off the table.” — Justin Moore [17:58]
On the danger of exceptions:
“There’s nothing more permanent than a temporary exception to policy.” — Andy Piazza [27:59]
For further updates, listeners are directed to Unit 42’s Threat Research Center and blog (see episode show notes).