A
You're listening to the Cyberwire network, powered by N2K.
B
Copyright strike.
C
Approved, royalty free music.
A
Okay, this building is seriously giving me goosebumps. Why are we recording here again?
B
Yeah, it's like the air itself is trying to spook us.
C
Relax, it's probably just the wind or faulty wiring or.
A
Or a ghost.
B
Wait, did you see that curtain move over there?
A
I definitely saw it move. Is that a ghost wearing a mask? Someone do something.
C
I'm on it. Almost got it.
A
Go, Keith. Hey, get off me.
C
Aha. Now let's see who you really.
B
Liz, the producer.
A
Liz, what are you doing here? Producing, obviously. I thought scaring you a little would make this Halloween recording interesting. And I would have got away with it too, if it weren't for you meddling hosts.
C
Classic producer move.
A
Yeah, yeah, yeah. Fine. Scooby Doo gang style reveal complete.
C
Can we please, please just start the show?
A
Ruh Ro. Guess we caught the villain. Good job, gang.
B
And now a word from our sponsor. ThreatLocker, the powerful zero trust enterprise solution that stops ransomware in its tracks. ThreatLocker Protect is the core ThreatLocker product focused on endpoint security, designed to prevent unauthorized software from running, control how applications interact and manage access to storage devices. Its building blocks are Allowlisting, Ringfencing, and Network Control. Allowlisting is a deny by default software that makes application control simple and fast. Ringfencing is an application containment strategy, ensuring apps can only access the system resources they truly need to function. Network Control locks down access by port, source IP, or dynamically with ACLs that automatically update as IP addresses change. Shut out cybercriminals with world class endpoint protection from ThreatLocker. And we thank ThreatLocker for sponsoring Only Malware in the Building.
A
Today we're going to share our favorite or least favorite scary stories from cyberspace. You know, we've already made multiple ghost jokes, so I think it's only fair that we start with Ghost Rat. Keith, you also had Ghost Rat on your list, right?
C
I do have Ghost Rat on my list. So I'll let you kind of kick it off on that and then we can kind of dive into Ghost Rat. It's a fun one.
A
It is a fun one. So Ghost Rat has been around for, execute the "it's been 84 years" meme.
C
Many unbearable hours later.
A
It was initially on the scene, what, like a decade ago. And it was initially used by Chinese state threat actors, but now it's broadly available, regularly used by threat actors, including Chinese speaking cybercrime threat actors. And oftentimes we'll see new variants of Ghost Rat in threat data. And I'll be like, oh, this is a new malware. This is fun. This is interesting. And then it just ends up being Ghost Rat in a hat.
C
Yeah, back in the day, Ghost Rat was just everywhere. When I was at the FBI working Chinese matters, I mean, it just seemed like every time we would go out and do some kind of an IR at a victim company, it was always Ghost Rat. And then it became so prevalent that if you saw Ghost Rat, everybody just naturally thought, wow, it's China. But then naturally, it just became very prevalent where, you know, everybody was using Ghost Rat.
A
Yeah, it was definitely one of those things where sometimes you have malware that starts off as belonging to a certain threat actor, or you can use malware for attribution of a particular state or adversary or group. But now I feel like that's not really the case anymore. I feel like a lot of that old school malware is used by a lot of different threat actors. And there also really isn't any. There's not a whole lot of malware, at least let's say, that is only used by one threat group.
C
Yeah. And I think, you know, they've kind of pivoted to that to make attribution a lot harder. Whereas back in the day with some of those first cyber espionage campaigns, you know, they would develop unique, you know, malware packages, and then that became, hey, well, that's China or that's Russia. But they've kind of learned to blend in with the other noise. The other neat thing about Ghost Rat was because it was one of those first RATs used for cyber espionage. You know, if our listeners don't know what it did, it would log the keystrokes, it would capture screenshots and activate webcams. You know, to really be able to steal any of that intellectual property on the computers, be able to, you know, videotape conferences, really, anything like that. So the victims really had no idea that their systems were haunted back in those days.
B
Now, how does, now, yes, I use words for a living. How does it come to pass that a tool like Ghost Rat becomes so widely used? Are people who are not the original users, does it somehow get shared or do they reverse engineer it? Like, what do we think is going on there?
C
I think it was just really developed as a, you know, a remote admin tool in China, and it became predominantly used by nation state actors, but it really wasn't a nation state tool. So, you know, designed by the PLA or the MSS, it was just one that was adopted by actors. So it was out there in the wild. But at that time we really weren't seeing Chinese e-crime actors attacking the United States. So really anything coming out of China back in those days was predominantly nation state. So that's kind of how Ghost Rat became associated with PLA actors at the time.
A
And now you have the builder available online, which I believe it has been around for quite some time. And so it is openly available. It's like one of those tools that you see various criminals use, adopt, add their own little flavors to it, clone existing repositories or existing samples of it. And then sometimes they'll add additional features that might make it seem like it's something else. But then when you kind of do like code analysis, it's like, okay, this is, this is just Ghost Rat or like an evolution of Ghost Rat. Yeah, so a lot, I feel like a lot of times these things just kind of end up online and then threat actors can use however they want. But interestingly enough, at least when we see it, it is still predominantly used by Chinese speaking threat actors. We mostly see it in those types of campaigns.
B
I've also seen variants. Like there's one called SugarGh0st RAT. Are you familiar with that? I think actually wasn't it Proofpoint that originally spotted that one?
A
Yes, it added a little sweetness to the spookiness.
B
Like. Like a delicious Halloween candy.
C
I thought you were going to go there for sure.
A
Yeah. And this one was actually suspected to be an espionage threat actor. So it was again a customized variant of Ghost Rat. So, you know, building on the existing tooling, and we actually named the, because we, you know, UNK clustering, unattributed threat clusters before they graduated to a full TA, we did call it SweetSpecter. So fully leaning into the naming conventions of this. So yeah, so it was kind of interesting. So you do see even espionage threat actors using the variants that are available out there, adding their own spice or sweetness, if you will. But yeah, it's one of those things that it's still spooky, it's still out there, and even old malware can come back to haunt us.
C
Speaking of old malware, that's a perfect segue because if we're talking about spooky malware, we really kind of have to go way back to the beginning, and how I like history. So we gotta go back to 1972 to the very first ever computer worm called the Creeper, which actually, if you're a Scooby Doo fan, since we did our Scooby Doo entrance as well, one of the Scooby Doo gang did go up against the Creeper in one of their episodes. But if you're not familiar with the Creeper malware, it was the first ever computer worm. And it was used as an experiment, but it wasn't designed to do any actual harm or anything like that. All the Creeper did was write, "I'm the Creeper. Catch me if you can." But all the data was left untouched. So it was a worm that would go through the ARPANET back in those days. And the Creeper actually inspired an early computer game called Core War way back in the day. So going way back to the beginning with the Halloween themes, it's hard to.
B
Imagine you're talking about 1972. I mean, there basically wasn't any cybersecurity. It was all just the gentleman's and gentlewomen's agreements of, you know, that we are simply not going to do things. And so something like Creeper could spread with abandon.
C
So which actually led to the very first antivirus, so to speak, which was called Reaper, which was specifically designed to combat Creeper back in the day. So you have one thing led to another way back in the day.
B
Creeper without the R, without the C, I guess, right? Creeper, Reaper.
A
It also reminds me of the Cuckoo's Egg by Cliff Stoll, which talks about the first ever basically identified espionage hack at a university campus in California.
C
I think of a Stamper. Was it Berkeley? Yeah, Berkeley.
A
One of the. Yeah, Northern California Infiltration. And basically talking about how a discrepancy in the phone costs of like the phone line because, you know, Internet phone was still connected way back then. It's like, wait a second, there is some discrepancies in these calls or these telephone connections. And he fell down the rabbit hole.
B
See, the thing is, Selena, back in the day, we used to use wires to connect our telephone calls together. It didn't use radio, it used wires.
A
I mean, look, this is all before my time. I'm just walking down memory lane with you guys.
B
Aw, right. Like in a retirement home. Go on, Grandpa, tell us about Creeper. No, no, no, please go on. This is fascinating.
A
Well, speaking of. Because you mentioned. So Creeper was a computer program and it was a research project. Right? You were saying, like they were trying to figure out how it works. But we still see that today because you guys, I'm sure, are aware of PromptLock, the AI-generated ransomware. I'm using air quotes. AI-powered ransomware that ESET reported on that turned out to be, New York University Tandon School of Engineering confirmed that they created the code as part of a project to illustrate the potential harms of AI-powered malware. So we still have scary research projects that creep up and confuse people and then they're like, oh, wait, we are continuing to investigate these spooky strains of malware. And it just so happened that some NYU researchers stumbled across something that blew up.
C
Yeah, I just read that article in Wired about the AI. Anthropic was also talking about how actors were, whether that was the same researchers or not, you know, abusing Claude Code to develop ransomware. And I think, you know, if we're talking about scary things, I think that's one of our big fears going forward with AI, you know, are threat actors going to abuse AI for malicious purposes to write code, to develop new exploits and ransomware variants or whatever is going to be the next, you know, big thing on the cybercrime horizon? But that's definitely one of the scary things on the horizon for sure.
B
Well, since we're talking about worms, can I point out two that I think are noteworthy? First, there's the Morris worm, which was 1988, I'm guessing still before your time, Selena?
A
Yes.
B
So in 1988, I was indeed using a computer, but Morris was the first worm to spread across the Internet and evidently it crashed about 10% of all Internet connected systems at the time. In fact, its creator, who was a gentleman named Robert Morris, which is why it's called the Morris worm, he was the first person convicted under the Computer Fraud and Abuse Act. Now, Keith, did you have anything to do with that?
C
No, not that one. That one's a little bit before my time, too.
B
Well, let me move on to ILOVEYOU, and I do love both of you, but that's not what I'm talking about right now. This is the ILOVEYOU worm, which was in 2000, and this one masqueraded as a love letter in an email attachment.
C
New dangers tonight from the love bug computer virus, this time disguised as a friendlier email. Copycats have now spread around the world. Bill Grafen joins us live. Bill? David, this is far from a childhood prank anymore. Experts say that the ILOVEYOU virus could end up costing the world economy $10 billion in lost work time.
B
It was really, I'd say, one of the first big email malware campaigns. Any recollection of this one from either of you?
C
Oh, I do. I do remember getting that on my computer.
A
Really?
C
This is pre-cyber days for me. And it definitely infected my Gateway computer back in the day.
B
Okay. See, those of us on planet Macintosh were smugly smiling and pointing our fingers at you poor Windows users back then. The pre-ubiquity of malware days.
C
Yeah, it got through my 28 bit modem back in the day.
B
Right, right. You had to wait 10 minutes to download malware while it.
A
Well, if you're waiting for that long to actually download and install the malware, does that provide a better window of opportunity for defenders? Is it bad that computers have gotten so much faster? Dave, should we go back to. Back to dial up?
B
Yeah, well, look, I will make the case that computers were much more fun when they were simpler and not ubiquitous and more hobby related where you had. Not everybody had a computer on their desk. And so it was a much more experimental period of time. It just, you know, everybody's got a computer, everybody's got a smartphone. But back then, I guess the pioneering days is what I'm pining away for, is when it seemed like every day there was new discovery and people were impressing each other with the things they could do, like new things they figured out to do with a computer that someone hadn't done before with these very, very slow, very, very incapable machines.
A
So it's like the age of exploration, but for. In the digital world.
B
Yeah, right, right. Do you want to go back to crossing the Atlantic on one of Christopher Columbus's ships? No, no. But I'm glad they did it.
C
I will take my, my tech now over those tech days.
B
Oh, absolutely. Yeah. I think, what was it say? You definitely want to be born at a time after the invention of antibiotics. I think Woody Allen said that.
A
And antivirus.
B
Well, there you go. See, there you go. Selena.
A
Inoculating against malware, you just always bring it home.
B
Nicely done, nicely done.
A
I like to go wrap things up in a little bow, like packages of malware, for example. And I think actually. So since we're talking about the before times and the happy times and how now everything is dark and dreary and we all have to be on watch for everything. But I actually think that no matter the era, whether it was in the time of the Egyptian water clock or the time of dial up Internet or Dave phone phreaking, there has always been a threat of social engineering. And I think that that is baked into human nature. And regardless of the tools and resources that are available to us or where we're going, where we're shopping, what we're selling, hawking snake oil, literal snake oil. That to me is something that's very, very spooky, is social engineering. And the cleverness of social engineering, especially that has emerged recently. And my number one, the thing that I hate the most, we talk a lot about espionage. I know that there's, and we can even talk about this too, is like malware that targets safety systems and industrial control systems that can lead to physical disruptions. That is also very scary. But one thing that really makes me angry, and it is a little spooky, is pig butchering. Pig butchering. It's called a pig butchering scam. The FBI says this scam is known as pig butchering or crypto confidence fraud.
C
Pig butchering cost Americans nearly $4 billion last year alone.
A
And like romance scam and crypto investment fraud, scamming. And it has blown up in the last few years. And it's a fundamentally social engineering based thing where threat actors are using the phones and our computers and the tools in our hands because we're online all the time to manipulate people, hack your brain, hack your emotions, into sending money, into making you feel a certain way, making you feel loved, making you feel wanted, and using that to steal your money. And to me, that's the worst. I think that that's the scariest. I talked to a lot of folks lately about this type of threat just in my community. I've been trying to do a lot more training, especially with older folks. And I have heard many stories lately about older folks getting romance scammed. And it just breaks my heart and it's just. I hate it.
C
I think that's the worst level of criminality. You know, when I worked undercover and, you know, working with all the e-fraud guys and the Russians, there was kind of this unspoken code with the groups that I was in, that you were attacking corporations because the corporations made the people whole. So it was kind of going after corporate greed of stealing credit cards or taking money out of bank accounts because the corporations would make the people whole. And it was kind of an unspoken thing where you were like the low of the low if you were targeting individuals, you know, so at least the groups that I worked with, you know, undercover, it was like you wanted to go after the corporations and not the people. And so when you're talking about the pig butchering, those are just, you know, the worst of the worst, in my opinion.
B
We talk about this over on the Hacking Humans podcast a lot. And it's just heartbreaking because you'll have cases where someone gets caught up in a romance scam and their family cannot convince them otherwise. They, I mean, it sounds crazy, but they really believe that Keanu Reeves is getting ready to marry them and they will lose touch with their family. They'll push their family aside in pursuit of this fake romance that has swept them off their feet and can cost them their life savings. And it really is heartbreaking.
C
I actually talked to a friend of mine who had a friend that was getting romance scammed and they were talking to that person and the person basically said, yeah, I know that that's probably not the case, that they're not going to marry me, but when I talk to that person, I feel good and I don't have anything else. So if I'm paying the money to feel good and feel wanted, they continue to do that even though they're confronted that this is all fake. And that's just really. That's heartbreaking.
B
It is. And I guess on the one hand, if you are self aware and know what's going on and you can afford it, you know, the same way as someone going to a casino to play slot machines just for fun, knowing that they're going to lose money but be entertained in exchange for it. And I guess there's nothing wrong with that, but it's really these cases where people lose everything and get their hearts broken and just these, it's just despicable.
C
Which actually kind of pivots into my next malware, which is Trickbot. So you can't have Halloween without Trick or Treat. It is one of my favorites because one of the guys behind it is just, I guess, one of my all time favorite cyber criminals, Vitaly Kovalev, who is in my opinion one of the original OGs of the cyber underground. But do you have trading cards? I do not have trading cards. I need trading cards, Dave.
A
That's a great idea actually. Yes. Keith Mularski trading cards.
C
Yeah. So Trickbot has been around since 2016 and it really was initially designed to steal financial information like banking credentials. And it was the successor to a previous banking Trojan called Dyre. But what made Trickbot special, it was kind of like a Swiss army knife for cybercriminals. It had plugins and modules that could be loaded to perform different types of attacks, such as credential theft, keylogging, stealing emails, and, you know, spreading throughout networks. So it would worm its way, like we were talking about worms, across networks, move laterally and maintain that persistence. So that's what made it so scary. And there was a big botnet built for that, and it compromised millions of computers worldwide. And it was kind of one of those first malware as a service type platforms that's out there. And that was taken down in 2020 with a big operation by Microsoft to dismantle Trickbot's infrastructure. They went after the C2s or CnCs. It didn't actually kill it completely. But my favorite thing is with Vitaly Kovalev, though. During the Trickbot operation, they actually ran a film distribution company called 25th Floor Films in the heart of Moscow. And they would hire people for their coders, and they were legitimately distributing Russian films as a way to launder their money. So it's just a fascinating case study of organized crime in the 21st century. And he wanted to make a movie about himself.
B
Well, who wouldn't?
C
Yes.
B
I have one. I am not exaggerating that this one disturbs me more than any that I've seen in a while. And this one came from you and your colleagues, Selena. This is Stealerium. So many of us have seen the common scam that you'll get via email. And it says, hey, I've hacked into your machine, and I've been watching you through your webcam, and you've been visiting some naughty websites, and you should be ashamed of yourself. And unless you send me some money, I'm gonna send pictures of your naughtiness to all of your friends and family. But of course, it's an empty threat. It's just trying to scare you into sending the money. Well, Stealerium takes it to the next level. Am I saying that right, Selena? Is it Stealerium or Stealerium?
A
That's a great question.
C
She's like, I didn't name it.
A
I think we were saying Stealerium.
B
Stealerium. Like delirium.
A
Okay, that's just how I was saying it. But it's, again, one of those words that you just read and don't say out loud until this moment when you're.
B
Asked to pronounce it. Until you have to. Yeah, I have to say all these out loud. So what these folks have done, and please, Selena, feel free to jump in here if I miss anything or get something wrong. This is an infostealer that gets installed on your machine, and it can detect when you're viewing adult content. It'll take webcam photos, so it'll take a screen grab of the adult content you're viewing, it'll take a snapshot from your webcam, pair those things up and then send you the blackmail letter as leverage. So it's taking that thing that was an empty threat and making it real.
A
I would point out Stealerium is a typical information stealer, but it does have the addition of not safe for work content searching. The default configuration has a bunch of strings that could be configurable by the operator of the malware. But basically there's a function in the malware that will query a victim's open browser windows to see if any of the following words are in the titles of open web pages. So it's actually literally called porn services, but there's words, and apologies for saying porn and sex on the podcast. There were a couple others that I'm not going to say on the podcast that we did black out in the research because they are not safe for work. And yeah, so essentially you can configure adult content words. And so it looks like the operators of this malware could potentially use it for sextortion activities. And we did actually see a couple of adult themed lures that were related to the distribution of Stealerium. Not hey, I'm going to expose you, but check out my adult content, that was actually distributing this particular malware. We didn't actually see follow on activity from this malware, but based off of the functionality of the malware and some of the configurable components of it, it could be used for sextortion. Which is very gross because yeah, I've actually had friends who've emailed me or sent me emails like, oh my gosh, some guy just emailed me, said he's going to expose me if I don't pay him in Bitcoin. I'm freaking out. He says my computer's hacked. And, you know, I go over to my friend's house, look at their laptop. It's not hacked, it's just, you know, empty threats basically. But yeah, with this type of malware they could have this automated capability. It's not just looking for your banking credentials or your passwords and, you know, clipboard information, crypto wallets. But it's also, with the addition of the sensitive adult content, personal information, that adds an additional layer of absolutely disgusting capabilities that's really just horrible. I mean, it's bad enough stealing your banking details, but when you sprinkle on just gross behavior, it's just so much worse.
B
Well, I want to apologize to Keith for all of the tasteful nudes that I've sent him. Just to say, Keith, do you think this image was stolen or not? And Keith sends back and he says.
C
And you sent it over as like cat videos to me? Come on, Dave.
B
Yeah, that's right, that's right. And he says, I can only block you so much. So bleach out his eyeballs.
A
Yes, that's important. It's also worth noting here too actually, that since we published that research, it is no longer available on GitHub. The URL published is no longer there. So that's good for you. Yeah, Much, much appreciated. Even though it said for educational purposes only.
B
Oh yeah, that was another thing that grinds my gears, right? Like, you know, I'm just putting it out there, I'm just asking questions. I'm just putting this out there for people to experiment with. Do what? To be sure not to do anything illegal.
C
That was always so funny on a lot of the cyber underground forums. The criminals would have this big disclaimer at the beginning in order to enter into the forum. It would say, you know, everything being discussed here is for research purposes only. There's no criminal activity. And you're like, okay, yeah, you know, like that was going to indemnify them.
B
Keith, how many times did someone ask you if you were a cop?
C
Oh, so many times. Like, people would think that I had to tell them the truth, right? I'm lying about my identity, I'm giving them a false name, but all of a sudden I have to tell the truth when they ask me whether I'm a cop or not.
B
It doesn't seem very sporting of me. It doesn't seem very sporting, Keith, that the FBI is allowed to lie to you, but lying to the FBI is a crime.
C
Yes, I guess it's, it's a little one sided there, isn't it?
B
Yes, it is.
C
It worked for me though.
A
Steve, you were trick or treating. Basically I was. Is trick or treating social engineering? Is that. Are we teaching our youth of the world early to social engineer their neighbors into giving them candy?
C
I want the big chocolate bars. That's what I want. I don't want the fun size, I want the full size.
B
Well, that's our strategy in our neighborhood is we give away full size candy bars as insurance against anything bad happening to our home. Right. Like any of the tricks. And I think trick or treating is, I mean there is the threat of mischief if you don't give me a treat, then there will be a trick. But you know, straightforward deal. It's a transaction. We all know what's up with that, I guess.
A
Yeah, it's a little bit. It's too transparent to be real social engineering. But it is introduction. Entry level. Entry level social engineering.
B
Right. The thing that gets me is when you see like the same Spider man come around five times.
C
You know, honestly, any 17, Dave, any.
B
17 or even worse, like high school kids who don't even bother with a costume. They're just like, give me candy.
A
I will give those kids candy. They can come to my house. I love it. I'm like, you're out here trick or treating. That means you're not getting into any other trouble. I'll give you my fun size candy bars. But also I never get trick or treaters at my house. So I love it when they come back because I have to get rid of candy, otherwise I will end up eating it all.
C
We, we always have at our place, we have, we have for the kids, we have the candy and then we have a little cooler on the side for trick or treat for mom or dad too. So yes, that's always important.
B
Yes.
A
Extra layer.
B
We have a box wine along with plastic cups.
C
So you're really going trick or treat, right, Dave?
B
Well, you can get some red or you could get some white, whatever. Let me tell you, parents are gracious, they're grateful. It's merciful on Halloween night when you're out there with all the kids.
C
I knew every house in the neighborhood that had adult trick or treat beverages when I took my son around.
A
So what I'm hearing is I need to go spooky season at Dave's neighborhood.
B
Yeah, yeah. People come from all around because they know they're gonna get full size candy bars.
A
Well, I do think that it's probably worth talking about at least one more spooky malware because I think it's interesting and I'm curious to hear your guys' thoughts, because one of the things that I wrote down was Trisis, which was a malware that targeted safety instrumented systems at an oil and gas facility in Saudi Arabia back in 2017. There was a handful of ICS specific malware that could cause disruptions to industrial control systems if deployed correctly. And this particular one specifically targeted the safety equipment, which I thought was extra scary because it could have very, very bad impacts. It didn't. Thankfully, it was detected and disrupted. In 2020, the U.S. Treasury actually sanctioned a Russian government research institution connected to developing this malware. What I find so interesting is we just don't see very much of it reported publicly, of course, and I think, you know, targeting safety equipment is particularly heinous. But also I think it's so interesting because stuff as basic as ransomware can have widespread disruptions to operations. Not necessarily the safety equipment, but you just disrupt some of the actual operations. They have to turn off production, they have to, you know, things really grind to a halt. But it's not disrupting the pieces of the environment that could potentially cause a catastrophic incident and loss of human life. The flip side of that though is you have ransomware that targets hospitals that does actually impact human life. So I think that, you know, what I'm curious about is your guys' thoughts on this sort of, I don't know, era of malware that can have real world physical impacts. Is it getting worse? Is it getting better? Like what are we kind of expecting?
C
Well, I think just what you said is kind of the segue. The next variation was the BlackEnergy malware that targeted ICS systems back in the mid 2010s, somewhere around there, which then led to NotPetya, you know, so very destructive attacks. And when you're thinking about targeting ICS or control systems, you're talking about some of our most sensitive things, and especially our energy grid, of, you know, being in the dark. If we're talking about scary things, you know, shut down dams or release water from dams, or, you know, take control of all those SCADA systems. So that's probably some of our biggest nightmares. And we're just still seeing the evolution of those types of malware to be able to target those types of systems.
A
Yeah, I hope we're not going to see a huge one. Obviously we have seen some pretty significant disruptive things, but not the sort of blackout level event that I think a lot of people are afraid is coming.
B
I'm surprised there hasn't been more significant accidents where a threat actor releases something that they weren't intending to do damage to ICS systems, but it just got loose and shut something down and a chemical factory explodes.
A
So I think it's important to note that defense in depth really plays a role here. So I think, you know, in cyber land we're so used to everything being like flat networks and, you know, everyone having admin access and, you know, it's very easy to sort of go through and expand across the networks and have these sort of catastrophic digital impacts. A lot of times the physical impacts to a lot of these things are because people just turn them off and not because a hacker successfully disrupted the safety or security of chemical materials or chlorine or oil and gas transportation. But yeah, I mean, Dave, to your point, I think it's because these systems are so secure and we have things, for example, like regulations that you have to maintain a certain level of safety and security within your environment. I don't know if you guys have ever watched OSHA YouTube videos that will reconstruct major disasters. Oh my gosh.
B
I have a friend who does animations for the, I think it's the National Chemical Safety Board. And they're the ones who reconstruct, when a manufacturing plant explodes or a chemical plant explodes, they go in and figure out what the heck happened and why. And they're so scary.
A
They are really scary. Yeah. And we haven't had quite like a cyber enabled thing leading to that type of disruption. And I think that's a great testament to the folks who are working on the front lines of OT security, both digital security as well as physical security of a lot of these environments.
C
And I think too that why we haven't seen something major is it really takes a special skill set to be able to penetrate these systems. That's usually reserved for nation-state actors. So when a nation state would be doing something, that's kind of an act of war. In one of the few times that we've seen a criminal do that, which was Colonial Pipeline, they kind of realized very quickly, whoa, we kind of maybe overstepped our bounds here, because now the whole US government was looking at going after them. So I think criminals, for the most part, they want their money and they want to blend a little bit more into the background. And from a nation-state standpoint, if they do something like that, that is an act of war. And you would think that there would be some kind of retaliation. So there is a little bit of that standoff, cold war type thing on those things.
B
Yeah, I think about our pal Allan Liska from Recorded Future. I don't know if either of you know Allan. Oh yeah, but everybody knows Al. But Allan says that some people really do deserve targeted drone strikes. And to me it's the people who go after the hospitals. You know, like the rules of engagement, the, you know, the laws of armed conflict say that you don't go after hospitals. Those are not targets. And here we are. And I wonder if the people who go after hospitals started receiving targeted drone strikes or some other kinetic response if that would. Even if we had international treaties that extended that to the cyber realm and said we all agree, same thing, you know, like, we're not going to use chemical weapons. Okay, great. We're not going to attack hospitals. Because with cyber, why can't we get there? It's frustrating.
A
Keith, you mentioned, you know, the groups that you were infiltrating did have some sort of standards of operations where there...
C
...was honor among thieves, believe it or...
A
...not. Among thieves, you just don't really have that anymore. To be clear, no hacking, please. But, but, but yes. Where, where are the gentlemen hackers, Dave?
B
Well, it's a funny story. Years ago, I was working at a television facility and we were transmitting our signal to a satellite and back down again. And I was talking to the satellite engineer and I said, you know, you're in charge of this dish that sends this signal up to the satellite to be received and then bounced back down to Earth. I said, what's to keep you from pointing your dish at another satellite and just jamming them off the air, either intentionally or accidentally? He paused for a moment and he looked at me incredulously and he said, "David, we're gentlemen." And that was it. Right?
A
That's why. Yeah, yeah.
B
This is probably 20 years ago, so simpler times. But you had those agreements that this is a shared space and so there are things we simply will not do. And I find it really troubling that, keeping your hands off of hospitals, they don't respect that. It's despicable.
C
There should be. If you look back at the old anti-piracy laws back in the 1800s and 1700s, where they basically called pirates the scum of the earth, in that they should all be hanged if they're caught. And so I think there should be kind of modern-day piracy laws for these scum of the earth that do attack hospitals or do ransomware types of attacks, to really have that global law like they did for piracy way back in the day. Because it's really no different, in my opinion.
B
Yeah, spooky pirates.
A
Yeah, we've really hit on maritime adventures in this podcast. Christopher Columbus, 17th century, 18th century pirates. I love it.
B
Want to hear a pirate joke? Always.
C
Oh, of course.
B
What is a pirate's favorite letter? R. You'd think it'd be R, but it's actually the C.
C
Well played. Well played.
A
Okay, that was good. That was good.
B
We'll be right back. You want to just take us out, Selena?
A
Of course. Thank you, Dave. Thank you, Keith, for this sail down memory lane of very spooky stories of malware. And I think, you know, moving forward, a lot of the stuff that we talked about today is still very much a threat. And we are still seeing the evolution of social engineering, the evolution of open source malware that's being retooled and reused. And we will continue to see potentially hospitals and those things that should be off limits continuing to get targeted. And it's more important than ever for collective defense, so we can make those ghost stories a bit of history. Thank you to all our listeners for tuning in. As always, we hope you have a wonderful spooky season and we'll see you next time.
B
Thank you to ThreatLocker, the powerful zero trust enterprise solution that stops ransomware in its tracks, for sponsoring Only Malware in the Building. Visit threatlocker.com.
Podcast: Hacking Humans (N2K Networks)
Episode: When Malware Goes Bump in the Night
Date: October 7, 2025
Theme: Deception, Influence, and Social Engineering in Cyber Crime
In this Halloween-themed episode, the Hacking Humans team takes a lighthearted but deeply insightful journey through the spookiest stories in cyber crime history. They explore infamous malware—from Ghost Rat to Trickbot—and examine evolving social engineering tactics, AI-generated threats, and attacks on critical infrastructure. The conversation is peppered with personal anecdotes, historical asides, and a clear focus on the ongoing human element in cyber security. The tone is collegial, witty, and animated, with genuine concern evident for the real-world victims of digital deception.
On attribution becoming meaningless:
“Sometimes you have malware that starts off as belonging to a certain threat actor, or you can use malware for attribution...But now...a lot of that old school malware is used by a lot of different threat actors.” — A [04:54]
On the first worm:
“All the Creeper did was write, ‘I'm the Creeper. Catch me if you can.’ But all the data was left untouched.” — C [09:38]
On social engineering timelessness:
“No matter the era...there has always been a threat of social engineering. And I think that's baked into human nature. Regardless of the tools…and that is spooky.” — A [18:20]
On pig butchering's human cost:
“You really believe that Keanu Reeves is getting ready to marry them, and they’ll lose touch with their family...It really is heartbreaking.” — B [21:31]
On Trickbot's bizarre operations:
“They actually ran a film distribution company...legitimately distributing Russian films as a way to launder their money. He wanted to make a movie about himself.” — C [25:05]
On Stellarium's escalation:
“It's taking that thing that was an empty threat and making it real.” — B [27:09]
Pirate joke highlight:
“What is a pirate's favorite letter? R. You'd think it'd be R, but it's actually the C.” — B [43:35]
The hosts close on the sobering note that, though tools and technology evolve, human vulnerability to deception and influence remains constant. Social engineering adapts even as specific malware strains fade or reappear. The most chilling developments blur the lines between technical innovation, organized crime, and real-world threats to life and safety. Continued vigilance, collective defense, and ethical boundaries (“no hacking hospitals!”) are essential if history’s “malware ghost stories” are to remain cautionary tales, not present-day nightmares.