A
Hello everyone, this is Tom Uren. I'm here with the Grugq for another Between Two Nerds discussion. G'day, Grugq. How are you?
B
Good day, Tom. I'm fine. And yourself?
A
I'm very well. This week's edition is brought to you by MasterCard. I spoke to MasterCard's Mike Lashley, their chief security officer, last week, all about why MasterCard got into threat intelligence and what it hopes to really gain from it. That's out on the podcast channel. So, Grugq, I've just produced the newsletter this week. One of the topics I spoke about with Amberly was this massive leak of documents relating to an Iranian APT, APT35, which is also known as Charming Kitten. And like, there's a whole lot of technical detail in there describing the organization. There's a really good blog post about the different organizational structures. So one of the questions Amberly asked me was, will this be the end of the organization? So the writer of one of the blog posts says, this is the end. They've revealed every single operative, every single front company, every single address, national IDs, everything. And my response was, this will disrupt the organization. This will be painful for them. But you're not going to disrupt a state from doing intelligence. Like Iran is going to keep wanting to collect intelligence. It's not going to stop just because some foot soldiers have been named. But sort of thinking about it a bit more, it made me think about what the point of the whole operation is and whether you can in fact deter a state from collecting intelligence. So that's what we're going to talk about today.
B
I think that raises some points that have nothing to do with this specific incident, which is the can you disrupt, like what would be the process of disrupting an intelligence agency's collection efforts for a long period of time? What are the things that you could, particularly with cyber. What could you do to interfere with your opponents then? That's a hard question.
A
Well, I can think.
B
It's an easy question. It's a hard answer.
A
Well, I can think of two examples immediately. Right. Probably even more so. I think the APT1 report, which was Mandiant, I think it was Mandiant back in the day producing a report which, like this one, it went to. This is the building. Here are some of the people. This is what they're doing. My understanding is that that was very disruptive for the PLA. And in fact the PLA unit, it kind of disappeared and is doing a different job now. And so I don't know if it was directly related. But there was a strategic restructuring around that incident.
B
Right.
A
So you would have to say that that's a win.
B
The second example, China no longer did any espionage after that.
A
So yeah, I think there is a big distinction between disrupting a unit and stopping intelligence. So clearly they did not stop collecting intelligence. But in terms of a long term disruption, I think that would. More than a few days, more than a few weeks. I think it was months.
B
It would set them back.
A
Yeah. And some of that is self-inflicted is not the right word, but that's a choice that the Chinese apparatus made. We're going to. This is such a big stuff up that we're going to change things and do things differently is my. Is what I think happened.
B
Right, right.
A
And then the second one is actually Shadow Brokers. And yeah, the Snowden leaks, I'll group them together. I think that is again, it didn't stop the US from collecting intelligence or its Five Eyes partners, but it was disruptive.
B
Snowden was very disruptive to the NSA and I think it actually, you could say it did stop them collecting because the rollout of SSL accelerated massively. And for example they used to collect on Google when Google was transferring between data centers and then Google encrypted that. So that blinded NSA to one of their collection points. So I'd say like it did stop them at least on some collection operations that they were doing. Like yes, cyber can do that.
A
Right. Yeah. It allowed people to impose countermeasures or whatever. It sped up countermeasures arriving and then that makes me think that this incident will have a similar effect on APT35 or Charming Kitten or whatever. It'll. It'll result in some sort of short to medium term disruption. Now I think both of those cases, NSA and APT1, it's the host government being sensitive to the political.
B
Yeah. Fallout. Yeah. Yeah.
A
And so maybe, I guess it's possible that Iran will go, oh whatever, just keep going. I don't know, I'm not an expert in that sense to know whether that will be true. But it doesn't seem like revealing everyone's name stops you from hacking. Right. There's no direct. Like it's not like I can't touch keyboard. Yeah.
B
Like it's not. If you reveal like the location of a safe house in London, that safe house can no longer be used. It ceases to function. Whereas if you reveal the location of an office in Tehran where people go to do hacking, they can still go there tomorrow. Like nothing has actually changed. But I do wonder in a way if there might be secondary effects. So like the second order effect might be that by releasing the list of target companies or the victims that were being targeted, they might take steps. Like they might have not been as particularly careful as they should be.
A
Right, right. So again, countermeasures.
B
Right, right. That they might be like, oh, okay, since we're in the crosshairs, maybe we should invest in that patching cycle that we've been putting off.
A
Yeah, whatever.
B
Right.
A
Yep. Now my other thought was that this Iranian case, I got a strong feeling that it was the Israeli intelligence that was providing.
B
That's, you know, I hate to judge before all the facts are in, but.
A
The giving these materials to Iran International, that was the media outlet that published them. And it was like for various reasons, which I won't go into, but it made me wonder about what Israel's purpose was. So it's actually been, I think this is the fifth in a series of leaks from October this year. So there's obviously a timing thing. There's been that actual bombing of Iran and so it seems this is timed somehow to take advantage of that. But it's not exactly clear what the purpose is. So, I mean, the purpose is to disrupt it. But is there a deeper, I guess, coordination or orchestration with other things to try and amplify the effect, which is what you and I are always looking out for.
B
Yeah. So I, I've been keeping a little bit of an eye on this. I'll. I'll be the first to admit that I don't know very much about the Iranian scene. So these sorts of like deep dive details with like a whole bunch of Farsi documents. Yeah. I don't get very deep on it, but it doesn't seem to be linked to external actions of any sort. There seems to be some internal logic to it that is following that is not obviously like, it's not obvious that like, oh, there's a car crash, oh, there's another car crash. There are like five simultaneous car crashes that all killed the heads of cyber. And the same day, then this thing came out where it's like some sort of combined arms cyber intelligence offensive. There's nothing, it's nothing obvious. At least I think it's a self contained operation from what I've seen. But it, it's had this like rolling effect where like there was the first one that came out and there's a whole bunch of like, ooh, this is pretty bad.
A
Yeah.
B
And they were like, there'll be more and everyone's like, oh, this is going to be good. And then there's the next one that came out and like that was pretty good. And there's another one that came out. So I think that this, you have to say that part of the operation is that this sort of repeated like these hits that just keep coming on a regular basis saying, right?
A
Yep, yep. So Machiavelli, he said that if you had bad news to get it all out at once and then people move on. And this is the exact opposite of this. It's like bad news, more bad news.
B
Right. Drawing it out, you know, reminding people, hey, these guys suck.
A
You know, a month, a few weeks later, they still suck. They suck even more next week. Yeah.
B
Remember them? Yep. They suck.
A
Yeah. So one thing I was thinking about is maybe the. So this is a department of the IRGC, the Islamic Revolutionary Guard Corps, is it? Revolutionary Republic? Anyway, it's a department of that. So they could lose faith in these particular people. So it's possible that these particular people who run this hacking outfit could not be employed by the IRGC anymore. And so there would be quite a disruption to find other people. But it would be. They will find other people, right?
B
I mean they already have other people, even if they just shift workload around. It's. Although I guess Charming Kitten has been around for quite a long time. So there might be some institutional knowledge that is being lost. There might be sort of personal relationships which have been used to get around bureaucracy, ways of doing business that have been established over years that will have to be rebuilt. And while they're being rebuilt, they'll be very inefficient.
A
Yeah. So I guess from an Israeli point of view that would be the absolute best you could hope for, that the actual department 40 organization will like all those people will be left jobless or.
B
Cash out, you know, like which I.
A
Find hard to imagine. But I suppose that that seems to me to be the extreme and it would be.
B
Right, Right. Well then, I mean I think it's realistic to assume that there's going to be a lot of like there's going to be a lot of shouting at some closed door meetings. But here's what I think might be a side effect of this prolonged release, then release, then release, then like this. At some point they're going to get acclimated to it, you know, oh, what's it this week They've published your internals. That's nothing. They really have it in for you guys. The first one is probably a big shock and the second one is like this is getting worse. The third one's like, eh, I guess it's still getting worse. Then the fourth one's like, geez, don't they have anything else to do? By the fifth one, it's like, okay, we get it already.
A
Well, I mean, another thing is probably if you're that badly compromised, it makes you think that you've got to rebuild all your infrastructure. So that would be a pain.
B
Yeah. And so like, if you think about it, by the time you get to the fifth release, all of the sort of countermeasure responses that you would have had to do, you would have kicked off. Right. So the first one might have been like, okay, maybe it's not so bad. We can like, we can weather the storm. The second one comes out like, you do your full damage assessment, you go through and you're like, okay, let's just assume everything is burned. Let's bite the bullet. We'll do the big, the big rebuild, the big whatever. And then when the third one comes out, it's going to be like, yeah, we've already mitigated this. It's just like this is historic data that's still coming out.
A
What else can we do? We're cooked, right? We've hit rock bottom. This does seem like as bad as it could possibly get for a state intelligence service. Like it's the gold standard for state doxing, I suppose. But it also makes me wonder about what could you do against China or another state, for example? Like this seems to be a particular case that is probably as good as it's going to get, but I think it's. Well, I was going to say the jury's out on how long it's actually going to disrupt this organization, but something will come back.
B
What I would. So what I would say is I think that this might be unique to the Iranian intelligence apparatus because they rely so heavily on this ecosystem of contractors. I think that if you hit a contractor, then it will cause disruption simply because the contractor is vulnerable in a way that a state service itself is not. And, broader, by removing them, you might deter some of the other contractors in that ecosystem. So I think that this sort of attack is likely to work against that environment, if it's going to work at all.
A
Right. It did strike me that the numbers of people they were talking about were rather small. So the whole organization is 60 people.
B
I think that's actually quite big for an Iranian organization, right?
A
Yeah. Yeah. So I guess that that goes to the scale of the whole industry, right?
B
Yep.
A
So if it's China, it's probably, I don't know, 100 fold bigger thousand.
B
Right. Like this.
A
And that makes it a harder target.
B
Like we've had similar sorts of things with China. Right. Like we've had leaks that have come out in that and it's, it clearly hasn't stopped them.
A
No, it to me that those organizations, it was never quite clear how many people were in them, but they didn't seem like bigger organizations. It just seemed like there were more different contractors.
B
Yeah. So my impression is that Charming Kitten is sort of, they've been in the space for a long time. They've got a serious longevity, they've been around for years. They've probably got something of a privileged status given just how long they've been operating. It might be like, you know, if you come at the king, you bet not miss. Like they might be going after the top dog as a threat to everyone else in the environment. Whereas, like, if, if even the guys with the 15 years of experience and the really close friendships and like all these good relationships, the huge team, if they can get got, if they can get taken down, what chance do you have?
A
Right.
B
Again, like, I think this is very unique to that environment. Like there's a chance that it might have a deterrence effect on other players and that would eventually impact the IRGC's ability to collect itself. It's the sort of thing where, like, if you, you take out this unit, it could disrupt a whole bunch of other units which would actually have an impact. But that, for example, wouldn't work as a strategy against Norway or the Netherlands or the UK. Right. Like that. Because they just, they don't have that sort of structure of cyber. You just.
A
Well, yeah, that's. Is it a principal-agent problem where the, the interests of the contracting companies are slightly different from the interests of the state? Whereas when it's the state doing it, there is no principal principle solution. Yeah. So I was thinking about the Chinese ecosystem, where it seems like the companies, they don't feel like they're any bigger. Maybe, probably some of them are, but it would be very difficult to deter them because there's just so many of them. So, you know, it's whack-a-mole. So if you indict one or launch a hacking campaign where you wipe their servers, what are you going to achieve? There's plenty more to pick them up.
B
Right. Well, someone's just going to look at it as an opportunity of like, okay, if they're out of the way, then it means that their contracts are up for grabs. Let's schedule a lunch with. So I think this is because we're speculating. It's very hard to tell, but it seems to me like the determinant, like the thing that would decide what's going on here is whether it's a very competitive ecosystem or a very collaborative one. Sort of like, do they look at each other as everything I can steal off his plate is more for me and you know, screw him, or is it like, you know, we're all getting some, you know, let's work it together. You know, we're like, if they're inherently competitive against each other, they might just view it as like, well, you know, those idiots deserve what they got.
A
Sucks to be you.
B
We would never. Right. You know. Well, I think it's worth considering, like what is the effect going to be on the agency farming out the work? Right. Are they going to look at this and say like, we should no longer rely on this ecosystem as a means of doing business because it's inherently vulnerable to whatever the security practices are of all of these individual firms.
A
Right.
B
So let's make a concerted effort to move away from this and restructure around internal capability and do some capacity building. Or is it just like these things happen?
A
So my impression is that there's a kind of layered, when it comes to China, a kind of layered approach where you've got top tier teams that are actual state employees and they might do the really hard stuff and then you've got a whole lot of contractors who do the not busy work, but the low equity, hack the planet type work.
B
Hack the planet ops.
A
Right?
B
Yeah.
A
And it was, it's like, you know, broad based targets, but we just want to get something. And so that to me seemed like a very difficult problem to actually try and stop them because there's so many of them now. To me it's always made sense to focus on the groups that are your biggest problem. And so if you can disrupt them, even if it's like you know, 10% or 15% over a long period of time, like just slow them down.
B
Right.
A
That probably is still a good use of resources.
B
Right. If there's an 80, 20 there somewhere where like 80% of the problem is caused by 20% of the teams. So if you can focus on those 20% and disrupt even some of them, it will have an outsized impact down the line.
A
Yeah, yeah. So I guess, I think, what was it, the Dutch AIVD where they got onto the, was it the security cameras of some, was it SVR, some Russian?
B
I think so, yeah.
A
Some fairly competent Russian group. That seems to me like, yeah, that would be a really good place to go. And that would give you a heads up on many different things depending upon if they could see what they were typing, I guess. But potentially that kind of operation focused on that kind of group if you got a good insight.
B
So I was just thinking what would be very, very amusing is if at their office suddenly a whole bunch of very high end cameras show up.
A
Who ordered this? I don't know, I thought it was you. Let's just install it.
B
Let's just install them.
A
Anyway. That style of operation I think could potentially pay a lot of dividends even if you don't stop every single operation. If you get some insight and it allows you to react quicker or.
B
Well, I mean, you'd be able to do certain sorts of correlations. Right. If you suspect that that group is behind an operation, you can monitor with tcpdump and see the traffic. And also look, if there's hands on keyboards and correlate that, that could be a thing that you could do. So I guess one of the things that sort of reminds me of is how does the intelligence agency engage with an adversarial intelligence agency when you have your counterintelligence operations run through and you now know a lot of information about them. So some of it you keep secret because it's very useful, but some of it you can actually use in an attack of some sort. So how would you go about doing that in a way that's most beneficial for you? And I'm not sure if I've brought this up before, but one of the ways that the FBI used to manage the KGB was if there was a KGB officer who was particularly good, who was just very capable, what they would try and do is find some way of setting him up, framing him, catching him in the act on something just so that they could expose him and do a persona non grata. They could PNG and kick him out of the country to interfere with his career. And therefore they would get rid of the people who are competent, leaving. You know, if there's someone who's easy to monitor, you leave him in place. Because that's like, that's ideal. That's the guy you want. And anyone who's good, you get rid of them because they're a problem. And the last thing you want is for them to become more of a problem.
A
Yeah, yeah. I think that's the same principle as the. I think you called it 80/20. I guess aiming at the most capable groups. I suppose it's better because it's a bit more final in that once you evict them from the country, they're gone out of the country. Whereas you can't evict a cyber espionage group from the Internet.
B
Yeah. Once you've evicted them from a VPS, they're gone from that VPS. Yes. I think conceptually it's the same sort of approach, though. It's that if you can get rid of the biggest threat, then every threat afterwards is at least smaller and easier to deal with for a while until someone else takes their place. But I wonder, will this actually get rid of that threat? Will it disrupt the relationships that have allowed it to stay in business? Will it. Are you talking about the guys?
A
The Iranians?
B
Sorry. Yeah. The Charming Kitten incident. Like, will this have the intended effect? Because, for example, when the indictments were going on against the Chinese, it ended up becoming a sort of badge of honor of like, you know, you are so competent and good at your job that the Americans have singled you out for praise. Would it have that sort of effect? Would it go from, you know, oh, my God, we've been burned, everything's terrible, to we are such a big deal that the Israelis bent over backwards and spent months talking about us because we're so good.
A
Yeah. So that seems like a job that the intelligence agency, the Israeli one, presumably that would be their job to try and figure out what effect this will have. Now, I don't know. I can imagine all sorts of effects. So in a way, it felt like a family business where there was one key person. So maybe that destroys their relationship with their higher ups, in which case maybe it's super effective. Or it could be exactly what you said. You know, they're focusing so much effort on us, we've got to be really important. Therefore you should double down. And it's totally unclear to me.
B
Yeah. By the way, if they do use that as their PR line, do not pay me in any way. I don't want to know about it.
A
Yeah, yeah, yeah. So it's. I mean, I guess we'll just wait and see. My gut feeling is that it'll have some sort of disruptive effect and it'll be, in a way, the gold standard for having a disruption. That's my. My guess.
B
Right.
A
But I'm not. I think maybe you're right. And that it's a unique situation. Like it's the Goldilocks sort of size of state where you can disrupt it.
B
Right. And it's their particular organizational. It's a particular structure of their intelligence ecosystem, the way that they do their intelligence work that makes them vulnerable to the sort of thing. Right. Like if you get to China, it's a similar setup, but it's just so big that you get lost. And if you go, it's probably a similar setup in other countries, but, you know, they're so small that, for example.
A
Other countries that are the same size, probably no one cares about them.
B
I was just going to say this reminds me actually quite a lot of my understanding of how the Pakistani cyber intelligence works, that it's these personal relationships that get set up between generals or colonels and then these civilian providers who get a lot of benefit from being associated with the military and these guys in power. So you have basically, this might be something that India could do against Pakistan. It might be. I'm not sure because I think the downside for India is that they also have a similar structure. So it's something that Pakistan could do to India as a response.
A
Yeah.
B
So that could be interesting of this.
A
Also, which maybe also makes Iran unique, is that many of the operations were in support of pretty extreme things like assassination attempts.
B
Right.
A
In foreign countries. So that seems like the sort of operation as a state you don't really want to be associated with, like, at all, even. Yeah, Iran.
B
Yeah.
A
And so, you know, maybe Pakistan, it does more air quotes, normal intelligence operations that are less. That are more just collecting intelligence rather than collecting intelligence for the purpose of killing people.
B
Right.
A
And so it makes them less susceptible to the. The doxing because it seems less outrageous.
B
Yes, that's a good point. I think that might just reinforce just how uniquely vulnerable Iran is to this attack. Probably you can find elements of what Iran is doing in other countries. You know, lots of places will use this contractor ecosystem. There's a few other countries that do assassinations, but are there countries that do assassinations using contractors, that.
A
This is a unique case study. Absolutely useless for telling us anything about anywhere else.
B
Thanks a lot, Tom. Thanks.
This episode delves into the impact and effectiveness of massive intelligence leaks on state-sponsored cyber-espionage groups. Sparked by the recent, comprehensive leak of documents tied to the Iranian APT group “Charming Kitten” (APT35), Tom Uren and The Grugq discuss:
Charming Kitten Leak Context:
Immediate Impact vs. Long-term Deterrence:
APT1/Mandiant Report:
Snowden & Shadow Brokers:
Key Insight: Leaks accelerate defensive measures on the part of both the exposed intelligence agencies and their targets (organizations, companies).
Short- to Medium-term Disruption:
Targeted/Leaked Victims React:
Purpose and Strategy of Leaks:
Possible Organizational Consequences:
Contractor Reliance:
Scale and Targeting Difficulty:
Potential Ripple (Deterrence) Effect:
Whack-a-Mole Problem:
Effect on Agencies:
Resource Allocation:
Target the Most Capable:
Potential for Backfire or Counterproductive Outcomes:
Goldilocks State:
Comparisons to Pakistan & India:
Severity of Operations:
Tom Uren:
The Grugq:
The hosts conclude the sustained leaks against APT35 are the "gold standard" in state-level doxing and disruption, possibly uniquely effective due to Iran’s reliance on contractors, organization scale, and the nature of their operations. However, they remain cautious about generalizing to larger, more resilient or differently structured state intelligence agencies (like China or Western states), emphasizing the need for continued observation and context-sensitive strategies.