A
Hello, everyone, this is Tom Uren. I'm here for another Between Two Nerds with the Grugq. G'day, Grugq, how are you?
B
G'day, Tom. I'm fine. And yourself?
A
I'm well. This week's edition is brought to you by Sublime Security, a next generation email platform. Find them at Sublime Security. So this week there's this story. I'm reading it from Kim Zetter's site. What is it? Zetter, Zero Day. And she talks about Stryker, which is a medical device manufacturer I'd never heard of.
B
Yeah, that household name.
A
Yeah. So according to Kim, they're a leading maker of medical devices, but they've been hit by ransomware from a known Iranian hacktivist group named Handala. Handala. H A N D A L A. And, like, it sounds pretty serious, like lots of people not working.
B
That's awful. I would. I would hate to be struck with not working.
A
For a short time at least. That's fine.
B
Yeah.
A
And obviously I've been thinking about Iran, the war there, and what that means for its hackers in the longer term. So my first thought was that in the short term, and as of last week, this is as far as I got, was that I'm not particularly worried about Iranian hackers because they'll just have other things on their mind and.
B
And they don't have Internet right now, so it's sort of like.
A
Yeah, so they. I mean, in the past we've seen them use Starlink to do hacking, I think if they would like. The problem with that is that that could also be blocked. Like, it would be not hard to, in the grand scheme of things, to get Starlink to turn off a few terminals.
B
Right. And realistically, if you need five guys with a portable hard drive and $10,000 to buy new equipment, you can give them that and put them across the border anywhere you like and say, go shack up in a hotel, buy the premium Internet package, get some laptops and have at it.
A
Yeah, yeah. In the very short term, though, like, there have been a couple of stories that the IRGC's, the Iranian Revolutionary Guard Corps' cyber headquarters were bombed, or cyber warfare headquarters was the term I heard or saw in the reporting. There's another unconfirmed story that a hacking office, an office for some threat actor group, was bombed. And then there's a story that a particular individual hacker who was on the FBI's most wanted list was actually killed. So it seems like Iranian state hackers were in the country, their facilities, or at least to some degree, being targeted.
B
Right.
A
And so, yeah, They've got other concerns rather than.
B
And they're probably more worried about like, getting food, water, electricity, and like staying alive in the middle of a bombing campaign as opposed to what the return to office policy is at that particular moment.
A
Yep, yep. And so that was kind of as far as I'd got short term, this article. Well, first of all, what it made me think was, what's the point?
B
Oh, okay.
A
So, yeah, I knew you'd have thoughts.
B
What is the point of cyber during war? Yeah. So look, I think, like, it's very interesting, the situation that Iran is right now in terms of wartime cyber, because on the one hand I've, I've said a lot that, like, espionage is where all the value is during war.
A
Yep.
B
Right. But I think that that's only true if you have a military chance in hell, using the technical terms. Right. Like if you are Iran versus the U.S., I think even having, like, complete access to every message that the US military is sending itself would not help you in any way militarily. I mean, it would be so minor.
A
A little. Yeah. And you don't have the conventional capability to take advantage of it.
B
Right, right. You couldn't exploit that access.
A
Yep.
B
Right. Like, even if you had it, you couldn't really do anything with it, so you'd still get crushed. So I've argued that effects, particularly if you're trying to coordinate with military action, are extremely hard to do in a way that is relevant.
A
Yep.
B
But if you have no military to speak of in a way, like if your military is unable to coordinate regardless, you could just do effects for effect's sake, you know, just for the hell of it, really. And the way I see it is if you have an extremely unpopular war, if you make life annoying for the civilians, like, there's no will to fight.
A
Yeah. So you're talking about from the US perspective here and from the perspective of American citizens, allies and.
B
Yeah, yeah. I mean, I would think that like, granted, right now they're blowing up like Kuwait and Qatar and, you know, Dubai and all this stuff, but they can do cyber as well and go after infrastructure. Right. As just another level of like making life difficult and annoying for them. And then I would say that effects make sense because there's no alternative. You're not doing an espionage or effects. Because espionage is not a valuable resource. So. Yeah, just to effect, why not?
A
What I was wondering about is whether it actually hardens the civilian population against you. So first of all, the US is a massive country. There are some Stryker factories in the US, I think. Apparently it's got like 60,000 personnel or employees around the world, but I mean, you know, does that even scratch the surface? It's not a mainstream media thing and, you know, they don't work for a week or two. You know, at worst, maybe a bit longer.
B
It's not the Jaguar Land Rover level of attack where you're impacting the growth of the GDP by a measurable percent for one quarter. It's not at that level. That said, there's no reason they couldn't do a Jaguar Land Rover style attack. That's just a targeting issue. You know, at the point where you are Iran, trying to cause problems, you can get into a car manufacturer. Like, that's not an impossible ask. It's not like a huge amount of 0-day and development and all this stuff. It's just the right person with the right phishing email and you're in. So I think there's an opportunity for them to do damage. Then the question, you know, as you've said, is like, is this a strategic bombing campaign where rather than making the citizens ask for the war to end, it makes them harden against an outside enemy? And I wonder if that's true for cyber, because most of the problems that show up are not like, no one dies, nothing blows up.
A
Yep.
B
Things are annoying and delayed and I don't know if annoyance and like frustration works in quite the same way as like, having your neighbors killed.
A
Yes. That's kind of. My feeling is that it doesn't really help your cause. I don't think the American people will even more vociferously hate the war because a medical device manufacturer or even, you know, hundreds of small to medium businesses are affected across the country. That's not the. I don't think it will move the needle. So it's. But. But I don't think it will move the needle the other way either, or make them.
B
It's a, it's a no op in a way. Like, it's, it's not.
A
Well, I think maybe the situation is different in Israel, you know, a smaller country. I'm not sure. But I think for the US it's like such a big country. The capacity to cause a whole lot of pain.
B
Yeah. You can jab them with a needle as many times as you like. There's still an elephant.
A
Yeah.
B
Like, it's not really gonna. They won't notice. Reminds me a little bit of a. So very early in the RAF bombing campaign against Germany, they were doing nighttime bombing, because they kept losing planes during the day, but they didn't have navigators, so it was just sort of like fly by vibe to find the. Yeah, right. To, like, find the target. And then they couldn't send that many planes at a time, and they didn't carry that big a bomb load. And so the problem was that the pilots didn't know where they were bombing. They didn't think, like, oh, we missed the target. They'd say, we were over Cologne and we unloaded the four tons of whatever that we carried, even if it turned out to have been in France by mistake. And so what happened was their strategic assessments basically said, like, we have Germany on the ropes. Like, we've destroyed their, like, their Rhineland industry. We've wiped out, you know, like, this much of their capacity. Whereas the Germans didn't know that the strategic bombing campaign was going on. Like, they were essentially unaware. It's like every now and then a tiny village gets blown up for some reason.
A
Right.
B
The RAF finally did an analysis that came out called the Butt Report, because that was the guy's last name and it was scathing and it changed all the way that they work. But I was just thinking of the. Like, you could see the Iranians responding. We've wiped out over 20% of their small to medium business capacity for selling shoes or delivering pizza. We've got them on the ropes and the US is just completely unaware that this is happening. Yeah.
A
So that seems to me that that campaign, and this was kind of my gut feeling it would be pointless in terms of actually achieving anything in terms of the contest between the two. But that doesn't mean that it's like a pointless campaign.
B
Right?
A
That's right. Like, you people have different motivations. So my sort of conception was that this may be a thing that you feel has value regardless of whether it makes any difference or not.
B
So another tangent anecdote. Right? So, like, the psyops leaflets that they drop over troops, like, there were the sex ones, where basically there'd be, like, a pretty girl. And it's like, you know, while you're here in the trenches, the officers are back with your girlfriend or the foreigners are sleeping with your wife while you're here dying. And the thing is, the psyops departments knew that these were not, like, these were just not very effective. None of it was particularly effective. But they knew that these weren't any more effective than the other ones. The thing is, one of the reasons that they did these is because it meant that they got to have their illustrators draw pretty women for a change, rather than corpses and skulls and dead people all the time. Right. So it was. The morale was actually internal as opposed to.
A
Right, yeah.
B
And so I could see it falling into that exact same category.
A
Right.
B
Like it's.
A
Yeah, sure.
B
It's not doing.
A
We've had a win.
B
Exactly. Right. It gives you something to celebrate and I don't see that it costs them anything because during peacetime if you do a destructive attack, there's the, the fear of escalation, you know, like, where does this end? Do we. Do we accidentally trigger a real war and they bomb us? But you can't escalate from where they are right now. Right. Like it's. They've already realized the worst outcome. So.
A
Yeah, so. So like in the longer term, it seems like there's the possibility that they'll in effect be unleashed because I guess it's at least possible that the US or Israel could bomb them again in the future. It seems like politically that is unlikely. Assuming that they stop bombing them at some point, it seems unlikely that they would. The reason they would stop is because it's politically unpalatable and so it's a political reason not to do it again, not a military or. Yeah, that's right. Like it seems like Iranian air defences don't exist anymore, so they could do it at any time, but it just seems like it would be a threshold that they would be reluctant to do and so.
B
Right. Yeah. Well, I mean, even if they do bomb again, it's like, what are they going to do? Blow up the. Like what's left. Right. Really?
A
Yeah.
B
Right.
A
You can't sink the ship twice.
B
Exactly. Like if you've blown up the surface to air missile battery, you're not going to get anything by blowing it up one more time.
A
So I suppose there are office buildings, for example, so if you knew that there was.
B
Sure.
A
But like a hacker group in a particular office building.
B
Right.
A
That that's potentially a thing.
B
I don't know. I think that that would play very badly because if you're Iran, the first thing you do is you start sectioning off three classrooms in every school and make them hacker offices.
A
Right. Yeah. And you go every girl school in particular.
B
Right. So, like, during the Syrian war, that was one of the things that the different rebel factions were doing: every time they would get foreign journalists, they would put them in the room just above the headquarters where all of the, like, radio equipment and everything was. And, like, so they're basically saying, yes, you can bomb us. But you're going to kill foreign journalists and it's going to look bad.
A
Were these kidnapped foreign journalists or just.
B
No, no, no. It was like if, if you showed up and you're like, I want to interview you for your, you know, what's happening. And they'd be like, great, why don't you stay the night? We've got like a special room for you and everything. It's all set up, you know.
A
Yeah.
B
It would be foolish not to do it if you're Iran. Right. Like, you're not going to be like, oh, you know, if, what if they get bombed? We better make sure that they're in an isolated area by themselves where there's no collateral damage. That's the. Right. Like, that's the opposite, you know.
A
Yeah.
B
You want to make sure that they go everywhere surrounded by like small girls and, you know, cameras, basically.
A
Yeah.
B
I think one of the other things that will play to Iran with this is that they don't, like, they don't have a Cybercom as such. Right. Like, I think with the US if you were to take out Cybercom, like the, the physical infrastructure and the central location of all of their people, they would have to reconstitute somewhere else and that would be difficult because they, they have this sort of hierarchical approach. Like it's not impossible and they'd obviously be able to do it, but it would be a, like, it would be an impact that they would have to deal with. Whereas I think that because Iran is made up of these small companies that do contract work, any individual one that you take out is not going to impact any of the other ones. Like it's almost a terrorist cell network in a way.
A
Right. Yeah. I was thinking that in a way the US or the Western focus on operating carefully and covertly means they've got things like, basically, specialist equipment, which is air-gapped networks and stuff like that. They're a lot harder to rebuild because it's not just walking down. You can't go down to Best Buy and Costco and get a few laptops and just hook up to the Internet. And so I think that being less operationally sophisticated in a way makes it easier because it's just more resilient. Download a whole lot of stuff from the Internet and off you go.
B
Yeah. And I mean, realistically, how much tooling do they actually need that they can't rebuild, that they can't vibe code into existence again? Because if you're doing destruction attacks, you don't need stealth in the same way. Like, stealth is important if you want to get in, do your espionage and then get out without leaving a trace. Or, you know, if you do get discovered, that they can't be traced back to you. Like, all of these things are very important in an espionage scenario where you're expecting sort of long term investment and return on investment and stuff. If you're just doing destruction attacks, you actually do not want to invest in bespoke malware because it's going to get burned as soon as it's used. Instead what you want is cheap commodity malware, like as much as you can get, so that it's not detected the second time you use it, something else again the third time. And for that, being able to just vibe code or use things off GitHub is actually the better option. Like, it fits their operational needs much better than any specialist tooling that they might have. Like, essentially having a, like, a dispersed, distributed, like, decentralized group of hackers who can operate with minimal bespoke tooling is a great strength when all you want to do is maybe wreak havoc.
A
Be a pain in the ass. Yeah, yeah. So I was, before we started, I was watching some video, some guy called Preston, what's his last name?
B
Preston Stewart.
A
Yes, that's right. And he was talking about how the war aims of the US, they had had four and, if I recall correctly, it was, you know, reduce military capability, remove the ability for nuclear, eliminate nuclear capability. What was the third and the fourth?
B
The fourth one. Oh, there was the wipe out the navy, get rid of their navy, and then end their ability to support proxy groups or something.
A
Yeah. And his and their supporter proxy groups. Yeah. And his video was. Well, hang on. All of a sudden they're now talking about three goals and that fourth goal of eliminating proxies had dropped off. Just. They don't mention it.
B
No.
A
And it seemed to me that it's obvious why it's not a goal because it's like anymore because they've realized, well, how are we going to actually achieve that? It doesn't seem like we're going to bomb them into submission where they voluntarily say yes, we'll stop doing that. But it also struck me that's very similar to operating a hacker group.
B
Yeah. So like the fundamental problem with ending the support for proxy networks is those relationships are relationships. Right. Like they just know each other. You can't bomb a relationship. It's not a tangible thing that can be destroyed in the same way that like some sort of missile capacity or a navy. Right. Like you can sink a ship twice, but you can't sink a friendship with a bomb.
A
Right, yeah. Well, I guess what you've got to do is remove the will to want that relationship. And I suppose that by removing that as a goal, they're in effect conceding that this is not going to be achieved. We don't think. Now, presumably they, it's very much, you know,
B
The sugar ration has been increased to 20 grams sort of thing. The war goals have been increased to three rather than four.
A
And so that, And I think proxies, terror proxies are a worse problem than hackers.
B
One of the things I'd point out is that they've been surprisingly quiet in all of these attacks in Iran. They haven't really shown up. During the 12 Day War, the Iraq proxy groups basically did a "new phone, who dis". They did not do anything. And Hezbollah is like, I'm a bit busy right now, can you call me back later? Although to be fair, Hezbollah did launch a drone against the RAF base in Cyprus.
A
Right. I thought there was a few things that the Houthis had done. I guess it may be the same dynamic with the hackers in that their main support is like otherwise occupied. Their main funders, their main directors, whatever. And so it's in the short term, maybe nothing, but in the longer term, perhaps it's the same dynamic. I guess that's not a cyber thing, so we won't talk too much about that. But I don't, I could believe the same dynamic applies. So so far it seems to me that there's reasons to believe that they would be unleashed in a way, because they've got in effect, nothing to lose. It probably won't achieve much from balance of power in a strategic sense, but it could well appeal to like just national pride, I suppose, or an internal organization morale. That could be a thing.
B
So there's potential upside and basically no downside. So why not?
A
Right, yeah, that's my feeling at this point. So I guess that is bad news.
B
Well, I mean, only if you're in the West.
A
But I mean, like, in terms of a political trade off, I would probably go, okay, Iran. Let me swap the possibility of nuclear war with Iran for worse hacks. Right. That is actually like a good trade.
B
That's a fair trade.
A
Yeah, yeah. So, yeah, well done, I guess.
B
But yeah, I'm not sure that Iran is going to go like, okay, well, we don't need the nukes anymore. You know, we've got, we found one of the USBs that has Shamoon on it. So we're good to go.
A
But well, I suppose to me it's not that they would think of it as bright replacement. Right. It's that this is just what we can do in the short time because it's probably the easiest thing we can reconstitute that is resilient to further bombing. Like, you know, you have people like working remotely.
B
Yeah. And you can station them outside the country. Right. Like you don't need them to.
A
I mean, I don't even know if that's better, but you could do all sorts of things. Right.
B
Well, I mean you could put them in other places and let them operate from there and then have them move every couple of weeks to somewhere else. There's just a lot of opportunities. It's much easier to have a small hacking team continue to operate than it is to build a nuclear enrichment facility. So that's pretty straightforward. But so like one of the issues I see is they have no incentive not to do this regardless of when the US stops bombing them. There's no reason for them to stop going all out on cyber and just becoming a nuisance. In fact, there's every reason for them to do it. And if you look at for example, the trajectory of North Korea, where they went from being sort of very low skilled, low level capabilities that over time they invested in and they, they put resources into and they built up now like an absolutely world class team or teams or whatever. Like they have good people doing amazing operations these days.
A
Yep.
B
There's no reason that Iran can't do the same thing over the next few years. Right. Like they were already on that trajectory as we discussed in the previous BTN episode with Hamid Kashi. Yep. And so to a degree, like they can be annoying, but they can be progressively more annoying as time goes on.
A
Right. So you're saying that perhaps this will actually be an accelerant and it'll encourage them because they've got no alternatives in the short term. At least it'll take time to build up or rebuild their other.
B
Yeah, like, and they'll be able to get visible victories. Right. Like they'll be able to do a thing that is visible that they can say, look, we did that. Like we knocked out Jaguar Land Rover. Right. We interfered with like BMW's production line. We did some other thing. Like they can get, they can get these propaganda wins fairly easily and those will probably be valuable internally outside of just the hacker communities. And it would of course be difficult to stop them and it would look bad for the west when this happens as well.
A
Yeah. So I guess in that scenario it's the shining light after they've been bombed like this is the thing that we've got that will, I don't know is it save face or demonstrate Iranian strength and so that that may in fact give it more resources than perhaps it would have been if it had been left alone. So in comparison with North Korea it seems that in a way they were both cornered kind of into investing in cyber capabilities to some degree. So North Korea because it had very little else went all in. And in fact this situation it seems like the we've taken away a lot of the things that Iran could have used instead to project power.
B
Right. But so I think the key difference there is that because Iran already has oil, we can't distract them with crypto bros. Thanks a lot, Tom.
A
Thanks, Craig.
Date: March 16, 2026
Hosts: Tom Uren and The Grugq
Podcast: Risky Bulletin (Risky Business Media)
This episode explores the current and future state of Iranian cyber activity in the context of recent physical attacks on Iranian cyber infrastructure and escalating regional conflict. Tom Uren and The Grugq discuss the impact of war on Iran's state-backed hacking capabilities, the strategic value (or lack thereof) of cyber operations during wartime, and how such attacks affect adversaries' societies. The episode also takes a comparative look at how different countries structure their cyber operations, Iran's resiliency, and the motivations behind these campaigns.
“If you are Iran versus the U.S. I think even having like complete access to every message that the US military is sending itself would not help you.”
—Grugq [04:13]
“You can jab them with a needle as many times as you like. There’s still an elephant.”
—Grugq [08:50]
“It gives you something to celebrate and I don’t see that it costs them anything because during peacetime if you do a destructive attack, there’s the fear of escalation... But you can’t escalate from where they are right now.”
—Grugq [12:24, 12:56]
“Morale was actually internal as opposed to [the enemy].” [on psyops leaflets]
—Grugq [12:19]
“Any individual [company] that you take out is not going to impact any of the other ones. Like it’s almost a terrorist cell network in a way.”
—Grugq [16:12]
“If you look at... North Korea. They went from being... very low skilled, low level capabilities... now like an absolutely world class team... there’s no reason that Iran can’t do the same thing.”
—Grugq [25:09]
“Let me swap the possibility of nuclear war with Iran for worse hack. Right. That is actually like a good trade.”
—Tom Uren [22:49]
This episode examines the “unleashing” of Iranian hackers in the wake of military and infrastructure attacks, suggesting that while cyber campaigns by Iran may achieve little in shifting the balance of power, they are both low-cost and low-risk means of maintaining morale and asserting national resilience. The discussion, punctuated by historical analogies and dry humor, exposes the limits of cyber effects against large, resilient societies but warns of an era of increasingly capable, nuisance-driven Iranian operations—potentially following the North Korean path. For the West, this presents a persistent problem, but one less catastrophic than the alternatives.