A
And welcome to Seriously Risky Business, the podcast we do here at Risky Biz HQ with Tom Uren, who is our policy and intelligence editor. Basically what happens is this. Tom writes a big newsletter once a week called Seriously Risky Business, which goes out to all of our, all of the email subscribers. And you can subscribe to it too by going to Risky Biz. And then Tom and I have a chat about it so that there's a podcast version of the newsletter. Although these days Amberly Jack is hosting this podcast most of the time, I'm filling in because Amberly is on medical leave recovering. Get well soon, Amberly. Today's edition of Seriously Risky Business is brought to you by Push Security, which is a fantastic company that does browser-based security. So they got like essentially like a browser extension that just sits there and looks for bad stuff happening. And it's a really great way to catch phishing that might, you know, that your email security solution might miss like, you know, a dodgy URL via LinkedIn or whatever. There's. Yeah, it catches a lot of stuff. It's very, very cool. That's Push Security, this week's sponsor. But Tom, we've just finished going over your newsletter for the week and you know, you've got, we've got three things we're going to talk about today. One of the, one of them is this like really dumb, like Russian state-sponsored hacktivism, which is just like we spoke about that in the weekly show as well. It's just like crazy. The other thing we are talking about is this wiper slash ransomware attack against Venezuela's state-owned oil company, which you and I both agree probably could maybe be America, which is a bit wild.
But before we get into them, because we did talk about them in the weekly show, I wanted to talk about this other piece you've written here, which is about a series of reports that have come out in the last month, all honing in on this, this topic which is the everyone's reliance on Chinese manufacturers when it comes to the renewable energy transition. So whether we're talking about solar inverters or grid connected batteries or whatever, like all of this stuff is coming from China. And you know, this is a country that in its spare time tasks its academics and military people with writing peer reviewed academic papers about how one might best attack America's electricity grid. Grid seems like maybe not the best place to get your grid equipment from.
B
Yeah, yeah. So this really strikes me like the Huawei debate back in the day where people were concerned about having Huawei and ZTE telecommunications equipment in their 5G networks. But it seems like it's actually a whole lot worse. And so the big picture stepping back is that China's massively investing in electrification of its energy grid or its energy supply systems, like replacing oil, replacing coal to some degree. And the country's so large that it's just rolling out a huge amount of equipment and it's building it at very competitive prices. And it's essentially become a sort of dominant player in many parts of, you know, many factors of the what you need for an electricity grid. And this has all been happening and Western countries are now somewhat dependent for many of those things. Like it's not just batteries, it's not just inverters, but other parts of the electrical grid. And the Huawei debate always felt somewhat theoretical, like there was no actual evidence of bad things like sabotage being actually considered. Like this was, you know, maybe a decade ago. But nowadays we've got Volt Typhoon, which is that Chinese group that is going around pre-positioning in critical infrastructure apparently for the purpose of sabotage. So you have a very clear intent coupled with the, you know, the dependence. It's not like you've got several other. For some of these types of equipment. It's not like you've got several other competitive firms. China is the dominant player. And so it seems like we're in much worse of a pickle than we were back in the day. And the other thing that strikes me is that these types of equipment, there's actually an example of a Chinese manufacturer flicking the switch and turning off their inverters. Now this was a commercial.
A
This is, this is. Yeah, it's a, it's a commercial dispute. That's what makes it so funny is like somebody like violated their reseller agreement or something. So they just flip the switch on all of these devices that were sold like outside of the terms of their commercial contract. And you know, that's all well and good and I guess they're within their rights to do that because the end user license agreement says so. But it is the sort of thing to make a Western think tanker go.
B
Hmm, yeah, yeah, yeah. So this was, I really struggle to think that a Western manufacturer would do that. So it, it kind of displays a different mindset, a very like quite brutal mindset, frankly, of.
A
Well, they're, I mean, now that now they're beating us at capitalism, which is, you know, quite the achievement considering their history.
B
So I went into reading these different reports, as I do, with a fair bit of skepticism. Like, you know, it's I think it's quite easy to take a China bad perspective and there's definitely people who take that, regardless of what the facts are. But the more I read, the more concerned I got. And it's kind of a topic that is. Well, it snuck up on me until now. Like I knew there was a lot of Chinese solar based inverters, but I didn't realize how much of the entire grid was dependent. And another part of the problem is that a lot of these systems, they fall below thresholds where cyber security standards have to be very strict. Maybe very strict is too strong a word, but they're. And so there's a lot of them that can sneak under the, you know, under the bar without a whole lot of oversight or review or whatever. And so in, you know, any one system is not that important. When you've got tonnes and tons of them, it becomes quite significant.
A
Yeah, I mean, we've seen various research papers as well from people saying, oh, you could use these vulnerabilities in various inverters and whatnot to trigger cascading failures on the grid and whatnot. I mean, it does. This is the problem when you're trying to look at a topic like this is it just does sound a little bit hysterical and unrealistic. There's some great stuff in here too, which is this, you know, intelligence, strategic intelligence firm Strider, which wrote one of these reports, looked at Chinese research publications and I alluded to this in the intro and they found there were 225 papers written by PLA-affiliated organizations that were basically like dreaming up scenarios for how to attack the grid in America. This is like where America's buying its grid tech from. So, you know, it feels like it's a real challenge. That said, you've also talked about a report from, I think it was Dragos and another company looking about like what you can do to sort of mitigate some of the harms here. And that's where I feel like there might be some hope here. Tom is unlike Huawei, which is, you know, was making equipment that would form the core and the edge of a 5G network, because that's kind of how 5G networks work. You know, these things, at least from a sort of Internet comms perspective, are a little bit simpler and you might be able to architect your way out of this. Was that the vibe from the Dragos report?
B
Yeah, I thought that it's a very tricky problem when you're relying on an adversary for equipment. But I think you're right that the whole purpose of 5G equipment is to talk to other stuff. And so it's quite hard to say, well you cannot talk to this. Like how do you firewall a network? Like that's the whole point is to talk to other stuff.
A
Yeah.
B
And the electricity equipment is like, what it's trying to do is more defined. So at least in theory there's some hope there that you can do a more convincing job locking it down. Not, not maybe a perfect job. But I think that there's. The compensating controls are more robust, perhaps is a way to say it.
A
Yeah. I mean I've seen some idiot, I've seen some idiotic politics seep into this issue in the past as well. As an Australian politician, I won't name him, but I think the joke about him is he was, it's, it's. He, he seems like he was manifest. He was bioengineered in an IPA laboratory. Right. The IPA is a conservative think tank here in Australia. I'll name him. It's James Paterson, Senator James Paterson, who is, I think, what is he like Shadow probably got a few portfolios given to the lack of members his party has at the moment. But he put out a release a couple of years ago saying that the government was putting Australian national security at risk because it was buying. It was allowing vulnerable Chinese solar tech to be installed into Australian households. Now look, I mean, you know, is the security of Chinese tech being installed into Australian households something worthy of scrutiny? Absolutely. But when you are using this as a way to just smear renewables, it's like no one engages with it. Right. So I feel like this is one of those rare cases in cybersecurity where, you know, outside politics are kind of bleeding into it a bit. Do you know what I mean?
B
Yeah, yeah. I mean, I think the overall dynamic is that there's a large anti China lobby, which has a lot of justification and there's.
A
But there's a large, There's a large. Yeah. Anti renewable lobby.
B
Yeah, yeah, that's right. And the, it's a problem where like it actually has significant benefits, these technologies from both a cost and a carbon perspective. But they're difficult because they cause a lot of change and you know, change is bad. So the looking at the security aspects in isolation is like not the right answer. Like we need to have a. Yeah, there's a risk here, but we also need to manage that given the other benefits that we get out of these technologies. And that's actually quite hard, I think, because security people tend to focus on Just security. And it's quite hard to get people to weigh up the, you know, the risks and benefits when they're in two different areas.
A
Indeed, indeed. Well, look, let's move on to. And look, I guess we're sticking with energy as a theme. This week, Venezuela's state-run oil company, PDVSA, it experienced a, either a wiper or a ransomware attack which has apparently really devastated its operations. And this comes hot on the heels of the Americans, like seizing a tanker full of oil that had left Venezuela. And PDVSA has blamed those imperialist Americans for doing this. And in normal times, Tom, you would hear the Venezuelans say this and you'd say, sure, buddy, you know, the Americans did it. You know, because they like to say the Americans did everything. Of course, you know, the Americans are their most useful foreign enemy for domestic political purposes. So normally you hear something like this and you just think it's a, it's a lie. In this case, you know, your reaction, my reaction, Adam Boileau's reaction has been it very well could have been the Americans who were behind this. And, you know, you've spelled it out here in a, in a short piece saying, well, yes, it could be a U.S. Cyber Command or CIA operation.
B
Yeah. So the, I've written a couple of times about, particularly President Trump's desire to do something about Venezuela. And the history is that throughout his entire first term, maybe not the entire first term, but for much of his first term, there were cyber operations that were carried out in more or less isolation because there was a whole lot of pushback from, well, the bureaucracy or the deep state, I guess, that didn't want to do these kind of, I'll call them outrageous operations which involve conventional force. And he was basically restrained by what I would describe as wiser heads. And so the cyber operations were, in a way, a kind of, look, we'll do this. And people carrying them out probably knew that they weren't going to work in isolation. And so one of the examples was they disrupted the payroll for military officers in the Venezuelan army and they kicked around other ideas. So there have been people thinking about what to do against Venezuela for a long time. One of the operations was to, I think, disable supertankers or something like that. So, like these ideas have been kicking around and what stopped them back then was people like the head of the CIA, I think it was Gina Haspel, who just didn't like the idea of these kind of destructive operations.
A
Well, and a lot of the stuff that the CIA wound up doing, they Kind of half assed it as well. Like we sort of found out years later, which was kind of funny, which is like they kind of said, yeah, yeah, sure, we'll do that. And then did like a really, like, bad job of it, basically because they didn't really take it seriously or dedicate resources to it. But this time it really feels different, doesn't it?
B
Yeah. Well, I think what's changed is that all the senior personnel are now on board with these kinds of operations. So I would be, in a way at this point, I'd be surprised if it wasn't a U.S. operation. There's no guarantees, but it's kind of aligns with what they're trying to do. It's happening at the same time. They've kicked around a whole lot of operations before and didn't do them because they were restrained by senior personnel. Those senior personnel are gone. And so, like, what's, what would stop them? I don't think there is anything that would stop them.
A
No. One thing that occurred to me as well is that, you know, if you're Venezuela and the Americans are doing this to you, there is absolutely nothing you can do about it. Because even if you did have a capability and they're not particularly known for their cyber prowess, even if they did have a capability to be able to hit back, you know, Trump is itching for an excuse to start dropping warheads on foreheads. Right. And you know, if Venezuela were to escalate this, even in the cyber domain, it would be disastrous for them. So they just have to sit there and take it. Which is another data point that makes me think. Or another bit of speculation that makes me think it's the Americans, because why not? They're holding all the cards in this case.
B
Yeah. I think the only kind of operations that make sense are the ones that have like, no impact. Like hack and leak. Like you could do a hack and leak and Trump wouldn't necessarily escalate. Like, but at this point, there's nothing that you could hack and leak about President Trump that would have any impact on his popularity or, or anything.
A
As he once said, he could shoot someone in the middle of Times Square and it wouldn't matter. And that turned out to be, you know, pretty prescient really. But, you know, I guess one thing that's interesting about this is it's been about 13 years since, you know, we saw the Biggie versus Tupac style wiper wars in the Middle East with Iranian oil infrastructure being targeted first with wipers and then Saudi Aramco having 30,000 of its workstations vaped for a while. So now we got, you know, we got like, maybe America is doing a Shamoon. I guess is, is where we've left that. And not something I would have expected to say until recently. And just finally and quickly, because this is something that we covered in the weekly show with Adam. You've also taken a look at these state-backed hacktivists. The Russians who really just haven't achieved anything are pretty dumb, but you know, you've also argued they're sort of dumb until they're not. And that makes them possibly dangerous, which I think is a good point. But it just, look, it seems an odd way to run a country, which is to throw money at people like this and tell them to just go and cause problems. For those who've missed it, the US has indicted some people for, yeah, basically being state-funded hacktivists who just went around attacking any control system that was vulnerable and trying to fiddle with dials and just make life tough. But it didn't really, it doesn't look like they really caused any damage.
B
Yeah, I, I think the thing that makes this kind of make sense from a Russian point of view is the invasion of Ukraine. And so at that point I'm assuming that the intelligence services were under pressure to do something. And so this is something. And so to me that is the, the sort of underlying motivation for these groups. And they just went, well, we've got a person, we can shovel some money to them, get them to do some things and maybe that'll pay off. But it doesn't cost us all that much in terms of time and resources. Like giving money to a group of people is, you know, that's the thing we've got most of it's the time and effort and, and so like that kind of makes sense. I think if it weren't for the war, they wouldn't be doing this.
A
No, but it is very low effort and has potential to like blow back on them as well. Like, I just, you know, it just doesn't seem like there's much of a benefit here. And you know, one thing that I've learned from following your work, Tom, is just how much of this activity is dictated by people's need to impress their bosses by putting stuff in a PowerPoint presentation and saying, look, we did a thing. Whether the, that's the Iranians or the Russians or even the Chinese. Mate, that is actually it for our discussion this week in the Seriously Risky Business podcast. The last one for 2025. Of course, when this podcast resumes next year, it'll be back to Amberly Jack hosting. But it was a, it was, it was a lot of fun to fill in for and have, have this chat with you, Tom, and thank you for all of the terrific work you've done through this year, mate. And looking forward to seeing you again in 26.
B
Thanks, Patrick.
Podcast: Risky Bulletin
Host: Risky.biz team (Guest host: Patrick, with Tom Uren)
Date: December 17, 2025
This episode explores three major cybersecurity stories from the Seriously Risky Business newsletter, with a primary focus on the West’s growing dependence on Chinese-made components in the renewable energy sector. The hosts discuss the systemic risks of reliance on Chinese solar inverters and grid batteries, compare it to past concerns over Huawei in 5G networks, and consider the current geopolitical tensions. Additionally, the episode reviews the wiper/ransomware attack on Venezuela’s state oil company (PDVSA) and examines Russian state-backed “hacktivism.” Throughout, the hosts maintain a dry, analytical tone, with occasional humor and candid political commentary.
Comparison to the Huawei Debate
China's Market Dominance in Grid Equipment
“China is the dominant player. And so it seems like we're in much worse of a pickle than we were back in the day.” (03:35)
Documented Security Threats
Demonstrated Leverage: The Remote "Kill Switch" Example
"They just flip the switch on all of these devices... it is the sort of thing to make a Western think tanker go, 'Hmm.'" (04:36, Patrick)
Sub-Threshold Security and Volume Risk
“Any one system is not that important. When you've got tonnes and tons of them, it becomes quite significant.” (06:06)
Tone of the Debate: Hysteria vs. Reality
“When you are using this as a way to just smear renewables, it's like no one engages with it...” (08:42)
“Looking at the security aspects in isolation is like not the right answer. Like we need to have a. Yeah, there’s a risk here, but we also need to manage that given the other benefits that we get out of these technologies.” (10:12)
On security research:
“There were 225 papers written by PLA-affiliated organizations that were basically like dreaming up scenarios for how to attack the grid in America.” (Patrick, 06:35)
On mitigation and hope:
“The electricity equipment is like, what it's trying to do is more defined. So at least in theory there's some hope there that you can do a more convincing job locking it down.” (Tom, 08:19)
Attack Overview
Plausibility of U.S. Involvement
“You would hear the Venezuelans say this and you'd say, sure, buddy… In this case… it very well could have been the Americans who were behind this.” (12:09)
Historical Context & Strategic Shifts
“All the senior personnel are now on board with these kinds of operations. So… I'd be surprised if it wasn't a U.S. operation.” (Tom, 14:01)
Imbalance of Power
“If you’re Venezuela and the Americans are doing this to you, there is absolutely nothing you can do about it.” (Patrick, 14:39)
Wider Context
Overview of U.S. Indictments
Motivation & Risk Calculation
“We've got a person, we can shovel some money to them, get them to do some things and maybe that'll pay off. But it doesn't cost us all that much..." (Tom, 17:10)
Potential for Escalation
Insight on Bureaucratic Drivers
"Just how much of this activity is dictated by people's need to impress their bosses by putting stuff in a PowerPoint presentation and saying, look, we did a thing.” (18:03)
“It kind of displays a different mindset, a very like quite brutal mindset, frankly, of… now they're beating us at capitalism, which is… quite the achievement.”
— Patrick, 05:19
“Any one system is not that important. When you've got tonnes and tons of them, it becomes quite significant.”
— Tom, 06:06
“Looking at the security aspects in isolation is like not the right answer. Like we need to have a. Yeah, there’s a risk here, but we also need to manage that given the other benefits that we get out of these technologies.”
— Tom, 10:12
“If you’re Venezuela and the Americans are doing this to you, there is absolutely nothing you can do about it.”
— Patrick, 14:39
“Giving money to a group of people is… the thing we’ve got most of [in Russia]… But it's the time and effort and, and so like that kind of makes sense. I think if it weren't for the war, they wouldn’t be doing this.”
— Tom, 17:10
This episode paints a nuanced portrait of global cybersecurity risks driven by geopolitics, technical interdependence, and increasingly blurred lines between commercial and national security interests. If the “Huawei in 5G” episode was a warning, reliance on Chinese renewables tech is now a lived reality, tangled with economic and climate policy as well as cybersecurity. The Venezuela and Russia segments underscore that offensive cyber operations—state-backed or pseudo-state—are becoming a normalized tool in global conflict, with unpredictable consequences. The discussion is critical, laced with humor, and unflinching in its analysis.