B (5:17)

You referenced this a little bit, but I wonder if you could kind of maybe frame this some more, which is, you know, how this differs from what Google has historically done. Obviously we've got, you know, trust and safety teams, counter abuse teams across the Alphabet ecosystem. Is it really the thing that you see that sort of defines this is the holistic nature that you're looking at this strategically working with a lot of those teams or how does this differ from what we have done in the past here at Google?

A (5:46)

Great question. I'm always quick to state like disruption is by no means new to Google. There are lots of teams, some of which you've mentioned, that disrupts malicious activity on a daily basis, you know, hundreds, thousands of times per day. What I think is new or a little bit different is that the primary focus of most or all of these teams is, you know, things like detection of threats, defense of our products, defense of our users. And with our team, I think, although Google's a big place, you never know. But I think we are the first team who's primary focus is on disrupting the actor behind that activity. So we're not a detection team, we're not a defense team in the purest sense of how I would think about it. We are a team focused on imposing costs on those bad actors. Importantly, there's obviously a nexus between all of the counter abuse security teams, threat intelligence functions at Google. We benefit immensely from their expertise. In fact, we couldn't really do anything without those teams tracking threats 24, 7. And what we try to do is leverage all of that expertise, the tooling, the visibility, to really look at an actor from that other standpoint of how can we go study what they're doing, study what they value and try to degrade and disrupt that to try to make them have a bad day. And in that way I really hope that we can be a value add to those defender teams, to those counter abuse teams to make that kind of firefighting a little bit easier.

B (7:32)

So I think maybe it would be helpful to get into some of the examples where you guys have been active already. Again, this has been around for a little while here at Google, even though we're talking about it more publicly and it's shown up in a few of the blogs within the last several months, within last year. Maybe we could dive into a few of those examples because I think that really highlights, highlights some of the ways that you approach this sort of work. So whether it's grid tied or iPadadia, I don't know which one you want to dive into first, but maybe we could talk about some of those examples.

A (8:02)

Yeah, sure. And you know, as I mentioned up front, we are kind of, you know, adversary agnostic in that we don't just look at apts, we don't just look at crime. We look for good opportunities where a given threat is causing havoc or causing pain to our users and customers and then pair that with the opportunity. There's some cases where we might see malicious activity, but we don't really see a good path to disrupting them in a comprehensive way. And so for better or worse, there's no shortage of different things to look at and focus on. And as you mentioned, a couple of our projects have been publicized in the last six or seven months that we've been up and running. And I think the two cases, one is kind of a group of residential proxy networks, all operated by kind of this same group called IP Idea. And the other was taking down a campaign we called Grid Tied, that was a China Nexus APT group on 2814. And so that kind of shows, like, the breadth of different activity we're looking at. And I think there's some interesting kind of differences between those cases. So, you know, IP Idea, we started looking at kind of this group, which I would put in kind of like the enabler category. They're kind of. They kind of sit in the, in the crime bucket, but what they're really doing is enabling a lot of other bad activity. And so when you. The reason we like going after enablers is by going after one, you can potentially impact a wide array of threat actors who are relying on those enablers. You know, residential proxy networks have become a bit of a scourge in the last several years. What these are, you, you know, they are a proxy network. So you can look at them as, you know, a way for a user to make their activity appear as if it's coming from a different place online. And the difference with residential proxies, as opposed to other forms of technologies that do this, like ISP proxies or VPNs, is residential proxy networks are built upon basically consumer devices in residential Networks provided by ISPs. And the reason they want to do that, the reason threat actors want to use them, is because they look like they're coming from, you know, John Doe in Iowa or wherever. And the way they build these networks is, you know, in a couple different ways. One, pure malware. They will infect those consumer devices and join them to the network also through kind of subterfuge. So what we found in our investigation was they would essentially go to developers of applications in our Play Store. Although it wasn't limited to just Android, it was other platforms as well. Say, hey, developers, this is a totally legit software development kit. If you incorporate this in your app, you'll get paid for doing so. Like, we'll basically pay you on a per download basis. And when, when it was incorporated into that app and when users download and run the app that, that joins the, the device into the network in most cases without that consumer's knowledge or awareness of what was going on. And so essentially the consumer is renting their bandwidth to this proxy network. And because of those advantages of residential proxies, again it's making it look like it's coming from, you know, a normal residents somewhere in the world. It is overwhelmingly abused by threat actors. And as we kept pulling the thread, we found hundreds of threat actors using IP ideas, residential proxy networks specifically everything from, you know, APT crime, hacktivism, information operations. We observed model distillation attacks against our LLMs transiting that infrastructure. So really enabled a lot of bad behavior. And in that case we were able to bring together a couple different tools including enforcement on Android, ripping all of this stuff out of Android devices and also some interesting legal authorities. We were able to kind of repurpose a court order to work with other providers in the ecosystem, like domain registrars and the like to take down all of their or a lot of their online infrastructure. And we went after both the command and control that the devices were communicating with that were routing proxy payloads through those devices to the end destinations. But we also went after their digital storefronts so where they actually marketed these proxy technologies. And I think the latter is probably maybe the largest effect I think because you know, these technologies are in a competitive marketplace. There's lots of proxies out there. They'd spent a lot of time and capital in getting distribution, getting people interested in their product and by taking down all of their websites, we've, we kind of, you know, we impacted that. So in that case, you know, this is a very kind of complex ecosystem. We're pleased with the initial results but you know, there's no shortage of devices out there that can be added to these networks. They've been able to reconstitute to a degree. And that kind of illustrates another kind of important point about our team, that we don't just launch kind of one off projects. It's very much kind of a journey, a cat and mouse game, et cetera. We know we have to keep hammering away at the residential proxy issue. The other case you mentioned, kind of more of a straightforward disruption of a APT group's operations. Again, this is UNK 2814, it's a China Nexus APT group. We had been monitoring this group for a long time, well before our team was formed. And there was this kind of untold story I think about global telecommunications targeting. And I think obviously Salt Typhoon gets, you know, has gotten A lot of the headlines and in particular for some of the specific systems they, they were targeting in the United States, but there are other China Nexus Apt groups out there that are, that are going after and successfully compromising global telecommunications infrastructure every bit and having every bit as much success as Salt Typhoon. And so. So this group has been on our radar for a long time. And what I think is interesting about this case is how much we benefited from different Google teams coming together in a relatively short amount of time to create a significant impact. So this started with a managed threat defense investigation. And what that is is you know, we have a product that will, on behalf of Google Cloud customers, monitor their security telemetry when alerts fire. And in this case, so it all started at a customer where that team, our managed threat defense team, quickly saw an alert, triaged it and actioned it quickly about a process being initiated from a suspicious location in the system. What we were able to find pretty quickly is the actor was using,

B (15:52)

you

A (15:53)

know, an interesting malware family that had been on our radar, but we didn't have kind of all the pieces of it to piece it together fully that used, you know, Google APIs and Google Sheets specifically as kind of a C2 mechanism. So rather than the way you or I would use spreadsheets, they would communicate, you know, the attacker would communicate from an attacker owned server to the victim, in this case the customer we were investigating, to issue commands to the compromise machine and to upload data from the compromise machine to the attacker all through Google Sheets basically. And so as soon as we saw that, we were obviously very interested in how we could pivot off this and create greater disruptive impact against the threat actor. And so we were able to combine kind of that world class investigative capability, working with customers, with our visibility within Google to identify all the instances, we think, where the actor was utilizing this mechanism. And through that process, as well as working with some key partners, we were able to identify quite a bit of infrastructure and identify, you know, frankly a large number of victims, almost unanimously in the kind of telco sector and then rip it all out all at once and sinkhole a lot of their infrastructure as well. And you know, as I think we said in the public materials, you know, building up this capability that the threat actor had of, you know, essentially maintaining live connections to 70 plus telecommunications companies worldwide, likely took quite a bit of effort for the threat actor to build over time. And we hope we set them back quite a bit. So that was a really fun, interesting project, working with a lot of really Highly capable teams across Google and with partners in a relatively condensed amount of time.

B (18:06)

That's an interesting one too when you think about one of those levers, one of those tools that you utilize being disclosure. Given that even though that actor has been around for a while, we've tracked them for a while, there had not been a lot previously discussed about them out in the open source. And it's also a campaign, a set of activity where as we highlight in the blog, there were a lot more other suspected victims than the ones we are aware of. So I think that's a great example where obviously many different tools kind of applied to that. But even just talking about this publicly and raising awareness about this actor and what they're doing, hopefully it leads to further investigations into parts of this that maybe we haven't seen or hasn't been discovered yet.

A (18:52)

Yeah, absolutely. I think that was a big goal or reason for releasing some information publicly. Again, you know, wanting to drive the message. It's not just, you know, it's not just salt typhoon, it's not over. This activity is, is continuing, people are at risk and then obviously releasing, you know, indicators of compromise to help organizations check if they've been impacted. You know, the other piece of it that's kind of a longer term thing is driving, you know, kind of more resilience and product hardening. One thing we point out is sheets is just another mechanism to upload and download arbitrary data. There's lots of places attackers can misuse products. For C2. It's clearly becoming a common tactic to use the products of popular kind of cloud and all online technologies in general for that purpose. And so hopefully we can, you know, spark additional action, you know, both within Google and with, with other operators of online services to try to find more solutions to try to cut down on that. And again, I think that's a, that's a longer term piece of that.

B (20:12)

Let's talk a little bit about measuring impact. I think as you noted at the beginning, you know, some of the ways that adversaries respond to being publicly disclosed, their activities being disclosed, some of the extent to which their operations are disrupted, that's going to vary, it's going to vary actor to actor, what was actually impacted. There's also this dynamic where at times the very act of disruption, of taking down infrastructure, of forcing an actor to retool might mean that we lose some visibility into their operation. So there's, there's trade offs to even some of this activity. As we've always known, when we release blogs and Put the stuff out there publicly. The actors read this stuff. That's not new. But I guess I'm curious, maybe at a high level or even in some of these specific areas, how do you think about measuring the impact from disruptive operations to specific actors? And how do you think about that kind of balance between needing to do more to impose cost, particularly in the private sector, needing to kind of take more of a stance there, but then also meaning that, you know, in some cases we may risk losing visibility into operations?

A (21:24)

Yeah, great question. So first piece of it, you know, measuring impact, it is a, it's a supreme challenge. And I think this is not common to what we're doing. It's common across the security field in general. How do you know if things are getting better if you've done your job? And certainly when you're working against highly advanced threat actors, it can be very hard to get accurate assessments of. Again, we set out to make bad actors have bad days. How do we really know that it's a bad day or a bad week? So it is a challenge. We try our best and we look at different things. First, if we're able to identify potentially impacted organizations and help them remediate and recover, you know, I think that's, that's always a win. But two, can we identify classes of attacks, things that we can work on to again, kind of like harden the products, make it, you know, make the attacker have to expend more resources to do what was previously a little bit easier for them. And so we measure, we have metrics related to that. And then, you know, of course, just looking at, you know, for whatever we can find. And again, this is often a challenge, you know, how has the actor specifically been impacted? Do we see their operations becoming less effective? Things like that. And then of course, that kind of leads into, you know, the last part of your question, which is when we do this, we necessarily often lose visibility. And so that gets into that kind of intel gain loss conversation that I think has been an ongoing conversation in this industry for, for decades. You know, there's, there's a couple ways we look at that and like the, you know, what we can gain versus lose by being a little bit more aggressive, having a more kind of disruptive posture versus things, you know, against things we're monitoring first. First thing, and I try not to throw around kind of too many industry stereotypes, but in my opinion, I think it is true that the, you know, quote unquote threat picture is worse now than it was maybe 10, 15, 20 years ago. For in. And again, in my opinion, this is really for one primary reason, and it's that adversaries are bolder now. They're willing to do things that were unthinkable before that, that were not kind of the norm of what we would see in, you know, 2015 or 2010. When you look at kind of the crime sprees of Shiny Hunters, the extortion, the ransomware against hospitals, things like that, when you look at the volts holding critical, I say the Volts of Volt Typhoon, the things we're seeing where adversaries are willing to hold critical services at risk for entire nations. When you look at the kind of pairing of cyber and kinetic effects and things that we've seen play out in Ukraine, to me, I feel like adversaries have, you know, whether there were ever norms, it seems like the norms have shifted, if ever there were any. And adversaries are bolder now. And against that type of activity versus, you know, espionage, you know, you really have to meet that aggression head on. You know, we don't want to be just, you know, quote unquote, monitoring the situation when that kind of activity is occurring that, you know, that's not something you're going to be able to explain to, you know, your boss or the government or whatever. You know, we want to take an active posture against what is increasingly kind of bolder and more disruptive adversarial cyber attacks. We want to be pushing actors kind of off the X, give time for, you know, the defender community to take more kind of to take action to protect these services that, you know, everyone relies on. And then the other thing that we look at a little bit there is, you know, some of these actors we've tracked for a very long time and we want to look at how things have been working, you know, for a threat actor that we've been monitoring for a long time. Do they look substantially similar today as how they looked, you know, two years ago, three years ago, five years ago? Are they able to successfully complete the same types of operations that they were doing a couple years ago? If so, maybe it is time to try something different. If we're seeing them be successful and it's kind of a status quo business as usual for them, they clock in and they compromise users. Maybe it is time to try something new and take on a little bit of risk that we might lose visibility. And of course, there's cases where our visibility is too tenuous. We don't have confidence in the effects of some action. We want to take and in those cases, you know, I think caution would, would certainly prevail.

B (26:25)

So I guess, you know, looking forward, you know, given the sort of, this is, this is still a relatively new kind of area of focus for us and there's going to be some trial and error. Where are you kind of excited about in terms of, you know, potential future areas, you know, without getting into specifics, of course, but when you look at where the utilization of these different tools and levers can be applied, when you look at some of the different problem sets that are out there, do you think we're going to be seeing more of this applied to the infrastructure takedowns? Like with IP idea, is it going to be more around specific actors? Just curious some general thoughts you have. Kind of looking forward into the future here.

A (27:06)

Yeah, so I'm excited for the future. We are still, we are a small team and we are looking forward to scaling our impact. Just, you know, frankly a lot of this work right now is pretty artisanal. You know, we're very interested and I think well positioned, you know, working where we do to leverage AI and automation to scale our impact. You know, we've got amazing tools to leverage, amazing, you know, expert teams to partner with within Google. And we really want to systematize this disruption activity. So we're focused on that. We're also, you know, I think I've been very pleased with some of the partnerships we've developed with other companies, government organizations and the like. And you know, we really want to build on that and deepen those partnerships, make them, you know, really ingrained into the working model both for us and those partners. And I think we can just accomplish a lot more together. And ultimately, you know what, what I hope is next is bringing more pain to more bad actors.

B (28:16)

Excellent. Well, I expect in the upcoming months there's going to be more blogs where your team, if not the full focus of it, will have a footnote about. Hey, you know, here's a new operation that we didn't just respond to. We also had a role interrupting, so I look forward to seeing those. And we'll include a link in the show notes to some of the ones that you mentioned as well. But Charlie, thanks for your time today and I think this is a great discussion around the work your team is doing.

A (28:42)

Thank you so much, Luke. This was a. This was a lot of fun. Let's do it again.

B (28:45)

All right, take care.

A (28:47)

You too. Bye. Bye.