In this episode of Modern Cyber, Jeremy is at RSAC 2024 where he catches up in person with cybersecurity legend, Mikko Hypponen.
In this episode of Modern Cyber, Jeremy is at RSAC 2024 where he catches up in person with cybersecurity legend, Mikko Hypponen.
Fresh from his keynote on the 'First Decade of Corporate Ransomware', Mikko talks ransomware gangs, AI, quantum computing and the role of cyber in modern conflicts. This is an episode you don't want to miss.
About Mikko Hypponen
Mikko is a cybersecurity expert, speaker and author and currently the Chief Research Officer at WithSecure. He is well known for the Hypponen Law of IoT Security: "If It's Smart, It's Vulnerable," which is also the title of his latest book, which has been translated into five languages. During his long career - which has lasted over 30 years - he has accomplished many notable career achievements: he was selected as one of the 50 most important people on the web by the PC World magazine, and was included in Foreign Policy’s Top 100 Global Thinkers list. Mikko is an accomplished speaker, regularly presenting at prestigious conferences around the world like TED, SXSW, Black Hat, DEFCON, RSA, and more.
Mikko's Website: https://mikko.com/
WithSecure Website: https://www.withsecure.com/en/home
Mikko's Linkedin: https://www.linkedin.com/in/hypponen/
Mikko's X: https://twitter.com/mikko
Jeremy: Alright, welcome back to another episode of the Modern Cyber Podcast. I think for the second time only, I'm actually in person with our guest today. You already see him in the picture, he doesn't really need much of an introduction. I am delighted to be joined live by the one and only Mikko Hypponen.
Mikko: Well, thank you, Jeremy. Thank you for having me. It's great to be here.
Jeremy: Yeah. And just by way of disclosure, Mikko is a member of the FireTail Advisory Board, but nothing that we discuss today will concern FireTail. We actually have a lot to talk about today. Four things that I want to hit in particular: We're at RSA; you gave a keynote yesterday. I'm sure by now most of our audience will have seen it because by the time this goes live, it will have already happened, and the post-event video will already be live as well. But for those who might have missed it, what did you talk about? What can you share?
Mikko: Over the years, I've spoken nine times at RSA. I also have had a multi-year boycott of the event, which is over by now. I'm back at RSA by now, yeah. And I had a personal long-term goal of being able to do a keynote talk in all three, that means Defcon, Black Hat, and RSA. Yep, I've done Defcon, I've done Black Hat. I'm really glad I was able to do yesterday the RSA keynote on South stage. When we started discussing the key topics with the RSA organizers, I followed a couple of ideas. AI, obviously. Everybody wants to speak about AI. So they chose something different and we went with ransomware. The topic was the first decade of corporate ransomware because the very first Bitcoin-enabled ransom attacks happened in 2013, and then roughly a year, year and a half later, they started targeting companies. And this is actually—it's hard for us to remember—the very first Bitcoin ransomware, like CryptoLocker and CryptoWall and CTB Locker and Lockee, they were targeting home users. Yeah. And the ransom amounts were $200 bucks, $300 bucks. Okay. So they were really encrypting your photos and asking you to pay money to get them back. But they were already using Bitcoin. Okay. And they very quickly realized that it's much harder to gain access to corporate networks, but then you can ask for much larger ransoms,
Jeremy: yeah. I mean, there's a huge difference between $200 and the $22 million that got paid, you know, just a couple of weeks ago. So I'm curious—Okay. So we've had a decade of it. Obviously, the amounts are much larger when you go after the corporations. Are the attack factors pretty much the same?
Mikko: No, no, they're not. In fact, the very first consumer ransomware malware was being distributed through existing botnets. Okay. Some of the audience might remember the Zeus botnet, which was a banking Trojan botnet in the early 2000s developed by a Russian hacker called Yevgeny Bogachev. Okay. That, towards the end of the botnet, Bogachev migrated the botnet from distributing banking Trojans which were stealing money while you were doing online banking to distributing CryptoLocker, the first Bitcoin-enabled ransomware, which was a massive shift in the money-making mechanisms. Another early mechanism which we saw a lot was simply email attachments. Sure. Also drive-by exploits. Remember Flash exploits? Yeah, ten years ago, still a thing. So people, consumers were surfing the web, they happened to end up on a hacked website which had a Flash plugin or Flash exploit which would exploit the plugin in your browser, you would get infected. Yeah. But then the corporate attacks, especially over the last couple of years, have definitely migrated much more towards remote exploits. Okay. So they scan the whole IPv4 address space looking for vulnerable systems, whether it's an RDP server or a VPN server or a firewall or some router exploit. Yeah, maybe exploits in file management tools, which we've seen a lot. Yeah. And these are only really used by corporate entities, yeah. Yeah. And it also means that's an important part of the whole situation today, that it means that you don't need to be interesting to become a target, yeah, you just have to be online. That's all it takes.
Jeremy: I bring this point up a lot, you know, and I mean, not to talk about us too much, we put APIs online for testing purposes all the time as we develop our own software, and one of the things that we see is any API that we put online within about three minutes is getting probed, we're getting traffic against it, we're also getting more interesting traffic. And what I mean by that is it's not just a random bot saying like, "Hey, is there something sitting here?" but we actually see kind of intelligent follow-up to the initial pings, right? So you get a request and then you get a series of follow-up requests that are checking for certain third-party software packages and things like that. And if, you know, we put, let's say, a version of WordPress online, God forbid, we're going to see very targeted WordPress attacks because actually, once you go through round one, there is something, round two, it is WordPress, round three, let's check the version, let's try to deploy exploits against that. So I tell people this whole strategy of security by obscurity or thinking that I don't have to be the fastest one to escape the hunting lion, I just have to be faster than the next guy. This is not actually a valid tactic anymore.
Mikko: No, it unfortunately it isn't. And the way I very often show and tell these to clients and customers that I meet is simply open up a leak site of one of the larger gangs. Maybe Akira lately has used a lot of LockBit. LockBit is right now in flux but one of the active sites and simply scroll down the list of the leak sites showing the different victims, yeah, for example, LockBit has 7,000 organizations listed on the site, okay. And when you just look at the different victims, you'll see a furniture manufacturer from Copenhagen, Denmark. Yeah, then there's a steel mill from São Paulo, Brazil. Then there's a mom-and-pop restaurant from Vancouver, Canada. And you very quickly realize that there's nothing common in these organizations.
Jeremy: Well, and not only that, none of those are what I would consider—maybe the steel mill—but these are not what you would typically think of as your high-value targets. These are not companies that possess a high amount of very interesting intellectual property, these are not banks who have a lot of money, these are not pharmaceutical organizations or healthcare systems that have a lot of proprietary data for identity theft purposes. These are just random companies.
Mikko: Exactly. That's exactly the point. And when you realize that, it's companies of all sizes, of all business areas, from everywhere on the planet, then you do realize that if these were targeted, I could be targeted as well. The comparison I mentioned on stage when speaking about this was that it's like someone would have shot at the internet with shotgun and it just sprays randomly. Yeah.
Jeremy: Okay. So random targets all over the place. Cryptocurrency pretty consistent throughout this ten-year run of ransomware, targets not targets, but ransom values kind of consistently going up and up and up. What else have we learned? Because I hear a lot about, well, you mentioned LockBit, you mentioned one other organization. So you hear about the organized criminal nature of this, and I think that's kind of an evolution, right? Because I think probably the early ones were just these individuals like you mentioned, Yevgeny who developed that first banking Trojan. What else have you seen in kind of the evolution over the ten years?
Mikko: Maybe the biggest insight we've had into the working organizations of these gangs was through a massive leak, the Conti Leaks, yeah. Conti was the largest ransomware gang in the world in early 2022. In early 2022, Russia also invaded Ukraine again. Conti famously aligned themselves with the Russian government, posting publicly on their website that we will be supporting Russian government in this war on Ukraine, without realizing that they had Ukrainians within the group. Yes, the gang had Ukrainian members and one of the members didn't like this, started leaking the information, including contact information, photos, insider files, their backend control panel
Jeremy: chats—
Mikko: Chats, yeah. Thousands and thousands of lines of chats. And we learned a lot about how an organized crime gang like Conti works, okay. So they have physical offices, they pay salaries twice a month, they have an HR unit which is recruiting new employees, they have lawyers working for them, they have their own data centers, they have business analysts. So it's an organized crime gang just like real-world organized crime.
Jeremy: I would only question one thing in what you said. You said organized crime gang, that sounds much more like an organized crime company, right?
Mikko: Maybe you're right, maybe you're right. There's also one interesting thing which is around branding. So I'm calling this the Conti Gang, so they have a name, they have a logo, they have a website, the brand was very well-known. Yeah, of course, Conti has disbanded because of these leaks. But again, Akira or LockBit or QuantumX or whoever, all of these, they are very well-known brands. And it might seem a bit weird that the crime gang does branding. However, think about real-world crimes. Yeah, they have some of the strongest brands in the world. Hells Angels,
Jeremy: Gambino Crime Family—
Mikko: MS-13, exactly.So organized crime gangs in the real world, those gangs, they are building a very strong and a very scary brand. That's exactly what these online crime gangs are trying to do. They try to build a brand which is scary to IT professionals. Yeah, you know, "Oh my God, we were hit by Ransomware. Oh my God, this is LockBit," because now you know, this is serious. You know, these guys are professionals, you know, they've been around for years, you know you won't be able to crack the encryption, but you also know if you play ball, if you pay the ransom, they will work with you, they will give you tools to get your files back, they will not leak your documents that they've stolen, and then they promise not to attack you again. And this is good business sense from these criminals. If they wouldn't follow the rules, pretty quickly, no one would pay the ransom.
Jeremy: It does mean that customer churn is by definition 100%.
Mikko: That's very true.
Jeremy: Yeah, I'm curious, though. One thing that you said there, and I mean, I get the branding aspect of it, and by the way, it's very much like The Princess Bride and the Dread Pirate Roberts, right? Actually, probably nobody cares if Yetta attacks them. Maybe they care more about LockBit. If you have a name or a reputation, but they care a hell of a lot more if it's Conti. I totally get that branding aspect of it. But one, again, one difference that I'd be very curious about is so it was actually through internal disagreement and internal members of Conti who leaked all the data. What happens when people try to leave these companies?
Jeremy: Well, many of these affiliates or individual members of these gangs, their real-world identities aren't really known to the gang leaders either, but I mean, they have offices, they're showing up, they're working together, but those that actually come to physical—
Mikko: Okay, there's a difference between employees and affiliates. Okay, that's true. If they want to leave, they probably have to somehow negotiate, you know, "I'm out of here." Who knows? That part is dog. But a big part of the actual working logistics of these gangs is through a software-as-a-service model. So we call it as ransomware as a service. So, Conti, Akira, they develop the actual ransomware, they create the back ends, they have the payment mechanism, they have the chat system in which you can negotiate with the victims. The affiliates, basically anyone anywhere on the planet can work with a gang like this. They get the tools, they get access to the backend. If you're able to infect someone with the malware and direct them to this chat and they pay, then you get a 20%, 30%, 40% cut of the ransom. Those guys are doing the vast majority of the hacks, and those guys are the ones whose identity is unknown even to the leadership of the gang.
Jeremy: Question. Did you see any evidence of kind of multi-level marketing tactics in there? Because everything that you just said points me in that direction, right?
Mikko:If you can find new affiliates, you will get a cut of the money they make. So is it multi-level marketing?
Jeremy: So 20%, 20%, 20% off the line.
Mikko: Conti does exactly this. Also, interestingly, one example of how this model where affiliates can join into the backend can backfire to these ransomware gangs is what happened with Hive. Hive was a top five gang. They were infiltrated by the FBI who signed up as one of the affiliates, gained access to the control panel backend, and Hive's backend allowed you to create decryption keys for any victim. FBI generated keys for 1,700 victims and gave them to the victims, decrypting their files for free. So Hive basically disbanded because of this. It just wasn't able to recover from this breach of security. So identity security is important, even for criminals.
Jeremy: Fair enough. Next question that comes to mind, there's two that I want to get to. Number one is I hear a lot about initial access brokers (IABs) kind of in this ransomware as a service business model, right? The question that I've never quite understood, and you've studied this space way more than I have, why do these exist? And why, for instance, are the initial access brokers, why are the gangs themselves not doing the initial access? Why are they outsourcing that?
Mikko: It's simply a question of outsourcing. It's easier for them and more beneficial for them. They don't need to worry about finding the latest vulnerability or trying to scan the whole internet over and over again. It's just more effective, more efficient.
Jeremy: So it's more efficient because they're better at writing the ransomware than they are at probing for vulnerabilities.
Mikko: Their business is managing the overall program, and then they just outsource different parts to whoever is good at that. So initial access brokers, they are the ones doing the port scanning, they are the ones finding the vulnerabilities, they find the way in, and the reason why initial access brokers prefer to work like this is that they're not technically necessarily breaking the law. They find a way in, they know that, "Hey, here in this IP address, there's a vulnerable VPN server." Yeah, here you go. They don't break in, they don't assault. Even if they get caught, what's the crime? So the reason why IABs want to do what they do is that they make good money, but the crime they do is a very small crime.
Jeremy: Gotcha. Second thing I wanted to understand, you were talking about the FBI generating these decryption keys for everybody. I hear about quantum computing, I'll be honest, I don't actually understand it all that well. Maybe I understand a little bit of the theory of it. Is it a solution for ransomware, or is it just the case that once we get quantum computing that can generate these keys for the victims, they get quantum computing that can make the encryption generation that much more difficult?
Mikko: Quantum computers are going to be a solution for ransomware in a hundred years or so. Okay, it's going to take a while. Of course, I could be wrong. Nobody was really expecting AI to become the huge revolution it did over the last two years, and maybe something could happen with quantum as well. I've actually touched a quantum computer last year.
Jeremy: Okay.
Mikko: It's cool. Literally cool. Yeah, yeah, yeah, because they run at minus 273 Celsius. So it is moving very quickly, but I'm not holding my breath with usable amounts of qubits with the kind of error correction we would be needing for that. Having said that, it still would be crucial for all security systems to try to migrate to quantum-safe algorithms rather sooner than later, because when this happens, then it's going to be very hard to change everything over overnight.
Jeremy: But from that perspective, right? So you talked about this very specialized system operating at minus 273. Is there, okay, maybe it's a hundred years out, so this question is kind of irrelevant, but is there an advantage then from the defender side because the defenders are legitimate businesses and organizations like the FBI have way more resources than these ransomware gangs? So if anybody is going to get the quantum computing and the ability to generate decryption keys, it's more likely the quote-unquote good guys, right?
Mikko: This is the case, and you could say exactly the same thing about artificial intelligence as well. So the fact that something like this is doable and runnable drops the barriers for everyone. So organized crime gangs are not running their own data centers filled with hundreds of thousands of Nvidia H100s to train their own large language models. They couldn't do that or maybe they could do it, but it makes no sense. So they simply just use existing services, hire API access to OpenAI or Gemini or whatever. And the same thing will happen with Quantum. The criminals don't need to have their own quantum computers. They will be running in data centers and you could just use them, use somebody else's quantum computer. That's going to be the case.
Jeremy: We could talk about ransomware probably the entire time that we have today, but I actually maybe, maybe I mean, arguably we should. I mean, look, the single largest cyber event of last year was a string of ransomware events. Arguably, I would say the single largest from last year was the string of ransomware events that came from the Progress Software Move-It file transfer.
Mikko: And that was a zero-day. This is rare. Most of the vulnerabilities used by ransomware gangs are older exploits. They just scan the net to find companies which haven't patched. Move-It was a zero-day, a genuine, real zero-day used by ransom gangs, something which we think they actually found and developed by themselves, which tells you quite a bit about the capabilities of the most professional gangs.
Jeremy: Well, question on that because all the analysis that I've read of it points pretty strongly in the direction that somebody had to have the resources to go through all the research to develop this thing. And I have heard the argument that that points much more to nation-state than it does to criminal gang.
Mikko: I'm not buying it. I do believe this was developed internally by Clop, which was the gang running the operation. It wasn't that hard. Finding zero days, then you typically think about, like, zero-day exploits to mobile phones, things like that, which are really hard to do. It wasn't that hard to do Move-It. It was a fairly esoteric tool only used by very large enterprises. The security model of that system or the audits on the tool were not probably that great, as you would see on some really common consumer software. So if you find a tool which is used by the kind of customers and clients you would like to exploit just take the time to find if there's are any remotely exploitable bugs, you will find it. And while we're speaking about this, I will make one forecast about finding zero days. In the near future, large language models already speak all human languages and all programming languages, right? You could already today take the source code of any program, give it to a large language model, and give it the prompt that, "Hey, find all the bugs from this program." Then, of all those bugs you found, find all the remotely exploitable bugs. Then, write the code to exploit it remotely. And then, the next step is that you don't give the large language model the source code, you just give the binary. Here's the binary, here's the exe, reverse engineer the exe, find all the bugs, find the remotely exploitable bugs. That's awesome and awful at the same time.
Jeremy: I agree with you, it is awesome and awful at the same time. But just if I look at this example again of the Move It software, okay, so you say it's a zero day, it wasn't that hard to find it, maybe it didn't require nation-state resources, but I will say it was creative.
Mikko: I agree.
Jeremy: And the creativity aspect of it I bring up because I don't know if LLMs are designed to be creative. If you tell an LLM to find all the bugs, it can only go on the basis of what it has been trained on, and it likely has not been trained on, let's say, the creative thinking of a red teamer or an effective hacker or pentester.
Mikko: You're underestimating. Okay, all right, could be. I don't know. You spend a lot more time playing with them than I have. We use surprisingly creative, I'll just say that. This will happen, trust me. And when it happens, remember I said it here. And if it doesn't happen, never mind.
Jeremy: OK, if it doesn't happen, skip this episode, move on to the next one. While we're on the topic of AI, I have a question that's been I've been thinking about. Look, everybody's talking about it, we're talking about it, everybody's using it, we're using it as well. But I do have one question that I kind of thought of the other day and it left me thinking for a little while. AI is the new shiny object in the room. AI is the thing that..I've seen an organization that I talked to recently, and they'll remain nameless here, but they were talking to me about some of their cyber strategic initiatives for 2024. And in roughly November-December timeframe, a person over there told me that all the spending, all the project planning, everything got shifted over to AI. And on this organization's list, they had things like AI security, they had things like basic Cloud security. They're in the middle of a migration. And I just, I wonder, what are your thoughts on this particular concern that I have? If we focus all of our energy on AI, what are we forgetting about or what are we neglecting? And does that actually introduce kind of more fundamental risk that we should be just taking care of?
Mikko: I hear what you're saying. And clearly, we're not supposed to move all of our attention into the new shiny object in the room. It's just very hard to avoid doing that because it is interesting. There's tons of like basic things, basic digital hygiene we have to be taking care of. I mean, we're still in the middle of migrating companies to multifactor authentication, which probably would be the single best thing to help you avoid problems. Moving all of your resources to think about new AI defenses is the wrong thing to do. And it's also quite clear to me that we are in the middle of a hype cycle. I mean, a massive bubble is growing right now around AI. Some of the people watching this will remember the Dotcom bubble which bursted in 2000. And the thing I take away from the Dotcom hype and AI hype is that we tend to overestimate the speed of these revolutions and underestimate the size of these revolutions. Think about the promises that were given to users and investors in 1999 about the internet. Yeah, they were floated with ideas like, you know, eventually we will all be doing shopping online, or one day we will all be watching movies online, all of our banks are going to be online, things like that. And of course, yeah, that's exactly where we are today, but it didn't happen in 2001 or 2 or 3. It took a decade. But then when it happened, it was a much bigger revolution. For example, in 1999, nobody was forecasting that everybody's going to have the internet in their pockets, which is of course the most likely way for you to use the internet today. Yeah. And that's what I'm seeing with AI as well. There's tons of promises being given and I think all of those promises will be coming through and much more. But it's not going to happen next year. It's going to take a little bit longer time. And the bubble will burst between that moment and when all of these things are actually real, which is sort of comforting because it also, well, it tells us that if you think you're late or your organization is late that we should be using AI everywhere, you're not late yet. I mean, this revolution is going to take a while. But I also think when we get there, the changes are going to be bigger than what the internet was.
Jeremy: Well, this is what I was going to ask as the follow-up. So if you say that the timing is often wrong or the speed is wrong, but the impact is even bigger, what's on your mind?
Mikko: There's a great video clip somewhere on YouTube of Mark Andreesen being interviewed about this new web browser Mosaic he had just been working on.
Jeremy: Yeah, I remember it.
Mikko: And there's a great misconnect where the interviewer, who has no idea what a web browser is or what the internet is, trying to ask questions from Andreesen, like, okay, what can you do with this browser you've created?
Jeremy: Right.
Mikko: And he said, well, you could do anything. You could do anything with it. Like what? Well, you can put things online. Like what? Well, everything. You can put things, you know, services, you can have services. Nobody in the audience has any idea like, what do you mean like services, things. He couldn't describe one single concrete example of what could, for example, he could have said that we will have the weather report, which you could see from your computer. He doesn't say that. He can't imagine. There's just this service, and you can build anything on top of it. That's what AI is. You could put anything, you can do things, you could have services. And in 10 years, 20 years, we'll look at this interview and laugh about it, how come they didn't see that this is gonna happen?
Jeremy: Yeah, yeah, yeah, all right, fair enough. One other thing that I saw this year at RSA was the presence of some pretty high-ranking officials from governments. I think Anthony Blinken was here and gave a talk. I know a number of people from CISA very highly placed were here and gave talks. Another thing that's been on my mind is how far are we from having military cybersecurity branches? And what I mean is I know that every military branch has its own cyber unit, and probably anybody watching this video will know that there are both kind of Blue Team and Red Team components to that. And for those who don't know the lingo, Blue Team is defense, Red Team is attack, right? But how far are we from where we actually have a dedicated offensive cyber force not part of a army, not part of an Air Force, not part of a Navy only focused on Cyber? Because what I hear right now is if you listen to The CyberWire Daily podcast, every time they refer to the conflict in Ukraine, they'd say Russia's hybrid war with Ukraine. And they describe it as a hybrid war why? Because it's a mix of kinetic action on the ground with tanks and bombs and guns and planes in the air, etcetera. And then attacks on the Ukraine power grid and on the banking system and so on. And it just seems to me that we are moving in the direction where that's A) that's normal and that's going to be part of every human conflict, every nation-state human conflict. And maybe even, you know, lower level kind of one town against one town, one gang against one gang, etc. But B) it just seems like there's actually so much value from the pain and the damage that you can inflict on the other side that it seems just completely inevitable. And it just seems like that's the direction we're going. And I'm just curious, your perspective on this, because I know you do a lot of advisory work with governments.
Mikko: Sure, sure. I think that's the direction we're going, but I think it's going to take a long while. I mean, if there's organizations which are, you know, have huge levels of bureaucracy and are moving very slowly, that would be militaries. And some of the militaries I work with, the first briefings I've done about Cyber attack were in the 1990s. And I was already then giving like, okay, we should be doing this and you should be doing this. And it took a decade, no joke, 10 years for the ball to start rolling in that direction.
Jeremy: But start rolling meaning what?
Mikko: Start rolling that they took it seriously or that they started to have a cyber unit within that branch or just having like the information flow to the decision makers takes years like generals really becoming aware that this is something they should be taking seriously doesn't happen overnight. It's a little bit frustrating.
Jeremy: Super frustrating.
Mikko: It is. I mean, because it's pretty obvious that technology is going to change the world. All the biggest revolutions in the world like how world changes is being fed by technology. So clearly technology should be a core focus of Defense Forces. And that's not really what we've seen in any country. The more agile countries in the world are the ones which have been building, you know, movement towards that direction. It's going to happen, but I'm not holding my breath on that. I'll probably be retired before we actually see them happening.
Jeremy: Okay. I'm going to go on the other side of this, okay? And I'll tell you part of my logic why. Number one is how long did it take the US to create Space Force from the time that it was very first discussed to the time that it was actually a thing? And yes, people laughed about it at the beginning and so on, but now we actually see the danger of losing satellites. We see the impact on operations of daily services and so on from that. Granted, they're not really doing anything active. They're not doing any attacks. But an organization has already been formed. It starts to get its bureaucracy and by the way all the downsides that come with it, but that was kind of a five-year cycle
Mikko: which is surprisingly fast.
Jeremy: Exactly, that's my point. It was surprisingly fast, right? We've now seen an active conflict where cyber has been probably for the first time a major component of it. If you look at the other conflicts going on in the world right now in places like Myanmar or Sudan, or actually, I would say, Israel-Palestine, cyber is a major component of what's going on there as well, in terms of things like taking down mobile network infrastructure and the ability to communicate and so on. I think it's pretty clear that this is now such a major component. I would be surprised if we don't see before I retire cyber forces.
Mikko: Well, maybe you're right. Yeah, it's interesting to see how this will play out. And it's quite clear that if you want to shut down a society, you want to shut down a country, civilian infrastructure right now, the most effective way to shut it down is to shut down electricity. Everything relies on electricity. Without electricity, we won't be feeding 8 billion people on this planet. So, how crucial is connectivity? We have electricity and connectivity. Connectivity is very important. If internet shuts down, it's very expensive, it's very painful, but clearly not as painful as losing electricity. But this eventually will be the same. It's going to take a decade, two, something like that. Eventually, shutting down the internet is going to shut down electricity itself. Everything is going to be interconnected. So, yeah, attacking cyber is crucial and defending cyber is crucial. And I'll make one note on that, which is that in some governments that I've spoken with, with some militaries I've spoken with, there seems to be like a barrier to think about offensive action in cyber. And this isn't really something we should be scared about. If you think about defense forces, every single like traditional real-world defense force trains attack. It's part of credible defense. You have to be able to, you know, shoot guns, shoot tanks. You have to be ready to kill people if you want to have credible defense, defending your own country. Cyber is no different. You have to have the capability to attack. You have to be able to exploit enemy systems. And it doesn't mean that having the capability to attack enemy systems that we would actually attack them. It's part of being able to defend, you have the attack capabilities.
Jeremy: But this is again one of these things that when I hear some of the conversations going on around them, I think, like, this is inevitable. It will actually accelerate the conversation. I'll give you an example of what I mean. So, I think there was a recent issue brought up with, I believe it was China, that, "Hey, healthcare systems and critical infrastructure are off limits." But expecting an adversary to respect those limits, it's not like there's a Geneva Convention around it. And by the way, it's not like the Geneva Convention is respected in all conflicts, even by member states who have signed on to it, which by the way, should include Russia and Ukraine, right? So, I just see the kind of, it's almost like a naivete around thinking about, to your point, we shouldn't attack or to your point, like these things are already happening, and the level of investment and the level of kind of dedicated focus that's going into them is not sufficient. So, you mentioned electricity and connectivity. The third one in my mind kind of that completes the triangle of most critical systems is water. And we have seen attacks on water systems already.
Mikko: Yes, we have, yeah. Both individual criminal actors but also nation-states, exactly. Water is crucial. You're absolutely right.
Jeremy: And water systems are connected, by the way. They need electricity and connectivity. It's all connected. So, anyway, all right. So, I'll take my side of the bet. You can take yours. We'll check in in 20, what are we, 24 right now? I retire in 15 years. Fingers crossed.
Mikko: We have to check back before 2038 because Linux kernel dies in 2038,
Jeremy: and there will be a new one by then, right?
Mikko: Yeah, current Linux kernel, you think everything's going to be updated by 2038?
Jeremy: Well, hey, we all thought the world was going to end at Y2K.
Mikko: Well, then again, a lot of things did fail. However, many of the systems are calculating things to the future. If you have a system calculating 25-year interest, it's already hitting 2038.
Jeremy: Yeah, fair enough. What's the 2038 issue if..
Mikko: we're running out of bits that kernel used to use for calculating the time ticks?
Mikko: Yeah, which start from the first of January 1970 of the offset from UTC. January is going to wrap around. And yes, it's been fixed already in the current Linux kernel. I'm worried about systems like cars.
Jeremy: Yeah.
Mikko: Don't have the updated systems and will still be on the road in 2038.
Jeremy: Yeah, that's true. I mean, it's only 14 years away, and there are connected cars, and every connected car is running a version of embedded Linux, as we all know.
Mikko: So, good luck.
Jeremy: Yeah, yeah. And by the way, those connected cars are running way more APIs than you think. I actually recently spoke with a connected car company, and I was chatting with the cybersecurity guy there, and I asked him, how many APIs are in a car? And he just laughed at me. And I said, what do you mean? He's like, I have no idea. It's thousands.
Mikko: So, it sounds like there's job security in API security.
Jeremy: Well, there's job security in cybersecurity, that's for sure. Other thoughts on RSA this year, other things that you've seen, other things that have been interesting or stood out to you?
Mikko: Um, the best talk I've seen so far has been actually on the very first talk slot Monday morning, 8:30. Jeff White from the United Kingdom speaking about the practical ways North Korea has been laundering the money. They still, oh, and of course, North Korea. They've used ransomware, they've attacked banking networks, they've attacked Swift, and they've done a series of attacks on cryptocurrency exchanges. However, excuse me, the biggest heist they've done, typically people think about the Swift hack where they stole $81 million, something like that, which is big,
Jeremy: the Swift heist, not the Lazarus heist.
Mikko: No, no, well, actually, it's the same. They tried stealing hundreds of millions, but they got $81 million, which is a lot of money. However, there is the Axi hack, cryptocurrency heist, where they got $625 million, and they successfully laundered the money through Tornado Cash. And as Jeff explained it, this is the single biggest theft in mankind's history. Makes you wonder, makes you take a step back because you don't really think about what's the biggest theft in mankind's history. People think about some art, some great train robbery or whatever. This is the biggest one, and this was done two years ago by North Korea, and they used the money, which they successfully laundered, to fuel or to fund..
Jeremy: the nuclear research and the nuclear bomb making. Yeah, that sucks. So, what is not connected going forward, right? Because actually all the things that we've talked about, we talked about water systems and power grids and so on, and this cryptocurrency, all of that was done presumably by people operating either in North Korea or in North Korean embassies around the world, or you know, maybe in the few countries that North Koreans can get access to.
Mikko: They've actually done a lot of this hacking from hotels in countries like Malaysia or Vietnam or Bangkok, things like that. So they go outside the country to do it, okay, which is interesting. But yeah, most of these IT professionals who do hacking for North Korea are North Koreans, which means they've been trained in mainland China, okay, so they have knowledge. They're not bad in their capabilities. Yeah, so what was your question? What's not connected? Oh, I can't come up with an example. What wouldn't be connected today? I don't know.
Jeremy: Yeah, and this is one of the things you worry about, or not worry about, or at least I think about. But let's say the water grid and the power system and the connectivity systems are down. Are there backups that are not connected? You know, is there an analog water filtration system?
Mikko: One example I did research on but didn't actually use in my keynote was the Norsk Aluminum hack when they were hit with the LockerGoga ransomware. Okay, aluminum factories are special cases because they run 24/7. You never shut them down. If you have to shut it down, you cannot restart it. You have to build a new factory, that's what they told me. It's okay, I mean, if the aluminum loses temperature, it will just fill in all the systems and you will lose the whole thing. Okay, so all of their systems are, of course, run by computers. They lost all of their computers. What do you do? How do you recover? How do you keep it running? They were able to keep it running simply because they had a small group of older employees still working for the company who remembered how to run all these systems without computers, who had old notes written down on paper in binders which they could still access. And this was more like luck than anything. You can still do this today. They were able to do this 4 years ago. This...how much longer can we do this?
Jeremy: Did you ever read Lucifer's Hammer?
Mikko: No, I did not.
Jeremy: This...I mean, it talks about this. And, you know, one of the...it's this apocalyptic book kind of thing, and it's a...a comet hits the Earth and takes down all the electricity and all of the ability for humankind to generate electricity, and the most valuable possessions become a set of encyclopedias and guides to doing all these things analog, farming without tractors, and, you know, generating electricity from a water mill, kind of thing. But not really electricity, just generating power.
Mikko: This has become really doomy and gloomy, I know, yeah.
Jeremy: I think we should maybe wrap up the episode, but I want to thank you so much for your thoughts on ransomware, on the conference itself, on cyber forces, everything. I think they're greatly appreciated not only by me, but hopefully by all of our audience. For those watching, please do join us for the next episode of Modern Cyber. Rate, subscribe, review, all that good stuff. Mikko Hypponen, everybody.
Mikko: Thank you for having me. Thank you.