Dark Reading News Desk interviewed Adam Meyers, head of counter adversary operations for CrowdStrike, at Black Hat USA 2023. Check out the News Desk clip on YouTube (transcript below).
Dark Reading, Becky Bracken: Hi everybody, and welcome back to the Dark Reading News Desk coming to you live from Black Hat 2023. I’m Becky Bracken, an editor with Dark Reading, and I am here to welcome Adam Meyers, head of counter adversary operations with CrowdStrike, to the Dark Reading News Desk.
Thanks for joining us, Adam. I appreciate it. Last year, everybody was very focused on APT groups in Russia, what they were doing in Ukraine, and how the cybersecurity community could rally around and help them. There seems to have been a pretty sizable shift in the ground since then. Can you give us an update of what’s happening in Russia now versus maybe a year ago?
Adam Meyers: So I think there’s a lot of concern about that, of course. Certainly I think we saw that the disruptions that generally after the conflict started are not going away. But while (we were focused), you know, on what was going on with the Russians, the Chinese have established a massive data-collection effort around that.
DR: Were they (the Chinese government and associated APT groups) using the Russian invasion as cover while everybody was looking over here? Were they doing that before that?
AM: That’s a good question. I think it worked out that it provided that kind of cover because everybody’s so focused on what was happening in Russia and Ukraine. So it distracted from the steady drumbeat of everybody calling out China or doing things that they were there.
DR: So we know Russia’s motivations. What about Chinese APT groups? What are their motivations? What are they trying to do?
AM: So it’s a massive collection platform. China has a number of different major programs. They have things like the Five-Year Plans dictated by the Chinese Government with aggressive development demands. They have the “Made in China 2025” initiative, they have the Belt and Road Initiative. And so they’ve built all of these different programs in order to grow the economy to develop the economy in China.
Some of the major things that they’ve targeted are around things like healthcare. It’s the first time that the Chinese are dealing with an increasing middle class and so preventative health care issues (are a priority), diabetes, cancer treatments, all of that. And they’re sourcing a lot of that from the West. They (the Chinese) want to build it there. They want to have domestic-equivalent products so they can service their own market and then grow that into the surrounding area, the broader Asia Pacific region. And through doing that, they build additional influence. They build these ties to these countries where they can start to push Chinese products and trading solutions and Chinese programs… So that when push comes to shove on an issue — a Taiwan or something — that they don’t like at the United Nations, they can say “Hey, you should really vote this way. We would appreciate it.”
DR: So it’s really an intelligence collection and an intellectual property gain for them. And so what are we going to see in the next few years? Are they going to operationalize this intelligence?
AM: That’s happening right now, if you look at what they’ve been doing with AI. Look at what they’ve been doing with healthcare and various chip manufacturing, where they source most of their chips externally. They don’t want to do that.
They think that people see them as the world’s workshop, and they really want to become an innovator. And the way that they’re looking to do that is by leveraging Chinese APT groups and leapfrogging (competing nations) through cyber operations, cyber espionage, (stealing) what is currently state-of-the-art, and then they can try to replicate and innovate on top of that.
DR: Interesting. OK, so moving from China, now we go over to North Korea, and they are in the business — their APT groups are moneymakers, right? That’s what they’re looking to do.
AM: Yeah. So there’s three pieces of it. One, they certainly service the diplomatic, military, and political intelligence collection process, but they also do intellectual property.
They launched a program called the National Economic Development Strategy, or NEDS. And with that, there’s six core areas that focus on things like energy, mining, agriculture, heavy machinery, all things that are associated with the North Korean economy.
They need to raise the cost, and the lifestyle of the average North Korean citizen. Only 30% of the population has reliable power, so things like renewable energy and ways to get energy (are the kind of data North Korean APT groups are looking for).
And then revenue generation. They got cut off from the International SWIFT system and international financial economies. And so now they have to find ways to generate revenue. They have something called the Third Office, which generates revenues with the regime and also for the family.
And so they (Third Office) do a lot of things, things like drugs, human trafficking, and also cybercrime. So North Korean APT groups have been very effective at targeting traditional financials as well as cryptocurrency companies. And we’ve seen that — one of the things in our report that just came out yesterday shows that the second most targeted vertical last year was financials, which replaced telecoms. So it’s making an impact.
DR: They’re making tons of money. Let’s pivot around, which I guess is the other major pillar of APT action, is in Iran. What’s going on among Iranian APT groups?
AM: So we’ve seen, in many cases, fake personas to target their (Iranian) enemies — to go after Israel and the United States, kind of Western countries. APT groups backed by Iran create these fake personas and deploy ransomware, but it’s not really ransomware because they don’t care about collecting the money necessarily. They (Iranian APT groups) just want to cause that disruption and then collect sensitive information. All of this makes people lose faith, or belief, in political organizations or the companies that they’re targeting. So it’s really a disruptive campaign masquerading as ransomware for Iranian threat actors.
DR: It must be so tricky to try to assign motivation for a lot of these attacks. How do you do that? I mean, how do you know that it’s just a front for disruption and not a money-making operation?
AM: That’s a great question, but it’s actually not that difficult because if you look at what actually happens, right? — what transpires — if they’re criminal, and they’re financially motivated, they’re gonna make payments. That’s the objective, right?
If they don’t really seem to care about making money, like NotPetya for example, that’s pretty obvious to us. We’ll be targeting infrastructure, and then we look at the motive itself.
DR: And generally, among APT groups, what are some of the attacks du jour? What are they really relying on right now?
AM: So we’ve seen a lot of APT groups going after network-type appliances. There’s been a lot more attacks against devices exposed to various cloud systems and network appliances, things that don’t typically have modern endpoint security stacks on them.
And it’s not just APT groups. We see this tremendously with ransomware groups. So 80% of the attacks are using legitimate credentials to get in. They live off the land and move laterally from there. And then if they can, in many cases, they’re going to try to deploy ransomware to a hypervisor that doesn’t support your DVR tool, and then they can lock all of the servers that are running on that hypervisor and put the organization out of business.
DR: Unfortunately, we’re out of time. I would really like to discuss this for much longer, but can you just quickly give us your predictions? What are we going to be looking at in the APT space, do you think, 12 months from now?
AM: The space has been pretty consistent. I think we’ll see them (APT groups) continue to evolve the vulnerability landscape.
If you look at China, for example, effectively any vulnerability research has to go through Ministry of State Security. The focus is on intelligence collection there. That’s the primary motive in some cases; there’s disruption as well.
And then, as a prediction, the thing everybody needs to be thinking about is identity management, because of the threats that we’re seeing. These breaches involve identity. We have something called the “breakout time,” which measures how long it takes for an actor to move from initial foothold into their environment to another system. The fastest one (breakout time) we saw was seven minutes. So these actors are moving faster. The biggest takeaway is that they (APT groups) are using legitimate credentials, coming in as a legitimate user. And in order to protect against that, protecting identity is critical. Not just endpoints.