
37. ‘Presence Matters’: Nakasone and Easterly on Ukraine, collaboration and those midterm elections.

(MUSIC)

DINA TEMPLE-RASTON: Back in December, a small team of cyber warriors landed in Ukraine
as part of a stealthy mission. It was less than three months before Russia would invade.

NEWS TAPE: Russia has for weeks been massing tanks at the Ukrainian border…

TEMPLE-RASTON: The group was from U.S. Cyber Command, the cyber arm of the military,
and had been deployed to help Ukraine hunt for Russian malware in their networks.
Remember, this was a time when no one seemed sure whether the troops on the border
were part of a head fake…

TELEVISION PUNDIT: My best guess still is that he’s not going to invade…

TEMPLE-RASTON: Or were preparations for war…

JOE BIDEN: We have reason to believe the Russian forces are planning to and intend to
invade Ukraine.

TEMPLE-RASTON: A major in the Marine Corps led the U.S. team.

GEN. PAUL NAKASONE: Her guidance was this, Hey, go help them and make sure that
they're ready in terms of anything that may occur.

That’s the head of the NSA and Cybercom, General Paul Nakasone.

NAKASONE: She called back within the first two weeks and said, Hey, instead of coming
home for the holidays, we're gonna be here for a while.

TEMPLE-RASTON: It ended up being more than a while. The teams stayed for three months,
and just kept getting bigger.

NAKASONE: Begins with 10 and then we surge to well over 30. And so we had flooded the
zone.

(THEME MUSIC)

TEMPLE-RASTON: Given Russia’s hacking history in Ukraine before the war, people naturally
expected Russian hackers to take down Ukraine’s power grid or to hobble its
communications systems. That didn’t happen.

Nakasone was careful not to give all the credit to the hunt teams.

NAKASONE: While I certainly would not say that was a key reason, I think that it was a
contributing factor. You know, having 10, uh, folks on the ground that are tied back to our
command and our agency, that's a power that I think is really helpful.

TEMPLE-RASTON: This is the kind of work Nakasone talked about last week at the Council
on Foreign Relations in DC. He was joined by CISA Director Jen Easterly at an event focused
on the importance of collaboration during a war that combines cyber with more
conventional forces.

And the event was moderated…

TEMPLE-RASTON AT EVENT: Uh, thank you so much…

TEMPLE-RASTON: By me.

TEMPLE-RASTON AT EVENT: I’m Dina Temple-Raston…

(THEME MUSIC)

TEMPLE-RASTON: And this is Click Here, a podcast about all things cyber and intelligence.
Today, highlights from a rare sit-down with two of the nation’s leaders in cyber. We talked
about everything from Ukrainian network defense…

JEN EASTERLY: They've been the cyber sandbox for the past 10 years…

TEMPLE-RASTON: To collaborating with private companies and allies.

NAKASONE: We've gotta operate in a manner that can share rapidly so that means for the
most part, it has to be unclassified.

TEMPLE-RASTON: To what to expect in the run-up to the midterm elections.

NAKASONE: We still have 29 days to election, and so every single day is a day that we're
very, very focused on this.

TEMPLE-RASTON: Stay with us.

[BREAK]

(CROWD NOISE)

ANNOUNCER: Good afternoon everyone. If you could please take your seats. We'd like to get
started…

TEMPLE-RASTON: General Nakasone spoke first.

NAKASONE: First of all, thanks to the Council on Foreign Relations and really nice to be
back with Jen, my colleague, and good friend. Um…

TEMPLE-RASTON: Jen Easterly, director of the Cybersecurity and Infrastructure Security
Agency, or CISA, was sitting next to him on stage.

EASTERLY: You know, let me just say a couple things and Paul can weigh in here.

TEMPLE-RASTON: The pair have been colleagues in one way or another for years. They
actually worked together on convincing the Pentagon that America needed a command
dedicated to cyber — not to just defend U.S. networks, but also to launch offensive cyber
operations against America’s adversaries.

Since that time Cybercom has hobbled ISIS’s media operations, taken down servers Russia
was using to sow disinformation, and a few years ago hacked Iranian networks that were
digitally tracking and targeting ships in the Persian Gulf.

NAKASONE: How do you judge your success?

TEMPLE-RASTON: That’s Nakasone again.

NAKASONE: You judge your success by staying ahead of your adversary. That's something
we do very, very well at the agency, in the command, in trying to figure out the next access,
the next tool, the next operation.

TEMPLE-RASTON: With every conflict there is a lesson. The war with Ukraine, for example,
has shown that Russian hackers haven’t been particularly good at coming up with
spur-of-the-moment cyber operations. And that collaboration – whether it is between
Ukraine and the U.S. or Ukraine and American tech companies – is a key component in
cyber battles.

Now, those hunt teams Nakasone sent to Ukraine, back in December, they aren’t new. In
fact, Nakasone said there have been more than three dozen similar hunt teams dispatched
to 20 different countries in the past three years alone. But the way the U.S. is using them
now is a little different.

NAKASONE: First lesson learned: presence matters. We learned that, again, not only were
we able to assist Ukraine in terms of the networks they looked at, but interestingly enough,
as you have a presence on the ground, all the malware that's coming in, it's coming to this
team in Kyiv.

TEMPLE-RASTON: We talked to someone after the event who told us the Cybercom hunt
teams are doing important work, but the problem is it stops when they leave. The American
teams aren’t there long enough to teach allies how to hunt for malware by themselves.

So in the case of the Ukrainians, for example, they end up being more reactive to attacks
when they happen, instead of preventing them from happening in the first place.

(MUSIC)

TEMPLE-RASTON: Sending hunt teams abroad has worked for American cyber defense
because operators return with a wealth of information about what the adversary is up to. It
becomes like an early warning system for the US – here’s what the adversary is doing over
there, let’s prepare for that before it gets here.

Which, Jen Easterly said, is where CISA would naturally step in.

EASTERLY: We've been working with the Ukrainian computer emergency response team,
known as CERT because we serve as US CERT, but our partners from Latvia, Estonia,
Lithuania, Poland, the Czech Republic, to essentially get ahead of potential cyber activity.

TEMPLE-RASTON: By working with CISA equivalents around the world, cyber operators
working for the allies have been essentially deputized. Everyone knows what to look for —
the new malware variant or undiscovered vulnerability — and that means people guarding
networks around the world, people defending these endpoints, are on alert for something
specific.

NAKASONE: We're talking 400 million, 1.5 billion endpoints that now have the information
that this malware is being used. And think about that. If you are an adversary producing
these types of tools, suddenly with the work of, you know, CISA and Cyber Command and
NSA, we have that ability working with the private sector that's so critical to be able to
provide that information.

TEMPLE-RASTON: In fact, we’ve already seen how much the private sector can help spot
critical hacks before they metastasize. One of the most consequential hacks against the US
in years was discovered by a cybersecurity company scrubbing their own servers.

Remember SolarWinds? Russian hackers got into this management software program and
it gave them access to the networks of some 18,000 SolarWinds customers — including,
embarrassingly, U.S. government entities like the Treasury and the Department of
Homeland Security.

EASTERLY: I don't think it was lost on anybody that SolarWinds was first discovered by Fire
Eye, a private sector company. And they're very likely to see malicious activity here at home
on critical infrastructure.

TEMPLE-RASTON: Nakasone – the leader of an organization that people used to joke was so
secretive the letters NSA actually stood for No Such Agency — says he has come around to
the idea that the information about adversaries’ cyber efforts is more powerful when it is
shared.

NAKASONE: I think we've also figured out if you're gonna operate in this space, we've gotta
operate in a manner that we can share rapidly. So that means for the most part, it has to be
unclassified. I think we’ve gotten much better at sanitizing the information because it's not
necessarily what the information is saying a lot of times for us; it's where it's coming from.

TEMPLE-RASTON: So is the classified part the “who did it,” the “whodunnit” part of it? What
is it that you're declassifying?

NAKASONE: A lot of times it's how we obtain the information.

TEMPLE-RASTON: So sources and methods?

NAKASONE: Exactly. We’re always worried about sources and methods. And so again, to my
point, I think what we have done, uh, across the intelligence community and I think done
very, very well is to take a look at are there other ways that this information could be
obtained? And if there is, you know, is it really necessary to classify it as such?

TEMPLE-RASTON: So in other words, if for example NSA finds some malware and Microsoft
does too, why not let Microsoft just tell everyone? Then no one has to worry about
declassifying it.

When we come back, bracing for the next cyber attack.

EASTERLY: We could see cascading attacks from Ukraine that affect other things. And so we
absolutely need to be very vigilant.

TEMPLE-RASTON: Stay with us.

[BREAK]

TEMPLE-RASTON: Back in March, the Justice Department indicted four Russian nationals for
their alleged role in targeting thousands of energy company networks around the world.
Prosecutors said hackers linked to the Russian defense ministry installed back doors and
tried to drop malware on the networks for use later.

Easterly said they are still doing that.

EASTERLY: Now we know the Russian playbook, and we've been working very closely with
the energy sector. But we are not at a place where we should be putting our shields down.
The environment is very difficult. The Russians are very unpredictable. Their back is up
against the wall. We've seen these horrific kinetic attacks against civilian infrastructure. And
we may be seeing a lot worse coming.

TEMPLE-RASTON: Have we had close calls?

(AUDIENCE NERVOUS LAUGHTER)

EASTERLY: So I think we've seen, certainly from what we get from our critical infrastructure
partners, we have seen an uptick in things like reconnaissance.

TEMPLE-RASTON: In other words, bad actors scanning systems to see if they aren’t patched
or have vulnerabilities that haven’t been discovered.

NAKASONE: We see scanning all the time. I mean just all the time. All the time, we are
looking and seeing scanning. This is why this campaign against malware, I think is so
important: being able to stay ahead of the adversary.

TEMPLE-RASTON: Which again, Nakasone said, requires some teamwork not just from the
military but from the civilian sector too.

NAKASONE: What are they using? If they're using that, let's share with a series of, you know,
cybersecurity firms to have them rip it apart and see if they can attribute it. And then if they
can attribute it, even if they can't, let's go ahead and publish it.

TEMPLE-RASTON: All that said, it is almost inevitable that something will get through. And
for a brief moment, last week, that something finally had.

DENVER LOCAL NEWS: Some of the nation’s largest airports today, including DIA and La
Guardia, have been targets for cyber attacks.

TODAY SHOW: More than a dozen websites for major airports, including LAX and Atlanta’s
Hartsfield-Jackson, were temporarily knocked offline.

TEMPLE-RASTON: Maybe because we’ve been girding ourselves for some sort of cyber
reprisal ever since the Russian invasion of Ukraine, things got a little overblown with the
airports.

ABC: Tonight, some of the nation’s biggest airports are scrambling to protect their
websites…

FOX: It happened after a group called Killnet urged its followers to participate…

NBC: Pro-Russian hackers now claiming responsibility…

TEMPLE-RASTON: The hackers just got into the public websites of LAX and O’Hare and
Atlanta Hartsfield. But it was a simple DDoS attack, and it didn’t have any effect on flights.

EASTERLY: The distributed denial of service attacks were a nuisance at best.

TEMPLE-RASTON: That’s Jen Easterly again.

EASTERLY: We were in touch with the airports over the weekend. Yes, there were some
website defacements. But at the end of the day, there were no operational impacts and
that's the important thing, nothing that impacted the critical services or the airports.

TEMPLE-RASTON: Of course, the elephant – and donkey – in the room is November, and the
midterm elections. And this gets us back to hunt teams. They don’t just look for malware
and sinister cyber tools. In recent years, they’ve also been looking for something a little
more nuanced: the telltale signs of influence operations.

And Nakasone said, less than a month before the midterms, he isn’t seeing anything like
that yet.

NAKASONE: In terms of influence, we are seeing no significant indications of attacks that
are being planned right now. We have sent a number of hunt forward teams across very
select countries to look at what our adversaries might be doing.

TEMPLE-RASTON: And so far, he says, they aren’t seeing anything new.

NAKASONE: Have we seen any new tools? Is there any new tradecraft they might be
utilizing? Are there new operational places that they're running out of?

TEMPLE-RASTON: And the answer to that is?

NAKASONE: Uh, so not yet. But again, we still have 29 days to the election. And so every
single day is a day that we're very, very focused on this.

TEMPLE-RASTON: Then again, it may be too early to tell. Around this time in the election
cycle two years ago, U.S. Cybercom launched an operation against a notorious Russian
ransomware gang called TrickBot. They knocked them offline to make sure they wouldn’t
be able to attack U.S. networks during the election. Cybercom hacked into their command
and control servers and made it impossible for TrickBot’s leaders to connect to them…

(MUSIC)

TEMPLE-RASTON: While the operation had little effect on the group's long term prospects –
TrickBot is back to full strength now — that wasn’t the point. The point was to kneecap the
group so they couldn’t meddle in U.S. elections. At the event last week, Nakasone didn’t give
any indication that something similar might be underway now, just weeks from the
midterms.

Then again, he’s from the NSA. And it’s his job not to tell me.

This is Click Here.

(B SEGMENT MUSIC)

TEMPLE-RASTON: Protests in Iran over the death of 22-year-old Mahsa Amini have reached
their fourth week. She was arrested last month for allegedly violating Iran's hijab policy, and
then she died in police custody.

Dozens of demonstrators are thought to have been killed in government crackdowns across
the country since then. And that crackdown is being felt outside Iran too. As Click Here’s
Sean Powers explains, hackers working for the authorities there are taking aim at
journalists, academics and researchers with some ham-handed phishing campaigns.

SEAN POWERS: Mahsa Alimardani has standards for hackers who try to send her phishing
emails.

ALIMARDANI: Like why can't they properly use Google and figure some of this stuff out? Why
are they so sloppy?

SEAN POWERS: So sloppy and so obvious. A few months ago Mahsa got this email that was
supposed to be from a journalist she knew. The signature box on the email said Washington
Post. Only trouble? The journalist didn’t work there anymore. He’d joined the New York
Times.

ALIMARDANI: They hadn't quite updated his current workplace.

POWERS: Mahsa knew she was being phished. Someone wanted her to click on a link, let
them put malware on her computer, steal her passwords.

ALIMARDANI: So I, I was like, oh, this is fun. I wanna reply and engage in a back and forth
and see where this goes.

POWERS: Not your typical response to a phishing email. But Mahsa at this point is used to
this sort of thing. She is a researcher at Article 19, a human rights organization, and she
specializes in Iran.

And she says they are trying to hack her all the time. So after a little back and forth…

ALIMARDANI: I ended up just tweeting: this happened…

POWERS: And her tweet caught the attention of a cybersecurity company and this woman.

DEGRIPPO: My name is Sherrod DeGrippo. I'm the Vice President of Threat Research and
Detection at Proofpoint.

POWERS: And Sherrod and her team decided they would try to trace Mahsa’s email back to
its source. It turned out that Mahsa had been targeted by a group called TA453. They’re
linked to the Iranian government, and they may be better known by their other name:
Charming Kitten.

Get it? Iran… Persian Cat…

And it might be adorable but for the fact the group hacks for Iran’s Islamic Revolutionary
Guard. And, Sherrod says, they tend to target diplomats, academics, journalists and, you
guessed it, human rights workers.

Which explains how Mahsa got mixed up with them. Here’s Sherrod again.

DEGRIPPO: They pretend to be someone looking into issues around the Middle East, and a
lot of times they offer to get on a Zoom call. Now, you might think, why would a cyber
espionage actor out of Iran be able to easily get on a Zoom? Well, generally they don't
actually follow through with the call. They offer it and then send some kind of credential
harvesting link, an attempt to get the username and password of their target.

POWERS: Their MO: Hey I’m a fellow researcher from a think tank or a journalist looking for
information on the Middle East. Can you help me?

DEGRIPPO: That's the best way to do it — rapport is hard to build over internet
communication, but you can have a little bit of rapport instantly if it appears that you're a
part of the same circles.

POWERS: Which is pretty smart.

DEGRIPPO: Oh yeah. The threat actors are smart. They know what they're doing.

POWERS: So why pick on Mahsa Alimardani? Sherrod says they were probably less
interested in her research about Internet freedom and Iran and more interested in her
contacts both inside and outside Iran, particularly given the current protests.

Mahsa, for her part, decided to turn the tables on whomever was phishing her.

ALIMARDANI: And I was insisting that they get on like my Zoom link to chat cause I just
wanted to see who they were.

POWERS: They refused.

ALIMARDANI: They eventually stopped responding to me because I was annoying them so
much.

POWERS: Take that, kitty.

I’m Sean Powers, and this is Click Here.

(HEADLINES MUSIC)

TEMPLE-RASTON: Here are some of the big cyber and intelligence stories of the past week.

Hackers linked to China targeted the networks of U.S. state legislatures back in July,
according to a new report from Symantec. Its Threat Hunter Team said a long-standing
Chinese hacker group known for hacking a roster of industries to pick up intelligence took
aim at networks that both lawmakers and state employees had access to. The hacking
group is known by some cybersecurity companies as “Emissary Panda” and it has been
around since 2013. Symantec wouldn’t say exactly who was targeted but did mention this is
the first time in years that the group has taken aim at the U.S.

The White House plans to beef up baseline cybersecurity on three more critical
infrastructure sectors: communications, water and health care networks. The move,
announced on Thursday by White House deputy national security adviser Anne Neuberger,
is part of the Biden administration’s effort to seal gaps in the nation’s infrastructure in the
wake of the ransomware attack on Colonial Pipeline.

And finally, on Friday Microsoft revealed details of a coordinated ransomware campaign
against the transportation and logistics sectors in Ukraine and Poland. The company’s
Threat Intelligence Center said it observed the malware was used in a roster of attacks that
all occurred within an hour of each other. Notes left on victim devices dubbed the malware
“Prestige ransomware.”

Microsoft hasn’t attributed the attacks to any known threat actor, but the company did say
the destructive wipers used by Prestige have some similarities with other attacks targeting
Ukraine since the Russian invasion in February. Microsoft said the attackers had already
gained a high level of access on the targeted networks. They still don’t know how they got
in.

(THEME MUSIC)

TEMPLE-RASTON: Click Here is a production of The Record by Recorded Future. I'm Dina
Temple-Raston, your host, writer, and executive producer. Sean Powers is our senior
producer and marketing director, and Will Jarvis is our producer and helps with the writing.
Karen Duffin and Lu Olkowski are our editors. Darren Ankrum is our fact checker and Ben
Levingston composed our theme. Kendra Hanna is our intern.

And we want to hear from you. Please leave us a review and rating wherever you get your
podcast and connect with us by email at ClickHere [at] recordedfuture [dot] com or on our
website at ClickHereShow.com.
