Operation Endgame: The ultimate troll patrol. [Only Malware in the Building]

Released Tuesday, 2nd July 2024

Episode Transcript

0:02

You're listening to the Cyberwire Network

0:04

powered by N2K. This

0:16

week on Only Malware in the

0:19

Building. Make it sound

0:21

like you're narrating a Ken Burns documentary. It's

0:23

not that serious, my friend. I don't know.

0:26

It's a spork stealer with an X. Perhaps

0:28

encouraging threat actors to sleep with pajamas

0:30

on in the future. Really

0:32

take stock and think whether or not

0:35

this is worth the effort. I

0:37

like to think the request was submitted an emoji.

0:40

That was an Apple IIc for that matter, for

0:42

those of you who want to know that. Okay.

0:44

Yes, that is a distinction without a difference. Dave,

0:46

what are your dips today? I

0:51

am not sharing my dips with my

0:53

podcast co-host Rick. He's already

0:55

taken my airtime. He's not taking my dips

0:57

too. In a

1:00

world where the cyber good guys have finally

1:02

had enough. This

1:09

summer, only

1:12

malware in the building.

1:15

This is going to be money well spent. Trust me. You

1:30

guys might remember last time when we talked

1:33

about the curious case of the missing IcedID.

1:35

Well, we got a

1:37

little bit of an answer with Operation Endgame.

1:40

This was a major law enforcement

1:42

activity called Operation Endgame. It was

1:44

a widespread effort to disrupt malware

1:46

and botnet infrastructure and

1:48

identify the alleged individuals associated with

1:51

the activity. Europol called

1:53

it the largest operation ever against

1:55

botnets. And IcedID was

1:57

one of the malware, including S like

2:00

a bot, Smokeloader, Bumblebee, and Trickbot

2:02

that were also announced as part of this

2:04

takedown. Can I just say, I think

2:06

we mentioned this in the last show, okay? I

2:08

love that we have all those stupid names, right?

2:10

If it wasn't for that, I don't think I

2:12

would be a cybersecurity person. Huh. Speak

2:15

for yourself. I'm the one who has to say

2:17

all those stupid names and has to, you know,

2:20

oh, it's, it's, I

2:22

don't know, it's Sporkstealer with

2:24

an X, like, huh. Great.

2:27

No, don't give them any ideas, Dave, but I

2:30

don't want to write that one down. I've already written it down.

2:33

Sporkstealer with an X, that's my

2:35

new favorite adversary campaign. Right. Yeah.

2:38

Somebody needs to make a t-shirt that says that. It's

2:41

Sporkstealer with an X. I

2:46

have to apologize to both of you. I'm a

2:48

little, I'm a little behind the game

2:50

here. The producers told

2:53

me that this was going to be on

2:55

camera, so I'm actually wearing two layers of

2:57

Spanx. Spanx

3:01

Loader, that's where you're getting that from. Spanx

3:03

Loader. I can barely breathe here,

3:06

so. All right.

3:08

Well, Selena, take us through this. I

3:10

mean, did we see this coming? Was

3:13

there any scuttlebutt that something like this was

3:15

underway? So

3:23

I think it was kept

3:25

pretty closely under wraps. Obviously, this

3:27

was a large private-public

3:30

partnership success, so there were,

3:32

of course, some private

3:34

organizations involved, as well as a lot

3:36

of various global law enforcement. And so

3:38

it was really cool to see this

3:41

coordinated effort. And you know,

3:43

you mentioned all these silly malware

3:45

names. Well, I have to say,

3:48

part of Operation Endgame was releasing

3:50

Hollywood-style videos on all of

3:53

the malware and the suspected usernames

3:55

of folks behind it. It's almost

3:57

as if Ryan Reynolds directed

4:00

a malware disruption. It's fantastic.

4:03

They're really leaning in to the

4:05

trolling of threat actors. The whole

4:08

image of Ryan Reynolds trolling

4:10

a bunch of malware producing

4:13

criminals. Okay, that is right

4:15

up my alley. Oh, it's

4:17

fantastic. They have these great videos. Some are in 8-bit. Others are

4:19

cartoons. It's

4:22

just very, very fun. I want to

4:24

know how the people who got those made went

4:26

to their bosses and got the budgets approved. Like

4:30

in the federal government, you know, like, no, seriously,

4:32

this is going to be money well spent. No,

4:34

no, hear me out. I

4:38

like to think the request was submitted an emoji.

4:42

Oh, I like that. I like that.

4:45

Yes, yeah. I mean,

4:47

it's interesting to think about how law enforcement

4:49

was able to get

4:51

the drop on these folks, you know, to

4:54

listen in on their things. Selena,

4:56

did you know that Rick is actually an

4:58

old signals intelligence officer? Damn straight I am.

5:02

I didn't know that. And by old,

5:04

I mean his first job was tapping out

5:06

Morse code for the Transcontinental Railroad. And

5:10

I am still waiting for an answer back on that

5:12

first message, did I? Well,

5:17

I do think that this was a awesome

5:19

and fantastic effort by a lot of the

5:22

folks that were involved in law enforcement. I

5:25

know that we've seen takedowns before, right, where

5:27

it's like, oh, we're taking down Emotet, we're

5:29

taking down Qakbot, but they

5:31

don't have necessarily multiple

5:33

legs in this chair, right? So with

5:35

Operation Endgame, you had people that were

5:37

also arrested as part of it and

5:39

identified as part of these disruptions. So

5:41

when you have, you know, the infrastructure

5:43

taken down, as well as the people

5:45

behind it potentially impacted, you

5:47

have a little bit more sort of reach and success.

5:50

And what is absolutely fantastic is this

5:52

Operation Endgame really cuts off ransomware operators

5:54

at the knees, right? law

10:00

enforcement. You know, it wasn't too long ago

10:02

that law enforcement, I mean official law enforcement

10:04

like the FBI, only thought they

10:07

could get after these folks by, you know, arresting

10:09

them and putting them on trial. But it seems

10:12

like in the last couple of

10:14

years they've decided that it's

10:16

okay to unleash the hounds, as they

10:18

say, right? And do all

10:20

kinds of vectors of disrupting this kind of

10:22

activity. Trolling is one of them, but offensive

10:25

operations and other kinds of things,

10:27

right? And it seems to

10:30

be a lot of that going on in the last year or

10:32

so. I do think it's

10:34

exciting to see more activity like

10:36

that. I also, you mentioned unleash the

10:38

hounds. I like to think it's unleashing the Millennials and

10:40

Gen Z. That's

10:43

a scary thought. Oh

10:45

no, well, so much for us, Rick. No,

10:48

they're coming for us next, Dave, is what they're doing.

10:52

You know, you know, Malware and

10:54

Rick both have one thing in common. They love

10:56

to come back just when you think you've gotten

10:58

rid of them for good. I

11:01

made the mistake of driving Rick to the

11:03

Apple Store last week. Oh no. And

11:06

we were asked to leave after he kept

11:08

badgering the poor woman at the genius bar

11:10

to sell him headphones for his Walkman. I

11:14

don't know why they don't have those. Why don't

11:16

they have those? No,

11:19

sir, we do not have floppy disks for your Apple

11:21

II Plus. Okay,

11:25

grandpa, that's down at Radio Shack. That

11:27

was an Apple IIc for that matter, for those of you

11:30

who want to know that. Yes,

11:32

that is the distinction without a difference. So,

11:37

Selena, where do you think we're headed here then? I

11:39

mean, we're seeing all of this swagger

11:42

from law enforcement. Does it feel like

11:44

it's making a dent? Are there any,

11:47

we used to talk about Whack-A-Mole, you know, and

11:49

how these organizations would just pop up. Are

11:53

there lasting after effects here? Definitely.

11:55

So I like using

11:58

swagger to describe this. focus

16:00

on, okay, can we track this? Because

16:02

it's all on the blockchain, right? So

16:04

you're able, even if it's pseudonymized, you're

16:07

able to see the different wallets, who's

16:09

receiving what, what's going where. And

16:12

what's kind of cool is Chainalysis

16:14

did a fantastic write-up on the

16:16

ransomware ecosystem, looking at the cryptocurrency

16:18

perspective. You can see relationships and

16:20

you can see where the

16:22

money is going and to, if

16:25

you have a wallet that you know

16:27

is identified as X

16:30

threat actor, sending money to this threat actor,

16:32

you can kind of see those relationships. So

16:34

in a way, it's given us a little

16:36

bit more intelligence, but at the same time,

16:38

it's made it easier to make money. So,

17:03

you mentioned the Wired story. One of

17:05

their journalists, Andy Greenberg, published a book

17:07

last year called, The Tracers in the

17:09

Dark, that talks

17:12

about the researcher's breakthrough

17:14

of being able to track down

17:16

Bitcoin, who's behind the Bitcoin transactions.

17:19

And if you had any illusions that

17:22

somehow Bitcoin was anonymous, you should

17:24

wipe those out right now. The

17:26

good guys can track you down

17:29

now and Chainalysis is the company

17:31

that, one of the companies that

17:33

are providing those tools in

17:36

the cybercriminal space now. So yeah,

17:38

it's really amazing that we figured that out at

17:40

this point. Especially like, they

17:42

call them tumblers, right? Where they would

17:45

try to, they take a bunch of

17:47

different cryptocurrency and, you know, I imagine

17:51

it either going into like a

17:53

blender or a washing machine, you

17:55

know, all just getting spun and

17:57

mixed together. But to Rick, I

18:00

mean, even that, it seems as though

18:02

law enforcement has a window into that

18:04

and they're clever enough to be able

18:06

to follow those breadcrumbs.

18:09

I think I realized that cryptocurrency was

18:11

mainstream, like super mainstream enough, and I

18:14

was watching one of my favorite British

18:17

murder mysteries. And

18:19

the- Go on. There

18:23

was Death in Paradise, and there was a plot

18:26

line about a guy who was

18:28

stealing electricity to mine cryptocurrency getting

18:30

murdered. Here's an exclusive

18:32

sneak peek of an all new motion

18:35

picture event. What's

18:37

this? It's a crypto mining rig.

18:40

Beautiful, isn't she? What does

18:42

it do? What it says

18:44

on the tin, it mines cryptocurrency, like

18:47

Bitcoin, or in this case, Ethereum. I

18:51

was like, we have fully

18:54

achieved widespread awareness about crypto

18:57

when this is a plot point on this

19:01

British mystery show. I

19:04

will know it has reached critical mass when

19:06

I can use Bitcoin at the place where

19:08

I purchase my delicious dips. Dave,

19:13

what are your dips today? I

19:15

am not sharing my dips with my

19:17

podcast co-host Rick. He's already taken my

19:19

air time. He is not taking my

19:21

dips too. Rick

19:24

can have some of my snacks when he

19:26

starts bringing jokes that are as fresh as

19:28

my dips. Until then,

19:30

no dips for you. Only

19:35

Dave's dips. Okay, only

19:37

Dave gets those dips. So

19:40

what's next, Selena? I mean, what

19:43

are we expecting here? Is this the first

19:45

of many more to come? Or

19:49

we often use these metaphors like

19:51

cyber Pearl Harbors and cyber 9/11s

19:53

and those sorts of things. So

19:55

if we turn those metaphors on,

19:57

the good guys coming after the bad

20:00

guys. You know, what's the big one

20:02

look like? Is there, is it possible to

20:04

have such a big hit that

20:06

it makes all of the bad guys really

20:09

take stock and think whether or not

20:11

this is worth the effort? Jeez, Dave,

20:13

listen to you. Make

20:15

it sound like you're narrating a Ken Burns

20:17

documentary. It's not that serious, my friend. Yeah,

20:22

we should get Ken Burns on this podcast

20:24

to narrate the, narrate the cyber war. Yes,

20:28

coming to PBS in 2025. I

20:32

think, well, you know, I think, well, so

20:34

if we're talking about metaphors, Operation Endgame, that

20:36

was like the Avengers Endgame. That was the

20:38

final big finale, say no snap. Everyone

20:41

comes together to defeat the baddies. Oh,

20:43

that's the movie with all the superheroes, right?

20:47

Yes, it absolutely is. I think

20:49

my kids told me about that. All right,

20:51

well, you may not be familiar

20:59

with the Avengers, Dave, but. I

21:01

would see, when you said Endgame, I thought

21:03

you were talking about chess. That

21:05

too, I mean, it could be a lot of

21:07

different metaphors. I guarantee

21:10

you that somebody in the FBI is

21:12

totally a fan of the Avengers movies, right? And

21:14

that is the reason it's called Endgame. Well,

21:17

there is a chess favicon on the

21:19

Operation Endgame website and the logo. Are

21:24

you saying I'm wrong, Selena? Is that what

21:26

you're saying? I'm saying that

21:28

I. Is

21:30

there a picture of Thanos on the website

21:32

or is it just the chess metaphor? The

21:35

videos look like they're superheroes involved. Okay,

21:37

the sign's saying. All right, fair enough.

21:41

We'll just say, well, let's all agree that

21:43

it's ambiguous. Well,

21:47

I mean, either way, either way, it was a big

21:49

win. And I do think that

21:51

hopefully this is kind of what the gold

21:53

standard moving forward, right? Like if we're gonna

21:56

combat these guys, it needs to be a

21:58

concerted effort with global law enforcement, public-private

22:00

partnerships, making

22:02

fun of them. That's my favorite

22:05

part. And,

22:07

you know, I think we'll

22:09

see what happens. I think it'll take a

22:11

few months for the landscape to kind

22:13

of really return or fluctuate a

22:15

little bit as we kind of get the

22:17

heartbeat of consistent activity back for some of

22:19

the actors whose botnets or

22:21

operations may have been disrupted. But I think this

22:23

is exciting. I don't really

22:26

think there's going to be a true

22:28

thing of snap for all

22:30

crime everywhere. So that would be

22:32

amazing. But then I also wouldn't have a job.

22:36

That's a good point. We all would be out of jobs

22:39

if we did the Thanos snap. Another

22:46

thing that strikes me about this is that

22:48

for the folks who are in law enforcement,

22:51

coming at something like this in this way, in

22:53

this public way, like we said, with a lot

22:55

of swagger, to me,

22:57

this really opens up avenues

23:00

for them in terms of recruiting. Right.

23:03

Because the folks who are coming out of

23:05

school or coming out of, you know, trade

23:07

school or boot camp or whatever, they

23:09

can look at this and say, you know,

23:12

maybe I'm not going to have to be

23:14

operating behind the scenes in some, you

23:16

know, nondescript government building and no one

23:18

will ever know what I do and

23:20

I won't get credit for anything. Right.

23:23

So even in the recruiting side of things, it

23:25

seems to me like law enforcement

23:27

being able to take

23:29

credit this way in such a flashy

23:32

kind of way that must help them

23:34

in that side of it as well.

23:37

I think so. You know, I don't know if it's necessarily the

23:39

people that are going to get a lot more attention. It's just

23:41

going to be the work that they're doing, I think might be

23:44

a little bit more fun. There was SleuthCon

23:46

in Washington, D.C. a couple of weeks ago

23:48

and a couple of folks from the U.K.'s National

23:50

Crime Agency again talking about LockBit and the

23:52

NCA and they were able to sort of stand

23:55

there and be like, look at this great stuff

23:57

we did. Like, look at these tweets that people

23:59

made about the work that we were doing.

24:01

And it was really fun. And I do think that

24:04

showing your work and making it

24:06

fun and not having it necessarily

24:08

be closed off, super,

24:12

you can't talk about it. This

24:15

is a way for people to explain to people outside

24:17

of the cyber bubble, this is what happens. This is

24:19

what I do for work. This

24:21

is, these are cool projects that I'm working on. This

24:23

is why it matters. This is why it's important. And

24:25

I think not only for recruiting purposes, but I also

24:27

think for general cyber education

24:30

purposes and understanding the overall threat landscape,

24:32

telling a story via video and making,

24:34

you know, hackers in their hoodies

24:36

and as cartoons or 8-bit characters is a

24:38

really cool way of showing, you know, the actor,

24:41

hey, we see you, we know what you're doing.

24:43

But also people like, this is cool. Like this

24:45

is fun, cool stuff. And,

24:47

you know, it's not necessarily like spy

24:49

versus spy espionage type of thing where we

24:52

think about cyber in a lot of ways,

24:54

but this is, you know, having real impact on a

24:57

cyber criminal ecosystem is just

24:59

plain cool. Well,

25:05

aside from the cool code names that I

25:07

particularly like, right? One of the

25:10

things that makes the cybersecurity profession unique,

25:13

I think, is that you're not

25:15

just protecting your enterprise from, you

25:18

know, bad things happening, but you're actually

25:20

stopping, you know, criminals and spies and

25:22

things from being successful. You don't get

25:24

to do that if you're the clerk

25:27

at, you know, the 7-Eleven, right? So it's

25:30

an added benefit, a motivation

25:32

factor for info sec professionals.

25:35

Yeah, it's fun and it's cool. I

25:37

love making bad people sad. Yo,

25:40

I love that. Oh,

25:43

my new motto. That's

25:46

another t-shirt. I definitely

25:48

stole that from someone. That's not

25:50

a Selena original, but it

25:53

exists somewhere. It is now. It is

25:55

now. All

25:58

right, well, I think that's a great.
