
The Phish Bowl
Get a front-row seat to the ever-evolving world of cybersecurity. Hosted by Stephanie Schneider and Michael Kosak, each episode dives into the latest threat patterns, attacker tactics, and emerging digital risks—arming you with the insights you need to stay one step ahead. Whether you're a seasoned pro or just cyber-curious, we’ve got you covered. Presented by LastPass.
APAC Threats, Iran’s Digital Shift, and The Phish Bowl Debut
In the debut of The Phish Bowl, hosts Mike Kosak and Stephanie Schneider explore cyber threats in the Asia-Pacific region, from China’s strategic campaigns to North Korea’s exploits. Special guest Nate Blumenthal joins to unpack Iran’s evolving tactics and the shift to digital warfare. Subscribe, follow along, and don't take the bait.
🔗 https://info.lastpass.com/threat-reports - Want the data behind the discussion? Download the companion report for deeper analysis, regional stats, and expert insights.
Mike: Welcome, everyone, to the inaugural episode of The Phish Bowl. We are your hosts. I am Mike Kosak.
Steph: And I'm Stephanie Schneider.
Mike: And each month on this, we'll be taking a plunge into cybersecurity threats, nation-state threats, cybercrime trends, and just sort of general cybersecurity issues that we're seeing and tracking as cyber threat intelligence analysts. This month, we're going to be doing a deep dive looking at the Asia-Pacific region. We're going to be doing this every month, rotating quarterly through different regions. This will be kind of a regional threat overview. So this month, we're starting with APAC. Next month, we'll be looking at Europe, the Middle East and Africa. And then the following month, we'll be looking at the Americas, and then we'll start all over again. So this is really an opportunity to dig in a little bit on that. We've also got a really exciting episode today as well, because we've got Nate Blumenthal, who was the former senior director for intelligence and the advisor to the Cybersecurity and Infrastructure Security Agency for intelligence. We've got a conversation with him about the recent events in Iran and how that affects the cybersecurity threat environment. So we've got a really exciting episode for you today, and we'll jump right in. Since this is our first episode, we figured it makes a little sense to kind of take a minute and introduce ourselves. I am, as I said already, Mike Kosak. I have been with LastPass now for two and a half years as a senior intelligence analyst. Prior to that, I led the strategic cyber threat intelligence team at Bank of America, and led the cyber threat intelligence team at TIAA, which is, for folks listening outside the United States, a large retirement savings company here in the United States. The first half of my career was actually in the United States government, in the intelligence community. I was with the Defense Intelligence Agency working on counterterrorism. So I was a senior intelligence officer there working on that, and then about 10 years ago made the jump into cybersecurity.
Steph: Hi, I'm Stephanie Schneider. It is hard to follow up Mike with that impressive resume. But I worked with Mike over at Bank of America on the cyber threat intelligence strategic team, and I focused on nation-state threats there. I actually came over to cybersecurity from the international affairs space. I worked for some transatlantic think tanks in Washington, DC. So I love talking about nation-state threats and everything else that we're gonna be talking about today.
Mike: We figured, to kind of frame things and start things off, let's just take a quick look at the region, at the Asia-Pacific region, and what the cyber threat environment looks like there at a high level. You know, if we look at it statistically, we're going to draw from a couple of really good reports here to help kind of frame it. IBM put out a report earlier this year talking about the cyber threat environment. Generally, they noted that the Asia-Pacific region accounted for 34% of the incidents that they were tracking, and that that represented a 13% increase over the previous year. So not only making up the majority of, or I guess the plurality of, the incidents that they were tracking, but also a lot of growth year over year. So that's kind of setting the stage for not only a high threat environment, but one continuing to expand as a very dynamic region from the cybersecurity perspective. Manufacturing was the most targeted industry they found as well within the region, followed by finance, insurance, and transportation. So, you know, a really broad range of targets that they're seeing. And a lot of that really revolves around cybercrime. We'll dig in a bit more on that in a minute. Stolen credentials, obviously a big deal for us here at LastPass, but really a common theme in what was found as far as the Verizon Data Breach Investigations Report that came out earlier this year: 55% of breach victims they noted within the region involved stolen credentials. And then also from a ransomware perspective, very, very active as well. Australia is in the top 10 for targeted countries based on some reporting. Taiwan, Singapore, Japan, also very common targets of ransomware gangs based on the reporting coming out of these groups. So, very, very active region. And that's just kind of at a very high level. So we're going to dig in here a little bit more on nation states and cybercrime. We'll break it down a little bit more.
So, you know, when we think about nation-state threats within the region, the first two that always jump to mind are China and North Korea. You know, when you think about nation-state threat actors, those make up two of the big four, if you think about China, North Korea, Iran, and Russia.
Steph: Yeah, I mean, China has a lot going on right now, but they've been really focused on going after intellectual property from foreign entities. So that poses a big risk to businesses, really not just based in China, but globally. We see them really honing in on specific industries as well, like semiconductors, which makes a lot of sense because there's this global semiconductor shortage and there are US sanctions and restrictions on exports of those. We also see them going after military plans, things like that. So a lot of the activity that we see from China makes a lot of sense when you think about some of the geopolitical drivers of what they're interested in. We also have seen a lot of activity from China looking at telecoms. There's been a string of reporting with China being accused of, you know, really going after multiple telecom providers in the U.S. and some global ones as well across dozens of countries. So, Viasat, which is a prominent telecoms provider, just recently disclosed a security breach by China-backed Salt Typhoon. Earlier in June, NSA and CISA officials also mentioned Comcast and Digital Realty as potentially compromised in the Salt Typhoon telecom attack. So really, we're just seeing them go after and try to, you know, collect as much information as possible so that they can use it for a variety of reasons, but really just focused on collecting information.
Mike: Yeah. And it's interesting, too, with China, because they're pretty upfront about what they're going after. You look at the five-year strategic plans. You read that, you get a really good understanding of what their targets are going to be. And then you can align it later with subsequent attacks, and they line up almost one for one. So that's almost helpful from China's perspective, that they're kind of giving you a strategic roadmap of where they're going from a cyber threat perspective. But let's move on to North Korea a little bit. If we're looking at the big threat actors in the region, obviously, a lot of the conversation when it comes to North Korea is around cybercrime and financially motivated crime. It really is state-sponsored, financially motivated activity. And this takes place in a couple of different ways. There's the classic bank targeting, which has sort of fallen out of favor with North Korea over the last couple of years, if you think about it. The Bank of Bangladesh breach back in 2016, that was really sort of the high-water mark for their financial targeting of sort of classic financial institutions. And then what we've seen over the last couple of years, and you see regionally as well, is a real focus on crypto for a number of reasons. One, it's, you know, obviously it's easier to launder, and, you know, that's part of it. But then really all this money is stolen to feed into the weapons programs. And these thefts make up a substantial portion of North Korea's GDP. So it's really effective for North Korea too.
And then also there's the IT worker threat that we've seen over the last couple of years really growing, and we've seen a series of reports from Western governments in particular about activity related to North Korea using North Korean workers or North Korean assets posing as IT workers and getting hired by Western companies for the purpose of gaining access, stealing money, stealing intellectual property, you know, really basically sort of in-person supply chain attacks to try and get in and further their crypto thefts. And that's not even to get into some of the other nation-state actors that are growing in their capabilities. You can't leave out Vietnam and some of their activities. They're highly capable. They're not at that top tier that we often talk about within cybersecurity, but definitely very capable. Same with Pakistan, same with India. And then there's obviously a whole bevy of international tensions across and among and between all of those countries that make it a really unique cyber threat environment from the nation-state perspective. And that's really just on the nation-state side. Steph, do you want to talk a little bit about what's going on with cybercrime and some of the issues we see there within the region?
Steph: Yeah, I definitely want to revisit some of the high-level trends that you mentioned earlier. One of those is ransomware, and there's a really timely and relevant story that we just recently saw where the Australian airline Qantas was breached by Scattered Spider. They're back at their old tricks, using social engineering tactics back in early July, and they were able to steal data including customer names, email addresses, phone numbers, and birth dates; up to 6 million of their customers were potentially affected in this latest attack. And we've seen Scattered Spider conduct really high-level attacks against high-profile victims like MGM, Riot Games, Marks & Spencer, and now Qantas. And they've also been targeting US-based airlines in recent weeks. So it's not only going after regional targets. They're really opportunistic in nature. This has a pretty significant impact. And as of when we're recording this episode, so this might change, Qantas said it was contacted by Scattered Spider. They haven't confirmed if they demanded a ransom payment, which we do frequently see from Scattered Spider. And really, this incident is the latest in a series of attacks on large companies in Australia over the last few years, including the country's association of superannuation funds earlier this year, which I'll circle back to in just a moment, as well as Medibank in 2024, last year, and Optus in 2022. So it's just a series of really significant, pretty high-impact attacks targeting Australian companies. Back in March, there was a credential stuffing campaign that targeted several large Australian superannuation funds. And that potentially impacted over 20,000 member accounts. I haven't seen definitive numbers about the actual impact, but certainly the potential for significant impact is there.
And some of these companies or superannuation funds confirmed that there were some breaches in these attacks, and the attackers were really after trying to commit fraud, you know, attempting fund transfers. Follow the money, and there's a lot of money held in these funds. So it just makes sense that this is a high-value target for them. And this was a coordinated OAuth token manipulation campaign. And they actually coupled this with an advanced credential stuffing technique that went after API vulnerabilities in the funds' member portals. Credential stuffing, the attack itself, is not particularly sophisticated. It really just takes advantage of users who reuse email and password combinations. I know a lot of folks do it, but our listeners certainly, I'm sure, are more careful than that and more savvy, and don't reuse email and password combos. And this campaign also seems to have used a distributed botnet that used compromised credentials from previous breaches. We see so many breaches and exposed data out there now. The latest was the 16 billion credentials that were leaked just the other day. A lot of that was old, recycled credentials and information. And the campaign also took advantage of accounts without multi-factor authentication in place, which is just an extra layer of security. If you don't have that, threat actors, if they get your credentials, can just plug them in and are off to the races. So with MFA, it's not 100% fail-safe, but it does add that extra level of security that threat actors have to go after, and makes you not the lowest-hanging fruit at the very least.
Mike: Well, if I learned nothing else from watching The Beekeeper, and I promise you I did not, it's that targeting retirement funds is a great way to get sideways with Jason Statham, and that doesn't end well for anybody. Let's move on to our conversation with Nate. Now we've kind of set the stage and talked about some of the threats in the Asia-Pacific region. We wanted to dig in on a really timely issue here and what's been happening in Iran and the recent conflict in the region. So, yeah, let's have that conversation with Nate. Let's bring him in and talk this through with him. All right, well, now we're going to have a little bit of a deeper-dive discussion with our friend Nate Blumenthal. Nate is the former senior counsel to the director of the Cybersecurity and Infrastructure Security Agency on intelligence. Thanks for coming on.
Nate: I'm really honored to be here with you and Stephanie today, and looking forward to chatting. So thanks for having me on.
Mike: You know, as we take a step back, the theme for this particular podcast, as we're digging in, is the geopolitical threat environment as it's informing cybersecurity right now. And obviously there are a lot of moving parts. There are a lot of US policy shifts and that sort of thing. There's a lot of international conflict. Specifically, I think the hottest topic on everybody's mind over the last couple of weeks has been the recent conflict with Iran. And we've certainly seen some reporting coming out on that. I mean, I'd love to kind of kick it off with your perspective on where you see things right now as far as the cyber threat environment, especially in relation to Iran. Like, what are you concerned about? What do you see as the biggest issues as this conflict has sort of reared up?
Nate: Sure, Mike. It has been a crazy and interesting few months for sure in that region, as well as kind of our involvement in it. You know, I think maybe the biggest thing, at least, that worries me is the private sector angle, right? And so unfortunately, in this world we're in, to put it pretty simply, I think a lot of countries out there cannot necessarily match us in the traditional military sense. And so they have been very heavily investing in working on asymmetrical means to be able to hold us at bay or to, you know, have effects on us, right? And Iran is one of those actors for sure. And so I think we have seen over the past few years, for sure, Iran and maybe Iranian-linked hacktivist groups, at least according to what CISA and other folks have been saying, have targeted a range of private sector entities, whether that's healthcare, that's water, wastewater folks. And so I think the biggest thing for me right now is the private sector. I'm really hopeful that they had their shields up the past couple of weeks, and we'll see where this conflict goes, but I hope they continue to keep it up, because for better or worse, in the world that we're in right now, they are a prime target.
Steph: How would you say the Israel-Iran conflict has really redefined the role of cyber operations in modern warfare? Is it kind of more of what we've seen with this rise of hybrid conflict, or do you see it taking a different direction?
Nate: Yeah, definitely, Stephanie. I mean, I think it is in many ways kind of the actual implementation or the actualization of a lot of things that we were talking about for a long time. We had two adversaries who definitely, I mean, we all saw the images of the ICBMs over Tel Aviv and the things that happened in Tehran, the physical damages, right? But there have been a lot of news reports coming out about the hot or ongoing cyber conflict between the two countries. And those attacks, as you mentioned, Stephanie, have not targeted just traditional military sites. And so I think it's, again, as I kind of mentioned, the realization, the actualization of the stuff that we were very worried about for an extremely long time. And look, on the plus side, this seems to have been largely, at this point, contained to that region, which is a benefit, but the administration did put out a warning right when hostilities kind of commenced about the need for state and local governments and private sector folks to be aware and to have shields up. They released this warning through the National Terrorism Advisory System. It was a bulletin, NTAS in government speak, which is available on DHS's website. And then the Bureau and DHS and NSA and a DOD element called DC3 also released a warning about a week ago to private sector folks across the country, as well as, I think, state and local governments, that they should maintain and continue to have shields up. So, Stephanie, that was a really long answer, but the bottom line is I think this was, again, kind of the actualization of something we were kind of expecting to happen in warfare.
Mike: I think it's really interesting, too, if we think about it, because, you know, going back to when you and I were in the government, Nate, and focusing on the Middle East, when we would talk about Iranian capabilities, one of the issues, like the primary issue we were concerned about, especially at the start of Operation Iraqi Freedom and whenever things would kind of heat up within Iraq, was really more around Iranian activity through the IRGC Quds Force or leveraging Lebanese Hezbollah. And the fact that now, here we are 20 years later, and really those don't even enter into the conversation when these conflicts rise up, you know, I think really demonstrates that shift away from sort of either the asymmetric warfare, like kinetic asymmetric warfare with terrorism or something like that, and really a reliance more on cyber terrorism or cyber attacks. And I just think that really shows, to your point, how things have changed and how these sort of dynamics of conflict have changed just so drastically in the last 20 years.
Nate: Mike, I think that's extremely well put. I couldn't agree more. Yeah, and to that end, right, you know, the non-kinetic kind of hybrid stuff, I know I kind of keep beating this drum, but unfortunately, look, the private sector and state and local governments and similar entities are prime targets, right? Because it is going to be, I would guess, probably difficult for the IRGC Quds Force, or Iran broadly speaking, or Iranian-linked hacktivists to target the US government in any significant way. But based on what we have seen, it is completely possible that they can go after the private sector.
Mike: So, you know, when we think about some of the things that Iran has demonstrated, to your point about, you know, their capabilities, there were the attacks in Saudi Arabia a couple of years ago targeting the petroleum facilities that they had done in conjunction with Russia, which demonstrate that capability that, again, they have. One of the things that's really interesting to me, too, is when we look at Iranian activities over the last couple of years, the sort of measure of restraint that they've demonstrated, or at least in their signaling in doing some of these activities, I think is pretty sharp in their attempts to try and limit the conflict, at least as far as retaliation. So even, you know, the missile launches at Al Udeid and stuff like that, where there was very clear communication to Qatar, clear communication to everybody, even the response to Soleimani when that happened, you know, it seemed like there was a lot of open-channel or back-channel, but open, communication going on in the background, which I think sort of demonstrates, you know, at least when I think about what Iran's capabilities are, I think they're more than we've seen, but I think they understand what's on the table now and that responses are going to be a lot less, you know, I guess, predictable. And it's interesting that they've sort of tailored their responses based on that.
Nate: Yeah, I mean, again, Mike, I guess this is going to be my best, best, best guess, because I agree with you. I think they're very thoughtful about the actions they take and how far to take those actions. You know, that said, though, right, if you are a potential target of these folks, right? Like, you know, you're sitting out there in the private sector right now and thinking, oh, tensions have calmed down, I can kind of put my shields down. I think it's probably fair to say that, at least I would personally recommend, that not be the case and that you keep those shields up, for a few reasons, right? Like, I mean, holy moly, this conflict, that region has been having issues for quite a bit of time, unlikely to end. And the second thing is, like I think we've all seen, these types of conflicts can absolutely spiral and lead to unintended things. So if things were to become hot again, which is completely possible, then things could spiral out of control. So anyway, Mike, I agree. I think it is also very important for folks to keep their shields up, for what it's worth.
Mike: That's a great point. Like if you look at WannaCry or NotPetya, or any of those where they spun out so quickly, and in what was supposed to be regional, well, not so much WannaCry, but NotPetya was originally a regionally targeted response that then just went global immediately. That's exactly right. The potential for these things to escalate beyond even the intent of the threat actors is so high that you can't put your threat levels down.
Nate: I mean, to that end, right? Like, I mean, Iran targeted the 2020 presidential election, right? They targeted the 2024 presidential election, right? Like, lots of disinformation. I think they were, in part, attempting to hinder President Trump's ability to get reelected. But there was also hacking into the Biden campaign and the Trump campaign. I think in 2020 there were attempts to get after some voter registration sites. This is all to say, primaries start in the spring. Midterms are coming. Who knows if they're going to be involved again, right? And that could absolutely be one of those things that leads to escalatory actions and such. And, or, they become more willing to take other steps, Mike. They feel out the bounds a little bit. So anyway, a few points.
Mike: Yeah, and you're absolutely right, because when we talk about misinformation and disinformation and those attempts to affect elections, that does seem like it's become, especially over the last eight years, almost an accepted part of cyber espionage. You know, there are countermeasures, but you don't really see retaliations. You don't really see the sort of responses that you'd expect. So it's almost become, you know, part of statecraft, an accepted part of statecraft, almost. So yeah, I think you're right. We'll see this start to spin up again. You know, it's always interesting to read the reports that OpenAI puts out on nation-state usage of AI to craft mis- and disinformation campaigns and that sort of thing, because it's out there for everybody to use. You get a lot of insight from their reporting as well. Some of the other private sector stuff that comes out is really insightful on what they're up to and where they're going to go next.
Steph: Nate, you were talking about how you're really hoping that companies and organizations across the board have their shields up. And, you know, with cyber attacks now targeting international companies and infrastructure, how do you think global businesses, or even smaller companies as well, should prepare for the potential for this geopolitical cyber spillover?
Nate: Yeah, completely. I mean, I think, first, as a first step, the C-suite and the boards need to realize that this needs to be a priority, right? And that the threat is only increasing, and the likelihood that it impacts their ability to conduct operations, to generate revenue, to ensure shareholder value, is increasingly put at risk, at least in my view, right? And to that end, after investing some money, I think there are, in my view, so many things that need to be done, Stephanie and Mike, but like four core things. They're super boring. I'm hoping you two don't fall asleep when I throw them out there. But look, patch, patch, patch, update, update, update immediately, period. I think that even some of the warnings that came out recently from the administration on Iran highlighted their attempts to get after CVEs and stuff, and folks' failures to update their systems. So very, very important. The second thing is you've got to use strong passwords. And third, along with that, is MFA. MFA. I know that CISA has been pushing that hard for quite a long time. I think that guidance still remains true. The last thing, Stephanie, I would throw out there, and Mike, this kind of gets back to your reference to OpenAI, is I think the threat is only going to increase, continue to get worse. And I think in part that's going to be because of AI, which I think can be leveraged in a bunch of different ways to affect private sector entities. And for one, I would immediately prioritize creating training for employees on how AI can be used for phishing and social engineering, and to ensure that their awareness and, you know, thinking critically about what pops into their inbox is on the rise. That needs to increase. So those would just be four kind of quick things I think would be worth companies out there, Stephanie, doing.
Again, though, the first step is that really the C-suite and boards need to understand the importance to their companies and put some money towards this stuff.
Mike: Well, yeah. Thanks, Nate. Really appreciate you coming on and chatting with us and sharing your insights. I mean, those four things you called out are absolutely critical, and I think a great place, you know, a great way to kind of summarize what companies need to do, irrespective of the threat environment, but especially right now. So thanks again for coming on. Really appreciate having you here. And yeah, stay in touch.
Nate: We'll talk to you soon. Mike, Stephanie, thanks. And everyone, keep your shields up. Be prepared. Thanks for having me on, y'all.
Mike: All right. Well, that wraps it up, our first episode here of The Phish Bowl. Thank you to Nate for joining us. Thanks to you, Steph, for being an awesome co-host, and to our listeners for joining. Apologies to anybody who listened to this thinking that it was going to be a deep discussion of the 90s jam band Phish. Please direct all complaints to our social media. We'll be back next month with a deep dive on Europe, the Middle East and Africa. So we'll be doing the same thing, kind of a discussion of the threat environment there. Make sure to subscribe to the podcast so you don't miss that, and smash that like button. Check out our LastPass Labs blog, and we'll see you next month. Thanks for listening.