Jan 14, 2026
Podcast: CRINK: The Cyber Threat Accelerating Right Now
Hello, everyone. Welcome back to the Cyber Resilience Brief, a SafeBreach podcast, where we stop guessing about security and start validating it. I’m your host, Tova Dvorin.
And I’m Adrian Culley, your resident offensive cyber security engineer and professional paranoid.
Okay, Adrian. Today, we are digging into something that sounds like a rejected Marvel supervillain team, or a pejorative, but is actually a very serious geopolitical shift. We’re talking about the CRINK alliance.
Right. China, Russia, Iran, and North Korea. The chaos quartet, if you will.
I will have to correct you immediately on that one.
Wait. You’re correcting the host in the first three seconds. That’s a new record.
I have to. I was reading the SafeBreach briefing note we got. Apparently, some people online started calling this group the Chaos Quartet, but the report points out that’s actually a review for a literal musical group called the Chaos Quartet.
So we sadly aren’t dealing with any angry string musicians, are we?
Sadly, no. We’re dealing with what the report calls an organic alignment of adversarial interests. It’s less of a formal military pact and more of a trinity of opportunism.
Trinity of opportunism. I like that. It captures the vibe perfectly. We have this detailed report, the Asymmetric Nexus, and it paints a pretty grim picture here. These four nations, China, Russia, Iran, and North Korea, are collaborating in ways that are deeply asymmetric. They aren’t just fighting wars. They are using cyber as the primary tool of statecraft.
Exactly. And what’s scary for the defenders listening, the CSOs and the SecOps teams, is that these guys aren’t just hitting one vector. They’re hitting everything. We’ve got espionage, financial theft, political interference, and prepositioning for sabotage. Very important, boss. It’s a full spectrum assault.
Okay. This is already a lot, so let’s break it down, because the report makes it very clear.
They might be working together, but each of these players wants very different things. Let’s start with the heavy hitters. Let’s start with Russia.
Russia’s the brute here, not the bear for nothing. Their cyber strategy is a direct extension of their military. Since the Ukraine invasion, groups like APT28 (Fancy Bear) and Sandworm (APT44) have gone full hybrid warfare. They want to break things, and they want to influence minds.
Right. So the report mentions the NotPetya attack, which we’ve referenced before, and the breach of that Norwegian dam. That’s already physical disruption.
It is, and they’re getting smarter about it. They’re using what we call living off the land techniques, but they’re also leveraging NTLM hash attacks, for example, to move laterally once they’re inside. But here’s the kicker. They aren’t doing it alone anymore. The report highlights this blurring between state actors and cybercriminals. We’re seeing Russian criminal networks hitting Ukrainian targets just because.
Is it patriotism, or is it payroll?
A bit of both. It gives the state plausible deniability. It wasn’t the GRU. It was just some hackers in the basement.
Yeah. Sure it was. Now contrast that with China. If Russia is the brute breaking the door down, China seems to be the one who’s quietly picking the lock and sitting on the couch waiting for you to come home.
That’s a terrifying analogy, Tova, but accurate. China’s strategy is military-civil fusion. They’re playing the long game. Our briefing highlights Volt Typhoon, which we’ve talked about before, specifically in this instance.
Right. Volt Typhoon has been all over the news, and it’s within the first ten episodes of this podcast. So if you haven’t listened to it yet, go back and have a good listen.
And please listen carefully, and for good reason. They aren’t just stealing IP anymore, although they do do plenty of that. Volt Typhoon is prepositioning.
They are compromising critical infrastructure, energy, water, transportation, and then just waiting, sitting in the blind spots. The National Security Agency and CISA in the USA believe this is to enable sabotage if a conflict breaks out, specifically over Taiwan.
And the report mentions that they are using living off the land techniques extensively, like we mentioned.
Right. And this is where traditional security fails. Living off the land means they’re using your tools against you. PowerShell, a Windows management interface, WMI, existing admin tools. If your security controls are just looking for malware.exe, for want of a better phrase, you will never see Volt Typhoon. They look like your IT admin, just logging in at three AM.
Yikes. And if you’re an IT professional listening to this, don’t log in at three AM; you will now look suspicious. But anyway, this brings us to the frenemies part of the CRINK alliance. The report had a fascinating nugget about China and Russia and that relationship.
Oh, the limitless partnership that actually has quite a few limits.
Exactly. The report cites a leaked FSB document calling China an enemy.
Because China keeps hacking them, which seems to be a reasonable description of an enemy.
Chinese groups are stealing military secrets from Russian defense contractors to see how Russian tech holds up in Ukraine. They are learning from Russia’s war to prepare for China’s own war. It’s a trust but verify relationship, but without the trust bit so much.
It reminds me of something we’ve said before on this podcast, which is there’s no such thing as an advanced persistent friend.
No. Exactly that, Tova.
Okay. Let’s pivot to the other two pillars. That’s Iran and North Korea. These feel more like the wild cards of the group.
Iran is the retaliator. Their program really ramped up after Stuxnet, which hit them badly.
Now they focus on sabotage and regime survival, but the interesting evolution here is their collaboration with ransomware gangs.
Yes. This report mentioned Pioneer Kitten.
Great name, terrible people.
Pioneer Kitten acts as an initial access broker. They break in, establish persistence, and then sell that access to criminal ransomware gangs like ALPHV/BlackCat. This blurs the line again. Is it a state attack? Is it not a state attack? Is it a crime? It’s both.
And then there’s North Korea.
Yeah. And they’re pretty much bank robbers. Literally. The report says that they’re the only nation in the world whose primary cyber objective is revenue generation, which I have to say actually makes them sound less threatening, but we know what they’re using that money for.
It’s wild. They stole an estimated three billion US dollars between 2017 and 2023. The Lazarus Group is essentially a crime syndicate run by the government. But, Tova, the tactic that really worries me is the disguised IT worker.
Yes, I read that part. North Korean operatives are pretending to be remote IT workers to get hired by Western companies, which is wild.
Yes, and they do get hired. They do the work. They get paid, which all goes to the regime, and occasionally, they use the access to steal data or inject vulnerabilities. It’s the ultimate insider threat because you invited them in.
So we have this CRINK nexus. Russia creates chaos. China prepositions for war. Iran sabotages, and North Korea steals the money to pay for it all.
And they are sharing tools, intelligence, and sometimes even infrastructure. It’s a full stack threat landscape, and this is where I get on my soapbox, Tova.
Woah, an Adrian rant. Let’s go for it.
Well, I like to think of it not so much as a rant, but a plea for sanity. Look, our research makes it clear that these actors are exploiting legacy systems, lack of segmentation, and known vulnerabilities.
But they are also using advanced techniques like living off the land that bypass standard detection. So how do we defend against a four headed monster like this? It’s the four horsemen of the cybersecurity apocalypse. The report suggests intelligence sharing and patching, but that feels, frankly, like a standard message and very reactive.
So that is reactive against the four horsemen of the cybersecurity apocalypse, and patching is great advice, but if you have ten thousand vulnerabilities, which do you patch first? And also, what about the vulnerabilities you don’t know about? Bring your own vulnerable driver. They’ll introduce a vulnerability. No patching program is gonna patch what you don’t know exists. The one Volt Typhoon is using or the one Lazarus is using, you can’t guess. You have to know.
Well, of course, this is where the SafeBreach approach comes in. We talk about BAS, breach and attack simulation, CART, continuous automated red teaming, and AEV, adversarial exposure validation, which wraps it all and connects the dots for us.
Sure. Let’s take the continuous threat exposure, BAS, element first. Specific APT groups like APT29, Volt Typhoon, Lazarus: we have playbooks for these actors. You can literally ask the platform, run the Lazarus Group simulation against my financial zone.
So instead of waiting for North Korea to try and steal your crypto, you can simulate their exact TTPs, that’s tactics, safely.
Exactly. The clue is in our name. You simulate the behavior. Can they move laterally? Can they exfiltrate data over that specific port? If the simulation gets through, you know you have a gap before the real attack happens. You validate your controls against the specific threat intelligence that SafeBreach provides.
Okay. That handles the known threats. But what about the unknowns? The report talks about Iran selling access to ransomware groups.
You might not know who is coming, just that they are coming.
That’s where CART comes in, continuous automated red teaming. A lot of organizations have a flat network. Once you’re in, you’re everywhere, in the absence of micro segmentation. Our research uncovers that Russia is using compromised websites for command and control, C2. CART acts like a relentless red teamer. It tries to find those paths of least resistance that a human pen tester might miss because they only have two weeks. CART runs twenty four seven, three six five. It works when you sleep. It finds the choke points where you can stop an attacker regardless of whether they are Russian, Iranian, or a teenager in a basement.
And I wanna touch on AEV, that’s adversarial exposure validation, because the report mentions these actors love known exploited vulnerabilities.
This was the game changer for the patching problem I mentioned to you earlier. You have a scanner that says you have a critical vulnerability on a server. But is that server actually reachable? Is there a compensating control in front of it? AEV takes that vulnerability and safely attempts to exploit it.
So it proves whether the door is actually open or if it just looks open?
Precisely, Tova. If AEV can’t exploit it, you can deprioritise that patch. It doesn’t mean it goes away, but you can deprioritise it. If you can exploit it, you drop everything and fix it. It’s helping you apply weightings to your risk management, which is absolutely essential. With groups like APT33 aggressively exploiting edge devices, like Citrix and F5 boxes, you don’t have time to patch things that don’t matter. AEV tells you what matters.
It sounds like the key here overall is moving from assuming you’re safe to proving you are safe. Trust but verify is dead in the age of CRINK. It’s never trust, always validate.
Our research shows that these nations are relying on asymmetry.
They want to use low cost cyber attacks to cause high impact damage. Our job collectively is to flip that asymmetry. Let’s make it expensive for them. Let’s make their attacks fail so often that they move on to a softer target. And you do that by knowing your own weaknesses better than they do.
Amen to that. So before we wrap up, I wanna highlight the next step for our listeners. What we’ve shared about CRINK, about China, Russia, Iran, and North Korea, is a lot. It’s a lot to digest. There are many different attacks.
It is, Tova, but don’t let it paralyze you or any of our listeners.
Absolutely. So first of all, if you are not a SafeBreach customer and you’d like to learn more, I recommend that you subscribe to the podcast if you aren’t already, and stay tuned, because we have a long series of episodes going deep into each of these threat actors waiting for you on your listening dial, so stay tuned. And if you are listening to this after its release, go on to the SafeBreach website and check out some of the material that we’ve now added about China, Russia, Iran, and North Korea. And if you are a SafeBreach customer, you can run simulations. Isn’t that right, Adrian?
Absolutely. We have detailed simulations for each of these threat actors. You could create a custom simulation that’s all within one lump, but I recommend that you keep each simulation discrete to each threat actor so that you can prioritize your remediation and actions per threat actor. But we have extensive information in our playbooks.
Right. And if you aren’t a customer yet, you want to ask yourself, do I know if my controls would stop a Volt Typhoon living off the land attack? If the answer is I think so, that’s not good enough.
Absolutely. Everything only ever gets more complex. This axis of upheaval, this nexus, isn’t going away, but the good news is neither are we.
That’s right. Thanks, Adrian. Thank you so much for listening to the Cyber Resilience Brief.
Until next time, stay paranoid, stay validated, and stay safe with SafeBreach.
The Cyber Resilience Brief is a SafeBreach podcast. Executive produced by Tova Dvorin and Adrian Culley. Sound provided by Adobe Music. Editing done with Adobe Podcast. Distribution and tracking provided by Podbean. If you enjoy the podcast and would like to learn more, please check us out at www.safebreach.com. And don’t forget to leave us a five star review on Spotify, Apple Podcasts, or wherever you get your podcasts.
In This Episode
Cyber warfare isn’t theoretical anymore; it’s coordinated.
In this episode of The Cyber Resilience Brief, we break down the CRINK nexus: China, Russia, Iran, and North Korea—four nation-states with different goals, aligned through cyber.
From Russia’s chaos-driven disruption and China’s long-game pre-positioning, to Iran’s sabotage partnerships and North Korea’s cyber-funded theft, this conversation explores how cyber has become the primary tool of statecraft.
Attackers don’t work in silos—and neither can defenders.
🎧 Listen to the full episode to learn:
- How these actors collaborate (and compete)
- Why living-off-the-land attacks evade traditional defenses
- What CISOs must validate to stay resilient


