Podcast: Cyber threats in Ukraine and beyond
Disclosure: The opinions expressed by Eurasia Group analysts in this podcast episode are their own, and may differ from those of Microsoft and its affiliates.
Annalaura Gallo: we're seeing that cyberspace is emerging as a domain of conflict, and we feel that the industry, which is responsible for the domain needs to be as much as possible involved in the political discussions that are happening, especially at the UN level
Tom Burt: We've seen Ukraine as a test bed for cyber-attacks for a number of years and disproportionately so//attacks within Ukraine constituted almost one-fifth of all the attacks that we observe across the world// And that's why we and the government of Ukraine remain very concerned about the cybersecurity risk of the current conflict and tensions within Ukraine.
Ali Wyne: Welcome to Patching the System, a special podcast for the Global Stage series, a partnership between GZERO Media and Microsoft. I'm your host, Ali Wyne, a senior analyst at Eurasia Group. Over the course of five episodes, we're going to tackle some of the biggest risks and challenges in cyberspace today. Topics like conflict between nations and cyberspace, cybercrime, and protecting the Internet of Things.
Throughout this series, we'll hear from expert voices and leaders from technology firms that have signed on to the Cybersecurity Tech Accord, a public commitment from more than 150 global technology companies dedicated to creating a safer cyber world for all of us. Later in the show, we'll hear from the Tech Accord's head of the secretariat, Annalaura Gallo.
But first, it could happen to any of us. You wake up, you click a link in an email and bam, your computer becomes completely inoperable. Now, most people know what malware is and they know the kinds of headaches it can cause for individual users. Well, it's increasingly being used by governments for espionage and even for hybrid warfare.
As thousands of Russian troops gather on the border with Ukraine, NATO and other regional powers are working to counter and respond to these activities. Ukraine is also facing hybrid threats, including a widespread malware attack that targeted government and private systems. Microsoft and other technology organizations have been working to detect and identify how malware is being used strategically in the region.
For more on that, we're joined by Tom Burt, Microsoft's corporate vice president for customer security and trust. Tom, welcome to the podcast.
Tom Burt: Hi, Ali. Thanks for having me.
Ali Wyne: No. Our pleasure. Tom, just to kick things off. Microsoft recently called out malware that it had discovered in Ukraine. It was targeting government agencies, and in the past year, you've called out a number of state-sponsored attacks, including the SolarWinds hack, the Microsoft Exchange attack. Tell us, how dangerous are these attacks and what are nation-state actors really after?
Tom Burt: Well, the attacks that you mentioned are a great illustration of the breadth of different kinds of nation-state attacks that we are seeing. SolarWinds, as an example, was a very sophisticated espionage attack where the goal was to infiltrate key targets and steal information of interest to the attackers.
In the HAFNIUM attacks, as we called them, that was the name of the activity group, but the attacks, widespread attacks against on-premises exchange servers, we actually were never able to determine what the end goal of the nation-state actor was in that case, because although they got tens of thousands of web shells installed around the globe on these exchange servers, there was very little evidence that those web shell back doors were ever actually used by the attacker for any purpose.
And then the activity we've seen in Ukraine in recent weeks as the conflict has escalated, as tensions have escalated, have covered both of those kinds of efforts. For example, we issued a blog on an attack in which we saw malware that we call WhisperGate installed on the servers of a wide range of government, nonprofit and other organizations within Ukraine.
It was masquerading as ransomware, actually posted a ransomware note, but behind the scenes, it wasn't ransomware at all. It was a wiper that was working to wipe off the data that was on those machines to basically render them inoperable. So it was a destructive attack. Since then, we've actually, again, issued a blog about activity that we've seen in Ukraine from a group we call Actinium.
At Microsoft, we use these element names to identify different nation-state actors. That's a group that we see operating from the Crimea region that we and others have studied for some time. We saw them very active in engaging what looked like more traditional espionage kinds of activities, where there was not a destructive character to the malware, but rather the actor was trying to steal information.
So you see this broad range of nation-state activity, whether they're just engaged in espionage activity trying to steal information, or actually destructive attacks. Things like the NotPetya attack in 2017 in Ukraine, which was a very destructive attack that targeted a wide range of organizations and had significant impacts on the citizens of Ukraine, but also extended to outside Ukraine, to multinational companies doing business in Ukraine that were virtually shut down. The world's leading shipping company, Maersk, was almost completely shut down as a result of that attack for some period of time.
Ali Wyne: You already in your answer, you covered a wide range of attacks and you talked about some of these blog posts discussing various attacks. It sounds like Microsoft, it also plays a role in attributing these attacks as well.
Tom Burt: Yes. Our Microsoft Threat Intelligence Center, which we refer to as MSTIC, is a group of highly, highly talented, incredibly hard-working cyber sleuths who are constantly looking at anomalous activity that we see on the internet, and especially tracking the activity of known groups that we have determined over a number of years of observation.
We've been able to assign activity to those groups based on the character of the way they operate in conducting their attacks and a number of other pieces of evidence, and in considering the analysis done by other cybersecurity researchers. We take all that together to determine that a particular activity group is responsible for a particular attack.
At Microsoft, we do not typically assign attribution to government operators. We don't have the data to tell us who is in control of these activity groups, but we can, and often do, assign a zone of operation so that we will know from convincing evidence that the activity group is operating from a particular region or a particular country. We provide that information when we do attributions.
Ali Wyne: We've been talking a little bit, just this morning, we've been talking a little bit about Russia, Ukraine, obviously it is sort of the urgent security crisis dominating the agenda of policymakers and analysts across the world. Let's sort of open up the aperture a little bit. Take us a little bit beyond Russia, Ukraine. Tell us about the global threat landscape and a little bit more about what we should be keeping our eyes for about these attacks going forward.
Tom Burt: Well, there has been a remarkable escalation in the number and the sophistication of attacks. I'm using the term attack to cover both nation-state operations, both espionage and destructive operations, but also cybercrime attacks. And what we're seeing is increasing connections between the cybercriminal world and the nation-state world. We see nation-state actors using technology developed by cybercriminals, such as ransomware, in nation-state attacks.
We have written about nation-state attacks where we've seen ransomware used to target critical infrastructure or government operations in various locations around the world. We've also seen in a number of instances, nation-state attackers using ransomware as the cover for a different destructive attack, such as the one that we just talked about in Ukraine. We see cybercriminals using technologies developed by nation-state attackers.
When nation-state attackers learn of and develop technology to exploit a so-called zero-day vulnerability in someone's technology, then we see cybercriminals as fast followers. As soon as they learn of that vulnerability, they then start to take advantage of it as well.
Because the ecosystem as a whole is slow to patch their technologies, the vendors, Microsoft, the leading technology vendors around the world all quickly research any of these vulnerabilities that are disclosed and provide patches for their technologies to protect customers, but customers have to apply those patches. That happens at a surprisingly low rate because it can be burdensome to do it. It's a cyber hygiene thing that the organization isn't budgeted or staffed to do.
As a result, you see cybercriminals taking advantages of these vulnerabilities that have long since been patched by the vendors, but customers haven't applied the patches. You have a wide range of these different kinds of attacks, and they continue to grow in sophistication. They continue to escalate around the world.
Our numbers as we reflect each year in the Microsoft Digital Defense Report, we continue to see increasing numbers, more and more participants. We see most of the nation-state activity emanating from four key countries. Russia, China, Iran, and North Korea.
We recently saw a significant increase in the total volume of attacks coming from Russian-based actors and Iranian-based actors as they use password spray, which was a high-volume attack with a low percentage of success, but they don't care that the success rate is low because it's an inexpensive way to engage in broad scale attacks. Many different approaches are being used by these nation-state actors.
As a result, there's just more that we need to do both in the private sector, the public sector in partnership with the private sector. We need the ecosystem broadly, the users of systems to know what they need to do to apply cyber hygiene to protect themselves. But to take it back to current events just for a moment, notwithstanding this huge escalation, we've seen Ukraine as a test bed for cyber-attacks for a number of years and disproportionately so. In our most recent data that I referred to in the Microsoft Digital Defense Report, we reported that attacks within Ukraine constituted almost one-fifth of all the attacks that we observe across the world.
So a very disproportionate percentage of attacks. That's why we and the government of Ukraine remain very concerned about the cybersecurity risk of the current conflict and tensions within Ukraine.
Ali Wyne: I mean, that one-fifth figure that you just said, I hadn't heard of that. I mean, it's a staggering figure. To imagine that just one-fifth associated with one country or with one conflict, it's really quite a striking proportion. I want to sort of expand our conversation a little bit and we're going to talk about what the tech industry globally can do to help foster greater stability and structure in cyberspace.
Tom, in your answers this morning, you've given us some flavor of what Microsoft has been doing to help foster greater stability and structure in cyberspace. I want to bring in another guest, Annalaura Gallo, who is the head of the secretariat of the Cybersecurity Tech Accord to help flesh out the conversation. Annalaura, welcome.
Annalaura Gallo: Hi Ali. Thanks for having me here.
Ali Wyne: Annalaura, so first explain to listeners, obviously the Cybersecurity Tech Accord, it's a major undertaking, but perhaps some of our listeners, they might not be familiar with it. Just give us kind of the 101. What is this Tech Accord, and what has it set out to accomplish?
Annalaura Gallo: The Cybersecurity Tech Accord is a coalition of over 150 technology companies. It serves as the voice of this industry on matters of peace and security in cyberspace. So we're seeing that cyberspace is emerging as a domain of conflict, and we feel that the industry, which is responsible for the domain needs to be as much as possible involved in the political discussions that are happening, especially at the UN level.
So we have been engaging with the UN and with governments in order to contribute our perspective and our expertise. The Tech Accord mission revolves around four principles. When companies want to become signatories they want to abide by these principles. The first is about protecting users and customers everywhere, irrespective of their technical acumen or their culture, or the motive of the malicious attack that is targeting them.
We do this by delivering and designing products that are secure. We're also committed to not knowingly undermine the security of the online environment and with also by protecting against efforts also by governments to tamper with our products and services. We also strongly believe in the importance of capacity building, so we help governments and other actors, and also raising awareness about cyber risks and way to mitigate them.
We truly believe that no organization can solve today's cybersecurity challenges alone. Finally, we are all for collective response. We think we can achieve more together and we're partnering up and we'll partner up with other entities and groups to address critical cybersecurity challenges.
Ali Wyne: Something you just said I think it aligns really, really nicely with something that Tom said. This notion of collective response. Tom talked about the imperative of governments working hand in hand with businesses, with actors in the private sector, the imperative of a collective response to keep pace with these growing threats.
Ali Wyne: You also mentioned that collective response kind of is one of the pillars of the Cybersecurity Tech Accord. We've been talking a little bit today about some of these large-scale cyber-attacks, such as the one that we just saw in Ukraine, that Tom discussed. How big a concern are those kinds of attacks for the accord, and what are some of the concrete steps that you think can be taken to prevent them from occurring in the future?
Annalaura Gallo: The attacks that we're seeing in Ukraine are a good example of how cyber conflict is becoming increasingly part of conflict between states, and as such it needs clear boundaries and rules, similar to others domain of air, land, sea, space.
It's important to remember that these attacks do not occur in a complete legal vacuum, even if most of them don't reach the threshold of the use of force and therefore cannot trigger responses that military operations vote. But states have agreed that international law applies to cyberspace and we should operate in this framework.
The Tech Accord has been engaging with the UN, especially in the context of the dialogues on responsible state behavior in cyberspace. What we've done is really encouraging states to further develop their framework of norms that guides states operations in cyberspace. Also, to try and clarify how in their view international law applies to cyberspace, because it needs to be much more detailed, the framework, in order to be put in action more easily.
We're also looking at this from the angle of increasing the security of products and services. Promoting practices such as cyber hygiene, because this would help prevent the vast majority of cyber-attacks. We've been focusing a lot on the Internet of Things for in instance, because we see that these technologies are increasingly targeted by cyber-attackers. And once they've been compromised, they couldn't be used to conduct cyber-attacks of a larger scale.
We're looking at this from different angles and we hope to be able to continue to support governments and other actors and provide recommendations on how these threats can be mitigated.
Ali Wyne: Tom, I want to bring you back in the conversation now that you've heard as well a little bit about Annalaura's thinking about the Cybersecurity Tech Accord. Of course Microsoft is one of the signatories, one of the more than 150 signatories to the accord.
In your earlier response, you talked about the imperative of collective response, but I want to zoom in on the private sector and the role of the private sector in that collective response. Tom, what do you see as the role of private technology companies in both defending against the kinds of attacks that we've been taught about, but also finding security solutions going forward?
Tom Burt: There's a number of things that the private sector needs to continue to improve on, and in which we're investing in heavily at Microsoft. But let me begin with the requirement that we engage in the best possible security engineering practices. And we at Microsoft pioneered the concept of secure development lifecycle in our engineering practices a number of years ago when we saw the beginnings of this increase in both cybercriminal and nation-state attacks.
We continued to evolve those principles and to automate those principles to improve the security of our technologies. Across the private sector that needs to continue to be a focus. We also need to continue to detect when we see these attacks occurring and to improve our technology so that we can observe that activity, perhaps even before it has had impact and has harmed our customers so that we can notify customers and they can take steps to protect themselves.
That is something that we're rapidly evolving across the private sector here at Microsoft alone, we get 24 trillion signals a day that come in from our network on our ecosystem. That gives our defender teams this wealth of data from which they can look for anomalous activity in the internet, and then zoom in on that activity to see if it's a malign activity by a nation-state actor or a cybercriminal.
We continue to work on developing artificial intelligence technologies that will be able to do this rapidly enough, that we can perhaps find and stop this activity in an automated way. There's a lot of investment going into what we can do to both defend and deter. But we also need to work to make it easier for our customers to defend themselves and to take the steps necessary to protect against these attacks. That's something that we've been working on.
I know the Tech Accord has been very engaged on as well, which is just spreading the word of the critical importance of basic cyber hygiene. We published a blog from our identity team three years ago now, in which our analysis was that 99.8% of all attacks would've been prevented if the victim had had multifactor authentication installed on their account, and that remains the number one best defense. It's not perfect defense.
But it's the most significant thing that people can do, is to make sure that all of your accounts have two-factor or multifactor authentication or passwordless identity or some similar system that would significantly defend against the principle means of cyber-attacks, which are phishing and other identity-related attacks.
Then there are other basic cybersecurity hygiene steps that have to be taken that we need to continue to make easier and spread the word. People need to patch their systems. Those who administer networks need to use zero-trust architecture within their networks. These are techniques that are well understood.
There's lots of information out there about them, but if we're really going to stop these cyber-attacks and significantly decrease the number and impact of cybercrime and nation-state attacks, basic cybersecurity hygiene will go a long way. The last thing in which there's heavy investment across the private sector is moving to the cloud, because it's in the cloud where all vendors, Microsoft and all our cloud competitors are investing our most resources and most innovation on how we can improve the cybersecurity of the cloud.
It's just obvious, within the cloud we can keep everybody patched, within the cloud we can utilize very modern versions of identity to ensure that some of these cyber-attacks cannot be launched. It's there that we can provide all consumers with the best possible security, and that's going to continue to be true for many years.
The last part is to continue to do the work that we are working on, that the Tech Accord has been very engaged on, which is working across international efforts to create enforceable rules governing nation-state conduct in cyberspace. This is a critical step that we've made a lot of progress over the last several years, but we have a very long way to go. And those norms of conduct should apply both to nation-state actors that are government-sponsored actors, but also to cybercriminals that are known to be operating from a particular geography.
Nations need to do more to identify and take action against those cybercriminal operators. These are principles that are being discussed through important multi-stakeholder processes, like the Paris Call, where both the Tech Accord and Microsoft, and many others have been very active in the key principles of the Paris Call and in the follow-up working groups that have been conducted.
Also in the processes before the United Nations, the Oxford Process, which is where a number of the world's leading legal experts have been convening to address the application of international law in cyberspace. There are a number of these efforts underway in which we need more private sector engagement so that the policymakers of the world have the perspective of the private sector. Frankly, it's been one of the greatest contributions of the Cybersecurity Tech Accord, is to have this very broad multinational, as you mentioned, 150 different technology companies joining together to form consensus views on these key cybersecurity principles.
Ali Wyne: Two numbers from your answer jumped out. The first one made me feel a little bit pessimistic. The second one made me feel a little bit better. You said that every 24 hours Microsoft is processing approximately 24 trillion, trillion, security signals. That kind of makes you think, "My goodness, how are we going to get a handle on this problem when you're processing such a torrent of data?"
But then you said 99.8, so almost, almost a hundred percent of cyber-attacks that users experience on a day-to-day basis could be mitigated or maybe even prevented by just taking basic precautionary measures, such as step two-factor authentication.
Annalaura, when you hear those two numbers, the 24 trillion security signals that Microsoft is processing every 24 hours, but also the reality that close to a hundred percent of cyber-attacks that folks are experiencing on a day-to-day basis, they can be remedied by just taking basic precautions, do you think that cyber threats are just the new normal, and should we just expect further escalation going forward? Or are there plausible pathways where we could actually see a reduction in these cyber threats?
Annalaura Gallo: So cyberattacks are unfortunately increasingly common, but at the same time, we cannot allow this to become the new normal because it would jeopardize the benefits that digital technology brings. We've seen how much of an enabler technology has being during the pandemic as well.
First of all, we need to be always vigilant when we use technology products and services, but this changing threat environment also means that there are greater responsibilities for all stakeholders involved for the industry to develop and maintain more secure products, but also for governments to pursue responsible regulation, and as we said before, to uphold expectations on the limit of their actions in cyberspace.
Finally, also for consumers that use technology in order for them to do it more responsibly. There also needs to be greater collaboration across sectors, because we have seen that cyber-attacks do not spare any type of organization and sector, but they actually target the ones that are most vulnerable. In terms of further escalation, we're definitely seeing an increase of these attacks.
We look into organization concerns a little bit further in 2020 by launching a survey in partnership with the Economist Intelligence Unit. What we found is that organizations from all sectors are very concerned about the increase in cyber-attacks and in particular cyber-attacks that are coming from state actors.
They also responded that this concern had increased in the past five years and that they would see these tensions as continuing, and that their organizations could be the target also over the next years. There was also an important call to action for governments really to take control of the situation and to try and find political solution to mitigate this threat. Not only technical solution, but also going back to the framework of international norms. We hope that we can build on this call to action, because this is what in our view can stop further escalation.
Ali Wyne: Tom, you heard what Annalaura said right now. I think a cautiously optimistic view that there are steps that governments can take, that the private sector can take, that technology companies can take, but also recognizing that we are facing an escalating cyber threat landscape. How do we begin to confront that reality? What role do you see Microsoft is playing in confronting this new reality of escalating cyber challenges or cyber threats?
Tom Burt: I think Microsoft's role is to continue to work across as many domains as we can to raise the visibility of these challenges and to work across the private sector and the public sector, and all interested parties to develop solutions to these challenges. I agree completely with Annalaura that this cannot be considered a new normal.
We all, the private sector, the citizens, the customers, government officials, policymakers, none of us can accept that this degree of cyber-attack and cybercrime can be considered a new normal. We simply shouldn't tolerate it. It will create a world in which the benefits that the internet can bring to us all, the economic benefits, but also art and collaboration and communication and education across all of these different dimensions, the internet can bring great benefit, but not if there is associated great risk. We have to confront this.
We're doing that in a number of ways. First, we are working actively, as I mentioned, with multi-stakeholder groups like the Paris Call by being a supporter of the work of the Cybersecurity Tech Accord, through our own engagements with policymakers and government leaders, with the United nations processes and seeking to get a multi-stakeholder voice in those processes and working with leading governments around the world as they formulate cybersecurity policy.
All of these are steps that we need to take to confront this challenge. We also need to continue to make it easier for our customers to apply those basic cybersecurity hygiene practices.
And we need to continue to work together across the private sector on how we can collaborate to better defend against these attacks and help our customers respond when they do occur. I do want to clarify one thing just for your listeners, the 24 trillion signals we get a day, and this will lift your pessimism maybe just a bit, those are not all cybersecurity signals. That's the total number of signals we get from all activity across our ecosystem.
Ali Wyne: Got it.
Tom Burt: The positive part about that though, is it's that kind of data that enables the application of the kind of investigations we're doing now and the innovation that we are bringing to bear to that data, to help us rapidly detect and respond to threats that we see through anomalous activity in the internet.
As we can build better technologies to take that data and look for things that shouldn't be there and then respond quickly to notify targets to actually block that activity automatically through technology, these are all things that should give us optimism that we can build a safer internet. The private sector needs to work hard together with the public sector and civic society to build a safer internet to start with.
We also need those enforceable rules of nation-state conduct as norms that are widely observed across the world to really get us to a place where the full benefit of the internet can be realized by everyone in every region of the world.
Ali Wyne: Tom, thank you so much for clarifying the 24 trillion number. It does make me feel a little bit better. Annalaura, I want to give you the last word. We've been talking about a number of different kinds of cyber-attacks this morning, but beyond the kinds of attacks that we've been discussing what do you see as the most pressing issues for the cyber world right now and going forward?
Annalaura Gallo: The most pressing issue that we see is the generally escalating threat environment. We see more sophisticated and damaging attacks, but we also see more of them overall. A growing threat surface, meaning more entry points for attackers to exploit, and also growing numbers of malicious actors that are driving the proliferation, not only criminal organizations, but as we said, also governments.
Also the so-called cyber mercenaries, which are private companies that develop cyber surveillance tools, and then sell them to foreign governments and other customers. What we think is urgently needed is a greater recognition of this challenge, but also an approach by the international community that can really meet the scale of this challenge.
This means continuing the dialogues on responsible state behavior in cyberspace, further developing the framework of norms, understanding what are the responsibilities of states in cyberspace. But also ensuring that these dialogues become more inclusive on non-governmental stakeholders, especially the one at the UN.
The UN has a very long history of multi-stakeholder inclusion that in many cases has made the political solutions to many problems having more legitimacy. Last year to highlight this even more, we published a study in the context of our work with the Paris Call for Trust and Security in Cyberspace, where we really made a case for this greater inclusivity of these dialogues. This means inclusion, not only of the industry, but also of academia and civil society.
All the relevant stakeholders that have expertise and that can really contribute their input, especially considering that cyberspace is a very complex area where the responsibility of all stakeholders overlap. What we think should happen is that this dialogue should become more inclusive. This means this inclusivity should be a bit more structured.
For instance, that there are channels for non-governmental stakeholders to provide input, but also that our inclusions become a little bit more regular. This has not been the case in the past. We think that this could really deliver solutions that are fit for purpose, and that can meet the challenges that we're facing today.
Ali Wyne: Annalaura Gallo, head of the secretariat of the Cybersecurity Tech Accord, Tom Burt, corporate vice president of customer security and trust at Microsoft, thank you both so much for being here.
Tom Burt: Thank you, Ali.
Annalaura Gallo: Thank you very much.
Ali Wyne: Well, that's it for this episode of Patching the System. In the coming weeks, we'll tackle everything from cyber mercenaries, which you just heard about, to the Internet of Things. You can catch this podcast as a special drop in Ian Bremmer's GZERO World feed anywhere you get your podcast. I'm Ali Wyne. Thanks so much for listening.
- Highlights from our live conversation on cybersecurity challenges ... ›
- "We're identifying new cyber threats and attacks every day ... ›
- How Russian cyberwarfare could impact Ukraine & NATO response ... ›
- A (global) solution for cybercrime - GZERO Media ›
- Brad Smith: Russia's war in Ukraine started on Feb 23 in cyberspace - GZERO Media ›
- Finland “investing in security and stability” with NATO push - GZERO Media ›
- Podcast: How the US will fight cyber wars - GZERO Media ›
