Alex Holden has a knack for tracking Russian cyber criminals. The Ukrainian-born cybersecurity expert understands what it takes to infiltrate ransomware outfits, learn their secrets and help organizations protect themselves against their tactics. Beyond that, his firm is responsible for detecting some of the biggest breaches in recent history. In this episode, Alex talks about his approach to tracking the world's most notorious criminal hackers, the current cyber threat in Eastern Europe and his own journey from Kyiv to the American midwest.
Why you should listen:
* Get the inside story of how the Conti ransomware gang and other Eastern European cybercrime syndicates operate.
* Hear about how the current Ukrainian War could shift the cyber threat landscape.
* Discover how one of the leading threat intelligence researchers uncovered some of the biggest data breaches in history.
Key quotes:
* "Russia knows how to wage cyber warfare. And they continuously keep showing us that they can ... So I think Russia is in [a] very powerful position to flex their cyber muscle to do damage."
* "We are watching a huge change in the cybersecurity threat landscape in Eastern Europe. Ukrainian cybercrime is not dead. They're still doing certain things in the western part of Ukraine. Some of them are moving into Eastern Europe ... The same is happening in Russia. Cyber criminals are afraid that the recent crackdown of the Russian government against them will continue."
* "If you are at all interested in threat intelligence or in cybersecurity, I would recommend sitting down and reading [the Conti leaks] because you're going to see how the real criminals work, how they think, how they evolve and how the everyday gang works."
Links:
Jeremiah Roe: [00:00:00] Welcome to the show, Alex. It's certainly great to have you here. It's a pleasure, and it's nice to meet you. Getting started, I'd like to focus a little bit on your background and the transition of immigrating from Ukraine to the United States. I know you've got a really interesting background there.
I was wondering if you could let us all know how that transition happened and how you first got into the business of cybersecurity.
Alex Holden: Absolutely. And it's a very interesting journey indeed, because never in my life did I think that I would be in this position, in this country, looking at the world from the vantage point that I'm looking at it from right now. I was born in Kyiv, Ukraine, many, many years ago.
My family lived in Kyiv for a very, very long time. In fact, my grandmother moved into what we now call the heart of Kyiv, the Maidan square, back in 1919, and that's where all these events are unfolding right now. So everything that I'm seeing, I saw as a child as a peaceful landscape. But after Chernobyl, my life, my family's life, had changed, because the Chernobyl disaster required us to escape Kyiv for several
Jeremiah Roe: Were you around Chernobyl? That was, wow.
Alex Holden: Kyiv is actually about a hundred miles south of Chernobyl. So the incident really happened in very close proximity. The entire population of Kyiv got this terrible dose of radiation, not as bad as some of the neighboring places, but the escaping process from there,
for me, being just in middle school, was a very traumatic experience. Then we came back to Kyiv for just a couple of months, for my parents to find another option, to move to Moldova. From 1986 to 1988 we lived in Moldova. My parents really couldn't find their own way of life in this other Soviet republic.
So they decided to leave the Soviet Union. This was not the first time they tried to leave the Soviet Union. The first time they tried was in 1979, and they were terribly persecuted for that, because of the Olympics and Afghanistan. So they were courageous enough in 1998 to try to do it again, and they were successful.
We are refugees from the Soviet Union in the United States, and I have called Milwaukee home for the past 32 years, very proudly. When I came here I was a very awkward kid, because I couldn't find my spot, having been brainwashed by the Soviet regime. I found that my parents had been preparing me emotionally since I was five to be an engineer.
So, you know, every single thing I can remember, from the age of five, was like, you're going to be an engineer, you're going to be an engineer. But after my first semester as an engineer,
I got a job for a professor at the University of Milwaukee, Wisconsin. The job was as a Visual Basic developer. During the interview I was asked if I knew much about Visual Basic. I said yes; after that, I went to the library to figure out what Visual Basic is. But I successfully started working there, exploring technology.
I was in the right place at the right time. Eventually I started working in IT, abandoning my pursuit of an engineering degree and starting to be a jack of all trades. The pivotal component was that my interest in cybersecurity started in the nineties, but only 9/11 changed my life quite significantly. When 9/11 happened, I had already been working for a year and a half in an investment company, a large brokerage firm.
On September 14th, 2001, I went into the office of our CIO and I asked him a question: what if the next attack is a cyber attack? He said, well, why don't you investigate that? So he gave me an old server. The server was 140 pounds.
So me and a couple of co-workers carried it to my car, and I drove it around for a while until my friends came over and helped me get it to my home. But this server became the basis of our technology.
Bella DeShantz-Cook: Hearing you talk about this, I think it's really clear how, you can just sense your passion and excitement, even when you're talking about things from years ago. Right. And you mentioned sort of falling into cybersecurity and being in the right place at the right time, being there when all of this was just starting to happen.
What was that like? What was driving you in these moments where you're just so deep in cybersecurity, in this research? What was motivating you? I guess I'm just curious, because I was not in cybersecurity at its beginnings, and it always makes me really interested and excited to hear from folks that were there in the early days.
What was the motivation? What was the energy there?
Alex Holden: There was curiosity, and curiosity was the main driving force, but the second driving force was the realization that the world is not perfect. You know, I always say that in the nineties cybersecurity couldn't exist at the same level as it did in 2007 or later on, because our computers didn't stay up
long enough to be exploited; in terms of trying to run something, it just crashes. That was the response to not only vulnerabilities but regular use. But as technology started evolving, you know, we were the first ones asking the right question: is this secure, is it secure by design?
And when we started getting answers from companies, the companies that we kind of idolized, like Microsoft, McAfee, Cisco, "Hey, it's secure," and when we proved them wrong, that's the greatest satisfaction ever. So that lasted the entire decade from 2000 to 2010, and that was a great experience for me.
Bella DeShantz-Cook: So shifting to more current-day, what we've got going on in cybersecurity. We've talked a little bit about your background, where you're from; does your background, and maybe even your language experience, the knowledge that you have of places like Russia and Ukraine, help inform some of the work that you do today in regards to dark web monitoring?
Are you able to access certain things or understand certain things that other folks in this industry just might not?
Alex Holden: Absolutely. So just to finish the story that I started about my background: in 2009, and even before that, the financial world went through a big change, and I decided to make a transition away from the financial industry. In early 2010 I left and started working for a small startup, heading the cybersecurity group in that startup.
I was asked by customers, time and again, why did this happen? So we were not only doing pen testing, not only finding the vulnerabilities, but we were coming in to the incident. Some people said, okay, where's my data? Who did this? Why is this happening? And I realized that in my first 10 years of experience, even being chief information security officer for a major financial organization, I never asked the question of who is on the other side. So I started looking, and I started trying to figure it out. The linguistics and the cultural background did play a pivotal role, because I could understand certain things, I could interpret, and also understand the mindset of these folks.
Now, I have to tell you that my Russian language is very weak, because I left as a child and my linguistic development stopped quite a bit. So I talk with an accent, and I write with quite a few errors. I kind of got stuck in the middle. With my Ukrainian, you know, I understand it a hundred percent, but unfortunately I don't have any practice speaking.
Understanding the culture and understanding the people gave me an opportunity to make that next step and start trying to figure out who the bad guys are. Having an idea of how defense works, I was able to quickly understand how the offensive part works. I figured out one thing that most folks still probably don't get, which is that catching up with technology is extremely difficult.
The ones and zeros running across our wires, they are always mutating. They are encrypted in ways that we can't ever decrypt, but we have one continuously vulnerable part of this chain, which is. And we have a lot of legal safeguards saying that even if I know that this is a bad guy, it's their system.
You can't hack it. There's nothing in the law about performing SQL injection or a buffer overflow on the hackers themselves. So, starting to work on social engineering, I was able to understand the cybercriminals much better. I started building the practice, and eventually I evolved that startup where I was working into my own company.
And we built components around three basic things. Around social engineering, building a CIA-level practice on the dark web, not only in the Russian but other communities, so Chinese and many other different threat markets. We built the clouds that are supporting our communications with the bad guys and also allowing us to get into their systems seamlessly once they buy that.
And the last thing is artificial intelligence, because we are heavily leveraging the human brain. We can let humans be teachers of our kids, virtual kids in artificial intelligence, and they can find more information faster and learn to be more like us.
Bella DeShantz-Cook: So you mentioned this practice of getting inside the mind of the hackers, getting inside the mind of the attacker and understanding their motivation and where they're coming from. What does that look like for you? Or what are some of the things that you find you are able to understand about an attacker that maybe other folks wouldn't?
Alex Holden: Most of them are normal human beings. Yes, they're criminals, that is a given, but many of us have the ability to interact with other humans. At the end of the day, you figure out what kind of person you're dealing with, and you figure out not what their weaknesses are, but what makes them tick. A lot of these are not motivations per se. One of the things that I'm trying to explain is that what most people call the dark web, they call forums.
To me it's not the dark web, it's a marketplace, it's a public marketplace. This is an introduction point for many folks; it's the ability to meet new people, sources, so to speak. What we are doing is establishing one-on-one conversations, going into kinships rather than friendships or anything else.
And we create for the bad guy a best friend, a best friend they are going to be confiding in. When somebody is selling something, I'm not going to buy. I don't buy stolen data. I actually social engineer that person to talk to me, to tell me a story, to tell their story. I'm not going to ask them anything.
I'm going to keep talking to them, and after a certain amount of time they're going to offer me everything they have as bragging. As I'm falling in through this type of kinship, or even friendship, I'm going to get much further into the game. I'm going to get introduced, right, I'm going to have a friend, a protector in that particular group, getting a much better vantage point than any technology can afford.
Bella DeShantz-Cook: So you're almost infiltrating, you know, as a non-malicious actor; you're literally getting into the spaces of the internet where bad actors are having those conversations about what they're doing and why they're doing it. Is that right?
Alex Holden: Absolutely. And then, once we get there, we start talking one-on-one through normal means of communication, as opposed to virtually. And then, at the end of the day, we are starting to get further. We start to converse quite significantly to get inside of their head.
Jeremiah Roe: Establishing a level of trust and camaraderie, almost.
Alex Holden: Precisely. And, you know, it's also an art, because when I talk to them personally, I'm going to have the same hobbies, the same interests that they do. It may take several approaches, because in order to figure out their hobbies and interests I need to tell them something about me, but if things don't work out, my next person approaching them is going to be exactly similar to them. But professionally, I'm going to be
completely opposite to their needs. So if they're a leader, I'm a follower; if they're a technologist, I'm a creative person. And I'm going to be really that professional second half to that person, because that's where this friendship can exist. There is no competition there. Well, we don't really compete with our friends on our hobbies, like fishing or anything like that.
So we will talk, and we will actually share a lot of points of view.
Jeremiah Roe: So being what these individuals need you to be and acting in a very complementary way to establish trust has obviously led you to be able to identify some information about these individuals and the things that they're doing, and maybe some critical discoveries that others have not been able to come to first.
And so, I know with your background you often talk about some of these discoveries that you've been able to obtain through these methods. I was wondering if you could let our listeners know some of what these things are.
Alex Holden: My company's resume is very storied with different breach discoveries. I'm going to name a couple and then maybe zero in on a few. We were the ones who discovered the breach at Adobe, where almost everything that Adobe had, including source code and data, was stolen. We discovered the Target breach, which is probably the landmark major breach of the 2010s.
We discovered components of many breaches, like the Equifax breach. We were the ones who discovered the JP Morgan Chase breach in 2014. But before that we found that the gang had breached 420,000 websites, stealing, at the time, an unthinkable 1.2 billion credentials.
We were the ones who discovered the Yahoo breach and most of the mega breaches of 2016. Just a couple of years ago we found the US hospitals under attack from the Ryuk ransomware gang, and so on and so forth. Most of this came as a combination of technology and social media.
Jeremiah Roe: And how do you begin to approach revealing this kind of information to the organizations and companies, and the public at large?
Alex Holden: It takes a lot of courage. One of the things, you know, I started my career in threat intelligence quite painfully. I do have this weird accent, and a person with that weird accent calling you and telling you that you have a breach, you know, that really compels you to shoot the messenger.
Working with very brilliant individuals, I learned how to do the right approach, how to do it legally, how to do it ethically. In many cases, you know, there is a certain form of engagement where both sides come out and you have this forthcoming relationship. We work with law enforcement.
We work with lots of other different groups. It's still not coming off seamlessly, but working with victims, we are able to give them peace of mind that, hey, this has happened or is happening, but there are ways to work around that, there is a way to prevent these things from going further.
Jeremiah Roe: Yeah. Shifting over to what's currently going on in Ukraine and Russia, if we can. You've been following the situation, I would imagine, fairly closely. I'm curious as to whether you're surprised by the level of cyber activity coming from both sides, or what your perspective is around that.
And have you been able to, do you ultimately expect to see more coming out of Russia with attacks on Ukrainian industry?
Alex Holden: We watched this unravel as a slow car wreck that resulted in the very unfortunate situation right now. I'm also a big student of history, looking at what had happened before. Russia did start using cyber warfare a while ago. We had been investigating the Russian tampering in the US elections in 2016, having our report go to the US Congress.
So we understood how these things worked, but even before that, going into 2007, we watched Russia attack. This attack was not boots on the ground; it was all in cyberspace, and within hours Russia dispatched and rendered useless most of the Estonian communication networks, internet, phone signals. They took down much of the government.
They shut down some of the utilities, they took out the banking system and some of the businesses, small and large. So Russia knows how to wage that cyber warfare. And they continuously keep showing us that they can, including some of the things that we find by a fluke or by investigation, like SolarWinds.
So I think Russia is in a very powerful position to flex their cyber muscle to do damage. I don't think they're doing it right now, you know, just because of their capabilities, and I just think that it is their boots-on-the-ground operation, the war that they are waging in Ukraine. They already have access to Ukrainian data centers.
They have access to many different assets. So for them to start doing more damage is relatively trivial. That said, the hacktivist activities are at an all-time high. These are mostly amateurs or, you know, people who have professions in cybersecurity, and they are waging that war, Ukrainians versus Russians.
And there are a lot of different sides pitching in on a very unusual front. So where we are is very unpredictable, very dangerous. But we are getting more and more information about this every day. And it's been shocking, as much as understanding what's going on there on the ground.
Bella DeShantz-Cook: I wanted to ask more about, and you already kind of mentioned it, there've been a lot of hackers in the United States and really across the globe doing this kind of hacktivism work, attacking Russian targets. And I wanted to ask, do you think that this effort is justified? Is it beneficial, or do they risk potentially escalating the cyber side of this conflict?
Or are there other positive or negative aspects of this that we're maybe not thinking about?
Alex Holden: I'm going to be critical of this, because we need to be realistic. You know, if you start hearing about folks in Alaska in their backyards starting to build homemade rocket launchers and lobbing those rockets over to Russia, across the channel, that would still be considered to be the correlation of
but Russians, because Putin is not the most stable and trustworthy person, we don't know what to expect. So for us to start weaponizing our capabilities and launching those attacks from our systems, or from other systems, against Russia can trigger that unfortunate response. Now our government, and governments around the world, are supporting Ukraine.
In the defensive position, we help them with their defenses. We are helping, and we can help them with defending, and even teaching their cybersecurity professionals to do what they need to do. Ukraine is at war, and it's their war to wage. We need to support them, perhaps give them knowledge, but definitely not join the ranks, because the response
can be quite devastating. NATO itself has provisions that in case of a certain level of cyber attack they would consider it to be a declaration of war. Russia, which is much less trustworthy and intelligent than NATO, probably has the same thing. So for us to trigger that switch, which has already been triggered by Ukraine in Putin's mind,
the repercussions are just terrible.
Jeremiah Roe: So what are you seeing overall in terms of Ukraine's efforts to coordinate cyber attacks through the IT army that they're trying to collectively gather? Are you seeing that as effective, that approach?
Alex Holden: We are dealing with a very ad hoc effort. Thankfully, the amount of volunteers is plentiful, the amount of knowledge is not lacking. Hopefully this would build certain capabilities for cyber defense and even cyber offense as a more cohesive unit in the future, but right now, as Ukrainians are starting to struggle with their IT army, they are not always ready and they're not always weaponized strongly enough against Russia.
What helps quite a bit is that there are Ukrainian sympathizers inside Russia itself. So some of them are opening those proverbial gates for cyber attacks. So, insider threat inside Russia.
Jeremiah Roe: That's interesting. I hadn't even thought about that. Yeah, from an insider perspective.
Alex Holden: And that's only because there are a lot of Ukrainians living in Russia, and a lot of Russians understand the plight of Ukrainians, and there is very little animosity of the average Russian against the average Ukrainian. So they are helping out, maybe not with actually opening the gates, but giving the map on how to open the gates.
Well, we have seen the breaches in Gazprom, which is the biggest company in Russia. We've seen breaches at Roscosmos, which is their NASA, and Yandex, which is their equivalent of Google. So think about the impact and the seriousness of these attacks.
Bella DeShantz-Cook: Recently Brian Krebs published a story that quoted you talking about the use of protestware, and I wanted to hear from you what exactly that is, and also how it's being used.
Alex Holden: The standard ways that we are seeing: a lot of companies today, software companies, hardware companies, are refusing to work with Russia in many different ways. But what can the open source community, or even the closed source community, do? A lot of open source maintainers started incorporating their own statements in support of Ukraine in its war.
They started putting messages in their open source software, harmless messages saying, hey, we stand with Ukraine. But all of a sudden there is an escalation of this. They are realizing that Russian developers, Russian software users, are using these plugins, using these components in their world.
So they are starting to write additional code within their software, not only to show support for Ukraine but to make sure that the iron curtain that Russian citizens are surrounded with, where they are not getting the information, is getting through, with messages within their software.
So they try to detect if the computer looking at it is in Russia. Maybe they look at the time zones. So there is actually code to detect what time zone you're in, and if you're in, let's say, the Moscow time zone or the Magadan time zone or something like that, you're going to see this message, while we here in the USA won't.
What about your IP address? Is your IP address a Russian IP address, or is it somewhere else? And lots of other different components that the software can use to decide if it's located in Russia or not. And then it became worse. Propaganda and the support statements are still okay. Now some of the folks in Ukraine started modifying their code, not only to show a propaganda statement, but maybe to create a backdoor
into that system that is in Russia. Maybe it will not only create a backdoor, but maybe it will cripple the operations of a device. Maybe it will take extra CPU cycles. Maybe it even will encrypt or infect the system with malware. So all of a sudden this movement starts going further. I feel that it's unfortunate that this
implanting of malware in your open source code that is triggered only in Russia is being picked up by other folks outside of Ukraine. But it's still, you know, part of the support of Ukraine. There is also a caveat: what if this software is supporting systems that are used outside of Russia?
Jeremiah Roe: Yeah, that was my question.
Alex Holden: Absolutely. So this software may be incorporated by Russian developers, some of them still working for companies outside of Russia, and the impact may be global. And I've seen some really bad code as well, put in by Ukrainian developers in their GitHub repositories, for example. They are trying to do something, but the checks are not absolute checks.
So the time zone check, you know, I know certain folks who travel with their laptops, and the last place they'd been may have been Russia and they never changed the time zone. What if somebody sets the time zone by mistake? What if your neighboring areas, the Baltic states, Belarus, Kazakhstan, or anywhere else, set their time to the Russian time zone? IP addresses:
you know, we don't always know how things work. I can give you an example. The local daycare here in Milwaukee for a long time was using a service to monitor the play area, the public areas in this care facility, and the servers were unfortunately located in Russia, because the person who
signed up for the service didn't know. He went with a good service; it was the lowest bidder, but some of the monitoring was going through Russian servers. That's not inherently evil, but the side effects, the side effects can go further. And Russians are copying Ukrainians and Ukrainians are copying Russians in their attack patterns.
So now, let's think about it: what if now Russian repositories are potentially containing malicious code that triggers everywhere?
Jeremiah Roe: Yeah, I think this directly speaks to a supply chain problem too, right? Third-party library usage, through the point of open source and things being specifically tampered with to affect a goal that is, in their eyes, a temporary goal to fix a problem, yet it has the long-lasting impacts that you just mentioned.
That's scary to me personally.
Alex Holden: Absolutely. For a long while we had a friendly international community of developers, and a lot of brilliant folks came out of Russia. A lot of them are still in Russia, developers, and we didn't draw these lines. We integrated plugins, software components, third-party dependencies into our software, not looking at who wrote the software.
And so did Russians. So this segmentation of our development investments couldn't happen fast, and we can't do much about it right now. A lot of updates are automated, or updates of components are automated. So that's also a terrible thing to think about.
Bella DeShantz-Cook: I also want to talk about the Conti leaks. So first, can you explain to our listeners what Conti is, and then also why these leaks are so significant?
Alex Holden: My company has been monitoring the gang that's now known as Conti for a very long time. We went back over a decade of history of the gang. We heard different names like
Jeremiah Roe: Yeah.
Alex Holden: Ryuk, now Conti, and WaterForce. Don't associate them as one, but there is a very clear line of succession, as products or as the malicious guys moved from one gang to another, as one gang stopped existing.
They start evolving into something else. I'm going to give you a brief history. For many years Ryuk ransomware was terrorizing folks around the world, and until 2018 the number six most targeted country in the world by TrickBot/Ryuk
ransomware was Russia. After 2019 somebody inside the group said, we are no longer looking at Russia, we are excluding Russia, and for that matter quite a few former Soviet republics. The gang that dealt Ryuk felt that their ransomware product was inferior to Conti, and they started working quite heavily with Conti.
Eventually, dropping off, they ended up discontinuing Ryuk, discontinuing the new ransomware product called Diavol, and Conti became their only main source of ransomware. Over the past two months, because of political and social tensions, the TrickBot group dissolved, and Emotet dissolved for the most part as well.
So these groups got absorbed into the Conti gang over the course of years. So this is really a composite of almost a thousand people who went through the gang on different levels over the years.
Bella DeShantz-Cook: And when you say gang, you mean, just to clarify, let me make sure that I'm on the same page, a group of individuals all working on ransomware?
Alex Holden: Not only ransomware. TrickBot is [00:44:00] also a financial information stealer; Emotet is also an infection agent. So imagine that this is not a gang even, but a really well-organized group of individuals, almost like a real company, because they have different groups. They have HR, they have accounting, they've got business analytics, they've got IT, they've got developers.
So they really built an organization.
Bella DeShantz-Cook: But their product, or the project that they're working on, is malicious software?
Alex Holden: Absolutely. So their goal is to steal data and encrypt our systems and extort. So this is a really evil organization that operated within Russia, but with some members being outside of Russia, [00:45:00] in Belarus, Ukraine, Kazakhstan, and they all were trying to use their tactical skills, social skills,
to harm the rest of the world.
Jeremiah Roe: So a thousand people is a lot of people, and operating like an organization is, well, it's interesting, right? I'm curious: how do they not get caught? Or are they known about and just allowed to operate?
Alex Holden: Within Russia itself, you can't really exist as such a group of people and not have the Russian government pay attention, for that matter. You know, if we really created an evil club that would be targeting Russia, then our club would be known to law enforcement in the US as well.
So it's not like they're invisible. They've been in the headlines in US [00:46:00] publications, in the media; they did a lot of harm. So Russia is not dumb, and it's very definite through the leak that the Russian law enforcement and government knew about this and they let this gang exist.
So, a bit more about the gang. The gang obviously communicated with each other, but as well they communicated with certain parties, with victims and so on and so forth. In many ways, Hold Security, we were trying to monitor all of their communication channels. One of them I'm going to talk about freely, but some of the social engineering components, again, just to describe: they started hiring people for different positions.
And in the first and second round, among these applicants are [00:47:00] ours. As we're going through the interviews, we are learning, we're asking questions. One person could not be that curious to ask 50 questions, but 10 people asking five questions each definitely can get a lot of information. We go through different levels.
We're being introduced to the gang by other gang members. Once we gained some level of respect within the gang, we started introducing our friends or ourselves. So we have a social footprint within the gang, and we also have a technological footprint within the gang. Some of the systems that we have visibility into started working as data repositories for them. Obviously the communication channels that they use, we are also sitting in those channels, looking at the public ones,
but also looking at what is now known as the Conti leaks. I can tell you that every [00:48:00] line of the information that was exchanged between the bad guys, we had seen happening nearly live, as they were saying it, because you guys had this torrential downpour of data dumped en masse about two weeks ago.
We've been reading that book line by line for the past several years.
Bella DeShantz-Cook: And what is the goal with that information? And what makes the leak of this information so important, especially right now?
Alex Holden: The leak of the information really took out the Conti gang. The Conti gang was hurting because, just two weeks ago as I mentioned, the TrickBot gang called it quits. The Conti gang was struggling a bit, and they were trying to reinvent themselves. However, at the same time, [00:49:00] we have these unprecedented events unfolding in the world, and we got a situation unfolding where the Conti gang started endorsing the Russian government and its actions in the war. The Ukrainian researcher who had visibility and access to all this information,
for him it's his part of the war and his contribution. It's his position to help society get rid of this wild gang, and he discloses the information. But on the social level, if you are at all interested in threat intelligence, in cybersecurity, I would recommend you sit down and read about it.
Because you're going to see how the real criminals work, how they think, how they evolve and how the everyday gang works. [00:50:00] This information should be taught in schools for people who want to be in cybersecurity. This information should be studied, because these gangs typically work like that. And you know, for me, there are no surprises.
We see this information, some similar data, every single day for over a decade. For folks who are not familiar, they have a wrong impression of how the gangs operate. This is an eye-opener.
Jeremiah Roe: So what do you think will happen with other Russian cyber criminals and cyber crime gangs if the conflict persists? Will they be fleeing to other parts of Europe, or maybe even to the Ukrainians?
Alex Holden: We are watching a huge change in the cybersecurity [00:51:00] threat landscape in Eastern Europe. Ukrainian cybercrime is not dead. They're still doing certain things in the western part of Ukraine. Some of them are moving further into Eastern Europe or Kazakhstan or other areas. And the same is happening in Russia.
Cyber criminals are afraid that the recent crackdown of the Russian government against them will continue. Cyber criminals are afraid that the financial restrictions will no longer allow them to get any financial gains. We also see the change in the threat landscape where cyber criminals don't want to participate in the war.
They don't want to take one side or the other. They are peaceful criminals, so to speak. Yet they are trying to get financial advantage, which is [00:52:00] not viable in Russia or Ukraine right now. I think things will evolve: the cyber warfare that's happening right now will get stronger, and I think it will be persistent for years to come.
Bella DeShantz-Cook: I know that this is probably a really difficult time for you with everything that's going on. So, first of all, I want to say a massive thank you for talking about all of this with us. Do you think that there's hope of Putin stopping this soon and putting an end to the war?
Alex Holden: I'm going to give you my opinion. Maybe not a popular opinion, but I'm a pacifist. I really think that people don't need to kill each other. There should be a war of words, but we are civilized enough to sit down and talk, and the ability to mediate those talks should be the [00:53:00] entire world's effort, because we existed, coexisted, with Russia for a century under the current regime of this fear of mutually assured destruction.
And this should still keep us at bay. Unfortunately, the ambition of Russia to dominate Ukraine in every single way would get worse if not negotiated, if not reaching some kind of peace accord, and then using sanctions and using other strong-arming on the economic or social level to get Putin back under control. That I think is a very important step
to the end of war, because somebody else's children are dying. It's not Putin's kids going there and giving their lives. [00:54:00] And Ukraine is forced to send its kids to die to defend the country. The Ukrainian cause is right, but unfortunately I think that the amount of deaths will be remembered for centuries now.
And the sooner we can stop this, the sooner we can start healing from this and trying to restore the world order, because right now we are spiraling toward the end of the world rather than toward peaceful existence.
Jeremiah Roe: I'm kind of curious as to what the everyday individuals out there that want to help, that maybe want to participate in humanitarian efforts, what would you suggest that they do?
Alex Holden: Again, I'm going to [00:55:00] speak on my behalf, and I'm looking at it and saying, okay, well, how can I contribute? My family has been blessed with the ability to build a business, and so we have a certain amount of finances and we are helping refugee families in Eastern Europe.
We are also trying to assist folks in Ukraine. I, as a cybersecurity professional, know how to help with certain skills, with technology, with defenses, and even if needed with offenses, not to intensify the conflict but to really make things better. So think about what you have a lot of. Maybe it's time, maybe it's technology, maybe it's something else. But I know personally a number of folks, Ukrainians right now in harm's way, that are sitting there at night without electricity, because they're not allowed to turn on lights, [00:56:00] and they're horrified that they're literally alone.
They don't know what to do. Sometimes even helping... helps. So, you know, talking to some folks; I spend my late afternoons just doing that. And I'm saying, hey, everything's going to be okay. I'm just giving them something instead of fears of loneliness at night, to help them by being a person who speaks for them. That's also lacking in our world.
Jeremiah Roe: Awesome. Well, thank you so much for your time, Alex. It's such a pleasure having you on the show. Thank you. Thank you again.
Alex Holden: A pleasure. Thank you very much.