Interview: Chris Krebs – nation-state hacking about ‘causing chaos’

SentinelOne’s chief intelligence and public policy officer and ex-CISA director discusses cyber crime, trends, the importance of cyber security as a whole-of-business issue, and election interference.


Chris Krebs has had a storied career in government and business, serving as senior adviser to the assistant secretary of Homeland Security, the first director of the Cybersecurity and Infrastructure Security Agency (CISA), and as director for cyber security policy at Microsoft.

He’s now the chief intelligence and public policy officer at AI cyber security firm SentinelOne, and Cyber Daily recently had the chance to catch up with him for a wide-ranging chat about the crossover between criminal and nation-state hacking, election interference, and making cyber security an essential business pillar.

Cyber Daily: You’ve been working with cyber security for a while now, in a whole range of roles involving policy, analysis, and intelligence. After all that time right at the coal face, especially heading up CISA when it started up, what are some of the key changes you’ve seen in the sector?

Chris Krebs: What we’re starting to see is an evolution of cyber and offensive operations as a tool of day in, day out, geopolitical force.

And of course, that goes straight into this surge of ransomware, from 2017, 18, 19, and even 20 was seemingly just about the bucks, about bad guys that are not provided, frankly, probably a lot of economic opportunity, especially in the 18 to 34 age cohort. So maybe they got to figure out a way to make a quick buck.

And over time, what we’re seeing is that the security services in Russia are directing some of these guys to go after certain targets or certain sectors in certain countries to shape behaviours, to create chaos. Cyber in the US – and I think, in the West, Five Eyes nations – tends to have a focus on the technical aspects when our adversaries, Russia and China, specifically, the technical side of the playbook is not very small, but it’s shorter, and the point they’re really trying to drive towards is psychological damage, really hitting their targets, not just screwing up their networks, but creating panic in the streets, creating fear amongst the population.

Medibank is a great example where it wasn’t just about compromising the health network and the health systems. It’s about what they have – what sort of information about me, my family, [and] my friends do they have that they could release? Something that could be embarrassing, or that could create some other challenges for us? So we’re seeing this psychological aspect of cyber become much more significant.

And it’s not just about what they can release. For instance, what we’ve seen with the Chinese PLA is we’re finding them prepositioning in civilian infrastructure, and it’s not linked to projection of force or military support – it’s about causing chaos; it’s about causing loss of life.

We’re seeing a much fuller play here than what we used to.

Cyber Daily: So, moving to the modern day, one of the things you’ve said previously is that threat actors are now “walking in using aggressive disinformation/misinformation campaigns to get people to think and act in ways they otherwise wouldn’t”. Could you elaborate on that? Because I think helping businesses understand the way threat actors and criminals are acting is really important.

Chris Krebs: In part, what’s happened over the last five-plus years is that we’re making progress – the good guys … I don’t want to say we’re winning. You know, nobody wins in this game, right?

But we’re making progress on the cyber security side, in terms of awareness at senior leadership levels. What we’re seeing in terms of investments in government, policy, prioritisation, deterrence measures, and pushing back on the bad guys. We’re seeing technological advantages right now. For instance, in AI, the good guys are winning in AI, because we’re investing, we’re testing, we’re training the good guys.

Adversarial use of AI is really limited to detection, or rather research and automation, but they haven’t really hit scale in terms of software development, vulnerability discovery, malware development, things like that – that could be down the road. But again, the good guys are winning here.

So, what do the bad guys have to do?

They have to go to some of the spots that are in the less trod areas of the network, the edge, for instance, with some of these legacy devices that are sitting out there that may have default credentials [that] may not be properly updated, and then they’re just hitting those less than monitored, less than managed services and devices, and that allows them to then jump into that network. Now, it’s not necessarily easy going because some of those areas don’t allow real full access – ingress and egress in and out of the network.

And then the second thing is, they’re still making a lot of hay getting legit, authorised users to turn over credentials. We’ve seen plenty of social engineering cases over the last couple of years, including Scattered Spider and the MGM hack and Caesars hacks of 2023. So, you go after the Help Desk. What does the Help Desk want to do? Help Desk wants to help you get back into the account. They’re trying to take advantage of these business process facilitation resources.

We’re also seeing, particularly during COVID, and I suspect we’re about to see it coming up again as we see some potentially global economic stressors, where folks may be experiencing financial hardship and other types of challenges in their life. And so somebody shows up and says, “Hey, $10,000 for 30 minutes of using your credits to get into the network”. We’ve seen it before. We’ll see it again. Insider threat, I think, is one of the big areas of focus of 2025 and going into 2026.

Cyber Daily: Something that we’re starting to see now in Australia is ransomware gangs going after companies that shut down years ago, but obviously, somewhere, there’s still an active server running that no one now has responsibility for. We had a law firm get hit last year, and all of its client data was compromised on the dark web, but the law firm shut down. So what do you do then?

Chris Krebs: That’s probably not even one of the more extreme cases, right?

I mean, how many cases do you have where existing companies that have zero likelihood of going away anytime soon have a bunch of orphaned or forgotten tenants, where some engineer provisioned a test server years ago, didn’t document it, forgot about it, got fired, got hit by a truck, went on a scuba trip and just never came back.

What I think we have to keep in mind is that no one is immune from these sorts of challenges, these sorts of issues. Even the Cyber Safety Review Board, in reviewing the Microsoft Exchange hack from a couple years ago, talked about something similar, where there was a test tenant provision, and that just lay there until the Chinese found it. So these things happen. It speaks to the importance of communication, documentation, active tracking of what you have up and running and live in production.

But to your point, companies do go out like that. For instance, I just sold my company, SentinelOne, a year and a half ago. Thank God I’ve got a great CISO in Alex Stamos, [who] was able to get our arms around everything we had and turn it off. But that’s not always the case. People are like, “You know what? I’m done, I’m walking out”. So, as a user of these services, as a partner, as a supply chain partner, as a vendor, it really is that much more important that you document what information you’re turning over to your vendors and your partners.

Cyber Daily: You’ve also said that cyber security should be something that everybody in a company should be aware of. Not just the security team, not just the CISO, not just your security ops guys, but everyone. How does that work, making everyone part of, effectively, your security

Chris Krebs: More so than ever before, we’re plugging stuff in. Everything is getting connected. And it’s not just about products and services that we’re offering, but when you think about business operations and business processes alone …

In just the last five years since COVID, we’ve seen tons of business operations get outsourced to SaaS and third-party providers that have some cloud-based solution for payroll, for HR management. AI this, AI that. And it’s not always the case that the CISO team, the security team, is brought into vendor selection processes on tech validation.

So what we are seeing more of, thankfully, is a governance approach where the chief technology officer, or the chief financial officer, whatever the procurement shop is, starts huddling up earlier on in the process, asking questions like, what are we trying to accomplish with this initiative, with this strategic undertaking, what are the security considerations? What are the financial considerations?

If you know what you’re looking for and what your non-negotiables are, and then it kind of flows down from there – it’s always a more efficient process than bolting security on at the end, when, in many cases, it’s too late and you’re signing off and accepting risk in a way that you probably could have addressed much earlier had you been brought in at the beginning.

Cyber Daily: So let’s close off on the matter of elections. We’ve got an election coming up in Australia in May, but the US has just come out of an election, and I know we saw some interesting cyber activity in the lead-up to that. So, what are some of the lessons learnt from that angle in the US process that might be applicable to our upcoming election?

Chris Krebs: If you’re going to kind of try to focus on the smallest component pieces, one is the actual systems that are used in administering elections. So voter registration, polls, voting, voting equipment, tabulation, some of this stuff is uniquely American. It’s very distributed. It would be very challenging for an adversary to be able to get in undetected and change the outcome of an election.

Again, these things are uniquely American, but there’s the other side of the coin, which is much more about the information environment and what elections really rely upon. And that’s trust in the process, trust in the institutions that are administering that your vote actually does matter and does count. So what we’ve seen over the last two-, three-plus election cycles here in the US, as well as in Europe and elsewhere, is adversaries – Russia, China, Iran and others – really starting to attack the trust component of democracy.

In the 2024 election here in the US, we had the successor organisations or operations to Prigozhin’s Internet Research Agency, infamous for messing around in the previous election cycle. That organisation is dead now, but the idea was that these groups used AI to generate video in at least one case that represented an illegal immigrant who had a fake ID that they alleged they were using to vote in the state of Georgia, multiple times. Georgia’s a swing state, one of six or seven, that’s pivotal to the outcome of elections of late.

And the FBI got on it within 24 hours. But it doesn’t matter, right? We’ve all seen how initial fake or false claims on social media far, far, far outstrip the corrections and the clarifications that come even an hour later. So, the bad guys have really kind of figured out how to use this, even if it’s garbage – because not everybody’s as discerning as we might be in terms of really evaluating accuracy, evaluating the legitimacy of content. If it aligns with their prior beliefs, they’re going to run with it, they’re going to push it, and they’re going to amplify it.

And that’s really what the bad guys want here; they just want to drop seeds. And it’s not one, it’s hundreds. They drop them. And all they really need, it’s almost like spear phishing, is a conversion rate of 1 per cent is going to get them what they want here.

So that’s what I would really focus on and expect to see in the Australian election, is likely the Chinese, given proximity, given tensions, probably even the Russians – anybody that is supportive of Ukraine is going to be a target of their ire.

On social media, they’ll just flood the zone with nonsense.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
