ISMG Editors: How Police Nabbed the Notorious Zeekill Hacker
Also: The New Cold 'Cyber' War; Is the Time Right for Cyber Innovation?
In the latest weekly update, four editors at Information Security Media Group discuss important cybersecurity and privacy issues, including cybersecurity innovation in today's market, how French police nabbed notorious Finnish hacker Zeekill and whether we are in a new form of cold war - specifically, an ongoing cyberwar.
The panelists - Anna Delaney, director, productions; Tony Morbin, executive news editor, EU; Tom Field, senior vice president, editorial; and Mathew Schwartz, executive editor, DataBreachToday and Europe - discuss:
- Key takeaways from an interview with Alberto Yépez of Forgepoint on the state of cybersecurity investments and innovation in 2023;
- How French police have arrested notorious hacker Aleksanteri Tomminpoika Kivimäki, who is suspected of forming part of an extortion scheme that targeted a Finnish psychotherapy practice and its patients;
- How the West is increasingly applying offensive cyber operations in its ongoing cyberwar against criminals and the autocratic regimes that shield them or attack them directly.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the Jan. 27 edition, which considers why ransomware profits are dipping, and the Feb. 3 edition, which considers whether the U.S. takedown of ransomware group Hive marks its demise.
Anna Delaney: Hello, I'm Anna Delaney, and thank you very much for joining us for episode 100 of the ISMG Editors' Panel. Can you believe that it's almost been two years since we began our editorial discussions? And thank you so much for being with us on that journey. To commemorate this special anniversary, we are bringing back the panelists from our very first episode; you know them well. Yes, it is senior vice president of editorial Tom Field, our executive editor of DataBreachToday and Europe, Mathew Schwartz, and our executive editor for the EU, none other than Tony Morbin. Congratulations, team, and happy anniversary.
Tom Field: Indeed! You know, it strikes me, Anna. When we started this almost two years ago, four of us had never met, personally, in person. Now we have.
Delaney: That is true. Though, I had met Tony.
Field: I'd met Matt.
Delaney: Yeah, exactly. And I wish we could do that again soon. Tom, you started off the year discussing the state of cybersecurity investments in 2023. And this is something of great interest at the moment. It's sparking a lot of conversations and opinions and predictions as to what will happen to the market. Tell us about the conversation you had with industry veteran Alberto Yépez.
Field: Indeed, as you know, he's the managing director of Forgepoint Capital. And we've had a good relationship for a number of years now, as things were going up, as things are stabilizing, as things are in question. So I sat down with him just a few weeks back to talk not just about the state of cybersecurity investment based on the economy. We've seen mergers and acquisitions, we've seen public companies go private, and we've seen massive layoffs; so much going on. So I did want to ask him about the state of the economy and the state of cybersecurity investment. But also, what does this mean for innovation? Because we've seen broad layoffs in the industry. What haven't we seen? We haven't seen the adversaries lay off anyone. If anything, they are hiring, they're bringing on new people, they're adding new automated tools. And so they're putting additional pressure on enterprises with automated and just relentless attacks. So you've got to respond somehow. You can't not spend on cybersecurity; you can't not look into innovation. So I asked him very specifically, what does all this mean about the market and the mindset for innovation? Do you mind if I share his response?
Delaney: Please do.
Alberto Yépez: Again, I think it's nonstop because the established companies and the maturing sectors will drive for consolidation, but the new areas that are emerging that are becoming top of mind, and you're not going to get that innovation from established businesses. Many people asked us questions about what are the sectors that you are trying to focus on? And I'll just give you a quick illustration from one of our decks. This shows you while cybersecurity - the core - is about protecting information, applications, devices, networks, we're moving towards how do you enable more payments and fraud? How do we protect privacy, AI software being treated as black boxes and open source? Who knows that somebody has put a backdoor and I stopped where it can stop in the stock exchange firm we're doing. So they are enabling technology of blockchain. How do you deal with insurance that you see a couple of the first wave of insurance companies trying to underwrite hybrid policies, but they realize they didn't do it right. They didn't use analytics, they didn't use the appropriate stuff and now out there stepping back and saying, hey, what do we need to do about it? And then when you look at the productivity of the developers in the migration to cloud, which is not as simple as one color, one flavor or the other. It's going to be a multi-cloud hybrid environment. So how am I going to get my arms around? So we view this as a lot of adjacencies. And you can see that, I would say, tell me one company that is established as the leader, not many emerging ones, and there will be the ones that are either going to complete somebody else's stack to be able to do that. So it just gives you a little bit of a bit of "how do we think about it?" So we develop investment thesis in each one of the areas, we kind of looked at the companies that are emerging, and we proactively reach out to them to be able to work with them. I hope that answers your question.
Field: In fact, it did answer my question. It spawned a number of others about specific areas of investment and in the market for innovation and continued growth. So fascinating stuff. It's a long interview, but I recommend that people sit down for an informed view on what the marketplace looks like this year.
Delaney: Yeah, absolutely. It's a thoughtful and encouraging interview. And more generally, Tom, what are you hearing from CISOs at roundtables about their thoughts about the state of the economy?
Field: It's a consistent theme. I've been hearing this since late last fall. Cybersecurity budgets and investments aren't down; they might be flat in some cases, but they're growing in a lot of cases. Where you're seeing budget cuts is in technology, in refreshes, I think, and in new investments. IT departments are having a hard time getting budgets; cybersecurity organizations are not. And that has been a pretty consistent theme. Now, if you're the cybersecurity leader that's having to continue to support and defend and plug legacy technology, you've got continued issues. I don't see that going away.
Delaney: And as Alberto said earlier on, doing more with less is definitely a theme that he's hearing.
Field: I'm not sure if the Chinese have to do more with less in the New Year, but if they did, this would be the year of do more with less.
Delaney: All the criminals. Well, Matt, last week, we discussed the disruption of the Hive ransomware group by the FBI and international partners. And we were talking about the fact that there were no arrests or whether that made a difference in the long run. This week, we're focusing on an arrest of a notorious hacker. So tell us more.
Mathew Schwartz: Well, it's a notorious hacker, and we're oftentimes not allowed to say that, because until someone's been proven guilty, you're not going to refer to them as a hacker. Except in this case, we have a suspect who's suspected of doing crimes, who's already been found guilty as a hacker. Hacker named Zeekill, also known as Ryan, and I'm going to mangle his Finnish name. So my apologies to my Finnish friends out there. But we've had the arrest recently of Aleksanteri Kivimäki, a 25-year-old. This isn't his first brush with the law. He was arrested when he was around 15 years old; he was 15 or 16 years old when he committed crimes. And that's below the age of adulthood in Finland, which is 18. And so in 2015, he was found guilty of carrying out - not one, not two - but more than 50,000 distributed denial-of-service attacks under the banner of the notorious DDoS gang, Lizard Squad. They were disrupting everybody, it seems, left, right and center. You might remember in the early 2010s, it seemed like there was a DDoS attack every Christmas, certainly against gaming websites, but just against everybody. And so he was one of the youths, pretty much typically often youths, mid-teens, that were found to be carrying out these attacks. So he didn't serve time; he was a child. He did have to have his internet use monitored for a while. He's turned up again, though. He is suspected by Finland of being at least one of the people behind two data breaches involving a mental health services clinic based in Helsinki, which had about 25 different clinics around Finland, privately run. And there was a huge amount of fallout from these data breaches. One of the fallouts, and certainly not the worst one, but one of the fallouts was the clinic declared bankruptcy. So apparently it suffered a data breach in November 2018, suffered another data breach in March 2019, which is right before it got sold to some investors by its founders.
And when these data breaches later came to light, because this data was being used to blackmail not just the clinic but also hundreds of thousands of its patients. This came to light after the clinic had agreed to get sold to somebody else. And they turned around and said, you lied to us. Somebody inside the clinic knew; there were records from an investigation that was done. Someone inside the clinic knew about these data breaches, and you failed to disclose those to us when we offered you millions of dollars to buy it. So the founder who had founded it with his parents, and then sold it, said, look, it wasn't me, it was these two guys I hired who, unbeknownst to me, had been convicted of computer crime, which only later came out. So you've got this crazy story, because this whole saga that's continuing, and it's unusually a case in which a data breach, or in this case two data breaches, has led to the bankruptcy of a company. It needed to declare bankruptcy because of the attacks and its loss of value, and was also belatedly fined by Finland's data protection watchdog. It was fined about 600,000 euros for multiple data privacy violations. When you dig into what was being done, patient records, people sharing their innermost thoughts, we're talking drug use, adultery, all sorts of things, people with mental health problems, very vulnerable people, and their records were entered into a SQL database. And it was very poorly protected. The people who came in to do a data forensic investigation said you could have driven a truck through all of the lives that were here. And that's what the data privacy watchdog found as well. So huge problems with how this data was being stored. Who is to blame is a very long and detailed story that has been chronicled by others.
Wired did a great report in 2021 into this, looking at all of the faults that were allowed to occur, basically, under the watch of the Finnish government, which heavily regulates how mental health data is handled if it's the National Health System, but psychotherapy was in a kind of a gray zone. And it seemed to escape the amount of attention that it should have been receiving. So crazy case, and within the last week, we've had French police acting on an Interpol Red Notice and a European arrest warrant. Arrest of Kivimäki, who, as I said, is known to law enforcement, and in fact had been the subject of this arrest warrant. So he has been posting on Reddit and Twitter saying, as this has gone on, as these charges were unveiled in October and his arrest warrant was issued, he said, look, no secret why, I am happy to have a telephone conversation with the police and tell them why I am innocent. Well, that wasn't good enough for the Finnish police. You have the arrest warrant, and although the suspect said that he was living in London, it transpired that when he was arrested, he was in France, and there was this domestic disturbance in an apartment that alarmed someone's housemate. They phoned police. And as they were getting ready, because no one had answered the door, to ram the door and storm the premises, the young woman who had phoned them opened the door and said that her young housemate, young adult housemate Frank, had brought back this guy from a nightclub. He was super belligerent, scaring her, so they wake him up. He comes out and shows them some ID. He's Romanian. They look at this 6'3", blond-haired, green-eyed guy. They're like, I don't know. And they look at France's database of known suspects and boom, they get a match. So we're going to see some extradition, I'm pretty sure; how long that'll take to happen is unclear.
But isn't it fascinating that this guy who, when he was 15 years old, did all these DDoS attacks has come back onto the radar 10 years later and been charged with what is one of the worst, I think, medical data breaches we've seen. I don't know if I mentioned, but the victims were not just ... I did mention the victims were not just the clinic, but also the patients were being extorted. Their records were leaked as well. So horrific crime. Again, people very vulnerable already. And they're finding all their secrets getting spilled on torrent data sharing websites. So horrible. It's good to have a suspect. He's innocent until proven guilty, but we'll see how this case continues to unfold.
Delaney: Crazy case; over 50,000 computer crimes in itself is crazy. And you say in your article that this data breach was a watershed moment in how Finland views privacy. What was the impact?
Schwartz: Well, the impact was the accountability that was missing in terms of how, again, psychotherapy data - it was a bit of a perfect storm. Most mental health data would be restricted, or maybe wouldn't be entered into the electronic health record system. The one used by the National Health Service is very robust, apparently. But the guy who started up these clinics didn't like it; it didn't have what he thought was necessary for a psychotherapy clinic. So he created his own. As we know, so often rolling your own, security can be an afterthought. And there's been a lot of finger pointing about who is to blame. But data privacy was definitely in the spotlight here. So too was mental health. I think it's not something that's often talked about in many countries. That was the case in Finland, with a great health service. But I think it brought out into the open just how many people were seeking mental health services - politicians, well-known figures in the community, besides them as well. So there's a lot of soul searching going on, and hopefully, a lot more data security since then.
Delaney: Well, let's see how and if he serves time, and how long for, but that's the case to watch closely. Thank you, Matt. Tony, you are discussing a topic we've focused on a fair bit throughout these episodes, and that is cyber war.
Tony Morbin: Cyber war and offensive cyber. So in case anyone hasn't noticed, the gloves are now off in the ongoing cyber war against criminals and autocratic regimes that shield them, or those who attack us directly. Our political and criminal adversaries have long been overtly and covertly using offensive cyber, such as ransomware gangs after our cash, states undertaking intelligence and espionage. There's a host of examples to choose from, but they include the 2020 SolarWinds hack attributed to Russian intelligence service SVR, Chinese military hackers indicted for the 2017 hack of Equifax, reported $1.2 billion in crypto thefts attributed to North Korea, and there have been numerous attacks by Iranian hackers on Israel, among others. But of course, you can ask, don't we use offensive cyber? Well, yes, of course. The use of offensive cyber by the West is not new. It's not one-way traffic. The Stuxnet worm on Iran's Natanz nuclear power station back in 2010 was probably the most dramatic example, and reportedly conducted by the U.S. and Israel. And then there were a host of activities of the NSA and U.K.'s GCHQ revealed by Snowden. Israel has its infamous Unit 8200 army cyber unit and a strong surveillance industry. While the U.K. also now has the National Cyber Force, specifically authorized for offensive cyberattacks against hostile powers. And let's not forget the assorted cyber warriors that have arisen attacking Russian assets on Ukraine's behalf.
Delaney: Tony, what's different now?
Morbin: Well, what's changing is that open, acknowledged, in fact publicized cyberattacks are becoming part of the stated playbook of Western powers, not just as deterrence, but both as a cyber response to cyberattack and even preemptive action to prevent hostile activity. And this is becoming stated policy. As Matt has said, we've had takedowns of criminal infrastructure by law enforcement before, but you are now seeing an uptick. And the example in his report - the takedown of the ransomware group Hive, which he covered on this program last week, where the FBI plus German and Dutch law enforcement agencies infiltrated the gang's infrastructure, seized their servers, and prevented the transfer of $130 million of ransomware payments - or even this week, police in the Netherlands, Belgium and Poland raided 80 addresses after intercepting and then decrypting messages on the Exclu encrypted messaging app. But the big change is at the state level. For decades, the West thought that economic liberalization would not just lift Russian and Chinese citizens out of poverty, but it would pay some political change towards true multiparty democracy. That hasn't happened. And if anything, their attacks on the West have increased and become more blatant, to the point where they couldn't be excused or ignored, but had to be responded to. The last straw was probably the Colonial Pipeline attack in May 2021 by the DarkSide crime syndicate, not just because of its impact on the critical issue of U.S. fuel supply, but also because at the same time, the world's largest meat producer, JBS, got hit by ransomware, driving up food prices, and Ireland's health system was brought to a near standstill from a ransomware attack. That brought up the whole issue of safe havens for gangs being protected from international law enforcement, particularly by the Russian state, which potentially was even colluding with them.
At the same time, or, rather, a week earlier in the U.S., an 81-page report, Combating Ransomware, was delivered to the Biden administration, written and compiled by top executives from cybersecurity technology firms calling for an international coalition to fight ransomware criminals. Among its recommendations was the execution of a defend-forward, sustained-aggressive, whole-government, intelligence-driven anti-ransomware campaign, some of the fruits of which we're now seeing. Sometime over the next couple of months, we're going to be seeing the new U.S. national cybersecurity strategy. And as our colleague Steve King at CyberEdBoard has reported, it imposes mandatory regulations on American industries and authorizes U.S. defense, intelligence and law enforcement agencies to go on the offensive, hacking into the computer networks of criminals and foreign governments in retaliation to and/or preempting their attacks on American networks. So organizations are being explicitly authorized to adopt the hit-back, hack-first battle tactic.
Delaney: But Tony, aren't there a few dangers associated with that approach? Not least, how can you be sure of attribution when it's so easy to spoof?
Morbin: You're absolutely right. In all types of warfare, there will be a danger of mistakes. If you've got missiles firing at you, you can generally identify and fire back at the source. When you're under cyberattack, you can, of course, just suffer it. Or you can use the intelligence available to make a judgment based on probability, including motivation. And if you believe that there's overwhelming evidence, this new doctrine endorses action. Yes, there are other problems; adversaries will use this policy for false flag attacks. There is also going to be the possibility of offensive cybersecurity tools being obtained and reused by malicious actors, as we've seen in the past. And there's also a danger of offensive cyberattacks triggering a cycle of retaliatory and escalatory tit-for-tat strikes. So, is there a danger that we are going into a new Cold War, even going to World War III? Well, certainly we are going into a new form of Cold War. Specifically, it's an ongoing cyber war. It's been happening for some time, but we're only acknowledging it now. And escalation is a genuine concern. And we are effectively going back to the days of relying on the concept of mutually assured destruction. But as one commentator, Matt Turpin, observed, a cold war is far preferable to two alternatives - capitulation, or hot war between nuclear powers.
Delaney: It was a fascinating overview, Tony, and we're living in interesting times, and I know Matt has done a lot on cyber warfare this year as well, and you'll be coming out with a report looking at the one-year anniversary of the invasion of Ukraine by Russia. So that plays into this as well. But in the interest of time, because I know you've opened a can of worms here, Tony, we want to explore, but I know we're coming to the end of our 20 minutes. So to lift the mood slightly, and because it's the 100th episode, we are going to party, because everybody has good music and good singing, of course. What would be your cybersecurity karaoke or even party song or piece? Go on.
Field: "Next phase, new wave, dance craze, anyways ... It's Still Rock and Roll to Me." Everything old is new again in cybersecurity.
Delaney: That is well thought out. How long did it take you to come up with that? Very quick. Matt?
Schwartz: I am going to spare everybody by not singing, but Gloria Gaynor's "I Will Survive." I just think if you're going to do incident response and you're going to have a good attitude, you need some disco.
Field: I think I would like to see you perform this, Matt.
Morbin: And I've certainly been criticized for my singing, so I can't sing. So I'm going to show my age: first band I ever saw - The Who, and "Won't Get Fooled Again," and I'm repurposing it as an anti-phishing song.
Delaney: The Bee Gees' "Stayin' Alive," because that's what we're doing. We strive to stay alive, but like, I will survive. So here we go. We've got four great tunes. We can play them on loop. It will be a wonderful party.
Field: And no one at the age of 30 knows them.
Delaney: Tom, Matt, Tony, it's been an excellent discussion and an excellent couple of years; so, thank you very much.
Field: To the next 200.
Delaney: Thanks so much for watching. Until next time.