KBKAST
Episode 329 Deep Dive: John Hultquist | An Overview of Australia’s Threat Landscape
First Aired: August 13, 2025

In this episode, we sit down with John Hultquist, Chief Analyst at Mandiant Intelligence, now part of Google Cloud, as he shares his insights on Australia’s evolving cybersecurity threat landscape. John explores the increasing complexity and velocity of threats, spotlighting both nation-state actors—particularly from China—and financially motivated cybercriminal groups like Scattered Spider. He addresses the psychological and structural drivers behind rising attacks, including the troubling pattern of minors engaging in increasingly aggressive cybercrime. The discussion further examines the targeting of critical sectors such as healthcare, the growing use of advanced techniques to evade detection, and the influence of geopolitics and emerging technologies like AI on intelligence operations.

John Hultquist – Chief Analyst, Mandiant Threat Intelligence

John Hultquist serves as the Chief Analyst at Mandiant Intelligence, now part of Google Cloud. In this senior leadership role, he oversees global threat intelligence operations—tracking cyber espionage, hacktivism, ransomware, and state-aligned threat actors. He regularly advises C-suite and public-sector leaders on cyber risk strategy and prioritisation.

John’s unique background—spanning military intelligence, U.S. government service, private sector leadership, and real-time cyber conflict analysis—positions him as one of the most respected voices in global threat intelligence. He brings a strategic mindset focused equally on technical insights, geopolitical awareness, and operational impact.

Episode Transcription

These transcriptions are automatically generated. Please excuse any errors in the text.

John Hultquist [00:00:00]:
It’s important to know who your adversary is so that you can evolve. Right. And if you’re doing security without sort of recognizing who they are, you’re just building walls and the adversary could have planes. Right. You have to think about who’s coming and how they operate.

Karissa Breen [00:00:35]:
Joining me now in person is John Hultquist, chief analyst at Google Threat Intelligence Group. And today we’re discussing John’s view on Australia’s threat landscape. So, John, thanks for joining me and welcome.

John Hultquist [00:00:46]:
Thanks for having me.

Karissa Breen [00:00:47]:
Okay, so you know what, when I say the words the threat landscape, it’s really interesting, and I mean, you would obviously know a lot more about this than I would, but it changes all the time, especially in my role in media, like, the amount of things that we’re seeing come through our desk and how things are changing in terms of the velocity and the speed in which it does change. So I want to sort of start there. Given your background, given your role, walk us through your thoughts and insights around the threat landscape. Maybe start global and let’s sort of then hone in on Australia.

John Hultquist [00:01:16]:
Sure. I think you said velocity or, you know, like the rate of change. I think that’s been a big thing I’ve had to get used to in my career. I remember when I first started doing this, I could remember just about every major incident or case, and now there’s so many, there’s so many more actors than there used to be and it is a lot harder to keep track of. But the things that really sort of change or cause all that change are: technology’s constantly changing. Right. I think obviously we’ve entered this age of AI that is going to create a lot of change. Geopolitics are constantly changing and the adversary is constantly changing.

John Hultquist [00:01:56]:
One of the things I think that we’re concerned about when it comes to the threat actors from China, for instance, is that they have evolved. We’ve come up with a lot of good solutions to sort of deal with their activity. And so they’ve gotten better and they’ve created new issues. Australia, I think the threats that I tend to talk about when I talk about Australia, that stand out the most to me, I think are probably those threats from state actors out of China, as well as the criminal threat, which everybody faces. But Australia’s had obviously some very recent incidents that sort of demonstrate the seriousness of that threat. Last time I was in the country too, I was talking about the threat of these North Korean IT workers, which is something that hasn’t entirely gone away yet. And it’s pretty serious.

Karissa Breen [00:02:48]:
So you mentioned before when you sort of started your career in terms of like, where it is now, and it’s very, very hard to keep up. You’re right, because things are happening each day. So would you say, do we say people are just tired? Like, oh, it’s just this. If it’s not that, like even, like I said, even from our perspective, it’s hard to cover everything. Right. We just don’t have enough time in the day. So how do people really feel at the end of the day once they’ve done, you know, all of the things they need to do at work? And then there’s like, oh, now there’s another thing. Like, how do you think generally people are feeling?

John Hultquist [00:03:19]:
A lot of people probably feel pretty beleaguered, unfortunately. You know, there are people that sort of compare our field to safety sometimes. Right. And I think there are a lot of lessons we can learn from the safety profession. But the biggest difference between us and the safety profession is safety people are really facing off with the immutable laws of physics. The threats that we’re dealing with change every day. And so unfortunately, we’re essentially on a treadmill. Right.

John Hultquist [00:03:50]:
That we never get to get off of. And any solution, you know, that we create, while it might mitigate some problem, there’s always the actor who will change, and new threats will arise and we’ll have to deal with those as well. That can be rough.

Karissa Breen [00:04:07]:
Yeah. This is so interesting. Okay, so, and then I know that we’ve obviously spoken a lot about the global and Australia more specifically, and you mentioned before, like, the state actors out of China, et cetera. But now there’s a lot of these other sort of smaller breaches happening in terms of they are state actors per se, but we’ve heard a lot about Scattered Spider, which has been discussed a lot in the industry, for example, as it pertains to the recent Qantas breach.

John Hultquist [00:04:34]:
Sure.

Karissa Breen [00:04:34]:
So maybe walk us through what’s happening here then.

John Hultquist [00:04:37]:
Well, really strange phenomenon. So most of the cybercriminal activity that we see, a lot of the cybercriminal activity, there’s different types of it. But a lot of the really scaled cybercriminal activity comes out of Russian speaking countries, particularly Russia. But we’ve seen some out of Ukraine and other places as well. It comes out of essentially the underground. Right. There’s a marketplace where all these actors interact and they sell services to each other.

John Hultquist [00:05:08]:
An intrusion, the average ransomware incident for instance, is actually a series of transactions in this Russian speaking marketplace. But one of the strange phenomena that we’ve seen in the last few years is this rise of English speaking criminals. And these BAs, they basically came out of a, you know, group of kids that were largely sort of organizing after Covid hit. They kind of dove into an online world and, you know, they were doing some criminal activity. They were doing some just highly unethical, very aggressive, nasty activity like squatting and things like that. And out of these sort of spaces we started seeing real serious criminal threats arise. Sort of cells like Scattered Spider started to grow where groups of these kids were starting to actually really get a, I would almost say competitive capability together. And those actors have really demonstrated some flaws in our security.

Karissa Breen [00:06:16]:
So when you say kids, what sort of age range are you talking? Because I mean like as older people like anyone sort of feels like a kid nowadays. But like how young are we sort of talking here?

John Hultquist [00:06:25]:
Well, I would say late, you know, late teens, 17 to early 20s and maybe even younger than that. But you know, many of them are minors. They know that by doing this activity while they’re minors they’re probably not going to face the same consequences. It appears many of them have probably been arrested and then rearrested, meaning that they don’t seem to actually be very concerned about the consequences. And I think, you know, the fact that they’re young may be why they’re so incredibly aggressive, because they may not have the same risk management concerns you would expect from an adult. Right. There’s a reason why we don’t let kids do some of the more dangerous activities, because they don’t think the same way.

Karissa Breen [00:07:10]:
Yeah. Okay, so this is interesting. So going back to Scattered Spider then for a moment, my understanding is they’re a bit more financially motivated, the younger kids, you know, so in terms of their motivation, obviously it’s financial for sure. But are we going to start to see more of these groups propagate? Because as you mentioned, if they’re minors it’s hard to be held accountable, or there’s not a lot of repercussions, it can be easy money for these people. I mean, I was listening to something a while ago about a guy who was living in the United States and then he just ran. He was really desperate to pay his car repayment off and someone said, oh, you know, you steal these credit cards, and he did all of this back in like the 80s or something. Right. But he said it was just too easy.

Karissa Breen [00:07:51]:
So because it’s so easy to get into, you don’t have to leave your house. Are we going to start to see more of a rise of this type of criminal activity? I mean, no one’s going nowadays, you know, with a, with a sack on their back to rob a bank anymore. You know, can they just do it from their home?

John Hultquist [00:08:05]:
I think that within this community that’s exactly what we are seeing. These actors are sort of feeding their egos by sharing their exploits with each other. And that probably is only going to cause more and more people to get into the business. They also think that there’s even maybe some recruiting that’s going on here, and we’ve definitely seen reports of that, based on the fact that minors are at less risk. Right. And so if you want to do some of this stuff, you may want to actually bring other people in to help.

John Hultquist [00:08:36]:
And so yeah, I think this is a problem that could be growing.

Karissa Breen [00:08:39]:
Okay, so then in terms of, so we’ve got the groups, so like state sponsored, a nation state. You’ve got, you know, Scattered Spider that are obviously driven financially. If you had to sort of weight it, where do you sort of see that weight being distributed in terms of these groups?

John Hultquist [00:08:54]:
That’s a good question. So every organization sort of has a different profile. Right. And so it’s not the same for everyone. If you are in the defense industry, for instance, your major concern is going to be state actors. The average defense organization gets targeted by multiple states simultaneously and then from those states, multiple teams. If you are in some of the, you know, more traditional enterprises, particularly like, say, retail for instance, your major concern is probably going to be criminal activity. Right.

John Hultquist [00:09:30]:
And if you could break that down too, your major concern may not be disruption from ransomware. It may actually be effects on your brand. One of the things that criminals learned a few years ago when they started leaking data is that people are, the companies are way more concerned about brand than they are disruption. And we can see that play out in the activity that they carry out. We know that it takes about two days usually for a threat actor to get in place to carry out or to deploy ransomware. It takes about a week for them to steal enough data for leaking, but they’re willing to put in that extra five days because they know that it’s way more likely that they’ll get paid if they do.

Karissa Breen [00:10:12]:
So would you say, and I mean, even working the field myself historically, before doing the media side of it, I mean, we were sort of saying more than 10 years ago, like a lot of it historically wasn’t driven by financial. So would you start to see now, given what you do day to day, will that start to overtake now? Because, you know, obviously with how the world is and, you know, geopolitics, things arising, the cost of living, are we going to start to see this become maybe the key driver leading the way in terms of these criminal groups?

John Hultquist [00:10:44]:
Yeah, it’s a great question. I think one of the issues that we’ve got a problem with here is that it’s very difficult to disrupt this, right? A lot of it’s coming out of Russia, for instance. These actors aren’t going to quit anytime soon. They’re not going to go to jail. Sorry, I mentioned this marketplace, right? This underground marketplace. Well, if your incident is three separate players working together, somebody who got access to your organization, who sold that access to an intrusion group, and that intrusion group brought in a ransomware service, and any one of those goes down at some point, they’ve got an entire marketplace of replacements. And so it’s very difficult to push back on a marketplace. And so we’re sort of facing a problem that is structurally resilient.

John Hultquist [00:11:35]:
That’s not very good news. You mentioned, you know, in the past this wasn’t as big a problem. And I’ll tell you, you know, as somebody who has sort of, you know, sold intelligence or, you know, an intelligence product, the people who really only cared about criminal intelligence or cybercrime intelligence were banks and retail. And the reason they cared about that is because those actors were really only focused on fraud. What’s changed, though, is that suddenly they found a new way to monetize. Instead of selling little, you know, records for fractions of a cent, they can ask directly for cryptocurrency, right? And so the whole game for them now is what do I have to do to a target until they pay me in cryptocurrency? And that could be ransomware, it could be leaking, it could be threatening a CEO’s family. That’s the world that we’re living in now.

Karissa Breen [00:12:33]:
So you mentioned before disrupting it. Do you mean as in to sort of combat it? Like, is this going to start spiraling out of control?

John Hultquist [00:12:40]:
The worst examples that I can think of is right around the time of COVID, a lot of these actors came forward willingly and said, hey, we’re not monsters. We’re not going to target healthcare in the middle of COVID. Right. And they said that’s too far. One or two did it anyway. They didn’t care. But since that’s happened, we’ve seen so many actors go back to targeting healthcare. There’s already evidence that people are getting hurt and potentially dying because of these disruptive attacks. If these continue, critical infrastructure is going to go down.

John Hultquist [00:13:14]:
Somebody’s going to get hurt. More and more people are going to get hurt. We could say that it’s already spiraling out of control.

Karissa Breen [00:13:20]:
Okay, so going back to the healthcare. So you mentioned, no, we’re not going to do that, not once. But then it happened. So then what was the motivation for that?

John Hultquist [00:13:26]:
Great question. So here’s what’s interesting when it comes to, particularly with ransomware, disrupting systems: it takes time for an actor to get into an organization and get in place to deploy ransomware. Like two days usually. If I put in all that time, I want to get paid. Right. And the best way to ensure that you get paid is to pick a target who’s going to pay. Right. There are some organizations who just don’t care and they will slowly get back online and they’ll live with that.

John Hultquist [00:13:59]:
But hospitals need those systems now, and they can get sued, people’s lives are on the line. They’re ethically and financially and legally required to stay online. And that means they’ll probably pay out, and the adversary knows that. And so they’re going to target hospitals.

Karissa Breen [00:14:20]:
So then they’re saying they’re not monsters, but then they are. Because in the last few days I’ve actually been at a hospital, like my grandmother was really sick and has now passed away recently, in the last few days. But I was sitting there and I thought, imagine if something happened, how critical that would be. And that’s me as a granddaughter, but that’s also me as a cyber person. Right. Like, I don’t know if sometimes we as cyber people really get on the front line and go into these hospitals and go, imagine if something happened, these people could die. That is a lot.

Karissa Breen [00:14:55]:
I mean, I worked in a bank in cybersecurity. I mean, I’ve spoken about this. You’re going to get your money back, but you can’t get your grandmother back if something of this caliber were to happen.

John Hultquist [00:15:07]:
The scenario is really simple too. The concern we had, for instance, during COVID wasn’t that, you know, they were going to break something irretrievably or, you know, that we couldn’t get something back online. The concern we had was that especially during COVID every second counted because the system was already overloaded. Right. And when that happens, essentially what you rely on is your ability to efficiently administer that healthcare system. Right. And that is all done through. And if that goes away, you can’t efficiently administer things.

John Hultquist [00:15:43]:
People can’t get drugs in time, they can’t get treatment in time. People are left out in the waiting room for too long, and you have a really dangerous situation. If you think about it as sort of like the target is your ability to efficiently administer, and what happens when those things break, you can sort of draw that out to other problems. Right. I think historically the disruptive targets that have really been successful for a lot of organizations, or for a lot of criminals and state actors, have been things like logistics.

John Hultquist [00:16:19]:
It wasn’t necessarily that, you know, those things aren’t going to get where they needed to go eventually, it’s that they couldn’t get there in time, or the system starts breaking in such a way that things start having cascading problems. Right. So one thing doesn’t show up at one place and then, you know, it doesn’t end up on the truck it’s supposed to go to the other place on. And the whole system sort of starts cracking. And so, you know, these disruptive incidents can have these major impacts, so.

Karissa Breen [00:16:46]:
We’re going to start to see more of these cyber, like, degenerates. And what I mean by that is just the lack of moral compass. Like you said before, we’re not monsters. But that’s exactly what you are when, you know, people, like I said, like, money is money, it comes and goes and, you know, we can give it back. But someone’s life, like, I mean that this is getting into really extreme territory now, so they just don’t care. Is it just, oh, well, like you said, people need hospitals to operate, so therefore it’s easy to get money out of them? So what does that, where does that leave us, like, as an industry, but also as a society, that people are now going to this level for money?

John Hultquist [00:17:22]:
Well, one, I think it makes what we do 10 times more important. Right. I think this isn’t just about money anymore, unfortunately. The nature of this activity is far more dangerous. There are, unfortunately, plenty of degenerates carrying out this activity now. They’ve gotten far more aggressive. We can see them threatening people’s families on multiple occasions now, unfortunately, because they recognize that they can essentially do anything until you pay them through cryptocurrency. It’s only going to get worse. And we are going to have to continue to step in and fight that.

Karissa Breen [00:18:00]:
So what does worse look like in your eyes?

John Hultquist [00:18:02]:
Well, okay, so, you know, it started off with ransomware, right? So I would disrupt your systems until you paid me directly. And somebody realized, well, you know, people actually are more interested in their stuff being leaked. So they leak stuff until they pay you. And now increasingly we see people realize that they can just make threats until they pay. But I think it’s kind of up to the adversary’s imagination. What do they have to do to push your, you know, buttons until you pay? And I think, unfortunately, there’s going to be some big surprises on how far they could, or how far they’re going to take it, especially for actors who feel like they’re above the law and not really concerned about retribution. And I could possibly imagine some of those things, but I’m afraid that there are going to be scenarios that we can’t even think about.

Karissa Breen [00:18:53]:
So I remember a while ago I was talking to a cyber advisor, I mean, this was years ago, and he was sort of saying in his presentation, you know, cybercrime is what the old crime used to be. So when obviously the Internet started or became more ubiquitous in the 90s, the crime went online. But would you sort of say, listening to what you’re saying now, if I were to go out there and literally physically get into someone’s face, not that I ever would, but I’m just playing out a scenario, and say, give me the money, give me the money, that’s a hell of a lot different to sitting in my home and doing something remotely and virtually, because I’m not seeing these people, I’m not seeing their emotions. So would you say that whilst, yes, of course, crime’s gone online because of the Internet, etc., however, it’s escalated because people aren’t in front of people and seeing perhaps their emotions? Like you can’t. Out of sight, out of mind.

Karissa Breen [00:19:42]:
Right. Like, if I look up 10,000 credit card dealers, I don’t know who John Smith is and his family and his life story, and maybe he’s suffering from something mentally. Like when you’re physically going up to someone and you’re demanding that, that’s a lot different and there is some conscience there. Well, I hope so. But when you’re doing it remotely, these people are just a number on a screen for you.

John Hultquist [00:20:02]:
I think you’re absolutely right. There’s a psychological phenomenon here where people feel like they’re not actually causing that much trouble. Right. And I can tell you, you know, when you talk about a lot of the criminals that we have seen historically in the past, they would always sort of carry themselves or sort of talk about themselves as if they were not that. Right. They would say, listen, we are business people. We are doing free penetration testing or we’re doing unannounced penetration testing or something along those lines. And you’re insured.

John Hultquist [00:20:39]:
Right. And they would always sort of take a very, like, almost sort of friendly line to the whole thing. Right. And I remember stories of conversations where something had gone wrong with a group and they were actually apologetic. Unfortunately, though, I think that the way that the dynamics of sort of being able to pay money directly to an adversary, though, means that somebody will come along who’s not interested in all that civility. Right. And we’re always going to drift in that direction. There’ll always be somebody who, even though all these other actors said we wouldn’t hit hospitals in that time frame, there was one actor we watched who was literally lining up dozens and dozens of hospitals for attack, to the point where we just couldn’t believe it. It was shocking.

John Hultquist [00:21:34]:
There’s always somebody who’s willing to push that line, and unfortunately that line sometimes gets pushed for everyone when somebody proves that it’s possible. Because this is like a marketplace. People follow.

Karissa Breen [00:21:47]:
So I want to talk about China now. It’s a very controversial sort of area, but I think it’s important now, and you would have heard on the news, obviously the United States now is trying to beat them in the quantum game, the AI game, etc., because they’re thinking, well, we’ve got to overpower them because if we don’t that weakens our position. So talk a little bit more about what’s going on here. What do you know? What do you think people don’t know about China? I’m keen to get into this one.

John Hultquist [00:22:13]:
Sure. They have been fielding a number of intrusion teams for several years now that carry out this activity all across the world. But they have for a very long time carried out activity in Australia. You know, Australia’s government, critical infrastructure, defense industries and multiple other industries have been historically targeted, and they are currently being targeted by a number of different actors. The big thing that has changed is that they’re just a lot better than they used to be. They have invested and they have built out an ecosystem that gives them access to zero days and cutting edge techniques and things like supply chain, you know, activity, and all those things are what we expect now rather than the exception, which is what they were a long time ago.

Karissa Breen [00:23:11]:
And would you say China is better at covering their tracks now?

John Hultquist [00:23:14]:
Oh, they’re way better at covering their tracks. That’s one of the areas where they really invested. A good example, you know, if you looked at the activity, I started a million years ago working at the State Department doing this stuff. And when you looked at the activity back then, it was generally you get a spear phish. It was the worst, you know, the worst written spear phish you’ve ever seen. The user would immediately recognize that something was wrong, right, and raise the alarm. Maybe they would click on it.

John Hultquist [00:23:46]:
Maybe. But it was very rare. Once the actor got on the machine, they would use this terrible malware that was clunky and loud and, you know, easy to find. And then they would call back out. I kid you not, I remember them calling out directly to Shanghai, not even bothering to mask their command and control. What it looks like now is, instead of targeting with social engineering, more frequently they target the network edge. Ironically, they really like to target security products that sit on the network edge, because those products are very difficult to monitor. You cannot put most modern EDR solutions on the security devices sitting on the edge.

John Hultquist [00:24:29]:
It’s sort of like you are defending an island and you can’t watch the beaches. And so they get a beachhead really easily in a place where most of us can’t see. And they move through the network increasingly using living off the land techniques rather than malware. And then when they call out to their command and control, instead of calling back to Shanghai or calling back to a VPN that they use again and again and again, we can see them using what we call these networks of compromised systems, compromised routers, small office, home office routers. So if they hit a target here in Sydney, it wouldn’t be unusual for them to come through a home office router that’s right down the street.

John Hultquist [00:25:15]:
They look like they’re coming from really close by. They also consistently burn those routers. They don’t use them for very long. And so any IP address that you might have or, you know, might be a good piece of forensic data that you might use to find them is worthless pretty quickly, because they’ve burned it. We’re not detecting them when the user sees the terrible spear phish. We’re not detecting them on the edge, because there’s no detection capability. When they move across the network, they’re using less and less malware, which means all of our, you know, malware detection capabilities, which have grown and become much better, are ineffectual. And then they call out to an IP address that we can’t use for very long.

John Hultquist [00:25:58]:
And so they’ve gotten much, much more stealthy than they used to be. When the Volt Typhoon activity started being discovered in the United States, and was later discovered here too, the question that people were constantly asking was, give us the IOCs. And I think I heard, I was at a conference and somebody from the NSA said there are none. That’s how advanced, you know, they’ve become.

Karissa Breen [00:26:25]:
Okay, so I have so many questions. Okay, so I want to zoom out for a moment. So now with, you know, the United States going in, trying to overpower China, as I said, the AI and the quantum game. Right? So depending on who you listen to now, I listen to people from all walks of life in terms of YouTube and podcasts. Just so hypothetically, China wins the arbitrary AI quantum game. What does that then mean for the United States? Because it’s important, because as an Australian, we are part of the Five Eyes sort of countries. Right? There’s an alliance, there’s an allegiance there. What does that then mean, given everything that we spoke about in terms of the threat landscape?

John Hultquist [00:27:03]:
I can tell you that AI is being used, you know, already by threat actors. But it’s more importantly also being used for security. Right. So we’re definitely in a period where we can see them sort of, I’d say, experimenting with AI. Most of that’s in the social engineering space, right? So you would see a lot of, like, the content that they need for social engineering, like the fake email or the fake persona that sits on LinkedIn. Increasingly we’re seeing hints that adversaries are using it in their malware.

John Hultquist [00:27:39]:
So rather than hard coding a command into the malware, we saw an actor basically call out to an LLM and have the LLM build the command. That way it would always change and be harder to sort of track and look for. And we expect a lot of other advances along those lines too. But the good news is that, you know, we’re already leveraging this stuff to find malicious activity. You know, the really cool thing that we did just the other day at Google, we had some minor evidence that an adversary was essentially staging a zero day. We didn’t know what the exploit was. We just had evidence that it was potentially in a certain type of software. And we used an AI tool to essentially uncover that zero day.

John Hultquist [00:28:35]:
And then we were able to, to work to get a patch out before that adversary could field the zero day. So I mean, in the intel space that is, you know, wins like that are rare and as good as it gets, right, to actually beat the adversary before they can even field their malicious activity. There’s a ton of real value that we can bring on the, on the defensive side too.

Karissa Breen [00:29:01]:
So then I’m curious to understand what’s North Korea’s play then? What, what, what’s going on with them?

John Hultquist [00:29:06]:
North Korea is, is very interested in cash, right? So, you know, they’ve always had cyber capabilities or cyber espionage capabilities. They’ve always done these disruptive and destructive attacks, particularly in South Korea. What changed? Several years ago we saw them basically start knocking over banks. They were doing these long term heists in banks where it basically ended with them trying to wire themselves like $100 million. This huge incident and that led to a ton of different schemes for them to basically bring money back to the regime, most of which were focused on cryptocurrency. And you know, they would be like, for instance, they were hitting cryptocurrency exchanges, right, or doing these massive supply chain incidents where they got that down to all kinds of targets. What they’re really looking for was it was crypto wallets, things like that. But one of the ways that we see, we saw them sort of targeting the cryptocurrency industry was we could see them getting jobs at these places a few years ago.

John Hultquist [00:30:13]:
And increasingly we could see them taking jobs at all kinds of all kinds of different companies. And mostly at first it was focused in South Korea and the United States, but since then it’s happened everywhere. We know that it’s happening in Australia as well. But what’s. We call it the, the IT worker problem. So what basically is happening is North Koreans are going out into the world and taking these remote IT positions at companies all over the world. For the most part, when they get these jobs, they just, their goal is to just work them and keep them because they want that paycheck rolling in. And so it’s not unusual to have one IT worker working multiple jobs simultaneously.

John Hultquist [00:31:03]:
And we’ve even been told on many occasions that they did a good job, they were competent, reliable workers. For the most part, the scheme is actually labor for money.

Karissa Breen [00:31:14]:
So from my understanding, China and North Korea, they, they get along. So do you see them teaming up a lot more to go against United States and friends or where do you sort of see this now escalating to?

John Hultquist [00:31:27]:
I get those questions a lot, like not just for that, but Russia, Iran and other in other sort of possible teaming up situations. But I’ll tell you, for the most part on the cyber side, these guys are, these services are actually quite competitive with each other. And we can see in multiple cases we’ve seen them target each other. So they have to collect on, they don’t trust each other, I think ultimately. Right. And so when you don’t trust your, your peers, you target them with, target them with, with your capability. And so we’ve seen all kinds of sort of strange ways that’s play that’s played out. For instance, the Russians have set on top of an Iranian intrusion set where they basically hacked the Iranian intrusion set and then leveraged the Iranian set.

John Hultquist [00:32:18]:
They basically masqueraded as that set in some occasions, but sat on top of it and could see anything the Iranians were taking. So they basically let the Iranians do all the hacking for them. And one occasion, you know, Russia carried out an attack and they tried to make it look like North Korea did it. It’s very, very common to see actors from all of these countries target the other, the other country, in intrusions usually against government organizations because they wanted, they want insight into what those, those company countries are doing, just like they do everywhere else. I don’t think there’s just not a lot of trust when it comes to these capabilities. That’s the good news. The bad news with North Korea is that they do some of this activity from China and many other countries where they’re sort of allowed to operate out of. So these IT workers are not all based in Pyongyang.

John Hultquist [00:33:09]:
Some of them are in China and many other countries.

Karissa Breen [00:33:12]:
Okay, so there’s so many questions I have. We are running out of time. But one question I do have for you is in terms of power, power gives you a lot more capability to do things. So given your experience, what country would you say at the moment, as in today, has the most power in the cyber, AI, even quantum game?

John Hultquist [00:33:36]:
You mentioned the Five Eyes, right? And I think that’s probably the best way to think about the group or the, you know, the US and Australia, they’re really a part of a really tight knit group and they probably have the most power, cyber power. But there is a downside to that. That power comes directly from the fact that we are the most advanced and structurally complex economies in the world. And that also means that we have, because we have all that power, we also have incredible vulnerability, right? We have a lot of critical infrastructure that is online. We have way more, you know, way more complex systems that, that were a lot that could lead when they go down, could lead those cascading effects, right? And so the downside of, of cyber power in a lot of cases is cyber vulnerability. Story that I think about all the time is when whenever we, I think there was an incident with Iran, this is several years ago, when the Pentagon basically took credit for, or it was reported the Pentagon carried out some sort of hacking operation against Iran. What it’s important to remember is that, you know, when Iran, when that happens, Iran, Iran doesn’t target the Pentagon. That’s not what they’re going to, how they’re going to respond.

John Hultquist [00:34:56]:
They’re going to respond against oil and gas or telecoms or some other critical infrastructure target within the United States. Your offensive capability is not the same as your defensive capability. Your, the Pentagon is not the target for these, most of these actors, right. In those cases, their targets are going to be critical infrastructure which largely lies in private hands.

Karissa Breen [00:35:22]:
So, John, do you have any closing comments or final thoughts you’d like to leave our audience with today?

John Hultquist [00:35:27]:
If you talk to a lot of cybersecurity folks, they’re worried that they sort of tend towards paint by numbers, right? And I think there are really, it’s really important to do hygiene, right, and be. And be brilliant in the basics. Absolutely important. But it’s also really important to know who the adversary is. I’m a military veteran and I was deployed as part of a situation where we were really, we weren’t really designed for the military that I deployed with wasn’t really ready for the situation that we, we were deployed for. Right.

Karissa Breen [00:36:00]:
Right.

John Hultquist [00:36:00]:
And we had, we had to evolve. But it’s important to know who your adversary is so that you can evolve. Right. And if, if you’re doing security without sort of recognizing who they are, you’re just building walls and the adversary could have planes. Right. You have to think about who’s coming and how they operate and move in that direction.

John Hultquist [00:00:00]:
It’s important to know who your adversary is so that you can evolve. Right. And if, if you’re doing security without sort of recognizing who they are, you’re just building walls and the adversary could have planes. Right. You have to think about who’s coming and how they operate.

Karissa Breen [00:00:35]:
Joining me now in person is John Hultquist, chief analyst at Google Threat Intelligence Group. And today we’re discussing John’s view on Australia’s threat landscape. So, John, thanks for joining me and welcome.

John Hultquist [00:00:46]:
Thanks for having me.

Karissa Breen [00:00:47]:
Okay, so you know what, when I say the word the threat landscape, and it’s really interesting and I mean, you would obviously know a lot more about this than I would, but I, it, it changes all the time, especially in my role in media, like, the amount of things that we’re seeing that come through our desk and how things are changing in terms of the velocity and the speed in which it does change. So I want to sort of start there, given your background, given your role, walk us through your thoughts and insights around the threat landscape. Maybe start with global and let’s sort of then hone in on Australia.

John Hultquist [00:01:16]:
Sure. I think you said velocity or, you know, like the rate of change. I think that’s been a big thing I’ve had to get used to, to my, my career. I remember when I first started doing this, I, I, I could remember just about every major incident or case or, and now there’s so many, there’s so many more actors than there used to be and, and it is a lot harder to keep track of. But the things that really sort of change or cause all that change are technology’s constantly changing. Right. I think obviously we’ve entered this age of, of AI that’s going to, is going to create, create a lot of change. Geopolitics are constantly changing and the adversary is constantly changing.

John Hultquist [00:01:56]:
One of the things I think that we’re concerned about when it comes to the threat actors from, from China, for instance, is, is that they have evolved. We’ve come up with a lot of good solutions to sort of deal with their activity. And so they’ve gotten better and they’ve come up with a new pro, they’ve created new, new issues. Australia, I think the threats that I, I’ve tend to talk about when I, when I talk about Australia that, that stand out the most to me, I think are probably those threats from state actors out of China, as well as the criminal threat, which everybody faces. But Australia’s had obviously some very recent incidents that, that sort of demonstrate the seriousness of that threat. Last, last time I was in the country too, I, I was talking about the threat of these North Korean IT workers, which is something that hasn’t entirely gone away yet. And it’s pretty serious.

Karissa Breen [00:02:48]:
So you mentioned before when you sort of started your career in terms of like, where it is now, and it’s very, very hard to keep up. You’re right, because things are happening each day. So would you say, do we say people are just tired? Like, oh, it’s just this. If it’s not that, like even, like I said, even from our perspective, it’s hard to cover everything. Right. We just don’t have enough time in the day. So how do people really feel at the end of the day once they’ve done, you know, all of the things they need to do at work? And then there’s like, oh, now there’s another thing. Like, how do you think generally people are feeling?

John Hultquist [00:03:19]:
A lot of people probably feel pretty beleaguered, unfortunately. You know, there are, there are people that sort of compare our field to safety sometimes. Right. And I think there are a lot of lessons we can learn from the safety profession. But the biggest difference between us and the safety profession is safety people are really facing or facing off with the immutable laws of physics. The threats that we’re dealing with change every day. And so unfortunately, we’re essentially on a treadmill. Right.

John Hultquist [00:03:50]:
That we never get to get off of. And any solution, you know, that we create, while it might mitigate some problem, there’s always the actor will change and the problem, new threats will arise and we’ll have to deal with those as well. That could be. That can be rough.

Karissa Breen [00:04:07]:
Yeah, that. Yeah. This is so interesting. Okay, so, and then I know that we’ve obviously spoken a lot about the global and Australia more specifically, and you mentioned before, like, the state actors out of China, et cetera. But now there’s a lot of these other sort of smaller breaches happening in terms of they are state actors per se, but we’ve heard a lot about Scattered Spider, which has been discussed a lot in the industry, for example, as it pertains to the recent Qantas breach.

John Hultquist [00:04:34]:
Sure.

Karissa Breen [00:04:34]:
So maybe walk us through what’s happening here then.

John Hultquist [00:04:37]:
Well, really strange phenomena. So most, you know, most of these cyber criminal activity that we see are a lot of the cyber criminal activity. There’s different, different types of it. But a lot of the really scaled cyber, cyber criminal activity comes out of Russian speaking countries, particularly Russia. But we’ve seen some out of Ukraine and other places as well. It comes out of essentially the, the, the underground. Right. It’s a, there’s a marketplace where all these actors interact and they sell services to each other.

John Hultquist [00:05:08]:
And an intrusion, the average ransomware incident for instance, is actually a series of transactions in this Russian speaking marketplace. But one of the strange phenomena that we’ve seen in the last few years is this rise of English speaking criminals. And these BAs, they basically came out of a you know, group of, of kids that were largely sort of organizing after Covid hit. They, they kind of dove into an online world and, and you know, they were doing some criminal activity. They were doing some just highly unethical, very aggressive, nasty activity like swatting and things like that. And out of this, these sort of spaces we started seeing real serious criminal threats arise. Sort of cells like Scattered Spider started to grow where groups of, of these kids were, were starting to actually really get a, I would almost say competitive capability together. And those actors have, have really demonstrated some flaws in our security.

Karissa Breen [00:06:16]:
So when you say kids, what sort of age range are you talking? Because I mean like as older people like anyone sort of feels like a kid nowadays. But like how young are we sort of talking here?

John Hultquist [00:06:25]:
Well, I would say late, you know, late teens, 17s to early 20s and maybe even younger than that. But you know, many of them, many, many of them are minors. They know that, that by doing this activity while they’re minors that they’re probably not going to face the same consequences. It appears many of them have probably been arrested and then rearrested, meaning that they don’t seem to actually be very concerned about the consequences. And I think, you know, the fact that they’re young may be why they’re, they’re so incredibly aggressive because it may not have the same risk management concerns you would expect from an adult. Right. There’s a reason why we don’t let kids do some of the more dangerous activities because they don’t think the same way.

Karissa Breen [00:07:10]:
Yeah. Okay, so this is interesting. So going back to Scattered Spider then from moments, my understanding is they’re a bit more financially motivated, the younger kids, you know, so in terms of their motivation, obviously it’s financial for sure. But are we going to start to see more of these groups propagate? Because as you mentioned, if they’re minors it’s hard to be held accountable or there’s not a lot of repercussions, can be easy money for these people. I mean, I was listening to something a while ago about a guy who was living in the United States and then he just ran. He was really desperate to pay his car repayment off and someone said, oh, you know, you steal these credit cards and he, he did all of this back in like the 80s or something. Right. But he said it was just too easy.

Karissa Breen [00:07:51]:
So because it’s so easy to get into, you don’t have to leave your house. Are we going to start to see more of a rise of this type of criminal activity? I mean, no one’s going nowadays, you know, with a, with a sack on their back to rob a bank anymore. You know, can they just do it from their home?

John Hultquist [00:08:05]:
I, I think that within this community that’s exactly what we are seeing. These actors are sort of feeding their egos and it. By sharing their exploits with each other. And that probably is only going to cause more and more people to get into the business. They also think that there’s even maybe some recruiting that’s going on here and we’ve definitely seen reports of that based on the fact that they need. That minors are at less risk. Right. And so that if you want to do some of this stuff, you may want to actually bring other people in to help.

John Hultquist [00:08:36]:
And so yeah, I think this is a problem that could be growing.

Karissa Breen [00:08:39]:
Okay, so then in terms of. So we’ve got the group, so like state sponsored, a nation state. You’ve got the site, you know, Scattered Spider that are obviously driven financially. If you had to sort of weight it, where do you sort of see that weight being distributed in terms of these groups?

John Hultquist [00:08:54]:
That’s a good question. So every organization sort of has a different profile. Right. And so it’s, it’s not the same for everyone. If you are in the defense industry, for instance, your major concern is going to be state actors. The average defense industry defense organization gets targeted by multiple states simultaneously and then from those states, multiple teams. If you are in some of the, you know, more traditional enterprises, particularly like say like retail for instance, your, your major concern is probably going to be criminal activity. Right.

John Hultquist [00:09:30]:
And if you could break that down too, your major concern may not be disruption from ransomware. It may actually be effects on your brand. One of the things that criminals learned a few years ago when they started leaking data is that people are, the companies are way more concerned about brand than they are disruption. And we can see that play out in the activity that they carry out. We know that it takes about two days usually for a threat actor to get, get in place, to carry out or to deploy ransomware. Takes about a week for them to, to steal enough data for leaking, but they’re willing to put in that extra five days because they know that it’s way more likely that they’ll get paid if they do.

Karissa Breen [00:10:12]:
So would you say, and I mean, even working the field myself historically, before doing the media side of it, I mean, we were sort of saying more than 10 years ago, like a lot of it historically wasn’t driven by financial. So would you start to see now, given what you do day to day, will that start to overtake now? Because, you know, obviously with how the world is and, you know, geopolitics, things arising, the cost of living, are we going to start to see this become maybe the key driver leading the way in terms of these criminal groups?

John Hultquist [00:10:44]:
Yeah, yeah, it’s a great question. I think one of the issues that we’ve got, that we’ve got a problem with here is that there’s really, it’s very difficult to disrupt this, right? It’s a lot of it’s coming out of Russia, for instance. These actors aren’t going to quit anytime soon. They’re not going to go to jail. Sorry, I mentioned this marketplace, right? This underground marketplace. Well, if your incident is three separate players working together, somebody who got access to your organization, who sold that access to an intrusion group, and that intrusion group brought in a ransomware service, and any one of those goes down at some point, they’ve got an entire marketplace of replacements. And so it’s very difficult to push back on a marketplace. And so we’re, we’re sort of facing a problem that is structurally resilient.

John Hultquist [00:11:35]:
That’s not, not very, very good news. You mentioned, you know, in the past this wasn’t as big a problem. And I’ll tell you, you know, as somebody who has, has sort of, you know, sold intelligence or, you know, an intelligence product, the people who really only cared about criminal intelligence or cybercrime intelligence were banks and retail. And the reason they care, cared about that is because those actors were really only focused on fraud. What’s changed, though, is that suddenly they found a new way to, to monetize. Instead of selling little, you know, records for fractions of a cent, they can ask directly for cryptocurrency, right? And now, so the whole game for them now is what do I have to do to a target until they pay me in cryptocurrency? And that could be ransomware, it could be leaking, it could be threatening a CEO’s family. That’s the world that we’re living in now.

Karissa Breen [00:12:33]:
So you mentioned before disrupt it. Do you mean as in to sort of combat it? Like, it’s just, is this going to start spiraling out of control?

John Hultquist [00:12:40]:
The worst examples that I can think of is right around the time of COVID, a lot of these actors came forward willingly and said, hey, we’re not monsters. We’re not going to target healthcare in the middle of COVID. Right. And they said that’s too far. One or two did it anyway. They didn’t care. But since that’s happened, we’ve seen so many actors go back to targeting healthcare. There’s already evidence that people are getting hurt and potentially dying because of these disruptive attacks. If these continue, critical infrastructure is going to go down.

John Hultquist [00:13:14]:
Somebody’s going to get more and more people are going to get, get hurt. We could say that it’s already spiraling out of control.

Karissa Breen [00:13:20]:
Okay, so going back to the healthcare. So you mentioned, no, we’re not going to do that. Not once is. But then it happened. So then what was the motivation then for that?

John Hultquist [00:13:26]:
Great question. So here’s what, here’s what’s interesting when it comes to, particularly with ransomware disrupting, you know, disrupting systems is it takes time for an actor to get into an organization and get in place to deploy ransomware. Like two days usually. If I put in all that time, I want to get paid. Right. And the best way to get, make, ensure that you get paid is to pick a target who’s going to pay. Right. There are some, some organizations who just don’t care and they will slowly get back online and they’ll live with that.

John Hultquist [00:13:59]:
But hospitals need those systems now and they, they can get sued that people’s lives are on the line. They’re ethically and financially and legally required to get on to stay online. And that means they’ll probably pay out and the adversary knows that. And so they’re going to target hospitals.

Karissa Breen [00:14:20]:
So then they’re saying they’re not monsters, but then they are. Because in the last few days I’ve actually been at a hospital like my grandmother was, is really sick and, and has now passed away recently last few days. But I was sitting there and I thought, imagine if something happened, how critical that would be. And that’s me as a granddaughter, but that’s also me as a cyber person. Right. Like, I don’t know if sometimes we as cyber people really get on the front line. And go into these hospitals and go, imagine if something happened, these people could die. That is a lot.

Karissa Breen [00:14:55]:
I mean, I worked in a bank in cybersecurity. I mean, I’ve spoken about this. You’re going to get your money back, but you can’t get your grandmother back if something of this caliber were to happen.

John Hultquist [00:15:07]:
The scenario is really simple to. The concern we had, for instance, during COVID wasn’t that, you know, that they were going to, you know, break something irretrievably or, you know, that we couldn’t get something back online. The concern we had was that especially during COVID every second counted because the system was already overloaded. Right. And when that happens, essentially what that you rely on is your ability to efficiently administer that healthcare system. Right. And that is all done through. And if that it goes away, you can’t efficiently administer things.

John Hultquist [00:15:43]:
People can’t get drugs in time, they can’t get treatment in time. People are left out in the waiting room for too long and. And you have a really dangerous situation. If you think about it as sort of like the target is the, your ability to efficiently administer. And what happens when those things break. You can sort of draw that out to other problems. Right. There are, I think historically the disruptive targets that have really been successful for a lot of organizations or for a lot of criminals and state actors have been things like logistics.

John Hultquist [00:16:19]:
It wasn’t necessarily that, you know, those things aren’t going to get where they needed to go eventually is that they couldn’t get there in time or the system starts breaking in such a way that things start having cascading problems. Right. So one thing doesn’t show up with one place and then it’s in the, you know, it doesn’t end up on the truck, it’s supposed to go the other place. And the whole system sort of starts cracking. And so we, you know, these disruptive incidents can have these major impacts, so.

Karissa Breen [00:16:46]:
We’re going to start to see more of these cyber like degenerates. And what I mean by that is just the lack of moral compass. Like you said before, we’re not one of monsters. But that’s exactly what you are when, you know, people, like I said, like, money is money, it comes and goes and, you know, we can, we can give it back. But someone’s life, like, I mean that this is getting into really extreme territory now, so they just don’t care. Is it just. Oh, well, like you said, people need hospitals to operate, so therefore it’s easy to get money out of them. So what does that, where does that leave us, like, as an industry, but also as a society that, like, people are now going to this level for money?

John Hultquist [00:17:22]:
I think, well, one, I think it makes it, what we do 10 times more important. Right. I think this isn’t just, this isn’t just about money anymore, unfortunately. The nature of this, this activity is, is far more dangerous. There are plenty of unfortunately degenerates carrying out this activity now. They’ve gotten far more aggressive. We can see them threatening people’s families on multiple occasions now, unfortunately, because they recognize that they can essentially do anything until you pay them through cryptocurrency, it’s only going to get worse. And we, we’re, we are going to have to continue to step in and fight that.

Karissa Breen [00:18:00]:
So what does worse look like in your eyes?

John Hultquist [00:18:02]:
Well, okay, so, you know, it started off with ransomware, right? So I would disrupt your systems until you paid me directly. And somebody realized, well, you know, people actually are more interested in their stuff being leaked. So they leak stuff until, until they pay you. But, and, and then now increasingly we see people realize that they can just make threats until they pay. But I think it’s a, it’s kind of up to the adversary’s imagination. What do they have to do to push your, you know, buttons until you pay. And I think, unfortunately, there’s going to be some big surprises on how far they could, or how far they’re going to take it, especially for actors who feel like they’re above the law and not really concerned about retribution. And I could possibly imagine some of those things, but I’m afraid that there are going to be scenarios that we can’t even, we can’t even think about.

Karissa Breen [00:18:53]:
So I remember a while ago I was talking to a cyber advisor, I mean, this was years ago, and he was sort of saying in his presentation, you know, cybercrime is what the old crime used to be. So when obviously the Internet started or became more ubiquitous in the 90s, the crime went online. But would you sort of say, listening to what you’re saying now, if I were to go out there and literally physically get into someone’s face, not that I ever would, but I’m just playing out a scenario and say, give me the money, give me the money. That’s a hell of a lot different to sitting in my home and doing something remotely and virtually because I’m not seeing these people, I’m not seeing their emotions. So would you say that whilst. Yes, of course, crime’s gone online because of the Internet, etc, however, it’s escalated because people aren’t in front of people and seeing perhaps their emotions. Like you can’t. Out of sight, out of mind.

Karissa Breen [00:19:42]:
Right. Like, if I look up 10,000 credit card dealers, I don’t know who John Smith is in his family and his life story, and maybe he’s suffering from something mentally. Like when you’re physically going up to someone and you’re demanding that, that’s a lot different and there is some conscience there. Well, I hope so. But when you’re doing it remote, these people are just a number on a screen for you.

John Hultquist [00:20:02]:
I think you’re pro, you’re, you’re absolutely right. There’s a psychological phenomenon here where people feel like they’re not actually causing that much trouble or. Right. And, and I can tell you, you know, when you talk about like a lot of the criminals that we have seen historically in the past, they would always sort of carry themselves or sort of talk about themselves as if they were not that. Right. They would say, listen, we are, we are business people. We are doing free penetration testing or we’re doing unannounced penetration testing or something along those lines. And you’re insured.

John Hultquist [00:20:39]:
Right. And they would always sort of take a very like, almost sort of friendly line to the whole thing. Right. And I remember stories of conversations where something had gone wrong with it with a group and, and they, they were actually apologetic. Unfortunately, though, I think that the, the, the, the way that the dynamics of sort of being able to pay money directly to, to an adversary, though, means that somebody will come along who’s not interested in, in all that civility. Right. And, and we’ll always, we’re going to drift in that direction. It’ll always be somebody who, even even though all these other actors said we wouldn’t hit hospitals in that time frame, there was one actor we watched who was literally lining up dozens and dozens of hospitals for attack to the point where we, we could, we, we just couldn’t believe it was shocking.

John Hultquist [00:21:34]:
There’s always somebody who’s willing to push that line and unfortunately that that line sometimes gets pushed for everyone when somebody proves that it’s possible. Because this is like a, a marketplace people follow.

Karissa Breen [00:21:47]:
So I want to talk about China now. It is a very controversial sort of area, but I think it’s important now, and you would have heard on the news, obviously United States now is trying to beat them in the quantum game, the AI game, etc, because they’re thinking, well, we’ve got to overpower them because if we don’t that weakens our position. So talk a little bit more about what’s going on here. What do you know? What do you think people don’t know about China? I’m keen to, keen to get into this one.

John Hultquist [00:22:13]:
Sure. They have been fielding a number of intrusion teams for several years now that carry out this activity all across the world. But they have for a very long time carried out activity in Australia. You know, Australia’s government, critical infrastructure, defense industries and some of multiple other industries have been historically targeted and they are currently being targeted by, by a number of different actors. The big thing that that has changed is that they’re just a lot better than they used to be. They have invested and they have built out an ecosystem that it, that gives them access to zero days and cutting edge techniques and things like supply chain, you know, activity and all those things are what we expect now rather than the, the exception, which is what they were in a long time ago.

Karissa Breen [00:23:11]:
And would you say China is better at covering their tracks now?

John Hultquist [00:23:14]:
Oh, they’re way better at covering their tracks. That’s one of that sort of their, the areas where they really invested. A good example, you know, if you looked at the activity, I started a million years ago working at the State Department doing this stuff. And when you looked at the activity back then it was generally you get a spear-phish. It was the worst, you know, the worst written spear-phish you’ve ever seen. The user would immediately recognize that something was wrong, right. And raise the alarm. Maybe they would click on it.

John Hultquist [00:23:46]:
Maybe. But it was very rare. Once the act, once that the actor got on the machine, they would use this terrible malware that was clunky and loud and, and you know, we were easy to find. And then they would call out, I kid you not, back. I remember them calling out directly to Shanghai, not even bothering to mask their command and control. What it looks like now is they instead of targeting with social engineering more frequently, they target the network edge. Ironically, they really like to target security products that sit on the network edge because those products are very difficult to monitor. You cannot put most modern EDR solutions on the security devices sitting on their edge.

John Hultquist [00:24:29]:
It’s sort of like you are defending an island and you can’t watch the beaches. And so they get a beachhead really easily in a place where most of us can’t see. And they move through the network increasingly using living off the land techniques rather than malware. And then when they call out their command and control, instead of calling back to Shanghai or calling back to a VPN that they use again and again and again. We can see that our. The VPNs they use again and again and again. We can see them using what we call these networks of compromised systems, compromised routers, small office, home office routers. So if they hit a target here in Sydney, it wouldn’t be unusual for them to come through a home office router that’s right down the street.

John Hultquist [00:25:15]:
They look like they’re coming from really close by. They also consistently burn those routers. They don’t use them for very long burn. And so any IP address that you might have or, you know, might be, a good piece of forensic data that you might use to find them is worthless pretty quickly because they’ve burned it. We’re not detecting them. When the user sees the terrible spear-phish, we’re not detecting them because on the edge, because there’s no detection capability. When they move across the network, they’re using less and less malware, which means all of our, you know, malware detection capabilities, which have grown and become much better, are ineffectual. And then they call out to an IP address that we can’t use for very long.

John Hultquist [00:25:58]:
And so they’ve gotten much, much more stealthy than they used to be. When the Volt Typhoon activity started being found in the United States, it was started to be discovered in the United States and is later discovered here too. The question that people were constantly asking for is give us the IOCs. And I think I heard, I was at a conference and somebody from the NSA said there are none. That’s how. That’s how advanced, you know, they’ve become.

Karissa Breen [00:26:25]:
Okay, so I have so many questions. Okay, so I want to zoom out for a moment. So now with our, you know, the United States going in, trying to overpower China, as I said, the AI and the quantum game. Right? So depending on who you listen to now, I listen to people from all walks of life in terms of YouTube and podcasts. Just so hypothetically, China wins the arbitrary AI quantum game. What does that then mean for the United States? Because it’s important, because as an Australian, we are part of the five eyes sort of countries. Right? There’s an alliance, there’s an allegiance there. What does that then mean? Given everything that we spoke about in terms of the threat landscape, then I.

John Hultquist [00:27:03]:
Can tell you that AI is being used, you know, already by, by threat actors. And, and it’s so. But it’s more importantly also being used in for security. Right. So we’re definitely in a period where we can see them sort of. I’d say experimenting with, with AI. Most of that’s in the social engineering space, right? So you would see a lot of like the content that they need for, for social engineering, like the fake email or the fake persona that sits on LinkedIn. Increasingly we’re seeing hints that they’re using it in adversaries, are using it in their malware.

John Hultquist [00:27:39]:
So rather than writing hard coding a command into the malware, we saw an actor basically call out to an LLM and have the LLM build the command. That way it would always change and be harder to sort of track and look for. And we expect a lot of other advances along those lines too. But the good news is that, you know, we’re already leveraging this stuff to find, to find malicious activity. You know, the really cool thing that we did just the other day at Google, we had some minor evidence that an adversary was essentially staging a zero day. We didn’t know what the zero, we, we didn’t know what the exploit was. We just had evidence that it was, was potentially in a certain type of software. And we used our, an AI tool to essentially uncover that zero day.

John Hultquist [00:28:35]:
And then we were able to, to work to get a patch out before that adversary could field the zero day. So I mean, in the intel space that is, you know, wins like that are rare and as good as it gets, right, to actually beat the adversary before they can even field their malicious activity. There’s a ton of real value that we can bring on the, on the defensive side too.

Karissa Breen [00:29:01]:
So then I’m curious to understand what’s North Korea’s play then? What, what, what’s going on with them?

John Hultquist [00:29:06]:
North Korea is, is very interested in cash, right? So, you know, they’ve always had cyber capabilities or cyber espionage capabilities. They’ve always done these disruptive and destructive attacks, particularly in South Korea. What changes? Several years ago we saw them basically start knocking over banks. They were doing these long term heists in banks where it basically ended with them trying to wire themselves like $100 million. This huge incident and that led to a ton of different schemes for them to basically bring money back to the regime, most of which were focused on cryptocurrency. And you know, they would be like, for instance, they were hitting cryptocurrency exchanges, right, or doing these massive supply chain incidents where they got that down to all kinds of targets. What they’re really looking for was it was crypto wallets, things like that. But one of the ways that we see, we saw them sort of targeting the cryptocurrency industry was we could see them getting jobs at these places a few years ago.

John Hultquist [00:30:13]:
And increasingly we could see them taking jobs at all kinds of all kinds of different companies. And mostly at first it was focused in South Korea and the United States, but since then it’s happened everywhere. We know that it’s happening in Australia as well. But what’s. We call it the, the IT worker problem. So what basically is happening is North Koreans are going out into the world and taking these remote IT positions at companies all over the world. For the most part, when they get these jobs, they just, their goal is to just work them and keep them because they want that paycheck rolling in. And so it’s not unusual to have one IT worker working multiple jobs simultaneously.

John Hultquist [00:31:03]:
And we’ve even been told in many occasions that they did a good job, they were competent, reliable workers. For the most part, the scheme is actually labor for money.

Karissa Breen [00:31:14]:
So from my understanding, China and North Korea, they, they get along. So do you see them teaming up a lot more to go against United States and friends or where do you sort of see this now escalating to?

John Hultquist [00:31:27]:
I get those questions a lot, like not just for that, but Russia, Iran and other in other sort of possible teaming up situations. But I’ll tell you, for the most part on the cyber side, these guys are, these services are actually quite competitive with each other. And we can see in multiple cases we’ve seen them target each other. So they have to collect on, they don’t trust each other, I think ultimately. Right. And so when you don’t trust your, your peers, you target them with, target them with, with your capability. And so we’ve seen all kinds of sort of strange ways that’s play that’s played out. For instance, the Russians have sat on top of an Iranian intrusion set where they basically hacked the Iranian intrusion set and then leveraged the Iranian set.

John Hultquist [00:32:18]:
They basically masqueraded as that set in some occasions, but sat on top of it and could see anything the Iranians were taking. So they basically let the Iranians do all the hacking for them. On one occasion, you know, Russia carried out an attack and they tried to make it look like North Korea did it. It’s very, very common to see actors from all of these countries target the other, the other country, in intrusions usually against government organizations because they wanted, they want insight into what those, those company countries are doing, just like they do everywhere else. I don’t think there’s just not a lot of trust when it comes to these capabilities. That’s the good news. The bad news with North Korea is that they do some of this activity from China and many other countries where they’re sort of allowed to operate out of. So these IT workers are not all based in Pyongyang.

John Hultquist [00:33:09]:
Some of them are in China and many other countries.

Karissa Breen [00:33:12]:
Okay, so there’s so many questions I have. We are running out of time. But one question I do have for you is in terms of power, power gives you a lot more capability to do things. So given your experience, what country would you say at the moment, as in today we have the most power in the cyber AI, even quantum game?

John Hultquist [00:33:36]:
You mentioned the Five Eyes, right? And I think that’s probably the best way to think about the group or the, you know, the US and Australia, they’re really a part of a really tight knit group and they probably have the most power, cyber power. But there is a downside to that. That power comes directly from the fact that we are the most advanced and structurally complex economies in the world. And that also means that we have, because we have all that power, we also have incredible vulnerability, right? We have a lot of critical infrastructure that is online. We have way more, you know, way more complex systems that, that were a lot that could lead when they go down, could lead those cascading effects, right? And so the downside of, of cyber power in a lot of cases is cyber vulnerability. Story that I think about all the time is when whenever we, I think there was an incident with Iran, this is several years ago, when the Pentagon basically took credit for, or it was reported the Pentagon carried out some sort of hacking operation against Iran. What it’s important to remember is that, you know, when Iran, when that happens, Iran, Iran doesn’t target the Pentagon. That’s not what they’re going to, how they’re going to respond.

John Hultquist [00:34:56]:
They’re going to respond against oil and gas or telecoms or some other critical infrastructure target within the United States. Your offensive capability is not the same as your defensive capability. Your, the Pentagon is not the target for these, most of these actors, right. In those cases, their targets are going to be critical infrastructure which largely lies in private hands.

Karissa Breen [00:35:22]:
So, John, do you have any closing comments or final thoughts you’d like to leave our audience with today?

John Hultquist [00:35:27]:
If you talk to a lot of cybersecurity folks they’re worried that they sort of tend towards paint by numbers, right? And I think there are really, it’s really important to do hygiene, right, and be. And be brilliant in the basics. Absolutely important. But it’s also really important to know who the adversary is. I’m a military veteran and I was deployed as part of a situation where we were really, we weren’t really designed for the military that I deployed with wasn’t really ready for the situation that we, we were deployed for. Right.

Karissa Breen [00:36:00]:
Right.

John Hultquist [00:36:00]:
And we had, we had to evolve. But it’s important to know who your adversary is so that you can evolve. Right. And if, if you’re doing security without sort of recognizing who they are, you’re just building walls and the adversary could have planes. Right. You have to think about who’s coming and how they operate and move in that direction.
