Yeah, so I'm on the Sherpa Committee for that. So we organized this where we bring out the staffers. Obviously Representatives Lieu and Langevin didn't walk the floor this time, but they were actually out here as a part of that, and their staffers actually went through the villages. So we organized the schedule, and then we have multiple private events outside of here with them also. And I just think that's really cool because, I mean, one of these things, yeah. So I mean, the ICS Village that's right over there, we're a nonprofit, we're a 501(c)(3), and a lot of what we're doing is advocating for education and awareness, particularly with folks who actually control the legislation that affects our lives. So it's great that they're actually out here at this and not just scared of all the dirty hackers that are here at DEF CON. It's all really frightening.

So, all right, we'll get started. I like this to be interactive. There are two ways for this to be interactive: either you guys voluntarily interact, or I help you to do it. If any of you have ever seen me speak before, you know how uncomfortable that can get.

So what we're gonna go through is a threat landscape of what we saw in 2018 in the industrial control system and Internet of Things landscape. So what was actually happening, and where possible, let's establish attribution: who was doing it. At the end of the day, conferences like this are focused a lot on the technical side of how we might do these things, and we'll talk through that to some degree. But I think it's important to recognize, particularly when we're looking at the fact that this is nation state on nation state, that it's not just a technical question. There are multiple arrows in the quiver; cyber is just one of them to cause those effects.

So, who am I? I founded GRIMM and SCYTHE, and then with Tom Van Norman we co-founded the ICS Village over here. We've been doing this for many years.
I'm also on the board of advisors for the Army Cyber Institute and a fellow at the National Security Institute. Basically, I don't have a life. So, like I said, we're going to walk through the landscape. We're going to talk through particular types. And then I'm going to give you some references as well as a take-home lab.

So, who saw on the news what the Russians did this week? Nobody saw on the news what the Russians did this week. Did you even look at the news? Because they do something every week. Raymond Blaine, what did they do? Damn it, you're the only name I see. Is there anybody else I know in here? Didn't they arrest a bunch of folks? The Russians, I feel like that's every day, kind of sucks to live there. Right, kleptocracy.

Okay, so the Russians just got caught using IoT devices for lateral movement. So, there were three categories of devices. Microsoft's the one who caught them. And what they were doing was, first of all, compromising the IoT device in the environment. Which, guess what, is really easy to do. I gave a talk showing how you can do that against tens of thousands of devices across the planet with no technical expertise. True story. I gave it at BSides Las Vegas this week. I've been giving this talk for two years. And what I was primarily trying to show is that we get too focused, as consumers, on the creepiness of our IoT. Somebody's going to get into my webcam and watch me get out of the shower. As you can tell, nobody wants that. So, that's not a problem. But that's not the real threat model. The real threat model is exactly what the Russians just did this week. I can easily get into an IoT device. And more importantly, that device gives me a pivot point to get to something that I do want. Something that is interesting. So, I actually give you a take-home lab where you can do that in the comfort of your own home.

All right, so we've got through that. Okay, so in 2018, courtesy of Kaspersky, no irony there, a lot of companies got attacked.
Most companies have had a breach. And we see this kind of thing in the news all the time. We're all going to hell in a handbasket. We're all going to die tomorrow. The electric grid is fucked. What are we going to do? Yet, here we are.

So, let's start with my very complex diagram, explaining how OT is different from IT. Has everybody heard of OT before? Do you know what that is? So, OT, operational technology. This is how we segregate the traditional infrastructure that we're used to, that we play around with on our computers in our daily jobs, from the computers that are providing us water and electricity and all the different parts of the infrastructure that underpins modern society. Without these, we go back to the Stone Age. So, like I said, we have a very complex diagram to show that those are two different things.

The other joke of Kaspersky is that they're air-gapped. Everyone know what an air gap is? Has anyone actually seen a real air gap? No, because they don't actually exist. An air gap is not an air gap is not an air gap. Not a single time in my entire life of pen testing in industrial control environments has someone said, these are air-gapped, and I just kind of stop and pause, raise the eyebrow, and they go, well, I mean, except when we do this, or every other Wednesday when we do this. There's always something that means they're not air-gapped.

So, of course, we hear all this and we understand that computers increase our surface area, which increases our risk. So, why are we introducing computers into something like the electric grid? If this is causing these problems, why are we doing it? Why don't we just make it simpler? Why don't we just go back to complete analog? Anybody got a guess? Why are we doing this? What changed, right? Something had to have changed. If we go back 30, 40 years ago, there were kind of computer things then.
Something in the last 30 to 40 years substantially shifted the environment and has caused us to be here. Any guesses? Eye contact, what is it? No, you can't look away after I point at you. Technology, well, yeah. So, the reason there's more technology is technology. Yes, sir? Because I want to work remotely, right? That drives efficiency, but I mean, if it really was that kind of risk, then I would say, you know, I'm not going to let you do that. But yeah, that is a factor, but what is the significant change? The what? The managers? The managers like to look cool? No, because it looks cool if you work for technology. Who doesn't like pretty colors? See, I was in the military. This is how you made generals happy. Every general had some color that he liked or she liked. And you'd be like, ah, he's the light blue one. She kind of likes an aqua. And God forbid you put the wrong color in there, because it didn't matter what the content was. Funny, but no, not true.

So, what actually changed is, 30 years ago, power was generated at a plant and transmitted to you, the consumer. One direction. Today, it's no longer one direction, right? Consumers, through renewables like solar energy, now contribute power back into the grid. What used to be very simple and unidirectional, where I had to worry about remote administration and efficiencies, and I was looking for those kinds of things, now needs computers to handle the exponentially more complex electric grid. It sounds like it's easier, because one way this way and one way that way, except the physics of electricity makes that a much more complex problem. That's why we're here.

OK, here's our actors. Anybody out there that surprises you? Nope, we know who they are, right? Whenever you hear people talking about the complexities of attribution, at the end of the day, I think we can kind of look at motives and determine a lot of what's happening.
You don't always have to do all the technical forensics to figure it out. So I would argue there is one flag that's not up here that should be. Any guesses? Who? That is China. America, UK, China, Israel, Russia, North Korea, and Iran. Vietnam. In the last year, we have seen the Vietnamese conducting nation-state espionage at an extreme level, where the part that has been publicly disclosed, and everything I say is going to be open source, of course, is that they are hacking all of the car manufacturing plants in their country and stealing everything out of them. So Vietnam gets an honorable mention.

All right, let's start with the first one, Olympic Destroyer. So it originated during the 2018 Olympics, hence the name, and started with spear phishing. So targeted phishing with a weaponized document. People popped that open, it got onto the network and then started worming its way through things. One of the things they did that was interesting is this concept of a data wiper. What a data wiper is is exactly what it sounds like. I'm going to do destructive things. On any computer I get on, I'm going to start deleting things. Now there are two reasons why I want to do that. One could be that my interest is chaos and I'm trying to actually cause destruction on your network. The second is that it's also awfully hard to do forensics and incident response when I'm destroying the data of what you're trying to find.

The reason that there are three flags up here for attribution is because a significant amount of deception has been used in this. So it's kind of difficult. We know it's one of these three. From a motive perspective, we saw Olympic Destroyer appear again attacking European biolabs. Does anybody remember how the Russians didn't cheat in the Olympics? Yeah, it's like every Rocky movie, right? So from a motive perspective, that would seem to be the Russians.
However, some of the techniques and tradecraft, and the fact that there was a focus on money, indicate either China or North Korea. The North Koreans in particular. Who remembers the Cold War? Come on, if you're old, raise your hand. Most of us are old at this point. The Soviet Union had rubles. Do you remember, have you ever seen rubles before, like before the fall of communism? No, rubles were worthless. Rubles only mattered inside the Soviet Union and even then they barely did. They needed hard currency. The US dollar is the currency of choice across the world for the financial system. It underpins everything. You can trade in and out of it. You couldn't do that with rubles. So as a Soviet, you needed to get your hands on hard currency, dollars, to be able to do things overseas or, of course, get luxury goods for the apparatchiks at the top of the communist chain there. North Koreans, same kind of problem. Nobody cares about their currency. They're in a closed economy. They're locked out of the world stage. So if, you know, Dear Leader wants whiskey and Ferraris, he can't buy it with the local currency. He needs US dollars. He needs hard currency. He needs a foreign currency. So their primary motive from the cyber perspective is theft. And we see this where they're attacking banks and they're attacking different parts of critical infrastructure from a financial perspective. A UN report that just came out the other week has classified that they have managed to steal $2 billion alone.

WannaCry. So WannaCry was not in 2018. It originally appeared in 2017 targeting Windows. We all remember that one. It took down a significant part of the hospital system in the United Kingdom. But what is interesting is that a variant reappeared in 2018. So when I gave this talk at RSA, it's funny, I just happened to meet the CISO at Apple the night before for drinks. And I was about to tell him how I had this slide laid out, because the Taiwanese manufacturer went down.
That's not an error. A quarter of a billion dollars of impact. And the word on the street was actually that Apple's shipping was delayed because the entire manufacturing plant went down. How it was introduced, and this is a problem that we see a lot in manufacturing plants and industrial control systems, is that the gold image that was used, because these things are old and couldn't be patched, was susceptible. A supplier brought it in and installed it on a system inside the manufacturing plant. And then, because WannaCry actually couldn't beacon out, it compromised everything it could touch and continued to move, trying to find its way out, and took the entire plant down. North Korea. By accident. They didn't intend to infect it. This was a supplier who just happened to have had an image that was infected and introduced it. I know, it's great, isn't it?

All right, Trisis. So this also started off in 2017. They used a combination of phishing and a watering hole approach. So a watering hole is, I study the habits of the employees at your company and I look for the forums and the websites that they go to. Forums are great because there are a lot of errors in parsing, so it's really easy for me to post something there that creates malicious content that then is served to anybody that goes there. And of course, since I've profiled that your employees go there, particularly you. Sorry, somebody else I know. I get them. Another example of, again, we see them targeting IT and trying to move laterally over to operational technology, because again, where's that air gap?

In the 2017 attack, they were attacking the safety instrumented system. That's a big deal. So in industrial control systems, this is the thing that's overseeing all of the sensors and the computers that are actually changing things in the physical environment. This is my view as a safety engineer for understanding what exactly is happening and whether it's in tolerance.
Most compute, like a PLC, which is actually what's changing what's happening in the physical environment for industrial controls, they're dumb computers. All they do, I don't have to hack a PLC. All I have to do is tell a PLC what to do. They don't validate me. They don't look for authority. They don't even go, that sounds like a stupid idea, this is what happens if I do it. They don't have that kind of understanding. That's what the SIS does. And so that attack in 2017 was incredibly dangerous because of that. We saw it appear in 2018 targeting US oil and natural gas pipelines. So a variant came out. This one is great because of how it leaked. This is, again, putting on my I Am The Cavalry hat, one of the reasons why responsible disclosure is so important. In this instance, that 2017 malware was uploaded to VirusTotal, where it was freely available for anybody to download. So the reason why we have no attribution is that anybody anywhere in the world was able to download that malware, make a few modifications, and then launch it again in 2018 against the US.

We remember this one, right? 2016. However, did you notice nothing happened in 2018? So this is where we credit the Russians for what happened in 2016 and credit them for their attempts in 2018. However, the American flag goes up there. The US government deployed a different strategy in responding, and I'm putting this under the critical infrastructure piece because obviously voting machines aren't industrial control systems. But first, Cyber Command found the Russian agents, or I mean the glorious patriots, who were conducting these campaigns, and on their computers a message popped up that said, hi, we're the US government, we know what you're doing. Now, the problem with that is, as scary as that might be to anybody individually, that the US government is saying hello, it's not as scary as the GRU agent who's right behind you, who's like, you will continue, right?
So, all right, I'm gonna keep doing that. So, I have a phrase: a hacker can't hack what they can't touch. So, just like that, what Cyber Command did is they actually took down the entire IT infrastructure of the Internet Research Agency in Leningrad, so they weren't even able to get out. So it didn't even matter what their intent was anymore; they weren't able to effectively meddle because they were taken offline.

So, summary of what we saw in 2018. First of all, we saw more activity. Guess what happens when I do this again next year for 2019? We're gonna see more. The primary point here is that what we're seeing in critical infrastructure attacks is iterative intelligence campaigns. We don't have much proof that what is intended is destructive. What we definitely have proof of is intent to learn and to move and to continue to worm into the infrastructure. Ransomware is becoming popular. Ransomware has two benefits. One, it's destructive. Two, it looks like it's not intended. It can be destructive by accident, so it kind of questions what the intent is.

Doing one of my five-year kind of predictions, and this is gonna kind of, hopefully you won't feel bad, but we'll try to end on a positive note somewhere. At some point in the next five years, I think that somewhere in the world somebody's gonna literally wake up the next morning, they'll have come from DEF CON, they'll probably be hung over. They're gonna get their coffee, they're gonna work their way down to their car to go to work, and the second they turn on that car, the infotainment system is gonna pop up ransomware: send three Bitcoins to turn it on. I promise you, within five years, that's gonna happen somewhere in the world. I know it sounds funny, but it sucks.

Living off the land: attackers aren't bringing their own tools to the game. They are taking what's already there in that environment and using it against you.
Supply chain: just like we saw with the hack against the Taiwanese manufacturing plant, suppliers are a part of your risk model. Anything that touches your infrastructure is a part of your risk model. It's no longer just you anymore. Boo.

All right. So we're gonna quickly go through some consumer devices here. This was me last year with Yahoo Finance walking the floor of the Consumer Electronics Show, actually here in Vegas. If you think DEF CON is big, imagine six times as many people in the city. It's ridiculous. And what we saw is every device there, first of all, all of these IoT devices, everything is trying to go to the cloud. If you wanna really have fun, plug an IoT device in at your home, check the packets and see where they're going. I have not seen a single device yet that I've plugged in that is not going to China. Now I'm not suggesting that's nefarious or malicious, I'm just suggesting every single one goes to China. Wait, where are they made? And then the other thing, of course, is now we wanna talk to our devices. So these devices are always listening to you and they're always talking somewhere else. Did you know that a smart TV costs less than a TV with no functionality? Why is that? Anyone got a guess? What's that? Yes, they make money off your telemetry, they make money off your data. You are no longer just making the Devil's bargain when you're on Facebook; you're now making it when you buy a TV. You're also making it when you buy a car now. There are multiple models where the car manufacturers are looking at how and what they can take from your data when you drive your car.

So, state of affairs. This is the IoT hack I was talking about. The Russians this week just got caught by Microsoft targeting three IoT categories. I will share the lab so you can do this at home.
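The "plug it in and check the packets" advice above is the one thing in this talk that every home defender can act on. The script below is an added illustration (not the speaker's lab and not from the ICS Village): it takes constructed flow records in the shape a home router or a packet-capture summary would give you, keeps only traffic that leaves the local RFC 1918 ranges, totals bytes per device and per external endpoint, and flags any endpoint the owner has not explicitly accepted for that device. The device and destination addresses, the `EXPECTED` allowlist, and the flow format are all assumptions made for the example; the external addresses are documentation ranges standing in for real cloud endpoints.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records: timestamp, source, destination, dest port,
# bytes. This is not real traffic; the external addresses are documentation
# ranges (TEST-NET) used as stand-ins for vendor cloud endpoints.
SAMPLE_FLOWS = """\
2019-08-09T07:00:01,192.168.1.20,192.168.1.1,53,120
2019-08-09T07:00:02,192.168.1.20,203.0.113.10,443,5120
2019-08-09T07:00:05,192.168.1.20,198.51.100.7,8883,2048
2019-08-09T07:01:00,192.168.1.31,192.168.1.1,53,90
2019-08-09T07:01:01,192.168.1.31,203.0.113.10,443,1500
2019-08-09T07:02:00,192.168.1.20,192.0.2.44,443,40960
"""

# Hypothetical allowlist: for each local device, the external endpoints the
# owner decided are legitimate (e.g. the vendor's own cloud). Anything else the
# device talks to is reported for review.
EXPECTED = {
    "192.168.1.20": {"203.0.113.10"},
    "192.168.1.31": {"203.0.113.10"},
}

# Local address space. We deliberately do not use ip_address(...).is_private
# here, because Python also classifies the TEST-NET documentation ranges used
# above as non-global, which would hide our sample external traffic.
LOCAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_local(addr):
    """True if the address belongs to one of the home network's private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def parse_flows(text):
    """Parse CSV flow lines into dicts; malformed lines are skipped, not fatal."""
    flows = []
    for line in text.strip().splitlines():
        parts = line.split(",")
        if len(parts) != 5:
            continue
        ts, src, dst, port, nbytes = parts
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "port": int(port), "bytes": int(nbytes)})
    return flows


def external_destinations(flows):
    """Map each local device to {(dst, port): total_bytes} for non-local traffic."""
    summary = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if is_local(f["dst"]):
            continue  # DNS to the router, printer traffic, etc. stays internal
        summary[f["src"]][(f["dst"], f["port"])] += f["bytes"]
    return {dev: dict(dests) for dev, dests in summary.items()}


def unexpected_egress(flows, expected):
    """Return (device, dst, port, bytes) for every endpoint not on the allowlist."""
    findings = []
    for dev, dests in external_destinations(flows).items():
        for (dst, port), nbytes in dests.items():
            if dst not in expected.get(dev, set()):
                findings.append((dev, dst, port, nbytes))
    return sorted(findings)


if __name__ == "__main__":
    for dev, dst, port, nbytes in unexpected_egress(parse_flows(SAMPLE_FLOWS), EXPECTED):
        print(f"{dev} -> {dst}:{port} ({nbytes} bytes) not on allowlist")
```

The point of the allowlist is that the first run of a new device produces a list of endpoints you then have to decide about; once you have accepted the vendor's cloud, anything new that shows up later is exactly the kind of change worth a second look. Resolving the flagged addresses to their owner (whois, or GeoIP if you want to check the "everything goes to China" claim for yourself) is a separate step left out here.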
It'll show you how to find them and how to deploy proof of concepts. If you don't want to write your own proof of concepts, just go to GitHub and type in IoT PoC or IoT vulnerability. There were 28,000 commits as of the last time I looked. So, free code out there to do it. Who patches their devices at home? No, it'll work. I am not suggesting you do that on anything other than your own equipment in your own house, right? Let's not break the law. But Microsoft caught them. We don't know what the intent was, because they weren't able to laterally move to their targets of interest, but they were able to get there, and then they started employing traditional implants, IT implants, to move further.

All right, so in IoT, other than the lateral vector, which I just mentioned, we see pretty much three common attacks. The first is what I like to describe as the Brian Krebs attack. This is Mirai, where we saw a million devices harnessed to take him down, and it worked. I mean, there was nothing anybody could do against that. These devices by themselves, not a lot of computational power, not a lot of bandwidth; times a million, that's a lot. Ransomware we already described. And then, depending on whenever John McAfee tells us something is unhackable in Bitcoin, that drives the prices: cryptojacking is stealing your cycles to harvest coins.

So, the first problem we see is two kinds of attacks that are primarily out there in the wild. One is the Mirai type attack. Something like 90% of all IoT devices are shipped with about 10 different combinations of user IDs and passwords. All I gotta do is try them. That's how Mirai got millions of devices, that was it. Anything it saw, it just tried those combinations. Do you think they even lock you out after three? How many people in this room monitor the devices on their own network at home? Yeah, right? So, and you're not doing it in real time, so you're not gonna stop me before I get there. So, I can brute force that.
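The speaker's point about Mirai is that the attack is nothing more than a handful of factory credentials tried against every device it can reach, and that nobody at home is watching the login attempts. The detection below is an added example, not part of the talk or the take-home lab: it parses constructed syslog-style login lines from a device, counts failed logins per (device, source) inside a sliding time window, records which usernames were tried, and, most importantly, reports whether a success followed the burst, which is the difference between a noisy scan and a device that is now owned. The log line format, hostnames, addresses and thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in the shape a small device or a syslog
# forwarder might emit. Not real logs. The first source sprays a few common
# usernames and then gets in; the second is an ordinary user who fat-fingered
# a password once.
SAMPLE_LOG = """\
2019-08-09T07:00:01 camera01 login: FAILED login for admin from 198.51.100.7
2019-08-09T07:00:02 camera01 login: FAILED login for root from 198.51.100.7
2019-08-09T07:00:03 camera01 login: FAILED login for admin from 198.51.100.7
2019-08-09T07:00:04 camera01 login: FAILED login for support from 198.51.100.7
2019-08-09T07:00:05 camera01 login: FAILED login for user from 198.51.100.7
2019-08-09T07:00:06 camera01 login: SUCCESS login for admin from 198.51.100.7
2019-08-09T07:30:00 camera01 login: FAILED login for alice from 192.168.1.50
2019-08-09T07:31:00 camera01 login: SUCCESS login for alice from 192.168.1.50
"""

# Assumed line format: "<iso-timestamp> <host> login: <FAILED|SUCCESS> login for <user> from <src>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) login: (?P<result>FAILED|SUCCESS) "
    r"login for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_log(text):
    """Turn matching lines into event dicts; lines that don't match are ignored."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Flag (host, src) pairs with >= threshold failures inside window_seconds.

    Each finding records how many failures that source produced in total, the
    usernames it tried, and whether a SUCCESS from the same source arrived at
    or after the start of the flagged burst.
    """
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["host"], e["src"])].append(e)

    findings = []
    for (host, src), evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        recent = []        # failure timestamps inside the current sliding window
        users = set()      # every username this source tried
        flagged_at = None  # start of the first burst that crossed the threshold
        for e in evs:
            if e["result"] != "FAILED":
                continue
            users.add(e["user"])
            recent.append(e["ts"])
            # Drop failures that fell out of the window relative to the newest one.
            while (recent[-1] - recent[0]).total_seconds() > window_seconds:
                recent.pop(0)
            if len(recent) >= threshold and flagged_at is None:
                flagged_at = recent[0]
        if flagged_at is None:
            continue
        success_after = any(e["result"] == "SUCCESS" and e["ts"] >= flagged_at
                            for e in evs)
        findings.append({
            "host": host,
            "src": src,
            "failures": sum(1 for e in evs if e["result"] == "FAILED"),
            "users": sorted(users),
            "success_after": success_after,
        })
    return findings


if __name__ == "__main__":
    for f in detect_bruteforce(parse_log(SAMPLE_LOG)):
        tag = "COMPROMISE LIKELY" if f["success_after"] else "scan"
        print(f"{f['host']} from {f['src']}: {f['failures']} failures, "
              f"users {f['users']} [{tag}]")
```

Five failures in a minute is a deliberately low bar, which is the right choice for a device that only a couple of people should ever log into; the usernames in a finding are themselves a signal, since a burst of generic accounts like `admin` and `root` against a camera is the signature of a credential sweep rather than a forgotten password. On a real device the fix the talk implies is to change the factory credentials and, where the firmware allows it, enable lockout, so that the same log shows five failures and no success.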
More complex is Reaper, or IoTroop. So, I just talked about the number of commits on GitHub that provide these kinds of proof of concepts. What they did is they went and found 65 proof of concepts, all n-days, and of course we're not patching these. And all they did was, at every device they went to, they enumerated it, aka fingerprinted it. I know exactly what this device is. I match it to my catalog of exploits and I'm in. Those are the two primary campaigns we've seen. That's all it takes.

Oh, this is kind of a fun one. So, one other example of lateral movement is, did you know a casino here in Las Vegas was compromised by a fish tank? So, I believe you were the one who said remote administration? Yeah, so they had a vendor who had remote access to monitor the temperature of the fish tank. Popped the fish tank. Once they were in the fish tank, they looked around, moved in and robbed the casino. We think that was the Iranians.

So, references for more info, of course: my non-profit, the ICS Village, the IoT Security Foundation, and I Am The Cavalry. Come look for me on Twitter at BrysonBort. That's where the GitHub is published if you wanna do the take-home lab, so you can do your own compromise and movement on your own devices. Any questions?

Bryson, do you have those congressional people talking about what you alluded to earlier? Yeah. You also alluded to data from TVs, vehicles, et cetera, making the vendors money. Are you having any discussion with those congressional people about consumers getting value from their own data? So, the question is, where companies are selling out our data, am I educating Congress on that? Yes.

All right, well, thank you. If you haven't seen the CTF or haven't seen the ICS Village, go check it out. Appreciate your attention.