
EXCLUSIVE: Ep. 41: Rounding up a cyber posse for Ukraine

DINA TEMPLE-RASTON: America has been concerned about destructive cyber attacks for
decades. The obvious solution has always been for Washington and tech companies to
join forces in some sort of public-private partnership.

ART COVIELLO: We've been talking about it since 2003 when Richard Clarke had the first
strategy to secure cyberspace in the US.

TEMPLE-RASTON: Richard Clarke was on the National Security Council during the Bush
administration. And the idea does have a certain logic: The National Security Agency and
Cyber Command often have intelligence about attacks either before or while they are
happening, and cybersecurity companies have the tools and expertise to block them. Even
so, the idea never really got off the ground.

COVIELLO: It seemed like every six years there was another effort to get it going again.

TEMPLE-RASTON: That’s Art Coviello. He used to be the CEO of RSA Security, a network
security company that was all about encryption. Now he runs a venture capital firm that
invests exclusively in cybersecurity companies.

So six years pass. Enter the Obama administration:

BARACK OBAMA: We meet today at a transformational moment — a moment in history
when our interconnected world presents us, at once, with great promise but also great peril.

COVIELLO: In 2009, Obama did a 60 day study…

TEMPLE-RASTON: A 60 day study to look at public-private partnerships. And then, the
North Koreans hack Sony Pictures.

ABC NEWS: Billboards once advertising the movie that took comedic aim at the North
Korean dictator now covered up. Many are asking, Are we simply giving in to the hackers?

TEMPLE-RASTON: President Obama sanctioned Kim Jong-un, did a little stealthy hack back,
and then brought a bunch of leaders from the tech world to a summit at Stanford
University to talk about, you guessed it…

OBAMA: We will strengthen public-private partnerships that are critical to this endeavor.

COVIELLO: The upshot was we should have a public private partnership, and nothing ever
happened.

TEMPLE-RASTON: And then, finally, this past February, the whole public private partnership
thing actually took off. But here’s the surprise: The government the tech world is partnering
with isn’t in Washington. It’s in Kyiv.

[THEME MUSIC]

TEMPLE-RASTON: I’m Dina Temple-Raston, and this is Click Here, a podcast about all things
cyber and intelligence. Today, what does it take to make a public-private partnership
happen?

After years of discussion, a handful of tech executives in the West took matters into their
own hands. We have an exclusive look at what they’re doing.

TEMPLE-RASTON: This feels like a cyber Marshall plan. Is that a good way to describe it?

VOLODYMYR PAVELKO: Yeah, I think… I think it is.

TEMPLE-RASTON: Stay with us.

[BREAK]

TEMPLE-RASTON: Volodymyr Pavelko was at a business meeting in the Carpathian
mountains when Russian tanks began rolling into Ukraine.

PAVELKO: February 24th, at five o'clock, I was woken up by my daughter, my elder daughter.
And she was crying. She said, uh, ‘yes, it has begun.’

[MUSIC]

[EXPLOSIONS, SIRENS]

PAVELKO: I am from Irpin.

TEMPLE-RASTON: That’s a suburb of Kyiv.

PAVELKO: You see, we have been expecting it for months already. We have been living in
such a situation for years. At least from 2014.

TEMPLE-RASTON: Such a situation. He means a quasi war footing for nearly a decade. 2014
is when Russia began the annexation of Crimea. And then, just before Christmas a year
later, Russian hackers did something no other hacking group had ever done before: They
took down a power grid.

CBS: Parts of the Ukrainian capital, Kyiv, went dark.

TEMPLE-RASTON: A quarter of a million people lost power for as long as six hours.

CBS: …with a click.

TEMPLE-RASTON: And it was the middle of winter.

[MUSIC]

TEMPLE-RASTON: Fast forward to Ukraine today.

PAVELKO: I'm trying to get warm. Yeah, no electricity.

TEMPLE-RASTON: That’s Volodymyr again; he says Americans just call him Vol. When we
first started talking to him last month, he was sitting in a book-lined office wearing a
beautiful fur-lined vest.

PAVELKO: Yeah, it’s from Carpathian Mountains from, uh, special animals. Yeah, giving
their warmth to us.

TEMPLE-RASTON: When we caught up to him again, a few weeks later, the power situation
hadn’t improved much.

PAVELKO: So we don't have, uh, electricity for 12 hours per day.

TEMPLE-RASTON: Do you have a generator?

PAVELKO: Yes, I have. But unfortunately, generator doesn't work with all electricity
equipment. So, uh, electrician, this is my second profession right now.

TEMPLE-RASTON: How are you doing?

PAVELKO: Very badly because I'm not a technical guy.

TEMPLE-RASTON: Not a technical guy, he says, which is ironic because he’s the co-founder
and CEO of a Ukrainian think tank called the Global Cyber Cooperative Center, or GC3,
which is all about cyber and technology.

PAVELKO: Which is founded in Ukraine to be connected globally.

TEMPLE-RASTON: And one of his jobs is to help the Ukrainian government partner with tech
companies to better defend against cyber attacks. The thinking over the years now was that
if Russia was willing to turn out the lights in 2015, it probably wouldn’t hesitate to do it
again —particularly now that there’s war.

[MISSILE SOUND]

TEMPLE-RASTON: Given that history, the Ukrainian government had been paying special
attention to the country's largest state-owned oil and gas company, something called
Naftogaz.

GREG RATTRAY: Naftogaz is a very large organization.

TEMPLE-RASTON: Greg Rattray used to be the Chief Information Security Officer at JP
Morgan Chase. He’s retired Air Force, and before the war he’d been working with Ukraine to
develop a cyber strategy. They were focused on how to protect infrastructure and
companies like Naftogaz.

RATTRAY: And they are a large target with significant exposure because to perform their
mission and to do it and to use technology to do so, creates a big attack surface.

TEMPLE-RASTON: In other words, if Russia were to attack Naftogaz and manage to take the
company off line, it could have enormous consequences. People wouldn’t get oil or gas or
electricity, which could explain why months before the tanks rolled in, Naftogaz was already
bracing for impact. Vol, sitting in his house in a furry vest, thought GC3, his public-private
partnership could help.

[MUSIC]

TEMPLE-RASTON: It was the Ukrainian version of one of those old Brooklyn deals: He knew a
guy who knew a guy who might know some other people who might lend a hand. It turns
out that around the same time Vol began looking for extra help protecting Naftogaz and
other critical infrastructure in Ukraine, Greg Rattray was looking for ways he could help.

GREG RATTRAY: I think the invasion was on a Thursday. On the Monday following, I started
to call people.

TEMPLE-RASTON: Greg had been working with the Ukrainians on a national cyber strategy
since 2020. So he knew people in the Ukrainian government, and he also knew players in
the U.S. cybersecurity and threat intelligence community. So he asked if maybe they could
get together.

RATTRAY: They all were very positive.

TEMPLE-RASTON: It wasn’t presented as a public private partnership as much as a call for
help: Art Coviello, Kevin Mandia, the CEO of Mandiant, threat intelligence companies like
Looking Glass and Recorded Future, software giants like Microsoft. The list of people who
said, ‘sign me up’ kept getting longer.

RATTRAY: I think it was easier because of the sort of clear transgressions of the Russians of
people's basic values for what I'm doing. It's mostly involving security companies and the
Ukraine was a place where people were willing to volunteer, you know, quickly to try to
figure out what could be done.

TEMPLE-RASTON: Did that surprise you?

RATTRAY: It, it, it surprised me in a good way. Just sort of, Greg, we're there. Let's figure out, you
know, let's figure out how to do it the right way.

TEMPLE-RASTON: They started calling themselves the Cyber Defense Assistance
Collaborative, or CDAC. And they began talking about how they could provide commercially
available threat intelligence platforms or licenses and services, and advice. So someone who
knew someone who knew someone introduced Greg to Vol. And this new cyber posse found
a partner.

[MUSIC]

TEMPLE-RASTON: And then, four months into the war, Greg and Vol found themselves
sitting around a makeshift conference table in Midtown Manhattan.

[CONFERENCE ROOM NOISE]

TEMPLE-RASTON: The view was vintage New York: Empire State Building, Penn Station,
Hudson Yards. And the roll call of attendees included members of the Ukrainian cyber
police, Ukrainian government officials and representatives from Naftogaz.

PAVELKO: There were up to six, seven people from the U.S. side, but online there were a
dozen more.

TEMPLE-RASTON: And it was supposed to be a short stop. So short that they brought their
suitcases with them, rolling them out of the elevators and parking them in the corner of the
conference room.

PAVELKO: After the acquaintances, we began to share the present situation — what
challenges do we have, and what kind of needs do we have.

[MUSIC]

TEMPLE-RASTON: One of the representatives from Naftogaz kicked it off, and his list of
particulars was dire. There were old fashioned kinetic attacks…

PAVELKO: Data centers were bombed. But after several days and when the war became
more severe, they began to expect the same in the cyber sphere.

TEMPLE-RASTON: And then there were quiet battles in cyberspace: denial of service attacks,
Russian hackers lurking in networks.

‘Have you thought about mobile data centers?’ One of the American tech executives asked.
Instead of housing your servers in a building, a mobile data center is in a standard shipping
container. Think of it as an IT center in a box, essentially. They’re harder to find so harder to
bomb.

The Mandiant representative piped up: Do you guys have attack surface monitoring, or end
point detection? That’s like a home alarm for your network…

[HOUSE ALARM]

TEMPLE-RASTON: If someone who isn’t supposed to be there breaks in, it lets you know. End
point detection tracks anything in your network that touches the internet. Sort of like
putting trip wires on the doors and windows.

The discussion continued this way for hours and it slowly dawned on Vol and the delegation
that the very thing they never dreamed could happen actually did: They threw a Hail Mary
pass and CDAC caught it.

PAVELKO: After our meeting, I felt for sure that our collaboration will come to another level.
A lot of people are standing together with Ukraine.

TEMPLE-RASTON: A few days after that meeting, Mandiant contacted Naftogaz. They offered
to take a look at their networks and what they found surprised them all.

Stay with us.

[BREAK]

TEMPLE-RASTON: Ron Bushar is a chief technology officer at Mandiant. It’s a cybersecurity
company owned by Google now. And just a few days after the New York meeting, he called
Naftogaz and asked if they’d want some hunt teams to come look at their networks.

RON BUSHAR: We wanna go find out what's happening, right?

TEMPLE-RASTON: Bushar said, given that Russia had turned out the lights in Ukraine in
2015, there was a general sense that they were probably lurking in Naftogaz networks —
possibly wanting to do it again. The trick was finding them.

BUSHAR: Let's say you have one, you know, energy sector victim. It's likely that others have
been targeted, right?

TEMPLE-RASTON: When people in cyber talk about hunt teams or doing network sweeps,
they’re talking about deploying special software programs that survey a potential crime
scene at breakneck speed.

Think of it as the cyber version of looking for signs of a break-in: Dusting for prints, looking
to see if something was stolen and, most importantly, whether anything – like malicious
code – had been left behind.

BUSHAR: And so we just do that across thousands and thousands of systems very, very
rapidly. And if we see, you know, something from that sweep, we will then pivot to that
system and then do a further deep dive of that system.

TEMPLE-RASTON: In the early days of the war, Russian hacking teams had put a number of
slow burn, low grade attacks in motion — all over the country, not just targeting Naftogaz.
They were things that were more irritating than sophisticated or destructive. Like erasing
hard drives or hobbling authentication systems so employees couldn’t log in.

BUSHAR: So what we got engaged with many of those in the early days just as a, Hey, we
need help. We need to understand, A) what's happening, and B) how to fight it, right? How
to make it stop.

TEMPLE-RASTON: Cybersecurity experts will tell you that hunt teams solve puzzles. This
thing is happening. So why is it happening and where is it coming from? And the puzzle for
Ron and the team at Naftogaz was this: The network perimeter – the walls around their
computer systems – looked solid and secure. But somehow wiper malware kept reappearing
in their systems. Passwords and log-in were being stolen. They could see it was happening,
but they couldn’t explain why. And then, it dawned on them. They were thinking about this
all wrong.

BUSHAR: You have to adopt a military mindset.

TEMPLE-RASTON: What’s different about defending computer networks during a war, Ron
realized, is that the perimeter you think you secured is always changing.

BUSHAR: In eastern parts of the country, as Russia was taking territory, they were obviously
occupying critical facilities, right?

TEMPLE-RASTON: Critical facilities like Naftogaz data centers, or local telecoms and ministry
offices.

BUSHAR: So we were able to definitively point to, you know, systems IP addresses that were
physically located in captured territory, where we were seeing these attacks coming from.

TEMPLE-RASTON: Sometimes the attacks looked like they were coming from inside
Naftogaz not because they had breached the perimeter, but because…

BUSHAR: Russia was coming from inside the building, right? Or inside the network because
they had physically captured that data center or that system so they could plug in their own
systems.

TEMPLE-RASTON: Then they could attack other parts of Naftogaz.

BUSHAR: It's almost like you’re dealing with almost like an insider threat.

[MUSIC]

TEMPLE-RASTON: So they adjusted.

BUSHAR: If you know they're about to fall, if you're retreating from a certain province, we
were starting to recommend that you start to segment those systems off of the network
before they fell into enemy hands.

TEMPLE-RASTON: Naftogaz told employees to contact supervisors if their towns were
overrun by Russian soldiers so their access to the network could be cut. And employees did
just as they were told. Vol, from the GC3 think tank, said people in towns that were occupied
by Russian soldiers would literally call Naftogaz as they were fleeing.

PAVELKO: And just five minutes after they cross the checkpoint and have to turn over their
computer they call the supervisor.

TEMPLE-RASTON: Once that kind of reporting started happening, and Naftogaz could adjust
perimeter security to reflect events on the ground, Ron said the mysterious insider threats
went away.

[MUSIC]

TEMPLE-RASTON: Of course, these are all things that you learn on the fly, in the moment.
Sometimes conflict has to happen for the creative solutions to appear in response. The
Ukrainians have been fighting a low grade cyber war with Russia for almost a decade so
they had the basics. And Greg and Vol and the members of CDAC’s cyber posse upgraded
them.

COVIELLO: Look, I mean, the Ukrainians had a capability. I mean, the fact that a lot of
companies had development sites in Ukraine speaks to the technical capability and the
education that was available there.

TEMPLE-RASTON: This is Art Coviello again, the one who has been part of public private
partnership talks for decades.

COVIELLO: They just had never had the opportunity, or perhaps the financial resources, to
invest in their own defenses as we have here in the US.

[MUSIC]

TEMPLE-RASTON: These days, more than two dozen members of CDAC convene meetings
once a week. Vol acts as a bridge between Ukrainian officials and the U.S. tech world:
Collecting lists of what Ukraine needs, presenting them at virtual meetings. And the Cyber
Posse tries to find someone who can help.

PAVELKO: Licenses, technical solutions and consultations till today on the free of charge
basis.

TEMPLE-RASTON: Back in 1948… President Truman offered a ravaged Europe a hand.

HARRY TRUMAN: As I made a statement a while ago, wars never settle problems. They only
create new ones…

TEMPLE-RASTON: That’s President Truman talking about the Marshall Plan.

TRUMAN: In Europe, nearly all the countries were torn up and devastated and destroyed.

TEMPLE-RASTON: That was largely a cash operation. The collaborative helping Ukraine now
isn’t offering money. It’s donating technology and volunteering know-how. And it all began
with a few phone calls — a guy who knew a guy who knew a guy who knew a guy in a furry
vest who knew someone else who was willing to help.

PAVELKO: The spirit, which was in the room, uh, that time, um, showed us that a lot of
people are standing together with Ukraine.

TEMPLE-RASTON: And this could be a model for public private partnerships going forward.
The question is whether you need a crisis — or a war — to do it.

This is Click Here.

[B SEGMENT MUSIC]

TEMPLE-RASTON: By now, we’ve all been told not to click on links we don’t recognize or
open email attachments from strangers. That’s cyber hygiene 101. But scammers can be
creative and crafty. Take the scam that is making the rounds now. It combines stealthy
malware with a good old-fashioned phone call.

Click Here’s Will Jarvis reports.

WILL JARVIS: John Fokker spends his days hunting cyber criminals online. He’s the head of
threat intelligence at a cyber security company called Trellix.

JOHN FOKKER: And this is a funny story and oh, she's gonna hate me for this, but this is
gonna be funny.

JARVIS: The she, in this case, is John’s mother-in-law.

FOKKER: I came to Christmas and she says like, Oh, John, yeah, I installed McAfee.

JARVIS: McAfee. It makes antivirus and security software.

FOKKER: I was like, Really? Oh, let me see. And I was like, There's no McAfee installed in this
computer. I was like, Do you have an invoice? Where did you get it from? And uh, she's like,
Here, yeah, I really paid for it. McAfee! And I looked at the invoice and I was like, this is
fraud!

JARVIS: Turns out, his mother-in-law had gotten an email — allegedly from McAfee — that
said all she had to do is call a number. So she did.

FOKKER: And obviously the person at the phone was really helpful and they did a netstat
scan and they said there was everything wrong, which was just benign network traffic.

JARVIS: But how could she know? They said it was bad, and she believed them. Then she
paid them by credit card to fix what was wrong, beef up her security, get her some new
software.

FOKKER: And they played it really well cuz it was around Christmas. And on Christmas Eve
they called her saying that there was something wrong and they need to up the license
model. She was like, No, I'm preparing this Christmas dinner. So, uh, bye.

JARVIS: John’s mother-in-law had been scammed. The story has a relatively happy ending:
They got the charges reversed, John cleaned up her computer (nice to have a cyber security
guy in the family).

But John’s mother-in-law is not alone. Old-school phone scams with modern malware mixed
in are on the rise. So much that last month, John and his team at Trellix released a report
about one of them. Something they dubbed “Bazaar Call.”

It gets its name from “Bazaar Loader” – a backdoor that’s often used to deploy malware
onto a computer system.

FOKKER: But it's very interesting to see, like, linking the call center aspect towards
deploying malware. It's humanizing it, but at the same time, it's an evolution in building the
con.

JARVIS: It begins, as most scams do, with the bait. For example, victims might get an email
from someone pretending they’re Geek Squad, saying, “Thanks for your payment!” The
invoice has the victim's email on it and a helpful number to call.

FOKKER: And certain people are very susceptible to say like, Hey, I wanna figure out how
this works. And they feel like if they call a phone number and if it's a 1-800 number, they
feel like, Okay, this is legit. I'm calling the company cuz I need to rectify this false invoice.

JARVIS: No sketchy link, nothing to double click. But when John’s team started digging into
it, following up on some of those emails and calling those 800 numbers, they discovered
that this was no fly-by-night operation.

FOKKER: It’s almost like you're looking at Oceans Eleven, when they're talking about the
different cons. And it is the same way.

[MUSIC]

JARVIS: Here’s how it works: The victim dials up a call center…

[DIALING]

JARVIS: Then, a little ruse.

SCAM CALL: You are at position two in this queue. Please wait to be connected
Customer support. Technical support, how may I help you?

JARVIS: And when the victim asks to cancel this subscription they didn’t want, the call
center says: happy to help! But then, they ask, Are you sure you wanna do that?

FOKKER: It goes through all these stages of emotions like, it's important to have security
stuff. Do you really wanna proceed? And it makes you feel — as the victim — it makes you
kind of feel that you're in control. But that's the whole art of the con!

[MUSIC]

JARVIS: Trellix wouldn’t release any of the audio they got during their research. But you can
find a lot of examples of people trying to expose the scam on YouTube.

Like this one…

YOUTUBER: it says access now. Start free trial…

SCAMMER: Yes, exactly….

But why do I have to download it to cancel?

JARVIS: The call center employee — someone hired out by the cyber criminals — tries to
work his magic.

YOUTUBER: Well, how do I, how, how do I know this isn't a scam?

SCAMMER: Everything is in front of your own eyes.

YOUTUBER: But I might be able to download this program and then you can gain access to
my computer.

SCAMMER: How it…how it’s possible?

JARVIS: How is it possible? The scammer asks. But then, he slips.

[MUSIC RETURNING]

YOUTUBER: So you do know about programs that you take over people's computers. So how
do I know this is not that?

SCAMMER: Okay. Do you want to do it? You can do it. Otherwise, no problem sir.

YOUTUBER: No, I want you to refund it and cancel it.

[END CALL SOUND]

JARVIS: The scammer hangs up.

YOUTUBER: (laughs)

JARVIS: Mission accomplished.

[MUSIC OUT]

JARVIS: As for who’s behind this, John Fokker, from Trellix, says they think there’s a link
between Bazaar and a ransomware group he follows called Conti. It's Russian.

FOKKER: I wouldn't be surprised that there's a strong former Soviet Union country and
Russian connection who are eventually behind the scenes making the play.

[B SEG MUSIC START]

JARVIS: For now, John is hoping to spread the word to watch out for Bazaar Call, and he’s
holding onto those scammer tapes for the company Christmas party.

FOKKER: We have 'em for safe keepings, and on our Christmas party, we can play them on a
loud stereo, uh, across our team.

[B SEG THEME]

JARVIS: I’m Will Jarvis, and this is Click Here.

[HEADLINE MUSIC]

TEMPLE-RASTON: Here are some of top cyber and intelligence stories of the past week:

The European Commission proposed a new cybersecurity policy aimed at helping member
states coordinate their cyber defenses. It calls on members to beef up their investments in
modern military cyber defenses. And the European commission has said it will set up
computer emergency response teams, known as CERTS, and to begin developing EU cyber
defense exercises. Ukraine, which has been battling Russia in cyberspace for years, already
has a CERT.

---
The Australian Federal Police say they have identified the hackers behind the ransomware
attack on Medibank, one of Australia’s largest insurers. The police commissioner told
journalists that their intelligence suggests a group of loosely affiliated cyber criminals were
likely responsible. He didn’t name any specific group.

Medibank said that it wouldn’t succumb to any ransom demands. Hackers appear to have
gained access to 9.7 million current and former Medibank customers, including 1.8 million
people living abroad. The data includes sensitive healthcare information for about half a
million people and the information includes details about drug addiction treatments and
abortions.

The Australians have launched something called Operation Guardian, an effort to scour the
dark web to find and identify people who are accessing the Medibank information and trying
to profit from it.

And finally, an alleged member of the notorious LockBit ransomware gang has been
arrested in Canada and is being extradited to the United States. According to a statement
from the Justice Department, Mikhail Vasiliev, a 33-year-old Russian and Canadian national
living in Ontario, is in custody on charges related to LockBit attacks.

The Justice Department unsealed a criminal complaint filed in New Jersey. DOJ said his
arrest came after a three-year investigation into the group. Vasiliev is facing a roster of
charges including conspiracy to intentionally damage protected computers and the
transmission of ransom demands. If convicted, he faces a maximum sentence of five years
in prison.

[THEME MUSIC]

Click Here is a production of The Record by Recorded Future. I’m Dina
Temple-Raston, your host, writer and executive producer.

Sean Powers is our senior producer and marketing director, and Will Jarvis is our producer
and helps with writing. Karen Duffin and Lu Olkowski are our editors. Darren Ankrom is our
fact checker. Ben Levingston composes our theme, and our other music comes from
BlueDot Sessions.

And we want to hear from you. Please leave us a review and rating wherever you get your
podcasts, and connect with us by email: Click Here [at] Recorded Future [dot] com or on our
website at ClickHereshow [dot] com. I’m Dina Temple-Raston. We’ll be back on Tuesday.
