WBUR Podcasts, Boston. This is On Point. I'm Meghna Chakrabarti.
In 2021, Zaki Manian needed help building his crypto finance startup.
At the time, he'd had trouble finding competent coders with years of experience in blockchain development. But one freelancer stood above the pack, and his resume showed an extensive work history. So Manian hired him.
And then he brought on someone he said he had worked with, and collectively they were able to do the work. You know, I would frequently have to, like, meet with them late at night because they said they were in Singapore, but they were quite technically competent.
Because of the time zone differences and pandemic-era restrictions in Asia, Manian never saw his new hires in person.
But nothing seemed out of the ordinary. You send them chat messages late at night. You tell them what deadlines need to be hit. They try to hit them. They get stuck. You try and help them. Like, you know, it's like having any sort of, you know, mid-level contractor that you hired anywhere. Like if you hired someone in India or you hired someone in China or you hired someone in Vietnam, your interactions would be very similar.
The freelancers eventually finished the work and got paid. And after that, it wasn't something Manian gave a lot of thought to until two years later, when an email from the FBI landed in his mailbox.
Turns out those two workers were not from Singapore. They were from North Korea. And they were funneling most of their salaries into North Korea's weapons program.
It was worrying because, like, you were worried that you broke the law. You didn't know what consequences there were there, what other collateral consequences there might be. You were worried about reputational consequences.
The FBI investigated. The Treasury Department subpoenaed Manian's company...
Ultimately, though, the company was not penalized and the code that they created still works safely. But that didn't prevent many of his colleagues from viewing his work as tainted.
Part of the dream of cryptocurrency was we're trying to build a global system that like anyone can contribute to. So you could be like, you know, it shouldn't matter what school you went to. It shouldn't matter what country you live in. Like that was the whole point of building this thing like that. And I think what we've seen with North Korea is enormously taking advantage of those values, enormously taking advantage of like the idea of an open Internet.
These North Korean IT worker scams are not just in crypto. The FBI says they've infiltrated hundreds of Fortune 500 companies. According to a report from the United Nations, the fake employee program earns Kim Jong-un's regime between 250 and 600 million dollars per year.
Workers are often under duress by the North Korean regime. They're forced into cramped office conditions where they're constantly monitored. And they also work grueling hours and must fulfill strict income quotas.
Manian says now, when a job applicant makes it to the interview stage with his company, he asks them to perform a very specific task.
At this point, it's become so absurd, you know, that it's like just normal when you're interviewing anyone basically you've never met in real life to basically be like, type in "Kim Jong-il is fat" and, like, push enter, and like, this will eliminate 100% of the North Koreans. But like, so like for us, you know, I'd say the screening process is just like now an annoyance and inconvenience. You feel bad for the...
In Manian's case, that screening he does eliminates almost half of the applicants.
This North Korean IT worker scam is part of a recent uptick in cybersecurity threats from state-sponsored actors. Some researchers show a 47% spike in cyber attacks just this year. We're only halfway through the year. High-profile hacks have seemingly hit every part of American life.
A China-sponsored hacker gained access to Treasury workstations and documents earlier this month.
What happened at Fall River schools is in fact a ransomware attack, and the FBI is involved.
Multiple sources have shared a pop-up message with me where the health care network was given 72 hours to contact the group behind the attack and negotiate.
And I don't mean to alarm you, but we are in the midst of a national emergency because Krispy Kreme online orders were disrupted in a cyber attack. We can't let hackers take our donuts. They already have our cookies.
Funny, but also very serious, because these threat actors have been so successful. They're even starting to infiltrate the people who have the most experience dealing with cybersecurity threats: cybersecurity companies themselves.
So this hour, we're going to talk about the ever-changing world of cybercrime and how companies can and must protect themselves from new generations of foreign threats. And Tom Hegel joins us. He's a distinguished threat researcher with the prominent cybersecurity company SentinelOne. And recently, SentinelLabs published an article titled "Top Tier Target: What It Takes to Defend a Cybersecurity Company from Today's Adversaries." Tom, welcome to On Point.
Hi, thanks for having me.
So has SentinelOne itself been the target of cybersecurity attacks?
Yes, absolutely. We receive attacks from all types of adversaries. And the North Korean threat has been one of the most interesting that we've observed over the last few years. And that's ultimately seeking to get inside jobs, similar to the previous cases you've already mentioned.
Okay, so tell me more. Why do you think that the North Koreans want to get inside a place like Sentinel?
Yeah, absolutely. So you have to remember that the North Korean cyber domain is quite complex and intertwined between multiple objectives. Now, the IT worker scheme where they're trying to get inside jobs, get salaries, the primary objective there is for funding the regime's cyber and weapon program.
Now, when you start to involve additional targeting of trying to get inside jobs at very strategic organizations, be it banking, large cryptocurrency organizations or cybersecurity companies, the objectives start to blur.
So these organizations within North Korea, they intertwine so much with various missions. And when you start to look at the targeting of these more top tier targets, that's when we see the objective shift potentially towards long-term espionage, supply chain intrusions into our customer networks, and things like that. So it complicates it. And you have to remember that this is a very individualistic organization... approach that they have to take. But ultimately, it depends on the scenario. What can they do to benefit the most from each victim? And they'll try various things to try and make the most money or most impact for the regime.
Right. And just to be clear, I mean, just to put it in layperson's terms, trying to infiltrate a company like SentinelOne would ostensibly also give those attackers access to the very software that you are creating to keep other companies secure. Right?
Yeah, absolutely. So we were successful in stopping any of their attempts to get in. Very happy to say we stopped 100% of them even trying to get in. But the interesting piece is North Korean threat actors have a long history of doing very much what you just explained, which is what we call a supply chain intrusion, where they compromise or get access to the insides of one organization and then abuse that access to get into a separate organization. So there was a case just a few years ago where an entity very closely intertwined with the IT workers group out of North Korea performed multiple layers of supply chain intrusions, where they compromised one organization to get into a separate organization to get into a third organization, for the final goal of financial theft through cryptocurrency. So very strategic, long play missions here.
Wow. Okay. What I'd love to do is spend a little bit of time sort of talking through each of the different kinds of attacks that SentinelOne itself has rebuffed. Because as you said in the article that you published, it's very unusual for a cybersecurity company to even talk about the fact that they themselves have been targeted by international, especially state-sponsored, hackers. I mean, why did you decide to write up this article and just talk about the fact that it had also happened to you?
Yeah, that's a great question. And I would say we're in a unique position within my team, which is SentinelLabs. We're focused on the ultimate community benefits of our research. So day-to-day, we track adversaries of all types, and that includes defending our customers, defending our own organization. But instead of turning around and trying to monetize that, our goal is to turn around and try and impose some sort of cost on the actors themselves, to make it more difficult for them to do what they're doing, and try and directly help impacted organizations. So in cases like this, where we see them coming after us, it's kind of like the goldmine for allowing us to collect the most valuable cyber threat intelligence that you can. As a target yourself, you get really interesting perspectives of their capabilities, their persistence in trying to get in, and so forth.
The ultimate goal here is to share more widely. We do a lot of collaborating under the table with our partners across the industry, public and private sector. And when it comes to releasing things publicly like this, it's kind of just like waving a flag, being like, everyone needs to pay attention to this. This is a huge problem. And cybersecurity vendors have a history of being very quiet about the things they see unless it's strategically beneficial to them. So saying we are a target is kind of raising that flag to be like, everyone else is likely a target too.
And not only a target, but it seems like most other companies would have a more difficult time in understanding when, or the volume of attacks that they're experiencing, versus SentinelOne, who this is like what you do.
Exactly. Yeah. This is what we do. So we tend to be a little bit more successful in stopping it and even being able to identify it overall. You know, we can have applicants and we can collaborate with our partners across the industry and get really high confidence on the exact locations of these applicants and the attribution of the efforts. But if it's an everyday organization, small business, or even just like an IT consulting company or crypto company, the chances of them being able to link it to North Koreans, or just the IT worker scheme in general, is in many cases nearly impossible. So, yeah, it's kind of like raising the flag, trying to show everyone this exists and give people the opportunities to try and catch this stuff.
Yeah. Well, when we come back, we're going to talk about exactly the kinds of attacks that you've noticed and how they work and how people and other companies can protect themselves from it. So, Tom Hegel, stand by for just a second. We'll be back. This is On Point.
Job applicants from North Korea. I have to say, it wasn't until recently that I heard that this was even a phenomenon.
But in your article, you said that there were early reports that drew attention to these efforts and to the infrastructure that the North Koreans use to get the jobs and to launder the money that they're earning. But you said neither gave a sense of the staggering volume of ongoing infiltration attempts: "This particular vector far outpaces any other insider threat vector we monitor." So how many fake North Korean job applicants have you received?
Yeah, it's a great question. So SentinelOne in particular, as one target in this case, we have a history of about... two or three years of very clean attribution to North Korean applications, in the numbers of about 1,000-plus applicants. And the unique personas around each of those applications is around 350. So you have about 350 fake individuals applying for thousands of jobs for our organization alone.
Okay, so fake individuals. So these are like entirely fabricated applications, resumes, pictures even? Like, how fake are we talking?
Yeah, they will go through any means possible to have a very realistic picture. And that includes completely fabricating names, emails, resumes, or just going to straight up stealing it from public individuals that are out there that may not be aware of it. So forged identity documents, forged resumes. We've seen cases where they're using AI tools to generate resumes specific to this application. So it's all forged to make them look as great of an applicant as possible for that role. And it works quite well.
And I presume they're also masking sort of the origin points of the information they're sending you.
Yeah, absolutely. A lot of it they tend to reuse, which is, to be honest with you, an interesting way of how we do a lot of the linking of a lot of these different personas back to North Korea. They reuse a lot of attributes about it, and it's an automated toolkit to ultimately get these names in the resumes, get fake phone numbers, and they're using tools and technologies that kind of muddy the North Korean link, but also make it more difficult for us to see where it came from. Sometimes they will just go and copy a name of a well-known individual, though.
Okay. And then they're also oftentimes using each other, these fake personas are using each other as references.
Yeah, absolutely. It's not uncommon for one persona or one individual to get into an organization and for them to attempt to hire more colleagues out of North Korea. And we've also seen cases where they try and contact employees of organizations that are openly trying to recruit and get referrals.
Okay. I'm going to ask you a little bit more about the other things they do because you talked about how the adversaries adapt to the friction they encounter. But hold on to that thought for a second. Okay.
It occurred to me that I keep calling them fake. I mean, so the personas are clearly fake, right? You just described how. Not in SentinelOne's case, but I'm thinking back to the blockchain example we had at the top of the show, when they're actually, in his case, they were actually hired and they did the work, right? So in that case, the work wasn't fake. It's just the person who was doing it was fake. I mean, I'm just trying to understand, like, what to call these attempts, right?
Yeah, you're not alone in this kind of being very confusing. So it's important to remember that when one of these individuals gets hired, it's in the application process and the interview process. This is often done by multiple individuals that work as a team that are specialized in that task. So after the fact, when they're hired, it's usually managed by multiple people that are technically capable and trained from a young age to be able to do that task. Typical software engineering, IT work, engineering, etc. So you have a legitimate, technically savvy individual working for you. Now, how they're abusing that access is a whole different story. But yeah, you're looking at multiple individuals just to get into a single organization.
Okay. And then also you write about how it's not just the personas of the individual applicants, but there's a sort of this sprawling network of front companies, of fake front companies. What is that?
Absolutely. And this is where it gets really messy, because when you have to pay these individuals, or money comes into the equation here, how does the money get from a U.S. company back to the North Korean regime? So they go through multiple money laundering attempts. And this is a very dynamically evolving process for the regime. So these front companies, we wrote about a lot of them being based in China. The FBI has seized these front companies in some cases, their websites, their infrastructure, and they just pop up like crazy. So what you're seeing here is an individual that claims to be an American or is working for an American company. They're getting paid into a bank account, and that bank account transfers it to, like, a bank account in China or a cryptocurrency firm. And then it goes through multiple hops. And these front companies are used to both launder the money to eventually get it back to the regime, but in some cases have another persona as an organization, like a consulting organization rather than an individual. So back to that main point I mentioned earlier: this is all so dynamic and so individually operated that you see a lot of experimentation, a lot of creativity in how these things operate.
Is that what you're talking about in the article when you say the way they adapt to the friction they encounter?
Absolutely. It's just like when we raised the flag with this article saying, here's how we see them. We see an immediate shift. We know they watch what we're talking about, and they use our tools, they test our technology, and they're using that to quickly adapt, because it's an endless cat and mouse game with these guys, as with any cyber actor. Whatever we do, they are going to react and try and make it more difficult to catch: new techniques, new methods, and so forth.
How did you determine that there were a thousand fake applicants coming from these 300-ish personas?
Yeah, I'm really lucky to have a great team of individuals whose careers are based on how we can track these personas through different means, different technology sources like emails, open source intelligence around location data, network traffic. So it's a long history of tracking one persona that we're really confident on and seeing how they shift and what they link to over the years. And this is all not possible without the partners in the public and private sectors that work tirelessly to disrupt these guys under the table, outside of public view. So there's a lot of collaboration, but there's a lot of really skilled individuals that this is their careers, to focus on tracking these guys.
Okay.
I want to put a pin in that, because for companies that are not SentinelOne, like, okay, you could buy a cybersecurity firm's products for sure, but I'm thinking that there's a great associated cost with being the victim of these kinds of increasingly sophisticated attacks. But, Tom, I just want to take a moment to talk about how there are also sort of links to this activity on U.S. soil, because scammers will sometimes recruit Americans to build laptop farms to assist these overseas IT workers that are posing as U.S. citizens. Elizabeth Pelker is a special agent on the FBI's Cybercrimes Task Force. And she talked about this during a panel discussion at an IT security conference on April 28th.
Generally, these individuals have been recruited online to just host these laptops, thinking that the overseas actors are kind of based in China and they're just kind of doing these guys a favor. It starts with maybe one or two laptops, and then we'll see upwards of 90 laptops at one person's residence.
Tom, can you talk about this? I mean, so they're also recruiting Americans to go to Micro Center and buy a bunch of laptops and just, like, plug them in for Chinese use?
Yeah, it's a surprisingly successful way for them to appear as U.S. based. So, and this is one of those things that makes it even more difficult to defend against these as a corporation in the United States. How do you detect these if they're already inside your network? So what we're seeing here is these North Korean operators, when they get hired, they have to use the corporation's, the victim's, equipment. In many cases, they're getting, like, a corporate laptop. And that corporate laptop has typical security controls on it that need to be used to access that company's network. You know, you get hired for a job, you're using that company's equipment. So when they get hired, they have a proxy entity that they pay within the U.S. We see it in Europe as well. It's not just the U.S. And they pay those individuals to just basically plug the laptop in. Let us use your internet connection, and everything we do from North Korea is going to hop through your home network to that laptop. And then the laptop looks like a U.S. based individual to that corporation. So basically, they go through ways of trying to recruit individuals to this. Some know they're working for North Korea that have been caught. Some might not know. They might just be technically illiterate, that just don't see the risks and sketchiness of the whole thing. But it's a very successful way for them to, from a technical perspective, appear that they are based in the location of the employee rather than China or North Korea.
Okay. In the "news you can use" category, folks: if someone seems to send you an innocuous request to buy a bunch of laptops and plug them into your home internet, you should probably alert authorities about that.
Definitely.
So the fake personas was just so fascinating to me, Tom. I'm sorry I spent a lot of time on that. The other one which I think most people have heard of is ransomware, right? And you talked about that in your article too. And it just seems like, year after year, we see this exponential growth in ransomware attacks, and successful ones. And so SentinelOne has even been, has detected attempts at ransomware coming up against your own company?
Yeah.
So the interesting thing about the ransomware part is, rather than ransomware attempting to be used against our organization, that is more so attempting to test our ability to defend against that organization, to help defend our customers. You know, our product is deployed on machines worldwide, and these ransomware operators are encountering our product and want to know how to bypass it so ransomware can run. So what we ultimately see is them trying to get access to our product for testing, detection evasion, and, you know, basically trying to white glove a scenario, looking like a legitimate business, to try and get access to a product. They'll attempt to purchase it. They'll attempt to gain access to it illicitly through, like, stolen product from other victims. But yeah, the ultimate goal in this case is to look at our product and see how they can avoid it, how they can successfully infect people that are using it to defend themselves. So it's another cat and mouse game, but yeah, they're trying to avoid getting caught.
Okay. And you mentioned something called Black Basta. Can you talk about that?
Yeah, it's ultimately another one of the many, many ransomware clusters of activity. Ransomware is interesting because you think of like a group of hackers using ransomware. That's kind of how it started is like there's this group of close-knit individuals that work together to create this malicious software that infects people and holds their network to ransom. And then that same group demands a ransom and makes the money.
Nowadays, what we see are what we call ransomware as a service, where we have one group of individuals create a product that is used to deploy ransomware or manage ransomware infections, and they sell it to whoever's going to pay.
So I, as an individual, can go and buy a ransomware tool that works very, very well and deploy it to whatever organization I want. And then that ransomware operator makes a little bit of a cut out of it, but I get the money, and I operated the infection, I operated the payment coordination, and so forth. So it's a whole complex economy of trying to make money, and it's working incredibly well. But again, just like the North Korean stuff, this is another adversary that is evolving based off of new ways for us to catch them and track them. It's an endless cat and mouse game.
Wow. Okay, so we've been focusing on North Korea a lot, but is it fair to say that behind this there's also state-sponsored activities coming from places like China?
Oh, 100%. Yeah, we... Many... On my small team, we have a long history of tracking specific Chinese state-sponsored entities that are using ransomware as a distraction to very strategic espionage and collection against government, private sector, across the world. So we see ransomware used for financial gain by individuals, but it's also an amazing way to cloak your true intentions and attribution to very strategic, politically motivated intrusions across governments, critical infrastructure, and anything you can imagine.
Tell me more about that. I'm not quite sure. So it's like the ransomware isn't actually the point. The point is some sort of deeper kind of espionage?
Yeah, absolutely. So amazing examples existed in the Ukraine conflict. When that conflict kicked off, it's a really good example to show multiple intentions of malware. So we saw cases where malware that was deployed in an attempt to hold networks ransom appeared, tried to appear, as financially motivated operators. But the goal was to just disrupt operations of that victim and never actually try and facilitate ransom and restoration of that company. So modern day today, like more recently, that's exactly what's kind of going on, as we see this Chinese espionage group whose objective is to either, like, steal intellectual property or gain access to telecom communications. They'll go into this network, and they will deploy this ransomware that they purchased from somebody like Black Basta or anybody that is well known. And they'll deploy it widely. And that organization is in complete chaos. There's machines for all 30,000 employees all shutting down. Operations are going offline. At the same time, this very, very technically skilled organization out of China is going through and pilfering out this very valued data that they've been seeking for years.
I see. Okay.
So, Tom, when we come back, we've got to talk about, well, what to do to defend against these very creative and sophisticated cyber attacks. So that'll be in just a moment. This is On Point.
In a world of automation, is it pretty safe to say that in some sectors, let's say like the tech sector, that these fake job applicants are coming into like, what, I don't know, like almost every job that gets posted?
Yeah, great question. We see them basically apply in an automated fashion at mass scale. So if you are a company that has jobs hosted online that you can apply remotely from, and those jobs are technical in nature, and it's a remote job, they will often apply. So we see them apply almost...
And not just in the United States, right?
That's correct. The start of this, right around the pandemic, was predominantly the United States. And I think we have caught on to it quite a lot and have made some significant strides in disrupting those efforts in the United States. And since then, they have moved throughout Europe. And they've moved out of just IT software engineering. And now they're doing a bit more, like, consulting in terms of, like, graphic design, CAD engineering, anything on the technical level that they can do remotely with success.
Wow.
Okay, so Tom, hang on here for just a second, because let's listen to a bit from Brett Winterford. He's vice president of another big player in the cybersecurity industry. It's called Okta Threat Intelligence. And he's been following foreign hacking campaigns for years, especially from North Korea.
We're learning about this as we go forward. And the sophistication of their scams is pretty surprising. I think it's a bit dangerous for anyone to assume that they haven't been touched by this threat at all, particularly in the technology sector.
And Winterford says the newest threat is AI, which can craft convincing resumes, cover letters, headshots.
So let's say they want to go for a job as a full stack developer for a particular company. What they'll do is they'll actually advertise precisely the same role, but it's a fake role, in order to take in CVs and cover letters from legitimate job applicants and use that as a training set to then identify what are the kind of features or traits in a job application that are likely to be successful at at least getting past the first stage of most recruitment, which is automated applicant tracking systems.
I don't know. You kind of have to give them credit for being that creative, creating a job posting to get data on what kind of applicants would want that job. Now, Winterford says it's important for hiring teams to be aware of red flags when, of course, screening their applicants, such as if they refuse to be on camera or won't show an ID card, or if they have answers that seem a little too scripted.
If the candidate's face for even a second flickers in such a way that it looks like it could be digitally altered, and they refuse to hold their hand up or an object up in front of their face, that is a very good sign, because the deepfake technology at this stage, it's very noticeable if you ask the candidate to put their hand in front of their face, and you'll be able to tell that there is a deepfake overlay.
So that's Brett Winterford, vice president at Okta Threat Intelligence. Okay, Tom, so what else should companies do on the job applicant front to screen out potential bad players?
Yeah, it's an ever-evolving effort for sure. As AI technology, as Brett just explained, quickly evolves, ways of catching them are rotating on a weekly basis. So some of the more interesting ways of filtering these individuals out that we've seen are just kind of optimizing.
operating with a sense of skepticism of why they're applying, communicate with them exactly why they're applying. If they can't be specific in terms of what they applied for, that's another interesting thing. But from the visual perspective, you obviously have the face mimicking, like Brett explained, using AI tools and so forth. The interesting thing is
These are all remote jobs. So if there's ever an opportunity to ask them about the location they're at for specifics of what they recommend in that area and so forth,
they will tend to not have an understanding of the source of their application process. If they're saying they're from Boston, they very likely will not have any concept of local details of Boston. But these are all games, in my opinion. These are all very temporary, interesting things to go about, the way of catching them. Yeah.
Reminding that these are all remote jobs, the number one way that we've caught them if they've ever attempted to get even close to a job is asking to meet in person. If they have the ability to fly them into the location, or visit somebody that's at that location in your employment already, having somebody vet them physically and that they actually exist is the easiest way to get past a lot of these games for sure. But yeah, you have to be careful because
everything they're doing evolves. So now, this hand-waving thing in front of your camera, they're going to come up with ways to avoid that, or being able to say anything malicious or, you know, offensive to the regime. Those are short-lived techniques of catching them. So you just have to be thorough: references, lots of vetting, lots of confidence building, clear communication, and don't just hire without being able to even turn on a webcam. Right. Okay.
So it actually seems very plausible to me, even if expensive, that when you get to a sort of final group of applicants for a job, a company should consider, like you said, flying them in IRL, I can just put it that way, and see if this person exists. But then again, I can already imagine that, well, maybe they're not going to send someone from North Korea. But as you talked about sort of the international nature of these scams, they could just fly someone else in to be a fake person. Right.
Yeah, yeah, exactly. There's, there's going to be some scheme. If you're that strategic of a target for them, they're going to put in significant effort to get past a lot of that. Yeah. But, you know, I think another important piece is to not forget that these, um, these individuals that are applying tend to reuse or try and have the same face for the interview, for the in-person meeting, for the jobs. So, you know,
See what they look like at each stage of the interview, if they're the same person, if the voice changes and so forth. But yeah. OK, so let me ask this, though, Tom, given not just the political environment we're in, but I'm thinking of, you know, the companies that firms like yours serve in terms of providing cybersecurity products. I mean, this seems like a national security issue as well. Right. Absolutely. And so why not take the next step? It might seem extreme, but why not say, well, job applicants have to be based in the United States, even if they're working remotely?
Yeah, it's a very tough problem to solve. And it's very difficult to tell a small business that they have to hire a US-based individual to do their engineering. Just like at the top of the hour, when you mentioned that there was an individual that needed kind of some cheap labor to be able to develop a product. It's very expensive and very difficult for these small businesses in the United States to be able to justify that, out of this potential threat that it could be an adversary. They're a small business. They're trying to just save the pennies rather than worrying about national security. So it's tough. And I think a lot of it tends to be knowing that this threat exists, and knowing the risks of not properly vetting your employees is critical. You know, if this individual at the top of the hour was held accountable for funding the regime, that's a very, very big problem for that individual. Luckily, it didn't happen in their case. But at what point does the blame shift from the adversary to U.S. companies to do proper vetting of these people that they are hiring and paying in U.S. currency? I guess that's a question for lawmakers and lawyers, right? Yeah, exactly. But you're raising a really important point here. I completely hear you about small businesses. So they can do as much as they can to vet their employees, but at a certain point, there will always be cracks in the system. I mean, it sounds like this is yet another kind of arms race going on. SentinelOne will continue to get better and better and better, but so will the hackers. Yeah.
Absolutely. Yeah. And this is the goal of a lot of our public and private collaboration on these fronts. You know, we might have the intelligence on the many, many applicants that are out there that use these emails that are reused across many organizations, or these same personas. So for these small businesses that are using these job boards and so forth, we might not be able to go to every small business and help them defend themselves, but we can go back to the technology that that small business uses to defend them at that level. So rather than stopping the job application, let's go to the email that that fake applicant uses and get them shut down at the email level and disrupt them there. And then ultimately it's provide our intelligence to the people that can go and knock on doors and try and make a difference at that level, like the government. Okay, so this is a perfect segue to another thing that Brett Winterford at Okta Threat Intelligence told us. I mean, because we asked him what can government agencies like the FBI do to help private companies combat these foreign cybersecurity threats. I think the US government has done a great job historically on disrupting
cybercrime ecosystems, ransomware groups, etc., with some of their offensive security capabilities. And I guess my message is that we need those individuals in the U.S. government that are doing that super important work to feel supported and to be resourced appropriately given the magnitude of the threat. So, Tom, specifically, what would you like to see happening
being further resourced or made more vigorous in terms of government investigation or regulation? Yeah, it's a great question. And a lot of it comes down to greater coordination and resources to the specific threat in mind. Over the years past when cyber threat intelligence really kind of kicked off, the predominant topic was Chinese intellectual property theft.
And nowadays, it needs to shift more towards insider threats of North Korean individuals just because of the pure scale of this activity. So greater collaboration between public and private sector. You know, we are SentinelOne. We will openly share and privately share with our business competitors and governments that are friendly to us and so forth. So if there's a way to collaborate, to make impact, we need to do more of that. And that includes collaborating with and forcing large technology companies that don't work in cybersecurity, like email, telecom, to also help make an impact, or be required to make an impact, when we identify malicious activity domestically within our own countries. Tell me more about that. What do you mean? That would be things like if they have social media profiles, LinkedIn profiles, Twitter accounts, these companies should be responsible for properly disrupting those accounts to stop those personas from further abusing it.
Think about things like email. A lot of these applicants will use specific email providers that and they'll just go and make thousands of these fake emails and then use those to apply for these jobs. If we're tracking these emails, let's go to that email provider and they should be forced to shut those down when there's evidence that they are being maliciously used.
And that collaborative effort needs to be very fluid, needs to be very quick. And that's ultimately how we defend these small businesses that are getting attacked and have no idea that's even happening is we stop them at the application process before they even
have the opportunity to target these small businesses. Okay, so then what you just described, that process of the tracking, for example, and then bringing that evidence to a large email provider, is that not already part of the culture of cybersecurity and companies and their clients writ large? It is in a way, but it's not formal enough to make a very, like, recurring level of success. A lot of this is based off of heroes in these individual tech companies that are just going outside their box to be able to make an impact.
There are great teams. Like, you look at Google's Mandiant team. They do amazing work at tracking this and collaborating at this level. But then there are other organizations that these operators are using that also have really well-known email services. And those are organizations that aren't really inclined, because they're not required legally, to collaborate or disrupt or share intelligence back.
So it depends on the organization, but a lot of this is based off of just really lucky teams within these larger corporations that are just kind of going outside their capabilities to be able to make this happen for us. Lucky meaning what? Like they're lucky that they get to do the work or they're lucky in terms of what they find? Yeah.
They're lucky in ways that they're not constrained by legal requirements, by their own legal staff, in addition to having access to the right data. The bigger the corporation, the more difficult it is for these researchers to be able to see the data, because of privacy restrictions and so forth. Or they're not allowed to share with others in the industry that they know this email address that's abusing their service is tied to this actor.
So there's a lot of hesitation, restrictions internally in the corporation. And then culturally, you also have to mention that, like, this is happening in the U.S. and across Europe; there need to be cultural barriers kind of broken down to make this happen.
Well, Tom Hegel is the Distinguished Threat Researcher and Research Lead with SentinelOne. It's a prominent cybersecurity company. And Tom, it's been very fascinating speaking with you today. Thank you so very much. Thank you. It's been a pleasure. I'm Meghna Chakrabarty. This is On Point.
Support for this podcast comes from It's Revolutionary, a podcast from Massachusetts 250. Listen on for the story of one drag king's self-expression, pride, and transformation in Northampton, Massachusetts. You're listening to It's Revolutionary, a podcast celebrating 250 years since the shot heard around the world was fired right here in Massachusetts. I'm Jay Feinstein.
From revolution to revolution, we're exploring the people and places in Massachusetts that shape America. Today, we found ourselves in Northampton, Massachusetts, home of some pretty rad rainbow crosswalks. They're nothing small. They're pretty, it's a pretty chunky, very obvious rainbow.
That's Ross, better known as the drag king Victor Evangelica. I carry the spirit of Victor everywhere I go. He spreads the good word. I met up with him at the Cafe T-Roots on Main Street, the city's main drag, to talk about how Northampton might be revolutionary as an oasis of queer life.
I want to make sure they know that they can bother us for food. Of course, after we ordered some delicious food. Oh, thank you so much. Oh, that looks so yummy. And he said revolutionary doesn't even begin to describe Northampton. You know, this is a place where Sojourner Truth lived, Frederick Douglass visited. There is a long history of people who have been critical to our culture,
understandings of the human experience and people's struggles that have found refuge in this area. Revolutionary War veteran Daniel Shays, best known for Shays' Rebellion, lived around this area too. And today, Northampton continues to be an oasis for artists, queer people, and anyone who might not have somewhere else to go. You know, it's a very zany population here, I'm very proud to say.
It's a place he feels he can really be himself. The queer joy and honestly like self-expression that I can have here is something that I genuinely feel it's some of the best in the world. This is like one of the best places in our world to be queer.
I think about that and I think about the struggles I still face and sometimes it's disheartening, but it's also, it brings me so much joy that there is such a resilient group of people around here who are very friendly, you know, want to help you. If you talk to somebody about confusing parking meters in this area, somebody's going to help you out. If you talk to somebody about where's this thing or that that's a local, they're probably going to know where to point you and what's the best place to eat.
And he's right, it was Victor's suggestion that brought me to T-Roots in the first place. But I was also in town to see Victor perform, where he dressed up in a costume made of wires and chains and Super Nintendo cartridges. One of the parts of the big reveal is I take off this, like, inhibiting jacket made out of wires, and I shed these things, and I'm able to move more freely throughout this number, and...
show people that act of transformation and freeing yourself from that kind of personal bond you might have. I mean, it just sounds like it gives you a level of joy. I'm just watching the smile on your face as you describe the character. Yeah, I kind of do a lot of 80s riffs that are nostalgic for me, just based off of what my parents were into a lot growing up. And that's really what makes me
feel the most at home I feel and is the easiest for me to fit into. It's a lot of fun. So that night we joined an eclectic crowd in an arcade called The Quarters to see some drag.
Before the show, we caught up with a few audience members. Yeah, what are you hoping to see tonight? Craziness, fun, queer love, joy, you know, that kind of thing. Most of the time, there's usually a drag show happening somewhere. So whether it's like here, a couple towns over, there's usually like some place to go to see it. I just love drag as an expression of...
like individuality and what people can do with their craft and their skills. It's fun to see how creative people get with it. I mean, the way people do their makeup and what they wear, it's amazing to see people just go up there and just be their authentic selves. And being authentic is what it's all about, says Victor. The best drag that people see is truly reflective of people who know themselves and...
reflective of people who are so proud of the person that they are that they're able to go on stage and serve a fantasy. And he sees drag like that and art like that all over the Northampton area. I think when you get people who can live as their authentic selves as an area, you get
art. You get people who are doing things for real. And I'm, you know, I really do think about it all the time. Like, I don't think there's anywhere else I could have lived my lived experience and do what I do besides Massachusetts. It's Revolutionary is a podcast from MA250. For more stories, check out Massachusetts250.org or WBUR.org slash MA250.