Specials & Interviews / Amit Serper Interview – Holiday Special Episode
It’s the holidays and everyone’s on vacation - but the Internet never rests and neither do the bad guys in cybersecurity. So, for this holiday special, we figured we’ll air an interesting interview we did a few weeks back with Amit Serper, Principal Security Researcher at Cybereason, NotPetya vaccinator, and former cyber warrior for the Israeli government.
Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, created the popular Israeli podcast, Making History, with over 10 million downloads as of Aug. 2017.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.
Many of you may have already heard of Amit: he is the researcher who made headlines last June, 2017, when he found a workaround solution that disabled the infamous NotPetya Ransomware. Amit is a long time hacker and spends most of his time reverse engineering malware. Prior to his current position in Cybereason, Amit was a member of an Elite cyber unit in the Israeli government.
[Ran]: Hi Amit.
[Ran]: Introduce yourself.
[Amit]: My name is Amit Serper. In the past three years, I’ve been working as a principal security researcher at Cybereason and before that, I was a security researcher for nine years at a certain government intelligence agency in Israel.
[Ran]: And what drew you to information security?
[Amit]: I started messing around with security-related stuff when I was – I want to say like 14 or 15. I really liked taking apart stuff and understanding what makes software work the way it does. I also – I think the year was 2001 in Israel. Back in the day, they were rolling out the infrastructure for a fast internet service. Back then it was on cable and basically they were looking for beta testers and I was lucky enough to be selected.
So at the year 2001, I basically got an uncapped cable connection.
[Ran]: Pretty rare back at the time.
[Amit]: Yeah. At the time, yeah, and I had a bunch of – I think I had three or four servers in my room where I grew up at my parents’ house. I had my computer and then like another three or four computers running Linux, Windows, BSD and I was selling hosting services from my bedroom when I was 15.
It was an interesting time because totally by accident or totally by chance, I found out that I can see all the traffic that my – all the traffic of my neighbors because of the way that the network was built. So I could basically just open up like a sniffer.
[Ran]: Snoop all the packets and see what’s going on in the network.
[Amit]: And see what’s going on. I then wrote the cable provider an anonymous letter, telling them that the engineering job that they did wasn’t that good. That was arrogant 15-year-old me.
[Ran]: It was true probably.
[Amit]: Yeah, it was true. We fixed it. Yeah. I just kind of rolled with it and then when I was 17, I got – you know, in Israel, the army and all of that. I started to get letters from different units. They wanted to interview me because that’s how they roll and I’ve done a bunch of interviews for a bunch of units and then eventually I ended up doing my military service at the Prime Minister’s Office and then after I finished my military service, I stayed there. So in total, I was there for nine years.
[Ran]: And you describe yourself as back then being a nation state hacker.
[Ran]: Actor, sorry. And I mean you were doing that as a sanctioned soldier of the IDF. You were a formal soldier. But now, the – let’s say the way things are going as we go on year by year, that some nation states such as Russia and China and North Korea are actually using civilians as kind of proxy when working with hacking groups and they are in a sort sponsored by nations. So how do you see these kinds of relationships? I mean they are actually doing probably much of the same work that you used to be doing maybe. But you were a soldier. But now there are civilians. Is there any problem that you can see with that sort of arrangement in terms of the day to the day operations?
[Amit]: It’s an interesting question. I mean personally, I think – I mean I don’t know how things work in Russia or China or whatever. It’s usually Russia when this attribution of like groups – they’re not really part of the whole nation state thing. It’s groups. They’re basically like proxies. That’s what’s always on the media.
Personally, I don’t really know how it works. However, it makes sense that – especially Russia and everything is based on things that I read on the media. I’m not an expert –
[Ran]: We don’t know what goes on behind the scenes of course.
[Amit]: Yeah. But a lot of people are saying and people that know way better than I am, they say that the mentality is very different and the way that things work in those countries is very different than what we know from the US or like more Western countries.
[Ran]: What about the quality of work that you think can be expected from these actors? Really I’m talking about the quality of software tools, methods of work, when they’re talking about civilian hacking groups that you cannot really control that well when you employ them as kind of proxies, as opposed to people in – who are in your service, your soldiers. I think they should be very different qualities and methodologies – or is it quite the same?
[Amit]: Well, I think it very much depends on whoever is doing the work. You could have groups within a nation state actors that – you know, not doing a very good job and you can have groups that are outside of the nation state theater, so to say, but they are really good. I mean in my work today, I reverse engineer a lot of malware and I look at a lot of attacks. I’m doing a lot of post-mortem analysis or sometimes even – you know, we catch an attack while it’s actually happening and what’s called an interactive attack or like someone on the other side actually like –
[Ran]: Real time.
[Amit]: Real time working on his keyboard and owning some machine and some organization, which is our – basically our customers. You see a lot of interesting things. Like we’ve seen an APT that was attributed to – I think it was China and we saw clearly that there were two groups in there involved in this attack. One of them was – let’s call it like the battering iron, right? Like what penetrates the door and gets people in and then there was another group that once the first group got them into the network, they started spreading all around and use completely different tools. The level and the quality of that work between those two groups was very, very, very different. It’s like one group was like using publicly available tools, doing a lot of mistakes, like not typing the right commands or like typing in with mistakes. It was really interesting to see that and the other group was like, you know, a bunch of ninjas.
So I think that everywhere – I mean it’s only the employer. If you work for some sort of a nation state actor, I think that today it’s just an employer. You have good people. You have less good people.
[Ran]: While you were looking at the attack, working against the attackers, could you speculate while examining their actions, behavior, which were nation state proper and which were like civilian hackers employed by the government or is it – you can’t really tell?
[Amit]: We based our assumptions based on the tools and the TTPs, the methods that were used throughout the attack. About that case that I’m talking about, it was a breach against – a very large company in Asia was breached and we were there when it happened. As I said, we saw everything happening in real time and we had no doubt that it was a nation state sponsored attack because of the target. Our customer was a very, very high valued target. They knew exactly where they were going on in the network. They had all the intelligence about it, which is the way that these attacks work.
Like you usually have a lot of intelligence about the structure of the network, where all of the assets that you want to access – you know, what’s important basically? Then the hackers themselves are taking this intelligence and going the right way.
We saw that happening in that attack. Like there was no doubt. The data that they were going after, the way that they were basically taking a leisurely walk around the network, as if it was their own network.
[Ran]: They knew exactly the topology, the architecture.
[Amit]: Yeah, they knew everything and I remember one conversation we had with one of the people that are in charge of security in that company. We were like, hey, we can see that they’re using this password to access some resources. Do you recognize this password? And they’re like, “Oh my god. We changed this password yesterday,” and we’re like, “Yeah, you should be pretty worried right now,” and they’re like, “Yeah, we are pretty worried right now.”
So you could see it by the way that the attackers basically knew when – owned the network. Sometimes they knew the network better than the people who actually owned the network.
[Ran]: From your experience generally talking, without exposing of course real world customers, what are nation state actors looking for? What sort of information are they looking for when breaching companies?
[Amit]: OK. So for example, let’s assume that you own a large – let’s say a large supermarket, a chain of supermarkets, right? In wherever you’re from. So let’s say that you’re an American and you own – I don’t know. I think about a local network like Starmarket, right? It’s a large chain of supermarkets that feeds a lot of people. Let’s say that you can cause chaos, so that people won’t get their food. Or you know what? Maybe a supermarket – actually let’s not use this example. I have a better example.
Let’s say that you have a company that provides cell service, right? You’re AT&T and although AT&T is – you know, it’s a big company. But like it has so many customers and so many people relying on their service that it’s – it’s a critical infrastructure, right? If I can as an attacker, as a nation state attacker, if I can control AT&T’s switching network or I can bring it down maybe or I can track its users or listen on their conversations – so this is a really interesting target.
[Ran]: You mean not only during war times but in the day to day.
[Ran]: Just having that information –
[Amit]: It’s a platform for espionage. We’re both Israeli. I don’t live in Israel anymore. But like when I still lived there a few years ago, I remember in one year, two of the largest cellular providers in Israel suffered – yeah. Suffered massive downtime. One of them was down for like more than a day. So that’s more than a day – you know, more than a million people couldn’t use their phones and if I recall correctly, what happened there was that the – I forgot the name of the component in the network. It was basically the main switching unit was down and I have the conspirative mind and I don’t think that main switching units and the major telecommunications provider stop working just because.
Like there has to be something fishy around it. Then it happened to another provider about eight or nine months after. I think it was 2013 and like – I remember saying to myself like this is not happening in a vacuum leak. There is something there, like two major providers suffering the exact same problem.
[Ran]: But we never got any confirmation, government or otherwise, that there was any attack against them.
[Amit]: Would you expect them to say? Oh, yeah, we –
[Ran]: To say that an attack was absorbed and we learned our lesson. Why keep it a secret?
[Amit]: That’s a good question. Personally, you know, as a customer, I don’t know which of the truths is better. I don’t know if I want to hear my provider saying, “Oh, yeah, we were breached really bad. We were owned, but like we’ve learned our lesson. We’re OK now.” How can I trust them?
On the other hand, if I have a weird feeling, like a sort of a gut feeling that they were breached and they’re not telling me, what are they hiding?
[Amit]: So it’s like Schrödinger’s cat or something, Schrödinger’s breach.
[Ran]: I mean based on – of course it’s all – I’m not trying to speculate, but critical infrastructures in the US. We’re talking about electricity, water, nuclear power plants, whatever. What are the chances that they have been already breached and penetrated by Russia, China, whatever?
[Amit]: Well, again, I don’t really know about what’s going on in the US or in any other place. But I wouldn’t be surprised if there is some sort of an agent installed on one of the computers or networks that control the water, electricity, at least in one state in the US, because –
[Ran]: It’s probably that it –
[Ran]: At least in some cases, that –
[Amit]: Yeah. It’s very probable because the thing about cyber and like it’s a big word. Cyber-warfare, which personally I dislike. But the thing about cyber is – and also it’s a cliché. You know, when – in the old times, olden days. You know, in order to hurt your adversary, you had to have soldiers or operatives in the field or you had to blow up a power plant or blow up a water treatment.
[Ran]: Physically harm the facility.
[Amit]: Yeah, like physically put a bomb and make it go boom. Today, you just put a bunch of really smart people in one room. You tell them this is what we want to do. This is the target. You have infinite budget. Do whatever you want and that’s what I know. Once you are targeted by an entity that’s backed by a nation state actor, we used to say in cyber – we used to say penetration is inevitable. Like you will get owned. You will get hacked. It’s just a matter of time. The success rate is 100 percent.
[Ran]: When we’re talking about critical infrastructure, do you think based on your experience that putting smart people in the same room is enough to cause real damage or does a nation state need to actually have people on the ground, intelligence operatives, gathering information that maybe isn’t available via pure cyber warfare methods? Do we need some physical access to the system when we’re talking about critical infrastructure?
[Amit]: So I think it all depends on your target. But let’s – let’s think about it. Let’s say that I am a nation state attacker, right? I want to gain access to a network in some sort of – I don’t know – a power plant or a very sensitive – a sensitive nuclear power plant here in the state of Massachusetts where we’re at now, right? Let’s say that the people who are in charge of physical and information security in that facility, they did a good job, right? Their network isn’t connected to the internet. It’s very hard to physically get there. But what if there is one disgruntled employee that you can take advantage of, right? That’s called human intelligence.
You talk to him. You do some social engineering on him. You tell him – I don’t know. You find some – you find everything you can about him and then you find what his weak spots are. Like, where is his weakness? I don’t know. Maybe he has a gambling problem. Maybe he has – and you use that and you say, “Well, we know you have a gambling problem or we know that you’re like in debt. We can take care of that. But we need you to take this thumb drive and put it somewhere.”
[Ran]: In the machine somewhere, yeah.
[Amit]: And then –
[Ran]: Not too far from what the KGB was doing in the US like 50 years ago.
[Amit]: Yeah. And those things always work. So sometimes, yeah, while your target isn’t easy to get to – through the cyber stuff, through the internet or through some other network, there’s the human factor and it’s always like – it’s a problem between chair and keyboard. There’s always the human in the middle where he has feelings and you can social engineer him. You can affect him. You can manipulate him into doing something and then all you need him to do is just put this thumb drive in there. Once he does that, then you can access the machine.
Again, theoretically. But intelligence – and, you know, this world of spying and nation state actor, it’s like it’s very dark. It’s very morbid. It’s not all about – it’s not always a bunch of really smart – it’s not just about really smart people sitting in a room. There’s also people that talk to people and make them do stuff so that the bunch of the smart people that are sitting in that room somewhere could actually do their thing.
[Ran]: It’s an organization that works together.
[Amit]: Yeah. Yeah. Sometimes you have boots on the ground and sometimes you have millions and millions and millions of dollars invested in an operation. Cyber operations are not only about cyber and they are so complex and so elaborate and they take years sometimes. You talked about Stuxnet and again, this is all based on public information. It took years. It was a gigantic project and this is only – Stuxnet is public. There are more operations that happened that we don’t know about them. We might never know about and those things take years out of other people’s lives.
You know, development and testing and exploitation and research. It’s a lot of work.
[Ran]: That brings me to another interesting question. For example a few years back, two years back, I think Ukraine suffered an attack against its power grid. It got some great publicity about it. I remember I mean reading about the incident of the lengths that the attacker went to, to penetrate the system, et cetera.
Then the electricity was restored within I think six, seven hours because basically the end of the chain of technology, there was a manual switch and someone went with a car, drove there with a car, pulled the switch up and electricity restored. So maybe you want more than – maybe you are overestimating the importance of cyber operations in terms of what they really can do, what damage they can cause to a country. Nobody has – at least as I know, nobody died of a cyber-attack and although it is a very sophisticated attack, the damage was relatively contained in all of them. Are we overestimating cyber?
[Amit]: I don’t think so and also nobody died. That depends on how you define a cyber-attack because let’s say that a cyber-attack was used to gain intelligence about the whereabouts of certain people that certain nation states want them – wanted them dead.
[Ran]: Their location, whatever.
[Amit]: And a bunch of smart people sat in a room, hacked to one guy’s computer and knew that he was going to be at this street at this time. I don’t know. Two hours later, a bomb was dropped in that building and erased it from the face of the earth. Was it a cyber-attack that killed someone or was it a rocket that killed someone or was it both?
So I don’t think we’re underestimating it and again as I said, I think that it is the most efficient tool that a nation state has because it’s a bunch of people sitting in a room. You don’t need – in most cases or – you know, or even if you have boots on the ground. It’s not dangerous. There aren’t any weapons involved. No live ammunition. So it is –
[Ran]: Less risky probably.
[Amit]: Yeah. And that’s like – it’s such a cliché but that’s like the battlefield of the future. That’s like the sexy thing that thought leaders like to say. It’s the battlefield of the future. But I really do believe that – and we’re there. I almost said this is where we’re going. But Stuxnet was seven years ago. Yeah. That was so sophisticated and happened almost a decade ago.
So like think about where we’re at now. Last summer in Black Hat 2017, I saw a talk about one of those attacks in the Ukrainian – I think it was the Ukrainian power grid, by a bunch of guys from ESET and another American – I think called Argos and it was the both of them. It was a bunch of researchers from that company and a bunch of researchers from ESET and it was probably the best black hat talk that I’ve ever seen where they actually demonstrated and showed videos of what happened throughout this attack. You could see there that the attackers had – and again, if I recall correctly, the attackers had complete control over some physical switches.
There were a few switches. The attackers flipped them all down and while the technicians in the power plant went – physically got up their seats and went to flick those switches back up, the attackers took over their machines and they showed a video. In the talk, they showed a video of like the mouse moving by itself and like things are written on the screen.
They basically took advantage of them not being present next to their machines and then they took over their machines. They showed how they did it and again you said no one died. What if a hospital lost its power? Then people die and then it’s a cyber-attack that killed someone and WannaCry.
When WannaCry happened, the NHS, the British NHS, the National Health Service of the UK, suffered a massive hit from WannaCry. Maybe people died. I don’t know because of that. Like honestly, I don’t know. But like if a doctor has to administer some kind of medicine to a patient, even in an ER. You know, there was a car accident. Someone was shot. I don’t know. And this guy is being brought to the hospital and it’s an emergency. They need to check his records if he has any allergy for whatever it is they’re going to give him and the doctor is locked out of his machine. People can die.
[Ran]: We should also remember a thing that in an actual war, there won’t be only one attack. It will be many attacks in parallel. So we’re talking about no electricity, no cell phone availability.
[Amit]: Maybe no water, maybe no traffic lights. I don’t know. All of those things are critical infrastructure.
[Ran]: This brings me to another interesting question. I mean lately we were talking about the US versus North Korea for example and this is a good example of non-symmetric cyber-warfare. I mean here we have the US cyber superpower. I mean the NSA, lots of budget, et cetera. We have North Korea which is basically a small, poor country. In these kinds of conflicts in cyberspace, right? Who has the upper hand technically speaking? I mean is it the super power who has lots of budget, lots of tools whatever, but is very vulnerable because its infrastructure is totally dependent on technology or maybe the smaller state is more vulnerable because it has less sophisticated tools, yet maybe there’s not so much things to attack?
[Amit]: Yeah. You actually hit the nail on the head when you asked the question because you say you have the US. You know, lots of budget, lots of different agencies doing cyber stuff and then you have North Korea, a poor country. But the citizens of North Korea are poor and hungry. The military is well-fed. Their security researchers are well-fed and well-equipped because all the money that the country has goes to the nuclear industries and, I don’t know, security research, right?
So that group is well-equipped. It’s the people, the citizens. You know, your average North Korean Joe who is very hungry and very poor. So the term “asymmetrical” is also kind of weird in that aspect.
[Ran]: Is it not so asymmetrical as it is in the physical world for example?
[Amit]: Maybe, maybe. Like I remember when I was doing my service in Israel. We saw our adversaries. Like the progress that they made was exponential within months. Like we saw – I remember looking at one malware. That was 2007 and it was pretty lame. Like it wasn’t even trying to hide itself. The way it was connecting to the outside world and to its command and control service, it wasn’t even encrypted.
[Ran]: Naïve attack.
[Amit]: Yeah. The next version that they released three months after, a world of difference and that’s the thing about cyber. A rocket or a missile or a bomb that is created today and the next iteration of it in three months will not have so – it won’t have exponential process in its development and its features. But in this field, it’s completely different and you have so –
[Ran]: Things are moving faster.
[Amit]: Yeah, and you have so many talented people. It’s crazy. I’ve been doing this – like I will be turning 31 in December. I’ve been doing this for the majority of my adult life, more than probably I want to say half of my lifetime since I was 15 and about a year and a half ago, I was still in Israel. It’s cyber – we did some mentoring for some high school kids and I saw two 17-year-old girls working on one of the challenges, opening IDA Pro, which is a disassembler. You take a compiled file. You load it into IDA Pro and you see the assembly code and you can – if you can read assembly, you know what the program does and disassembling the challenge was completely unnecessary, yet the two young 16 or 17-year-old girls opened IDA Pro and they finished the challenge before it even started because they were thinking outside of the box and they were so damn good.
I stood there and I was like, “Oh my god. I need to learn from them,” and they were like half my age because they were so talented and you have more and more talented people because today, it’s so easy to learn and there’s so much talent out there and I didn’t have YouTube when I was 15. But they had it and there’s so much stuff on YouTube for free. Just learn.
So the progress and the growth and it’s just exponential. It gets better or harder. It depends on how you look at it every month. So –
[Ran]: So who’s growing faster? Who’s moving faster, the attackers or the defenders?
[Amit]: I think the attackers.
[Amit]: Because an attacker only needs to be right one time and as a defender, it’s hard. I work for a company that makes a cyber-security product, a product that was meant to defend you and my job as a security researcher is – I wrote a lot of malware and a lot of attacking tools to test our own system against them. So on the defending side, I need to cover every aspect I can think of when I’m building capability to defend a computer, right? So I need to find all the possible ways the operating system could be compromised.
But an attacker only needs to find one that works and speaking of asymmetrical and that’s the challenge.
[Ran]: So maybe these sorts of conflict, they are – the smaller nations do have relatively – I mean big power compared to what they would have if you’re talking about physical warfare.
[Amit]: Yeah, maybe, because as a small country, I don’t know, your air force or your artillery or your infantry or whatever, they might be ill-equipped. They might be untrained. Their equipment might be obsolete. But if you put the budgets, if you aim the budget towards – I don’t know, teach people C and C++ and reverse engineering and buy them good computers. It’s cheaper than a tank and the effect is – in today’s world, maybe a computer is stronger than a tank. It’s such a cliché. Like I feel like throwing up in my own mouth just saying it. But it’s like – it’s the bits of ones and zeros. Maybe they are more lethal than a bullet or a bomb.
[Ran]: But there is something that a big superpower has that a smaller one doesn’t and that’s the capability of actually using the information gained from cyber-operations or even cyber-operations as part of a physical attack. To give you an example, Israel struck a Syrian nuclear facility 10 years back I think it was.
[Amit]: 2007, yeah.
[Ran]: 2007. And part of that attack according to all the sources, the public sources was an earlier attack or a parallel attack on the capabilities of the defenses of the Syrians and that’s maybe – you know, something that’s lacking in – when you’re talking about weaker countries, they can’t capitalize on these kinds of benefits of the cyber-operation maybe. Is that important?
[Amit]: How do you think that they were able to jam their air defense system? That was a cyber-attack too. So we’re always coming back to this point and yes, what – if we take Israel and Syria, Israel obviously has a superior military force than Syria. Even though Israel is a tiny country and Syria is much bigger, Israel’s military force is stronger. But what if the Syrians had a good cyber capability and they could stop all the stoplights in Israel or – I don’t know – mess with the water supply or –
[Amit]: Yeah, or maybe it was them that killed the phones for two days, right? That’s powerful too and it’s not always about who drops the biggest bomb because if you drop a big bomb, you end it. It’s like you end it. It’s a bomb and that’s it. It’s done. But I also think that it’s not about the destination. It’s also about getting there. So OK, so Israel will drop the bomb and that’s the final word. But until Israel dropped the bomb – and theoretically, right? It never happened. But until Israel dropped the bomb, it didn’t have traffic lights for three days and water supply was interrupted and the cell phones were down. Did it cost damage? Yes, of course. We had to resort all the way to drop a bomb on another country. Again, theoretically never happened. But it’s just – it’s food for thought. I think that we’re going there and I’m not an optimistic person. I’m a cold-blooded realist and it kind of scares me. Seeing what I see today and the things that I saw back then, it’s scary. It’s like it’s fun and games when you work at it and it’s a job. Like for me, it was a job. Like after the first month, I was like yeah, it’s a job.
But once I – and I was there for so long. Once I left and like I started seeing things from a different angle, like when I saw our clients getting hit by APTs, it was like that’s not funny. That’s not –
[Ran]: There are real implications of what they’re doing.
[Amit]: Yeah. People in the Ukraine didn’t have power for a few days and it’s – I think it was in the winter. It’s cold. It sucks.
[Ran]: That’s an interesting note to kind of finish the interview. Kind of pessimistic but that’s the reality.
[Amit]: I’m sorry. I’m like the worst guy in a party.
[Ran]: Thank you Amit for a very interesting conversation.
[Amit]: Thank you for having me.