Episode 62
Chloé Messdaghi:
On the last episode with Chris Kubecka we left off, she was in the bus with several others and they were heading towards a way to get out. Unfortunately, bombings were starting to go off in that area. They then take a U-turn to try to find a different place to get out of Ukraine. Join us for this episode. We hope you enjoy it.
Chris Kubecka:
As we were finally through the Ukrainian part of the exit procedure, and we got past this sign for Romania, that we had entered the zone for immigration there, it was kind of bittersweet because some people were obviously very happy, crying for joy, because we had survived. But at the same time, Michael got a phone call as we're in that line that the godparents of his children had been killed.
Joseph Carson:
That can be devastating. I mean, I've heard loads of similar stories and that's what's really hurting. And, just watching such an amazing people that this happening to. Yeah, it's difficult to even relate to and see how you can actually experience that.
Chris Kubecka:
Yeah. So then Frontex, which is kind of like the EU border guard, they ended up interviewing me with the remaining authorities, as to gather any sort of intelligence on what was going on on the other side. I notified them of the Wiper virus and why things were slowing down. They were like, "Oh that explains a lot." And they asked me if we had to pay any bribes, which I said no. Because they had gotten intel from some other Westerners, Americans having to pay around a thousand dollars each to get through the border.
Joseph Carson:
Okay.
Chris Kubecka:
And then they ask, how did this guy of fighting age get out? And so I explained the story and they were rather shocked because they hadn't seen any men get out. So one of the things I had promised the passengers, I had this little mini of champagne from the mini bar, and as soon as we were out we were going to have each a little tiny sip. So we ended up doing that and it also turns out that one of the Romanians with us is possibly the most famous Romanian to the point where, the SMUD emergency volunteers were like, "Can we take a picture with him?"
So that was interesting. But once we were able to get through the interview and everything, that was fantastic. We got food, we got all sorts of supplies. They even gave us a pizza, sim cards, asked if people needed rides, so some from the bus were like, "Yeah we need a ride to Bucharest." So they're like, "Yep, just jump in this car. Go, go, go, go, go." It was really great and luckily some of my American friends from this very late night call I do every week, had arranged with some of their friends in Bucharest and they got me and the other family a hotel room about an hour south of Siret, and we all took a shower, they were going to meet me for dinner but I fell asleep. I was so tired.
Joseph Carson:
After that couple of days would be severely exhausting?
Chris Kubecka:
Oh yeah.
Joseph Carson:
Not just physically but also mentally. Because lots come through your mind as well.
Chris Kubecka:
Oh yeah, definitely. And I woke up at about 2:30 in the morning local time and got a message from a friend, some former special forces friends and they were like, "Hey, we got this guy Maurice in Mykolaiv, Ukraine and he can't get out, can you help him get out?" And I was like, "Yeah sure," whoever this Maurice person was. Maurice Creek, I don't follow basketball.
Joseph Carson:
Yeah. But I think it wasn't, I remember they were in... Kharkiv or somewhere even further deep than you were. So I mean that's quite significantly closer to the Russian border as well.
Chris Kubecka:
Yeah.
Joseph Carson:
I think it was Kharkiv, wasn't it? That's where they were located.
Chris Kubecka:
Yeah. We had some people in Kharkiv, Sumy, Kherson... Yeah. And their experience was even worse because when we tried to get the people out of Kherson and Sumy, by the time they figured out what was going on, the Russians were already there because they were so close to the border.
Joseph Carson:
Yep. And they can quickly circle those towns. I mean I think Kharkiv is only 30, 40 kilometers from the Russian border, so it's quite close and we've already, quickly overtaken but it's not much time to react.
Chris Kubecka:
No, no, not at all. Especially in the case of the international students, they're not from Ukraine and suddenly they got caught up in this whole mess. Some as young as 16, some with families because they were doing medical studies there for a while, or other different types of studies. A lot of computer science people by the way, and what do you do, especially if there's thousands of you like in the case of Sumy, and the university there did not have time to react quickly enough to get people out.
Joseph Carson:
So a question, so I was recently at the FIRST conference, which is all about, it's the Forum for Incident Response and Security Teams. And so, I got to listen to the Ukrainian CERT's, their story into what happened and it was really... Listening to the things that they were dealing with in the lead up, even as early as... Even in the beginning, early January where a lot of what looked to be ransomware attacks, but as you mentioned they were secretly Wiper. They actually were not ransomware, they were ransomware in disguise, but actually they were intentionally for wiping systems. What types of services were you experiencing the impact? I remember, because when I was listening to that story from the Ukrainian CERT team, it brought back memories for me from back in Estonia in 2007. I started seeing similarities and it was very similar, you had government offices, you had the telecommunications, the news were impacted, the financial ATMs. What types of kind of services, what was completely offline and what was kind of sporadically still working?
Chris Kubecka:
Well some of the things that ended up being completely offline, and this was very unfortunate, were they ended up wiping the orphan database. So children in care, and this became really bad because there were a good deal of orphanages in Ukraine.
Joseph Carson:
Yeah. Ukraine has quite a lot, even really good friends of mine actually adopted an orphan from Ukraine, 10 plus years ago. And for those familiar with it, Ukraine does have a significant large orphan population. So it's devastating to hear that, you don't know your heritage anymore or where you came from. That can be tough on many people.
Chris Kubecka:
Yeah.
Chloé Messdaghi:
It's surrogates too.
Joseph Carson:
Yeah.
Chloé Messdaghi:
A lot of children from surrogates in Ukraine.
Chris Kubecka:
Yep. So it made it extremely difficult to get those children out of a direct fire. Even, one of the organizations I was working with was trying to arrange, putting them in care homes in Poland and Romania, et cetera. But they couldn't get over the border because unfortunately human trafficking of children had already started and that forced some of the kids and their caretakers back into Ukraine, trying to find safe areas. And, in one particular case because we couldn't get them out, they ended up going back to Mariupol. And about 50 cases were in that theater that got bombed even though they had a sign on the outside, don't bomb children inside. Yeah. And all because of a Wiper virus, they could have had the opportunity to get out and they weren't permitted. And it also led to issues, especially in the east for these humanitarian corridors. If the Russian showed up with buses, they then forced them over to the Russian side. And so there's, I think over 200,000 children who have been taken to Russia and some of them might no longer have identities and can't prove that they were Ukrainian.
Joseph Carson:
Yeah, I mean this isn't the first time this happened. Even if you hear from Estonia, there's the lost... Hundreds and thousands of trains that took people from Estonia to Siberia back in, I can't remember which years, but where people actually shipped off to Siberia to do hard labor. And it's hearing that young children don't know eventually where they've come from. It was just, it's unfortunate that in this year, in society, that those things continue to happen.
Chris Kubecka:
Yeah, no definitely. I mean it's almost as if there's these playbooks that occur when it comes to Russia. The telecom, the banking, trying to wipe identifications out any way, shape or form. Taking people, taking children, trying to affect any sort of satellite communications. That's another thing they tried to take out Zelensky's satellite communications. But the way that everything is interconnected, it ended up affecting the French space agency, a ton of wind turbines in Europe and also maritime traffic because that's one of the ways that the large vessels communicate.
Joseph Carson:
Yep. DPS and satellites. Yeah.
Chris Kubecka:
Yeah. So it affected much more than just Ukraine.
Joseph Carson:
That was one thing that I raised with NATO was that these kind of dying supply types of attacks were, and there was quite a few of them that came through, ultimately I think it was the financial sector and communications that ultimately affected, I think it was Latvia and Lithuania. And I was raising the whole article five question at the time. Eventually I do get NATO's kind of responses, especially from the cyber perspective. They did put a statement up indicating that there is a certain... It's not just a cyber attack happens in a NATO country, but it does have to have certain severity and a certain impact to society, which is where that kind of the response was. But I was glad that they actually made a response, because otherwise you're left in this gray unknown area. But, well what if we do have a cyber attack?
Is NATO ever going to respond? But they kind of clarified that it was all about the severity of it and the impact it... And also intentional motive as well would've also had to be there. But you're absolutely right, I mean that's... A question for you as well, because I was going back and forward and there was the community response was also, whether this was a cyber war and the feedback that I got that it was, there was cyber elements but it was much more of an information war. It was more about propaganda, was more about altering the truth. What was the feeling that you had? Was it an information war or did you see more of a cyber perspective?
Chris Kubecka:
Well I saw both. And definitely there was a lot of misinformation going around. I remember we were at a hotel in Bucharest and I think the second or third day that we were there, one of the hotel clerks made this flippant remark to me that only the wealthy people were able to get out of Ukraine. And I had been warned by my Romanian friends, this is what was going around on Facebook and it was complete BS. And I told the lady, "So you think that the family that's staying with me is so wealthy, they only have a bag of clothes between them?" But these were the types of things that were not only hitting into Romania but also Bulgaria, Hungary, it was particularly bad, Poland, et cetera, and Moldova. And when I was in Moldova last month, I went between... was it last month? God, I'm losing track. Between Moldova and Transnistria and there was a ton of it going around.
But at the same time, whilst I was in Moldova, there were some very interesting things going on. Moldova is not an EU or NATO member, but they were getting hit with suspicious ransomware attacks that were actually wiping things, even though there's a law that was supposed to establish the CERT team in Moldova, the previous leader was pro-Russian. And basically inside information decided since "Russia would never attack us," to not actually build up that CERT team properly and give them the resources they needed. So that was very problematic because Moldova barely has an army, much less cyber defensive capability. And then, when speaking with friends in Romania and also the NCSE Romania, it had gotten so bad in Romania, a NATO member, that they had to shut off access to government websites to anyone who was not physically located in Romania. And they were getting hammered, absolutely hammered.
Joseph Carson:
It's the same as what happened in Estonia 2007 was the only way we could... At least maintain the severity happened for about two days in a row, that things were down to the same point. The ATMs couldn't get cash, websites were all flying, internet was slow. The only way to regain control was to really cut off the outside of Estonia is, any inbound connection was severed. It means that if you're in Estonia, you could actually access other sites around the world. But if you were in let's say Finland or Sweden, you couldn't access Estonian sites. And that's definitely, I mean that's one of the responses that I've seen and it seems that even today it is the way to at least maintain some type of control, if you are being bombarded. And especially not just Wipers but DDoS attacks, which also have been probably one of the most popular techniques that's been used.
Just looking at here, I think the cyber attacks that we use for things like phishing was actually (I've got a list here) it was like over 300 phishing attacks, malware distribution, DDoS, exploiting vulnerabilities, current compromise and network compromise. And they were targeting the telecommunication IT infrastructure in Ukraine, energy sector, commercial, financial, military government. So that's what you have to deal with, especially all of those types of industries being impacted. And these are not just impacting government sites, these are citizens services that you can be very dependent on today.
Chris Kubecka:
Yeah, exactly.
Chloé Messdaghi:
Question for you, how can the cybersecurity community help out on this front? Because that's the one question that everyone keeps asking and it's usually like, "Oh you could donate," but there's other ways I know. What are some ways that people can get involved?
Chris Kubecka:
Absolutely. So one of the things I've noticed, at least here in Europe that they've been trying to get for instance security researchers involved is, if you happen to see something going on in Ukraine, for example, doing what I would say a proactive non-destructive scan because we don't want to add any extra traffic and burden to Ukraine. If you happen to find open systems that shouldn't be or things of that nature, get the information in a secure and encrypted manner using PGP keys to your local country's Computer Emergency Response Team or EU CERT.
Joseph Carson:
Absolutely. And a question, one of the things I find, and you mentioned earlier Chris as well was the open source intelligence community. I find, for me, I find that fascinating when people were looking at pieces of information on social media and going through the process and I just... Some of the techniques was just impressive and how much the open source intelligence community were really verifying what was being spread.
I think for me, that was one area that I find interesting was definitely a way of finding out a picture or media or news, whether it was real or not. And going through the details and process of verifying the location, the timing, the knowledge, the signs, the shadows of the determining the time of day or the angle of what the picture was taking. I find that area was really, and we mentioned was that also kind of watching the process has been fascinating. I think that's definitely one area, I think the community can help is just going through and if they see something is trying to verify the origin and the source of if it's truth or not. Because I think that's where definitely information war, that's where it's damaging is people's minds being turned. And if you can really find the source of the truth, I think is critical.
Chris Kubecka:
Definitely. Another way that the OSINT community has definitely helped my efforts out and the efforts of groups that I work with is, in some of the cases we have had situations where we've been asked to help evacuate a family and it turns out it's not a family, it's actually Russian troops there to kidnap our aid workers and demand ransom. Or, because a lot of NGOs, their main focus is helping people, not cyber security, they might not know how to. We've also had situations where there were real families, but Russian troops got to them first and they were found murdered.
So another way that people can help out is, if you have the skills and the determination, directly contact some of those NGOs who are doing work and say, "Hey, I'm a cybersecurity person, how can I help you secure your stuff?" Because they've been getting hit with malware, surveillance ware, disruption of communications. And then for that verification piece of trying to make sure people are actually there, is a great thing. And also some of the aid workers have been hit with really bad slander suddenly on social media, especially Facebook, Russian operatives will post that they're actually pedophiles and all sorts of stuff or try to dox them. So people can help out by watching out and lending their skills.
Joseph Carson:
Yeah. Troll factories are definitely, I mean we had Jessikka Aro on a while back, who wrote the book about Putin's Trolls, and was the journalist from Finland who uncovered the whole background into... And that was a fascinating just and then unfortunately she became the target of the troll factory and watching how they operate and how they spread malicious content is shocking. It's seeing people becoming victims that, it's tough on their lives as it is, so.
Chris Kubecka:
Yeah, no, definitely. And there's also been other very interesting aspects of the Ukraine war. So, one of the families I helped get out, they were of Jewish origin and luckily through my contacts at the Middle East Institute, they put me directly in touch with the incoming ambassador to Bucharest in Romania from Israel. And he was able to process their paperwork within 24 hours. But he said that the typical officer who did that, was recalled back to Israel because while Ukraine is popping off, the Iranian government has increased some of the physical and cyber attacks in the region as well. I mean you can only spread yourself out so far without being then very, very thin as well. So that's definitely increased. And I heard a bit more about it when I was in Tel Aviv last week as well. I had to remember where it was last week.
Joseph Carson:
Cyber week.
Chris Kubecka:
Yes. Yes.
Joseph Carson:
So Chloe, just interested on any insights that you've kind of been seeing, from observing and watching all of the feeds. Anything that you caught your eye during the time?
Chloé Messdaghi:
I mean, it makes me question social media a lot, I'll be honest. The massive misinformation out there, I started questioning, is this even good for us to have? I mean, even our mental health is really becoming a problem, our attention span, and it just makes me think about how can we do better on that front. But also hearing the stories of people evacuating and being separated from their families. Like, my mom's family is from Iran and they had to flee during the revolution and they left a little bit too late.
So I mean a lot of this stuff is resonating because it reminds me of my mom's history, my family's history in Iran and it's hard, that one suitcase you want to have, the bare basics and the most important things and you want to use jewelry. And I remember hearing that, always have jewelry on at all times because it will save you. Money might not, because money might not matter as much-
Joseph Carson:
The value-
Chloé Messdaghi:
The value. Yeah, I mean I've heard stories of people using it as toilet paper at one point. So yeah, jewelry is one of those things to have, so yeah.
Joseph Carson:
I think we've all been... I grew up in Belfast during the Troubles times and I've always got memories and when I was watching what was happening, it just brought back memories of them as well. So it's always tough watching countries and people going through really hard unthinkable experiences and... For me, absolutely, there's the good things that social media brings, which it brings people together. But there is that very malicious aspect of it that can actually tear people apart. And the question is that, is the good over weigh and provide the positive that kind of negate the evil part of it? I struggle with it as well. So, Chloe I'm with you. The aspects, I think for me it's always about social media should be really classified as news and it should be controlled and it definitely... They should have ways of showing origin of information. Where did it originate from? And how verified can they make it? Just like you have verified accounts, they have to merely go down to the point of verifying the source of information and, otherwise people will take majority of it as the truth, where it's unfortunately not.
Chloé Messdaghi:
And news, sensationalized news, I think that's another big one.
Joseph Carson:
Yeah. And so Chris, what's next for you? Just, what's the plan? I mean, now that you're healing.
Chloé Messdaghi:
Are you well? Are you okay?
Chris Kubecka:
Yes. Yes.
Joseph Carson:
What can the community do to help you and support you?
Chloé Messdaghi:
Yeah. You want us to ship you melatonin and alcohol? You just let us know.
Chris Kubecka:
That sounds great. Well one of the things is, if you happen to see something that I'm going, "Hey, I need particular help with this or particular help with that," I might not tell, obviously put the whole story out on social media, but be sure to respond if you happen to have those skills, because this is still ongoing and there are still tensions in certain areas. I was in Transnistria for victory day, of all things, one of the times I was there it was surreal. I definitely got exposed to completely different people than I was used to.
But I think that's also a good thing. Also on the social media front. Chloe, try to make sure that before you go, "Hey let me spread this thing out," that it's actually real because that's quite important. Because once it gets picked up by the algorithms, no matter how fake it is, it can become real to a lot of people. It can also be latched onto by various conspiracy folks. Like Q is very big into this.
Chloé Messdaghi:
Yeah.
Chris Kubecka:
One of the channels I monitor is a QAnon channel and let's just say, they don't believe that there's an actual war. And yeah, there's all sorts of things they believe. Try not to feed into that, because it's an easy trap to fall into where somebody picks up your social media, runs with it and then a whole bunch of people... Oh it can be terrible. Absolutely terrible. So yeah, think about how your information can be used by evil.
Chloé Messdaghi:
Yeah, everything you do, everything you say.
Chris Kubecka:
It's crazy.
Chloé Messdaghi:
You have to be careful.
Chris Kubecka:
Be wise.
Chloé Messdaghi:
Also they say fake news and lies spread faster than actual truth. Yeah.
Joseph Carson:
Yeah, unfortunately the algorithms, it's all about... When you get an... it's the impact and impression it makes. It's not the actual verification of the information itself that the algorithms like. It's the impression it makes. And unfortunately, it's the fake news that's focused on the impression than it is that the reality. And it's always the things, for me, watching how the algorithms do not support the truth unfortunately, so. Absolutely. And I mean Chris, it's amazing hearing your story and I think for the audience, definitely is a lot of lessons learned here. But definitely one is that it's still happening as you mentioned. Other news is unfortunately overtaking the majority of what's happening there in Ukraine. And I think this is something that we have to just keep supporting and keep the focus on and keep voicing. What more we can do? And I think absolutely Chloe brings up the important point of what the social media side of things.
We really do have to make sure that what we are sharing, that we think about two times before doing, sharing something or recording something or mentioning something that we really have to make sure that what is the impact of this. Absolutely. I mean it's fascinating. I just hope that for you, that you're healthy and safe now and that the community definitely can reach out, and whenever you do ask for help, I'm definitely sure that the community is always there. I mean, we have such a great community out there in Info security, that there's so many people that's willing to help and willing to even go beyond and do what they can. So definitely when we see anyone in need or anyone that knows somebody else in needs, we're definitely there to help for sure. Any final things, Chloe, that you have that you would like to ask Chris?
Chloé Messdaghi:
I mean, I have loads, but I mean I can always message her, but. And everyone, if you have questions after hearing this or seeing this, message her. Chris responds and yeah, I always come to you I think, or whenever I see her at a conference, it's always like a new story I hear. And yes, it's fascinating, but it's one of those things where I feel like we should talk more about in InfoSec, is all these other issues that you bring up today.
Joseph Carson:
Yeah. It's the impact InfoSec has in society. That's what really it comes down to is that, yes, we see data breaches all the time, but when it impacts, when the experience that Chris you mentioned, when you can't get money from an ATM, that's a real impact. When orphans lose their history and their society, where they came from, that has real impact, not just for a day or two, but for lifetime. And this is really where it comes on to is that, I think Info security, there's one element that we talk about in the news, but I think the ones that happens on every day that has real human impact, I think that's the ones that we really need to be bringing up and discussing about, what can we do to make sure that that cannot happen in the future?
Or, what can we do to make sure that we reduce the possibility of that happening? And I think that's where we can all focus our energy and attention. And I think Chris brought up the point to think at Cyber week as well, that we had to think about the humans and that's, the humans are not the weakest link. They are the most important link. They're the most important aspect of all of this. And that's where we definitely need to meet, looking at focusing our attention on. Any final words or comments that you would like to leave the audience with?
Chris Kubecka:
Yeah, certainly. One thing we also have to remember is, although we might see on the news and think that this is something that is far away, it's actually affecting the world in many different ways from food shortages, rising prices, et cetera. And also, so many different countries are being attacked in different ways right now, including the US. That you never know if you're going to find yourself in a situation where you are going to be directly affected by this. So keep that in mind and also try to have as much empathy as you possibly can towards the situation. Because I certainly did not wake up at the first of this year and go, "Oh, I think I'll help discover the world's first Geneva convention violation via malware and have to flee a war." So you don't know what's going to happen, especially since digital weaponry gets proliferated around the world and moves at the speed of light. So definitely remember the humans and that you are a human and that this affects us all.
Joseph Carson:
Absolutely. Wise words. Many thanks for having you, Chris it's always great to hear your stories and listen to your experiences and you've got such a wealth of knowledge to share. So I really appreciate and thank you for joining us again on the show. And I definitely make sure that, definitely won't be the last time. I'm sure there'd be many more opportunities to chat with you again in the future. And Chloe, great having you as the co-host and join me on the episodes going forward. So, definitely for the audience, stay safe, lessons learned, make sure that you keep an eye out when anyone's in need. Dude, let's do what we can to help them. So this is another episode of 401 Access Denied. Stay Safe. Join us every two weeks and look forward to seeing us all again in the future. Thank you very much. All the best.