Huntress CEO On FBI Disrupting Russian Hackers: ‘I’m Pumped’

“I think [this disruption] is going to be the first of many especially since the NSA started using new words like ‘defend forward’ where they said, ‘We’re going to defend, but we’re going to use an offensive approach to defense. We’re going to see where they’re going to come and before they actually do an attack, we’re going to step in,’ says Huntress CEO Kyle Hanslovan.


Kyle Hanslovan, co-founder and CEO of threat research firm Huntress Labs, applauded WatchGuard and Asus for taking action after the FBI pre-emptively disrupted a Russian hacking operation by taking control of the thousands of routers and firewall appliances the operation had used to access devices.

“[The hackers] just went around infecting all of these WatchGuard and Asus devices to make this botnet so they can do mass actions,” Hanslovan told CRN.

Sometimes those mass actions are aimed at gathering data, taking down the internet, or sending a lot of traffic to a particular target to overload them, he said.


“Forever, all of the guidance for 20-some years has been, ‘Patch your devices, patch your devices,’” he said. “And for the most part we think about that as laptops, servers and workstations. This is one of those cases where it’s our IoT devices and our embedded devices—the firewalls, the routers.”

WatchGuard said on its website that it “investigated and developed a remediation for Cyclops Blink, a sophisticated state-sponsored botnet that may have affected a limited number of WatchGuard firewall appliances.”

It then gave partners a four-step plan on how to diagnose and remediate the problem.

Asus has also provided updates on its website for partners regarding the botnets.

The U.S. Department of Justice issued a statement Wednesday.

“Through close collaboration with WatchGuard and our law enforcement partners, we identified, disrupted and exposed yet another example of the Russian GRU’s hacking of innocent victims in the United States and around the world,” said U.S. Attorney Cindy K. Chung for the Western District of Pennsylvania.

Hanslovan said he’s glad to see others step up and take down hackers, adding that Huntress is usually behind the scenes “pulling the strings” to help remediate cyberattacks.

“We actually didn’t participate in this one,” he said. “What’s really exciting for us is we didn’t have to be there. Other people are stepping up too.

“It’s super exciting that the government is going toe-to-toe a little bit more publicly and not just behind closed doors where this usually happens,” he added.

CRN spoke with Hanslovan about his thoughts on the FBI disrupting hackers and how MSPs can save their reputations when cyberattacks hit.

What are your thoughts on the FBI disrupting these Russian hackers?

This is the second big time that the DOJ has done coordinated offensive measures. The first one was with Microsoft Exchange and all of those web shells, so I’m pretty pumped. This looks like it could be an appropriate use of offense in support of defense.

The government stated about a year ago, after the Colonial Pipeline hack, that it would be doubling down on cybersecurity and now it’s taking action. What are your thoughts on how swiftly the government is moving?

My gut reaction is [I’m] pumped. The reason you’re seeing government action is because for the first time we have people in cybersecurity [who are] policy decision-makers who have real offensive background. It doesn’t surprise me to see us stepping up because for forever a lot of the people in charge, the cybersecurity czars, were the people who knew basic defense. I’m the one that says, ‘Hey look, the best defense is a great offense.’

You’re seeing that play out here. I think it’s going to be the first of many especially since the NSA started using new words like ‘defend forward’ where they said, ‘We’re going to defend, but we’re going to use an offensive approach to defense. We’re going to see where they’re going to come and before they actually do an attack, we’re going to step in.’ This is the NSA, this is the FBI, this is the government defending forward.

What should MSPs using WatchGuard and Asus be doing now to protect themselves?

The same day this advisory came out, WatchGuard released a remediation tool for users with WatchGuard devices. That’s an easy call to action because they made it easier to go and restore your appliances to a clean state, and they’ve made it easy to update to the latest version of their Fireware OS. They really have come out and said, ‘Look, if you don’t have a plan to remediate this immediately, we really suggest you take your appliance offline until you remove this botnet.’

What actions should all MSPs be taking in the wake of this?

These types of IoT device vulnerabilities are constant. Even though Cyclops Blink specifically was targeting WatchGuard and Asus, I can tell you we have seen an almost endless number of embedded devices be used as the initial access point. Nobody updates their IoT devices, your printers, your routers, firewalls—they’re an afterthought. It’s hard enough to patch your laptops, servers and workstations alone. Of the cybercrime incident responses we do here at Huntress, we see that a vast majority of them involve unpatched SonicWall devices. It’s the reality that nobody patches IoT devices.

What do you think about Russian hackers hitting the small guys? They’re not hitting Wall Street, they’re hitting Main Street.

It’s a bit of a diversion tactic. They can use a whole bunch of small businesses to amplify their attack on Main Street, meaning compromising thousands of routers, firewalls or Internet of Things devices. And even though that’s the initial attack, they’re going to hack into these things to get access to be able to do something bigger. It’s preparation for a bigger operation. We would’ve seen something bigger had this not been disrupted.

What’s the economic impact to MSPs?

The realist in me says this is obviously going to impact reputations. Could you imagine if you got a notice from WatchGuard to your direct customer, or a notice from the FBI saying hackers are on your router? [The client] is going to blame the MSP. But the other side of me says this is 2020 and beyond, in this decade, hacking happens. It’s like credit card theft. Even though those clients would get upset, I think it’s important that MSPs have to be able to communicate. This is a lot like a hurricane. You don’t stop a hurricane from coming—when the hurricane comes you need to be able to respond as quickly as possible.

These new waves of attacks against small and midsize businesses, this is the hurricane. And if you’re not communicating that to your clients that incidents are going to happen and it’s about what you do after the hurricane hits you, I think [MSPs] are going to become flat-footed and lose revenue. Just how the NSA is defending forward, our partners need to defend forward with their communication and educate people that this is kind of like credit card fraud. It’s going to happen, and when it happens they need to give their clients confidence that they are prepared to be able to handle it.