Episode 41

Published on:

6th Mar 2024

The Rise of Cyber Mercenaries: Governments' Secret Weapons in Cyber Warfare

In this episode, we tackle some of the most pressing issues in the convergence of cyber warfare, information security and political strategy. Our guests, Iain and Chris, share their frontline insights on how the digital realm has become a playground for clandestine operations, where cyber mercenaries are the new knights, rooks and perhaps even the kings. 

We examine the repercussions and complexities of engaging third party cyber groups for state-sponsored operations, debate the seemingly lucrative appeal of cybercrime and look at real-world examples where the cyber realm has been militarised. Discussions range from the effect of bot networks on democracies, to the specific roles of organised criminal cyber divisions and the evolution of digital espionage.

Talking Points:

1. The Intricate Web of Cyber Mercenaries: Discover the hidden connections between governments, political factions and cyber mercenaries. We unravel the complex tactics and consequences of outsourcing cyber warfare and the ethical lines that get blurred along the way. 


2. The Business of Cyber Conflict: We talk about the paradoxical profitability of cybercrime versus the costs of robust defence. We discuss the art of balancing offensive strategies and cybersecurity defences, drawing comparisons between private sector incentives and government backed digital warfare. Professionals keen on risk assessment and cyber strategies will find this conversation particularly interesting.


3. Navigating Cybersecurity Governance: Dive into a crucial debate on managing the cyber mercenary phenomenon, filtration in intelligence gathering, and the quintessential role of governance in preventing operational downfall. As we explore the undeniable need for quality defence mechanisms, the insights shared here are invaluable for any professional aiming to stay ahead of cyber threats.


Join us on Razorwire, your go-to podcast for cutting through the digital noise, as we delve into a world where cyber conflict is omnipresent and the concept of warfare is forever altered. This is one episode you'll want to replay, decrypt and safeguard in your mental arsenal.



"It's not like a physical mercenary group where you can see them. They're not blowing anything up. Nothing's going to go bang so people actually notice. So unless a government gets hacked or something happens, unless they shut down the national grid, unless there’s collateral damage that comes with it - they can pretty much hide it away, can't they?"

Chris Dawson


Listen to this episode on your favourite podcasting platform: https://razorwire.captivate.fm/listen


In this episode, we covered the following topics:


  • Government and Media Control: Exploring the intersections of government ownership of media and its implications for information security and cyber warfare.
  • Corporate Espionage and Cyber Warfare: Debating the ethical and strategic considerations of engaging in corporate espionage and cyber warfare.
  • Cyber Mercenaries: Examining the rise of cyber mercenary groups willing to conduct cyber warfare operations for hire.
  • Digital Infrastructure Security: Discussing the technical and strategic challenges associated with detecting and defending against compromises in digital infrastructures.
  • Plausible Deniability and Cyber Attacks: Considering the strategy of plausible deniability and its potential to shield governments from the fallout of cyber operations.
  • Monetisation of Cyber Crime: Analysing the profitability and incentives driving skilled cybercriminals and how crime pays in the cyber realm.
  • Cyber Warfare and Political Influence: Delving into how cyber warfare can be a tool for political manipulation and influence, referencing historical and recent events.
  • Mercenary Tactics in Cyberspace: Comparing the operations of traditional mercenary groups to digital equivalents and their impact on modern conflicts.
  • Legal and Ethical Challenges of Cyber Warfare: Discussing the complex legal and ethical landscape of cyber warfare, including the difficulty in predicting outcomes and avoiding collateral damage.
  • Defence and Upskilling in Cyber Mercenary Groups: Highlighting the importance of continuous training and developing trust to scale commercial cyber mercenary operations effectively.


Resources Mentioned

- Vulkan files

- Colonial Pipeline attack

- Dark Side - Hacking group

- Wagner Group

- Cambridge Analytica

- Cozy Bear

- APT 29

- NHS (National Health Service)


Other episodes you'll enjoy


The reality of cyber warfare

https://www.razorthorn.com/the-reality-of-cyber-warfare/


The Impact of Compliance and Legislation

https://www.razorthorn.com/strengthening-cyber-security-the-impact-of-compliance-and-legislation/


Connect with your host James Rees


Hello, I am James Rees, the host of the Razorwire podcast. This podcast brings you insights from leading cyber security professionals who dedicate their careers to making a hacker’s life that much more difficult.

Our guests bring you experience and expertise from a range of disciplines and from different career stages. We give you various viewpoints for improving your cyber security – from seasoned professionals with years of experience, triumphs and lessons learned under their belt, to those in relatively early stages of their careers offering fresh eyes and new insights.

With new episodes every other Wednesday, Razorwire is a podcast for cyber security enthusiasts and professionals providing insights, news and fresh ideas on protecting your organisation from hackers.

For more information about us or if you have any questions you would like us to discuss email podcast@razorthorn.com.

If you need consultation, visit www.razorthorn.com. We give our clients a personalised, integrated approach to information security, driven by our belief in quality and discretion.


Linkedin: Razorthorn Security

Youtube: Razorthorn Security

Twitter:   @RazorThornLTD

Website: www.razorthorn.com




All rights reserved. © Razorthorn Security LTD 2023



Transcript
Jim [:

Welcome to another edition of Razorwire. Now, today we're going to be talking all things cyber mercenaries. We're going to be talking about how things are done in the underground, about nation states paying off criminal groups in order to engage in activities that are plausible deniability associated with it, whether or not there's kind of almost legitimized mercenary groups and feasibly what they do and how they work. It's going to be an interesting set of subject matters that we're going to be talking about. I have Iain and Chris, my beloved co-hosts, who are going to be here having a chat with me about exactly this, and let's see if we can get to the bottom of how this all works. Welcome to the Razorwire podcast, where we discuss all things in the information security and cybersecurity world, from current events and trends through to commentary from experts in the field, providing vital advisory on what it is to work in the information security and cybersecurity space. Today, as I just mentioned, we're going to be talking about cyber mercenaries, the criminal gang side of things, the fact that nation states have been funding them for a while, and some of the details that we've had recently in the last couple of months with specifically, for instance, the Vulkan files, where it came out that a legitimate information security company in a particular country, who may or may not be having some kind of altercation with another country nearby, up in the northern part of the hemisphere, who speaks, know, utilize them to build and manage a lot of their tools that they use to break into things, and also allegedly have been a good part of the training and have actually engaged in that facility for that nation state. Now, the question I have, before I hand it over to the wonderful world of Chris and Iain, is that in warfare, you have certain know, you have land, which is where you were, Chris.

Jim [:

You have sea, you have air, which is Iain, who was part of the RAF. I'm going to let them argue over who was better and who wasn't. But there's been a lot of discussion for a long time now about the fourth domain, which is cyberspace. Now, in some countries, they roll it into, like the navy, or they roll it into the air force, and it seems to be evolving to the point where it's actually kind of becoming its own kind of area. Now, I see a lot of talk that it's being pulled out of the various different domains that it originally sat in because it's become so important. But the question I have is we have people like the Wagner Group. We all know who the details between them recently who get paid by nation states to go and get involved in altercations with other locations. And I'm not stupid enough to think that there's a lot of other similar types of groups around the world who deal in the same kind of way with countries in the western world and obviously countries in other parts of the world.

Jim [:

And obviously they tend to share locations as well. Now, are we looking in the future at there popping up companies like the one outlined in the Vulkan files, or Vulkan as they were called, but in the western world? Or is it already happening?

Chris Dawson [:

It's definitely already happening, isn't it? Even from many, many years ago, just sending out bots on marketing and bits and bobs and getting people's opinions and trying to sway votes and the bits and bobs and having an impact on social engineering side that's come from a nation state. Not saying it's true or no one knows, but the elections, US elections, heavily reported to be infiltrated by our friends up north and swayed votes and swayed this and swayed the whatnot. So it's definitely happening more on a social level, which we can see as opposed to no government's going to kind of admit that the national grid has been hacked by a mercenary group living out of a basement in Chiswick. I don't know why I picked Chiswick.

Iain Pye [:

But yeah, unfortunately Chris is right. It has been going on for years and years.

Chris Dawson [:

The Internet. Can you say that again?

Iain Pye [:

Chris is right to an extent.

Jim [:

You can never quite let him have it, can you?

Iain Pye [:

No.

Chris Dawson [:

God no. I was trying to think it's been.

Iain Pye [:

Going back since the late 90s when it's all kind of the Internet came from fruition from there. So you've got things like, was it Kosovo? Like in the early 90s the NATO's public affairs website was taken down, although not related to Kosovo. Sympathizers and stuff like that. So you've got state actors using mercenaries or hacker groups and stuff like that to push their information operations. I think it comes under the banner of cyber warfare in terms of through that channel as well. If you look at it, it still follows the same pdps of traditional land warfare, but they just as in use mercenaries when you can. Although a certain red state that didn't work too well. But yeah, it's still the same premise.

Iain Pye [:

It's just a different plane to put it as. It's not the physical, it's more the digital. That's what is happening.

Chris Dawson [:

But they do turn that digital into physical, don't they? And you can do. So let's look at what's the big one with Hik cameras, for instance, the back door that they just found into Hikvision cameras just said, yeah, that are plastered all over our government buildings. And then a mercenary group from China, let's say. I think maybe jumping in and just watching us and taking intel for no reason. It could just be watching people walk into work. But you're going back to the watching people again. I know you're going back to cold war tactics for being able to use digitalized.

Jim [:

Well, I guess in many respects. I guess the reason I ask is we've known for a long time now that certain nation states and a number of nation states have engaged criminal gangs to do this piece of work. But as we well know, a lot of those criminal gangs aren't particularly reliable at the best of times. And in a world where we do have far more reliable groups that could perform the same function, are we going to see militarization or private militarization of this particular space, the information sort of sphere, from legitimate companies? Because things like Vulkan, for instance, we'll have to use them as. They're the main one we've had information about. They're doing business legitimately, allegedly, they're doing business legitimately with key organizations within that region, and they've got all the same capabilities and could even be much better funded in a more legitimate fashion. Why wouldn't this be done elsewhere? I mean, obviously, leave the clandestine stuff down to the really stuff you really don't want to get associated with, down to some of them. But you could easily kind of level a lot of the.

Jim [:

What am I trying to get at? You can level the playing field quite a bit with a legitimate company who you can say, no, they're just here for defense. We all know they're not. There's all kinds of defense. There's more passive defense where you sit there and you hope your defenses will hold, but then you have proactive defense, a more proactive defense, which is where you go out and you do them before they do you. You're the military guys.

Chris Dawson [:

Come on. Militarize because it's such a vast network. Every single person is digitized now. Everyone's online, everyone's doing something. We're not getting information by watching people. And because it's so big, I think that's probably one of the reasons to use mercenaries, is because if you have a section, which I'm sure they do have, that focus on targets A, B and C, but what about the rest of them. How do we monitor them and we get the cheapest possible people to look at as much information as physically possible. And I'd say that was pretty much the bulk of it.

Iain Pye [:

Basically what you're saying is it's just the government being the government, as per usual, whereas we don't have the resources or the funding to do it. So let's get a contractor in who's bidded the cheapest amount and will give us a shocking service in the process. They'll give you a shocking service, for example. It's the same principle.

Chris Dawson [:

Yeah. They're going to give you a shocking service, but they're going to give you a service where they're going to look at 10 million people, I suppose, to.

Iain Pye [:

Provide that capability to hoover up that.

Chris Dawson [:

Research and reconnaissance and then move it on to the next stage. That will filter out the dribble, and then the next stage will filter out even more dribble. And then by the time it gets to the RAF or the army or the cyber intelligence side of that mi six and whatnot, it should have been filtered out that much.

Iain Pye [:

They've got the targets. Yeah.

Chris Dawson [:

It's actually worth looking at. Granted, with that, though, you're going to miss then filtration levels have got to be governed and run properly. And I think that's probably where the downfall is. The major downfall, what you're on about there.

Iain Pye [:

Yeah, it's the filter. So that's in the physical plane, the way you're on about potentially, you think about it from the digital plane, two planes, essentially, if you think about it, the law of armed conflict, which basically governs of how, when and where you can strike. It's basically the set of rules of don't shoot people parachuting down because they're in a vulnerable state. But if they start shooting at you for a game, shoot that. It's those set of rules that are put in place with the digital plane now, whereas you can do a kinetic strike, you can do the BDAs, the battle damage assessments and stuff like that prior a strike, and say, yeah, there's no schools, hospitals, great, we're not going to affect any of that. The issue then with then I've kind of gone off track here. But the issue then with the DiS, you don't know the full knock-on effects because you can't do the full BDA. If you knock down, say, the Colonial Pipeline that affected schools and I had a knock-on effect and now it's not within LOAC.

Iain Pye [:

And I admit your pesky people from red flag countries aren't going to follow to. What you are going to invite is more of that activity by using the mercenaries and stuff like that, the guns for hire, who technically, yes, LOAC does actually, as does the Geneva Convention still apply to them, but they're not going to give two hoots about it anyway. So you're going to have a bit of a. More of a. If they're given free remit, whereas you're saying, just gathering. But at the end of the day, they're going to turn around and say, all right, you've chosen the title, it's great, go do it. Go do what you need to do. Take that nuclear power plant offline for five minutes or something like that, or Colonial Pipeline.

Iain Pye [:

There's going to be more and more of that where it doesn't fall within the lines of LOAC itself and it's going to end up harming the innocents as well.

Chris Dawson [:

Yeah, no, it is, but you're always going to get collateral damage. Although a physical war and a digital war are two totally separate entities, they're pretty much the same, aren't they? They have the same end goal. So using mercenaries to take down the UK, for instance. Okay, we're going to focus on supply chain, we're going to focus on national grid. So you get a mercenary hack group. Can you infiltrate the national grid and shut down the power to the UK, which will stop any military. Sorry, will dampen any military invasion to wherever that's going to hit. But it's also going to affect schools and hospitals.

Chris Dawson [:

But you're not aiming for that, but you can't have one without the other.

Iain Pye [:

I remember what LOAC says is a term and it's measurable and proportional action, it's along those lines. So in terms of if you're going to do a strike, and that's the one issue you have when you're conducting cyber warfare, be it from a mercenary or a national state, you can't always know what end result is going to be.

Chris Dawson [:

Yeah.

Iain Pye [:

Because you don't know if you sit with collateral damage assessment, I call the BDA. That's after, obviously, but do the collateral damage. You can say, I got a great big bomb on this Rom's chair. Great.

Jim [:

Happy days.

Iain Pye [:

Close is this wide. It's going to affect this radius, it's going to be contained here. There's no schools, there's no hospitals. It's definitely not that it's a legitimate target, it's military use, et cetera, like that. You don't get that because you can say, yeah, we're going to do that. If you look at Stuxnet, you think about that. That was targeting one. Was it spin of centrifuges just to tilt them off by a degree or something like that to then really mess up the centrifuge itself that stuck in it.

Iain Pye [:

The way it was written was it was self-propagating, wasn't it? So it just constantly was on the hunt for a new environment. I'd go, have you got the XYZ? These are my parameters. If you have, great, I'm going to do my business and knock off these centrifuges. That itself is not within the stuckness. If you think about it, it's not within the come on the LOAC because it's gone past that boundary of this is our target. We're actually after these set of centrifuges. But then it's self-propagated and it gets carried on and it ended up impacting businesses and stuff like that, didn't it? Because the way it kept going and going, that in itself falls out the bounds of the LOAC because it's not proportional. I really have to google it, but it's not down to a target.

Iain Pye [:

So back to the point of using Bob down the road mercenaries type thing. You're going to get more, in my eyes, more and more of that type of thing happening and it's going to hinder further down the line to more. Is it, people?

Chris Dawson [:

Yeah, using Merc, you're always going to.

Iain Pye [:

Get collateral damage, part of war, but got to take steps to minimize that. But they're not going to do that if they're doing it on the cheap, are you?

Chris Dawson [:

No, they're not going to say, okay, we can hit the national grid, but we can also isolate all the hospitals and keep them up and running, for instance, and only hit government bills.

Iain Pye [:

They're just going to go national grid. Hopefully the hospitals have got the BCP in place.

Jim [:

But this is my point. There is the old saying, you get what you pay for. Now, I know, kind of, you've got Lockheed Martin, you've got a number of the big contractors in this particular space. They produce a certain type of bang bang, or lots of different types of bang bangs in lots of different types of ways. Why wouldn't they have units for sale to create either the software that can do what you've just kind of described, but in a more targeted way, quality solutions and providing quality people. And I'm trying desperately not to be unfair to the beloved governments out there, but let's face it, they don't pay as well as the commercial markets. They don't tend to get as good quality individuals with the skill sets that they're going to need without going to the commercial world and without providing a certain amount of protection to that commercial concern. Whether they do it quietly, like good Vulkan's case, or whether they do it a little bit more openly, I mean, everybody knows that Lockheed Martin, Rolls-Royce and so on and so forth all create different things that either go bang or devices or vehicles, and there's a whole million million companies out there that do it.

Jim [:

And the government doesn't seem to. I mean, you were in the military, you probably know better than either. They don't tend to scrimp quite as much when it comes to that kind of thing. As opposed to who's going to look after our NHS database, where you normally get someone like an organization who may or may not have found themselves in hot water recently because they didn't look after their defense in depth section that says third party and third party assurance, which for me was a bit of a laugh considering the amount of money they get from government contracts. Do you think they would go cheap with that? Because, I mean, I kind of see it as if they're going with criminal control. You can't control a criminal gang. You could say, go and destabilize this, or we'll pay you some money to go and cause havoc in this area. As Ian said, they're not going to give stuff about collateral damage.

Jim [:

They don't care. They've just been paid a bunch of cash to go and do some stuff. Then there might be some leverage with people who are known to certain information gathering groups and sort of networks, spy networks, that kind of thing. But not all of them are going to be known. Maybe some of the key ringleaders. Would it not be better to just create a purpose built organization who can professionally do what you want to do? Like Vulkan seems to be to that particular state that we've been talking, or nation that we've been talking about, but for others, because there was an Italian company that was a hacker for hire group for nation states, wasn't it? They got called out. I can't remember the name of them.

Iain Pye [:

Who did? The Colonial Pipeline with Dark Side, wasn't it called?

Jim [:

I think it's a defunct group now. They broke up afterwards and then reformed as something else.

Iain Pye [:

Didn't they get actually caught? Dark Side or something like that?

Jim [:

Was it Conti? And then they split up because obviously we had the Conti files, which told us how criminal gangs kind of work behind the scenes, which was very much like an organization. They had their own departments and everything, have their own bloody HR people, which is quite laughable when you're considering what they get up to and the areas that they kind of work in. But, no, I just see that criminal gang. Okay. Yeah, you're going to get some really good hackers in there. I don't like calling them hackers or crackers, but for want of a better term, you're going to get some really good talent in there, but you're not going to be able to control that talent if you're kind of engaging in anything, a cold type of engagement or an engagement of destabilization or misinformation. I mean, look at Cambridge Analytica, who were implicated in all the jiggery pokery.

Iain Pye [:

Around the elections, turning 5G mums into Trump supporters and all that jazz.

Chris Dawson [:

And just ripping everyone's data, just taking it off and selling to the highest bidder, which I've got no problem with, obviously.

Iain Pye [:

You're on board with that, though, aren't you?

Jim [:

But I guess, in any respect, when you look and you analyze the type of engagements that you're going to be doing, when you're doing cyber warfare, you're going to be preempting a lot of the more direct stuff with that kind of stuff. Destabilizing social infrastructure, seeding dissent, that kind of thing. It's a lot easier to do that nowadays than it feasibly was, say, during World War II, where you'd have to send people in physically who would then cause havoc and what have you. Nowadays, all it takes is a number of people to put out a deep fake of the prime minister doing something terrible to a pig's head. Well, I don't actually know that actually happened.

Chris Dawson [:

That was real?

Jim [:

Yeah, that was real.

Iain Pye [:

A Black Mirror.

Jim [:

All I'm saying is you want a professional service, and if it means a lot to you, you're not going to pay the clandestine people. You're going to pay the people that you know are going to do what you want them to do when you want them to do it. Or am I completely off? Because, I mean, if you were to go and get the services of a traditional mercenary group, like the Wagner Group or whatever, not having walked in that circle, great catering.

Iain Pye [:

Isn't that how they started, as a catering group or something? A hot dog vendor or something like that, and then they end up becoming, like, one of the largest mercenary groups in Russia. It's crazy.

Chris Dawson [:

Thousand people, I presume.

Jim [:

You basically go in, you have a chat with someone, you say, this is what I want done. I want some protection when I go through here or I want you to go and if you're a nation state, I want you to go and support these troops over there. They will then come back like any company and say, okay, that'll cost you x amount with this amount of soldiers, this amount of kit, this amount of support, yada, yada, yada and all the rest of it. You pay your money and then they go and do what you pay them to do. Maybe with a bonus at the end of it if they do it well, is that roughly what occurs?

Chris Dawson [:

Pretty much. So I would probably move away from the Wagner because that didn't go according to plan.

Jim [:

No, obviously, but any mercenary group, we'll just take Libya.

Chris Dawson [:

In the last 20 years, how many different rebel groups have the US and UK government backed to overthrow the government regime and then gone? Yeah, that. Well done. Thanks for that. Oh, actually you're not very good. We need another rebel group now and we'll back you until they find the one they want. I'm pretty sure that's public knowledge. Unless someone's living in a cave, literally.

Jim [:

Yeah. No, it just seems to me that if you're going to be doing this kind of thing, you're going to have the reliable people and the people who just sow chaos and you're just going to go to the people who sow chaos and say, here's loads of cash, just go and cause trouble. Just go and cause all as much trouble and as much noise as you can. Try not to get caught. See you later. Take your 10 million quid.

Chris Dawson [:

Yeah, but also if you do get caught, they're nothing to do with you.

Jim [:

Yeah, exactly.

Chris Dawson [:

So it's a great way to use lighting.

Jim [:

But then sure you're going to have the more professional precision groups because if you can't attract that talent, you're going to have to get that kind of talent elsewhere. And whilst you will maintain a cybersecurity division, for instance, as I said, pardon me if I'm wrong, but they're normally youngish individuals who are serving for a certain period of time, so they'll get their training during their service and then when they come out into the commercial world, they have to have additional training to then skill up to the level that's required out in civvy street. Yeah, I'm about to get beaten up by a load of ex-forces for saying that.

Chris Dawson [:

But I think, yeah, using mercenaries is going to be in the digital side is exactly the same as the physical side. They are the cannon fodder. They're going to go and find you, they're going to cause chaos, they're going to find you vulnerabilities that then when the vulnerabilities are found, that's when again, we filtered up. So we found a vulnerability. Now we handed it over to the professionals to try and infiltrate that vulnerability properly, as opposed to just causing the chaos. And they're going to sit on the.

Iain Pye [:

Winks, I suppose you got to have your tiers, shall we say, mercenaries of guys who actually got to go out and do so at the bottom. And you'll have your lower hackers and all that jazz the ones that you just give it on a quid tune. Go forth and you'll have your lights of like the actual known, proper well organized, which some of them really are. And they all, as you said, have their own HR and stuff like that. It's like Cozy Bear, the APT 29. They went after the Covid-19 research, rushing back to try and get their own, according to the press, before I get, yeah, they are higher tier, they're more organized, they know what they're doing. And you're going to use a better quit organized mercenary group, cyber group, as you know, to actually go out. And a lot of these guys, as you said, have come out the forces and then gone.

Iain Pye [:

Right. I know we use these guys commercially, right. I'm going to see if I can get into that group and then get paid from them and then scale up that way. And to be honest, it's like any other person coming out of forces. You're going to use your connections and what you're good at. What have you done in the past to then go work at Raytheon or the armed producers for those, for the military industrial system type thing that you're part of. So it's no different. It's just literally a different plane of operations at the end of the day.

Chris Dawson [:

Yeah. You can hide behind the keyboard as opposed to hide behind a mask. I think that's pretty much the only difference.

Iain Pye [:

Yeah.

Jim [:

Do you think that the big contractors in this world are skilling their people up?

Iain Pye [:

Certainly. Otherwise you're just going to have churn all the time. It's like running a business, isn't it? You don't want to lose your good people, so you want to upskill them, make sure that they stay, give them the support and stuff like that. They are run like businesses, these bigger mercenary groups. So you are going to ensure that they got the right equipment, the right skills, the right tool sets for doing these kind of operations. It's in that organization's benefit for them to be better. That means you get more lucrative contracts as well. You can be trusted again.

Iain Pye [:

It's all about building trust, isn't it? At the end of the day, with your client, it's a client. At the end of the day, it just so happens to be a nation state.

Jim [:

It's no different sort of plausible deniability.

Iain Pye [:

Yeah, exactly.

Chris Dawson [:

You've got plausible. You know, if the UK government, for instance, I don't know, using Cozy Bear, I know it's Russian, but if they say, right, you're the best out there at the moment, we're going to pay you and we'd like you to look at this, look at that, look at that. While they're looking at that, looking at that. And you're paying for that, they're not looking at you, they're not trying to infiltrate you. So I suppose it's a way of defense.

Iain Pye [:

A really good example of this is the Georgia South Ossetia thing I think we talked about at a previous podcast. It's just all. Georgia was like, really was one of the first countries to be online. Everything was done that way. When was Georgia? Was that 2005 or 2007? When South Ossetia happened? But they were one of the first nations to really embrace doing your government online and everything like that. It just so happened when the tanks, the Russian tanks rolled across that border, everything went down and the Russians went. Not us.

Iain Pye [:

Not us. South Ossetia sympathizers, not us.

Jim [:

This is part of the problem again, I'm going to be in trouble with that particular red flag country. But they said the exact same thing, though, about the doping, didn't they, with the.

Iain Pye [:

They're always going to say, no, they didn't do it.

Jim [:

Even to the point where somebody had actually owned up and said, you know.

Iain Pye [:

They've been paid through, like, Cayman Islands accounts from another account to another account to try and trace. The money is poor.

Jim [:

If you're using one of the big defense contractors. Anyway, this is a line item, isn't it? You can say, okay, we'll put down that we bought 10,000 ground to air bang bangs, rather than you giving us the bang bangs. We'll just say we fired them off in anger at a tree stump somewhere out in Botswana.

Chris Dawson [:

One ballistic missile cost him 50 million. No one's going to want to look at it.

Jim [:

Yeah. It's just one amongst many that can get lost when in actual fact, they're paying for a group of skilled cyber mercenaries. Cyber mercenary. There's a cool term, cyber mercenary to work hard to kind of get into the banking institutions within that particular geographical organization. Maybe change a few figures, maybe do the old Superman three. Favorite one with Richard Pryor, which is take all the half pieces of currency and just amalgamate it all and pay off another group. But you've got to watch out when using criminal gangs anyway, because if you are, I say, a western country paying off a red flag based associated gang, then what's to stop them from just taking your money? Yeah, doing okay what you ask them to do, but then turning around and say, okay, by the way, guys, give us some money. Otherwise what we're going to do is we're going to tell the whole world that you just paid us to go and attack yada, yada.

Jim [:

They're not reliable. They're not a reliable mercenary group.

Chris Dawson [:

They're criminals.

Jim [:

Well, they are, yeah. They're not going to be honest, are they? I mean, to be honest, they'd be a bit crazy to do that, I suppose. Because then it puts you on a particularly large list of people who are going to go get a nice orange jumpsuit and wind up somewhere in a hot, humid climate being beaten with bamboo sticks. Or, you know, if they never leave Russia, they're not going to give us stuff.

Iain Pye [:

Yeah, true, but look at the DarkSide guys at the Colonial Pipeline. The DHA USDHA actually said that they managed to receive a significant portion of the raptor payment back because they found their crypto wallet or something like that. Oh, yeah, whatever, they seized it, but that's not going to really do much.

Jim [:

I think one of the things that I laugh quite a bit about in this space is the amount of information you don't get and the amount of misinformation that's around there. Let's move over to that sort of briefly. It's like, look at the various different well publicized security breaches recently where they say, oh, it was only 1000 records that were affected. Week goes by, okay, it was 10,000 records that were affected. You got stuff when somebody else goes, actually, no, it was 10,000. And then another three weeks down the line, it's, oh, well, yeah, actually it was like 10 million across various different groups who deal with your TV licensing and deal with your forces recruitment and so on and so forth.

Iain Pye [:

Is it the capital one, which is all the pension groups?

Jim [:

I wasn't going to mention the name, but, yeah, basically.

Chris Dawson [:

You can get away with lying a little bit for that, can't you? Because there was only 1000 files that was taken, but within them files, each of them have 10,000. There's another million files in each file.

Jim [:

Well, this is the other thing. Even if they do get fined for that, it's not going to become anywhere close to the amount they've earned off of the full contracts that they've gotten. Anyway, Cambridge Analytica, once they started getting caught, they were really desperately trying to use their own methods they'd been using to try to get themselves out of the shit they'd put themselves in. Criminal gangs. They just don't care, do they? They're just going to do whatever and just say, yeah, all right, whatever. And then occasionally you'll see the nation state that may or may not have funded them. Roll some bloke across a video camera and say, hi, yeah, we caught him. We caught the guy that did it.

Jim [:

I think it was funny. They did a video breaking in some poor sod's house. Yeah, we caught the three people doing it and we got their money as well. And there was like 10,000 rubles and three guys being lent on by some very nasty large military types who are obviously not treating. We don't know who these guys are.

Chris Dawson [:

Yeah. So anyone working for the government, unless you are literally in the army or the Navy or working for the intelligence, even the intelligence services have people that did go, oh, no, we have no idea who that person is. They never work for us. If you know something's going to bite you in the ass, you're going to use a third party as much as.

Jim [:

You possibly can, you're not going to roll. Who are the best at mean, let's face it, the US government have been well known for that. Look at Frank Abagnale, who went and defrauded various different people organizations for tons and tons of cash, like hundreds of thousands, millions. And then they stuck him in, finally, obviously caught up with him, stuck him in prison and just went, finds your job helping us out. Figure out how some of these people are doing exactly what you've just been caught. Yeah, sure. He's in infosec now. He works on the form of a number of infosec things.

Jim [:

I've seen an interview with him. He's really interesting. He did say that his life didn't quite go how it was portrayed, the film. There were a few things in there.

Chris Dawson [:

That were, when they say crime doesn't pay.

Jim [:

This is it.

Iain Pye [:

I think pays quite lucrative, but this is it.

Jim [:

I think unfortunately crime doesn't pay if you're lower on the echelons, if you're not that good at it, then no one's going to care. They'll catch up with you. I think in this case, they'll use your scapegoat and all the rest of it if you're part of one of these nation state associated criminal gangs. But if you're really good at it, really good at it, they'll look after you. They don't want you going anywhere. They want you carrying on, doing what you're doing.

Chris Dawson [:

Yeah. And that's what, like I said before, if you're paying the best that's out there or one of the best that's out there while you're doing that and you can monitor it, they're not attacking you. So it's a defense mechanism straight off.

Jim [:

But then there's also, because this is where the Conti files kind of showed what happened there. And I'm sure one of the viewers will tell me if I'm wrong. I think what happened there was some of the Ukrainian group members kind of got annoyed that the special operation was going off against them and then proceeded to roll on the rest of the group. They got really disgruntled and then grabbed all the chat files, grabbed all the information, and that became the Conti files leaked. You're not protected from that in any way, shape or form. I mean, if you were the UK government and you wanted to take a shot, another nation that you're about to go to war with, why would you use a criminal gang? Why wouldn't you use a more professional outfit? Why bother with the PR problems that come with it?

Chris Dawson [:

Because I think you can get rid of them PR problems, can't you? I could post online that the government has hired me to do X, Y and Z, and they can just deny it's literally just my word versus theirs.

Jim [:

I suppose, but, I mean, it's a little bit more difficult. They must have some kind of discussions and chats and chats. Any savvy cyber mercenary, let's term it as that is going to make absolutely certain anybody asking them to do anything has all the chat logs, all of the stuff ready to go in a little encrypted package that, should they get rolled on or thrown under the bus, they can say, right, actually, screw you guys, I'm going to release that and let everybody know what you've been doing.

Chris Dawson [:

Yeah, but we're talking about cybercriminals and we're just saying about you're going to pay the lowest common denominator and say, right, this is what it is and they're not going to have that, nor are they going to want to jeopardize. And if they get found out with any recordings or bits and bobs, it's going to be controlled by. If it was me, I'd be like, right, okay, it's controlled on our side. We control the talks, we control what's going into it. We pick the venues, we pick this. So you have no hard evidence that this ever happened.

Jim [:

Suppose you'll have middlemen, won't you? Is that how it works in the real world?

Chris Dawson [:

Yeah. So Richard Sunak's not going to knock on Wagner's door, is he? And couldn't lose a favour, could you? Any chance of whacking some tanks and rolling up to Moscow? He's going to have people that no one cares about their raft. They're going to ask them.

Jim [:

I don't think doing that anyway, is.

Chris Dawson [:

He.

Iain Pye [:

Seems like a lot like hard work, mate. And get it out my hotel room.

Jim [:

He's got plenty of meetings where he's got to whack up that old interest rate as high as possible to deal with the old printing of that quantitative easing issue that is still going on and saying, everything will be fine, don't worry, your mortgages will all be good.

Chris Dawson [:

Stand your ground.

Iain Pye [:

Yeah, thanks, mate.

Chris Dawson [:

I mean, to be fair, he is standing his ground any, because I think he's just lost in shares 10 million off the 400 million he's worth wise.

Jim [:

Oh, yeah. Must bite really hard there.

Chris Dawson [:

Yeah. So I think he's going to drop, I think this week he's going from Waitrose maybe to Sainsbury's.

Iain Pye [:

That's what it is.

Jim [:

Oh, it must be terrible. Must be terrible. But then obviously we're coming up to the end now. There's been a lot of back and forth about kind of this. Do you think this is a thing going forward? Do you think there are going to be purpose built cyber mercenaries who are going to band together and say, right, we're not going to do crime or we're only going to do attacks for contracts? Yeah, you contract us to do that. And if you're part of this group of countries in this kind of region, if you're a NATO country or if you're a BRICS country, let's be fair, it'll be all kinds of people. We'll do your work for you. So you can deny all knowledge of it, but it'll cost you this and a bit of immunity.

Chris Dawson [:

100% I'll be surprised if it's not already in full fruition, not even just like the tip of the iceberg sort of thing. It's got to be happening properly deep and not just against, not nation states, against nation in house as well. Political party versus political party. They must be doing that. Surely they've got the same thing.

Jim [:

Well, I mean, I suppose at the end of the day, if a newspaper can pay a group of similar individuals to buy on people's phones, either through some sort of software or hardware based.

Chris Dawson [:

News of the World.

Iain Pye [:

Yeah.

Chris Dawson [:

The Clybos now, anyway. Yeah, exactly.

Jim [:

They ran away and closed down before they could get a horribly, horribly sued, let's be honest. Well, I think they still did, but.

Iain Pye [:

In fact, one of the reporters that was doing it, he now does talks at infosec type events as well.

Jim [:

Yeah.

Iain Pye [:

So he goes into how they did it and what they were doing and stuff. It's really interesting, actually. Was he a proof sec or something like that? I saw him at once, yeah.

Chris Dawson [:

And that's the way it works, isn't it? Who owned it? Was it Rupert Murdoch owned world?

Jim [:

Who else does he own?

Chris Dawson [:

Everything. Yeah. So, I mean, we're going to do this for this government. If you get in government and you back us, we'll do this. Thanks very much.

Jim [:

So do you reckon the same group are going to be doing corporate stuff as well, then? Because, I mean, if you're going to be doing this for a nation state, you've already got a certain level of immunity that you're going to negotiate there as part of your contract for doing that kind of thing is the next step on the side of things. When you're not engaged with that, you're doing pay for corporate espionage, because we know that goes on. Do you reckon the same groups are going to be doing the same thing? Because that is criminal.

Iain Pye [:

But it's the same business though, isn't it? Yeah, it's the same business. At the end of the day, it's a different client and yet there's more risk to doing that if you get caught. But why not? Because the operations around it and the way that you go about it, pretty much the same, isn't it? You just lift one, set procedures to the other. Makes sense too, as well.

Chris Dawson [:

I'd say it was slightly less risk. If I'm an amazing hacker and then I'm working for the UK government, trying to hack into a Russian state, for instance, and Russians catch me, I'd rather much be done for corporate espionage and spend five years in a UK prison than I would be in an orange jumpsuit somewhere and going all day.

Jim [:

But we have reached a point where it's so lucrative now to be in infosec, whether you're on one side or whether you're on the other side. I suppose if you're on the more larcenous, not so legal side, you're probably going to get paid a hell of a lot more.

Chris Dawson [:

Yeah, but then you got the risks that come with it.

Jim [:

Well, you just become a cyber mercenary and then you just technically work for a government and you get covered by them. Just don't go anywhere that somebody can send you to a country you don't want to go to.

Iain Pye [:

Just go to a country with no extradition. Yeah.

Jim [:

Or maybe it'll just be done through the existing mercenary groups that already exist. They've already got their own hacking department.

Chris Dawson [:

You'd like to think that. Well, not like to think, because that'd be a terrible idea, but from a business point of view, as a mercenary group, if I was in general mercenary group, I'd be like, right, we need to get a cyber division up and running here and we can do this and we can push this out as not only can we storm cities with our tanks and cause a bit of havoc, we can also shut down grids and mess around with pensions and bits and bobs and really cause a bit of havoc to the highest bidder against wherever you want to send us.

Jim [:

I'd attack Iain's crypto wallet.

Iain Pye [:

I don't have one. What? Feel free. I'd like to see how far you get if I've got one.

Jim [:

Tell me, what kind of techie are you? Don't have a cyber wallet. Damn you.

Iain Pye [:

Because I'm a techie. That's paranoid of people.

Jim [:

Anyway, we're reaching to the top of the hour. It's been an interesting but unlively debate. I don't think we've really come to a conclusion, really, at the end, other than it is bound to happen. But whether or not it's going to be quiet, small groups behind the scenes or groups like the Vulcan group, maybe it will come out that there are a couple out there a bit like the Vulcan group in this.

Chris Dawson [:

I think it'll be quiet for a long, long time. Unless something big gets hit, because it's not like a physical mercenary group where you can see them. They're not blowing anything up. Nothing's going to go bang for people to actually notice. So unless if a government gets hacked or something happens, unless they shut down the national grid. Unless they collateral damage that comes with it. They can pretty much hide it away, can't they?

Jim [:

Well, that's a danger of cyber warfare, isn't it? You can see a burning building. You can't see a digital infrastructure that's been compromised until it's too late.

Chris Dawson [:

Yeah, and then when it is compromised, if it's going, I'm sure the press side of that government will be like, okay, what's this going to cost us to admit this? Can we literally just sweep it under the carpet and try and fix it? And nine times out of ten, they can do that for a little bit, and then when it does come out, they've already gone, oh, yeah, this did happen. But don't worry, we fixed it all. And everyone goes, okay. Because we know no better. There is nothing on fire. We cannot physically see anything on fire. So everyone goes, okay.

Iain Pye [:

It's a good business to get into because you got plausible deniability. Yeah.

Jim [:

Iain's like, right, how could I do get for sale one of my former consultants. We'll have a discussion, right? Okay, fantastic. Well, thank you, Iain. Thank you, Chris, my beloved co host. I always enjoy these lively debates where both of you have a poke at one another. In a friendly sense, or not that friendly. It's absolutely fantastic to be sitting down having a chat with you guys. So look after yourselves, and we'll be back soon.

Jim [:

Thank you for listening to the Razorwire podcast. If you like the podcast, if you love the podcast, please feel free to subscribe, and if you have any questions, please get in touch. Thank you very much and have a great day.

About the Podcast

Razorwire Cyber Security
The Podcast For Cyber Security Professionals
Welcome to the Razorwire podcast where we share information, best practices and up to date news in cyber security and infosec.

Our mission is to help you become a better cyber security professional and support our vision of creating an agile community of cyber professionals who are stronger than ever before.

This show is first and foremost about sharing knowledge and benefiting from collaboration. We bring you the advice and wisdom of both your host, James Rees, and his guests to build on the strength and depth of your own knowledge and experience.

Your host James Rees is an information security veteran with over 25 years of industry experience and is the founder of Razorthorn Security, delivering expert security consultancy and testing services on a day to day basis to some of the largest and most influential organisations in the world, including many in the Fortune 500.

The Razorwire podcast is for cyber security professionals looking for new ideas and the drive to improve their response to cyber security events. Through collaboration, we can strengthen our defences.

For more information about us or if you have any questions you would like us to discuss on the podcast email podcast@razorthorn.com or head to www.razorthorn.com

About your host

Matt Cheney

Matt is a podcast & content creation coach with over 17 years of professional experience. He has delivered content for global media platforms, brands, broadcasters, and apps, producing EMMY award-winning music features, BAFTA nominated animations, and iTunes chart-topping podcasts, among other projects. He has edited & mixed over 650 hrs of TV, recorded 10,000 hrs of narration and podcasts, and produced 10,000's of media assets for brands such as BBC, SKY, Nike, O2, Audi, RCA, Amazon, Google.
As the former Head of Audio for Vice Media UK and Rapid Pictures Post Production in London, Matt is well-versed in media and technology, as well as in leading and training creative teams.