Retired head of global security for Sony Pictures Stevan Bernard wrangled a targeted North Korean cyber attack. In this episode, he walks host Niki Christoff through the hours, days, and weeks after state-sponsored hackers infiltrated the corporate computer network. The conversation covers cybercrime, gunslingers on the Dark Web, the Lazarus Group, multi-factor authentication, password managers, and the importance of having a survival mentality.
Niki: I’m Niki Christoff and welcome to Tech’ed Up. Today we’re talking about cyber crime with Steve Bernard who led global security at Sony Pictures when North Korea hacked the company. Steve describes how the crisis unfolded and provides advice on how you can protect yourself when you’re targeted by a cyber attack. He says that’s a matter of when, not if. Yikes! Stay safe on the interwebs, everybody.
Niki: Welcome Steve Bernard to Tech’ed Up. Thank you for coming on the show today.
Steve: Thank you for the invite.
Niki: This is our first-ever remote recording. You're in California. So, we're going to say a little prayer to the WiFi gods that everything goes smoothly, which I'm sure it will. I wanted to first introduce you- how I met you, which is we are both advisors to a corporate security company.
And when I was giving my bio, I mentioned that I have done some crisis communications occasionally for cyber breaches. And then, you, were like, “Hold my beer. [both laugh] I was in charge of Sony's global security when we got hacked by the Lazarus Group,” which is a North Korean hacking group. And I immediately started Googling your career and what that meant and your involvement.
And I thought you'd make a great guest to break some of this down for people.
Steve: Well, thank you. I, um, you know what I've found over many years and is that a lot of companies that have been victimized through cyber attacks. Nobody's allowed to talk about it. And, you know, I left Sony, I retired from Sony about three and a half years ago, and, uh, I found a way to talk about it without pointing fingers.
And I think the point of it is that there's a lot to be learned. Right? And you know, if you can mitigate, um, a cyber breach, you know, or prevent it, uh, or not be befuddled when it happens, that's really good.
Niki: Yeah. And I think there are three things I'd like to cover. What the North Koreans are up to is sort of fascinating and the way they have constructed some of these hacking groups and where they operate. So I'd like to talk about that. I'd like to talk about something I've heard you discuss before, which is the psychological impact of employees when their organization is hacked.
Niki: And then the last thing is just organizational resiliency. Like most of us are not going to ever end up with a destructive breach from a criminal nation-state. Um, That's focused on shaming us or destroying us, hopefully, but there are still lessons to be learned. And I know that's something you help companies and organizations do now.
But let's start with the very first thing. So I didn't know what the Lazarus Group is or what it's doing.
Steve: The Lazarus Group is another way of identifying this group in North Korea that actually was created out of the reconnaissance general bureau: RCG. And another term for it is APT 38. There's also APT 37, and, uh, apt is “applied persistent threat.” So a breach happens and they're in and they really don't want you to know they're in and they want to be in for a long time and they want to take whatever they can take for various reasons of espionage or, competitive intelligence or whatever.
So this group, y’know, I think was originally was created in more of a militaristic way. They've also turned to cyber crime and criminality, and they're very good at it. And just to give you a couple of examples: Dark Soul, which was the attack on the ATM's and the banks in South Korea. Wanna Cry 2.0 - North Korea. The Sony pictures attack, no question. The swift bank heist. Many, many other attempts...the Bangladesh banks, that could have been a couple of billion dollars. And there's many more that, that have occurred, are occurring. And part of it is that, you and I talked about this, is that their economy is, uh, weak, they struggle to feed their people.
Criminality through cyber is a way they can reach any corner of the world and they don't just do it anymore out of North Korea, they have their quote unquote “agents” operating out of several countries around the world.
Niki: Not only is their economy weak, but it's weak because we've sanctioned them within an inch of their life. The global community has, right? They’re a Hermit Kingdom, partly, through their own design to control information. And partly because we've sanctioned them.
So they've turned to cyber crime and I wanted to touch on exactly where you were going, which is where are these havens? Their hackers are operating because they don't have great connectivity. [Steve: Right] When you look at a map of lights that are on around the world, North Korea is always dark.
They don't have great infrastructure. And so, they clearly have hackers who are, I assume, North Korean nationals around the world. And, where are those havens for them? Because they must be connecting to the internet somewhere.
Steve: Um, [slight pause] All of what you said is correct. They estimate there are about 16 organizations, operating in 11 countries that are all driven by North Korea. What goes on there from a standpoint of, y’know, young people, very young people who they've identified as having certain cognitive skills, analytic skills, mathematic skills are recruited at a very young age and trained and developed in cybersecurity and are very capable, very good at what they do. And each of them has a different role or responsibility. It may be something purely for the benefit of the country. It may be something where they're generating revenue, that they shouldn't be. Who knows? It's all over and you know, they're in parts of Europe. I know they're in China, Russia, Romania, to name a few.
Niki: I'd like to shift to... you had a really bad day at work in November, 2014. So you were the head of all global security at Sony. So physical security, cyber security, data privacy, intellectual property, 50 countries, 150 offices.
And you discovered on that day, although it probably didn't happen that day. That you were the victim of a destructive cyber breach. What was that day like and how did it unfold?
Steve: We were aware that DPRK was not happy with us in summer of 2014. When we became aware of the attack was, uh, November 24th, 2014. And DPRK had written a letter to the President of the United States and also one to the UN. And they said, if we released the movie, “The Interview,” they would consider it an act of war. Underscore act of war.
Never underestimate your enemy. And remember, that every day when you wake up, you may have a new one or a new, y’know, how many? who knows! Depends on what you're doing.
The fact that it was seven years ago, almost, it could be seven minutes ago, the same tactics, the same malware's for sale on the Dark Web. A lot of people know how to use it today and it's pretty sophisticated, by the way, it's a wiper malware, right?
So, if they want to use it that way not only are they going to get in, they're going to exfiltrate, they're going to surf around. They're going to take whatever they want to take. And they're going to start to wipe you out. So, imagine that, and let's say that you were me at 7:00 AM that morning, on a Monday morning, on Thanksgiving week. Of course it's a holiday. [Niki: Of course] Right? [Niki: laughs] And why is that? Because a lot of people that are decision makers, you can't find ‘em, right? [Niki: Yeah. This is intentional!] Absolutely! [Niki: Yes] The Saudi Aramco attack where 40,000 laptops were wiped out. Same thing. It was a holiday when it happened.
So, someone came into my office and they showed me a screenshot on their..and it was a red devil and it said, “Guardians of Peace.” And it was kind of an extortion attempt. It was a threat. And then there were some links which none of them worked. But what we realized then is anybody who turned their equipment on and tried to connect was not only frozen, right?
Like a ransomware attack. But their data was dissolving. So that, that's what allowed the malware to wipe, You had to be connected. So probably 3,500 people in the LA area on the studio lot and other ancillary properties. And we took copy paper and we ran, we wrote on one and said, DO NOT turn your computer on and we did desk drops [Niki: [hushed] WOW] all over the place. And then we realized we couldn't really use email to connect in 50 other countries.
Steve: We were able to save a lot of data. But remember, the intent of North Korea, I think was don't release the film: shame, embarrass, exfiltrate data, including the Bond script for the film that just came out [chuckles] [Niki: mm-hmm] which they had to rewrite and destroy it. You have someone who is very capable, who was very angry, who, who wanted to make a statement. [Niki: mm-hmm] And, and certainly there was a statement made. It didn't stop there.
It started there. But the other decisions were Day One decisions that I, I really have to emphasize how important they are. Um, it was who are you going to call? [Niki: mm-hmm] Right? What are you going to do?
Are you going to bring in law enforcement? It's a criminal matter, obviously, and in this case, we pretty well knew who the adversary was. And, we had a pretty good idea what their intent was. So, um, we called the FBI, um, after some debate over losing legal privilege and some of those issues that everybody worries about. And my response to that, early on, was, y’know, when they- when I was told, well, we're going to lose control. My response was: we already lost control.
Niki: [chuckle] Yes. We have a red devil on our screens, [Steve: Right] melting our employees’ and executives’ information [Steve: Right] and leaking the Bond script.
Steve: There you go! You know what? To this day we never regretted calling the Bureau. That afternoon I had six cyber agents in my office. One of whom was South Korean, who had been in South Korea and helped them investigate Dark Soul and was familiar with the same malware that was being used against us.
So, one of the things about the attack, though, that, y’know, people, I know most people would say. You said it, oh a nation-state attacking me with the intent to destroy me- very unlikely. Okay. It is very unlikely intent to destroy [Niki: mm-hmm], but destruction can occur through other means. Right? They siphoned millions of dollars off, or they steal your assets and they go public on PaySend, or there's a bunch of other ways they can get to you. The other thing we decided to do, and this is a hard, hard decision and you probably, most people don't plan for it was to disconnect or unplug worldwide.
No more connectivity, no more internet, no more email. Now, you have a crisis to manage and you have a business to run, and there's a distinction there. So you need people, including leadership, who can focus on continuing the business and others who can just deal with that crisis. And, by the way, the crisis didn't stop coming.
Y’know, every other day there was something new and social media around the world. They were all over this for three weeks. The hottest story in the world. Y’know, it just didn't end. Nobody got sleep. I can also say to you that when you walked out on the lot, on the studio lot, that day, the day after, the day after, it was like some people you look at they're like zombies, right?
If you think that your employees are not also victims when you have a cyber attack, you're mistaken. So, don't forget that. And you need them [Niki: Yeah] You need them to help you. Day three, we brought the FBI's victims unit out and we commandeered one of our large soundstages. We had probably 600 or more people in each of eight sessions and the Bureau said, “you are victims.” Here are your victim rights. Here's what you should do. And here's what you should know.
And by the way, some of our employees got emails from the Guardians of Peace suggesting to them that they should influence their employer to not have that film release, or there's going to be a price to pay. Think about that! They individualized it.
Niki: Right! And this is where I sort of laughed off- you know, it's unlikely that I'm going to be the victim of a destructive nation-state targeted cyber breach. But [pause] Sony pictures, not Sony pictures in LA, but Sony is a Japanese-based company [Steve: Right] within, I think you mentioned this to me, within missile strike distance of North Korea.
I mean, the North Koreans abduct the Japanese from their beaches. Right? So, I mean, [Steve: Right] so I think that actually, it might be a psychological effect when you're at a company where a, a, large number of employees at the umbrella company are so close, but psychologically, clearly the impact is enormous.
If you can't turn on your computer, you can't use your work email. Your job has changed. Potentially indefinitely. And your company is literally having it's-[chuckle] I think you used the word, did you say wiping or melting their data behind the scenes? [Steve: They were wiping.] Wiping it, so it's yeah, it's absolutely terrifying. And then you get a note to your personal email telling you to get your employer, not to release a movie.
What are companies doing or should they be doing with, with regards to this?
Steve: One is you got to increase the awareness level of employees and have them be much more aware of what to watch for. What are the tricks and tactics that people are using today? Both at work and at home. It happens, and on your mobile device, right? They're getting really good at this.
If I send an email to somebody at Sony pictures, right now, when they receive it, there's a red banner or whatever color, yellow, it is. Um, something like, just so you know, this email originated from outside Sony pictures network. Period. It doesn't mean it's bad. It just means you should pay more attention to that. And especially in business email compromise attacks where they're trying to get your money, to get you to move money. That's a red flag. That's a good one.
And then, the other thing that is so important is, don't expect your employees to figure it out on their own. Especially in the work from home environment we have today or work from anywhere. Educate ‘em, you know, mandatory training and, and, and the training has to be, uh, such that it, it rewards good behavior, not punishes bad behavior.
Niki: What do you mean by that?
Steve: Well, the guy that, you know, opens everything, it doesn't pay any attention he needs to be talked to, but he doesn't need to be shamed.
Niki: [interrupts] Mmmm…Oh! should we start? We should have a different tactic with all our parents, then? [Both laugh] [Steve: Yeah] Then all of us, all of us are going around looking at this stuff our parents have downloaded. Umm..[Both chuckle]
Steve: If you teach them to have good cyber hygiene at work, do it in a way that you're teaching them to have good cyber hygiene away from work, at home, personally. And they can educate their family and their friends and their relatives. That's a big deal. Cause who isn't connected anymore?
Niki: Right, and what, and I think one of the things you were talking about, which is crisis planning and I've done some crisis planning, but never have I envisioned a world in which my company couldn't communicate on our own systems.
So, we would have plans where you follow the sun, right? You'd have somebody in each time zone set up, we'd have ahead of time, cross-functional teams set up. We would have regular phone trees so we could call them, but we've never really, I've never worked at a company where we thought about being completely unplugged.
Now I've worked at tech companies, some of whom I worked at Google, right. They're one of the most secure companies in the world. But even so, just even thinking through that, especially if you're at a smaller or mid-size organization or a government agency, that concept that you couldn't plug in, what do you do then? And having a plan for that sounds like it's something people should be thinking about now.
Steve: So, on the planet what I would encourage is next week, next month, don't wait too long. How you build your networks and systems and design them today, the architecture, if you will, um, you can do it in ways that you contain and you create segments. It's like the Colonial Pipeline attack, [Niki: mm-hmm] the operating technology system and the IT systems, um, were pretty well built so they were, they had the ability to separate, right? So when the attack occurred, that's why the whole thing didn't go down and why they were able to come back pretty quickly.
So think about how you do that. And so, compartmentalizing is a big deal. You want– ask yourself, honestly. Do you really need 12 years in your archive of your email?
Steve: No, you don't. [Niki: laughs] I cannot imagine, seriously. And all the documents and the attachments. You really need that? No you don't. And, and boy, when you say so, so here's an example of a way to do it. 90 days on your work surface, all your email and all that stuff is active and your folders and everything. If you want to go back further than that, you have to go through a different network into a different server.
Niki: So my side of the ledger in a crisis, yours is making sure that the systems are secure, but it also helps you legally to have automatic deletion policies. Just people, do not. I mean, who knows what people are slacking about, but just delete that. Regularly. [Steve: Right] Do not keep it.
Steve: Think about the money you save on storage. And, and just the management of all that data. Oh my God! Every chance you have on everything you access, you should try to have multi factor authentication. It takes a few extra seconds. And it really makes a difference.
Niki: So, multi-factor authentication, don't shame people. Shame is not an effective cudgel at getting people not to click on things. Have people be aware of what's happening around them. Delete old data. By the way, Tim Cook is doing me a favor, ‘cause he keeps trying to get me to pay 99 cents a month. And I'll be goddamned [chuckles] if I'm going to pay 99 cents a month for extra cloud storage. So I've been deleting a bunch of stuff from my iCloud account. Deleting old legacy files, or making it harder for people to get to them. I actually think deleting data is good in general because it's a practice as opposed to a cover-up.
It's just something you do as good hygiene. One thing I have a question about, and I've had this debate with my new associate, which is password managers. And I feel like if Sony can get hacked by the North Koreans and a little red devil is going to come up and tell you that you have to do X, Y, Z, and not release this movie, can't they hack into my password manager?
Steve: You know, there's been some instances where that's occurred. The one I use, they're going to a web management system [Niki: mm-hmm], which kind of bothers me. I need to take another look at it. ‘Cause I'm, I'm pretty trusting of them with my information and they tell me the only way anyone can get in there is if they have my master password. Right? They can't get in. Nobody can.
Well, but, but guys that have the right scanning tools [Niki: Right! You’re typing your master- yeah] [crosstalk] Boy, they can get into stuff this, this long. I mean, so I don't know. I, I’m really debating whether or not I want to go back, because I'm religious about it. And I have probably, I don't know, 30 pages, little handwritten notes of my passwords because I don't ever use two of the same. I never repeat. And I change most of them every 90 days.
Niki: Oh man. You're leading by example.
Steve: That's my habit. And by the way [Niki: mm-hmm] that I use, I use 12 character or more. But the thing about that is today, people say, oh my God, I can't remember one, let alone, thirty phrases [Niki: mm-hmm]. Phrases that only, you know, right? You don't have to be, y’know, up and down and hashtags…A phrase that's, y’know 25 characters. It's not hard and only you know, and maybe, it relates to certain apps that you're getting into, but not to others. So you mix it up a little bit, cause, you don't want, the last thing you want [Niki: mm-hmm] is somebody to get that and then, you know, be able to penetrate everything else.
Niki: I think that the guy who told all of us, and I think it was a gentleman, who said that we all needed zeros and pounds, exclamation points, whatever. He has since said just longer is better. [Steve: Right] To your point and something that someone won't guess. We had a trick, uh, at my last company that you would use the first letter of a phrase. So say it was four score and seven years ago, but you'd use the first letters of a phrase that was in your head and make it really long.
But you know, now we're all going around using the same exclamation points, or whatever [chuckle]. [Steve: Yeah, yeah] So it's not, not safer than if they're just long, but I mean, you've really- I think most people, even people who are conscious are doing what you're doing, which is changing every 90 days and two factor authentication on everything but if you're reusing that password, it's not that hard for people to get in. Which leads me to the last topic I wanted to discuss. You mentioned it's not just nation-states and it's not just state actors, but a lot of people have the access to malware and they're on the dark web. Can you talk about that a little bit?
Steve: Yeah. I think what's really, created a whole new profession, if I can use that term loosely, of criminals, is ransomware and the amount of money that can be made with largely with impunity, right? So there are certain countries we know that are safe harbors for cyber criminals, as long as the cyber criminal doesn't attack the host nation or embarrass them. But what's happening on the dark web is that everything's for sale, right? And the dark web is different than the deep web. The deep web is where, you know, lots of people do a lot of legitimate things.
The dark web, a little harder to get into, but ransomware as a service is for sale. The malware, the tools that you need to, to break in and penetrate, you know, the tactics that you need. There are people that, that, for hire, will help you negotiate the ransom. Will help you transfer payments. Will help you y’know, wipe out a system. Whatever it is you would like to have, and they get a percentage of whatever the take is. And, and honestly, y’know, among all of these individuals that have different offerings there's is an element of trust because everybody's getting paid. [Niki: mm-hmm]
We've got to get together, there's strength in numbers. And, y’know, if, if 20 nations say to, uh, the head of a particular nation, I won't mention the country. We can guess. Enough's enough! If it doesn't stop, we're gonna, we're gonna go at it. I don't mean go at it and drop bombs. I mean, there's a lot of ways to get to these people. And, and the problem that exists is, in some of these nations, maybe a half a dozen, we don't have any extradition treaty rights. So, even though we know who did it, you know, we know who did the Sony attack. [Niki: mm-hmm]
Right? His name is Park. [Niki: Hmmh!] Uh, he's done several others and there are warrants for his arrest. But do you think he's ever going to go somewhere where he can be extradited? Not unless he's, you know, high on something. [Niki: mm-hmm]
Niki: This actually leads into the next episode we're going to have, which is, we have a woman coming on to talk about these attacks as acts of war. And you said that you got the notice, right, right before Thanksgiving saying if you release this parody film it's an act of war. But there's an argument to be made that these attacks are acts of war. And we should talk about the policy implications of that, which we're going to do on our next episode. The last thing I want to end up with again, is shame.
Niki: So, if there are billions of attacks every day [pause] and companies are afraid of being seen as being caught. Not just as a person, an individual, but the companies or the organizations or the governments themselves, or an agency themselves as having missed it, are they more reluctant to come forward? Like, is it more frequent than we know because people are ashamed to come forward and say what's happened or they're worried about liability?
Steve: Yeah, there's a lot of reasons why they should worry. Right. Publicly traded companies, small and medium sized businesses. What's coming, is going to be a mandatory reporting of incidents [Niki: mm-hmm] for all, all suppliers. Well, it'll be for the government, but, but also for all of their suppliers that do contract business with the government, that if they have a cyber incident, that they're going to have a period of time to report it, and it's not going to be long.
And then the question with that is, do you, do you reward them or do you punish them for reporting it? And I think, again, carrot and stick [Niki: mm-hmm], I think what we're going to see is they're going to try, creating some rewards and the rewards may be we're going to come in and help you with this. That could be pretty cool. Right? But, but if anybody crosses that line and it becomes punitive, that's a problem.
Ultimately there are no secrets in cyberspace, things become public and you've got to get in front of it and you might as well. And y’know, within reason be forthright. Let, let your people know, let the public know, let your shareholders know, let your customers know. Let me say this about the Sony pictures attack. Nobody wanted to connect with us for awhile [Niki: mm-hmm]. Right. And that was understandable.
But guess what? AMC theaters, they were threatened with 9/11 type attacks if they showed the film. I had a company, a production company in the UK who was making a film about DPRK and they, they wanted my advice and you know what? I couldn't give them any assurances. So they shut it down. So the ripple effect of this is huge. Even the US government, when we were attacked, they were worried about, well, if they can do it to Sony Pictures [Niki: Yeah], because we had pretty good cybersecurity, then they can do it to anybody. Right?
Niki: Well, that's, it's chilling. [crosstalk] [laughs] We can end on the chilling notice that, even the United States government was freaked out about it. [Steve: Yeah] So, your message basically is start planning now. Don't plan for if, but when. Have a set of decisions, pre-made to the extent you can, including whether or not you're going to use law enforcement and engage them. And, be sure that you have all your employees engaged and their eyes open to what's happening.
Steve: And have a survival mentality in everything you do.
Niki: Yeah. Very good. Okay. Well, thank you for coming on the show and taking the time.
Steve: Thank you very much. I enjoyed it.
Niki: Next week our guest in the studio is Niloo Razi Howe, a cybersecurity expert and tech investor. She’ll unpack some of the reasons cyberspace feels like a hot mess and how we can fix it. Be sure to follow Tech’ed Up wherever you get your podcasts. New episodes come out every Thursday and video content is available on YouTube. The link is in the show notes.