
North Korea's Cyber Operations with Mandiant's Michael Barnhart

Aug 14, 2024 | 28 min | Season 1, Ep. 32

Episode description

In this episode of Cyber Focus, host Frank Cilluffo sits down with Michael Barnhart, who leads North Korean operations at Mandiant. The discussion delves into the activities of APT 45, a North Korean cyber group responsible for an array of global cyber attacks. The conversation explores how APT 45 operates like a criminal syndicate, focusing on their ability to exploit vulnerabilities at speed, the role of insider threats, and their targeting of critical infrastructure. Barnhart highlights the importance of understanding North Korea’s cyber strategies and the broader implications for global security.

Main Topics: 

  • APT 45's Role and Operations
  • North Korea’s Cyber Strategies
  • Targeting Critical Infrastructure
  • Insider Threats and IT Workers
  • Global Implications

Key Quotes:

"We don't really see them as a government regime as much as we see them as a cyber crime, a single mafia family." - Michael Barnhart

"Traditionally, organized crime types try to penetrate the state. In North Korea's case, it's the state penetrating organized crime." - Frank Cilluffo

"This is a country that definitely doesn't want you to pay attention to them. They operate [by] being underestimated. They like that."  - Michael Barnhart

"Has North Korea put an insider threat someplace? Yeah, we're seeing it now. Will they push the button? I think in a moment of conflict we might try to see insider threats doing destructive attacks on the inside." - Michael Barnhart

"These missiles were blowing up in the launch pad years ago now. They're doing so well that they're selling them to other countries." - Michael Barnhart

Guest Bio:
Michael (Barni) Barnhart is the lead for all of DPRK operations within Mandiant. He's spent 19 years as an intelligence professional, starting with Human Intelligence collection doing tactical raids, interrogations, and source operations with regular Army and Special operations.

Transcript

Frank Cilluffo

Welcome to CyberFocus from the McCrary Institute, where we explore the people and ideas shaping and defending our digital world. I'm your host, Frank Cilluffo, and today I have the privilege to sit down with Michael Barnhart, aka Barney. Barney served 18 years as an intelligence officer, started out at U.S. Army as a human intelligence collector, and then went on to support special operations and others. He is currently at Mandiant and leads all of the North Korean operations and team at Mandiant. So, Barney, pleasure to have you today. Thank you for joining us.

Michael Barnhart

Thanks for having me.

Frank Cilluffo

So you came out with a major report, and just for our viewers, on APT 45. Before we go deep on APT 45, I think it might help some of our viewers to understand how we designate advanced persistent threats and not get into the whole lexicon name game issue. But anything you want to shed there in terms of what an APT is, and then we can go into your new report.

Michael Barnhart

Absolutely. And I think you kind of nailed it on the head right there in regards to a cyber group, because this is an APT is just another name for a cyber group. But the things that come with an APT designation is really what brings it extra resources, renewed focus. It's us naming Andariel, common name Andariel, as APT45. It's not a new threat and it's not something we're just now tracking. This is an actor that's been around since 2009. What we're doing here is that we wanted to roll out our investigation and all of our findings because it met certain thresholds that we knew. Oh, I think we need to really focus on these guys. Here's some renewed efforts. We want to work with our partners and really send a message globally and what we're dealing with.

Frank Cilluffo

Awesome. Thank you, Barney. And I think when we look at APT 45, I think it would help our viewers and listeners to sort of get a snapshot in terms of some of your key findings. And I just want to underscore here, Mandiant has done some phenomenal work. I was just sharing with Barney. I happen to be testifying years ago with, I think it was Kevin Mandia and Richard Bejtlich on APT1. And now we're actually able to talk about threat actors in ways that some of us could have gotten in a whole lot of trouble. So, Barney, you want to maybe give us a quick little bit of a snapshot about APT 45 and then more generally how it differentiates from other North Korean actors?

Michael Barnhart

Yeah, so we could. We could talk really the ecosystem might actually highlight a little bit better. So you have in North Korea as in itself is very, it's very different in many, many different ways. And obviously cyber isn't going to change the mold. Everything's, it's, everything they do is a little bit odd, it's a little bit unique and it's very, very agile. So really we kind of in our team, you know, we don't really see them as a government regime as much as we see them as a cyber crime. A single, single mafia family. When you start putting it into a very criminal framework, you actually kind of understand them just a little bit better. And in the same ways that, you know, your other adversaries or allies, you know, it's top down. Funding North Korea is not like that. They're bottom up. And so every piece of the puzzle, all of the cyber units do play a part into the larger whole. So APT 45, their job, they're the ones that are getting the blueprints. If you really want to sum them up in anything, it's hey, I need to build pharmaceuticals, I need to build weapons of mass destruction, I need to increase my own grid, I need to build it. These are the guys you're going to call to actually get the job done and get the, get the plans made. How that plays into the other, the system, you can kind of look back at APT 43. That was another one that we, our team worked very, very hard on. Those guys again, everything is to serve the regime as a whole. So if you're not financing the regime. So I'm a crypto APT. I'm there to steal money to finance the entire government. I'm with APT 37, or more Ministry of State Security focused. I'm focused on the people so they don't defect and we can continue the government. APT 43 was trying to find out what people were saying; that was the de facto embassy. So again, all playing a part in APT 45. Those are going to be the guys to take the blueprints to actually make everything that is stolen or everything that they're trying to do operational. And what the interesting part here is, that how successful they are.

Frank Cilluffo

Which is great, and I want to pull that thread a little bit further. But maybe, but disagree with me here. I mean, traditionally organized crime tries to penetrate the state. In North Korea's case, it's the state penetrating organized crime. Is that fair? In essence, they've been cut out of the international economy. And the reality is, is they used to be deeply engaged in counterfeiting currency, the so-called superbills and what have you. And this is today's equivalent of that. Is that fair?

Michael Barnhart

I don't know if you can hit the hammer on the nail better. Yes, 100%. I mean, like you said, these are the guys we're with, you know, at one point running ops through like crime families in, in the Yakuza, I believe, out of Japan. They were the ones that knocked over the Bangladesh heist. Again, it was a very flawed attempt at that. And they're running it through. And the mules coming through the casinos there. Yeah, it is a, it is a very, it's. They are cut off, but they, you know, they, they, they get the job done by any means necessary. And I think they've really taken a shine to that. They're opportunistic. They're going to play the game with the cards dealt.

Frank Cilluffo

And I want to get to some of that as well. But before doing that, I mean, not all hacks are the same, not all hackers are the same. Intentions vary, capabilities vary, the tactics, techniques and procedures they deploy, and tools and targets vary. I think in your report you also underscored the significance, and somewhat unique from a DPRK perspective, that they're also targeting critical infrastructure. Is that correct?

Michael Barnhart

Absolutely. And that's actually what kind of got us into this mess. Again, Mandiant, we were doing our own things for a while. We have been tracking them since really the genesis of kind of how our company started; again, that's postdating even whenever they came online. But it's not the renewed focus, the APT that we're doing here, that came from a criminal effort. Again, this all started at a little hospital in Kansas that got hit by ransomware, and authorities started working it and then find out that it's not criminals that were ransoming the hospital, it's actually nation state. And so once we pulled that thread, that's when they caught my eye and I wanted to play. And so we brought our extra resources and it's just, it's so fascinating to me again to try to blend in with the cybercrime, try to blend in with the other criminal groups coming out of Eastern Europe trying to target hospitals. This is right after Covid too. So they knew hospitals were going to pay up, and all of it had nothing to do what they're doing. It literally was just to finance what they were doing so they could turn around and go and chase missiles like they actually wanted.

Frank Cilluffo

And I might note just on the heels or at the same time as your report, the Department of Justice did indict an individual who worked for, allegedly, RGB, which is intelligence service for North Korea. So this is, I mean, it's sometimes hard to discern who's the puppet, who's the master. But clearly in this case, this is state. State driven.

Michael Barnhart

Yes, absolutely. And again, they didn't want it. This is a, this is a, an organization. Organization. This is a country that definitely doesn't want you to pay attention to them. They operate being underestimated. They like that. Again, when they were trying to fund their own operations and doing the ransomware activities, they were using LockBit, they were using Maui, they were using things that didn't say North Korea. It was on, you know, until you start really peeling back the onion, that's when you get into it. And as you said with those indictments, those are some of the. Just kudos to them for, you know, pushing those at the time. This was the people that we worked with on this, some of the top notch I've ever had a hand in with. So it was really, really just kudos to them on that.

Frank Cilluffo

And truth is, is we have to get to the point where we flip the equation, stop blaming victims and start blaming the perpetrators. And I'm not sure we'll ever arrest our way out of this problem, but that has to be part of the solution. So I'm all in on law enforcement disruptive activities, as well as obviously the indictments and the like. Hey, one thing I'd be curious. I think you also highlighted in your report the potential that most criminal organizations are utilizing tools that are widely available to others. But are they developing their own malware and ransomware in particular, do you think?

Michael Barnhart

Yeah, they. Again, part of the infrastructure. Whenever you start peeling back the ransomware and the actual malware that they're using, you would see the top ties back to. Okay, this is actually how you start finding it, and you tie it to the actual main country and the RGB, and how their investigation, they did that. But yeah, this is. They. They have their own signature malware. And our, our malware guy, he, we, we. We had fun naming some of the malware. Everything kind of had a little bit of an art theme to it. Art curator, frame, picture. We kept it in a theme. And it was almost because it was like an art heist at times. You know, they were off grabbing these things. But a lot of signature malware, and really a lot of it stems back from that old Dtrack malware. They targeted an Indian power plant, which I know that we had kind of done some investigations on too. So they definitely are skilled. They have a couple different operators on their team and inside their holdings that are specifically for malware.

Frank Cilluffo

And you highlighted the significance, what I refer to as CNE or computer network exploit or espionage. And do you envision that APT45 could transition to more of a CNA threat? Or is it a computer network attack, or is it already?

Michael Barnhart

Yeah, absolutely. And I think that's also kind of the scary part too.

Frank Cilluffo

If you can exploit, you can attack, right? I mean, that's the bottom line from a cybersecurity perspective. Yeah, sorry, go ahead.

Michael Barnhart

Yeah, this is the same group as DarkSeoul. They did, they took down, I believe some, I believe was media in South Korea. They have done destructive attacks for sure, and they weren't far in the investigations going on. With the Indian power plant, you see kind of the CNE, is it about to become CNA? Again, different trip wires weren't crossed. So you don't really know. But you don't know. But the Sony attack, again, that's not quite this group. But North Korea will switch to a destructive attack. Andariel has done destructive attacks in the past.

Frank Cilluffo

And do you sort of come up with indicators that you think could delineate that they may transition from exploit? Is that something you and your team assess and evaluate? I know there's a bit of art to that. It's not purely a science. If it were, we wouldn't have problems, we'd be stopping it. But. But what are your thoughts there?

Michael Barnhart

I think if we're going predictive analysis based on things that we've seen in the past, coupled with the holdings that we have and the partnerships and collaborations that we continue to leverage, I would say yes. And I don't think it's going to be now. I think it would be in a time of conflict and I think it would involve. During this investigation we saw a lot of the North Korea IT workers, and we're starting to see a lot more overlaps between them and APTs. And seeing how an IT worker might as an insider threat might allow an APT to come in and how well adjusted they were to APT 45. I think of this. Has North Korea done in the past Sony hack, DarkSeoul? Yeah, they'll blow it up. Has North Korea put an insider threat someplace? Yeah, we're seeing it now. Will they push the button? I think in a moment of conflict we might try to see insider threats doing destructive attacks on the inside. You know, APT 45 included. So this is absolutely, absolutely. I think, I think the writing's on the wall and I think people are definitely waking up to it.

Frank Cilluffo

That's a great point. And the reality is it assumes that the perpetrator, if they can exploit it, depends in large part upon time and their intentions at that moment. Right. And I think you also underscored in the report on APT 45 that they did target Indian nuclear facilities, which clearly enables their nuclear aspirations. Correct?

Michael Barnhart

Absolutely. In fact, some of the investigations, you know what Andariel, APT 45, as we now call them, you know what they're after. They're looking for research and development. And if they're going after a pharmaceutical company, it's very easy to say, I'm just going to assume. Where's your research and development department? They probably got hit. So whenever we see some victim that we were working on, our team, we would look at them and we go, okay, APT 45 has hit these guys and they're, they're taking, you know, exfil. Why do they hate them? We'd have to dig for hours. And then you, then you stumble on it. And there's a, oh, this certain part is for a high heat mold. Mold for a jet fighter, you know, pilot or jet fighter plane or a weapon of mass destruction. Like, okay, I knew it was going to be somewhere in here. This makes sense now. So, yeah, you can definitely kind of piece out what's, what's going on and some of that stuff.

Frank Cilluffo

Fascinating. And you touched on the whole IT worker situation. Could, could you shed a little more light? This is a pretty big deal, is it not?

Michael Barnhart

Yes, sir. And it's definitely, as you know, whenever you're starting to move around your teams and getting finished with these big projects like we did with APT45, you're looking for your next thing. And our next thing was circled before we even done. And it's IT workers. Yeah, I didn't know the IT worker problem set and the intrusion set until I started working this specific one. It's traditionally they are IT workers. Again, these guys are here to make a dollar any way, shape or form to fund the regime. IT workers are trying to get jobs, insider threats. They just, I'd rather work. And they're there to make money, so they're not trying to blow up their spot. But an IT worker that gets a job at a strategic intelligence requirement location, such as a nuclear facility, a bank, if they're trying to make money, something big, that's whenever you might see an APT come and tap them on the shoulder saying, hey, step to the side. I want to have a hand in this. And as we look at APT 45, we'd see more IT workers and more IT workers. And now we're seeing them across everybody. But APT 45 seem to have some of the more hands-on approaches that, that the IT workers did. So that's definitely one we're going to take seriously too.

Frank Cilluffo

And when you think about it, it does redefine the insider threat models we're all struggling with. Right. I mean, it requires a whole reexamination because your insiders and your outsider is actually an insider. So yeah, it throws the.

Michael Barnhart

Not even to mention too. And it's. The crazy part is, is that every day I feel like it gets more and more complicated. Now we're looking at fac. So the person on the screen isn't going to be sometimes a North Korean looking person. It's going to be someone who looks just like me or you, and they're there just to secure the job. And then once they get the job, keep the laptop camera off and then they'll continue working or steal code or blow something up. It is very, very redefining. I think that's a good way to put it. We're going to have to definitely reevaluate everything too.

Frank Cilluffo

And that is a big deal. Just because a lot of our assumptions and risk models are based on what potentially will have to be at the very least updated and. Absolutely. And if North Korea can do it, others can too. I would assume so. Yeah. Trendsetters. Not in a good way. Yeah, exactly. So one of the things that I struggle with a little bit, maybe I think our viewers would be interested. And you look at a map at night, you see Korea and you see South Korea very lit up. You see North Korea pretty dark, not a whole lot of activity there. How is it they are a cyber power and are they benefiting from safe havens elsewhere? Witting or unwitting? Can you help me unpack that a little bit?

Michael Barnhart

Unpack is a good word there. Yeah, it is definitely a nut roll. It is accurate though. And that's, it's definitely. They're also unsuspecting too. And that goes into the whole overestimating or underestimating them, really the actual operators. Those guys are vetted at a very young age, you know, made sure that they're going to be loyal to the regime. They usually never get to leave, you know, cross the borders into neighboring countries at all. This is a. They stay in and they're, they're. There's reporting on them called cyber slaves, like they're so good that it's almost, you know, to their own detriment how good they are, but they're very, very in and they're squared away at such a young age. They're not just going after a computer scientist, the sciences, they're going after problem solving skills. They want to make sure that no matter what situation you're thrown into, you can absolutely adapt to your environment and get the job done. So, so the. There's not many people that have access to a computer, but like an operator or one of the guys that do have access, they're extremely skilled, and I hate giving, you know, the adversary any type of credit, but whenever you think of North Korea operators, agile and adaptable and fast, and that's, that's something with them for sure. But the problem is, is that again, there's so much infrastructure coming out of North Korea that you really have to rely on externals. IT workers. Your actual, not your operators, your malware developers. Again, those guys were located in the Sinuiju area and in Pyongyang, again, right down there next to the Friendship Bridge near Dandong. There's some operations happening there. Based on what we saw in the indictments, we know some of their headquarters are out in Pyongyang. But you're low. You're every person that has to hey, I've got the order, but you need to go execute it. He might be in any one of allied, their allied countries, and that's where they can operate. And it blends in with the noise. It looks like it's coming out of a country that's not North Korea. So you're already not suspecting it. And again, blending in, doing little different types of ops and then funneling the money, physically funding, funneling the information digitally back into North Korea. That's really the easiest part of the whole process for them.

Frank Cilluffo

Yeah. And I was surprised at just how much specificity was in the Department of Justice's indictment. Basically signaling that they had to, they had to take the currency and make it real and bring it back. And I think they even identified the ATMs and where they were located, which that's pretty unique in an indictment.

Michael Barnhart

Yeah. And the guy that was in the indictment wasn't the money guy. He was there receiving funds from the actual operations and he was the one that was using those laundered funds to actually do it. The actual. There's unidentified co-conspirators in the indictments too. And that's more some of the actual laundering operations. But yeah, you cross over from that, that Sinuiju over into those ATMs over there. You know, pull out the cash immediately, have it deposited into the bank accounts that go over there. Pull out the actual local currency from the stolen Bitcoin or the Bitcoin from the ransomware payouts from the hospitals. And from that, once you have that, once you get your OTC trader, that's the kind of the middleman that actually gets the money to it. Once he has the money, then the trail goes cold. It could be either in bunches traveling over the bridge into North Korea. It could be purchasing infrastructure for actual operations, targeting like we saw on nuclear facilities, things of that matter. So it's very interesting. And crypto for them is definitely their strong suit, for sure.

Frank Cilluffo

Yeah, yeah, and I'm glad you brought that up. Do you see a day where we can actually scale some of the. Not just recouping funding, but, but, but also making it harder for the adversary. And I know this is outside of the North Korean discussion, but. No, no, it's. We're seeing all sorts of creative steps and, and we need to look at it as an industry. Right, an illicit industry in this case, but to know where you can have biggest impact and consequence. I hope we can get to that stage at some point, at least to. Not the old adage, take a bite out of crime. In this case with a yeah, in.

Michael Barnhart

The way they have it too. It's just, you know, anything technology crime is criminal elements are always going to respond to advances in technology before anyone has a chance to defend them. And a lot of times with software or anything, you're building it to work and then thinking at security as an afterthought. If this was, if I say this a lot, but if like Furbies were big right now, they'd be selling those to Megan's me. But right now, crypto no one seems to. Again, they were the very first on the scene. They were learning it as it came out. They were there, part of the development process. So you and me and people, you know, the common person that doesn't know about crypto, we are years and years and years behind them. So they are, they're masters in that space. And that's something we have to really kind of keep an eye on and stuff like this. This is super important, getting the word out. Awareness is key, for sure.

Frank Cilluffo

Yeah, and I was going to pick up on that point as well. I mean, I know that NSA, Justice, CISA, counterparts from South Korea and the UK, I think the National Cybersecurity Center there, put out an alert with indicators of compromise. And I think they are very transparent in terms of what we're looking at. What else would you be recommending to companies or governments, whether big or small, at the state and local. I consider state, local, tribal, territorial to be a soft spot in the United States. But what would you be, what would you recommend to them now? Well, regarding this particular, really just actors. This particular actor. And then, then, then wax on if you'd like, because I don't think you can completely divorce the two. So please.

Michael Barnhart

Yeah, and I do think they go hand in hand too. And it's that, you know, a lot what these guys were doing specifically, they're operating at speed. And the speed is really what caught everyone off guard, because you can be a very, very secure environment, you can be doing all the right things. But these guys were just paying attention to open source and listening to criminal forums and they wanted to see what the latest thing was. So they would wake up in the morning, they would see that a vulnerability was out targeting a specific thing. And then they would sit around and they would scan the Internet looking, does anyone that I care about, is this affecting them? And then they would wait for an exploit. Again, these guys are just waiting for someone else to do the work for them, and then they're going to hurry up and hit an organization, an important one, before the organization has patched that vulnerability. So you could be doing the right thing. Next Patch Tuesday. I'm going to patch on Patch Tuesday. I'm going to do all the things, do all the right things. These guys are just staying up late at night and hurrying up attacking you before you've built up your defenses. And that is, that is fascinating. Like that how successful that is is, is really something. I think that's the word to the, the industry for sure.

Frank Cilluffo

So speed, and you don't even have to be perfect. They don't care if they make a mistake along the way. They don't have to be perfect all the time, whereas the, the good guys sort of do. Hey Barney, since the end of the, I like to say since the end of the Cold War, threat forecasting has made astrology look respectable. But I think it's obvious that the, that the threat environment is here. What, what do you think looking ahead in, in terms of DPRK's capabilities, intentions? I think we discussed the transition from CNE to CNA. If the time and place makes it worthwhile, anything else we ought to be thinking there?

Michael Barnhart

I think if again, predictive analysis based on the world, everything, like you're saying. I'd say because you can't look at.

Frank Cilluffo

Cyber in isolation of broader geopolitics. Right. I think you have to be a North Korea specialist and a cyber specialist simultaneously and work with teams that include both. Right, absolutely.

Michael Barnhart

And I, and I think crypto in the insider threats with APT qualifications are the two things we're going to have to circle on our calendar. We're going to circle on our to-do list. I'm not a big crypto guy, but my friends are, so I lean on them and on this stuff. But collaboration is the only way we're going to be able to take them, you know, be able to handle the speed that they're doing. But I'd say as North Korea leans into AI and automation, really just the crypto and insider threats that have destructive capabilities, I think that's where we need to really look at it, because the weapons testing is already off the, you know, that's already done like that. We're seeing it. It's happening in APT 45. Clearly had a hand in that too. Like their weapons tests are effective because of this secret stolen by this group. So.

Frank Cilluffo

Which is a very big deal. I want people to let that sink in. So computer network exploit or espionage through cyber means has helped enable. That's the truth of it. And, and led to some successes in their tests, right?

Michael Barnhart

Absolutely. These missiles are blowing up in the launch pad years ago and now they're doing so well that they're selling them to other countries. So, yeah, they've advanced for sure.

Frank Cilluffo

So if anyone asks why cyber matters, that's a pretty darn strong reason right there. And I think it's not just Pyongyang, but Tehran and others have intentions where clearly cyber will be an enabler to some of that as well. Hey, Barney, I think you answered the. I always ask why this matters. You can't have a stronger statement than you just made on why this matters. Michael, thank you for joining us today. Thank you for your dedication and focus on such an important set of issues. Thank you for your service over the years and your continued service through different means today, and really appreciate it, and whatever we can do to help you fight the good fight, we're here. So onward and upward and hopefully we can host you in D.C. soon. So thank you.

Michael Barnhart

No, thank you. I appreciate you so much. Thanks.

Frank Cilluffo

Thank you for joining us for this episode of CyberFocus. If you liked what you heard, please consider subscribing. Your ratings and reviews help us reach more listeners. Drop us a line if you have any ideas in terms of topics, themes, or individuals you'd like for us to host. Until next time, stay safe, stay informed, and stay curious.
