4n6strider a.k.a. Jindra

4n6strider - Interview with a Threat Hunter

Threat Hunter, Researcher, Instagram Hero

xnomas
29 min read · Jul 21, 2023


Frank entered the room and put down a coffee on George’s desk. “Is it still crunching numbers?” Frank asked as he sipped his own caffeine-filled beverage. “Sure is. It’ll be done soon, I’m just making sure that it all goes fine.” George sounded nervous. The computations were taking longer than they should, but the computer had to work with giant amounts of data.

The two colleagues had been working tirelessly to set up honeypots, fake vulnerable computers, to entice hackers into trying to hack them. The honeypots collect data on these attacks, which George’s server is currently munching through. The result? A giant map. Nodes represent adversaries or victims, and connections between them represent an attack or communication.

At last the program stopped. “So?” Frank asked. George said nothing, he just displayed the output graph on the large wall-mounted screen. Silence. Analysis. “It’s not random at all,” George said, and continued, “Look! You see those three?” George pointed at three large nodes…

365 days at SOC — by 4n6strider

In this interview I got to sit down with 4n6strider, or as some know him, Jindra, a researcher for Trend Micro focusing on Threat Intelligence.

Interview Section

Could you introduce yourself a bit, for a start?

Hello, my name is Jindra and I look for vulnerabilities. Now to introduce myself for real. I am a researcher and am currently working for Trend Micro. My job is to search for new malware campaigns, examine threats in cyberspace or anything to do with cyberspace.

So for example, in the last year some of my research had to do with the war in Ukraine. There the threats in cyberspace translate to the real world.

So do you focus a lot on the war?

Well, when it started I was helping out with some monitoring and I was more focused on the threats tied to the war. Currently about 70% of my time is focused on my research project and the remaining 30% I analyze or hunt campaigns that I find, or that someone sends me. Sometimes I also find interesting malware or uncover some APTs’ activities.

If you’re still monitoring the war, do you feel like the number of cyber attacks has decreased since the start? It has been going on for some time now, after all.

Before it was more of a recon operation, now they are performing actual attacks against specific targets. They have mapped out the level of security of their targets, and then pick and choose who to attack. For example, recently they hacked a Czech news station, going through… I think it was AlgoTech? It was a supply-chain attack. That shows that they knew exactly what to do.

In general they’ve started targeting more of our media, or performing spear phishing against government offices and specific politicians. So there is still lots of activity. I would say that it has changed from the “carpet bombing” of our critical infrastructure, and instead they are performing more focused attacks.

Have you noticed any hack-back attacks? From Ukraine against Russia?

I guess you’re asking me about the cyber-guerrillas?

Sure.

I’d rather not speak about them. And I can’t really offer any insight on this, because I’ve lost the eyes I had in Russia.

I understand. Now to talk about your work at Trend Micro, how did you get there? I guess this wasn’t where you started.

To give you the whole story, I started as a chemist at Charles University. While I was doing my PhD, I realized that this is not for me and that I’d like to do something else. This is when I started learning some basics of Python and SQL, which I was displaying on the internet. Thanks to this I was headhunted into the company Baxter, where I worked as a LIMS admin. This was where I got the opportunity to learn more about IT.

From here I got headhunted again by Novartis. They were opening a brand new big office in the Pankrác area of Prague, but it started in Basel. There I got the chance to meet some interesting people, which later helped me. At Novartis I started as a Quality Assurance Manager. This had more to do with the testing of software and processes, and it was about as boring as it sounds. Even worse actually, because I was responsible for things that I often could not change.

It wasn’t all bad though, it taught me how to work with data, for example. Later I got to work at Novartis’s SOC, thanks to the people I met in Basel. Even though I had no security background and did not study IT, they gave me the chance to learn on the job. Which I did.

At the SOC I started out as an L1 analyst, which is like what people see in movies. The center operates 24/7, you dismiss boring tickets, which tires you out and makes you miss the important stuff… so you look stupid. Later I moved to the SIEM Platform Support, where I learned to work with the backend SIEM system of the SOC. While doing this job, I used whatever free time I had to hunt down the interesting things we found, the attacks against Novartis. I did this because it annoyed me that I knew next to nothing about the attacks. Who was doing it, why were they doing it, how were they doing it?

This is how I started Threat Hunting, and while doing so I was mapping out the info into these visualizations, graphs. I was publishing these and hoping that some security company would notice me, which after about a year, someone did. That is how I joined Trend Micro, where I’ve been for 6 years and am very happy.

It was a long journey and a long story, but that’s how it happened.

So Trend Micro found you thanks to the maps? Or the visualizations, the graphs?

I was posting the images to LinkedIn. I also have a website, which I’m going to disable, because I made it when I was young and now I’d do things differently. So they found me through the website.

Maybe they analysed some keywords and found that I’m working on things that they would like me to work on with them.

You have an NFT project linked on your website. Are those the maps?

It’s not about the selling of NFTs. I just wanted to commit my findings to the blockchain, this was before I had the opportunity to publish my work to a wider audience. I would often read about someone coming to the same conclusion as me, but later, only they wrote about it. That disappointed me, so I wanted to use something that would definitively prove that I found the same things, and when.

Did you create the images with the goal of being recruited? Or did it start as a hobby and then you realised that they may be useful?

Actually, I just wanted to make my work in the SOC more efficient, so I could have more time to study. That led me to data analysis, graph theory and so on. Then my colleagues, who were looking over my shoulder, told me that they were nice pictures and that I should show them off somewhere.

So I put them on my website. But I also knew that the more visible my work is, the higher my chances of becoming a researcher.

So this helped you with automation in your job?

Yeah, I would say so. You can find things that you’d otherwise miss, thanks to the graph algorithms.

IPS: Intrusion prevention system — comparison of two enterprise solutions — by 4n6strider

Were these things that you learned at university? Or did you learn them on your own? I’m referring to graph theory, clustering etc.

Our math at Uni stopped a few steps after integrals. I was actually making up my own methods that I later Googled and found out that they are a part of graph theory. So I didn’t really re-invent the wheel there. It was a little embarrassing actually, because I could have saved myself some time.

It helped me a lot though, because I feel like it really caught on only recently in our field. Graphs weren’t a big thing when I was starting out at Trend Micro, even in neural networks.

So it really helped you at work?

It did! When I started with my first research project, I created a set of honeypots. Then, thanks to graph theory, I identified the server that was orchestrating SSH brute-force attacks. Which is something you see often, but people assume that it’s being done by some single automated system or a bored hacker because of how simple the attack is.

But I created a massive graph from the collected data, where I identified key systems. And after further analysis I got to certain named entities that I found on forums. One of them forgot to change his FTP password, so I managed to take his half-written scripts. It’s a silly little thing, but it made me happy.

Not at all, I like it! Is graph theory something that you still use, or have you moved on to different techniques?

I still use it a lot, but I’ve also moved on to new things. For example, I combine graph theory with Large Language Models. They are very popular now, but I’d just like to point out that I started with Google BERT about a year ago. Only now will I be testing to see if ChatGPT is also usable.

So they [LLMs] are useful to you?

A lot. My current main research project is focused on cognitive warfare. Here I rely not only on OSINT data from Threat Hunting, but also on the comprehension of text, methods of forensic linguistics to understand the motivation behind these texts, or to see how many people wrote it. It helps a lot when I don’t have to use my own head and can instead rely on a large neural network.

Got it. Could you maybe explain the term cognitive warfare a bit? To make sure I understand it correctly.

I was avoiding the term misinformation on purpose, because I saw that you already did some interviews on this topic. But it’s also part of my research. Or to be more specific, I work on creating a methodology that can be automated and used to uncover these cyber-enabled influence operations. Misinformation is just a part of these influence operations, another part may be hacking or attacking strategic targets.

My hypothesis is that we will get interesting results if the graph is robust enough so that you can mathematically represent both the OSINT data and the data from Natural Language Processing. And the results are promising! I have some working prototypes, the problem is that I’m not a very good programmer so I wrote them in Python and the prototypes are pretty slow. So I take these working prototypes and give them to someone that turns them into an “enterprise” solution. That’s the plan, at least.

So you use the LLMs in your automation to improve data collection?

No, I use them for Topic Modeling, understanding what the texts are about. For this I use multiple methods, like Named Entity Recognition… which you probably know. Then I use methods to identify Parts of Speech, discerning what is a verb, noun and so on. I also analyse text sentiment and do Topic Modeling. Then I put all of this together into a nice structure.

From here you can actually put together something like a fingerprint for each operation, where each part of the influence operation has its own fingerprint. This allows you to correlate data that don’t seem related at first glance.

Just to make sure that I understand correctly. You can identify a larger misinformation campaign, made up of seemingly unrelated parts, but that comes from one source?

Not really a campaign, more like a troll farm or something like that. More people do this though, I don’t see it as a particular breakthrough. I am doing it to show the cybersecurity community that this is a problem, and a problem that we as researchers, or even pentesters can help with. As long as the people behind it use a computer, there are opportunities for analysis or to disturb their operation.

Do you expect it [influence operations] to get worse now? With the wide adoption of ChatGPT, LLMs and a general boom in text generation.

ChatGPT throws specific error messages that are pretty easy to look for. I was looking for them on Twitter, and I did this twice. The first time around there were a lot of error messages. Recently I looked again and I thought that it’d be even worse. But from a whole month of Twitter data, the whole stream, I extracted only like 70. From that we can see that they’ve learned to do it well and so it’s a lot worse than we thought.

They [Twitter] have been limiting access to their API lately, you also need to log in to view tweets and so on. Is this a problem for the community?

It’s a big problem. Thankfully I have ways to bypass these restrictions, on which I will not elaborate. So there are still methods of getting data from Twitter, that I use. I don’t scrape the public site though, or use the API. The API was pretty limited even before Musk limited it completely.

For example, I wanted to map out a Chinese botnet on there. I could only list something like 100 connections every 10 minutes. But there were thousands of accounts to analyse, so it takes days. It made no sense to use this service, because you have to map the bots as fast as possible, due to their short lifespan.

You spoke about cognitive warfare, you’ve worked on malware and in our chat before you also mentioned phishing. Are you free to work on whatever?

I have relative freedom in what to research, as long as it contributes to the good name of the company and somehow enriches the security community. The best case scenario is if it also has a positive impact on our brand. So something like uncovering a new malware campaign, ideally before our competitors. We can then write a blog post about it, or if someone else writes about me, that is also good.

So do you go to conferences and present often?

Yeah. It took a while before I found something noteworthy to present at a conference, and before I was more comfortable with public speaking. But I’ve done pretty well in the last two years.

With regards to speaking or the research?

Well, the topics of cognitive warfare and counter-intelligence are pretty hot right now, so they have a higher “acceptance”. People like this topic now, and it’s always good to hear what others have noticed when we talk at conferences. You go for a beer, chat and gain a new perspective on things.

You’re more comfortable with public speaking now? Was it difficult at the start?

It was, and still is. Public speaking, or speaking in general is not really in my nature. I’m the type of person that is comfortable with coming to work and having headphones on the whole day, not talking to anyone. So any type of speaking is really me overcoming something. But, if I feel that it has a purpose, then I don’t mind.

I guess this is why I couldn’t do marketing presentations, in the cases where you don’t have direct contact with the product or are more distant from it. Now, this is my neck on the line. I’m presenting my research, and whether people like it or laugh me out of the room comes down to the quality of my work.

When starting out at Trend, did you start with malware research? Or did you focus on a different area?

At first I was working with telemetry data from our products. This comes from people that use our product and allow us to receive anonymous telemetry. My task was to identify trends in the data, which I managed to do thanks to graph theory and so on. Thanks to this I managed to remove some data that looks important on paper, but never amounts to anything. It helped to make the telemetry more transparent.

It was mostly down to Windows servers actually. They talk a lot, but never share anything of substance. You need to know what to look for. So this was my first task.

This was actually where my previous work experience really helped out. I learned a lot about Splunk during my time at Novartis, which really helped me get through my trial period at work.

I was also really nervous, because I didn’t study at an IT university, which gave me a bit of Impostor Syndrome. Which I still feel sometimes, like I have no business being here. Part of that is the great and really smart colleagues that I have, so it’s very hard to have a bit of an ego. They are a bunch of pretty genius people, especially to a newcomer.

I understand, I also feel the Impostor Syndrome.

So we understand each other.

Just to be clear, you were given the telemetry task. You didn’t choose it?

My boss is in Taiwan, so I got to speak with him after my first week at the office. You know, after you learn not to play with matches or jaywalk.

After learning that, I had a call with my boss, who asked me what I wanted to work on. I told him that I wanted to be a researcher but didn’t know how. So he assigned the telemetry work to me, and told me to work on it and if I had any ideas along the way, then that could be my project. It’s good for us to cover all parts of Threat Intelligence: the tactical, operational and strategic parts.

For the tactical part I was analyzing data, for the operational part I created honeypots, but it took me a while to get to the strategic part. After a while I was mentioned in Forbes, thanks to my work on the graphs, and I was invited to speak at a conference. Trend was happy, so they asked if they could do something for me and I asked for the CTI course from SANS. Which really helped me improve.

I found out that I know most of the stuff, but the course helped me separate the knowledge into neat buckets and develop processes that allow you to work well with others. You know where you stand and what to do next. Thanks to that I was able to start my project on cognitive warfare.

Covid — fake news distribution in undisclosed community — by 4n6strider

The misinformation project is a long-term one, and on the side you’re still hunting botnets, malware and so on?

I still work with telemetry, and often visit the so-called “darkweb”. I visit the usual places and then analyse what I find. I’m not a reverse engineer though. Doing some static and dynamic analysis of samples is fine, but only to a certain limit. Which is enough for my needs. If the sample is really interesting, then I still need someone else to validate my findings. And if I see that it’s not of interest, then I don’t bug my colleagues… usually. I miss some.

Besides that I’m also working on the project [on cognitive warfare]. It’s actually grown quite a bit, to the point that I’m now collaborating with Universities. At first it was an OSINT project, but at one point I realized that for it to progress I need people that understand cognitive science. I’m not one of them, so I reached out and found some smart people, whose names I can’t share. We have a rough idea of how the methodology should look, what we need to work on, and we’re doing that.

One part of that is figuring out how to reverse the psychological effects on individuals. That is where we use the LLMs mentioned before. We map out the vector space of the operation, then we map the reaction of the “public mind” and using vector algebra we find out how to counter this.

I think that this is pretty cool. Honestly, I thought that anyone studying mathematics would think of this, but apparently not.

Will there be a publication?

Yeah. One I’ve already submitted to the Polish Naval Academy and also gave a lecture about it there. That invitation really flattered me.

Writing a blog or a news piece about this [cognitive warfare] is not difficult, it’s a hot topic. But to write a research paper, you need to finish your research, which isn’t our case. In fact, it’s ongoing and expanding.

I also feel like you’ve taken on more and more work, instead of focusing on a specific area. Am I right?

Exactly, because it’s all really interesting and I want to know a bit of everything. I’m the type of person that likes to have a general knowledge of things, and then I pick what to go deep on.

Others in our team have a deeper understanding of something, but don’t know that much about other topics. It’s like the two approaches in graph theory: depth-first or breadth-first. I’m the latter.

I did, or still do, have a stint of helping people recover their hacked Instagram accounts.

And how did you do that? If you can share.

Sure… I was contacted by a fashion model whom I won’t name. Most of these ladies are actually pretty well known.

Sorry to interject, are most of these victims female?

I’ll get to that. The targets of this specific campaign were all female, but not in general.

It all started when she [the model] heard from a friend that I’m some sort of hacker and she wanted to get her hacked account back. It turned out that she fell victim to some pretty basic phishing, she had no antivirus, no two-factor authentication, just nothing. I do get it though, security is not what they do… I couldn’t walk a runway.

So I was helping her, and she liked how I communicated with her, so she recommended me to her friends. And they would text me day and night: “Is it done? Is it done yet?”. Back then I tried to do it like with ransomware, find out who the actor is and negotiate.

The hacker didn’t want to give the accounts back, so I created a fake hacker group and thanks to my work I could fake a big hack… to make him want to join us. But I wanted him to demonstrate that he really is a hacker. I essentially social engineered him, lured him in and created interest. Slowly but surely I managed to manipulate him into giving the accounts back… I also found out some things about the hacker.

This was about two months of work, which helped me map out a Turkish gang that hacked the accounts of about 35 thousand ladies. They made a lot of money doing this, because the models would often send nude or risqué pictures through Instagram. So the hackers would blackmail them, threatening to publish the photos. Or the classic: “Send me Bitcoin and boobs”.

Back then they didn’t even use mixers, so I could track their wallets and found over a million dollars. And that’s not all. We dug our hands in and found that they used the money to buy weapons. So what the scammers had leftover was just scraps. Like five dollars and maybe some nice pictures. Then the hacked profiles with larger followings were used to spread Turkish propaganda. They used the fact that the profiles already had a big following, and used it to spread their sites.

I was really into this… so much so that my colleague at work started calling me “Vzteklej Pes” (Mad Dog). Eventually, with the help of this colleague and his friends at Interpol, we managed to get in contact with some people in Turkey and arrest one of the people involved. The rest of the gang disappeared. Except when this happens, then another gang appears in the next village. But this was my first real victory, so I was really happy about it.

Talk about me being the guy that gets you your hacked Instagram back started to spread. This was because the organizer of one Miss event, I won’t name which one specifically, would tell her models about me. So I was being contacted by tens of models.

Now, why do they target the models? It’s pretty smart actually. The attackers pick accounts that have a decently large following, but not hundreds of thousands of followers and they don’t have the “verification blue badge”. But the models think they deserve it [the badge]. So when someone impersonates Instagram or their employee and offers them the badge, they jump after it and do whatever they can. Like asking for pictures of their government ID. The models want this, because it gives you access to better demographic data, which they can use to get better sponsorship deals.

This is a neat trick that the Turks got good at and used often. The targets weren’t just Czech models, but a surprising number of them were Czech. I actually visualized this whole thing and put it on OpenSea as an NFT.

So you don’t do this anymore?

There were many more models, I wanted to help them and I felt sorry. It’s easy to get emotionally attached, because I really did feel sorry for them. They lost brand deals, their livelihood. They need to be seen to make a living.

So I really wanted to help them all, but I couldn’t. Creating a fake hacking group for each of them would drive me insane. Thankfully I managed to get in contact with someone at Facebook, and so I would collect IOCs to prove something to the Policy Checking Manager. That the ladies were in fact the real owners and that it was stolen from them. We had an agreement where I would send stuff over, they’d check it and quickly return the accounts.

But there were so many attacks, and I got the feeling that something changed at Facebook and Instagram. I got ghosted about half a year later. At that time I was already well-known as the guy that gets your account back. I returned… maybe not hundreds, I’m not sure. You lose count after a bit, but I returned a lot of them.

And that is something I just can’t get rid of. People still write to me, hoping that I can get them their account back. A lot of them are still models, because they spread the word around. Sometimes I get contacted by a company whose profile was hacked.

I just say sorry, that I can’t anymore. I still try… but Meta just doesn’t talk with me about this.

That’s strange. I would expect that Meta would want to return the accounts.

I was asking for us to make a pipeline for this stuff. So that I wouldn’t have to bug just a few people with emails, instead just give me a generic email that I can send this stuff to and your support can sort it out. I helped return so many accounts that I thought we had a certain trust. But it was against some of their regulations.

And the guy that I was in contact with at Meta, in California, he got angry and left… which killed the collaboration completely. Although, I guess you could say that I have a small “in” at Meta now.

On Facebook when you pay to host an ad, they can’t really check them all, if it’s all legal or that the ads aren’t spreading malware. And so there’s a long running campaign on Facebook, aggressively targeting Google Bard. While it may not be available here [Czech Republic], it makes sense for American victims. Here you can tell immediately that this is fishy. The ad tells you to click and get access to the latest Google Bard, fully offline and with $50 credit as well.

If you click the ad it takes you to Google Disk, which is hard to take down, or to a Google Cloud VPS that is hidden behind Cloudflare… so also pretty hard to take down. To make things worse, the URLs in the ads are shortened, so they can easily switch them and blocking specific URLs makes no sense.

Anyway, after clicking through you download an encrypted .rar archive, your instructions are to download, extract and install. The most common password is 999. After extracting the archive you get a .msi package to install, which is a stealer. Currently it targets Facebook logins, with a lot of people also enabling a connection between their Facebook and Instagram accounts… so they steal both. And since the stealer takes your session cookie, it bypasses 2FA. They don’t keep the profiles forever, but they do have them for a while.

If they hack a company [Facebook] page, then they can use their ad budget to push their own content or just random stuff. Or they just post a link with some really hardcore porn, Facebook removes it and they won’t deal with you anymore. I saw this happen, when some people from Ostrava wrote to me, owners of a chocolate bar. Completely benign, no point in targeting them. But someone paid a hacker, who got access to their page and put porn in their ads, to destroy their Facebook page. I just don’t get it, they were just a chocolate maker.

I don’t get it either.

My experience is that if it looks really malicious, then it is often a “crime of passion”. Like ex-business partners or some unresolved romantic business. Those are the worst actually. Or with the models that I was helping, sometimes it was their “best friend”. I found this out when I helped return the account: the friend had paid a hacker, found the Turkish gang, just because of jealousy.

Hackers stealing Instagram profiles of famous and rich users — by 4n6strider

Okay… I really wouldn’t expect that. I also didn’t expect it to be so organized and commercial. That you’d pay someone to take down a chocolate shop.

Before though you mentioned that your knowledge is wider and others go deeper…

Some. I meant to say that we complement each other.

I understand. So is it common that you help each other? Or do you work as individuals and complement each other in the team?

I’ll admit that I work solo a lot, but that’s not because I don’t want to collaborate or something. But because I do so much and go so wide, I always have something going when someone needs help, and I just can’t. I do try and help though, and if I need help then the guys help.

Which is not that common with researchers by the way, that we’re not competing. Often in their goals, researchers need to have the most publications in a team or something. Or maybe not the most, but their KPIs are set in such a way to encourage competitive behavior instead of collaboration. That’s not our case.

That’s good. I’d expect it to be common for researchers to collaborate. When I did my interviews with maxploit, who does Vulnerability Research, or Husky Hacks, a Red Teamer, they mentioned that collaboration is common in the community and in the office.

We do collaborate in the community. But I’ve heard that researchers in the same office don’t share information or just don’t help each other, which is not our case. And I wouldn’t want that, it’s just really toxic.

So there isn’t really much overlap in what you’re working on in the team?

I’m doing my best to maneuver around what my colleagues are doing, so our work doesn’t overlap and so that it makes sense for me to work on my projects and for me to be there. If 5 people are working on the same thing, then it’s questionable if so many of them should be doing it.

We work on different areas: automotive security, some focus on Linux, some on Windows, Artificial Intelligence and stuff like that. I’m more of a data scientist or Cyber Threat Intel guy. Essentially counter-intelligence and stuff to do with spyware, that is really interesting to me.

Does that include APTs? Are they a part of your focus?

Yes, but I don’t do the common thing of monitoring what others find and pile up that information. I’d rather wait in places, where I know the APTs will strike, and I prepare those places to collect data. That’s like preparing a honeypot, or I tell the person that “When this happens, you do this and send it to me like this.”

This allows me to get fresh spear-phishing document samples, untouched and unopened. Often the documents include macros that allow it to be opened a limited number of times, then it gets blocked to make research more difficult. Like this I have the chance to see the document as it’s meant to be.

Oh, that’s cool. I didn’t know that happens. [The macro defence]

Yeah, I got a spear-phishing email recently as well. Some older primitive malware, but in the spirit of an APT attack. I took that and did a talk about it to some people from the government to show them that: “You’ll get this type of email, and it will look like this. Here is the code to analyse it and whatever you do, don’t click on anything.” It was a newer version of Houdini, and that can do some damage.

Do you have a favorite APT or do you know how APTs operate in general and then wait for them to poke their head out?

I don’t really go for specific APTs. Instead I wait at places like universities, government institutions or companies like Tatra. Or even weapon manufacturers, although I’ve had a hard time establishing regular communication with them. We bump into each other, speak a bit, but then “out of sight, out of mind” and they forget to send me the things.

Another interesting thing that I’m monitoring and would like to write about are influence operations against academia. They have two master plans that are spreading, the first: One China Policy and adding Chinese topics and culture into the research space and public discourse, or the second: Opening doors to Chinese money, and convincing people that our Western democratic culture wouldn’t work in China, that they have a different mentality and so China is actually doing it correctly. These kinds of narratives. Not to sound like a conspiracy guy, but I have noticed that it is having an influence on professors, the academic senate and students. There’s even some level of orchestration by student groups.

One thing that really shocked me had to do with martial arts. I really like martial arts; back when I was doing them the Japanese and Chinese arts were about improving yourself and your combat skills. But now the Kung-Fu schools here offer very cheap or free Chinese lessons, as part of learning about the culture, but the lessons are full of propaganda and cultural enlightenment, as they call it. They motivate the students by saying that for you to be a master you need to know the culture, which I agree with. But for example with the Japanese arts, I haven’t noticed this. Sure, they are teaching the pacifism that was brought about by Americans near the end of World War II. But it’s not organized by Japan.

A long story… not really related to cybersecurity.

Still interesting! What really struck me was the talk of the Kung-Fu schools and Chinese martial arts. Do you think that this is being pushed by China directly, or is this an initiative of individuals?

The Chinese, unlike Russia, do things slow and stealthy. Time is on their side and they know it. Or until recently, now they might be rushing a bit.

So you think that they are pushing more?

Because of the growing tensions with America. And because of the disagreements over Taiwan with other countries adding their voices to the conflict, like the Spratly Islands. I feel like they are pushing it more, yeah. It could also be my cognitive bias though, that I didn’t have enough information before.

This spring [2023] I’ve started collaborating with some of my colleagues in Asia, to monitor influence operations on a global scale. So thanks to them I have more data, or better data. From Taiwan, the Philippines, Japan… so now I have my eyes there as well. It’s possible that this has been going on for a while, and I just didn’t see it.

Are the activities of Huawei a part of this monitoring? I know they’re not exactly an APT, or malware or whatever. But there is a consensus…

Let me put it like this. I think that Huawei are monitoring me, because I’ve received several job offers from them. I’ll admit that I thought about the last one, they were offering me over 420k a month [about 17471 euros at time of writing]. There is good money in my field, but this like double or triple of the going rate, way over.

So this is a recruiting operation on their side?

Exactly. Or I was contacted by a Chinese person saying that they’re really interested in my work and would like to collaborate in threat hunting. Some people do reach out like this, and I like it. So they might have been used to researchers liking this, but I just couldn’t find anything about them.

Does this happen to you often?

The Chinese person contacted me in the middle of COVID lockdowns, during the long home offices. The thing with Huawei was at the start of this year [2023].

So does it happen often that someone reaches out with malicious intent? Or that they want to get information from you, or you find out that a hacker group or a nation state was behind them. China is a pretty specific case, was there anyone else? Surely you must be an interesting target.

That’s the thing. On one side you need to keep a certain level of OPSEC, on the other side I am a researcher in the commercial sector… so I need to be seen, speak about my work. Striking a balance between what to say and what not to is difficult, and still remaining interesting enough. I can’t lie obviously, what I say must be the truth, but I can’t say everything so as to not put myself in harm’s way.

It’s a balancing act. We’ve mentioned the Chinese, but I’ve also been contacted over Facebook by a proxy profile of two APTs. Or maybe not APTs, but groups operating in Ukraine. People from KillNet, which is related to activity groups GhostWriter and Joker.

You haven’t had the feeling of being physically tailed?

No. And if I would, I’d just laugh at myself for being paranoid.

Back to your colleagues. We’ve talked about your work not overlapping, that you go wide and they go in-depth. But I’d be interested in how they got there, because their journeys must have been pretty different to yours. So I’d like to know how people become researchers? And what you’d recommend.

Well, everyone but me studied some form of IT, at CTU FIT, CTU FEL, Pilsen, Ostrava, these universities. We share a common interest in the field and that we’ve learned how to learn in a way that allows us to do the work.

In the last 6 years that I’ve been doing this, I’ve met more people like me, who started out with the “life sciences”. And they’ve been telling us that it’s good, because you have a different view of the Intelligence in Threat Intelligence. We bring another point of view than the IT people, and you need people in your team to be competent at different things and to be diverse. I know, it sounds very “sunshine and rainbows” but it really is like that. Having multiple differing points of view helps achieve better results.

Depends what you expect from tracking down hackers. It sounds fantastic when you say it like this, but let’s be honest you spend your youth looking at Excel sheets, Splunk and databases. Sure, you can make it interesting for yourself, but there are always the more mundane parts of the job. You need to be able to deal with that.

And starting out? I’d say it’s good to study security, because then you don’t have to learn so many things on the side, like I did. I’d actually recommend this to everyone. You can learn a lot from books, but I still find things that are basic to people that studied security at uni. Something you learn in your first year, algorithms, processor clock cycles or stuff like that. I don’t know this stuff, because I didn’t study it, so some things take longer than they should, and I don’t know why. So it helps to have the background yourself, or to have colleagues that are willing to help out.

What are the characteristics that you all share? I guess you’re curious, driven, but is there something more?

You need to be creative. I also think that we’re not legendary programmers, because that requires a different mindset.

Otherwise I’m not sure, we all have a different background. The team was picked to be as diverse as possible, so picking out what we share is difficult.

It’s important to have some sort of higher calling. The money in this field is good, and that’s great, but we have a higher goal of securing the digital space. Hackers often do nasty things, like extorting people, sharing stolen data, people lose money, people go bankrupt. It feels good to prevent this and help people. I won’t even mention war, because that has the interesting aspect of two sides being involved. From the perspective of one of the sides it is always in the right and the other is bad. I believe that there are plenty of Russian hackers that might be brainwashed by propaganda from our perspective, but they believe that they are doing good. Just like I believe that I am.

Now I’ll ask my last question, it can be difficult. If you would give advice to your younger self, what would you say?

My big dream in life was to be a scientist that would use molecular biology to find new medicine and prevent animal testing. I didn’t end up doing that.

So my second dream became understanding hackers and getting to them, which I did manage.

I’d tell myself that it’s alright to change everything half-way through your life or career. But if you do decide to do it, then you really have to study and go for it. If I had studied a little less back then, then I just wouldn’t have made it. So go all out.

Closing Thoughts

Getting to speak with Jindra was fascinating. I had to cut the interview short, because we could have gone on for hours. An all-around great guy, professional and amazing researcher. Thank you!

Thank you to the readers that made it this far through the article, it’s a long one.

You can find Jindra over at Twitter or check out his LinkTree.

Have any feedback, questions or suggestions? Let me know here on Medium or Twitter!

xnomas

Czech cyber security enthusiast wanting to bring interviews and information to you.