Seriously Risky Business Newsletter
May 01, 2025
Security Vendors Are Constantly Being Attacked
Policy & Intelligence
Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by Dropzone AI.
You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

Security firm SentinelOne has published a new report that takes a deep dive into all the weird and wonderful ways threat actors are targeting it. Attacks against security vendors are nothing new, but they've scaled up and are now a constant threat. And as best we can remember, this is the first time a security company has publicly described the range of threats they're facing in detail.
The report first looks at the North Korean (DPRK) IT worker threat, in which North Koreans use fake identities to apply for legitimate remote jobs. That threat is evolving and occurring at "staggering volume":
These actors are not just applying blindly — they are refining their process, leveraging stolen or fabricated personas, and adapting their outreach tactics to mirror legitimate job seekers in increasingly convincing ways. Our team has tracked roughly 360 fake personas and over 1,000 job applications linked to DPRK IT worker operations applying for roles at SentinelOne — even including brazen attempts to secure positions on the SentinelLabs intelligence engineering team itself.
Instead of just deleting the applications and moving on, the company turned the tables on the North Korean applicants. In an effort to learn more about their fraudulent job application techniques, it strung them along in tailored recruitment processes. SentinelOne says it was able to make its detection processes more effective by bringing frontline teams such as recruiting and sales into the tent. By sharing potential threat information, recruiters were able to identify suspicious patterns. Those patterns were then used in automated systems to identify and even block dodgy applications. A kind of virtuous cross-team circle.
The company says meaningful progress on the IT worker threat will "depend on collaboration between the security research community and public sector partners".
Speaking to Risky Business host Patrick Gray at a live podcast* recording at RSA, SentinelOne's CISO Alex Stamos speculated about why the company was being targeted.
"I think we have to assume the reason they're coming after us… [is] not because we are the easiest way for them to make money", he said.
"It's probably specifically because we have significant penetration in the crypto industry."
Stamos also thinks SentinelOne was targeted by a Chinese state-backed group in at least one supply chain attack. An IT services organisation that managed the company's hardware logistics was compromised and, given its small client list, Stamos believes that his company was the ultimate target.
In both these cases, it appears that SentinelOne was targeted because a successful hack may provide access to the networks and endpoints that its products operate on.
Using security firms in supply chain hacks isn't a new idea and this isn't just a SentinelOne problem.
In 2018, for example, security company Avast was compromised and its CCleaner computer cleanup software was modified in a supply chain attack. The malicious CCleaner version was downloaded more than two million times, although the hackers carried out second stage operations on only 40 computers.
Security firms are high-value targets. In addition to the potential opportunity for access, their products are also an impediment for hackers to overcome.
Back in 2011, for example, Chinese state-sponsored actors stole the secret keys or 'seeds' for RSA's SecurID system. At the time, SecurID used a hardware token to provide extra security to username and password authentication. Stealing the seeds allowed the hackers to bypass that important security safeguard. Their theft was linked to the breaches of defence contractors Lockheed Martin, Northrop Grumman and L-3 in that year.
There have also been cases where security firms have been hacked for espionage purposes. Both Mandiant and CrowdStrike were targeted in the 2020 compromise of SolarWinds. Russian security firm Kaspersky was compromised in separate incidents in 2015 and 2023.
Cybercriminals, on the other hand, generally don't target security firms directly, but want to develop tools and techniques that work against security products that might hamper their hacking.
In SentinelOne's case, cyber criminals are attempting to bypass the company's Endpoint Detection and Response (EDR) platform. Ideally, they'd like to test and refine their techniques to maximise chances of success when deploying them in real-world attacks.
It's not straightforward for cybercriminals to buy enterprise security products to carry out this kind of testing. Vendors try to actively prevent sales to illegitimate users, but there is a work-around. Per the report:
There is an increasingly mature and active underground economy built around the buying, selling, and renting of access to enterprise security tools. For the right price, aspiring threat actors continually attempt to obtain time-bound or persistent access to our EDR platform and administrative consoles. Well-known cybercrime forums are filled with vendors openly advertising such access—and just as many buyers actively seeking it.
SentinelOne describes these testing services as "semi-private". These testbeds for criminals are firewalled so that when malicious software is detected on-device it is not shipped off to the security vendor for further analysis.
Cybercriminals can also buy stolen credentials (such as from infostealer logs) that can be used to directly gain access to enterprises. Sometimes these credentials work on the enterprise's security tools, so the hackers can immediately change their settings so malicious activity is less likely to be noticed.
Although SentinelOne has bucked a trend by being public about these threats, we are sure that every security company of significance faces similar ones. At RSA, Stamos told Gray he suspects that each security firm has a Chinese cyberespionage team focussed on it.
"When you stop 'em, they don't go away," Stamos said.
"They go home, they come back the next morning, they have their local culturally appropriate caffeinated beverage, they get a little talk from their bosses and then they start again."
The threats SentinelOne describes are a natural consequence of cyber security firms being high-value targets. It's not surprising that the targeting of cyber security firms is now standard practice. Hopefully, transparency about these types of threats will follow suit.
*Disclaimer: SentinelOne is a Risky Business sponsor, and the podcast discussion with Steve Stone and Alex Stamos was a sponsored activity. However, Tom Uren independently chose to cover this report on its editorial merit.
For Better or Worse, Everything Happens on Signal
An interesting report from Semafor describes how Signal and WhatsApp group chats have become "a kind of dark matter of American politics and media".
Political journalist Mark Halperin told Semafor that "some of the smartest and most sophisticated Trump supporters in the nation from coast to coast are part of an overlapping set of text chains that allow their members to share links, intel, tactics, strategy, and ad hoc assignments. Also: clever and invigorating jokes. And they do this (not kidding) like 20 hours a day, including on weekends."
This explains the administration's use of Signal even for sensitive discussions — it is the default way of communicating. In the group chats Semafor describes, it appears that being involved was also important for self-esteem. Some participants joked that writing in group chats was at the very pinnacle of Maslow's Hierarchy of Needs.
It is not at all surprising, then, that US Secretary of Defense Pete Hegseth wanted his Signal fix while at work in the Pentagon.
The Associated Press says Hegseth had "an internet connection that bypassed the Pentagon's security protocols set up in his office to use the Signal messaging app on a personal computer". This is clearly horrendous from a security perspective. An unmanaged personal device in Hegseth's office would be a bonanza for foreign intelligence services.
However, a Defense department spokesperson told CBS News the system was more like a security camera pointed at Hegseth's personal device:
The spokesperson said there's a physical line running between the computer monitor in the defense secretary's office and his cellphone, which is kept immediately outside his office. The monitor alerts him to messages so that he can step out to check his phone. The official said it's currently set up as a one-way line.
The system described by the DoD official seems reasonable to us. It is exactly the sort of slightly clunky but secure workaround that DoD IT security would devise when the big boss makes an unconventional demand so he won't miss the "invigorating jokes" and sick emojis.
Of course, keeping personal devices physically separated from secure systems doesn't make a lick of difference if you copy secret material into unclassified group chats.
When we first wrote about Signalgate, we wondered why, in a group chat containing the US's top national security officials, no one said "hey, perhaps we should talk about this elsewhere".
Semafor's article on the importance of Signal group chats gives us a glimpse into the answer. When group chats are the lifeblood of policy conversations, isolation is political exile.
Three Reasons to Be Cheerful This Week:
- Infosec community supports Krebs: The Electronic Frontier Foundation has published a letter signed by over thirty cyber security experts in which they "unequivocally condemn the political persecution of Chris Krebs and SentinelOne". Chris Krebs, former head of CISA, was targeted by President Trump in a presidential memorandum.
- FBI disruption operations in high gear: Speaking at the RSA conference, FBI Deputy Assistant Director for Cyber Operations Crime Brett Leatherman said that the agency and its partners had conducted 17 "joint seamless operations" last year. These operations targeted both criminal and state actors.
- How to spend five years in Paris: A Belarusian, arrested in Georgia, has been sentenced in Paris to five years in prison for extorting French victims with ransomware.
Sponsor Section
In this Risky Business News sponsor interview, Catalin Cimpanu talks with Edward Wu, founder and CEO of Dropzone AI. Edward talks about the impact of AI on modern-day SOC teams and how its role is slowly becoming a force multiplier and productivity boost rather than a workforce replacement.
Shorts
Big Bank Wants Nice Things
J.P. Morgan Chase's Chief Information Security Officer, Patrick Opet, has published an open letter asking software-as-a-service (SaaS) providers to prioritise security over rushing features to market.
Opet says that market concentration in a small number of service providers results in a "concentration risk to global critical infrastructure". This concentration risk is made worse by software providers prioritising "rapid feature development over robust security".
We must establish new security principles and implement robust controls that enable the swift adoption of cloud services while protecting customers from their providers' vulnerabilities. Traditional measures like network segmentation, tiering, and protocol termination were durable in legacy principles but may no longer be viable today in a SaaS integration model. Instead, we need sophisticated authorization methods, advanced detection capabilities, and proactive measures to prevent the abuse of interconnected systems.
Opet doesn't specifically mention CISA's Secure By Design campaign, but the thrust is the same. Here's hoping that other large purchasers echo Opet's call and demand secure software.
Risky Biz Talks
You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).
In our last "Between Two Nerds" discussion Tom Uren and The Grugq discuss the Southeast Asian criminal syndicates that run online scam compounds. Should organisations like US Cyber Command or the UK's National Cyber Force target these gangs with disruption operations?
Or watch it on YouTube!
From Risky Bulletin:
French government grows a spine and calls out Russia's hacks: After years and years of pretending like nothing serious happened, the French government has finally grown a spine and formally called out Russia for using military cyber units to meddle in its elections and to carry out destructive cyberattacks against French targets—a big no-no for countries not at war.
In a statement on Tuesday, the French Ministry of Foreign Affairs said that hackers linked to Russia's GRU military intelligence agency were behind some of the most notorious hacks in France's history, such as:
- MacronLeaks: a hack-and-leak operation that tried to sway voters ahead of France's 2017 presidential election using over 20,000 emails stolen from the Macron campaign.
- TV5 hack: a destructive hack that almost took French broadcaster TV5 offline. The hack was conducted by GRU hackers under the guise of an ISIS hacktivist group named the Cyber Caliphate.
- Paris Olympics hacks: a mix of DDoS attacks and influence operations meant to disrupt and downplay the success of the 2024 Paris Olympic Games.
[more on Risky Bulletin]
NFC card malware keeps evolving in Russia, a bad omen for the future: After a few years of stagnation and repetitive, copy-pasted malware strains, the Android banking malware scene is seeing a leap forward in innovation and tactics.
This new evolution is targeting contactless payments, a feature of modern banking that allows individuals to pay by using a smartphone or credit/debit card that has an NFC chip inside it. In 2025, the feature is ubiquitous, and very few banks don't support it.
For over a decade, it was believed that contactless payments were the future because nobody could clone or intercept NFC transactions.
This initial sense of safety was shattered in 2020 with NFCGate, a piece of academic research that created an open-source toolkit capable of intercepting, relaying, and replaying NFC data streams from a victim to a new device.
[Risky Bulletin has more, including the evolution of NFC cloning from academic oddity to an increasingly common attack vector]
FBI IC3, Verizon DBIR, Google M-Trends reports are out—here are the conclusions!
There are a handful of seminal reports in the cybersecurity industry, and lo and behold, three of them were released on Wednesday.
Mandiant's team, now part of Google Cloud, released M-Trends, Verizon released its Data Breach Investigations Report (aka DBIR), and the FBI Internet Crime Complaint Center (IC3) released its yearly Internet Crime Report [PDF].
All put together, they amount to an astounding 256 pages, or the equivalent of a damn book. But don't worry, because we've got you covered. Below are extracts of the most important conclusions, trends, and talking points from each report.
[more on Risky Bulletin]