The Microsoft Threat Intelligence Podcast 10.25.23
Ep 4 | 10.25.23

China Threat Landscape: Meet the Typhoon


Sherrod DeGrippo: Welcome to the "Microsoft Threat Intelligence" podcast. I'm Sherrod DeGrippo. Ever wanted to step into the shadowy realm of digital espionage, cybercrime, social engineering, fraud? Well, each week, dive deep with us into the underground. Come hear from Microsoft's elite threat intelligence researchers. Join us as we decode mysteries, expose hidden adversaries, and shape the future of cybersecurity. It might get a little weird. But don't worry, I'm your guide to the back alleys of the threat landscape. Hello, everyone. Welcome back to the "Microsoft Threat Intelligence" podcast. I'm here with Graham Dietz, one of our threat intelligence analysts. Graham focuses on China, also known as the Typhoon family of threat actors. And, Graham, I want to welcome you. Thanks for joining us.

Graham Dietz: Thanks, Sherrod. It's great to join you here and talk a little bit about China.

Sherrod DeGrippo: Yeah, so, China's been really active since, I guess, the beginning of the concept of named and numbered APTs really. Can you kind of give us a rundown? Like let's jump right into it. China has got a full capacity when it comes to APT. They're considered one of those top programs out there when we think about APT and nation-sponsored programs. We talk about it in Microsoft as part of the Typhoon family. So, can you kind of give us an overview of what the APT landscape looks like coming out of China?

Graham Dietz: Yeah, for sure. And like you said, yeah, they date back pretty far in terms of China's cyber network operations, the very first like APT report, APT1 back in 2014, that was on China, that was on a PLA unit. And back then, and kind of to an extent today, we still really think of China when we think of APTs, of these advanced persistent threats where they're going after specific organizations or specific types of organizations, or individuals even. China does have a very robust program. And it includes a lot of different targets and also a lot of different people on the back end making things happen. So, from a targeting perspective, the way we see it as potential targets and potential victims of these Chinese cyber network operations, we see them targeting a few different groups of people. We see them targeting domestic individuals so folks within China or directly related to the kind of domestic Chinese politics that the Chinese Communist Party views as undesirable or subversive. We see them targeting internationally diplomatic efforts and diplomatic organizations, so we see them going after different departments of state of various countries around the world for the purpose of gathering information, just a kind of traditional espionage. And we also see them performing industrial espionage. So, the made-in-China strategy of leap-frogging private industries around the world to get China on top in terms of its economic power, trying to get information related to that. Those are the big kind of areas that we see them focusing on. The kind of caveat to that is that we also know that China develops things like cyber warfare capabilities and kinetic capabilities that are kind of less visible and that we know less about. So, the darker area of that kind of Chinese cyber activity. But all of this is fueled by China's domestic supply of hacking talent basically. 
So, in addition to folks within the People's Liberation Army and folks within private contractors, there are hackers within China who fall into like what we call patriotic hackers who just do it for their own reasons, there is a thriving Chinese cybercriminal kind of underground, and there's just a lot of education around developing computer-related talent, that means that these folks are just kind of floating around and available and create this very large pool for China to draw off of. So, that's kind of a high-level view of what we see China doing and what we think we see on kind of the backend fueling that activity.

Sherrod DeGrippo: So, you mentioned a couple of things that I have questions on. First, PLA unit, what does that mean?

Graham Dietz: Yeah, so PLA unit, so People's Liberation Army is China's military basically, and they have several different units that we know of that are involved in cyber warfare, electronic warfare, and that kind of just fuel their offensive network operations in general. So, it's a really big part of China's kind of separate power is that they do a lot of those in-house, within the military, it's fully state-controlled and even, you know, like I said the APT1 report, that was on the PLA unit back in 2014 that they believed was behind these Chinese cyberattacks. Today there are times when we're able to pin specific incidents to specific units within China's military. And there are a lot of China watchers, just kind of on the net and around the world that try to do the same thing. But we generally don't get to see that level of specificity when we're attributing these incidents that we see day to day, we just keep in mind that there are a lot of Chinese units within the military that also perform these cyber operations.

Sherrod DeGrippo: And you talked a little bit about patriotic hackers. So, we've certainly seen that in all of the countries that we consider to kind of have some nation-state capability. Iran is definitely one that has quite a bit of that. It's like culturally ingrained that they're focused on their domestic concerns and their own country. We see that in Russia, but we certainly see it in Iran. And I want to know a little bit about that for China. What is the kind of scene like there if you're a patriotic hacker? What sorts of things are you doing?

Graham Dietz: Yeah, I mean, it's -- I don't know how much day-to-day detail I'll be able to give you, but like you said, we know that a lot of countries kind of draw on these patriotic hackers, China is not an exception there. And it's kind of -- it kind of ties into a few different strategies that they have going on, you know, developing computer and information security talent, on the one hand, and a kind of long-running program of kind of shaping popular consciousness and patriotism at a large scale within the country, so trying to create cultures that are hostile basically to certain countries, including the United States to a degree, Japan, places that they would consider enemies and that we would consider to be likely targets of Chinese activity and cross that with what we know about this talent development within China and we see a decent number of folks who have the capability to perform certain types of cyberattacks, targeting these countries, and who will do it just kind of on their own without a whole lot of prodding, just with messaging that comes through the Chinese state apparatus. So, as far as the kind of day-to-day what will they be doing? It's kind of hard to say, but we know that we've seen attackers doing things as simple as denial of service attacks, as web defacements. And likely things as sophisticated as performing compromises on devices at, you know, that kind of a lower level of sophistication. Exactly where the line is between a patriotic hacker and kind of state-permitted or state-allowed attackers, it's kind of blurry because at the same time, like I said, we have a thriving Chinese cybercrime culture and as well as Chinese communities that do things like, you know, bug hunting and tool development, and these kinds of like hacking tools that Chinese individuals develop are used by a wide variety of folks. And sometimes there's overlap between what's used by known state-sponsored attackers. 
There can be an overlap between what's used by these known state-sponsored attackers and patriotic hackers, or just folks kind of doing less sophisticated activity. So, it varies a lot. And only those folks who are plugged in real deep with China's day-to-day cybercriminal forums and communities could tell you I think what they're doing at any given time, but it varies, and there's a wide range of capabilities I would say.

Sherrod DeGrippo: Do you think there's much of a pipeline there from a China kid hacking away for domestic patriotism, maybe thinking they can get hired into a state-sponsored intelligence role?

Graham Dietz: Yeah. We know that there is. We've seen a couple of cases where we were able to trace individuals who start off on Chinese cybercrime forums or just collecting bug bounties, basically having -- getting famous for their hacker handle essentially, then getting picked up by a larger company that does offensive cyber network operations as part of its business, or as a contractor for the government. And then once actual intelligence agencies or military agencies get involved that the trail usually goes cold. But we do see a lot of exchange between those private organizations and contractors, military, etc. So, we assume that that stage of the pipeline exists as well. But we know for a fact that folks who start off on these kind of individual bases, cybercriminal forum or bug bounty or doing their own exploit writing, tool writing, if they have an eye to getting into an organization where they, you know, get paid to do that, they can absolutely do that.

Sherrod DeGrippo: That's really interesting. I think it's sort of like me that I love the United States Postal Service and always dream one day of becoming a real letter carrier. That will never happen. But I guess when you're an amateur, you dream someday of going pro and it's kind of the same thing for China patriotic hackers over there.

Graham Dietz: Yeah, I guess so. I kind of wonder what they dream about getting into when they start off with this.

Sherrod DeGrippo: So, let me -- speaking of dreams, in terms of crime coming out of China, that's not something that's super on the radar, we don't typically think of China as having a large Western-facing cybercrime capability. Are you seeing that come up? Is that still the case? What's the threat actor landscape for cybercrime based in China?

Graham Dietz: Yeah. It exists but it is a lot quieter. There could be multiple reasons for that but I think the biggest one is just the size of the Eastern European cybercrime operation is that it kind of drowns out what else we see there. There's likely also some differences in targeting Eastern Asians, Southeast Asia, easier targets for folks based in China with language, culture proximity, time zone, what have you. But the biggest reason why we don't see a ton of it here in the US making headlines is just that it does get kind of drowned out with what's going on coming from Eastern Europe, the CIS countries where they're able to mount these huge like ransomware operations and not get caught basically. The last thing that kind of factors in there is that a lot of what these Chinese cybercriminals are doing is developing services, tools, other things that are going to be used by other cybercriminals and that don't ever actually face the victim directly. Whereas these Eastern European attackers are the ones developing the actual ransomware that will end up on an end-user system, things that are easier to trace back and that kind of form that direct connection between the victim and the perpetrator.

Sherrod DeGrippo: So, that kind of speaks to something I wanted to ask about as well. It sounds like the China operations are focusing a lot on edge network devices as opposed to doing a lot of host-based malware that we traditionally see. It sounds like they've been able to focus on edge network devices and kind of sit on those for a while. Is that something they've been doing for years? Is that part of a strategic focus on just owning networks as opposed to being on end-user devices?

Graham Dietz: It's true that we do see a good number of Chinese actors that seem to get that initial access or get through edge devices and not dig that much deeper, at least not visibly. But we do see a lot of Chinese actors that do perform activity on host devices, target devices deeper within the network, or on cloud devices as well. I would say it depends and it varies. The capabilities are definitely there. We see them using malware that they create themselves or that is shared by multiple Chinese actors as well as commodity power, kind of a big thing is within tracking China actors is that attribution can be difficult because we'll see them using commodity tools like Mimikatz is a well-known one that listeners might know that's used for dumping passwords off of a compromised Windows system that is openly and publicly available. That's just one of the tools that Chinese hackers will use on an end device, the host device once they've gotten access.

Sherrod DeGrippo: So, it sounds like they have the ability to use what you're saying like off-the-shelf software like Mimikatz, they're using that and then they're also doing home-grown malware too for access.

Graham Dietz: Yeah. So, we see them using both. The rule of thumb kind of for tracking China actors is that you can count on them using the edge commodity malware whenever possible just because it's less attributable. So, it's harder to say that because you see this piece of malware on a system that this is definitely a Chinese campaign. And we believe that's a strategic choice that when Chinese attackers develop a piece of malware, they share it among multiple groups, or otherwise they will use commodity malware in order to make it more difficult to say who is behind the attack. That seems to be one of their priorities. So, I would say while a lot of the edge malware that Chinese actors use like China Chopper, eponymously named, is pretty well known, they do still conduct a fair amount of host activity that's just harder to attribute. There is also value for these actors that do just kind of get partway into the network or compromise edge devices on a network to get in just in terms of laying the groundwork for later operations. We do believe that Chinese attack groups kind of divide up the labor so that one certain group will do the low sophistication initial compromise of systems and then pass it over to a higher-tier basically group that will conduct the more advanced activity, and then perhaps another tier will find the actual information of final interest and act on that. So, some of what you described probably fits into that pipeline. And then finally, we do also like a lot of adversaries see China compromising edge devices just to use for their own purposes basically. So, between all of that, I would say it's fair to say that we see a lot of Chinese activity focusing on edge devices.

Sherrod DeGrippo: And what do you think is typically the primary initial access factor? Is it those edge devices, is it malware, is it something network? Are they leveraging end-point exploits? Is there anything that's like a pattern that they typically prefer for that initial access?

Graham Dietz: So, it varies quite a bit by actor group, so different Chinese actor groups will prefer different initial access methods. Some of them will use email, they'll send phishing emails that include malicious documents or malicious links, and achieve initial access that way. Some actors that we track, we know, for example, Twill Typhoon is one of the Chinese actors that we track is kind of famous for using compromised USB devices, which is a kind of unusual method within the broader information security ecosystem, but it is just their preferred mode of access from what we can tell. Planting malware on USB devices, which then will spread around as they're plugged into computers. A lot of the actors that we track that make the news, so Flax Typhoon, Volt Typhoon, groups like that are just getting in through those edge devices. So, Flax Typhoon and Volt Typhoon both we know achieve initial access through edge devices, Flax Typhoon in particular. Every time that we have been able to confirm initial access and compromise by that actor, we find that they've achieved initial access via a known vulnerability or an N-day vulnerability in one of those edge devices. So, this is a vulnerability that should have been patched, sometimes years ago, and where there's a public proof of concept exploit or other code that is readily available that they can use to compromise those devices basically. So, pretty low sophistication. Chinese actors are big fans of work smarter, not harder. In cases of those kinds of actors like Volt Typhoon and Flax Typhoon, they definitely seem to prefer to rely on available or easily developed exploits for those public-facing applications and servers.

Sherrod DeGrippo: So, Twill Typhoon is actually doing like the USB drop in the parking lot stuff like from a movie.

Graham Dietz: Something like that, we think. It's impossible to know exactly what a physical view of things looks like. But we know that they develop and distribute malware that is spread via USB devices, exactly how that is like initially working is kind of hard to say. It's possible that they are developing these devices themselves and dropping them physically places where they can be passed around, spread around. That certainly wouldn't be abnormal. It's also possible that they are basically using malware outside of our visibility to infect USB devices that happen to be plugged into systems that they have already compromised.

Sherrod DeGrippo: So, like a double compromise almost in order to have that visibility. Like they've got the USB side of it and they've potentially done something on the host or the edge device as well. That sounds like a very high-value target. If you're getting it from both sides --

Graham Dietz: Yeah, basically.

Sherrod DeGrippo: -- of one of these actors, I feel like you're a pretty juicy target at that point.

Graham Dietz: Exactly.

Sherrod DeGrippo: And that's interesting too. I wonder to what degree so much of the move to the cloud has impacted some of that USB attack chain capability because I can't remember the last time I really plugged anything into my computer other than a monitor. And you don't typically find the monitor lying in the parking lot. So, that old-style USB drop where, you know, a portable hard drive, USB drop, people don't need those really anymore. A lot of them just use the cloud unless you're doing something that you definitely don't want in the cloud, which might be part of that attack as well. It's almost as if with physical USB attacks like that, there is some element of social engineering to get that person to plug it into their machine.

Graham Dietz: There may be. Yeah. There may be social engineering. It's also -- it is kind of like the whole situation with Twill Typhoon and the USB storage reminds me of when I was working in Washington DC, I worked there at a think-tank for a few years. And in DC, like number one, you're around a bunch of government folks who are often not given access to all of the latest and greatest in terms of technology tools. And so, things like cloud storage might be a little less available depending on the agency, depending on their business. But also like there are just tons of talks, lectures, events, conferences going on all the time. And, of course, every one of those comes with swag and sometimes that swag includes things like USB devices. And probably folks at like Black Hat, CYBERWARCON, and the rest, know better than to distribute USB devices and not have people assume that they're infected with something. But in DC, I can definitely see that happening. And we know that Twill Typhoon, for example, does target government organizations and I do have to wonder if those government organizations, especially in lesser developed nations like parts of Southeast Asia or East Asia, but really anywhere including Europe, which we know that they target quite a bit, I have to wonder if those areas, the kind of government towns, they are also kind of operating with a similar dynamic in a situation where they're ready to accept a free USB drive from somewhere or to let someone, you know, give them access to documents via USB drive for one reason or another.

Sherrod DeGrippo: So, you've set yourself up perfectly for this next question which is, Graham, what should people do if they're handed an unknown USB device by a stranger?

Graham Dietz: Oh, boy. Yeah, that is a tough one for most people. I would say the right thing to do is just take it to e-waste, basically.

Sherrod DeGrippo: So, throw it in the trash. Reduce, reuse, recycle it.

Graham Dietz: Kind of. I mean, like if it was me, I would probably plug it into like a Linux system or something that is less likely to be targeted and see what was on it before, you know, formatting it and maybe using it. But it's hard to say. And it does depend on your threat model because, you know, for those of us who work in the information security industry, we have to be a little paranoid. So, I'm not sure that I would even do that because some malware that is distributed on the basis like that can hide itself really well and can be hard to detect, hard to remove. But for normal day-to-day people who don't work in information security, I mean, I would still worry about something like that having something nasty like adware or some kind of tracking information, or a credential stealer like these, you know -- we see, you know, banking Trojans popping up all over the place. I would still be kind of worried about that just because I'm a paranoid individual like that.

Sherrod DeGrippo: My advice would be, unless -- well, no, you know what, I'll say this. I wouldn't eat food handed to me by a random stranger, I don't think I would plug in a USB device handed to me by a random stranger.

Graham Dietz: Right. Yeah, that's the analogy I've heard.

Sherrod DeGrippo: Yeah, take it to your local electronic superstore, have them -- they have recycle bins usually in the front for batteries and stuff, you can recycle it. Be kind to the Earth, sustainability, it's important. But I don't think you should probably plug that stuff in, you know.

Graham Dietz: Probably not. I suppose you could hand it to an adventurous, you know, information security professional that you know who is in the habit of looking for trouble like that and seeing what they can find on that stuff.

Sherrod DeGrippo: We work with a lot of people that are looking for trouble like that, yeah. I think a lot of the Microsoft IR, also formerly known as DART, people would be excited by that. Microsoft Incident Response, they're a little wild, they drop out of helicopters and jump over canyons and all that kind of stuff. So, they live an adventurous life.

Graham Dietz: That's crazy. They do.

Sherrod DeGrippo: So, let me ask you one more question about threat actor and then I want to kind of move on to a little bit about your background. If you could kind of define what sets China apart? In terms of being an APT, what's something that you kind of say is maybe like a hallmark or an indicator or, oh, this is something China does, this is something China likes to do? Is there anything like that?

Graham Dietz: I would say that in terms of differentiating them from other state-sponsored threat actors, the big thing is that they're pretty loud comparatively. Like China, we see a lot about China state-sponsored attacks targeting, you know, companies or governments, and sometimes even those kinds of vulnerable individuals. Like I mentioned, we see stuff like that making the news more frequently because it's hiding the fact that this kind of stuff is happening is not a top priority for Beijing. Like as long as they have the plausible deniability of saying, "This is not under our control. This is just, you know, individuals. And we promise, we pinky swear we'll look into it to try and find out who they are." As long as they can say something along those lines, they're happy. And so, the activity that a lot of these Chinese state-sponsored actors perform is pretty loud. And when it comes to those exploits on network edge devices, it's the perfect case. Like that kind of activity is something that in a mature organization with a good information security practice that would hopefully set off alarm bells and prompt a response to, you know, patch vulnerabilities or look for compromise, what have you. Of course, China, most of the time what they're looking for is kind of that path of least resistance. So, they are not trying to target one specific company and create bespoke malware that is going to remain completely undetected, as far as we know. And, of course, that is dependent on the visibility. But we do see them a lot of the time, a lot more than we see with other countries that we know conduct these kinds of operations, we see them performing these kind of larger untargeted attacks where they will compromise a large number of devices and kind of narrow down to see what's interesting and then go from there. 
It's a little different, like I mentioned with those vulnerable individuals who are targeted by the Chinese government, but we do still see them showing up, again, because it's just not kind of in their mandate to make sure that no one knows that anything ever happened for most of these cases. So, I would say for a lot of the China threat actors that we see out there, the big differentiator from the perspective of the targets, us, the good guys, the blue team as it were is these are folks who are mostly going to get you if you aren't patching your servers, if you aren't keeping your anti-spam, anti-phishing, and phishing training programs up to date. Or if you plug in USB drives like you would swallow a pill you found on the street. A lot of it is stuff that is fairly preventable.

Sherrod DeGrippo: Would you swallow a pill you found on the street?

Graham Dietz: No, no way.

Sherrod DeGrippo: I wouldn't. But I know some people who would.

Graham Dietz: But I do have to admit one time -- really?

Sherrod DeGrippo: Okay. One time what? Did you pick up a pill off the street?

Graham Dietz: Just one time. No, I didn't, but I was at a bar in Virginia, in Reston near DC with some other cybersecurity folks and someone pulled out a USB drive that they had actually found lying around or something. So, I said -- you know, we were all just kind of hanging out, so I just said, "Yeah, well, I have an adapter in my bag. Let me plug it into my Android phone." Because it's, you know, up-to-date Android Linux-based phone, I figured, you know, if it's targeting Windows or if it's targeting iOS, this isn't going to do anything but maybe I'll get to see what's on there. Plugged it in and it was just a bunch of boring stuff. It was just like advertisements and documents from the organization they got it from, which was kind of disappointing. But they were all freaking out for a minute, which was pretty amusing. So, I feel like it was worth it just to see that.

Sherrod DeGrippo: Did anyone try to stop you?

Graham Dietz: They did. They did. But I was just -- I was really curious, number one. And I was pretty confident, number two, that even if there was something on there, it wouldn't be anything that would affect me if I plugged it in basically.

Sherrod DeGrippo: Well, I'm on your side. I would definitely be encouraging you to do that if I was there and telling you that it was a good idea. That's definitely something I would love to see another person do, but not me.

Graham Dietz: Exactly, right.

Sherrod DeGrippo: Everyone listening, you need to decide if you witness this, would you be the person that says, no, no, don't do it? Or would you be the person that says, yeah, let's see what's on there? You have to figure out who you are.

Graham Dietz: It was bad practice but it was pretty funny. And, no, this didn't have anything that time, fortunately.

Sherrod DeGrippo: Your luck is holding strong in your use of randomly found USB devices. So, speaking of your luck, let's talk about why you got into China, why you got into threat intelligence. How did you start in this line of work?

Graham Dietz: Yeah. So, I kind of got into China-related things before I got into cyber-related things. So, I started out in DC, working in a think-tank space, looking at US-Japan relations and that meant, of course, studying a lot of China-related things. So, China's kind of domestic policies, economic policies, security policies, things like that. So, it gave me a good kind of strategic-level view of what to expect from China. So, from there, I was lucky enough to get some of the training in cybersecurity. So, basically, the folks I was working for at the time were willing to sponsor some extra training because I already had some IT background, and they wanted someone who would be able to help them kind of decode the burgeoning field of cyber diplomatic relations basically in cybersecurity, security policy, joint cybersecurity policy, things like that, which Japan was just starting to kind of get its feet wet with at that time. And so, I was able to kind of read up, get trained up, learn a fair bit, and all this while, I was writing reports basically and the kinds of analyses that most intelligence folks would recognize, all stuff that I trained on in college as well, which was lucky. From there, I moved into the digital contractors space in DC, working with civilian agencies as well as commercial organizations doing the basic cybersecurity stuff like security operation center or SOC or incident response work, or IR work, and then eventually doing things more along the lines of kind of intelligence style analysis. So, learning about different ongoing activities in the cybersecurity world and then writing those up for folks higher up the chain who needed to kind of consider this as part of their strategic decisions. In addition to helping them understand things like economic threats. So, part of which kind of set me up for what I'm doing today is learning about the economic tool bag that China uses in its kind of warfare kit essentially.
So, China does have an ongoing policy of trying to kind of usurp existing leaders or early leaders in what they expect to be top fields in the future basically, the high-tech fields, and learning about how it is that they target those companies, get intellectual property, or just get control over the company themselves, and then use that to capture this market's activity to become part of the Chinese economic engine. Learning all of that was really helpful for understanding the strategies that would be driving China's cyber operations. When I finally did get into cyber threat intelligence, as a kind of proper analyst I've studied a bunch of different types of threats kind of across the board for a while but because I already had a bunch of background in East Asia, a lot of it usually wound up focusing on either North Korea or China, and China is just such a huge producer of offensive cyber network operations that basically anywhere you go, there's going to be a need for more attention on China in terms of producing that cyber threat intelligence. And that goes for Microsoft too. We collect and analyze so many signals every day and a lot of them are going to have to do with China because of the size of their operation, and there is never not something interesting to study when it comes to China and its cyber threat landscape. So, here at Microsoft, I work with a team of very talented people, some of them are linguists, some of them are experts in specific policies like the China Belt and Road Initiative, for example. And some of them are technical experts who do analysis of specific pieces of malware and tools, and they know how to pick those apart and understand exactly what they do and look for kind of fingerprints that might get them a clue as to who developed them as well. 
And with all these folks working together, I help to produce the kind of reports that end up in front of customers that summarize hopefully in a fairly comprehensible way what all is going on with these Chinese threat actors, with the tools that they're using and with their strategic goals to kind of help customers know if a threat is relevant to them and if it is, what they can do to protect themselves.

Sherrod DeGrippo: I love it. So, before we wrap up, I want to ask you, you can no longer in this scenario, you can no longer specialize in China. You have the following choices, Iran, Russia, DPRK, Palestine, or crimeware? What do you choose?

Graham Dietz: I would probably move to DPRK.

Sherrod DeGrippo: Oh, you already did DPRK a little bit though.

Graham Dietz: I know. It's what's so curious. I guess if I had to get out of East Asia, which is like that would be fair I guess, I would probably -- I would probably start looking at Palestine just because the Middle East area is kind of an outlier in terms of the types of capabilities and kind of how cyber warfare is used. And in the past, any time I've had to deal with anything relating to Israel, Palestine, Iran, Saudi Arabia, what have you, that's always been pretty quirky and unusual. And that's pretty different from what we see between China and its typical adversaries in East Asia, Southeast Asia, and North America from my perspective. So, that would be the most interesting shift if I was going to try to do something totally different from what I'm working on right now.

Sherrod DeGrippo: I like to know what people would want to work on if they did something totally different. And I did get some of the Peach Sandstorm APT Iran folks to say they would join me in my love of crimeware. So, I got Simian and Lauren, I think, to say they would do crimeware, and Amele, I think, said he wanted to do Russia. Which I was like, oh, well. But Graham, thank you so much for joining us on the "Microsoft Threat Intelligence" podcast. I hope we can have you back again when there's more developments in China for us to talk about.

Graham Dietz: Thanks, Sherrod. Yeah, it's been a lot of fun talking to you. And I hope to see you again soon.

Sherrod DeGrippo: Thanks, everyone. Thanks for listening to the "Microsoft Threat Intelligence" podcast. We'd love to hear from you, email us with your ideas at Every episode will decode the threat landscape and arm you with the intelligence you need to take on threat actors. Check us out for more and subscribe on your favorite podcast app.