Wikistrat’s Jeffrey Caruso on New Methods in Cyber-Physical Attacks

In this episode of The Future of Threat Intelligence, Jeffrey Caruso, Senior Analyst at Wikistrat & Author of Inside Cyber Warfare, shares examples of how teams with minimal budgets achieved kinetic effects through OT system manipulation — from destroying missile research facilities to compromising subway systems and burning down FSB-affiliated banks. His findings, based on two years documenting Ukrainian cyber operations, demonstrate how deep supply chain understanding and innovative attack methods are proving more effective than conventional nation-state capabilities. 

Through methodical vendor system compromise and strategic engineering documentation exfiltration, he tells with David how these teams have developed techniques for creating cascading physical effects without entering Russian territory. Notably, they've demonstrated that successful cyber-physical attacks don't require massive resources; instead, success comes from understanding system interdependencies and supply chain relationships, combined with the ability to interrogate key technical personnel about specific system behaviors. 

This research challenges traditional security models that emphasize tool stacks over team composition and suggests that adversary categorization (nation-state vs. criminal) may be less relevant than previously thought.

Topics discussed:

• How Ukrainian teams executed cyber-physical attacks by compromising vendor systems to obtain engineering diagrams and documentation, then exploiting OT vulnerabilities to create kinetic effects.
• Why commercial security tools face limitations in addressing these attack methods due to business model constraints and design approach.
• Technical examination of supply chain compromise techniques enabling physical infrastructure attacks, with examples of vendor system exploitation.
• Evidence supporting an "adversary agnostic" approach to defense rather than traditional threat actor categorization.
• Practical insights on building security teams by prioritizing mission focus and institutional loyalty over technical credentials.
• Analysis of how OT system trial-and-error testing creates new risks for critical infrastructure protection

Key Takeaways: 

• Implement an adversary-agnostic defense strategy rather than focusing on threat actor categorization, as demonstrated by Ukrainian operations showing how even small teams can achieve nation-state-level impacts.
• Prioritize supply chain security assessments by mapping vendor relationships and identifying potential engineering documentation exposure points that could enable cyber-physical attacks.
• Establish comprehensive OT system monitoring to detect trial-and-error testing patterns that could indicate attackers attempting to understand system behavior for kinetic effects.
• Transform security team building by prioritizing veteran hiring and mission focus over technical credentials alone, focusing on demonstrated loyalty and motivation.
• Design resilient backup systems and fail-safes for critical infrastructure, operating under the assumption that primary defenses will be compromised.
• Evaluate commercial security tools against their fundamental design limitations and business model constraints rather than feature lists alone.
• Document all subsystems and interdependencies in OT environments to understand potential cascade effects that could be exploited for physical impact.
• Build security team loyalty through comprehensive support services, competitive compensation, and burnout prevention rather than relying on high-paid "superstar" hires.
• Develop verification checkpoints throughout automated security processes rather than assuming tool effectiveness, particularly for critical infrastructure protection.
• Create architectural resilience by assuming breach scenarios and implementing multiple layers of manual oversight for critical system changes.

Join us for the 15th anniversary of RISE in San Francisco this April 8-9, where cybersecurity professionals, law enforcement, and threat intelligence analysts come together for two days of TLP-RED content sharing and hands-on collaboration in the fight against cybercrime. 

Apply now at http://www.cymru.com/rise.  

Listen to more episodes: 

Apple 

Spotify