Symantec's discovery isn't actually the first time that Cobra DocGuard has been used to distribute malware. Cybersecurity firm ESET found that in September of last year a malicious update to the same application was used to breach a Hong Kong gambling company and plant a variant of the same Korplug code. ESET found that the gambling company also had been breached via the same method in 2021.

ESET pinned that earlier attack on the hacker group known as LuckyMouse, APT27, or Budworm, which is widely believed to be based in China and has for more than a decade targeted government agencies and government-related industries, including aerospace and defense. But despite the Korplug and CobraGuard connections, Symantec says it's too early to link the wider supply chain attack it has uncovered to the group behind the previous incidents.

“You can't rule out the idea that one APT group compromises this software, and then it becomes known that this software is vulnerable to this kind of compromise, and somebody else does it as well,” says Symantec's O'Brien, using the term APT to mean “advanced, persistent threat,” a common industry term for state-sponsored hacker groups. “We don't want to jump to conclusions.” O'Brien notes that another Chinese group, known as APT41 or Barium, has also carried out numerous supply chain attacks—perhaps more than any other team of hackers—and has used Korplug, too.

To add to the attack's stealth, the CarderBee hackers managed to somehow deceive Microsoft into lending extra legitimacy to their malware: They tricked the company into signing the Korplug backdoor with the certificates Microsoft uses in its Windows Hardware Compatibility Publisher program to designate trusted code, making it look far more legit than it is. That program typically requires a developer to register with Microsoft as a business entity and submit their code to Microsoft for approval. But the hackers appear to have obtained a Microsoft signature through either developer accounts they created themselves or obtained from other registered developers. Microsoft didn't respond to WIRED's request for more information on how it ended up signing malware used in the hackers' supply chain attack.

Malware that's signed by Microsoft is a long-running problem. Getting access to a registered developer account represents a hurdle to hackers, says Jake Williams, a former US National Security Agency hacker now on faculty at the Institute for Applied Network Security. But once that account is obtained, Microsoft is known to take a lax approach to vetting registered developers' code. “They typically sign whatever you, as the developer, submit,” Williams says. And those signatures can, in fact, make malware far harder to spot, he adds. “So many folks, when they threat-hunt, they start by exempting things that are signed by Microsoft,” Williams says.

That code-signing trick, combined with a well-executed supply chain attack, suggests a level of sophistication that makes CarderBee uniquely worthy of tracking, says Symantec's O'Brien—even for those outside of its current targeting in Hong Kong or Chinese neighbor countries. Regardless of whether you’re in China’s orbit, says O’Brien, “it’s certainly one to look out for.”

New Delhi, August 1, 2023 – Microsoft today announced Puneet Chandok’s appointment as Corporate Vice President of Microsoft India and South Asia. Effective September 1, 2023, he will assume the operational responsibilities from Anant Maheshwari.

Supported by a strong leadership team, Puneet will oversee the integration of Microsoft’s businesses across South Asia, including Bangladesh, Bhutan, Maldives, Nepal, and Sri Lanka, further boosting the company’s presence in the region, while deepening its focus on key industries through a customer-centric approach with generative AI at its core.

“We are delighted to announce that Puneet will be joining Microsoft India,” said Ahmed Mazhari, President, Microsoft Asia. “Puneet has a strong track record of building and growing technology businesses and leveraging technology to deliver impact and change. As we embrace an AI-led future, Puneet’s leadership will play a vital role in ensuring Microsoft’s ongoing success in South Asia, and I extend my thanks to Anant Maheshwari for setting us on a growth path.”

Commenting on his appointment, Puneet Chandok said, “I am inspired by Microsoft’s mission to empower every person and every organization on the planet to achieve more. As India expands its own digital public infrastructure, I believe that this mission is more relevant here than ever before, and I am thrilled to be joining the One Microsoft team to make this mission a reality.”

“It has been a privilege to participate in Microsoft India’s remarkable growth over the last seven years,” said Anant Maheshwari. “I am filled with gratitude for an exceptionally talented team with a strong set of leaders driving this momentum. The Microsoft India team has created a strong foundation of trust and entrepreneurial business models.”

Puneet’s appointment comes at a time of continued market expansion for Microsoft as a leader in cloud technology and digital innovation. With the largest partner ecosystem globally, including a 17,000 strong network in India generating high cloud revenue, and new investments in local infrastructure including the intent to establish a new data center in Hyderabad, Microsoft’s growth aligns with India’s emergence as a global innovation hub.  Microsoft remains deeply committed to serving the market with transformative digital technology, to power India’s economic progress and its inclusive growth agenda.

Puneet joins Microsoft from AWS, where he led the company’s India and South Asia business, working closely with enterprises, digital businesses, startups, and SMBs to help them reduce technical debt, bring in agility, and innovate. Prior to this, Puneet was a Partner at McKinsey in India and Asia, and also held senior regional and global roles in IBM. Puneet holds a master’s in business administration (MBA) from the Indian Institute of Management Calcutta, a bachelor’s degree in commerce, and diplomas in Computer Programming, Networking, and High-level Computer Systems.

About Microsoft India

Microsoft (Nasdaq “MSFT” @microsoft) enables digital transformation for the era of an intelligent cloud and an intelligent edge. Its mission is to empower every person and every organization on the planet to achieve more. Microsoft set up its India operations in 1990. Today, Microsoft entities in India have over 20,000 employees, engaged in sales and marketing, research, development, customer support, and industry solutions across 10 Indian cities – Ahmedabad, Bengaluru, Chennai, New Delhi, Gurugram, Hyderabad, Kolkata, Mumbai, Noida, and Pune. Microsoft offers its global cloud services from local data centers to accelerate digital transformation across Indian startups, businesses, and government organizations.

Artificial intelligence (AI), particularly generative AI apps such as ChatGPT and Bard, have dominated the news cycle since they became widely available starting in November 2022. GPT (Generative Pre-trained Transformer) is often used to generate text trained on large volumes of text data.

Undoubtedly impressive, gen AI has composed new songs, created images and drafted emails (and much more), all while raising legitimate ethical and practical concerns about how it could be used or misused. However, when you introduce the concept of gen AI into the operational technology (OT) space, it brings up significant questions about potential impacts, how to best test it and how it can be used effectively and safely. 

Impact, testing, and reliability of AI in OT

In the OT world, operations are all about repetition and consistency. The goal is to have the same inputs and outputs so that you can predict the outcome of any situation. When something unpredictable occurs, there’s always a human operator behind the desk, ready to make decisions quickly based on the possible ramifications — particularly in critical infrastructure environments.

In Information technology (IT), the consequences are often much less, such as losing data. On the other hand, in OT, if an oil refinery ignites, there is the potential cost of life, negative impacts on the environment, significant liability concerns, as well as long-term brand damage. This emphasizes the importance of making quick — and accurate — decisions during times of crisis. And this is ultimately why relying solely on AI or other tools is not perfect for OT operations, as the consequences of an error are immense. 

AI technologies use a lot of data to build decisions and set up logic to provide appropriate answers. In OT, if AI doesn’t make the right call, the potential negative impacts are serious and wide-ranging, while liability remains an open question.

Microsoft, for one, has proposed a blueprint for the public governance of AI to address current and emerging issues through public policy, law and regulation, building on the AI Risk Management Framework recently launched by the U.S. National Institute of Standards and Technology (NIST). The blueprint calls for government-led AI safety frameworks and safety brakes for AI systems that control critical infrastructure as society seeks to determine how to appropriately control AI as new capabilities emerge.

Elevate red team and blue team exercises

The concepts of “red team” and “blue team” refer to different approaches to testing and improving the security of a system or network. The terms originated in military exercises and have since been adopted by the cybersecurity community.

To better secure OT systems, the red team and the blue team work collaboratively, but from different perspectives: The red team tries to find vulnerabilities, while the blue team focuses on defending against those vulnerabilities. The goal is to create a realistic scenario where the red team mimics real-world attackers, and the blue team responds and improves their defenses based on the insights gained from the exercise.

Cyber teams could use AI to simulate cyberattacks and test ways that the system could be both attacked and defended. Leveraging AI technology in a red team blue team exercise would be incredibly helpful to close the skills gap where there may be a shortage of skilled labor or lack of budget for expensive resources, or even to provide a new challenge to well-trained and staffed teams. AI could help identify attack vectors or even highlight vulnerabilities that may not have been found in previous assessments. 

This type of exercise will highlight various ways that might compromise the control system or other prize assets. Additionally, AI could be used defensively to provide various ways to shut down an intrusive attack plan from a red team. This may shine a light on new ways to defend production systems and Strengthen the overall security of the systems as a whole, ultimately improving overall defense and creating appropriate response plans to protect critical infrastructure. 

Potential for digital twins + AI

Many advanced organizations have already built a digital replica of their OT environment — for example, a virtual version of an oil refinery or power plant. These replicas are built on the company’s comprehensive data set to match their environment. In an isolated digital twin environment, which is controlled and enclosed, you could use AI to stress test or optimize different technologies.

This environment provides a safe way to see what would happen if you changed something, for example, tried a new system or installed a different-sized pipe. A digital twin will allow operators to test and validate technology before implementing it in a production operation. Using AI, you could use your own environment and information to look for ways to increase throughput or minimize required downtimes. On the cybersecurity side, it offers more potential benefits. 

In a real-world production environment, however, there are incredibly large risks to providing access or control over something that can result in real-world impacts. At this point, it remains to be seen how much testing in the digital twin is sufficient before applying those changes in the real world.

The negative impacts if the test results are not completely accurate could include blackouts, severe environmental impacts or even worse outcomes, depending on the industry. For these reasons, the adoption of AI technology into the world of OT will likely be slow and cautious, providing time for long-term AI governance plans to take shape and risk management frameworks to be put in place. 

Enhance SOC capabilities and minimize noise for operators

AI can also be used in a safe means away from production equipment and processes to support the security and growth of OT businesses in a security operations center (SOC) environment. Organizations can leverage AI tools to act almost as an SOC analyst to review for abnormalities and to interpret rule sets from various OT systems.

This again comes back to using emerging technologies to close the skills gap in OT and cybersecurity. AI tools could also be used to minimize noise in alarm management or asset visibility tools with recommended actions or to review data based on risk scoring and rule structures to alleviate time for staff members to focus on the highest priority and greatest impact tasks.

What’s next for AI and OT?

Already, AI is quickly being adopted on the IT side. That adoption may also impact OT as, increasingly, these two environments continue to merge. An incident on the IT side can have OT implications, as the Colonial pipeline demonstrated when a ransomware attack resulted in a halt to pipeline operations. Increased use of AI in IT, therefore, may cause concern for OT environments. 

The first step is to put checks and balances in place for AI, limiting adoption to lower-impact areas to ensure that availability is not compromised. Organizations that have an OT lab must test AI extensively in an environment that is not connected to the broader internet.

Like air-gapped systems that do not allow outside communication, we need closed AI built on internal data that remains protected and secure within the environment to safely leverage the capabilities gen AI and other AI technologies can offer without putting sensitive information and environments, human beings or the broader environment at risk.

A taste of the future — today

The potential of AI to Strengthen our systems, safety and efficiency is almost endless, but we need to prioritize safety and reliability throughout this interesting time. All of this isn’t to say that we’re not seeing the benefits of AI and machine learning (ML) today. 

So, while we need to be aware of the risks AI and ML present in the OT environment, as an industry, we must also do what we do every time there is a new technology type added to the equation: Learn how to safely leverage it for its benefits. 

Matt Wiseman is senior product manager at OPSWAT.

© 2023 Benzinga.com. Benzinga does not provide investment advice. All rights reserved.

Each of the Big Four firms — having committed themselves to billions of dollars worth of investments in generative AI, as well as entering strategic alliances with tech companies like Microsoft, Google and OpenAI — are hard at work building an AI infrastructure that, over the long term, will support the technology's integration into nearly every aspect of their practices. 

Like many things, the key to these AI ambitions is data. All four firms possess massive stores of data, collected over the years from thousands of routine operations. Leaders plan to leverage this data to train their own custom AI models — and this is not a plan for the far-off future. Each has already begun doing so, sometimes through creating something new and other times through adding generative AI capacities onto existing solutions. 

Joe Atkinson, chief products and technology officer with PwC, said they are in the middle of piloting what, internally, is being called "ChatPwC," which is essentially a ChatGPT-like model operating within the firm's secure environment. People have uploaded information to this secure environment over many years. ChatPwC is trained on this data and, so far, it is used to assist staff members with certain administrative and research tasks. 

"[ChatPwC] takes advantage of that data to make first drafts of memos and reports and to analyze large documents and figure out risk factors to see where we need to dig in. It's in pilot, but we're expecting to scale it, so we're evaluating the impact and the cost because generative AI models are expensive to operate," he said. 

Will Bible, Deloitte's audit and assurance digital transformation and innovation leader, confirmed that his firm, too, is developing a chatbot that draws upon massive amounts of internal data to generate intelligent responses and provide insights to people on technical subject matters. At the moment, he said, they are in the middle of performing quality control on the bot to fine-tune its accuracy, which he said still can be iffy. The plan right now is to have the bot available for internal use only, but leaders are also evaluating whether it should be broadly available as part of its technical library. 

"The research chatbot is a fairly direct use case. You've seen a lot of chatbots in the news, which makes a lot of sense with a natural language interface, but there are other areas where generative AI can play a role in terms of evaluating documents, summarization, those kinds of things. So our R&D is prototyping around applying these capabilities," he said.

E&Y, meanwhile, has added AI capacity to its already-existing EY Canvas platform, which supports over 120,000 staff members on top of 350,000 clients worldwide, though it is not described as a chatbot but rather a "recommendation engine" that runs on more classical AI software. The program draws on the huge amount of data stored on the system, generated by day-to-day activities on the platform by E&Y professionals. This allows the AI to observe how people conduct processes and tasks in an engagement, which then informs its own insights and suggestions.

Richard Jackson, an E&Y assurance partner who specializes in technology, said it is the equivalent of drawing upon the collective knowledge and experience of 10,000 professionals on what they did in similar situations. He compared it to bumping into an experienced colleague at the water cooler and talking out a problem, except on a mass scale. 

"So instead of 'Who is Richard speaking to?' it's more I get to have a machine to help me tap into the thousands of client insights we have. The mechanics of what I do are similar to what I do now in applying my own professional judgment, but now my frame of reference, and my input to that thought process, is not just the people in the office but a global scale," he said, adding it is a great example of how E&Y is seeking to augment, rather than replace, accountants. (See "Big Four: AI will augment, not replace, accountants.")

Rodrigo Madanes, E&Y's global AI leader, added in an email that the firm is also working on a variety of, specifically, generative AI applications both for internal use and for clients. recent technological advances, he said, allow generative AI chatbots to be integrated into databases and other types of structured data, which gives rise to better user experiences. He raised the example of the EY Intelligent Payroll Chatbot, launched in March 2023 with the ability to answer employee payroll questions and personalize the employee experience. However, he added that while the firm is highly interested in generative AI, it is keenly aware of its inherent risks. 

"EY is ... following responsible AI guidelines. We are being careful in the development of our 'chatbots' or conversational interfaces, as there are a number of well-known issues including hallucinations and biases. We have developed 'Responsible AI' guidelines in order to ensure our technology is safe and that it augments the capabilities of people," he said. 

On the audit and assurance side of things, E&Y is in the development and testing phase for specific generative AI use cases.

Cliff Justice, KPMG U.S. enterprise innovation leader, said that its focus hasn't been on a single generative AI tool but a range of different ones for different purposes. Working in direct partnership with Microsoft, it is using chatbots for a range of tasks. Already professionals in KPMG's advisory and tax practices already have access to GPT-like tools for tasks such as creating content, summarizing long documents, conducting research and assisting with code development; KPMG Tax, meanwhile, is combining the tools with a cloud technology platform, Digital Gateway, to assist in ESG reporting; and advisory staff are integrating generative AI with already existing tools.

"As you can imagine, we have lots of data. We have existing data, the data created by our people, so we combine that and those tools and customize the output and software with the AI platforms to help automate, streamline and Strengthen productivity across the firm," he said. 

KPMG Australia also touted its internal KymChat bot, described as a proprietary version of ChatGPT, which acts as an assistant for internal staff members. While its main use cases for now pertain to efficiency and innovation within the firm, it is expected that leaders will eventually scale up its capacities to provide more functionality. 

Who's data is it?

An oft-cited concern regarding AI bots is data privacy, especially given that some of the most popular, publicly available applications store all conversations on their servers. This is why many firms, while enthusiastic about ChatGPT, hesitate on using it for serious client work (see previous story). Given professional rules about client privacy, entering client data into ChatGPT (or other models like Bard or Claude) could represent an ethics violation. 

This is not a major concern for the Big Four firms, however, all of whom develop their AIs in their own secure environment, behind their own firewalls. The bots feed only on the data given them by the firms, and disclose nothing to the outside world. Much of this is possible due to the firm's partnerships with major players in the AI space, which gives them access to development tools generally not available to the public. By having direct access to these tools, they can train their models inside their secure environment without releasing client data. 

PwC's Atkinson said they are not pursuing these developments for their own sake but, rather, because their clients are likely doing so as well. If they expect to be able to service their clients in the future, he said, it will be necessary to meet them where they are, which means increasing their own AI capabilities. 

"Today we see the overwhelming majority of services have a technology component to them. Tomorrow, in the AI world, all of them do. There is no delivery without application of AI in smart ways. I am confident we can deliver a ton of value today, but our capacity to deliver value will explode in an AI world," he said.