State of Cybercrime

U.S. Defense Papers Leak

Episode Summary

It’s being called the biggest U.S. defense leak since WikiLeaks. More than one hundred classified U.S. defense documents have been circulated, including details about the Russia-Ukraine war and U.S. intelligence collection methods — and analysts suggest there is more damage to come. Join Matt Radolec and special guest Rob Sobers for a State of Cybercrime episode that discusses the latest findings on what type of intel has been shared, how that data was compromised, and the implications this has for needed procedural changes within the Pentagon.

Episode Notes

Links mentioned in this episode:

• Video course (free) on building an IR plan: https://info.varonis.com/thank-you/course/cyber-incident-response

• Blog post about LockBit: https://www.varonis.com/blog/anatomy-of-a-ransomware-attack

• Blog post about HardBit: https://www.varonis.com/blog/hardbit-2.0-ransomware

Episode Transcription

[00:00:00]

Matt Radolec: Hello everyone and welcome to another episode of State of Cybercrime. I'm joined today by a guest star, Rob Sobers, who is Varonis's CMO. Rob, you wanna say hello?

Rob Sobers: Hey everybody. Thanks for having me, Matt. David's out today and I'll try to rival his dad joke abilities, but not sure I'll be able to compete.

Matt Radolec: I think between the dad jokes and the puns those are some gigantic shoes to fill. But with that said, [00:01:00] let's get into it. 

Again, everyone, my name's Matt Radolec, Senior Director of Incident Response and Cloud Operations at Varonis and host of State of Cybercrime. Our co-host is on vacation, but we got Rob, who's a great stand-in.

We're gonna go through a few of our usual segments today, talking about, I think, the story that's got a lot of people buzzing regarding some leaks that look like they came from the Department of Defense.

We'll cover if there's any good news, as it seems to always be these days. We'll talk about some Vulnerable Vulnerabilities. Talk about some threat actors and their happenings when we cover the Danger Zone. 

For those of you that are coming for the first time today, we do always like to start the show with some good news. As oftentimes in cyber, everything is doom and gloom, the outlook is grim, and we always like to show that the good guys are getting ahead, and I think maybe even a little more than that today, if we're gonna give you a hint.

So first and foremost, the Genesis Market got shut down by the police. This was a joint effort between the US Department of Justice, Interpol. If I remember correctly, I think [00:02:00] this was called Operation Cookie Monster. And as a result of that, the ability for someone to go and actually rent different hacking tools or hire hackers for hire has been taken away.

So not just going after the source and actually arresting a hacker, but actually going after the toolkits that those hackers used is one of the more prolific impacts of Operation Cookie Monster. Anything you wanted to add there, Rob? 

Rob Sobers: Yeah, Matt, this was a cool one. Genesis Market is a little bit unique in terms of the type of marketplace it is.

Usually you think of these dark web marketplaces as you download big archives of PII or passwords, whatever it is that's leaked and you trade them and it's all about leaked data and grabbing a dataset. Here, you could actually buy a user's session effectively. So think about the sites that allow you to rent RDP access into an organization. This is basically renting Matt Radolec's session and you're logged into his Gmail and his Amazon account, and then you can commit a bunch of fraud. [00:03:00] So the technology was actually really unique and cool, if I'm being honest. Not only was it your cookies that it had, but all of the fingerprints. 

It actually impersonated all of the apps you had installed in Chrome. So it would build an exact replica of your session so that it wouldn't trigger an email alert to you saying, Hey Matt, you're logged in from a Samsung Galaxy S3. And you're like, wait, I don't have a Samsung Galaxy S3. You wouldn't get that alert because they're literally fingerprinting you. Not literally, digitally fingerprinting you and then replicating it. So that ability has been taken down.

They shut down the site. They're making some arrests. But the interesting thing is one of the people from this group is just like, Hey, they just seized our domain, so we'll be back in business, we'll buy some new domains. 

So it'll be interesting to see. I hope this stays good news, but in a lot of these seizures, they do just seize the domain. The actual infrastructure is still there. They just need to have a new domain. 

Matt Radolec: And I think we talked about this a lot, as we go back to like episodes of the show from last year, thinking about we had [00:04:00] REvil and then DarkSide and BlackMatter and all these ransomware groups that seemingly appeared the same, but there would be some effort by law enforcement to take it down. And then the next week, another ransomware group would come along and it would sure look the same and sound the same, even though they had a different mantra. And the TTPs were the same, but the attacker group was called something different.

Now that's not the only good news that we have to share, though. It seems like Spain's biggest hacker, and I think it's biggest hacker not in terms of physical size, but biggest hacker in terms of felt impact, has been arrested. Now Rob, anything you wanted to add on that?

Rob Sobers: Yeah, so his name's Jose Luis Huertas, and he's 19 years old and has been arrested in Spain. He's being held without bail until his trial. So he can't get out because they consider him an extreme flight risk, not only a flight risk, but also someone who would do damage, attempt to continue on his career of crime between now and his trial.

It'll be interesting to see how that turns out. Now he claims to have [00:05:00] the PII of 90% of Spain's citizenry. He's been known for doing things like extortion and bribery and impersonation, all sorts of different crimes, has a big bank of crypto apparently that police are attempting to seize.

I'm curious, Matt, this gentleman probably could have had an amazing career. He seems very smart. Why do you think he turned to crime at such an early age, right? Like obviously the money is an allure, but surely he could have made a lot of money being a cybersecurity pro. 

Matt Radolec: To have 90% of the data on people in Spain, maybe that was more advantageous, like it was a faster but more risky path to wealth or to success.

I also think that when we think of like the motivations behind different hackers, they're sometimes unclear. Obviously there's the financial motivations, there's also political motivations. One of the themes that we see with young people as well though, is just the ease. That it really does prove how easy it is for someone [00:06:00] with a little bit of tech savviness to watch some YouTube videos and carry out or rent a session, forget about actually learning how to do an intrusion, just visit the Genesis Market and rent a session and gain access to corporate information or someone's sensitive data.

I would probably hypothesize it's ease of use and maybe a little bit of the thrill. 

But right back at you though. When we were deciding today, which good news to share on the show, there was a lot of competition. Do you guys see more good news this year in 2023 than what we've seen in the past regarding arrests, joint efforts between multiple nations to take down cyber criminals?

Even going beyond the things that we cover on the show, is there a shift where we're starting to see the quote unquote good guys do more and win more often? Or is it just being magnified? 

Rob Sobers: I certainly feel that this year there's been so many bright spots. It is really hard to choose stories for this segment, right? Because there are so many good bright spots.

In the [00:07:00] chat, David said maybe lack of ethics and guidance in that regard, I do think it has to be worked into the curriculum from a young age about ethics in computer science, in obviously AI. There's a big moral and ethical component to that. So I think you hit the nail on the head. 

And clearly actually in this situation, you know, the picture we have on screen here, Jose's giving an interview about the crime he's committing. So maybe some of the motivation here was attention and notoriety. Some people thrive on that, especially in the days of social media. You may view being the world's most popular Twitch streamer and being the world's most popular cyber criminal as 

Matt Radolec: or Spain's biggest hacker as you put it. 

Rob Sobers: Exactly. That's how he's being described. And so maybe that had something to do with it, which is obviously something that at an early age, if we can teach people, is not something to aspire to.

Matt Radolec: I like the comment from Herin, which was that maybe one of the reasons law enforcement's being more successful is cuz there's more regulation on crypto transactions. So it's a little bit harder to get away [00:08:00] with cybercrime where crypto is the method of taking the money or funneling and laundering the money.

Rob Sobers: Great point.

Matt Radolec: So in our next segment we'll cover some of the vulnerabilities that should be top of mind. Hopefully this isn't the first time that you're hearing about these, but if it is, and I'm probably gonna tell you guys this again, you should probably patch them. Because if we're covering them here on the show, it usually means that active exploits were found in the wild, attacker groups are known to be using them, or even potentially are actively carrying out compromises because of those.

Now the first one, I think we all could get a little bit excited when we think about having to pay our taxes and the chances that there is a side loaded DLL into some e-file JavaScript that's going to exfiltrate some of the data that we might be inputting into a web form to file our taxes when we go to a government website. 

Rob Sobers: Absolutely. And sometimes we visit these government [00:09:00] websites. I'm not sure if it's the same outside of the US or if it's really the same state to state, but sometimes when you're using some of these web apps, you're thinking to yourself, was this designed in the late nineties?

And Matt, I'm wondering, do you think that has anything to do with the fact that every year it seems like during tax season we hear about some sort of government-run tax filing app getting compromised or being involved in some sort of phishing scheme? And in this case, yeah, some malicious JavaScript made its way under their web server and was being served to people who are trying to e-file.

Matt Radolec: I live in the DC area and there's always this saying here how government is 10 to 20 years behind private sector and public sector due to the regulation, due to process, due to just the way that big government works and getting things done. And while we see the opposite of that, when we look at the Department of Justice actively targeting, active cyber campaigns and disrupting cyber criminals, maybe some of that shift should go [00:10:00] towards building secure tax applications or having assessments done ahead of time of that type of software. 

We do typically find whether it's a state agency or a federal agency where the web app might have been developed like as you said, five years ago or 10 years ago.

And I think some of that's also around the motivation of where are those developers now? They're at some of the larger tech companies, the ones that we read about, the ones that we use every day, and maybe not at reprogramming a legacy tax filing application. 

Good comment from the chat came in around the Shields Up campaign from CISA to really encouraging critical infrastructure or state government entities in doing these proactive security reviews to try and prevent these things from happening. Thanks for shouting that out, Zachary.

Rob Sobers: And I've never worked for a government agency, Matt, but I do have to wonder, do the developers at these agencies have access to best-in-class tools? Are they using [00:11:00] AWS and Kubernetes, and do they have a red team and security checks and CI/CD tools?

I wonder, are they fighting with one hand behind their back because they're constrained either by budget or bureaucracy?

Matt Radolec: It's been a decade for me since working on various different government projects and I think sometimes when I reflect on that, there's just a lot of process and the process has good intent, right? Like that app would go through a secure code review, but maybe it would only happen once before release as opposed to continuously, annually, and quarterly after the app gets stood up.

Just due to the fact that those that build the app are often not those that run the app. Unlike in a corporation where the employees stay the same and they bring the app to market, they run the app, they update the app over time. I'm almost thinking about you know how Varonis works. 

Rob Sobers: Yeah. Matt, are you saying that, are you saying that the IRS's code should be audited?

Matt Radolec: You know what? Yes, you can quote me on that, Rob. Someone should be auditing their code to determine if it has weakness. [00:12:00]

Now, that's not the only audits that are going on of code, and I think mobile code coming up here. We had two zero days for iPhones in the last week. And they're both in the browser. I wanna say this is in the WebKit of Safari, or really the underlying technology that Safari uses to interact with the operating system. Vulnerabilities were found there, and it seems like browsers are a target but also a place that we're constantly talking about where zero days are occurring.

Rob Sobers: Yeah. This is one that, just sort of as an end user, I don't really think about. I just take auto updates on my iOS devices, and I'm a Mac user, so same thing with my macOS. But maybe this needs to be more front and center. And different IT teams push and enforce updates and mandatory restarts at different intervals.

Is that just the answer to this, Matt, is that organizations just have automated patching for their OSes and browsers?

Matt Radolec: Or yeah, more aggressive. Do we kind of get back to that kind of bigger government question? Do we focus more on finding these before they're actively used in [00:13:00] exploits or used by state actors? Do we try to put just as much resources towards identifying zero days in commonly used devices and applications before a state actor uses it and then someone finds out about it in a post-incident report? Because for Apple, for these two zero days at least, these are under active exploit, so the sense of urgency is definitely there to patch, as there's not any other option.

Your users won't know that this arbitrary code is getting loaded from a webpage through Safari on their device unless you patch it. That's the only way that you'll be able to prevent it. You won't actually know that, there's no indicator, there's no alert that your phone is gonna throw if that got actively exploited.

Now, Apple's not the only ones with some zero days in some web browsers. There is one more. Another zero day was found in Internet Explorer. This one wasn't in Chrome, or in Edge. It was Internet Explorer, right, Rob? And this had to deal with the MSHTML engine, or specifically Microsoft's branch of the HTML that loads into Internet Explorer [00:14:00] page browsers.

Which would actually, through this vulnerability, allow someone to drop ransomware and execute ransomware on the disk of the server that was running Internet Explorer. So the downstream impact, or what we would call an arbitrary code execution or ACE type vulnerability, is the case here.

And again, what is the answer that we always talk about whenever we have a vulnerable vulnerability? Unless the patch isn't out yet, it's patch, right? It's apply patches to those systems. So if you're still running Internet Explorer, if you've got users carrying around iOS devices, make sure to push for updates.

If you're in a position where you don't have the authority to do that, then maybe share some articles with those that do on increasing the sense of urgency around getting your users to deploy these patches as the detective controls aren't there. These mobile devices and laptops are often out there on the internet not going through firewalls or proxies.

These aren't gonna be things that like, you don't run your EDR on your iPhone so you're not gonna be able to pick up on some type of active exploit attempt on your [00:15:00] iPhone. These are things that the patching really is the only way to mitigate the attack. I don't think you can tell your users not to use Safari or Internet Explorer.

Rob Sobers: One other quick note, as relates to the Microsoft one, it's an issue in ActiveX as well, which, for those of you who are probably familiar with this, allows you to load HTML content in Office docs. And so it's not just IE. It's also Word and other Office docs that

Matt Radolec: Yeah, if you have the ActiveX settings that allow the ActiveX content to load in the Office doc, then that would be another kind of vehicle for that exploit to get delivered to you.

Rob Sobers: Yeah, I'm waiting for the day when ActiveX and macros are not a story for security teams to care about. But until then we'll keep covering these types of exploits.

Matt Radolec: Yeah. And let's jump into our next segment: the Danger Zone. 

Now, this is where we usually talk about the most interesting security happenings. This is usually also where we get to cover the title of the show. And I think the defense leak has got everybody buzzing from [00:16:00] a lot of different angles. 

So when the story first broke, this was a, I don't know, I don't think we can call them a hacker, I'm not sure they actually leveraged a hacker toolkit, but we could call them a leaker.

This leaker named OG posted some classified intelligence material at first onto a Discord via transcription, meaning that they saw some material in some type of classified information processing facility and they either took some notes or remembered it and then shared it on the Discord. Later on that moved to actually showing entire documents.

Even since then we've seen, and there's a lot of buzz online about this, misinformation campaigns being launched from altered copies of those documents that were originally posted on the Discord. 

And then today, and this is for people that might be keeping up with all of the happenings, the story broke, not only by the Wall Street Journal, about where this person came from, that they were likely from the DOD, I think it was the Massachusetts National Guard, but it also seems law enforcement in [00:17:00] collaboration with the New York Times has actually identified the true identity of this hacker, OG, and that we expect an arrest to be happening I think in the next day or two.

Did I get that right, Rob? 

Rob Sobers: Yeah. Yeah. And people are posting in the chat. The leaker has been identified as Air National Guard member Jack Teixeira, and the contents of these documents over the past few days have been causing a massive tidal wave of concern amongst the US, our allies, Ukraine.

This isn't just any PII leak.

Matt Radolec: If I'm going to recall it correctly, we have information regarding troop movements in Ukraine, the support that gets delivered potentially from the US to Ukraine, whether from like a kinetic weapon support or even intelligence support related to ongoing offensive and even the fact that we know about, we the United States, know about planned offenses from Russian actors, as well as just the simplicity of misinformation that can then be done from altered copies [00:18:00] of information about casualties. 

I think we've also heard a lot of people talk about like, how could this have happened, right? When we think of the facilities where this information has been processed, and I'm not sure if there's anybody out there that knows what a SCIF is when we say that, but you've got armed guards at the doors, you've got that you have to check your phone, and these are classified facilities, housing classified information.

They're perceived as some of the most locked down places that data can exist. Yet an insider threat still seems to be the thing that everybody has to face. 

One thing that was unclear to me, and Rob I know we were talking just before the show started to air today, which is what is the perceived motivation behind this person for leaking this information?

I even saw someone in the chat talk about maybe that there's some whistle blowing that's going on? 

Rob Sobers: Yeah, I think this remains to be seen, but this is the trouble with insider threats, is that there's so many different motivators. We think about Snowden, or Chelsea Manning, [00:19:00] Reality Winner, right?

Even within just naming ones from the US government, there's been countless other insider threats, obviously in the commercial space, but there's financial motivation, there's political motivation, there's I wanted to do it for fun. Like we just talked about with the Spanish hacker, there's notoriety, there's so many different motivations.

It will be interesting to see what happened here and what was going on inside this person's mind to leak something that's so critical and has so many implications on so many human beings. 

Matt Radolec: Chris makes the point maybe it's just embarrass the administration. Right, it's politically motivated. 

Rob Sobers: Who knows?

Matt Radolec: Curious to see if anybody has a unique angle on what they think or what a potential motivation might be behind someone leaking National Security data, Department of Defense, troop information and intelligence information.

I've seen a couple of things come across already. A few people asking like, this person had a clearance? Yeah, it is clear that they had access to cleared information. I think everyone in the National Guard has at least some level of clearance, maybe [00:20:00] even just public trust. But it's likely if you're an operator in the intel field, you have something even more than that, like a secret or a top secret, or even what they call a TS/SCI, meaning that you get access to sensitive compartmented information.

Now, that wasn't the only Dangerous happening. I think one of the other things we wanted to point out is we'll often cover on the show the first time that an incident happens. And we do often have a follow up around it when there's something as well. But the Dish outage, and the long stem business impact from the ransomware attack on Dish, is one we wanted to share back with you to just highlight the importance of planning for these things ahead of time, even doing stuff like simulations, because Dish Network is still dealing with fallout as it relates to their ransomware incident that I wanna say was what, almost six months ago, Rob? I might have to check the dates here. 

Rob Sobers: Yeah, something like that. And we talk about preventing data breaches all the time at Varonis, right? It's [00:21:00] kind of our mission, right? Stopping data breaches. That is really the end goal.

And when we see something like this, where it just haunts you, and even though it was so long ago, it's just the lawsuits and the penalties and the recovery and the rebuilding of the trust. It's just something that, if you can prevent it, you really have to put as much effort as you can into doing just so, because, as we're seeing with Dish, it just keeps on culminating.

Matt Radolec: Another thing we always talk about is the blast radius, right? Could you have limited the damage potential of a ransomware incident by having better defenses or a more secure or least privileged by design architecture, so that your resilience was such that you wouldn't have as long stemming impacts.

I saw a good quote from IBM's incident response report, which was that if you had a pre-response plan for ransomware and they carried out, this was on a post in Dark Reading, and they carried out an investigation on your behalf, the damages were about, it was either 18 or 20% less than companies that did [00:22:00] not have a pre-response plan. So meaning that you just had something written down on what you would do in the case of a ransomware incident.

Now, I'll be curious from our audience, we got a couple hundred people on here today, how many of you guys have a response plan for any type of incident? And then maybe I'll also say, and what about for a ransomware incident? 

Rob Sobers: Yeah, and while people are typing that into the chat, looks like two yeses so far. From where I sit as a CMO, my team handles crisis communication, and you can't know what your crisis is gonna be, whether it's a breach or something else that causes you to have to respond publicly and have a message together. The most critical thing you could do is know who to assemble. Like you don't always know what you'll say, because that's largely gonna be based on what happened. So you can't pre-write scripts for every possible public response, but you have to know who to summon to the table, you know, the CISO in the case of a security issue, your chief counsel or whomever's on your legal side, your external contractors. Who would you have to call to the table to [00:23:00] figure out what to do next? And that is super important as it relates to cyber.

And in fact we developed a little video course a couple years ago with an external expert who is really good at creating IR plans. This is on your side, Matt, your side of the house. While the course is a couple years old, the principles are still the same about how you'd build an incident response plan. And it'd be great if you go to your leadership team and say, Hey look, I know we don't have this, here's a skeleton we can use if we're interested in doing this.

Matt Radolec: I think the other thing I'd like to undertone is when you think about testing a plan like this, everyone's so quick in cyber to think, oh, we have to simulate a ransomware attack, and that's absolutely important. You should have some type of regular live attack simulation where you are either putting your systems into a lab and training your team on how to respond, or you're safely deploying some type of ransomware, simulating some type of ransomware on your own network. What's your response gonna look like?

But you should also separate out, and either at the same time or separately, do a simulation with your executive team, with people like your CMO, with [00:24:00] your legal counsel on like, all right, this ransomware attack has occurred. What do we do next? Do we need to make a press release? Do we need to notify our insurance provider? Do we have compliance regulations that require us to notify regulatory authorities? When do we tell our customers? What do we tell our customers? 

Having gone through and helping so many of our customers and prospective customers through these intensive moments, the customers that had done something before and the organizations that we work with that had a plan in place, their teams were way better prepared in navigating that and there was less tension in the air. 

For anyone that's ever worked an incident live, you know what I mean when I say the tension in the air, where everyone feels like the lifeblood of an organization is on the line.

I mean, it's just like anything else, like a sport. If you practice it before you actually go to the game and you play, you're probably going to do better, and cyber doesn't escape that common saying.

Rob Sobers: Absolutely, probably more important in cyber than in most disciplines.

Matt Radolec: One [00:25:00] vulnerability turned into supply chain attack was in the 3CX phone system. Now what's interesting about this is this is a strategic compromise. 

So when you look at an attacker, and in this case I do believe North Korea might be being attributed to it, and using some shell code from the Lazarus group, where we targeted a company that provides IP telephony and phone systems to organizations. You're likely not targeting them because you need their IP. IP telephony is largely a commodity in 2023. You're probably targeting them because of how many organizations use that.

So it's similar to a SolarWinds breach when you think about the potential impact. You get in through the provider, through the person that makes this, you obviously put a software package on the system, you execute a malicious DLL, that DLL talks to another one, from one of the payload URLs so that you have some obfuscation in place to avoid detection of that known Lazarus shell that gets dropped in the environment. [00:26:00] Now you've got all that malicious code, you execute the final payload. You've got a presence on a network that you didn't have before through this backend via the 3CX appliance. 

And I think for me, when we talk about predictions or whenever we're asked, what are we going to see more of? This is the kind of thing you're gonna see more of is state actors going after the suppliers, the manufacturers, to have that what I would call almost like a network effect of a breach where hacking one organization and getting side loaded into one organization and their infrastructure allows you to diverge and hack into a lot of others.

We saw this with the Kaseya Managed Security Service Provider attack. We saw this with SolarWinds. We saw this with things like ProxyLogon and ZeroLogon going after Microsoft technologies, for instance.

Rob Sobers: Absolutely. Yeah. The suppliers or anything that has its tentacles into a large number of organizations is a prime target.

Matt Radolec: And I think just to shout out one defense that's already in place for this, [00:27:00] Chrome actually blocks the MSI from being downloaded as a malicious file.

Rob Sobers: Yeah, I saw that. Good on Google.

Matt Radolec: And we're going a little bit off topic here, but it seems like a few people in the chat and I'll ask our hosts to help us validate this, are saying that an arrest has actually been made and the defense papers leak live while we're here hosting the show.

So I'll ask our moderators to take a look at that and validate that and maybe we can we can confirm that here by the end. 

But Rob, you had also wanted to talk about, and I had trouble pronouncing it, roar, I'm not even gonna try, this ransomware group.

Rob Sobers: Rorschach, it seems.

Matt Radolec: Rorschach, yeah. 

Rob Sobers: Yeah, it's said to have been deployed by abusing Palo Alto Networks' Cortex XDR Dump Service Tool. It's cy.exe, to side-load a library. That's another DLL side-loading type of attack. And I'm not sure if it's been attributed yet. I think there were some discrepancies as to who was behind this, but yeah, this seems like a nasty one, again used to deploy [00:28:00] ransomware.

Matt Radolec: It did have a loader in it that was similar to the one that DarkSide used, where they wanna see if it's a Commonwealth of Independent States country where the IP of the machine that they get the host on is. And if it is, then they don't unleash the attack, which when we investigated that related to DarkSide, we thought that likely meant that the actors were in one of those states.

I think one of the other really interesting things here was how much this ransomware, Rorschach, thank you Rob. I'll have to work on that. Say that five times fast.

Was looked like Babuk and LockBit 2.0. 

Rob Sobers: Yeah, and if you're interested what that means, we have a good post on LockBit on our blog. You just search for LockBit Varonis, also HardBit. I don't believe we've ever written and done a full analysis in reverse engineering of Babuk, but yeah, so many of these strains are just borrowing from each other, so they're very similar, and usually they just tweak it so that the same TTPs and IOCs can't [00:29:00] be used. So very similar.

Matt Radolec: Yeah. The mantra here is if you get caught, just change it up a little bit. And re-release or rebrand yourself. 

And David always says it's like playing whack-a-mole, right? With hackers, it's when you actually get to arrest the individuals that are behind it, it seems where we really do have a lull from that particular hacker group, like we saw with, I wanna say it was REvil. And then, what was the 16 year old, have so many different hacker groups to keep up with, the 16 year olds that were from Brazil and the UK, Lapsus$, the Lapsus$ hacking group, where they actually found some of the members of that group and took them down. That seems to actually make these groups go under the radar for a little while.

Now, there's another leak. This one's called the Vulcan Files. This sort of the same thing that's going on in the DOD right now, but it looks like it's happening from a Russian IT firm that might be working in conjunction with the Russian military. Rob, did you have any more about this one that you could share?

Rob Sobers: Yeah, I haven't really been super briefed on this one, but it is a parallel, right? We're [00:30:00] dealing with the DOD losing some intelligence as it relates to the war in Ukraine, and now the Russian side's losing some very sensitive information that pertains to the war in Ukraine. 

Matt Radolec: And specifically disinformation campaigns is what I recalled about this, where this IT company was helping carry out some various different projects, I think they had some code names. One was called like Skan and one was Amezit, and it was all around disinformation related to putting out some things, or what we call PSYOPs, it's psychological warfare. If you can get someone to believe something, they can act a certain way based on that information, or you could also call it maybe being called counterintelligence if it's specifically intel made to change the decisions made by tactical commanders on the other side. 

And the Vulcan leak reveals some of how that was being carried out by Russia. And I think if we look back in time, one of Vulcan's clients was Sandworm, which was behind the attack on the 2018 [00:31:00] Winter Olympics opening ceremony.

So definitely some ties to state entities. 

Rob Sobers: Definitely. Yeah. So it reveals, like you said, Matt, this disinformation campaign that Russia was carrying out, but also leaked documents show potential targets in the United States and Europe. So real world critical infrastructure targets, and so I'm sure the Russian military is not super happy about those targets being leaked as well. 

So again it's an eerie parallel to what we're dealing with with the DOD. 

Matt Radolec: Now we're gonna comb through and look through the chat. I know a lot of good questions have come in so far. One right off the top that I know we want to get to drawing some parallels to the current leak and the Snowden leak that we'll want to comment on.

But one thing, if it's not abundantly clear, everyone, and this is really one of the reasons why we host this show, every single one of these incidents and breaches and vulnerabilities, ultimately, the target was some bit of information, whether the source was from the inside, like an insider [00:32:00] threat that didn't use an exploit, or it was a supply chain vulnerability in an IP telephony system that led to malware being dropped on thousands of organizations' computers, or it's a drive-by download due to a vulnerability in Internet Explorer, to deploy ransomware, the means change, but the end was the same. They went after the data. And so when we talk about stuff like patching and applying least privilege, you might hear that theme a lot, but it really all comes back to the same, is that's the common target of every actor that we talked about on the show today.

And I do wanna cover that question. Yeah, go ahead Rob. 

Rob Sobers: Just think about it, Matt. You won't turn on the news today or see on the front page of the Wall Street Journal tomorrow anything about the Apple zero days or Babuk ransomware or anything like that, because it's the technical stuff, right?

It's our world, but when the data gets compromised and it's data of any kind of like material importance, it's front page news for everyone, right? Because we understand that the information is what is [00:33:00] valuable. Whether it's Australia and dealing with all of their citizen data being leaked last year, or like we're dealing with now with military intelligence getting leaked.

It's actually the information itself, which just happens to be digital and stored in information systems that, we need to now protect. That's what the essence of cybersecurity is. It's data security. 

Matt Radolec: Absolutely. Rob, the question came in from Abdullah, which is this leak bigger than the Snowden leak?

Now, let's start using the analogy we did with the Spanish hacker. It is not as many files as the Snowden leak.

So if we're measuring bigger based on n number of files, no, it is not as big as the Snowden leak. Is it bigger than the Snowden leak in the implications? I'm not sure.

Personally, what the Snowden leak for me showed was this warrantless surveillance of US citizens under the guise of the Patriot Act.

And so it did have a [00:34:00] profound impact on the perception, at least me, as a US citizen did, of how much the government could and was listening to. I'm not sure for me personally yet that this is bigger.

But I think we don't know enough to say. Maybe if you come back to another episode and ask us again, we might know a little bit more about just how bad this data getting out is and how that might paint, as one of our audience members put, you know, the current administration.

We also got a question, what are you hearing about, and thanks Mark for this one, what are you hearing about Typhon Reborn V2? 

I'm gonna say that I don't know on that one yet, but I am gonna definitely throw that at our security research team if they're not already here and watching the show with us today.

We will redirect that towards them and potentially cover that on an upcoming episode as well.

Same thing Chris, around the Pegasus issue. Maybe between the Typhon Reborn V2 and the Pegasus issue we will even have enough to do another show here in the coming weeks. [00:35:00]

And with that, everyone, I do always like to close the show, this show is made possible because of you, our viewers.

So thank you, and thank you Rob for jumping on in David's absence. We miss you, David. If you're out there on the beach and you're watching, we miss you a lot. We wish you were here today, but thanks Rob for filling in. 

Rob Sobers: Of course. Yeah. Thanks for having me. I always watch and it's fun to be on. Thank you everybody for giving us some time today.