A 26-year-old man in Ontario, Canada has been arrested for allegedly stealing information from and extorting greater than 160 corporations that used the cloud information service Snowflake.
Image: https://www.pomerium.com/blog/the-real-lessons-from-the-snowflake-breach
On October 30, Canadian authorities arrested Alexander Moucka, a.ok.a. Connor Riley Moucka of Kitchener, Ontario, on a provisional arrest warrant from the United States. Bloomberg first reported Moucka’s alleged ties to the Snowflake hacks on Monday.
At the tip of 2023, malicious hackers discovered that many massive corporations had uploaded big volumes of delicate buyer information to Snowflake accounts that had been protected with little greater than a username and password (no multi-factor authentication required). After scouring darknet markets for stolen Snowflake account credentials, the hackers started raiding the information storage repositories utilized by a few of the world’s largest firms.
Among these was AT&T, which disclosed in July that cybercriminals had stolen private info and cellphone and textual content message information for roughly 110 million folks — almost all of its clients. Wired.com reported in July that AT&T paid a hacker $370,000 to delete stolen cellphone information.
A report on the extortion assaults from the incident response agency Mandiant notes that Snowflake sufferer corporations had been privately approached by the hackers, who demanded a ransom in alternate for a promise to not promote or leak the stolen information. All informed, greater than 160 Snowflake clients had been relieved of knowledge, together with TicketMaster, Lending Tree, Advance Auto Parts and Neiman Marcus.
Moucka is alleged to have used the hacker handles Judische and Waifu, amongst many others. These monikers correspond to a prolific cybercriminal whose exploits had been the topic of a current story printed right here in regards to the overlap between Western, English-speaking cybercriminals and extremist teams that harass and extort minors into harming themselves or others.
On May 2, 2024, Judische claimed on the fraud-focused Telegram channel Star Chat that that they had hacked Santander Bank, one of many first recognized Snowflake victims. Judische would repeat that declare in Star Chat on May 13 — the day earlier than Santander publicly disclosed an information breach — and would periodically blurt out the names of different Snowflake victims earlier than their information even went up on the market on the cybercrime boards.
404 Media experiences that at a court docket listening to in Ontario this morning, Moucka known as in from a jail cellphone and mentioned he was searching for authorized assist to rent an lawyer.
KrebsOnSecurity has discovered that Moucka is presently named in a number of indictments issued by U.S. prosecutors and federal regulation enforcement companies. However, it’s unclear which particular fees the indictments comprise, as all of these circumstances stay below seal.
TELECOM DOMINOES
Mandiant has attributed the Snowflake compromises to a gaggle it calls “UNC5537,” with members based mostly in North America and Turkey. Sources near the investigation inform KrebsOnSecurity the UNC5537 member in Turkey is John Erin Binns, an elusive American man indicted by the U.S. Department of Justice (DOJ) for a 2021 breach at T-Mobile that uncovered the private info of at the very least 76.6 million clients.
In a press release on Moucka’s arrest, Mandiant mentioned UNC5537 aka Alexander ‘Connor’ Moucka has confirmed to be one of the vital consequential risk actors of 2024.
“In April 2024, UNC5537 launched a campaign, systematically compromising misconfigured SaaS instances across over a hundred organizations,” wrote Austin Larsen, Mandiant’s senior risk analyst. “The operation, which left organizations reeling from significant data loss and extortion attempts, highlighted the alarming scale of harm an individual can cause using off-the-shelf tools.”
Sources concerned within the investigation mentioned UNC5537 has targeted on hacking into telecommunications corporations all over the world. Those sources informed KrebsOnSecurity that Binns and Judische are suspected of stealing information from India’s largest state-run telecommunications agency Bharat Sanchar Nigam Ltd (BNSL), and that the duo even bragged about with the ability to intercept or divert cellphone calls and textual content messages for a big portion of the inhabitants of India.
Judische seems to have outsourced the sale of databases from sufferer corporations who refuse to pay, delegating a few of that work to a cybercriminal who makes use of the nickname Kiberphant0m on a number of boards. In late May 2024, Kiberphant0m started promoting the sale of lots of of gigabytes of knowledge stolen from BSNL.
“Information is worth several million dollars but I’m selling for pretty cheap,” Kiberphant0m wrote of the BSNL information in a publish on the English-language cybercrime neighborhood Breach Forums. “Negotiate a deal in Telegram.”
Also in May 2024, Kiberphant0m took to the Russian-language hacking discussion board XSS to promote greater than 250 gigabytes of knowledge stolen from an unnamed cell telecom supplier in Asia, together with a database of all energetic clients and software program permitting the sending of textual content messages to all clients.
On September 3, 2024, Kiberphant0m posted a gross sales thread on XSS titled “Selling American Telecom Access (100B+ Revenue).” Kiberphant0m’s asking worth of $200,000 was apparently too excessive as a result of they reposted the gross sales thread on Breach Forums a month later, with a headline that extra clearly defined the information was stolen from Verizon‘s “push-to-talk” (PTT) clients — primarily U.S. authorities companies and first responders.
404Media reported just lately that the breach doesn’t seem to impression the principle client Verizon community. Rather, the hackers broke into a 3rd get together supplier and stole information on Verizon’s PTT methods, that are a separate product marketed in direction of public sector companies, enterprises, and small companies to speak internally.
INTERVIEW WITH JUDISCHE
Investigators say Moucka shared a house in Kitchener with different tenants, however not his household. His mom was born in Chechnya, and he speaks Russian along with French and English. Moucka’s father died of a drug overdose at age 26, when the defendant was roughly 5 years previous.
An individual claiming to be Judische started speaking with this creator greater than three months in the past on Signal after KrebsOnSecurity began asking round about hacker nicknames beforehand utilized by Judische through the years.
Judische admitted to stealing and ransoming information from Snowflake clients, however he mentioned he’s not all in favour of promoting the data, and that others have completed this with a few of the information units he stole.
“I’m not really someone that sells data unless it’s crypto [databases] or credit cards because they’re the only thing I can find buyers for that actually have money for the data,” Judische informed KrebsOnSecurity. “The rest is just ransom.”
Judische has despatched this reporter dozens of unsolicited and sometimes profane messages from a number of totally different Signal accounts, all of which claimed to be an nameless tipster sharing totally different figuring out particulars for Judische. This seems to have been an elaborate effort by Judische to “detrace” his actions on-line and muddy the waters about his identification.
Judische regularly claimed he had unparalleled “opsec” or operational safety, a time period that refers back to the means to compartmentalize and obfuscate one’s tracks on-line. In an effort to indicate he was one step forward of investigators, Judische shared info indicating somebody had given him a Mandiant researcher’s evaluation of who and the place they thought he was. Mandiant says these had been dialogue factors shared with choose reporters upfront of the researcher’s current speak on the LabsCon safety convention.
But in a dialog with KrebsOnSecurity on October 26, Judische acknowledged it was possible that the authorities had been closing in on him, and mentioned he would significantly reply sure questions on his private life.
“They’re coming after me for sure,” he mentioned.
In a number of earlier conversations, Judische referenced affected by an unspecified persona dysfunction, and when pressed mentioned he has a situation known as “schizotypal personality disorder” (STPD).
According to the Cleveland Clinic, schizotypal persona dysfunction is marked by a constant sample of intense discomfort with relationships and social interactions: “People with STPD have unusual thoughts, speech and behaviors, which usually hinder their ability to form and maintain relationships.”
Judische mentioned he was prescribed remedy for his psychological points, however that he doesn’t take his meds. Which would possibly clarify why he by no means leaves his residence.
“I never go outside,” Judische allowed. “I’ve never had a friend or true relationship not online nor in person. I see people as vehicles to achieve my ends no matter how friendly I may seem on the surface, which you can see by how fast I discard people who are loyal or [that] I’ve known a long time.”
Judische later admitted he doesn’t have an official STPD analysis from a doctor, however mentioned he is aware of that he displays all of the indicators of somebody with this situation.
“I can’t actually get diagnosed with that either,” Judische shared. “Most countries put you on lists and restrict you from certain things if you have it.”
Asked whether or not he has all the time lived at his present residence, Judische replied that he needed to depart his hometown for his personal security.
“I can’t live safely where I’m from without getting robbed or arrested,” he mentioned, with out providing extra particulars.
A supply aware of the investigation mentioned Moucka beforehand lived in Quebec, which he allegedly fled after being charged with harassing others on the social community Discord.
Judische claims to have made at the very least $4 million in his Snowflake extortions. Judische mentioned he and others regularly focused enterprise course of outsourcing (BPO) corporations, staffing corporations that deal with customer support for a variety of organizations. They additionally went after managed service suppliers (MSPs) that oversee IT help and safety for a number of corporations, he claimed.
“Snowflake isn’t even the biggest BPO/MSP multi-company dataset on our networks, but what’s been exfiltrated from them is well over 100TB,” Judische bragged. “Only ones that don’t pay get disclosed (unless they disclose it themselves). A lot of them don’t even do their SEC filing and just pay us to fuck off.”
INTEL SECRETS
The different half of UNC5537 — 24-year-old John Erin Binns — was arrested in Turkey in late May 2024, and presently resides in a Turkish jail. However, it’s unclear if Binns faces any speedy risk of extradition to the United States, the place he’s presently needed on prison hacking fees tied to the 2021 breach at T-Mobile.
An individual aware of the investigation mentioned Binns’s utility for Turkish citizenship was inexplicably permitted after his incarceration, resulting in hypothesis that Binns might have purchased his approach out of a sticky authorized scenario.
Under the Turkish structure, a Turkish citizen can’t be extradited to a overseas state. Turkey has been criticized for its “golden passport” program, which supplies citizenship and sanctuary for anybody prepared to pay a number of hundred thousand {dollars}.
This is a picture of a passport that Binns shared in considered one of many unsolicited emails to KrebsOnSecurity since 2021. Binns by no means defined why he despatched this in Feb. 2023.
Binns’s alleged hacker alter egos — “IRDev” and “IntelSecrets” — had been without delay feared and revered on a number of cybercrime-focused Telegram communities, as a result of he was recognized to own a robust weapon: An enormous botnet. From reviewing the Telegram channels Binns frequented, we are able to see that others in these communities — together with Judische — closely relied on Binns and his botnet for a wide range of cybercriminal functions.
The IntelSecrets nickname corresponds to a person who has claimed duty for modifying the supply code for the Mirai “Internet of Things” botnet to create a variant often known as “Satori,” and supplying it to others who used it for prison achieve and had been later caught and prosecuted.
Since 2020, Binns has filed a flood of lawsuits naming varied federal regulation enforcement officers and companies — together with the FBI, the CIA, and the U.S. Special Operations Command (PDF), demanding that the federal government flip over info collected about him and searching for restitution for his alleged kidnapping by the hands of the CIA.
Binns claims he was kidnapped in Turkey and subjected to varied types of psychological and bodily torture. According to Binns, the U.S. Central Intelligence Agency (CIA) falsely informed their counterparts in Turkey that he was a supporter or member of the Islamic State (ISIS), a declare he says led to his detention and torture by the Turkish authorities.
However, in a 2020 lawsuit he filed in opposition to the CIA, Binns himself acknowledged having visited a beforehand ISIS-controlled space of Syria previous to shifting to Turkey in 2017.
A phase of a lawsuit Binns filed in 2020 in opposition to the CIA, wherein he alleges U.S. put him on a terror watch checklist after he traveled to Syria in 2017.
Sources aware of the investigation informed KrebsOnSecurity that Binns was so paranoid about attainable surveillance on him by American and Turkish intelligence companies that his erratic conduct and on-line communications really introduced in regards to the very authorities snooping that he feared.
In a number of on-line chats in late 2023 on Discord, IRDev lamented being lured right into a regulation enforcement sting operation after attempting to purchase a rocket launcher on-line. An individual near the investigation confirmed that originally of 2023, IRDev started making earnest inquiries about easy methods to buy a Stinger, an American-made moveable weapon that operates as an infrared surface-to-air missile.
Sources informed KrebsOnSecurity Binns’ repeated efforts to buy the projectile earned him a number of visits from the Turkish authorities, who had been justifiably curious why he stored searching for to accumulate such a robust weapon.
WAIFU
A cautious examine of Judische’s postings on Telegram and Discord since 2019 reveals this consumer is extra extensively recognized below the nickname “Waifu,” a moniker that corresponds to one of many extra completed “SIM swappers” within the English-language cybercrime neighborhood through the years.
SIM swapping entails phishing, tricking or bribing cell phone firm staff for credentials wanted to redirect a goal’s cell phone quantity to a tool the attackers management — permitting thieves to intercept incoming textual content messages and cellphone calls.
Several SIM-swapping channels on Telegram preserve a regularly up to date leaderboard of the 100 richest SIM-swappers, in addition to the hacker handles related to particular cybercrime teams (Waifu is ranked #24). That checklist has lengthy included Waifu on a roster of hackers for a gaggle that known as itself “Beige.”
The time period “Beige Group” got here up in reporting on two tales printed right here in 2020. The first was in an August 2020 piece known as Voice Phishers Targeting Corporate VPNs, which warned that the COVID-19 epidemic had introduced a wave of focused voice phishing assaults that attempted to trick work-at-home staff into offering entry to their employers’ networks. Frequent targets of the Beige group included staff at quite a few high U.S. banks, ISPs, and cell phone suppliers.
The second time Beige Group was talked about by sources was in reporting on a breach on the area registrar GoDaddy. In November 2020, intruders considered related to the Beige Group tricked a GoDaddy worker into putting in malicious software program, and with that entry they had been in a position to redirect the net and e mail visitors for a number of cryptocurrency buying and selling platforms. Other frequent targets of the Beige group included staff at quite a few high U.S. banks, ISPs, and cell phone suppliers.
Judische’s varied Telegram identities have lengthy claimed involvement within the 2020 GoDaddy breach, and he didn’t deny his alleged position when requested instantly. Judische mentioned he prefers voice phishing or “vishing” assaults that outcome within the goal putting in data-stealing malware, versus tricking the consumer into getting into their username, password and one-time code.
“Most of my ops involve malware [because] credential access burns too fast,” Judische defined.
CRACKDOWN ON HARM GROUPS?
The Telegram channels that the Judische/Waifu accounts frequented through the years present this consumer divided their time between posting in channels devoted to monetary cybercrime, and harassing and stalking others in hurt communities like Leak Society and Court.
Both of those Telegram communities are recognized for victimizing youngsters by coordinated on-line campaigns of extortion, doxing, swatting and harassment. People affiliated with hurt teams like Court and Leak Society will typically recruit new members by lurking on gaming platforms, social media websites and cell purposes which might be common with younger folks, together with Discord, Minecraft, Roblox, Steam, Telegram, and Twitch.
“This type of offence usually starts with a direct message through gaming platforms and can move to more private chatrooms on other virtual platforms, typically one with video enabled features, where the conversation quickly becomes sexualized or violent,” warns a current alert from the Royal Canadian Mounted Police (RCMP) in regards to the rise of sextortion teams on social media channels.
“One of the tactics being used by these actors is sextortion, however, they are not using it to extract money or for sexual gratification,” the RCMP continued. “Instead they use it to further manipulate and control victims to produce more harmful and violent content as part of their ideological objectives and radicalization pathway.”
Some of the biggest such recognized teams embody those who go by the names 764, CVLT, Kaskar, 7997, 8884, 2992, 6996, 555, Slit Town, 545, 404, NMK, 303, and H3ll.
On the assorted cybercrime-oriented channels Judische frequented, he typically lied about his or others’ involvement in varied breaches. But Judische additionally at occasions shared nuggets of reality about his previous, significantly when discussing the early historical past and membership of particular Telegram- and Discord-based cybercrime and hurt teams.
Judische claimed in a number of chats, together with on Leak Society and Court, that they had been an early member of the Atomwaffen Division (AWD), a white supremacy group whose members are suspected of getting dedicated a number of murders within the U.S. since 2017.
In 2019, KrebsOnSecurity uncovered how a loose-knit group of neo-Nazis, a few of whom had been affiliated with AWD, had doxed and/or swatted almost three dozen journalists at a spread of media publications. Swatting entails speaking a false police report of a bomb risk or hostage scenario and tricking authorities into sending a closely armed police response to a focused tackle.
Judsiche additionally informed a fellow denizen of Court that years in the past he was energetic in an older hurt neighborhood known as “RapeLash,” a very vile Discord server recognized for attracting Atomwaffen members. A 2018 retrospective on RapeLash posted to the now defunct neo-Nazi discussion board Fascist Forge explains that RapeLash was awash in gory, violent pictures and youngster pornography.
A Fascist Forge member named “Huddy” recalled that RapeLash was the third incarnation of an extremist neighborhood also called “FashWave,” brief for Fascist Wave.
“I have no real knowledge of what happened with the intermediary phase known as ‘FashWave 2.0,’ but FashWave 3.0 houses multiple known Satanists and other degenerates connected with AWD, one of which got arrested on possession of child pornography charges, last I heard,” Huddy shared.
In June 2024, a Mandiant worker informed Bloomberg that UNC5537 members have made dying threats in opposition to cybersecurity specialists investigating the hackers, and that in a single case the group used synthetic intelligence to create pretend nude pictures of a researcher to harass them.
Allison Nixon is chief analysis officer with the New York-based cybersecurity agency Unit 221B. Nixon is amongst a number of researchers who’ve confronted harassment and particular threats of bodily violence from Judische.
Nixon mentioned Judische is prone to argue in court docket that his self-described psychological dysfunction(s) ought to in some way excuse his lengthy profession in cybercrime and in harming others.
“They ran a misinformation campaign in a sloppy attempt to cover up the hacking campaign,” Nixon mentioned of Judische. “Coverups are an acknowledgment of guilt, which will undermine a mental illness defense in court. We expect that violent hackers from the [cybercrime community] will experience increasingly harsh sentences as the crackdown continues.”
5:34 p.m. ET: Updated story to incorporate a clarification from Mandiant.