Welcome back to the Cyber Resilience Brief, a SafeReach podcast. Today we're continuing our exploration of Russian nation-state-backed threat actors in our second of six episodes taking a closer look at Russian state hacking. We've established that the connection to Russia is indirect, but that doesn't make the people breaking into our networks any less dangerous. Today, we're looking at the Western cybercrime ecosystem. And Adrian, as we've discussed before, our research often goes back and forth about this group called The Comm, which we've covered in episode, I want to say, thirty-three. Can we refresh the memory for our listeners? What's The Comm?

Okay. Thanks, Tova. And again, welcome to everybody listening to us in episode two. The Comm is both a fascinating and disturbing, but very blended, strange group. We have previously talked about them, as you mentioned, in an earlier podcast episode, but let's refresh within the context of how they are useful to Russian intelligence, the point of this six-part deep dive. They're described as a toxic online subculture known for glorifying criminal activity. The Comm is a community, hence the name, where members share info, skills, and overlapping memberships.

So in other words, it's a digital gang.

It is exactly that. And out of this Comm, you get a subset called HackerCom, which focuses on technical crimes: SIM swapping, IP theft, malware development. This is the breeding ground for the groups we know: Lapsus$, Scattered Spider, and ShinyHunters.

Interesting. So they are starting to merge capabilities. Is that right?

Absolutely. Since 2023, they've demonstrated such significant connections that we effectively see them under a banner called Scattered Lapsus Hunters.

That is not an easy name to say, but let's look at who they are.
The demographic profile here is shocking compared to what we know about traditional nation-state actors.

As you say, Tova, the name really trips off the tongue, and it really is shocking. Unlike the GRU or the FSB, these groups are composed predominantly of English-speaking teens and young adults. They're believed to reside primarily in the United States and the United Kingdom, although we should remind our listeners that just because one speaks English does not mean that one is in an English-speaking country. But yes.

Does the report mention any specific arrests?

It does, Tova. UK nationals such as Thalha Jubair and Owen Flowers. These folks aren't military officers in a bunker in Saint Petersburg. They're young people in their bedrooms in the suburbs.

So besides, presumably, money, what motivates young people in the suburbs to join a hacking group?

So we don't believe they're politically motivated, and they're not rabid Vladimir Putin fans or Russian adherents. We think it is, as you say, financial motivation overwhelmingly, possibly with a drive for notoriety and some sort of publicity. And we often use a phrase describing this blend of motivation in analysis: the Madman theory.

The Madman theory. Why that particular term? Why not disgruntled Gen Zs?

So the Madman theory, it's not only Scattered Lapsus Hunters that this is about. It's where an approach is driven by chaos and unpredictability. This contrasts sharply with the disciplined, professional goals of long-term state espionage. A spy wants to be invisible. These guys, Scattered Spider and Lapsus$, want to be famous.

But that seems contradictory. I mean, you'd think fame and fortune are usually two contradictory things. They don't always go hand in hand, and those who are aiming to get rich usually don't want to be famous, for various reasons. And from an offensive security perspective, does their madness or their rush for fame then make them less effective? Because then they're not focused on the money part.
So paradoxically, Tova, it actually makes them more dangerous in the short term. They have a disregard, stroke, complete lack of knowledge about operational security and tradecraft. They don't care if they burn the house down. And despite being loosely organized and occasionally involving juveniles, their success rate against Fortune 100 corporations is alarming.

It's interesting; if it's occasionally involving juveniles, that might also explain the loosely organized part, which comes with life experience. But anyway, if they are this successful against Fortune 100 corporations, how on earth are they getting in? Are they using these million-dollar zero-day exploits? How does a young person go about getting their hands on a million-dollar zero-day exploit?

So this is really not intuitive. No, they're not. It's not what you would think it may be. This is a critical lesson for our breach and attack simulation and continuous automated red teaming customers. The success of these groups is not rooted in advanced zero-days. It's rooted in highly organized and coordinated social engineering.

So what you're saying is it's the human element?

Explicitly. Scattered Spider specialises in bypassing stringent security controls by focusing on the weakest link, the human. They impersonate employees or contractors to deceive IT help desks.

Hold on. Quick pause. We have gone over this a few times. What are we going to add in this section that makes it new? That's my question.

So I would say it's not all new here. It's a refresher, as we said at the start. Okay. So over six episodes, we can't have brand new stuff in every episode. What we're covering is this story arc of how intelligence is working. So this particular episode is a little bit of an anomaly because we're looking just at Scattered Spider. But as we said at the start, it's in the context of Russian intelligence, which would...

Yeah, that's fair.
And I understand that not everything needs to be new. I just want to make sure that we're not being overly redundant.

And that is a risk, but I don't think it's going to be a massive issue. All right. I'll try to spice it up a bit. Okay. So the help desk, as we've discussed before, those help phone calls, they have big vulnerabilities, and they're a big reason not to pick up a phone call from anyone you don't know. They're a massive vulnerability, whether it's somebody with really good interpersonal skills being able to do this on the fly, improvisationally, or whether it's artificial-intelligence-driven. Everybody listening to this should be aware and should be very cautious. One, you shouldn't have any of your own voice on your voicemail. If you're still using voicemail, don't have your own voice on it. Use somebody else's voice. Why? And secondly, be very wary of unsolicited phone calls. I pretty much personally don't accept them anymore. If I don't know who you are, I don't need to answer the phone. If it's important, you'll get hold of me. Why do I do that? AI-driven voice recreation is now so efficient, it only needs fifteen seconds of your voice to recreate you saying anything. It's not like a couple of years ago, when they needed you to read out a series of standard phrases. Any of you who've used online dictation software over the last thirty years will be used to priming it when you plug it in; you have to spend an hour to two hours giving it key phrases. Today, with AI-driven recreation, fifteen seconds of your voice is all that is needed to then spoof you saying anything and everything. So Scattered Spider are notorious for mastering the techniques needed to deliver this deceptive social engineering against help desks and obtain things like Okta identity credentials and multifactor authentication codes, along with SIM swapping and VoIP spoofing.

Yeah. It gives more justification for those of us who don't pick up the phone even when it is someone we know.
And a reminder, if you're of a certain generation, there's no reason to use voicemail anymore. Use WhatsApp voice; it's probably less of a likely target for you. But anyway, for our listeners, I don't think we've talked about SIM swapping before in any real context. Can we explain it a little bit?

Absolutely, Tova. They trick a mobile carrier into transferring the victim's phone number to a SIM card the attacker controls. Now, when I say a mobile phone carrier, very often it's some poor innocent in a help desk call center who's told to help people, and they get bamboozled by the hacker into doing a SIM card swap onto another phone. Now, because it's a phone that's controlled by the attacker, when your multifactor or two-factor authentication kicks in, they're getting your codes. It's noisy, but it's extremely effective for an account takeover. And to put this into context, they're not sitting with a single phone that represents your mobile phone. There have been high-profile arrests around the world in the last two months. They will have dedicated cyber sweatshop centers with thousands of phones, and that's partly why it's noisy: they're working on game theory, throwing darts. If they attempt this against enough phones simultaneously, some of them will be successful.

Wow. So they essentially get the keys to the castle by both brute force and asking nicely at the help desk. What do they do after that?

Then they pivot. This is the operational specialization. Scattered Spider acts as the access broker, a very high-value service in hacking. They use that access to partner with the ransomware service groups, like BlackCat, who we know is a thin veil for Russian intelligence, to deploy ransomware like DragonForce.

So they commoditize, sorry. They commoditize the access.

Exactly. They commoditize the initial access. They sell the open door to the Russians.
The separation of duties, Western kids do the breach, Russian criminals do the encryption, is what creates the indirect nexus that we talked about in episode one.

Right, and it minimizes the risk for the Russians as well. They have a scapegoat, they have a fall guy, they have agents that are doing the dirty work for them.

Exactly, Tova. Intelligence agencies like the shadows; they like staying in the grey, they like not being recognised, and they like other people taking the risk. So that's exactly what's happening. It maximizes profitability for everyone. It maximizes operational reach for the intelligence services. And it's a progression from simple data leaks to full-blown ransomware service integration.

So if I'm a CISO or another security practitioner listening to this, and I'm only testing my firewalls, that means I'm failing.

You're failing completely. You need to be testing your processes. You need to use continuous automated red teaming to simulate these social engineering attacks. Can your help desk handle a spoofed VoIP call? Does your multifactor authentication hold up against SIM swapping? Which facilities have you outsourced to third parties? Are you testing the third parties providing services to you? You should be; you must. Why? Well, because the attackers are testing them all the time.

Right. Well, thank you, Adrian. I think we're going to get to the solutions in a later episode, but coming up next week, sorry, in our next episode in this series, we're going to look at the other side of this handshake. We've met the teens. Now let's meet the spies.

Aren't you, Tova? Thanks, Adrian. And to our listeners, until next time, stay safe, stay safe with SafeReach.