Full Report
Cameron Wagenius faces a maximum of 27 years in prison. A researcher who helped with the investigation called this "one of the most significant wins in the fight against cybercrime." Source: CyberScoop, "Former Army soldier pleads guilty to widespread attack spree linked to AT&T, Snowflake and others."
Analysis Summary
# Incident Report: Former Soldier Pleads Guilty in Multi-Victim Extortion and Hacking Scheme
## Executive Summary
A former U.S. Army soldier, Cameron John Wagenius (online alias "kiberphant0m"), pleaded guilty to conspiring to commit wire fraud, extortion in relation to computer fraud, and aggravated identity theft for a multi-year campaign against telecommunications companies and other organizations, including AT&T. The activity consisted of using stolen login credentials to access victim networks and cloud data stores, stealing large volumes of customer data (some of it tied to the broader attack spree against Snowflake customers), selling that data, and attempting extortion. He was arrested in December. The prosecution is described as a significant win against cybercrime; Wagenius faces a maximum sentence of 27 years.
## Incident Details
- **Discovery Date:** Not stated. The scheme ran for years and was uncovered through an ongoing investigation by federal law enforcement and security researchers assisting the victims.
- **Incident Date:** Activity spanned several years; the extortion attempts cited in the source occurred in November, shortly before the December arrest.
- **Affected Organization:** At least 10 organizations; AT&T is the confirmed named victim.
- **Sector:** Telecommunications; cloud data platforms (victims' Snowflake environments were among the targets).
- **Geography:** United States. Wagenius operated while stationed on an Army base in Texas and later sought to defect to Russia or another country.
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing over several years leading up to the arrest. Specifics vary per victim.
- **Vector:** Obtaining login credentials for victim organization networks.
- **Details:** Defrauding at least 10 victim organizations by obtaining network access credentials. Some data originates from the broader attack spree targeting Snowflake customers.
### Lateral Movement
- **Details:** Not explicitly detailed, but access to victim networks was achieved, enabling the theft of data, including call records of high-ranking officials.
### Data Exfiltration/Impact
- **Details:** Stolen data included six months of phone and text records of "nearly all" of AT&T's customers (accessed via their Snowflake environment). Stolen data was sold to perpetuate other frauds (e.g., SIM-swapping) and used in extortion attempts. Thousands of stolen ID documents and large amounts of cryptocurrency were seized from devices.
### Detection & Response
- **How it was discovered:** Ongoing work by cybersecurity workers aiding victims and federal law enforcement investigations. Arrest occurred in December.
- **Response actions taken:** Federal arrest in December. Wagenius pleaded guilty to multiple felony charges without a plea bargain. Co-conspirators (Moucka, Binns) were indicted previously. Government is reportedly still pursuing additional charges.
## Attack Methodology
- **Initial Access:** Stolen login credentials for victim organizations' networks and cloud data platforms. The source does not say how the credentials were obtained.
- **Persistence:** Not explicitly detailed, but activities spanned years while Wagenius was on active duty.
- **Privilege Escalation:** Not explicitly detailed.
- **Defense Evasion:** Operated under online aliases while on active duty and living on base in Texas; once exposed, he sought to defect to Russia or another country to avoid arrest.
- **Credential Access:** Stolen credentials were the entry point (see Initial Access); the theft method is not described.
- **Discovery:** Not explicitly detailed.
- **Lateral Movement:** Not detailed. The access described is to victim networks and to the cloud data stores (Snowflake) holding their customer records.
- **Collection:** Stole call records of high-ranking officials and extensive customer data (text/call records) from telecommunications firms.
- **Exfiltration:** Customer records and call data were copied out of victim environments; the transfer mechanism is not described. The stolen data was then sold, used for SIM-swapping fraud, and leveraged for extortion.
- **Impact:** Extortion demands (e.g., $500,000 threat against a major telco) and large-scale data theft impacting numerous customers.
## Impact Assessment
- **Financial:** Extortion demands reached at least $1 million from victim data owners. Successful sale of some stolen data occurred.
- **Data Breach:** Six months of nearly all customer phone and text records for one major carrier (AT&T). Thousands of stolen identification documents.
- **Operational:** No service disruption is reported. The harm described is loss of confidentiality of customer data, plus the cost to victims of investigating and remediating compromised cloud (Snowflake) access.
- **Reputational:** Significant negative impact on the compromised telecommunications providers, AT&T in particular.
## Indicators of Compromise
- **Network indicators:** None provided; the source is a prosecution report, not a technical advisory.
- **File indicators:** None provided.
- **Behavioral indicators:** Attempting to sell stolen information to foreign intelligence services to avoid arrest; using online aliases ("kiberphant0m," "cyb3rph4nt0m"); leveraging data for SIM-swapping fraud.
## Response Actions
- **Containment measures:** Not specified in the source.
- **Eradication steps:** Not specified for the victims' environments. The source covers the law-enforcement outcome: arrest and guilty plea of the primary actor, with co-conspirators indicted earlier.
- **Recovery actions:** Not specified. Standard practice for a credential-based cloud compromise of this kind would be organization-wide credential resets, review of cloud platform (Snowflake) access configuration, and customer notification.
## Lessons Learned
- A criminal actor can hold a trusted position elsewhere (here, an active-duty soldier living on base) while running a multi-year campaign; employment or security clearance is not evidence of trustworthiness.
- Online aliases and operational secrecy did not prevent attribution and arrest; the case shows that multi-year prison exposure is a realistic outcome for actors in this space.
- The interconnected nature of cloud compromises (Snowflake attacks) leads to widespread collateral damage.
## Recommendations
- Require multi-factor authentication and least-privilege access on every account that can reach customer data, including service accounts and cloud data platforms such as Snowflake; in this campaign, stolen credentials alone were sufficient for access.
- Log and alert on anomalous access to highly sensitive data sets such as historical call records: logins without a second factor, logins from IPs or client types a user has never used, and bulk reads or exports by a single identity.
- Engage law enforcement early when an extortion demand arrives and preserve evidence; the guilty plea here resulted from victims' security teams and federal investigators working together.
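The following is an added example, not code from the original article or from any of the victims, illustrating the detection logic the Attack Methodology and Recommendations sections call for: flag successful logins that lack a second factor or come from an IP/client pair the user has never used, and then flag bulk reads of sensitive tables by those same users. The record layouts are assumptions loosely modelled on the login-history and query-history views a cloud data platform such as Snowflake exposes; the table names, threshold and sample records are constructed for the example.

```python
"""Credential-abuse triage over login and query records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

# Assumed record layouts, not a real platform's schema.
@dataclass(frozen=True)
class Login:
    ts: datetime
    user: str
    client_ip: str
    client_type: str
    second_factor: Optional[str]  # None when only a password was presented
    success: bool

@dataclass(frozen=True)
class Query:
    ts: datetime
    user: str
    text: str
    rows_produced: int

# Hypothetical sensitive tables and bulk-read threshold; tune per environment.
SENSITIVE_TABLES = {"CALL_DETAIL_RECORDS", "CUSTOMER_PII"}
BULK_ROW_THRESHOLD = 100_000

Baseline = Dict[str, Set[Tuple[str, str]]]

def build_baseline(logins: List[Login], before: datetime) -> Baseline:
    """Per user, the (ip, client) pairs seen in successful logins before `before`."""
    base: Baseline = defaultdict(set)
    for l in logins:
        if l.success and l.ts < before:
            base[l.user].add((l.client_ip, l.client_type))
    return base

def flag_logins(logins: List[Login], baseline: Baseline, since: datetime):
    """Successful logins on/after `since` that are single-factor or from an unseen ip/client."""
    findings = []
    for l in logins:
        if not l.success or l.ts < since:
            continue
        reasons = []
        if l.second_factor is None:
            reasons.append("no MFA")
        if (l.client_ip, l.client_type) not in baseline.get(l.user, set()):
            reasons.append("unseen ip/client for this user")
        if reasons:
            findings.append((l, reasons))
    return findings

def flag_bulk_reads(queries: List[Query], suspect_users: Set[str]) -> List[Query]:
    """Queries by suspect users that name a sensitive table and return many rows.
    Substring matching on the query text is deliberately crude; a real rule would
    use the platform's access-history view rather than parsing SQL."""
    hits = []
    for q in queries:
        if q.user not in suspect_users:
            continue
        text = q.text.upper()
        if any(t in text for t in SENSITIVE_TABLES) and q.rows_produced >= BULK_ROW_THRESHOLD:
            hits.append(q)
    return hits

def triage(logins: List[Login], queries: List[Query], cutover: datetime):
    """Baseline on activity before `cutover`, then flag what follows it."""
    baseline = build_baseline(logins, cutover)
    login_findings = flag_logins(logins, baseline, cutover)
    suspects = {l.user for l, _ in login_findings}
    return login_findings, flag_bulk_reads(queries, suspects)

# Constructed sample records (not real data).
T = datetime
SAMPLE_LOGINS = [
    Login(T(2024, 3, 1, 9, 0), "analyst1", "10.0.0.5", "SNOWFLAKE_UI", "DUO_PUSH", True),
    Login(T(2024, 3, 2, 9, 5), "analyst1", "10.0.0.5", "SNOWFLAKE_UI", "DUO_PUSH", True),
    Login(T(2024, 3, 2, 9, 7), "analyst2", "10.0.0.6", "SNOWFLAKE_UI", "DUO_PUSH", True),
    # After cutover: known user, password only, unfamiliar IP, scripting client.
    Login(T(2024, 4, 10, 3, 14), "analyst1", "203.0.113.9", "PYTHON_DRIVER", None, True),
    Login(T(2024, 4, 10, 9, 1), "analyst2", "10.0.0.6", "SNOWFLAKE_UI", "DUO_PUSH", True),
    Login(T(2024, 4, 10, 3, 20), "svc_bad", "203.0.113.9", "PYTHON_DRIVER", None, False),
]
SAMPLE_QUERIES = [
    Query(T(2024, 4, 10, 3, 16), "analyst1", "select * from call_detail_records", 52_000_000),
    Query(T(2024, 4, 10, 9, 2), "analyst2", "select count(*) from call_detail_records", 1),
]
CUTOVER = T(2024, 4, 1)

if __name__ == "__main__":
    logins, reads = triage(SAMPLE_LOGINS, SAMPLE_QUERIES, CUTOVER)
    for l, why in logins:
        print(f"LOGIN {l.ts} {l.user} {l.client_ip} {l.client_type}: {', '.join(why)}")
    for q in reads:
        print(f"BULK  {q.ts} {q.user} rows={q.rows_produced}: {q.text}")
```

The two rules are chained on purpose: a single-factor login from a new IP is noisy on its own, and a large read of a sensitive table is routine for some analysts, but the combination within one identity is the pattern a stolen-credential data theft produces. In production the baseline window should be long enough to cover a user's normal client and network variety, and the bulk-read rule should key off the platform's access-history records rather than query text.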