Full Report
Federal authorities have arrested and indicted a 20-year-old U.S. Army soldier on suspicion of being Kiberphant0m, a cybercriminal who has been selling and leaking sensitive customer call records stolen earlier this year from AT&T and Verizon. As first reported by KrebsOnSecurity last month, the accused is a communications specialist who was recently stationed in South Korea.
Analysis Summary
# Threat Actor: Kiberphant0m
## Attribution & Identity
The primary actor is identified as **Cameron John Wagenius**, a 20-year-old U.S. Army soldier who served as a communications specialist and was stationed in South Korea prior to his arrest.
**Known Aliases:** Kiberphant0m.
**Associated Groups/Individuals:** Associated with **Connor Riley Moucka** (a.k.a. “Judische”), a cybercriminal arrested for Snowflake data extortion.
## Activity Summary
Kiberphant0m was involved in selling and leaking sensitive customer call records stolen from major telecommunications firms. The actor claimed responsibility for hacking into at least 15 telecommunications firms, including **AT&T** and **Verizon**. Following the arrest of associate Judische, Kiberphant0m threatened to leak AT&T call logs belonging to **President-elect Donald J. Trump** and **Vice President Kamala Harris**. The actor also claimed to have stolen a "data schema" from the **U.S. National Security Agency (NSA)** via AT&T. In a separate incident in 2023, Kiberphant0m sold remote access credentials for a major U.S. defense contractor.
## Tactics, Techniques & Procedures
- Selling and leaking stolen data (e.g., call records).
- Operating a large botnet for **Distributed Denial-of-Service (DDoS)** attacks against websites, users, and networks.
- Offering "SIM-swapping" services, likely using credentials phished or stolen from mobile phone company employees to divert targets' communications.
- Exfiltration of internal system data (the claimed NSA data schema).
- Using hacker forums (**BreachForums**) for sales, threats, and communication.
- Using hacker forums (**BreachForums**) for sales, threats, and communication.
## Targeting
- **Sectors:** Telecommunications (Telecoms), U.S. Government/Agencies, Defense contracting.
- **Geography:** Primarily U.S.-based targets; the actor himself was a U.S. Army soldier stationed in South Korea.
- **Victims:** AT&T, Verizon (specifically their push-to-talk (PTT) customers, including U.S. government agencies and emergency first responders), a major U.S. defense contractor, and high-profile political figures (President-elect Trump and VP Harris).
## Tools & Infrastructure
- **Malware Families Used:** Not explicitly identified; the actor operated a large **botnet** for DDoS operations.
- **Infrastructure:** Used the hacker forum **BreachForums** and the messaging platform **Telegram** for operations and communication.
## Implications
The activities highlight a significant insider threat: an actor leveraging access or knowledge potentially gained through military service or association with trusted networks. The theft and attempted sale or leaking of high-profile government and PTT customer data demonstrate a risk to national security and critical infrastructure. Law enforcement identified and arrested this actor notably quickly, suggesting improving capabilities against domestic cybercriminals operating from foreign bases (in this case, a tour in South Korea).
## Mitigations
- Enhanced vetting and monitoring of military personnel with high-level network access, especially those in communications roles.
- Stronger access controls and segmentation around sensitive customer data held by telecom providers (AT&T, Verizon).
- Increased awareness of, and investigation into, the sale of SIM-swapping services that rely on stolen employee credentials.
- Continuous monitoring of hacker forums (such as BreachForums) and encrypted channels (such as Telegram) for threats targeting critical infrastructure components.