Full Report
Cameron John Wagenius pleaded guilty to hacking AT&T and Verizon and stealing a massive trove of phone records from the companies, according to court records filed on Wednesday. Wagenius, who was a U.S. Army soldier, pleaded guilty to two counts of “unlawful transfer of confidential phone records information” on an online forum and via an […] © 2024 TechCrunch.
Analysis Summary
# Incident Report: US Army Soldier Pleads Guilty to AT&T and Verizon Data Theft
## Executive Summary
A US Army soldier, Cameron John Wagenius, pleaded guilty to illegally obtaining and transferring confidential phone records from the telecommunications giants AT&T and Verizon. The breaches are linked to the same computer intrusion and extortion activity that compromised Snowflake cloud customers in 2024, and they resulted in the theft of a massive trove of sensitive communications data. Following his admission of guilt to the unauthorized transfer of confidential phone records, Wagenius faces a substantial fine and potential prison time.
## Incident Details
- **Discovery Date:** Not explicitly stated, but legal proceedings confirming the guilty plea occurred around February 19, 2025. The underlying intrusion likely occurred earlier, potentially linked to 2024 activity.
- **Incident Date:** Activity occurred prior to the January 2025 indictment and February 2025 guilty plea.
- **Affected Organization:** AT&T and Verizon (Telecommunications Providers).
- **Sector:** Telecommunications / Data Services.
- **Geography:** United States (Implied due to federal charges and organizations involved).
## Timeline of Events
### Initial Access
- **Date/Time:** Not specified in detail, but related to intrusions occurring prior to the indictment.
- **Vector:** The article strongly implies that the AT&T and Verizon intrusions arose from the "same computer intrusion and extortion" campaign linked to the broader breaches affecting Snowflake customers in 2024. The specific technique is not stated; the scale of the theft suggests either a network compromise or access through a third-party/supply-chain service.
- **Details:** Wagenius pleaded guilty to two counts of "unlawful transfer of confidential phone records information."
### Lateral Movement
- Details not provided regarding internal network movement, but the outcome was access to vast amounts of phone records.
### Data Exfiltration/Impact
- Theft of a "massive trove of phone records" from both AT&T and Verizon.
### Detection & Response
- **How it was discovered:** Investigation by U.S. prosecutors leading to the arrest and indictment of Wagenius in the preceding year (2024).
- **Response actions taken:** Wagenius was arrested, indicted, and subsequently pleaded guilty to two federal counts.
## Attack Methodology
- **Initial Access:** Related to a significant computer intrusion affecting major entities, though the specific initial vector used by Wagenius to gain access to the carriers' systems is not detailed, only that his actions were linked to the broader 2024 breaches.
- **Persistence:** Not specified.
- **Privilege Escalation:** Not specified.
- **Defense Evasion:** Not specified.
- **Credential Access:** Not specified.
- **Discovery:** Not specified, beyond the ability to pinpoint and extract phone records.
- **Lateral Movement:** Not specified.
- **Collection:** Focused on acquiring and compiling large volumes of "confidential phone records information."
- **Exfiltration:** Transferring the stolen records "on an online forum and via an online communications platform."
- **Impact:** Unauthorized disclosure and potential sale of sensitive subscriber data.
## Impact Assessment
- **Financial:** Wagenius faces a maximum fine of $250,000. Specific corporate losses for AT&T/Verizon are not detailed.
- **Data Breach:** A "massive trove of phone records" from two major U.S. carriers.
- **Operational:** Not specified regarding carrier operations, but a significant blow to customer data security.
- **Reputational:** Reputational damage for AT&T and Verizon regarding the security of customer data.
## Indicators of Compromise
- **Network indicators (defanged):** Stolen records were transferred via "an online forum and via an online communications platform" (specific URLs and handles are not provided).
- **File indicators:** N/A (Focus on data access, not malware deployment).
- **Behavioral indicators:** Unlawful transfer of confidential phone records information.
## Response Actions
- **Containment measures:** Not detailed, but the investigation and subsequent prosecution served as the primary response mechanism leading to the halt of Wagenius's activities.
- **Eradication steps:** Related legal action leading to the guilty plea.
- **Recovery actions:** Not specified regarding system remediation by the carriers.
## Lessons Learned
- **Key takeaways:** An insider-style threat actor (a serving US Army soldier) was able to obtain and transfer bulk customer records from two supposedly independent major carriers. The connection to the larger 2024 cloud breaches indicates a shared attack chain, or subsequent exploitation of the same compromised data flows, rather than two isolated incidents.
- **What could have been done better:** Improved internal controls within the telecom providers to prevent the systematic unlawful transfer of bulk records.
## Recommendations
- Implement stronger access controls and robust monitoring for bulk data extraction of customer records, especially for personnel with privileged access who may also have external affiliations.
- Enhance vetting and ongoing monitoring of personnel, particularly those in sensitive military positions who may have motivation or capability to target infrastructure.
- Review security posture across vendors and interconnected services, given the link between this incident and the wider 2024 data breaches.