Full Report
A U.S. Army soldier who pleaded guilty last week to leaking phone records for high-ranking U.S. government officials searched online for non-extradition countries and for an answer to the question "can hacking be treason?" prosecutors in the case said Wednesday. The government disclosed the details in a court motion to keep the defendant in custody until he is discharged from the military.
Analysis Summary
# Incident Report: Snowflake Data Extortion and Insider Leak by US Army Soldier
## Executive Summary
A US Army communications specialist, Cameron John Wagenius (aka Kiberphant0m), was arrested for unlawfully transferring confidential phone records, stemming from his participation in a criminal trio that leveraged stolen credentials to breach corporate Snowflake accounts. This group extorted numerous large companies, including AT&T, demanding ransoms to prevent the public release of sensitive customer data, which led to an internal investigation and an eventual guilty plea by Wagenius.
## Incident Details
- Discovery Date: Mid-to-late 2023 (when data theft from Snowflake instances began); public extortion attempts noted in November 2024.
- Incident Date: Activity spanned throughout 2023 and into late 2024.
- Affected Organization: Primarily involved the extortion of numerous organizations whose data was stored in vulnerable Snowflake instances, notably AT&T (extortion victim).
- Sector: Telecommunications, Retail, Financial Services (Multiple sectors impacted via data breach).
- Geography: Initial Access via online means; Wagenius stationed in South Korea; Arrest in Texas; Investigation spanning US, Turkey, and Canada (due to co-conspirators).
## Timeline of Events
### Initial Access
- Date/Time: End of 2023 (when hackers learned about vulnerable Snowflake accounts).
- Vector: Compromised credentials leading to unauthorized access to corporate data repositories hosted on Snowflake.
- Details: Hackers acquired stolen Snowflake credentials, often lacking MFA protection, via darknet markets.
### Lateral Movement
- Details: The primary activity involved accessing and copying large volumes of sensitive data from compromised Snowflake instances belonging to major corporations (e.g., AT&T, TicketMaster).
### Data Exfiltration/Impact
- Date/Time: Extortion threats made in November 2024.
- Details: Personal information, phone call records, and text message records belonging to roughly 110 million AT&T customers were stolen. Over 160 other Snowflake customers were also compromised. Wagenius was found with over 17,000 files including passports and driver's licenses.
### Detection & Response
- Date/Time: Arrest on December 20 (year implied as 2024); Guilty plea on February 19 (implied 2025).
- Details: Detection involved the hackers publicly threatening to release data on cybercrime forums starting in November 2024. AT&T reportedly paid an initial hacker $370,000 to delete stolen records. Wagenius was arrested by the US Army near Fort Cavazos, Texas. Prosecutors moved to keep him detained, citing flight risk based on his online searches for non-extradition countries.
## Attack Methodology
- Initial Access: Acquiring stolen username/password credentials for Snowflake accounts via darknet markets.
- Persistence: Not explicitly detailed for Wagenius's military account, but the overall structure implies maintaining access until data was exfiltrated and leveraged for extortion.
- Privilege Escalation: Not explicitly detailed, but access to highly sensitive corporate databases suggests elevated access within the third-party cloud storage environment (Snowflake).
- Defense Evasion: Utilizing stolen, valid credentials to bypass initial login security controls (lack of MFA on target Snowflake instances).
- Credential Access: Indirect, through purchasing stolen credentials on the dark web.
- Discovery: Searching for and identifying high-value targets with insecure Snowflake configurations.
- Lateral Movement: Moving between compromised Snowflake environments belonging to various large corporations.
- Collection: Exfiltrating massive volumes of PII and communication records (phone/text logs).
- Exfiltration: Uploading/transferring stolen data, which was later used for public threats and private extortion demands ($500,000 from Victim-1/AT&T).
- Impact: Financial extortion, significant PII data exposure across multiple industries.
## Impact Assessment
- Financial: AT&T reportedly paid a hacker $370,000. Wagenius faced potential fines up to $250,000 per count.
- Data Breach: Personal information and phone/text message records for approximately 110 million AT&T customers; PII (passports, licenses) belonging to thousands of other victims found on Wagenius's laptop.
- Operational: Inferred operational disruption due to data compromise and subsequent investigation for over 160 companies.
- Reputational: Significant reputational damage to AT&T and potentially other named victims due to massive data leaks tied to extortion.
## Indicators of Compromise
- Network indicators (Defanged): Communications with an email address believed to belong to Country-1’s military intelligence service (November 2024).
- File indicators: Over 17,000 files containing passports, driver’s licenses, and other identity cards; fake identification document found on an online account.
- Behavioral indicators: Searches related to defecting from the US military, inquiring about Russian citizenship and non-extradition countries, and searching "can hacking be treason." Public threatening posts on English-language cybercrime forums using the handle Kiberphant0m.
## Response Actions
- Containment: Arrest of Cameron Wagenius (Dec 20) and initial efforts by AT&T to mitigate extortion demands (paying $370k). Arrest of co-conspirators (Binns in Turkey, Moucka in Canada).
- Eradication: Wagenius pleaded guilty to unlawful transfer charges (Feb 19). Efforts to remove the threat posed by the trio through prosecution.
- Recovery Actions: Not fully detailed, but the legal proceedings marked the conclusion of the active threat posed by Wagenius.
## Lessons Learned
- Cloud Security Posture Management: The entire incident hinged on the lack of mandatory Multi-Factor Authentication (MFA) on corporate Snowflake accounts, exposing massive datasets.
- Insider Threat Vulnerability: Military personnel with high-level access (communications specialist) actively participated in criminal extortion schemes, highlighting vetting and monitoring failures.
- Flight Risk Management: Indicators of planning to defect (searching for non-extradition countries) emerged prior to arrest, emphasizing the need for proactive monitoring when insider threats are suspected.
## Recommendations
- Immediately mandate MFA enforcement across ALL cloud data storage platforms (e.g., Snowflake) utilized by the organization and its vendors.
- Enhance monitoring and behavioral analytics for personnel accessing sensitive data, looking for anomalous late-night activity, large data transfers, and off-hours system access, especially when linked to privileged accounts.
- Revamp discharge/separation procedures for personnel involved in security or communications roles who are under legal investigation to prevent unauthorized data transfer during processing.
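The MFA-enforcement and monitoring recommendations above, as an added Snowflake SQL example that is not part of this report or of any affected organization's configuration: it creates an account-level authentication policy requiring MFA enrollment, inventories users still without MFA, and pulls password-only logins and bulk exports from the account usage views for SOC review. The policy name, the `security.policies` database and schema, and the 10-million-row threshold are assumptions.

```sql
-- Added example (not from the report): enforce MFA on a Snowflake account
-- and surface password-only logins and bulk exports for review.
-- Assumed names: database SECURITY, schema POLICIES, policy REQUIRE_MFA.

USE ROLE ACCOUNTADMIN;
CREATE DATABASE IF NOT EXISTS security;
CREATE SCHEMA IF NOT EXISTS security.policies;

-- 1. Account-level authentication policy: password users must enrol in MFA.
--    Key-pair and SAML logins remain allowed for service and SSO accounts.
CREATE OR REPLACE AUTHENTICATION POLICY security.policies.require_mfa
  AUTHENTICATION_METHODS = ('PASSWORD', 'SAML', 'KEYPAIR')
  MFA_ENROLLMENT = REQUIRED
  COMMENT = 'Mandatory MFA enrollment for password logins';

ALTER ACCOUNT SET AUTHENTICATION POLICY security.policies.require_mfa;

-- 2. Inventory: active users who still have no MFA enrolled.
SELECT name, login_name, last_success_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND has_mfa = FALSE
ORDER BY last_success_login DESC NULLS LAST;

-- 3. Detection: successful password logins with no second factor in the
--    last 7 days, with source IP and client type, for the SOC to review.
SELECT event_timestamp, user_name, client_ip, reported_client_type
FROM snowflake.account_usage.login_history
WHERE is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
  AND event_timestamp >= DATEADD('day', -7, CURRENT_TIMESTAMP())
ORDER BY event_timestamp DESC;

-- 4. Detection: large result sets or UNLOAD (COPY INTO stage) statements
--    by a single user, the shape a bulk customer-record export takes.
--    The 10,000,000-row threshold is an assumed starting point; tune per account.
SELECT user_name, start_time, query_type, rows_produced, outbound_data_transfer_bytes
FROM snowflake.account_usage.query_history
WHERE start_time >= DATEADD('day', -7, CURRENT_TIMESTAMP())
  AND (rows_produced > 10000000 OR query_type = 'UNLOAD')
ORDER BY rows_produced DESC NULLS LAST;
```

The ACCOUNT_USAGE views lag live activity by up to a few hours, so queries 3 and 4 are suited to scheduled review rather than real-time alerting.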