US soldier linked to Trump call log hack arrested in Texas

Court documents unsealed Monday show that US authorities have arrested a 20-year-old soldier, Cameron John Wagenius, charged with two counts of selling or attempting to sell confidential phone records without the customer’s authorization.

But behind the scant details provided in the charge sheet submitted to the US District Court for the Western District of Washington at Seattle lies a much bigger story, according to cybersecurity journalist Brian Krebs.

The phone records Wagenius is charged with selling may include those of Vice President Kamala Harris and President-elect Donald Trump, part of a trove of AT&T and Verizon call records leaked in November by a hacker using the moniker ‘Kiberphant0m’.

According to Krebs, the authorities now believe Wagenius is Kiberphant0m, one of the main protagonists of the UNC5537 hacking group that carried out a series of attacks on Snowflake customers.

Another alleged member of that group, Connor Riley Moucka (aka ‘Judische’), was arrested in Canada in November. A third person accused of being involved in the Snowflake incident, US citizen John Erin Binns, was arrested by the Turkish authorities in May in connection with a separate 2021 attack on T-Mobile.

In the case against Wagenius, the military connection appears significant. Krebs reported in November that analysis by researchers of Kiberphant0m’s online accounts dating back to early 2022 uncovered hints that he might be a US soldier recently based in South Korea.

Researchers including Unit 221B’s Allison Nixon were able to join some of the dots traced by the hacker’s at times careless and boastful online activity across multiple personas and platforms. As documented by Nixon on Bluesky, this included hackers issuing threats to her and other researchers trying to connect online personas to real identities.

The evidence found during this research was revealing enough to suggest it was only a matter of time before the real identity of Kiberphant0m was uncovered.

Sharing responsibility for security

Before the Snowflake breach, the company’s name was just another in today’s enterprise supply chain that usually gets almost no attention. Then it turned out that numerous enterprises were using it to store large amounts of sensitive company data.

Some of these accounts were protected with nothing more than a password and username, in other words with no multi-factor authentication (MFA) enabled. That gave the hackers an idea: why not scour darknet forums for the passwords and usernames to break into these accounts?

This hunch led to an estimated 160 Snowflake customers having the data they stored on the platform breached, including Ticketmaster, Advance Auto Parts, Neiman Marcus and Santander. The criminals demanded ransoms, receiving at least $2.5 million from unnamed victims, it was later alleged in court documents.

What was Snowflake’s responsibility in this? Arguably, none. It was up to customers to turn on MFA if they chose to while securing their password credentials. While true, this led to criticism that if there was a way for admins to enforce MFA on their Snowflake users, it wasn’t easy to implement or enabled by default.

It’s a good example of the gray areas that still afflict the shared responsibility model of cloud security: which security controls should be left to customers, and which are the platform’s job?

In September, Snowflake announced that from October all user accounts would have MFA enforced by default with minimum password length upped from eight to 14 characters.
