Four of the arrested individuals of the cybercriminal gang, known for hacking MGM and Caesars, are American, all of whom could face up to 27 years in prison for the charges against them.

Source: Gregg Vignal via Alamy Stock Photo

Today the Department of Justice (DoJ) unsealed criminal charges against five individuals who belong to the hacking group "Scattered Spider," which is the cybercriminal group known for recruiting young people and carrying out high-profile cyberattacks, including last year's offensives against MGM Resorts and Caesar's Palace in Las Vegas.

The defendants allegedly targeted employees of companies across the United States via phishing messages, using the harvested employee credentials to log in to systems and steal private company data, including intellectual property, and personal identifying information, such as account credentials, names, email addresses, and telephone numbers. The indictment also says the group gained unauthorized access to individuals' cryptocurrency accounts and wallets, and stole millions of dollars of virtual currency.

Four of the defendants are American, ranging from 20 to 25 years old; the eldest, Joel Martin Evans, aka "joeleoli," of Jacksonville, N.C., made his first appearance in court yesterday after being arrested the day before by the FBI. All four of them are charged with one count of conspiracy to commit wire fraud, one count of conspiracy, and one count of aggravated identity theft.

The fifth individual, Tyler Robert Buchanan, 22, is located in the United Kingdom and is facing charges of conspiracy to commit wire fraud, conspiracy, wire fraud, and aggravated identity theft.

"These individuals, and other actors that they have collaborated with, have caused so much pain and financial harm to organizations across North America through their disruptive intrusions," Charles Carmakal, Mandiant Consulting CTO at Google Cloud, wrote in an emailed statement to Dark Reading. "We hope this sends a message to the other actors they collaborate with that they aren't immune to consequences."

If convicted, each of the defendants would face a statutory maximum sentence of 20 years in federal prison for conspiracy to commit wire fraud, up to five years for conspiracy, and two years for aggravated identity theft. Buchanan would face an additional 20 years for the wire fraud count.

Scattered Spider Cybercrime Members Face Prison Time

The company gave details for the first time on its approach to combating organized criminal networks behind the devastating scams.

Years into the escalating, multibillion-dollar global crisis of pig butchering scams, social media giant Meta released information for the first time on Thursday about its approach to combating the forced-labor compounds that fuel scam activity on its platforms and across the web.

The company says that for more than two years it has been focused on collaborating with global law enforcement and other tech companies to address the underlying problem of organized crime syndicates driving scam activity in Southeast Asia and the United Arab Emirates.

Meta says that so far this year it has done takedowns of more than 2 million accounts connected to scam compounds in Myanmar, Laos, Cambodia, the Philippines, and the UAE. The company has also been collaborating with external experts, including tech companies, NGOs, and coalitions working to counter online scams. As pig butchering scams generate significant revenue for criminals, though, and spread around the world, Meta notes that it has focused on working with law enforcement to directly track criminal syndicates.

“This is a highly adversarial space where we expect well-resourced and persistent criminal organizations to constantly evolve their tactics (both online and offline) in response to detection and enforcement to try and reconstitute across the internet,” a Meta spokesperson wrote in a statement. The company declined to share how many accounts it had removed prior to this year.

Longtime pig butchering researchers say that Meta has been slow to publicly and directly acknowledge the problem and the role its many platforms play in connecting scammers with potential victims. They emphasize that Meta’s services are far from the only platforms that scammers use to reach victims. But platforms like Facebook and Instagram are recognizable and trusted around the world, so it is inevitable, the researchers say, that scammers will gravitate to them. And Meta has warned its users broadly about investment and romance scams.

“I'm glad that Meta is finally starting to talk about this work, but in the research community, we feel like we've been trying to get their attention for a long time and collaborate with them and they often aren't engaging with us,” says Ronnie Tokazowski, a longtime pig butchering researcher and cofounder of the nonprofit Intelligence for Good.

Since roughly 2020, when the earliest pig butchering scams started to emerge, more than 200,000 people have been trafficked and held in compounds—mostly in Myanmar, Cambodia, and Laos—where they are forced to play the role of an online scammer. If they refuse, the criminals who own the scam compounds, which are typically connected to Chinese organized crime, often beat or torture them. People have been trafficked from more than 60 countries around the world—often after seeing online ads promising them jobs that are too good to be true.

The forced scammers are compelled to send thousands of online messages to potential victims around the world on a daily basis. They are tasked with building relationships, often with the lure of friendship or romance, and eventually persuade their victims to send them money as part of lucrative “investment opportunities.” Individually, victims have lost hundreds of thousands of dollars, while the pig butchering criminal enterprises have collectively conned people out of around $75 billion in recent years.

“These scams can start on dating apps, text message, email, social media, or messaging apps, then ultimately move to scammer-controlled accounts on crypto apps or scam websites masquerading as investment platforms,” Meta writes in its report. “In addition to disrupting scam centers, teams across Meta are constantly rolling out new product features to help protect people on our apps from known scam tactics at scale.”

Pig butchering scams drive toward financial theft, but they start with either one-to-one cold communication between scammers and potential victims or contact that originates from social media groups or other communal forums. For example, Gary Warner, director of intelligence at the cybersecurity firm DarkTower, says that he tracks thousands of Facebook groups dedicated to luring people into cryptocurrency investment scams as well as groups that purport to be community dating resources where scammers are lurking.

Online moderation of scammers is a difficult and longstanding issue for Big Tech. As is the case with many types of inauthentic content, some pig butchering activity can skirt tech company standards—even when they are doing a large number of account takedowns—because the content isn’t explicit enough to meet the criteria for removal.

"So much of what is on platform is clearly the prelude to pig butchering, but Meta says it ‘doesn't violate community standards,’” Warner says.

Meta emphasizes, though, that in addition to its account takedowns and monitoring for scam activity on its platforms, the company is focused on working to directly combat scam compounds using its policies around dangerous organizations and individuals, as well as wider safety policies.

However, the owners of scam compounds have been quick to adopt new technologies into their operations, partly to make their scamming more efficient, but likely also to evade law enforcement and technology clampdowns. In recent months, researchers have spotted pig butchering scammers using artificial intelligence tools, integrating deepfakes into their campaigns, and using malware to expand their capabilities. For example, scammers are now able to easily generate understandable content in many languages using AI translation tools for both the scripts and messages they send potential victims, as well as job advertisements luring prospective workers into scam compounds.

Meta says one recent scam compound that it took action against, which was targeting Japanese and Chinese speakers, followed a tip from OpenAI threat researchers who had spotted the criminal operation using ChatGPT to translate messages that could be used in pig butchering.

A “cluster” of accounts that all appeared to come from Cambodia were spotted translating and generating comments using ChatGPT, OpenAI spokesperson Liz Bourgeois tells WIRED. The comments generated using AI would be shared on social media and appeared to be linked to scam activity. Bourgeois says OpenAI banned the accounts and reported the social media activity to Meta.

Meta Finally Breaks Its Silence on Pig Butchering

Five alleged members of the notorious Scattered Spider hacking group have been charged with executing a sophisticated phishing…

Five alleged members of the notorious Scattered Spider hacking group have been charged with executing a sophisticated phishing scheme that netted them millions of dollars in stolen cryptocurrency and sensitive company data.

The United States govemnet has confirmed arresting and charging five individuals allegedly linked to the **Scattered Spider group** (aka 0ktapus and UNC3944). This notorious hacking collective is accused of masterminding a sophisticated phishing scheme that targeted employees across the United States.

The feds unsealed the charges against the five defendants on November 20, revealing a scheme that relied on mass text message campaigns. According to the US Justice Department’s **press release**, investigators identified four defendants the citizens of the United States and one from the United Kingdom.

*   **Joel Martin Evans (25) – United States**
*   **Noah Michael Urban (20) – United States**
*   **Evans Onyeaka Osiebo (20) – United States**
*   **Tyler Robert Buchanan (22) – United Kingdom**
*   **Ahmed Hossam Eldin Elbadawy (23) – United States**

As previously **reported by Hackread.com**, the gang targeted cryptocurrency users and investers along with the Federal Communications Commission (FCC) employees with phishing messages warning them about account deactivation and linked them to phishing websites that resembled legitimate ones.

The group directed recipients to provide confidential information, including login credentials, and sometimes employees were sent two-factor authentication requests sent to their mobile phones.

Once clicked, the links led to phony websites that mimicked real company login pages. Unsuspecting victims, believing they were accessing official company portals, unintentionally gave away their login credentials.

Using this stolen information, the Scattered Spider crew allegedly gained unauthorized access to corporate computer systems. Once inside, they stole a treasure trove of sensitive data, including intellectual property and proprietary information, as well as personal information from hundreds of thousands of individuals, according to United States Attorney Martin Estrada.

The group also, allegedly, used the stolen credentials they also gained unauthorized access to numerous individuals’ cryptocurrency accounts and wallets, stealing millions of dollars’ worth of virtual currency from victim company intrusions and leaked data sets.

It is worth noting that Scattered Spider was also behind the **cyberattack on MGM Resorts** International in September 2023 in which it collaborated with the ALPHV ransomware group, also known as BlackCat.

“The defendants allegedly preyed on unsuspecting victims in this phishing scheme and used their personal information as a gateway to steal millions in their cryptocurrency accounts,” stated the FBI’s Los Angeles Field Office’s Assistant Director in Charge, Akil Davis.

Authorities say the group operated from September 2021 to April 2023 and caused significant financial losses, not just to targeted companies but also to individual victims who lost their hard-earned cryptocurrency. It is worth noting that cryptocurrency custodian Fortress Trust lost $15 million in customer funds **due to a phishing attack** on third-party vendor, Retool, supposedly launched by the same group. 

If convicted, the defendants face a maximum sentence of 20 years in federal prison for a conspiracy to commit wire fraud case, up to five years for the conspiracy count, and a mandatory two-year consecutive sentence for aggravated identity theft.

**William Wright**, CEO of Closed Door Security, highlighted Scattered Spiders’ sophisticated tactics in targeting MGM Resorts, including tracking an employee on LinkedIn and exploiting IT helpdesk processes to reset a password. This was followed by an MFA fatigue attack, granting system access. Wright emphasized the need for organizations to test their networks and train employees to counter such advanced social engineering threats.

1.  **FBI Disrupts Chinese State-Backed Volt Typhoon’s KV Botnet**
2.  **Goldoon Botnet Hiy D-Link Devices, Exploits 9-Year-Old Flaw**
3.  **LockBit Ransomware Gang Domains Seized in Global Operation**
4.  **Operator of Proxy Botnet ‘IPStorm’ Arrested, Pleads Guilty in US**
5.  **4 Arrested as Operation Endgame Disrupts Ransomware Botnets**

US Charges 5 Suspected MGM Hackers from Scattered Spider Gang

MIAMI, Florida, 21st November 2024, CyberNewsWire

**MIAMI, Florida, November 21st, 2024, CyberNewsWire**

Halo Security, a leader in external attack surface management and penetration testing, has announced the launch of its new Slack® app, empowering cybersecurity teams to receive real-time alerts on newly discovered assets, vulnerabilities, and other essential security updates directly within the Slack collaboration software.

This new integration allows Halo Security’s customers to seamlessly incorporate important security notifications into their existing Slack workflows, improving response time and enhancing collaboration across security and IT teams. Previously, Halo Security offered Slack alerts through a Zapier integration, but this new, direct integration delivers a more streamlined experience, giving customers greater control with minimal configuration.

Halo Security’s platform offers comprehensive external attack surface management, encompassing asset discovery, risk and vulnerability assessment, and penetration testing in a single, user-friendly dashboard. Built by a team of experienced penetration testers, security engineers, and reformed hackers, Halo Security provides organizations with an attacker’s perspective to help identify and address vulnerabilities. With the new Slack integration, customers are notified as soon as new issues and vulnerabilities are detected, unknown assets or open ports are discovered, and new technologies appear on their websites, helping teams stay ahead of emerging threats without being overwhelmed by irrelevant alerts.

> “Organizations need real-time, customized alerts for emerging security threats, but too many notifications can lead to alert fatigue,” said Ben Tyler, CTO of Halo Security. “Our direct Slack integration is easily configurable, giving customers precise control over which alerts they receive and allowing them to focus on the most critical issues directly within their existing workflows.”

**How to Get Started with Halo Security’s Slack Integration**

Halo Security customers can activate the Slack app today directly from their accounts. New users interested in trying the Halo Security platform can sign up for a 7-day free trial at halosecurity.com.

**About Halo Security**

Halo Security is a comprehensive external attack surface management platform that provides asset discovery, risk assessment, and penetration testing in a single, easy-to-use dashboard. Founded by cybersecurity experts with backgrounds at McAfee, Intel, Kenna Security, OneLogin, and WhiteHat Security, Halo Security delivers a unique attacker-based approach to help organizations safeguard against potential threats. Users can learn more at halosecurity.com.

Slack is a registered trademark and service mark of Slack Technologies, Inc.

**Contact**

**VP of Marketing**  
**Nicholas Hemenway**  
**Halo Security**  
**\[email protected\]**

Halo Security Launches Slack Integration for Real-Time Alerts on New Assets and Vulnerabilities

The future of cybersecurity isn't about preventing every breach — it's about learning and growing stronger with each attack.

Akhil Mittal, Senior Manager, Black Duck Software

November 21, 2024

6 Min Read

Source: Brain light via Alamy Stock Photo

COMMENTARY

Despite massive investments in cybersecurity, breaches are still on the rise, and attackers seem to evolve faster than defenses can keep up. The IBM "Cost of a Data Breach Report 2024" estimates the average global breach cost has reached a staggering $4.88 million. But the true damage goes beyond the financial — it's about how quickly your organization can recover and grow stronger. Focusing only on prevention is outdated. It's time to shift the mindset: Every breach is an opportunity to innovate. 

**Turning Breaches Into Opportunities**

Breaches are no longer theoretical. They're happening right now — AI-powered hacks, supply chain vulnerabilities, and social engineering make them inevitable. IBM's report shows that 83% of organizations faced multiple breaches last year. One retail client I worked with had the same mindset: focusing on prevention and detection alone. But after facing multiple breaches, the company flipped its approach — each breach became a learning opportunity. Instead of panic, the company built resilience.

**Strengthening Defenses After Each Breach**

Organizations need to shift from asking, "How do we stop breaches?" to "How do we get stronger from breaches?" Here are five strategies that I've seen make a significant impact: 

**1\. From Breach to Micro-Incident **

Not every breach needs to be a disaster. By treating breaches as micro-incidents, you can contain the damage and quickly move forward. With network segmentation and behavioral analytics, threats can be isolated and stopped from spreading. One financial client cut its recovery time by 50% by adopting self-isolating networks. When suspicious activity was detected, the network kicked into action, isolating the threat and stopping its spread. 

**2\. Stress Test Daily **

Running breach simulations once or twice a year is no longer enough. Leading organizations are stress-testing their defenses daily. This goes beyond testing — it's about actively rehearsing for real-world scenarios, ensuring your teams are battle-ready. Think of it like chaos engineering: You aren't just hoping for the best. You're deliberately looking for weaknesses so you can fix them before attackers find them. This approach helped another client find multiple weak points that were missed in its regular annual penetration tests. 

**3\. Minimize Human Intervention **

When a breach hits, speed is everything. Self-healing systems powered by AI automatically isolate compromised systems and begin repairs without the need for human intervention. One of my e-commerce clients cut its recovery time in half with self-healing technology. Its teams could stop putting out fires and focus on strategic long-term improvements. 

**4\. Adaptive Defense **

Every breach is an opportunity to learn and improve. One of the financial clients created a feedback loop that used AI-powered systems to analyze each breach. Machine learning models adapted defenses, spotting patterns in the attacks, adjusting firewall rules, and fine-tuning detection algorithms. Gartner predicts that by 2026, 30% of enterprises will automate more than half of their network activities, using AI to detect and respond to threats in minutes. 

**5\. Collective Defense **

No one fights cyber threats alone. A healthcare consortium I know began sharing real-time threat intelligence with other organizations. This collective defense approach helped it detect and stop attacks faster. Participating in networks like Information Sharing and Analysis Centers (ISACs) or using platforms like MITRE ATT&CK can boost defenses across industries by pooling insights and data. 

**Cybersecurity as a Competitive Advantage**

Resilience is the new competitive advantage. You can't prevent every breach, but how quickly you respond is what sets you apart. Accenture found that 87% of consumers trust companies that handle breaches with transparency and resilience. It's not the breach itself that builds trust, of course — it's how you respond. 

In industries like finance, healthcare, and technology, resilience not only helps you recover but also fosters customer loyalty. As cyber threats become more global, regulations like GDPR in Europe demand fast, transparent responses. In the Asia-Pacific region, rapid digital transformation is creating new attack surfaces. Wherever your business operates, resilience is key to success.

**Actionable Steps for CISOs**

Here's how chief information security officers (CISOs) can turn breaches into growth opportunities: 

*   Run continuous breach simulations: Make breach simulations part of your daily routine. Simulate phishing, ransomware, and supply chain attacks to identify vulnerabilities before real attackers exploit them. Leading companies, inspired by chaos engineering, run controlled breach tests every day, treating each one as an opportunity to fine-tune their incident response plans. 
    
*   Adopt self-healing systems: AI-powered self-healing systems minimize downtime by automatically detecting and isolating compromised systems, ensuring your business keeps running. With 24/7 monitoring tools, you can spot unusual behavior fast, allowing your teams to focus on strategic initiatives instead of reactive firefighting. 
    
*   Leverage AI-driven threat intelligence sharing: Join intelligence-sharing networks like ISACs to collaborate with peers. Real-time threat data allows organizations to stay ahead of emerging threats. Platforms like MITRE ATT&CK help teams analyze adversary behaviors, enabling them to fine-tune defense strategies. 
    
*   Prepare for quantum computing: While quantum computing is still emerging, it could eventually break today's encryption standards. Start preparing now by researching quantum-resistant encryption and staying informed on the latest industry developments. 
    
*   Create a resilience-first culture: Resilience shouldn't just be a buzzword — it must become part of your company's DNA. Encourage your teams to learn from every incident, find gaps in your defenses, and use them as opportunities to build stronger systems. Regularly debrief after breaches to reflect on what went right, not just what went wrong. This helps create a culture of continuous improvement, ensuring that your organization gets stronger after every incident. 
    

Resilience isn't just the CISO's job. CEOs and compliance officers also play crucial roles in aligning the entire organization with resilience strategies. Regulatory frameworks like Europe's General Data Protection Regulation (GDPR) and the US Portability and Accountability Act (HIPAA) demand transparent recovery protocols, and how leadership handles breaches impacts brand trust, shareholder confidence, and customer loyalty.

**Leading With Resilience**

The future of cybersecurity isn't about preventing every breach — it's about learning and growing stronger with each attack. Companies that turn breaches into opportunities for innovation won't just survive — they'll lead. By adopting resilience-first strategies, continuous improvement, and adaptive defenses, your organization can turn security challenges into competitive advantages. 

**About the Author**

Senior Manager, Black Duck Software

Akhil Mittal is a recognized cybersecurity leader with more than two decades of experience in application security, cloud security, and DevSecOps. As a Gartner Cybersecurity ambassador and senior manager at Black Duck Software, he leads key security initiatives, helping global organizations strengthen their defenses against advanced cyber threats. Akhil has worked closely with chief information security officers (CISOs) and executive leadership to align security strategies with business goals, ensuring robust protection across industries. He also contributes his expertise through leading cybersecurity publications and serves as a judge for top industry awards and hackathons. Certified in CISSP and CCSP, his work continues to shape the future of cybersecurity, driving innovation and resilience worldwide.

Cybersecurity Is Critical, but Breaches Don't Have to Be Disasters

View CSAF
1. EXECUTIVE SUMMARY
CVSS v4 8.7
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Schneider Electric
Equipment: PowerLogic PM5300 Series
Vulnerability: Uncontrolled Resource Consumption
2. RISK EVALUATION
Successful exploitation of this vulnerability could cause the device to become unresponsive resulting in communication loss.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Schneider Electric reports that the following PowerLogic energy meters are affected:
PowerLogic PM5320: Versions 2.3.8 and prior
PowerLogic PM5340: Versions 2.3.8 and prior
PowerLogic PM5341: Versions 2.6.6 and prior
3.2 Vulnerability Overview
3.2.1 UNCONTROLLED RESOURCE CONSUMPTION CWE-400
An uncontrolled resource consumption vulnerability exists that could cause Schneider Electric PowerLogic PM5300 Series devices to become unresponsive resulting in communication loss when a large amount of IGMP packets is present in the network.
CVE-2024-9409 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2024-9409. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).
3.3 BACKGROUND
CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: France
3.4 RESEARCHER
Schneider Electric reported this vulnerability to CISA.
4. MITIGATIONS
Schneider Electric has identified the following remediations users can apply to reduce risk:
PowerLogic PM5320: Version 2.4.0 of PowerLogic PM5320 includes a fix for this vulnerability.
PowerLogic PM5340: Version 2.4.0 of PowerLogic PM5340 includes a fix for this vulnerability.
PowerLogic PM5341: Version 2.7.0 of PowerLogic PM5341 includes a fix for this vulnerability.
If users choose not to apply the remediation provided above, Schneider Electric recommends immediately applying the following steps to reduce the risk of exploitation:
Enable IGMP Snooping: Ensure that IGMP Snooping is enabled on the switch. This feature allows the switch to intelligently forward multicast traffic only to the necessary ports where interested hosts reside. It prevents unnecessary flooding of multicast traffic across all ports, thereby enhancing network efficiency and minimizing unnecessary load on network resources.
Configure VLAN Interface Settings: Set up VLAN interface settings on the switch. It's important to have distinct configurations for each VLAN to ensure proper IGMP operation.
Multicast Filtering: Use IGMP filtering to control the propagation of IGMP traffic through the network. This involves configuring filters on a switch virtual interface (SVI), per-port, or per-port per-VLAN basis. Multicast filtering helps manage IGMP snooping and controls multicast traffic forwarding effectively.
Schneider Electric strongly recommend the following industry cybersecurity best practices:
Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
Place all controllers in locked cabinets and never leave them in the "Program" mode.
Never connect programming software to any network other than the network intended for that device.
Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
When remote access is required, use secure methods, such as virtual private networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version
available. Also, understand that VPNs are only as secure as the connected devices.
For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document and the associated Schneider Electric Security Notification SEVD-2024-317-01 in PDF and CSAF.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
5. UPDATE HISTORY
November 21, 2024: Initial Publication

Schneider Electric PowerLogic PM5300 Series

Chinese black market operators are openly recruiting government agency insiders, paying them for access to surveillance data and then reselling it online—no questions asked.

China has long been a billion-plus-person experiment in total state surveillance, with virtually no legal checks on the government's ability to physically and digitally monitor its citizens. When so much control of citizens' private data amasses within a few government agencies, however, it doesn't stay there. Instead, that bounty of private info has also leaked onto a lively black market—one where insiders sell off their own access to any scammer or stalker willing to pay.

At the Cyberwarcon security conference in Arlington, Virginia, on Friday, researchers from the cybersecurity firm SpyCloud plan to present their findings from monitoring a collection of black market services that offer cheap and easy searches of Chinese citizens' data. The vendors in many cases obtain that sensitive information by recruiting insiders from Chinese surveillance agencies and government contractors and then reselling their access, no questions asked, to online buyers. The result is an ecosystem that operates in full public view where, for as little as a few dollars worth of cryptocurrency, anyone can query phone numbers, banking details, hotel and flight records, or even location data on target individuals.

A screenshot of one of the Telegram-based data broker services' recruitment posts. The large text in Chinese translates to "Sincere cooperation, recruiting public security insiders."

Courtesy of SpyCloud

“China has created this massive surveillance apparatus,” says Aurora Johnson, one of the two SpyCloud researchers who has tracked how surveillance data leaks to the black market. “And ordinary individuals find themselves working in a system where there's not much economic and social mobility and where they have unfettered access to these databases of information based on their jobs in government or at technology companies. So they're abusing that access, in many cases by stealing data and selling it in criminal marketplaces.”

The SpyCloud researchers focused on Chinese-language data vendors that offer their services in accounts on the messaging service Telegram, including ones called Carllnet, DogeSGK, and X-Ray. The services, each of which has tens of thousands of members in its Telegram group, describe themselves as SGKs or “shègōng kù,” which the researchers translate as “social engineering libraries”—a name that suggests the services are perhaps primarily used by scammers. All three services use a point system in which customers can make payments—usually in the cryptocurrency Tether, though in some cases the Chinese payment services WePay and Alipay are accepted—for “points,” or earn them by inviting other customers. Customers can then cash in those credits to carry out searches based on identifiers ranging from names or email addresses to phone numbers to usernames on China's QQ, WeChat, or Weibo social networks.

In response to those search queries, the services promise data and records on targets including phone numbers, call records, bank accounts, marriage records, vehicle registrations, hotel bookings, and myriad other personal information. For higher payments that range into the hundreds of dollars, the services also offer premium searches for even more sensitive information like passport images or geolocation records, the SpyCloud researchers say, though they only conducted limited experiments on those premium searches. Some of the services specifically promise detailed access to data from China's “big three” state-owned telecommunications firms: China Telecom, China Unicom, and China Mobile.

WIRED reached out to Carllnet, DogeSGK, and X-Ray via Telegram, as well as the big three Chinese telecoms whose data they claim to have access to, but none of them responded to requests for comment.

In some cases, the services appear to draw on breached databases—collections of data that have been leaked online by hackers—as well as commercially collected data sources similar to those offered by Western data brokers, such as the location data hoovered up by many free smartphone apps. But they also appear to offer information from insiders at tech and telecom firms, banks, and China's state surveillance agencies, and even openly post ads seeking to recruit staffers of those organizations looking for an extra source of income. “Sincerely looking for public security personnel to establish cooperation,” reads one ad posted to Telegram, as translated by SpyCloud.

A translated screenshot of a post from one of the Telegram-based data brokers showing an example of geolocation tracking for a target individual.

Courtesy of SpyCloud

Another post from the X-Ray Telegram feed invites “internal personnel” from “public security, civil affairs, \[and\] banks” to cooperate with the service. “We welcome elites from all industries who have internal search conditions to join us!” reads a translation of the post.

According to one ad, insiders are paid more than 10,000 yuan—or nearly $1,400—a day, while another recruitment post promises twice that much and says some sources will receive payments as high as 70,000 yuan daily, or nearly $10,000. “There are many comrades who cooperate with us and have been cooperating with us stably for several years,” reads one recruitment post. To further assuage fears, it promises “a complete risk avoidance plan to protect you.”

Payment to those sources, one ad suggests, comes in the form of “virtual currency,” and offers training in “mixing” and other withdrawal methods “comparable to those of dark network black market personnel,” according to SpyCloud's translation—suggesting that the insiders are likely paid in cryptocurrency, given that “mixing” services are typically used to defeat blockchain analysis-based cryptocurrency tracing. “You can receive money with peace of mind and withdraw money with confidence,” it reads.

As further evidence of government surveillance insiders moonlighting in the data broker market, the SpyCloud researchers point to a leak earlier this year of communications and documents from I-Soon, a cyberespionage contractor to the Ministry of Public Security and the Ministry of State Security. In one leaked chat conversation, one employee of the company suggests to another that “I am just hear here to sell qb,” and “sell some qb yourself.” The SpyCloud researchers interpret “qb” to mean “qíngbào,” or “intelligence.”

Given that the average annual salary in China, even at a state-owned IT company, is only around $30,000, the promise—however credible or dubious—of making nearly a third of that daily in exchange for selling access to surveillance data represents a strong temptation, the SpyCloud researchers argue. “These are not necessarily masterminds,” says Johnson. “They're people with opportunity and motive to make a little money on the side.”

That some government insiders are in fact cashing in on their access to surveillance data is to be expected amid China's perpetual struggle against corruption, says Dakota Cary, a China-focused policy and cybersecurity researcher at cybersecurity firm SentinelOne, who reviewed SpyCloud's findings. Transparency International, for instance, ranks China 76th in the world out of 180 countries in its Corruption Index, well below every EU country other than Hungary—with which it tied—including Bulgaria and Romania. Corruption is “prevalent in the security services, in the military, in all parts of the government,” says Cary. “It's a top-down cultural attitude in the current political climate. It’s not at all surprising that individuals with this kind of data are effectively renting out the access they have as part of their job.”

In their research, SpyCloud's analysts went so far as to attempt to use the Telegram-based data brokers to search for personal information on certain high-ranking officials of the Chinese Communist Party and the People's Liberation Army, individual Chinese state-sponsored hackers who have been identified in US indictments, and the CEO of cybersecurity company I-Soon, Wu Haibo. The results of those queries included a grab bag of phone numbers, email addresses, bank card numbers, car registration records, and “hashed” passwords—passwords likely obtained through a data breach that are protected with a form of encryption but sometimes vulnerable to cracking—for those government officials and contractors.

In some cases, the data brokers do at least claim to restrict searches to exclude celebrities or government officials. But the researchers say they were usually able to find a workaround. “You can always find another service that's willing to do the search and get some documents on them,” says SpyCloud researcher Kyla Cardona.

The result, as Cardona describes it, is an even more unexpected consequence of a system that collects such vast and centralized data on every citizen in the country: Not only does that surveillance data leak into private hands, it also leaks into the hands of those who are watching the watchers.

"It's a double-edged sword,” says Cardona. “This data is collected for them and by them. But it can also be used against them.”

China’s Surveillance State Is Selling Citizen Data as a Side Hustle

Efficiency is the name of the game for the security operations center — and 91% of cybersecurity pros say artificial intelligence and machine learning are winning that game.

Only 9% of cybersecurity professionals said that new artificial intelligence (AI) and machine learning (ML) tools have not improved their security operations center (SOC) functionality, according to Dark Reading's latest research on enterprise security. The vast majority of respondents saw noticeable rises in speed, accuracy, and efficiency — good news for those frontline workers.

In Dark Reading's Artificial Intelligence and Machine Learning in Cybersecurity Survey, an equal number of respondents (31%) said AI and ML tools contributed to SOC performance by improving threat detection, automating routine tasks, and speeding up responses to threats. All of these improvements directly reflect the value that automation brings to improving response accuracy and operational efficiency in the SOC.

One of the greatest challenges that SOC analysts face now is an overwhelming volume of false positives raised by their security tools. Analysts have to sift through system alerts and discern which ones are false positives and which ones are potential threats. The tediousness of that work can lead to missed warnings, slower incident response times, and dissatisfaction that can result in burnout. The good news is that AI and ML are perfectly suited for handling this kind of donkeywork.

In fact, 24% said that AI and ML tools improved their SOC operations by reducing the volume of false positives.

For 28% of Dark Reading respondents, AI and ML tools provided better visibility into security events, and 24% cited improved efficiency in handling security events. A quarter of respondents cited quicker response times from SOC personnel as a positive effect of these tools. AI and ML tools are gaining traction in enterprises, and these responses show those technologies are already making a positive impact on enterprise security posture.

For more on the impact of AI and ML on cybersecurity, download the Dark Reading report "The State of Artificial Intelligence and Machine Learning in Cybersecurity."

**About the Author**

It's Near-Unanimous: AI, ML Make the SOC Better

In US Senate testimony, a CrowdStrike exec explained how this advanced persistent threat penetrated telcos in Asia and Africa, gathering SMS messages, unique identifiers, and other metadata along the way.

Source: Jakub Krechowicz via Alamy Stock Photo

A newly unveiled threat actor has been spying on mobile phones in Asia and Africa for more than four years. 

On Nov. 19, Adam Meyers, senior vice president for counter-adversary operations at CrowdStrike, testified before the US Senate Judiciary Subcommittee on Privacy, Technology, and the Law, on the subject of Chinese cyber threats to critical infrastructure. In the process, he unveiled Liminal Panda, an advanced persistent threat (APT) hyper-focused on gathering intelligence from telecommunications networks.

Since 2020, Liminal Panda has been using network-based attacks to penetrate and pivot between telcos across geographic regions, gathering SMS messages, unique identifiers, and other metadata associated with mobile phones that could be of political or economic use to the Chinese state.

**Liminal Panda's MO**

Though the aim is to obtain data transmitted over telecommunications channels, a typical Liminal Panda attack might look a lot like any regular network breach.

"Your cellphone has a radio that talks to a tower, called a base station controller. And those things are connected, typically, by Internet-type protocols — network technology," Meyers explained. Where some attackers might focus on the towers and their transmissions, Liminal Panda targets the IT network infrastructure underpinning the system. "They're going to go in through the gateway of the telco, and inside there's going to be a lot of traditional IT systems."

Once inside a telco's network — so often staffed by outdated legacy systems — Liminal Panda has tools for collecting call and text records and other sensitive identifying data on large groups or individual targets. "When you send a text message from your mobile device, it goes to the tower via SMS that gets passed back into the core of the telco. Routing decisions are made, and then it goes to the next destination," he says. Liminal Panda malware acts on that interim step.

To facilitate the exfiltration of that information, the group's command-and-control (C2) setup emulates the Global System for Mobile Communications (GSM). GSM is a mobile communications standard that enables calling, texting, and the use of mobile data, and is the most widespread such standard in the world, used in more than 193 countries.

**Hopping Between Telcos**

Besides attacking specific telcos, Liminal Panda has also been observed hopping between them.

"When you go from one part of the country to another, or when you go from one country to another, you need to have interoperability. And there's a lot of infrastructure that goes into making that happen," Meyers said. Thing is: The open lines of communication between telecommunications providers, and their infrastructure over long distances, can also be weaponized. "There are multiple threat actors from China who really understand how telecommunications infrastructure works. They understand how it's all connected together, and they're able to abuse that in order to go between providers."

Though its understanding of industry-specific protocols helps, Liminal Panda also jumps between providers simply by abusing the Domain Name System (DNS). By the end of a campaign, the group has often established multiple, redundant routes for traveling between providers.

**China's End Goals**

Oppressive governments have long used telecommunications breaches to spy on foreign officials, internal political dissidents, journalists, and academics. "All of these groups are targeting telcos to perform bulk collection, because it gives them the opportunity to then \[hone in on\] an individual — see who they're texting, who they're calling, who they're with," Meyers explained.

If Liminal Panda is indeed working on behalf of China, as CrowdStrike assesses with admittedly low confidence, then this sort of spying might have a dual economic benefit as well. In his Senate testimony, Meyers highlighted how major national projects like the Belt and Road Initiative, Made in China 2025, the 2035 Vision, the Global China 2049, and the country's regular Five-Year Plans provide impetus for economic espionage.

"If you're doing a deal in that region, I want to know who you're meeting with. I can collect that information, if you're sending text messages about the deal," he says. "Or I can intercept them if you're meeting with somebody that is politically problematic for me."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

China's 'Liminal Panda' APT Attacks Telcos, Steals Phone Data

Cybersecurity investigators found the leaked data to be information from a third party, not Ford itself, that is already accessible to the public and not sensitive in nature.

Source: imageBROKER.com GmbH & Co. KG via Alamy Stock Photo

On Nov. 17, hackers that go by the aliases IntelBroker and EnergyWeaponUser claimed to have breached Ford customer records, laying out their "success" in a post on BreachForums.

The hackers claimed that they had stolen 44,000 Ford customer records that included names, physical addresses, and acquisition information. In truth, after making the data sample public, it was found that the data only included physical addresses of car dealers from around the world, data that is likely already public and not considered sensitive.

The initial claims, however, prompted an investigation by Ford, which determined that there was no breach of its systems or compromised customer data involved. The leaked information actually originated from a third-party supplier, according to the automotive giant.

This isn't the first time IntelBroker has pulled a stunt such as this; though its victims do suffer from some type of breach, the hacker's claims of its attacks' magnitude are often exaggerated. Nonetheless, it's important to carefully vet any hacker claims, according to Roger Grimes, data-driven defense evangelist at KnowBe4.

"Any stolen confidential information, like purchasing habits, is something that can be used in a targeted spear phishing attack to trick more potential victims,” he wrote in an emailed statement to Dark Reading. "So, you can't completely discount any data breach no matter how innocuous it first seems."

**About the Author**

Tag

#intel