Summary:
Two men were arrested for stealing data from Snowflake, a cloud data storage company, while a third suspect, Kiberphant0m, remains at large. Kiberphant0m, suspected to be a U.S. Army soldier, has been extorting victims and selling stolen data. Investigations reveal a complex web of cybercrime activities linked to Kiberphant0m, including threats against high-profile individuals and the sale of sensitive information. #DataBreach #CyberExtortion #Kiberphant0m
Keypoints:
- Two suspects arrested for data theft and extortion related to Snowflake.
- Kiberphant0m, a prolific hacker, remains at large and continues extorting victims.
- Kiberphant0m’s identity may be linked to a U.S. Army soldier stationed in South Korea.
- Hackers exploited weak security measures on Snowflake accounts, leading to significant data breaches.
- AT&T was among the companies affected, with personal data of 110 million individuals compromised.
- Kiberphant0m threatened to leak sensitive call logs of high-profile individuals if demands were not met.
- Kiberphant0m is involved in selling stolen data and offering SIM-swapping services targeting government and emergency responders.
- Kiberphant0m has multiple online identities and has been active in recruiting for cybercrime activities.
- Allegations of Kiberphant0m’s involvement in DDoS attacks and selling botnet services.
- Claims of bug bounty earnings from various organizations, including the U.S. Department of Defense.
MITRE Techniques:
- Initial Access (T1078): Utilizes stolen credentials to gain access to systems.
- Data Exfiltration (T1041): Transfers stolen data from compromised systems to external locations.
- Command and Control (T1071): Utilizes multiple command and control domains to maintain communication with compromised systems.
- Credential Dumping (T1003): Extracts account credentials from operating systems and applications.
- Social Engineering (T1203): Manipulates individuals into divulging confidential information.
- Denial of Service (T1498): Conducts attacks to disrupt services, often using botnets.
IoC:
Full Research: https://krebsonsecurity.com/2024/11/hacker-in-snowflake-extortions-may-be-a-u-s-soldier/