Court documents released Monday show that US authorities have arrested a 20-year-old soldier, Cameron John Wagenius, on two counts of selling or attempting to sell confidential phone records without the customers' consent.
But behind the sparse details in the charge sheet filed in the US District Court for the District of Washington in Seattle lies a much larger story, according to cybersecurity reporter Brian Krebs.
The phone records Wagenius is accused of selling may include those of Vice President Kamala Harris and President-elect Donald Trump, part of the AT&T and Verizon phone records leaked in November by a hacker using the moniker ‘Kiberphant0m’.
According to Krebs, authorities now believe that Wagenius is Kiberphant0m, one of the main figures in the UNC5537 hacking group that attacked a series of Snowflake customers.
Another alleged member of the group, Connor Riley Moucka (aka ‘Judische’) was arrested in Canada in November. A third person suspected of involvement in the Snowflake incident, American citizen John Erin Binns, was arrested by Turkish authorities in May in connection with a separate attack on T-Mobile in 2021.
In the case against Wagenius, the military connection appears to be significant. Krebs reported in November that an analysis by researchers of Kiberphant0m's online accounts, dating back to early 2022, suggested he might be a US soldier recently stationed in South Korea.
Researchers including Allison Nixon of Unit 221B were able to connect the dots by following the hacker's sometimes careless online activity and bragging on public forums and social media. As Nixon wrote on Bluesky, that activity included the hacker issuing threats to Nixon and other researchers who try to link online personas to real identities.
The evidence gathered during this investigation was revealing enough to suggest that it was only a matter of time before Kiberphant0m's true identity was exposed.
Sharing responsibility for security
Before the breach, Snowflake's was just another name in today's long list of easily overlooked business-to-business offerings. Then it turned out that many businesses were using it to store a great deal of sensitive company information.
Some of those accounts were protected by nothing more than a username and password, in other words without multi-factor authentication (MFA) enabled. That gave the attackers an idea: why not scour darknet forums for leaked usernames and passwords and use them to log in to those accounts?
The breach resulted in approximately 160 Snowflake customers having their data breached on the platform, including Ticketmaster, Advance Auto Parts, Neiman Marcus and Santander. The criminals demanded payment, receiving at least $2.5 million from unnamed victims, it was later alleged in court documents.
What was Snowflake's responsibility in this? Undoubtedly, there is none. It was up to customers to enable MFA if they chose to, and to protect their own password information. While true, this has drawn criticism: although there was a way for administrators to enforce MFA on their Snowflake users, it was neither easy to implement nor enabled by default.
It’s a good example of the gray areas that still plague the shared responsibility model of cloud security: what security controls should be left to customers, and what is the responsibility of the platform?
In September, Snowflake announced that starting in October all user accounts would have MFA enforced automatically, with the minimum password length increased from eight to fourteen characters.
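The two controls the article describes, mandatory MFA enrolment and a 14-character password minimum, are account-level policies a Snowflake administrator can set explicitly rather than waiting for the platform default to change. The statements below are an added illustration, not code from the article or from Snowflake; the policy and database names are assumptions, and the parameter names follow Snowflake's documented CREATE PASSWORD POLICY, CREATE AUTHENTICATION POLICY and ACCOUNT_USAGE.LOGIN_HISTORY syntax as understood at the time of writing, so check them against current documentation before use.

```sql
-- Added example (not from the article): enforce MFA and a 14-character
-- password minimum account-wide, then look for the password-only logins
-- the attackers relied on. Run as ACCOUNTADMIN or an equivalent role.
-- Database/schema/policy names (security_db.policies.*) are assumptions.

-- Weak posture described in the article: no account-level policies, so a
-- user can sign in with just a username and password and MFA is opt-in.
-- (Nothing to run for that state; it is simply the absence of the below.)

-- 1. Password policy: raise the minimum length from the 8-character default
--    to 14 and add a lockout so credential stuffing is throttled.
CREATE PASSWORD POLICY IF NOT EXISTS security_db.policies.pw_min14
  PASSWORD_MIN_LENGTH = 14
  PASSWORD_MAX_RETRIES = 5
  PASSWORD_LOCKOUT_TIME_MINS = 30
  COMMENT = 'Minimum 14 characters; lock out after 5 failed attempts';

ALTER ACCOUNT SET PASSWORD POLICY security_db.policies.pw_min14;

-- 2. Authentication policy: make MFA enrolment mandatory for every user
--    rather than something each user may or may not switch on.
CREATE AUTHENTICATION POLICY IF NOT EXISTS security_db.policies.mfa_required
  MFA_ENROLLMENT = REQUIRED
  COMMENT = 'All users must enrol in MFA';

ALTER ACCOUNT SET AUTHENTICATION POLICY security_db.policies.mfa_required;

-- 3. Detection: successful logins in the last 30 days that used a password
--    with no second factor. Each row is an account still exposed to the
--    leaked-credential attack described in the article.
SELECT user_name,
       client_ip,
       COUNT(*) AS password_only_logins
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
GROUP BY user_name, client_ip
ORDER BY password_only_logins DESC;
```

The detection query is the useful part for an existing deployment: policies only bite at the next login, so reviewing LOGIN_HISTORY shows which accounts and source addresses were authenticating with a bare password before enforcement took effect. Service accounts that authenticate with key pairs rather than passwords will not appear in that result and typically need their own authentication policy.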