Summary:
Two men were arrested for stealing data from Snowflake, a cloud data storage company, while a third suspect, Kiberphant0m, remains at large. Kiberphant0m, suspected to be a U.S. Army soldier, has been extorting victims and selling stolen data. Investigations reveal a complex web of cybercrime activities linked to Kiberphant0m, including threats against high-profile individuals and the sale of sensitive information. #DataBreach #CyberExtortion #Kiberphant0m
Key points:
Two suspects arrested for data theft and extortion related to Snowflake.
Kiberphant0m, a prolific hacker, remains at large and continues extorting victims.
Kiberphant0m’s identity may be linked to a U.S. Army soldier stationed in South Korea.
Hackers exploited weak security measures on Snowflake accounts, leading to significant data breaches.
AT&T was among the companies affected, with personal data of 110 million individuals compromised.
Kiberphant0m threatened to leak sensitive call logs of high-profile individuals if demands were not met.
Kiberphant0m was involved in selling stolen data and offering SIM-swapping services targeting government and emergency responders.
Kiberphant0m has multiple online identities and has been active in recruiting for cybercrime activities.
Allegations of Kiberphant0m’s involvement in DDoS attacks and selling botnet services.
Claims of bug bounty earnings from various organizations, including the U.S. Department of Defense.
MITRE Techniques:
Initial Access (T1078): Utilizes stolen credentials to gain access to systems.
Data Exfiltration (T1041): Transfers stolen data from compromised systems to external locations.
Command and Control (T1071): Utilizes multiple command and control domains to maintain communication with compromised systems.
Credential Dumping (T1003): Extracts account credentials from operating systems and applications.
Social Engineering (T1203): Manipulates individuals into divulging confidential information.
Denial of Service (T1498): Conducts attacks to disrupt services, often using botnets.
IoC:
Full Research: https://krebsonsecurity.com/2024/11/hacker-in-snowflake-extortions-may-be-a-u-s-soldier/