Risky Bulletin Podcast Summary
Episode: Between Two Nerds: Beating back state espionage
Date: December 1, 2025
Host: Tom Uren (A), with guest The Grugq (B)
Overview
This episode delves into the impact and effectiveness of massive intelligence leaks on state-sponsored cyber-espionage groups. Sparked by the recent, comprehensive leak of documents tied to the Iranian APT group “Charming Kitten” (APT35), Tom Uren and The Grugq discuss:
- Whether such leaks can truly disrupt or deter state intelligence operations
- Historical precedents like the APT1/Mandiant and Snowden/Shadow Brokers leaks
- The differences between various state intelligence structures
- The efficacy and potential consequences of repeated "outing" of threat actors
Key Discussion Points & Insights
1. Can Leaks Disrupt State Espionage? (00:13–03:25)
- Charming Kitten Leak Context:
- A massive trove of data was released, outing every operator, front company, and key detail of APT35.
- The leak originated from “Iran International,” with suspicions about Israeli intelligence involvement.
- Immediate Impact vs. Long-term Deterrence:
- Leaks are disruptive and painful but rarely cause a state to stop collecting intelligence.
- Tom (A): “You're not going to disrupt a state from doing intelligence. Iran is going to keep wanting to collect intelligence. It's not going to stop just because some foot soldiers have been named.” [00:45]
- Operations are disrupted, but states reorganize and persist.
2. Historical Parallels: China, the US, and Beyond (02:16–04:38)
- APT1/Mandiant Report:
- Detailed exposure led to major disruption and apparent restructuring in the implicated Chinese PLA unit.
- However, China didn't stop espionage – it simply adapted.
- A: “So you would have to say that that's a win.” [03:00]
- Snowden & Shadow Brokers:
- Globally disruptive for the NSA and Five Eyes partners.
- Prompted massive countermeasures, such as widespread adoption of SSL/TLS and the encryption of previously plaintext collection points (e.g., Google's inter-data-center links).
- B: “Snowden was very disruptive to the NSA. It did stop them at least on some collection operations that they were doing.” [04:04]
- Key Insight: Leaks accelerate defensive measures on the part of both the exposed intelligence agencies and their targets (organizations, companies).
3. The Psychological and Organizational Fallout (05:10–13:17)
- Short- to Medium-term Disruption:
- Governments’ sensitivities drive responses (e.g., restructuring, countermeasures).
- Outing facilities/offices doesn’t necessarily halt operations—especially domestically.
- Targeted/Leaked Victims React:
- Listed companies may upgrade their cyber defense postures after being exposed as targets.
- B: "Maybe we should invest in that patching cycle that we've been putting off." [06:25]
- Purpose and Strategy of Leaks:
- The repeated, timed leaks against APT35 seem designed for maximum psychological and operational disruption.
- B: “This... repeated ... these hits that just keep coming on a regular basis...” [09:01]
- Drawn out over weeks, this strategy contrasts with the “get it all out at once” model, aiming to sustain pressure.
- Possible Organizational Consequences:
- Leadership (e.g., IRGC) might lose trust in exposed operators, triggering firings or resourcing changes.
- Replacement is likely but involves loss of institutional knowledge and relationships.
- B: “There might be some institutional knowledge that is being lost [...] ways of doing business that have been established over years that will have to be rebuilt. And while they're being rebuilt, they'll be very inefficient.” [10:09]
4. Unique Aspects of Iran’s Cyber-Espionage Model (13:17–15:25)
- Contractor Reliance:
- Iran’s ecosystem is heavily contractor-based—unlike most state agencies that are vertically integrated.
- Disrupting contractors may deter others and cause broader operational havoc.
- Scale and Targeting Difficulty:
- The size of APT35 (≈60 people) is notable for Iran but minuscule compared to China’s ecosystem.
- Disrupting smaller organizations is more feasible; larger ones are resilient due to sheer numbers.
- A: "If it's China, it's probably, I don't know, 100 fold bigger thousand." [14:13]
- Potential Ripple (Deterrence) Effect:
- Going after top-tier, long-operating teams acts as a warning to the rest (“if even the best can fall...”).
- Not necessarily practical or impactful for large, competitive or collaborative contractor networks (e.g., China).
5. “Contractor Ecosystem” and Strategic Implications (15:26–19:32)
- Whack-a-Mole Problem:
- With many contractors, taking down one or two just creates openings for others.
- Disrupting one can increase opportunity and competition for the remainder.
- Effect on Agencies:
- Attribution and doxing might motivate agencies to move away from vulnerable contractors, restructuring to rely more on internal teams.
- B: “Let's make a concerted effort to move away from this [contractor] and restructure around internal capability and do some capacity building.” [18:02]
- Resource Allocation:
- Focusing on the most disruptive or dangerous groups can yield “outsized” impact.
- A: “Even if it's, like, 10% or 15% over a long period of time, just slow them down... that probably is still a good use of resources.” [19:12]
6. Choosing Targets and Counterintelligence Lessons (19:32–23:51)
- Target the Most Capable:
- Disrupting the ‘top dog’ teams delivers the most value, analogous to the FBI expelling the most effective KGB officers so that only the easier-to-monitor ones remained in place.
- B: “If there's someone who's easy to monitor, you leave him in place. Because that's like, that's ideal... anyone who's good, you get rid of them...” [21:03]
- In cyber it is impossible to “evict” actors from the Internet, but the principle carries over: leave the easily monitored in place, disrupt the capable and dangerous.
- Potential for Backfire or Counterproductive Outcomes:
- Doxed groups might wear exposure as a “badge of honor,” bolstering internal reputation instead of deterring activity.
- B: “Would it go from, you know, ‘Oh, my God, we've been burned, everything's terrible,’ to ‘We are such a big deal that the Israelis bent over backwards ... because we're so good’?” [23:51]
7. Uniqueness of the Iranian Case & Limitations of Generalization (24:55–27:41)
- Goldilocks State:
- Iran is the right size and structure—large enough to matter, small and contractor-based enough to be disruptable.
- Other nations are either too small to attract this pressure or too large/diverse to be crippled by it.
- Comparisons to Pakistan & India:
- Both have hybrid military-civilian cyber structures, but using a doxing campaign could trigger reciprocal behavior.
- Severity of Operations:
- Iran’s use of contractors in severe actions (e.g., assassination attempts) increases both vulnerability and reputational fallout.
- “Many of the operations were in support of pretty extreme things like assassination attempts in foreign countries. ...It makes them more susceptible to the doxing because it seems more outrageous.” [26:23]
Notable Quotes & Memorable Moments
- Tom Uren:
- “You're not going to disrupt a state from doing intelligence. ...It's not going to stop just because some foot soldiers have been named.” [00:45]
- “This does seem like as bad as it could possibly get for a state intelligence service. Like it's the gold standard for state doxing, I suppose.” [12:40]
- “That probably is still a good use of resources.” [19:12]
- (On APT35’s outing) “Maybe that destroys their relationship with their higher ups, in which case maybe it's super effective. Or it could be exactly what you said. ...It's totally unclear to me.” [24:03]
- The Grugq:
- “Snowden was very disruptive to the NSA... it did stop them at least on some collection operations that they were doing.” [04:04]
- “If you reveal like the location of a safe house in London, that safe house can no longer be used. ...Whereas... if you reveal the location of an office in Tehran... they can still go there tomorrow.” [05:38]
- “I think this might be unique to the Iranian intelligence apparatus because they rely so heavily on this ecosystem of contractors.” [13:17]
- “At some point they're going to get acclimated to it, you know, ‘Oh, what's it this week? They've published your internals.’ ...By the fifth one, it's like, okay, we get it already.” [11:00]
- “If there's someone who's easy to monitor, you leave him in place. ...anyone who's good, you get rid of them because they're a problem.” [21:03]
- “It ended up becoming a sort of badge of honor … you are so competent and good at your job that the Americans have singled you out for praise.” [23:15]
- “Probably you can find elements of what Iran is doing in other countries... but are there countries that do assassinations using contractors?” [27:05]
Important Timestamps
- 00:13 — Introduction to Charming Kitten leak & opening question
- 02:16 — Historical precedents: APT1 and impact on China
- 04:04 — Snowden/Shadow Brokers and impact on the NSA
- 06:25 — Target organizations’ reactions and countermeasure adoption
- 09:01 — “Death by a thousand leaks”—repeated leak as a tactic
- 13:17 — Iran’s contractor model and vulnerability
- 14:13 — Comparison with Chinese and larger state networks
- 19:12–19:32 — Resource prioritization: targeting the 20% doing 80% of the harm
- 21:03 — Analogies to traditional counterintelligence
- 24:03 — Will public exposure actually disrupt or embolden operators?
- 26:23 — Unique reputational risks of Iran’s operations
Conclusion
The hosts conclude the sustained leaks against APT35 are the "gold standard" in state-level doxing and disruption, possibly uniquely effective due to Iran’s reliance on contractors, organization scale, and the nature of their operations. However, they remain cautious about generalizing to larger, more resilient or differently structured state intelligence agencies (like China or Western states), emphasizing the need for continued observation and context-sensitive strategies.
[27:41]
