A
Hello everyone, this is Tommy Wren. I'm here with the Grok for another Between Two Nerds. G'day, Grok. How are you?
B
G'day, Tom. Fine, and yourself?
A
I'm good. This week's edition is brought to you by Okta. On the podcast channel, I have an interview with Okta's VP of Threat Intel, Brett Winterford. All about Okta FastPass, what it is and why threat actors hate when you use it. So, Grok, I'm looking at this headline here. It's in the Register. "Oh, great. Three notorious cybercrime gangs appear to be collaborating" and it's.
B
That's.
A
That's the headline and talks about Scattered Spider, Shiny Hunters and Lapsus spent the weekend bragging to each other on a Telegram channel. So I guess the, you know, the discussion today is, is this at all significant? Does it mean anything? Now, as background, my thinking about these groups has evolved over time. So they're basically, it appears, offshoots of a larger community. This large community is called the Com. And FBI has said something like thousands of individuals, like, how do you define an online community? They talk on Discord and Telegram and then parts of them break off and are very, very effective at breaking into organizations and utterly wrecking them. And so the different names have been given to different, I guess you'd call them projects. So maybe the Snowflake data breaches was one project. I can't remember which one did that. Lapsus did a whole lot of stealing of source code, for example. And it seems like they've got themes that they roll on and hack, in a couple of weeks, several organizations, like very well-resourced organizations. Scattered Spider famously did casinos. Most recently they've done airlines. Now, my original thinking was that it was kind of like the FBI said, a whole lot of people who would just form teams and not like proper teams, but just work together for like, you know, a couple of weeks or whatever. And at that time my thinking was arrests probably aren't going to do all that much because in one article I likened it to Hollywood. If you arrest the cast and crew of one movie, are you going to stop Hollywood? No, it'll probably make not much difference.
B
Yeah.
A
Now, more recently, a couple of different threat intel companies have said there's three key individuals. They didn't name them, but they said and that they were driving the activity. And when I thought about Tom, Dick.
B
And Harry.
A
And when I thought about it, this makes a lot of sense because in any organization or team that I've been in, there are key individuals who drive things. I spoke to Adam Walo about this and he said, yeah, there's people who have the kind of vision to come up with a project and how to execute it. And so whether you call them leadership or management or whatever, it's.
B
I mean, I think that those. That might be a little bit formal for what we're. I mean, to me it seems a bit more like the case of there's a bully with some hangers-on, right. And like the bully is sort of like the key individual. But if you get rid of the bully, one of the hangers-on might step up into that role. And like they'd sort of been. They'd been kept down by having someone above them, but if you remove that person, then now they can shine as. Yeah, yep, yep.
A
So it's like a pecking order thing, right? So once you remove Top Dog, everyone moves one step up, everyone goes up one. So I guess the questions we have are, does it make any difference? So the headline used the word collaborating. And then also the secondary question is, will arrests make any difference?
B
Yeah. So to stick with your Hollywood analogy for just one second more, if you arrest one, one movie crew, does it shut down Hollywood versus if you arrest the lead actors, does it shut down a movie? And it's, you know, I think that it's. Yes, you do. Like, there's a few key players in a movie production that if you remove them, it will fall apart.
A
Right. Like if you don't get Tom Cruise, there is no movie in certain cases.
B
Like you can't do another Mission Impossible if he says no, that sort of thing where, like, it's just they're not replaceable. Is that the case? Or is it that if the director of the latest Marvel movie steps out, are they going to be able to find someone else to produce another cookie cutter movie?
A
Right.
B
Yes, absolutely right. It's not going to be a problem. So the question is very much, are we talking about like Director of the Week or Tom Cruise?
A
Well, I guess it's the director as. Is it auteur, you know, the driving force behind a project? Or is it like by-the-numbers movie?
B
Yeah, I think that's an interesting. Like, that's an interesting question. I don't know that we can answer it without being directly involved in these communities. But my sense is that you have a bunch of asshole teenagers who are goading each other into doing stuff. Some of them are like the top dogs, the highest of the pecking order because they're willing to do stuff for status within the Community like they're more willing to be the leads and they enjoy that position of being the boss of this group. But if you remove them, does the crew fall apart or is the next person in line just going to step up and take over? My gut feel is that there's probably a small number of people who are willing to take that role. And it might be that there's two of them in this group. One of them is currently leading, then one is his lieutenant and then you've got a whole bunch of people who are just sort of laughing and encouraging them from the sidelines, like an audience almost.
A
Right, right. So from the point of view of human dynamics, that kind of makes sense to me in that if you're not the target, top dog in a group or you're not the lead protagonist, like you go find a different, you go find a different playground.
B
I mean, I think that there's probably a set of characteristics, right. That would make someone the head of this. There probably has to be a certain set of mental disorders in a way. Like you have to be a little bit of a sociopath and you have to be a little bit narcissistic and you need to have, you know, bad empathy but a high value of yourself and various different things that obviously none of us can relate to.
A
But I'm sure no one who works in cyber has any of those traits.
B
Yeah, like high sense of self-worth. It's just, it's not the sort of person that gets attracted to cyber. Right. It's. But yeah, so that's my feel is that what you will have is that there's these just groups of guys who've sort of fallen into each other as like they don't necessarily get on in other places. They find this a little bit attractive and then that's who they start hanging out with. Much like when people become neo-Nazis, they don't go from regular Joe Schmo to like Hitler worshipper overnight. Right. They sort of get groomed into it. Like neo-Nazis are very deliberate about their grooming and that. I don't think that that's the case here. I think it's a lot more self-selective. Like in the academic sphere they call this like a community of practice. Like these are guys who do a certain type of hacking as their community of practice. Right. It's this like social engineering. It's paying for things, it's just hammering away with password lists, you know, infostealer logs, things like there's this low skill level, high reward set of techniques that they can use.
A
It seems that you don't need to. Some of them actually are like very, maybe not highly skilled, but very practiced. Like they know what works and they can string it together very quickly.
B
Right.
A
And some of it is in a sense state of the art in that the defenses don't work against them, basically.
B
I think skill might be the wrong term actually. I think sophistication is the right word. So like these are highly skilled, low sophistication practitioners. Right. So the stuff that they do doesn't take a lot of sophistication, but doing it the way that they do so successfully does demonstrate skill. Like it's. They have shown that like they know what they're doing. Right. So if I had to do like SIM swapping to take over an account to do this, like I wouldn't know where to start and I would get. I mean, I'd feel bad about the whole thing and not do it, but quite frankly I wouldn't know what I was doing. Right.
A
Yeah.
B
I do think that these are communities of practice. I think that these are like just a group of people that sort of do similar things and, and so they're sharing techniques.
A
So that's the community of practice part, right?
B
And that they sort of, they then compete for status within that community. So it's sort of like.
A
And the sharing of the technique is the status. Right. So that's why they're.
B
Yeah, right. Yeah, right. So that would be one of the ways of claiming status. But I'm pretty sure that these are very much like if you've ever been on an Internet forum or an IRC channel or a Discord chat, I guess. I mean, I haven't been on one, but I'm assuming it's very similar. There might be like there's going to be 20 people who are involved, but there'll be like a few key players who sort of drive most of the discussion. Right. And there's going to be like this huge number of people that you recognize as, I'm going to say bit players, which isn't quite fair to them. But like they aren't driving the conversation. They will chime in. They might have expertise in some area that you will turn to them, but most of the effort is being done by a small group of people. And my thinking is that that's exactly what these groups like Lapsus or Shiny Scattered Hunters Spiders or Spider Hunter Scattered Chinese or you could think of it like the Com is basically Reddit and then these subreddits are doing specific hacks. Right. That's sort of. There's thousands of people involved and it's like. Yeah, but most of them are just there to like.
A
I think is an interesting example in that you. There's a lot of people on Reddit, but there's a relatively small number of people who have a whole lot of. What do they call it? Is it clout or kudos?
B
Karma.
A
Karma, that's the one.
B
Karma.
A
Yeah, yeah, yeah. And so the same sort of dynamic.
B
Yeah. And it's going to be a power curve. Right. There'll be like one at the top, and then you go way down until you get the next one. That's exactly the dynamic I envisioned for these because that's how a lot of just human communities are.
A
So to me, it sounds like in terms of the question of these three gangs appear to be collaborating, that makes actually kind of no sense in this model in that they've always been talking, they're overlapping. Collaborating is not actually what they're doing. They're just.
B
I don't think they even can collaborate because it's like you can't have three main characters sharing the set. Right. Like, I don't think they can collaborate in that way.
A
Right, Right.
B
Someone's going to have to be the king.
A
Yeah. So you think each of these is driven by a small number of like. So Scattered Spider is driven by two, three, maybe at most, key people. Shiny Hunters, likewise. And they've. These key people have their different interests and that's why they appear as different threat actors.
B
Right, right. And then in terms of collaboration, it's probably much more of a, like, hey, Dave is doing a cool thing. You know, he wants a bit of help. Well, you know, if I help him, then it shows that I'm the superior person who is deigning to give him assistance because he needs it. And from the other guy's point of view, it's like he has to come to me to give me what I want. So obviously I have the higher status in this. I wouldn't say transactional so much as, like, they're just like, they can't work together like you could on a team.
A
Like, I guess the dynamic you're describing, the reward is individual status, and you can't collaborate on individual status. Like, that doesn't.
B
Right.
A
Now, moving on, one of the Scattered Spider kids, he recently got sentenced to 10 years in federal prison.
B
Right.
A
So, in fact, we'd actually podcasted about this guy and it was BTN 103. And there was. We were riffing off a YouTube video talking about hacking unreleased music, if I recall correctly.
B
Yeah.
A
And so part of his. A couple of his aliases, King Bob and Sosa. So those appear. I think we mentioned that in that video. So he is 20 years old. He's been sentenced to 10 years and ordered to pay roughly $13 million in restitution to victims. So, like, he's done financially. I mean, he's going to prison, so that's not good. But, like, $13 million when you're 20, presumably got that. He's been arrested for a while.
B
Yeah.
A
That's a lot of money.
B
That is. But you know what? To me, I'm gonna say that's a lot like back to Hollywood. It's like child actors, you know, they're super rich by the time they're 18, but it just never ends well. Right. Like, at all. Like, that's not a good age to be super rich. Like, you need to be a certain age before you can handle responsibility, because before then you're just an idiot. And that's having been an idiot most of my life. I can assure you that, like, it takes a long time until you're capable of dealing with things like that. I would say that one of the big examples is being the emperor of the Roman Empire. Right. Pretty much anyone that got it under 40 was a disaster. Right. Anyone that got it at 20 was, like, guaranteed to wreck things. Like, they're just.
A
This is our Roman Empire, part of the podcast.
B
So Nero, for example, was dead at 25 is all I'm saying.
A
So Brian Krebs has written up a piece on. His name was Michael Noah. Michael Urban.
B
Right.
A
So he did some phishing, netted Urban and others. So not necessarily entirely. Access to more than 130 companies, including Twilio, LastPass, DoorDash, Mailchimp, and Plex. So he stole music and he also did cryptocurrency thefts.
B
You know what? I'm going to throw out a conspiracy. I bet you that he was turned in by Lazarus, who didn't like competition. Not true. But, I mean, I think that's the way it should work.
A
Some of the players have been doxxed online, and it seems like some of that eventually does lead to law enforcement attention. So although you describe it as a conspiracy theory, I think it has happened for some of the people involved.
B
Yeah, well, the conspiracy theory is that it's Lazarus.
A
Right.
B
Trying to level the playing field.
A
I thought you said Lapsus. I misheard all.
B
Yeah, no, that's. That's right. No, that, like, Lazarus is just upset because you know, they could go to a concentration camp if they don't make money and here's someone stealing bread out of their kids' mouths, essentially. So for them it would make sense to, you know, put the kibosh on these groups, which I don't think is actually happening, but I think it would be very funny.
A
Right. Yeah.
B
I do think that competition between them could very easily lead to doxing because. Right. You're dealing with asshole teenagers. They will have petty squabbles and beef with each other over nothing. Particularly if you've got these sort of. Maybe alpha personalities isn't quite right. But you've got these sort of bully narcissist characters who can very easily call them lead actors. There we go. We've got these lead actors and the room's not big enough for the both of them sort of thing. I think that there's a lot of. There's a lot of opportunity for people like this who don't necessarily think of other people as being real people. Right. Of deserving of empathy of, you know, that sort of thing. Speculation on my part. But they would find it funny to dox someone and have them sent to jail. Right. Because it's their own fault for having a Facebook in the first place or whatever. Right.
A
Certainly the group seems like totally unrestrained. So part of, part of Krebs' story mentions that while he was in custody, the magistrate judge's email account was hacked to steal the indictment of Urban's indictment. It's not clear from this exactly who did the hacking, but as a group it's like anything goes, doesn't matter.
B
Right. And that would have been something that would be a high status achievement to share with the community. Right.
A
Yeah. So just looking at Krebs' write-up, Urban sounds like a lead actor to me in that he got involved in so much stuff. To me, it just doesn't make sense that a supporting character would get involved in so much stuff. And so that makes me optimistic that arresting people like Urban will actually make a dent. Now I'm not convinced it'll make a long-term dent because.
B
Right. People that would assume that there's no more lead actors ever being created.
A
That's right. Yeah.
B
Yeah. No, I, I agree with you. And the thing is, I wonder, like there's. There's obviously a finite number like the, the Com like this, this broad community of practice is potentially large, you know, thousands or more people. Sure. But of them, how many are actual lead actors and how many are just there for the lulz? How many are just there because they want to be part of something. And, like, they will, you know, help set up the website or, you know, use their HTML skill to make the phishing page look better. You know, something that they can contribute without being exposed to risk in the same way.
A
I mean, I would agree that they're finite, but it's also, like, it's an evolving thing, Right. So there's new players coming in, Right.
B
And. And there's people obviously graduating up the ranks because, you know, as we framed it, it's. It's low sophistication, but high skill.
A
Yeah.
B
And so you are going to have people who there might be in a supporting role simply because they don't have the. The set of skills developed yet, but once they have developed those skills, then they will naturally graduate. Like, graduate.
A
Yeah, yeah. So it feels like a rolling educational process.
B
Going after a block of jelly with a hammer. It's just the wrong tool for the job in a way. But I don't know what else you can do. So I think to a degree, I'm very much not one of those law and order, crime and punishment type guys, but I do think that there's actually a good deterrent in going after these leaders. I'm not sure it'll actually work. Okay, so here's the thing, right? I think that in order to do this stuff in a way that you have to feel like you're never going to get caught because you're the best. And people that you looked up to when they get caught, well, it's actually because they're idiots and you didn't really look up to them. If you think about it, you were young and naive last week. Now you know better. They got caught, so obviously they're not good. So I think, to quote from the Wire, it's that thing of, like, you know, all you have to be is a little bit short, a little bit late, a little bit slow. And how can you never be a little bit slow and a little bit late? Like, that's life. That's just. It's what happens. You will never be perfect 100% of the time. The problem of hoping that there'll be, like, a deterrence element of these arrests is that none of the people involved as these lead actors think that they are fallible and that they will get caught.
A
Yeah.
B
I think that that's probably a prerequisite for doing this. Right. Like, yeah.
A
I think the problem is if you.
B
Think you're going to make mistakes and go to jail, you're probably not going.
A
To be yeah, yeah, that's right. I think the problem with deterring teenagers with poor impulse control is like it's trying to deter goldfish.
B
Yeah. Like teenagers are not necessarily known for their long-term thinking and you know, what are the consequences of these actions? Yeah.
A
I think also part of the problem is that they have a whole suite of insecure practices and for 99.999% of the time it doesn't make any difference. Like there's no repercussions. But, right, but at some point they become priority number one or two or three.
B
Yeah. At some point you owe $13 million to people.
A
That's right. Yeah.
B
At which point. Yeah, at which point the game changes.
A
Yeah, yeah. And so for the vast majority of people, doing what they're doing is fine.
B
Right.
A
Like the FBI hanging out on Discord.
B
Or on Telegram and just talking to your friends while they do something stupid. It's not great. It's not what I would recommend. But it's not a fatal, like it's not a fatal error that's going to lead to a lifetime in jail.
A
Yeah, that's. Yeah.
B
Being the guy that's encouraged to actually break into the car or, you know, do the actual criminal act. That's the guy who has a problem.
A
Yeah, yeah. So they don't get feedback on what mistakes they're making, I guess is what I was trying to get at.
B
Yes. Yeah. They're operating in a lax security environment. Here's the thing. Right. I think that even if they did get feedback, they're not in a position to incorporate it properly. So one of the interesting things that happened during the 80s was when all of the cartels from Colombia, they had to find a way to get the guys who were doing the smuggling to cooperate with them and not with the police. Right. So they had pamphlets that they printed up and would give out to people before they would do the smuggling thing. And it'd be like, here's what you're going. Like if you get caught, here's what you can expect. Like, here's how the interrogation works. Here are your rights. If you keep quiet, we will pay for your lawyer, we will put money on your books and we will take care of your family and whatever. And if you don't, then you're on your own and maybe your wife's not going to be here when you come back. But then when they were paying for the lawyers, they would have the lawyers do discovery like crazy to try and understand the investigation techniques that were being used against them. These lawyers saying how did the FBI get that wiretap? Okay, to get that wiretap, what was the evidence that they needed? Okay, how did they get that evidence? What were they using to collect? What was the standard that they had to reach? And so they would build up these dossiers of understanding how law enforcement worked so that they could then adjust their own practices. And that's a thing you can do if you're leading a group where you can sacrifice pawns to figure out how the other side is working. Whereas the way that these groups work is they don't have pawns. Like everything's being done by the lead actor and the pawns are behind them, not in front. And so they cannot learn from other people's mistakes because they're the ones doing the stuff. They're going to make the mistakes.
A
Right, right, right.
B
You know, there's no one else there for them to take the fall. Right. So I think that, you know, you're absolutely right in that they are not well positioned to learn from what they're doing. In a way, like when they make a. When they make a security mistake, the only person that's going to learn from it is the person who's going to jail and it's not going to do him any good.
A
Yeah, it's too late for him.
B
And no one else is going to look at it and be like, I won't make those mistakes. They're just going to be like, look at that idiot. Look at that idiot. What sort of idiot would sign up for a car forum using their real email when they knew that that would ultimately get linked to them? What a dumbass.
A
I guess in the cartel example, if we sort of convert that into Hollywood, it's the. It's the supporting cast who are getting arrested and the lead actors are learning off the supporting cast. But in the dynamic with Scattered Spider, it's that the FBI doesn't care about the supporting cast. The FBI or whoever only cares about the lead actors. And so they.
B
Right.
A
They're the only ones who are getting arrested. And they. So they can never learn off the supporting cast.
B
But on the other hand, everyone always wants to be the lead actor. No one goes to Hollywood to be a key grip.
A
Or lady chewing gum number two.
B
Okay, So I think what we've covered is that we have this community of practice where there's just a whole bunch of young people competing for status, some of whom have the skill set to actually achieve that status. Others don't. Others might not want to be in that position because they don't have that risk appetite. Like, there's a bunch of people who are going to Hollywood to be stars.
A
Yeah.
B
And a bunch of people who are sort of going to Hollywood to be around stars. And I think however many stars burn out or get arrested, there's still going to be people in Kansas and Iowa and wherever going. I'm going to go to Hollywood.
A
And I guess just participating is the equivalent of waiting tables in Los Angeles.
B
I'm actually a hacker, but, you know, for now, I'm at Starbucks. But what I really want to do is hack.
A
Thanks a lot.
Podcast: Risky Business / Risky Bulletin
Episode: Between Two Nerds: Teenage hackers are like goldfish
Release Date: August 25, 2025
Hosts: Tommy Wren ("A") and Grok ("B")
In this episode, Tommy Wren and Grok delve into the dynamics of teenage hacker groups, using recent headlines and a major court case to explore how these communities operate, how leadership works, and whether law enforcement actions like arrests actually disrupt cybercrime activity. The discussion is peppered with analogies to Hollywood, Roman emperors, and goldfish, offering a spirited, irreverent tone as the hosts pick apart the myth and reality of adolescent hacking crews.