Risky Business #804 — Phrack’s DPRK Hacker is Probably a Chinese APT Guy
August 27, 2025
Host: Patrick Gray
Co-host: Adam Boileau
Overview
This episode covers a wild week in global information security, blending geopolitics, hands-on hacking, and the growing overlap between crime, nation-state operations, and new technology. Main stories include revelations that Iran orchestrated anti-Semitic attacks in Australia, hacktivist sabotage of satellite comms on Iranian shipping, Microsoft's China-related disclosure problems (MAPP early access and DoD cloud support), a contested attribution in Phrack magazine that pinned an APT operator on North Korea when the evidence points to China, Trail of Bits' image-scaling prompt injection research, continuing threat actor naming chaos, several criminal cases, ransomware's unrelenting impact, the evolution of residential proxy networks, and Russia's state-backed Max Messenger app.
Key Discussion Points & Insights
1. Iran Behind Violent Attacks in Australia ([00:00–05:09])
- Summary: The Australian government expelled the Iranian ambassador after ASIO concluded that Iran orchestrated a series of anti-Semitic attacks carried out by local criminals. Patrick notes he had previously suggested a possible Terrorgram/neo-Nazi connection, but was corrected by journalist Cam Wilson, who turned out to be right.
- Quote: “Turns out that Iran was actually orchestrating violent anti-Semitic attacks in Australia, which is just wild times.” (Patrick, [01:50])
- Investigation Details: Iranian operatives paid local criminals with no political motivation of their own (“meth heads,” in the hosts' words) to attack Jewish community targets, a synagogue among them.
- Quote: “I would have thought burning a synagogue, you don’t need a lot of geopolitical nous…” (Adam, [03:20])
- Cyber Element?: ASIO followed the money back to Iran; the hosts suspect cyber capabilities played a part in the attribution, though nothing specific was disclosed.
2. Iranian Maritime SATCOM Hacking ([05:09–06:55])
- Summary: Self-described hacktivists sabotaged the satellite communications on Iranian vessels, knocking dozens of ships offline. The timing lines up suspiciously well with U.S. efforts to curb Iranian oil smuggling.
- “They … destroyed the disks … rendered the SATCOM systems … inoperable … crippled … 39 oil tankers, 25 cargo ships …” (Adam, [05:39–06:14])
- Implication: The hosts read the “hacktivist” label sceptically; the operation looks tightly coupled to a live geopolitical flashpoint.
3. Microsoft’s China Dilemma(s) — MAPP Leaks and DoD Cloud Support ([06:55–10:35])
- SharePoint MAPP Leaks:
- Microsoft's Active Protections Program (MAPP) gives partner vendors vulnerability details before patches ship. After the SharePoint zero-day exploitation raised suspicion that those details had leaked, Microsoft is cutting back the number of Chinese organisations with early access.
- “There were a lot of Chinese orgs … Microsoft is now scaling back the number of Chinese orgs that get this early access.” (Patrick, [06:55])
- Chinese Outsourced Support for DoD Cloud:
- ProPublica reported that Microsoft's support arrangements for DoD cloud systems relied on China-based staff, and that the documentation disclosing this to the government was vague about who those uncleared staff were and where they sat.
- “It’s really hard to imagine that DoD would have signed off on that.” (Patrick, [08:24])
- “Apparently … in the middle of the document … [they mention] staff that aren’t cleared, but doesn’t say … people in mainland China.” (Adam, [09:16])
- Security Governance Laxity: Raises questions about transparency and the risk profile of major vendors, even in sensitive national security contexts.
4. Phrack 40th: APT Attribution Debacle – DPRK or China? ([10:35–13:56])
- Summary: The legendary hacker ezine Phrack, in its 40th anniversary issue, published an article “doxxing” an APT operator and claiming North Korean ties. Patrick’s sources call the attribution “thin”: the intelligence they have points to a Chinese threat actor instead.
- Quote: “One of [my contacts] said it’s not a North Korean threat actor. They’re Chinese. … I think they might have got it wrong. Nonetheless, still a very fun read.” (Patrick, [11:30])
- Attack Details: The authors compromised the operator's Linux VM and, because the host's Windows C: drive was mounted inside it, pivoted out into the Windows environment and on to a VPS. The operator's opsec, in short, was dreadful.
- “They had their Windows C drive mounted inside the VM … trivial to move out into the Windows VM … pop the virtual private server.” (Adam, [12:14])
- Notable Impact: Data from the dump helped unravel additional Chinese APT infrastructure.
5. Trail of Bits Unveils Multimodal Prompt Injection ([13:56–17:48])
- Research Highlight: Trail of Bits showed that multimodal models can be attacked through images whose content changes with resolution. At the size a human views the image there is no visible text; after the resampling step the model's preprocessing applies (downscaling to the model's input size), text emerges that the model reads as instructions, steering its output in ways the user never sees.
- “At full resolution [the image] doesn’t contain any text. But when you scale them down, text pops out …” (Adam, [13:56])
- Broader Risks: The same idea extends to any media that is resampled before the model sees it (audio, video), and it poses deep challenges for anyone putting an LLM in front of untrusted content.
- “We are left wondering what on earth are we going to do about computers that mix data and code?” (Adam, [17:10])
- Memorable Analogy: “Used to joke about heavy metal music backwards … now it’s music that tells you to scan your inbox for credit card numbers.” (Patrick, [17:48])
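The scaling trick described above, as an added toy example (not Trail of Bits' code or tooling): a box-filter downsample stands in for the model's resampler, and the glyph, block means, scale factor and image sizes are all constructed for the demo. Each block of the full-resolution image is filled with noisy pixel pairs whose mean is fixed, so the image is noise to a human viewer at full size but spells out a clean glyph once averaged down.

```python
"""Toy image-scaling carrier: noise at full resolution, a glyph after downsampling.

Added example, not Trail of Bits' code. A grayscale image is a list of rows of
ints 0..255. Box-filter (area) downsampling is assumed to stand in for the
model's preprocessing; the glyph, block means and factor are constructed.
"""
import random

DARK, LIGHT = 96, 160      # block means used for '.' and '#' in the hidden glyph
THRESHOLD = 128            # render cut-off: values >= THRESHOLD print as '#'

# Constructed 5x7 bitmap spelling "HI": the payload a model would "read".
HIDDEN_GLYPH = [
    "#.#.###",
    "#.#..#.",
    "###..#.",
    "#.#..#.",
    "#.#.###",
]

def glyph_to_target(glyph):
    """Map the glyph to the mean each downsampled pixel must end up with."""
    return [[LIGHT if ch == "#" else DARK for ch in row] for row in glyph]

def embed(target, k, seed=1, spread=96):
    """Return a (k*h) x (k*w) image whose k x k block means equal `target`.

    Every block is filled with pairs (t + d, t - d), d != 0, so the block mean is
    exactly t while no block is uniform: noisy pixel by pixel, a clean glyph once
    averaged. k must be even so the pixels pair up.
    """
    assert k % 2 == 0, "k must be even so every block splits into pairs"
    rng = random.Random(seed)
    h, w = len(target), len(target[0])
    img = [[0] * (w * k) for _ in range(h * k)]
    for ty in range(h):
        for tx in range(w):
            t = target[ty][tx]
            dmax = min(spread, t, 255 - t)            # keep t +/- d inside 0..255
            cells = [(ty * k + dy, tx * k + dx) for dy in range(k) for dx in range(k)]
            for (y1, x1), (y2, x2) in zip(cells[0::2], cells[1::2]):
                d = rng.randint(1, dmax) * rng.choice((-1, 1))
                img[y1][x1], img[y2][x2] = t + d, t - d
    return img

def area_downsample(img, k):
    """Mean of each k x k block: the resampling step that reveals the glyph."""
    h, w = len(img), len(img[0])
    return [
        [round(sum(img[y][x] for y in range(by, by + k) for x in range(bx, bx + k)) / (k * k))
         for bx in range(0, w, k)]
        for by in range(0, h, k)
    ]

def render(img):
    """Threshold to ASCII so the human view and the model view can be compared."""
    return ["".join("#" if v >= THRESHOLD else "." for v in row) for row in img]

def min_block_range(img, k):
    """Smallest (max - min) over all k x k blocks; a block with no noise would give 0."""
    h, w = len(img), len(img[0])
    ranges = []
    for by in range(0, h, k):
        for bx in range(0, w, k):
            block = [img[y][x] for y in range(by, by + k) for x in range(bx, bx + k)]
            ranges.append(max(block) - min(block))
    return min(ranges)

if __name__ == "__main__":
    k = 4
    full = embed(glyph_to_target(HIDDEN_GLYPH), k)
    print("full resolution (what the user sees):")
    print("\n".join(render(full)))
    print("\nafter %dx box downsample (what the model sees):" % k)
    print("\n".join(render(area_downsample(full, k))))
```

The carrier is tuned to one specific resampler and factor, which is the defensive lesson: a preview of the image at the user's resolution tells you nothing about what the model ingests, so any review or filtering has to run on the exact downscaled input the model receives.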
6. Russian Hackers Exploit 7-Year-Old Cisco Vuln ([18:07–18:52])
- FBI warning: FSB-linked actors are actively exploiting CVE-2018-0171, the 2018 remote code execution bug in Cisco IOS Smart Install, on end-of-life Cisco hardware that will never receive a fix.
- “What are we even doing? Why do we even turn up?” (Patrick, [18:40])
- “The FBI has to put out a warning that says, hey, patch your stuff … it is the year 2025 AD.” (Adam, [18:52])
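Since the affected hardware is end-of-life, “patch your stuff” in practice means confirming whether the Smart Install client is still enabled and turning it off. As an added example (not from the FBI advisory or Cisco), the snippet below parses `show vstack config` output for the `Role: Client (SmartInstall enabled)` line Cisco documents and turns it into a finding. The hostnames and command outputs are constructed samples; real output may carry additional fields.

```python
"""Triage Cisco IOS 'show vstack config' output for Smart Install exposure.

Added example, not vendor or advisory code. CVE-2018-0171 is only reachable
while the Smart Install client is enabled (it listens on TCP/4786), so on a
box that cannot be patched the first question is whether the feature is on.
Sample outputs below are constructed; hostnames are placeholders.
"""
import re

SMART_INSTALL_PORT = 4786

# Constructed sample: client with the feature still on (the default on many older IOS trains).
ENABLED_OUTPUT = """\
 Role: Client (SmartInstall enabled)
 Vstack Director IP address: 0.0.0.0
"""

# Constructed sample: device where 'no vstack' has already been applied.
DISABLED_OUTPUT = """\
 Role: Client (SmartInstall disabled)
 Vstack Director IP address: 0.0.0.0
"""

# Constructed sample: platform without the feature (IOS rejects the command).
UNSUPPORTED_OUTPUT = "% Invalid input detected at '^' marker."

_ROLE_RE = re.compile(
    r"Role:\s*(?P<role>\w+)\s*\(SmartInstall\s+(?P<state>enabled|disabled)\)", re.I
)

def smart_install_state(show_vstack_output):
    """Return 'enabled', 'disabled' or 'unsupported' from `show vstack config` text."""
    m = _ROLE_RE.search(show_vstack_output)
    if not m:
        return "unsupported"
    return m.group("state").lower()

def running_config_disables_vstack(running_config):
    """True if the running config carries an explicit 'no vstack' line."""
    return any(line.strip() == "no vstack" for line in running_config.splitlines())

def assess(hostname, show_vstack_output, eol=False):
    """Turn the parsed state into a finding plus the action an operator should take."""
    state = smart_install_state(show_vstack_output)
    if state != "enabled":
        return {"host": hostname, "exposed": False, "state": state,
                "action": "none required for CVE-2018-0171"}
    action = "disable with 'no vstack' and block TCP/%d at the edge" % SMART_INSTALL_PORT
    if eol:
        action += "; no patch will ship for this platform, so plan replacement"
    return {"host": hostname, "exposed": True, "state": state, "action": action}

def triage(devices):
    """devices: iterable of (hostname, show_vstack_output, is_eol). Returns exposed hosts only."""
    return [r for r in (assess(h, out, eol) for h, out, eol in devices) if r["exposed"]]

if __name__ == "__main__":
    fleet = [
        ("core-sw1", ENABLED_OUTPUT, True),
        ("edge-sw2", DISABLED_OUTPUT, False),
        ("rtr3", UNSUPPORTED_OUTPUT, False),
    ]
    for finding in triage(fleet):
        print(finding)
```

The check is deliberately conservative: a platform that does not recognise the command is reported as unsupported rather than safe, and an enabled client on end-of-life hardware gets a replacement recommendation, because disabling the feature closes this one bug but not the next one.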
7. Threat Group Naming Chaos: CrowdStrike v. Microsoft ([19:21–21:02])
- No progress has been made towards universal naming conventions; CrowdStrike’s “Murky Panda” is Microsoft’s “Silk Typhoon.”
- “Clearly hasn’t happened yet because … CrowdStrike warns of uptick in silk typhoon attacks…” (Patrick, [19:21])
- Edge and Cloud Exploits: The group exploits Citrix NetScaler flaws for initial access and compromises cloud service providers in order to reach their downstream customers.
8. Criminal Cases: Botnets, Celebrity Crypto Heists, and More ([21:02–26:41])
- RapperBot Operator Arrested: 22-year-old Ethan Foltz was arrested for running a huge botnet-for-hire capable of 2–3 Tbps DDoS attacks. ([21:38])
- Chinese Actor Hacks BTS Members: Hackers broke into South Korean telecoms to loot $30m from celebrities, including members of BTS. Patrick quips this should become a TV drama. ([22:20–23:31])
- “Scattered Spider” Operator “King Bob” Sentenced: The SIM swapper was sentenced to 10 years over roughly $800k in crypto theft, more than prosecutors asked for; the hosts speculate that an associate hacking the judge during the case did not help. ([23:32–25:49])
- “You feel like this might even send a message.” (Patrick, [24:51])
- Ohio Network Engineer Sets “Kill Switch,” Gets 4 Years: A Chinese national planted a logic bomb that would take down his employer’s network if his account was ever disabled, i.e. if he was fired. It went about as well as you would expect. ([25:49–26:41])
9. Nevada State Government Ransomware Outage ([26:41–28:45])
- Nevada government’s infrastructure crippled by cyberattack; offices physically closed and systems offline for days.
- “It looks pretty bad because this has been going on a couple of days now.” (Patrick, [27:04])
- Ransomware Measurement is Hard: The hosts note that there is still no good way to quantify whether anti-ransomware efforts are working, either in terms of impact suffered or incidents prevented.
10. The Evolution of Residential Proxy Networks ([29:07–33:03])
- Brian Krebs’s exposé on DSLRoot, a service that pays individuals to host proxy hardware in their homes; the hosts note the business is moving away from dedicated devices toward getting ordinary home PCs to run proxy malware, because that scales.
- “What’s really interesting … the sun is setting on these types of residential proxy networks that actually use dedicated hardware … next generation is just getting people to basically install malware.” (Patrick, [29:07])
- Funny Moment: The Reddit user who hosted DSLRoot devices serves in the Air National Guard and holds a TS clearance. ([30:49])
11. Leaky Russian Data and Open-Source Intelligence ([33:03–34:21])
- Brian Krebs identifies the operator behind DSLRoot, using leaked Russian food-delivery data to pin down a home address and even pizza-ordering habits.
- “Brian’s got his home address and figured out how often he orders pizza … a great example of OSINT.” (Adam, [33:20])
- Russia’s infamous data leaks provide open-source investigators with unprecedented visibility.
12. Russia’s Max Messenger: Surveillance, State Support, and Prayer ([34:21–38:08])
- Russia’s Answer to WeChat: The Kremlin is pushing citizens onto Max by blocking rival apps or degrading their performance. Security researchers, speaking anonymously, report that Max has serious privacy problems, including always-on location tracking and weak or absent encryption.
- “You sort of never know when [Google Meet] is going to work or it’s not. Again, this is just a way to funnel people into Max.” (Patrick, [35:00])
- Surreal Moment: Russian Orthodox monk calls for prayers for Max Messenger so people can “use earthly goods to achieve useful results.” ([36:38])
- “A representative of the Russian Orthodox Church called on Russians to pray for the National Messenger Max.” (Patrick, [36:38])
- Repression Escalates: Criticism of Max Messenger may soon be policed as “unjustified criticism.” ([37:41])
Sponsor Interview: Corelight’s New AI Capabilities (Greg Bell) ([38:29–52:45])
Corelight’s AI Expansion ([39:43–52:45])
- Open Source AI Integration: Corelight leans on the fact that LLMs have been “trained on decades of [Zeek] content,” so the models understand Corelight's Zeek-derived data natively, which underpins its GenAI capabilities for alert triage, workflow automation, and SOC support.
- “We’ve delivered a GenAI triage … focused on removing drudgery, providing just-in-time context.” (Greg, [41:30])
- MCP Server, Playbooks, and Prompt Books: The new Model Context Protocol server is released alongside extensive playbooks—a way to guide models through complex, repetitive security investigation tasks.
- “We’ve packed … hundreds of engineer hours … into playbooks and prompt books that help guide the model to do the right thing … work surprisingly independently…” (Greg, [40:35])
- Design Philosophy: Meeting customers where they are—integrating with tools like Splunk rather than forcing data migration.
- “We’re bringing all this capability to where the customers already keep their data.” (Greg, [41:57])
- Real-World User Value: Automating multi-step investigations, pivoting across logs, surfacing context—freeing analysts from repetitive “click, pivot, lookup” work.
- “There’s no reason you can’t get a model to do it.” (Patrick, [44:39])
- Challenges & Limitations:
- “Without the prompt books … you’ll get more hallucinations, you’ll get illogic … You really have to apply QA…” (Greg, [47:11])
- Open Source v. Commercial: How much of the new tooling to open-source is still being decided; Corelight's bias is toward opening it, but the features are first being trialled with design partners.
- AI Trajectory: Greg is a moderate optimist—practical benefits are real and growing, regardless of the AGI hype.
- “What matters is whether there’s demonstrated impact and we’re finding repeatedly there’s demonstrated impact…” (Greg, [51:25])
- Patrick’s Humorous Skepticism: Laments current AI’s limitations with a story about being told to check the “fuel system” on his electric car!
Memorable Quotes & Moments
- “Totally legitimate activist behaviour to me. The timing is a complete coincidence, of course.” (Patrick, on sanctions timing vs. hacks, [06:55])
- “We need to do something. This is something. So we’ll do it. That old chestnut.” (Patrick, on Microsoft’s response, [08:24])
- “It’s such a leaky environment. I mean you think America’s bad … then you see what you can just torrent in Russia…” (Patrick, [33:20])
- “Blessing technology is not that unusual. … The monk said one should pray for Max messenger because of a person's desire to use earthly goods to achieve useful results.” (Adam, [37:10])
Timestamps of Notable Segments
- Foreign orchestration of attacks in Australia ([00:00–05:09])
- Iranian SATCOM hacking by hacktivists ([05:09–06:55])
- Microsoft/China disclosure issues ([06:55–10:35])
- Phrack APT attribution questioned ([10:35–13:56])
- Trail of Bits prompt injection research ([13:56–17:48])
- Russian hackers exploit ancient Cisco vuln ([18:07–18:52])
- Nevada ransomware crisis ([26:41–28:45])
- Residential proxy network exposé ([29:07–33:03])
- Corelight AI sponsor interview with Greg Bell ([38:29–52:45])
Closing Thoughts
This episode encapsulates the intersection of geopolitics, persistent technical threats, and tech industry growing pains around AI and security—seasoned with recurring themes of opsec failures, compromised infrastructures, and the never-ending race between attackers, defenders, and regulators. The show’s blend of serious reporting, skepticism, and security community in-jokes is on full display.
Patrick and Adam’s advice, as always: patch your stuff, embrace AI carefully, expect hackers (and the state) to be one step ahead, and never underestimate the weirdness of the internet.
