shift change 2024-01-30

Welcome to your shift change, reports from the off-going watch to the oncoming on anything interesting in privacy, security, or intelligence. 

Your CTI team at the Summit.

1. SANS CTI Summit 2024 — Day 2 starts at 09:20 with Slow Cooking & Cyber Threat Intelligence: Cooking a High Performing Team. “Let ‘em cook” already made an appearance yesterday, but I have to imagine I will hear “let ‘em cook” at least…twice…for today’s session.

The Summit is free for virtual attendees, and the sessions are outstanding (both the new-to-CTI track and regular track—and kudos to SANS for even having a new-to-CTI track!). CTI is not some secret society, it’s a tool kit for decision making. Stop gatekeeping intelligence.

Highlights from yesterday’s sessions include my buzzword bingo only lasting through the first session after “Cliff Stoll/Cuckoo’s Egg/$.75” was referenced in the opening remarks, and great examples of mobile indicators of compromise were presented from Citizen Lab’s investigation of NSO Group. 

This lasted through the opening remarks and about halfway into the first session...sigh

Also Andy Piazza reminding us all how fragile and limited our view of the whole field is, and how our analysis should reflect our own understanding of how little we see, and how we should weight what we do see.

2. North Korean hackers learn about the economics of diminishing returns—if profits go down, will they seek greener pastures?

Quark finding out profits are down...
Among the 20 hacks by North Korean-affiliated cybercriminals, the total amount of crypto assets snagged was slightly over $1 billion, a $700 million decline from 2022, according to data from Chainalysis released Wednesday. 
Meanwhile, a separate report released by a blockchain intelligence company TRM Labs earlier in January stated that the stolen amount was even less, at $600 million, accounting for almost a third of all funds stolen in crypto attacks in 2023.

3. Crypto Lawyers—just the worst.

He gets it.
Scott was a partner at the international law firm Locke Lord LLP when he was introduced to Ruja Ignatova, a.k.a. the “Crypto Queen,” who marketed OneCoin as the next Bitcoin at flashy events around the world and set up a massive multi-level marketing network to spread the OneCoin gospel. In reality, the coin had no blockchain, and Ignatova disappeared in 2017 as investigations into the scheme were intensifying.
In early 2016, Scott set up fake private equity investment funds in the British Virgin Islands, which he called “Fenero Funds.” About $400 million of proceeds from the OneCoin scheme were disguised as investments from “wealthy European families,” according to the DOJ, hidden in accounts in the Cayman Islands and in the Republic of Ireland. The money was then transferred back to Ignatova and others, purportedly for “outbound investments.”
Scott was paid more than $50 million for his services.
“Scott, an equity partner at a prominent international law firm, had boasted of earning ‘[$50 million] by 50.’ Indeed, Scott accomplished his goal, but by fraud and deception, and will now spend a decade in prison and has been ordered to forfeit all of his illegal proceeds,” said U.S. Attorney Damian Williams of the Southern District of New York.

Fortunately the courts of New York disbarred Mr. Scott. However, the courts of Florida thought a suspension would do, pending, more investigation? Good look, Florida.

4. SolarWinds moves to dismiss the case, presenting their best version of events, just like the complaint was the prosecutor’s best version of events.

"It's not material, it's not material" they scream into the void.

A quick look at the motion’s table of contents (a great first look at what type of arguments SolarWinds is making) shows, as expected, they are arguing SolarWinds did not commit fraud—so nothing unexpected there.

The arguments boil down to: what we knew and what we said were not material to the value of the company, and what we knew and what we said were not meant to be criminal so they shouldn’t be treated as criminal. The internal communications passed between the security team will shed a lot of light, and judges don’t like arguments that imply regular people just cannot understand how star spangled smart the information security industry is—bold move SolarWinds.

Direct link to the motion to dismiss and SolarWinds’ best-version-of-events: here.

The shift change is a collection of timely stories of interest in the security, privacy, and intelligence worlds. Thanks for reading, and feel free to reach out to will@signaltonoise.fyi for any questions, comments, or thoughts on items you’d like to see highlighted.