On Nov. 5, 2024, Bloomberg and 404 Media reported that Alexander “Connor” Moucka was detained Oct. 30, 2024, by Canadian authorities on a provisional arrest warrant by request of the U.S. Charges against Moucka have not been released, but he is alleged to be a threat actor who went by nicknames including @judische and ellyel8 and is suspected to have been behind the most prominent data breach event in 2024. The incident involved the compromise of login credentials for clients of Snowflake, a data warehousing and cloud infrastructure provider. The actor ellyel8 falls in the sphere of “Com,” or “TheCom,” which are terms used by threat actors themselves to describe online criminal communities that associate on cybercrime forums and messaging platforms including Telegram and Discord. The Com (believed to be the origins of well-known intrusion clusters such as Scattered Spider, Starfraud, 0ktapus, UNC3944, Scatter Swine and Muddled Libra), is associated with data breaches, ransomware, extortion, identity theft, cryptocurrency theft and at times real-world violence. Actors in these online communities use online platforms to coordinate attacks, sell stolen data, trade tools and techniques and engage in never-ending streams of misogynistic, racist and threatening banter. This post will examine ellyel8’s activity across these platforms, intrusions the actor claimed credit for and how enterprises can defend against Com-related tactics, techniques and procedures (TTPs).
Threat Actor Profile: ‘ellyel8’
The ellyel8 persona was registered on the Raid Forums cybercrime forum in June 2020. The actor initially offered leaked databases and credentials but was active on the forum for less than a month before being banned for allegedly scamming. The ellyel8 persona has been active on Telegram since December 2022 and demonstrated knowledge of actors and researchers engaged in Com investigations. The actor was a member of more than 25 Telegram channels and groups, authoring more than 1,400 posts from 2023 to 2024. The groups and channels are associated with adult content, leaked datasets, malware logs and subscriber identity module (SIM) card-swapping. On chat channels, ellyel8 made unverifiable claims of data breaches and intrusions and was often unable to provide proof to back up claims. This tendency, which is a common trait among underground threat actors, somewhat clouded the initial picture surrounding the Snowflake-related breaches. However, the actor appeared to be skilled in mounting attacks centered on the compromise of authentication credentials, allowing the actor entry into systems in search of high-value data stores for exfiltration. The actor has used many monikers, including zfa, catist, elly el8, elly-el8, waifu, noctulian, Laplanius$Support and lavrentiy_beria_1488. This list is not exhaustive.
The actor ellyel8 has been a key figure within Telegram channels and groups, including Star Sanctuary and Star Chat — also known as the Star Fraud Telegram group — which collectively is one of the biggest SIM-swapping communities operating on Telegram since August 2022. SIM swapping involves tricking telecommunications companies into transferring someone’s phone to a new SIM card or virtual SIM. Controlling a victim’s phone number gives attackers leverage, allowing them to receive multifactor authentication (MFA) codes and opening other avenues for account takeovers. This technique has often been used in thefts of cryptocurrency and enterprise intrusions. These Telegram groups are also associated with other types of underground activity, including caller services, checker services, other MFA bypass methods, phishing-as-a-service (PhaaS), access brokering, personal information lookup services, SMS spamming and violence. Two other suspected high-profile actors with the Star Sanctuary ecosystem, Noah Michael Urban (Sosa) and Tyler Buchanan (Tylerb), have been arrested.
Similar to other Com actors, ellyel8 frequently made racist and misogynistic comments and threatened information security professionals. Those comments, some made under other monikers linked to ellyel8 and zfa, have included calling for slitting the throat of a prominent information security company founder and for waterboarding a security researcher.
Snowflake Accounts Compromised
The most far-reaching data breach of 2024 was not a single breach but rather a string of breaches involving Snowflake. In May 2024, large organizations that used Snowflake began disclosing data breaches. However, Snowflake found no vulnerabilities in its systems. Incident response investigations conducted by Mandiant concluded the intrusions occurred following the theft of login credentials for the affected organizations’ Snowflake accounts by information-stealing malware, including Vidar, RisePro, Raccoon stealer, Lumma, RedLine and Meta (see blog post “RedLine and Meta: The Story of Two Disrupted Infostealers”). In some cases, those credential thefts occurred on work computers that had been used for gaming or software downloads, which often result in the inadvertent installation of malware. The credentials, some of which were collected by infostealers as far back as 2020, accessed accounts that did not have MFA enabled. Mandiant notified 165 organizations whose Snowflake accounts may have been unlawfully accessed. It is conceivable, however, considering Snowflake’s large customer base, that many more organizations may have been affected. Mandiant attributed the activity to the group UNC5537, which it determined was systematically compromising Snowflake customers, then mounting extortion attempts and selling the data on cybercrime forums. Mandiant attributed UNC5537 to individuals in North America who collaborated with another individual in Turkey whom this post will address later.
On May 2, 2024, the actor ellyel8 — using the @judische Telegram username — made the first Snowflake victim-related comment, claiming to have hacked Santander bank. Three weeks later, new threat actor personas appeared on cybercrime forums attempting to sell stolen data from large companies. On May 23, 2024, the actor whitewarlock posted an offer on the Exploit underground forum to sell a dataset allegedly exfiltrated from Santander. The actor claimed the compromised data impacted subsidiaries in Chile, Spain and Uruguay and sought 30 bitcoins (about US $2 million) for the information. A week later, the actor lowered the price to US $1 million.
On May 27, 2024, a new member of the Exploit cybercrime forum, the actor SpidermanData, offered to sell a dataset allegedly with 560 million user records purportedly exfiltrated from Live Nation Entertainment Inc. and the Ticketmaster Entertainment LLC subsidiary. The actor claimed the leaked data included email addresses, full names, partial payment card data, residential addresses, phone numbers and ticket order information for customers. The total volume of exfiltrated data allegedly was 1.3 TB. The actor sought US $500,000 for the dataset and claimed to be ready to conduct a transaction via an escrow provider.
Another moniker, Sp1d3r, was registered on the BreachForums cybercrime forum, which also offered to sell information from intrusions linked to ellyel8. Additionally, the actor ShinyHunters posted an advertisement for the Ticketmaster data.
On June 5, 2024, sp1d3r offered to sell a 3 TB dataset, which allegedly included personal data for 380 million customers, data from 44 million loyalty cards, sales history and employee personal data exfiltrated from the North Carolina, U.S.-based automotive aftermarket retailer Advance Auto Parts Inc. The actor sought US $1.5 million for the dataset and claimed to be ready to conduct a transaction via the forum’s escrow service. A sample was provided as proof of the claim.
As all of this stolen data appeared on cybercrime forums, in the background were ongoing extortion attempts aimed at coaxing victims into paying ransoms for data to be deleted. These negotiations did not appear to be occurring directly between ellyel8 and those affected but instead in part via a cyber threat intelligence researcher going by the moniker Reddington. Reddington offered a negotiation service, acting as a go-between for attackers and victims. This arrangement surfaced publicly in a 404 Media story Sept. 20, 2024.
In some cases, it appears that intrusion victims were successfully extorted. On July 12, 2024, the Texas, U.S.-based telecommunications company AT&T Inc. disclosed a data leak of phone and text records of "nearly all" of its customers. In a press statement and in a Form 8-K filing with U.S. authorities, AT&T revealed the “customer data was illegally downloaded from [a] third-party cloud platform” between April 14, 2024, and April 25, 2024. Not long before AT&T’s given time span for the breach, ellyel8 — posting under yet another alias, Gelöschtes Konto — claimed April 3, 2024, to have compromised AT&T (see image below).
Wired reported July 14, 2024, that based on blockchain data and comments from the actor Reddington, a bitcoin ransom of about US $370,000 was paid to have the data deleted.
The actor ellyel8 is believed to have conducted most of the Snowflake-related intrusions alone save for one partner: the actor John Erin Binns aka IRDEV, IntelSecrets, V0rtex, SubVirt. Binns, a U.S. citizen, was arrested in May 2024 in Turkey. Binns was indicted in the U.S. in March 2022 for allegedly breaching the systems of T-Mobile in 2021, exposing data on 48 million subscribers and then trying to sell it on. The indictment, which is under seal, surfaced in the media, and a related court document not under seal was published. The U.S. continues to seek Binns’ extradition.
By early September 2024, ellyel8 appeared to be under increasing pressure, indicating a belief that arrest may be imminent and had a plan to cease criminal activity. The actor claimed to have an inventory of stolen data that encompassed undisclosed managed service providers (MSPs) and telecommunications companies. The actor deactivated some related Telegram accounts in an apparent effort to be less visible.
Assessment
The Snowflake intrusions highlighted how the pervasiveness of infostealer malware can lead to significant supply chain breaches. Numerous marketplaces and other sources such as Telegram allow attackers to easily purchase login credentials for specific companies and services that have been collected by infostealers. The distribution of infostealers is constant and relentless, as malware distributors disguise infostealers as benign files, software and games. The lack of MFA on the Snowflake accounts allowed these attackers to immediately capitalize on those credentials, successfully extorting some organizations.
These attacks were not sophisticated, but rather represented a highly opportunistic use of cybercrime-as-a-service data available in underground markets and weak identity and access management (IAM) controls. It proved to have a devastating effect on dozens upon dozens of organizations and ultimately, on individuals whose sensitive information was exposed. While awareness of the need to employ MFA on accounts that have access to highly sensitive data is wide, organizations should audit their IAM systems to ensure the security controls are commensurate with the threat environment. These threat actors run highly targeted phishing campaigns often in combination with social engineering to gain access credentials, reset MFA tokens and ultimately gain footholds into organizations to steal valuable data. At the end of this post are recommendations for strengthening defenses against phishing, social engineering and account takeover attempts.
The arrest of this particular actor adds to several others made so far in 2024 in the sphere of Com. However, these dispersed groups of threat actors are very large, collectively comprising as many as 1,000 individuals. Law enforcement investigations continue, but are intensive, long-running and difficult. More broadly, Com-related activity continues at a steady pace. In one example, Intel 471 has monitored a campaign since August 2024 run by a likely Com intrusion cluster that targets reseller stores of large U.S. telecommunications providers. The campaign is primarily aimed at harvesting employees' login credentials and MFA codes, which enables attackers to gain unauthorized access to the victim’s professional resources, which could be used for SIM swapping and looking up personal information. From Aug. 13, 2024, to Oct. 9, 2024, we identified 41 new phishing sites potentially linked to the intrusion cluster.
These sites were sometimes only live for short periods that ranged from 30 minutes to 1 1/2 hours. These short time periods capitalize on the window of opportunity before a site is flagged by anti-phishing blacklists as well as thwart security researcher analysis. When a phishing site goes live, actors quickly call retail employees using Google Voice accounts and try to get them to visit and enter credentials. If entered, the credentials are sent to a group chat via a Telegram bot. While one engages the victim on the call, another quickly inputs the stolen credentials and MFA codes into the actual service website. Despite possessing substantial resources to target company employees, the group's attacks often fail due to victims recognizing irregularities. This may indicate increased awareness among employees in the telecommunications sector regarding phishing attacks. Nevertheless, the group persists, which suggests it still perceives benefits in targeting company employees.
Tactics, Techniques, Procedures
This report uses the MITRE Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) framework. The actor’s ellyel8’s TTPs include:
Maintaining accounts on underground forums and instant messaging (IM) platforms.
Engaging in SIM-swapping attacks.
Bypassing MFA.
Obtaining harvested information stealer logs.
Committing physical threats to cybersecurity researchers.
Possibly compromising email accounts and corporate networks.
Threat Hunting Infostealers
Intel 471’s HUNTER471 platform has a collection of detection packages that have been specifically put together to help organizations detect in their security information and event management (SIEM) platforms or other logging systems as well as prevent infostealers such as the ones used related to the Snowflake incident. Register for the Community Edition of HUNTER471 to get access to free threat hunt packages and visibility into other ones that could help your organization. The image below contains a small sampling of the infostealer threat hunting packages in HUNTER471.
Phishing Mitigation Strategies
Phishing is one of the most common attack vectors Com-related cybercriminals use. Common mitigation strategies organizations can implement according to the MITRE Detection, Denial and Disruption Framework Empowering Network Defense (D3FEND) knowledge graph of cybersecurity measures include:
Harden
MFA: Though these intrusion clusters are effective at circumventing MFA, it still provides a useful layer of security that can delay an actor gaining access to a network.
U2F: Use the Universal 2nd Factor (U2F) authentication that involves a physical hardware key that interacts directly with the website. If the domain displayed in the browser's address bar does not match the domain expected for the connection, the communication will be interrupted. This security measure ensures the authentication process can only proceed with the correct, designated domain.
Least privilege access: Apply strict access controls across all technology stacks to ensure users have only the permissions necessary to perform their tasks, minimizing potential breach impacts.
Conditional access policies: Implement conditional access policies that evaluate authentication requests based on identity-driven signals such as IP address location and device status.
Detect
URL analysis: Scrutinize URLs to ensure they are legitimate and if uncertain pass them to the security team for further analysis.
User behavior analysis: Establish a baseline of normal user behavior to detect anomalies. Monitoring for irregular activities can help identify potential security breaches early.
Monitor logs for suspicious activity: Continuously monitor system logs for suspicious logins and other indicators of initial access attempts that exploit cloud identity.
Prevent
Employee awareness training: Conduct regular training sessions for employees to recognize and respond to smishing and phishing scams. Teach them how these scams operate, how to identify phishing texts or emails and how to report them.
Teach identification of adversary-in-the-middle (AITM) phishing pages: Train employees on how to identify AITM phishing pages used to capture credentials and secondary authentication tokens, focusing on URL and website content scrutiny.