Know Your Adversary Podcast

EP7: KYA – Investigating the T-Mobile Hack: Direct Threat Actor Engagement with John Binns

Episode 7 | December 8, 2021

Our guest is ShadowByte Head of Research, Vinny Troia, a security researcher who directly interacted with John Binns.

In Episode 7 of Know Your Adversary™, we detail the compromise of T-Mobile disclosed in August 2021. A typical compromise of a sophisticated production network starts with an unwitting employee executing malware on their device. The threat actor then spends significant time moving laterally from the corporate network to the production network.

However, in August 2021, John Binns, a US citizen living in Turkey, disclosed that he had compromised T-Mobile customer data by directly accessing the T-Mobile production network. While he initially stated his motivations were in response to physical abuse by nation-state governments, further investigation indicated that Binns was driven primarily by financial gain.

Our guest is ShadowByte Head of Research, Vinny Troia, a security researcher who directly interacted with John Binns. Listen now to learn the details of the attack execution and the motivation of John Binns.

Key Takeaways Covered:

  1. Like any enterprise, cyber-criminals are generally financially motivated; gathering enough data, including interacting directly with the threat actor and conducting the proper analysis, can peel back the motivations and provide context.
  2. The proper context can show whether an organization is a target of attack or a target of opportunity, and this does not need to be a costly endeavor. This can then inform the proper security controls.
  3. Outcomes facilitated by public enforcement:
    1. Disclosure of attacker TTPs, victimology
    2. Attribution (when we have it)
    3. Share IOCs
    4. Provide context
  4. Further, sometimes attribution and unmasking are the strongest deterrents to malicious activity. Some examples of this working effectively are:
    1. Contacting the perpetrator’s family members or employer and demanding that they stop
    2. Law enforcement conducting a “knock and talk” without prioritizing prosecution
    3. Rolling back anonymity by filing civil lawsuits and sending cease and desist letters
    4. Working with law enforcement to prioritize prosecution
    5. Security controls
    6. Administrative termination or account deletion