- Unmasking cybercriminals is hard work, depending on their operational security, but imagine if the attribution of a major hack of a telecommunications company was as easy as querying a Department of Homeland Security employment verification database. That's the story of the August 2021 attack against T-Mobile, in which a man by the name of John Binns, a US citizen residing in Turkey, came out and admitted to conducting the attack that resulted in millions of compromised customers being leaked to the internet. While the unmasking was uncharacteristically easy, determining the motivation was a bit more of a challenge, and ultimately, the most interesting part of the story. Was it your typical financial motivation? Or is it deeper than that? This is the seventh episode of "Know Your Adversary". Let's set the stage with some context. In August 2021, the "Wall Street Journal" reported a Virginia native living in Turkey named John Binns admitted being the driving force behind a massive attack that compromised over 15 billion customers of telecommunications giant T-Mobile. According to the story, the breach was allegedly done to retaliate against the US for the kidnapping and torturing of Binns in Germany by the CIA and Turkish intelligence agents in 2019. The breach compromised names, addresses, dates of birth, phone numbers, even IMEIs and IMSIs, which are the mobile handset numbers and SIM card identifiers corresponding to a customer's unique phone number, or what's called an MSISDN. Reading the "Wall Street Journal" article, it almost sounded made up. Why would someone under their real name come right out and admit to compromising a major telecommunications giant like T-Mobile? Let's dive in.

- Funny thing, you know, I wasn't necessarily involved in the investigation. I just thought it was a really interesting story.

- This is Vinny Troia. Vinny is a well-known security researcher who investigates cyber crimes and often engages directly with the threat actors.
- You know, I'd heard, I'd seen some chatter online and I just decided to reach out to him. I mean, he was certainly accessible. I mean, we were both in a couple of private chat rooms together, and so I just, honestly, I started talking to him. He goes by IRDev online. The story had come out, I think by "Wall Street Journal" and a few others, that his name was John Binns, and I had spoken, you know, extensively with Bloomberg at the time 'cause nobody had really confirmed whether or not his name was even Binns. No one seemed to have any confirmation. It's just like, this is what information was floating around, and nobody really knew if he was just taking on someone else's persona or if this was really him, right? I mean, it's just, this is a name. He basically came out, said, "Hi, I'm John Binns. I hacked T-Mobile." Like, who does that, right?

- I can tell you from doing these types of investigations the last six years that hardly ever did hackers come out with their real name and admit to violating the Computer Fraud and Abuse Act. Furthermore, many times when recruiting intelligence assets, they often indicate their motives are far reaching, and what is reality, including saying they are a victim of abuse. It can often take months and sometimes years to find out the real truth of what the motivation is for a crime, if you ever find out. So what's the harm in reaching out to him and finding out?

- So I decided to reach out to him and I started talking to him, and the first thing that I found, sort of, right away, he has a very colorful history, right?
He is currently living in Turkey and he is upset at the US for what he believes, basically, he believes that members of the US government were involved in allowing him to be taken by the German government and tortured by them, and so he's come back, I guess, from being arrested over there, and he's very upset, obviously, at the US and all these other governments, because he feels that he was detained unlawfully and tortured by them. And so, this was the first time I'd ever come across a hacker with that kind of a story, right? So there was that aspect of it, but then, you know, he and I, you know, the more we talked, he really wanted me to know that his hacking of T-Mobile wasn't really, wasn't like a traditional, "Hey, I'm gonna hack you and sell your data," kind of thing. It was really politically motivated, and this was like a, "I wanna get everybody's attention," kind of thing, and "Hey, look what I did. I did this because the US government sucks," so that's kind of where our conversation started, and he was really upfront about everything, and the more you talk to him, I don't know whether or not the stories are real, right? I know he believes them, or at least I believe he believes them, and, you know, I don't know. Maybe he needs to be medicated. Maybe these are delusions. Maybe they really happened. I honestly can't say. What I can tell you is he really believes that this stuff is real.

- In his mind he believes they're real, but do we honestly believe this? While Turkey may have questionable human rights, at least according to what's in the media, I don't believe the Germans have a reputation for torturing people. This doesn't sound real, and is probably just a cover for the real reason why he hacked T-Mobile, which is almost certainly financially motivated, but how did Vinny actually validate it was John Binns from Northern Virginia? Let's start there.

- He and I had done a couple of video calls together.
Basically he wanted to prove to me who he was and he did, and, you know, I was still skeptical about his identity, and so I looked him up in places like LexisNexis, where you can get people's social security numbers and stuff. So the Department of Homeland Security allows employment verification. They have a website you can go to and verify that people are real when you're wanting to hire them, and so I ran him through their employment verification system and he kept coming up as invalid, so I was like, "Okay, what the ?" So I told him, I'm like, "Dude, your story's not checking out. This is what I did. I put in your social. What's up?" and he's like, "Oh no, no. That's not my social. That was a social I gave, I basically, I signed, tried to sign up for a credit card with the wrong social, and that's the number I gave them, but here's my real social security number." I'm like, "Okay," and it was off by a number, so fine. So I went back to DHS's website and I ran it again and sure enough, it came right up, John Binns. It even gave me his passport photo. I'm actually looking at it right now, and sure enough, it was the exact photo on his passport that he shared with me, so it's like, "Okay." He was a real US citizen. So that was interesting. So, okay, so now we have this guy who hacked T-Mobile, who came out and said, "Hey, I hacked T-Mobile and this is really me," and it turns out that it's actually him.

- This has to be the easiest attribution case in history, so far. A query of the actual social security number, just one digit off from the first one given, was valid in the Department of Homeland Security employment database and matched the passport photo. That part checks out. I'm not sure about his motivation, but at least his identity checks out. But how did he execute the attack?

- He shared a lot of details about the T-Mobile hack, and I don't know how much of this stuff has been published.
I'm not sure much of it, but he basically explained to me, and this, honestly, it was pretty new to me. There were like these GGSN 3G nodes, I guess that are telephone nodes, and he said he used a software called sgsnemu, S-G-S-N-E-M-U, that essentially allows him to connect to any of these GGSN servers, as long as he has, basically, what was like an ASN number to the server, and the ASN numbers are all public information is what I'm finding out. You can get a list of these GGSN servers and, you know, which company is assigned to which ASN number, and apparently with this tool, you can just connect to them and you don't need a password to log in or anything. So this was discovered, I think in 2016, when T-Mobile was hacked the first time, and he used the same information to get into the same node, and while he was in, he was able to somehow tunnel into T-Mobile's production network by essentially brute forcing their passwords, and what I thought was really interesting is he said he spent about a week going through different passwords and different employees and trying to get in, but ultimately, he got into the Oracle servers by using the password "oracleoracle", and he's like, there were others where it was literally just like "routeroute" or "adminadmin", and it blew his mind, and honestly, it kind of blows mine.

- As usual, this gets complicated, and so let's break this down for someone who isn't technical in telecommunications networks. A GGSN or gateway GPRS support node is part of a core network that connects GSM-based 3G networks to the internet. Also known as a wireless router, it works in tandem with an SGSN or serving GPRS support node to keep mobile users connected to the internet and IP-based applications. Telecommunications networks are complicated, but at the most basic level, this router infrastructure keeps users connected to the internet and allows them to start an internet session at any time.
So what he did was he emulated some tooling that tested 3G infrastructure's wireless routers, and guessed the right passwords to break into the infrastructure and tunneled to the production databases that hold sensitive T-Mobile customer data, and just like that, he compromised T-Mobile. "routeroute" and "adminadmin" are typically the highest privilege accesses in a Linux environment, which makes up most production networks. Simple password combinations are still the primary way to compromise major production databases, and security professionals always scream bloody murder that this is usually too easy, and it usually is, but on the flip side, you have to look at it from the view of the administrator. Imagine if you had to be responsible for hundreds of thousands of username and password combinations. A lot gets overlooked and passwords don't get changed often. So how sensitive was the data that he exfiltrated?

- While he was there, you know, he was pivoting around all their databases and he actually sent me a list, basically, of different T-Mobile databases, and there's literally thousands of them, but the one they grabbed was called "Onyx", which was the main customer data, and then, they also grabbed another one, like it was prepaid mobile data, which contained IMEI numbers and phone IMSISDN numbers, and even PIN numbers for these phones, which I thought was really cool, and that became the data. And it was, you know, I think there was like 110 million records and John shared it with me. You know, I told him, "Like, look. We run a website called breachcheck.io, and it's essentially like a 'Have I Been Pwned?' The difference is, if you put in your email address, we won't just tell you that, you know, your email has been listed in a breach. We'll actually give you back the data that was breached so you have some idea of what data was exposed. You know, we'll send you a document with your passwords or your, you know, any API that was exposed, et cetera."
So I said, "Look, if this is really a political statement, why don't you just give me the data for the site and let me notify the customers, let me put it out there that we've got this data, and then if they want to see, you know, their data's been exposed, they can look it up?" and he did. He gave me a full copy of the database and we loaded it into the platform and now people can search for it. People can search for their phone number, but I mean, it was cool of him, right? I mean, typically, traditional hackers won't do stuff like that. They're not gonna give you a copy of their data so that you can inform the public. And so, that was definitely pretty cool.

- Pretty cool that he hacked a major telecommunications database and gave up the data so easily that victims could be alerted? Something isn't making sense. He walked right in that easily? Usually how these attacks work is an attacker phishes some low-level IT employee that's on the corporate network, and then they have to escalate to administrator and they wait for them to access the production networks. They then have to spend a tremendous amount of resources compromising the entire production databases, which is oftentimes the customer lists. Sometimes, it's even geolocation tower data showing which phones connect to which towers, and then after all this is done, and after all this is collected, they have to exfiltrate it, and they typically exfiltrate it out through some corporate network or they have to find their production network exfiltration path, but he didn't have to do any of that. He just walked right in through some telecommunications infrastructure.

- He walked right in.
I mean, it's essentially like he had a web browser that allowed him to connect to different cell phone networks would be a really simplistic way of putting it, and this is where it gets sticky, so I don't know enough about how these old 3G networks operate to really know kind of where in the stack he was, but when he is telling me that, and this was reported, as well, but when he's telling me that he was able to get right into these GGSN servers, I believe that.

- So a simple brute force of a GGSN router allowed access to all this production mobile subscriber data?

- I don't know. I just don't know where in the stack that fits. You know, looking at the list of databases that he gave me, there's a lot of databases here. I mean, there's even some law enforcement databases. There's a lot of stuff here, and so he only grabbed what appears to be like the customer database and the prepaid customer database, as well. Now, I don't know if there's others lingering around, but I mean, at the end of the day, it was about 110 million records, and when we did our analysis on it, about 54 million unique social security numbers came out of that, so it's a lot of people.

- Sure is a lot of people. So how did T-Mobile find out?

- I don't remember how it came out. I don't think he informed T-Mobile. I feel like the story came out. Somebody reported on it that somebody was selling the T-Mobile data, if I remember correctly, and when this reporter reached out to him, I don't know if it was Joe Cox or Lorenzo or one of those guys reached out to him, and he basically just, he gave them the information on the story. He said, "Hey, look, yeah, I acted. I'm John Binns. This is my info," and he went with it.

- So he's out there on the internet, putting this data around. Going back to the original points, that he did this for political gains, supposedly. Or did he do what every other hacker does and sell it for profit? That would make more sense. Let's find out.

- He did sell it.
Admittedly, he did sell it to one person who supposedly was out of China, and I think he got a couple of hundred thousand dollars for it.

- Ah, here we go. Sold it to someone out of China for a couple of hundred thousand dollars. This is starting to make more sense. Who did he sell it to?

- No, and I wouldn't ask.

- Dang. That would have been a good piece of information, to learn who he sold the information to. A couple of hundred thousand dollars to someone in China has me thinking of a lot of different espionage scenarios. Someone who had paid John Binns for T-Mobile customer data, but alas. After he sold the data, you saw these copies of it? What kind of infrastructure was he hosting for all this?

- I mean, he's got his own Elastic server running with the data still on it, and actually, you know what? Looking at it, he sent me some screenshots. There's some databases here with different ISDN numbers. Like, one of these databases has almost a billion records. I don't even know what this is, but the records go back to 2004 and these are different IMEI numbers that are associated with phone numbers, and then the customer database looks like 58 million.

- So clearly his motivations are hardly political. He was financially motivated and perhaps politically motivated, but it still seems like a far-fetched story. That has to be pretty rare compared to most hackers out there.

- I think it's a little bit of both. I think he hacked T-Mobile because there's certainly monetary gain there, and there's a huge target, and why not, right? But at the same time, I think he also did use it as a platform to say, "Hey, look at me," you know? And he was sort of waving his hands around saying, "You know, I feel like the government has wronged me." And, "Hey." He got the media attention he wanted, so I mean, mission accomplished. But anyways, going back, I mean, I've never personally been in contact with anybody who's done these types of hacks that have had this type of political motivation.
One of the big hackers now is this kid PomPompurin, who I believe was also at the core of like Shiny Hunters and Gnostic Players and a lot of those old groups. He's just dumping databases all the time. Most recently, he dumped a database for ActMobile, which is the parent company of FreeVPN, and so, you know, he released not only all their user records, but all of the IP addresses and connection logs for the VPN. So, that's really interesting data to have. And I mean, he just dumps it all just right out there for no reason whatsoever. I mean, he claims he has no financial motivation, which I don't necessarily believe. I think a lot of it is media attention, but he's certainly a different MO, right? But I think the majority of these guys, at some level, are financially motivated.

- As a corollary, just to understand how ransomware actors get unmasked and attributed, and honestly understand how difficult it is compared to this case, listen to Vinny describe.

- There's a lot of threat intelligence software tools out there that will allow you to search through historical records and things like that, and a couple of years ago, when I had first started looking into some of these groups, the Dark Overlords, specifically, I ended up developing my own software to do this because I, you know, I wasn't really feeling a lot of software that was on the market. It just, it didn't really have a lot of what I needed, so I just kind of wrote my own, and as I was doing that, you know, we're compiling all these databases and all these forums, and, you know, we were sort of writing all these scrapers, and the whole point of all of this was basically to keep an eye on certain aliases, number one. So whenever they would post anywhere, we'd get information on what they were posting about. We could see, like, active chat logs, things like that, and they often drop clues, especially when they argue with each other.
It's so funny to watch when hackers start going at each other, 'cause there's always, like, conflict, and then they always end up leaking information about each other, so that's fun. You just kind of have to watch out for it, and then basically, once you have a little bit of information to go on, whether it's just a username or email address, you can start to kind of go backwards and look through some of the data breach history of saying, "Okay, well, this username is associated with this email address," or, you know, vice versa, and then we can start recursively searching and looking for similar passwords because, I mean, criminals reuse passwords, just like everybody else, and so one of the main actors that I had mentioned involved with the Dark Overlord and some of these other groups, he had this one password in particular that he used a lot. I think it was like "brown2cow1s" or something like that. And that password, which happened to be associated with one email in particular, opened up, literally, a gateway to easily 50 or 60 other email addresses that he was also using, and that gave us more of his aliases and more of his usernames, and so it, essentially, becomes like this big tree of information that you just start to map out. And so, I mean, I use like a mind-mapping tool called MindNode and I literally just draw out the connections and, you know, just being able to really keep a handle on all of that is, I've learned throughout the years, to just take better notes and take screenshots of everything. I regret so many times just not having taken that one screenshot that I needed like a year later. For anyone doing this, I mean, just be as diligent as possible. That's like the one piece of advice I can really give you. Just take screenshots of everything, if you can.
- What Vinny's describing is a combination of art and science, mixed in with hackers talking smack about each other and being in the right forum to catch the right potential clues about their real personalities to match up with their online life. We call this stylometric attributes, matching selectors by the hundreds that can unwind it all the way back until the hacker makes a mistake and matches his hacker life with his real life. And that's how you get them unmasked and attributed. As I've described in numerous podcasts before this, this is what Nisos and so many online investigators like Vinny do so well and have so much success with, but it's not always easy, and sometimes it takes months and even sometimes years to unwind these cases, depending on the sophistication of the adversary, but criminals also make mistakes. Whether it's calling their family at home or visiting their girlfriend or sending money to the wrong person, or even using a password that gives key details about their life, they always slip up and the good guys are always watching. Think any cyber criminal is immune to not getting unmasked?

- If you have the right data, I would think so. Now I will say that there are some actors, and I'm not gonna name who in particular, but there's this one actor who I'm just so impressed with because every time I've looked into him, the aliases always ended up going back to soccer players, and I know he'll listen to this, and so I'll give him a big thumbs up for that, but his aliases have aliases. Like, he has, honestly, the best OPSEC I've ever come across, and every time I think I'm getting close to figuring out who he is, it's just, I run into another soccer player's name that says he is the one who did it. It's just so funny, and you know, maybe he does happen to share a name with, like, a famous soccer player, not just, you know, I'm wrong, but he's just so good at creating all these aliases with fake names associated with them.
Like, he's left a trail, like years long, of different fake information. I mean, it's really impressive, and so, some of the better actors you'll find that with, and so, in this case, I mean, he's just, he's really slick, and so, the guys who've been around for a long time, I mean, you can tell. You know, typically people will, I mean, deny, deny, deny, right? And it's funny, like, when I've unmasked people, they'll go out of their way to say that I'm wrong and that I suck at what I'm doing because my information is wrong, and they really, like, go out of their way, but I gotta be honest. If I was wrong in naming them, they wouldn't really care, right? I mean, because I named the wrong person, no big deal, but obviously the more that they care, like, the more I know I'm right. So here's the thing. I'm always skeptical when people come out and say, "I'm this person," because usually, like, usually there's a lot of people who dox themselves with fake information just to throw you off, and that's pretty common.

- Doxing is a term for when a hacker gets unmasked on the internet, typically by other hackers, but sometimes they even dox themselves to throw investigators off the trail.

- So even this PomPompurin kid, there's plenty of doxes that they've put out, literally, about themselves, which is completely fake information. There was just one document I saw on him that, you know, led back to, I think, a police officer in Italy or something like that. It was something just outrageous.
Meanwhile, I know he's this kid who's living out in Calgary, and it's pretty common for people to put out these fake doxes on themselves just to, like, throw off law enforcement or anything like that, and so with, with Binns, it was different because I had gone in with that assumption that, "Okay, there's no possible way that this guy did this hack and it's really him," and so verifying that he was real took, you know, a bit of effort and honestly, give it up for the Department of Homeland Security's employment verification system. If it wasn't for that, I'd still have questions.

- Thank you to Vinny Troia for joining "Know Your Adversary". While unmasking is often difficult, sometimes it's helpful to have full context behind the adversaries on why they do what they do. Sometimes, it's not financial motivation. Sometimes, it's espionage and political ideology. Sometimes, it's a combination of both. What makes people tick is often the most interesting part of these investigations, and with the right data and the analysis, finding out the why is often the hardest, but at the same time, the most useful, because it allows companies to understand their adversaries and make determinations if they are a target of opportunity or a target of attack that should involve more resources to reduce and eliminate the risk. In the end, the business exists to make money, just like the adversary's. And when we're enterprised with information to make the bad guy's job harder, sometimes it's all we can do, and this doesn't need to be a costly endeavor. However, and finally, it's helpful when controls are in place to give them at least a fighting chance to make it more expensive for the adversary. Thank you for joining us.