Court documents unsealed Monday show that US authorities have arrested a 20-year-old soldier, Cameron John Wagenius, charged with two counts of selling or attempting to sell confidential phone records without the customer’s authorization.
But behind the scant details provided in the charge sheet submitted to the US District Court for the Western District of Washington at Seattle lies a much bigger story, according to cybersecurity journalist Brian Krebs.
The phone records Wagenius is charged with selling could include those of Vice President Kamala Harris and President-elect Donald Trump, part of a trove of AT&T and Verizon call records leaked in November by a hacker using the moniker ‘Kiberphant0m’.
According to Krebs, the authorities now believe Wagenius is Kiberphant0m, one of the main protagonists of the UNC5537 hacking group that carried out a series of attacks on Snowflake customers.
Another alleged member of that group, Connor Riley Moucka (aka ‘Judische’), was arrested in Canada in November. A third person accused of being involved in the Snowflake incident, US citizen John Erin Binns, was arrested by the Turkish authorities in May in connection with a separate 2021 attack on T-Mobile.
In the case against Wagenius, the military connection looks significant. Krebs reported in November that analysis of Kiberphant0m’s online accounts by researchers dating back to early 2022 uncovered hints that he might be a US soldier recently based in South Korea.
Researchers including Unit 221B’s Allison Nixon were able to join some of the dots traced by the hacker’s at times careless and boastful online activity across multiple personas and platforms. As documented by Nixon on Bluesky, this included hackers issuing threats to her and other researchers trying to connect online personas to real identities.
The evidence found during this research was revealing enough to suggest it was only a matter of time before the real identity of Kiberphant0m was uncovered.
Sharing responsibility for security
Before the Snowflake breach, the company’s name was just another link in today’s business supply chain, the kind that usually gets almost no attention. Then it turned out that numerous enterprises were using it to store large amounts of sensitive company data.
Some of those accounts were protected with nothing more than a password and username, in other words with no multi-factor authentication (MFA) enabled. That gave the hackers an idea: why not scour darknet forums for the passwords and usernames to break into those accounts?
This hunch led to an estimated 160 Snowflake customers having the data they stored on the platform breached, including Ticketmaster, Advance Auto Parts, Neiman Marcus and Santander. The criminals demanded ransoms, receiving at least $2.5 million from unnamed victims, it was later alleged in court documents.
What was Snowflake’s responsibility in this? Arguably, none. It was up to customers to turn on MFA if they chose to, and to keep their password credentials secure. While true, this led to criticism that if there was a way for admins to enforce MFA on their Snowflake users, it was neither easy to implement nor enabled by default.
It’s a good example of grey areas that still afflict the shared responsibility model of cloud security: which security controls should be left to customers, and which are the platform’s job?
In September, Snowflake announced that from October all user accounts would have MFA enforced by default, with the minimum password length raised from eight to fourteen characters.
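For an admin who does not want to wait for a platform default, the two controls discussed above (a fourteen-character password minimum and mandatory MFA enrollment) can be set at account level with Snowflake's password and authentication policy objects, and password-only logins can be audited from the LOGIN_HISTORY view. This is an added example, not code from the article or from Snowflake; the database, schema and policy names are assumed, and the thresholds are illustrative.

```sql
-- Assumed container for policy objects (hypothetical names).
CREATE DATABASE IF NOT EXISTS security_db;
CREATE SCHEMA IF NOT EXISTS security_db.policies;

-- Password policy: raise the minimum length to fourteen characters,
-- matching the new Snowflake default, and lock out after repeated failures.
CREATE PASSWORD POLICY IF NOT EXISTS security_db.policies.strong_passwords
  PASSWORD_MIN_LENGTH = 14
  PASSWORD_MAX_RETRIES = 5
  PASSWORD_LOCKOUT_TIME_MINS = 30;

ALTER ACCOUNT SET PASSWORD POLICY security_db.policies.strong_passwords;

-- Authentication policy: every password-authenticated user must enroll in MFA,
-- so a username/password pair bought on a forum is no longer enough on its own.
CREATE AUTHENTICATION POLICY IF NOT EXISTS security_db.policies.require_mfa
  MFA_ENROLLMENT = REQUIRED;

ALTER ACCOUNT SET AUTHENTICATION POLICY security_db.policies.require_mfa;

-- Audit: which users logged in over the last 30 days with a password and
-- no second factor? These are the accounts an infostealer-sourced credential
-- list would have opened. LOGIN_HISTORY lags by up to a couple of hours.
SELECT user_name,
       COUNT(*)                  AS password_only_logins,
       COUNT(DISTINCT client_ip) AS distinct_source_ips,
       MAX(event_timestamp)      AS last_seen
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
GROUP BY user_name
ORDER BY password_only_logins DESC;

-- Detection: source addresses that failed against many distinct usernames in
-- one day, the signature of a credential list being tried against the tenant.
-- The threshold of 20 distinct accounts is an assumed starting point.
SELECT client_ip,
       DATE_TRUNC('day', event_timestamp) AS day,
       COUNT(DISTINCT user_name)          AS usernames_tried,
       COUNT(*)                           AS failed_attempts
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD(day, -7, CURRENT_TIMESTAMP())
  AND is_success = 'NO'
GROUP BY client_ip, day
HAVING COUNT(DISTINCT user_name) >= 20
ORDER BY usernames_tried DESC;
```

Service accounts that cannot complete an MFA prompt should be moved to key-pair or OAuth authentication rather than exempted from the policy.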