The Microsoft Threat Intelligence Podcast 6.11.25
Ep 46 | 6.11.25

A Peek Inside Microsoft’s Global Fight Against Cyber Threats

Transcript

Sherrod DeGrippo: Welcome to the Microsoft Threat Intelligence Podcast. I'm Sherrod DeGrippo. Ever wanted to step into the shadowy realm of digital espionage, cybercrime, social engineering, fraud? Well, each week, dive deep with us into the underground. Come here for Microsoft's elite threat intelligence researchers. Join us as we decode mysteries, expose hidden adversaries, and shape the future of cybersecurity. It might get a little weird. But don't worry, I'm your guide to the back alleys of the threat landscape. [ Music ] My name is Sherrod DeGrippo. I am Director of Threat Intelligence Strategy at Microsoft. I've been in security and threat intelligence for 21 years and spent the past 19 years exclusively at Secureworks. So I was at Symantec in those days, if that means anything to many of you. I was there. Tom was there. Many of us were there, but Symantec, Secureworks, and then spending almost a decade at ProofPoint where I focus on threats to email, cloud, and network. I really, really love understanding what threat actors are doing, looking at the psychology behind their choices, and then finding ways to disrupt those threat actors so that we don't see them on the landscape anymore and we can cut them out of whatever malicious activity they're doing. And I'll go next to one of my most favorite coworkers. It's true. You're one of my faves.

Jeremy Dallman: One of the most favorite.

Sherrod DeGrippo: One of the faves. No, I have like a top -- I have like a top eight, like MySpace.

Jeremy Dallman: Okay. I'll take the eighth slot.

Sherrod DeGrippo: You're definitely in my top eight. This is Jeremy Dallman. Jeremy, I would love for you to give a quick intro.

Jeremy Dallman: Sure. So hey, everybody, Jeremy Dallman. I'm with the Microsoft Threat Intelligence Center, MSTIC. You probably read a lot of our blogs out there. My team are the ones that author those blogs and get those out. I've been at Microsoft for 22 years. I've been in security almost that entire time, a number of different roles, from everything from the operating system to the browser to security policy. Did a bunch of other things outside of security, which is kind of fun, in the Xbox space and IoT space, and then about 10 years ago now, John Lambert, who founded MSTIC, reached out to me and said, "Hey, we're going to do something serious about threat intelligence. I want you to come over and help out." So I went over and joined MSTIC and I've been there ever since. I've been a part of a lot of the different components of it. Currently, the team I own is called "Inside Microsoft." We don't use this term externally very often, but we're called "Customer-Ready Intelligence," and we're a division of MSTIC that's responsible for making sure all the intelligence that Microsoft and MSTIC collect and research on is transposed into human-readable format and connected to the detections and alerts in our products so that we can give you, the customer, the what, the why, the how, and what to do about it when it comes to a threat in your environment. So that's what my team does. Super happy to be here. I like doing these things. I like talking to customers. So hopefully have some good stories for you and give you some good guidance. Mr. Masada, over to you.

Steven Masada: Is this on? Can you guys hear me? Is that on? I want my introduction, Sherrod.

Sherrod DeGrippo: Oh, you're getting it. You ready? Okay, this is Steve Masada, you guys. So Steve works in -- there are two -- no, no, no, wait. No, no, no.

Steven Masada: I'm the CFO. We have a top eight. That's --

Sherrod DeGrippo: Oh, no, you're definitely -- you're in the top eight. Don't worry about that.

Steven Masada: This is what she wanted to say. She said, "Steven, out of all the people that I know, Steven is definitely one of them."

Sherrod DeGrippo: One of them, I -- one of the people that I know. So, okay, but the problem now is that we're getting into my favorite teams at Microsoft in addition to my favorite people. So I have two favorite teams. So one of my favorite teams is the AI Red Team. They're freaky weird. They just do very weird stuff. They're very cool. They're spooky. But the DCU, Steve works with the DCU. So --

Steven Masada: I appreciate it. Good to meet you all. My name is Steven Masada. I run the Digital Crimes Unit at Microsoft. I've been at Microsoft for about three years, so not quite as long as some of my colleagues up here. Before that, I was at the Department of Justice where I prosecuted cybercrime for about a, you know, about a dozen years or so. The Digital Crimes Unit, as some of my colleagues have mentioned, we're kind of a unique team. I would say unique to the industry, unique to the globe, to be candid. We're the team or global team of about 30 investigators, attorneys, analysts, business professionals, and we work and partner with others across the team, including MSTIC, including Ghost, some of the other groups that you may hear about in this conference and in others, and we're the ones that take that data, enrich it, and figure out where we can actually take proactive action using our relationships with law enforcement. I see some law enforcement colleagues in the room here. All right, Elvis. We're known for taking civil action. We use our legal authorities. We're the ones that will bring legal action against malware variants, nation-state threat actors, providers of cybercriminal tool sets. Throughout our history, since 2010, we've filed 31 legal actions to disrupt cyberthreats by taking down their infrastructure, identifying bad actors, and basically taking those actors offline. Hopefully, we'll be up to 32 within the next 30 days or so. So there's a little foreshadowing for you.

Sherrod DeGrippo: Before we start, I just want to mention something really cool about DCU that I love. It's very unique. There aren't a lot of organizations, companies in the world that have this team of, and I'm going to say it, Steven, wild lawyers, real wild. Like, I feel that there's a lot of lawyers at Microsoft, as you might imagine, but the kind of wild, chaotic ones go to DCU and they come up with some of the most creative concepts and ideas, like using copyright to go after threat actors, using all kinds of different legal mechanisms to cut off infrastructure, to do domain seizures, and I think that that's something that you really don't see in the commercial world, that level of creativity. So we'll get into that deeper, but that's why DCU is in my top two faves.

Steven Masada: Well, I appreciate that, and I think that's completely accurate, and I think that's a testament to Microsoft that it provides the freedom, the flexibility, and frankly, the funding for the DCU to do what it does. Other companies out there, they try to sort of replicate and to say that they do affirmative litigation, and they do, but it tends to be abuse in our marketplace or abuse of our brand name or a trademark. Our mission is different. It's much broader. It's find those threats that we can disrupt with always a customer focus. How do we protect our customers? How do we protect the digital ecosystem? In many ways, our mission can be boiled down to we're the ones that sort of meddle with those that meddle with us, and again, as Sherrod mentioned, Microsoft provides us the freedom and flexibility to just continually innovate, both legally, coming up with legal theories, really innovative.

Sherrod DeGrippo: Wild and creative.

Steven Masada: Wild and creative. You know, it's all, it's, you know, hey, I'll take wild and crazy, but both legally, but also technically. We have some of the best analysts and engineers who are always in the thinking of ways we can automate and disrupt at scale. So it's one of the unique things about Microsoft, the Digital Crimes Unit.

Sherrod DeGrippo: Yeah, if you've ever met a, like, highly technical engineering personality lawyer, hoo, they're something. So what I want to do really quickly is ask the audience, if you have a preference and you can only track one, would you rather track crime or nation-sponsored? Everyone for crime? Ooh, everyone for nation-sponsored? Jeremy, you're up.

Jeremy Dallman: Nice. I cover crime, too, but I'm going to tap you in on that one.

Sherrod DeGrippo: I know, I know. So at Microsoft, we absolutely look at both of those very seriously, as well as mis and disinformation, which we call "influence operations." We look at things like hacktivism, but the largest part of the threat landscape is always going to be those two motivating factors, nation-sponsored and crime. With nation-sponsored, obviously, those are threat actors that are tasked by their respective governments with their objectives. They take actions on those objectives to obtain espionage data or to sit and wait to do disruption or do something to affect global affairs, get into data and information, get around sanctions, and in the case, obviously, of North Korea, obtain things like cryptocurrency to finance their operations in the regime.

Jeremy Dallman: Money.

Sherrod DeGrippo: Money.

Jeremy Dallman: Yeah, make money. Also, sanctions. North Korea is big at that.

Sherrod DeGrippo: Yeah, so let's go through a little bit of the nation-sponsored landscape.

Jeremy Dallman: The approach I like to really take, though, and I've started doing this with a lot of customers, rather than telling scary stories about one Russian actor set, the way I'm trying to encourage customers to think about this is techniques and approaching the threats from a technique perspective, because most of the nation-state threat actors are using similar tool belts. They're putting the same techniques. They're all using the same techniques. So if you start in your SOC, you start going after, I don't know, Moonstone Sleet or Midnight Blizzard from Russia or someplace like that, individual actors, you're playing whack-a-mole. If you can go after the technique, you're actually going to get a one-to-many benefit from that. Sure, the old things like password spray and some of the old techniques are going to still work in some cases, but what we're seeing them do is add new tools to their tool belt or start using them more prolifically, things like Adversary-in-the-Middle attacks. We've seen a lot of device code phishing lately. So these are the kind of techniques that they're going for. The other thing we really see them targeting is the IT layer in your organizations. If Moonstone Sleet can get in, a lot of times the North Korean IT workers is another. That's the third thing I was going to bring up was, they also are leaning into humans, so where actors can't get in through technology or sophisticated actors with the resources at their disposal, they'll bring in humans, and they will use humans to social engineer their way into your organization. North Korea has become prolific at this, setting up entire companies, fake companies. 
They have recruiters who will go out and post profiles on LinkedIn, lure a candidate into a company, set up an interview, do an interview evaluation test and send them a link, and that's basically a click-fix type of problem where the person will click on this test, this Evaluate Your Skills test for an IT worker, and when they click on that link, it redirects to a website, drops them out, we're on the machine, Moonstone Sleet has an entry. They also just have a lot of IT workers that are coming in and interviewing under the auspices of legitimate U.S.-based humans and they pass the interviews. They will come in as remote workers. And then there's laptop farms that will support them, so when you do hire them, they'll route the laptops off to the laptop farm that they've employed. It'll come from a U.S. IP address. So there's humans, I won't go on, we can talk about that more later, but there's humans that come into effect here as well. So we have to think about all these different things that state-sponsored actors are leaning in on and look for new solutions to how we mitigate these threats, whether it's your HR team bolstering the background checks, having new requirements for the questions you ask in an interview, requiring them to be on the camera. Like I said earlier, blocking RMM software from being downloaded, because a lot of times the North Korean workers, as soon as they do get hired, the first thing you see them do is drop a random third-party RMM and a VPN, so then they can continue working and, you know, basically access through their farm. So those are the types of things you have to be thinking about as you think about nation-state threat actors, not just going after password spray or, you know, a Sandworm type of actor who's going to drop a malware on your machine and you can identify it at the end point.

Sherrod DeGrippo: Well, I think, like, talking a little bit quickly about North Korea, and we do have an incredibly highly trained expert on North Korea in the audience right now, so I'm going to be very careful.

Jeremy Dallman: He actually spoke on the topic yesterday.

Sherrod DeGrippo: So we're like in front of the, like, ultimate North Korea expert right now, but I think one of the things that's really interesting specifically about North Korea is that a couple months ago we found that they had two zero-day Chrome browser vulns, which, for those of you who've been in this game a long time, browser vulns are not a thing anymore. That's like wearing bell bottoms. It's the equivalent of, you know, like a pet rock. It's very vintage, it's very retro, but it's bringing that back around again where it makes me kind of feel like North Korea has a very unique personality and approach where I would say that Russia and China have relatively similar profiles a lot of the times in terms of the TTPs they go after, or the TTPs that they employ. Is everybody here familiar with David Bianco's Pyramid of Pain? So the Pyramid of Pain, essentially, is, at the bottom, we have the things that hurt the threat actors the least when you take them away, and, you know, you're talking about IOCs, IP addresses, domains, things like that, but at the very top of the pyramid is techniques, and if we can take those away from the threat actors, that hurts them the most, and I think that's kind of what you were saying in terms of looking at what they're actually doing and focusing on securing from that perspective as opposed to chasing a particular actor.

Jeremy Dallman: Yeah, exactly, because they're going to be changing techniques a lot. I mean, I'm kind of talking a lot about North Korea because they are kind of the most -- one of the most novel actors right now in the techniques that they're using. A few years ago, Iran was doing some interesting things, and doing some interesting, I don't know, like social engineering and those kind of techniques. North Korea is doing that. Like this Moonstone Sleet actor is fascinating. We've seen them, and Greg, you can chime in here, but, like, you know, they started dropping, like, I think it was PuTTY. It was like a piece of malware that they were just dropping in email, and then they moved to like a malicious PDF. Then they pivoted their techniques. They actually went out and built a full-scale online tank war game.

Sherrod DeGrippo: Oh, yeah.

Jeremy Dallman: It was like a community of -- and everybody, like, and they, you know, tried to get people on their targeted organizations, IT workers and software developers to download this tank game, and, I mean, it's a full-blown tank game with a download installer, but it was malicious. And then, you know, we saw them then get into the ransomware game, because, again, North Korea trying to offset sanctions. They tried to get in -- they got into the ransomware game and they had -- they built their own ransomware. I think it was called "FakePenny," I think is what we called it. Then recently, we've seen them actually pivot from even using their own ransomware to using Qilin, which is a mainstream ransomware offering, and now they're basically a ransomware service broker for Qilin. So, you know, it's an actor from North Korea that's really diversifying their tool belt, as I started with, and using everything they can to throw into this. China's using all the more same novel types of things that they have for a long time, continued sophistication, building their own malware, exploiting zero days. They love to go after the network devices, the VPNs, the RMMs, those kind of things to get in and infiltrate and then exfil and do their work. But the novel kind of cool stories come out of North Korea, and those are actually the challenging ones because it brings in your HR department. Who would have thought your HR department was going to get involved in, like, countering a state-sponsored actor?

Sherrod DeGrippo: We've seen some of the samples, too, of the fake driver's licenses that the North Korean IT workers upload and it's quite interesting to see.

Jeremy Dallman: They're getting better, though. They're actually using AI.

Sherrod DeGrippo: No, they're using AI to create profiles and create documentation that proves that they're legal to work and things like that, and just to be clear, a strange twist on that is that they actually do the work. The assignments from the contracts they're given, they write the code. It might not be super high-quality code, but they do the work, which is, I think, another perplexing aspect of that. It's sort of, you know --

Jeremy Dallman: It's persistent. It's just a different way of persisting.

Sherrod DeGrippo: And there's also a weird aspect of, like, labor. They're having to put in the work to get the espionage and the financial gain. So it's a very interesting threat landscape there. I want to talk really quickly about China specifically.

Jeremy Dallman: Sure.

Sherrod DeGrippo: We see China active all the time. They're very well planned out. They're operationalized. They have objectives and march towards those. And then a couple of years ago, I guess it's been maybe two years now since Volt Typhoon really started. We started seeing, you know, attacks against U.S. critical infrastructure from a threat actor group known as "Volt Typhoon," and it was a really interesting one for me, particularly because they held access at those critical infrastructure organizations and didn't exfil data, particularly because these places don't really have a lot of great espionage data, right? Like a water plant, an electrical company. What do they have that's of espionage value? And that was when I think a lot of analysts started thinking more about motivation and it's pretty clear that that's a disruptive focus, which is not something that we always see, holding persistence for the potential to disrupt critical infrastructure.

Jeremy Dallman: Yeah, and it's for a disruption for a point in the future. I mean, we see China, obviously, you know, they're going to be targeting things for their geopolitical interest, going after things like Taiwan and those types of things regionally, or even other countries in the region that compete with them on the trade level and doing espionage work there. But yeah, coming back against the United States and the Volt Typhoon activity, they're targeting telecommunications. They're targeting critical infrastructure where they could potentially disrupt because, like you said, there's not a high, like, espionage value out of that. So disruption is the likely objective there, not dissimilar to what Russia does -- is doing in Ukraine. So, you know, the difference is, is I think China tends to play -- like, Russia tends to have operations and then act on them fairly immediately. They do have some more sophisticated actors, like I think Secret Blizzard is one that we track, Forest Blizzard and some others that are kind of more subversive. They get in, they persist, and they wait for the right opportunity. Fortunately, we were able to stop some of that from Secret Blizzard and some others leading into the Ukraine war. We continue to track that. Russia's largely been distracted on the cyber operation side, largely been distracted by the Ukraine war, which is why I'm not talking a lot about Russia today. But on the China side, what their operational objective ultimately will be, we'll see. Right now, the game we're playing is making sure we understand their infrastructure. We're tracking the actors, where they're moving, who they're targeting, what they're building reconnaissance on so that we can anticipate and hopefully prevent them from infiltrating critical infrastructure, infiltrating some telecommunications and some of these other entities to avoid the objective that they ultimately would want to do around destruction.

Sherrod DeGrippo: So before we move to the next topic, I just want to talk really quickly about Star Blizzard and BadPilot. We now, at Microsoft, to kind of talk about the attribution side of things, we name these threat actors because we want to be able to track their activity. We don't know what they're actually called, so we have our own naming convention internally, and there's a particular actor that we have been tracking for some time, found out that they had actually recruited a sort of front-facing go team, I guess you could say, that is really tasked only with initial access. So they've almost taken this tiered model of bring in a really great person who can pick locks and have them open doors, and then we send in the more highly skilled cat burglar type personality. But there is this front-facing capability that they've developed now, and I think the lesson from that is threat actors are constantly figuring out ways to be more efficient and to do better and have higher efficacy in their attacks. If that means building a small team that's highly specialized on this one thing that opens doors for them and that they come in afterward, then they'll do that. The reality is threat actors will always change what they're doing to get what they want, and we can never kind of say like, here's what they're doing, and that's what we need to deal with, and it'll kind of persist forever. They're always changing, even if they stay the same for a little while.

Jeremy Dallman: Yeah, I think we even saw, speaking of Russia, we saw for the first time two different FSB units that never actually worked with each other. We saw them collaborating. So an actor we call "Aqua Blizzard" was actually going out and stealing the credentials and then passing those back over to another actor, I think it was Secret Blizzard, who ran the operation against a Ukraine target on some critical infrastructure over there. So we do see them in more sophisticated ways than in the past where a lot of times those units have their operational objectives and they would run with their objective. They're now working with other units to hand off. Similar to, you know, we're actually seeing a lot more state-sponsored actors using criminal infrastructure. Like I said, Moonstone Sleet going out and tapping Qilin on the ransomware side, which was just a commercial, you know, financially motivated actor piece of malware that had been developed, and they take that off and use that in their state-sponsored actor objectives. So we are seeing a lot more of a handoff, state sponsor to state sponsor, not so much like China to Russia, but it's like Russia Unit 1 to Russia Unit 2, or we're seeing state-sponsored actors taking advantage of criminal infrastructure.

Sherrod DeGrippo: I think, too, that's very similar to all of us in legitimate business. We're trying to be more collaborative. We're trying to have teams work together better. We're trying to, you know, maximize resources. This team has this tool. Why isn't this other team using it? It's the same for a lot of threat actor groups. They, you know, collaborate, especially if they have the same espionage goals. So --

Jeremy Dallman: Let's pivot to -- let's pivot to crime.

Sherrod DeGrippo: It is crime time, everyone. So Steven, tell us a little bit about what the crime landscape looks like, and I personally love crime. Threat intelligence in the crime space is, it tends to be really big volume. They tend to not really particularly care about OPSEC, which is, they don't want to hide. They just want to be effective as much as they can, and for the most part, they're not really hiding their tracks, which makes it fun, and I also feel like crime threat actors tend to push the limits of what they can get away with and makes it a little interesting. So what's happening on crime landscape?

Steven Masada: Well, I appreciate that, and I'd like to echo what was stated earlier. I mean, I think we can always go after these actors, and in the cybercriminal space, just like in the national security space, most of the sophisticated actors that we're looking at on the nation-state and the cybercriminal sides, they're persistent, and they're going to adapt their tactics, so we can take down their infrastructure, we can target them directly, but they're going to change and adapt. So the most effective ways that we can combat them and disrupt them is, as Jeremy mentioned, going after their activity or their tools or their supply chain. I mean, there is a burgeoning ecosystem of cybercrime supply chain where, if we're able to take, what is it, the one-to-many that you mentioned earlier? If you're able to take that common point of failure out of the ecosystem, you're able to disrupt multiple actors at the same time. Just before we jump over to cybercrime, just thinking of in the nation-state space, some of the things that we do in DCU, we realize that persistent actors, particularly in nation-state, are going to adapt. They're going to adjust. So what people don't -- not everyone knows what we do. When we disrupt an action, not only do we take their domains, we identify their botnets, we identify their infected -- the domains they're using, the URLs, not only do we sever them from it so they cannot use them, we actually -- what we do at the DCU is we actually redirect all those domains to sinkholes that we own. So we are, in fact, then gathering intelligence, which we then enrich, show, call, feed back to the product team, and, in fact, we actually provide this to subscribers through a program we call "CTIP," Cybercrime Threat Intelligence Program, for free. So that's one of the interesting things we do. Another interesting thing that we do as part of our persistent disruption activity is we seek court permission to get what we call "court monitors." 
So it's an individual appointed by the court that we're allowed to go back to if we see cybercriminals or nation-state actors adapt their techniques or rebuild their infrastructure, which we know they're going to do. Perfect example, let's turn the clock back to 2016. It was actually the first time that the DCU and Microsoft used our toolkit that historically has targeted malware, the first time we used it to target a nation-state actor, and it was following the 2016 election where Forest Blizzard, yup, hacked the Hillary Clinton campaign. Some of you may remember it. And that was the first time that the DCU took action against a nation-state actor. I can only imagine the debates that went on at the highest levels on whether we are going to poke this bear, but we did. We did a disruption action, but we then -- and as part of that action, we secured that court monitor. Fast forward to 2022, invasion of Ukraine, just as Jeremy mentioned, Forest Blizzard was one of the many Russian actors that were coordinating to disrupt Ukrainian infrastructure, again, thinking that this would be a quick and easy win for the Russian military. Again, an example of hybrid warfare, kinetic and cyber warfare. Fast forward to 2022, we see Forest Blizzard, again, doing this similar activity. We simply at DCU went back to our court monitor, seized the domains that Forest Blizzard was using, took them offline at a critical moment in time where Ukraine was again trying to attack Ukrainian infrastructure as part of the war.

Jeremy Dallman: Lawyers can be more disruptive than analysts in a lot of ways.

Sherrod DeGrippo: Let me just mention really quickly on the monitor side, first, I'm sorry to do this, I'm going to do it, go listen to the episode of the Microsoft Threat Intelligence Podcast about Cobalt Strike. It is --

Jeremy Dallman: I was just going to bring that up.

Sherrod DeGrippo: It is a rip-roaring good time.

Jeremy Dallman: Yeah, there's another part of my team that does actor infrastructure fingerprinting and goes out and identifies where that is, and one of the things that my team was fortunate to do was to go out and fingerprint, I think it was like 80% of the Cobalt Strike infrastructure, pass that over to DCU, and they were actually able to take that and, I think it was a couple of years ago, you were able to see Cobalt Strike just drop, and we did the same thing with QakBot and fed some of that same information in there, and you saw the QakBot disruption with the Bureau and Department of Justice and a lot of those actions. So we're going to keep doing that, keep trying to take those actions and working with Steve because it's not just the state-sponsored actors. It's those botnets. It's that malware that's pervasive, like malicious Cobalt Strike and QakBot, that's just all over the place in the infrastructure, and you can knock it.

Steven Masada: Oh yeah, Cobalt Strike is the perfect example. When you talk about tools, what -- I don't know if everyone in the room is familiar with Cobalt Strike, but it is a legitimate cybersecurity tool, but it got out in the wild. We call it "cracked versions," but basically unlicensed versions got out in the wild, and it became probably the favorite tool of cybercriminals and nation-state actors for years. Basically, every -- I won't say "every," that might be an overstatement, but the bulk of major cybersecurity incidents you'd see Cobalt Strikes. It was a tool in every toolkit. It's like a hammer, right? The most common tool you could see. And so what DCU did in partnership with MSTIC, thanks to the fingerprinting and the analysis and the assessments, we partnered with Fortra, who is now the legal owner of the legitimate Cobalt Strike and brought a legal action, I believe it was in 2023, '22/'23, and basically cleaned the infrastructure that we had legal jurisdiction over, and again, we've continued at this. In addition, we fed all the data we obtained into our CTIP program, another plug for CTIP, but I believe that Fortra published their most recent update maybe less than a month ago, and I believe that the number of infected devices with Cobalt Strike had plummeted, I believe it was almost 90%. I mean, that's tremendous. And, of course, bad actors, they're going to figure out ways to, again, rebuild their infrastructure, but what this is forcing them to do, again, part of our deterrent efforts, is it pushes them to the margin. So they have to build their infrastructure in jurisdictions that are perhaps more permissive that the U.S. or some of our allies cannot reach, but then there are other measures that sort of protect customers and users in place, because, again, if you're using infrastructure solely based in China, that there are things in place that protect you and your systems from use of those tools.

Sherrod DeGrippo: And you can get some really good in-depth insight out of that podcast, but one of the things that I found the most interesting about the cracked Cobalt Strike action was there is automation running all the time looking for those cracked Cobalt Strike servers. That automation, when it finds one, automatically creates a complaint in the correct jurisdiction, and the legal mechanism for this, is everybody, like, familiar with the DMCA, the Digital Millennium Copyright Act?

Steven Masada: Well done.

Sherrod DeGrippo: One of the -- oh, let me tell you, I know some DMCA, okay? One of the things I find fascinating about this action is that it leveraged a copyright complaint to disrupt a criminal digital threat actor. That's just such a creative thing, and I think it's such a beautiful example of how creative the DCU and our legal teams can be at Microsoft for finding ways to disrupt.

Steven Masada: I appreciate that, and that is a perfect example of the DMCA and how we used just legal innovation. We use the word "innovation."

Sherrod DeGrippo: Wild and crazy, they're calling it.

Steven Masada: Again, Microsoft gives us the ability to sort of test the limits, because, again, a court could reject it and say, like, "That's too far afield. We don't believe it." But we have created precedent that we now bring to jurisdictions across the United States in bringing cases like this. Now, DMCA is a well-accepted tool in the legal tool belt to bring these types of actions. What Sher was mentioning is, again, a combination of where legal and technical innovation come together, because since then, the DCU has developed a program called -- we call it the "Statutory Automated Disruption Program." Again, this is an example where we have these crawlers that are out in the system as they identify, like you said, Cobalt-infected devices. It generates notices that send it out to the providers that are hosting this and put the onus on the providers, the service providers out there to basically clean up their services, and so they're doing the disruption for us.

Sherrod DeGrippo: It's incredible. It's a really interesting example of some of the things that the DCU does that I feel are, frankly, unique to Microsoft. I just don't see this happening from other organizations. So let's talk a little bit about something that most people aren't familiar with. It's called "AI." Have you heard of AI? Have you heard of it? No? Let's talk a little bit, like, Jeremy, what are some things that you've seen in terms of AI on the threat landscape, threat actors using AI?

Jeremy Dallman: Sure.

Sherrod DeGrippo: Where are we seeing that? So I actually talked about this last year in this same room, so some of you probably might have been here, and quite frankly, from a state-sponsored actor use perspective of AI, the story hasn't changed much from when I was here this year, or last year, which I think is good, but I'll go into it a little bit more. So nation-state threat actors right now are using AI much like we do. It's a productivity tool for them. So what they're using it for is to go out and expedite their investigation, collect knowledge, enhance their existing operations, write better scripts, write faster scripts for their malware delivery. They're using it for translation services. We see Iran using it to improve their phishing lures to make them more convincing. We've seen Russia using it to go out and improve their research on satellite reconnaissance technology and satellite systems that are being used in wartime scenarios. China uses it for a number of different things. Like, they actually use it for a lot of the scripting work as well. North Korea is largely using it for reconnaissance and understanding of actors and downstream targets and that sort of a thing. So all that to say, right now, the actors are largely using it as a productivity tool. The benefit Microsoft has is that deep partnership with the OpenAI team. In working with OpenAI, our knowledge and visibility of the actor infrastructure can inform them so that they know when a malicious actor is on their platform and that malicious actor's activity is going to result in malicious use of AI. They can take action and take that down. We published a blog about it last year. They published a blog I think just last month where they detailed the OpenAI threat intel team that we work with, detailed all the actions they're taking, what they were seeing, especially around deepfakes.
A lot of this was around influence operations and deepfake type of use of AI, and then the actions they were taking to identify those accounts and take them offline and take them down. So there's a disruption action happening there on the actors, even at that utility level of use of AI. The great part, I'll say, is for the future, that partnership we developed with OpenAI and that connection of our intelligence mechanisms will allow us to anticipate and see where the actors are going next. So as they start developing more and more sophisticated use of AI, we hope to be able to see it, anticipate it, and be able to get ahead of it in protecting our customers. And something to point out here is when we do see threat actors leveraging AI for malicious purposes, we disrupt those as well. We cut them off from those platforms, and so there is an element there, I think, of kind of cleaning up a little bit of what, you know, threat actors are going and using these platforms, disrupting them and kicking them out. Obviously, it's a never-ending process, but it's something that we work on. And, Steven, do you want to talk about 2139 at all?

Steven Masada: Happy to, happy to. Microsoft has robust guardrails in place to protect its AI services, but like I said, unfortunately, the sad reality is, bad actors, malicious actors, they're some of the most innovative people on earth and they're going to find a way, loopholes, gaps in even the best guardrails to get through them and then obviously we adapt. It's a little bit of cat and mouse. And part of my team, what we do is, those people that do get through, we try to hold them accountable. We disrupt them. We hold them accountable by sharing information with law enforcement so that they can use their criminal tools and authorities to, again, bring them to justice. 2139, we call it "Fiz" internally, but that's one example. The DCU has taken two actions against, I would say, AI-related cases. 2139 came out very recently. We filed an action in December, unsealed in January, and then we filed supplemental pleadings at the end of February. This group, global group of people, individuals, and they figured out a very sophisticated way and developed a tool set that circumvented these guardrails. You might imagine that there are certain things that our Azure OpenAI services just won't do. You couldn't go on a consumer service and get this service to generate certain types of content, right? Just stuff, harmful content, imagery, things that are used in fraud, stuff of that nature. This group figured out a way to sort of bypass those guardrails by basically prowling the Internet for exposed keys by basically people out there that had bad hygiene. And they collected these API keys and plugged them into their tools that basically ran queries at Microsoft as well as other AI services. So we weren't -- it wasn't just us. It was across the whole industry.
And these tools identified the keys that gave them access to certain accounts that had AI services enabled with the additional ability to either toggle either low guardrail features, either they had been lowered by the customer or they were able to be changed and toggled to their benefit. That enabled them to basically access enterprise-level Azure services, Azure OpenAI services and create content that they could never create through consumer services. And of course, what did they do? They're all financially motivated. They sold it, and then you had a large number of customers who were able to generate illicit content, some of the harmful stuff you might imagine, celebrity deepfakes, pornography, you know, just really nasty, racist, harmful, misogynistic imagery and content. So what we did through the DCU is we investigated this and identified the main developers. We filed an initial lawsuit, like I said, in December that seized their main website where it was kind of a repository where they shared images and through which they communicated. We took them offline, did a splash page, disrupted the whole operation, but again, we persist. So what we did thereafter is we used the information gathered through the sinkholes, through the things that we've talked about, through civil discovery that we had access to because we filed the lawsuit, and we were able to identify, I would say, a dozen or so of the main actors, and then again in February, we amended our pleadings to name as defendants four of the main developers. We didn't name everyone we identified. We used our discretion and named the four developers that we thought were the most prolific and culpable for this type of activity. In combination with that, we provided extensive law enforcement referrals to the FBI, to Europol, and to others where we believe these individuals and others are located that we were able to identify.

Jeremy Dallman: If I recall, we worked -- I think some of those keys had been leaked on GitHub and some other places, so we worked with our colleagues at GitHub to be able to go out and do scans and identify where these keys had been exposed, because a lot of it was just people who had copied and pasted code and dropped it into GitHub repos, and then it just got copied and pasted again, and then somebody else copied and pasted it again. Those are basically the keys that they were using. So we were able to work with GitHub to disrupt them there as well.

Sherrod DeGrippo: Steven, let me ask really quickly just because I'm a legal nerd hobbyist. Was that action based on copyright or misuse of services in terms of service violations?

Steven Masada: Yes. That lawsuit was based on copyright. It was based in intellectual property. Again, they were abusing the tools that they had used, abused our APIs, which, again, are copyrightable under the law. That's one of the issues where we talk about legally impermissible versus, you know, abuse of our terms and services. Certainly an abuse of our terms of service. I guess the correct answer would be both, but our primary basis is always in the IP space.

Sherrod DeGrippo: I love that, that we're able to use these very interesting mechanisms, put resources at Microsoft behind it to figure out the ways to do this. I just find it really fascinating. People ask me all the time, "Oh, I want to get into threat intelligence. What should I do? I want to get into threat intelligence." Everybody wants to get into threat intelligence. I get it, it's fun, but they always ask me, "What should I do? Where can I start?" And the number one thing I say is, start reading indictments, start reading legal filings, because those have this beautiful narrative structure, and I look at some of the ones that we do and they're very easy to follow, and they're very structured, and it will give you kind of an understanding of what the story is, where it ended up, and then, ultimately, a lot of times, you know, it will explain what that party wants done, and it gives you kind of an understanding of what threat intelligence really should be.

Jeremy Dallman: Something tells me undergraduate students of cybersecurity are reading --

Sherrod DeGrippo: Are reading, right?

Jeremy Dallman: Are reading legal indictment.

Sherrod DeGrippo: They need to be reading it.

Steven Masada: I can be badgered.

Jeremy Dallman: I'm going to line that up for all my interns, "Here's 15 indictments to go read."

Sherrod DeGrippo: They're good. They're very good. Sometimes they're really interesting, and a lot of times they've got, you know, screenshots and images, and even sometimes they'll have diagrams explaining the attack chains and things.

Steven Masada: And the good thing about it is, you know, Jeremy's blogs are amazing. I read them, I review them. I understand about 60% of it because it's so highly technical, but one of the jobs that we do, you know, when you're filing legal paperwork is we have to frankly kind of dumb it down a little bit for the court so that they understand what we're saying but in language that the ordinary individual without the technical background could understand and appreciate. Another thing about reading lawsuits or reading blogs is you learn a lot about what the bad actors are doing. Another example was an action we took against another group, a Vietnamese group called Storm 1152. Interestingly enough, we talked, going back to the supply chain, you know, how do these -- how do all these cybercriminal nation-state actors -- the cybercrime as a service is a thing, right? Just like software as a service is a thing, and that ecosystem operates a lot like the legitimate ecosystem. So what this group was doing was effectively creating, I mean, hundreds of millions, perhaps billions of fraudulent email accounts that they then sold to nation-state actors, to cybercriminal groups, including Scattered Spider, Octo Tempest. You know, one of the most prolific ransomware groups out there was one of their biggest customers. But interestingly enough, this group, again, speaking of using AI, they've used AI in their tools to basically bypass CAPTCHA. Everyone knows what CAPTCHA is, right? Click on the stoplights, click on the scooters. We can debate whether a scooter is a motorcycle, which always gets me, but they created an automated process where they were creating, I think at their peak, 30 million fake email accounts on Microsoft alone per month. I think the total was up to over 750 million fake email accounts on Microsoft services. Again, they were doing this at Google, at Yahoo, across the board, selling them. 
So what we did is, again, we disrupted them, took all their infrastructure down. Interestingly enough, what we saw is them rebuild. We filed supplemental pleadings taking down their infrastructure. Again, part of our mission is not just to disrupt, it's to deter, and our investigators, they operate like maybe law enforcement in some ways where they will covertly be on some of these channels, some of these messaging apps. Some of these groups are marketing and selling their services, and what we saw was quite amazing. One, we saw the actual efficacy of this group drop to near zero, so they went from 30 million to almost zero accounts created per month. But in monitoring the messaging app and the communications, what was interesting is we saw the chatter that was going on in these groups, and what was pretty clear is this group and one of their main competitors basically stated to the world, announced that they were ceasing operations as it pertained to Microsoft, that Microsoft is aggressive in going after this type of activity on their services, so this product, their Microsoft product, was no longer available for sale. So again, that would be an example, I would say, a success story where disruption led to deterrence.

Sherrod DeGrippo: And, like, building that reputation, don't mess around with Microsoft, Microsoft FAFO, right? No, I --

Steven Masada: That's our new slogan.

Sherrod DeGrippo: That's the new CELA tagline.

Jeremy Dallman: I do want to say one thing. Disruption, Steven's world is disruption. I love that, that DCU has the legal vehicles to go disrupt the actor. MSTIC, on our side, for a long time, I mean, if any of you are from the intelligence community, we were signal operators. We collected a lot of signal. We built good detection so the product is identified and the customer could address it. In our new world, with our new CISO and in the last year, we're really leaning in a lot more aggressively. The blogs that we're starting to put out have an intent of not just inform or, like, applaud Microsoft's awesome threat intelligence capabilities. It's not just about thought leadership in TI. Now our intended focus for our blogs is to disrupt the actor. Put information out there that, to Steven's point, like, sets the developers of this ransomware back, makes them stop attacking and go rewrite their code in a completely different language, forces the nation-state actors' infrastructure to get completely exposed so they have to roll back and try to reset. So that disruption action, I'm super excited about it, the disruption of the actor has become one of our key missions.

Steven Masada: I mean, I think we work in partnership. It's almost hip to hip. I mean, when you think of disruption holistically, we work together. Star Blizzard is a perfect example. We filed an action against Star Blizzard to disrupt their activities, frankly, in the lead-up to the most recent election, and what do we see them do? We see them pivot, right? We see them pivot to WhatsApp. Totally changed how they operate, but again, to increase their operational costs, slow them down, distract them from actually harming people by focusing on rebuilding their infrastructure.

Jeremy Dallman: And the great thing is, with a blog, we can get the message out to even our industry peers who are our competitors, because the actor is going to -- maybe they'll move off of, like, OneDrive, they'll move off of Microsoft infrastructure, that just means they're going to move to somebody else's infrastructure. So if we can expose their TTPs and our colleagues at Google or AWS or other places where the actors are inevitably going to move can learn that and catch them when they land there, we're just keeping the actor moving all the time and we're disrupting them, not just us, but as a community effort.

Sherrod DeGrippo: Well, I appreciate all of your time. We are at the end. Thank you so much for coming, and thank you to my fantastic panelists, two of my top eight. [ Music and applause ] Thanks for listening to the Microsoft Threat Intelligence Podcast. We'd love to hear from you. Email us with your ideas at tipodcast@microsoft.com. Every episode will decode the threat landscape and arm you with the intelligence you need to take on threat actors. Check us out, msthreatintelpodcast.com for more, and subscribe on your favorite podcast app. [ Music ]