logoalt Hacker News

nailertoday at 3:14 PM1 replyview on HN

Good question. My understand is that it was licensing:

Hackers cloaked IP address -> VPN license -> Windows GDID -> Hacker's name.


Replies

llm_nerdtoday at 3:25 PM

From the reading of the document, I really don't think that's it. The suspects used phishing to get access to one company's servers, then used those servers to push software to other servers.

It 100% reads that they enlisted Microsoft to correlate telemetry data with some known activities, backtracking from that. Barring specific additional data, this should be extraordinarily concerning. Repeatedly the documents cite "Microsoft's records" for the activity - installing ngrok, accessing certain sites, RDP connections, etc.

show 1 reply