| ▲ | nailer an hour ago | |||||||
Good question. My understand is that it was licensing: Hackers cloaked IP address -> VPN license -> Windows GDID -> Hacker's name. | ||||||||
| ▲ | llm_nerd an hour ago | parent [-] | |||||||
From the reading of the document, I really don't think that's it. The suspects used phishing to get access to one company's servers, then used those servers to push software to other servers. It 100% reads that they enlisted Microsoft to correlate telemetry data with some known activities, backtracking from that. Barring specific additional data, this should be extraordinarily concerning. Repeatedly the documents cite "Microsoft's records" for the activity - installing ngrok, accessing certain sites, RDP connections, etc. | ||||||||
| ||||||||