TeamPCP Interview Transcript

Source: Ransomware Interviews
Interviewer: Erez Yalon
Subject: “T” (speaking for himself, not the group)
Translation: Google Translate (Hebrew → English)


Q: Your X account (which has already been blocked) displayed Israel as its location and was opened in October 2023. Additionally, in one of your campaigns you ran a wiper malware called “Kamikaze” that specifically targets victims from Iran. On the other hand, you hacked Israeli companies like Aqua (Trivy) and Checkmarx. Can you explain the apparent contradiction in the nature of the activity? Which side are you on, if at all?

These countries and the people they serve are simply evil.

Iran is a regime that murders protesters in cold blood and funds terrorists, while the Israeli government is a government of warmongers, and the security tools produced there serve countries with similar behavior, making them a prime target.

The wiper against Iran was more for fun. We put it in because we can, and if it causes collateral damage along the way, then we sleep better at night.

People always tell us to choose a side. Why? I don’t negotiate with evil. I’m angry at the way these people use power and faith. It negatively affects everyone.


Q: You have collaborations with LAPSUS$, Breached, etc. Why collaborate with other groups instead of running the entire attack chain independently?

There are many approaches here. It’s better to create an ecosystem and connections; that way it’s easier to sell the information quickly and transfer approaches. LAPSUS$ were good to work with; they’re very reliable, and they brought what was needed to drive the activity.

Things are managed internally with us much more than you think, but the final result is not always published under our groups. What is published with us is usually only the quick hacks.


Q: In the recent GitHub internals hack, you are offering source code from 4,000 repositories for sale for $50,000. What is the strategy behind selling the information in this way? Why not approach GitHub directly and demand a ransom?

First come, first served. We are not extortionists, we are here for money, and as quickly as possible. If GitHub wanted the repositories to remain private, they would have offered as high a price for them as everyone else, or asked for our final price.

[Erez: As of the time of the interview, and according to the group’s version, the highest offer they received is $95k]


Q: Most ransomware groups focus on encrypting the victim’s files, but it seems that you are focused on stealing identification data, compromising the supply chain, stealing and selling the information, without encryption. Why did you choose this approach?

TeamPCP originally started as a group that encrypts and extorts, but that is simply no longer needed. We get paid the same anyway, while it takes much less time and causes much less business disruption.

I would also add that after the Vect debacle, we lost a lot of interest in encryption after seeing the results that could be achieved without it. That stopped us from continuing in that direction.


Q: How many organizations have been affected by your attacks since you started? And do you think that stolen credentials lose value over time, as organizations realize they have been hacked and start to revoke them?

Tens of thousands of companies have been affected. The number of developers is probably in the millions.

Large organizations and credentials that are about to expire are prioritized.

It doesn’t bother us if companies revoke credentials on a large scale, as has already happened. We’ll just find another way to get in through the supply chain.


Q: What made TeamPCP start this activity in the first place? Have any of you been on the “white” side of cyberspace before? If so, what made you switch to the other side?

I was trying to find a job in the legal offensive line, a kind of contractor work, and my potential employer did something very unethical. So I continued to operate as a blackhat separately.

If what happened had happened differently, it could have turned out very differently. But yes, I wanted to in the past, and I still want to do something like that.

The attention we get is not good, and we already make enough money to eat, pay for a house, and take care of my team. Some of us have even started donating our profits, because we simply don’t need them to survive anymore, and that’s all that matters. We don’t want to and don’t need to be rich, and we don’t like to harm people, but bad security costs money.


Q: Your campaigns are very focused on the supply chain. What advice would you give to organizations that want to protect themselves from these attacks?

Only use libraries with a minimum age, use hash versioning and tokens with precise permissions, and know what plugins your developers are using in their IDE, or limit them.

Socket will find the malware before the package can reach your machine, and they will publish all IOCs and remediation steps for you, or your company’s security team, if you are affected.

[Erez: Sounds like marketing content, haha. Of course, the above should not be seen as any recommendation on my part]


Q: Attackers who create a lot of noise and damage are constantly faced with better defenses, pressure from law enforcement agencies, and faster response to incidents. What do you do to stay one step ahead of organizations and law enforcement agencies?

We will always get along with defense teams.

As for law enforcement agencies, my risk-reward ratio tells me that soon it will be time for me to stop operating.


Q: Do you use AI tools as part of your activities?

Yes. We write our malware manually but also with the help of AI. The learning of the various mechanisms in the tools we exploit is done entirely by a human.

You can give any child LLM scripts, and they still won’t be able to reproduce our attacks, even if the source code and post-incident reports are completely public. That speaks for itself.


Q: Is there anything else you would like to say? Or share with my followers on the channel?

Our results speak for themselves.


Q: Bonus question: I noticed that your nickname on Tox is “the jellyfish who jumped up the mountain”. That’s a reference to a Shpongle track, right? According to the band, the title is a metaphor for evolution: even a jellyfish can climb a mountain if you take one small step at a time, over millions of years. What’s the story behind choosing this nickname? Is it related to the evolution of the group?

Well, my circumstances weren’t very good, and I just kept moving forward and learning as much as I could, trying to find loopholes, writing malware and failing, sometimes without money for food or rent, 24/7/365.

I am the jellyfish who jumped up the mountain.
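[Editor’s addition, not part of the interview: the supply-chain advice in the answer above (minimum package age, hash-pinned versions) turned into a concrete dependency policy gate. This is an added example, not TeamPCP’s, Socket’s or any other vendor’s code. It reads pip-style requirement lines with `--hash=sha256:` and checks them against registry metadata; the registry entries, the requirement lines, the fixed clock and the 7-day threshold are all constructed inline so the check runs offline.]

```python
"""Dependency policy gate: exact pin, sha256 hash, and minimum package age.

Editor's example (not the interviewee's or any vendor's code). REGISTRY, NOW,
MIN_AGE and SAMPLE are constructed stand-ins so the check runs offline.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed stand-in for a registry's metadata: name -> version -> (upload time, sha256).
REGISTRY = {
    "leftpad-utils": {
        "1.4.2": ("2026-01-03T10:00:00Z", "aa" * 32),
        "1.4.3": ("2026-03-20T08:15:00Z", "bb" * 32),  # uploaded 2 days before NOW
    },
    "yaml-parse": {
        "3.0.0": ("2025-11-11T12:00:00Z", "cc" * 32),
    },
}
NOW = datetime(2026, 3, 22, tzinfo=timezone.utc)  # fixed clock so results are reproducible
MIN_AGE = timedelta(days=7)                        # assumed policy: no release younger than a week

# pip requirement syntax: name, optional operator+version, optional --hash=sha256:<hex>
REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)\s*(?:(?P<op>==|>=|<=|~=|!=|>|<)\s*(?P<ver>[^\s#]+))?"
    r"(?:\s+--hash=sha256:(?P<sha>[0-9a-fA-F]{64}))?\s*$"
)


@dataclass(frozen=True)
class Finding:
    package: str
    rule: str     # which policy rule fired
    detail: str


def _upload_time(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def check_requirement(line, registry=REGISTRY, now=NOW, min_age=MIN_AGE):
    """Return the policy findings for one requirement line (empty list = allowed)."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return []
    m = REQ_RE.match(line)
    if not m:
        return [Finding(line, "unparsable", "could not parse requirement")]
    name, op, ver, sha = m.group("name"), m.group("op"), m.group("ver"), m.group("sha")
    findings = []
    if op != "==":
        findings.append(Finding(name, "pinned", f"version must be exact (==), got {op or 'none'}"))
        return findings  # the remaining rules need a concrete version
    if sha is None:
        findings.append(Finding(name, "hashed", "missing --hash=sha256:..."))
    versions = registry.get(name, {})
    if ver not in versions:
        findings.append(Finding(name, "unknown", f"{ver} not in registry metadata"))
        return findings
    uploaded, known_sha = versions[ver]
    if sha is not None and sha.lower() != known_sha:
        # The artifact the lockfile expects is not the one the registry serves.
        findings.append(Finding(name, "hash_mismatch", "artifact hash differs from registry record"))
    age = now - _upload_time(uploaded)
    if age < min_age:
        # Freshly pushed versions are where a hijacked maintainer account lands its payload.
        findings.append(Finding(name, "min_age", f"{ver} is {age.days}d old, policy needs {min_age.days}d"))
    return findings


def audit(text, **kw):
    """Run the policy over a whole requirements file; returns {package: [rules fired]}."""
    out = {}
    for line in text.splitlines():
        for f in check_requirement(line, **kw):
            out.setdefault(f.package, []).append(f.rule)
    return out


# Constructed requirements file exercising every rule.
SAMPLE = "\n".join([
    f"yaml-parse==3.0.0 --hash=sha256:{'cc' * 32}",    # passes every rule
    f"leftpad-utils==1.4.3 --hash=sha256:{'bb' * 32}", # too new: 2 days old
    "leftpad-utils==1.4.2",                            # pinned but no hash
    f"yaml-parse==3.0.0 --hash=sha256:{'dd' * 32}",    # hash does not match registry
    "requests>=2.0",                                   # not pinned
])

if __name__ == "__main__":
    for pkg, rules in audit(SAMPLE).items():
        print(f"{pkg}: {', '.join(rules)}")
```

In a real pipeline the `REGISTRY` dict is replaced by the registry’s metadata endpoint and `NOW` by the wall clock; the rules stay the same. The age rule is deliberately separate from the hash rule: a correct hash only proves you got the artifact you asked for, not that anyone has had time to look at it.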