Peter Stokes, the 19-year-old American-Estonian extradited from Finland to face Scattered Spider hacking charges in the United States, is allegedly tied to a US$8 million ($11.5 million) ransom demand largely through a Microsoft global device identifier (GDID), a court affidavit suggests. The US Federal Bureau of Investigation (FBI) alleged in its complaint that “criminal referrals from Microsoft” were among the evidence presented for Stokes’ alleged offending. “Cyber security researchers at Microsoft, through the course of their job, have access to data, such as computer machine IDs, IP addresses, and malware samples associated with sophisticated cybergroups,” the FBI said in its affidavit. Stokes allegedly hid his device behind a virtual private network (VPN) server which he then used to open an account on the ngrok secure tunnelling service. But doing so did not mask the unique GDID of the Windows installation he used. Microsoft identified that GDID for investigators after a court order, based on ngrok’s time-stamped access records. Such GDIDs are typically used for diagnostic and crash reporting, feature-usage analysis, and detecting abuse patterns such as one machine repeatedly claiming free trials or licences. Security teams also use this kind of device-level correlation defensively, since a login from an unfamiliar
Read More
Microsoft device telemetry key to unmasking alleged Scattered Spider hacker – iTnews

Microsoft device telemetry key to unmasking alleged Scattered Spider hacker – iTnews