Episodes

  • Midnight Blizzard | How Russian Intelligence Breached Microsoft - w/ Alyssa Robinson, CISO @ HubSpot
    Dec 30 2025

    Midnight Blizzard | How Russian Intelligence Breached Microsoft

    With guest CISO Co-Host Alyssa Robinson, CISO at HubSpot

    In late 2023, a Russian state-sponsored threat actor known as Midnight Blizzard (also called NOBELIUM and widely associated with APT29) began probing Microsoft the old-fashioned way: password spraying.

    No zero-day. No smash-and-grab.

    Just patience, repetition, and one legacy gap.

    Microsoft says the actor compromised a legacy, non-production test tenant account and used that foothold to access a very small percentage of Microsoft corporate email accounts, including members of senior leadership and employees in cybersecurity and legal, then exfiltrated some emails and attached documents. Microsoft detected the attack on January 12, 2024, and disclosed it publicly on January 19, 2024.

    This was espionage, not extortion: Microsoft assessed the actor was initially seeking information related to Midnight Blizzard itself, essentially trying to learn what Microsoft knew about their operations.

    In this episode of The CISO Signal | True Cybercrime Podcast, we break down how a nation-state operation targets the most valuable asset in modern security: identity. We explore why executive inboxes are intelligence gold, why slow intrusions are so hard to see in real time, and what incident response looks like when the adversary is collecting insight, not detonating ransomware.

    🎙 Guest CISO Co-Host

    Alyssa Robinson
    Chief Information Security Officer, HubSpot

    🔍 Episode Topics

    • How password spraying still works at massive scale
    • Why legacy test tenants and exceptions become the entry point
    • Executive identity risk and the “convenience gap”
    • What changes when the attacker is a nation state
    • The trust question: what downstream organizations must assume

    🧊 The aftershock

    Microsoft later reported evidence that the actor was using exfiltrated information to pursue additional unauthorized access, including some source code repositories and internal systems, while stating it found no evidence that Microsoft-hosted customer-facing systems were compromised.

    CISA also issued guidance on SVR / APT29 tradecraft for initial cloud access (AA24-057A) and an Emergency Directive tied to this compromise (ED 24-02).

    🧩 About The CISO Signal
    True cybercrime storytelling with real CISO lessons. Subscribe so you never miss an investigation.
    👉 / @thecisosignal
    www.linkedin.com/company/the-ciso-signal

    #CISOSignal #MicrosoftBreach #MidnightBlizzard #APT29 #NOBELIUM
    #CyberEspionage #IdentitySecurity #CloudSecurity #CISO #TrueCybercrime

    33 min
  • The HubSpot Hack | The SaaS Backdoor to Bitcoin - ft. Scott Kisser (CISO, Swan Bitcoin)
    Dec 7 2025

    When attackers breached HubSpot in March 2022, they weren’t after HubSpot at all.

    They were after the customers of its customers.

    Crypto firms like Trezor, BlockFi, and Swan Bitcoin suddenly saw their users targeted by near-perfect phishing emails designed to steal recovery seeds and drain wallets. And just weeks later, another SaaS provider, Klaviyo, was hit the same way. The message was clear:

    You can defend your castle…
    but attackers will go after the people guarding your gates.

    This week on The CISO Signal | True Cybercrime Podcast, we dissect the SaaS-supply-chain breach that shook the crypto world and the coordinated response that stopped it from becoming a full-scale disaster.

    🎙 Guest CISO Co-Host: Scott Kisser
    Chief Information Security Officer – Swan Bitcoin
    Former security leader at Salesforce, DocuSign, Amazon, and F5.

    Scott takes us inside the incident response:
    • How a single phished employee put the SaaS ecosystem at risk
    • Why crypto companies were the downstream target
    • The race to warn customers before attackers drained wallets
    • How CISOs must rethink vendor access and trust assumptions
    • Why no major funds were stolen — and why that victory matters

    This wasn’t a tale of ransomware; it was a breach of trust.
    And a reminder that SaaS is now part of every organization’s attack surface.

    🔍 Episode Topics

    • Vendor compromise → internal tool access → crypto user phishing

    • The human element behind SaaS security

    • What leadership communication looks like when trust is shaken

    • The new rules of defending against third-party attack vectors


    🏴‍☠️ Key Players
    • HubSpot — initial breach vector
    • Klaviyo — second SaaS compromise
    • Trezor & Swan Bitcoin — downstream targets
    • Crypto customers — the true victims
    • CISOs — left to restore confidence & reshape strategy

    💡 Takeaway for CISOs
    “You’re only as strong as the SaaS identities you can’t see.”

    🧩 About The CISO Signal
    Hollywood-style storytelling meets real cybersecurity lessons.
    Every episode, CISOs break down the world’s most notorious cyberattacks — what happened, what broke, and what must change.

    Subscribe & ring the bell so you never miss an investigation. 🛎️
    👉 / @thecisosignal

    📣 Connect with Us
    🌐 Website: thecisosignal.transistor.fm
    🔗 LinkedIn: linkedin.com/company/the-ciso-signal
    Subscribe & share to stay ahead of the world’s most sophisticated cyber threats.


    🔥 Hashtags
    #CISOSignal #HubSpotBreach #Klaviyo #SaaSSecurity #CryptoSecurity #SupplyChainAttack #SocialEngineering #Phishing #SecurityPodcast #TrueCybercrime #ScottKisser #SwanBitcoin #Trezor

    30 min
  • The Okta HAR Hijacking
    Dec 7 2025

    In late 2023, the world’s most trusted identity provider experienced the kind of breach it was designed to prevent. Attackers quietly infiltrated Okta’s customer support system, stole session tokens hidden inside HAR files and used them to impersonate users across some of the most secure organizations on earth.

    For two full weeks, the intruders operated in silence. No alerts. No red flags. No detection.

    When the truth came out, it wasn't just a security incident; it was a crisis of trust in the infrastructure that underpins modern authentication.
    How did a company synonymous with identity become a cautionary tale? What does this breach reveal about session tokens as the new crown jewels, third-party risk, and the blind spots that even top-tier security teams can miss? And what lessons does every CISO need to take from the Okta compromise before history repeats itself?

    In this episode of The CISO Signal: True Cybercrime Podcast, host Jeremy Ladner is joined by Oren Zenescu, CISO at Plarium, to break down every layer of the Okta breach, from the silent entry and token theft to the fallout across the cybersecurity community and what it means for the future of identity security.

    💡 In this episode, we discuss:
    🔹 How attackers harvested HAR files and hijacked live session tokens
    🔹 Why session tokens are becoming the primary target for modern attackers
    🔹 The two-week detection delay and what it says about support system security
    🔹 What the Okta breach means for zero trust, vendor reliance, and third-party risk
    🔹 Lessons CISOs must take from Okta’s incident history: Lapsus$, source code theft, and beyond

    🎙 Featured Guest
    Oren Zenescu | Global CISO at Plarium
    Member of Team8 CISO Village, with 15+ years of enterprise security leadership across finance, gaming, and global tech.

    Follow The CISO Signal
    🌐 Website: thecisosignal.transistor.fm
    🔗 LinkedIn: linkedin.com/company/the-ciso-signal
    Subscribe & share to stay ahead of the world’s most sophisticated cyber threats.

    #CyberSecurity #OktaBreach #IdentitySecurity #TokenHijacking #ZeroTrust #CISO #IncidentResponse #SupplyChainSecurity #CyberCrime #TheCisoSignal

    30 min
  • The $610 Million Poly Network Hack: The Greatest Heist That Never Was
    Oct 27 2025


    In one of the most shocking moments in crypto history, a lone hacker exploited a vulnerability in Poly Network’s cross-chain protocol—draining over $610 million in digital assets across Ethereum, Binance Smart Chain, and Polygon.

    Then, in a twist no one saw coming… they gave it all back.

    Was it a white-hat test gone wrong? A hacker with a conscience? Or a sophisticated cover-up by an insider? To this day, the attacker’s true identity remains a mystery—and the world is still searching for answers.

    In this episode of The CISO Signal: True Cybercrime Podcast, host Jeremy Ladner is joined by Christopher Russell, CISO at tZERO Group, to dissect the technical brilliance, psychological intrigue, and geopolitical implications of what might be the largest digital heist in history—and the most bizarre ending cybersecurity has ever seen.

    💡 In this episode, we discuss:
    🔹 How a flaw in Poly Network’s cross-chain manager enabled the $610M exploit
    🔹 Why the hacker chose to return every stolen token
    🔹 The role of decentralized finance (DeFi) in enabling modern cybercrime
    🔹 What CISOs can learn from the blockchain’s weakest link
    🔹 Why attribution in crypto attacks remains nearly impossible

    Follow The CISO Signal:
    🌐 Website: www.thecisosignal.transistor.fm

    🔗 LinkedIn: www.linkedin.com/company/the-ciso-signal

    Don’t forget to like, subscribe, and share — to stay ahead of the world’s most sophisticated cyberattacks.

    #CyberSecurity #CryptoHack #PolyNetwork #DeFi #BlockchainSecurity #CISO #TheCisoSignal #CyberCrime #CryptoHeist

    33 min
  • The $25 Million Arup Deepfake: AI's Most Convincing Con
    Oct 13 2025


    In a world where AI can mimic voices and faces perfectly, even the most secure companies can fall victim. The Arup Deepfake Hack shocked the corporate world when attackers used AI-generated video of the company’s CFO to trick an employee into wiring $25 million to a fraudulent account.

    This was not just another phishing attempt; it was a sophisticated manipulation that blurred the line between reality and digital deception. The incident highlights how AI-driven attacks are evolving and why every cybersecurity leader must rethink traditional defense strategies.

    In this episode of The CISO Signal: True Cybercrime Podcast, host Jeremy Ladner is joined by Mark Dorsi, CISO at Netlify, to break down one of the most alarming corporate scams of our time. Mark brings decades of experience building security programs for high-growth technology organizations, including HelloSign, Cloud Lending Solutions, and Qualys, and now leads security at Netlify. Together, they unpack how the deepfake attack happened, why traditional security controls failed, and what actionable steps leaders can take to protect their organizations from AI-powered social engineering.

    💡 In this episode, we discuss:
    🔹 How attackers used AI and a video conference to impersonate the CFO
    🔹 The psychological tactics behind the $25 million wire transfer
    🔹 Why traditional security measures were not enough to prevent the attack
    🔹 Emerging strategies to defend against deepfake and AI-driven threats
    🔹 Key lessons every CISO can use to strengthen their security posture

    Follow The CISO Signal:
    🌐 Website: www.thecisosignal.transistor.fm

    🔗 LinkedIn: www.linkedin.com/company/the-ciso-signal

    Don’t forget to like, subscribe, and share to stay ahead of the world’s most sophisticated cyberattacks.

    #Cybersecurity #DeepfakeHack #ArupHack #CISO #TheCisoSignal #AIThreats #CyberCrime

    41 min
  • The Sony Hollywood Hack | How Cybercrime Turned A Blockbuster Comedy Into A Global News Story
    Sep 1 2025

    THE SONY HACK: HOLLYWOOD, NORTH KOREA & THE CYBER WAR THAT CHANGED EVERYTHING
    In 2014, Sony Pictures became ground zero for the first major nation-state cyberattack on a global corporation. The “Guardians of Peace,” linked to North Korea, crippled Sony’s networks, leaked unreleased films, and exposed troves of executive emails that forced high-level resignations. At the center of it all: The Interview, a comedy starring Seth Rogen and James Franco about a CIA plot to kill Kim Jong-un.

    What started as a movie scandal quickly escalated into an international incident and a turning point for every CISO and cybersecurity leader. The Sony Hack showed the world how geopolitics, culture, and cyber warfare could collide in ways that devastate private companies.

    In this episode of THE CISO SIGNAL: TRUE CYBERCRIME PODCAST, host Jeremy Ladner takes you inside the breach that changed corporate security forever. We unpack how Sony responded under pressure, why their crisis management is still debated a decade later, and what today’s security leaders must learn to defend against state-sponsored threats.

    💡 IN THIS EPISODE, WE DISCUSS:
    👉 How The Interview triggered a nation-state cyberattack
    🔹 The impact of leaked emails and unreleased Sony films
    ⚠️ Why Sony’s response became a leadership case study
    🛡️ How the Sony Hack reshaped global cybersecurity strategy
    📈 Actionable CISO lessons for preparing against nation-state adversaries

    🎙️ ABOUT OUR GUEST:
    Dror Hevlin — VP Security & CISO at Cynomi. With 20+ years in defense, critical infrastructure, and enterprise security, Dror brings unique insight into nation-state threats. Learn more 👉 https://www.cynomi.com

    FOLLOW "THE CISO SIGNAL" ON:
    🌐 Website: www.thecisosignal.transistor.fm
    🔗 LinkedIn: www.linkedin.com/company/the-ciso-signal

    👍 Don’t forget to LIKE, SUBSCRIBE & SHARE to stay ahead of the world’s most dangerous cyberattacks!

    #Cybersecurity #SonyHack #TheInterview #NorthKorea #NationStateAttack #CISO #TheCisoSignal

    31 min
  • SIN CITY CYBERATTACK | Inside MGM Casino's $100M Hack
    Aug 23 2025

    SIN CITY CYBERATTACK: INSIDE THE MGM & CAESARS CASINO BREACHES

    In September 2023, Las Vegas turned into ground zero for one of the most disruptive cyberattacks in U.S. history. MGM Resorts, owner of iconic casinos on the Strip, saw slot machines go dark, hotel check-ins grind to a halt, and operations paralyzed for days. At the same time, Caesars Entertainment quietly faced its own breach, but unlike MGM, Caesars chose to pay the ransom.

    In this episode of THE CISO SIGNAL: TRUE CYBERCRIME PODCAST, we take you inside the MGM Casino $100M ransomware hack and contrast it with the Caesars breach. We break down how attackers from the Scattered Spider/ALPHV ransomware group gained access, why MGM refused to pay, and what every CISO can learn from the two very different incident response strategies.

    Our special guest co-host is PAZ SHWARTZ, CISO and CEO at Persist Security, who joins us to analyze the attacks, share real-world insights, and outline how leaders should prepare for ransomware scenarios that strike at the heart of critical business operations.

    IN THIS EPISODE, WE DISCUSS:

    👉 How the Scattered Spider group used social engineering to breach MGM and Caesars

    🔹 Why MGM Resorts refused to pay ransom and Caesars paid up

    ⚠️ The operational and financial fallout for both casino giants

    🛡️ Actionable strategies CISOs can deploy to prepare for high-stakes ransomware incidents

    📈 Key leadership lessons for crisis response under public and shareholder pressure


    ABOUT OUR GUEST:

    Paz Shwartz is the CEO and CISO of Persist Security, with deep expertise in cybersecurity strategy, risk management, and incident response for global enterprises.


    FOLLOW "THE CISO SIGNAL" ON:

    🌐 Website: www.thecisosignal.transistor.fm

    🔗 LinkedIn: www.linkedin.com/company/the-ciso-signal

    DON'T FORGET TO LIKE, SUBSCRIBE, AND SHARE TO STAY AHEAD OF THE LATEST CYBERCRIME THREATS!

    #Cybersecurity #MGM #Caesars #CasinoHack #Ransomware #CISO #TheCisoSignal

    30 min
  • INSIDE CNA's $40M BITCOIN RANSOM | The Hack That Changed Cybersecurity
    Aug 16 2025

    The CISO Signal | INSIDE CNA's $40M BITCOIN RANSOM | The Hack That Changed Cybersecurity - EP 4

    In this episode of The CISO Signal, we go deep inside the cyberattack that shook the financial world.

    Join us as we unravel the haunting details of the 2021 ransomware attack on CNA Financial, which resulted in a record-breaking $40 million ransom payment in Bitcoin.

    This wasn't just another breach. This was a black swan event cloaked in silence, executed by a mysterious threat actor known as Phoenix. They slid past defenses, encrypted over 15,000 devices, and vanished with a payday big enough to fund a small nation-state.

    How did one of the largest U.S. insurers, in an industry built on managing risk, become the ultimate risk?

    🧠 GUEST CISO CO-HOST: Matan Eli Matalon

    We’re joined by Matan Eli Matalon, CISO of OP Innovate. With a battlefield-hardened perspective from years in offensive and defensive cybersecurity, Matan brings a rare blend of red team psychology and blue team pragmatism to decode the dark mechanics behind this quiet catastrophe.

    From ransomware tactics and insurance industry blind spots to negotiating with digital extortionists, Matan provides unparalleled insights.

    📌 In This Episode:

    ATTACK ANATOMY: How the CNA ransomware attackers gained access and detonated their payload.

    ROOT CAUSE: The critical role of stolen credentials, Active Directory, and legacy systems.

    THE RANSOM DECISION: Why a $40M ransom was paid and what it signals for future attacks.

    THE AFTERMATH: The eerie silence that followed and the legal/PR playbook that unfolded.

    KEY TAKEAWAYS: What security leaders can learn from CNA’s nightmare to prevent the next one.

    🔐 FOR CISOs, BY CISOs.
    The CISO Signal is a cinematic, story-driven podcast for security leaders, SOC professionals, and infosec veterans. Each week, we dissect high-stakes breaches with the insight of top CISOs and the pace of a true crime thriller.

    SUBSCRIBE NOW for weekly episodes that go beyond the headlines and deep into the shadows of today’s cyber underworld.

    👍 LIKE, COMMENT, and SHARE this episode with your security team.
    🌐 Visit thecisosignal.transistor.fm for full episodes, bios, and more.

    #CNAFinancial #RansomwareAttack #Cybersecurity #CISOPodcast #TrueCybercrime #Infosec #Ransomware #CyberInsurance #SecurityLeadership #BreachAnalysis #IncidentResponse #SOC #CyberRisk #CIO #CTO #Hacking #DigitalExtortion #Cyberthreats #CybersecurityNews #Datasecurity #MatanMatalon

    50 min