009.1: CRASH COURSE: IRAN | Geopolitics, Cyber Threat Groups and Operations

012.1: WANNACRY

On May 12, 2017, a piece of code quietly executed somewhere in Asia and within hours had locked computers across 150 countries. WannaCry wasn't just a ransomware attack — it was the collision of an NSA cyber weapon, a mysterious group of leakers, a sanctioned rogue nation, and a 22-year-old malware analyst working from his bedroom. In this episode, explore the full WannaCry story — the technical execution, the geopolitical chain of custody, the chaos it caused, and the harder questions nobody fully answered: Should the NSA have disclosed the vulnerability? Was this North Korea's best effort or a mistake that escaped? And what does it mean when the most dangerous cyber weapon in history gets stopped by a $10 domain registration? Call to Action: * Subscribe to the podcast for more episodes on high-profile cyber intrusions. * Visit our website at intrusionsindepth.com for additional stories and insights. * Share your thoughts on social media using #IntrusionsInDepth. Links and Resources: * https://techspective.net/2017/09/26/wannacry-ransomware-detailed-analysis-attack/ [https://techspective.net/2017/09/26/wannacry-ransomware-detailed-analysis-attack/] * https://www.nksc.lt/doc/ENISA-WannaCry-v1.0.pdf [https://www.nksc.lt/doc/ENISA-WannaCry-v1.0.pdf] * https://www.elastic.co/blog/wcrywanacry-ransomware-technical-analysis [https://www.elastic.co/blog/wcrywanacry-ransomware-technical-analysis] * https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3681065/national-security-agency-announces-retirement-of-cybersecurity-director/ [https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3681065/national-security-agency-announces-retirement-of-cybersecurity-director/] * https://en.wikipedia.org/wiki/WannaCry_ransomware_attack [https://en.wikipedia.org/wiki/WannaCry_ransomware_attack] * https://en.wikipedia.org/wiki/Tailored_Access_Operations [https://en.wikipedia.org/wiki/Tailored_Access_Operations] * https://en.wikipedia.org/wiki/Michael_Hayden_(general) [https://en.wikipedia.org/wiki/Michael_Hayden_(general)] * https://upload.wikimedia.org/wikipedia/commons/7/7d/ARN30043-ATP_7-100.2-000-WEB-2_-_North_Korean_Tactics_%28July_2020%29.pdf [https://upload.wikimedia.org/wikipedia/commons/7/7d/ARN30043-ATP_7-100.2-000-WEB-2_-_North_Korean_Tactics_%28July_2020%29.pdf] * https://commons.wikimedia.org/wiki/File:ARN30043-ATP_7-100.2-000-WEB-2_-_North_Korean_Tactics_(July_2020).pdf [https://commons.wikimedia.org/wiki/File:ARN30043-ATP_7-100.2-000-WEB-2_-_North_Korean_Tactics_(July_2020).pdf] * https://www.securityweek.com/us-army-report-describes-north-koreas-cyber-warfare-capabilities/ [https://www.securityweek.com/us-army-report-describes-north-koreas-cyber-warfare-capabilities/] * https://www.cs2ai.org/post/u-s-army-report-describes-north-korea-s-cyber-warfare-capabilities [https://www.cs2ai.org/post/u-s-army-report-describes-north-korea-s-cyber-warfare-capabilities] * https://cloud.google.com/blog/topics/threat-intelligence/mapping-dprk-groups-to-government [https://cloud.google.com/blog/topics/threat-intelligence/mapping-dprk-groups-to-government] * https://www.cloudflare.com/learning/security/ransomware/wannacry-ransomware/ [https://www.cloudflare.com/learning/security/ransomware/wannacry-ransomware/] * https://www.darkreading.com/cyberattacks-data-breaches/three-years-after-wannacry-ransomware-accelerating-while-patching-still-problematic [https://www.darkreading.com/cyberattacks-data-breaches/three-years-after-wannacry-ransomware-accelerating-while-patching-still-problematic] * https://www.bankinfosecurity.com/blogs/wannacrys-ransom-note-great-in-chinese-poor-in-korean-p-2481 [https://www.bankinfosecurity.com/blogs/wannacrys-ransom-note-great-in-chinese-poor-in-korean-p-2481] * https://trumpwhitehouse.archives.gov/briefings-statements/press-briefing-on-the-attribution-of-the-wannacry-malware-attack-to-north-korea-121917/ [https://trumpwhitehouse.archives.gov/briefings-statements/press-briefing-on-the-attribution-of-the-wannacry-malware-attack-to-north-korea-121917/] * https://securelist.com/wannacry-and-lazarus-group-the-missing-link/78431/ [https://securelist.com/wannacry-and-lazarus-group-the-missing-link/78431/] * https://www.wired.com/story/confessions-marcus-hutchins-hacker-who-saved-the-internet/ [https://www.wired.com/story/confessions-marcus-hutchins-hacker-who-saved-the-internet/] * https://en.wikipedia.org/wiki/WannaCry_ransomware_attack [https://en.wikipedia.org/wiki/WannaCry_ransomware_attack] * https://cloud.google.com/blog/topics/threat-intelligence/mapping-dprk-groups-to-government [https://cloud.google.com/blog/topics/threat-intelligence/mapping-dprk-groups-to-government] * https://cloud.google.com/blog/topics/threat-intelligence/north-korea-cyber-structure-alignment-2023/ [https://cloud.google.com/blog/topics/threat-intelligence/north-korea-cyber-structure-alignment-2023/] * https://www.wired.com/story/confessions-marcus-hutchins-hacker-who-saved-the-internet/ [https://www.wired.com/story/confessions-marcus-hutchins-hacker-who-saved-the-internet/] * https://darknetdiaries.com/transcript/158/ [https://darknetdiaries.com/transcript/158/] * https://www.britannica.com/biography/Kim-Yo-Jong * https://thediplomat.com/2026/02/why-kim-ju-aes-path-to-power-is-structurally-blocked/ * https://www.tripwire.com/state-of-security/malwaretech-wannacry-kronos-understanding-connections Books: * The Psychology of Totalitarianism [https://amzn.to/4rQjHLx] by Mattias Desmet * The Lazarus Heist [https://amzn.to/3Nf0AeX] by Geoff White * Fancy Bear Goes Phishing: The Dark History of the Information Age, in Five Extraordinary Hacks [https://amzn.to/42N4q2y] by Scott J. Shapiro * Host: Josh Stepp * Produced by: Josh Stepp Thank you for tuning in to IntrusionsinDepth. Stay informed, stay safe, and see you in the next episode! Get full access to IntrusionsInDepth at www.intrusionsindepth.com/subscribe [https://www.intrusionsindepth.com/subscribe?utm_medium=podcast&utm_campaign=CTA_4]

011.2: Cognitive Maps for AI ADOPTION, GEOPOLITICS & BAD SCIENCE

Key Topics: * Early-stage AI hype vs. real economic impact * Cultural backlash in creative communities * Geopolitical and energy constraints on AI scaling * Job disruption, education failure, and potential social unrest * Critique of Anthropic’s safety approach and effective altruism ties Call to Action: * Subscribe to the podcast for more episodes on high-profile cyber intrusions. * Visit our website at intrusionsindepth.com for additional stories and insights. * Share your thoughts on social media using #IntrusionsInDepth. Books: * Game Theory: A Very Short Introduction [https://amzn.to/3ZoABV0] by Ken Binmore * Theory of Games and Economic Behavior [https://amzn.to/4klXS3z] by John Von Neumann , Oskar Morgenstern Links and Resources: * https://retractionwatch.com/2025/12/03/authors-retract-nature-paper-projecting-high-costs-of-climate-change/ * https://www.nytimes.com/2025/12/03/business/economy/study-climate-damage-retracted.html * https://www.euronews.com/green/2025/12/04/major-study-on-catastrophic-cost-of-climate-change-retracted-but-revised-figures-remain-al * https://www.techbuzz.ai/articles/anthropic-s-daniela-amodei-safe-ai-will-win-the-market-war * https://nypost.com/2025/11/09/business/ai-giant-anthropics-ties-to-cult-like-effective-altruism-democrat-megadonors-on-trump-admins-radar/ * https://www.cnbc.com/2025/10/21/anthropic-ceo-trump-sacks-woke.html * https://en.wikipedia.org/wiki/Effective_altruism * https://thehackernews.com/2025/11/chinese-hackers-use-anthropics-ai-to.html * https://en.wikipedia.org/wiki/Longtermism * https://aeon.co/essays/why-longtermism-is-the-worlds-most-dangerous-secular-credo * https://en.wikipedia.org/wiki/Intelligentsia * https://geopoliticalfutures.com/intellectuals-thugs-russian-revolution/ * https://lexfridman.com/dario-amodei * https://cepr.org/voxeu/columns/ai-and-paperclip-problem * Host: Josh Stepp * Produced by: Josh Stepp Thank you for tuning in to IntrusionsinDepth. Stay informed, stay safe, and see you in the next episode! Get full access to IntrusionsInDepth at www.intrusionsindepth.com/subscribe [https://www.intrusionsindepth.com/subscribe?utm_medium=podcast&utm_campaign=CTA_4]

011.1: Anthropic's AI Attack Report

Key Topics: * State of the frontier AI landscape and competitive dynamics (2026 perspective) * Description and breakdown of the Anthropic-reported AI-orchestrated cyber espionage campaign (GTG-1002) * Technical limitations, hallucinations, and operational skepticism Call to Action: * Subscribe to the podcast for more episodes on high-profile cyber intrusions. * Visit our website at intrusionsindepth.com for additional stories and insights. * Share your thoughts on social media using #IntrusionsInDepth. Links and Resources: * https://www.anthropic.com/news/disrupting-AI-espionage * https://assets.anthropic.com/m/ec212e6566a0d47/original/Disrupting-the-first-reported-AI-orchestrated-cyber-espionage-campaign.pdf * https://openai.com/index/disrupting-malicious-uses-of-ai-by-state-affiliated-threat-actors/ * https://cyberscoop.com/anthropic-ai-orchestrated-attack-required-many-human-hands/ * https://arstechnica.com/security/2025/11/researchers-question-anthropic-claim-that-ai-assisted-attack-was-90-autonomous/ * https://arxiv.org/pdf/2412.19437 * Host: Josh Stepp * Produced by: Josh Stepp Thank you for tuning in to IntrusionsinDepth. Stay informed, stay safe, and see you in the next episode! Get full access to IntrusionsInDepth at www.intrusionsindepth.com/subscribe [https://www.intrusionsindepth.com/subscribe?utm_medium=podcast&utm_campaign=CTA_4]

010.1: LAB DOOKHTEGAN | The Role of Hacktivism in the Modern World

AUDIO NOTE: There are some portions of audio with slight static. I’m blaming solar flares. On a serious note, I’m troubleshooting this, but the episode is still listenable. Key Topics: * Lab Dookhtegan’s emergence as an Iranian hacktivist group targeting the regime through hack-and-leak operations, data leaks, and sabotage since 2019. * Key attacks, including the 2019 leak of APT34 tools, multiple doxings of IRGC officials from 2020 to 2024, and election interference exposures. * Destructive maritime cyber attacks in March and August of 2025 disrupted 116 and 64 Iranian sanction-evading ships via supply chain compromise. * Speculations on Lab Dookhtegan’s potential ties to nation-states like the US or Israel for plausible deniability in proxy operations. * Comparisons to other hacktivist groups like KillNet (Russian-backed) and Blackjack (Ukrainian-aligned), highlighting overlaps between hacktivism and state-sponsored cyber activities. Call to Action: * Subscribe to the podcast for more episodes on high-profile cyber intrusions. * Visit our website at intrusionsindepth.com for additional stories and insights. * Share your thoughts on social media using #IntrusionsInDepth. Books: * Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers [https://amzn.to/43pWgOY] by Andy Greenberg Links and Resources: * https://cybershafarat.com/2023/10/09/lab-dookhtegan-supports-us-against-hamas-hezbollah/ [https://cybershafarat.com/2023/10/09/lab-dookhtegan-supports-us-against-hamas-hezbollah/] https://www.rferl.org/a/farda-briefing-iran-water-crisis-israel-help/33503264.html [https://www.rferl.org/a/farda-briefing-iran-water-crisis-israel-help/33503264.html] https://www.wired.com/story/iran-hackers-oilrig-read-my-lips/ [https://www.wired.com/story/iran-hackers-oilrig-read-my-lips/] https://securityaffairs.com/117506/apt/iran-state-sponsored-ransomware.html [https://securityaffairs.com/117506/apt/iran-state-sponsored-ransomware.html] https://flashpoint.io/blog/second-iranian-ransomware-operation-project-signal-emerges/ [https://flashpoint.io/blog/second-iranian-ransomware-operation-project-signal-emerges/] https://assets.recordedfuture.com/insikt-report-pdfs/2020/cta-2020-0409.pdf [https://assets.recordedfuture.com/insikt-report-pdfs/2020/cta-2020-0409.pdf] https://assets.recordedfuture.com/insikt-report-pdfs/2020/cta-2020-0409.pdf [https://assets.recordedfuture.com/insikt-report-pdfs/2020/cta-2020-0409.pdf] https://blog.sekoia.io/iran-cyber-threat-overview/ [https://blog.sekoia.io/iran-cyber-threat-overview/] https://x.com/LabDookhtegan2/status/1754860930599403851 [https://x.com/LabDookhtegan2/status/1754860930599403851] https://x.com/LabDookhtegan2/status/1737531151424565421 [https://x.com/LabDookhtegan2/status/1737531151424565421] https://x.com/LabDookhtegan2/status/1734144401687842971 [https://x.com/LabDookhtegan2/status/1734144401687842971] https://x.com/LabDookhtegan2/status/1757333667242770769 https://home.treasury.gov/news/press-releases/jy2072 [https://home.treasury.gov/news/press-releases/jy2072] https://x.com/LabDookhtegan2/status/1767939764966047877 [https://x.com/LabDookhtegan2/status/1767939764966047877] https://blogs.microsoft.com/on-the-issues/2024/08/08/iran-targeting-2024-us-election/ [https://blogs.microsoft.com/on-the-issues/2024/08/08/iran-targeting-2024-us-election/] https://x.com/LabDookhtegan2/status/1824131756884365386 [https://x.com/LabDookhtegan2/status/1824131756884365386] https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/final/en-us/microsoft-brand/documents/5bc57431-a7a9-49ad-944d-b93b7d35d0fc.pdf [https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/final/en-us/microsoft-brand/documents/5bc57431-a7a9-49ad-944d-b93b7d35d0fc.pdf] https://cybershafarat.com/2021/11/26/lab-dookhtegan-the-regime-and-me-we-aint-mates-huge-data-reveal/ [https://cybershafarat.com/2021/11/26/lab-dookhtegan-the-regime-and-me-we-aint-mates-huge-data-reveal/] https://cydome.io/lab-dookhtegan-cyberattack-second-wave-findings-aug-2025/ [https://cydome.io/lab-dookhtegan-cyberattack-second-wave-findings-aug-2025/] https://cloud.google.com/blog/topics/threat-intelligence/apt44-unearthing-sandworm [https://cloud.google.com/blog/topics/threat-intelligence/apt44-unearthing-sandworm] https://cloud.google.com/blog/topics/threat-intelligence/gru-rise-telegram-minions [https://cloud.google.com/blog/topics/threat-intelligence/gru-rise-telegram-minions] https://en.wikipedia.org/wiki/Killnet [https://en.wikipedia.org/wiki/Killnet] https://therecord.media/russian-hacker-group-killnet-returns-with-new-identity [https://therecord.media/russian-hacker-group-killnet-returns-with-new-identity] https://cydome.io/lab-dookhtegan-cyber-attack-on-iranian-oil-tankers-disrupts-operations/ [https://cydome.io/lab-dookhtegan-cyber-attack-on-iranian-oil-tankers-disrupts-operations/] https://blog.narimangharib.com/posts/2025%2F08%2F1755854831605?lang=en [https://blog.narimangharib.com/posts/2025%2F08%2F1755854831605?lang=en] https://en.wikipedia.org/wiki/LulzSec [https://en.wikipedia.org/wiki/LulzSec]https://citizenlab.ca/2023/01/uncovering-irans-mobile-legal-intercept-system/https://go.recordedfuture.com/hubfs/reports/cta-2024-0125.pdfhttps://blogs.microsoft.com/on-the-issues/2024/08/08/iran-targeting-2024-us-election/https://assets.recordedfuture.com/insikt-report-pdfs/2020/cta-2020-0409.pdfhttps://home.treasury.gov/news/press-releases/jy2072https://en.wikipedia.org/wiki/March%E2%80%93May_2025_United_States_attacks_in_Yemenhttps://cybershafarat.com/2024/11/01/the-attempt-of-shahid-shushtri-also-known-as-emennet-pasargad-a-cyber-group-affiliated-with-the-islamic-revolutionary-guard-corps-to-interfere-in-the-upcoming-american-elections-iran-internatio/ * Host: Josh Stepp * Produced by: Josh Stepp Thank you for tuning in to IntrusionsinDepth. Stay informed, stay safe, and see you in the next episode! Get full access to IntrusionsInDepth at www.intrusionsindepth.com/subscribe [https://www.intrusionsindepth.com/subscribe?utm_medium=podcast&utm_campaign=CTA_4]

009.1: CRASH COURSE: IRAN | Geopolitics, Cyber Threat Groups and Operations

Key Topics: * US-Iran Historical Tensions * Iran’s Demographics & Strategy * Nuclear Program & 2025 Strikes * Proxy Networks (Axis of Resistance) * Iranian Cyber Threat Actors Call to Action: * Subscribe to the podcast for more episodes on high-profile cyber intrusions. * Visit our website at intrusionsindepth.com for additional stories and insights. * Share your thoughts on social media using #IntrusionsInDepth. Books: * Stuxnet and the Launch of the World’s First Digital Weapon Countdown to Zero Day [https://amzn.to/4o77zU8] - Kim Zetter * Iran’s Perilous Pursuit of Nuclear Weapons [https://amzn.to/4nAwwHu] — David Albright & Sarah Burkhard * From Intel to Iran: The Defection of Monica Witt [https://amzn.to/3VLf5YG] — Borna Ahadi Links and Resources: * https://en.wikipedia.org/wiki/Judicial_system_of_the_Islamic_Republic_of_Iran [https://en.wikipedia.org/wiki/Judicial_system_of_the_Islamic_Republic_of_Iran] * https://attack.mitre.org/groups/G0069/ * https://learn.microsoft.com/en-us/unified-secops-platform/microsoft-threat-actor-naming [https://learn.microsoft.com/en-us/unified-secops-platform/microsoft-threat-actor-naming] * https://cloud.google.com/security/resources/insights/apt-groups#global-threats-iran * https://en.wikipedia.org/wiki/Shamoon [https://en.wikipedia.org/wiki/Shamoon] * https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-055a * https://cyberscoop.com/hack-and-leak-group-black-shadow-keeps-targeting-israeli-victims/ [https://cyberscoop.com/hack-and-leak-group-black-shadow-keeps-targeting-israeli-victims/] * https://iapp.org/news/b/black-shadow-hackers-re-emerge-with-second-israeli-breach * https://www.securiwiser.com/news/black-shadow-hits-cyberserve-and-lgbtq-dating-app-client/ [https://www.securiwiser.com/news/black-shadow-hits-cyberserve-and-lgbtq-dating-app-client/] * https://www.cybereason.com/blog/research/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations [https://www.cybereason.com/blog/research/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations] * https://cloud.google.com/blog/topics/threat-intelligence/uncovering-iranian-counterintelligence-operation [https://cloud.google.com/blog/topics/threat-intelligence/uncovering-iranian-counterintelligence-operation] * https://cloud.google.com/blog/topics/threat-intelligence/unc1860-iran-middle-eastern-networks [https://cloud.google.com/blog/topics/threat-intelligence/unc1860-iran-middle-eastern-networks] * https://www.mei.edu/publications/iranian-apts-overview [https://www.mei.edu/publications/iranian-apts-overview] * https://cloud.google.com/blog/topics/threat-intelligence/apt42-charms-cons-compromises [https://cloud.google.com/blog/topics/threat-intelligence/apt42-charms-cons-compromises] * https://www.csis.org/programs/strategic-technologies-program/significant-cyber-incidents * https://darknetdiaries.com/transcript/30/ * https://risky.biz/why-iran-is-a-scaredy-cat-cyber-chicken/ * https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-releases-cybersecurity-advisory-on-previously-undisclosed-iranian-malware-used-to-monitor-dissidents-and-travel-and-telecommunications-companies [https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-releases-cybersecurity-advisory-on-previously-undisclosed-iranian-malware-used-to-monitor-dissidents-and-travel-and-telecommunications-companies] * https://home.treasury.gov/news/press-releases/sm1127 [https://home.treasury.gov/news/press-releases/sm1127] * https://mjolnirsecurity.com/the-asymmetric-battlefield-an-anthropological-and-geopolitical-analysis-of-iranian-cyber-threats-to-north-american-critical-infrastructure/ [https://mjolnirsecurity.com/the-asymmetric-battlefield-an-anthropological-and-geopolitical-analysis-of-iranian-cyber-threats-to-north-american-critical-infrastructure/] * https://cloud.google.com/blog/topics/threat-intelligence/apt33-insights-into-iranian-cyber-espionage [https://cloud.google.com/blog/topics/threat-intelligence/apt33-insights-into-iranian-cyber-espionage] * https://www.picussecurity.com/resource/blog/understanding-active-iranian-apt-groups [https://www.picussecurity.com/resource/blog/understanding-active-iranian-apt-groups] * https://therecord.media/iran-state-backed-hackers-industrial-attacks-spring-2025 [https://therecord.media/iran-state-backed-hackers-industrial-attacks-spring-2025] * https://www.mei.edu/publications/iranian-apts-overview [https://www.mei.edu/publications/iranian-apts-overview] * https://cloud.google.com/blog/topics/threat-intelligence/unc1860-iran-middle-eastern-networks [https://cloud.google.com/blog/topics/threat-intelligence/unc1860-iran-middle-eastern-networks] * https://cloud.google.com/blog/topics/threat-intelligence/uncovering-iranian-counterintelligence-operation * https://www.darkreading.com/vulnerabilities-threats/anatomy-of-the-new-iranian-apt * https://www.infopoint-security.de/medien/fireeye-operation-saffron-rose.pdf * https://narimangharib.com/ * https://darknetdiaries.com/transcript/30/ * https://www.youtube.com/playlist?list=PLjiTz6DAEpuINUjE8zp5bAFAKtyGJvnew * https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/ * https://cloud.google.com/blog/topics/threat-intelligence/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware * Host: Josh Stepp * Produced by: Josh Stepp Thank you for tuning in to IntrusionsinDepth. Stay informed, stay safe, and see you in the next episode! Get full access to IntrusionsInDepth at www.intrusionsindepth.com/subscribe [https://www.intrusionsindepth.com/subscribe?utm_medium=podcast&utm_campaign=CTA_4]