Rethinking APT Attribution: Dakota Cary on Chinese Contractors and Espionage-as-a-Service

August 1st, 2025  |  1 hr 51 mins

apt research, cyberespionage, nation-state, ransomware, zero-day

Three Buddy Problem - Episode 56: China-focused researcher Dakota Cary joins the buddies to dig into China’s sprawling cyber ecosystem, from the HAFNIUM indictments and MSS tasking pipelines to the murky world of APT contractors and the ransomware hustle. We break down China’s “entrepreneurial” model of intelligence collection, why public visibility into these threat actors is so hard to get right, and how companies like Microsoft get caught in the geopolitical crossfire.

Plus: a deep dive on suspected MAPP leaks and Sharepoint zero-days, Singapore targeted by extremely sophisticated China-nexus hacking group, soft censorship in corporate threat-intel, and whether the U.S. should rethink how it fills its intelligence gaps.

Cast: Dakota Cary, Ryan Naraine, Costin Raiu and Juan Andres Guerrero-Saade.

How did China get Microsoft's zero-day exploits?

July 10th, 2025  |  1 hr 49 mins

apt research, cyberespionage, drone, nation-state, ransomware, zero-day

Three Buddy Problem - Episode 53: We dig into news of the first-ever arrest of a Chinese intelligence-linked hacker in Italy, unpack the mystery behind HAFNIUM and how they somehow got their hands on the same Microsoft Exchange zero-days that researcher Orange Tsai discovered - was it coincidence, inside access, or something more sinister?

Plus, China's massive cyber capabilities pipeline, ‘theCom’ teenagers arrested in the UK after ransomware binge, and spyware attacks against Russian organizations.

Cast: Ryan Naraine, Costin Raiu and Juan Andres Guerrero-Saade.

The dark hole of 'friendlies' and Western APTs

May 30th, 2025  |  2 hrs 11 mins

apt research, cyberespionage, nation-state, ransomware, zero-day

Three Buddy Problem - Episode 48: We unpack a Dutch intelligence agencies report on ‘Laundry Bear’ and Microsoft’s parallel ‘Void Blizzard’ write-up, finding major gaps and bemoaning the absence of IOCs. Plus, discussion on why threat-intel naming is so messy, how initial-access brokers are powering even nation-state break-ins, and whether customers (or vendors) are to blame for the confusion.

Plus, thoughts on an academic paper on the vanishing art of Western companies exposing Western (friendly) APT operations, debate whether stealth or self-censorship is to blame, and the long-tail effects on cyber paleontology.

We also dig into Sean Heelan’s proof that OpenAI’s new reasoning model can spot a Linux kernel 0-day and the implications for humans in the bug-hunting chain.

Cast: Costin Raiu, Juan Andres Guerrero-Saade and Ryan Naraine.

JAG-S on big-game malware hunting and a very mysterious APT

October 17th, 2022  |  52 mins 40 secs

apts, cyberespionage, exploits, zero-day

• Episode sponsors: Binarly and FwHunt - Protecting devices from emerging firmware and hardware threats using modern artificial intelligence.

SentinelLabs malware hunter Juan Andres Guerrero-Saade (JAG-S) returns to the show to discuss how big-game attribution has changed over the years, the nation-state APT landscape, Mudge and the nightmares facing CISOs, and a mysterious actor named Metador.