1
00:00:01,639 --> 00:00:11,679
Produced by PI Media. Hi,
I'm Ran Levi. Welcome to CPRadio.

2
00:00:17,399 --> 00:00:21,480
In the wake of the terrorist attack
on October seventh, which claimed the

3
00:00:21,480 --> 00:00:26,079
lives of around one thousand, two
hundred civilians in Israel and led to the

4
00:00:26,120 --> 00:00:31,239
capture of over two hundred more,
Iran, which provides support for Hamas as

5
00:00:31,280 --> 00:00:36,920
well as related terrorist outfits like Hezbollah
in Lebanon and the Houthis in Yemen,

6
00:00:37,399 --> 00:00:42,719
has over and over threatened to get
involved. Its Minister of Foreign Affairs

7
00:00:42,920 --> 00:00:48,000
has spoken about how, quote, if the
Zionist aggressions do not stop, the hands

8
00:00:48,039 --> 00:00:53,079
of all parties in the region are
on the trigger, end quote, and, quote, expansion of the

9
00:00:53,200 --> 00:00:58,799
scope of the war has become inevitable,
end quote. With the prospect of a

10
00:00:58,799 --> 00:01:03,760
wider war, a spotlight has turned
to Iran's military capabilities. Though its army

11
00:01:03,920 --> 00:01:10,159
isn't so feared, its nuclear capabilities
are, and even before all that,

12
00:01:10,319 --> 00:01:15,439
history shows it might choose to utilize
the power of cyber attacks. For years

13
00:01:15,439 --> 00:01:21,040
now, Iran's state sponsored hackers have
been some of the most prolific in the

14
00:01:21,079 --> 00:01:27,040
world, but prolific does not necessarily
mean sophisticated. Its attacks haven't quite impressed

15
00:01:27,079 --> 00:01:32,000
in the way that the US,
Russia, and China's do, they are

16
00:01:32,040 --> 00:01:38,840
more comparable, perhaps to lesser powers
like North Korea and Azerbaijan. Consider,

17
00:01:38,959 --> 00:01:44,719
for example, the group Check Point tracks
as Scarred Manticore. Since twenty nineteen,

18
00:01:45,000 --> 00:01:51,560
Scarred Manticore has been carrying out espionage
campaigns in countries largely concentrated in the Middle

19
00:01:51,640 --> 00:01:57,200
East, sometimes successfully, but using
back doors that don't look so different from

20
00:01:57,200 --> 00:02:02,079
what you'd see with non state sponsored
cybercriminal groups. Some of them appear

21
00:02:02,159 --> 00:02:10,240
to be modified versions of publicly available
tools. Amitai Ben Shushan Ehrlich, threat intelligence analysis team

22
00:02:10,319 --> 00:02:15,120
lead at Check Point Research. One of
them is the Tunna webshell, which is

23
00:02:15,240 --> 00:02:22,400
used to tunnel traffic over a webshell
over HTTP. Tunna was Scarred Manticore's

24
00:02:22,479 --> 00:02:25,919
first known tool. You can download
it yourself from GitHub. Hundreds of people

25
00:02:27,080 --> 00:02:30,560
have already. According to its creator, it enables a red teamer or hacker

26
00:02:30,879 --> 00:02:37,120
to wrap and tunnel their TCP Internet
traffic, hence the name Tunna, bypassing

27
00:02:37,199 --> 00:02:44,120
network protections in firewalled environments. And
as we deep dived into the evolution of

28
00:02:44,159 --> 00:02:50,039
this specific Tunna webshell, we saw
that they implemented their own mechanisms into it

29
00:02:50,439 --> 00:02:55,000
and slowly started giving it their own
versioning and embedding additional functionalities within it.

30
00:02:55,520 --> 00:03:00,479
As Scarred Manticore iterated on Tunna in
bits and pieces, over time, it

31
00:03:00,520 --> 00:03:06,840
began to look different enough to be
considered its own malware. Check Point named the

32
00:03:07,000 --> 00:03:14,400
modified Tunna backdoor FoxShell. FoxShell
became a favorite go-to weapon. Over

33
00:03:14,479 --> 00:03:20,039
time, it turned into a very
unique backdoor, a very unique webshell that

34
00:03:20,159 --> 00:03:24,960
was also used in attacks against
Albania, as reported by CISA. We were

35
00:03:25,000 --> 00:03:31,199
also able to tie some of
the webshells and internal DLLs that are used

36
00:03:31,199 --> 00:03:37,159
as resources in it to another backdoor
that was used in the Middle East called

37
00:03:37,159 --> 00:03:40,919
the SDD backdoor, a backdoor that
was used in targeted attacks in Saudi Arabia.

38
00:03:40,960 --> 00:03:46,879
It seems it was analyzed by a
Saudi researcher that we reference in the report,

39
00:03:47,000 --> 00:03:53,879
and most recently it was tied to
a sophisticated implant called WinTapix, which

40
00:03:53,919 --> 00:03:58,800
is a driver-based implant that was
reported by Fortinet, showing the evolution.

41
00:03:58,879 --> 00:04:03,439
You know, we started from this
open source webshell Tunna, slowly turning it

42
00:04:03,520 --> 00:04:11,879
into something custom, adding more functionalities, adding internal resources. Then we see

43
00:04:11,919 --> 00:04:15,240
the backdoor, the SDD backdoor,
and then the WinTapix driver actually takes

44
00:04:15,879 --> 00:04:20,680
the best of both
worlds and embeds them into this sophisticated implant

45
00:04:20,720 --> 00:04:27,439
that utilizes the driver to inject code
and hide functionalities. FoxShell was,

46
00:04:27,519 --> 00:04:32,199
in retrospect, a harbinger of things
to come. Whereas the Iranian threat actor

47
00:04:32,319 --> 00:04:38,480
started off at a level akin to
ordinary cybercriminal groups, here they were

48
00:04:38,519 --> 00:04:43,639
demonstrating that they could distinguish their work, that they could create a unique and

49
00:04:43,800 --> 00:04:48,759
powerful malware tool capable enough to be
used in successful campaigns across a number of

50
00:04:48,800 --> 00:04:56,759
countries. And then just recently,
Iran arguably truly announced itself as a global

51
00:04:57,000 --> 00:05:02,560
cyber power. In a campaign recently uncovered
by three cybersecurity groups, Check Point, Sygnia and

52
00:05:02,759 --> 00:05:10,040
Cisco Talos, Scarred Manticore unleashed
tools and tactics unlike anything we've seen from

53
00:05:10,079 --> 00:05:15,600
the Islamic Republic before. If before
they were at the kid's table, this

54
00:05:15,839 --> 00:05:25,519
latest campaign suggests that they might have
just moved up. The story of this

55
00:05:25,639 --> 00:05:32,439
campaign begins with a dynamic link library
or DLL. DLLs are shared libraries groupings

56
00:05:32,480 --> 00:05:38,839
of code stored in memory that can
be invoked by any given application. They're

57
00:05:39,040 --> 00:05:43,759
terribly useful since there are certain things
lots of programs need to be able to

58
00:05:43,800 --> 00:05:47,399
do, and it wouldn't be all
that efficient if every one of them needed

59
00:05:47,399 --> 00:05:51,360
the code to do it. It's
like how every person needs to be able

60
00:05:51,399 --> 00:05:57,360
to use the bathroom, but not
every person in your office needs their own

61
00:05:57,360 --> 00:06:01,839
individual bathroom, as much as I'd love
my own office bathroom. By having a

62
00:06:01,879 --> 00:06:08,839
couple that everyone shares, you save
a massive amount of square footage and everybody

63
00:06:09,000 --> 00:06:14,040
still gets to poop. Plus it's
much easier for the janitor to replace the

64
00:06:14,120 --> 00:06:17,199
soap or toilet paper if he doesn't
have to run around doing it in twenty

65
00:06:17,319 --> 00:06:25,680
different bathrooms. DLLs are useful and
utterly normal on every PC. But the

66
00:06:25,759 --> 00:06:31,000
DLL Amitai and his colleagues were facing
was not your average file. So when

67
00:06:31,000 --> 00:06:35,000
we came across the DLL, it
was very strange to us. It was

68
00:06:35,040 --> 00:06:41,279
located in System32,
which is a legitimate path. Besides the folder

69
00:06:41,439 --> 00:06:46,519
System32, the DLL file
names themselves also seemed rather ordinary. There

70
00:06:46,639 --> 00:06:54,759
was wlbsctrl.dll and
wlanapi.dll. WLAN, of

71
00:06:54,759 --> 00:06:59,600
course, is very basic and ubiquitous
Wi Fi technology. In other words,

72
00:06:59,839 --> 00:07:03,800
these were the kinds of folders and
files you find everywhere on any PC.

73
00:07:04,480 --> 00:07:09,959
Usually, if you're looking for something
in particular, like malware, you'll scroll

74
00:07:10,079 --> 00:07:15,079
past them without thinking twice. And
as we deep dived into the artifact related

75
00:07:15,439 --> 00:07:20,040
to what we found, we saw
that the DLLs really were sideloaded by a

76
00:07:20,120 --> 00:07:26,319
legitimate service. A sideloaded DLL. This is something you hear a lot

77
00:07:26,360 --> 00:07:36,319
about nowadays, but it wasn't always
so. For years, when they wanted

78
00:07:36,360 --> 00:07:43,079
to load malware on your computer,
hackers sent Microsoft Office files, Word documents,

79
00:07:43,120 --> 00:07:47,079
Excel files, and so on,
containing malicious macros, which are shortcuts

80
00:07:47,079 --> 00:07:51,439
for running custom code. If you
okay the macros in a phishing file,

81
00:07:51,800 --> 00:07:57,120
you open the window for hackers to
plant, say a malware loader on your

82
00:07:57,160 --> 00:08:01,680
computer, which could retrieve and execute
a backdoor ransomware, or anything else you

83
00:08:01,720 --> 00:08:07,720
can imagine. But on the episode
How Microsoft Changed Cyberspace With One Decision, we

84
00:08:07,720 --> 00:08:13,560
discussed on this podcast how after years
of macro abuse, Microsoft decided to block

85
00:08:13,720 --> 00:08:20,680
Internet downloaded macros by default. Hackers
now needed new ways to get malware on

86
00:08:20,720 --> 00:08:26,439
your machine. One of the most
popular alternatives they've since landed on is DLL

87
00:08:26,680 --> 00:08:31,159
sideloading. Instead of a file hiding
malware, the attacker sends the victim a

88
00:08:31,320 --> 00:08:39,960
legitimate program with an illegitimate DLL.
Any executable program will come with a manifest,

89
00:08:41,120 --> 00:08:45,679
a kind of a rule book that
specifies which DLLs will load and in

90
00:08:45,720 --> 00:08:50,000
what order. If these instructions aren't
specific enough, though, hackers can take

91
00:08:50,039 --> 00:08:56,879
advantage sneaking their dirty code inside of
a DLL that basically fits the bill.

92
00:08:56,440 --> 00:09:01,559
So you're running a totally normal software
program, but unbeknownst to you or your

93
00:09:01,639 --> 00:09:07,600
computer, the program loads an attacker's
malware. In this case, Scarred Manticore

94
00:09:07,879 --> 00:09:13,639
did one better, taking advantage of
an absence of certain DLLs in certain Windows

95
00:09:13,679 --> 00:09:20,200
Server OS versions. So a program
that looks to invoke the DLL in question

96
00:09:20,600 --> 00:09:24,240
shouldn't find it in such distributions,
but in this case, it thinks it

97
00:09:24,320 --> 00:09:31,440
does, and it's the attacker's code. This required an intimate knowledge of the

98
00:09:31,480 --> 00:09:37,919
operating system to a degree not many
people anywhere really have. At this point,

99
00:09:37,960 --> 00:09:43,600
I think we realized that this was
a very unique kind of attack,

100
00:09:43,639 --> 00:09:48,600
and a very sophisticated one. But
this was only the very beginning of the

101
00:09:48,639 --> 00:09:56,159
attack. Even more sophisticated tricks were
yet to come. When we looked into

102
00:09:56,240 --> 00:09:58,879
the DLL itself, like after we
understood how it was loaded and how the

103
00:10:00,000 --> 00:10:05,360
attack was carried out, we also
saw that it uses some interesting features that

104
00:10:05,440 --> 00:10:11,320
are undocumented in the Windows operating system. Again, the attackers were toying not

105
00:10:11,519 --> 00:10:18,120
with ordinary software, but the fundamental
functions of the OS itself. If a

106
00:10:18,159 --> 00:10:22,559
Windows PC were the Earth, they
were way way below the surface, digging

107
00:10:22,720 --> 00:10:31,000
at its core. More specifically,
it was using undocumented calls of the HTTP.sys

108
00:10:31,159 --> 00:10:37,200
driver, which is the Windows driver
that handles all the incoming HTTP requests for

109
00:10:37,240 --> 00:10:43,480
Windows servers. The way that it
happens in the background is that it actually calls

110
00:10:43,799 --> 00:10:48,679
internal functionalities of the operating system that
are not supposed to be used by users

111
00:10:48,159 --> 00:10:54,679
like me and you. Even
programmers shouldn't access those kinds of functionalities directly.

112
00:10:54,639 --> 00:11:01,559
To reiterate, not only were Scarred
Manticore manipulating HTTP.sys, a kernel-level driver

113
00:11:01,759 --> 00:11:07,919
that nobody, even programmers, are
supposed to touch, but they were engaging

114
00:11:07,159 --> 00:11:15,559
with undocumented features within it. Totally
unprecedented stuff because this kind of method,

115
00:11:15,679 --> 00:11:20,320
specifically involving the HTTP.sys driver, was
never observed in the wild, and we

116
00:11:20,440 --> 00:11:24,519
had to try to understand ourselves how
it works and what happens because it's not

117
00:11:24,559 --> 00:11:31,960
documented anywhere. It's not a legitimately
documented functionality of this driver. Specifically,

118
00:11:33,200 --> 00:11:39,840
the malware utilized device input and output
controls, or IOCTLs, which enable an application

119
00:11:39,080 --> 00:11:46,320
to interface directly with a driver.
The attackers had absolutely no business knowing about

120
00:11:46,399 --> 00:11:52,919
the HTTP.sys IOCTLs, and
it allowed their malicious code to skip anything

121
00:11:52,960 --> 00:11:58,720
in between them and this kernel level
driver. This direct line to the heart

122
00:11:58,799 --> 00:12:03,200
of a PC was just powerful.
It made the attack substantially more difficult to

123
00:12:03,399 --> 00:12:13,480
identify and root out. Usually security
measures are monitoring the legitimate kind of calls,

124
00:12:13,519 --> 00:12:18,799
the API calls for such things,
so an advanced attacker usually tries to go

125
00:12:20,440 --> 00:12:24,440
lower in the operating system to try
to utilize those kind of functionalities that are

126
00:12:24,519 --> 00:12:31,399
not legitimate and shouldn't be used
by normal users. If you're not yet

127
00:12:31,480 --> 00:12:37,919
convinced how cutting edge this attack path
was, here's something to consider. We

128
00:12:37,000 --> 00:12:43,559
don't even know how they did all
this. After all their investigating, in collaboration

129
00:12:43,759 --> 00:12:48,720
with a second cybersecurity company as well, Amitai and his colleagues can only take guesses at

130
00:12:48,799 --> 00:12:54,039
how Scarred Manticore managed to get that
kind of access and do what they did.

131
00:12:54,960 --> 00:13:00,759
It's quite hard to tell what was
the process behind it, but they

132
00:13:00,759 --> 00:13:07,639
would eventually need to either reverse engineer
the driver itself to understand the undocumented functionalities

133
00:13:07,679 --> 00:13:13,159
in it, which would require knowledge
and understanding of reverse engineering, or they

134
00:13:13,200 --> 00:13:18,440
could do some trial and error,
which is less likely to be successful.

135
00:13:18,000 --> 00:13:22,840
The way that they carried it out suggests
that they knew exactly what they were doing,

136
00:13:24,159 --> 00:13:28,600
so I would assume they probably had
to reverse engineer some of the Windows

137
00:13:30,279 --> 00:13:39,960
driver. Amid all this groundbreaking technical
wizardry, you might have forgotten that we

138
00:13:39,200 --> 00:13:45,919
haven't even gotten to what the hackers
malware actually did. Yet, it too

139
00:13:46,279 --> 00:13:52,519
did something novel. Picture a bit
of malware latching onto the HTTP.sys

140
00:13:52,639 --> 00:14:00,360
driver like a parasite. By utilizing
the HTTP.sys driver, they were intercepting incoming

141
00:14:00,399 --> 00:14:07,279
connections. The parasitic malware placed just
above the driver intercepted incoming HTTP traffic,

142
00:14:07,679 --> 00:14:11,840
so if a user, say,
visited a website, malware was the first

143
00:14:11,919 --> 00:14:16,440
to know about it. The point
of this, though, was to listen

144
00:14:16,519 --> 00:14:22,519
for a very particular request, a
request with a specific URL prefix defined by

145
00:14:22,559 --> 00:14:26,000
the attackers. If such a URL
was invoked, the malware would intercept the

146
00:14:26,039 --> 00:14:31,519
message, decode it, and from
the HTTP requests initiated by the attackers they

147
00:14:31,559 --> 00:14:37,360
extracted payloads, and in memory they
decrypted those and loaded a set of

148
00:14:37,399 --> 00:14:43,320
shellcodes which appeared to be part of
a larger framework of malware that we dubbed

149
00:14:43,360 --> 00:14:50,320
LionTail. LionTail is the name we'll
use to describe the whole category of malware

150
00:14:50,600 --> 00:14:54,200
used in this campaign, from the
payload loader to the many other tools it

151
00:14:54,320 --> 00:15:03,159
contained therein. Using this framework, they could
carry out a lot of kinds of activities.

152
00:15:03,200 --> 00:15:07,360
We've seen them do credential harvesting,
We've seen them do reconnaissance. We

153
00:15:07,399 --> 00:15:13,559
saw them use this framework to run
commands, running commands, uploading and downloading

154
00:15:13,600 --> 00:15:20,039
files, and various other info stealing
related activities like credential harvesting and lateral movement

155
00:15:20,279 --> 00:15:26,080
over the target network. And being
a framework, LionTail contained some parts

156
00:15:26,200 --> 00:15:30,519
it could invoke or ignore based on
the system it was running on. For

157
00:15:30,559 --> 00:15:35,679
example, one of the back doors
that we reported on is something that we

158
00:15:35,840 --> 00:15:43,320
call LionHead, which is some sort
of web forwarder that is installed on Exchange

159
00:15:43,360 --> 00:15:48,279
servers, and what it does is
actually utilizing the same functionality of the

160
00:15:48,360 --> 00:15:56,879
HTTP.sys driver to forward incoming requests to
specific Exchange endpoints. Essentially, LionHead

161
00:15:58,279 --> 00:16:03,519
was to email what the LionTail
backdoor we described was to HTTP, and by

162
00:16:03,559 --> 00:16:11,120
doing so it allows the threat actor
to easily download mails. The robustness of

163
00:16:11,240 --> 00:16:18,080
LionTail and the remarkable means Scarred
Manticore used to plant it on target systems

164
00:16:18,360 --> 00:16:22,879
allowed the group to run through some
serious victims. The campaigns included attacks across

165
00:16:22,960 --> 00:16:27,480
Israel, Iraq, Jordan, Kuwait, Oman, Saudi Arabia, and the

166
00:16:27,679 --> 00:16:36,399
United Arab Emirates. Each one of
the targets was extremely interesting and very relevant

167
00:16:36,639 --> 00:16:41,320
to the Iranian cause. We're seeing
governmental organizations, we're seeing military organizations,

168
00:16:41,360 --> 00:16:47,120
and we're seeing a lot of telecommunications
organizations that are targeted by Scarred Manticore.

169
00:16:47,159 --> 00:16:52,279
This is very telling of their goals
of collection and espionage. It's not

170
00:16:52,399 --> 00:16:56,919
yet known what the group might have
stolen from any one of these targets,

171
00:16:57,480 --> 00:17:03,960
but these details are almost beside the
point. Some of those targets were interesting

172
00:17:03,960 --> 00:17:08,920
also in that aspect that you wouldn't
think it's very easy to infiltrate those kind

173
00:17:08,920 --> 00:17:12,920
of organizations. I'm sure it wasn't
easy, but those guys managed to do

174
00:17:14,000 --> 00:17:19,279
so, which indicates how good they
are. Scarred Manticore is now very sophisticated,

175
00:17:19,599 --> 00:17:26,000
and that in itself has broader implications. I've been looking at Iranian threat

176
00:17:26,039 --> 00:17:30,079
actors for quite some time, and
I could say that the evolution of Scarred

177
00:17:30,119 --> 00:17:37,359
Manticore specifically is worrying in the sense
that they are starting to create, like, custom

178
00:17:37,480 --> 00:17:44,359
tools that are not trivial. Even
if Iranian actors in the past have created

179
00:17:44,400 --> 00:17:48,359
their own tools, they were always, you
know, a little bit more of the

180
00:17:48,440 --> 00:17:52,079
same. You had backdoors that are
more sophisticated. Some of them started to

181
00:17:52,200 --> 00:17:59,319
use like emails as exfiltration channel in
the more sophisticated one. But seeing this

182
00:17:59,640 --> 00:18:04,799
actor that utilizes undocumented functionalities of
drivers, for example, is something that

183
00:18:06,240 --> 00:18:11,039
I haven't seen personally in any Iranian
group. And considering the fact that we

184
00:18:11,200 --> 00:18:15,960
see where it started in twenty nineteen
from an open source webshell to where it

185
00:18:17,000 --> 00:18:23,559
is today, that's quite a thing
to consider. In only four years,

186
00:18:23,759 --> 00:18:30,720
Scarred Manticore went from forgettable to groundbreaking. The impact that could have on the

187
00:18:30,759 --> 00:18:37,440
cybersecurity landscape and geopolitics more generally are
significant because it's not like we're talking about

188
00:18:37,640 --> 00:18:42,599
no way of the size shells here, we have evidence that in the past

189
00:18:42,759 --> 00:18:49,640
their access was actually utilized to conduct
destructive attacks. Certain weapons in Scarred Manticore's

190
00:18:49,640 --> 00:18:56,319
toolset overlap with those used by the
Iranian state hackers known as Homeland Justice in

191
00:18:56,359 --> 00:19:03,200
a campaign against Albania in May of
That case might have appeared like espionage at

192
00:19:03,240 --> 00:19:08,039
first, as the attackers spent over
a year moving within their target networks and

193
00:19:08,200 --> 00:19:15,599
exfiltrating sensitive data, but then all
at once they deployed ransomware and wiper malware,

194
00:19:15,720 --> 00:19:22,839
taking down government websites and services,
posting political messages and leaking sensitive data.

195
00:19:22,960 --> 00:19:30,279
Even those kinds of stealthy attacks and
espionage-motivated threat actors sometimes utilize their

196
00:19:32,000 --> 00:19:37,759
access for destructive means. And that's
important to remember because the fact that this

197
00:19:37,880 --> 00:19:41,400
threat actor has been in your network
and collected information for a certain period of

198
00:19:41,440 --> 00:19:45,920
time does not mean that one day
it won't exploit in your network and like

199
00:19:45,039 --> 00:19:52,000
start deploying wipers and ransomware. And
we've actually seen some indications that this is

200
00:19:52,039 --> 00:19:57,680
happening in Israel as well. We
haven't covered it in the report yet,

201
00:19:57,720 --> 00:20:06,720
but we do know that some of
the confirmed Scarred Manticore victims experienced destructive attacks

202
00:20:06,720 --> 00:20:11,319
in Israel, wiper attacks and leakage,
in some cases using some fake personas.

203
00:20:12,400 --> 00:20:18,960
As Iran lobs cyber bombs into Israel and
the rest of the Middle East, everybody

204
00:20:18,079 --> 00:20:29,359
will be forced to take notice or
else. I think a lot of researchers

205
00:20:29,559 --> 00:20:36,079
don't fully understand the evolution that we're
seeing from Iranian actors over the last few

206
00:20:36,160 --> 00:20:38,920
years. In the realm of like
the Big Four, like Iran, North

207
00:20:40,000 --> 00:20:44,079
Korea, Russia, and China,
Iran has also always looked like

208
00:20:44,119 --> 00:20:49,680
the kitten, the non harming,
very simple, very unsophisticated threat actor,

209
00:20:49,720 --> 00:20:56,279
which was true at a certain point, but I think this one, Scarred Manticore,

210
00:20:56,480 --> 00:21:02,960
completely changes that. I think in
certain aspect it's more sophisticated than a lot

211
00:21:03,000 --> 00:21:07,920
of Chinese, Russian or North Korean
actors that I've analyzed in the past,

212
00:21:10,279 --> 00:21:12,079
and that's important to remember. Like
a lot of times, I had this

213
00:21:12,200 --> 00:21:18,319
debate with my friends over the term
APT like advanced persistent threat, which turned

214
00:21:18,359 --> 00:21:25,680
into a name for any state sponsored
actor in the cyber threat intelligence field,

215
00:21:25,680 --> 00:21:30,759
but originally meant like very advanced attackers. And my friends who aren't really deep

216
00:21:30,799 --> 00:21:36,799
into intelligence are like, you can't
call Iranian actors APTs because they're not really

217
00:21:36,880 --> 00:21:41,640
advanced, and I think this one
completely shatters this perception of Iranian actors.

218
00:21:48,279 --> 00:21:52,440
That's it for this episode. Thank
you for listening. For past episodes,

219
00:21:52,559 --> 00:21:59,200
visit Check Point Research's blog at research dot
checkpoint dot com, and you can follow Check Point

220
00:21:59,240 --> 00:22:03,680
Research on there, or follow me at
@ranlevi. That's R-A-N,

221
00:22:03,960 --> 00:22:07,359
L-E-V-I. CPRadio is
produced by PI Media, written by

222
00:22:07,440 --> 00:22:12,680
Nate Nelson, produced by Hila Shemish, and edited and narrated by Ran Levi.

223
00:22:14,119 --> 00:22:22,160
See you next time. Bye bye.
