Ryan McFarlane
Speaker
Podcast Appearances
I'm the IR practice lead at Trusted Tech, but at the time I was a cyber agent.
I was coming from DC where I spent two years at our National Cyber Investigative Joint Task Force working whole of government counter operations against China and was transferring back to Cleveland and got to Cleveland and the first thing
I ended up getting asked to do was to work with Stacey on this case.
You know, I land in Cleveland and start working this case with Stacey.
And I spent the first, you know, six months to a year just going after all the infrastructure that these actors were using and working with
Attorney's Office in Cleveland and CCIPS to get legal process and a ton of technical coverage on the Bayrob group.
And the Romanian National Police were great.
And they would go and they'd come back and they'd say, you know, we just talked to a really nice school teacher.
And we were sending the Romanian National Police all over Romania.
And they were just, you know, the more doors they knocked on, the more we realized something was going on that we just didn't understand.
Right around this time, we're in pursuit mode, right?
So we're trying to get as much visibility into their infrastructure.
And around this time, we get a data intercept on their systems that are controlling all their malware.
So they had a multi-layer command and control infrastructure
where all the malware was reporting up to the first layer, and then that layer was forwarding on to a couple of servers that were hosted in different places.
And we were able to, as a team, figure out where those servers were located.
We got a data intercept on a couple of these top-level command and control servers, and we were able to see the communications for all the botnet, which meant that we got to see when they updated their malware,