The Gately Report: Todyl IDs Foreign Threat Actors Using U.S.-Based ISPs
The attacks by foreign threat actors are coming from inside the country.
Todyl is tracking foreign threat actors who appear to be using U.S.-based internet service providers (ISPs) to facilitate business email compromise (BEC) scams.
David Langlands, Todyl’s chief security officer, discussed these latest findings, as well as how his company is working with MSPs. Its cloud-first, single-agent platform delivers enterprise security and networking capabilities.
Todyl’s latest report revealed a 558% increase in BEC and account takeover incidents in 2024, with suspected foreign threat actors positioning infrastructure within the United States to evade geographic filters.
The U.S.-based infrastructure has grown from about 6,300 hosts last July to over 8,500 hosts this month, Langlands said.
“They're focusing not just on the United States, but when they do attack U.S.-based customers, they are attacking them from the United States,” he said.
Foreign Threat Actors Using ISPs Hard To Identify
It’s difficult to identify and track this activity because it looks like normal online activity, Langlands said. Therefore, it tends to evade law enforcement.
“It looks just like regular user access,” he said. “So I may send you a phishing email and capture your credentials, and maybe your multifactor authentication (MFA) token, which is a very important part because most of us are using that now. So I'll capture that and I'll immediately go to some other local server and just log in a few times and capture a few of these session tokens, and those session tokens can be reused. They can be reused today, or in some cases, depending on the settings, 30 days from now so I don't have to initiate an attack right away. I just have to continually, slowly log in. That was essentially the activity that we uncovered. Once we uncovered this, it identified a pattern that we've been following. Of course, there are many different solutions that identify this type of activity. We happen to think we have the best.”
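The pattern Langlands describes, a stolen session token replayed slowly from a U.S.-hosted server so that country-based geo filters never trip, can still be caught on the defender's side by looking at the token rather than the country. The following is an added illustration, not Todyl's code or anything from its report: it assumes a sign-in log that records a user, a session identifier, a source IP and a resolved country (constructed sample records below), and flags any session token that is presented from more than one source IP or that is still being used well past the lifetime a legitimate session would normally have.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (hypothetical, not from Todyl's report).
# Every source IP is a U.S. documentation-range address, so a country-based
# geo filter passes all of them; the signal has to come from the token itself.
SIGN_INS = [
    {"ts": "2025-07-01T09:00:00", "user": "alice", "session": "S1", "ip": "198.51.100.10", "country": "US"},
    {"ts": "2025-07-01T09:05:00", "user": "alice", "session": "S1", "ip": "198.51.100.10", "country": "US"},
    # Same token, different host: the replay from a locally hosted server.
    {"ts": "2025-07-03T14:00:00", "user": "alice", "session": "S1", "ip": "203.0.113.25", "country": "US"},
    # Same token again, almost a month later: the "slowly log in" behaviour.
    {"ts": "2025-07-30T09:00:00", "user": "alice", "session": "S1", "ip": "203.0.113.25", "country": "US"},
    # Ordinary user: one token, one IP, short lifetime.
    {"ts": "2025-07-01T10:00:00", "user": "bob", "session": "S2", "ip": "192.0.2.5", "country": "US"},
    {"ts": "2025-07-01T17:30:00", "user": "bob", "session": "S2", "ip": "192.0.2.5", "country": "US"},
]


def parse_ts(ts: str) -> datetime:
    """Parse the ISO-8601 timestamps used in the constructed records."""
    return datetime.fromisoformat(ts)


def find_suspect_sessions(records, max_age=timedelta(days=14)):
    """Group sign-ins by (user, session token) and report tokens that were
    presented from more than one source IP or used beyond max_age.

    Returns a list of alert dicts; an empty list means nothing was flagged.
    """
    by_session = defaultdict(list)
    for rec in records:
        by_session[(rec["user"], rec["session"])].append(rec)

    alerts = []
    for (user, session), rows in by_session.items():
        rows.sort(key=lambda r: parse_ts(r["ts"]))
        ips = sorted({r["ip"] for r in rows})
        age = parse_ts(rows[-1]["ts"]) - parse_ts(rows[0]["ts"])

        reasons = []
        if len(ips) > 1:
            reasons.append("token presented from multiple source IPs")
        if age > max_age:
            reasons.append(f"token still in use after {age.days} days")

        if reasons:
            alerts.append({
                "user": user,
                "session": session,
                "ips": ips,
                "age_days": age.days,
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_suspect_sessions(SIGN_INS):
        print(alert)
```

Both checks are independent of where the source IP geolocates, which is the point: once the attacker's infrastructure sits inside the same country as the victim, the country field in the log carries no information, and the session identifier and its age are what remain to pivot on.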
Todyl’s customer base includes MSPs with hundreds, if not thousands, of customers, so it has a broad view of what’s going on across many different industries, Langlands said.
“That includes defense contractors and many different sectors of the economy, everything from the most secure defense industrial base down to dry cleaners and that sort of thing, something you wouldn't expect to be attacked,” he said. “So the research has really been helpful in uncovering a pattern, being able to identify where else these patterns exist, and being able to track these threat actor groups and how they're using local infrastructure. The fact that the infrastructure isn't getting shut down is the key focus here that we've been most intrigued by. Why aren't the local law enforcement or perhaps federal law enforcement in these particular jurisdictions stepping in and shutting down these systems? So it's an ongoing fight for us.”