This Uber verdict really is going to destroy CISO positions. If one can brief legal, obtain approval by the CEO, & still be hung out to dry for response actions that a hundred other firms have likely taken with far less structural cover, then there can't be enough $$ to sign on
TFW you are passing through a border police checkpoint and the screen is merely showing “exploit.bat”.
@ANSSI_FR may wish to look at network at CDG airport.
Unconfirmed reports from ransomware continuing criminal enterprise that a major technology sector victim has executed reciprocal intrusion, encrypting threat actor's own infrastructure. Not the first private sector CCO if true, just rare example where adversary acknowledges
A lot of cyber intel shops are in wartime ops tempo for the first time. Remember mandatory rest cycles. Keep in mind battlefield rhythms in combatants time zone, & across their reachback teams. Rotate folks that are up, & make sure formal handoff briefs happen. It gets worse yet
The uninitiated reacting to Linux mailing list exchanges, for the first time realizing that one of the most complex things ever built by human hands that drives their phone, entertainment, car, banking, medical care, food & retail, power, & water exists because one man…
The number of replies in this thread that fail to recognize the unprecedented nature of criminal charges for a dispute over the extent of incident disclosure, imposed retroactively, is precisely why future CISO candidates will be watching reactions to this case & walk away
@mr_james_c Butlerian jihad consequences. Mentat capacity becomes bottleneck to complex financial instruments. Otherwise calculating variables across interstellar distances and at generational time scales of an ossified feudalist empire becomes impossible.
If you are watching more than a half million dollars change hands for a jpg, you are looking at money laundering, or something so close to it as to be functionally indistinguishable.
The full cryptanalytic story behind these intercepts & breaks is likely to be groundbreaking. The use of such intelligence in this context is also nearly unprecedented.
In a long, encrypted phone call (apparently not too well encrypted), Putin aide Surkov coaches Boroday, and takes requests from him. They both laugh after Boroday explains Donetsk is a "humanitarian disaster" that will need to survive on Russian aid.
@AmyZegart It was not OSINT that led to this. It was uncritical media simply relaying adversary propaganda issued within minutes of events. As in many earlier cases. This time they were called on it.
Russian legalization of software piracy 🏴☠️ in the face of de facto economic blockade has very different meaning in cloud era, will effectively require ongoing intrusion to sustain some options. Anticipate state support & new ops initiated against novel target problems.
Offensive implant devs seem to have a new option to avoid high bandwidth exfil of full audio take from compromised targets by generating automated transcripts at the endpoint. Pair with lightweight selectors to flag topics in selected segments for priority review. P&E to edge
Interesting analysis. I would argue however it is not that GRU is suddenly incompetent, but rather that their tradecraft had never really been tested by the contemporary ops environment in a way that had forced US & other services to evolve. First time facing new realities
"There are two possible explanations for an apparent operational breakdown of this scale: either one of the most elite elements within the GRU has become grossly incompetent, or the Kremlin has been scattering breadcrumbs deliberately."
First the story about alleged covert action against Nord Stream supposedly involves a whole fleet exercise & fancy new sonar tech built for purpose. Now the tale shifts to something about a yacht with a commando crew. Next we are gonna find out it was a drunken fisherman’s boat…
The mental gymnastics required of those who wish to downplay or ignore offensive cyber ops in Ukraine are becoming increasingly elaborate. Especially as delay in reporting of more recent incidents, & continued limited victimology disclosure, impose greater lag in intel picture
Perhaps if some 30K+ vehicles had not been abandoned in Afghanistan we would not have to debate how quickly DOD recapitalized its transport for electric. Especially given the far higher priority spend for things that will be needed for fight in Pacific mud, jungle, & salt water
Given magnitude of current public health crisis, it is well past time to consider prompt .mil responses to ransomware against medical sector targets. Up to & including options for lethal kinetic actions. Break a hospital for profit during pandemic & be treated like a war criminal
The Russian military is used to thinking about fighting those who have to go to war with the equipment they have. Facing an agile, responsive group of hardcore engineers that can ship updates under fire to gear that is built for this is simply outside of their military experience
@SpacePadreIsle Some Starlink terminals near conflict areas were being jammed for several hours at a time. Our latest software update bypasses the jamming. Am curious to see what’s next!
Every time one sees an official advocating for a ransomware payment ban, the correct response is not to debate the policy failure modes that result from such a proposal. It is to call out that having failed to provide for the common defense & thereby abdicated Westphalian…
@Dave_Maynor Criminal verdicts make this an entirely different proposition. Esp when the lawyer that was intended to keep proposed courses of action within boundaries of what was permissible is granted immunity, whilst GC maintains plausible deniability.
Pleased to note that my paper on "Offensive Cyber Operations and Future Littoral Operating Concepts" has been published in Military Cyber Affairs. Given the recent focus on ships fighting forts, it is more timely than expected when the research started.
It seems we are apparently now less than a generation out from an autonomous UAV swarm tracing a Langford fractal over a major urban area. Mass basilisk stare as performance art, via poison pen culture jamming of political / corporate advertising
If the international community wanted to be serious about hostage release it would not be talking payment & concessions but rather countervalue economic targeting of HAMAS leadership finance, including through offensive cyber ops, for every soul abducted every day held
Seeing tactical COMINT from the battlefield routinely published openly by a state service engaged in active combat within 48-72 hours of collect will never cease to be entirely surprising. This is a level of visibility unprecedented in war since the introduction of signal service
That moment when CNO & illegals programs are burned so hard in the same week that it costs the CPC a consulate, & station is forced to execute a crash teardown.
@HoustonFire responded to reports of fires breaking out inside the consulate, but were not able to enter because of Chinese sovereignty.
Chinese officials were reportedly burning documents in the consulate's courtyard.
The fact that the former Oculus business unit could not provide their executives with advanced warning of design form & tech specs for the most significant new entry to the VR / AR marketplace is perhaps the worst competitive intel failure acknowledged in quite some time.
Irregular warfare in Russian rear lines, & associated disputes between mercenary warlords, is giving off some serious early 1600s vibes right now. More than half expecting another False Dmitri to emerge, cementing a neo smuta.
One suspects that attempts to purge open source offensive tooling from common public code repositories may well merely worsen the current proliferation problem space through greater information asymmetries, & opportunities for adversaries to abuse more closely knit red team COI
Ultimately these cases come about because of abdication of government responsibility to protect the trade & industry within their states. Government monopoly on legitimate violence, even virtual, is granted by contract to defend those who forgo own recourse. Abandon this at peril
Further evidence in the revolution in intelligence affairs, as commercial space situational awareness tracks what they assess is an attempted clandestine deployment of an overhead ELINT satellite. One infers that TsNIRTI & ROSCOSMOS will be forced to react in future launches.
⚠️ We've detected a secondary object in close proximity to Object C, a payload released by Russian satellite COSMOS 2570 around October 30.
Our radar measurements indicate that this newest object was released by Object C, possibly on November 23 at 14:00 UTC.
This floor-to-ceiling diagram, known as a Morrison Wall, was created by Bletchley Park's SIXTA team.
SIXTA were tasked with mapping enemy communications, figuring out who was talking to who.
You can find out more about SIXTA over on our podcast ⬇️
If Google can’t stop its serial product murder spree from killing something as fundamental as domain services, there is almost no chance that it will sustain expensive, esoteric AI platforms should customers be foolish enough to anchor mission critical functions to empty hope
I have been struggling for more than a week to find any words that would do justice to the loss we have suffered in the death of @Calaquendi44. She was the best of us.
When speaking of the fragility of capabilities pipelines her work was so often the illustrative case, as she…
Case also illustrates several fallacies of common strawman arguments against private sector hackback. Targets can be identified, & collateral damage can be avoided with professional planning & execution. Motivations are not merely revenge, & outcomes are not simply emotional lvl
Since there is much focus today on evaluating long range estimative accuracy, let us look back at 1923 forecasts of war in 2023. Starting of course with prehistory of cyber, in one of the earliest assessments of SIGINT strategic value: which could have been written about RUS-UKR
From victim's perspective, this is a damage limitation operation. It prevents leaks for further extortion pressure, reduces potential loss of proprietary info & trade secrets, & provides strong bargaining leverage in negotiations with criminal actor
I am pleased to note that my article looking at conditions under which counter-cyber operations may risk escalation has been published in @Intel_IJIC. It explores multiple scenarios in which loss of espionage & direct action access in crisis might lead to war
Folks studying contested logistics ought well take note of port protests over past few days. & expect exponentially worse on first days of next war, as cadres & fellow travelers are mobilized to make good on those longstanding paychecks at what will be the worst time for delays…
I remain uninterested in analysis of cyber threats that does not actually look at any hostile observables. Making word clouds out of Beltway fog does not produce insight. Nor do attempts to mash various glossy statistics together absent any understanding of underlying incidents
Once again live cases entirely invalidate the argument for mandated backdoors. Sufficient investment in the cryptanalytic & offensive cyber enterprise, for use solely against narrowly selected targets, can & will meet mission requirements without arbitrary insecurity by gov fiat
One bug was introduced by iOS 6. Another one was introduced by iOS 3. That is, this grandpa bug also affects the very first generation of iPhone. It has survived more than 10 years. Honestly I don’t believe that I’m the first one who found this.
Dying for the needs of the service is easy. Doing more than twenty years in gulag because the adversary turned the asset you were trying to save is a whole different level of hard. Never forget the sacrifices of those who came before.
#OTD 1952, @CIA officers John Downey and Richard Fecteau were shot down in a C47 over China trying to exfiltrate an agent. Unknown to them, the agent had been captured & turned to lay a trap. Both officers were captured by China. Fecteau was released in 1971, Downey in 1973.
The detail that jumps out the most in this new revisionist tale is the supposed detection of explosive residue on a table aboard a yacht. & no journalist thought to ask the basic question of how such residue would be transferred from a properly waterproofed IED to said table.
Expect similar lawfare tactics to expand to cyber threat intel firms attributing intrusions to .cn nexus actors. Truth is an absolute defense, but the process is punishment.
Breaking: Beijing threatens to sue me for libel (slander). An unprecedented threat against a foreign academic. Also likely designed to intimidate media outlets & others re collaborating with me, or doing similar research. Attempt to isolate myself (and ASPI).
Long term cognitive corrosion: Search is increasingly just broken. Censorship, bots, & manually interactive malign influence campaigns poison what little discourse is possible in narrow slivers of ad-choked UI. Subscription services outputs have fallen, & become ever more shallow
That employees of a firm working on behalf of sanctioned state intel services for a regime engaged in a war of territorial aggression are allowed to attend a cybersecurity industry conference unchallenged by organizers or other attendees is a travesty. This does not get better…
It says something about the anticipated level of coming civil unrest when sophisticated denial & deception to protect critical infrastructure not only makes sense but immediately inspires further demand.
Unexpectedly an entire generation of hackers suddenly had serious financial incentives to upskill on GPU driver reversing & modification (even if only to cash cryptobro paychecks). Will likely be able to trace the genesis of many future firmware implants found downstream ITW here
Pleased to see that a new article by Richard Aldrich and me has just dropped open access in @IntelNatSecJnl. Here we look at the declassified record of @GCHQ in securing Project Spaceman, an early UK MoD mainframe built by ICL
Exceptionally excited to see @Maxwsmeets & @BobbyChesney book looking at cyber as an intelligence contest now in hardcopy from @Georgetown_UP. I am honoured to have contributed a chapter assessing private actors who are involved in cyber conflict “by way of necessity”.
NBD, just a researcher at #CYBERWARCON disclosing APT28 attributed compromise of SATCOM with impact to natural gas pipeline operators in spring of this year… your shop did have this targeting interest on your I&W matrix before threat action was disclosed, didn’t you?
@MicroSFF The basic function for wormable malware delivery, invented in arcane form. The curse payload that follows becomes more interesting thereafter...
@RidT Re intel visibility, one may also suggest that whatever window that offered this insight may now be closed, given willingness to leverage in indictments. Or the stakes of impressing upon the Kremlin the degree of which they have been burned matter more, to prevent new adventurism
Somewhere an officer or analyst needs to hear this: You may one day find yourself the repository of unique insight on tradecraft or target. Do not let others hold you back from cultivating & sharing properly. Keep pushing one day your work may be more pivotal than you can imagine
The Starlink constellation reaching the 3500 sat threshold this week with little fanfare seems to at last prove retroactively that BRILLIANT PEBBLES was a viable concept of operations, & that marginal cost ratios could be met. What if the adversary leverages this knowledge first?
In the 90s, concern over possible deliberate maritime oil release due to ongoing Middle East conflict prompted a standing DOD mission to monitor & prepare crisis response options. By the 20s, just another day in ongoing .sy war, tracked in OSINT via overhead multispectral & SAR
We're continuing to monitor the oil spill from Baniyas in #Syria and the cross-boundary marine pollution risk for Cyprus and Turkey coasts. Here's the latest @sentinel_hub S-1 SAR imagery from Sept 4 & 5 showing the oil steamers moving north and west due to wind and currents
Several shipping containers worth of autonomous Skyborg / Loyal Wingman UCAVs strapped to the deck of light amphibs in disaggregated ops are likely to prove more decisive in the war that is coming than entire carrier strike groups
The first decisive indication that classical encryption algorithms have been broken by novel quantum cryptanalytic attack will almost certainly be a large number of dead human intelligence assets
Not just Vietnam era. Somewhere there is a picture of me & some folks circa mid 90s running RHIBs in an exercise against a nuclear power facility, all wearing woodland over (rather muddy) jeans; after a long night supporting insertion & exfil of the cool kids.
During the Vietnam War, it was not uncommon for U.S. Navy SEALs to wear blue jeans in combat. In the jungle environment, the SEALs found that Levi's jeans were more comfortable and durable than their issued fatigue pants. Plus it made a fierce fashion statement. #FunFactFriday
Tired: F-22 as an exquisite sensor that brings unprecedented situational awareness to ensure battlespace dominance
Wired: Conflicting pilot accounts prevent DOD from describing unknown contact engaged over domestic airspace
Inspired: Commercial overhead IMINT platforms weigh in?
Imagine an alternate history in which Germany possessed not only energy security & resilience but also a sufficiently robust offensive cyber program to hold .ru gas infrastructure at risk, as mutual counter-value response to attempted economic coercion.
A new issue of @Intel_IJIC has finalized. For those folks obsessed with Russian intelligence service behavior, includes a look at doctrine & practice for operational games & combinations towards disinformation objectives.
When researchers said no more free bugs, they were serious. This includes red teams. If vendors fail to appropriately incentivize disclosure against prevailing market rates, somebody is gonna pay the bills.
Given Hamas operational history delivering incendiary devices via balloon, one cannot rule out that airport “protest” may serve as a dry run for attack against flights. Whether on approach or departure, or on flight line (especially when fueling). Calls for immediate anti…
If as an intelligence professional you spend your time yelling about politics in public & industry forums, do not be surprised when one day you find your product ignored, because consumers & leadership remember comportment, or lack thereof. Politicization will be presumed to have…
I am starting to believe the Russian army might well lose this thing. It is perhaps one of the most dramatic reversals of fortune in war in history. & it essentially happens 1st as an intelligence victory. The prospect of VVP desperate in defeat may be worse than if he had won.
Tactical SIGINT along the M2 highway is almost certainly the highest priority collection target in the world... One wonders how many FSB officers remain sober to even work the mission...
Given open source reporting that FSB had multiple days warning of imminent action by PMC Wagner forces, it seems sustained intrusion operations likely provided the highest measure of advantage. Whether this was squandered by decisionmakers will await history's judgement
Gang warfare is the wrong analogy to what we have seen over the past 24 hours. It is a simple argument seductive in its reductionism. But this elides the complex military dimensions of the organizations supporting both factions wielding a kind of sovereignty we have not grappled…
The effective global blockade developing against Russia is increasingly at the network & financial levels a thing of private sector power, independent of state policy. Counterparty risk decisions cannot tolerate regime destabilizing order. But makes offramps harder to negotiate
Estimates of Russian offensive cyber retaliation should no longer be framed as a reaction to the problem of sanctions, but rather as now shifting to a profoundly more existential problem of contesting de facto blockade warfare. Because Kremlin planners likely perceive it this way
If your live fire exercise is not an over the horizon engagement under denied spectrum where ISR target custody is actively contested by deception & where you face wicked weaponeering problems against multiple targets due to munitions shortages, & have to account for aggressive…
Someone needs to coin a new term for “false flag” m-type deception supporting lawfare with deliberately scoped blowback intent. The old saw “let’s you & him fight” does not seem to do this justice.
The first season of @GreatDismal's The Peripheral ends, & suddenly @NCA_UK is announcing raids as crackdown on the klept? Seems like some folks might now be determined to reshape this present stub in light of imagined futures...
For those only now catching up on the Predatory Sparrow campaign, you may find of interest earlier analysis of the actors’ signaling, restraint, & efforts towards responsible offensive ops.
Anticipated nationalization of Russian aviation assets whose current operations have been rendered untenable due to developing economic blockade will likely drive immediate tactical req for intrusion against manufacturer networks, as part of surge needs towards Moscow's own juche
It should not be a surprise that when the cyber threat intel ecosystem has prioritized finding novelty in new binary artifacts above all other reporting prioritization criteria, adversary adapts to the least interesting access modes in living off the land
Since revision of certain authorities is back in the news, it is a useful moment to consider how the debate over US government policy options & the realities of process came to be. It appears less may now change than critics anticipated, but there are solid apolitical reasons why
Seeing extreme sports influencer midair videos of wing suit drop on long glide path off the coast of Venezuela & it perhaps makes The Peripheral one of the most accurate @GreatDismal predictions of cover for action for JSOC clandestine insertion one could have ever written
When the debate over cyberwar in Ukraine has gone so far off the rails that NATO intelligence feels the need to publicly correct the record… an overdue but much needed contribution that one is glad to see.
The product I most wish cyber intel shops would publish is evaluation of their own collection coverage & analytic production performance. Forcing formal review of known misses creates basis for gap analysis in later FINTEL. But increasingly clear this isn’t even done internally
@Aviation_Intel High condensation conditions would be precisely the reason why these would not be suitable for zero defect mission critical applications. Form factor is one thing, component specification another.
Lockbit claim of hit on TSMC certainly requires skepticism until extent of impact, if any, is known. But this is a good opportunity for many shops, & mission planners, to evaluate day 1 wartime scenarios.
Who among us has not been so lucky as to have the host nation police service destroy one’s forgotten stingray as a suspected IED after having been caught after two too many bottles of good vin in Paris? Can only imagine how many fingers are crossed hoping antiforensics works
A note on analytic distinctions: APT44 / SANDWORM / VOODOO BEAR is not merely a sabotage unit, although this is among their missions. They are also a cyberwarfare unit, in both Russian and US doctrine. Let us not forget what they intend when they come out to fight.
Russian paranoia about Starlink constellations as a de facto on orbit ASAT / space control architecture was just increased by several thousand basis points.
Simple rule for threat intel. If you write on an activity cluster more than 3 times, or brief to senior leaders even once, it needs a descriptive cryptonym. Not arbitrary numerical designators. Executive level audiences simply will not remember, or even care, about your UNC or TG
The Olympic drone swarm seems as much a soft power demonstration of dual purpose capability as art. Cyberpunk dystopian technology visualized at the most militarized border.
If your cyber intel shop is not already working on estimating reactions to .cn chip industry wide “decapitation” as a result of sweeping new export control restrictions, it is already late to need. Almost certain that MSS, PLA, & contractor planners are working on FUOPS surge…