Join @austinlarsen.me and me next Tuesday for a deep-dive into PRC-nexus threat actor capabilities! Learn about advanced social engineering tactics, novel malware delivery, and strategies to defend your organization. www.brighttalk.com/webcast/7451...

A story in two acts

Major Update: We now believe this incident impacts other Salesloft Drift integrations, not just Salesforce. We’re advising Salesloft Drift customers to treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised.

A threat actor (UNC6395) is accessing Salesforce accounts and data through the Salesloft Drift AI chat agent cloud.google.com/blog/topics/...

An actor we are tracking as UNC6395 is targeting Salesforce customer instances through compromised OAuth tokens associated with the Salesloft Drift third-party application. This is ongoing and widespread. cloud.google.com/blog/topics/...

APT folks... is UNC3886 becoming a top-tier actor? www.trendmicro.com/en_us/resear... www.sygnia.co/blog/fire-an... supportportal.juniper.net/s/article/20... cloud.google.com/blog/topics/...

New @mandiant.com research: UNC6032 (Vietnam-nexus actor 🇻🇳) is exploiting interest in AI tools, using fake AI video generator sites & malicious ads to spread malware. The campaign, active since mid-2024, aims to steal credentials, cookies & financial data.

🚨 Heads up! 🚨 APT41 is using Google Calendar 🗓️ as their latest C2 trick. GTIG just pulled back the curtain 🎭 on the TOUGHPROGRESS malware campaign and how we shut it down 💪. Dive into the details here: 🚀https://cloud.google.com/blog/topics/threat-intelligence/apt41-innovative-tactics

Confirming that CISA has stopped using VirusTotal and Censys. "Makes their jobs a lot harder," a person familiar with the matter told me, adding, "There's a possibility that more services might be limited or cut due to budget."

Excellent breakdown of the “Rogue RDP” TTP we’ve seen susp Russian APT UNC5837 using in their campaigns written by my colleague Rohit (@IzySec over on X)

In 25 years of covering national security, I’ve never seen a story like this: Senior Trump officials discussed planning for the U.S. attack on Yemen in a Signal group--and inadvertently added the editor-in-chief of The Atlantic. www.theatlantic.com/politics/arc...

🚨 Following a months-long investigation stemming back to mid-2024, Mandiant just published details on a campaign by China-nexus actor UNC3886 targeting Juniper routers. Our investigation uncovered a custom malware ecosystem on end-of-life Juniper MX devices. cloud.google.com/blog/topics/...

Hundreds protested at the national labs today in Boulder, Colorado. #SaveOurServices #resist #NOAA #NIST #NCAR #ScienceSavesLives

Today was a grim, terrible day for the United States and the cause of democracy. Putin, along with other dictators around the world, can finally look at Trump with confidence and think: one of us. www.theatlantic.com/ideas/archiv...

A 21-year-old U.S. Army soldier linked to last year's Snowflake attack spree allegedly tried to sell stolen data to a foreign intelligence service after searching for information about how to defect to Russia. Hat tip to @nixonnixoff.bsky.social @austinlarsen.me cyberscoop.com/army-soldier...

The no-opsec Army guy who was part of the group that leaked Trump's call logs (and worse, threatened me) google searched how to defect to Russia and "can hacking be treason" 💀💀💀💀 He was never going to get away.

For the US to side with Russia and North Korea to oppose a UN resolution condemning the illegal invasion of Ukraine defies all common sense and adds insult to the countless injuries suffered by the brave Ukrainian people. edition.cnn.com/2025/02/24/p...

Today, Google Threat Intelligence is alerting the community to increasing efforts from several Russia state-aligned threat actors (GRU, FSB, etc.) to compromise Signal Messenger accounts. cloud.google.com/blog/topics/...

DHS has terminated the memberships of everyone on its advisory committees. This includes several cyber committees, like CISA's advisory panel and the Cyber Safety Review Board, which was investigating Salt Typhoon. That review is "dead," person familiar says. www.documentcloud.org/documents/25...

A bug in Cloudflare (and just the nature of how CDNs work) let an attacker learn the broad location of Discord, Signal, Twitter users by just sending them an image, according to a security researcher. It works because check which data center cached the image www.404media.co/cloudflare-i...

"FBI leaders have warned that they believe hackers who broke into AT&T Inc.’s system last year stole months of their agents’ call and text logs, setting off a race within the bureau to protect the identities of confidential informants." www.bloomberg.com/news/article...

🔥 new blog detailing 0day exploitation of Ivanti appliances as well as some newly observed malware families tracked as PHASEJAM and DRYHOOK. We also detail activity related to the previously observed SPAWN* malware ecosystem tied to China-nexus cluster UNC5337. cloud.google.com/blog/topics/...

🚨 New: Zero-day vulnerability #CVE-2025-0282 in Ivanti Connect Secure VPN is being actively exploited, including by suspected China-nexus cyber espionage groups. Our team at Mandiant in partnership with Ivanti just published our initial findings. 🧵 cloud.google.com/blog/topics/...

Probably the most comprehensive narrative to date about the Volt and Salt Typhoon campaigns.

>IQ levels when you are a cybercriminal that tries to extort the president, but you are government property and Krebs is calling your mom :(

Something completely underappreciated in how Google Chrome revolutionized the web and security and software in general — was the silent background auto-update + and non-admin user-level installs. It set a bar that changed everything on ability to make progress & address threats. Broke IT paradigms.

Who wants to be next? (Waifu arrest footage released by WSJ) www.wsj.com/tech/cyberse...

Who wants to be next? (radio edition) www.cbc.ca/listen/live-...

BREAKING: #ExxonMobil lobbyist investigated over hacking of American nonprofits. Hacked material fed PR campaigns & lawsuits against environmental advocacy orgs. Latest chapter in sprawling #infosec & #cybersecurity tale 1/ By @raphae.li & @chrisbing.bsky.social www.reuters.com/business/ene...

Russian spies—likely Russia's GRU intelligence agency—used a new trick to hack a victim in Washington, DC: They remotely infected another network in a building across the street, hijacked a laptop there, then breached the target organization via its Wifi. www.wired.com/story/russia...

EXCLUSIVE: Connor Moucka, the Kitchener, Ont. man accused in the massive Snowflake customer hacking case, mused online about obtaining firearms and carrying out mass killings, authorities allege. www.theglobeandmail.com/business/art...

I’ve been tracking this group including Joel since 2022, great to see this!

NEW: The U.S. government has announced charges against five alleged hackers who targeted several companies stealing millions of dollars in crypto, and corporate data. DOJ says the hackers are part of the infamous Scattered Spider cybercrime group. techcrunch.com/2024/11/20/u...

WIRED has tracked thousands of US military & intel personnel coming & going from classified sites, incl. NSA hubs & nuclear vaults. We know where they sleep, what they eat, and which brothels they visit. It's an ocean of blackmail & national secrets within reach of every spy agency in the world.

Last week a DOJ indictment was unsealed, charging Alexander ‘Connor’ Moucka AKA #UNC5537, and his co-conspirator, John Binns AKA #UNC2978, with 20 counts of conspiracy, computer fraud and abuse, wire fraud, and aggravated identity theft. www.theregister.com/2024/11/12/s...

US confirms China-backed hackers breached telecom providers to steal wiretap data

NEW: The U.S. government accused two hackers of stealing 50 billion customer records from AT&T, including call and text logs. The hackers, Connor Moucka and John Binns, were charged with a series of data breaches linked to cloud giant Snowflake. techcrunch.com/2024/11/12/s...

New from 404 Media: the hacker suspected to be behind the recent wave of Snowflake breaches has been arrested in Canada. The hacker went dark on Telegram last week, started to tell me their origin story. Canada confirmed it’s arrested Connor Moucka www.404media.co/suspected-sn...

New from 404 Media: the walls are closing in on the Snowflake hacker. Mandiant has tracked the hacker for months, had servers shutdown in Ukraine, working with US authorities. I got leaked texts showing how a researcher works on extortions with the hacker www.404media.co/the-walls-ar...

NEW: This is the behind-the-scenes story of how the FBI and Google's Mandiant caught a "serial hacker" who tried to fake his own death to avoid paying child support. Jesse Kipf worked for years as a pro cybercriminal selling access to sites and systems he had hacked. techcrunch.com/2024/10/01/h...

Our team at Mandiant just released details on 🇨🇳 #UNC5325, who exploited CVE-2024-21893 and CVE-2024-21887 to deploy novel malware in an attempt to remain embedded in compromised Ivanti appliances even through factory resets, system upgrades, and patches. www.mandiant.com/resources/bl...

Mandiant’s new blog post provides our latest assessment of North Korea’s 🇰🇵 cyber program and operations in 2023. The shifting DPRK cyber landscape is increasingly characterized by resource sharing and temporary collaboration. www.mandiant.com/resources/bl...

My thoughts on the ridiculous note posted by the ALPHV / BlackCat ransomware group after the attack on MGM Casinos. ransomwaresommelier.com/p/you-are-th...

In the this episode of Geopolitics Decanted, I sat down with Bryan Vorndran, FBI Assistant Director of Cyber Division, to discuss why 702 is by far the most valuable intelligence program of US government. We talked about its successes and compliance issues

Our team at Mandiant just released additional information on the #UNC4841 🇨🇳 espionage campaign that targeted Barracuda ESG appliances. The report includes newly identified malware families, IOCs and details on targeting and attribution.  www.mandiant.com/resources/bl...

#Mandiant is releasing details on a targeted North Korean 🇰🇵 supply chain attack that leveraged JumpCloud. Our investigation at a downstream victim uncovered useful MacOS artifacts, OPSEC fumbles, and continued targeting of cryptocurrency verticals.

Chinese hackers target European embassies with HTML smuggling technique.

huge reporting from some unreal mandiant analysts yesterday that has already garnered official denials 🫠 https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally