bk (Ben Koehl)

456 posts


@bkMSFT

Partner Director of Threat Intelligence at @Microsoft Threat Intelligence Center (MSTIC).

Everywhere · Joined March 2018
794 Following · 3.2K Followers
bk (Ben Koehl) retweeted
State of Statecraft Conference
State of Statecraft (SOS) is a new security and intelligence conference purposed to bring together observers of espionage, sabotage, influence, and other unique forms of covert statecraft to share their work with a community hyper-focused on tackling state-sponsored ops.
bk (Ben Koehl) retweeted
Ramin Nafisi
Ramin Nafisi@MalwareRE·
Do you find analyzing Rust binaries/malware tedious and unpleasant? You’re not alone! If you’re attending #REcon this year, our own @hackingump1 will be unveiling #RIFT today at 2PM EST (not at REcon? We got you covered, stay tuned). We have been using RIFT internally for some time and it has truly transformed the way we handle and analyze Rust binaries. cfp.recon.cx/recon-2025/tal… #RIFT #Rust #REon25 #MSTIC #MIRAGE
Florian Roth ⚡️
Florian Roth ⚡️@cyb3rops·
Reading Microsoft’s new Void Blizzard report, one thing stands out (again): Everything is about credential theft, phishing, and tokens. Initial access comes from buying or stealing creds - often through low-effort phishing. All the real action happens in the cloud, not on endpoints. Gone are the days of multi-stage attacks where you’d see lateral movement, privilege escalation, or fancy malware on file servers. Now it’s just: steal creds, log in to cloud, exfiltrate data, repeat. Detection? Only possible if you have access to expensive cloud logs. No logs, no chance. The perimeter has shifted from endpoints to identity. The detection surface shrank from your whole network down to some logs you might get from your cloud provider if you pay extra. Honestly, not sure if that’s “progress” or just shifting the visibility problem somewhere else.
Microsoft Threat Intelligence@MsftSecIntel

Microsoft has discovered worldwide cloud abuse activity by new Russia-affiliated threat actor Void Blizzard (LAUNDRY BEAR), whose cyberespionage activity targets gov't, defense, transportation, media, NGO, and healthcare in Europe and North America. msft.it/6011S9JpN

bk (Ben Koehl) retweeted
FBI
FBI@FBI·
In 2024, FBI and our partners raised the alarm about China’s hacking of US telecommunications infrastructure. This year, we’re going after the individuals responsible for the intrusions. If you have information about Salt Typhoon, we want to hear from you: ic3.gov/PSA/2025/PSA25… ______________________________ In 2024, the FBI and our partners issued a warning about Chinese hackers’ intrusions into US telecommunications systems. This year, we plan to bring those who carried out the intrusions to justice. If you have any information about Salt Typhoon, we hope you will contact us: ic3.gov/PSA/2025/PSA25…
bk (Ben Koehl) retweeted
John Lambert
John Lambert@JohnLaTwC·
Come help me create mechanical advantage in defense. If you love threat hunting, learning from incidents, building new ways to find attackers, and empowering others, this may be the perfect job for you. Help expand defense from the relational world of hunting to graphs, anomalies, embeddings, and beyond. This is a hands-on role. You will be hunting, creating, and applying. You will be using your ideas on current incidents helping us gain speed on attackers. Due to the collaborative nature of the work, I am only considering US working hours/time zone for this position. #msftsecurity #jobs #security #securityresearch Principal Security Researcher Redmond, Washington, United States ➡️jobs.careers.microsoft.com/global/en/job/…
bk (Ben Koehl) retweeted
HITCON
HITCON@HacksInTaiwan·
SINCON 2025 is coming! 🚀 As a proud partner of HITCON, we invite you to explore cutting-edge cybersecurity at SINCON 2025! 📅 22-23 May 2025 | 📍 voco Orchard, SG 💡 Use “SINCON25-SUPPORTER” for S$100 off! 🔗infosec-city.com/sin-25
bk (Ben Koehl)
bk (Ben Koehl)@bkMSFT·
Come work with me and the team! We have a large global team focused on extremely interesting work with a large opportunity to have impact. Principal Security Researcher (US) jobs.careers.microsoft.com/global/en/shar… Do you enjoy security research?
Nick Carr@ItsReallyNick

I'm told we are hiring in MSTIC: aka.ms/msticjobs Come for the data, stay for the data. Creative problem solvers have the most impact. If we've worked together, I'm happy to refer you. But...

bk (Ben Koehl) retweeted
CYBERWARCON
CYBERWARCON@CYBERWARCON·
🚨 Speaker Spotlight 🚨 Join us at #CYBERWARCON to hear from James Elliott, a seasoned expert with 25+ years of experience! Currently at MSTIC, James has built threat intel teams for the DoD and private sector. 🎟️ Don't miss out! Get your tickets now: cyberwarcon.com
bk (Ben Koehl) retweeted
Austin Baker
Austin Baker@BakedSec·
It simplifies the process of keeping analyst work and notes in a structured and queryable format AND allows that work to be reflected to analysts perusing the same data as soon as it's recorded. Tag, bag, comment, feed to automation - whatever your needs are.
bk (Ben Koehl) retweeted
billy leonard
billy leonard@billyleonard·
🆕🚨 analysis from @Google on APT42 activity against 🇺🇸 and 🇮🇱. A ton of work from folks over the past few months dedicated to protecting users disrupting campaigns, and making life hard for the actors. More to come! blog.google/threat-analysi…
bk (Ben Koehl)
bk (Ben Koehl)@bkMSFT·
Back then, that was definitely one of the most interesting courses of action I had seen. Some countries would write blogs, work with others to out the activity, maybe name the specific actors, arrest people, etc. I believe there was also an official tweet that covered this. Maybe an act of demonstrating escalation dominance? I think the actor at the time was either “benny” or “Adam Swift”?
Dan Kelly
Dan Kelly@int0x00·
Since it turns out there's interest in cyber war stories, let me give you a cyber and war story combined and drop another bomb. Literally speaking. This is most topical as it covers Israel's (Air Force) air strike carried out on Hamas "cyber HQ" in 2019. I want to heavily caveat this by saying: I am not saying the below is the reason why the strike was conducted. This is just my personal opinion based on the data I had available to me at the time and could be very far from the truth. But I am going to address a very important issue, and that's kinetic strikes in retaliation for cyber attacks. For those who didn't hear about it, check here: timesofisrael.com/idf-says-it-th… To set the scene let me describe real-world happenings around the time. Hamas were firing rockets into Israel and Israel's "Iron Dome" system was being used to intercept said rockets, and was seemingly quite successful in doing so. At the time I had zero interest in this and was going about research trying to find state actors. One day I came across a C2 that had just been set up and was running the BeEF framework. This was relatively uninteresting, but it had been a pretty slow week (research is like that) so I decided to put some time in. Beyond looking at the overall setup of the box (which was fairly thin beyond BeEF) I started to look at the victims who were beaconing in. Weirdly, there weren't many but they were all located in Israel. Without connecting real-world events with this I continued research to identify the victims. (pro tip: victimology plays a part in attribution and is always worth following). One was a university in Israel, the second I couldn't find out (and gave up on) and the third.... well.... was surprising to say the least. I'm not going to name the org or give too many details here, but the org had direct influence over how the Iron Dome operated. I'm leaving out a lot in this part. To settle a hunch I started to look at the actor's side of comms.
Yeah, right out of PS (at least when they failed to connect to their VPN). At this point no strikes had been carried out and so I noted down all the details for later reporting and went on with my day. Around 12 hours later the IDF carried out the air strike on Hamas "cyber HQ", which at the time got major attention from international media and of course resulted in a lot of "expert opinions" and crying on Twitter. Whether or not this exact action triggered Israel's air strike I will never know. I doubt it. But one thing is abundantly clear: Hamas were targeting the Iron Dome interception system at the same time they were pounding civilian towns/cities with rockets. I'm going to stop right here before I give you my personal opinion as to whether I think the air strike was morally right or not. Actually I will. Yes, and I'd do the same thing - get the F out of civil defence systems. The following day Hamas fired a further ~700 rockets into Israel. All but a few were stopped by the Iron Dome. Actions have consequences. Hamas are lucky the IDF warned them before carrying out the strike. Most countries wouldn't. Again, this is just my little view of goings on around that time.
bk (Ben Koehl) retweeted
CYBERWARCON
CYBERWARCON@CYBERWARCON·
🗓️ SAVE THE DATE: 11.22.24 #CYBERWARCON is a one-day conference focused on the specter of destruction, disruption, and malicious influence on our society through cyber capabilities. ⚡ For CFP updates, sign up to subscribe on our website: cyberwarcon.com!
bk (Ben Koehl)
bk (Ben Koehl)@bkMSFT·
Persistent: Gingham Typhoon has continuously targeted Australia for years. They also ebb and flow to different countries in the region as strategically important issues drive collection efforts. You may run into Raspberry Typhoon activity during the same investigations, as both appear to have a small overlap in targeting. cyber.gov.au/about-us/view-… 👏to @ASDGovAu for releasing information on their activity.