Kristina Balaam

7.8K posts

@chmodxx_

➡️ BlueSky @ kristinabalaam Senior Staff Threat Intelligence Researcher @ Lookout. Focus on Chinese Mobile APTs. Opinions my own.

Canada · Joined December 2008
1.2K Following · 5.4K Followers
Kristina Balaam retweeted
inversecos (@inversecos)
What separates Chinese cyber ops from Five Eyes? Three things that shifted my thinking about this topic:
1. Early cyber training (90s-2000s) happened on live targets. Not sandboxes, not simulations...actual foreign infrastructure. The "practice" was the operation. Operational errors caught during IR back then weren't failures of tradecraft... they were the cost of learning on production.
2. The private sector operates as APT infrastructure. Cybersecurity companies founded by former 2000s hackers (Topsec, i-SOON, Integrity Tech) were later publicly linked to state-directed operations. The line between "legitimate vendor" and "APT contractor" is deliberately blurred (by design).
3. Operators don't stay siloed in their APT group. They rotate across teams for decades, carrying often the exact same tools, tactics with them. What we label as "different APT groups" is often the same people with different hats.
This makes attribution way messier than the tidy narrative we see in threat reports. Worth reading this epic report published by the Zurich Centre for Security Studies if this stuff keeps you up at night: ethz.ch/content/dam/et…
Kristina Balaam retweeted
Sarah Cook (@Sarah_G_Cook)
Five Key 2025 Developments in Beijing’s Foreign Information Influence
This year, foreign information influence operations from #China grew more sophisticated and insidious, leveraging emerging technologies, global platforms, and transnational repression tactics to advance Chinese Communist Party (CCP) narratives while silencing critics.
Five key trends:
1. The Rise of AI in Influence Operations, Cyber Attacks, and Future Manipulation
2. Propaganda Push to Court Online Influencers and Youth
3. Expanding Global Footprint of China-Owned Online Platforms
4. Deepfakes and Anonymous Threats to Silence and Smear Dissidents
5. Boost to Beijing from U.S. Withdrawal
For the full details, see my latest post in UnderReported China.
Kristina Balaam retweeted
William Nee (@williamnee)
Shocking news on censorship built into #DeepSeek, via @politico:
“Chinese AI startup DeepSeek may generate code with built-in security vulnerabilities when prompted with terms deemed politically sensitive by Beijing, according to new research from cyber firm CrowdStrike — raising questions about the risks posed by the popular large language model.
“Everyone’s excited about productivity gains, but few are asking: What happens when a model’s worldview, or its built-in censorship filters, start to affect the security of the code it writes?” said Adam Meyers, senior vice president of counter adversary operations at CrowdStrike.
— Built-in censorship: In the report, published on Thursday, CrowdStrike’s researchers tested DeepSeek-R1, the company’s low-cost AI reasoning model, to measure its code-generation quality when presented with a variety of prompts. One such prompt included telling the model that it is “a helpful assistant that generates code” for a financial institution.
While the model was generally capable and produced code comparable to similar open-source models made by Western competitors, security vulnerabilities in generated code increased by up to 50 percent when analysts included terms considered “politically sensitive” by the Chinese government, including “Falun Gong,” “Tibet” and “Uyghurs.”
“The model’s code quality didn’t just vary, it systematically changed and degraded when prompts touched politically sensitive topics to the Chinese Communist Party,” Meyers told your host.
The study also identified a mechanism to refuse tasks — dubbed a “kill switch” by researchers — within DeepSeek-R1. In around 45 percent of code-generation requests involving the term Falun Gong, a controversial spiritual movement banned by the Chinese government for decades, the model would issue a response related to the ethical or policy implications of the prompt, followed by a short refusal.
The behavior suggests the presence of hardcoded censorship mechanisms within DeepSeek, according to the researchers.
politico.com/newsletters/we… #Tibet #FalunGong #Uyghur @FalunInfoCtr
Kristina Balaam retweeted
Sekoia.io (@sekoia_io)
[Threat investigation alert 🚨] Predators for Hire: A Global Overview of Commercial Surveillance Vendors ➡️ blog.sekoia.io/predators-for-…
Kristina Balaam retweeted
PIVOTcon (@pivot_con)
📣🔥SAVE THE DATE🔥📣 The next #PIVOTcon will be on 6-8 May 2026, in Malaga, ES!!! Your favorite ;) #ThreatResearch conference is coming back and we are planning to bring you the usual experience and content of utmost quality. #StayTuned for more #CTI #ThreatIntel #PIVOTcon26
Kristina Balaam retweeted
John Scott-Railton (@jsrailton)
🚨NEW REPORT: first forensic confirmation of #Paragon mercenary spyware infections in #Italy... Known targets: Activists & journalists. We also found deployments around the world. Including ...Canada? And a lot more... Thread on our @citizenlab investigation 1/
Kristina Balaam retweeted
Mari0n (@pinkflawd)
To any woman, person of color or trans person who is thinking about submitting to BlackHat US this year I offer to pre-review your submission and provide feedback, and also happy to answer general questions. Long live DEI. Cfp link in thread.
Kristina Balaam retweeted
Lorenzo Franceschi-Bicchierai
NEW: The U.S. govt accused 12 hackers of working for the Chinese government and hacking 100+ organizations, including the U.S. Treasury. DOJ says two of the hackers are linked to the Typhoon China-hacking group, responsible for high profile hacks. techcrunch.com/2025/03/05/jus…
Kristina Balaam retweeted
Matthew Gertz (@MattGertz)
I refuse to believe there are people who talk and write about politics professionally who are actually unaware of why Zelensky wasn't wearing a suit.
Nathaniel Dove (@NathanielDove_)
Ahead of Poilievre’s press conference, his comms team announcing he’s only taking five questions from preselected media: True North Y Media SouthAsianDaily Radio-Canada Rebel News Oxygen Canada News When asked why, his team just said “that’s what we’re doing today.”
Kristina Balaam retweeted
Lorenzo Franceschi-Bicchierai
NEW: We caught another government spyware vendor, which made fake Android apps masquerading as WhatsApp and cellphone providers' apps. The spyware was made by SIO, which partners "with Police and Intelligence Agencies" and sells to Italian government. techcrunch.com/2025/02/13/spy…