
Rob T. Lee
6K posts

Rob T. Lee
@robtlee
Chief AI Officer, Chief of Research, @SANSInstitute | Cybersecurity Expert & Threat Hunter | Godfather of DFIR | Technical Advisor to US Govt











Monday’s @Google Threat Intelligence report got a fraction of the attention it earned. Call it Salt Typhoon Jr.: a PRC-linked group sat inside North American military research and medical networks for more than a year, undetected, and walked out with the research that decides who wins the next decade. It was easy to miss under the flood of Mythos, Fable, and zero-days-for-days coverage. (Which tells you we still rank threats by how frightening they sound to a general audience, not by what they cost national security.) GTIG tracks the group as UNC6508. Their collection list reads like a tasking order: nearly 150 keywords spanning: Defense intelligence Indo-Pacific operations Artificial intelligence (AI) Uncrewed systems Cyber offensive programs Medical research This was public-health surveillance running inside a military espionage campaign, out of the same institutions, on the same wire. The attackers used a Google Workspace content-compliance rule to silently BCC matching emails to a Gmail account they controlled. Any operator can copy that playbook tomorrow against every university, hospital, and defense contractor running Workspace. This is a clean test case for the question I get in CISO rooms: where would AI have helped the defenders? 1. Admin control-plane monitoring. A brand-new rule that BCC-forwards sensitive mail to a consumer Gmail account should trip an alert the day it is created. That is pattern-spotting across thousands of admin events, which is what a model is good for. 2. Cross-victim correlation. The same campaign hit multiple organizations at once, and each intrusion looked isolated because nobody had visibility across all of them. Correlation across organizations, identity providers, and SaaS logs could have surfaced the pattern months earlier. 3. Behavioral EDR over the dwell window. INFINITERED sat on the REDCap server for more than a year, harvesting credentials, before the attackers used them to pivot into the internal network. That is a long baseline, long enough for behavior-based detection to flag a novel dropper and its callbacks even on malware nobody had seen before. (In theory. In practice, most shops never tuned the baseline.) Where AI would not have helped? What should you do this week? Read here: robtlee73.substack.com/p/salt-typhoon…
















