John Hultquist
Chief Analyst, Mandiant Intelligence @Google. @CYBERWARCON and @SLEUTHCON founder. Johns Hopkins professor. Army vet.
Oct 31 8 tweets 2 min read
A few thoughts on election threats as we enter the final stretch. There is a pretty established history of last-minute activity from some of the foreign malign actors possibly in play and they are very aware of the unique criticality and opportunity in this short time frame. 1/x The GRU has previously waited until the final moments of elections to distribute leaks. They have also taken action as tallied votes were shared. In Ukraine they leveraged access to official systems to disrupt the display of tallies and to claim a losing candidate had won. 2/x
Apr 17 5 tweets 1 min read
The Russian cyberattacks on US water, Polish water, and a French dam are complicated. We had established that CARR was being used as a front for Sandworm/APT44 (Russian GRU) prior to the incidents and that they were even involved in creating some of CARR's online presence. 1/x But without evidence of their involvement we had to allow for the possibility of other CARR affiliates acting outside of the direction of Sandworm/APT44. In that case what does Sandworm/APT44 have to do with it? 2/x
Oct 10, 2023 4 tweets 1 min read
We are currently seeing pro-Iran information operations actors promoting content across various social media channels, in favor of Hamas and critical of Israel’s response to the attacks. 1/x For example, we observed inauthentic accounts that have promoted content - in Arabic - highlighting perceived failures by Israeli intelligence that intended to portray Israeli soldiers as defeated. 2/x
Sep 7, 2022 4 tweets 2 min read
Albania is severing diplomatic relations with Iran in response to the cyberattack that crippled government services in July. This is one of the strongest diplomatic responses to cyberattacks I've ever seen. For more on the attack and our attribution see: mandiant.com/resources/blog… The Albania incident and the more recent incident in Montenegro, unrelated though they are, are reminders that critical systems in NATO countries are still vulnerable.
Feb 3, 2022 4 tweets 1 min read
Somewhat related: Fabricated content has been used in recent info ops activity. For instance, we’ve seen them fake images of NATO troops desecrating cemeteries or hitting civilians with military vehicles. 1/x This is a fake image that’s supposed to be German NATO troops desecrating a Jewish cemetery in the Baltics. 2/x
Feb 1, 2022 4 tweets 3 min read
Intelligence successes rarely get the attention they deserve, but they are real. In fall of 2020, Trickbot actors were on a tear through healthcare, when @Mandiant, @CISA, @HoldSecurity and other unsung heroes raised the alarm. 1/x wired.com/story/ransomwa… Despite the overwhelming cybersecurity challenges of the elections, cyber intelligence professionals from many teams put a spotlight on the threat to healthcare posed by this actor, offering warning and real steps defenders could take. 2/x
mandiant.com/resources/kegt…
Apr 13, 2021 14 tweets 6 min read
ODNI just dropped their annual threat report which is filled with insight on cyberthreats. 1/x dni.gov/files/ODNI/doc… They underscore the threat from the big four: Russia, China, Iran, and North Korea and highlight the symbiotic relationship between states and cybercriminals. 2/x
Oct 23, 2020 21 tweets 8 min read
1/ Follow this thread as I highlight @blar51 as part of the #sharethemicincyber campaign. I am proud to give this talented #cybersecurity practitioner the spotlight. #BlackNatSec #BlackTechTwitter 2/ Meet @blar51, an incredibly talented cybersecurity practitioner you should all know! Born and raised in Detroit, MI, Brandon has an associate’s degree in Computer Networking from Washtenaw Community College and works at Proofpoint.
Oct 22, 2020 4 tweets 1 min read
The motive behind the Iranian Proud Boy operation is not transparent, but it's interesting that the email campaign and the video preyed on distinct fears from both sides of the partisan divide. 1/x I'm not of the opinion that the emails were expected to keep a significant number of people away from the polls. I think it's more likely that they were designed to reinforce existing fears of voter intimidation. The focus here was probably Democrats. 2/x
Oct 19, 2020 14 tweets 4 min read
Today's indictments are a laundry list of Sandworm's misdeeds, some of which were never officially recognized until now. They are the most aggressive actor I have ever encountered and they have been my greatest concern for the upcoming election. 1/x fbi.gov/wanted/cyber/g… In addition to the 2016 US election interference, Sandworm was responsible for:
-Intrusions into US critical infrastructure
-Ukraine blackouts and other infrastructure targeting
-NotPetya
-MacronLeaks
-Pyeongchang Olympics attack
The latter two are very important right now. 2/x
Aug 18, 2020 7 tweets 4 min read
Volume 5 of the Senate's report on Russian active measures and interference in the 2016 election is out. 1/x intelligence.senate.gov/sites/default/… The report calls Konstantin Kilimnik a Russian intelligence officer and suggests he may have been aware of the hack and leak operation. 2/x
Jul 29, 2020 8 tweets 4 min read
We are releasing reporting on Ghostwriter, IO activity focused on Poland, Lithuania, and Latvia, which leverages false narratives and fabricated content often planted on compromised media sites. The activity is consistent with Russian interests. 1/x fireeye.com/content/dam/fi… Ghostwriter began as early as 2017 and is still going strong, pushing anti-NATO sentiment on the frontiers of the alliance. NATO soldiers hosted in these countries are portrayed as carjackers and blamed for desecrating cemeteries. Now they are portrayed as COVID-19 carriers. 2/x
Jul 21, 2020 9 tweets 4 min read
The indictment of two Chinese nationals who carried out intrusions for the MSS is full of interesting insights on the state of Chinese cyber espionage. 1/x justice.gov/opa/press-rele… First off, consider the efficiency of this capability. Two guys responsible for stealing hundreds of millions in intellectual property. And better yet, they're contractors, so limited overhead for the PRC! 2/x
Jan 5, 2020 13 tweets 4 min read
Some coalescing thoughts on Iran's cyber capability. The first is that while cyberattack (disruption/destruction) is on the table, the most consequential capability may be cyber espionage. There will be cyber espionage against gov/mil targets as well as personnel of interest. 1/x Iran, like others, has recently focused on moving upstream by compromising telecoms and travel. That way they can identify and track specific people. These operations put people in physical danger, especially in terrorism scenarios. 2/x fireeye.com/blog/threat-re…
Jan 29, 2019 11 tweets 4 min read
ODNI's Worldwide Threat Assessment starts with cyber, singling out China and Russia as posing the greatest espionage and attack threat. Notes the integration of espionage, attack, and influence operations. #WorldwideThreat 1/x Report indicates Chinese espionage (to include key technology targeting) may need authorization from Beijing when alternatives are exhausted, suggesting restraint. Also noted is China's danger to critical infrastructure (a result of combining 3PLA/4PLA missions in the SSF?) 2/x
Aug 3, 2018 5 tweets 2 min read
"Imagine a future “first strike” cyberattack in which a nation burrowed its way deeply into the industrial and commercial networks of another state and deployed ransomware across its entire private sector." -GRU persona in early '16 after their Ukraine blackout succeeded. 1/x h/t to @emptywheel who points out that line was actually lifted from a Forbes article. 2/x forbes.com/sites/kalevlee…