On 30 January 2026, CERT.PL published findings concerning an electric sector attack on Poland in December 2025. This report, presumably the most complete on the incident covering multiple sources and coming from those directly responding to the total incident, arrived after earlier reporting from commercial organizations on elements of the Read more
A core part of my teaching at Paralus is guiding attendees towards mechanisms of fusing internal telemetry and understanding with external data sources and feeds to arrive at a more robust understanding of threat actor operations and behaviors. This perspective is reflected in my work on intelligence production and development Read more
In July 2025, NSA officials at a conference in New York City made a surprising claim: “The good news is, [Volt Typhoon] really failed. They wanted to persist in domestic networks very quietly for a very long time so that if and when they needed to disrupt those networks, they Read more
On 17 July 2025, Bloomberg (no stranger to interesting information security reporting) issued a gated report on a non–public Recorded Future item related to Salt Typhoon activity. As previously noted in this space, Salt Typhoon operations are both incredibly significant given their targeting and scope, while also poorly understood and Read more
Salt Typhoon first emerged in the public consciousness with media reporting in late 2024. The previously unknown (or overlooked) threat actor was quickly linked to widespread intrusions in major US-based telecommunications companies, and targeting of both specific systems used to enable lawful intercept operations as well as the communications of Read more
I recently came across a job posting for a cyber threat intelligence (CTI) analyst position. Given recent issues in the CTI marketplace with many individuals finding themselves in need of new roles, this at first glance appeared an excellent opportunity to pass on to those looking for work. However, with Read more
On 11 January 2023, the “Ghost Security Group” (commonly referred to as “GhostSec”) issued a bold claim (captured on Twitter, among other places) that they “encrypted the first RTU in history.” The claim rapidly came under scrutiny from several directions – for an excellent analysis of this specific case and Read more
Updated 23 Nov 1355 MST: Added some additional observations related to logon spoofing infrastructure. Domain “hunting” is a process of identifying new (or at least, newly identified) network infrastructure associated with threat actors of interest. Such a process does not start in a void, but rather requires understanding tendencies and Read more
Background On 12 April 2022, the Ukrainian CERT and ESET disclosed the existence of Industroyer2, a successor to the malware targeting Ukrainian electric distribution and transmission operations in 2016. Industroyer2 arrived after multiple disruptive cyber incidents of varying degrees of success surrounding Russia’s brutal invasion of Ukraine, as presented in Read more
Iranian security company Amnpardaz Soft published an intriguing report on 28 December 2021 concerning a firmware-level rootkit in HP Integrated Lights Out (iLO) products. While frustratingly containing no Indicators of Compromise (IOCs) – not so much for defensive purposes, but for validating research and independently analyzing artifacts – the report Read more