John Hultquist
@hultquist.bsky.social
Mandiant Intelligence at Google. CYBERWARCON and SLEUTHCON founder. Johns Hopkins professor. Army vet.
As for Russian intent, the recent incident in Poland is a stark reminder that the motivation is stronger than ever. I don’t think they are going to be bashful about deploying these capabilities, especially when they’re so easily deniable. 4/x
February 5, 2026 at 1:01 PM
As for Russian intent, the recent incident in Poland is a stark reminder that the motivation is stronger than ever. I don’t think they are going to be bashful about deploying these capabilities, especially when they’re so easily deniable. 4/x
I’m most concerned about DDOS attacks, which have been en vogue lately with hacktivist groups with Russian government ties. DDOS attacks are generally temporary, but when timed right, they can be quite powerful. 3/x
February 5, 2026 at 1:01 PM
I’m most concerned about DDOS attacks, which have been en vogue lately with hacktivist groups with Russian government ties. DDOS attacks are generally temporary, but when timed right, they can be quite powerful. 3/x
The goal is to take some of the shine off the Games, and by extension its participants, and generally that’s best done by disrupting the complex and carefully orchestrated event. Attacks on critical infrastructure like transit are precedented. So are attacks on the broadcast. 2/x
February 5, 2026 at 1:01 PM
The goal is to take some of the shine off the Games, and by extension its participants, and generally that’s best done by disrupting the complex and carefully orchestrated event. Attacks on critical infrastructure like transit are precedented. So are attacks on the broadcast. 2/x
The conditions are absolutely ripe for cyberattacks on the Winter Games. In addition to historic precedent like Sandworm’s attempted disruption of the Pyeongchang opening ceremonies, Russian sabotage and cyberattack in Europe right now is reaching fever pitch. 1/x
February 5, 2026 at 1:01 PM
The conditions are absolutely ripe for cyberattacks on the Winter Games. In addition to historic precedent like Sandworm’s attempted disruption of the Pyeongchang opening ceremonies, Russian sabotage and cyberattack in Europe right now is reaching fever pitch. 1/x
Notepad++ compromised in supply chain attack from June to December 2025 by “likely Chinese state-sponsored actor”. notepad-plus-plus.org/news/hijacke...
Notepad++ Hijacked by State-Sponsored Hackers | Notepad++
notepad-plus-plus.org
February 2, 2026 at 11:50 AM
Notepad++ compromised in supply chain attack from June to December 2025 by “likely Chinese state-sponsored actor”. notepad-plus-plus.org/news/hijacke...
Reposted by John Hultquist
"The actor Poland has identified is notable for a lengthy history of digging into global critical infrastructure while holding back on actual attacks," @hultquist.bsky.social says. "If they have finally pulled the trigger, that would be a major departure from over a decade of restraint."
January 30, 2026 at 7:06 PM
"The actor Poland has identified is notable for a lengthy history of digging into global critical infrastructure while holding back on actual attacks," @hultquist.bsky.social says. "If they have finally pulled the trigger, that would be a major departure from over a decade of restraint."
Perhaps most disconcerting is that if this is Berserk Bear/Dragonfly/Isotope/FSB, then they are now in play. Their ops were notable by the fact that they have not carried out an attack. Especially disconcerting considering the decade of quiet intrusions they have carried out. 3/x
January 30, 2026 at 2:02 PM
Perhaps most disconcerting is that if this is Berserk Bear/Dragonfly/Isotope/FSB, then they are now in play. Their ops were notable by the fact that they have not carried out an attack. Especially disconcerting considering the decade of quiet intrusions they have carried out. 3/x
Russian cyberattacks in Europe have been slowly ramping up, just like physical sabotage. They are boiling the frog, ratcheting up pressure while avoiding major blowback. There will be more incidents. I’m particularly concerned about the Winter Olympics. 2/x
January 30, 2026 at 2:02 PM
Russian cyberattacks in Europe have been slowly ramping up, just like physical sabotage. They are boiling the frog, ratcheting up pressure while avoiding major blowback. There will be more incidents. I’m particularly concerned about the Winter Olympics. 2/x
Poland releases details on December’s cyberattack on their energy infrastructure, noting similarities to prior FSB activity. The wiper has been attributed by others to Sandworm (GRU). Attribution is definitely not super clear yet. 1/x cert.pl/uploads/docs...
cert.pl
January 30, 2026 at 2:02 PM
Poland releases details on December’s cyberattack on their energy infrastructure, noting similarities to prior FSB activity. The wiper has been attributed by others to Sandworm (GRU). Attribution is definitely not super clear yet. 1/x cert.pl/uploads/docs...
Reposted by John Hultquist
Ready to put your analysis skills to the test? Join us on Nov 18 (pre-CYBERWARCON) for a Synapse challenge using a real-world scenario. There will be snacks and limited-edition challenge coins! vertex.link/events/cyber...
November 6, 2025 at 6:13 PM
Ready to put your analysis skills to the test? Join us on Nov 18 (pre-CYBERWARCON) for a Synapse challenge using a real-world scenario. There will be snacks and limited-edition challenge coins! vertex.link/events/cyber...
Reposted by John Hultquist
Meet our speaker: Kevin Hoganson! He leverages a broad skill set across cyber threat intelligence, digital forensics & incident response.
His talk highlights commercial spyware actors' cleanup of forensic artifacts which prevents meaningful analysis of mobile device infections.
www.cyberwarcon.com
His talk highlights commercial spyware actors' cleanup of forensic artifacts which prevents meaningful analysis of mobile device infections.
www.cyberwarcon.com
October 30, 2025 at 3:59 PM
Meet our speaker: Kevin Hoganson! He leverages a broad skill set across cyber threat intelligence, digital forensics & incident response.
His talk highlights commercial spyware actors' cleanup of forensic artifacts which prevents meaningful analysis of mobile device infections.
www.cyberwarcon.com
His talk highlights commercial spyware actors' cleanup of forensic artifacts which prevents meaningful analysis of mobile device infections.
www.cyberwarcon.com
Reposted by John Hultquist
October 30, 2025 at 3:36 PM
Reposted by John Hultquist
Meet our speaker Dlshad Othman!
He has fifteen+ years of experience in threat intelligence, and has built a career at the intersection of cybersecurity and geopolitics.
He will be joining David Magnotti for their talk "Ping First, Boom Second", which will focus on Iranian cyber threat groups.
He has fifteen+ years of experience in threat intelligence, and has built a career at the intersection of cybersecurity and geopolitics.
He will be joining David Magnotti for their talk "Ping First, Boom Second", which will focus on Iranian cyber threat groups.
October 24, 2025 at 1:04 PM
Meet our speaker Dlshad Othman!
He has fifteen+ years of experience in threat intelligence, and has built a career at the intersection of cybersecurity and geopolitics.
He will be joining David Magnotti for their talk "Ping First, Boom Second", which will focus on Iranian cyber threat groups.
He has fifteen+ years of experience in threat intelligence, and has built a career at the intersection of cybersecurity and geopolitics.
He will be joining David Magnotti for their talk "Ping First, Boom Second", which will focus on Iranian cyber threat groups.
If you’ve been laid off from a cyber threat intel position, and you want a ticket to CYBERWARCON, please reach out.
October 23, 2025 at 1:27 PM
If you’ve been laid off from a cyber threat intel position, and you want a ticket to CYBERWARCON, please reach out.
An opinion piece I wrote for Cipher Brief on the next wave of AI threats. The speed and scale of this activity will change the nature of cybersecurity. In order to compete with adversary use of this technology we must adopt it wholeheartedly into defense. www.thecipherbrief.com/ai-cyberatta...
AI-Powered Adversaries Require AI-Driven Defenses
OPINION — The use of artificial intelligence by adversaries has been the subject of exhaustive speculation. No one doubts that the technology will be abused by criminals and state actors, but it can b...
www.thecipherbrief.com
October 22, 2025 at 7:33 PM
An opinion piece I wrote for Cipher Brief on the next wave of AI threats. The speed and scale of this activity will change the nature of cybersecurity. In order to compete with adversary use of this technology we must adopt it wholeheartedly into defense. www.thecipherbrief.com/ai-cyberatta...
Reposted by John Hultquist
Meet our speaker Caleb Marquis!
His work played a central role in the landmark indictment of North Korean hacker Rim Jong Hyok. He has received the FBI Medal of Excellence and the Department of Justice Attorney General Award for Distinguished Service.
His work played a central role in the landmark indictment of North Korean hacker Rim Jong Hyok. He has received the FBI Medal of Excellence and the Department of Justice Attorney General Award for Distinguished Service.
October 22, 2025 at 7:00 PM
Meet our speaker Caleb Marquis!
His work played a central role in the landmark indictment of North Korean hacker Rim Jong Hyok. He has received the FBI Medal of Excellence and the Department of Justice Attorney General Award for Distinguished Service.
His work played a central role in the landmark indictment of North Korean hacker Rim Jong Hyok. He has received the FBI Medal of Excellence and the Department of Justice Attorney General Award for Distinguished Service.
Reposted by John Hultquist
We're excited to have Eric Kerr join us at CYBERWARCON! His talk, "From Hacker to Help Desk: The Surprising Story of a North Korean Cyber Operator", will cover the activities of Andariel, a North Korean hacking group that steals military & nuclear technology from US & South Korean defense networks.
October 22, 2025 at 5:28 PM
We're excited to have Eric Kerr join us at CYBERWARCON! His talk, "From Hacker to Help Desk: The Surprising Story of a North Korean Cyber Operator", will cover the activities of Andariel, a North Korean hacking group that steals military & nuclear technology from US & South Korean defense networks.
Reposted by John Hultquist
We're proud to announce Ruarigh Thornton is joining us this year at CYBERWARCON! Head of Research and Disruption at PGI, with experience in threats including counter espionage, hostile state information operations + more. He has led 100+ digital investigations.
www.cyberwarcon.com
www.cyberwarcon.com
October 17, 2025 at 2:49 PM
We're proud to announce Ruarigh Thornton is joining us this year at CYBERWARCON! Head of Research and Disruption at PGI, with experience in threats including counter espionage, hostile state information operations + more. He has led 100+ digital investigations.
www.cyberwarcon.com
www.cyberwarcon.com
Reposted by John Hultquist
I won’t be at CYBERWARCON this year so I need someone to give @hultquist.bsky.social a hard time for me. I don’t yet know why he deserves this, but I’m sure a reason will present itself between now and then. The man never disappoints in the shenanigans and tomfoolery department.
October 8, 2025 at 6:54 PM
I won’t be at CYBERWARCON this year so I need someone to give @hultquist.bsky.social a hard time for me. I don’t yet know why he deserves this, but I’m sure a reason will present itself between now and then. The man never disappoints in the shenanigans and tomfoolery department.
Reposted by John Hultquist
Have you ever wanted to see two terminally online nerds really (and I mean *really*) get into the SVR deep lore while continuing the eternal goal of making 2016 last forever?
Gosh does @cyberwarcon.bsky.social have a talk for you!
Gosh does @cyberwarcon.bsky.social have a talk for you!
Oil Into The Fire — CYBERWARCON
www.cyberwarcon.com
October 8, 2025 at 6:09 PM
Have you ever wanted to see two terminally online nerds really (and I mean *really*) get into the SVR deep lore while continuing the eternal goal of making 2016 last forever?
Gosh does @cyberwarcon.bsky.social have a talk for you!
Gosh does @cyberwarcon.bsky.social have a talk for you!
CYBERWARCON is gooooooooo! This year’s agenda is live! Thank you submitters.
Announcing this year's CYBERWARCON speaker lineup and agenda! We've got some fantastic talks this year, and more will be announced soon.
Don't miss your chance to register now! Thank you everyone who submitted to the CFP. The selection was a truly grueling process!
Don't miss your chance to register now! Thank you everyone who submitted to the CFP. The selection was a truly grueling process!
October 8, 2025 at 4:18 PM
CYBERWARCON is gooooooooo! This year’s agenda is live! Thank you submitters.
Reposted by John Hultquist
Announcing this year's CYBERWARCON speaker lineup and agenda! We've got some fantastic talks this year, and more will be announced soon.
Don't miss your chance to register now! Thank you everyone who submitted to the CFP. The selection was a truly grueling process!
Don't miss your chance to register now! Thank you everyone who submitted to the CFP. The selection was a truly grueling process!
October 8, 2025 at 4:08 PM
Announcing this year's CYBERWARCON speaker lineup and agenda! We've got some fantastic talks this year, and more will be announced soon.
Don't miss your chance to register now! Thank you everyone who submitted to the CFP. The selection was a truly grueling process!
Don't miss your chance to register now! Thank you everyone who submitted to the CFP. The selection was a truly grueling process!
Reposted by John Hultquist
October 8, 2025 at 2:59 PM
Reposted by John Hultquist
🚨🚨🚨 Google released a report on "Brickstorm" this morning — a next-level, suspected China-linked campaign targeting U.S. firms. Ultra-stealthy, 400+ day dwell times, focus on stealing IP, finding zero-days, and focused on long-term cyberespionage. cyberscoop.com/chinese-cybe...
Brickstorm malware powering ‘next-level’ Chinese cyberespionage campaign
Mandiant and Google have identified “Brickstorm,” a sophisticated, suspected China-linked hacking campaign targeting U.S. tech firms, legal organizations, and BPOs. The operation often goes undetected...
cyberscoop.com
September 24, 2025 at 2:03 PM
🚨🚨🚨 Google released a report on "Brickstorm" this morning — a next-level, suspected China-linked campaign targeting U.S. firms. Ultra-stealthy, 400+ day dwell times, focus on stealing IP, finding zero-days, and focused on long-term cyberespionage. cyberscoop.com/chinese-cybe...