John Hultquist's Avatar

John Hultquist

@hultquist.bsky.social

Mandiant Intelligence at Google. CYBERWARCON and SLEUTHCON founder. Johns Hopkins professor. Army vet.

9,114 Followers  |  309 Following  |  213 Posts  |  Joined: 04.05.2023  |  1.7085

Latest posts by hultquist.bsky.social on Bluesky

"The actor Poland has identified is notable for a lengthy history of digging into global critical infrastructure while holding back on actual attacks," @hultquist.bsky.social says. "If they have finally pulled the trigger, that would be a major departure from over a decade of restraint."

30.01.2026 19:06 β€” πŸ‘ 3    πŸ” 1    πŸ’¬ 0    πŸ“Œ 0

Perhaps most disconcerting is that if this is Berserk Bear/Dragonfly/Isotope/FSB, then they are now in play. Their ops were notable by the fact that they have not carried out an attack. Especially disconcerting considering the decade of quiet intrusions they have carried out. 3/x

30.01.2026 14:02 β€” πŸ‘ 7    πŸ” 0    πŸ’¬ 0    πŸ“Œ 0

Russian cyberattacks in Europe have been slowly ramping up, just like physical sabotage. They are boiling the frog, ratcheting up pressure while avoiding major blowback. There will be more incidents. I’m particularly concerned about the Winter Olympics. 2/x

30.01.2026 14:02 β€” πŸ‘ 4    πŸ” 0    πŸ’¬ 1    πŸ“Œ 0

Poland releases details on December’s cyberattack on their energy infrastructure, noting similarities to prior FSB activity. The wiper has been attributed by others to Sandworm (GRU). Attribution is definitely not super clear yet. 1/x cert.pl/uploads/docs...

30.01.2026 14:02 β€” πŸ‘ 11    πŸ” 5    πŸ’¬ 2    πŸ“Œ 0
Post image

Ready to put your analysis skills to the test? Join us on Nov 18 (pre-CYBERWARCON) for a Synapse challenge using a real-world scenario. There will be snacks and limited-edition challenge coins! vertex.link/events/cyber...

06.11.2025 18:13 β€” πŸ‘ 10    πŸ” 5    πŸ’¬ 0    πŸ“Œ 1
Post image

Meet our speaker: Kevin Hoganson! He leverages a broad skill set across cyber threat intelligence, digital forensics & incident response.

His talk highlights commercial spyware actors' cleanup of forensic artifacts which prevents meaningful analysis of mobile device infections.

www.cyberwarcon.com

30.10.2025 15:59 β€” πŸ‘ 6    πŸ” 1    πŸ’¬ 0    πŸ“Œ 0
Video thumbnail

Tickets are almost sold out. Nerds.

www.cyberwarcon.com

30.10.2025 15:36 β€” πŸ‘ 11    πŸ” 5    πŸ’¬ 1    πŸ“Œ 3
Post image

Meet our speaker Dlshad Othman!

He has fifteen+ years of experience in threat intelligence, and has built a career at the intersection of cybersecurity and geopolitics.

He will be joining David Magnotti for their talk "Ping First, Boom Second", which will focus on Iranian cyber threat groups.

24.10.2025 13:04 β€” πŸ‘ 10    πŸ” 4    πŸ’¬ 0    πŸ“Œ 0

If you’ve been laid off from a cyber threat intel position, and you want a ticket to CYBERWARCON, please reach out.

23.10.2025 13:27 β€” πŸ‘ 25    πŸ” 23    πŸ’¬ 0    πŸ“Œ 0
Preview
AI-Powered Adversaries Require AI-Driven Defenses OPINION β€” The use of artificial intelligence by adversaries has been the subject of exhaustive speculation. No one doubts that the technology will be abused by criminals and state actors, but it can b...

An opinion piece I wrote for Cipher Brief on the next wave of AI threats. The speed and scale of this activity will change the nature of cybersecurity. In order to compete with adversary use of this technology we must adopt it wholeheartedly into defense. www.thecipherbrief.com/ai-cyberatta...

22.10.2025 19:33 β€” πŸ‘ 11    πŸ” 7    πŸ’¬ 0    πŸ“Œ 0
Post image

Meet our speaker Caleb Marquis!

His work played a central role in the landmark indictment of North Korean hacker Rim Jong Hyok. He has received the FBI Medal of Excellence and the Department of Justice Attorney General Award for Distinguished Service.

22.10.2025 19:00 β€” πŸ‘ 3    πŸ” 2    πŸ’¬ 1    πŸ“Œ 0
Post image

We're excited to have Eric Kerr join us at CYBERWARCON! His talk, "From Hacker to Help Desk: The Surprising Story of a North Korean Cyber Operator", will cover the activities of Andariel, a North Korean hacking group that steals military & nuclear technology from US & South Korean defense networks.

22.10.2025 17:28 β€” πŸ‘ 5    πŸ” 2    πŸ’¬ 1    πŸ“Œ 0
Post image

We're proud to announce Ruarigh Thornton is joining us this year at CYBERWARCON! Head of Research and Disruption at PGI, with experience in threats including counter espionage, hostile state information operations + more. He has led 100+ digital investigations.

www.cyberwarcon.com

17.10.2025 14:49 β€” πŸ‘ 1    πŸ” 2    πŸ’¬ 0    πŸ“Œ 0

I won’t be at CYBERWARCON this year so I need someone to give @hultquist.bsky.social a hard time for me. I don’t yet know why he deserves this, but I’m sure a reason will present itself between now and then. The man never disappoints in the shenanigans and tomfoolery department.

08.10.2025 18:54 β€” πŸ‘ 5    πŸ” 1    πŸ’¬ 1    πŸ“Œ 0
Preview
Oil Into The Fire β€” CYBERWARCON

Have you ever wanted to see two terminally online nerds really (and I mean *really*) get into the SVR deep lore while continuing the eternal goal of making 2016 last forever?

Gosh does @cyberwarcon.bsky.social have a talk for you!

08.10.2025 18:09 β€” πŸ‘ 44    πŸ” 8    πŸ’¬ 2    πŸ“Œ 3

CYBERWARCON is gooooooooo! This year’s agenda is live! Thank you submitters.

08.10.2025 16:18 β€” πŸ‘ 13    πŸ” 5    πŸ’¬ 1    πŸ“Œ 0
Post image

Announcing this year's CYBERWARCON speaker lineup and agenda! We've got some fantastic talks this year, and more will be announced soon.

Don't miss your chance to register now! Thank you everyone who submitted to the CFP. The selection was a truly grueling process!

08.10.2025 16:08 β€” πŸ‘ 10    πŸ” 5    πŸ’¬ 0    πŸ“Œ 1

What's that?

www.cyberwarcon.com/oil-into-the...

08.10.2025 14:59 β€” πŸ‘ 20    πŸ” 5    πŸ’¬ 1    πŸ“Œ 2
Preview
Brickstorm malware powering β€˜next-level’ Chinese cyberespionage campaign Mandiant and Google have identified β€œBrickstorm,” a sophisticated, suspected China-linked hacking campaign targeting U.S. tech firms, legal organizations, and BPOs. The operation often goes undetected...

🚨🚨🚨 Google released a report on "Brickstorm" this morning β€” a next-level, suspected China-linked campaign targeting U.S. firms. Ultra-stealthy, 400+ day dwell times, focus on stealing IP, finding zero-days, and focused on long-term cyberespionage. cyberscoop.com/chinese-cybe...

24.09.2025 14:03 β€” πŸ‘ 68    πŸ” 48    πŸ’¬ 8    πŸ“Œ 1

We are expecting several organizations who use this tool and actively hunt for this threat will find that this actor has been active in their networks for some time.

24.09.2025 14:43 β€” πŸ‘ 25    πŸ” 6    πŸ’¬ 1    πŸ“Œ 1
Preview
Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech and Legal Sectors | Google Cloud Blog BRICKSTORM is a stealthy backdoor used by suspected China-nexus actors for long-term espionage.

We are releasing details on BRICKSTORM malware activity, a China-based threat hitting US tech to potentially target downstream customers and hunt for data on vulnerabilities in products. This actor is stealthy, and we've provided a tool to hunt for them. cloud.google.com/blog/topics/...

24.09.2025 14:31 β€” πŸ‘ 22    πŸ” 14    πŸ’¬ 0    πŸ“Œ 5
Post image

This is unironically one of the wildest photos ever taken.

23.09.2025 19:23 β€” πŸ‘ 119    πŸ” 17    πŸ’¬ 7    πŸ“Œ 2

Last week to get your @CYBERWARCON submissions in! Don’t miss out!

23.09.2025 13:08 β€” πŸ‘ 1    πŸ” 1    πŸ’¬ 0    πŸ“Œ 0

We've got some good submissions flowing into the @CYBERWARCON CFP, but there's still time for more. If you have good content, and you're worried the honorarium won't cover your travel, please submit, and we'll work it out. We do this because we believe this research matters.

18.09.2025 14:18 β€” πŸ‘ 5    πŸ” 3    πŸ’¬ 0    πŸ“Œ 0

Finland is so small that I once visited and Mikko found me in a bookstore.

17.09.2025 12:04 β€” πŸ‘ 12    πŸ” 0    πŸ’¬ 1    πŸ“Œ 0
picture

picture

PAPERS PLEASE!
#BSidesPyongyang2025 πŸ‡°πŸ‡΅

Submit your CFP now:
https://forms.gle/y6QRMeYuJPYXZi1k9

16.09.2025 12:00 β€” πŸ‘ 2    πŸ” 1    πŸ’¬ 0    πŸ“Œ 0

Tech startup idea: instead of starting your car with your key, you get in, turn on the display panel, enter your password, get your phone out, open the authenticator app, enter your pin, enter the timed passcode, then open the start menu, then helpdesk, then "request engine start", then submit a tic

05.09.2025 12:30 β€” πŸ‘ 808    πŸ” 133    πŸ’¬ 50    πŸ“Œ 16

Yo! #CYBERWARCON CFP & Reg is LIVE! You know what to do. AI can't do it for you...or wear these socks.

@hultquist.bsky.social @cyberwarcon.bsky.social

29.08.2025 19:32 β€” πŸ‘ 1    πŸ” 3    πŸ’¬ 0    πŸ“Œ 0

Major Update: We now believe this incident impacts other Salesloft Drift integrations, not just Salesforce. We’re advising Salesloft Drift customers to treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised.

29.08.2025 14:43 β€” πŸ‘ 15    πŸ” 11    πŸ’¬ 0    πŸ“Œ 0

@hultquist is following 20 prominent accounts