Danny Moore
@moore.bsky.social
Cyber-warfare | PhD from KCL | Author of 'Offensive Cyber Operations' | Security @ Meta
Pinned
Danny Moore
@moore.bsky.social
· Oct 21
www.amazon.com
Since so many joined here, resharing that I have a book out called "Offensive Cyber Operations" that's been really well received and is a helpful all-round look at how different countries use offensive cyber!
www.amazon.com/Offensive-Cy...
www.amazon.com/Offensive-Cy...
One of our biggest issues as a cybersecurity community and industry is that we inflicted dozens of partly overlapping cryptonyms on the world and just expect them to deal with it because we can't.
A interesting read. Always felt a bit odd covering cyber attacks, then writing it was carried out by 'Vengeful Hamster' or 'Creeping Groundhog' or something
...then also having to use a paragraph to detail all the different names different companies call the same group.
www.wsj.com/tech/cyber-s...
...then also having to use a paragraph to detail all the different names different companies call the same group.
www.wsj.com/tech/cyber-s...
‘We’re Not Naming Care Bears.’ Hacker Code Names Are Getting Too Cute
Cartoonish naming conventions for potentially catastrophic cyberattacks are dividing security professionals
www.wsj.com
June 23, 2025 at 10:28 AM
One of our biggest issues as a cybersecurity community and industry is that we inflicted dozens of partly overlapping cryptonyms on the world and just expect them to deal with it because we can't.
Still consistently the best cyber-related podcast out there
-CoinMarketCap hacked via animated logo
-White House rejects NSA & CyberCom nomination
-FCC probes US Cyber Trust Mark program
-Cyberattack disrupts Russian animal processing industry
-Iran hacks Albania's capital Tirana
Podcast: risky.biz/RBNEWS441/
Newsletter: news.risky.biz/risky-bullet...
-White House rejects NSA & CyberCom nomination
-FCC probes US Cyber Trust Mark program
-Cyberattack disrupts Russian animal processing industry
-Iran hacks Albania's capital Tirana
Podcast: risky.biz/RBNEWS441/
Newsletter: news.risky.biz/risky-bullet...
June 23, 2025 at 8:02 AM
Still consistently the best cyber-related podcast out there
Considering that one of Israel's overt goals for the war is to destabilize the Iranian government, a nation-wide shutdown of public internet access plays well into Israel's hands.
And it may not even stop further attacks.
And it may not even stop further attacks.
NEW: Iran's government has now admitted it took down the internet in the country, arguing it was to protect against Israeli cyberattacks.
I spoke to two Iranians who live abroad and can't communicate with their loved ones back home.
"I haven’t heard from them in two days," said @ammir.bsky.social.
I spoke to two Iranians who live abroad and can't communicate with their loved ones back home.
"I haven’t heard from them in two days," said @ammir.bsky.social.
Iran's government says it shut down internet to protect against cyberattacks | TechCrunch
The government cited the recent hacks on Bank Sepah and cryptocurrency exchange Nobite as reasons to shut down internet access to virtually all Iranians.
techcrunch.com
June 21, 2025 at 9:12 AM
Considering that one of Israel's overt goals for the war is to destabilize the Iranian government, a nation-wide shutdown of public internet access plays well into Israel's hands.
And it may not even stop further attacks.
And it may not even stop further attacks.
Reposted by Danny Moore
Predatory Sparrow has dumped the Nobitex crytpo platform source code on Telegram
They previously stole $90mil worth of assets in a hack yesterday
t.me/gonjeshkdara...
They previously stole $90mil worth of assets in a hack yesterday
t.me/gonjeshkdara...
June 19, 2025 at 12:00 PM
Predatory Sparrow has dumped the Nobitex crytpo platform source code on Telegram
They previously stole $90mil worth of assets in a hack yesterday
t.me/gonjeshkdara...
They previously stole $90mil worth of assets in a hack yesterday
t.me/gonjeshkdara...
My hot take is that it isn't a lack of strategy, Israel has many viable, ambitious strategies.
It's a constant failure of political will, unity, and patience to enact a strategy.
It's a constant failure of political will, unity, and patience to enact a strategy.
June 13, 2025 at 7:32 PM
My hot take is that it isn't a lack of strategy, Israel has many viable, ambitious strategies.
It's a constant failure of political will, unity, and patience to enact a strategy.
It's a constant failure of political will, unity, and patience to enact a strategy.
Interesting! In my book, Offensive Cyber Operations, I talk a lot about the convergence of tactical offensive cyber and electronic warfare.
The resources, approach and desired outcomes are deeply connected.
The UK's move is in line with trends seen elsewhere. Will dive more into it all later.
The resources, approach and desired outcomes are deeply connected.
The UK's move is in line with trends seen elsewhere. Will dive more into it all later.
1/ In run-up to SDR, UK has announced a new "Cyber and Electromagnetic Command". Temptation is to focus on offensive tasks. What MoD says is that it will "lead defensive cyber operations" for military networks and "coordinate" offensive ones with the National Cyber Force, which was set up in 2020.
May 29, 2025 at 7:49 AM
Interesting! In my book, Offensive Cyber Operations, I talk a lot about the convergence of tactical offensive cyber and electronic warfare.
The resources, approach and desired outcomes are deeply connected.
The UK's move is in line with trends seen elsewhere. Will dive more into it all later.
The resources, approach and desired outcomes are deeply connected.
The UK's move is in line with trends seen elsewhere. Will dive more into it all later.
The most interesting bit here is that the best Western gov cyber outfits overhauled their operational approach after the mid-10s to focus more on avoiding detection.
The era of the "factory ops" was too risky with the rise of threat intel.
Harder to reliably spot 2025's Regin, Careto, Flame, etc
The era of the "factory ops" was too risky with the rise of threat intel.
Harder to reliably spot 2025's Regin, Careto, Flame, etc
NEW: More than a decade ago, Kaspersky discovered a mysterious "elite" hacking group it called Careto (aka “The Mask”), which then vanished and only resurfaced last year.
We can now reveal that the researchers who investigated it were confident that the Spanish government was behind it.
We can now reveal that the researchers who investigated it were confident that the Spanish government was behind it.
Mysterious hacking group Careto was run by the Spanish government, sources say | TechCrunch
The elusive hacking group Careto was never publicly linked to a specific government, but TechCrunch has learned researchers concluded privately that the Spanish government was behind the group.
techcrunch.com
May 26, 2025 at 7:55 AM
The most interesting bit here is that the best Western gov cyber outfits overhauled their operational approach after the mid-10s to focus more on avoiding detection.
The era of the "factory ops" was too risky with the rise of threat intel.
Harder to reliably spot 2025's Regin, Careto, Flame, etc
The era of the "factory ops" was too risky with the rise of threat intel.
Harder to reliably spot 2025's Regin, Careto, Flame, etc
"the technical team's analysis indicates that the attacker's methods and related technical proficiency were relatively low-level."
Nothing in the article to explain what makes this "cyber warfare".
Nothing in the article to explain what makes this "cyber warfare".
A threat actor has allegedly breached and disrupted the backend systems of a sci-tech company based out of Guangzhou, China.
Chinese officials claimed the hack had a "clear political background and [showed] distinct signs of cyber warfare."
www.globaltimes.cn/page/202505/...
Chinese officials claimed the hack had a "clear political background and [showed] distinct signs of cyber warfare."
www.globaltimes.cn/page/202505/...
May 20, 2025 at 2:01 PM
"the technical team's analysis indicates that the attacker's methods and related technical proficiency were relatively low-level."
Nothing in the article to explain what makes this "cyber warfare".
Nothing in the article to explain what makes this "cyber warfare".
Reposted by Danny Moore
If you’ve been laid off from a cyber intel position, please reach out if you’d like to come to @sleuthcon.bsky.social.
May 20, 2025 at 1:18 PM
If you’ve been laid off from a cyber intel position, please reach out if you’d like to come to @sleuthcon.bsky.social.
Reposted by Danny Moore
NEW: Hundreds of victims are surfacing across the world from zero-day cyberattacks on SAP, in a campaign that one leading cyber expert is comparing to the vast Chinese government-linked Salt Typhoon and Volt Typhoon breaches. cyberscoop.com/sap-cyberatt...
SAP cyberattack widens, drawing Salt Typhoon and Volt Typhoon comparisons
Hundreds of victims are surfacing across the world from zero-day cyberattacks on Europe’s biggest software manufacturer and company.
cyberscoop.com
May 15, 2025 at 5:32 PM
NEW: Hundreds of victims are surfacing across the world from zero-day cyberattacks on SAP, in a campaign that one leading cyber expert is comparing to the vast Chinese government-linked Salt Typhoon and Volt Typhoon breaches. cyberscoop.com/sap-cyberatt...
Reposted by Danny Moore
Drama over at X/xAI.
Whatever you ask Grok, it pivots to “white genocide” in South Africa.
The last panel is what Grok claims was a “verbatim” system prompt that caused the behavior. Jury out.
It’s now fixed but they haven’t yet bothered explaining.
This, not those AGI fantastical scenarios.
Whatever you ask Grok, it pivots to “white genocide” in South Africa.
The last panel is what Grok claims was a “verbatim” system prompt that caused the behavior. Jury out.
It’s now fixed but they haven’t yet bothered explaining.
This, not those AGI fantastical scenarios.
May 15, 2025 at 6:24 PM
Drama over at X/xAI.
Whatever you ask Grok, it pivots to “white genocide” in South Africa.
The last panel is what Grok claims was a “verbatim” system prompt that caused the behavior. Jury out.
It’s now fixed but they haven’t yet bothered explaining.
This, not those AGI fantastical scenarios.
Whatever you ask Grok, it pivots to “white genocide” in South Africa.
The last panel is what Grok claims was a “verbatim” system prompt that caused the behavior. Jury out.
It’s now fixed but they haven’t yet bothered explaining.
This, not those AGI fantastical scenarios.
Reposted by Danny Moore
New from 404 Media: the Signal clone the Trump administration uses was just hacked. TeleMessage makes a modified version of Signal that archives messages for government agencies, Waltz used it. A hacker got some users' messages, group chats. Hugely significant breach www.404media.co/the-signal-c...
The Signal Clone the Trump Admin Uses Was Hacked
TeleMessage, a company that makes a modified version of Signal that archives messages for government agencies, was hacked.
www.404media.co
May 4, 2025 at 10:01 PM
New from 404 Media: the Signal clone the Trump administration uses was just hacked. TeleMessage makes a modified version of Signal that archives messages for government agencies, Waltz used it. A hacker got some users' messages, group chats. Hugely significant breach www.404media.co/the-signal-c...
The literal birth of my firstborn child was less anxiety inducing than a full week of driving and parking in Tel Aviv.
April 15, 2025 at 8:17 PM
The literal birth of my firstborn child was less anxiety inducing than a full week of driving and parking in Tel Aviv.
New tech class, new vulnerability class
LLMs hallucinating nonexistent software packages with plausible names leads to a new malware vulnerability: "slopsquatting."
LLMs can't stop making up software dependencies and sabotaging everything
: Hallucinated package names fuel 'slopsquatting'
www.theregister.com
April 13, 2025 at 5:20 AM
New tech class, new vulnerability class
Reposted by Danny Moore
THREAD: When @thekrebscycle.bsky.social and his workplace, @sentinelone.com, were singled out by Donald Trump on Wednesday, I thought it was an opportunity to weigh the cybersecurity industry's rhetoric against their real world actions.
April 11, 2025 at 4:55 PM
THREAD: When @thekrebscycle.bsky.social and his workplace, @sentinelone.com, were singled out by Donald Trump on Wednesday, I thought it was an opportunity to weigh the cybersecurity industry's rhetoric against their real world actions.
Cybersecurity is built on trust, I can only imagine how CISA staff must be feeling.
New: Current CISA employees — picture patriotic, hardworking nerds not used to the spotlight, often with narrow focuses like identifying how hackers break into the industrial control systems that run our water and electric facilities — are sick of Trump's cuts and the politicization of their work.
U.S. cyber defenders shaken by Trump's attack on their former boss
“Every day feels somehow more bizarre than the last. It is incredibly difficult to focus on our mission,” one current Cybersecurity and Infrastructure Security Agency employee said.
www.nbcnews.com
April 11, 2025 at 8:32 AM
Cybersecurity is built on trust, I can only imagine how CISA staff must be feeling.
Reposted by Danny Moore
👀 China reportedly acknowledged to outgoing Biden officials in December that it was responsible for the Volt Typhoon critical infrastructure intrusions, linking them to "increasing U.S. policy support for Taiwan." www.wsj.com/politics/nat...
April 10, 2025 at 7:30 PM
👀 China reportedly acknowledged to outgoing Biden officials in December that it was responsible for the Volt Typhoon critical infrastructure intrusions, linking them to "increasing U.S. policy support for Taiwan." www.wsj.com/politics/nat...
Reposted by Danny Moore
I was there. It was meant literally.
“JD Work — now on the US NSC — shocked some by warning that the US would take lethal action against malicious actors in commercial cyber operations.
Participants who heard [it said] they were unsure if it was meant literally or figuratively”
“JD Work — now on the US NSC — shocked some by warning that the US would take lethal action against malicious actors in commercial cyber operations.
Participants who heard [it said] they were unsure if it was meant literally or figuratively”
The Pall Mall Process — a diplomatic initiative designed to reform the commercial spyware and hacking market — has added more nations as it confronts an industry that is more complex than ever. https://therecord.media/pall-mall-process-commercial-spyware-hacking-paris-diplomacy
As spyware market continues to expand, diplomatic Pall Mall Process hits a pivot point
The Pall Mall Process — a diplomatic initiative designed to reform the commercial spyware and hacking market — has added more nations as it confronts an industry that is more complex than ever.
therecord.media
April 9, 2025 at 8:46 PM
I was there. It was meant literally.
“JD Work — now on the US NSC — shocked some by warning that the US would take lethal action against malicious actors in commercial cyber operations.
Participants who heard [it said] they were unsure if it was meant literally or figuratively”
“JD Work — now on the US NSC — shocked some by warning that the US would take lethal action against malicious actors in commercial cyber operations.
Participants who heard [it said] they were unsure if it was meant literally or figuratively”
Reposted by Danny Moore
The Swiss population doesn’t want to buy the F35 anymore, given everything that’s going on in Trump’s US.
In 2020, a 50,1% majority had voted for the acquisition in a referendum.
www.watson.ch/schweiz/wirt...
In 2020, a 50,1% majority had voted for the acquisition in a referendum.
www.watson.ch/schweiz/wirt...
March 27, 2025 at 3:07 PM
The Swiss population doesn’t want to buy the F35 anymore, given everything that’s going on in Trump’s US.
In 2020, a 50,1% majority had voted for the acquisition in a referendum.
www.watson.ch/schweiz/wirt...
In 2020, a 50,1% majority had voted for the acquisition in a referendum.
www.watson.ch/schweiz/wirt...
Reposted by Danny Moore
Why is the headline on all X outage stories about Musk blaming Ukraine for the DDoS? Why aren't media outlets putting the emphasis on the security lapse that allowed script kiddies (or whoever) to launch the attack against X as well as the lack of any evidence that the traffic came from Ukraine IPs?
March 11, 2025 at 11:58 PM
Why is the headline on all X outage stories about Musk blaming Ukraine for the DDoS? Why aren't media outlets putting the emphasis on the security lapse that allowed script kiddies (or whoever) to launch the attack against X as well as the lack of any evidence that the traffic came from Ukraine IPs?
DDoS attacks frequently use compromised or otherwise co-opted IP addresses. The global distribution helps avoid geofencing defenses.
Public high-confidence attribution takes time and effort. So take any quickfire claims with healthy skepticism.
Public high-confidence attribution takes time and effort. So take any quickfire claims with healthy skepticism.
Updated with Musk's claim about the apparent DDoS: The IP addresses originated in "the Ukraine area."
Besides the geographical ambiguity (isn't Russia in the Ukraine area?), this is also total nonsense. A big DDoS uses hacked devices from around the world. Says nothing about where the attacker is.
Besides the geographical ambiguity (isn't Russia in the Ukraine area?), this is also total nonsense. A big DDoS uses hacked devices from around the world. Says nothing about where the attacker is.
X sees major outages as Musk claims 'massive cyberattack' hit platform
Three separate outages appear to have hit the social media site Monday.
www.nbcnews.com
March 10, 2025 at 9:29 PM
DDoS attacks frequently use compromised or otherwise co-opted IP addresses. The global distribution helps avoid geofencing defenses.
Public high-confidence attribution takes time and effort. So take any quickfire claims with healthy skepticism.
Public high-confidence attribution takes time and effort. So take any quickfire claims with healthy skepticism.
Great coverage by @kimzetter.bsky.social. In this ecosystem we need to be doubly suspicious of major claims even if published by reputable sources.
Considering the denials it's hard to pin down the truth. That said if things continue we may still see a gradual derisking of Russia by the US.
Considering the denials it's hard to pin down the truth. That said if things continue we may still see a gradual derisking of Russia by the US.
Two stories published Friday reporting that Trump admin had ordered US Cyber Command and CISA to "stand down" on their work to detect/counter Russian cyber threats. But new info has come out to contradict them. I dug into what we know and don't know. www.zetter-zeroday.com/did-trump-ad...
Did Trump Admin Order U.S. Cyber Command and CISA to Stand Down on Russia?
Two blockbuster stories published on Friday that appear to confirm what many Americans suspected would occur under the Trump administration – that the new regime is going to be softer on Russia than p...
www.zetter-zeroday.com
March 5, 2025 at 10:01 AM
Great coverage by @kimzetter.bsky.social. In this ecosystem we need to be doubly suspicious of major claims even if published by reputable sources.
Considering the denials it's hard to pin down the truth. That said if things continue we may still see a gradual derisking of Russia by the US.
Considering the denials it's hard to pin down the truth. That said if things continue we may still see a gradual derisking of Russia by the US.
That's genuinely lovely but if we are to establish soft power diplomatic momentum that isn't dependent on the US establishment maybe do it on a network that isn't Elon's X.
In an extraordinary display of public support, heads of state, heads of government, and foreign ministers from all over Europe and Canada are posting in support of Ukraine in response to the Oval Office meeting with Trump, Zelenskyy, and Vance.
March 1, 2025 at 10:32 AM
That's genuinely lovely but if we are to establish soft power diplomatic momentum that isn't dependent on the US establishment maybe do it on a network that isn't Elon's X.
Madness
The secretary of Defense has ordered U.S. Cyber Command to stand down from all planning against Russia, including offensive digital actions, sources tell Recorded Future News. https://therecord.media/hegseth-orders-cyber-command-stand-down-russia-planning
Exclusive: Hegseth orders Cyber Command to stand down on Russia planning
The secretary of Defense has ordered U.S. Cyber Command to stand down from all planning against Russia, including offensive digital actions, sources tell Recorded Future News.
therecord.media
February 28, 2025 at 8:10 PM
Madness
Reposted by Danny Moore
New from 404 Media: anyone can push updates to the Doge.gov site. Two sources independently found the issue, one made their own decision to deface the site. "THESE 'EXPERTS' LEFT THEIR DATABASE OPEN."
www.404media.co/anyone-can-p...
www.404media.co/anyone-can-p...
February 14, 2025 at 7:06 AM
New from 404 Media: anyone can push updates to the Doge.gov site. Two sources independently found the issue, one made their own decision to deface the site. "THESE 'EXPERTS' LEFT THEIR DATABASE OPEN."
www.404media.co/anyone-can-p...
www.404media.co/anyone-can-p...