China’s ‘Typhoons’ changing the way FBI hunts sophisticated threats
| CyberScoop By Tim Starks September 10, 202 Major cyber intrusions by the Chinese hacking groups known as Salt Typhoon and Volt Typhoon have forced the FBI to change its methods of hunting sophisticated threats, a top FBI cyber official said Wednesday. U.S. officials, allied governments and threat researchers have identified Salt Typhoon as the group behind the massive telecommunications hack revealed last fall but that could have been ongoing for years. Investigators have pointed at Volt Typhoon as a group that has infiltrated critical infrastructure to cause disruptions in the United States if China invades Taiwan and Americans intervene. Those hacks were stealthier than in the past, and more patient, said Jason Bilnoski, deputy assistant director of the FBI’s cyber division. The Typhoons have focused on persistent access and gotten better at hiding their infiltration by using “living off the land” techniques that involve using legitimate tools within systems to camouflage their efforts, he said. That in turn has complicated FBI efforts to share indicators of compromise (IOCs). “We’re having to now hunt as if they’re already on the network, and we’re hunting in ways we hadn’t before,” he said at the Billington Cybersecurity Summit. “They’re not dropping tools and malware that we used to see, and perhaps there’s not a lot of IOCs that we’d be able to share in certain situations.” The hackers used to be “noisy,” with an emphasis on hitting a target quickly, stealing data and then escaping, Bilnoski said. But now for nation-backed attackers, “we’re watching exponential leaps” in tactics, techniques and procedures, he said. Jermaine Roebuck, associate director for threat hunting at the Cybersecurity and Infrastructure Security Agency, said his agency is also seeing those kinds of changes in the level of stealth from sophisticated hackers, in addition to “a significant change” in their intentions and targeting. “We saw a lot of espionage over the last several years, but here lately, there’s been a decided shift into computer network attack, prepositioning or disruption in terms of capabilities,” he said at the same conference. The targeting has changed as organizations, including government agencies, have shifted to the cloud. “Well, guess what?” he asked. “The actors are going toward the cloud” in response. They’ve also focused on “edge devices,” like devices that supply virtual private network connections or other services provided by managed service providers, Roebuck said. Organizations have less insight into the attacks those devices and providers are facing than more direct intrusions, he said.
Google previews cyber ‘disruption unit’ as U.S. government, industry weigh going heavier on offense | CyberScoop
cyberscoop.com article By Tim Starks August 27, 2025 Google says it is starting a cyber “disruption unit,” a development that arrives in a potentially shifting U.S. landscape toward more offensive-oriented approaches in cyberspace. But the contours of that larger shift are still unclear, and whether or to what extent it’s even possible. While there’s some momentum in policymaking and industry circles to put a greater emphasis on more aggressive strategies and tactics to respond to cyberattacks, there are also major barriers. Sandra Joyce, vice president of Google Threat Intelligence Group, said at a conference Tuesday that more details of the disruption unit would be forthcoming in future months, but the company was looking for “legal and ethical disruption” options as part of the unit’s work. “What we’re doing in the Google Threat Intelligence Group is intelligence-led proactive identification of opportunities where we can actually take down some type of campaign or operation,” she said at the Center for Cybersecurity Policy and Law event, where she called for partners in the project. “We have to get from a reactive position to a proactive one … if we’re going to make a difference right now.” The boundaries in the cyber domain between actions considered “cyber offense” and those meant to deter cyberattacks are often unclear. The tradeoff between “active defense” vs. “hacking back” is a common dividing line. On the less aggressive end, “active defense” can include tactics like setting up honeypots designed to lure and trick attackers. At the more extreme end, “hacking back” would typically involve actions that attempt to deliberately destroy an attacker’s systems or networks. Disruption operations might fall between the two, like Microsoft taking down botnet infrastructure in court or the Justice Department seizing stolen cryptocurrency from hackers. Trump administration officials and some in Congress have been advocating for the U.S. government to go on offense in cyberspace, saying that foreign hackers and criminals aren’t suffering sufficient consequences. Much-criticized legislation to authorize private sector “hacking back” has long stalled in Congress, but some have recently pushed a version of the idea where the president would give “letters of marque” like those for early-U.S. sea privateers to companies authorizing them to legally conduct offensive cyber operations currently forbidden under U.S. law. The private sector has some catching up to do if there’s to be a worthy field of firms able to focus on offense, experts say. John Keefe, a former National Security Council official from 2022 to 2024 and National Security Agency official before that, said there had been government talks about a “narrow” letters of marque approach “with the private sector companies that we thought had the capabilities.” The concept was centered on ransomware, Russia and rules of the road for those companies to operate. “It wasn’t going to be the Wild West,” said Keefe, now founder of Ex Astris Scientia, speaking like others in this story at Tuesday’s conference. The companies with an emphasis on offense largely have only one customer — and that’s governments, said Joe McCaffrey, chief information security officer at defense tech company Anduril Industries. “It’s a really tough business to be in,” he said. “If you develop an exploit, you get to sell to one person legally, and then it gets burned, and you’re back again.” By their nature, offensive cyber operations in the federal government are already very time- and manpower-intensive, said Brandon Wales, a former top official at the Cybersecurity and Infrastructure Security Agency and now vice president of cybersecurity at SentinelOne. Private sector companies could make their mark by innovating ways to speed up and expand the number of those operations, he said. Overall, among the options of companies that could do more offensive work, the “industry doesn’t exist yet, but I think it’s coming,” said Andrew McClure, managing director at Forgepoint Capital. Certainly Congress would have to clarify what companies are able to do legally as well, Wales said. But that’s just the industry side. There’s plenty more to weigh when stepping up offense. “However we start, we need to make sure that we are having the ability to measure impact,” said Megan Stifel, chief strategy officer for the Institute for Security and Technology. “Is this working? How do we know?” If there was a consensus at the conference it’s that the United States — be it the government or private sector — needs to do more to deter adversaries in cyberspace by going after them more in cyberspace. One knock on that idea has been that the United States can least afford to get into a cyber shooting match, since it’s more reliant on tech than other nations and an escalation would hurt the U.S. the most by presenting more vulnerable targets for enemies. But Dmitri Alperovitch, chairman of the Silverado Policy Accelerator, said that idea was wrong for a couple reasons, among them that other nations have become just as reliant on tech, too. And “the very idea that in this current bleak state of affairs, engaging in cyber offense is escalatory, I propose to you, is laughable,” he said. “After all, what are our adversaries going to escalate to in response? Ransom more of our hospitals, penetrate more of our water and electric utilities, steal even more of our IP and financial assets?” Alperovitch continued: “Not only is engaging in thoughtful and careful cyber offense not escalatory, but not doing so is.”
