
Latest news with #Hultquist

Exclusive: Google's John Hultquist warns cyber attackers are getting younger & faster

Techday NZ

01-08-2025

  • Techday NZ


Children and teenagers are behind some of the most aggressive and profitable cyberattacks in the world, and many are getting away with it because they know they're unlikely to face serious consequences. It comes as John Hultquist, Chief Analyst at Google's Threat Intelligence Group, spoke with TechDay exclusively to reveal who exactly is behind these attacks. "We're talking tens of millions - if not hundreds of millions - of dollars that these kids are making," Hultquist said. "There's clearly a financial motive, but it's also about reputation. They feed off the praise they get from peers in this subculture." The average cybercriminal today is not a shadowy figure backed by a government agency, but often a teenager with a high tolerance for risk and little fear of repercussions. And according to Hultquist, that combination is proving incredibly difficult for law enforcement to counter. "There's no deterrent," he said. "They know they're unlikely to face serious consequences, and they exploit that. One reason I wouldn't do cybercrime - aside from the ethical one - is I don't want to go to jail. These kids know they probably won't." His concern is echoed by Mandiant Consulting's latest global data. In 2024, 55% of cyberattacks were financially motivated, the majority involving ransomware or extortion. Mandiant also observed that teen-driven groups like UNC3944 (aka Scattered Spider) are behind many of the most damaging breaches, often relying on stolen credentials and social engineering to bypass defences. "Younger actors are willing to cross lines even the Russian criminals won't - threatening families, for example," Hultquist said. "They don't worry about norms outside their subculture. Inside their world, they're being praised." Even when authorities know who is behind an attack, bringing them to justice is rarely fast. "Building a case takes years. In the meantime, they can do serious damage," he said. 
The urgency is underscored by the pace at which attackers now move. According to Mandiant, the median global dwell time - the time it takes to detect an intruder - has dropped to just 11 days, and in ransomware cases, often as little as 6 days. More than 56% of ransomware attacks are discovered within a week, showing just how rapidly these operations unfold. Though many of these actors operate independently, some operate in blurred lines between criminal enterprises and state-sanctioned campaigns. Hultquist explained that governments - particularly in Russia and Iran - often outsource cyber operations to criminal groups, giving them protection in exchange for service. "It's a Faustian bargain," he said. "The government lets them continue their criminal activity as long as they're also doing work on its behalf." Google's acquisition of Mandiant in 2022 has enabled Hultquist and his team to monitor global threats more effectively by combining Google's in-house security team with Mandiant's threat intelligence capabilities. This merger formed the Google Threat Intelligence Group, which Hultquist described as a "juggernaut". "We've got great visibility on threats all over the world," he said. "We get to see the threats targeting Google users." That level of access and scale has allowed Google's team to take cyber defence to unprecedented levels. In one recent case, they used an AI model to uncover and neutralise a zero-day vulnerability before attackers could use it. "It literally found the zero-day," Hultquist said. "The adversary was preparing their attack, and we shut it down. It doesn't get any better than that." AI is becoming both an asset and a threat. While Google uses it to pre-emptively defend systems, attackers are beginning to leverage it to enhance their own capabilities. Fake images, videos, and text have long been used in phishing and disinformation campaigns, but Hultquist said the next phase is far more concerning. 
"We've seen malware that calls out to AI to write its own commands on the fly," he said. "That makes it harder to detect because the commands are always changing." He warned that AI could soon automate entire intrusions, allowing cybercriminals to break into networks, escalate privileges, and deploy ransomware faster than defenders can respond. "If someone can move through your network at machine speed, they might ransom you before you even know what's happening," he said. "Your response window gets smaller and smaller." As attackers evolve, many defenders still rely on outdated mental models, particularly when it comes to cloud security. "People are still thinking like they're defending old-school, on-prem systems," Hultquist said. "One of the biggest problems in cloud is identity - especially third-party access. That's where your crown jewels might be, and you don't always have full control." And while some worry about cyber threats to governments, Hultquist said the private sector is often the true target. "If a country retaliates against the Five Eyes, they're not going after military or intelligence," he said. "They'll go after privately held critical infrastructure. That's always been the asymmetrical advantage." Despite the constant evolution of threats, Hultquist said progress has been made on both sides. He recalled the early days of Chinese state-backed attacks, where errors in spelling and grammar made their emails laughable - and traceable. "We used to print them out and tack them to our cubicle walls," he said. "Now, they're incredibly sophisticated. But the reason they've improved is because we've gotten better. Our defences have evolved." And according to Hultquist, that cat-and-mouse game won't be ending anytime soon. "We're not fighting the laws of physics like safety engineers," Hultquist said. "Our adversaries adapt. If we fix everything, they'll just change to overcome it."

America Faces Billion-Dollar Threat From New Cyberattack

Newsweek

19-06-2025

  • Business
  • Newsweek


The group behind the cyberattacks that rattled American and British retail companies earlier this year has turned its attention toward the insurance sector, and experts warn that the financial fallout could be in the billions. On Monday, John Hultquist, the chief analyst of the Google Threat Intelligence Group, warned that "multiple intrusions" had been observed, including those targeting insurance companies, and issued a "high alert" warning for the sector. He added that these attacks "bear the hallmarks" of Scattered Spider. This prolific hacker collective has gained notoriety in recent years for its impersonation tactics and the use of "ransomware," a type of software that compromises victims' computer systems until an extortion payment is made. The group, also known as UNC3944, is believed to be behind the attacks earlier this year, which targeted U.K. chains Marks & Spencer and Co-Op, as well as U.S. retailers. Hultquist said in a post on X, formerly Twitter, that Scattered Spider has "a habit of working their way through a sector," and that insurance firms should now "be on the lookout for social engineering schemes targeting their call centers." The warning coincided with reports from two American insurance firms, Erie Insurance and Philadelphia Insurance Companies, of anomalies in their systems; however, neither has confirmed a suspect or motive. The latter's website is still down as its team works "around the clock to fully resume business operations," while Erie on Tuesday said there was no longer any indication "of ongoing threat actor activity."
Charles Carmakal, chief technology officer of Google Cloud's Mandiant Cybersecurity Consulting, confirmed to Newsweek that there was already more than one U.S.-based victim in the insurance sector, and that the latest wave of attacks started "approximately 1.5 weeks ago." However, should the attacks spread to the broader insurance sector, valued in the trillions and considered a cornerstone of the entire U.S. economy, experts believe the reputational and financial toll could far exceed that of the earlier attacks. "When insurers bleed, the economy feels the pain," said cybersecurity expert and former White House Chief Information Officer Theresa Payton. "Scattered Spider could turn a sector safeguard into a financial sinkhole." Payton told Newsweek that a Scattered Spider attack could disrupt insurers' ability to access accounts, process claims, or make payments, and that a sector-wide attack could "cost hundreds of millions, possibly billions," given the "vast troves" of sensitive data that insurance companies hold, which could be exploited. James E. Lee, president of the Identity Theft Resource Center (ITRC), similarly estimated the potential impact of "a large-scale series of attacks" in the billions of dollars, given the costs associated with the small number of successful attacks on the retail sector. Marks & Spencer, the primary target of these attacks, estimated that these would result in a £300 million ($403 million) hit to this year's profits. This is in addition to the harm caused to those who rely on uninterrupted insurance payouts, and the "widespread erosion" of customer trust and resulting "regulatory scrutiny" that Payton said would befall the industry. Both experts also noted that the insurance industry's vast size and complexity make it an ideal target for Scattered Spider's signature playbook, particularly the use of employee impersonation to gain access to computer systems.
"Everyone is a target," said Payton, "however, the insurance sector is a prime candidate for Scattered Spider due to its data-rich environment, decentralized IT systems, and reliance on third-party vendors." She added that the use of "social engineering tactics" could exploit human vulnerabilities in call centers, and that insurers' hoards of data from personal and information to health records "are lucrative for extortion or dark web sales." However, beyond the outsize risks posed to the insurance industry, Payton told Newsweek that another "hidden threat" was emerging, which could "supercharge" the social engineering tactics of groups such as Scattered Spider. "With generative AI, attackers no longer need fluent English or clunky translations; they can craft bespoke phishing emails or impersonate a high-ranking U.S. official from D.C., mimicking their voice or likeness in real-time interactive calls or video chats," she said. "This technology, widely accessible, amplifies their ability to deceive employees and bypass digital defenses." A countermeasure to this, Payton argues, is for companies to "go analogue." "Use in-person verification or a deepfake-combating passphrase—unique, unguessable, and not derived from social media, public records, or breached data—to thwart these hyper-realistic scams."

Google Issues 'High Alert' Warning for Insurance Sector

Newsweek

17-06-2025

  • Business
  • Newsweek


A cybersecurity expert from Google's Threat Intelligence Group has warned that the insurance industry should be on "high alert" for attacks by a hacker group linked to the recent assault on the U.S. and U.K. retail sector.

Why It Matters

The wave of attacks attributed to the group in April—which targeted British retail chain M&S, French fashion house Dior and several U.S. firms—resulted in mass data theft, as well as financial losses totaling hundreds of millions of dollars. Google's warning follows disclosures from at least one insurance firm about disruptions and potential attacks, meaning hacker collective Scattered Spider may have already expanded its efforts into the sector.

What To Know

Scattered Spider, also known as UNC3944, is believed to be a trans-Atlantic coalition of hackers, whose past targets have included large firms across the technology, telecommunications and financial services sectors, according to Google, and more recently U.K. and U.S. retail chains. "Google Threat Intelligence Group is now aware of multiple intrusions in the U.S. which bear all the hallmarks of Scattered Spider activity. We are now seeing incidents in the insurance industry," chief analyst John Hultquist told The Register tech website on Monday. Hultquist added that, given the actor's history of "focusing on a sector at a time," the industry should be on "high alert," particularly for "social engineering schemes, which target their help desk and call centers." Newsweek has reached out to Google for further information on which companies may have been subject to the latest attacks linked to the group. The April attacks involved the group employing its signature technique of impersonating employees to infiltrate companies' networks.
M&S, one of the primary targets, was forced to pause online orders as it dealt with the fallout. The company said disruptions are likely to continue into July, and estimates that the attack will result in a £300 million ($407 million) hit to this year's profits, the BBC reports. Following these attacks, Google updated its guidance on how firms can protect themselves from similar social engineering attacks. Recommendations included on-camera or in-person verifications by help-desk personnel, and avoiding reliance on publicly available personal data. Google's latest warning for the insurance sector comes as U.S. companies have begun reporting outages and disruptions. Earlier this month, Erie Insurance, which operates in 12 states and has more than 6 million active policies, reported "unusual network activity," and is working with law enforcement while taking measures to "gain full understanding of the event." In a June 11 regulatory filing, Erie said: "Upon learning of this activity, the company activated its incident response protocols and took immediate action to respond to the situation to safeguard our systems." Philadelphia Insurance Companies similarly reported "suspicious activity," and later determined that "unauthorized access" was gained to its network. The company's website remains offline, redirecting users to a notice stating it has been working "around the clock to resolve this issue as quickly as possible."

What People Are Saying

Google Threat Intelligence, in guidance released following the retail sector attacks, urged companies to "enhance strong authentication criteria," while also enforcing "rigorous identity controls for password resets and multi-factor authentication registration." It added that companies should "educate and communicate the importance of remaining vigilant against modern-day social engineering attacks / campaigns," and that Scattered Spider campaigns "not only target end-users, but also IT and administrative personnel within enterprise environments."

What Happens Next?

Neither the Erie Insurance disruptions nor the Philadelphia Insurance Companies intrusion has been linked to Scattered Spider.

‘Aggressive' hackers of UK retailers are now targeting US stores, says Google

Yahoo

20-05-2025

  • Business
  • Yahoo


Alphabet's Google warned on Wednesday that hackers responsible for paralyzing disruptions of UK retailers are turning their attention to similar companies in the United States. 'US retailers should take note. These actors are aggressive, creative, and particularly effective at circumventing mature security programs,' John Hultquist, an analyst at Google's cybersecurity arm, said in an email sent on Wednesday. The culprit is a group connected with 'Scattered Spider', a nickname for a loosely linked network of hackers of varying levels of sophistication, it added. Scattered Spider is widely reported to have been behind the particularly disruptive hack at M&S, one of the best-known names in British business, whose online operations have been frozen since 25 April. It has a history of focusing on a single sector at a time and is likely to target retail for a while longer, Hultquist said. Just a day before Google's warning, M&S announced that some customer data had been accessed, but this did not include usable payment or card details, or any account passwords. The Guardian understands the details taken are names, addresses and order histories. M&S said personal information had been accessed because of the 'sophisticated nature of the incident'. 'Today, we are writing to customers informing them that due to the sophisticated nature of the incident, some of their personal customer data has been taken,' the company said. Hackers from the Scattered Spider ecosystem have been behind a slew of disruptive break-ins on both sides of the Atlantic. In 2023, hackers tied to the group made headlines for hacking the casino operators MGM Resorts International and Caesars Entertainment. Law enforcement has struggled to get a handle on the Scattered Spider hacking groups, in part because of their amorphousness, the hackers' youth, and a lack of cooperation from cybercrime victims.

‘Aggressive' hackers of UK retailers are now targeting US stores, says Google

Business Mayor

17-05-2025

  • Business
  • Business Mayor


Alphabet's Google warned on Wednesday that hackers responsible for paralyzing disruptions of UK retailers are turning their attention to similar companies in the United States. 'US retailers should take note. These actors are aggressive, creative, and particularly effective at circumventing mature security programs,' John Hultquist, an analyst at Google's cybersecurity arm, said in an email sent on Wednesday. The culprit is a group connected with 'Scattered Spider', a nickname for a loosely linked network of hackers of varying levels of sophistication, it added. Scattered Spider is widely reported to have been behind the particularly disruptive hack at M&S, one of the best-known names in British business, whose online operations have been frozen since 25 April. It has a history of focusing on a single sector at a time and is likely to target retail for a while longer, Hultquist said. Just a day before Google's warning, M&S announced that some customer data had been accessed, but this did not include usable payment or card details, or any account passwords. The Guardian understands the details taken are names, addresses and order histories. M&S said personal information had been accessed because of the 'sophisticated nature of the incident'. 'Today, we are writing to customers informing them that due to the sophisticated nature of the incident, some of their personal customer data has been taken,' the company said. Hackers from the Scattered Spider ecosystem have been behind a slew of disruptive break-ins on both sides of the Atlantic.
In 2023, hackers tied to the group made headlines for hacking the casino operators MGM Resorts International and Caesars Entertainment. Law enforcement has struggled to get a handle on the Scattered Spider hacking groups, in part because of their amorphousness, the hackers' youth, and a lack of cooperation from cybercrime victims.
