OODA Loop readers will know more than most the two biggest uses of the term “Open Source.” We frequently write about both. In the context of intelligence, Open Source means information that does not come from classified channels. In terms of software, Open Source means software developed and managed in an open way, generally using open source licenses that allow code to be modified and used freely.  This has always introduced some ambiguity for technologists who operate at the nexus of technology and national security. Now it is getting even more complicated. In this post, for example, we provide some open source intelligence on open source software threats. 

The recent breach of the industry-standard, cloud-based single sign-on (SSO) authentification service provider Okta is a consequential cyber incident. Following is a timeline of the Okta Breach and the recent Lapsus$ ransomware rampage, concluding with technical guidance and recommendations gleaned from a handful of ongoing technical investigations underway by law enforcement, Okta, Microsoft, Nvidia and cybersecurity researchers worldwide.

Deputy National Security Adviser for Cyber and Emerging Technology Anne Neuberger took to the podium yesterday to announce that U.S. Intelligence continues to investigate the Feb 24th hack of a European satellite company, Viasat, which provides internet connectivity to Europe, including the Ukrainian government and military. In light of this attack, on March 17th the U.S. Cybersecurity & Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a joint statement which warned of the “possible threats to U.S. and international satellite communication (SATCOM) networks.”

In early February, a cybercrime crackdown by Russian authorities included the arrest of members of the REvil gang. Overall, follow-up reports suggested a growing sentiment that the Russian authorities were out to optimize the appeasement value to the U.S. of the arrests. We later suggested that the REvil Gang arrest was possibly a false flag operation. Our suggested scenario at the time:  The Russians gave up the REvil Gang while still planning to lean on non-state actors for the plausible deniability of cyberwar operations. Our latter assumption has proven true.  A few days ago, the Conti Gang announced their support for the Russian Government.

Cybersecurity researchers at Cisco Talos identified a campaign conducted by advanced persistent threat group MuddyWater targeting high-profile entities in Turkey. MuddyWater is a state-sponsored Iranian hacking group that has been linked to campaigns in the Middle East, Israel, the US, and Europe in the past. The group has ties to

Initial Access Brokers (IAB) are poised to become a force in 2022, due to a unique skill set that positions them as a valuable commodity for the deployment of hostile cybercrime activity. IABs serve as middlemen, specializing in the exploitation of victims and gaining initial entry. Once achieved and sustained, these actors sell these unique accesses to interested customers on dark web forums and markets. In this capacity, they execute the first phase of a cyber-attack chain, performing the necessary research prior to conducting an operation. Emilio Iaisiello explores the implications of the growth of IABs.

Microsoft has issued an alert regarding the exploitation of systems running Zoho ManageEngine ADSeflService Plus. Microsoft Threat Intelligence Center (MSTIC) has detected exploits originating from a sophisticated Chinese hacker group. Microsoft stated that the group is targeting an obscure bug in the Zoho software to install a web shell. The

The U.S. Department of Justice (DoJ) recently fined three former National Security Agency (NSA) hackers who worked as service contractors for a United Arab Emirates (UAE) cybersecurity company named DarkMatter. These three individuals were not the only former ex-U.S. Intelligence officers working for the company. DarkMatter employed more than a dozen former NSA hackers who would use the skills and techniques learned from the NSA to help the UAE target and compromise the phones and computers of its enemies. These “enemies” included human rights activists, journalists, and political rivals. At the core of this issue is the fact that these ex-intelligence operatives used cutting-edge cyber-espionage tools learned from their time in the U.S. Intelligence Community on behalf of a foreign intelligence service.

Hacking group Edalat-e Ali has allegedly released silent videos capturing the living conditions inside Tehran’s Evin Prison after compromising their systems and accessing surveillance footage. The prison typically houses political prisoners, according to reports. Iran International confirmed that they received the images and video footage from the hacking group on