
Exclusive: Google's John Hultquist warns cyber attackers are getting younger & faster
It comes as John Hultquist, Chief Analyst at Google's Threat Intelligence Group, spoke with TechDay exclusively to reveal who exactly is behind these attacks.
"We're talking tens of millions - if not hundreds of millions - of dollars that these kids are making," Hultquist said. "There's clearly a financial motive, but it's also about reputation. They feed off the praise they get from peers in this subculture."
The typical cybercriminal today is often not a shadowy figure backed by a government agency but a teenager with a high tolerance for risk and little fear of repercussions.
And according to Hultquist, that combination is proving incredibly difficult for law enforcement to counter.
"There's no deterrent," he said. "They know they're unlikely to face serious consequences, and they exploit that. One reason I wouldn't do cybercrime - aside from the ethical one - is I don't want to go to jail. These kids know they probably won't."
His concern is echoed by Mandiant Consulting's latest global data.
In 2024, 55% of cyberattacks were financially motivated, the majority involving ransomware or extortion.
Mandiant also observed that teen-driven groups like UNC3944 (aka Scattered Spider) are behind many of the most damaging breaches, often relying on stolen credentials and social engineering to bypass defences.
"Younger actors are willing to cross lines even the Russian criminals won't - threatening families, for example," Hultquist said. "They don't worry about norms outside their subculture. Inside their world, they're being praised."
Even when authorities know who is behind an attack, bringing them to justice is rarely fast. "Building a case takes years. In the meantime, they can do serious damage," he said.
The urgency is underscored by the pace at which attackers now move.
According to Mandiant, the median global dwell time - the time it takes to detect an intruder - has dropped to just 11 days, and in ransomware cases, often as little as 6 days. More than 56% of ransomware attacks are discovered within a week, showing just how rapidly these operations unfold.
Though many of these actors operate independently, some work along the blurred line between criminal enterprises and state-sanctioned campaigns. Hultquist explained that governments - particularly in Russia and Iran - often outsource cyber operations to criminal groups, giving them protection in exchange for service.
"It's a Faustian bargain," he said. "The government lets them continue their criminal activity as long as they're also doing work on its behalf."
Google's acquisition of Mandiant in 2022 has enabled Hultquist and his team to monitor global threats more effectively by combining Google's in-house security team with Mandiant's threat intelligence capabilities.
This merger formed the Google Threat Intelligence Group, which Hultquist described as a "juggernaut".
"We've got great visibility on threats all over the world," he said. "We get to see the threats targeting Google users."
That level of access and scale has allowed Google's team to take cyber defence to unprecedented levels. In one recent case, they used an AI model to uncover and neutralise a zero-day vulnerability before attackers could use it.
"It literally found the zero-day," Hultquist said. "The adversary was preparing their attack, and we shut it down. It doesn't get any better than that."
AI is becoming both an asset and a threat. While Google uses it to pre-emptively defend systems, attackers are beginning to leverage it to enhance their own capabilities. Fake images, videos, and text have long been used in phishing and disinformation campaigns, but Hultquist said the next phase is far more concerning.
"We've seen malware that calls out to AI to write its own commands on the fly," he said. "That makes it harder to detect because the commands are always changing."
He warned that AI could soon automate entire intrusions, allowing cybercriminals to break into networks, escalate privileges, and deploy ransomware faster than defenders can respond.
"If someone can move through your network at machine speed, they might ransom you before you even know what's happening," he said. "Your response window gets smaller and smaller."
As attackers evolve, many defenders still rely on outdated mental models, particularly when it comes to cloud security.
"People are still thinking like they're defending old-school, on-prem systems," Hultquist said. "One of the biggest problems in cloud is identity - especially third-party access. That's where your crown jewels might be, and you don't always have full control."
And while some worry about cyber threats to governments, Hultquist said the private sector is often the true target.
"If a country retaliates against the Five Eyes, they're not going after military or intelligence," he said. "They'll go after privately held critical infrastructure. That's always been the asymmetrical advantage."
Despite the constant evolution of threats, Hultquist said progress has been made on both sides. He recalled the early days of Chinese state-backed attacks, where errors in spelling and grammar made their emails laughable - and traceable.
"We used to print them out and tack them to our cubicle walls," he said. "Now, they're incredibly sophisticated. But the reason they've improved is because we've gotten better. Our defences have evolved."
And according to Hultquist, that cat-and-mouse game won't be ending anytime soon.
"We're not fighting the laws of physics like safety engineers," Hultquist said. "Our adversaries adapt. If we fix everything, they'll just change to overcome it."
