Ukraine:Russia
24 March 2023 - It's been a year, we've probably seen all the new tricks, either you're watching or you won't see this either.  Dropping to Guarded
03 November 2022 - Russia warns of mutual destruction without formal Digital Rules of Engagement. More info.
03 November 2022 - UK prepares for Russian cyber-attacks. More info.
01 November 2022 - Russia looking for excuse to target UK infrastructure. More info.
28 October 2022 - Russia is accusing the US and EU of conducting a campaign of cyber “sabotage” against Russia. More info.
15 September 2022 - More reports of Russia hacking Ukraine. More info.
10 September 2022 - More reports of Russia hacking Ukraine. More info.
02 September 2022 - Although politicians and cybersecurity experts have warned about the potential for widespread hacks in the wake of Russia’s invasion of Ukraine, a new study finds that attacks linked to the conflict have had minor impact and are unlikely to escalate further. More info.
18 August 2022> - The cyber fallout from the war in Ukraine continues.  The number of observed distributed denial-of-service (DDoS) attacks nearly trebled during the first six months of 2022. More info.
16 February 2022 - Reports are coming in of various cyberattacks on Ukraine Defence Ministry and Armed Forces. More info.
Other countries are preparing for spillover as well.  More info.
03 February 2022 - Raised the Alert Level to High, based on activity identified by CND.
28 January 2022 - UK has now warned of potential cyberattacks from Russia as well. - More info.
25 January 2022 - We've raised a GeoPolitical Subject Alert for the increased activity around Ukraine and Russia. Russian troop buildup at the Ukraine border has created a tense situation, with cyberattacks increasing as tensions rise.
Hactivists say they hacked Belarus rail system to stop Russian military buildup - More info.
US has warned of potential cyberattacks from Russia if it responds to Ukraine invasion. - More info.
US and UK have recalled embassy staff and families. More info. And here.
Ukraine Government websites weather Cyber Attack Campaign. More info.
US, NATO Discuss Ukrainian cyber aid amid tensions. More info.

Taiwan:China

20 October 2022 - Lowered to Guarded.
23 September 2022 - The war of words continues in public, with other nations stirring the pot at times. More info.
31 August 2022 - Taiwan shoots at a Chinese drone, so there are still tensions. More info.
04 August 2022 - Taiwanese military reports DDoS.
More info.
02 August 2022 - Nancy Pelosi's visit to Taipei has increased tensions between Taiwan and China (and US) with increases in hacking activity and military exercises.  Unlikely to escalate beyond this, we hope.
More info. And here. And here. And here.

Apache Log4j

17 December, 2021 - Lowered to Guarded.
14 December, 2021 - Lowered back to Increased, as it's pretty much known and this is a long term issue. ISC statement here.
13 December, 2021 - Raised to High, as the exploit scans continue while vendors scramble to identify and patch.
Used to implant coin miners - more info.
Microsoft Guidance for preventing, detecting, and hunting for CVE-2021-44228 Log4j 2 exploitation here.
10 December, 2021 - Apache Log4j has a 0-day Remote Code Execution vulnerability with PoC exploits in the JNDI lookup feature. CVSSv3 score of 10. More info.
Patches are available. More info.
CERT-EU bulletin here.

Microsoft Exchange Server

17 March, 2021 - Microsoft has published a bulletin, Guidance for responders: Investigating and remediating on-premises Exchange Server vulnerabilities.
More info.
15 March, 2021 - Microsoft has published a one-click Mitigation tool for the Exchange vulnerabilities, which patches and attempts to reverse changes made by identified threats.
More info.
CISA has added seven Malware Analysis Reports (MAR) to their Alert. Each MAR identifies a webshell associated with exploitation of the vulnerabilities in Microsoft Exchange Server products.
More info.
Dropping the Subject Alert, as it's been running for some time now, either you're aware and taking action, or you're not looking here anyway...
10 March, 2021 - FBI and CISA released a joint advisory.
More info.
Brian Krebs has a decent timeline of events. More info.
09 March, 2021 - Microsoft has released updates for out of support versions of Exchange Server that address the 4 most critical vulnerabilities.
More info. And here. And here. And here.
08 March, 2021 - Microsoft has released an updated script that scans Exchange log files for indicators of compromise (IOCs) associated with the vulnerabilities.
CISA bulletin here.
Microsoft has released mitigation steps for organizations that cannot upgrade immediately. See their blog entry here.
Dropping level to Increased, it's been nearly a week...
05 March, 2021 - CISA has updated their Alert to add "CISA recommends investigating for signs of a compromise from at least September 1, 2020 through present."
CISA report here.
Note there is an issue when installing Exchange patches manually where they appear to install, but not fix the vulnerability. Be sure to check the Microsoft support document for details on verifying.
Microsoft support document here.
04 March, 2021 - CISA has published an Emergency Directive. Dropping to High.
CISA report here.
03 March, 2021 - ISC has published a summary, and Volexity has published their research.
ISC's blog entry. Volexity report here.
02 March, 2021 - Microsoft has published an update that fixes 7 RCE vulnerabilities, to address multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China.
Microsoft's bulletin. An article here. And another article here.

SolarWinds Breach

06 January, 2021 - Dropping the Subject Alert, we all know about it...
28 December, 2020 - SolarWinds is reporting an authentication API vulnerability that is being used to install malware.
More info.
21 December, 2020 - It's still going, but everyone is aware and looking, so we're dropping this to High.
14 December, 2020 - SolarWinds is aware that their systems experienced a manual supply chain attack on SolarWinds Orion Platform, released between March 2020 and June 2020. This attack was likely conducted by an outside nation state and intended to be a narrow, extremely targeted, and manually executed attack. Updated software is available. A second hotfix will be available 15 December that replaces the compromised component and provides several additional security enhancements.
SolarWinds advisory. FireEye report. ISC/SANS report.
Microsoft has a writeup.
16 December, 2020 - CERT-EU has an Advisory.

Healthcare Ransomware

06 November, 2020 - Dropped to Guarded.
02 November, 2020 - Vendors are now publishing bulletins with mitigation instructions.
Spacelabs Healthcare info. BD info. GE Healthcare info. Philips info.
30 October, 2020 - Governments are warning of Ransomware attacks targeting the Healthcare industry. US Bulletin here.  Australia bulletin here. UK statement here.  Canadian statement here.
An article about recent Hospital attacks.  More info.

Windows DNS Servers

20 July, 2020 - Seems to be rolling along, no huge, mass compromises, dropping to Guarded
15 July, 2020 - Windows DNS is vulnerable to wormable RCE vulnerability with a CVSSv3 score of 10. Named "SigRed". A server is vulnerable if the DNS role is enabled. Note that Active Directory and Kerberos require DNS, and domain controllers usually have the DNS role enabled. This will put the domain controller at risk. More here. And here.

India:China

08 July, 2020 - India and China are now in their third disengagement series.  Reducing to Guarded.
More here.  Opinion piece here.
07 July, 2020 - China has pulled back from the disputed border.
More here.
01 July, 2020 - It appears other countries are closely looking at their relationship with China.  US has declared Huawei and ZTE National Security threats, and it looks like UK may change their decision to allow the vendors in their 5G networks.
More here. And here.
30 June, 2020 - The Indian government has banned 59 Chinese mobile applications on the grounds of national security, according to a government mandate. This comes after the Indian military clashed with Chinese forces in the region of Ladakh on 15 June.
More here.

Citrix

24 Jan, 2020 - Dropped to Guarded, as the patches are all out as of today.
24 Jan, 2020 - Dropped to Guarded, as the patches are all out as of today.
Public exploits have been released for Citrix ADC (NetScaler) vulnerabilities from a bulletin released 17 Dec yet thousands of servers are still vulnerable.

US:Iran

24 Jan, 2020 - There has been little talk of US:Iran in the news lately, although cyber aggressions may continue. Dropping Alert to Guarded.
13 Jan, 2020 - The public aggressions have ceased, although the cyber warfare may continue. Dropping Alert to Increased.
08 Jan, 2020 - Iran launched missiles at a US military facility in Iraq. More here.
07 Jan, 2020 - The US Maritime Administration website has renewed its warning about threats to U.S. commercial vessels from Iran and its proxies in the Gulf and surrounding area. More here.
CISA has also published an Alert for Iranian cyber activity, with an overview of past activity and patterns of Iranian APT. More here.
04 Jan, 2020 - US DHS publishes a Terrorism Advisory System bulletin as the words escalate. More here.
03 Jan, 2020 - Raising the US:Iran Alert level to High after General Qassim Soleimani was killed in a US airstrike at Baghdad's international airport, an assassination that marks a major escalation in US-Iran tensions. More here.
01 Jan, 2020 - After the storming of the US Embassy in Baghdad, Marines are deployed and Iran is accused of being behind the attack. More here.

Middle East

20 Nov, 2019 - How long before it's not news anymore? I guess this long...
16 Oct, 2019 - Reuters confirms Cyber attacks on Iran after Saudi oil facility attack. And of course, actual fighting in Turkey, Syria. More here.
16 Sep, 2019 - We have raised a GeoPolitical Alert for the Middle East. After the bombing of Saudi Aramco, tensions in the Middle East are increasing. The players involved are many, and others would take advantage while the world's eyes are elsewhere. More here, here, here, here, and here.

US:Iran

12 Aug 2019 - It seems this new level of tension between US:Iran and others has become the norm, so we're dropping this geopolitical alert.  Should things escalate higher, we'll raise a new alert.
06 Aug 2019 - More warships, now from UK, to the Strait of Hormuz to defend oil tankers.  More info.
Another tanker seized by Iran.  More info.
29 July, 2019 - More warships to the Strait of Hormuz to defend oil tankers.  More info.  And here.
More words from both sides, leading to nothing.  More info.
22 July, 2019 - Iran has seized a British-flagged oil tanker.  More info. 
They also report to have identified Iranian citizens working for the CIA and executed some.  More info.
18 July, 2019 - Iran has reported seizure of a tanker smuggling oil.  More info.
15 July, 2019 - Iran has attacked Iraq’s Kurdistan region.  More info.
11 July, 2019 - A British warship forced three Iranian boats to back off after they sought to block a British tanker.  More info.
8 July, 2019 - Iran is going to enrich Uranium, and President Trump responds.  More info.
5 July, 2019 - Britian seized an Iranian oil tanker, Iran threatens to seize a British one.  More info.
26 June, 2019 - Cyber is still the preferred attack vector in this conflict, but things are quiet.
24 June, 2019 - dropping a level as it seems quiet for the moment.
23 June, 2019 - After the reported Cyber Attack on Iranian weapons systems, CISA has reported increased Cyber Attacks on US interests.  More info.  And here.
20 June, 2019 - Iran has shot down a US drone.  More info.
19 June, 2019 - One US Oil company is evacuating staff after several rocket strikes in as many days, the most recent hitting the headquarters.  More info.
18 June, 2019
Tensions continue after the tanker attacks in the Gulf of Oman, and US sends more troops to the Gulf area. Time to be a bit more wary of what else is happening on the Cyber front.  More info.  And here.

BlackHat

12 Aug, 2019 - Removed Subject Alert.
06 Aug, 2019 - It's Hacker Summer Camp, hijinx and disclosures may ensue. Pay attention to the news from BlackHat and DefCon.

DNS Poisoning

18 July, 2019 - Removed Subject Alert.
15 July, 2019 - In January 2019 the NCSC published an alert to highlight a large-scale global campaign to hijack DNS. Activity continues, with victims of DNS hijacking identified across multiple regions and sectors. Please take steps to protect yourselves..  More info.  And here.

US:IRAN - May 2019

21 May, 2019 - Removed the Geopolitical Alert
17 May, 2019 - Still lots of rhetoric out there, we will leave this alert over the weekend at least.
15 May, 2019 - US is pulling people from Iraq, we're keeping the the Alert at Increased.  The story.
13 May, 2019 - Raised Geopolitical Alert for US:Iran
During times of political conflict, cyberactivity increases as well. US and Iran are currently escalating, the latest story is here.

INDIA:PAKISTAN - Feb-Mar 2019

04 March, 2019 - Reduced Alert State to Guarded.
27 February, 2019 - Created Subject Alert for India:Pakistan based on News reports of increased tensions in the Kashir area, Indian air strikes in Pakistan, and Indian fighter jets shot down over Kashmir. Increased geopolitical tensions typically result in increased cyber activity as well. More info.
A live blog of activity can be seen here.

IRAN:US Aug 2018

21 September, 2018 - Removed Subject Alert for US:Iran
13 August, 2018 - Created Subject Alert for US:Iran based on expected Iranian response to US sanctions.  Given the quantity of ICS/SCADA, Building, and Infrastructure alerts we have posted lately, the attack surface is broad in several areas.  More info.

VPNFILTER - May-Jun 2018

20 June, 2018 - Removed Subject Alert, no new news, everyone that cares already knows.
18 June, 2018 - Lowered state to Guarded, there has been no new coverage since 12 June, except that SMBs aren't heeding the warnings.
07 June, 2018 - Raised back to High, based on Talos research group's latest report that the malware hits more brands, and can infect endpoints.  More info.
06 June, 2018 - Lowered state to Increased, based on waning news coverage.
05 June, 2018 - More News Coverage.  VPNFilter continues to target the Ukraine (more info).
29 May, 2018 - FBI has taken control of C&C domain toknowall.com, and is asking everyone to reboot their routers.  More info.
24 May, 2018 - Raised a Subject Alert State for VPNFilter and set it at High.  Cisco Talos is warning of a sophisticated modular malware system known as VPNFilter.  They estimate the number of infected devices to be at least 500,000 in at least 54 countries. The known devices affected by VPNFilter are Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office (SOHO) space, as well at QNAP network-attached storage (NAS) devices. Note Cisco is not in this list.  Research is not complete, but risks are high.  More info.

 IRAN:US May 2018

24 May, 2018 - Removed Subject Alert
23 May, 2018 - Reduced Subject Alert State to Guarded.  Let's see what happens...
11 May, 2018 - Subject Alert State modified to Iran:USA based on the idea that cyber activity will increase as a result of US sanctions.
     https://www.recordedfuture.com/iran-hacker-hierarchy/
11 May, 2018 - Subject Alert State added and set to Increased for Israel:Iran.  Expect increased cyber activity.

RUSSIA:US, UK, FRANCE Apr-May 2018

11 May, 2018 - Subject Alert State for France, UK, US removed
03 May, 2018 - Subject Alert State for France, UK, US lowered to Guarded
17 April, 2018 - Subject Alert State for France, UK, US set to Increased based on escalating tensions between Russia and the ally group.  Following the Syrian drone strikes by the ally group, tensions are increasing. 
https://www.securityweek.com/us-britain-warn-russian-campaign-hack-networks
https://www.theregister.co.uk/2018/04/16/russian_hackers_internet_routers/
https://www.securityweek.com/us-britain-warn-russian-campaign-hack-networks
https://www.mirror.co.uk/news/politics/britain-braces-putins-dirty-cyber-12370560
https://www.mirror.co.uk/news/politics/russia-hacking-millions-computers-pave-12374598
http://www.dailymail.co.uk/news/article-5619039/Fears-retaliation-Putin-Syria-strikes.html
https://www.telegraph.co.uk/politics/2018/04/15/russia-launches-cyber-war-uk-dirty-tricks-campaign-boris-johnson/
https://www.us-cert.gov/ncas/alerts/TA18-106A
https://www.ncsc.gov.uk/alerts/russian-state-sponsored-cyber-actors-targeting-network-infrastructure-devices 
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180416-tsa18-106a

RUSSIA:UK Mar-Apr 2018

16 April, 2018 - Removed subject alert.
26 March, 2018 - Subject Alert State reduced to Guarded after a few more quiet days.
22 March, 2018 - Subject Alert State reduced to Increased after a few quiet days.
19 March, 2018:  Subject Alert state for Russia:UK raised to High.  The UK National Cyber Security Centre (NCSC) put the National Grid on alert.  More info.
UPDATE:  Russia said they had no motive for the attack on Sergei Skripal and his daughter.  PM May to "announce measures".  More info.
16 March, 2018:  US has issued sanctions in support of the UK and in response to reports that Russia is responsible for cyberactivity targeting US Infrastructure.  More info.
13 March, 2018 - Subject Alert State for Russia:UK set to Increased based on escalating tensions between Russia and the UK.  Following the Weapon of Mass Destruction attack on the UK mainland, allegedly by Russia, the UK have given Russia until midnight (GMT) on 13 March to respond.  UK media are speculating that the likely response from the UK will be a cyber attack against Russia.  More info.

RUSSIA:US CNI Mar 2018

23 March, 2018 - Subject Alert State removed.
22 March, 2018 - Subject Alert State reduced to Guarded after a few quiet days.
19 March, 2018:  Subject Alert created for Russia:US CNI and set to Increased.  US-CERT detailed report on "Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors" here.

APT on CRITICAL INFRASTRUCTURE Oct 2017

23 Oct, 2017 - Subject Alert State for APT for Critical Infrastucture set to Increased based on CERT report of advanced persistent threat (APT) actions targeting government entities and organizations in the energy, nuclear, water, aviation, and critical manufacturing sectors.  More info.

BLACKHAT/BROADCOM WI-FI Jul 2017

30 July, 2017 - Subject Alert State for BlackHat removed, since BlackHat and DefCon are over.
24 July, 2017 - Subject Alert State for BlackHat set to Increased based on Broadcom Wi-Fi chipset vulnerabilities and the upcoming BlackHat presentation.  Both Apple and Google have addressed this in recent updates for iOS, Boot Camp, and Android.  Apple's bulletins for iOS and Boot Camp, Google's bulletin for Android.

PETYA RANSOMWARE Jun 2017

30 June, 2017 - Removed the Subject Alert, we all know about it and the myriad of ideas around it.
29 June, 2017 - Subject Alert State set to Increased, Petya has run it's course for the most part, and it is in post-analysis and recovery stage.  Some wariness is still required, and patch, patch patch!
27 June, 2017 - Created a Subject Alert state for Ransomware set to High, based on fast spreading infections of a ransomware called "Petya".  Starting in Eastern Europe, and hitting financial and infrastructure hard.  The ransomware uses the Microsoft SMB vulnerability as WannaCry.

WINDOWS Apr 2017

17 April, 2017 - Subject Alert for Windows removed.
13 April, 2017 - Set to Increased, since updates should be rolling...
12 April, 2017 - A Subject Alert for Windows was added and set at High, to highlight the patch for the Office and WordPad 0-day announced a few days ago.  Exploitation of this issue has increased, indicating a need to patch quickly.  Also, Vista is now officially EOL, with no new security updates.

WANNACRY RANSOMWARE May 2017

16 May, 2017 - Removed, nothing left but the patching...
15 May, 2017 - Lowered to Guarded with little new reporting
13 May, 2017 - Lowered to Increased based on the registration of the domain that acted as a kill switch, and Microsoft publication of patches for unsupported versions of the software.
12 May, 2017 - Raised to High based on the pace of infections...
12 May, 2017 - Created a Subject Alert state for Ransomware set to Increased, based on fast spreading infections of a ransomware called "WannaCry".  ISPs, Hospitals, and Energy Infrastructure companies are among the victims.  The ransomware uses a Microsoft SMB vulnerability patched in March, 2017.  More info here and here.