APT Hacking Intelligence

Large phishing campaign targets EMEA and APAC governments (Pierluigi Paganini, Security Affairs)

Security researchers uncovered a large phishing campaign targeting multiple government departments in APAC and EMEA countries.



British military intel chief has ‘ambitious plans’ for automation (Vivienne Machi, Defense News)

British defense analysts have access to more data and information sources than ever before, but are desperate for mature automation tools to properly sift through them all, said the nation’s top intelligence officer.

The U.K.’s defense intelligence arm has “ambitious plans” to increase the use of automation systems across its enterprise, and relieve its human analysts of performing repetitive tasks, said British Army Lt. Gen. James Hockenhull, chief of defense intelligence.



Intelligence. Spying 101 (Gabrielle Sierra, Emily Harding, Edward Lucas, CFR)

The glamour and thrill of espionage, brought to life on screen by characters such as James Bond, have long captivated imaginations. But this profession is deeply misunderstood, and it is always changing. Today, spycraft hangs in the balance as new technologies emerge and societies change.



Decoding intelligence on Afghanistan (The Interpreter)


Did the US intelligence community fail by not accurately predicting the speed and scale of the Taliban’s victory? A familiar blame game is now underway in Washington with administration officials and intelligence sources each backgrounding the media with their respective sides of the story. An official inquiry, such as that conducted after the 9/11 terrorist attacks, would be a better way to answer the question about what was or should have been foretold – as well as much larger questions about US failure in Afghanistan.



Artificial Intelligence in the Intelligence Community: Culture is Critical (Just Security)

Several weeks ago, I wrote an article praising the widespread, bipartisan support for the U.S. Innovation and Competition Act (USICA), which would dramatically expand federal government support for U.S. technological growth and innovation in the face of the global AI race. In that article, I argued that for the Intelligence Community (IC) to take advantage of AI in this supportive environment, it must overcome several critical implementation challenges, and quickly. In particular, the IC must more rapidly and nimbly navigate U.S. government budget and acquisition processes, create a simple but effective risk assessment framework, and work with congressional overseers to streamline engagement and improve the partnership between Congress and the IC. Each of these areas is in dire need of radical re-imagining, without which any one of them could be the Achilles’ heel for AI in the IC. I will address each of these in my next few articles.



(USA) Promote Open Source to a Full Member of the Intelligence Community (Defense One)

Mark Quantock, David Dillow, McDaniel Wicker write for Defense One: The U.S. intelligence community should elevate open-source intelligence to a core “int,” alongside signal intelligence, human intelligence, and geospatial intelligence, and its agencies should better “integrate OSINT into collection and analytic tradecraft.” That’s what the Center for Strategic and International Studies (CSIS) recently recommended, and based on our extensive experience in the intelligence community and DoD, including multiple combat tours to the Middle East and South Asia, we firmly concur.



Negotiation/Intelligence/Israel – The Intelligence Factor in Negotiations, Absent Too Often (Gilead Sher, Yahel Arnon, Yoel Guzansky, INSS)


In its classical sense, the intelligence component in negotiations should provide decision makers with relevant information about the abilities and intentions of the various actors. (1) This resource not only identifies threats, but also positive trends and opportunities that might coincide with or mature during a negotiation process. Nevertheless, the involvement of intelligence resources in negotiations is a complex professional and governmental challenge that is far from self-evident.

Intelligence bodies face numerous challenges during a negotiation process. First, the challenge of gathering intelligence throughout what is necessarily a dynamic process is subject to influences and spoilers from both within and beyond. Therefore, the intelligence body must undertake intelligence gathering, prove operational capacities, and provide assessments based upon ongoing research and changing evaluations. Second, a relatively new challenge for intelligence bodies is the need to integrate flexibly and dynamically a myriad of disciplines and data, such as in-depth analyses of cultural, social, economic, and psychological trends. Finally, in an era of truth decay, cyber warfare, fake news, and manipulative data intrusion, intelligence bodies face additional difficulties in addressing their negotiation-related tasks.

This article addresses the operational framework of the intelligence bodies, their roles in the negotiation process, and their inherent potential to serve as a decision supporting framework. It analyzes intelligence capabilities in the context of negotiations and proposes a framework for managing the negotiation-oriented intelligence unit as an integral and inseparable part of the negotiation team, both in roles behind the scenes and as a participant in the talks.

Intelligence and the Negotiation Process

Intelligence is involved in all stages of negotiation, from the moment an intention to enter such a process is considered, detected, or indicated. Intelligence can identify a negotiation-entering option based on ongoing analysis and evaluation of the opponent’s capabilities and the intentions, pressures, and factors affecting it, alongside international, regional, and internal developments. In turn, intelligence bodies can offer recommendations to leaders on the advancement or rejection of negotiations. If they decide to pursue the negotiation option, the intelligence gathering bodies must be “readied” to focus their efforts and establish an intelligence gathering plan that can be launched rapidly and run with a degree of flexibility, as well as be prepared to take part in the integrative collaboration with other relevant bodies.

Intelligence support in negotiations plays the largest role when negotiations have materialized. Negotiation processes are conducted at a shifting pace, often intertwined with domestic political constraints, violence, and terror at various intensities, compounded by numerous additional elements and variables. Intelligence is therefore required to maintain alertness, vigilance, and focus throughout the process, be it months, years or decades. Cognitive tactics and psychological warfare are often employed to leverage advantages against the opponent’s weaknesses so that desired outcomes may be achieved.


The intelligence activity continues when negotiations reach their final stages, since at this point the intelligence bodies must focus on how the other party is likely to comply with an agreement once it is attained. Intelligence guidance after finalizing the agreement is also necessary, and it is therefore recommended not to dismantle the negotiations administration—if such a body has indeed been established—after talks have ended, but rather to maintain its capabilities.

Intelligence guidance and input in negotiations is a critical and central tool, which lends the leaders and the persons in charge on their behalf during negotiations an advantage when they come to take decisions at both tactical and strategic levels. The limits and framework of the intelligence bodies must be clearly, systemically, and structurally defined in order to enable the leader to best handle negotiations. Whether or not the leader chooses to use them, the intelligence bodies established for negotiations must be available, cocked, and ready.

Dilemmas Surrounding the Use of Intelligence

The value of the intelligence community as a central and integral component in national and international decision making processes is indisputable. It has been drawn on by the highest political ranks; however, the involvement of intelligence in a peace process is not self-evident. Despite the potential contribution that intelligence can make for decision makers, there are leaders who prefer to not involve intelligence in peace processes. For example, in 1970 United States President Richard M. Nixon chose not to update the intelligence bodies on his policy vis-à-vis China or his intentions to invade Cambodia, probably because he anticipated potential objections. And indeed, it is the privilege of every leader to use the intelligence resources as he deems fit. However, when a leader does decide to involve intelligence in the process, he gains access to an efficient tool that will both serve his need and the need of his constituency.

Israeli negotiator Michael Herzog claimed that while there is a need to collect information and intelligence on the negotiators’ personal aspects and motivations, this kind of information can also damage the negotiations process and promote distrust between parties. For example, intelligence gathered on intimate information such as private conversations risks revealing a lack of trust between the parties, which in turn might be harmful when entering a peace negotiation process. This drawback is counterbalanced by the value of understanding the motivation of all negotiators, and in turn gaining greater insight into their goals.

Intelligence during Peace Negotiations

Intelligence allocates a great deal of data collection and research abilities to follow the other side and understand its movements, usually in preparation for war (Yadlin, 2004). The same resources can also be allocated for peace negotiations purposes. Intelligence bodies provide information on various levels—tactical, operational, and strategic regarding the respective parties involved in the process. All these efforts enable the leaders and the negotiating teams to best prepare for dialogue and maximize the potential outcomes from the process (Ravid-Kochavi, 2001).


During peace processes, intelligence can make two main contributions. The first is the ability to prevent surprises and provide alerts on changes regarding the relationship between the parties. The second is the ability to provide exclusive information on the other side’s positions and level of commitment to the process. Here, intelligence bodies aspire to be more than just information providers, and they emphasize the value of their analytical abilities.

While providing tactical intelligence to the leader, the administration, and the negotiation team, the coordination between the various intelligence bodies may significantly enhance the quality of a range of activities. For example, during the 2000 Camp David summit the Israeli intelligence bodies constantly assessed the aspirations, intentions, and actions of the US mediators, in case the summit failed. In addition, they continually assessed the United States’ attitude toward each side, in order to determine if there were signs of bias toward a particular party (Ravid-Kochavi 2001). The difficulties and barriers that may arise as a result of intelligence gathering on a mediator lie in a potential crisis of trust between the investigating party and the mediating one, as well as reservations on the mediator portraying himself as objective and neutral.

The signing of the Sharm A Shiekh memorandum between Israel & the Palestinians. In the photo, PM Ehud Barak (L) & PA chairman Yasser Arafat signing the agreement. Moshe Milner/GPO.

The Intelligence Purview

The information gathered by intelligence bodies focuses on the intentions, capabilities, constraints, and limitations of the other party or parties. Analyzing the opponent’s balance of powers includes looking into internal rankings, power struggles, and the intensity of internal friction, differing interests, coalitions, oppositions, beliefs, and perceptions. This type of analysis requires an in-depth understanding of the internal dynamics of the opponent’s team, mandates, coalitions, mindsets, and personalities, and a focus on the relationship between them and their leaders. The negotiation team itself may also contribute significant information for the production of these products, since it is exposed to the internal dynamics of the opponent’s team; hence it has a main role in enriching the comprehensive intelligence picture, of which it too is a major consumer (Kimchi, 2007).

The use of intelligence extends beyond simply understanding the opponent. In fact, intelligence can be utilized to gather information on a wide range of issues, including but not limited to economic changes, the influence of religion, and the counterpart’s civil society and its impact on the decision making process. It can also anticipate the reaction a peace process and resulting agreement will generate among the general public and on social media. Intelligence during negotiations cannot operate removed from the leader’s considerations; implications of the policy for international and regional factors; implications for militarization; implications of the negotiations for civil society; and possible effects on the leadership level. A large part of these information sectors and data banks will not necessarily have been fostered or processed by the intelligence bodies during their routine work, and some of them lie out of their reach or expertise.

In addition to gathering information, intelligence sources are responsible for providing an assessment that includes, inter alia, a set of possible scenarios, cases, and responses. This evaluation addresses the opponent’s negotiation capabilities and tools at its disposal; the way those with vested interests impact on conduct—both in the negotiation room and outside it; the systemic vision of the opponent, which includes red lines and flexible or rigid maneuvering areas; and strategies for achieving goals, as well as action tactics. This systemic vision also relates, to the extent possible, to the counterpart’s assessments of its strengths, limitations, and weaknesses.

Part of the information required for this evaluation should be made transparent by the negotiations team. It has a live view of the conduct displayed by the other party or parties, which is critical feedback for the intelligence bodies, as it may allow them to narrow and focus their efforts. They will, in turn, transmit their insights to the negotiations team in a back and forth process (a “complete intelligence cycle”). This relationship requires sensitivity and professionalism in order to reduce the risk of exposing the negotiators’ sources. Furthermore, one may assume the parties on the other side operate a parallel intelligence division that analyzes the conduct of their adversaries. Therefore, part of the intelligence input should be “fire-walling”: addressing certain aspects on how to best guard and secure the planning information, tools, and tactics while carrying out negotiations.

In some circumstances, it is wiser for a side to expose its weaknesses and concede its inability to meet some of the other sides’ requests. In such cases, intelligence bodies can verify the authenticity of the other side’s lack of capabilities. While some might interpret vulnerability as a sign of weakness, displaying it in a negotiation process can build trust, which is crucial for successful negotiations. Of course, if the intelligence body finds the other party’s claim to be false, it will severely damage the negotiations, and might even cause its demise.

Structural Dimensions

In order to meet the negotiation objectives, a small and highly trusted team is generally appointed under a confidant, who will lead the team and report back to the chief negotiator. In turn, the chief negotiator appoints his ad hoc team. In addition, the leader can also be assisted by a negotiation administration, staff, or headquarters, designed and adapted according to the circumstances and needs of the negotiation process.

Negotiation administration requires organizational, structural, and process flexibility. For political negotiations, depending on the objectives, the setup, the circumstances and the subject matters of the negotiations, certain expertise in language, history, political science, media, nuclear capabilities, psychology, economics, demography, academy, ecology, energy, religion, culture, law—and of course, political, military, and security components—as well as intelligence is pertinent. A person’s capability to successfully adapt to new cultural settings is also essential in political and international negotiations, because it has special relevance to multicultural settings and global contexts.

Lessons drawn from past experience reflect the difficulty of synchronizing the government, whose head defines the negotiation strategy, and the intelligence bodies in the security and defense establishment (but not only), who hold the relevant levers and implement the political strategy. Synchronization becomes more complex due to the sheer number of entities participating in the process, particularly when the negotiation process goes through rapid developments and is characterized by multiple perspectives. Among these difficulties is the need to decipher what data should be gathered by intelligence, in what manner, and by whom within the respective bodies.


As long as there is a commitment from the higher rank to integrate intelligence bodies in the negotiation process, these bodies must deepen collaborations and operate in conjunction with government ministries, actors in the private market (such as survey and polling institutions), think tanks, hi-tech, and cyber companies—some or all if necessary, depending on subject and context. In addition, in order to operate most efficiently, the intelligence function in negotiations must be constantly updated with developments on all matters of the process, both inside and outside the negotiations room. All fields of knowledge may assist the intelligence bodies in presenting how the leadership of the opposing party views the negotiations, while indicating how far or close the parties are to reaching negotiation terms of reference and defining negotiated topics.


It is essential to establish a permanent administration that serves as the leader’s headquarters for the entire process, and to create (to the extent possible, since the leader will select whomever he deems fit) a professional and experienced negotiation team, and establish an intelligence body that will support the leader with intelligence and assessments on a strategic level, and the negotiation team on a tactical one.

Negotiating is a process that requires enormous attention from the leader and the broader state leadership as well as considerable national resources and many inputs, often over a long period of time and even beyond political tenures of a singular leader. An organizational framework, which will build up capabilities and preserve knowledge, whose activity can be adapted based on needs and circumstances, is essential. Within this context, intelligence is one of the most indispensable components. This organization framework should be built prior to the initiation of the negotiation process in order to allow those chosen to convene and prepare on short notice for each assignment. The unit should preferably be headed by a leading knowledgeable intelligence officer, and it should have the ability to integrate all resources, utilize gathering and other tools, and define an authority vis-à-vis all community entities.

Since the unit defined as the “Intelligence Leader” is agreed upon only shortly before the beginning of negotiations, it is appropriate that the responsibility for maintaining readiness be placed in the hands of an entity flexible enough to adapt to various circumstances.

The negotiation administration, serving as the central organizational framework to manage a multi-dimensional negotiation effort, should act to form and gather the elements required for the intelligence input in negotiations; design the intelligence function in its framework based on needs and context; promote cooperation between intelligence bodies; and build a network for the intelligence function throughout the various circles of influence, ranging from occurrences at the negotiation table, and broader trends and developments outside. The likelihood of renewing and conducting political negotiations is constantly changing. This is precisely why planning, preparing, and building up capabilities are indispensable for setting up an administrative negotiation-supporting intelligence framework.


  • Gilead Sher – Adv. Gilead Sher, a former Israeli senior peace negotiator who was Chief of Staff and Policy Coordinator under Prime Minister Ehud Barak, is a senior research fellow at INSS. In 2019, Adv. Sher was a visiting professor at Georgetown University.
  • Yahel Arnon – Yahel Arnon, whose expertise is in the field of intelligence, is a senior figure in the intelligence community within Israel’s security establishment and a senior researcher at INSS.
  • Yoel Guzansky – Dr. Yoel Guzansky is a senior research fellow at INSS and a non-resident scholar at the Middle East Institute. He previously served in Israel’s National Security Council in the Prime Minister’s Office, coordinating the work on Iran and the Gulf, and is currently a consultant to several ministries. He was a visiting fellow at Stanford University, an Israel Institute postdoctoral fellow, and a Fulbright scholar.


Kimchi, S. (2007). A psychological portrait of an Opposing Leader as a complementing layer for Intelligence Evaluation. Studies in Intelligence, 1(1), 82-92 [in Hebrew].

Lowenthal, M. (2006). Intelligence: From secrets to policy. Washington, DC: CQ Press.

Ravid-Kochavi, A. (2011). Intelligence support in peace negotiations: The Israeli case (1993-2001). (Master’s thesis). Tel Aviv University, Tel Aviv [in Hebrew].

Shine, S. (2004). Different perspectives on intelligence-decision maker relations. In O. Kazimirsky, N. Grossman-Aloni, & S. Alodi (Eds.), Intelligence and the decision maker (pp. 33-41). Tel Aviv: Ministry of Defense [in Hebrew].

Yadlin, A. (2004). Intelligence and the decision maker. In O. Kazimirsky, N. Grossman-Aloni, & S. Alodi (Eds.), Intelligence and the decision maker (chapter 1). Tel Aviv: Ministry of Defense [in Hebrew].



Cybersecurity – RedFoxtrot operations linked to China’s PLA Unit 69010 due to bad opsec (Pierluigi Paganini, Security Affairs)

Experts attribute a series of cyber-espionage campaigns dating back to 2014, and focused on gathering military intelligence, to China-linked Unit 69010.

Experts from Recorded Future’s Insikt Group linked a series of attacks, part of the China-linked RedFoxtrot campaigns, to the China-linked PLA Unit 69010.

The cyber-espionage campaigns, which date back to 2014 and focused on gathering military intelligence from neighboring countries, were attributed to a Chinese military unit operating out of the city of Ürümqi in the province of Xinjiang.

According to a report released today by Recorded Future’s Insikt Group, the People’s Liberation Army (PLA) Unit 69010 is believed to have been behind a series of cyber-espionage campaigns dating back to 2014 that have focused on gathering military intelligence from neighboring countries.

“RedFoxtrot has primarily targeted aerospace and defense, government, telecommunications, mining, and research organizations in Afghanistan, India, Kazakhstan, Kyrgyzstan, Pakistan, Tajikistan, and Uzbekistan. These targets suggest the group is likely interested in gathering intelligence on military technology and defense” reads the report published by the Insikt Group.

Insikt Group tracked the threat actor behind the campaigns as RedFoxtrot; the cyberspies targeted the government, defense, and telecommunications sectors across Central Asia, India, and Pakistan.

“Activity over this period showed a particular focus on Indian targets, which occurred at a time of heightened border tensions between India and the People’s Republic of China (PRC).” continues the report.

RedFoxtrot targets

Experts noticed that RedFoxtrot activity overlaps with groups tracked by other security firms as Temp.Trident and Nomad Panda. The threat actors behind the RedFoxtrot operations employed both custom malware and publicly available malicious code. The arsenal of the group included malware employed in campaigns linked to Chinese cyber espionage groups, including Icefog, PlugX, RoyalRoad, Poison Ivy, ShadowPad, and PCShare.

Insikt researchers linked Chinese nation-state activity to RedFoxtrot and PLA Unit 69010 due to the lax operational security (OpSec) of one of the members of the group behind the long-running campaign.

“Due to lax operational security measures employed by this individual, we uncovered a connection to the likely physical address of the headquarters of PLA Unit 69010, No. 553, Wenquan East Road, Shuimogou District, Ürümqi, Xinjiang (新疆乌鲁木齐市水磨沟区温泉东路553 号).” states the report. “Insikt Group is not publicly disclosing the identity of this individual; however, an extensive online presence provided corroborating evidence indicating that this individual is located in Ürümqi, has an interest in hacking, and also has a suspected historical affiliation with the PLA’s former Communications Command Academy (通信指挥学院) located in Wuhan.”

The researchers reported that in 2020, RedFoxtrot, alongside multiple other PLA and MSS-affiliated nation-state groups, likely gained access to the ShadowPad backdoor.

“With continued activity from suspected PLA groups such as Tonto Team, Tick, Naikon, and RedFoxtrot, and the emergence of new Chinese threat activity groups with suspected PLA links, Insikt Group believes that PLA-affiliated groups remain prominent within the Chinese cyber espionage sphere despite increased attention on their MSS counterparts.” concludes the report.


(Australia) Securing the legal foundation for Australia’s intelligence agencies (Miah Hammond-Errey, The Interpreter)

The Richardson review, released last month, amounts to the most significant review of Australia’s intelligence legislative framework since the Hope Royal Commission on Intelligence and Security in the 1970s. Back then, as David Irvine has noted, former judge Robert Hope laid out operating principles to ensure the intelligence community was properly managed and accountable. Dennis Richardson, a veteran public servant, former head of ASIO and the departments of Defence and Foreign Affairs, as well as ambassador to Washington 2005–2010, has sought to ensure the intelligence community of the modern era is still subject to the same goals following sweeping changes.

The public release of the $18 million Richardson review was delayed by almost 12 months due to the Covid-19 pandemic. Officially known as the Comprehensive Review of the Legal Framework of the National Intelligence Community, it amounted to the first wide-ranging consideration of the many national security laws passed since the 11 September 2001 terror attacks (allowing that the Independent National Security Legislation Monitor conducts reviews on specific matters). The legislative framework governing intelligence agencies has evolved considerably since the Australian Security Intelligence Organisation Act 1979 and the Intelligence Services Act 2001 were first introduced.

The Richardson review was timely to account for a dramatically changed world, too. This is a transformative time for the intelligence community. The impact of technology is disrupting aspects of operations, just as it is in society more broadly. There are specific implications for intelligence in a digitally connected, data abundant world. The threat landscape too is evolving – featuring extremism, malign influence, foreign interference, adversarial technology and a less stable international order. That was all before the pandemic.

The publicly released version of the review is part of a larger classified report, which had broad terms of reference. A large and anticipated change was the recommendation to bring together the Telecommunications (Interception and Access) Act and the Surveillance Devices Act into one piece of law – an electronic surveillance act, intended to overcome technical assumptions from another era.

Veteran public servant Dennis Richardson in 2017 while Secretary of the Department of Defence (Defence Department)

The Richardson review found that the key principles underpinning Australia’s intelligence legislation, cemented by Hope, are sound and of enduring relevance. The terms of reference tell us that the review considered the appropriateness of maintaining the current distinction between “foreign intelligence” and “security intelligence”, and legislative distinctions and restrictions relating to intelligence collection onshore and offshore, about Australians and non-Australians. The nature of foreign and domestic activities and the task of delineating onshore and offshore have been questioned in a big-data, globalised world. The review finds that these distinctions were deliberate “decisions by parliament” and remain important for a liberal democracy such as Australia.

Perhaps in a quest to be better understood by the Australian people, the past 18 months have featured unprecedented levels of public engagement by some of the Australian intelligence agencies. The Australian Signals Directorate joined Twitter in 2018, while in August last year ASIO followed suit. Since 2019, the Director-General of Security, Mike Burgess, has made more public statements than in the previous years combined, including the inaugural Annual Threat Assessment in February 2020 and the IPAA podcast in June 2020. In November 2020, ASIO launched its first-ever public information campaign: think before you link.

In December 2019, Australian Secret Intelligence Service Director-General Paul Symon gave his first-ever public interview to the Australia in the World podcast, and in October last year carried out a series of video interviews with ASPI. The previous ASIS chief Nick Warner had given a single public lecture in 2012.

Yet despite this outreach, the agencies are also sending mixed signals on openness and transparency, as historian Peter Edwards argues. In September last year ASD Director-General Rachel Noble gave a speech to the ANU National Security College, following on from an earlier lecture at the Lowy Institute on “Offensive Cyber”, while an ASD employee gave an interview on ABC Radio National. But a contract with ANU to produce an official history of the agency which had been commissioned in 2019 was subsequently cancelled, and it is now unclear if the historical account will go ahead.
