Ex-NATO hacker: ‘In the cyber world, there’s no such thing as a ceasefire’
==========================================================================

Watch out for supply chain hacks especially
-------------------------------------------

[Jessica Lyons](/Author/Jessica-Lyons) Sat 28 Jun 2025 // 14:01 UTC

**Interview** The ceasefire between Iran and Israel may prevent the two countries from firing missiles at each other, but it won’t carry any weight in cyberspace, according to former NATO hacker Candan Bolukbas.

‘In the cyber world, there’s no such thing as a ceasefire,’ he told *The Register*.

Bolukbas is chief technology officer and founder of Black Kite, a cyber-risk intelligence firm that assesses businesses’ third-party supplier risks. His company also shares and receives threat intel with and from the US National Security Agency (NSA), as do other private security firms.

Prior to founding Black Kite in 2016, Bolukbas worked for NATO as a part of its counter cyberterrorism task force, helping member and partner countries harden their network defenses by simulating offensive cyber attacks against government agencies.

His final mission with NATO involved red-teaming a critical power grid in Kiev, Ukraine. Most of the facilities’ systems were airgapped, isolated from external networks, which made it more difficult to break into.

‘It wasn’t easy to target, so I said, ‘OK, let me find the suppliers for this organization’,’ Bolukbas recalled. ‘I found 20 of them, picked one that would be the easiest to find and target, and used that to access the grid control panel, literally one command away from taking down the grid.’

Shortly after, in 2015, Russia’s Sandworm did [shut off part of Ukraine’s electricity grid](https://www.theregister.com/2016/01/04/blackenergy_drains_files_from_ukraine_media_energy_organisations/), resulting in power outages for tens of thousands of Ukraine residents for a number of hours.

Ten years later, Bolukbas says he’s worried about one of Iran’s cyber-arms doing something similar to Israeli or American critical infrastructure in retaliation for the air strikes earlier this month.

‘My belief is that they’re going to go after the supply chain, because that’s our weak spot,’ Bolukbas said, adding that while it’s really difficult to breach the Pentagon’s networks directly, Iran is ‘going to go after the supply chains of Israel and US Department of Defense suppliers.’

He pointed to Russia compromising Western logistics firms and tech companies, including email providers, as a means of collecting valuable intel about Ukrainian targets and military strategy in that ongoing conflict. Russian cyberspies also breached internet-connected cameras at Ukrainian border crossings to track aid shipments, and targeted at least one provider of industrial control system (ICS) components for railway management, according to a [joint government advisory](https://www.theregister.com/2025/05/21/russias_fancy_bear_alert/) issued last month.

Similarly, smart TVs and other home IoT devices can be easily compromised and used to [build a botnet](https://www.theregister.com/2025/06/11/badbox_round_three/) for distributed denial of service attacks, or a [massive network of connected boxes](https://www.theregister.com/2025/06/23/lapdog_orb_network_attack_campaign/) to route traffic and [launch cyberattacks against high-value targets](https://www.theregister.com/2025/03/12/volt_tyhoon_experience_interview_with_gm/).

‘It’s very unlikely that they can launch a sophisticated attack against the NSA, Pentagon, or those kinds of bigger organizations,’ Bolukbas said. ‘Those are outside of Iran’s reach unless Russia or China backs them,’ which he believes is also highly unlikely.

Giving Iranian cyber operatives access to some critical American network after Russia and China did the dirty work of breaking in, or blowing a zero-day exploit to aid Iran, isn’t in either of these countries’ best interests, Bolukbas explained. It’s more likely that Moscow and Beijing would want to save this stealthy access and/or cyber weapons, and use them at a time that will benefit their geopolitical or military goals.

‘Iran is alone in this game, but they can go after the low-hanging fruit,’ Bolukbas said.

### Remember Stuxnet?

While ‘we haven’t seen any ceasefire happening’ in terms of Iranian cyber campaigns, especially when it comes to [phishing](https://www.theregister.com/2025/06/26/that_whatsapp_from_an_israeli/) for high-value individuals’ credentials and sensitive military info, ‘we also do this,’ Bolukbas said, referring to the United States.

Case in point: Stuxnet, a malware deployed against Iran’s nuclear fuel centrifuges, [was a joint American-Israeli op](https://www.theregister.com/2012/06/01/stuxnet_joint_us_israeli_op/). ‘And that, of course, was during a ceasefire. We were not in a war with Iran,’ Bolukbas said.

‘The US has the biggest cyber army, strategic or talent-wise,’ he added. ‘The NSA is known for having the biggest zero-day arsenal on the planet. We have a doctrine on something called [defense forward](https://www.cybercom.mil/Media/News/Article/3198878/cyber-101-defend-forward-and-persistent-engagement/) that says if we see something in cyberspace that can disrupt us, we’re going to attack it first, and we have that under US Cyber Command’s mission.’

And while Bolukbas doesn’t expect to see the US unleash any major cyber weapons against Iran at this point in the conflict, he suspects cyber espionage, influence operations, hack-and-leaks, and poking holes in Iran’s military and cyber infrastructure are all regular occurrences.

The US didn’t enter the Iran-Israel war with bombs, he contended. ‘That was started in cyberspace a long time ago.’

* [That WhatsApp from an Israeli infosec expert could be a Iranian phish](https://www.theregister.com/2025/06/26/that_whatsapp_from_an_israeli/)
* [Iran cyberattacks against US biz more likely following air strikes](https://www.theregister.com/2025/06/23/iran_cyberattacks_against_us/)
* [Amazon CISO: Iranian hacking crews ‘on high alert’ since Israel attack](https://www.theregister.com/2025/06/18/amazon_ciso_agentic_acceleration/)
* [Cyber weapons in the Israel-Iran conflict may hit the US](https://www.theregister.com/2025/06/13/cyber_weapons_israel_iran/)

Bolukbas also has advice for network defenders to protect against Iranian cyber threats. ‘Be careful with [phishing attacks](https://www.theregister.com/2025/01/31/state_spies_google_gemini/),’ he said. ‘That’s very common because Iran doesn’t have a lot of zero days, so they go heavy on social attacks. Be careful what you’re clicking on.’

Second: don’t believe everything you read or see, according to Bolukbas. Iran, along with Russia and China, are getting really good at [using generative AI](https://www.theregister.com/2024/05/30/openai_stops_five_ineffective_ai/) for [fake news and social media posts](https://www.theregister.com/2024/10/25/russia_china_iran_election_disinfo/) that aim to manipulate public opinion.

‘Last but not least: patch your systems, including IoT for end users and residential people,’ Bolukbas said. ‘Patch your external-facing systems quickly, not a week or 10 days or a month later, because time is ticking from the day that the vulnerability is disclosed. Iranian groups are trying to develop an exploit. If they develop the exploit before the patch, they’re not going to hesitate to use that.’ ®