Archive for Google

CrowdStrike Details Takedown of Glassworm

Posted in Commentary on May 28, 2026 by itnerd

CrowdStrike, Google, and the Shadowserver Foundation said they disrupted the Glassworm botnet, a global threat targeting developers and open-source software ecosystems through supply chain attacks. CrowdStrike said the coordinated takedown simultaneously disabled all four of the botnet’s C2 channels, preventing communications with infected systems and delivery of additional malware payloads.

You can find out more by reading CrowdStrike’s writeup here: https://www.crowdstrike.com/en-us/blog/inside-crowdstrike-takedown-of-a-developer-targeting-botnet/

Liquibase VP Ryan McCurdy offers perspective:

   “Glassworm is a reminder that ungoverned automation can quickly become a privileged attack path. Once attackers compromise developer tooling, poison repositories, or steal CI/CD credentials, the pipeline stops being background infrastructure and starts acting like a privileged identity. That is what makes these attacks so dangerous. The answer is not less automation. It is more standardized, governed automation, so the workflows developers and pipelines already rely on are consistent, controlled, and harder to abuse.”

Honestly, while this is to be celebrated, it’s also time for organizations to look at themselves and retool themselves so that automation is not an attack path. Otherwise bad things will happen.

“Hey Google, can I park here?” – Volvo Cars and Google plan to demonstrate Google Gemini vehicle camera integration

Posted in Commentary on May 19, 2026 by itnerd

As part of a world first, Volvo Cars and Google will demonstrate Google Gemini vehicle camera integration in the EX60, at Google I/O conference (May 19-20). This paves the way for a future where, with the driver’s permission, Gemini will be able to see and understand its surroundings from the perspective of the car in real time.

This will enable a more helpful driving experience for things like recalling a road sign, making sense of lane markings or simply asking for more information about a landmark or a restaurant.

Take parking as an example. By reading and interpreting parking signs in real time, the system helps drivers quickly understand restrictions, time limits, permit requirements or charging rules. Instead of second-guessing whether a space is valid, drivers receive clear guidance exactly when and where they need it. 

These concepts provide an early look at how contextually aware AI experiences will in the future become part of the everyday driving experience. This is made possible by the Gemini model’s multi-modal understanding*, the EX60’s neural processing engine** and software-defined architecture.

More intuitive directions with Immersive Navigation from Google Maps

Soon, Volvo Cars will also be among the first to introduce Immersive Navigation from Google Maps into its cars. With a new 3D view, Immersive Navigation offers even more intuitive guidance for drivers, helping them stay informed and focused on the road.

Drivers will see their route brought to life with redesigned buildings, tunnels, overpasses and more, making it easy to quickly understand complex roads and turns. This is particularly valuable in urban environments where skyscrapers and dense intersections can make it difficult to see the road ahead.

It also delivers more natural voice guidance with helpful instructions that call out real-world landmarks in addition to distance and timing, such as “Go past this light and take the next left after the library.” By aligning what drivers hear with what they see, navigation becomes even easier to follow.

Immersive Navigation from Google Maps will first be available in the Volvo EX60, EX90 and ES90.

These announcements reflect an ongoing relationship between Volvo Cars and Google as the two companies work together to shape the next generation of in-car intelligence. 

The small print   

  • *Multi-modal understanding: AI’s ability to combine and interpret inputs such as voice, images, and context to understand a situation.
  • ** Neural Processing Engine (NPU): A dedicated processor that runs AI tasks efficiently and in real time on-device.
  • Features may differ depending on subscription, and results may vary. Google Gemini is AI and can make mistakes. Connected apps require setup and providing necessary permissions. Compatibility and availability vary. 18+.
  • Google Gemini and Google Maps are trademarks of Google LLC. 

Google Has Traced A Case Of Hacking Back To AI….. Which Is Not A Shock To Me

Posted in Commentary on May 12, 2026 by itnerd

A reader pointed me to this Google Threat Intelligence Group blog post that details a case of hacking that uses AI to pull this hack off.

From the blog post:

Since our February 2026 report on AI-related threat activity, Google Threat Intelligence Group (GTIG) has continued to track a maturing transition from nascent AI-enabled operations to the industrial-scale application of generative models within adversarial workflows. This report, based on insights derived from Mandiant incident response engagements, Gemini, and GTIG’s proactive research, highlights the dual nature of the current threat environment where AI serves as both a sophisticated engine for adversary operations and a high-value target for attacks.

So is anyone actually shocked by this? I am not. It was only a matter of time before AI was used to be part of an attack chain. And I fully expect more of this in the future.

Google Warns Q-Day Now Coming in 2029

Posted in Commentary on March 27, 2026 by itnerd

Google has issued a new warning urging companies to prepare now for Q-Day in 2029:

As a pioneer in both quantum and PQC, it’s our responsibility to lead by example and share an ambitious timeline. By doing this, we hope to provide the clarity and urgency needed to accelerate digital transitions not only for Google, but also across the industry.

Quantum computers will pose a significant threat to current cryptographic standards, and specifically to encryption and digital signatures. The threat to encryption is relevant today with store-now-decrypt-later attacks, while digital signatures are a future threat that require the transition to PQC prior to a Cryptographically Relevant Quantum Computer (CRQC). That’s why we’ve adjusted our threat model to prioritize PQC migration for authentication services — an important component of online security and digital signature migrations. We recommend that other engineering teams follow suit.

The full statement can be found here: https://blog.google/innovation-and-ai/technology/safety-security/cryptography-migration-timeline/

Lieutenant General Ross Coffman (U.S. Army, Ret.), who currently serves as President of Forward Edge-AI, provided the following comment:

“I am elated by Google’s announcement. We’ve been saying it for two years. The shot clock has started. We don’t know when, but we know Q-Day is coming. It’s time to get ready.” 

This is a real threat that organizations need to prepare for. And preparations need to begin today because 2029 seems like a long time. But it isn’t.

Why Aren’t Apple And Google Acting To Remove Grok And X From Their App Stores?

Posted in Commentary on January 28, 2026 by itnerd

I have to wonder where the backbones of Tim Cook and Sundar Pichai are. I say that because it has been weeks since the whole Grok allowing users to create objectionable content thing blew up. To recap:

To the last point, the EU is one of a number of governments who are up in arms about this. And rightfully so. Elon Musk has simply gone too far and he needs to be punished for his actions. And the best way to punish him is to pull his apps from the Apple App Store and from the Google Play Store. But that hasn’t happened and you have to wonder why. Is it because Apple and Google don’t want to pick a fight with Elon? Is it because Tim Cook and Sundar Pichai are cowards? Is it about the money that these companies make from their cut of the subscriptions to Grok and X? Who knows?

But I do know this. Section 1.1.4 of Apple’s review rules prohibits the sort of thing that Grok and X are doing at the moment. Ditto for Google Play. Given that, why aren’t these companies enforcing their own rules?

The fact is it’s beyond time for Apple and Google to stand up, grow a pair, and throw Elon’s apps off their respective app stores. Along with any other app that does this sort of thing. Because by not doing so, they are burning the trust that they have with consumers that their app stores are safe places to get apps from down to the ground. Along with that, it also sends the message that rules are rules, except when they are not.

Apple and Google, you both need to do better. Now.

Reminder: Google shutting down the Dark Web Monitoring Tool this week

Posted in Commentary on January 12, 2026 by itnerd

This week, Google will start shutting down its dark web monitoring tool — the Dark Web Report — which was designed to scan the dark web for users’ exposed personal information. Users who want to stay “in the loop” should seek other tools.

Shutdown timeline

  • January 15, 2026: The scans for new dark web breaches stop.
  • February 16, 2026: The dark web report is no longer available; all data related to the report will be deleted.

Google previously stated its intention to focus on tools that provide customers with clearer, more actionable steps to protect their online information. However, no concrete announcements regarding new cybersecurity tools have been made by the company to date.

Karolis Arbaciauskas, head of product at the cybersecurity company NordPass, comments:

“It’s a useful tool. But I guess it’s time for something new, especially since other similar tools already offer prescriptive advice and practical recommendations for users whose data is found on the dark web. Google often replaces its products and features with new ones instead of updating them. Users should look for reliable tools that are dedicated to this task and are constantly supported and updated.

“Proactively monitoring the dark web for your credentials is a critical security habit. Fortunately, Google’s tool was never the only option. Security-conscious users who wish to continue scanning the dark web can utilize the tools offered by modern password managers.

“These integrated tools have evolved significantly in recent years. Advanced password managers now feature built-in scanners that operate 24/7, continuously monitoring the dark web and instantly alerting users if credentials or credit card data are detected. This enables individuals to take swift action before threats escalate.

“In case of a breach, the key is to act quickly. If you get an alert about your data being exposed, take immediate steps: change all affected passwords, cancel compromised credit cards, and review your account activity for anything suspicious.”

I’m currently looking around for a tool or tools to replace this. If I come across any, I will let you know. But if you have any suggestions, please leave a comment and let us all know.

Google is shutting down its Dark Web Monitoring tool in February 2026

Posted in Commentary on December 18, 2025 by itnerd

Google is shutting down its Dark Web Monitoring tool in February 2026 (less than 2 years after its launch). Google is sending out emails to anyone who signed up for a dark web monitoring profile, explaining that the service is shutting down. The company will stop monitoring for new results on January 15, 2026, and data will no longer be available from February 16, 2026.

Marcelo Casto Escalada, Senior Product Manager at Outpost24, has weighed in with this commentary: 

“Google’s decision to sunset its Dark Web Monitoring tool isn’t surprising. It reinforces a long-standing reality in threat intelligence: dark web monitoring is a specialized discipline, not a feature you can simply bolt onto an account management platform. Alerting users that their email may appear in illicit forums is very different from delivering actionable intelligence with context, prioritization, and clear remediation. Real threat intelligence is built on deep collection, expert analysis, and operational relevance — capabilities that mature providers have developed over many years. Organizations looking to genuinely reduce risk need proven expertise, not lightweight add-ons.”

While all of that is accurate, at least what Google was doing was something that you could use along with other tools. Now there’s one less tool in the toolkit that defenders can rely on. That’s a shame.

So About Android Phones Getting AirDrop…. Apple May Not Have Signed Off On This

Posted in Commentary on November 22, 2025 by itnerd

A couple of days ago I posted a story about Pixel 10s and ultimately all Android phones getting the ability to support Apple’s AirDrop functionality. One thing that sort of popped into my head at the time was the thought that Apple as a company was not mentioned in terms of signing off on this. As a result, I did some looking around and found my answer via a statement that Google provided to Android Authority:

We accomplished this through our own implementation. Our implementation was thoroughly vetted by our own privacy and security teams, and we also engaged a third party security firm to pentest the solution.

So Apple was not involved. That really sounds like the whole Beeper situation where Beeper reverse engineered iMessage to give Android users the ability to send and receive iMessages in a very sketchy way. As a result Apple went scorched Earth on Beeper to stop that from working. Now Beeper was a very tiny company which truly had zero chance against Apple. Google is a much bigger company that will stand up to Apple if the latter tries to break this functionality. It should also be noted that Apple gets billions of dollars from Google via an agreement to have Google’s search engine as the default search engine on iDevices. Thus Apple may have a financial incentive not to do anything. Thus the fact that Apple didn’t sign off on this as far as I can tell may be a non factor. But we’ll find out soon enough.

Stealthy BRICKSTORM Backdoor Enables Espionage into Tech and Legal Sector

Posted in Commentary on September 25, 2025 by itnerd

Researchers have tracked a stealthy “next-level” Chinese hacking campaign dubbed “BRICKSTORM” that targets and maintains persistent access to legal services and technology companies by stealing intellectual property, mining intelligence on national security and trade while developing other cyberattacks for the future.

More details are available here: https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign

Ensar Seker, CISO at SOCRadar, commented:

“This Brickstorm campaign marks a striking evolution in adversary tradecraft. What makes it “next level” is not simply the long dwell times or precision targeting, though both are alarming, but rather the strategic layering of access, reconnaissance, and supply-chain influence. By infiltrating tech security and legal services firms, the attackers don’t just get to access those environments, they gain pathways into their clients and partners, giving them a multiplier effect on reach. Some of those downstream systems may not even realize they’ve been compromised yet.

“The motivation here is long-term, not opportunistic. Brickstorm’s operators are methodically exfiltrating intellectual property and internal designs, which gives them a unique insight into how to bypass defenses and identify zero-day opportunities. In effect, they’re embedding themselves into the ecosystem, harvesting the same tools and knowledge base they hope to exploit later. That kind of foresight suggests a campaign designed not just for espionage, but for building capabilities that can support multiple future attacks.

“From a defensive posture, this raises the bar. Security firms, the very guardians of trust, must now treat themselves as high-priority targets in their own right. That means rethinking how we design isolation, telemetry, and insider-monitoring within security operations. It means segmenting access zones not just for customers, but even among internal service components. It demands relentless threat hunting, especially in trust relationships and client integrations. In practical terms, organizations should assume that any vendor they trust may be compromised, not eventually, but right now. That means requiring stricter attestation, enforcing zero-trust architectures around vendor connections, validating every cross-tenant data flow, and adopting reciprocal visibility with those vendors. The fact that Brickstorm is already leveraging downstream infiltration highlights just how fragile the boundary between ‘client’ and ‘supplier’ has become.

“In a nutshell, Brickstorm is a wake-up call: adversaries are no longer treating high-value firms as endpoints to exploit, but as nodes in a broader intelligence and access network. Defending against that requires that we think in ecosystems and assume compromise, not just for ourselves, but for every connected party.”

I am actually quite disturbed by this as this sounds like the cold war all over again. This highlights the fact that the bad guys come in all shapes and sizes as well as agendas.

UPDATE: Cybercrime expert and VP of Cyber Risk for HITRUST, Tom Kellermann, had this to say:

“Since the Titan Rain campaign, China has pursued an insurgency strategy in American cyberspace, maintaining persistent access through sophisticated backdoors, like BRICKSTORM that serve as the cornerstone of their economic espionage operations. These initial compromises enable secondary infections and lateral movement across networks, creating a cascading security threat that must be systematically eradicated to protect both national and economic security.”

Google’s New DMARC Report: What It Means for Email Security

Posted in Commentary on August 14, 2025 by itnerd

Google recently rolled out an update to its DMARC reporting that provides unprecedented visibility into why emails might be getting throttled or blocked. This is a huge step forward for senders, who previously had to rely on guesswork to troubleshoot deliverability issues. Now, they have an early warning system that provides specific error codes, allowing them to fix problems before their emails are blocked.

This game-changing update was inspired by a conversation between Google and Valimail. Valimail believes it’s a critical new topic for anyone focused on email security (and has integrated this new data into Valimail Monitor.)


Scott Ziegler, Valimail’s Head of Product, shared thoughts about it here. It’s totally worth your time to read.