Role of CTI in NIST

NIST and CTI: The Perfect Match for Building a Cyber Resilient Organization

To establish and maintain robust standards for cybersecurity and protecting sensitive data — the NIST Cybersecurity Framework (NSF) has become ubiquitous. The NSF outlines five key functions to support organizations in understanding, managing and reducing cybersecurity risk — Identify, Protect, Detect, Respond and Recover.  In this article, we will take a closer look under the hood at each of the five functions, and how, aligned with the NIST framework — Cyber Threat Intelligence (CTI) can support meeting and exceeding regulatory compliance. 
breachforums seizure

BreachForums Seized by FBI: Inside the Notorious Cybercrime Marketplace

On May 15, 2024, both the TOR and clear-web BreachForums domains, as well as Telegram channels associated with BreachForums were seized by the FBI. KELA presents the activity on BreachForums (Breached) and its predecessor, RaidForums, the most popular English-speaking cybercrime forums for sharing leaked databases and other information, in numbers. 
Lockbit Horoshev Dmitry

Catch Me If You Can: The LockBit Edition – Explained

It’s Not Over, Yet…  Law enforcement has once again targeted LockBit, the notorious ransomware gang, but the end of this group remains uncertain. Despite multiple high-profile crackdowns, LockBit’s operations continue unabated, illustrating their resilience against law enforcement efforts. This ongoing challenge is highlighted by insights from KELA’s threat researchers, recently featured on As we delve deeper into LockBit’s history and recent takedown attempts, it becomes clear why a full shutdown might still be a distant goal.

Sharing is Caring: Ransomware and Extortion Actors Increase Threat Levels through Cooperation

Intimidating victims is all part of the game when ransomware and extortion actors steal data and aim to grab a pay day from the potential leak by demanding a ransom in return for not publicizing their haul. At KELA, we’ve noticed that threat actors have started leveraging one another’s data to maximize the level of threat, and sometimes even collaborating to distribute stolen information more widely. Really warms the heart, eh?
Database Dumps - Is There a Reason for Concern blog

How Scary is that Data Leak, Really? According to Cyber Threat Intelligence, You Might Be Able to Sleep Easy

Threat actors — such attention seekers, #amiright? Always coveting the spotlight by doing diabolical deeds like stealing and compromising information, from passwords and usernames to social security numbers, emails and more. Of course, stolen databases are a genuine worry for security teams, as when a stolen database is sold or leaked for free by cybercriminals, attackers can use them to launch attacks or gain a foothold into their organization. So it’s no wonder that when a threat actor claims to have stolen data from a “big name” company, it attracts a whole lot of interest and fear.  But, is there always a reason to be afraid? From false claims and exaggerations, to readily-available data scraped from public sources — here are three reasons you might want to question the next flashy database dump headline.
Fake Ransomware - The New Cyber Deceit blog

New Phone, Who Dis? The Importance of Verifying Threats in the Age of Fake RaaS

They say imitation is the sincerest form of flattery. If that’s the case, some ransomware-as-a-service (RaaS) threat actors must be feeling seriously good about themselves lately.  With ransomware operations hitting the headlines, and the global cost of ransomware damage predicted to hit $231B by 2031, threat actors are increasingly creating fake operations, often leveraging the fame of other actors to get more attention to their own activities in order to get a slice of the action.
Blog I-Soon image

I-Soon leak: KELA’s insights

On February 16, 2024, a repository titled “I-S00N” was uploaded to Github, allegedly intended to expose insider information about I-Soon (Anxun Information Technology Co., 安洵信息技术有限公司,i-soon[.]net), a Chinese technology company in the cybersecurity field. The dump may indeed be a breach of I-Soon and contains documentation related to the company’s products, including spyware and offensive tools and services. AP News reported that two anonymous employees of I-Soon confirmed that the leak originated from the company. However, the cause and the leaker are still unclear.  KELA acquired and analyzed the leaked data. This blog outlines the most interesting insights, such as the structure of the leak, clients and potential targets of I-Soon, the company’s connection to advanced persistent threats (APTs), and discussions about zero-day vulnerabilities.  
Russia-Ukraine war: pro-Russian hacktivist activity two years on

Russia-Ukraine war: pro-Russian hacktivist activity two years on

It has been two years since Russian forces invaded Ukraine. The war is not only being fought on the ground, but also in cyberspace. Russian state-sponsored APT groups have been observed targeting Ukrainian entities, including government organizations and telecommunication companies. Moreover, the Ukrainian government has also been observed claiming to have conducted attacks against Russian organizations.