Cyber defenders need to remember their adversaries are human, says Trellix research head
There's a growing overlap between nation-state actors and cybercriminals, but these attackers are real people who make mistakes


Cybersecurity professionals must remember they are fighting real people, not abstract threats, and recognise the increasingly blurred lines between cybercriminals and nation-states.
This was the message from John Fokker, head of threat intelligence at Trellix Advanced Research Center, during his RSA Conference 2025 keynote. Drawing on his background as a former Dutch high-tech crime unit officer, Fokker stressed the human element. "So often we forget that these cyber criminals are real people," he said. "It's tempting to anonymize threats ... but really they're just bad people, regular names sitting behind a keyboard."
Fokker, whose Trellix team provides threat intelligence to critical sectors, cautioned against over-focusing on advanced attacker tech. "A cybercriminal will always prefer a victim with weak passwords, bad patching and no MFA," he noted from experience.
A key theme was the convergence of financially motivated crime and state agendas. "In the past, you had very clear lanes of demarcation," Fokker explained. "Now those lines have blurred. Nation states are using proxies ... using cyber criminals ... causing disruption and stealing data."
He illustrated this with an investigation into the Black Basta ransomware group that drew on leaked internal chats. The chats revealed the group's leader, "Oleg" (formerly "Tramp" in the Conti group), and a concerning incident. "Last year, Oleg... flew from Moscow to Armenia. However, he was arrested upon arrival," said Fokker. "Three days later, he escaped custody, and he was back in Russia."
According to the chats, Fokker said: "Oleg claimed government officials flew to Armenia to ensure he was escorted back safely," referencing a "green corridor" escape route allegedly arranged by a high-level official known as "number one." While these chat claims are unproven, Fokker asserted, "this story is just one example of the blurring lines between nation states and cyber criminals".
Despite potential state backing, attackers are fallible. Fokker described a Black Basta attack on a US healthcare firm in which the group's encryption tool failed. "They made a major mistake," he said, one that forced the group to pivot to data leak threats after its primary extortion method failed.
Fokker championed collaborative intelligence sharing as the crucial defence. By mapping attackers' tactics, techniques, and procedures (TTPs) – the hardest elements for them to change – the security community can maintain detection even post-rebranding. "Once we know how they operate at the TTP level, we can spot them the moment they launch the next offensive, and that's where we hold the real power," he declared.
He concluded with a call for unity: "When you see your adversary... in clear daylight, fear melts away... Let's keep building, keep collaborating... because when we work as one community, there is no question we will reach the top."
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.