Google Sharpens its Cyber Knife

By david
18.09.25 08:25 AM
Google has announced the formation of a cyber "disruption unit" aimed at proactively disrupting threat actor campaigns. This reflects a growing appetite among industry and governments for more aggressive private sector approaches and a gradual move towards government-endorsed private sector hacking.
Sandra Joyce, vice president of Google Threat Intelligence Group, said at a conference Tuesday that the company was looking for "legal and ethical disruption" options as part of the unit’s work. "What we're doing in the Google Threat Intelligence Group is intelligence-led proactive identification of opportunities where we can actually take down some type of campaign or operation," she said. "We have to get from a reactive position to a proactive one … if we're going to make a difference right now."

Google has experience with court-endorsed botnet takedowns such as Glupteba in 2021 and BadBox 2.0 in July 2025. These efforts follow in a tradition pioneered by Microsoft, which has led multiple botnet disruption initiatives since 2010.
The new unit is expected not just to increase the volume of such operations, but also to push the boundaries of what is possible in legal and ethical cyber disruption.
This announcement was made at a conference exploring hacking back and offensive cyber operations, highlighting a potential strategic path forward for these activities.
Sophos offers a real-world example of ethical hacking back, having deployed kernel implants to adversary-controlled devices to observe exploit development in real time and respond by improving defenses before vulnerabilities became widely exploited.
Google is well-positioned to undertake such operations, given its product reach and legal frameworks such as its Terms of Service that could provide legal cover. The company’s expertise enables it to manage the technical risks of operations that push boundaries.
Compared to controversial legislative proposals for broad private-sector hacking powers, Google's approach is more narrowly focused on protecting its own products, a much more tightly scoped and potentially effective strategy.

Salt Typhoon Outed But Not Evicted


Cybersecurity agencies from 13 countries have attributed the Salt Typhoon intrusions to three Chinese companies linked to the PRC military and intelligence services. Despite this public designation, Salt Typhoon continues its operations, indicating that it has not been evicted from key target networks.
Salt Typhoon’s campaigns have reached over 80 countries and compromised more than 200 American organizations, targeting telecommunications infrastructure and other sectors to aid Chinese intelligence in tracking global communications and movements.
This exposure has been seen by some as a failure on the part of the PRC’s intelligence outsourcing, yet the group’s persistence suggests a strategy of relentless digital presence despite diplomatic setbacks.

Death of Apple's UK Encryption Fight Greatly Exaggerated


Contrary to recent media reports, the conflict between Apple and the UK government over lawful access to iCloud data remains unresolved. Documents reveal government orders requiring Apple to provide extensive, global access to user data, including messages and passwords.
This ongoing legal battle continues to raise important questions about privacy, lawful access, and encryption.

Three Reasons to Be Cheerful This Week

  • Spain cancels a €10 million Huawei contract for its RedIRIS academic network.
  • The EU's Cybersecurity Reserve moves closer with ENISA appointed to manage surge incident response.
  • Ransomware gangs are fracturing following law enforcement takedowns, resulting in new variants and decreased trust among cybercriminals.

Sponsored interview with Push Security co-founder Jacques Louw discussing the evolution of phishing techniques and their publicly available taxonomy.
