
All news with #nation state actor tag

157 articles · page 2 of 8

Russian Campaign Targets Signal and WhatsApp Accounts

🔒 Dutch intelligence has uncovered a large-scale campaign by Russian state actors to hijack Signal and WhatsApp accounts belonging to military, government and other high-value individuals worldwide. The attackers impersonate support bots, request SMS verification codes or PINs, and exploit linked-device QR flows to add devices. Authorities warn these consumer apps, while end-to-end encrypted, are unsuitable for classified material and have issued guidance to detect and remediate account takeovers.

APT28 Deploys Customized Covenant Variant for Espionage

🔒 Since April 2024, Russian state-sponsored APT28 has deployed a customized variant of the open-source Covenant post-exploitation framework alongside a modern implant called BeardShell. The dual-implant approach enabled long-term surveillance of Ukrainian military personnel and central executive bodies, researchers at ESET and CERT-UA report. Attacks exploited the CVE-2026-21509 Microsoft Office vulnerability using malicious DOC files. APT28 modified Covenant with deterministic implant IDs, altered execution flows to evade behavioral detection, and added new cloud-based communication channels.

Dutch govt warns of Signal and WhatsApp hijacking campaigns

🔐 Russian state-sponsored actors are tied to a targeted phishing campaign that hijacks Signal and WhatsApp accounts to monitor messages of government officials, military personnel, and journalists. The Dutch MIVD and AIVD warn attackers use fake support chats, SMS verification-code prompts, Signal PIN requests, and malicious QR links to link attacker devices. Signal says its infrastructure is intact and urges users never to share codes or PINs and to review linked devices immediately.

FBI Investigates Suspected Breach of Wiretap Systems

🚨 The FBI has acknowledged a suspected intrusion on a network used to manage wiretaps and foreign intelligence surveillance warrants, telling CNN it "identified and addressed suspicious activities" and leveraged technical capabilities to respond. The agency provided limited detail, prompting concerns about potential state-linked actors such as China. Past FBI IT security problems and a reported February 2023 field office breach have heightened scrutiny.

FBI investigates breach of surveillance and wiretap systems

🚨 The U.S. Federal Bureau of Investigation confirmed it is investigating a breach that affected systems used to manage surveillance and court-authorized wiretap warrants. The agency said it identified and addressed suspicious activity on FBI networks and has leveraged technical capabilities to respond, but declined to provide details on scope or impact. CNN reported an anonymous source saying the intrusion affected systems supporting wiretapping and foreign surveillance. Security observers note similarities with prior activity attributed to the state-linked group Salt Typhoon.

Israel Hacked Iranian Traffic Cameras, Aiding Assassinations

🎯 Multiple outlets report that Israel hacked Iranian traffic cameras and used the access to facilitate the targeting and killing of Iranian leaders. The New York Times details the broader intelligence operation and strategic context. The revelations raise questions about the use of civilian infrastructure in lethal operations and potential international legal and escalation risks. Security experts note that camera networks, often insecure and internet-connected, create an attack surface exploited by state actors.

Hacked Prayer App Linked to US/Israeli Campaign Against Iran

📱 The Iranian prayer-timing app BadeSaba Calendar — installed by over five million users from the Google Play Store — delivered a rapid series of push notifications shortly after a set of explosions, beginning at 9:52 a.m. Tehran time. The alerts, starting with the phrase 'Help has arrived', reached users over roughly 30 minutes. No one has claimed responsibility; analysts say the speed and scale point to a likely state operation, with the US and Israel named as plausible actors.

State-affiliated groups prepare disruptive OT attacks

⚠️ Dragos reports that multiple state-affiliated threat groups have shifted from long-term access to actively mapping and preparing disruptive attacks against industrial control systems. Adversaries tracked as Voltzite, Kamacite, Electrum, and others have been observed harvesting engineering workstation files, scanning device types to map control loops, and staging wiper and firmware-corruption capabilities. The access-broker model — exemplified by Sylvanite handing footholds to operational teams — shortens the timeline from intrusion to operational readiness. With under 10% of OT environments monitored, many sites lack the visibility needed to detect or respond to these preparations.

Smashing Security Podcast #457: Insider Leak and AI Risks

🕵️ In episode 457 of the Smashing Security podcast, Graham Cluley and guest Carl Miller unpack a startling insider-abuse case where a defence contractor's leak of zero-day exploits apparently led to an internal investigation run by the leaker, who then framed an innocent colleague. The episode cites reporting and US government actions — including a DOJ sentencing and Treasury sanctions — that trace a network selling stolen government cyber tools to a Russia-linked broker. It also examines emerging concerns that nation states may attempt to manipulate AI by poisoning training data and influencing large language models, with broad implications for trust and national security.

Cyber Fallout After the Strikes: Signal, Noise, Next Steps

⚠️ FortiGuard Labs reports a surge of regional cyber activity in the 24–48 hours following U.S.-Israeli strikes on Iranian targets, including defacements, broadcast intrusions, Telegram claims, and internet disruptions, but no confirmed large-scale destructive campaign tied directly to the strikes. Many observed events appear to be psychological operations, hacktivist signaling, or opportunistic exploitation of geopolitical noise rather than coordinated state-level retaliation. The report warns that access is often pre-positioned and that activations can be delayed, so organizations should harden basic controls and preparedness now. Recommended actions include enabling MFA, automating patching, maintaining isolated backups, segmenting networks, monitoring actively, and exercising incident response playbooks.

Iranian Cyberattacks Largely Absent So Far, Risks Remain

⚠️ Five days into the US-Israel–Iran conflict, widescale Iranian cyber retaliation has not yet materialized, but security agencies warn the danger is acute and ongoing. The UK NCSC and Canada CCCS issued broad advisories while CISA has not updated since October. Observed DDoS activity is limited, yet vendors highlight the greater risk from destructive wipers (e.g., Shamoon) and an arsenal of 15+ Iranian families. High‑profile APTs such as APT35/APT42 and APT33 remain concerning; organizations should harden OT, remove unmanaged RMM tools, implement phishing‑resistant MFA (FIDO2/WebAuthn), patch VPNs and monitor endpoints for wiper indicators.

APT41-Linked Silver Dragon Targets Europe and Asia

🔒 Check Point disclosed an advanced persistent threat dubbed Silver Dragon, active since mid-2024 and assessed to operate under the APT41 umbrella. The group gains access via vulnerable public servers and phishing, deploying loaders such as MonikerLoader and the C++ BamboLoader to stage Cobalt Strike beacons. Post-exploitation tools include screen capture, SSH utilities, and a Google Drive backdoor used for file-based C2.

Operation Epic Fury Adds New Enterprise Risk Layer

⚠ Operation Epic Fury — the US administration's sustained kinetic pressure on core Iranian regime assets — creates an immediate layer of operational risk for multinationals with people, infrastructure, or supply dependencies in the Middle East and beyond. Briefings from Washington offer situational context but do not capture the operational exposure that surfaces as hostilities begin. CISOs, CSOs, and chief risk officers must validate assumptions, set evacuation and wellness protocols, and apply travel thresholds. Cyber posture should be hardened with accelerated patching, edge device controls, and OT segmentation to reduce attack surface.

Threat Brief: March 2026 Iran-Related Cyber Escalation

⚠️ Beginning Feb. 28, 2026, Unit 42 observed a rapid escalation in cyber activity tied to Iran following joint U.S.–Israeli strikes, coinciding with an internal internet outage that reduced connectivity in Iran to 1–4%. That loss likely constrains coordinated state-aligned campaigns from inside Iran while enabling decentralized and geographically dispersed actors to increase disruptive operations. Unit 42 identified a phishing campaign using a malicious replica of the Israeli Home Front Command RedAlert APK and tracked about 60 active hacktivist groups claiming DDoS, wiper, and hack-and-leak operations. Organizations should prioritize multi-layered defenses, offline backups, strict out-of-band verification, patching, monitoring, and incident response preparedness; Palo Alto Networks and Unit 42 offer protections and services to assist.

Google Warns Iran Will Launch Global Cyber-Attacks

⚠ John Hultquist, chief analyst of Google’s Threat Intelligence Group, warned that Iran will "absolutely" respond to recent US and Israeli air strikes with cyber-attacks targeting a broad array of organisations across the Middle East and beyond. He said the focus will shift from well-defended states like Israel to nations with less mature security, expanding the global attack surface. Hultquist highlighted the blurred lines between state actors, criminal groups and hacktivist fronts, noting the likely use of ransomware and proxy operations by the IRGC to obfuscate attribution. The UK’s NCSC has advised organisations with Middle East ties to urgently review and strengthen their cybersecurity posture.

Hybrid Middle East Conflict Sparks Global Cyber Surge

🌐 A sharp escalation in the Middle East has entered a hybrid phase combining military strikes with large-scale cyber operations following joint Israeli–US strikes on Iran on 28 February 2026. CloudSek reported a sweeping cyber campaign that reduced Iran's internet to roughly 4% of normal capacity, disrupting government services, media and parts of energy and aviation. Security firm Halcyon warns of rising DDoS, hacktivist and ransomware activity and urges organisations to increase monitoring, enforce multi-factor authentication and maintain offline backups against supply-chain and regional spillover risks.

Iran's Cyber Capabilities: What Defenders Should Know

🔍 Iran’s cyber ecosystem combines state-aligned clusters, deniable operators, and hacktivists linked to IRGC and MOIS. These actors pursue espionage, disruption and destructive operations—DDoS, pseudo-ransomware, and wipers—often paired with information operations and coordinated amplification. Activity is intensifying amid the current crisis and is expected to broaden across the Middle East, the United States, and other regions.

Tehran's Two-Tiered Internet and Its Global Risks Today

🔒 Iran's January 2026 communications blackout was a comprehensive shutdown that disabled mobile networks, landlines, and even Starlink, extending beyond conventional URL blocking to dismantle both physical and logical connectivity. The regime is formalizing a two-tiered model—white SIM cards and data-center whitelists—that preserves full access for officials while isolating ordinary citizens. By removing social features and disabling local chat channels, the state aims to atomize the population and prevent real-time coordination. The author urges policy and technical measures—such as expanded humanitarian licensing and D2C satellite access—to give repressed populations resilient means of connectivity.

National Cyber Resilience in the AI Era: A Leadership Guide

🔐 This practical Q&A guide helps leaders translate evolving threats into actionable resilience measures. It highlights why national cyber security urgency has increased as adversaries shift from theft to persistent, disruptive positioning that can affect fuel, hospitals, elections, markets, and public trust. The brief recommends adoption of NIST frameworks, Zero Trust principles, and AI governance to mitigate cloud, OT, and supply chain risks. Leaders receive concise operational steps to align policy, technology, and cross‑sector coordination.

China-linked Hackers Used Google Sheets for Espionage

🛡️ Google disrupted a China-linked espionage group that repurposed Google Sheets as a covert command-and-control channel to manage a custom backdoor tracked as UNC2814 and named GRIDTIDE. The backdoor abused legitimate Sheets API calls to send commands, retrieve stolen data, poll spreadsheets frequently, and wipe rows to erase traces. Mandiant flagged unusual activity on a CentOS server, leading to discovery of intrusions at 53 organizations across 42 countries focused on telecoms and government systems. Google terminated attacker Cloud projects, revoked API access, sinkholed domains, and published IOCs.