< ciso
brief />
Tag Banner

All news with #nation state actor tag

192 articles · page 2 of 10

Responding to State-Sponsored Intrusions: Rethinking Trust

🔒 Most organizations assume assets inside their trust boundary are trustworthy, but state-sponsored actors deliberately exploit that assumption by operating through legitimate tooling and valid credentials. These adversaries are patient, disciplined, and often pursue espionage or long-term data extraction rather than noisy disruption, making standard playbooks inadequate. Adopting zero trust, continuous baselining across identity, endpoints, network, and cloud, and expanding detection beyond host telemetry are essential. Preparation must include robust logging, privileged access controls, legal and government coordination, and tailored playbooks for supply chain, insider, and OT scenarios.
read more →

Inside Department 4: Russia's Secret Hacker School

🔍 A joint investigation uncovered a covert faculty at Bauman Moscow State Technical University, known as Department 4, that appears to funnel students into GRU-linked hacking units. Leaked documents show the GRU controls admissions, curricula, and graduate postings, teaching malware development, penetration testing, and physical surveillance. The report highlights a state-run pipeline producing highly trained cyber operators.
read more →

PAN‑OS Firewall RCE Zero‑Day Exploited Since April 9

🔴 Palo Alto Networks warns that suspected state‑sponsored actors have exploited a critical PAN‑OS zero‑day (CVE-2026-0300) in the User‑ID Authentication Portal, enabling unauthenticated remote code execution as root on exposed PA‑ and VM‑Series firewalls. Unit 42 says initial probing began April 9, with successful exploitation occurring about a week later; attackers cleaned logs and deployed tunneling tools. Palo Alto notes Cloud NGFW and Panorama are not affected and will issue patches starting May 13; administrators should restrict or disable the authentication portal until updates are applied.
read more →

DarkSword: iOS Full-Chain Exploit Compromising Devices

🚨 DarkSword is a newly identified iOS full-chain exploit that chained multiple zero-day vulnerabilities to achieve full device compromise. Google Threat Intelligence Group (GTIG) links the chain to commercial surveillance vendors and suspected state-sponsored operators active since at least November 2025, with observed targeting in Saudi Arabia, Turkey, Malaysia, and Ukraine. The exploit supports iOS 18.4–18.7 and installs one of three final-stage payload families—GHOSTBLADE, GHOSTKNIFE, or GHOSTSABER. A version leaked online a week after discovery; ensure devices are patched promptly.
read more →

UAT-8302: China-Nexus APT Targeting Government Networks

🔒 Cisco Talos discloses UAT-8302, a China-nexus APT targeting government entities in South America and southeastern Europe since late 2024 into 2025. Post-compromise activity includes reconnaissance, credential theft, and lateral movement using tools like Impacket, plus deployment of multiple custom backdoors such as NetDraft, CloudSorcerer v3, and VSHELL with stagers SNOWLIGHT and SNOWRUST. Talos links these artifacts to other China-nexus clusters and publishes IOCs, ClamAV signatures, and Snort rules to assist defenders.
read more →

Small US Defense Contractors Lack Network Telemetry

🛡️ Small and mid-size US defense contractors lack the network telemetry needed to detect nation-state reconnaissance and pre-positioning operations, Team Cymru analyst Stephen Campbell warns. He says state-backed groups are increasingly targeting edge infrastructure — routers, firewalls and VPN gateways — and using living-off-the-land techniques and legitimate cloud services to evade endpoint alerts. Campbell urges firms to deploy NetFlow pattern recognition, map infrastructure, patch and segment systems, and hunt for anomalous DNS and lateral movement to uncover stealthy access.
read more →

Fast16 Malware: State-Sponsored Sabotage Targeting Iran

🔍 Researchers have reverse-engineered a sophisticated malware strain called Fast16, concluding it is almost certainly state-sponsored and likely of US origin. The malware was reportedly deployed against Iranian targets years before Stuxnet, and it propagates automatically across networks while avoiding overt disruption. Instead of crashing systems, Fast16 silently tampers with numerical computations inside specialized simulation and engineering applications, altering results in ways that can turn routine analyses into faulty designs or trigger catastrophic equipment failures.
read more →

Handala Hackers Leak US Marines' Data, Send Threats

🚨 US Marines stationed near the Persian Gulf reported receiving chilling WhatsApp messages beginning Monday that urged them to call home and make final goodbyes. The messages were signed by the Iran-linked Handala hacking group and allegedly originated from a Bahraini phone number that was likely spoofed or hijacked. A day later, Handala posted that it had published names and phone numbers of 2,379 Marines and boasted of possessing addresses, family details and daily routines. While authorities caution that such claims may rely on scraped or recycled data rather than a fresh breach, the campaign’s intent to intimidate service members is clear.
read more →

Alleged Silk Typhoon Hacker Extradited to U.S. Courts

🛡️ A Chinese national, identified as Xu Zewei, has been extradited from Italy to the United States to face charges accusing him of conducting cyberespionage on behalf of China's Ministry of State Security (MSS). Prosecutors allege Xu worked as a contracted hacker for the group known as Silk Typhoon (also called Hafnium), carrying out intrusions from February 2020 to June 2021. The indictment ties him to attacks on COVID-19 research organizations and widespread exploitation of Microsoft Exchange zero-day vulnerabilities in late 2020, during which web shells were deployed to access mailboxes, move laterally, and exfiltrate data. Xu is expected to appear in federal court on multiple counts related to computer intrusions and conspiracy.
read more →

Chinese National Posed as US Researcher to Get NASA Tech

🛰️ The NASA Office of Inspector General (OIG) says a Chinese national, identified in a 2024 indictment as Song Wu, posed as U.S. researchers to obtain sensitive aerospace modeling software and source code from NASA employees, universities, and private firms. The campaign ran from January 2017 through December 2021 and also targeted multiple U.S. government agencies. Song faces wire fraud and aggravated identity theft charges and remains at large.
read more →

China-aligned GopherWhisper APT Targets Mongolian Government

🛡️ ESET reports a previously undocumented China-aligned APT, tracked as GopherWhisper, has compromised Mongolian governmental systems with a modular suite of backdoors and loaders. The actor primarily uses tools written in Go and abuses legitimate services — including Discord, Slack, Microsoft 365 Outlook, and file[.]io — for command-and-control and data exfiltration. ESET found about 12 infected systems at one institution and telemetry from attacker-controlled Discord and Slack suggests additional victims. Message timestamps and Slack locale align with China Standard Time, supporting a China-aligned assessment.
read more →

GopherWhisper: China-aligned APT uses Go-based malware

🐿️ ESET researchers identified a previously undocumented China‑aligned APT group they named GopherWhisper, which targeted a Mongolian governmental entity and employed a broad toolkit of custom, mostly Go‑based malware. The group used injectors, loaders and multiple backdoors (notably LaxGopher, RatGopher and BoxOfFriends) and abused legitimate services—Slack, Discord, Microsoft 365 Outlook and file.io—for C&C and exfiltration. Recovery of attacker-operated Slack and Discord channels and Outlook draft messages provided extensive visibility into operator activity, development references and an operational cadence consistent with UTC+8.
read more →

UK Faces 'Perfect Storm' of Nation-State Cyber Threats

⚠️ Richard Horne, CEO of the NCSC, warned at the tenth annual CYBERUK in Glasgow that the UK faces a “perfect storm” driven by rising geopolitical tensions and rapid AI-led technological change. He said nationally significant incidents remain broadly steady since the NCSC's last review, but the most serious threats now originate from nation states — notably Russia, China and Iran. The briefing urged organisations to shift from a prevention-only posture to a resilience mindset and to ensure fundamentals such as full visibility, 24/7 monitoring and correct configuration are in place.
read more →

State-Sponsored & Phishing Trends: Printers, M365 Risks

🔍 This podcast episode examines the 2025 Talos Year in Review, highlighting a sharp increase in internal phishing that evades traditional perimeter defenses. Hosts Amy Ciminnisi and Martin Lee explain how Microsoft 365's Direct Send feature has been broadly weaponized to deliver trusted-looking internal mail. They also unpack blended state-sponsored campaigns from China and North Korea that pair zero-day exploitation with advanced social engineering.
read more →

Handala, CyberAv3ngers and Iran’s Proxy Cyber Ops Activities

🔍 US authorities issued an April 7 advisory warning that Iranian-affiliated APTs could be conducting infrastructural cyberattacks, citing links to 2023 water and wastewater incidents attributed to CyberAv3ngers. The article examines two prominent groups — Handala Hack Team and CyberAv3ngers — and argues they function as proxy or false-flag operations likely tied to Iran’s Ministry of Intelligence. It describes a broader pattern of gray warfare, where state actors obscure involvement to retain plausible deniability while exerting persistent pressure on adversaries.
read more →

State-Sponsored Threats: Shared Access Paths, Varied Goals

🔍 Talos' 2025 Year in Review documents state-sponsored activity from China, Russia, North Korea, and Iran, each pursuing different goals such as espionage, disruption, and financial gain. Despite varied motives, adversaries consistently exploit both newly disclosed and long-known vulnerabilities, and rely on identity-based access and stealthy persistence. Notable examples include rapid exploitation and web shells from China, geopolitically timed campaigns and common malware families from Russia, North Korean social-engineering and a $1.5B crypto theft, and Iran's mix of visible disruption and stealthy APT activity such as ShroudedSnooper. Defenders are urged to prioritise patching, identity security, network visibility, and hunts for long-term presence.
read more →

German military warns: Hybrid attacks on infrastructure

🔒 Vice Admiral Thomas Daum warned that hybrid attacks on Germany's critical infrastructure and Bundeswehr forces abroad have risen noticeably since 2022. At NATO's Locked Shields exercise he cited targeted intrusions against Bundeswehr data centres, alleged phone tapping of deployed personnel and disinformation campaigns in Lithuania. Authorities suspect state actors including Russia, China, Iran and North Korea, while energy firms, banks and local authorities remain at risk.
read more →

Nearly 4,000 US Rockwell PLCs Exposed in Iranian Attacks

🔒 A joint U.S. federal advisory warns that Iranian state-backed hackers have been targeting Rockwell Automation/Allen‑Bradley PLCs since March 2026, extracting project files and manipulating HMI/SCADA displays. Researcher Censys found 5,219 EtherNet/IP hosts exposed online globally, with 3,891 (74.6%) in the United States and a notable share on cellular carrier ASNs. Agencies urge disconnecting or firewalling PLCs, enforcing MFA, applying updates, disabling unused services, and monitoring OT ports and logs for suspicious overseas traffic.
read more →

Germany Identifies 'UNKN' as Head of REvil and GandCrab

🔍 German authorities have identified 31‑year‑old Daniil Maksimovich Shchukin as the hacker known as 'UNKN', alleging he led the GandCrab and REvil ransomware operations. The Bundeskriminalamt says Shchukin and an associate extorted nearly €2 million in roughly two dozen attacks between 2019 and 2021, causing over €35 million in damage. Investigators cite cryptocurrency traces, forum links and a mugshot match; he is believed to be abroad, likely in Russia.
read more →

China-linked TA416 Targets European Diplomatic Networks

🔍 A China-aligned threat cluster identified as TA416 has resumed focused operations against European government and diplomatic entities since mid-2025, according to Proofpoint. The campaign combined web bugs and malware delivery to deploy the PlugX backdoor via Azure Blob, Google Drive, compromised SharePoint, and attacker-controlled domains. Attackers repeatedly altered infection chains—abusing Cloudflare Turnstile pages, OAuth redirection through Microsoft Entra ID, and MSBuild-based C# project files with DLL side-loading—to enhance stealth and persistence. The group also expanded targeting to Middle Eastern governments following the February 2026 regional conflict.
read more →