< ciso
brief />
Tag Banner

All news with #nation state actor tag

192 articles · page 3 of 10

Alleged Leak of US iPhone Hacking Tool Coruna Reveals

🔓 Google researchers released a report describing Coruna, a sophisticated iPhone exploitation toolkit that chains 23 distinct iOS vulnerabilities into five full exploit techniques capable of bypassing device defenses and silently installing malware when a user visits a crafted website. Analysts note the code’s professional, English-language provenance and say it bears hallmarks of previously attributed US government modules. Reporting from TechCrunch cites former L3Harris employees who say the company’s Trenchant surveillance division helped develop parts of the toolkit and that an insider may have sold components to foreign actors, raising urgent questions about loss of control over offensive cyber capabilities.
read more →

U.S. Cyber Strategy Signals Possible Private Hackback

🛡️ The 2026 U.S. Cyber Strategy for America largely reiterates longstanding White House cyber priorities but adopts a noticeably more aggressive tone. One sentence — “We will unleash the private sector by creating incentives to identify and disrupt adversary networks and scale our national capabilities.” — reads like an explicit invitation for corporate hackback. The author argues this is a dangerous and ill-considered idea because it risks misattribution, vigilantism, extrajudicial punishment, and escalation rather than strengthening security.
read more →

Critical Infrastructure Threats: Identity, Persistence

🔐 Microsoft Threat Intelligence warns that the cyber threat to critical infrastructure has shifted from opportunistic data theft to long-term, identity-driven persistence aimed at operational disruption. Hybrid IT–OT architectures, cloud-based identity, and exposed remote services enable adversaries—including nation-state actors—to establish low-visibility footholds using living-off-the-land techniques and valid credentials. Microsoft recommends continuous readiness, reducing exposure, and validating defenses through proactive compromise assessments to detect active or dormant intrusions before they are activated.
read more →

China-linked clusters target Southeast Asian government

🔒 Palo Alto Networks' Unit 42 reports three China-aligned activity clusters targeted a Southeast Asian government organization in 2025, executing a sustained, well-resourced operation aimed at persistent access. The campaigns deployed multiple loaders and backdoors, notably HIUPAN (USBFect), PUBLOAD, EggStremeFuel/EggStremeLoader, MASOL RAT, TrackBak, and FluffyGh0st, alongside components such as Claimloader and Hypnosis Loader. Unit 42 notes significant TTP overlap with known groups including Mustang Panda and clusters linked to Earth Estries, Crimson Palace, and Unfading Sea Haze.
read more →

Geopolitics and Cyber Conflict: Europe’s Strategic Reckoning

🛡️ Rising geopolitical tensions have made cyber operations a central instrument of statecraft, forcing European organizations to rethink digital architectures and trust assumptions. The article reviews state-linked campaigns from the mid-2000s through 2025, the evolution of hacktivism into state‑aligned actors, and the persistence of cyber extortion ecosystems. It highlights trends—identity- and edge-focused attacks, supply-chain and appliance compromises—and recommends prevention, detection, incident response, and public‑private coordination, including tabletop rehearsals and recovery drills.
read more →

FCC Bans Import and Sale of All Foreign-Made Routers

🔒 The FCC has banned the import and sale of all consumer-grade internet routers manufactured in foreign countries, saying they pose an 'unacceptable risk' to US national security. The rule, announced on 23 March, allows only devices with conditional DoD or DHS approval, effectively blocking most future consumer models because many are made abroad. The agency cited incidents such as the Volt, Flax and Salt Typhoon attacks, while industry experts caution that governance, patching and lifecycle management — not just country of origin — drive much of the risk.
read more →

North America Cyber Risk in 2026: Concentration and Repeat

🔍 The North America threat landscape hardened in 2025, with incidents becoming more concentrated, repeated and driven by persistent adversaries. Publicly recorded incidents were dominated by the United States, which accounted for roughly 93% of cases. The report highlights three dynamics shaping risk, including a stable, competitive extortion economy, recurring attack patterns, and predictable windows of opportunity. Organizations should expect pressure over surprise into 2026 and adjust defenses accordingly.
read more →

Silver Fox Campaigns Shift Toward Dual Espionage and Crime

🦊 Sekoia has identified a series of Silver Fox campaigns from 2025–2026 that blend espionage and financially motivated cybercrime. Attackers used tax- and payroll-themed phishing lures, SEO poisoning and malicious ads to deliver tools such as ValleyRAT, HoldingHands and a custom Python credential stealer disguised as a WhatsApp app. Targets included organizations across Taiwan, Japan and multiple Southeast Asian countries. Researchers say the group’s modular approach enables rapid tool changes while preserving persistence in compromised networks.
read more →

OFAC Sanctions DPRK IT Worker Network Funding WMDs

🚨 The U.S. Department of the Treasury's Office of Foreign Assets Control has sanctioned six individuals and two entities tied to a DPRK-run IT worker scheme that secured remote jobs, stole data, and funneled salaries back to North Korea to finance weapons programs. The operation—tracked as Coral Sleet/Jasper Sleet (also called PurpleDelta/Wagemole)—used stolen identities, fabricated personas, VPN services, and AI-enabled tools to conceal origins, launder funds, and deploy malware or extort victims. OFAC named Amnokgang Technology Development Company and several facilitators, currency converters, and account enablers; security firms and Microsoft warn the campaign leverages Astrill VPN, AI faceswaps, agentic LLM misuse, and offshore operations to maintain persistent, low-cost access.
read more →

DarkSword: Full-Chain iOS Exploit Targeting iOS 18.4–18.7

🔒 Google Threat Intelligence Group (GTIG) disclosed a JavaScript full-chain iOS exploit named 'DarkSword,' observed since November 2025, that chains six vulnerabilities to fully compromise devices running iOS 18.4–18.7. Multiple operators — including commercial vendor PARS Defense and suspected state actors (UNC6748, UNC6353) — used DarkSword to deploy implants GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER. Apple has issued patches (culminating in iOS 26.3); GTIG recommends updating immediately or enabling Lockdown Mode if updates are not possible.
read more →

EU Imposes Sanctions on Chinese and Iranian Cyber Firms

🔒 The Council of the European Union has sanctioned three companies and two individuals from China and Iran for cyberoperations that targeted devices and critical infrastructure. The measures name Integrity Technology Group (linked to the Raptor Train botnet), Anxun Information Technology (i‑Soon) and Iranian firm Emennet Pasargad. Listed parties face asset freezes and prohibitions on accessing funds, and natural persons are subject to travel bans through EU territory.
read more →

Over Half of UK Firms Hit by Nation-State Cyber Attacks

🛡️ The 2026 Armis Cyberwarfare Report found that 54% of UK companies experienced nation-state attacks last year, up from 47% previously. Based on interviews with 1,900 IT decision-makers (including 500 in the UK) and Armis Labs data, the study highlights growing fear over AI-powered threats and the weakening deterrent effect of "mutually assured disruption." Respondents identified Russia, China and North Korea as the greatest risks.
read more →

Cyber fallout from Iran conflict: risks and defenses

🔒 The war in the Middle East has expanded cyber risk globally, from physical strikes on AWS data centers to waves of Iran-aligned cyber activity. Within hours of kinetic operations, hacktivists and state-aligned APTs mobilized, using DDoS, defacement, wipers and supply-chain compromises. Organizations should prioritize inventorying internet-facing assets, enforcing phishing-resistant MFA, auditing MSP and cloud dependencies, and preparing offline backups. The guidance focuses on pragmatic hardening where adversaries historically find weak spots.
read more →

X Suspended 800M Accounts in 2024; Manipulation Remains

🛡️ X told British MPs it suspended 800 million accounts in 2024 for breaching rules on platform manipulation and spam. Company government affairs executive Wifredo Fernández said Russia was the most active state-backed manipulator, followed by Iran and China, and that efforts to influence elections and 'flood the zone' persist. Despite Elon Musk's prior pledge to purge bots, X acknowledges hundreds of millions of inauthentic accounts are removed annually, raising concerns about uncaught actors and moderation practices.
read more →

APT28 Uses BEARDSHELL and COVENANT for Ukrainian Espionage

🛰️ ESET researchers say the Russian state‑sponsored group APT28 has deployed two implants, BEARDSHELL and COVENANT, alongside a keylogger dubbed SLIMAGENT to conduct long‑term surveillance of Ukrainian military personnel since April 2024. BEARDSHELL executes PowerShell commands and uses Icedrive for command‑and‑control, while the group’s modified COVENANT has abused Filen for cloud‑based C2 since July 2025. ESET links SLIMAGENT to older XAgent samples and notes shared obfuscation techniques as evidence of APT28 attribution.
read more →

Russian Campaign Targets Signal and WhatsApp Accounts

🔒 Dutch intelligence has uncovered a large-scale campaign by Russian state actors to hijack Signal and WhatsApp accounts belonging to military, government and other high-value individuals worldwide. The attackers impersonate support bots, request SMS verification codes or PINs, and exploit linked-device QR flows to add devices. Authorities warn these consumer apps, while end-to-end encrypted, are unsuitable for classified material and have issued guidance to detect and remediate account takeovers.
read more →

APT28 Deploys Customized Covenant Variant for Espionage

🔒 Since April 2024, Russian state-sponsored APT28 has deployed a customized variant of the open-source Covenant post-exploitation framework alongside a modern implant called BeardShell. The dual-implant approach enabled long-term surveillance of Ukrainian military personnel and central executive bodies, researchers at ESET and CERT-UA report. Attacks exploited the CVE-2026-21509 Microsoft Office vulnerability using malicious DOC files. APT28 modified Covenant with deterministic implant IDs, altered execution flows to evade behavioral detection, and added new cloud-based communication channels.
read more →

Dutch govt warns of Signal and WhatsApp hijacking campaigns

🔐Russian state-sponsored actors are tied to a targeted phishing campaign that hijacks Signal and WhatsApp accounts to monitor messages of government officials, military personnel, and journalists. The Dutch MIVD and AIVD warn attackers use fake support chats, SMS verification-code prompts, Signal PIN requests, and malicious QR links to link attacker devices. Signal says its infrastructure is intact and urges users never to share codes or PINs and to review linked devices immediately.
read more →

FBI Investigates Suspected Breach of Wiretap Systems

🚨 The FBI has acknowledged a suspected intrusion on a network used to manage wiretaps and foreign intelligence surveillance warrants, telling CNN it "identified and addressed suspicious activities" and leveraged technical capabilities to respond. The agency provided limited detail, prompting concerns about potential state-linked actors such as China. Past FBI IT security problems and a reported February 2023 field office breach have heightened scrutiny.
read more →

FBI investigates breach of surveillance and wiretap systems

🚨 The U.S. Federal Bureau of Investigation confirmed it is investigating a breach that affected systems used to manage surveillance and court-authorized wiretap warrants. The agency said it identified and addressed suspicious activity on FBI networks and has leveraged technical capabilities to respond, but declined to provide details on scope or impact. CNN reported an anonymous source saying the intrusion affected systems supporting wiretapping and foreign surveillance. Security observers note similarities with prior activity attributed to the state-linked group Salt Typhoon.
read more →