< ciso
brief />
Tag Banner

All news with #nation state actor tag

192 articles · page 4 of 10

Israel Hacked Iranian Traffic Cameras, Aiding Assassinations

🎯Multiple outlets report that Israel hacked Iranian traffic cameras and used the access to facilitate the targeting and killing of Iranian leaders. The New York Times details the broader intelligence operation and strategic context. The revelations raise questions about the use of civilian infrastructure in lethal operations and potential international legal and escalation risks. Security experts note that camera networks, often insecure and internet-connected, create an attack surface exploited by state actors.
read more →

Hacked Prayer App Linked to US/Israeli Campaign Against Iran

📱 The Iranian prayer-timing app BadeSaba Calendar — installed by over five million users from the Google Play Store — delivered a rapid series of push notifications shortly after a set of explosions, beginning at 9:52 a.m. Tehran time. The alerts, starting with the phrase 'Help has arrived', reached users over roughly 30 minutes. No one has claimed responsibility; analysts say the speed and scale point to a likely state operation, with the US and Israel named as plausible actors.
read more →

State-affiliated groups prepare disruptive OT attacks

⚠️ Dragos reports that multiple state-affiliated threat groups have shifted from long-term access to actively mapping and preparing disruptive attacks against industrial control systems. Adversaries tracked as Voltzite, Kamacite, Electrum, and others have been observed harvesting engineering workstation files, scanning device types to map control loops, and staging wiper and firmware-corruption capabilities. The access-broker model — exemplified by Sylvanite handing footholds to operational teams — shortens the timeline from intrusion to operational readiness. With under 10% of OT environments monitored, many sites lack the visibility needed to detect or respond to these preparations.
read more →

Smashing Security Podcast #457: Insider Leak and AI Risks

🕵️ In episode 457 of the Smashing Security podcast, Graham Cluley and guest Carl Miller unpack a startling insider-abuse case where a defence contractor's leak of zero-day exploits apparently led to an internal investigation run by the leaker, who then framed an innocent colleague. The episode cites reporting and US government actions — including a DOJ sentencing and Treasury sanctions — that trace a network selling stolen government cyber tools to a Russia-linked broker. It also examines emerging concerns that nation states may attempt to manipulate AI by poisoning training data and influencing large language models, with broad implications for trust and national security.
read more →

Cyber Fallout After the Strikes: Signal, Noise, Next Steps

⚠️ FortiGuard Labs reports a surge of regional cyber activity in the 24–48 hours following U.S.-Israeli strikes on Iranian targets, including defacements, broadcast intrusions, Telegram claims, and internet disruptions, but no confirmed large-scale destructive campaign tied directly to the strikes. Many observed events appear to be psychological operations, hacktivist signaling, or opportunistic exploitation of geopolitical noise rather than coordinated state-level retaliation. The report warns that access is often pre-positioned and that activations can be delayed, so organizations should harden basic controls and preparedness now. Recommended actions include enabling MFA, automating patching, isolated backups, segmentation, active monitoring, and exercising incident response playbooks.
read more →

Iranian Cyberattacks Largely Absent So Far, Risks Remain

⚠️ Five days into the US-Israel–Iran conflict, widescale Iranian cyber retaliation has not yet materialized, but security agencies warn the danger is acute and ongoing. The UK NCSC and Canada CCCS issued broad advisories while CISA has not updated since October. Observed DDoS activity is limited, yet vendors highlight the greater risk from destructive wipers (e.g., Shamoon) and an arsenal of 15+ Iranian families. High‑profile APTs such as APT35/APT42 and APT33 remain concerning; organizations should harden OT, remove unmanaged RMM tools, implement phishing‑resistant MFA (FIDO2/WebAuthn), patch VPNs and monitor endpoints for wiper indicators.
read more →

APT41-Linked Silver Dragon Targets Europe and Asia

🔒 Check Point disclosed an advanced persistent threat dubbed Silver Dragon, active since mid-2024 and assessed to operate under the APT41 umbrella. The group gains access via vulnerable public servers and phishing, deploying loaders such as MonikerLoader and the C++ BamboLoader to stage Cobalt Strike beacons. Post-exploitation tools include screen capture, SSH utilities, and a Google Drive backdoor used for file-based C2.
read more →

Operation Epic Fury Adds New Enterprise Risk Layer

⚠ Operation Epic Fury — the US administration's sustained kinetic pressure on core Iranian regime assets — creates an immediate layer of operational risk for multinationals with people, infrastructure, or supply dependencies in the Middle East and beyond. Briefings from Washington offer situational context but do not capture the operational exposure that surfaces as hostilities begin. CISOs, CSOs, and chief risk officers must validate assumptions, set evacuation and wellness protocols, and apply travel thresholds. Cyber posture should be hardened with accelerated patching, edge device controls, and OT segmentation to reduce attack surface.
read more →

Threat Brief: March 2026 Iran-Related Cyber Escalation

⚠️ Beginning Feb. 28, 2026, Unit 42 observed a rapid escalation in cyber activity tied to Iran following joint U.S.–Israeli strikes, coinciding with an internal internet outage that reduced connectivity in Iran to 1–4%. That loss likely constrains coordinated state-aligned campaigns from inside Iran while enabling decentralized and geographically dispersed actors to increase disruptive operations. Unit 42 identified a phishing campaign using a malicious replica of the Israeli Home Front Command RedAlert APK and tracked about 60 active hacktivist groups claiming DDoS, wiper, and hack-and-leak operations. Organizations should prioritize multi-layered defenses, offline backups, strict out-of-band verification, patching, monitoring, and incident response preparedness; Palo Alto Networks and Unit 42 offer protections and services to assist.
read more →

Google Warns Iran Will Launch Global Cyber-Attacks

⚠ John Hultquist, chief analyst of Google’s Threat Intelligence Group, warned that Iran will "absolutely" respond to recent US and Israeli air strikes with cyber-attacks targeting a broad array of organisations across the Middle East and beyond. He said the focus will shift from well-defended states like Israel to nations with less mature security, expanding the global attack surface. Hultquist highlighted the blurred lines between state actors, criminal groups and hacktivist fronts, noting the likely use of ransomware and proxy operations by the IRGC to obfuscate attribution. The UK’s NCSC has advised organisations with Middle East ties to urgently review and strengthen their cybersecurity posture.
read more →

Hybrid Middle East Conflict Sparks Global Cyber Surge

🌐 A sharp escalation in the Middle East has entered a hybrid phase combining military strikes with large-scale cyber operations following joint Israeli–US strikes on Iran on 28 February 2026. CloudSek reported a sweeping cyber campaign that reduced Iran's internet to roughly 4% of normal capacity, disrupting government services, media and parts of energy and aviation. Security firm Halcyon warns of rising DDoS, hacktivist and ransomware activity and urges organisations to increase monitoring, enforce multi-factor authentication and maintain offline backups against supply-chain and regional spillover risks.
read more →

Iran's Cyber Capabilities: What Defenders Should Know

🔍 Iran’s cyber ecosystem combines state-aligned clusters, deniable operators, and hacktivists linked to IRGC and MOIS. These actors pursue espionage, disruption and destructive operations—DDoS, pseudo-ransomware, and wipers—often paired with information operations and coordinated amplification. Activity is intensifying amid the current crisis and is expected to broaden across the Middle East, the United States, and other regions.
read more →

Tehran's Two-Tiered Internet and Its Global Risks Today

🔒Iran's January 2026 communications blackout was a comprehensive shutdown that disabled mobile networks, landlines, and even Starlink, extending beyond conventional URL blocking to dismantle both physical and logical connectivity. The regime is formalizing a two-tiered model—white SIM cards and data-center whitelists—that preserves full access for officials while isolating ordinary citizens. By removing social features and disabling local chat channels, the state aims to atomize the population and prevent real-time coordination. The author urges policy and technical measures—such as expanded humanitarian licensing and D2C satellite access—to give repressed populations resilient means of connectivity.
read more →

National Cyber Resilience in the AI Era: A Leadership Guide

🔐 This practical Q&A guide helps leaders translate evolving threats into actionable resilience measures. It highlights why national cyber security urgency has increased as adversaries shift from theft to persistent, disruptive positioning that can affect fuel, hospitals, elections, markets, and public trust. The brief recommends adoption of NIST frameworks, Zero Trust principles, and AI governance to mitigate cloud, OT, and supply chain risks. Leaders receive concise operational steps to align policy, technology, and cross‑sector coordination.
read more →

China-linked Hackers Used Google Sheets for Espionage

🛡️ Google disrupted a China-linked espionage group that repurposed Google Sheets as a covert command-and-control channel to manage a custom backdoor tracked as UNC2814 and named GRIDTIDE. The backdoor abused legitimate Sheets API calls to send commands, retrieve stolen data, poll spreadsheets frequently, and wipe rows to erase traces. Mandiant flagged unusual activity on a CentOS server, leading to discovery of intrusions at 53 organizations across 42 countries focused on telecoms and government systems. Google terminated attacker Cloud projects, revoked API access, sinkholed domains, and published IOCs.
read more →

Disrupting GRIDTIDE: Global Telecom Cyber Espionage

🛡️ Google Threat Intelligence Group, Mandiant, and partners executed a coordinated disruption against a global espionage campaign attributed to UNC2814 that abused cloud services for covert command and control. Investigators identified a novel C-based backdoor called GRIDTIDE that uses Google Sheets APIs as a high-availability C2 channel, protected by an AES-128-CBC key and service account credentials. Actions included terminating attacker-controlled Google Cloud projects, disabling accounts and Sheets API access, sinkholing infrastructure, and publishing IOCs and detection guidance to support defenders.
read more →

U.S. Sanctions Russian Exploit Broker for Stolen Zero‑Days

🔒 The U.S. Treasury Department's Office of Foreign Assets Control designated Matrix LLC (doing business as Operation Zero) and its owner, Sergey Zelenyuk, under the Protecting American Intellectual Property Act, marking the first use of that law. The move coincided with the sentencing of former L3Harris manager Peter Williams, who was given 87 months for stealing eight zero‑day exploits and selling them to Operation Zero for about $1.3 million in cryptocurrency. OFAC also named related companies and individuals, including a UAE front company and a suspected Trickbot affiliate, freezing U.S. assets and warning of potential secondary sanctions for U.S. persons who transact with the designated parties.
read more →

Defense Contractor Employee Jailed for Selling Zero-Days

🔒 Peter Williams, a 39-year-old former senior employee at L3Harris, was sentenced to just over seven years in prison after pleading guilty to selling eight zero-day exploits to the Russian exploit broker Operation Zero. Prosecutors say he received up to $4 million in cryptocurrency and has been ordered to forfeit proceeds, including properties and luxury items. The theft, which occurred between 2022 and 2025, targeted tools intended for sale only to the U.S. government and select allies and prompted criminal charges and sanctions.
read more →

AI-assisted attacker compromises 600+ FortiGate firewalls

🛡️ AWS security researchers report a Russian-speaking attacker compromised more than 600 FortiGate firewalls between January 11 and February 18, 2026, by exploiting weak or default passwords rather than product vulnerabilities. The actor used a Google Gemini-based AI tool to pivot to additional hosts and deployed reconnaissance tools written in Go and Python. Analysts found clear signs of AI-assisted code generation. Experts urge strong passwords and enabling MFA.
read more →

CRESCENTHARVEST Campaign Targets Iran Protest Supporters

🛡️ Acronis Threat Research Unit disclosed CRESCENTHARVEST, a campaign observed after January 9 that targets Farsi-speaking supporters of Iran's protests with a remote access trojan and information stealer. Attackers lure victims with protest-themed archives and double-extension .LNK shortcuts that run PowerShell to fetch a secondary ZIP while opening benign media. The payload sideloads DLLs via a Google-signed software_reporter_tool.exe, extracts Chrome app-bound keys, harvests browser and Telegram data, logs keystrokes, and communicates with a WinHTTP C2 at servicelog-information[.]com.
read more →