< ciso
brief />
Tag Banner

All news with #nation state actor tag

192 articles · page 5 of 10

Munich Cybersecurity Conference 2026: Politics Meet Industry

🔐 At the Munich Cybersecurity Conference (MCSC) 2026, representatives from the White House, FBI, Europol, OECD, BSI, BND, the European Commission and Japan's National Cybersecurity Office convened to discuss the rising global cyber threat environment. Speakers emphasized the need for stronger public-private cooperation and the industrialization of cybersecurity to better protect critical digital infrastructure. Panelists warned that geopolitical tensions - notably involving North Korea, China and Russia - and transnational cybercrime demand coordinated international responses.
read more →

Google Links Suspected Russian Actor to CANFAIL Attacks

⚠️ Google Threat Intelligence Group (GTIG) attributes a previously undocumented actor, likely linked to Russian intelligence, to campaigns using CANFAIL against Ukrainian defense, military, government, and energy organizations. The actor has expanded interest to aerospace, defense-adjacent manufacturing, nuclear and chemical research, and humanitarian groups, often impersonating Ukrainian and Romanian energy firms in phishing. Operators used LLMs to produce reconnaissance and social-engineering lures, embedding Google Drive links to RAR archives that deliver obfuscated JavaScript which spawns PowerShell memory-only droppers. GTIG links this activity to the PhantomCaptcha campaign disclosed by SentinelOne SentinelLABS in October 2025.
read more →

Google Ties State-Linked Actors to Defense Sector Attacks

🔎 Google Threat Intelligence Group (GTIG) warns that state-sponsored actors from China, Iran, Russia, and North Korea are conducting sustained cyber operations against the defense industrial base (DIB). GTIG highlights four themes: targeting battlefield technologies like drones, exploiting hiring and personnel processes, leveraging edge devices for initial access, and capitalizing on manufacturing supply chain breaches. Observed tactics include bespoke malware families, abuse of secure messaging linking, careful endpoint-evasion techniques, and use of relay networks to complicate detection and attribution.
read more →

Nation-State Actors Leverage Gemini AI in Cyber Campaigns

🔍 Google’s Threat Intelligence Group and DeepMind found that government-backed APTs increasingly use Gemini and other generative AI for reconnaissance, target profiling and sophisticated social engineering. Observed actors include Iran’s APT42 and North Korea’s UNC2970 using models to harvest email addresses and synthesize OSINT, while TEMP.Hex and APT31 applied AI for vulnerability research and automated testing. The report also details a rise in model extraction attempts, an underground jailbreak ecosystem (notably the Xanthorox toolkit), abuse of public sharing to host malicious instructions, and cases such as Honestcue leveraging Gemini APIs to generate in-memory malicious code; Google has disabled associated assets and warns of intellectual-property theft risks.
read more →

Google: Hackers Abusing Gemini AI Across All Attack Stages

🛡️ Google Threat Intelligence Group warns state-backed actors are abusing Gemini across the full attack lifecycle, from reconnaissance and phishing-lure generation to C2 development and data exfiltration. Groups linked to China, Iran, North Korea, and Russia used the model for target profiling, code generation, translation, vulnerability testing, and troubleshooting. Google says it has disabled abusive accounts and implemented targeted classifier defenses to make misuse harder.
read more →

DPRK Operatives Use Real LinkedIn Identities to Apply

🔍 DPRK-linked IT operatives are escalating a long-running fraud by applying to remote positions using genuine LinkedIn profiles they impersonate, often including verified workplace emails and identity badges. Security Alliance and other researchers warn this helps attackers bypass basic vetting and gain administrative access to sensitive codebases. Parallel social engineering
read more →

Cyber Threats to the Defense Industrial Base & Supply Chain

🛡️ Google Threat Intelligence Group (GTIG) details persistent, multi-vector cyber threats to the defense industrial base. State-sponsored and hacktivist actors target UAVs and battlefield systems, exploit personnel and hiring processes, and increasingly compromise edge devices and appliances to bypass EDR. The report documents campaigns against messaging apps, Android and Windows malware, and recruitment-themed lures. It also highlights ransomware and supply‑chain risks that can disrupt production and surge capacity.
read more →

Singapore Disrupts Chinese APT Targeting Telco Networks

🔒 Singapore’s Cyber Security Agency disclosed that Operation Cyber Guardian disrupted attacks by Chinese-linked APT UNC3886 targeting the nation’s four major telcos between summer 2025 and early 2026. The response involved over 100 cyber defenders across six agencies and identified use of a zero-day and rootkits to maintain persistent access. CSA reported no evidence of service disruption or sensitive personal data exfiltration and implemented remediation and enhanced monitoring. Telcos have been urged to continue strengthening systems and vigilance against re-entry attempts.
read more →

NCSC Warns CNI Operators of Severe Cyber-Attacks Now

⚠️ The NCSC has issued an urgent alert to critical national infrastructure (CNI) providers after December's coordinated malware attacks against Poland's energy sector, urging operators to act now to defend UK assets. Director Jonathan Ellison stressed the need to follow recent NCSC guidance on monitoring, situational awareness and hardening network defences. Recommended measures include patching, access controls and MFA, secure-by-design management and robust resilience and recovery plans.
read more →

Chinese UNC3886 Cyberspies Breach Singapore Telcos

🔒 Singapore's Cyber Security Agency says China-linked threat actor UNC3886 breached the country's four largest telcos — Singtel, StarHub, M1, and Simba — at least once last year, gaining limited access to critical systems but failing to disrupt services or exfiltrate confirmed customer data. Investigators found a zero-day used to bypass perimeter firewalls and rootkits employed for stealth and persistence. The government launched Operation Cyber Guardian, mobilized multiple agencies, and contained the intrusions while increasing monitoring across critical sectors.
read more →

China-linked UNC3886 Targets Singapore Telecoms Systems

🛡️ Singapore's Cyber Security Agency (CSA) disclosed that the China-linked espionage group UNC3886 executed a deliberate, targeted campaign against the nation's telecommunications sector, naming M1, SIMBA Telecom, Singtel and StarHub as targets. The agency said the actor used sophisticated tools, including a weaponized zero-day and kernel-level rootkits, to gain unauthorized access to portions of telco networks. CSA reported no evidence of customer personal data exfiltration or service disruption and said a defensive operation called CYBER GUARDIAN has closed the group's access points and expanded monitoring across affected operators.
read more →

State-Linked 'Shadow Campaigns' Target 155 Countries

🕵️‍♂️ Palo Alto Networks' Unit 42 reports a state-sponsored threat actor tracked as TGR-STA-1030/UNC6619 has run global-scale "Shadow Campaigns," compromising at least 70 government and critical infrastructure organizations across 37 countries and conducting reconnaissance tied to 155 countries. The actor has been active since at least January 2024 and is assessed to operate from Asia. Initial access combined tailored phishing lures hosted on Mega.nz with exploitation of known flaws in SAP Solution Manager, Microsoft Exchange, D-Link, and Windows to deploy loaders such as Diaoyu. Victim environments were instrumented with Cobalt Strike, webshells, tunneling tools, and a bespoke Linux eBPF rootkit named ShadowGuard to hide activity and evade detection.
read more →

TGR-STA-1030: Asian State-Linked Group Breaches 70 Targets

🔒 Palo Alto Networks Unit 42 reports an Asia-origin, state-backed actor tracked as TGR-STA-1030 breached at least 70 government and critical-infrastructure organizations across 37 countries and scanned infrastructure tied to 155 countries in late 2025. Active since January 2024, the group used MEGA-hosted phishing ZIPs to deliver a guarded loader, Diaoyu Loader, which requires a zero-byte pic1.png and checks for select AV processes before pulling images from GitHub to stage a Cobalt Strike payload. It also exploited N-day flaws, deployed web shells, tunnelers and an eBPF Linux rootkit ShadowGuard, maintaining prolonged access for intelligence collection.
read more →

Asian APT Compromises 70 Government and Infrastructure

🔎 Palo Alto Networks has identified a new Asia-based cyberespionage group, tracked as TGR-STA-1030 (UNC6619), that has compromised 70 government and critical-infrastructure organizations across 37 countries over the past year. The actor employs phishing, N-day exploits, and a multifaceted toolset including a custom loader named Diaoyu, Cobalt Strike implants, multiple web shells, and a bespoke eBPF-based Linux rootkit called ShadowGuard. Researchers report the group conducts extensive scanning and targeted reconnaissance tied to regional events, operates on GMT+8 hours, and shows indicators consistent with nation-state activity.
read more →

Reducing Attack Surface from End-of-Support Edge Devices

🔒 This fact sheet from CISA, the FBI, and the U.K. NCSC urges organizations to mitigate risks posed by end-of-support (EOS) edge devices such as firewalls, routers, load balancers, and VPN gateways. It highlights BOD 26-02 for U.S. federal agencies and recommends maintaining asset inventories, replacing EOS hardware, and applying timely updates and patches to reduce exposure to nation-state threat actors.
read more →

Shadow Campaigns: Global State-Aligned Cyber Espionage

🔎 Unit 42 details a newly tracked, state-aligned cyberespionage group labeled TGR-STA-1030 that has targeted government and critical infrastructure across 37 countries. The report documents coordinated phishing using a Diaoyu loader, exploitation of known N-day vulnerabilities, and a transition from Cobalt Strike to Go-based C2 frameworks. It also describes a bespoke Linux eBPF rootkit, ShadowGuard, and provides actionable IoCs (IPs, domains, hashes) to support defenders.
read more →

Italy Repels Russian Cyber Attacks Ahead of Olympics

🛡️ Italy says it repelled multiple cyberattacks of Russian origin days before the Winter Olympic Games in Milan and Cortina d'Ampezzo. Targets included sites connected to the Games and several hotels in Cortina; facilities of the Foreign Ministry were also affected. Foreign Minister Antonio Tajani thanked security teams and said authorities coordinated defenses with event organizers.
read more →

Germany and Israel Conduct Joint Cyberattack Defense Drill

🛡️ Germany and Israel jointly conducted a first-ever exercise, called “Blue Horizon,” to practice defending against a major cyberattack as part of a recent bilateral cyber and security pact. The drill aims to familiarize experts and advance the planned construction of a German “Cyberdome”, modeled on Israeli systems that consolidate data and use AI to detect network vulnerabilities and warn organizations. The pact also foresees closer cooperation on cybercrime, artificial intelligence and drone defense.
read more →

Russian ELECTRUM Linked to December 2025 Polish Grid Attack

🔎 Dragos attributes a coordinated late-December 2025 cyber attack on multiple Polish power grid sites to the Russian state-sponsored crew ELECTRUM with medium confidence. The campaign targeted communication and control systems at combined heat and power facilities and systems managing distributed energy resources, including wind and solar dispatch. Although no blackouts were reported, attackers gained access to OT networks and disabled some equipment beyond repair. Dragos notes the operation blended IT-to-OT tradecraft, with KAMACITE enabling access and ELECTRUM executing ICS-focused actions.
read more →

Public Sector Cyber Outlook 2026: Identity and AI Trust

🔒 AI integration has shifted public-sector cybersecurity in 2026, forcing agencies to adopt AI-native detection and autonomous response, continuous identity verification, and secure-by-design AI deployments. Nation-state actors now automate intrusion, deception, and tailored malware, expanding risk to IT, OT and research environments. Agencies must consolidate platforms, accelerate post-quantum planning, and govern AI at mission scale.
read more →