All news with #nation state actor tag

🔎 Palo Alto Networks has identified a new Asia-based cyberespionage group, tracked as TGR-STA-1030 (UNC6619), that has compromised 70 government and critical-infrastructure organizations across 37 countries over the past year. The actor employs phishing, N-day exploits, and a multifaceted toolset including a custom loader named Diaoyu, Cobalt Strike implants, multiple web shells, and a bespoke eBPF-based Linux rootkit called ShadowGuard. Researchers report the group conducts extensive scanning and targeted reconnaissance tied to regional events, operates on GMT+8 hours, and shows indicators consistent with nation-state activity.

🔒 This fact sheet from CISA, the FBI, and the U.K. NCSC urges organizations to mitigate risks posed by end-of-support (EOS) edge devices such as firewalls, routers, load balancers, and VPN gateways. It highlights BOD 26-02 for U.S. federal agencies and recommends maintaining asset inventories, replacing EOS hardware, and applying timely updates and patches to reduce exposure to nation-state threat actors.

🔎 Unit 42 details a newly tracked, state-aligned cyberespionage group labeled TGR-STA-1030 that has targeted government and critical infrastructure across 37 countries. The report documents coordinated phishing using a Diaoyu loader, exploitation of known N-day vulnerabilities, and a transition from Cobalt Strike to Go-based C2 frameworks. It also describes a bespoke Linux eBPF rootkit, ShadowGuard, and provides actionable IoCs (IPs, domains, hashes) to support defenders.

🛡️ Italy says it repelled multiple cyberattacks of Russian origin days before the Winter Olympic Games in Milan and Cortina d'Ampezzo. Targets included sites connected to the Games and several hotels in Cortina; facilities of the Foreign Ministry were also affected. Foreign Minister Antonio Tajani thanked security teams and said authorities coordinated defenses with event organizers.

🛡️ Germany and Israel jointly conducted a first-ever exercise, called “Blue Horizon,” to practice defending against a major cyberattack as part of a recent bilateral cyber and security pact. The drill aims to familiarize experts and advance the planned construction of a German “Cyberdome”, modeled on Israeli systems that consolidate data and use AI to detect network vulnerabilities and warn organizations. The pact also foresees closer cooperation on cybercrime, artificial intelligence and drone defense.

🔎 Dragos attributes a coordinated late-December 2025 cyber attack on multiple Polish power grid sites to the Russian state-sponsored crew ELECTRUM with medium confidence. The campaign targeted communication and control systems at combined heat and power facilities and systems managing distributed energy resources, including wind and solar dispatch. Although no blackouts were reported, attackers gained access to OT networks and disabled some equipment beyond repair. Dragos notes the operation blended IT-to-OT tradecraft, with KAMACITE enabling access and ELECTRUM executing ICS-focused actions.

🔒 AI integration has shifted public-sector cybersecurity in 2026, forcing agencies to adopt AI-native detection and autonomous response, continuous identity verification, and secure-by-design AI deployments. Nation-state actors now automate intrusion, deception, and tailored malware, expanding risk to IT, OT and research environments. Agencies must consolidate platforms, accelerate post-quantum planning, and govern AI at mission scale.

🛡️ Germany plans to adopt a more offensive cyber posture, saying it will "strike back, also abroad," and aim to disrupt attackers and destroy their infrastructure. The Interior Ministry proposes joint operational responsibility for the Federal Criminal Police Office (BKA) and intelligence services and is creating a new defense center against hybrid threats. Minister Alexander Dobrindt said he will introduce laws in the first half of the year to expand intelligence powers for information gathering and operational action.

⚠️ The European Space Agency (ESA) has suffered a further significant cybersecurity breach after a December incident, with the Scattered Lapsus$ Hunters group claiming to exfiltrate roughly 500GB of additional data. The stolen material reportedly includes operational procedures, spacecraft and mission documentation, and proprietary contractor data from partners such as SpaceX, Airbus Group, and Thales Alenia Space. ESA has confirmed a criminal investigation is underway amid concerns about systemic security weaknesses.

🔒 In episode 451 of Smashing Security, host Graham Cluley and guest Ray Redacted explore a prolific intruder who claims to have compromised the U.S. Supreme Court, Veterans Affairs, AmeriCorps and other organisations, posting screenshots and even a victim’s blood type under the account I hacked the government. They also examine research revealing flaws in wireless headphone pairing — notably in Google’s Fast Pair ecosystem — that let attackers hijack earbuds, inject audio and eavesdrop without obvious signs. The episode mixes incident reporting, legal context and consumer privacy implications.

🔍 The near-total internet blackout Iran imposed on January 8 may offer SOC teams a rare chance to observe and digitally fingerprint government-controlled traffic. Vendors argue that with residential and business noise silenced, remaining connections likely originate from state assets, making them high-confidence signals for threat modeling and short-term intelligence collection. Analysts caution, however, that sophisticated state actors can deceive attribution, legitimate government traffic may be benign, and routing artifacts often disappear once services are restored, so captured data should be treated as contextual input, not definitive proof.

🔍 President Donald Trump suggested that U.S. cyber operations or other technical measures were used to cut power in Caracas during strikes that preceded the capture of Nicolás Maduro. If confirmed, this would be a rare, overt instance of U.S. offensive cyber action. Such operations are typically classified, and public details, technical indicators, and independent verification remain scarce. The claim raises significant legal and diplomatic concerns.

⚠️ Taiwan's National Security Agency reported that Chinese cyberattacks targeting the island's critical infrastructure rose 6% in 2025, averaging 2.6 million attacks per day. The assaults mainly focused on the energy sector, hospitals, banks and emergency services, and extended to the semiconductor industry, including TSMC. Attackers employed large-scale denial-of-service and man-in-the-middle techniques to disrupt operations and exfiltrate data. Many incidents reportedly coincided with Chinese military exercises and high-profile political events, while Beijing denies involvement.

🛡️ The Danish Defence Intelligence Service (DDIS) said on December 18, 2025 that Russian-aligned actors were responsible for recent destructive and disruptive cyber activity against Denmark. The agency named pro‑Russian hacktivist groups Z‑Pentest for a destructive 2024 intrusion at a water utility and NoName057(16) for DDoS campaigns targeting websites ahead of the 2025 municipal and regional elections. DDIS assessed both groups have links to the Russian state and are being used as instruments of a hybrid campaign to create insecurity and penalise countries supporting Ukraine. The statement followed a global advisory, co-signed by 23 law enforcement and intelligence bodies, which catalogued related TTPs.

🔒 Danish intelligence (DDIS) attributed a destructive cyberattack on a water utility to Russian-linked actors, identifying Z-Pentest as responsible for the sabotage and NoName057(16) for election-period DDoS operations. The agency said these actions are part of Moscow's broader hybrid campaign to punish countries supporting Ukraine. Officials will summon the Russian ambassador and warned the attacks undermine public security.

🚨Chainalysis reports North Korea's crypto thefts surged in 2025, exceeding $2bn and pushing the regime's cumulative haul to over $6.7bn. The firm says DPRK actors accounted for 60% of funds stolen this year, with the Bybit breach alone yielding an unprecedented $1.5bn; attackers are increasingly embedding IT workers inside exchanges and custodians to gain privileged access. They favor Chinese-language services, cross-chain bridges and mixers for laundering, while personal wallet thefts tripled in incidents but fell in average value to $713m overall.

🛡️The Greens say recent findings of Russian influence operations during the federal election confirm that existing protections for parliamentary democracy are inadequate. Although Germany implemented the NIS-2 law on December 6, 2024, it covers the federal administration and Bundestag administration but not the Bundestag as an institution or MPs' constituency offices. The federal government attributes an August 2024 cyberattack on air traffic control to the GRU-linked group Fancy Bear and says the campaign "Storm 1516" targeted the election with disinformation; the Russian ambassador was summoned.

🔍 A Russian state-sponsored cyberespionage group has shifted to exploiting misconfigurations in network-edge devices to target energy companies and critical infrastructure. Amazon Threat Intelligence found the actor, active since at least 2021, pivoted from known CVEs to passive credential harvesting via compromised routers, VPN concentrators and management appliances. Telemetry shows overlaps with GRU-linked Sandworm and Bitdefender’s Curly COMrades, with attackers intercepting traffic to replay credentials. Amazon urges audits of edge devices, isolation of management interfaces, enforcement of MFA and monitoring for anomalous authentication.

🔒 Amazon Threat Intelligence disrupted active operations attributed to GRU-linked hackers who targeted customer cloud infrastructure by abusing misconfigured edge devices. The multi-year campaign, observed since 2021 and focused on Western critical infrastructure and the energy sector, shifted in 2025 from zero-day exploitation to targeting exposed management interfaces on routers, VPN gateways, and network management appliances. Amazon isolated compromised EC2 instances, shared indicators, and advised audits, credential monitoring, and AWS controls like isolating management interfaces, restricting security groups, and enabling CloudTrail, GuardDuty, and VPC Flow Logs.

🛡️ Amazon's threat intelligence team disclosed a years-long campaign tied with high confidence to the GRU-affiliated APT44 (also tracked as FROZENBARENTS/Sandworm), which targeted Western critical infrastructure from 2021–2025. The actor shifted from zero-day exploitation to abusing misconfigured customer network edge devices and exposed management interfaces on AWS-hosted instances, enabling packet capture, credential harvesting, and credential replay against energy, telecom, and cloud providers. Amazon observed exploitation of WatchGuard (CVE-2022-26318), Atlassian Confluence (CVE-2021-26084, CVE-2023-22518), and Veeam (CVE-2023-27532), notified affected customers, disrupted active operations, and recommended audits, stronger authentication, and monitoring for unexpected access and credential replay.