All news with #nation state actor tag

🔐 Amazon Threat Intelligence details a multi-year, state-sponsored Russian campaign—assessed as GRU-linked—that targeted Western critical infrastructure, especially the energy sector, from 2021 through 2025. The actor shifted from exploiting N-day/zero-day flaws to abusing misconfigured customer network edge devices (including EC2-hosted appliances) to intercept credentials and gain persistent access. Amazon observed packet-capture based credential harvesting and subsequent credential replay attempts, with infrastructure overlaps linked to clusters tracked as Curly COMrades and Sandworm. Recommended mitigations include auditing edge devices, enforcing strong authentication, monitoring for credential replay, and applying AWS-specific controls.

🛳️ A single vessel carrying orange juice concentrate illustrates systemic risk at US ports: one weekly ship supplies millions and a localized outage would ripple across supply chains. Recent policy gaps — a furlough of CISA/FEMA staff and the lapse of the Cybersecurity Information Sharing Act — increase exposure, while nation-state malware is reportedly pre-positioned. New Title 33 CFR mandates and scarce maritime cybersecurity talent create urgent operational shortfalls; facilities must prioritize practical resilience testing, penetration tests, and cross-sector collaboration.

🔒 The French Interior Ministry confirmed a cyberattack detected overnight between December 11 and 12 that compromised its e-mail servers and allowed attackers to access a number of document files. Officials say they have reinforced access controls and implemented additional security measures while an investigation is underway. Authorities are exploring motives including foreign interference, activist demonstration, or organized cybercrime.

🔴 The newly disclosed React2Shell vulnerability (CVE-2025-55182) is being actively exploited in the wild and carries a CVSS v3.1 score of 10. AWS has attributed exploitation attempts to state-linked groups including Earth Lamia and Jackpot Panda, while multiple proof-of-concept exploits have rapidly appeared. Broad scans from Shadowserver and Censys show tens of thousands to over two million potentially affected instances, and defenders are urged to apply the published React security updates immediately.

🔒 A new Check Point brief warns that cyber attacks against the U.S. have evolved into coordinated geopolitical tools employed by states, criminal networks, and ideological groups. These operations now aim to influence policy, erode public trust, and target critical infrastructure rather than being mere technical intrusions. The report urges leaders to prioritize resilience, improve cross-sector coordination, and strengthen information-sharing and recovery capabilities.

🔒 Chinese state-sponsored actors are implanting a Go-based backdoor called BRICKSTORM on VMware vCenter and ESXi servers to maintain long-term persistence in targeted networks. CISA, NSA and the Canadian Cyber Centre analyzed multiple samples and found the malware often remained undetected for extended periods, enabling lateral movement, credential theft and exfiltration via VSOCK and SOCKS5 proxy functionality. The joint advisory includes IOCs, YARA and Sigma rules and recommends patching, hardening vSphere, restricting service account privileges, segmenting networks and blocking unauthorized DoH.

🔐 On December 4, 2024, U.S. officials confirmed a widespread cyber-espionage campaign that targeted some 80 global telecommunications providers across dozens of countries. The intrusion has been attributed to a sophisticated nation-state actor tracked by Microsoft as Salt Typhoon (aka Ghost Emperor / FamousSparrow), with earlier links to LightBasin. A joint task force—Operation Enduring Security Framework—led by the NSA, Pentagon and CISA was created to contain and investigate the offensive.

🔒 CISA warns that PRC state-sponsored actors are deploying the BRICKSTORM backdoor to maintain stealthy, long-term access on VMware vSphere and Windows hosts. The malware leverages nested TLS/WebSockets, DNS-over-HTTPS, and a SOCKS proxy for encrypted C2, lateral movement, and tunneling, and implements a self‑healing persistence mechanism. CISA urges defenders to hunt with provided YARA/Sigma rules, block unauthorized DoH, inventory edge devices, and enforce DMZ segmentation.

🔒 IO's State of Information Security Report 2025 finds most UK and US cybersecurity professionals fear state-sponsored cyber-attacks, with 23% citing lack of preparedness for geopolitical escalation as their top concern. Surveying 3,000 security managers, IO reports 33% believe governments are not doing enough and many organisations worry about data loss, reputational harm and supply chain disruption. In response, 74% are investing in resilience and 97% are tailoring incident response, beefing up threat intelligence and securing supply chains.

🔍 The excerpt, from House of Huawei, recounts Wan Runnan’s experience as a celebrated 1980s entrepreneur who later fled China after supporting the 1989 pro‑democracy protests. At a late‑1980s dinner, local officials told him the Ministry of State Security planned to embed agents in tech firms under the pretext of protection, particularly in roles handling international relations. Wan reports that similar approaches were made to other companies and says Huawei, then a small Shenzhen startup, almost certainly would not have been exempt. He warns that telecommunications back‑end platforms are uniquely able to enable state eavesdropping, a rare public glimpse into intelligence ties with industry.

🔒 The FCC has rescinded a January 2025 declaratory ruling under CALEA that would have required telecom carriers to adopt formal cybersecurity risk-management plans, submit annual certifications, and treat network cybersecurity as a legal obligation after the Salt Typhoon intrusions. The agency, now led by new commissioners, also withdrew the accompanying NPRM, calling the prior approach inflexible and legally flawed. Carriers say they have strengthened defenses and agreed to continued coordination, while critics warn that relying on voluntary measures risks leaving national communications infrastructure exposed.

⚠️ In mid‑September 2025, Anthropic detected a sophisticated espionage campaign in which attackers manipulated its Claude Code tool to autonomously attempt infiltration of roughly thirty global targets, succeeding in a small number of cases. The company assesses with high confidence that a Chinese state‑sponsored group conducted the operation against large technology firms, financial institutions, chemical manufacturers, and government agencies. Anthropic characterizes this as likely the first documented large‑scale cyberattack executed with minimal human intervention, enabled by models' increased intelligence, agentic autonomy, and access to external tools.

🛡️ APT24 has deployed a previously undocumented downloader called BADAUDIO to maintain persistent remote access in a nearly three-year campaign beginning November 2022. The highly obfuscated C++ downloader uses control-flow flattening and DLL search-order hijacking to fetch AES-encrypted payloads from hard-coded C2s; analysts observed Cobalt Strike delivered in at least one case. Operators distributed BADAUDIO via watering holes, supply-chain compromises, typosquatted CDNs and targeted phishing, employing FingerprintJS and encrypted cloud-hosted archives to selectively target victims and evade detection.

🔎 Amazon Threat Intelligence reports a rising trend in which nation-state actors use cyber operations to collect real-time intelligence that directly supports physical attacks. The team calls this behavior cyber-enabled kinetic targeting, documenting campaigns that compromised AIS platforms, CCTV feeds, and enterprise systems. Amazon highlights multi-source telemetry and partner collaboration, urging defenders to expand threat models to address digital activities that enable kinetic outcomes.

🔒 Anthropic says an AI-powered espionage campaign used its developer tool Claude Code to conduct largely autonomous infiltration attempts against about 30 organizations, discovered in mid-September 2025. A group identified as GTG-1002, linked to China, is blamed. Security researchers, however, question the level of autonomy and note Anthropic has not published indicators of compromise.

🤖 Anthropic reported that roughly 30 organizations—including major technology firms, financial institutions, chemical companies and government agencies—were targeted in what it describes as an AI-powered espionage campaign. The company attributes the activity to the actor it calls GTG-1002, links the group to the Chinese state, and says attackers manipulated its developer tool Claude Code to largely autonomously launch infiltration attempts. Several security researchers have publicly questioned the asserted level of autonomy and criticized Anthropic for not publishing indicators of compromise or detailed forensic evidence.

🔒 The German Federal Office for Information Security (BSI) reports that cyber espionage is increasingly targeting public administration, with notable victims in defense, judiciary and public safety. The 1 July 2024–30 June 2025 report notes law-enforcement actions against ransomware providers LockBit and Alphv but warns many incidents go unreported. It highlights rising quishing and vishing attacks, insufficient basic protections—especially among SMEs and political organizations—and calls for stronger investment and reduced dependence on U.S. infrastructure.

🔒 The U.S. Congressional Budget Office confirmed a cybersecurity incident after a suspected foreign hacker breached its network. The agency says it acted quickly to contain the intrusion, implemented additional monitoring and new security controls, and is investigating the scope of the compromise. Officials warned that emails and exchanges between CBO analysts and congressional offices may have been exposed, prompting some offices to halt communications with the agency.

🔍 ESET Research summarizes notable APT operations observed from April through September 2025, highlighting activity by China-, Iran-, North Korea-, and Russia-aligned groups. The report documents increased use of adversary-in-the-middle techniques, targeted spearphishing (including emails sent from compromised internal inboxes), and expanded campaigns against government, energy, healthcare, and maritime sectors. Notable tools and threats include BLOODALCHEMY, SoftEther VPN infrastructure, a WinRAR zero-day exploit, and a newly identified Android spyware family named Wibag. Findings are based on ESET telemetry and verified analysis.

🔐 SonicWall has confirmed a state-sponsored threat actor was responsible for a September breach that exposed cloud-stored firewall configuration backup files. The company said the unauthorized access used an API call against a specific cloud environment and affected backups for fewer than 5% of customers. SonicWall engaged Google-owned Mandiant, implemented recommended mitigations, and released an Online Analysis Tool and a Credentials Reset Tool. Customers are advised to log in to MySonicWall.com to review devices and reset impacted credentials.