All news with #nation state actor tag

🕒 In episode 442 of Smashing Security, Graham Cluley and guest Dave Bittner examine a state-backed actor that spent two years tunnelling toward a nation's master clock, creating the potential for widespread disruption to time-sensitive systems. They also discuss a disturbing case where ransomware negotiators allegedly turned rogue and carried out their own hacks. The discussion highlights investigative findings, operational impacts, and lessons for defenders tasked with protecting critical infrastructure.

🔒 SonicWall says a Mandiant-led investigation concluded that state-sponsored actors accessed cloud-stored firewall configuration backup files in September. The company reports the activity was isolated to a specific cloud environment and did not affect SonicWall products, firmware, source code, or customer networks. As a precaution, customers were advised to reset account credentials, temporary access codes, VPN passwords, and shared IPSec secrets. SonicWall also stated there is no connection between the breach and separate Akira ransomware activity.

⚠️ The Google Threat Intelligence Group (GTIG) reports that adversaries are evolving beyond simple productivity uses of AI toward operational misuse. Observed behaviors include state-sponsored actors from North Korea, Iran and the People's Republic of China using AI for reconnaissance, automated phishing lure creation and data exfiltration. The report documents AI-powered malware that can generate and modify malicious scripts in real time and attackers exploiting deceptive prompts to bypass model guardrails. Google says it has disabled assets linked to abuse and applied intelligence to improve classifiers and harden models against misuse.

🔒 The Google Threat Intelligence Group (GTIG) released a report documenting a clear shift: adversaries are moving beyond benign productivity uses of AI and are experimenting with AI-enabled operations. GTIG observed state-sponsored actors from North Korea, Iran and the People's Republic of China using AI for reconnaissance, tailored phishing lure creation and data exfiltration. Threats described include AI-powered, self-modifying malware, prompt-engineering to bypass safety guardrails, and underground markets selling advanced AI attack capabilities. Google says it has disrupted malicious assets and applied that intelligence to strengthen classifiers and its AI models.

🛡️ The Google Threat Intelligence Group (GTIG) released a November 2025 report describing how adversaries are evolving beyond productivity uses of AI to operationalize novel offensive capabilities. GTIG observed state-sponsored actors (including North Korea, Iran, and the People’s Republic of China) and criminal groups using AI for reconnaissance, tailored phishing-lure generation, prompt-based guardrail evasion, and AI-powered polymorphic malware. Google reports it has disabled malicious assets and applied this intelligence to strengthen both its classifiers and AI model defenses.

🔒 The Cybersecurity Forecast 2026 synthesizes frontline telemetry and expert analysis from Google Cloud security teams to outline the most significant threats and defensive shifts for the coming year. The report emphasizes how adversaries will broadly adopt AI to scale attacks, with specific risks including prompt injection and AI-enabled social engineering. It also highlights persistent cybercrime trends—ransomware, extortion, and on-chain resiliency—and evolving nation‑state campaigns. Organizations are urged to adapt IAM, secure AI agents, and harden virtualization controls to stay ahead.

🔍 CrowdStrike’s 2025 European Threat Landscape Report reveals rising extortion and intensifying nation-state operations across Europe, with Big Game Hunting (BGH) actors naming roughly 2,100 Europe-based victims on more than 100 dedicated leak sites since January 1, 2024. The United Kingdom, Germany, Italy, France and Spain are most targeted, across sectors such as manufacturing, professional services, technology, industrials and retail. The report details an active cybercrime ecosystem — forums, encrypted apps and marketplaces — and notes enabling techniques like voice phishing and fake CAPTCHA lures, while geopolitical conflicts drive expanded Russian-, Chinese-, Iranian- and DPRK-linked operations.

🛡️ Palo Alto Networks Unit 42 linked a suspected nation-state cluster (CL-STA-1009) to a new backdoor named Airstalk that abuses the AirWatch API (now Workspace ONE Unified Endpoint Management) as a covert command-and-control channel. The malware appears in PowerShell and more capable .NET variants and can capture screenshots, harvest browser cookies, history and bookmarks, and enumerate user files. Airstalk misuses MDM custom attributes as a dead-drop resolver and leverages the API blobs feature to exfiltrate large artifacts; some .NET samples were signed with a likely stolen certificate.

🔒 As October 2025 concludes, ESET Chief Security Evangelist Tony Anscombe reviews the month’s most significant cybersecurity developments and what they mean for defenders. He highlights that Windows 10 reached end of support on October 14 and outlines practical options for affected users and organizations. He also warns about info‑stealing malware spread through TikTok videos posing as free activation guides and summarizes Microsoft’s report that Russia, China, Iran and North Korea are increasingly using AI in cyberattacks — alongside China’s accusation of an NSA operation targeting its National Time Service Center.

🔒 In a filing with the SEC, Ribbon Communications disclosed that unauthorized actors, reportedly tied to a nation-state, had access to its IT network, with initial intrusion activity traced as far back as December 2024. The company detected the breach in September 2025, has worked to terminate access, and is collaborating with third-party cybersecurity experts and federal law enforcement. Ribbon says it has not yet found evidence of material corporate data theft, although attackers accessed customer files on two laptops outside the main network.

🛡️ The former general manager of L3Harris cyber-division Trenchant, Australian national Peter Williams, pleaded guilty in a US district court to stealing and selling zero-day exploit components to a Russian cyber broker. Prosecutors allege he exfiltrated at least eight exploit components via encrypted channels in exchange for millions in cryptocurrency and follow-on support payments. Authorities say the code could be worth tens of millions and that the broker’s clients include the Russian government, creating a national security threat. Williams faces up to 20 years in prison and significant fines.

🛡️ We have discovered a new Windows-based malware family named Airstalk that abuses the AirWatch (Workspace ONE UEM) API to establish a covert command-and-control channel and exfiltrate browser artifacts. Two variants were observed: a PowerShell variant focused on Chrome cookie and bookmark theft, and a more advanced .NET variant that adds multi-threaded C2, beaconing, versioning, and support for Microsoft Edge and Island Browser. Several .NET samples were signed with a likely stolen certificate that was revoked shortly after issuance. Unit 42 assesses with medium confidence that a suspected nation-state actor used Airstalk in a likely supply chain compromise and provides IoCs and mitigation guidance.

🔒 A new RUSI report published on 28 October finds cyber-related sanctions seldom fully disrupt state-backed attacks by themselves but can "toxify" networks, forcing intermediaries and collaborators to distance themselves from named actors. The study highlights the US as the most effective practitioner due to long-standing legal frameworks and coordinated use of diplomatic, legal and technical tools, while the EU and UK face operational and coordination limits. RUSI urges clearer strategic goals, cross-domain integration and targeted action against enablers like exchanges and service providers to boost impact.

🛡️ Federal Interior Minister Alexander Dobrindt's proposal for active cyber defense has drawn cross-party, cautious approval as he prepares a legal amendment to counter attacks originating from servers abroad. A ministry spokesperson says the measures would allow intervening steps to stop or mitigate attacks by manipulating or disrupting the IT systems or data traffic used, and stressed this is not about hackback or broad retaliatory strikes. Greens signaled conditional support if the approach follows rule-of-law principles, CDU security figures praised a more proactive stance, and Dobrindt expects to present the amendment to cabinet next year.

🧠 Kaspersky researchers have identified a sophisticated cyber-espionage campaign dubbed PassiveNeuron that has targeted government, financial, and industrial organizations across Asia, Africa, and Latin America since late 2024. The operation uses bespoke implants—Neursite (a C++ modular backdoor) and NeuralExecutor (a .NET loader)—alongside Cobalt Strike, leveraging compromised internal servers as intermediate C2s and a plugin architecture to maintain persistence and adapt tooling. Victims include internet-exposed servers; attackers have used SQL-based remote command execution, attempted ASPX web shells, deployed DLL loaders into the System32 directory, and in 2025 adopted a GitHub-based dead-drop resolver to retrieve C2 addresses.

🔍 China’s security authorities publicly accused the US National Security Agency of a covert operation against the National Time Service Center, alleging an SMS-service vulnerability was exploited beginning March 25, 2022 to compromise staff phones and steal data. Experts told CSO the claim is technically plausible but there is no public forensic evidence to confirm it conclusively. The alleged intrusion could affect Beijing Time, potentially disrupting communications, finance, power, transportation and space operations. Security specialists recommend hardening time infrastructure, avoiding SMS-based privileged logins, validating clocks against multiple trusted references, deploying cryptographic attestation for time signals, and following guidance from CISA.

🔍 China’s Ministry of State Security has accused the U.S. National Security Agency of conducting cyber intrusions against the National Time Service Center in Xi'an, alleging activity beginning in March 2022. The statement says the campaign initially exploited vulnerabilities in employees’ mobile phones and later affected center computers. Beijing warned that the center’s role in providing official time underpins communications, finance and power systems, and that interference could cause major disruptions. U.S. officials did not immediately respond to the allegation.

🕒 The Chinese Ministry of State Security (MSS) has accused the U.S. National Security Agency (NSA) of a "premeditated" multi-stage cyber intrusion targeting the National Time Service Center (NTSC), which manages Beijing Time. The MSS says the campaign began with SMS-based compromises of staff devices in March 2022 and escalated through credential reuse and a deployed "cyber warfare platform" between August 2023 and June 2024. According to the statement, the platform employed 42 specialized tools, forged digital certificates, and high-strength encryption while routing traffic through VPSes across the U.S., Europe, and Asia; Chinese agencies say they detected, neutralized the activity, and reinforced defenses.

🧑‍💻 Three 17-year-olds in the Netherlands are suspected of providing services to a foreign power after one was found communicating with an unnamed Russian-government-affiliated hacking group. Prosecutors say the linked suspect directed the others to repeatedly map Wi‑Fi networks in The Hague and then sold the collected data to the client's contact for a fee. The investigation, opened after a report from the Military Intelligence and Security Service, led to two arrests on 22 September and seizure of devices from a third minor. An updated Criminal Code effective 15 May 2025 now criminalizes digital espionage, carrying up to eight years' imprisonment (or up to 12 years in the most serious cases).

🔒 The Microsoft Digital Defense Report 2025 finds Germany was the most targeted EU country in the first half of 2025, receiving 3.3% of global cyberattacks. Attackers are driven more by profit than espionage, with ransomware used in 52% of incidents and pure espionage accounting for 4%. The report highlights threats linked to Russia, China, North Korea and Iran and recommends MFA—which can block 99.9% of credential-based attacks.