All news with #nation state actor tag

⚠️ F5 has confirmed a nation-state actor maintained persistent access to its development systems, including the BIG-IP product development environment and engineering knowledge management platforms, with discovery in August and customer notification on October 15. The breach included stolen files containing BIG-IP source code and information on undisclosed vulnerabilities. While F5 reports no known active exploitation, it and CISA have urged immediate patching and mitigations, and the US government delayed public disclosure in September after a Justice Department order.

🔒 F5 Networks acknowledged that a highly sophisticated threat actor exfiltrated portions of BIG-IP source code, information about undisclosed vulnerabilities, and configuration data for a small percentage of customers. The company says there is no evidence of modification to its build pipelines or active exploitation of undisclosed critical vulnerabilities. F5 has released security updates for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG‑IQ, and APM clients and urges customers to apply them immediately. CISA has directed federal agencies to assess internet-exposed BIG-IP devices, and F5 will provide eligible customers a free subscription to CrowdStrike Falcon EDR.

🔒 F5 has released security updates for BIG-IP products to address vulnerabilities whose details were stolen during a state-linked breach detected on August 9, 2025. The vendor patched 44 issues across BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients and says it has not seen evidence the flaws were exploited or publicly disclosed. Customers are urged to apply updates immediately and follow F5's guidance to increase logging and monitoring.

🔒 F5 disclosed that unidentified threat actors accessed its systems and exfiltrated files including portions of BIG-IP source code and documentation on undisclosed product vulnerabilities. The company attributed the intrusion to a highly sophisticated nation-state threat actor, reported detection on August 9, 2025, and said it has contained the activity. F5 engaged Google Mandiant and CrowdStrike, rotated credentials, strengthened controls, and advised customers to apply updates to BIG-IP, F5OS, BIG-IQ, and APM clients.

🔒 F5 disclosed that nation-state attackers breached its systems and exfiltrated portions of BIG-IP source code and information about undisclosed vulnerabilities after gaining persistent access to product development and engineering knowledge platforms. The company says it first detected the intrusion on August 9, 2025, and has found no evidence the stolen data has been exploited or publicly disclosed. F5 reports that its software supply chain was not compromised and no suspicious code modifications were observed, while it continues identifying customers whose configuration or implementation details may have been taken.

⚠ CISA issued Emergency Directive ED 26-01 directing Federal Civilian Executive Branch agencies to inventory and secure F5 BIG-IP hardware and software, assess public internet exposure of management interfaces, and apply vendor patches. Agencies must update specified F5 products by Oct. 22, 2025 (other devices by Oct. 31) and submit inventories to CISA by Oct. 29, 2025. The directive responds to a nation-state actor compromise that exfiltrated BIG-IP source code and vulnerability data.

🛡️ CISA has issued Emergency Directive 26-01 requiring Federal Civilian Executive Branch agencies to install vendor-provided updates for at-risk F5 devices and software — including F5OS, BIG-IP TMOS, BIG-IQ, and BNK/CNF — by October 22, 2025. The action responds to disclosure that a nation-state actor maintained persistent access to F5 development environments and exfiltrated files containing embedded credentials and API keys. CISA will assess and support agency adherence and urges all entities using these products to apply mitigations immediately.

🛡️ OpenAI said it disrupted three clusters that misused ChatGPT to assist malware development, including Russian-language actors refining a RAT and credential stealer, North Korean operators tied to Xeno RAT campaigns, and Chinese-linked accounts targeting semiconductor firms. The company also blocked accounts used for scams, influence operations, and surveillance assistance and said actors worked around direct refusals by composing building-block code. OpenAI emphasized that models often declined explicit malicious prompts and that many outputs were not inherently harmful on their own.

📰 Recorded Future assesses that the Beijing Institute of Electronics Technology and Application (BIETA) is likely directed by China's Ministry of State Security, citing links between at least four BIETA personnel and MSS officers and ties to the University of International Relations. Its subsidiary Beijing Sanxin Times Technology Co., Ltd. (CIII) develops steganography, covert-communications tools, and network-penetration and simulation software. The report warns these capabilities can support intelligence, counterintelligence, military, and other state-aligned cyber operations.

🔍Phantom Taurus, newly designated by Unit 42, is a China-aligned cyber-espionage group that has targeted government and telecommunications organizations across Africa, the Middle East and Asia for at least two and a half years. Researchers traced the activity from earlier cluster tracking through a 2024 campaign codename, noting a 2025 elevation to a distinct group. Phantom Taurus has shifted from email-server exfiltration to directly querying SQL Server databases via a custom mssq.bat executed over WMI, and deploys a previously undocumented .NET IIS malware suite dubbed NET-STAR.

🔍 Two 17-year-old boys in the Netherlands have been arrested on suspicion of espionage after Dutch media reported they were contacted via Telegram by a pro‑Russian hacker, a connection the National Public Prosecution Service has declined to confirm. One suspect was reportedly seen near sensitive buildings in The Hague, including Europol and the Canadian embassy, carrying a Wi‑Fi sniffer. Police seized electronic equipment during a home search; one teen is on house arrest and the other in pre‑trial detention. Prosecutors say the case is linked to foreign interference and are keeping details closed while the inquiry continues.

🔍 Two Dutch 17-year-olds allegedly used a WiFi sniffer to spy near Europol, Eurojust, and the Canadian embassy in The Hague. They were reportedly recruited over Telegram and arrested after a tip from the national intelligence service, the AIVD. Europol says its systems show no signs of compromise. The suspects will remain in custody for at least two weeks while investigators probe the case.

⚠️ Cisco reported active exploitation of multiple zero-day vulnerabilities in ASA and FTD software by a state-sponsored actor tracked as ArcaneDoor. Two CVEs (CVE-2025-20333 and CVE-2025-20362) are being exploited in the wild and a third (CVE-2025-20363) is at high risk for imminent exploitation. Cisco released updates on Sep. 25, 2025, and CISA issued Emergency Directive 25-03; organizations should prioritize immediate patching or apply vendor mitigations when updates are not yet possible.

🔒 Cisco has linked a renewed campaign exploiting Cisco ASA 5500-X devices to the espionage-focused ArcaneDoor threat actor. The operation leveraged zero-day flaws, notably CVE-2025-20333 and CVE-2025-20362, to implant malware, modify ROMMON for persistence and evade detection by disabling logging and intercepting CLI commands. Observed compromises affected older ASA models lacking Secure Boot/Trust Anchor protections; Cisco and national authorities urge immediate remediation. Temporary mitigations include disabling SSL/TLS VPN web services and IKEv2 client services while applying vendor fixes and conducting forensics.

🔒BRICKSTORM is a highly evasive backdoor campaign tracked by GTIG and Mandiant that targets network appliances and virtualization infrastructure to maintain long-term access to US organizations. The actor, tracked as UNC5221, deploys a Go-based malware with SOCKS proxy functionality and uses techniques — including zero‑day exploitation of edge appliances, credential capture via a BRICKSTEAL servlet filter, and VM cloning — to remain undetected for an average of 393 days. GTIG and Mandiant published YARA rules, a scanner, and a focused hunting checklist to help defenders locate infections and harden management interfaces and vSphere deployments.

📵 The U.S. Secret Service says it disrupted a large network of SIM farms near New York City that officials warn could have disabled cellular service during the U.N. General Assembly. Agents seized more than 300 SIM servers and roughly 100,000 SIM cards across sites in New York, New Jersey and Connecticut. Authorities say the equipment could have texted the entire U.S. population within minutes, launched DDoS attacks, and interfered with emergency communications. The agency attributed the operation to nation-state actors working with organised crime, while specific locations and perpetrators remain undisclosed.

🔒 The US Secret Service has seized and dismantled a network of electronic devices across the New York tristate area that could be used to disrupt cellular service ahead of the United Nations General Assembly in New York City. Authorities recovered 300 co-located SIM servers and 100,000 SIM cards, equipment capable of enabling DoS attacks, disabling towers and facilitating anonymous encrypted communications. The operation was led by the agency’s Advanced Threat Interdiction Unit, which says early analysis identified contacts between individuals tied to the network and known nation-state threat actors; the investigation remains ongoing with multiple federal and local partners.

🚨 The U.S. Secret Service announced it dismantled a network of more than 300 co-located SIM servers and roughly 100,000 SIM cards across the New York tri-state area ahead of the United Nations General Assembly. The devices, concentrated within a 35-mile radius of the UN gathering, were used to issue anonymous threats to senior U.S. officials and could be weaponized to disrupt telecommunications or enable encrypted communications. The agency's Advanced Threat Interdiction Unit is leading the investigation and said early evidence shows cellular links between nation-state actors and individuals known to federal law enforcement.

🔍 Leaked documents reveal how Chinese companies build and sell censorship, surveillance, and propaganda systems, showing that firms such as Geedge work with universities, tailor offerings to different government clients, and even reuse competitors’ infrastructure. The account draws clear parallels with Western vendors that began as academic projects and commercialized via government contracts. These disclosures complicate the image of a purely top-down Great Firewall, highlighting corporate incentives and market dynamics behind tools of control.

🔒 The UK's National Crime Agency will chair the Five Eyes Law Enforcement Group (FELEG) and concentrate on disrupting cybercrime, money laundering and online sexual abuse of children over the next two years. The NCA singled out loosely affiliated native-English networks known as 'The Com', which operate across messaging apps, gaming platforms and forums and share violent and child-abuse material. It also linked these groups to data-theft and extortion campaigns involving actors such as Scattered Spider, ShinyHunters and Lapsus$, citing incidents affecting retailers and luxury brands. FELEG has promoted the UK's Counter Terrorism Policing to full member status to strengthen responses to hybrid threats.