< ciso
brief />
Tag Banner

All news with #nation state actor tag

192 articles · page 9 of 10

CISA Emergency Directive Targets Critical F5 Flaws

🛡️ CISA has issued Emergency Directive 26-01 requiring Federal Civilian Executive Branch agencies to install vendor-provided updates for at-risk F5 devices and software — including F5OS, BIG-IP TMOS, BIG-IQ, and BNK/CNF — by October 22, 2025. The action responds to disclosure that a nation-state actor maintained persistent access to F5 development environments and exfiltrated files containing embedded credentials and API keys. CISA will assess and support agency adherence and urges all entities using these products to apply mitigations immediately.
read more →

CISA Orders Federal Agencies to Patch F5 Devices Now

⚠ CISA issued Emergency Directive ED 26-01 directing Federal Civilian Executive Branch agencies to inventory and secure F5 BIG-IP hardware and software, assess public internet exposure of management interfaces, and apply vendor patches. Agencies must update specified F5 products by Oct. 22, 2025 (other devices by Oct. 31) and submit inventories to CISA by Oct. 29, 2025. The directive responds to a nation-state actor compromise that exfiltrated BIG-IP source code and vulnerability data.
read more →

OpenAI Disrupts Malware Abuse by Russian, DPRK, China

🛡️ OpenAI said it disrupted three clusters that misused ChatGPT to assist malware development, including Russian-language actors refining a RAT and credential stealer, North Korean operators tied to Xeno RAT campaigns, and Chinese-linked accounts targeting semiconductor firms. The company also blocked accounts used for scams, influence operations, and surveillance assistance and said actors worked around direct refusals by composing building-block code. OpenAI emphasized that models often declined explicit malicious prompts and that many outputs were not inherently harmful on their own.
read more →

Report Links BIETA Research Firm to China's MSS Operations

📰 Recorded Future assesses that the Beijing Institute of Electronics Technology and Application (BIETA) is likely directed by China's Ministry of State Security, citing links between at least four BIETA personnel and MSS officers and ties to the University of International Relations. Its subsidiary Beijing Sanxin Times Technology Co., Ltd. (CIII) develops steganography, covert-communications tools, and network-penetration and simulation software. The report warns these capabilities can support intelligence, counterintelligence, military, and other state-aligned cyber operations.
read more →

Phantom Taurus: China-Aligned Hackers Target State, Telecom

🔍Phantom Taurus, newly designated by Unit 42, is a China-aligned cyber-espionage group that has targeted government and telecommunications organizations across Africa, the Middle East and Asia for at least two and a half years. Researchers traced the activity from earlier cluster tracking through a 2024 campaign codename, noting a 2025 elevation to a distinct group. Phantom Taurus has shifted from email-server exfiltration to directly querying SQL Server databases via a custom mssq.bat executed over WMI, and deploys a previously undocumented .NET IIS malware suite dubbed NET-STAR.
read more →

Dutch Teens Arrested Over Suspected Foreign Espionage

🔍 Two 17-year-old boys in the Netherlands have been arrested on suspicion of espionage after Dutch media reported they were contacted via Telegram by a pro‑Russian hacker, a connection the National Public Prosecution Service has declined to confirm. One suspect was reportedly seen near sensitive buildings in The Hague, including Europol and the Canadian embassy, carrying a Wi‑Fi sniffer. Police seized electronic equipment during a home search; one teen is on house arrest and the other in pre‑trial detention. Prosecutors say the case is linked to foreign interference and are keeping details closed while the inquiry continues.
read more →

Dutch teens arrested for alleged espionage near Europol

🔍 Two Dutch 17-year-olds allegedly used a WiFi sniffer to spy near Europol, Eurojust, and the Canadian embassy in The Hague. They were reportedly recruited over Telegram and arrested after a tip from the national intelligence service, the AIVD. Europol says its systems show no signs of compromise. The suspects will remain in custody for at least two weeks while investigators probe the case.
read more →

September 2025 Zero-Day Exploits Impact Cisco ASA/FTD

⚠️ Cisco reported active exploitation of multiple zero-day vulnerabilities in ASA and FTD software by a state-sponsored actor tracked as ArcaneDoor. Two CVEs (CVE-2025-20333 and CVE-2025-20362) are being exploited in the wild and a third (CVE-2025-20363) is at high risk for imminent exploitation. Cisco released updates on Sep. 25, 2025, and CISA issued Emergency Directive 25-03; organizations should prioritize immediate patching or apply vendor mitigations when updates are not yet possible.
read more →

ArcaneDoor Targets Cisco ASA Firewalls in New Campaign

🔒 Cisco has linked a renewed campaign exploiting Cisco ASA 5500-X devices to the espionage-focused ArcaneDoor threat actor. The operation leveraged zero-day flaws, notably CVE-2025-20333 and CVE-2025-20362, to implant malware, modify ROMMON for persistence and evade detection by disabling logging and intercepting CLI commands. Observed compromises affected older ASA models lacking Secure Boot/Trust Anchor protections; Cisco and national authorities urge immediate remediation. Temporary mitigations include disabling SSL/TLS VPN web services and IKEv2 client services while applying vendor fixes and conducting forensics.
read more →

BRICKSTORM espionage campaign targeting appliances in US

🔒BRICKSTORM is a highly evasive backdoor campaign tracked by GTIG and Mandiant that targets network appliances and virtualization infrastructure to maintain long-term access to US organizations. The actor, tracked as UNC5221, deploys a Go-based malware with SOCKS proxy functionality and uses techniques — including zero‑day exploitation of edge appliances, credential capture via a BRICKSTEAL servlet filter, and VM cloning — to remain undetected for an average of 393 days. GTIG and Mandiant published YARA rules, a scanner, and a focused hunting checklist to help defenders locate infections and harden management interfaces and vSphere deployments.
read more →

US Secret Service Disrupts Massive SIM Farm Network

📵 The U.S. Secret Service says it disrupted a large network of SIM farms near New York City that officials warn could have disabled cellular service during the U.N. General Assembly. Agents seized more than 300 SIM servers and roughly 100,000 SIM cards across sites in New York, New Jersey and Connecticut. Authorities say the equipment could have texted the entire U.S. population within minutes, launched DDoS attacks, and interfered with emergency communications. The agency attributed the operation to nation-state actors working with organised crime, while specific locations and perpetrators remain undisclosed.
read more →

Cell Tower Hacking Network Dismantled Near UN Event

🔒 The US Secret Service has seized and dismantled a network of electronic devices across the New York tristate area that could be used to disrupt cellular service ahead of the United Nations General Assembly in New York City. Authorities recovered 300 co-located SIM servers and 100,000 SIM cards, equipment capable of enabling DoS attacks, disabling towers and facilitating anonymous encrypted communications. The operation was led by the agency’s Advanced Threat Interdiction Unit, which says early analysis identified contacts between individuals tied to the network and known nation-state threat actors; the investigation remains ongoing with multiple federal and local partners.
read more →

US Secret Service Seizes 300 SIM Servers, 100,000 Cards

🚨 The U.S. Secret Service announced it dismantled a network of more than 300 co-located SIM servers and roughly 100,000 SIM cards across the New York tri-state area ahead of the United Nations General Assembly. The devices, concentrated within a 35-mile radius of the UN gathering, were used to issue anonymous threats to senior U.S. officials and could be weaponized to disrupt telecommunications or enable encrypted communications. The agency's Advanced Threat Interdiction Unit is leading the investigation and said early evidence shows cellular links between nation-state actors and individuals known to federal law enforcement.
read more →

Leaked Documents Reveal Business of Chinese Surveillance

🔍 Leaked documents reveal how Chinese companies build and sell censorship, surveillance, and propaganda systems, showing that firms such as Geedge work with universities, tailor offerings to different government clients, and even reuse competitors’ infrastructure. The account draws clear parallels with Western vendors that began as academic projects and commercialized via government contracts. These disclosures complicate the image of a purely top-down Great Firewall, highlighting corporate incentives and market dynamics behind tools of control.
read more →

NCA to Lead Five Eyes Effort Against 'The Com' Networks

🔒 The UK's National Crime Agency will chair the Five Eyes Law Enforcement Group (FELEG) and concentrate on disrupting cybercrime, money laundering and online sexual abuse of children over the next two years. The NCA singled out loosely affiliated native-English networks known as 'The Com', which operate across messaging apps, gaming platforms and forums and share violent and child-abuse material. It also linked these groups to data-theft and extortion campaigns involving actors such as Scattered Spider, ShinyHunters and Lapsus$, citing incidents affecting retailers and luxury brands. FELEG has promoted the UK's Counter Terrorism Policing to full member status to strengthen responses to hybrid threats.
read more →

China-linked APT41 Targets U.S. Trade Policy Networks

🔒 The House Select Committee on China warned of an ongoing series of targeted cyber-espionage campaigns tied to the PRC that aim at organizations involved in U.S.–China trade talks. Attackers impersonated Rep. John Robert Moolenaar in phishing emails that delivered malware via attachments and links, abusing cloud services and software to conceal activity. The campaign, attributed to APT41, affected trade groups, law firms, think tanks, U.S. government agencies and at least one foreign government.
read more →

Chinese Cyber Espionage Impersonates US Congressman via Email

🕵️ The House Select Committee on Strategic Competition between the US and the CCP says Chinese-affiliated actors impersonated Representative John Moolenaar in multiple recent emails to trusted counterparts, delivering malicious files and links designed to compromise systems. The Committee's technical analysis found the attackers abused cloud services and developer tools to hide activity and exfiltrate data, behaviour it calls state-sponsored tradecraft. A Wall Street Journal report linked one bogus Moolenaar email to the Chinese-associated APT41, and the Committee has shared indicators with the FBI and US Capitol Police. Moolenaar condemned the operations and said the Committee will continue investigative and defensive work to protect sensitive deliberations.
read more →

Czech Agency Warns Against Chinese Tech in Critical Sectors

⚠️ The Czech National Cyber and Information Security Agency (NUKIB) is urging operators of critical infrastructure to avoid using Chinese technology or transferring user data to servers in China, citing a reassessed High risk of significant disruption. NUKIB confirmed malicious activity by Chinese cyber-actors, including an APT31 campaign against the Ministry of Foreign Affairs, and warned that Chinese law can permit state access to data held by domestic providers. The guidance is not an outright legal ban, but entities covered by the Czech Cybersecurity Act must include the threat in their risk analyses and adopt appropriate mitigations.
read more →

U.S. Offers $10M Reward for Info on FSB Cyber Hackers

🛡️ The U.S. Department of State is offering up to $10 million for information on three Russian FSB officers accused of carrying out cyberattacks against U.S. critical infrastructure. The named individuals — Marat Valeryevich Tyukov, Mikhail Mikhailovich Gavrilov, and Pavel Aleksandrovich Akulov — are tied to the FSB's Center 16, tracked under aliases such as Berserk Bear and Dragonfly. Charged in March 2022, the officers are alleged to have run intrusions from 2012–2017 targeting government agencies and energy firms, and recent activity shows exploitation of CVE-2018-0171 in end-of-life Cisco devices. The State Department directs tips to its Rewards for Justice Tor channel; eligible informants could receive rewards and relocation assistance.
read more →

Iran-linked Spear-Phishing Targets 100+ Embassies Worldwide

📧 Israeli cybersecurity company Dream has attributed a coordinated, multi-wave spear-phishing campaign to Iranian-aligned operators connected to Homeland Justice, targeting embassies, consulates, and international organizations globally. Attackers used geopolitical lures and 104 unique compromised sender addresses — including a hacked mailbox at the Oman Ministry of Foreign Affairs in Paris — to distribute Microsoft Word documents that prompt users to Enable Content and run embedded VBA macros. The macros drop executables that establish persistence, contact command-and-control servers, and harvest system information; ClearSky has also documented related activity and linked it to prior Iranian techniques.
read more →