CyberScoop
cyberscoop.com
Written by Matt Kapko
November 7, 2025
Aleksei Olegovich Volkov served as an initial access broker and was involved in attacks on seven U.S. businesses from July 2021 through November 2022.
A 25-year-old Russian national pleaded guilty to multiple charges stemming from their participation in ransomware attacks and faces a maximum penalty of up to 53 years in prison.
Aleksei Olegovich Volkov, also known as “chubaka.kor,” served as the initial access broker for the Yanluowang ransomware group while living in Russia from July 2021 through November 2022, according to court records. Prosecutors accuse Volkov and unnamed co-conspirators of attacking seven U.S. businesses during that period, including two that paid a combined $1.5 million in ransoms.
The victims, which included an engineering firm and a bank, said executives received harassing phone calls and their networks were hit with distributed denial of service attacks after their data was stolen and encrypted by Yanluowang ransomware operators.
Cisco wasn’t named in the court filings for Volkov’s case, but the enterprise networking and security vendor said it was impacted by an attack attributed to Yanluowang ransomware in May 2022. Cisco linked the attack to an initial access broker who had ties to UNC2447, Lapsus$ and Yanluowang ransomware operators.
Volkov identified targets, exploited vulnerabilities in their systems, and shared access with co-conspirators for a flat fee or percentage of the ransom paid by the victim, according to prosecutors.
Some of Volkov’s alleged victims were unable to function normally without access to their data and had to temporarily shut down operations in the wake of the attacks. Prosecutors said the total amount demanded in ransoms from all seven victims was $24 million.
The FBI said it traced cryptocurrency transactions related to the payments to accounts reportedly owned by Volkov and a co-conspirator, “CC-1,” who was residing in Indianapolis at the time.
Blockchain analysis allowed the FBI to confirm Volkov’s identity and uncover multiple accounts they used to communicate with co-conspirators about ransomware attacks, payments and splitting illicit proceeds from their criminal activities, according to court records.
Volkov, who is also identified as Aleskey Olegovich Volkov in the unsealed indictment, was arrested Jan. 18, 2024, in Rome, where they were living at the time. Volkov was later extradited to the United States and remains in custody in Indiana.
Volkov previously filed an intention to plead guilty in April in the U.S. District Court for the Eastern District of Pennsylvania and agreed to have their case transferred to the U.S. District Court for the Southern District of Indiana.
Volkov pleaded guilty to six charges Oct. 29, including unlawful transfer of a means of identification, trafficking in access information, access device fraud, aggravated identity theft, conspiracy to commit computer fraud and conspiracy to commit money laundering. Court Watch was the first to report on Volkov’s guilty plea.
The plea agreement, which was filed Monday, did not include an agreed upon sentence, but Volkov is required to pay a combined restitution of nearly $9.2 million to the seven victims. Volkov’s attorney did not respond to a request for comment.
CyberScoop
cyberscoop.com
Written by Matt Kapko
November 13, 2025
The newspaper said a “bad actor” contacted the company in late September, prompting an investigation that nearly a month later confirmed the extent of compromise.
The Washington Post said it, too, was impacted by the data theft and extortion campaign targeting Oracle E-Business Suite customers, compromising human resources data on nearly 10,000 current and former employees and contractors.
The company was first alerted to the attack and launched an investigation when a “bad actor” contacted the media company Sept. 29 claiming they gained access to the company’s Oracle applications, according to a data breach notification it filed in Maine Wednesday. The Washington Post later determined the attacker had access to its Oracle environment from July 10 to Aug. 22.
The newspaper is among dozens of Oracle customers targeted by the Clop ransomware group, which exploited a zero-day vulnerability affecting Oracle E-Business Suite to steal heaps of data. Other confirmed victims include Envoy Air and GlobalLogic.
The Washington Post said it confirmed the extent of data stolen during the attack on Oct. 27, noting that personal information on 9,720 people, including names, bank account numbers and routing numbers, and Social Security numbers were exposed. The company didn’t explain why it took almost a month to determine the amount of data stolen and has not responded to multiple requests for comment.
Oracle disclosed and issued a patch for the zero-day vulnerability — CVE-2025-61882 affecting Oracle E-Business Suite — in a security advisory Oct. 4, and previously said it was aware some customers had received extortion emails. Mandiant, responding to the immediate fallout from the attacks, said Clop exploited multiple vulnerabilities, including the zero-day to access and steal large amounts of data from Oracle E-Business Suite customer environments.
Oracle, its customers and third-party researchers were not aware of the attacks until executives of alleged victim organizations received extortion emails from members of Clop demanding payment in late September. Cynthia Kaiser, senior vice president of Halcyon’s ransomware research center, previously told CyberScoop ransom demands reached up to $50 million.
Clop’s data-leak site included almost 30 alleged victims as of last week. The notorious ransomware group has threatened to leak alleged victims’ data unless it receives payment.
The ransomware group has intruded multiple technology vendors’ systems before, allowing it to steal data and extort many downstream customers. Clop specializes in exploiting vulnerabilities in file-transfer services and achieved mass exploitation in 2023 when it infiltrated MOVEit environments, ultimately exposing data from more than 2,300 organizations.
thephuketnews.com
By The Phuket News
Friday 14 November 2025 10:13 AM
PHUKET: Multiple international outlets are reporting that the 35-year-old Russian man arrested in Phuket by Thai cyber police earlier this week is likely GRU military intelligence officer Aleksey Lukashev.
The Cyber Crime Investigation Bureau (CCIB) confirmed the arrest on Wednesday (Nov 12), following a coordinated investigation with the FBI, Phuket Immigration, Region 8 Crime Suppression Division, Phuket Provincial Police, the Tourist Police Bureau, the Police Forensic Science Office, and the Office of the Attorney General.
Local Phuket agencies have not posted any reports of the arrest.
According to the CCIB report, Thai authorities were alerted to Lukashev’s presence after CCIB Commissioner Pol Lt Gen Surapol Prembut received intelligence from the FBI that a “world-class hacker” – previously linked to cyberattacks on government institutions in Europe and the US – had entered Thailand and was hiding in Phuket.
The man arrived at Phuket International Airport on Oct 30, 2025, and checked into a hotel in Thalang, said the report. Of note, Thalang District covers the entire north half of the island and includes areas such as Bang Tao and Cherng Talay.
An investigation team from Phuket Immigration tracked his movements before coordinating with prosecutors to issue an arrest warrant under the Extradition Act of 2008, said the CCIB report.
A Criminal Court search warrant was then executed at the hotel, where officers seized laptops, mobile phones and “digital wallets” for forensic examination.
FBI agents were present as observers. The suspect has been formally charged as a person requested for extradition by the United States and has been handed over to the Office of the Attorney General for the formal extradition process, the report noted.
Since then, UK media outlet ‘The Sun US’ has reported that Thai police have likely detained GRU officer Aleksey Lukashev, linking him to two high-profile operations: the hacking of Hillary Clinton’s 2016 presidential campaign and the GRU operation surrounding the Skripal Novichok poisonings.
The report notes that blurred images from the arrest show a strong resemblance to the FBI’s wanted notice for Lukashev, and that FBI personnel were present in Phuket during the operation.
Lukashev, a senior lieutenant in Russia’s GRU Unit 26165 (also known as APT28 or ‘Fancy Bear’), is accused of:
hacking computers belonging to US political organisations during the 2016 election
phishing the email account of Hillary Clinton’s campaign chairman John Podesta
involvement in cyber activity linked to the Skripal case
conducting attacks on government bodies across Europe and the US
Lukashev appears on the FBI’s Most Wanted list and is under UK sanctions.
Overnight, Russia-based investigative outlet ‘The Insider’ independently reported that only one GRU hacker on the FBI’s wanted list matches the age released by Thai police – Aleksey Viktorovich Lukashev.
According to The Insider:
Lukashev, born in Murmansk, is wanted in the US for conspiracy to commit computer intrusions, identity theft, domain fraud, and money laundering.
He used multiple aliases, including ‘Den Katenberg’ and ‘Yuliana Martynova’.
A US federal court issued a warrant for his arrest in 2018.
The hacker group he worked with, APT28/Fancy Bear, has been linked to attacks on the White House, NATO, the IOC, WADA, the German Bundestag, and ministries across Europe.
The same group also targeted Russian opposition figures, NGOs and journalists, including reporters from The Insider.
OPERATION 293
As part of the wider ‘Operation 293’, Thai cyber police also reported seizing digital assets linked to the suspect.
Investigators said malware linked to the man had stolen authentication keys and crypto trading credentials from Thai victims. More than B14 million in cryptocurrency was recovered and returned in cooperation with Tether and Thai exchange Bitkub. At least six Thai victims were identified with total losses exceeding 100,000 USDT.
CCIB in its report stressed that the arrest was made under Thailand’s extradition law rather than through immigration offences or visa cancellation.
The suspect remains in custody and has not been publicly named as the investigation is ongoing.
The CCIB in its report said the case marked a significant step in expanding operational cooperation with the FBI in the global fight against transnational cybercrime.
Ars Technica
arstechnica.com
Dan Goodin – 14 Nov. 2025 13:20
The results of AI-assisted hacking aren’t as impressive as many might have us believe.
Researchers from Anthropic said they recently observed the “first reported AI-orchestrated cyber espionage campaign” after detecting China-state hackers using the company’s Claude AI tool in a campaign aimed at dozens of targets. Outside researchers are much more measured in describing the significance of the discovery.
Anthropic published the reports on Thursday here and here. In September, the reports said, Anthropic discovered a “highly sophisticated espionage campaign,” carried out by a Chinese state-sponsored group, that used Claude Code to automate up to 90 percent of the work. Human intervention was required “only sporadically (perhaps 4-6 critical decision points per hacking campaign).” Anthropic said the hackers had employed AI agentic capabilities to an “unprecedented” extent.
“This campaign has substantial implications for cybersecurity in the age of AI ‘agents’—systems that can be run autonomously for long periods of time and that complete complex tasks largely independent of human intervention,” Anthropic said. “Agents are valuable for everyday work and productivity—but in the wrong hands, they can substantially increase the viability of large-scale cyberattacks.”
“Ass-kissing, stonewalling, and acid trips”
Outside researchers weren’t convinced the discovery was the watershed moment the Anthropic posts made it out to be. They questioned why these sorts of advances are often attributed to malicious hackers when white-hat hackers and developers of legitimate software keep reporting only incremental gains from their use of AI.
“I continue to refuse to believe that attackers are somehow able to get these models to jump through hoops that nobody else can,” Dan Tentler, executive founder of Phobos Group and a researcher with expertise in complex security breaches, told Ars. “Why do the models give these attackers what they want 90% of the time but the rest of us have to deal with ass-kissing, stonewalling, and acid trips?”
Researchers don’t deny that AI tools can improve workflow and shorten the time required for certain tasks, such as triage, log analysis, and reverse engineering. But the ability for AI to automate a complex chain of tasks with such minimal human interaction remains elusive. Many researchers compare advances from AI in cyberattacks to those provided by hacking tools such as Metasploit or SEToolkit, which have been in use for decades. There’s no doubt that these tools are useful, but their advent didn’t meaningfully increase hackers’ capabilities or the severity of the attacks they produced.
Another reason the results aren’t as impressive as they’re made out to be: The threat actors—which Anthropic tracks as GTG-1002—targeted at least 30 organizations, including major technology corporations and government agencies. Of those, only a “small number” of the attacks succeeded. That, in turn, raises questions. Even assuming so much human interaction was eliminated from the process, what good is that when the success rate is so low? Would the number of successes have increased if the attackers had used more traditional, human-involved methods?
According to Anthropic’s account, the hackers used Claude to orchestrate attacks using readily available open source software and frameworks. These tools have existed for years and are already easy for defenders to detect. Anthropic didn’t detail the specific techniques, tooling, or exploitation that occurred in the attacks, but so far, there’s no indication that the use of AI made them more potent or stealthy than more traditional techniques.
“The threat actors aren’t inventing something new here,” independent researcher Kevin Beaumont said.
Even Anthropic noted “an important limitation” in its findings:
Claude frequently overstated findings and occasionally fabricated data during autonomous operations, claiming to have obtained credentials that didn’t work or identifying critical discoveries that proved to be publicly available information. This AI hallucination in offensive security contexts presented challenges for the actor’s operational effectiveness, requiring careful validation of all claimed results. This remains an obstacle to fully autonomous cyberattacks.
How (Anthropic says) the attack unfolded
Anthropic said GTG-1002 developed an autonomous attack framework that used Claude as an orchestration mechanism that largely eliminated the need for human involvement. This orchestration system broke complex multi-stage attacks into smaller technical tasks such as vulnerability scanning, credential validation, data extraction, and lateral movement.
“The architecture incorporated Claude’s technical capabilities as an execution engine within a larger automated system, where the AI performed specific technical actions based on the human operators’ instructions while the orchestration logic maintained attack state, managed phase transitions, and aggregated results across multiple sessions,” Anthropic said. “This approach allowed the threat actor to achieve operational scale typically associated with nation-state campaigns while maintaining minimal direct involvement, as the framework autonomously progressed through reconnaissance, initial access, persistence, and data exfiltration phases by sequencing Claude’s responses and adapting subsequent requests based on discovered information.”
The attacks followed a five-phase structure that increased AI autonomy through each one.
The life cycle of the cyberattack, showing the move from human-led targeting to largely AI-driven attacks using various tools, often via the Model Context Protocol (MCP). At various points during the attack, the AI returns to its human operator for review and further direction. Credit: Anthropic
The attackers were able to bypass Claude guardrails in part by breaking tasks into small steps that, in isolation, the AI tool didn’t interpret as malicious. In other cases, the attackers couched their inquiries in the context of security professionals trying to use Claude to improve defenses.
As noted last week, AI-developed malware has a long way to go before it poses a real-world threat. There’s no reason to doubt that AI-assisted cyberattacks may one day produce more potent attacks. But the data so far indicates that threat actors—like most others using AI—are seeing mixed results that aren’t nearly as impressive as those in the AI industry claim.
bbc.com
Joe Tidy
Cyber correspondent, BBC World Service
One of the world's most prominent cyber-criminals speaks to the BBC in an exclusive interview.
After years of reading about "Tank" and months of planning a visit to him in a Colorado prison, I hear the door click open before I see him walk into the room.
I stand up ready to give this former cyber-crime kingpin a professional hello. But, like a cheeky cartoon character, he pokes his head around a pillar with a giant grin on his face and winks.
Tank, whose real name is Vyacheslav Penchukov, climbed to the top of the cyber-underworld not so much with technical wizardry, but with criminal charm.
"I am a friendly guy, I make friends easily," the 39-year-old Ukrainian says, with a broad smile.
Having friends in high places is said to be one of the reasons Penchukov managed to evade police for so long. He spent nearly 10 years on the FBI's Most Wanted list and was a leader of two separate gangs in two distinct periods of cyber-crime history.
It is rare to speak to such a high-level cyber-criminal who has left so many victims behind him; Penchukov spoke to us for six hours over two days as part of the ongoing podcast series Cyber Hack: Evil Corp.
The exclusive interview - Penchukov's first ever - reveals the inner workings of these prolific cyber-gangs, the mindset of some of the individuals behind them and never-before-known details about hackers still at large - including the alleged leader of the sanctioned Russian group, Evil Corp.
It took more than 15 years for authorities to finally arrest Penchukov in a dramatic operation in Switzerland in 2022.
"There were snipers on the roof and the police put me on the ground and handcuffed me and put a bag on my head on the street in front of my kids. They were scared," he recalls with annoyance.
He is still bitter about how he was arrested, arguing that it was over the top. His thousands of victims around the world would strongly disagree with him: Penchukov and the gangs he either led or was a part of stole tens of millions of pounds from them.
In the late 2000s, he and the infamous Jabber Zeus crew used revolutionary cyber-crime tech to steal directly from the bank accounts of small businesses, local authorities and even charities. Victims saw their savings wiped out and balance sheets upended. In the UK alone, there were more than 600 victims, who lost more than £4m ($5.2m) in just three months.
Between 2018 and 2022, Penchukov set his sights higher, joining the thriving ransomware ecosystem with gangs that targeted international corporations and even a hospital.
Englewood Correctional Facility, where Penchukov is being held, would not let us take any recording equipment inside the prison, so a producer and I make notes during the interview as we are watched over by a guard nearby.
The first thing that stands out about Penchukov is that, although he is eager to be released, he seems in high spirits and is clearly making the most of his time in prison. He tells me he plays a lot of sport, is learning French and English - a well-thumbed Russian-English dictionary stays by his side throughout our interview - and is racking up high-school diplomas. He must be smart, I suggest. "Not smart enough - I'm in prison," he jokes.
Englewood is a low-security prison with good facilities. The low-rise but sprawling building sits in the foothills of the Rocky Mountains in Colorado. The dusty grass verges surrounding the prison are teeming with noisy prairie dogs scurrying into their burrows whenever disturbed by prison vehicles coming and going.
It is a long way from Donetsk, Ukraine, where he ran his first cyber-crime gang after falling into hacking through games cheat forums, where he would look for cheats for his favourite video games like Fifa 99 and Counterstrike.
He became the leader of the prolific Jabber Zeus crew - so named because of their use of the revolutionary Zeus malware and their favourite communication platform, Jabber.
Penchukov worked with a small group of hackers that included Maksim Yakubets - a Russian who would go on to be sanctioned by the US government, accused of leading the infamous cyber-group Evil Corp.
Penchukov says that throughout the late 2000s, the Jabber Zeus crew would work out of an office in the centre of Donetsk, putting in six to seven-hour days stealing money from victims overseas. Penchukov would often end his day with a DJ set in the city, playing under the name DJ Slava Rich.
Cyber-crime in those days was "easy money", he says. The banks had no idea how to stop it and police in the US, Ukraine and the UK could not keep up.
In his early 20s, he was making so much money he bought himself "new cars like they were new clothes". He had six in total - "all expensive German ones".
But police got a breakthrough when they managed to eavesdrop on the criminals' text chats in Jabber and discovered the true identity of Tank using details he had given away about the birth of his daughter.
The net closed in on the Jabber Zeus crew, and an FBI-led operation called Trident Breach saw arrests in Ukraine and the UK. But Penchukov slipped through the net thanks to a tip-off from someone he will not name. And thanks to one of his fast cars.
"I had an Audi S8 with a 500-horsepower Lamborghini engine so when I saw the cops flashing lights in my rear view mirror, I jumped the red light and lost them easily. It gave me a chance to test the full power of my car," he says.
He laid low with a friend for a while, but when the FBI left Ukraine, the local authorities seemed to lose interest in him.
So Penchukov kept under the radar and, he says, went straight. He started a company buying and selling coal, but the FBI was still on the trail.
"I was on holiday in Crimea when I got a message from a friend who saw that I had been put on the FBI Most Wanted list. I thought I had got away with it all - then I realised I have a new problem," he says, an obvious understatement.
His lawyer at the time was calm, though, and advised him not to worry: as long as he did not travel outside of Ukraine or Russia, US police could not do much.
The Ukrainian authorities did eventually come knocking - but not to arrest him.
Penchukov had been outed as a wealthy hacker wanted by the West and he alleges that almost every day, officials would come and shake him down for money.
His coal-selling business was going well until Russia's invasion of Crimea in 2014. President Putin's so-called "Little Green Men" - Russian soldiers in unmarked uniforms - ruined his business and missiles struck his apartment in Donetsk, damaging his daughter's bedroom.
Penchukov says that it was business troubles and the constant payouts to Ukrainian officials that led him to once again fire up his laptop and get back into the cyber-crime life.
"I just decided it was the fastest way to make money to pay them," he says.
His journey charts the evolution of modern cyber-crime - from quick and easy bank account theft to ransomware, today's most pernicious and damaging type of cyber-attack used in high-profile hacks this year, including on UK High Street stalwart Marks & Spencer.
He says ransomware was harder work but the money was good. "Cyber-security had improved a lot, but we were able to make about $200,000 a month. Much higher profits."
In a revealing anecdote, he remembers rumours that started about a crew being paid $20m (£15.3m) from a hospital that had been crippled by ransomware.
Penchukov says the news fired up the hundreds of hackers in the criminal forums who all then went after US medical institutions to repeat the pay day. These hacker communities have a "herd mentality", he says: "People don't care about the medical side of things - all they see is 20 millions being paid."
Penchukov rebuilt his connections and skills to become one of the top affiliates of ransomware services, including Maze, Egregor and the prolific group Conti.
When asked if these criminal groups worked with Russian security services - a regular accusation from the West - Penchukov shrugs and says: "Of course." He says that some ransomware gang members sometimes talked about speaking to "their handlers" in the Russian security services, like the FSB.
The BBC wrote to the Russian Embassy in London, asking if the Russian government or its intelligence agencies engaged with cyber criminals to aid cyber espionage, but received no reply.
Penchukov soon rose to the top again and became a leader of IcedID - a gang that infected more than 150,000 computers with malicious software and led to various types of cyber-attack, including ransomware. Penchukov was in charge of a team of hackers who would sift through the infected computers to work out how best to make money from them.
One victim they infected with ransomware in 2020 was the University of Vermont Medical Center in the US. According to US prosecutors, this led to the loss of more than $30m (£23m) and left the medical centre unable to provide many critical patient services for more than two weeks.
Although no-one died, prosecutors say the attack, which disabled 5,000 hospital computers, created a risk of death or serious injury to patients. Penchukov denies he actually did it, claiming he only admitted to it in order to reduce his sentence.
Overall, Penchukov, who has since changed his surname to Andreev, feels the two nine-year sentences he is serving concurrently are too much for what he did (he is hoping to get out much sooner). He has also been ordered to pay $54m (£41.4m) in restitution to victims.
His view as a young hacker who started in cyber-crime as a teenager is that Western companies and people could afford to lose money and that everything was covered by insurance anyway.
But when I speak to one of his early victims from the Jabber Zeus days, it is clear his attacks did have a harmful impact on innocent people.
Lieber's Luggage, a family-run business in Albuquerque, New Mexico, had $12,000 (£9,200) stolen in one swipe by the gang. Owner Leslee still recalls the shock years later.
"It was just disbelief and horror when the bank called because we had no idea what had happened, and the bank clearly didn't have any idea," she says.
While a modest sum, it was devastating for the business, as the money was used for paying rent, buying merchandise and paying staff.
They did not have any savings to fall back on and, to make matters worse, Leslee's elderly mother was in charge of the company accounts and she blamed herself until the theft was uncovered.
"We had all of those feelings, the anger, the frustration, the fear," she says.
When I ask them what they would like to say to the hackers responsible, they think it is futile to try to change the minds of these callous criminals.
"There's nothing that we could say that would affect him," Leslee says.
"I wouldn't give him the time of day," her husband Frank adds.
Penchukov says he did not think about the victims, and he does not seem to do so much now, either. The only sign of remorse in our conversation was when he talked about a ransomware attack on a disabled children's charity.
His only real regret seems to be that he became too trusting with his fellow hackers, which ultimately led to him and many other criminals being caught.
"You can't make friends in cyber-crime, because the next day, your friends will be arrested and they will become an informant," he says.
"Paranoia is a constant friend of hackers," he says. But success leads to mistakes.
"If you do cyber-crime long enough you lose your edge," he says, wistfully.
As if to highlight the disloyal nature of the cyber underworld, Penchukov says he deliberately avoided any further contact with his one-time Jabber Zeus collaborator and friend Maksim Yakubets after the Russian was outed and sanctioned in 2019 by Western authorities.
Penchukov says that he noticed a distinct change in the hacker community as people shunned working with Yakubets and many of his alleged Evil Corp associates.
Previously Penchukov and "Aqua", as Yakubets was known, had hung out in Moscow drinking and eating in luxury restaurants. "He had bodyguards, which I thought was strange - almost like he wanted to show off his wealth or something," he says.
Being ostracised from the cyber crime world did not deter Evil Corp though and last year, the UK's National Crime Agency accused other members of the Yakubets family of being involved in the decade-long crime spree, sanctioning 16 members of the organisation in total.
But unlike Penchukov, the chances of police collaring him or others in the gang seem low. With a $5m bounty out for information leading to his arrest, Yakubets and his alleged co-conspirators are unlikely to repeat Penchukov's mistake of leaving their country.
The Record from Recorded Future News
therecord.media
Jonathan Greig
November 13th, 2025
FBI: Akira gang has received nearly $250 million in ransoms
Government agencies in the U.S. and Europe shared new information on Thursday to help organizations defend themselves against the Akira ransomware gang, which has attacked small- and medium-sized businesses since 2023.
The updates to an April 2024 advisory about the group’s operations include a new list of tactics and vulnerabilities being exploited in attacks.
As of late September, Akira is believed to have claimed more than $244 million in ransomware proceeds, according to the advisory.
“Akira ransomware doesn’t just steal money – it disrupts the systems that power our hospitals, schools, and businesses,” said FBI Cyber Division Assistant Director Brett Leatherman. “Behind every compromised network, you’ll find real people and communities harmed by callous cyber criminals.”
In addition to the FBI, the Defense Department and the Health and Human Services Department contributed to the advisory. Europol and law enforcement agencies in France, Germany and the Netherlands were also involved in the updated advisory.
The group has allegedly targeted the manufacturing, education, IT and healthcare sectors.
“Akira threat actors gain access to VPN products, such as SonicWall, by stealing login credentials or exploiting vulnerabilities like CVE-2024-40766,” the agencies said.
“In some instances, they gain initial access through compromised VPN credentials, potentially by using initial access brokers or brute-forcing VPN endpoints. Additionally, Akira threat actors deploy password spraying techniques, using tools such as SharpDomainSpray to gain access to account credentials.”
The group has also abused remote access tools like AnyDesk and LogMeIn to maintain their access to victim networks and blend in with administrator activity. In some cases, incident responders saw Akira uninstall endpoint detection and response (EDR) systems.
The FBI warned that in some incidents Akira threat actors were able to steal data just two hours after initial access.
The advisory links to specific advice for K-12 schools impacted by the ransomware gang.
“The threat of ransomware from groups like Akira is real and organizations need to take it seriously, with swift implementation of mitigation measures,” said Nick Andersen, executive assistant director for the cybersecurity division at the Cybersecurity and Infrastructure Security Agency.
The advisory notes that Akira has ties to the now-defunct Conti ransomware gang, which launched several high-profile attacks before disbanding at the onset of Russia’s invasion of Ukraine.
On a call with reporters, Andersen confirmed that Akira “may have some connections to the now defunct Conti ransomware group” but declined to say if Akira had ties to the government of Russia.
The FBI’s Leatherman added that while there are no direct ties between Akira and the Russian state, they do know that the “Conti ransomware group at one point did operate within Russia and some actors may be associated with that group.”
“But like with any ransomware group or variant that operates as an affiliate based program, you can have actors located anywhere across the globe. So we do believe that we likely have actors who are in a variety of different countries,” Leatherman told Recorded Future News.
Researchers previously said there are deep similarities between the Akira and Conti ransomware strains. Blockchain analysis showed multiple Akira ransomware transactions to wallets associated with Conti's leadership team.
Akira most recently took credit for a cyberattack on BK Technologies, a Florida-based company that makes radios for U.S. defense companies, as well as dozens of police and fire departments across the country. BK Technologies warned investors last month that it suffered a security incident in September where hackers stole non-public information and data on current and former employees.
Akira has taken credit for dozens of high-profile attacks on entities like Stanford University, the Toronto Zoo, a state-owned bank in South Africa, major foreign exchange broker London Capital Group and other organizations.
13 Nov 2025 - 16:24 Press release, Swiss Financial Sector Cyber Security Centre
«With this exercise, we offer participants a valuable opportunity to simulate realistic crisis scenarios together and to strengthen their capacity for immediate response», explains Alexandra Arni.
The Swiss Financial Sector Cyber Security Center (Swiss FS-CSC) association held a large-scale operational exercise for the Swiss and Liechtenstein financial centre yesterday, Wednesday 12 November 2025, in Zurich. The exercise contributes significantly to strengthening the cyber resilience of member institutions and of the financial centre as a whole.
For several years, cyber incidents and their consequences have been a major risk for financial institutions. Attacks are becoming more complex and sophisticated and, thanks to artificial intelligence, easier and cheaper for criminals to carry out. Social engineering attacks, phishing, ransomware incidents, DDoS attacks and attacks that threaten business continuity and systemic functions pose a particular risk. In addition, the threat of attacks against supply chains and cloud services is growing. Preventive preparation is therefore essential and indispensable.
Working through a realistic scenario
Yesterday's operational cyber exercise simulated a complex, multi-stage cyberattack against the Swiss financial sector. The 134 participants (the exercise was aimed at CISOs and information security officers, security managers, SOC managers and analysts, threat analysts and senior analysts from Swiss FS-CSC members) were tasked with recognising early warning signs, limiting the impact, exchanging information and coordinating with other institutions and authorities via the Swiss FS-CSC exchange platform, and ensuring business continuity. The scenario made it possible to test real processes, response times, technical mitigation measures, coordination of communication and decision-making under pressure.
Recognition of cyber exercises by FINMA
FINMA allows supervised institutions in categories 4 and 5 to fulfil their obligation to conduct a scenario-based exercise by taking part in a Swiss FS-CSC cyber exercise. Further information on this is available in FINMA supervisory communication 03/2024.
Improving cyber resilience
Alexandra Arni, Managing Director of the Swiss FS-CSC, emphasised: «With this exercise, we offer participants a valuable opportunity to simulate realistic crisis scenarios together and to strengthen their capacity for immediate response. In doing so, we make a concrete contribution to lastingly improving the cyber resilience of the Swiss financial centre.»
mercurynews.com
By Ethan Baron
‘Top Secret’ files among those allegedly misappropriated by software engineer losing job at Santa Clara chip giant Intel
At first the software engineer did not succeed in making off with a trove of Santa Clara computer chip giant Intel’s trade secrets, but then he tried again.
Jinfeng Luo, at Intel since 2014, had been told July 7 his job at the company would be terminated, effective July 31, according to a lawsuit Intel filed against him Friday.
Eight days before his employment was to end, Luo allegedly hooked up an external hard drive to his Intel laptop, but when he tried to download a file, the company’s internal controls blocked the transfer, the lawsuit claimed.
Five days later, the lawsuit alleged, Luo deployed a different technology, a more sophisticated gadget that resembles a small computer server, called a network storage device.
Over the next three days, Luo downloaded nearly 18,000 files, including some labeled “Intel Top Secret,” the lawsuit in Washington State court said.
It was unclear Wednesday if Luo had a lawyer representing him in the case, and he could not immediately be reached for comment.
Intel, accusing Luo of breaking federal and state trade-secrets laws, is seeking at least $250,000 in compensation from him. The company also wants a court order forcing Luo to hand over his personal electronic devices for inspection, and requiring him to give the company its allegedly misappropriated confidential information.
The Santa Clara chip maker, outshone in the public eye by its consumer-facing Silicon Valley neighbors Google, Apple and Facebook, received a turn in the national spotlight over the summer when President Donald Trump announced that the federal government — using previously issued but mostly unpaid grants and funding pledges — was taking a 10% stake in the company.
The lawsuit did not make clear why Luo, of Seattle, was terminated from his job. Intel said in a June regulatory filing that it planned to slash its workforce by 15% this year.
Intel detected Luo’s alleged data transfers and launched an investigation, the lawsuit said.
For almost three months, the company tried to reach Luo — a rundown of Intel’s efforts to contact him takes up two pages of the 14-page lawsuit — but he never responded to the phone calls, emails and letters, the lawsuit claimed.
“Luo has refused to even engage with Intel,” the lawsuit claimed, “let alone return the files.”
www.politico.com
Katherine Tully-McManus
11/10/2025, 2:01pm ET
Library of Congress employees were informed to take caution when emailing the office of the congressional scorekeeper.
A cybersecurity breach discovered last week affecting the Congressional Budget Office is now considered “ongoing,” threatening both incoming and outgoing correspondence around Congress’ nonpartisan scorekeeper.
Employees at the Library of Congress were warned in a Monday email, obtained by POLITICO, that the CBO cybersecurity incident is “affecting its email communications” and that library staff should take a range of measures to protect themselves.
Library of Congress workers also were told to restrict their communication with the nonpartisan agency tasked with providing economic and budgetary information to lawmakers.
“Do NOT click on any links in emails from CBO. Do NOT share sensitive information with CBO colleagues over email, Microsoft Teams, or Zoom at this time,” the email reads.
“Maintain a high level of vigilance and verify the legitimacy of CBO communications by confirming with the sender via telephone that they sent the message,” the note continues.
Congressional staff are in regular communication with CBO regarding scores of legislation and cost estimates the agency prepares for bills in both the House and Senate.
There was no immediate information Monday about the broader implications of a legislative branch office continuing to experience cybersecurity vulnerabilities.
A CBO spokesperson said last week that officials had taken “immediate action to contain” the breach as officials investigate the incident.
When asked for comment Monday about ongoing issues, the CBO spokesperson referred to the prior statement.
gbhackers.com
By Divya
November 3, 2025
Security researchers have uncovered a severe unauthenticated Remote Code Execution vulnerability in Ubiquiti’s UniFi OS that earned a substantial $25,000 bug bounty reward.
Tracked as CVE-2025-52665, this critical flaw allows attackers to gain complete control of UniFi devices without requiring any credentials or user interaction, posing significant risks to organizations using UniFi Dream Machine routers and access control systems.
Misconfigured API Exposes Critical Attack Surface
The vulnerability originated from a misconfigured backup API endpoint at /api/ucore/backup/export that was designed to operate only on the local loopback interface.
However, researchers discovered the endpoint was externally accessible through port 9780, bypassing intended security restrictions.
The flaw stems from improper input validation on the dir parameter, which the backup orchestration system passes directly to shell commands without sanitization or escaping.
When researchers analyzed the UniFi Core service code, they found that the backup operation chains multiple shell commands including mktemp, chmod, and tar that directly interpolate the user-supplied directory path.
This design pattern created a perfect opportunity for command injection attacks, as metacharacters in the input would be interpreted as new shell commands rather than literal path components.
Researchers successfully exploited the vulnerability by crafting a malicious JSON payload that terminated the intended command and injected arbitrary code.
The attack required sending a POST request to the exposed endpoint with a specially formatted dir parameter containing command injection sequences.
By using semicolons to separate commands and hash symbols to comment out remaining shell syntax, attackers could execute arbitrary commands with full system privileges.
The researchers demonstrated the severity by exfiltrating the /etc/passwd file and establishing a reverse shell connection, proving complete interactive access to the compromised device.
Beyond basic system access, the vulnerability provided direct entry into UniFi Access components, granting attackers control over physical door systems and NFC credential management infrastructure.
The investigation revealed multiple unauthenticated API endpoints beyond the primary RCE vulnerability.
Researchers found that /api/v1/user_assets/nfc accepted POST requests to provision new credentials without authentication, while /api/v1/user_assets/touch_pass/keys exposed sensitive credential material including Apple NFC keys and Google Pass authentication data containing PEM-formatted private keys.
These additional exposures compound the security impact, allowing attackers to manipulate access control systems and steal cryptographic credentials that protect mobile and NFC-based authentication mechanisms.
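As an added illustration of the pattern described above (this is not Ubiquiti's code; the backup root, paths and function names are assumptions), here is the unsafe shell-interpolation shape next to a hardened version that validates the directory against an allow-listed root and passes it to each program as a single argv element instead of through a shell:

```python
"""Hardening pattern for a backup endpoint that takes a directory from a
request and hands it to command-line tools (illustrative, not UniFi code).

Unsafe shape: build one shell string by interpolating the untrusted value,
so any shell metacharacter in it is parsed as shell syntax.
Safe shape: validate the value, then exec each tool with an argv list, so
the value crosses the execve boundary as exactly one argument.
"""
import os
import re
import subprocess
import tempfile
from typing import List

# Constructed example: the only location backups may be taken from.
ALLOWED_BACKUP_ROOT = "/data/backups"

# Characters that never belong in a path we will pass to a program.
# Spaces are rejected too, to keep the allow-list conservative.
_SHELL_META = re.compile(r"[;&|`$()<>\n\r\\'\"#*?{}\[\]~ ]")


def vulnerable_command(user_dir: str) -> str:
    """The unsafe pattern, returned as text rather than executed: the
    untrusted directory is spliced into a single shell command line, so
    whatever the caller sends becomes part of the shell's input."""
    return (
        "mktemp -d /tmp/backup.XXXXXX && "
        f"tar -czf /tmp/backup.tar.gz {user_dir}"
    )


class InvalidBackupDir(ValueError):
    """Raised when a requested directory fails validation."""


def validate_backup_dir(user_dir: str, root: str = ALLOWED_BACKUP_ROOT) -> str:
    """Accept only an absolute, metacharacter-free path strictly inside
    `root`; return the normalised path. Rejects traversal ("..") as well as
    sibling directories that merely share the root as a string prefix."""
    if not isinstance(user_dir, str) or not user_dir:
        raise InvalidBackupDir("empty directory")
    if _SHELL_META.search(user_dir):
        raise InvalidBackupDir("shell metacharacter in directory")
    if not user_dir.startswith("/"):
        raise InvalidBackupDir("relative path")
    normalised = os.path.normpath(user_dir)
    # commonpath works on path components, so "/data/backupsX" is not
    # treated as being under "/data/backups".
    if os.path.commonpath([root, normalised]) != root or normalised == root:
        raise InvalidBackupDir("path escapes the backup root")
    return normalised


def build_backup_argv(user_dir: str, archive: str) -> List[List[str]]:
    """The safe pattern: return the command sequence as argv lists. The
    validated directory is one list element; no shell ever parses it.
    The temporary directory is created with tempfile rather than a shell
    `mktemp` call. `--` stops tar from reading the path as an option."""
    safe_dir = validate_backup_dir(user_dir)
    work_dir = tempfile.mkdtemp(prefix="backup.")
    return [
        ["chmod", "0700", work_dir],
        ["tar", "-czf", archive, "--", safe_dir],
    ]


def run_backup(user_dir: str, archive: str) -> None:
    """Execute the hardened sequence. shell=False is the default for a
    list argument; it is written out here to make the intent explicit."""
    for argv in build_backup_argv(user_dir, archive):
        subprocess.run(argv, shell=False, check=True)
```

With the unsafe function the string `"/data/backups/x; true"` keeps its `;` intact on its way to the shell; with the hardened one the same input is rejected before any process is started.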
bleepingcomputer.com
By Bill Toulas
November 12, 2025
An advanced threat actor exploited the critical vulnerabilities “Citrix Bleed 2” (CVE-2025-5777) in NetScaler ADC and Gateway, and CVE-2025-20337 affecting Cisco Identity Service Engine (ISE) as zero-days to deploy custom malware.
Amazon’s threat intelligence team, analyzing “MadPot” honeypot data, found that hackers leveraged the two security issues before they were disclosed publicly and patches became available.
“Our Amazon MadPot honeypot service detected exploitation attempts for the Citrix Bleed Two vulnerability (CVE-2025-5777) prior to public disclosure, indicating a threat actor had been exploiting the vulnerability as a zero-day,” explains Amazon.
“Through further investigation of the same threat exploiting the Citrix vulnerability, Amazon Threat Intelligence identified and shared with Cisco an anomalous payload targeting a previously undocumented endpoint in Cisco ISE that used vulnerable deserialization logic.”
Citrix Bleed 2 is a NetScaler ADC and Gateway out-of-bounds memory read problem that the vendor published fixes for in late June.
Although the vendor took longer to confirm that the flaw was being leveraged in attacks, despite multiple third-party reports saying it was, exploits became available in early July and CISA tagged it as exploited.
The flaw in ISE (CVE-2025-20337), with a maximum severity score, was published on July 17, when Cisco warned that it could be exploited to let an unauthenticated attacker store malicious files, execute arbitrary code, or gain root privileges on vulnerable devices.
In less than five days, the vendor reissued its warning about CVE-2025-20337 being actively exploited. On July 28, researcher Bobby Gould published technical details in a write-up that included an exploit chain.
In a report shared with BleepingComputer, Amazon says that both flaws were leveraged in APT attacks before Cisco and Citrix published their initial security bulletins.
The hackers leveraged CVE-2025-20337 to gain pre-auth admin access to Cisco ISE endpoints, and deployed a custom web shell named ‘IdentityAuditAction,’ disguised as a legitimate ISE component.
The web shell registered as an HTTP listener to intercept all requests and used Java reflection to inject into Tomcat server threads.
It also employed DES encryption with non-standard base64 encoding for stealth, required knowledge of specific HTTP headers to access, and left minimal forensic traces behind.
The use of multiple undisclosed zero-day flaws and the advanced knowledge of Java/Tomcat internals and the Cisco ISE architecture all point to a highly resourced and advanced threat actor. However, Amazon could not attribute the activity to a known threat group.
Curiously, though, the targeting appeared indiscriminate, which doesn’t match the typically tight scope of highly targeted operations by such threat actors.
It is recommended to apply the available security updates for CVE-2025-5777 and CVE-2025-20337, and to limit access to edge network devices through firewalls and layered access controls.
| TechCrunch
techcrunch.com
Zack Whittaker
4:47 AM PST · November 12, 2025
Australia's intelligence chief warned that Chinese hackers are trying to break into its networks, sometimes successfully, to "pre-position" for sabotage ahead of an anticipated invasion of Taiwan.
Australia’s intelligence head Mike Burgess has warned that China-backed hackers are “probing” the country’s critical infrastructure, and in some cases have gained access.
Burgess, who heads the country’s main intelligence agency, the Australian Security Intelligence Organisation, said that at least two China government-backed hacking groups are pre-positioning for sabotage and espionage.
The comments, made during a conference speech in Melbourne on Wednesday, echo similar remarks by the U.S. government, which has warned that the ongoing hacking campaigns may pose risks of economic and societal disruption.
According to Burgess, a hacker group known as Volt Typhoon is trying to break into critical infrastructure networks such as power, water, and transportation systems. Burgess warned that successful hacks could affect energy and water supplies, and cause widespread outages.
The U.S. has previously said that the Chinese hackers have spent years planting malware on critical infrastructure systems that are capable of causing disruptive cyberattacks when activated. U.S. officials said that Volt Typhoon’s goals are to hamper the U.S.’ response to China’s anticipated future invasion of Taiwan.
“I do not think we — and I mean all of us — truly appreciate how disruptive, how devastating, this could be,” said Burgess, speaking about the threat. He said that once the hackers have access, what happens next is a “matter of intent, not capability.”
Burgess also warned that another China-backed hacking group dubbed Salt Typhoon, known for hacking into the networks of phone and internet companies to steal call records and other sensitive data, was also targeting the country’s telecoms infrastructure.
Salt Typhoon has hacked more than 200 phone and internet companies, according to the FBI, including AT&T, Verizon and Lumen, along with several other cloud and data center providers. The hacks prompted the FBI to urge Americans to switch to end-to-end encrypted messaging apps to avoid having their calls and text messages accessed by the hackers.
The Canadian government also confirmed earlier this year that its telcos were breached as part of China-linked attacks.
China has long denied the hacking allegations.
forbes.com
By Lars Daniel
Nov 10, 2025
Hyundai is alerting millions of customers about a data breach that exposed Social Security numbers and driver's licenses. The breach, which occurred in February but is only now being disclosed, represents the automotive giant's third major security incident in as many years.
How the Breach Happened
Think of Hyundai AutoEver America, or HAEA, as the digital nervous system for Hyundai, Kia and Genesis operations in North America. This California-based company manages everything from the software that enables remote car features to the computer systems dealerships use to process your purchase.
Between February 22 and March 2 of this year, hackers broke into these systems and roamed freely for nine days before being detected. That’s like a burglar having unsupervised access to a bank vault for over a week. Plenty of time to identify and steal important data.
The company discovered the intrusion on March 1st and says it immediately kicked the attackers out and brought in cybersecurity forensics teams. But the investigation took months, and notification letters are now being sent out to those confirmed to be affected: more than seven months after the attack ended.
What Information Was Stolen
The exposed data includes:
Hyundai AutoEver hasn’t said exactly how many people were affected, but regulatory filings show the breach reached multiple states. The upper limit is potentially massive: HAEA’s systems connect to 2.7 million vehicles across North America.
To put that in perspective, that’s roughly the entire population of Chicago potentially at risk. However, only individuals confirmed to be affected will receive notification letters.
This Keeps Happening to Hyundai
This isn’t Hyundai's first rodeo with hackers.
In early 2024, the Black Basta ransomware gang hit Hyundai Motor Europe, claiming to steal 3 terabytes of data, equivalent to about 750,000 digital photos or five hundred hours of high-definition video. That attack exposed everything from HR records to legal documents across multiple departments.
Before that, in 2023, breaches at Hyundai's Italian and French operations leaked customer email addresses, home addresses, and vehicle identification numbers.
Security researchers have also found serious vulnerabilities in Hyundai and Kia’s smartphone apps that could let hackers remotely control vehicles.
The Modern Car Is a Computer on Wheels
Here's what makes automotive breaches particularly concerning: Your car isn't just transportation anymore. It's a rolling data center.
Modern vehicles collect and transmit information constantly:
Where you drive and when
Your home and work addresses
How fast you accelerate and brake
When you service your vehicle
Your purchase and financing details
When hackers breach the IT provider managing this digital ecosystem, they don’t just get your Social Security number. They potentially access a comprehensive profile of your life and habits. It’s like the difference between someone stealing your wallet versus breaking into your phone. The phone contains exponentially more information about you.
What You Should Do Right Now
If you own or lease a Hyundai, Kia, or Genesis vehicle:
Immediate Actions:
Check your credit reports for unauthorized accounts or inquiries. You can get free reports at AnnualCreditReport.com
Monitor bank and credit card statements weekly for suspicious charges
Enable transaction alerts on your financial accounts
If You Receive a Notification Letter:
Enroll in the free credit monitoring within 90 days using the unique code provided
The service runs for two years and monitors all three credit bureaus
Call the dedicated hotline at 855-720-3727 with questions
For Everyone, Breached or Not:
Consider a credit freeze with Equifax, Experian and TransUnion. This prevents identity thieves from opening new accounts in your name
Enable fraud alerts which require creditors to verify your identity before issuing credit
Watch for phishing scams exploiting breach news. Hyundai will never ask for your Social Security number or payment information via email
The Uncomfortable Truth About Data Breaches
Data breaches have become depressingly routine. In 2024 alone, major incidents hit healthcare providers, retailers and financial institutions, and now automotive companies are joining the list with alarming frequency.
But there's something particularly unsettling about automotive breaches. You chose your bank and can switch it. You chose your doctor and can change providers. But if you bought a Hyundai three years ago, you're stuck with their security practices until you sell the vehicle. Your data sits in their systems whether you like it or not.
And unlike a credit card breach where the bank typically covers fraudulent charges, identity theft involving Social Security numbers can create problems that take years to resolve. Victims may discover the theft only when they're denied a loan, receive bills for services they never used, or have their tax returns rejected because someone else already filed using their information.
What Hyundai Is Saying
In its breach notification, Hyundai AutoEver stated: "We regret that this incident occurred and take the security of personal information seriously."
The company says it’s investing in "additional security enhancements designed to mitigate future risk." But given this is the third major breach in three years across Hyundai Motor Group entities, many cybersecurity experts argue the company needs more than enhancements: it needs a fundamental security overhaul.
The automotive industry finds itself caught between competing pressures. Customers want connected features: remote start from their phone, navigation that predicts traffic, software updates that add new capabilities. These features require extensive data collection and cloud connectivity.
But every connection creates a potential vulnerability. Every database becomes a target. And when IT providers centralize services for millions of vehicles, they become high-value targets offering hackers a massive potential payoff from a single breach.
The challenge for automakers isn’t just fixing the specific vulnerabilities that enabled this breach. It’s fundamentally rethinking how they secure the growing mountain of customer data their business models now require.
bleepingcomputer.com
By Lawrence Abrams
November 11, 2025
The Rhadamanthys infostealer operation has been disrupted, with numerous “customers” of the malware-as-a-service reporting that they no longer have access to their servers.
Rhadamanthys is an infostealer malware that steals credentials and authentication cookies from browsers, email clients, and other applications. It is commonly distributed through campaigns promoted as software cracks, YouTube videos, or malicious search advertisements.
The malware is offered on a subscription model, where cybercriminals pay the developer a monthly fee for access to the malware, support, and a web panel used to collect stolen data.
Cybersecurity researchers known as g0njxa and Gi7w0rm, who both monitor malware operations like Rhadamanthys, report that cybercriminals involved in the operation claim that law enforcement gained access to their web panels.
In a post on a hacking forum, some customers state that they lost SSH access to their Rhadamanthys web panels, which now require a certificate to log in rather than their usual root password.
"If your password cannot log in. The server login method has also been changed to certificate login mode, please check and confirm, if so, immediately reinstall your server, erase traces, the German police are acting," wrote one of the customers.
Another Rhadamanthys subscriber claimed they were having the same issues, with their server's SSH access now also requiring certificate-based logins.
"I confirm that guests have visited my server and the password has been deleted. Root server login became strictly certificate-based, so I had to immediately delete everything and power down the server. Those who installed it manually were probably unscathed, but those who installed it through the 'smart panel' were hit hard," wrote another subscriber.
A message from the Rhadamanthys developer says they believe German law enforcement is behind the disruption, as web panels hosted in EU data centers had German IP addresses logging in before the cybercriminals lost access.
G0njxa told BleepingComputer that the Tor onion sites for the malware operation are also offline but do not currently have a police seizure banner, so it is unclear who exactly is behind the disruption.
Multiple researchers who have spoken to BleepingComputer believe this disruption could be related to an upcoming announcement from Operation Endgame, an ongoing law enforcement action targeting malware-as-a-service operations.
Operation Endgame has been behind numerous disruptions since it launched, including against ransomware infrastructure, the AVCheck site, and the SmokeLoader, DanaBot, IcedID, Pikabot, Trickbot, Bumblebee and SystemBC malware operations.
The Operation Endgame website currently has a timer stating that new action will be disclosed on Thursday.
BleepingComputer contacted the German police, Europol, and the FBI, but has not received a reply at this time.
techdigest.tv
10 November 2025
Chris Price
A catastrophic data breach at Chinese cybersecurity firm Knownsec has exposed a state-backed cyber arsenal and global surveillance targets.
A prominent Chinese cybersecurity firm with ties to the government, Knownsec, has suffered a catastrophic data breach, exposing over 12,000 classified documents detailing the inner workings of China’s state-sponsored cyber espionage program.
The leak of over 12,000 classified documents provides an unprecedented window into the operational infrastructure supporting China’s intelligence-gathering efforts, triggering significant international concern.
The leaked materials initially appeared on GitHub before being removed for terms-of-service violations. They reveal a vast technical arsenal, including sophisticated Remote Access Trojans (RATs) engineered to compromise every major operating system, specifically Linux, Windows, macOS, iOS, and Android.
The documents detail the use of highly specialized surveillance tools. These include Android attack code capable of extracting extensive message histories from popular chat applications, enabling targeted spying on specific individuals.
Even more concerning is the detail on hardware-based attack vectors. The firm allegedly developed a maliciously engineered power bank that can covertly exfiltrate data when connected to a victim’s computer, representing a sophisticated, hands-on supply-chain attack. This highlights the willingness of state-sponsored programs to invest in complex infrastructure to circumvent traditional security controls.
The archives also contain detailed spreadsheets documenting alleged breaches against more than 80 overseas targets. The scale of the data theft is massive, listing 95GB of immigration records from India, 3TB of call records from South Korea’s LG U Plus, and 459GB of road planning data from Taiwan.
The target list explicitly names over twenty countries and regions, including the United Kingdom, Japan, and Nigeria.
Knownsec, founded in 2007 and backed by Tencent, holds a trusted position within China’s security apparatus, providing services to government departments and major financial institutions. This prominence amplifies the significance of the leak.
In response to the disclosure, a Chinese Foreign Ministry spokesperson was evasive, stating unfamiliarity with any Knownsec breach while asserting that China “firmly opposes and combats all forms of cyberattacks.”
Analysts note this measured response avoided denying government support for such operations, underscoring Beijing’s positioning of cyber activities as national security instruments. Cybersecurity specialists worldwide are now studying the exposed data to improve global defense strategies.
Sky News Australia
Max Melzer
An Iranian-backed hacking group has posted plans for Australia's new $7 billion infantry fighting vehicles online following a spate of attacks on Israeli arms companies.
Plans for Australia's new $7 billion Redback infantry fighting vehicles have been stolen and posted online by Iran-backed hackers following a spate of attacks on Israeli arms companies.
Cyber Toufan, a hacking group believed to have ties to the Iranian state, posted classified 3D renderings and technical details of the next generation fighting vehicles on Telegram.
The group claimed to have stolen confidential data from 17 Israeli defence companies in a major cyberattack carried out after it gained access to supply chain firm MAYA Technologies over a year ago.
Israel’s Elbit Systems, which was contracted to provide hi-tech weapons turrets for the Redbacks, was among the companies targeted.
Skynews.com.au has contacted Elbit Systems for comment.
In addition to the exposure of sensitive details about the fighting vehicles' technical specifications, the documents posted by Cyber Toufan also revealed the Australian Defence Force had apparently been weighing whether to purchase Spike NLOS anti-tank missiles from the Israeli company.
It is not fully clear how much data was stolen in the hack or whether the details published online could be used to develop countermeasures to the Redback's defensive and offensive capabilities.
The Australian Army is set to receive 127 of the fighting vehicles under a roughly $7 billion contract with South Korean firm Hanwha Defence.
Elbit Systems' turrets will be affixed to the Redbacks under a separate contract worth around $920 million.
The Israeli firm's involvement with the project had drawn criticism due to Israel's war in Gaza, although Defence Industry Minister Pat Conroy has repeatedly defended the company's involvement.
"We make no apology for getting the best possible equipment for the Australian Defence Force," he told the Indo-Pacific Maritime Exposition last week.
Cyber Toufan's attacks underscore the growing threat of hacking groups targeting sensitive military data.
The Australian Signals Directorate warned in its 2025 Cyber Threat Report that government and defence-related information was "an attractive target for state-sponsored cyber actors".
AUKUS remains the principal target for hostile actors, although Australian Security Intelligence Organisation Director-General Mike Burgess revealed even "countries we consider friendly" were attempting to gather intelligence about the nuclear submarine program.
"ASIO has identified foreign services seeking to target AUKUS to position themselves to collect on the capabilities, how Australia intends to use them, and to undermine the confidence of our allies," he warned in his annual threat assessment earlier this year.
Several Australian defence projects have already faced hacks in recent years, including in 2017 when a defence contractor was breached and data on the nation's F-35 program and the Collins-class submarine program was exposed.
Shipbuilder Austal was also successfully targeted by hackers in 2018.
akamai.com
Nov 06, 2025
Akamai is aware of content and connectivity filtering within Russia. Although we have not yet seen wholesale blocking of our platform for users, Russian network operator actions and actions by the Russian government may impact delivery to some users within some networks.
Such blocks often happen without any advance notice and are beyond our control. This is a highly dynamic situation as the nature and targets of filtering and blocking are changing without notice or visibility.
The Akamai network can automatically adapt to some of these impacts. However, it is impossible for us to respond to all Russian government actions (including IP-based blocks, SNI-based blocks, traffic throttling, total network shutdowns, and potential others).
Because of the constantly evolving situation — including active hostilities — ongoing delivery of traffic to users in Russia is provided, unfortunately, on a best-effort basis.
mozilla.org
November 7, 2025
Brian Smith
Firefox Support for Organizations adds a new layer of help for teams and businesses that need confidential, reliable, and customized levels of support.
Increasingly, businesses, schools, and government institutions deploy Firefox at scale for security, resilience, and data sovereignty. Organizations have fine-grained administrative and orchestration control of the browser’s behavior using policies with Firefox and the Extended Support Release (ESR). Today, we’re opening early access to Firefox Support for Organizations, a new program that begins operation in January 2026.
What Firefox Support for Organizations offers
Support for Organizations is a dedicated offering for teams who need private issue triage and escalation, defined response times, custom development options, and close collaboration with Mozilla’s engineering and product teams.
Private support channel: Access a dedicated support system where you can open private help tickets directly with expert support engineers. Issues are triaged by severity level, with defined response times and clear escalation paths to ensure timely resolution.
Discounts on custom development: Paid support customers get discounts on custom development work for integration projects, compatibility testing, or environment-specific needs. With custom development as a paid add-on to support plans, Firefox can adapt with your infrastructure and third-party updates.
Strategic collaboration: Gain early insight into upcoming development and help shape the Firefox Enterprise roadmap through direct collaboration with Mozilla’s team.
Support for Organizations adds a new layer of help for teams and businesses that need confidential, reliable, and customized levels of support. All Firefox users will continue to have full access to existing public resources including documentation, the knowledge base, and community forums, and we’ll keep improving those for everyone in future. Support plans will help us better serve users who rely on Firefox for business-critical and sensitive operations.
The EU Commission has announced that it will "immediately" stop funding individuals or organizations involved in "serious professional misconduct." This follows an investigation by Follow the Money (FtM) which revealed that EU funds amounting to millions of euros have been directly channeled to commercial spyware firms in recent years.
In September, the FtM portal, in collaboration with other media partners, uncovered that the spyware industry is receiving substantial subsidies from the EU while simultaneously surveilling its citizens. According to the report, the Intellexa Group, which developed the Predator state trojan, has, through affiliated companies, secured public funding, particularly through innovation programs. Cognyte, CyGate, and Verint are also reported to have received financial support from EU sources for their surveillance technologies, such as spyware, whose solutions are frequently mentioned in the context of human rights violations.
In response, 39 EU parliamentarians from four political groups have jointly requested concrete answers from the Commission in a letter. The representatives lamented that the EU is, apparently unintentionally, funding instruments that have been or are being used for repressive purposes in member states like Poland, Greece, and Hungary, as well as in authoritarian third countries. This, they argue, undermines fundamental rights and democracy.
According to the letter, the Commission has apparently failed to verify the trustworthiness, ownership structure, and human rights compliance of these companies. The requested end-user clauses or dual-use controls, which assess whether a product can be misused for civilian, military, and police purposes, are apparently not being effectively enforced. The revelations indicate that the Brussels-based governing institution is not sufficiently adhering to recommendations from the parliamentary inquiry committee on spyware scandals in this highly sensitive area.
Commission Stands By
In its statement, according to an FtM newsletter, the Commission explains that law enforcement agencies and intelligence services may "lawfully use spyware for legitimate purposes." However, it fails to list all EU programs from which surveillance companies have benefited. Specifically, information regarding grants from the European Social Fund and another financial pot awarded to the Italian surveillance company Area is missing.
The executive body also fails to mention financial flows to the notorious spyware manufacturer Hacking Team, the report continues. Even recent transfers from the European Investment Fund (EIF) to the Israeli spyware company Paragon Solutions, which is currently at the center of a scandal in Italy, remain unmentioned. Instead of proposing new protective measures, the Commission merely refers to the existing legal framework for protection against the illegal use of spyware.
The EU executive is "hiding behind vague references to 'EU values'," criticizes Aljosa Ajanovic Andelic from the initiative European Digital Rights (EDRi) regarding the response to FtM. It openly admits that "European funds have financed companies whose technologies are used for espionage against journalists and human rights defenders." This, he states, demonstrates a complete lack of effective control mechanisms. Green Party MEP Hannah Neumann criticizes that the Commission has taken hardly any action in the past two years following the committee's report.
TechCrunch
techcrunch.com
Lorenzo Franceschi-Bicchierai
9:35 AM PST · November 6, 2025
WhatsApp notified the consultant, who works for left-wing politicians, that his phone was targeted with spyware made by Paragon.
Francesco Nicodemo, a consultant who works with left-wing politicians in Italy, has gone public as the latest person targeted with Paragon spyware in the country.
On Thursday, Nicodemo said in a Facebook post that for 10 months, he preferred not to publicize his case because he “did not want to be used for political propaganda,” but now “the time has come.”
“It is time to ask a very simple question: Why? Why me? How is it possible that such a sophisticated and complex tool was used to spy on a private citizen, as if he were a drug trafficker or a subversive threat to the country?” Nicodemo wrote. “I have nothing more to say. Others must speak. Others must explain what happened.”
Online news site Fanpage first reported the news that Nicodemo was among the people who received a WhatsApp notification in January.
The revelation that Nicodemo was targeted with Paragon spyware widens the scope — once again — of the ongoing spyware scandal in Italy, which has ensnared several victims from various positions in society: several journalists, immigration activists, prominent business executives, and now a political consultant with a history of working for the center-left Partito Democratico (Democratic Party) and its politicians.
Governments and spyware makers have long claimed that their surveillance products are used against serious criminals and terrorists, but these recent cases show that this isn’t always true.
“The Italian government has given some spyware targets clarity and explained the cases. But others remain troublingly unclear,” said John Scott-Railton, a senior researcher at The Citizen Lab, who has for years investigated spyware companies and their abuses, including some involving the use of Paragon spyware.
“None of this looks good for Paragon, or for Italy. That’s why clarity from the Italian government is so essential. I believe that if they wanted to, Paragon could give everybody a lot more clarity on what’s going on. Until they do, these cases are going to remain a weight around their neck,” said Scott-Railton, who confirmed that Nicodemo received the notification from WhatsApp.
Natale De Gregorio, who works with Nicodemo at their public relations firm Lievito Consulting, told TechCrunch in an email that Nicodemo did not want to comment beyond what he told Fanpage and his public Facebook post.
At this point, it’s unclear who among Paragon customers targeted Nicodemo, but an Italian parliamentary committee confirmed in June that some of the victims in Italy were targeted by Italian intelligence agencies, which are under the purview of right-wing prime minister Giorgia Meloni.
A spokesperson for the Italian prime minister’s office did not respond to a request for comment from TechCrunch.
Jennifer Iras, the vice president of marketing for REDLattice, a cybersecurity company that has merged with Paragon after the Israeli spyware maker was acquired by U.S. private equity giant AE Industrial, also did not respond to a request for comment.
In February, following the revelations of the first wave of victims in Italy, Paragon cut ties with its government customers in Italy, specifically the intelligence agencies AISE and AISI.
Later in June, the Italian Parliamentary Committee for the Security of the Republic, known as COPASIR, concluded that some of the Paragon spyware victims that had been identified publicly, namely the immigration activists, were lawfully hacked by Italian intelligence services.
COPASIR, however, said there was no evidence that Francesco Cancellato, the director of Fanpage.it, an Italian news website that has investigated the youth wing of the far-right ruling party in Italy, led by Meloni, had been targeted by either of Italy’s intelligence agencies, the AISI and AISE.
COPASIR also did not investigate the case of Cancellato’s colleague Ciro Pellegrino.
Paragon, which told TechCrunch that the U.S. government is one of its customers, has an active contract with U.S. Immigration and Customs Enforcement.