Cyberveillecurated by Decio
235 results tagged US
Google previews cyber ‘disruption unit’ as U.S. government, industry weigh going heavier on offense | CyberScoop https://cyberscoop.com/google-cybersecurity-disruption-unit-active-defense-hack-back/
29/08/2025 14:50:13

cyberscoop.com - By Tim Starks, August 27, 2025
Google says it is starting a cyber “disruption unit,” a development that arrives in a potentially shifting U.S. landscape toward more offensive-oriented approaches in cyberspace.

But the contours of that larger shift are still unclear, and whether or to what extent it’s even possible. While there’s some momentum in policymaking and industry circles to put a greater emphasis on more aggressive strategies and tactics to respond to cyberattacks, there are also major barriers.

Sandra Joyce, vice president of Google Threat Intelligence Group, said at a conference Tuesday that more details of the disruption unit would be forthcoming in future months, but the company was looking for “legal and ethical disruption” options as part of the unit’s work.

“What we’re doing in the Google Threat Intelligence Group is intelligence-led proactive identification of opportunities where we can actually take down some type of campaign or operation,” she said at the Center for Cybersecurity Policy and Law event, where she called for partners in the project. “We have to get from a reactive position to a proactive one … if we’re going to make a difference right now.”

The boundaries in the cyber domain between actions considered “cyber offense” and those meant to deter cyberattacks are often unclear. The distinction between “active defense” and “hacking back” is a common dividing line. On the less aggressive end, “active defense” can include tactics like setting up honeypots designed to lure and trick attackers. At the more extreme end, “hacking back” would typically involve actions that attempt to deliberately destroy an attacker’s systems or networks. Disruption operations might fall between the two, like Microsoft taking down botnet infrastructure in court or the Justice Department seizing stolen cryptocurrency from hackers.

Trump administration officials and some in Congress have been advocating for the U.S. government to go on offense in cyberspace, saying that foreign hackers and criminals aren’t suffering sufficient consequences. Much-criticized legislation to authorize private sector “hacking back” has long stalled in Congress, but some have recently pushed a version of the idea where the president would give “letters of marque” like those for early-U.S. sea privateers to companies authorizing them to legally conduct offensive cyber operations currently forbidden under U.S. law.

The private sector has some catching up to do if there’s to be a worthy field of firms able to focus on offense, experts say.

John Keefe, a former National Security Council official from 2022 to 2024 and National Security Agency official before that, said there had been government talks about a “narrow” letters of marque approach “with the private sector companies that we thought had the capabilities.” The concept was centered on ransomware, Russia and rules of the road for those companies to operate. “It wasn’t going to be the Wild West,” said Keefe, now founder of Ex Astris Scientia, speaking like others in this story at Tuesday’s conference.

The companies with an emphasis on offense largely have only one customer — and that’s governments, said Joe McCaffrey, chief information security officer at defense tech company Anduril Industries. “It’s a really tough business to be in,” he said. “If you develop an exploit, you get to sell to one person legally, and then it gets burned, and you’re back again.”

By their nature, offensive cyber operations in the federal government are already very time- and manpower-intensive, said Brandon Wales, a former top official at the Cybersecurity and Infrastructure Security Agency and now vice president of cybersecurity at SentinelOne. Private sector companies could make their mark by innovating ways to speed up and expand the number of those operations, he said.

Overall, among the options of companies that could do more offensive work, the “industry doesn’t exist yet, but I think it’s coming,” said Andrew McClure, managing director at Forgepoint Capital.

Certainly Congress would have to clarify what companies are able to do legally as well, Wales said.

But that’s just the industry side. There’s plenty more to weigh when stepping up offense.

“However we start, we need to make sure that we are having the ability to measure impact,” said Megan Stifel, chief strategy officer for the Institute for Security and Technology. “Is this working? How do we know?”
If there was a consensus at the conference it’s that the United States — be it the government or private sector — needs to do more to deter adversaries in cyberspace by going after them more in cyberspace.

One knock on that idea has been that the United States can least afford to get into a cyber shooting match, since it’s more reliant on tech than other nations and an escalation would hurt the U.S. the most by presenting more vulnerable targets for enemies. But Dmitri Alperovitch, chairman of the Silverado Policy Accelerator, said that idea was wrong for a couple reasons, among them that other nations have become just as reliant on tech, too.

And “the very idea that in this current bleak state of affairs, engaging in cyber offense is escalatory, I propose to you, is laughable,” he said. “After all, what are our adversaries going to escalate to in response? Ransom more of our hospitals, penetrate more of our water and electric utilities, steal even more of our IP and financial assets?”

Alperovitch continued: “Not only is engaging in thoughtful and careful cyber offense not escalatory, but not doing so is.”

cyberscoop.com EN 2025 Google disruption-unit US
Microsoft Asked FBI for Help Tracking Palestinian Protests https://www.bloomberg.com/news/articles/2025-08-26/microsoft-asked-fbi-for-help-with-israel-gaza-protests
27/08/2025 09:29:00

bloomberg.com 2025-08-26 - Twenty activists urging company to sever ties with Israeli military were arrested last week. Executive Brad Smith said he welcomed discussion but not disruption.

For the better part of a year, Microsoft Corp. has failed to quell a small but persistent revolt by employees bent on forcing the company to sever business ties with Israel over its war in Gaza.

The world’s largest software maker has requested help from the Federal Bureau of Investigation in tracking protests, worked with local authorities to try and prevent them, flagged internal emails containing words like “Gaza” and deleted some internal posts about the protests, according to employees and documents reviewed by Bloomberg. Microsoft has also suspended and fired protesters for disrupting company events.

Despite those efforts, a steady trickle of employees, sometimes joined by outside supporters, continue to speak out in an escalating guerrilla campaign of mass emails and noisy public demonstrations. While still relatively small, the employee activism is notable given the weakening job market and the Trump administration’s crackdown on pro-Palestinian protests.

Last week, 20 people were arrested on a plaza at Microsoft’s Redmond, Washington, headquarters after disregarding orders by police to disperse. Instead, they chanted and called out Microsoft executives by name, linking arms as police dismantled their makeshift barricades and, one by one, zip-tied them and led them away.

On Tuesday, protesters occupied the office of Microsoft President Brad Smith, sharing video on the Twitch livestreaming platform that showed them chanting, hanging banners and briefly attempting to barricade a door with furniture. Smith didn’t appear to be there. Police detained at least two people who entered a building that houses the offices of senior executives, said Jill Green, a spokesperson for the Redmond Police Department. Others were protesting outside, she said.

An employee group called No Azure for Apartheid says that by selling software and artificial intelligence tools to Israel’s military, the company’s Azure cloud service is profiting from the deaths of civilians. Microsoft denies that, but the protests threaten to dent its reputation as a thoughtful employer and reasonable actor on the world stage. In recent years, Microsoft has generally stayed above the fray while its industry peers battled antitrust investigations, privacy scandals or controversial treatment of employees.

Now Microsoft is being forced to grapple with perhaps the most politically charged issue of the day: Israel’s treatment of Palestinians. Earlier this month, the company announced an investigation into reports by the Guardian newspaper and other news outlets that Israel’s military surveillance agency intercepted millions of Palestinian mobile phone calls, stored them on Microsoft servers then used the data to select bombing targets in Gaza. An earlier investigation commissioned by Microsoft found no evidence its software was used to harm people.

Microsoft says it expects customers to adhere to international law governing human rights and armed conflict, and that the company’s terms of service prohibit the use of Microsoft products to violate people’s rights. “If we determine that a customer — any customer — is using our technology in ways that violate our terms of service, we will take steps to address that,” Smith said in an interview last week, adding that the investigation should be completed within several weeks. Smith said employees were welcome to discuss the issue internally but that the company will not tolerate activities that disrupt its operation or staffers.

After Hamas’s deadly Oct. 7, 2023 attack on Israel, Microsoft executives were quick to offer condolences and support to employees. “Let us stand together in our shared humanity,” then-human resources chief Kathleen Hogan said in a note a few days after the attacks, which killed some 1,200 people, including civilians and soldiers.
Unity was short-lived: Jewish employees lamented what they said was a troubling rise in antisemitism. Palestinian staffers and their allies accused executives of ignoring concerns about their welfare and the war in Gaza, which has killed tens of thousands. The debate continued in internal chatrooms, meetings with human resources leaders and in question-and-answer sessions with executives. But the chatter was mostly limited to Microsoft’s halls.

That changed in early April at a bash Microsoft hosted to mark the 50th anniversary of the company’s founding. Early that morning, Vaniya Agrawal picked up Ibtihal Aboussad and drove to Microsoft’s campus. The two early-career company engineers — who respectively hail from the Chicago area and Morocco — had both decided to leave Microsoft over its ties to Israel, which had been documented in a series of articles, including by the Associated Press, and reached out to No Azure for Apartheid. “This isn’t just Microsoft Word with a little Clippy in the corner,” said Agrawal, who was arrested on Wednesday. “These are technological weapons. Cloud and AI are just as deadly as bombs and bullets.”

bloomberg.com EN 2025 Microsoft Israel FBI US
Intel and Trump Administration Reach Historic Agreement to Accelerate American Technology and Manufacturing Leadership https://www.intc.com/news-events/press-releases/detail/1748/intel-and-trump-administration-reach-historic-agreement-to
25/08/2025 11:55:23

Intel Corporation (INTC) www.intc.com Aug 22, 2025 • 4:53 PM EDT

U.S. Government to make $8.9 billion investment in Intel common stock as company builds upon its more than $100 billion expansion of resilient semiconductor supply chain

SANTA CLARA, Calif.--(BUSINESS WIRE)-- Intel Corporation today announced an agreement with the Trump Administration to support the continued expansion of American technology and manufacturing leadership. Under terms of the agreement, the United States government will make an $8.9 billion investment in Intel common stock, reflecting the confidence the Administration has in Intel to advance key national priorities and the critically important role the company plays in expanding the domestic semiconductor industry.

The government’s equity stake will be funded by the remaining $5.7 billion in grants previously awarded, but not yet paid, to Intel under the U.S. CHIPS and Science Act and $3.2 billion awarded to the company as part of the Secure Enclave program. Intel will continue to deliver on its Secure Enclave obligations and reaffirmed its commitment to delivering trusted and secure semiconductors to the U.S. Department of Defense. The $8.9 billion investment is in addition to the $2.2 billion in CHIPS grants Intel has received to date, making for a total investment of $11.1 billion.

“As the only semiconductor company that does leading-edge logic R&D and manufacturing in the U.S., Intel is deeply committed to ensuring the world’s most advanced technologies are American made,” said Lip-Bu Tan, CEO of Intel. “President Trump’s focus on U.S. chip manufacturing is driving historic investments in a vital industry that is integral to the country’s economic and national security. We are grateful for the confidence the President and the Administration have placed in Intel, and we look forward to working to advance U.S. technology and manufacturing leadership.”

“Intel is excited to welcome the United States of America as a shareholder, helping to create the most advanced chips in the world,” said Howard Lutnick, United States Secretary of Commerce. “As more companies look to invest in America, this administration remains committed to reinforcing our country’s dominance in artificial intelligence while strengthening our national security.”

Under the terms of today’s announcement, the government agrees to purchase 433.3 million primary shares of Intel common stock at a price of $20.47 per share, equivalent to a 9.9 percent stake in the company. This investment provides American taxpayers with a discount to the current market price while enabling the U.S. and existing shareholders to benefit from Intel’s long-term business success.

The government’s investment in Intel will be a passive ownership, with no Board representation or other governance or information rights. The government also agrees to vote with the Company’s Board of Directors on matters requiring shareholder approval, with limited exceptions.

The government will receive a five-year warrant, at $20 per share for an additional five percent of Intel common shares, exercisable only if Intel ceases to own at least 51% of the foundry business.

The existing claw-back and profit-sharing provisions associated with the government’s previously disbursed $2.2 billion grant to Intel under the CHIPS Act will be eliminated to create permanency of capital as the company advances its U.S. investment plans.

Investing in America’s Future

Intel has continued to strategically invest in research, development and manufacturing in the United States since the company’s founding in 1968. Over the last five years, Intel has invested $108 billion in capital and $79 billion in R&D, the majority of which were dedicated to expanding U.S.-based manufacturing capacity and process technology.

Intel is currently undertaking a significant expansion of its domestic chipmaking capacity, investing more than $100 billion to expand its U.S. sites. The company’s newest chip fabrication site in Arizona is expected to begin high-volume production later this year, featuring the most advanced semiconductor manufacturing process technology on U.S. soil.

Since joining the company as CEO in March, Tan has taken swift actions to strengthen Intel’s financial position, drive disciplined execution and revitalize an engineering-first culture. Today’s agreement supports the company’s broader strategy to position Intel for the future.

Strengthening the U.S. Technology Ecosystem

Intel’s U.S. investments come as many leading technology companies support President Trump’s agenda to achieve U.S. technology and manufacturing leadership.

Intel is deeply engaged with current and potential customers and partners who share its commitment to building a strong and resilient U.S. semiconductor supply chain.

Satya Nadella, Chairman and Chief Executive Officer, Microsoft: “The decades-long partnership between Microsoft and Intel has pioneered new frontiers of technology and showcased the very best of American ingenuity and innovation. Intel’s continued investment in strengthening the U.S. semiconductor supply chain, supported by President Trump’s bold strategy to rebuild this critical industry on American soil, will benefit the country and broader technology ecosystem for years to come.”

Michael Dell, Chairman and Chief Executive Officer, Dell Technologies: “The industry needs a strong and resilient U.S. semiconductor industry, and no company is more important to this mission than Intel. It’s great to see Intel and the Trump Administration working together to advance U.S. technology and manufacturing leadership. Dell fully supports these shared priorities, and we look forward to bringing a new generation of products to market powered by American-designed and manufactured Intel chips.”

Enrique Lores, President and CEO, HP: “We share Intel’s and the Trump Administration’s deep commitment to building a strong, resilient and secure U.S. semiconductor industry. Intel’s continued investment in domestic R&D and manufacturing is integral to future innovation and will strengthen the partnership between HP and Intel for years to come. This is a defining moment for great American companies to lead the world in cutting-edge technologies that will shape the future.”

Matt Garman, AWS CEO: “Leading-edge semiconductors are the bedrock of every AI technology and cloud platform, making U.S. investment in this critical industry one of the most important technological, economic and national security imperatives of our time. Intel plays a vital role as one of the country’s leading chip manufacturers, and we applaud the Trump administration’s efforts to usher in a new era of American innovation in partnership with American companies.”

PJT Partners acted as Intel’s exclusive financial advisor in connection with this investment agreement.

About Intel

Intel (Nasdaq: INTC) is an industry leader, creating world-changing technology that enables global progress and enriches lives. Inspired by Moore’s Law, we continuously work to advance the design and manufacturing of semiconductors to help address our customers’ greatest challenges. By embedding intelligence in the cloud, network, edge and every kind of computing device, we unleash the potential of data to transform business and society for the better. To learn more about Intel’s innovations, go to newsroom.intel.com and intel.com.

Forward-Looking Statements

This release contains forward-looking statements, including with respect to: the agreement with the U.S. government and its expected benefits, including the anticipated timing of closing and impacts to Intel’s existing agreements with the U.S. government under the CHIPS Act; Intel’s investment plans, including in manufacturing expansion projects and R&D; and the anticipated production using Intel’s latest semiconductor process technology in Arizona later this year. Such statements involve many risks and uncertainties that could cause our actual results to differ materially from those expressed or implied, including those associated with: uncertainties as to the timing of the consummation of the transaction and the receipt of funding; Intel’s ability to effectively use the proceeds and realize and utilize the other anticipated benefits of the transaction as contemplated thereby; the availability of appropriations from the legislative branch of the U.S. government and the ability of the executive branch of the U.S. government to obtain funding and support contemplated by the transaction; the determination by the legislative, judicial or executive branches of the U.S. government that any aspect of the transaction was unauthorized, void or voidable; Intel’s ability to obtain additional or replacement financing, as needed; Intel’s ability to effectively assess, determine and monitor the financial, tax and accounting treatment of the transaction, together with Intel’s and the U.S. government’s obligations thereunder; litigation related to the transaction or otherwise; potential adverse reactions or changes to business relationships resulting from the announcement or completion of the transaction; the timing and achievement of expected business milestones; Intel’s ability to effectively comply with the broader legal and regulatory requirements and heightened scrutiny associated with government partnerships and contracts; the high level of competition and rapid technological change in the semiconductor industry; the significant long-term and inherently risky investments Intel is making in R&D and manufacturing facilities that may not realize a favorable return; the complexities and uncertainties in developing and implementing new semiconductor products and manufacturing process technologies; Intel’s ability to time and scale its capital investments appropriately; changes in demand for Intel’s products; macroeconomic conditions and geopolitical tensions and conflicts, including geopolitical and trade tensions between the U.S. and China, the impacts of Russia's war on Ukraine, tensions and conflict affecting Israel and the Middle East, and rising tensions between mainland China and Taiwan; the evolving market for products with AI capabilities; Intel’s complex global supply chain supporting its manufacturing facilities and incorporating external foundries, including from disruptions, delays, trade tensions and conflicts, or shortages; recently elevated geopolitical tensions, volatility and uncertainty with respect to international trade policies, including tariffs and export controls, impacting Intel’s business, the markets in which it competes and the world economy; product defects, errata and other product issues, particularly as Intel develops next-generation products and implements next-generation manufacturing process technologies; potential security vulnerabilities in Intel’s products; increasing and evolving cybersecurity threats and privacy risks; IP risks including related litigation and regulatory proceedings; the need to attract, retain, and motivate key talent; Intel’s debt obligations and its ability to access sources of capital; complex and evolving laws and regulations across many jurisdictions; fluctuations in currency exchange rates; changes in Intel’s effective tax rate; catastrophic events; environmental, health, safety, and product regulations; and other risks and uncertainties described in this release and Intel’s 2024 Form 10-K, Q1 2025 Form 10-Q, Q2 2025 Form 10-Q, and other filings with the SEC. Readers are cautioned not to place undue reliance on these forward-looking statements, which speak only as of the date they were first made. Intel does not undertake, and expressly disclaims any duty, to update such statements, whether as a result of new information, new developments, or otherwise, except to the extent that disclosure may be required by law.

intc.com EN 2025 Trump Intel US Government investment
Uzbekistan airline hack reveals data on U.S. government employees https://san.com/cc/uzbekistan-airline-hack-reveals-data-on-u-s-government-employees/
25/08/2025 11:38:01

san.com Aug 23, 2025 at 12:34 AM GMT+2
A hacker breached an airline and stole information on hundreds of thousands of people, including U.S. government employees.

Summary

  • Exposed IDs
    Straight Arrow News examined 2,626 photos of identifying documents such as passports, IDs and birth certificates that were stolen by a hacker.

  • U.S. government data
    The data includes the names, emails and phone numbers of employees from the State Department, ICE, TSA, CBP and more.

  • Airline denial
    Uzbekistan Airways denied that any intrusion took place and even suggested that leaked data may have been generated with artificial intelligence.

Full story
A hacker claims to have stolen information on hundreds of thousands of people — including U.S. government employees — after breaching an international airline. Straight Arrow News obtained a sample of the data, allegedly taken from Uzbekistan Airways, and confirmed the presence of sensitive documents such as scans of thousands of passports.

The data was advertised on Thursday by the hacker, who is known online as ByteToBreach and purports to be a native of the Swiss Alps, on a dark web forum known for hosting leaks, malware and hacking tools. The purportedly 300-gigabyte data cache contains, among other things, the email addresses of 500,000 passengers and 400 airline employees.

The post included a sample of the data, such as alleged credentials for multiple servers and software programs run by the airline. It also showed partial credit card data, as well as scans of 75 passports from the U.S., Russia, Israel, the U.K., South Korea and other nations. The hacker claims to have obtained identifying documents from more than 40 different countries.

The hacker provided Straight Arrow News with a larger data sample than the one posted online, containing 2,626 photos of identifying documents such as passports, IDs, marriage licenses and birth certificates. Numerous passports belonged to babies and young children.

Passports and other identifying data are valuable on underground markets given their potential use for a range of criminal activities, such as fraud and identity theft. Hackers could also leverage the prevalence of data on government employees for phishing attacks.
U.S. government employees’ data compromised
Another document from the sample the hacker provided to SAN contained 285 email addresses belonging to airline employees. A list of email addresses for passengers held 503,410 entries.

A spreadsheet with personal information of 379,603 members of Uzbekistan Airways’ loyalty program exposes names, genders, birthdates, nationalities, email addresses, phone numbers, member IDs and more.

The email addresses indicate that those members include employees of several U.S. government agencies, including the State Department, the Department of Energy, Immigration and Customs Enforcement, Customs and Border Protection and the Transportation Security Administration.

Employees of foreign government agencies from countries like Russia, Uzbekistan and the United Arab Emirates were also in the data.

SAN reached out to several phone numbers of government employees. An apparent TSA employee answered the phone by introducing themselves with the first name listed in the hacked data, as well as their government position. After SAN explained that their data had been exposed, the employee declined to comment and referred a reporter to the Department of Homeland Security’s public affairs office.

The public affairs office did not respond to an email from SAN. An email to the State Department’s office of press operations went unanswered as well.

Four files containing raw reservation and ticketing data mention airlines, airports, flight numbers and other information. The hacker also claimed that the raw data contained partial credit card information, although SAN was unable to independently verify the presence of financial data.
...

san.com EN 2025 Uzbekistan airline hack US
AT&T may pay customers up to $7,500 in $177 million data breach settlement https://edition.cnn.com/2025/08/16/business/att-data-leak-settlement
18/08/2025 11:15:38

edition.cnn.com | CNN Business - Millions of AT&T customers can file claims worth up to $7,500 in cash payments as part of a $177 million settlement related to data breaches in 2024.

The telecommunications company had faced a pair of data breaches, announced in March and July 2024, that were met with lawsuits.

Here’s a breakdown.

What happened?
On March 30, 2024, AT&T announced it was investigating a data leak that had occurred roughly two weeks prior. The leaked data dated from 2019 and earlier, included Social Security numbers, and covered 73 million current and former customers; it was found in a dataset on the dark web.

Four months later, the company disclosed a separate breach, which it attributed to an “illegal download” from a third-party cloud platform that it had learned about in April. This leak included telephone numbers of “nearly all” AT&T cellular customers and customers of providers that used the AT&T network between May 1 and October 31, 2022, the company said.

The class-action settlement includes a $149 million cash fund for the first breach and a $28 million payout for the second breach.

Am I eligible for a claim?
AT&T customers whose data was involved in either breach, or both, will be eligible. Customers eligible to file a claim will receive an email notice, according to the settlement website.
AT&T said Kroll Settlement Administration is notifying current and former customers.

How do I file a claim?
The deadline to submit a claim is November 18. The final approval hearing for the settlement is December 3, according to the settlement website, and there could be appeals following an approval “and resolving them can take time.”

“Settlement Class Member Benefits will begin after the Settlement has obtained Court approval and the time for all appeals has expired,” the website states.

How much can I claim?
Customers impacted by the March incident are eligible for a cash payment of up to $5,000. Claims must include documentation of losses that happened in 2019 or later, and that are “fairly traceable” to the AT&T breach.

edition.cnn.com EN 2025 AT&T data-breach settlement US
Exclusive: US embeds trackers in AI chip shipments to catch diversions to China, sources say https://www.reuters.com/world/china/us-embeds-trackers-ai-chip-shipments-catch-diversions-china-sources-say-2025-08-13/
15/08/2025 12:35:54

reuters.com - Aug 13 (Reuters) - U.S. authorities have secretly placed location tracking devices in targeted shipments of advanced chips they see as being at high risk of illegal diversion to China, according to two people with direct knowledge of the previously unreported law enforcement tactic.
The measures aim to detect AI chips being diverted to destinations which are under U.S. export restrictions, and apply only to select shipments under investigation, the people said.

They show the lengths to which the U.S. has gone to enforce its chip export restrictions on China, even as the Trump administration has sought to relax some curbs on Chinese access to advanced American semiconductors.
The trackers can help build cases against people and companies who profit from violating U.S. export controls, said the people, who declined to be named because of the sensitivity of the issue.
Location trackers are a decades-old investigative tool used by U.S. law enforcement agencies to track products subject to export restrictions, such as airplane parts. They have been used to combat the illegal diversion of semiconductors in recent years, one source said.

Five other people actively involved in the AI server supply chain say they are aware of the use of the trackers in shipments of servers from manufacturers such as Dell (DELL.N) and Super Micro (SMCI.O), which include chips from Nvidia (NVDA.O) and AMD (AMD.O).
Those people said the trackers are typically hidden in the packaging of the server shipments. They did not know which parties were involved in installing them and where along the shipping route they were inserted.
Reuters was not able to determine how often the trackers have been used in chip-related investigations or when U.S. authorities started using them to investigate chip smuggling. The U.S. started restricting the sale of advanced chips by Nvidia, AMD and other manufacturers to China in 2022.
In one 2024 case described by two of the people involved in the server supply chain, a shipment of Dell servers with Nvidia chips included both large trackers on the shipping boxes and smaller, more discreet devices hidden inside the packaging — and even within the servers themselves.
A third person said they had seen images and videos of trackers being removed by other chip resellers from Dell and Super Micro servers. The person said some of the larger trackers were roughly the size of a smartphone.
The U.S. Department of Commerce's Bureau of Industry and Security, which oversees export controls and enforcement, is typically involved, and Homeland Security Investigations and the Federal Bureau of Investigation may take part too, said the sources.
The HSI and FBI both declined to comment. The Commerce Department did not respond to requests for comment.
The Chinese foreign ministry said it was not aware of the matter.
Super Micro said in a statement that it does not disclose its “security practices and policies in place to protect our worldwide operations, partners, and customers.” It declined to comment on any tracking actions by U.S. authorities.

reuters.com EN chip 2025 embedded US shipments ai chip trade-war
China Turns to A.I. in Information Warfare https://www.nytimes.com/2025/08/06/us/politics/china-artificial-intelligence-information-warfare.html
11/08/2025 23:11:46

nytimes.com - Documents examined by researchers show how one company in China has collected data on members of Congress and other influential Americans.

The Chinese government is using companies with expertise in artificial intelligence to monitor and manipulate public opinion, giving it a new weapon in information warfare, according to current and former U.S. officials and documents unearthed by researchers.

One company’s internal documents show how it has undertaken influence campaigns in Hong Kong and Taiwan, and collected data on members of Congress and other influential Americans.

While the firm has not mounted a campaign in the United States, American spy agencies have monitored its activity for signs that it might try to influence American elections or political debates, former U.S. officials said.

Artificial intelligence is increasingly the new frontier of espionage and malign influence operations, allowing intelligence services to conduct campaigns far faster, more efficiently and on a larger scale than ever before.

The Chinese government has long struggled to mount information operations targeting other countries, lacking the aggressiveness or effectiveness of Russian intelligence agencies. But U.S. officials and experts say that advances in A.I. could help China overcome its weaknesses.

A new technology can track public debates of interest to the Chinese government, offering the ability to monitor individuals and their arguments as well as broader public sentiment. The technology also has the promise of mass-producing propaganda that can counter shifts in public opinion at home and overseas.

China’s emerging capabilities come as the U.S. government pulls back efforts to counter foreign malign influence campaigns.

U.S. spy agencies still collect information about foreign manipulation, but the Trump administration has dismantled the teams at the State Department, the F.B.I. and the Cybersecurity and Infrastructure Security Agency that warned the public about potential threats. In the last presidential election, the campaigns included Russian videos denigrating Vice President Kamala Harris and falsely claiming that ballots had been destroyed.

The new technology allows the Chinese company GoLaxy to go beyond the election influence campaigns undertaken by Russia in recent years, according to the documents.

In a statement, GoLaxy denied that it was creating any sort of “bot network or psychological profiling tour” or that it had done any work related to Hong Kong or other elections. It called the information presented by The New York Times about the company “misinformation.”

“GoLaxy’s products are mainly based on open-source data, without specially collecting data targeting U.S. officials,” the firm said.

After being contacted by The Times, GoLaxy began altering its website, removing references to its national security work on behalf of the Chinese government.

The documents examined by researchers appear to have been leaked by a disgruntled employee upset about wages and working conditions at the company. While most of the documents are not dated, the majority of those that include dates are from 2020, 2022 and 2023. They were obtained by Vanderbilt University’s Institute of National Security, a nonpartisan research and educational center that studies cybersecurity, intelligence and other critical challenges.

Publicly, GoLaxy advertises itself as a firm that gathers data and analyzes public sentiment for Chinese companies and the government. But in the documents, which were reviewed by The Times, the company privately claims that it can use a new technology to reshape and influence public opinion on behalf of the Chinese government.

nytimes.com EN 2025 GoLaxy China US influence AI manipulate
Federal court filing system hit in sweeping hack https://www.politico.com/news/2025/08/06/federal-court-filing-system-pacer-hack-00496916
08/08/2025 14:20:10

politico.com - The identities of confidential court informants are feared compromised in a series of breaches across multiple U.S. states.

The electronic case filing system used by the federal judiciary has been breached in a sweeping cyber intrusion that is believed to have exposed sensitive court data across multiple U.S. states, according to two people with knowledge of the incident.

The hack, which has not been previously reported, is feared to have compromised the identities of confidential informants involved in criminal cases at multiple federal district courts, said the two people, both of whom were granted anonymity because they were not authorized to speak publicly about the hack.

The Administrative Office of the U.S. Courts — which manages the federal court filing system — first determined how serious the issue was around July 4, said the first person. But the office, along with the Justice Department and individual district courts around the country, is still trying to determine the full extent of the incident.

It is not immediately clear who is behind the hack, though nation-state-affiliated actors are widely suspected, the people said. Criminal organizations may also have been involved, they added.

The Administrative Office of the U.S. Courts declined to comment. Asked whether it is investigating the incident, the FBI referred POLITICO to the Justice Department. The Justice Department did not immediately reply to a request for comment.

It is not immediately clear how the hackers got in, but the incident is known to affect the judiciary’s federal core case management system, which includes two overlapping components: Case Management/Electronic Case Files, or CM/ECF, which legal professionals use to upload and manage case documents; and PACER, a system that gives the public limited access to the same data.

In addition to records on witnesses and defendants cooperating with law enforcement, the filing system includes other sensitive information potentially of interest to foreign hackers or criminals, such as sealed indictments detailing non-public information about alleged crimes, and arrests and search warrants that criminal suspects could use to evade capture.

Chief judges of the federal courts in the 8th Circuit — which includes Arkansas, Iowa, Minnesota, Missouri, Nebraska, North Dakota, and South Dakota — were briefed on the hack at a judicial conference last week in Kansas City, said the two people. It is unclear who delivered the brief, though the Director of the Administrative Office of the U.S. Courts, Judge Robert J. Conrad, Jr., was in attendance, per the first person. Supreme Court Justice Brett Kavanaugh was also in attendance but didn’t address the breach in his remarks.

Staff for Conrad, a district judge in the Western District of North Carolina, declined to comment.

The hack is the latest sign that the federal court filing system is struggling to keep pace with a rising wave of cybersecurity threats.

politico.com EN 2025 US Federal court hack compromised
SharePoint Exploit: Microsoft Used China-Based Engineers to Maintain the Software https://www.propublica.org/article/microsoft-sharepoint-hack-china-cybersecurity
06/08/2025 12:29:25

propublica.org - Microsoft announced that Chinese state-sponsored hackers had exploited vulnerabilities in its popular SharePoint software but didn’t mention that it has long used China-based engineers to maintain the product.
Last month, Microsoft announced that Chinese state-sponsored hackers had exploited vulnerabilities in SharePoint, the company’s widely used collaboration software, to access the computer systems of hundreds of companies and government agencies, including the National Nuclear Security Administration and the Department of Homeland Security.

The company did not include in its announcement, however, that support for SharePoint is handled by a China-based engineering team that has been responsible for maintaining the software for years.

ProPublica viewed screenshots of Microsoft’s internal work-tracking system that showed China-based employees recently fixing bugs for SharePoint “OnPrem,” the version of the software involved in last month’s attacks. The term, short for “on premises,” refers to software installed and run on customers’ own computers and servers.

Microsoft said the China-based team “is supervised by a US-based engineer and subject to all security requirements and manager code review. Work is already underway to shift this work to another location.”

It’s unclear if Microsoft’s China-based staff had any role in the SharePoint hack. But experts have said allowing China-based personnel to perform technical support and maintenance on U.S. government systems can pose major security risks. Laws in China grant the country’s officials broad authority to collect data, and experts say it is difficult for any Chinese citizen or company to meaningfully resist a direct request from security forces or law enforcement. The Office of the Director of National Intelligence has deemed China the “most active and persistent cyber threat to U.S. Government, private-sector, and critical infrastructure networks.”

ProPublica revealed in a story published last month that Microsoft has for a decade relied on foreign workers — including those based in China — to maintain the Defense Department’s cloud systems, with oversight coming from U.S.-based personnel known as digital escorts. But those escorts often don’t have the advanced technical expertise to police foreign counterparts with far more advanced skills, leaving highly sensitive information vulnerable, the investigation showed.

ProPublica found that Microsoft developed the escort arrangement to satisfy Defense Department officials who were concerned about the company’s foreign employees, and to meet the department’s requirement that people handling sensitive data be U.S. citizens or permanent residents. Microsoft went on to win federal cloud computing business and has said in earnings reports that it receives “substantial revenue from government contracts.” ProPublica also found that Microsoft uses its China-based engineers to maintain the cloud systems of other federal departments, including parts of Justice, Treasury and Commerce.

In response to the reporting, Microsoft said that it had halted its use of China-based engineers to support Defense Department cloud computing systems, and that it was considering the same change for other government cloud customers. Additionally, Defense Secretary Pete Hegseth launched a review of tech companies’ reliance on foreign-based engineers to support the department. Sens. Tom Cotton, an Arkansas Republican, and Jeanne Shaheen, a New Hampshire Democrat, have written letters to Hegseth, citing ProPublica’s investigation, to demand more information about Microsoft’s China-based support.

Microsoft said its analysis showed that Chinese hackers were exploiting SharePoint weaknesses as early as July 7. The company released a patch on July 8, but hackers were able to bypass it. Microsoft subsequently issued a new patch with “more robust protections.”

The U.S. Cybersecurity and Infrastructure Security Agency said that the vulnerabilities enable hackers “to fully access SharePoint content, including file systems and internal configurations, and execute code over the network.” Hackers have also leveraged their access to spread ransomware, which encrypts victims’ files and demands a payment for their release, CISA said.

propublica.org EN 2025 Microsoft Sharepoint China-Based Engineers US
Exclusive: Confidential informants exposed in Louisiana sheriff's office hack https://san.com/cc/exclusive-confidential-informants-exposed-in-louisiana-sheriffs-office-hack/
06/08/2025 12:14:12

san.com - Data stolen by a ransomware gang has exposed highly sensitive information from a Louisiana sheriff’s office, including the names, telephone numbers and Social Security numbers of confidential informants in criminal investigations. Straight Arrow News obtained a copy of the data from DDoSecrets, a non-profit that archives hacked and leaked documents in the public interest.

Medusa, a suspected Russian cybercrime group, said on its Dark Web blog in April 2024 that it had pilfered more than 90 gigabytes of data from the East Baton Rouge Sheriff’s Office.

The sheriff’s office initially claimed the intrusion had been quickly detected and stopped, allowing the hackers to obtain only a limited amount of data, such as “screenshots of file folders and still images from video files,” WBRZ-TV reported.

65,000 files
A sample of the stolen files shared at the time by Medusa included payroll information, showing that the breach was more substantial than first claimed by the sheriff’s office. Medusa threatened to release all of the data, which contains over 65,000 files, unless the sheriff’s office paid $300,000. There’s no indication the ransom was ever paid.

The East Baton Rouge Sheriff’s Office did not respond to a request for comment from SAN.

SAN’s analysis of the full data cache provides an insight into just how damaging the breach was. Given the sensitivity of the data, DDoSecrets is only sharing it with approved journalists, researchers and defense attorneys practicing in Baton Rouge.

The data covers both the banal day-to-day operations of a law enforcement agency and the potentially life-and-death details of drug cases and other criminal investigations.

“The East Baton Rouge Sheriff’s Office data is an extraordinary example of the inner workings of a police department, down to Internal Affairs investigations and details about the use of confidential informants,” DDoSecrets co-founder Emma Best told SAN. “While the police are obviously of public interest and deserve no privacy, their targets and victims do. With that in mind, we’re refraining from republishing the full data to the public while encouraging journalists and civil rights advocates to engage with it.”

Best said the data cache was posted by Medusa to the messaging app Telegram, but that their channels were repeatedly shut down. The contents of the breach have not been extensively reported on until now.

Law enforcement entities are common targets for ransomware gangs. In 2021, the Metropolitan Police Department in Washington, D.C., was hacked by a Russian-speaking ransomware group known as Babuk, resulting in the leak of 250 gigabytes of data after the department refused to pay a ransom. The data also included sensitive information on informants and police officers.

Confidential informants
Contracts signed by 34 confidential informants in 2023 are among the exposed data from Louisiana.

A document titled “CI Information” lists the names, dates of birth and Social Security numbers of 200 confidential informants involved in narcotics investigations. Names of deputies overseeing informants and case numbers are included, as well as whether the informants are still active. Deactivation dates, indicating when an informant’s work ended, range from 2020 to 2023.

A folder titled “C.I. G.P.S. routes” contains numerous images of maps detailing the movements of informants across Baton Rouge.

Seized devices
A document last edited in August 2023 lists devices seized by the sheriff’s office, primarily mobile phones. The document notes whether a warrant had been requested or obtained, as well as additional steps that may have been needed to access a device’s contents.

Several phones were turned over to the FBI, the data indicates. Some files mention that cellphone hacking tools were needed to pull data from the devices. Files refer to both Cellebrite, an Israeli company that produces tools for extracting data from mobile devices, and GrayKey, a mobile forensics tool developed by the US-based company Grayshift that similarly unlocks and extracts data from phones.

The data also shows that the Drug Enforcement Agency sought access to historical location data and other information from a target’s cell phone.

Cell phone surveillance
Pen trap and trace search warrants — court orders that allow law enforcement to collect cell phone metadata such as numbers dialed — were issued to cellular service providers T-Mobile, AT&T and Verizon.

Many of the warrants mention the use of a “cell site simulator,” also known as an IMSI catcher, to reveal a suspect’s whereabouts. Cell site simulators, commonly referred to as Stingrays, are devices that mimic cell phone towers and can be used to pinpoint the location of specific phones.

Sock puppet accounts
A presentation about online investigations advises officers to create “sock puppet accounts,” a term used to describe a false online identity created to conceal an individual’s real one.

For instance, deputies were told to use a free VPN browser add-on for Google Chrome to hide their IP addresses. The website thisxdoesnotexist.com is also listed as a resource for deputies to create AI-generated images of everything from fake people to resumes.

Hidden cameras and drones
A folder titled “Tech” includes brochures listing an array of surveillance technology, such as GPS trackers and hidden cameras that can be placed inside items such as clothing, vape pens and Newport menthol cigarette packs.

A list of hidden cameras contains IP addresses, login credentials for remote access and identifying information for both the devices and SIM cards used.

One list shows 19 drones operated by the sheriff’s office, the majority of which are made by the Chinese manufacturer DJI. The drones are used by several divisions of the sheriff’s office, including SWAT and narcotics, for suspect apprehension and search and rescue missions.

A PowerPoint presentation in the data cache shows the default password used to access the internal system for logging drone usage. A folder titled “Operation Photos & Videos” shows both surveillance of criminal suspects as well as overhead images of sheriff’s deputies at a shooting range.

Internal affairs
Internal affairs data, including complaints made against the sheriff’s office, accuse deputies of racial profiling, unwarranted searches and excessive force.

Incidents range from a deputy being reprimanded for letting his 10- and 12-year-old children drive his patrol vehicle to another being arrested for battery and suspended for 30 days after being involved in a “road rage-type” episode.

Polygraph results
Other files detail the results of polygraph tests given to both deputies and suspects.

One file graphically details an alleged sexual assault and concludes that the person being tested had been deceitful. A deputy was also accused of being deceitful after being asked whether he’d referred to homosexuals as “disgusting” when discussing a fellow deputy believed to be gay.

san.com EN 2025 Ransomware Medusa US Louisiana sheriff data-breach
More than 90 state, local governments targeted using Microsoft SharePoint vulnerability, group says https://www.reuters.com/technology/more-than-90-state-local-governments-targeted-using-microsoft-sharepoint-2025-07-29/
02/08/2025 19:43:21

reuters.com - July 30 (Reuters) - More than 90 state and local governments have been targeted using the recently revealed vulnerability in Microsoft server software, according to a U.S. group devoted to helping local authorities collaborate against hacking threats.
The nonprofit Center for Internet Security, which houses an information-sharing group for state, local, tribal, and territorial government entities, provided no further details about the targets, but said it did not have evidence that the hackers had broken through.

"None have resulted in confirmed security incidents," Randy Rose, the center's vice president of security operations and intelligence, said in an email.
A wave of hacks hit servers running vulnerable versions of Microsoft SharePoint this month, causing widespread concern. The campaign has claimed at least 400 victims, according to Netherlands-based cybersecurity firm Eye Security. Multiple federal government agencies are reportedly among the victims, and new ones are being identified every day.
On Wednesday, a spokesperson for one of the U.S. Department of Energy's 17 national labs said it was among those hit.

"Attackers did attempt to access Fermilab's SharePoint servers," the spokesperson said, referring to the U.S. Fermi National Accelerator Laboratory. "The attackers were quickly identified, and the impact was minimal, with no sensitive or classified data accessed." The Fermilab incident was first reported by Bloomberg.
The U.S. Department of Energy has previously said the SharePoint security hack has affected "a very small number" of its systems.

reuters.com EN 2025 US governments SharePoint SharePoint-attack Fermilab
St. Paul Hobbled by Cyberattack, Prompting National Guard Response https://www.nytimes.com/2025/07/29/us/st-paul-cyberattack-walz.html
30/07/2025 11:10:18

nytimes.com (29.07.2025) - Gov. Tim Walz of Minnesota activated the National Guard to help the city of St. Paul address a cyberattack that was detected last Friday.
Gov. Tim Walz of Minnesota on Tuesday activated the state National Guard to help officials in St. Paul, the capital, respond to a complex cyberattack that was first detected on Friday.

Mayor Melvin Carter of St. Paul said the city had shut down the bulk of its computer systems as a defensive measure as state and federal investigators tackled what he called “a deliberate, coordinated digital attack, carried out by a sophisticated external actor.”

Mr. Carter said that the F.B.I. and several state agencies were helping assess who was behind the attack. He declined to say whether ransom had been demanded or whether there was any evidence suggesting a foreign government was behind the attack.

City officials said they have yet to ascertain whether sensitive data had been stolen.

Emergency services, including police response systems, were not crippled by the attack, the city said in a statement. The shutdown meant that city employees did not have access to the internet in municipal buildings, and that routine services such as library loans and online payment systems were inaccessible.
Large and small cities across the United States, along with school systems and hospitals, have been targeted in cyberattacks in recent years. Such attacks are often carried out by individuals who compromise networks and encrypt data, then demand ransom payments in order to restore access.

Attackers sometimes steal sensitive data — such as credit card information — that they can later sell online.

St. Paul officials said they detected unusual activity on their network Friday morning and eventually realized the city’s networks had been breached. Deeming it a serious attack, they sought help from the governor and federal law enforcement agencies as well as cybersecurity companies.

Mr. Walz issued an executive order on Tuesday directing the National Guard to assign military computer experts to assist officials in St. Paul. In the order, Mr. Walz said that “the scale and complexity of this incident exceeded both internal and commercial response capabilities.”

nytimes.com EN 2025 Cyberattack St.Paul-Hobbled US city
Arizona woman sentenced to 8.5 years for running North Korean laptop farm https://therecord.media/arizona-woman-sentenced-north-korean-laptop-farm
28/07/2025 20:58:11

therecord.media - Prosecutors said Chapman helped the North Korean IT workers obtain jobs at 309 companies, including a major television network, a car maker, a media company, a Silicon Valley technology company and more.
A U.S. District Court judge sentenced an Arizona woman to eight and a half years in prison for running a laptop farm used by North Korea’s government to perpetrate its IT worker scheme.

Christina Chapman pleaded guilty in February to wire fraud, money laundering and identity theft after the FBI discovered she was an instrumental cog in a wider campaign to get North Koreans hired in six-figure IT roles at prominent companies.

Prosecutors said Chapman helped the North Korean IT workers obtain jobs at 309 companies, including a major television network, a car maker, a media company, a Silicon Valley technology company and more. Members of the same group unsuccessfully tried to get employed at two different U.S. government agencies.

After North Korean officials obtained employment using fake identities, work laptops were sent to a home owned by Chapman, where she enabled the workers to connect remotely to the U.S. companies’ IT networks on a daily basis.

The FBI seized more than 90 laptops from Chapman’s home during an October 2023 raid. In addition to hosting the laptops and installing software that allowed the North Koreans to access them remotely, she also shipped 49 laptops to locations overseas, including multiple shipments to a Chinese city on the North Korean border.

In total, Chapman’s operation helped generate $17 million for the North Korean government. Security companies and law enforcement have not said how many laptop farms they estimate are scattered across North America and Europe but the DOJ called Chapman’s case “one of the largest North Korean IT worker fraud schemes charged by the Department of Justice.”

Her part of the operation involved 68 stolen identities and she reported millions in income to the IRS under the names of the people who had their identity stolen.

She forged payroll checks with the fake identities and typically managed the wages received from U.S. companies through direct deposit. She would then transfer the earnings to people overseas.

District Court Judge Randolph Moss ordered the 50-year-old Chapman to serve a 102-month prison term and three years of supervised release. She will have to forfeit nearly $300,000 that she planned to send to North Korea before her arrest and will pay a fine of more than $175,000.

Chapman was arrested last May as part of a wider takedown of North Korea’s scheme to have hundreds of their citizens hired at unwitting U.S. companies in IT positions.

Chapman was initially charged alongside a 27-year-old Ukrainian, Oleksandr Didenko, for helping at least three workers who operated under the aliases Jiho Han, Chunji Jin and Haoran Xu. The three were hired as software and applications developers with companies in a range of sectors and industries.

U.S. State Department officials said the three North Koreans assisted by Chapman and Didenko “are linked to the DPRK’s Munitions Industry Department, which oversees the development of the DPRK’s ballistic missiles, weapons production, and research and development programs.”

Didenko was arrested in Poland last year and the U.S. is seeking his extradition.

therecord.media EN 2025 North-Korea workers US FBI guilty sentenced
Ransomware Group Claims Attack on Belk https://www.securityweek.com/ransomware-group-claims-attack-on-belk/
16/07/2025 10:09:53

securityweek.com - DragonForce says it stole more than 150 gigabytes of data from US department store chain Belk in a May cyberattack

The DragonForce ransomware gang has claimed responsibility for a disruptive cyberattack on US department store chain Belk.

The incident was identified on May 8 and prompted Belk to disconnect affected systems, restrict network access, reset passwords, and rebuild impacted systems, which disrupted the chain’s online and physical operations for several days. The company’s online store is still offline at the time of publication.

Belk’s investigation into the attack determined that hackers had access to its network between May 7 and May 11, and that they exfiltrated certain documents, including files containing personal information.

In a data breach notification submitted to the New Hampshire Attorney General’s Office, Belk said at least names and Social Security numbers were compromised in the attack.

The company is providing the impacted individuals with 12 months of free credit monitoring and identity restoration services, which also include up to $1 million identity theft insurance.

The company has not named the group responsible for the attack, but the DragonForce ransomware gang has claimed the incident on Monday, adding Belk to its Tor-based leak site.

securityweek.com EN 2025 DragonForce Belk attack US claim
Microsoft “Digital Escorts” Could Expose Defense Dept. Data to Chinese Hackers — ProPublica https://www.propublica.org/article/microsoft-digital-escorts-pentagon-defense-department-china-hackers
16/07/2025 09:28:57

propublica.org - The Pentagon bans foreign citizens from accessing highly sensitive data, but Microsoft bypasses this by using engineers in China and elsewhere to remotely instruct American “escorts” who may lack expertise to identify malicious code.

  • Chinese Tech Support: Microsoft is using engineers in China to help maintain the Defense Department’s computer systems — with minimal supervision by U.S. personnel.
  • Skills Gap: Digital escorts often lack the technical expertise to police foreign engineers with far more advanced skills, leaving highly sensitive data vulnerable to hacking.
  • Ignored Warnings: Various people involved in the work told ProPublica that they warned Microsoft that the arrangement is inherently risky, but the company launched and expanded it anyway.

Microsoft is using engineers in China to help maintain the Defense Department’s computer systems — with minimal supervision by U.S. personnel — leaving some of the nation’s most sensitive data vulnerable to hacking from its leading cyber adversary, a ProPublica investigation has found.

The arrangement, which was critical to Microsoft winning the federal government’s cloud computing business a decade ago, relies on U.S. citizens with security clearances to oversee the work and serve as a barrier against espionage and sabotage.

But these workers, known as “digital escorts,” often lack the technical expertise to police foreign engineers with far more advanced skills, ProPublica found. Some are former military personnel with little coding experience who are paid barely more than minimum wage for the work.

propublica.org EN 2025 Microsoft Digital-Escorts China US investigation
Data Brokers are Selling Your Flight Information to CBP and ICE https://www.eff.org/deeplinks/2025/07/data-brokers-are-selling-your-flight-information-cbp-and-ice
10/07/2025 13:40:31

For many years, data brokers have existed in the shadows, exploiting gaps in privacy laws to harvest our information—all for their own profit. They sell our precise movements without our knowledge or meaningful consent to a variety of private and state actors, including law enforcement agencies. And they show no sign of stopping.

This incentivizes other bad actors. If companies collect any kind of personal data and want to make a quick buck, there’s a data broker willing to buy it and sell it to the highest bidder–often law enforcement and intelligence agencies.

One recent investigation by 404 Media revealed that the Airlines Reporting Corporation (ARC), a data broker owned and operated by at least eight major U.S. airlines, including United Airlines and American Airlines, collected travelers’ domestic flight records and secretly sold access to U.S. Customs and Border Protection (CBP). Despite selling passengers’ names, full flight itineraries, and financial details, the data broker prevented U.S. border forces from revealing it as the origin of the information. So, not only is the government doing an end run around the Fourth Amendment to get information where they would otherwise need a warrant—they’ve also been trying to hide how they know these things about us.

ARC’s Travel Intelligence Program (TIP) aggregates passenger data and contains more than one billion records spanning 39 months of past and future travel by both U.S. and non-U.S. citizens. CBP, which sits within the U.S. Department of Homeland Security (DHS), claims it needs this data to support local and state police keeping track of people of interest. But at a time of growing concerns about increased immigration enforcement at U.S. ports of entry, including unjustified searches, law enforcement officials will use this additional surveillance tool to expand the web of suspicion to even larger numbers of innocent travelers.

More than 200 airlines settle tickets through ARC, with information on more than 54% of flights taken globally. ARC’s board of directors includes representatives from U.S. airlines like JetBlue and Delta, as well as international airlines like Lufthansa, Air France, and Air Canada.

In selling law enforcement agencies bulk access to such sensitive information, these airlines—through their data broker—are putting their own profits over travelers' privacy. U.S. Immigration and Customs Enforcement (ICE) recently detailed its own purchase of personal data from ARC. In the current climate, this can have a detrimental impact on people’s lives.

eff EN 2025 privacy data-broker US ICE
A Marco Rubio impostor is using AI voice to call high-level officials https://www.washingtonpost.com/national-security/2025/07/08/marco-rubio-ai-imposter-signal/
09/07/2025 09:23:08

The unknown individual contacted at least five government officials, including three foreign ministers, a U.S. governor and a member of Congress, according to a State Department cable.

An impostor pretending to be Secretary of State Marco Rubio contacted foreign ministers, a U.S. governor and a member of Congress by sending them voice and text messages that mimic Rubio’s voice and writing style using artificial intelligence-powered software, according to a senior U.S. official and a State Department cable obtained by The Washington Post.

U.S. authorities do not know who is behind the string of impersonation attempts but they believe the culprit was probably attempting to manipulate powerful government officials “with the goal of gaining access to information or accounts,” according to a cable sent by Rubio’s office to State Department employees.

Using both text messaging and the encrypted messaging app Signal, which the Trump administration uses extensively, the impostor “contacted at least five non-Department individuals, including three foreign ministers, a U.S. governor, and a U.S. member of Congress,” said the cable, dated July 3.

The impersonation campaign began in mid-June when the impostor created a Signal account using the display name “Marco.Rubio@state.gov” to contact unsuspecting foreign and domestic diplomats and politicians, said the cable. The display name is not his real email address.

“The actor left voicemails on Signal for at least two targeted individuals and in one instance, sent a text message inviting the individual to communicate on Signal,” said the cable. It also noted that other State Department personnel were impersonated using email.

When asked about the cable, the State Department responded that it would “carry out a thorough investigation and continue to implement safeguards to prevent this from happening in the future.” Officials declined to discuss the contents of the messages or the names of the diplomats and officials who were targeted.

washingtonpost EN 2025 impostor deep-fake US Marco-Rubio Signal voicemails
A Group of Young Cybercriminals Poses the ‘Most Imminent Threat’ of Cyberattacks Right Now https://www.wired.com/story/scattered-spider-most-imminent-threat/
04/07/2025 08:39:10

The Scattered Spider hacking group has caused chaos among retailers, insurers, and airlines in recent months. Researchers warn that its flexible structure poses challenges for defense.

Empty grocery store shelves and grounded planes tend to signal a crisis, whether it’s an extreme weather event, public health crisis, or geopolitical emergency. But these scenes of chaos in recent weeks in the United Kingdom, United States, and Canada were caused instead by financially motivated cyberattacks—seemingly perpetrated by a collective of joyriding teens.

A notorious cybercriminal group often called Scattered Spider is known for using social engineering techniques to infiltrate target companies by tricking IT help desk workers into granting them system access. Researchers say that the group seems to gain expertise about the backend systems commonly used by businesses in a particular industry and then uses this knowledge to hit a cluster of targets before moving on to another sector. The group often deploys ransomware or conducts data extortion attacks once it has compromised its victims.

Amid increasing pressure from law enforcement last year, which culminated in charges and arrests of five suspects allegedly linked to Scattered Spider, researchers say that the group was less active in 2024 and seemed to be attempting to lay low. The group’s escalating attacks in recent weeks, though, have shown that, far from being defeated, Scattered Spider is emboldened once again.

“There are some uniquely skilled actors in Scattered Spider when it comes to social engineering, and they have identified a major gap in our security systems that they’re successfully taking advantage of,” says John Hultquist, chief analyst in Google’s threat intelligence group. “This group is carrying out serious attacks on our critical infrastructure, and I hope that we’re not missing the opportunity to address the most imminent threat.”

Though a number of incidents have not been publicly attributed, an overwhelming spree of recent attacks on UK grocery store chains, North American insurers, and international airlines has broadly been tied to Scattered Spider. In May, the UK’s National Crime Agency confirmed it was looking at Scattered Spider in connection to the attacks on British retailers. And the FBI warned in an alert on Friday that it has observed “the cybercriminal group Scattered Spider expanding its targeting to include the airline sector.” The warning came as North American airlines Westjet and Hawaii Airlines said they had been victims of cybercriminal hacks. On Wednesday, the Australian airline Qantas also said it had been hit with a cyberattack, though it was not immediately clear if this attack was part of the group’s campaign.

wired EN 2025 Cybercriminals Scattered-Spider UK US
Iran-linked hackers threaten to release Trump aides' emails https://www.reuters.com/legal/government/iran-linked-hackers-threaten-release-trump-aides-emails-2025-06-30/
02/07/2025 10:58:10
  • Hackers say they might try to sell emails from Trump aides
  • Group leaked documents from Republican president's campaign last year
  • US has said group known as Robert works for Iran's Revolutionary Guards

WASHINGTON, June 30 (Reuters) - Iran-linked hackers have threatened to disclose more emails stolen from U.S. President Donald Trump's circle, after distributing a prior batch to the media ahead of the 2024 U.S. election.

In online chats with Reuters on Sunday and Monday, the hackers, who go by the pseudonym Robert, said they had roughly 100 gigabytes of emails from the accounts of White House Chief of Staff Susie Wiles, Trump lawyer Lindsey Halligan, Trump adviser Roger Stone and porn star-turned-Trump antagonist Stormy Daniels.

reuters EN 2025 Iran US Trump leak threaten emails
Treasury Sanctions Global Bulletproof Hosting Service Enabling Cybercriminals and Technology Theft https://home.treasury.gov/news/press-releases/sb0185
02/07/2025 10:54:18

July 1, 2025
WASHINGTON - Today, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) is designating Aeza Group, a bulletproof hosting (BPH) services provider, for its role in supporting cybercriminal activity targeting victims in the United States and around the world. BPH service providers sell access to specialized servers and other computer infrastructure designed to help cybercriminals like ransomware actors, personal information stealers, and drug vendors evade detection and resist law enforcement attempts to disrupt their malicious activities. OFAC is also designating two affiliated companies and four individuals who are Aeza Group leaders. Finally, in coordination with the United Kingdom’s (UK) National Crime Agency (NCA), OFAC is designating an Aeza Group front company in the UK.

“Cybercriminals continue to rely heavily on BPH service providers like Aeza Group to facilitate disruptive ransomware attacks, steal U.S. technology, and sell black-market drugs,” said Acting Under Secretary of the Treasury for Terrorism and Financial Intelligence Bradley T. Smith. “Treasury, in close coordination with the UK and our other international partners, remains resolved to expose the critical nodes, infrastructure, and individuals that underpin this criminal ecosystem.”

Today’s action is being taken pursuant to Executive Order (E.O.) 13694, as further amended, and builds on OFAC’s February action targeting ZServers BPH. Today’s action also reflects Treasury’s continued work to combat cybercrime and degrade the support networks that enable malicious actors to target U.S. citizens, technology, and critical industries.

AEZA GROUP: KEY TECHNICAL SUPPORT FOR RANSOMWARE GROUPS, CYBERCRIME, AND ILLICIT DRUGS
Aeza Group, headquartered in St. Petersburg, Russia, has provided BPH services to ransomware and malware groups such as the Meduza and Lumma infostealer operators, who have used the hosting service to target the U.S. defense industrial base and technology companies, among other victims globally. Infostealers are often used to harvest personal identifying information, passwords, and other sensitive credentials from compromised victims. These credentials are then often sold on darknet markets for profit, making infostealer operators a key piece of the cybercrime ecosystem.

Aeza Group has also hosted BianLian ransomware, RedLine infostealer panels, and BlackSprut, a Russian darknet marketplace for illicit drugs. Darknet drug marketplaces allow for the anonymous purchase and shipment of narcotics over the internet, making them a present and increasing contributor to drug trafficking to the United States and worldwide. According to Treasury’s Financial Crimes Enforcement Network (FinCEN) and its supplemental advisory on fentanyl, criminal organizations use darknet marketplaces to sell precursor chemicals and manufacturing equipment used for the synthesis of fentanyl and other synthetic opioids, as well as to traffic fentanyl and other narcotics into the United States.

OFAC is designating Aeza Group pursuant to E.O. 13694, as further amended by E.O. 14144 and E.O. 14306, for being responsible or complicit in, or having engaged in, directly or indirectly, cyber-enabled activities originating from, or directed by persons located, in whole or in part, outside the United States that are reasonably likely to result in, or have materially contributed to, a threat to the national security, foreign policy, or economic health or financial stability of the United States, and that have the purpose of or involve causing a misappropriation of funds or economic resources, intellectual property, proprietary or business confidential information, personal identifiers, or financial information for commercial or competitive advantage or private financial gain.

Aeza International Ltd. is the United Kingdom branch of Aeza Group. Aeza Group uses Aeza International to lease IP addresses to cybercriminals, including Meduza infostealer operators.

Aeza Logistic LLC and Cloud Solutions LLC are Russia-based subsidiaries that are 100% owned by Aeza Group. Servers BPH. 

treasury.gov EN 2025 US Treasury Sanctions Bulletproof Hosting Service Aeza AezaGroup