Cyberveille curated by Decio
95 results tagged therecord.media
Spanish government cancels €10m contract using Huawei equipment https://therecord.media/spain-cancels-10-million-euro-huawei-contract
02/09/2025 11:42:15

therecord.media | The Record from Recorded Future News
September 1st, 2025

Last week, a contract worth €10 million ($11.7 million) had been awarded to the Spanish multinational Telefónica to use Huawei kit to upgrade the RedIRIS network, effectively more than 16,000km of infrastructure. On Friday, the government reversed course for “reasons of digital strategy and strategic autonomy,” as reported by El País.

The RedIRIS upgrade using Huawei equipment had been negotiated directly with Telefónica as the company had an existing €5.5 million contract from 2020 to boost the network. The Ministry of Digital Transformation argued the new upgrade was urgent due to the demands of new digital services, supercomputing projects and the network’s connections to Spain’s defense establishment.

It was partially driven by a need to improve the RedIRIS network’s resilience to cyberattacks, despite concerns that the use of equipment provided by Chinese vendors could increase the risk of cyberattacks to Western infrastructure.

These fears are often expressed in the context of Beijing’s offensive cyber espionage activities and China’s National Intelligence Law of 2017, which allows the state to “compel anyone in China to do anything,” as summarized by Britain’s National Cyber Security Centre. Huawei has consistently argued that such criticisms are illegitimate.

The company is currently restricted from most 5G networks across the European Union, although Spain has opted out of imposing such restrictions, and faces varying levels of bans in networks of NATO allies such as the United States and the United Kingdom.

Despite the apparent political hesitation regarding restricting Huawei equipment, Spain was among more than a dozen allies who last week warned about Chinese companies compromising global critical infrastructure.

The cancellation of the Telefónica contract comes amid alarm from Madrid’s allies about the prevalence of the Chinese company’s equipment within the Spanish telecommunications infrastructure, including the core of Telefónica’s 5G network.

In July, the chairs of the U.S. House and Senate Intelligence panels asked the country’s spy chief to scrutinize any intelligence information the U.S. shares with Spain after the disclosure the country’s wiretap system is underpinned by Huawei technology.

Spanish Prime Minister Pedro Sánchez, who has been among the EU’s most supportive leaders regarding Huawei, has pushed back against the bloc’s efforts to restrict it from 5G networks. Huawei has opened research facilities in Madrid and is a major employer as a technology contractor for a number of public administrations.

Natasha Buckley, a researcher at RUSI and lecturer in cybersecurity at Cranfield University, previously told Recorded Future News that Spain’s approach to the company stood in stark contrast to that of other NATO allies and many EU member states.

“Spain’s stance on high-risk technology vendors places greater emphasis on supply chain reliability than on geopolitical considerations, setting it apart from more restrictive approaches seen in countries like the UK, the Netherlands and Poland.

“While the EU’s 5G Cybersecurity Toolbox recommends limiting or excluding high-risk Chinese suppliers like Huawei, Spain’s implementation has been uneven. Huawei is restricted from some public 5G projects, yet its servers have been approved to store sensitive police wiretap data. The result is a case-by-case approach that falls short of a clearly defined policy towards high-risk vendors,” Buckley said.

therecord.media EN 2025 Spain Huawei government cancels contract
Hundreds of Swedish municipalities impacted by suspected ransomware attack on IT supplier https://therecord.media/sweden-municipalities-ransomware-software
29/08/2025 11:45:01

therecord.media Alexander Martin
August 27th, 2025

A suspected ransomware attack on a Swedish software provider is believed to have impacted around 200 of the country’s municipal governments.

A suspected ransomware attack on Miljödata, a Swedish software provider used for managing sick leave and similar HR reports, is believed to have impacted around 200 of the country’s municipal governments.

The attack was detected on Saturday, according to the company’s chief executive Erik Hallén. The attackers are attempting to extort Miljödata, police told local newspaper BLT.

Swedish Minister for Civil Defence Carl-Oskar Bohlin wrote in a short update on social media: “The scope of the incident has not yet been clarified, and it is too early to determine the actual consequences.”

Hallén told Swedish press agency TT that around 200 municipalities and regions were affected by the incident. Sweden has 290 municipalities and 21 regions.

Several regional governments have confirmed using Miljödata systems to handle employee data, including “for example, medical certificates, rehabilitation plans, work-related injuries, and more,” according to the local government of the island of Gotland.

Hallén reportedly said Miljödata was “working very intensively with external experts to investigate what happened, what and who was affected, and to restore system functionality.”

“The government is receiving ongoing information about the incident and is in close contact with the relevant authorities,” Bohlin, the civil defense minister, said.

“CERT-SE, which has the task of supporting Swedish society in handling and preventing IT security incidents, has offered advice and support to both the company in question and the affected customers,” the minister added. “The national cybersecurity center is coordinating the measures of the relevant authorities. A police investigation is also underway.”

He stressed the incident underscored the need for high levels of cybersecurity throughout society, and said the Swedish government planned to present a new cybersecurity bill to the Swedish parliament in the near future “that will impose increased requirements on a wide range of actors.”

therecord.media EN 2025 Miljödata Sweden ransomware municipalities
Germany’s top court holds that police can only use spyware to investigate serious crimes https://therecord.media/germany-spyware-limitations-court-rules
08/08/2025 14:21:50

therecord.media - Germany’s highest court on Thursday ruled that law enforcement cannot use spyware to monitor personal devices in cases that carry less than a three-year maximum sentence.

The court was responding to a lawsuit brought by the German digital freedoms organization Digitalcourage.

The plaintiffs argued that a 2017 rules change enabling law enforcement to use spyware to eavesdrop on encrypted chats and messaging platforms could unfairly expose communications belonging to people who are not criminal suspects.

The 2017 change to the German criminal procedure code was not precise enough about when spyware can be used, the court ruled, saying that snooping software is only appropriate in investigations of serious cases.

Such surveillance causes a “very severe interference” with fundamental rights, the court said in a press release.

Law enforcement use of spyware “enables the interception and analysis of all raw data exchanged and thus has an exceptional reach, particularly given the realities of modern information technology and its significance for communication relations,” the press release said.

therecord.media EN 2025 legal germany police spyware
SonicWall urges customers to take VPN devices offline after ransomware incidents https://therecord.media/sonicwall-possible-zero-day-gen-7-firewalls-ssl-vpn
05/08/2025 09:43:15

therecord.media - Multiple cybersecurity incident response firms are warning about the possibility that a zero-day vulnerability in some SonicWall devices is allowing ransomware attacks.

Ransomware gangs may be exploiting an unknown vulnerability in SonicWall devices to launch attacks on dozens of organizations.

Multiple incident response companies released warnings over the weekend about threat actors using the Akira ransomware to target SonicWall firewall devices for initial access. Experts at Arctic Wolf first revealed the incidents on Friday.

SonicWall has not responded to repeated requests for comment about the breaches but published a blog post on Monday afternoon confirming that it is aware of the campaign.

The company said Arctic Wolf, Google and Huntress have warned over the last 72 hours that there has been an increase in cyber incidents involving Gen 7 SonicWall firewalls that use the secure sockets layer (SSL) protocol.

“We are actively investigating these incidents to determine whether they are connected to a previously disclosed vulnerability or if a new vulnerability may be responsible,” the company said.

SonicWall said it is working with researchers, updating customers and will release updated firmware if a new vulnerability is found.

The company echoed the advice of several security firms, telling customers to disable SonicWall VPN services that use the SSL protocol.

At least 20 incidents
Arctic Wolf said on Friday that it has seen multiple intrusions within a short period of time and all of them involved access through SonicWall SSL VPNs.

“While credential access through brute force, dictionary attacks, and credential stuffing have not yet been definitively ruled out in all cases, available evidence points to the existence of a zero-day vulnerability,” the company said. None of the incident response companies have specified what that bug might be.

“In some instances, fully patched SonicWall devices were affected following credential rotation,” Arctic Wolf said, referring to the process of regularly resetting logins or other access.

The researchers added that the ransomware activity involving SonicWall VPNs began around July 15.

When pressed on whether any recent known SonicWall vulnerabilities are to blame for the attacks, an Arctic Wolf spokesperson said the researchers have “seen fully patched devices affected in this campaign, leading us to believe that this is tied to a net new zero day vulnerability.”

Arctic Wolf said in its advisory that given the high likelihood of such a bug, organizations “should consider disabling the SonicWall SSL VPN service until a patch is made available and deployed.”

Over the weekend, Arctic Wolf’s assessment was backed up by incident responders at Huntress, who confirmed several incidents involving the SonicWall SSL VPN.

A Huntress official said they have seen around 20 attacks since July 25 and many of the incidents include the abuse of privileged accounts, lateral movement, credential theft and ransomware deployment.

“This is happening at a pace that suggests exploitation, possibly a zero day exploit in Sonicwall. Threat actors have gained control of accounts that even have MFA deployed,” the official said.

He confirmed that the incidents Huntress examined also involved Akira ransomware.

'This isn't isolated'
Huntress released a lengthy threat advisory on Monday warning of a “likely zero-day vulnerability in SonicWall VPNs” that was being used to facilitate ransomware attacks. Like Arctic Wolf, they urged customers to disable the VPN service immediately.

“Over the last few days, the Huntress Security Operations Center (SOC) has been responding to a wave of high-severity incidents originating from SonicWall Secure Mobile Access (SMA) and firewall appliances,” Huntress explained.

“This isn't isolated; we're seeing this alongside our peers at Arctic Wolf, Sophos, and other security firms. The speed and success of these attacks, even against environments with MFA enabled, strongly suggest a zero-day vulnerability is being exploited in the wild.”

SonicWall devices are frequent targets for hackers because the types of appliances the company produces serve as gateways for secure remote access.

Just two weeks ago, Google warned of a campaign targeting end-of-life SonicWall SMA 100 series appliances through a bug tracked as CVE-2024-38475.

therecord.media EN 2025 SonicWall ransomware zero-day CVE-2024-38475
Patents by Silk Typhoon-linked company shed light on Beijing’s offensive hacking capabilities https://therecord.media/patents-silk-typhoon-company-beijing
04/08/2025 06:44:06

therecord.media 04.08 - Researchers have discovered more than 10 patents for powerful offensive cybersecurity technologies filed by a prominent Chinese company allegedly involved in Beijing’s Silk Typhoon campaign.


SentinelOne's threat researchers pored through recent Justice Department indictments of prominent Chinese hackers and mapped out the country’s evolving web of private companies that are hired to launch cyberattacks on behalf of the government.

The report focuses on intellectual property rights filings by Shanghai Firetech, a company the DOJ said works on behalf of the Shanghai State Security Bureau (SSSB). The company was allegedly involved in many of the Silk Typhoon attacks and was previously identified as part of the Hafnium attacks seen in 2021.

The researchers found previously unseen patents on offensive technologies tied to Shanghai Firetech, SentinelLabs expert Dakota Cary told Recorded Future News.

The findings suggest the company “serves other offensive missions not tied to the Hafnium cluster,” he said.

“The company also has patents on a variety of offensive tools that suggest the capability to monitor individual's homes, like ‘intelligent home appliances analysis platform,’ ‘long-range household computer network intelligentized control software,’ and ‘intelligent home appliances evidence collection software’ which could support surveillance of individuals abroad.”

Cary noted that intelligence agencies like the CIA are known to use similar tools.

Shanghai Firetech also filed patents for software for “remote” evidence collection, and for targeting routers and Apple devices, among other uses.

The patent for Apple computers stood out to the researchers because it allows actors to remotely recover files from devices and was not previously documented as a capability of any Hafnium-related threat actor.

SentinelLabs said the technologies “offer strong, often previously unreported offensive capabilities, from acquisition of encrypted endpoint data, mobile forensics, to collecting traffic from network devices.”

The Justice Department indicted two prominent hackers this month — Xu Zewei and Zhang Yu — who are accused of working with China’s Ministry of State Security (MSS) and its Shanghai bureau. The indictments said Xu and Zhang worked for two firms previously unattributed in the public domain to the Hafnium/Silk Typhoon group.

Xu was arrested after flying into Milan on July 3, and prosecutors accused both men of being deeply involved in China’s cyberattacks on institutions working on COVID-19 vaccines throughout 2020 and 2021. The DOJ obtained emails from Xu to the Shanghai security bureau confirming he had acquired the contents of the COVID-19 researchers’ mailboxes.

therecord.media EN 2025 China SilkTyphoon patents
Luxembourg probes reported attack on Huawei tech that caused nationwide telecoms outage | The Record from Recorded Future News https://therecord.media/luxembourg-telecom-outage-reported-cyberattack-huawei-tech
02/08/2025 19:34:03

therecord.media (01.08.2025) - Authorities in Luxembourg said a nationwide telecommunications outage in July was caused by a deliberately disruptive cyberattack. Huawei networking products were reportedly the target.

Luxembourg’s government announced on Thursday it was formally investigating a nationwide telecommunications outage caused last week by a cyberattack reportedly targeting Huawei equipment inside its national telecoms infrastructure.

The outage on July 23 left the country’s 4G and 5G mobile networks unavailable for more than three hours. Officials are concerned that large parts of the population were unable to call the emergency services as the fallback 2G system became overloaded. Internet access and electronic banking services were also inaccessible.

According to government statements issued to the country’s parliament, the attack was intentionally disruptive rather than an attempt to compromise the telecoms network that accidentally led to a system failure.

Officials said the attackers exploited a vulnerability in a “standardised software component” used by POST Luxembourg, the state-owned enterprise that operates most of the country’s telecommunications infrastructure. The government’s national alert system, which officials had intended to use to warn the population about the incident, failed to reach many people because it also depends on POST’s mobile network.

POST’s director-general described the attack itself as “exceptionally advanced and sophisticated,” but stressed it did not compromise or access internal systems and data. POST itself and the national CSIRT are currently forensically investigating the cause of the outage.

Although the government’s statements avoid naming the affected supplier, Luxembourg magazine Paperjam reported the attack targeted software used in Huawei routers. Paperjam added that the country’s critical infrastructure regulator is currently asking any organisations using Huawei enterprise routers to contact the CSIRT.

Remote denial-of-service vulnerabilities have previously been identified in the VRP network operating system used in Huawei’s enterprise networking products, although none have recently been publicly identified. Huawei’s press office did not respond to a request for comment.

The Luxembourg government convened a special crisis cell within the High Commission for National Protection (HCPN) to handle the response to the incident and to investigate its causes and impacts, alongside the CSIRT and public prosecutor.

The CSIRT’s full forensic investigation is intended to confirm how the attack happened, while the public prosecutor will assess whether a crime has taken place and if a perpetrator can be identified and prosecuted.

The incident has also accelerated Luxembourg’s national resilience review, a process already underway before the attack. Authorities, concerned that a single point of failure had such a dramatic disruptive effect, are now reassessing the robustness of critical infrastructure, including fallback procedures for telecom and emergency services.

Luxembourg is also exploring regulatory changes to allow mobile phones to automatically switch to other operators’ networks during telecom outages, a practice already used in countries like the United Kingdom, Germany and the United States for emergency calls.

therecord.media EN 2025 luxembourg telecom cyberattack Huawei
Arizona woman sentenced to 8.5 years for running North Korean laptop farm https://therecord.media/arizona-woman-sentenced-north-korean-laptop-farm
28/07/2025 20:58:11

therecord.media - Prosecutors said Chapman helped the North Korean IT workers obtain jobs at 309 companies, including a major television network, a car maker, a media company, a Silicon Valley technology company and more.

A U.S. District Court judge sentenced an Arizona woman to eight and a half years in prison for running a laptop farm used by North Korea’s government to perpetrate its IT worker scheme.

Christina Chapman pleaded guilty in February to wire fraud, money laundering and identity theft after the FBI discovered she was an instrumental cog in a wider campaign to get North Koreans hired in six-figure IT roles at prominent companies.

Prosecutors said Chapman helped the North Korean IT workers obtain jobs at 309 companies, including a major television network, a car maker, a media company, a Silicon Valley technology company and more. Members of the same group unsuccessfully tried to get employed at two different U.S. government agencies.

After North Korean officials obtained employment using fake identities, work laptops were sent to a home owned by Chapman, where she enabled the workers to connect remotely to the U.S. companies’ IT networks on a daily basis.

The FBI seized more than 90 laptops from Chapman’s home during an October 2023 raid. In addition to hosting the laptops and installing software that allowed the North Koreans to access them remotely, she also shipped 49 laptops to locations overseas, including multiple shipments to a Chinese city on the North Korean border.

In total, Chapman’s operation helped generate $17 million for the North Korean government. Security companies and law enforcement have not said how many laptop farms they estimate are scattered across North America and Europe but the DOJ called Chapman’s case “one of the largest North Korean IT worker fraud schemes charged by the Department of Justice.”

Her part of the operation involved 68 stolen identities and she reported millions in income to the IRS under the names of the people who had their identity stolen.

She forged payroll checks with the fake identities and typically managed the wages received from U.S. companies through direct deposit. She would then transfer the earnings to people overseas.

District Court Judge Randolph Moss ordered the 50-year-old Chapman to serve a 102-month prison term and three years of supervised release. She will have to forfeit nearly $300,000 that she planned to send to North Korea before her arrest and will pay a fine of more than $175,000.

Chapman was arrested last May as part of a wider takedown of North Korea’s scheme to have hundreds of their citizens hired at unwitting U.S. companies in IT positions.

Chapman was initially charged alongside a 27-year-old Ukrainian, Oleksandr Didenko, for helping at least three workers who operated under the aliases Jiho Han, Chunji Jin and Haoran Xu. The three were hired as software and applications developers with companies in a range of sectors and industries.

U.S. State Department officials said the three North Koreans assisted by Chapman and Didenko “are linked to the DPRK’s Munitions Industry Department, which oversees the development of the DPRK’s ballistic missiles, weapons production, and research and development programs.”

Didenko was arrested in Poland last year and the U.S. is seeking his extradition.

therecord.media EN 2025 North-Korea workers US FBI guilty sentenced
Russian vodka producer reports disruptions after ransomware attack | The Record from Recorded Future News https://therecord.media/novabev-russia-vodka-maker-ransomware-attack
22/07/2025 11:29:09

therecord.media - Novabev Group, the Russian maker of Beluga Vodka and other brands, had to stop shipments and temporarily close stores in its WineLab subsidiary after a ransomware attack.

More than 2,000 WineLab liquor stores across Russia have remained shut for three days following a ransomware attack on their parent company, one of Russia’s largest alcohol producers. Signs on WineLab doors said the stores were closed due to “technical issues.”

The attack crippled parts of the Novabev Group’s infrastructure, affecting WineLab’s point-of-sale systems and online services. The company confirmed that the attackers had demanded a ransom but said it refused to negotiate.

“The company maintains a principled position of rejecting any interaction with cybercriminals and refuses to fulfill their demands,” Novabev Group said in a statement on Wednesday. There is no indication so far that customer data has been compromised, though an investigation is ongoing, the company added.

The identity of the attackers remains unknown. No ransomware group has claimed responsibility for the incident, and Novabev has not publicly attributed the attack.

Novabev Group is a major Russian producer and distributor of spirits, including the Beluga and Belenkaya vodka brands.

The cyberattack has halted product shipments from Novabev for at least two days, according to local retailers quoted by Russian media outlet Vedomosti. Customers also reported being unable to pick up orders from retail locations or parcel lockers, with customer service offering to extend storage periods for online purchases.

WineLab’s stores are currently closed in major cities, including Moscow, St. Petersburg and surrounding regions, according to location data from Yandex Maps. Novabev’s website and mobile app also remain offline.

Forbes Russia estimated that each day of downtime could cost WineLab 200 million to 300 million rubles ($2.6 million to $3.8 million) in lost revenue. Cybersecurity experts interviewed by Forbes said they could not recall a comparable case in which a major Russian retail chain was forced to shut down entirely due to a cyberattack.

Novabev said its internal IT team is working “around the clock” with external specialists to restore operations and strengthen defenses against future threats.

therecord.media EN 2025 Novabev Group Vodka Russia cyberattack
Four arrested by UK police over ransomware attacks on M&S, Co-op and Harrods https://therecord.media/uk-arrests-four-ransomware-ms-harrods-co-op
10/07/2025 14:31:08

Four individuals in Britain were arrested early on Thursday morning by the National Crime Agency on suspicion of involvement in a range of ransomware attacks targeting the British retail sector earlier this year.

The individuals are a 20-year-old British woman from Staffordshire, a 19-year-old Latvian male from the West Midlands, a 19-year-old British man from London and a 17-year-old British male from the West Midlands.

All four are now in custody having been arrested at home, and the NCA said its officers have seized their electronic devices for forensic analysis.

The individuals are suspected of involvement in three incidents in April impacting British retailers Marks & Spencer, the Co-op and the London-based luxury store Harrods.

The NCA said the individuals are suspected of Computer Misuse Act offenses, blackmail, money laundering and participating in the activities of an organized crime group.

“Since these attacks took place, specialist NCA cybercrime investigators have been working at pace and the investigation remains one of the Agency’s highest priorities,” said Paul Foster, the head of the NCA’s National Cyber Crime Unit.

“Today’s arrests are a significant step in that investigation but our work continues, alongside partners in the UK and overseas, to ensure those responsible are identified and brought to justice.

“Cyber attacks can be hugely disruptive for businesses and I’d like to thank M&S, Co-op and Harrods for their support to our investigations. Hopefully this signals to future victims the importance of seeking support and engaging with law enforcement as part of the reporting process. The NCA and policing are here to help.”

therecord.media EN 2025 busted Scattered-Spider
French intel chief warns of evolving Russian hybrid operations, ‘existential threat’ to Europe | The Record from Recorded Future News https://therecord.media/french-intelligence-chief-russia-threat
10/07/2025 11:46:50

therecord.media July 9th, 2025 - DGSE intelligence head Nicolas Lerner said Moscow’s tactics are evolving and increasingly include on-the-ground activities carried out by paid operatives.

France’s top intelligence official has warned that Russia is waging "a war of influence" against the country through hybrid online disinformation, espionage and sabotage operations.

Nicolas Lerner, head of the DGSE foreign intelligence agency, said in an interview with French broadcaster LCI that Moscow’s tactics are evolving and now include physical operations carried out by paid intermediaries. He cited an incident last year in which suspected Russian saboteurs placed coffins near the Eiffel Tower draped in the French flag bearing the inscription “French soldiers of Ukraine.”

“These are not amateur operations,” Lerner said. “They reflect a desire to disrupt our information space and undermine trust in our institutions.”

He said that around 80 Russian agents were active in France before Russia’s full-scale invasion of Ukraine in 2022, and that 50 of them have since been expelled. Paris has also imposed sanctions on individuals linked to Moscow’s intelligence services.

Lerner warned that Russia poses a medium- and long-term “existential threat” to Europe, its democracies and its values.

His comments come amid alarm over a growing wave of alleged Russian hybrid operations across Europe. In recent months, NATO allies and EU member states have reported suspected sabotage, cyberattacks, and disinformation campaigns linked to Moscow.

In June, trains between Amsterdam and The Hague were disrupted in what Dutch authorities suspect was a sabotage attempt tied to the NATO summit. Around the same time, pro-Russian hacktivists claimed responsibility for distributed denial-of-service attacks targeting summit-related organizations.

In France, the high-speed rail network was hit by coordinated sabotage just hours before last year’s Olympic Games opening ceremony, affecting lines around Paris.

Polish officials recently accused Russian intelligence of orchestrating a 2024 fire at a major Warsaw shopping mall. Warsaw responded by shutting down a Russian consulate.

On Tuesday, three South London men were found guilty of carrying out an arson attack on a depot housing humanitarian aid intended for Ukraine. The men were hired by the Wagner Group, a private militia that has acted under the orders of the Kremlin.

European officials have also warned of cyber operations targeting military, government, and critical infrastructure across the continent. On Wednesday, German media reported that a Kremlin-linked hacking group is attempting to steal sensitive data from the German armed forces.

therecord.media EN 2025 Russia France hybrid-operations war-of-influence
Ransomware gang attacks German charity that feeds starving children https://therecord.media/welthungerhilfe-german-hunger-relief-charity-ransomware-attack
04/07/2025 12:20:06

therecord.media - Cybercriminals are extorting the German humanitarian aid group Welthungerhilfe (WHH) for 20 bitcoin. The charity said it will not pay.

Deutsche Welthungerhilfe (WHH), the German charity that aims to develop sustainable food supplies in some of the world’s most impoverished countries, has been attacked by a ransomware gang.

The charity, whose name literally translates as World Hunger Help, reached 16.4 million people in 2023. It is currently providing emergency aid to people in Gaza, Ukraine, Sudan and other countries and regions where there is an urgent need for food, water, medicine and basic necessities.

A spokesperson confirmed to Recorded Future News that WHH had been targeted by a ransomware-as-a-service (RaaS) group which recently listed the charity on its darknet leak site.

The cybercriminals are attempting to sell data stolen from the charity for 20 bitcoin, equivalent to around $2.1 million, although it is not clear whether WHH’s computer networks have also been encrypted. The charity said it would not be making an extortion payment to the criminals behind the attack.

“The affected systems were shut down immediately and external IT experts who specialise in such cases were called in. We have also further strengthened the security of our systems with additional technical protective measures,” said a WHH spokesperson.

“We have informed the relevant data protection authority, consulted our data protection officer and involved the police authorities. We continue to liaise closely with the authorities,” they added.

The charity stressed it was “continuing our work in our project countries unchanged. We continue to stand by the side of the people who need our support. In view of the many humanitarian crises worldwide, our work is more important than ever.”

The RaaS group that is extorting WHH was previously responsible for attacks on multiple hospitals — including The Ann & Robert H. Lurie Children’s Hospital of Chicago and hospitals run by Prospect Medical Holdings — and last year also attempted to extort the disability nonprofit Easterseals.

therecord.media EN 2025 Ransomware WHH Germany Cybercriminals Charity
Major food wholesaler says cyberattack impacting distribution systems https://therecord.media/major-food-wholesaler-cyberattack-impacting-distribution
09/06/2025 18:00:06

One of the largest food distributors in the U.S. reported a cyberattack to regulators on Monday, explaining that the incident has disrupted its operations and ability to fulfil customer orders.

United Natural Foods released a public statement and filed documents with the U.S. Securities and Exchange Commission (SEC) saying the cyberattack began on June 5.

The statement said the Rhode Island-based company identified unauthorized activity on its systems on Thursday, prompting officials to take systems offline. The action “has temporarily impacted the Company’s ability to fulfill and distribute customer orders.”

“The incident has caused, and is expected to continue to cause, temporary disruptions to the Company’s business operations,” United Natural Foods said. “The Company has implemented workarounds for certain operations in order to continue servicing its customers where possible. The Company is continuing to work to restore its systems to safely bring them back online.”

Law enforcement has been notified and the company said it has hired a cybersecurity firm to remediate the incident. The investigation into the attack “remains ongoing and is in its early stages.”

The press statement published on Monday said the company is working closely with “customers, suppliers, and associates” to minimize the disruption. The company did not respond to requests for comment.

United Natural Foods is the main supplier for Whole Foods and is considered the largest health and specialty food distributor in the United States and Canada. The company reported $8.2 billion in net sales last quarter.

therecord.media EN 2025 food wholesaler US cyberattack United-Natural-Foods
Malaysian home minister’s WhatsApp hacked, used to scam contacts https://therecord.media/malaysia-hack-scam-whatsapp-minister
04/06/2025 13:08:34

The hack into the account of the country’s top security official has drawn criticism online.

Malaysia’s home minister had his WhatsApp account hacked and then abused to send malicious links to his contacts, according to police.

The attacker reportedly used a virtual private network (VPN) to compromise the account of Datuk Seri Saifuddin Nasution Ismail, authorities said at a press conference on Friday, adding that no victims have reported financial losses so far. They did not elaborate on how the hack was carried out.

The Ministry of Home Affairs, which oversees law enforcement, immigration and censorship, confirmed the incident and urged the public not to respond to any messages or calls claiming to be from the minister, especially those involving financial or personal requests.

The breach is under investigation and law enforcement is working to determine the hacker’s location.

Mobile phishing scams have become increasingly common in Malaysia. Local media have reported that citizens are frequently targeted by fraudsters posing as police, bank officials or court representatives.

The recent WhatsApp incident follows similar attacks on other high-ranking officials. In March, scammers hijacked the WhatsApp account of parliamentary speaker Johari Abdul and tricked some of his contacts into sending money. In 2022, threat actors accessed Telegram and Signal accounts belonging to former Prime Minister Ismail Sabri. And in 2015, hackers took over the Royal Malaysia Police’s Twitter and Facebook accounts, posting pro-Islamic State group messages.

Nasution Ismail faced online criticism and ridicule following the WhatsApp hack, with local media reporting that citizens questioned the strength of Malaysia’s cybersecurity measures, given that the country’s top security official had been successfully targeted by hackers.

therecord.media EN 2025 Malaysia WhatsApp hacked breach
Ransomware attacks on food and agriculture industry have doubled in 2025 | The Record from Recorded Future News https://therecord.media/ransomware-attacks-food-and-ag-double-2025
03/05/2025 23:27:06

Jonathan Braley, director of cyber information sharing organization Food and Ag-ISAC, spoke at the RSA Conference on Thursday and warned of not only the increase in ransomware incidents but the continued lack of visibility into the full scope of the problem.

“A lot of it never gets reported, so a ransomware attack happens and we never get the full details,” he told Recorded Future News on the sidelines of the conference. “I wish companies would be more open in talking about it and sharing ‘Here's what they use, here's how we fixed it,’ so the rest of us can prevent that.”

The uptick began in the fourth quarter of 2024 and continued into 2025, with the increases largely attributed to Clop’s exploitation of a popular file sharing service. But Braley noted that even when they took out the attacks attributed to Clop, groups like RansomHub and Akira were still continuing to attack the food industry relentlessly.

The Food and Ag-ISAC obtained its numbers through a combination of open-source sites, dark web monitoring, member input and information sharing between National Council of ISAC members.

The industry saw 31 attacks in January and 35 in February before a dip to 18 attacks in March.

The 84 attacks seen from January to March were more than double the number seen in Q1 2024.

therecord.media EN 2025 Ransomware attacks Clop agriculture industry
Largest telecom in Africa warns of cyber incident exposing customer data | The Record from Recorded Future News https://therecord.media/largest-african-telecom-warns-of-data-exposure
25/04/2025 18:51:55

MTN Group said an “unknown third-party has claimed to have accessed data linked” to parts of its system and that the incident “resulted in unauthorised access to personal information of some MTN customers in certain markets.”

therecord.media EN 2025 Africa MTN-Group telecom Africa cyberincident Data-Leak
UK bans export of video game controllers to Russia to hinder attack drone pilots https://therecord.media/uk-bans-video-game-controllers
25/04/2025 09:35:39

In a sanctions package including more than 150 new measures, the British government said it was closing loopholes being exploited by the Kremlin.

therecord.media EN 2025 Russia-Ukraine-war UK ban game controllers drones legal sanctions pilots
Thousands of Baltimore students, teachers affected by data breach following February ransomware attack https://therecord.media/baltimore-public-schools-data-breach-ransomware
23/04/2025 08:33:49

Thousands of students, teachers and administrators had information stolen from the Baltimore City Public Schools system during a ransomware attack in February.

therecord.media EN 2025 Data-Leak ransomware students teachers Baltimore City Public Schools US
China accuses NSA of launching cyberattacks on Asian Winter Games https://therecord.media/china-accuses-nsa-hack-asian-winter-games
15/04/2025 21:01:55

China on Tuesday accused three alleged employees of the U.S. National Security Agency of carrying out cyberattacks on the Asian Winter Games in February.

therecord.media EN 2025 NSA cyberattacks China US accused Asian-Winter-Games
Popular French retailers confirm hackers stole customer data https://therecord.media/france-retailers-hacked-confirm-cyberattack
10/04/2025 11:42:45

Targets of the cyberattacks include electronics and home appliances store Boulanger and the retailer Cultura.

therecord.media EN 2025 Data-Leak Boulanger France
Russia arrests CEO of tech company linked to Doppelgänger disinformation campaign https://therecord.media/doppelganger-ceo-arrests-russia-tech
07/04/2025 21:19:47

Two other employees at the St. Petersburg-based hosting provider Azea Group were arrested. The company has alleged links to state-sponsored disinformation campaigns and cybercriminal infrastructure.

therecord.media EN 2025 Doppelgänger Azea Russia arrested