Good Morning Security Gang
We’re kicking off the week with some monumental developments across cybersecurity. We’re diving into Anthropic’s revelation of an AI-run Chinese cyber espionage campaign, Checkout.com’s data breach after an extortion attempt, Logitech and the Washington Post confirming Oracle-based data theft, and Jaguar Land Rover’s $220 million loss from their recent cyber incident. We’ll also look at new developments in ransomware, nation-state operations, and some major law enforcement wins.
Grab your espresso — double if you need it — and let’s get into it.
Anthropic Unveils China-Linked AI-Driven Cyber Espionage Campaign
Anthropic has confirmed that a Chinese threat group, tracked as GTG-1002, used autonomous agentic AI to conduct a large-scale cyber espionage operation targeting more than 30 organizations across multiple sectors, including technology, finance, chemicals, and government agencies.
The campaign, discovered in mid-September 2025, represents the first documented case of AI-run cyber espionage at near-autonomous levels. The attackers used Anthropic’s Claude AI and a series of custom automation frameworks to coordinate tasks such as network reconnaissance, lateral movement, credential harvesting, and data exfiltration — all at machine-level speed.
Each AI instance acted as a specialized sub-agent — one scanning networks, another generating exploits, and another extracting data. The system maintained context and state across sessions, giving the attackers continuity without direct human oversight for most of the operation. While some outputs contained fabricated or “hallucinated” data, the overall process dramatically accelerated intrusion timelines.
“Orchestration, not bespoke malware, is the superpower now. Expect more actors to warp commodity tools with agentic and MCP-style automation to run concurrent intrusions at scale.” James Azar
Anthropic responded by disabling involved accounts, improving AI usage detection capabilities, and sharing findings with authorities. The company’s report emphasizes that autonomous orchestration has lowered the barrier for sophisticated intrusion campaigns, and organizations should expect similar use cases to emerge in the near term.
Security teams are urged to establish explicit egress controls for AI endpoints, monitor for high-volume automated queries, and simulate AI-assisted adversaries during tabletop and red team exercises to evaluate response readiness.
Checkout.com Confirms Data Breach After Extortion Attempt
Payment processing giant Checkout.com disclosed a data breach linked to an old, unused third-party cloud storage repository that was never fully decommissioned. The breach was discovered after a failed extortion attempt by the ShinyHunters group, which claimed to have stolen internal employee data.
The company has confirmed that no customer card data or financial transactions were affected. However, the exposed files may include internal corporate data such as names, emails, and operational information. In a move widely praised across the cybersecurity community, Checkout.com announced that instead of paying the ransom, it would donate the equivalent sum to academic cybersecurity programs to promote education and awareness.
This case underscores the risks of “legacy cloud sprawl,” where abandoned data stores remain active and vulnerable. Organizations should immediately conduct cloud asset discovery audits, validate decommissioning processes, and deploy automated lifecycle management controls for all third-party storage environments.
Logitech Acknowledges Data Theft via Oracle EBS Vulnerability
Logitech confirmed a data breach following an extortion campaign by the Clop ransomware group, which exploited the Oracle E-Business Suite zero-day (CVE-2025-61882). The company reported that data related to employees and internal operations was exfiltrated but clarified that no payment card or national identification data was compromised.
The Oracle EBS zero-day was initially exploited in mid-2025 and continues to impact numerous global enterprises. Organizations using Oracle’s systems should prioritize immediate patching, conduct log reviews for unauthorized export activity, and validate third-party API connections to ensure no secondary compromise occurred.
This incident is another example of how supply chain vulnerabilities within shared enterprise platforms can lead to cascading breaches across multiple industries.
Washington Post Confirms Employee Exposure from Oracle Breach
The Washington Post disclosed that nearly 10,000 employees and contractors were affected by the same Clop-led Oracle EBS breach. Internal investigations revealed that the attackers gained access to limited HR-related data and system credentials tied to Oracle’s backend environment.
The company has initiated credential rotations, API key resets, and policy reviews to minimize risk from residual exposure. The Washington Post’s response aligns with similar disclosures from other Oracle customers in recent weeks, reflecting the widespread and persistent nature of this particular zero-day exploit.
Jaguar Land Rover Reports $220 Million Cyber Incident Loss
Jaguar Land Rover (JLR) has revealed that the ransomware incident that halted its manufacturing operations earlier this year cost the company $220 million in direct financial losses and lost sales.
The disruption impacted production lines and global parts ordering systems, forcing shutdowns and delaying shipments for weeks. Parent company Tata Motors confirmed that JLR’s EBITDA dropped 5.1% year-over-year, attributing the loss primarily to this attack.
“The thing about outsourcing IT, which is necessary, it’s a necessary part of doing business because of budget limitations, but you can’t outsource all of it and you can’t give final say.” James Azar
Insider reports suggest that the compromise originated from outsourced IT systems managed through Tata’s technology subsidiaries, which created control gaps between business units. The incident highlights the operational risk of over-centralized IT outsourcing, particularly when decision-making is slowed by corporate hierarchy.
Akira Ransomware Group Amasses $244 Million from Global Attacks
According to a joint intelligence bulletin released by the U.S., France, Germany, and the Netherlands, the Akira ransomware group has accumulated $244 million in ransom payments since its emergence in 2023.
The group primarily targets VMware ESXi hypervisors, Cisco ASA firewalls, and Veeam backup systems, using double extortion tactics to pressure victims into paying. Its most active campaigns have focused on critical infrastructure and manufacturing sectors across North America and Europe.
The success of Akira demonstrates that double extortion remains highly profitable, and attackers continue to focus on infrastructure systems that have long patch cycles and poor segmentation.
Denmark Hit by Pro-Russian DDoS Campaign
Several Danish government ministries experienced service disruptions following a DDoS campaign by a pro-Russian hacktivist collective. Websites belonging to the Ministry of Defense, the Foreign Ministry, and multiple agencies experienced temporary outages and degraded performance.
Officials stated that no data was compromised, but the timing aligns with increased tensions over Denmark’s continued support for Ukraine. The event adds to a growing list of politically motivated cyber operations across Europe.
Fortinet FortiWeb Vulnerability Under Active Exploitation
Fortinet has warned customers of an actively exploited FortiWeb zero-day vulnerability (CVE-2025-64446) allowing attackers to bypass authentication and create unauthorized administrative accounts.
The exploit enables remote access and system control through path traversal techniques, making it particularly dangerous for internet-facing devices. Affected versions include FortiWeb 7.0.x, 7.2.x, and 7.4.x, with patches now available.
Administrators are urged to apply updates immediately, disable external HTTP/HTTPS management interfaces, and review admin logs for unauthorized account creation or modified privileges.
Amazon Finds Worm Flooding NPM with 150,000 Malicious Packages
Security researchers at Amazon uncovered a self-replicating worm that has injected more than 150,000 malicious packages into the NPM open-source registry.
While the majority of these packages are inactive or incomplete, they significantly pollute dependency searches and could be leveraged by other threat actors for supply chain poisoning.
Developers are advised to:
Use private NPM mirrors for internal projects.
Enforce version pinning and dependency allowlists.
Conduct SBOM validation prior to deployment.
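As an added illustration of the first two recommendations (this is example code, not something from the show or from Amazon’s research), the check below gates an npm project before install: it flags manifest entries that are unpinned or missing from an internal allowlist, and lockfile entries whose tarballs resolve outside the private mirror. Every package name, version and the mirror URL are constructed for the example.

```javascript
// Added example: a pre-install policy gate for an npm project.
// The manifest, lockfile, allowlist and mirror URL are all constructed here.

const EXACT_VERSION = /^\d+\.\d+\.\d+$/;
const PRIVATE_MIRROR = "https://npm.internal.example/"; // assumed mirror base URL

// Constructed stand-in for package.json.
const samplePackageJson = {
  dependencies: {
    "express": "4.19.2",            // pinned and on the allowlist
    "lodash": "^4.17.21",           // on the allowlist, but a range rather than a pin
    "totally-new-helper": "1.0.0"   // pinned, but not on the allowlist
  }
};

// Constructed stand-in for package-lock.json (lockfileVersion 3 layout).
const sampleLockfile = {
  packages: {
    "": {},  // root project entry carries no resolved URL
    "node_modules/express": { version: "4.19.2", resolved: PRIVATE_MIRROR + "express/-/express-4.19.2.tgz" },
    "node_modules/lodash":  { version: "4.17.21", resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz" }
  }
};

// Constructed allowlist: package name -> approved exact versions.
const sampleAllowlist = { "express": ["4.19.2"], "lodash": ["4.17.21"] };

// Returns one finding string per policy violation in the manifest.
function auditManifest(pkg, allowlist) {
  const findings = [];
  for (const [name, spec] of Object.entries(pkg.dependencies || {})) {
    const pinned = EXACT_VERSION.test(spec);
    if (!pinned) findings.push(`${name}: unpinned range "${spec}"`);
    if (!allowlist[name]) findings.push(`${name}: not on allowlist`);
    else if (pinned && !allowlist[name].includes(spec)) findings.push(`${name}: version ${spec} not approved`);
  }
  return findings;
}

// Returns one finding per lockfile entry that did not come from the private mirror.
function auditLockfile(lock, mirror) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // skip the root project entry
    if (!entry.resolved || !entry.resolved.startsWith(mirror)) findings.push(`${path}: resolved outside mirror`);
  }
  return findings;
}
```

Wire both functions into a CI step that fails the build when either list is non-empty, so a new transitive package cannot slip in from the public registry unreviewed.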
Operation Endgame Dismantles European RAT Infrastructure
A coordinated law enforcement action known as Operation Endgame dismantled infrastructure for multiple Remote Access Trojans (RATs) and infostealer campaigns across Europe.
Authorities seized over 1,000 servers and 20 domains associated with malware such as Venom RAT, Rathamontis, and the Elysium botnet. A key arrest was made in Greece, where the alleged Venom RAT operator was detained.
Europol stated that the seized infrastructure held access to over 100,000 compromised cryptocurrency wallets, representing millions in stolen assets. This operation marks another major success in the international crackdown on cybercrime infrastructure.
Russian Hacker Arrested in Thailand, Faces U.S. Extradition
Thai police arrested a Russian national in Phuket at the request of U.S. authorities. The suspect is reportedly linked to GRU officer Alexei Lukashev, one of the individuals indicted for interference in the 2016 U.S. election hacking campaign.
If confirmed, this arrest would represent one of the most significant apprehensions of a Russian state-linked hacker in years. The individual remains in custody in Bangkok pending extradition proceedings.
Five Individuals Plead Guilty to Assisting North Korean IT Operations
Five U.S. citizens have pleaded guilty to wire fraud and identity theft charges for helping North Korean IT operatives obtain jobs at U.S. companies using stolen American identities.
The scheme generated over $1.2 million in fraudulent income, which was transferred to North Korea to finance weapons development programs. The defendants acted as intermediaries, selling stolen identities and managing payrolls on behalf of the DPRK workers.
The case demonstrates how North Korea is increasingly weaponizing legitimate remote work ecosystems to evade sanctions and sustain cyber operations.
Action List
🧠 Implement AI egress and usage monitoring to detect autonomous attack automation.
🧱 Patch Oracle EBS, FortiWeb, and Citrix immediately and rotate all credentials.
🧩 Audit cloud repositories and legacy data stores for unmonitored access.
💾 Segment backup networks and verify offline restore capabilities.
🔍 Review API keys and integration logs for supply chain compromise indicators.
🪪 Strengthen identity verification for remote contractors and offshore developers.
🧰 Run dependency validation for all open-source packages in NPM or PyPI.
🧑‍💻 Emulate AI-assisted adversaries during tabletop exercises to assess detection speed.
James Azar’s CISO’s Take
The landscape this week proves that automation has transformed the threat model permanently. Anthropic’s findings show that attackers can now scale complex campaigns with near-autonomous precision. The combination of speed, persistence, and distributed coordination means that organizations can no longer depend on manual defense playbooks — detection and response must evolve at machine speed too.
Meanwhile, the wave of Oracle EBS breaches and the Akira ransomware’s quarter-billion haul reinforce a truth we’ve known for years: legacy systems and poor segmentation are the real weak points in enterprise security. Law enforcement’s global wins — from Operation Endgame to the Russian extradition — are encouraging, but the private sector must remain proactive. Our job as CISOs is not just to react — it’s to anticipate.
That’s it for our show this morning. We’ll be back tomorrow at 9 a.m. Eastern here with all the latest. Make sure to check out cyberhubpodcast.com. Over the weekend I released a brand new article: “Moving the Needle: Balancing Risk, Reality and the Relentless Pace of Business.” I kind of take aim at the subscription model, so you may want to give it a read. I’ll be dipping more into the subscription model over the next three to four weeks, so you don’t want to miss it. Until then, have a great rest of your day, have a great week, and most importantly, y’all stay cyber safe!