Good Morning Security Gang
We’ve got Russia’s Sandworm hitting the energy sector again, battery storage system cyber risks climbing, Venezuela’s oil giant PDVSA under cyber siege, a 700Credit breach impacting 5.8 million Americans, and Fortinet devices actively exploited just days after patch release. Add to that Android malware cloning Play apps, Texas suing TV makers for privacy violations, and President Trump nominating a new head for NSA and Cyber Command, and you’ve got one loaded news morning.
So grab your espresso — I’m on a Black Rifle Double this morning — and coffee cup cheers, y’all! Let’s dive into today’s top stories.
Russia’s GRU Sandworm Targets the U.S. Energy Sector
Russia’s Sandworm hacking group, a known arm of the GRU, is back at it — targeting the U.S. energy grid and operational networks through living-off-the-land techniques, vendor remote access, and exploitable edge devices.
They’re focusing heavily on IT and OT crossover points like engineering workstations, historian servers, and remote-access services, using legitimate credentials to move laterally. Reports indicate potential pre-positioning for disruption and infrastructure reconnaissance.
“What I’ve said is what Russia is learning in Ukraine will translate to their playbook for everyone else. So they’re testing it on the Ukrainians. They’re successful against the Ukrainians. They’re then duplicating that success across Europe, the U.S., and other geopolitical strategic environments for the Russians.”
My advice to energy operators and OT defenders:
Enforce phishing-resistant MFA on all vendor and remote access accounts.
Hunt for new local admins and rogue RDP sessions after hours.
Segment your OT environments — HMIs and PLCs should sit behind obfuscation layers, not just firewalls.
Maintain offline immutable backups of controller logic and enforce network obfuscation to keep devices invisible from Shodan scans.
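As an added illustration of the "hunt for new local admins and rogue RDP sessions after hours" advice (example code written for this post, not from the show or any vendor), the following Python triages constructed Windows Security event lines; the field layout, the 07:00–18:59 business window, and the account names are assumptions.

```python
from datetime import datetime

# Constructed sample Windows Security events (not real logs), already parsed to
# one line each: timestamp|event_id|key=value fields. 4732 = member added to a
# local group, 4624 = successful logon (LogonType 10 = RemoteInteractive/RDP).
SAMPLE_EVENTS = """\
2025-12-16T02:14:05|4732|Group=Administrators|Member=svc_vendor2|Subject=vendor-eng
2025-12-16T09:30:00|4732|Group=Administrators|Member=jdoe|Subject=helpdesk
2025-12-16T23:41:17|4624|LogonType=10|Account=svc_vendor2|Source=10.44.7.19
2025-12-16T14:02:51|4624|LogonType=10|Account=ops_engineer|Source=10.10.3.8
2025-12-16T03:05:22|4624|LogonType=3|Account=historian_svc|Source=10.44.7.19
"""

BUSINESS_HOURS = range(7, 19)   # assumed plant working hours: 07:00-18:59, Mon-Fri

def parse_event(line):
    """Split one log line into a dict of fields plus a datetime and int event id."""
    ts, event_id, *fields = line.split("|")
    rec = {"ts": datetime.fromisoformat(ts), "event_id": int(event_id)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec

def is_after_hours(ts):
    return ts.hour not in BUSINESS_HOURS or ts.weekday() >= 5

def hunt(log_text):
    """Return (findings, priority): every new Administrators member and every
    after-hours RDP logon, plus accounts that appear in BOTH lists, which is the
    'fresh admin, then remote session at night' pattern worth triaging first."""
    findings, new_admins, night_rdp = [], set(), set()
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        if ev["event_id"] == 4732 and ev.get("Group") == "Administrators":
            findings.append(("new_local_admin", ev["Member"], ev["ts"].isoformat()))
            new_admins.add(ev["Member"])
        elif (ev["event_id"] == 4624 and ev.get("LogonType") == "10"
              and is_after_hours(ev["ts"])):
            findings.append(("after_hours_rdp", ev["Account"], ev["ts"].isoformat()))
            night_rdp.add(ev["Account"])
    return findings, sorted(new_admins & night_rdp)

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS)[0]:
        print(*finding)
    print("priority accounts:", hunt(SAMPLE_EVENTS)[1])
```

Feed it real 4732/4624 events from your SIEM export and extend the business window and group names to match your site; the correlation step is where the vendor-account pattern stands out.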
As I said on the show: “In OT, visibility is your weakness — obfuscation is your armor.”
Battery Energy Storage Systems Raise Red Flags
New analysis from Dragos and The Brattle Group warns that Battery Energy Storage Systems (BESS) are becoming a prime target for both nation-state and criminal actors.
These systems often have internet-accessible gateways, third-party monitoring, and weak separation of roles across vendors. A successful compromise could cause equipment damage, grid instability, and even physical safety risks.
With global BESS deployments expected to grow by 25–45% in the next five years, security needs to scale in parallel.
Utilities must enforce secure-by-design installation practices, vendor access control, and field-device firewalls from day one.
The takeaway: treat battery systems like power plants, not warehouses of lithium.
Venezuela’s Oil Giant PDVSA Hit by Cyberattack
Venezuela’s state-run oil company PDVSA suffered a massive cyberattack that disrupted administrative and export systems, halting cargo nominations and terminal paperwork.
Despite official statements claiming “no operational impact,” multiple sources confirmed export suspensions and recovery efforts at major terminals. The attack coincides with U.S. sanctions enforcement, which included the seizure of a Venezuelan oil tanker last week.
“His boats are getting blown up, his drug running operations getting blown up, his oil ships are getting seized, and now their oil giant operations disrupted by a cyber attack... Maduro, the president of Venezuela, is the one guy sitting there going like, ‘Is it 2026 yet?’ because he wants 2025 to go away.” (James Azar)
While attribution remains murky, the timing suggests this may be part of economic pressure tactics designed to destabilize the Maduro regime without direct confrontation. As I put it on the show: “If you want to collapse a dictator, you don’t need bombs — just pull the digital plug on his cash flow.”
700Credit Data Breach Impacts 5.8 Million Individuals
Automotive credit service 700Credit confirmed a breach impacting 5.8 million customers across 18,000 dealerships nationwide.
The exposed data includes names, addresses, contact info, and loan application metadata. The breach originated from a third-party API compromise on October 25th, enabling attackers to siphon customer data through dealer integrations.
Expect a spike in synthetic identity fraud and auto financing scams in coming months. Dealers and lenders should:
Enforce IP restrictions on partner APIs.
Tokenize and encrypt all customer credit data.
Audit API traffic logs for mass export behavior.
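To make the "IP restrictions on partner APIs" and "audit API traffic logs for mass export behavior" items concrete, here is an added Python example (written for this post, not 700Credit's or any dealer platform's code) that runs both checks over a constructed partner-API access log; the log format, dealer IDs, allowlisted IPs and the 100-records-per-10-minutes threshold are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed partner-API access log (sample data, not real 700Credit records),
# sorted by time: timestamp|dealer_id|source_ip|endpoint|records_returned
SAMPLE_LOG = """\
2025-10-25T01:00:03|D-1042|203.0.113.77|/v1/applicants|25
2025-10-25T01:00:09|D-1042|203.0.113.77|/v1/applicants|25
2025-10-25T01:00:15|D-1042|203.0.113.77|/v1/applicants|25
2025-10-25T01:00:21|D-1042|203.0.113.77|/v1/applicants|25
2025-10-25T01:00:27|D-1042|203.0.113.77|/v1/applicants|25
2025-10-25T09:12:40|D-2210|198.51.100.9|/v1/applicants|3
2025-10-25T09:45:02|D-2210|198.51.100.9|/v1/applicants|2
2025-10-25T10:03:11|D-3307|198.51.100.20|/v1/applicants|1
"""

# Assumed per-dealer allowlist of integration egress IPs (hypothetical values).
ALLOWLIST = {"D-1042": {"198.51.100.5"}, "D-2210": {"198.51.100.9"},
             "D-3307": {"198.51.100.20"}}

WINDOW = timedelta(minutes=10)
MAX_RECORDS_PER_WINDOW = 100   # baseline from normal dealer traffic; tune per environment

def parse(line):
    ts, dealer, ip, endpoint, n = line.split("|")
    return datetime.fromisoformat(ts), dealer, ip, endpoint, int(n)

def audit(log_text):
    """Return (mass_export, bad_source): dealers that pulled more than
    MAX_RECORDS_PER_WINDOW records inside any sliding WINDOW, and dealers whose
    calls came from an IP outside their allowlist. Input must be time-ordered."""
    recent = defaultdict(deque)   # dealer -> (ts, records) entries inside the window
    running = defaultdict(int)    # dealer -> records summed over that window
    mass_export, bad_source = {}, {}
    for line in log_text.strip().splitlines():
        ts, dealer, ip, _, n = parse(line)
        if ip not in ALLOWLIST.get(dealer, set()):
            bad_source.setdefault(dealer, set()).add(ip)
        q = recent[dealer]
        q.append((ts, n))
        running[dealer] += n
        while ts - q[0][0] > WINDOW:          # slide the window forward
            running[dealer] -= q.popleft()[1]
        if running[dealer] > MAX_RECORDS_PER_WINDOW and dealer not in mass_export:
            mass_export[dealer] = (ts.isoformat(), running[dealer])
    return mass_export, bad_source

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

In the sample, the same dealer trips both checks at once: a steady 25-record pull every six seconds from an IP that was never registered, which is the shape of a scripted export rather than a salesperson running credit.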
If you’re a consumer — freeze your credit across all bureaus today.
Fortinet Authentication Bypass Exploited in the Wild
Within days of disclosure, attackers began exploiting Fortinet’s authentication bypass flaws in FortiOS, FortiProxy, and FortiWeb systems.
Unpatched devices are being hijacked to alter configurations, steal credentials, and pivot into internal networks. Unsupported versions are particularly at risk.
Defenders must patch immediately, remove public admin access, and enforce IP allowlisting for management planes. Implement hash-based config integrity monitoring to catch stealth tampering, and where patching lags, deploy virtual patching and WAF rules.
Android “Celiac” Malware Clones Legitimate Apps
Researchers discovered Celiac, a sophisticated Android trojan that clones legitimate Play Store apps — embedding credential stealers and persistence scripts.
The malware abuses accessibility services to hijack MFA, intercept SMS codes, and gain admin privileges. It’s distributed through sideloaded APKs and phishing campaigns, not the official Play Store.
Mitigation tips:
Enforce Mobile Device Management (MDM) for all BYOD devices.
Disable sideloading and USB debugging.
Deploy mobile EDR for executives and high-risk roles.
Revoke accessibility permissions for non-vetted apps.
Celiac is a reminder that Android security posture is only as strong as your policy enforcement.
Texas Sues TV Makers Over Privacy Violations
The Texas Attorney General is suing Samsung, Sony, LG, Hisense, and TCL, alleging smart TVs collect and sell user data without consent.
The lawsuit also cites national security concerns, pointing out that Chinese vendors are legally obligated to share data with Beijing under China’s National Intelligence Law.
While this case spotlights consumer privacy, it also reinforces the importance of vendor privacy reviews for enterprise procurement. If your company’s conference rooms use smart TVs, you may be unknowingly streaming telemetry data to foreign servers.
Trump Nominates New NSA and Cyber Command Chief
President Trump has nominated Lt. Gen. Joshua Rudd, currently Deputy Commander at U.S. Indo-Pacific Command, to lead both Cyber Command and the NSA.
The dual-hatted role has been vacant for eight months following leadership reshuffles and firings earlier this year. Rudd’s appointment reflects the administration’s renewed focus on Indo-Pacific cyber deterrence and China’s growing influence in the region.
Once confirmed, Rudd will become a four-star general, overseeing both offensive cyber operations and national intelligence defense initiatives.
Congress Prepares 2026 Cyber Policy Overhaul
Newly appointed House Homeland Security Chairman Andrew Garbarino (R-NY) outlined his 2026 cyber priorities at the Auburn McCrary Institute forum — including renewing the 2015 Information Sharing Act, developing a national breach notification law, and modernizing AI and privacy legislation.
The goal? End the cycle of fragmented regulation that keeps CISOs guessing and compliance teams drowning.
Action List
⚡ Segment OT networks and deploy network obfuscation for edge devices.
🔋 Lock down BESS environments with vendor access controls and physical segmentation.
⛽ Enforce API rate limits and IP restrictions for fintech and automotive integrations.
🔐 Patch Fortinet devices immediately and validate configurations post-update.
📱 Ban sideloaded apps and enforce mobile threat defense across Android fleets.
📺 Review privacy policies for smart devices and IoT in corporate environments.
🧑‍✈️ Track federal leadership changes for upcoming shifts in cyber policy direction.
James Azar’s CISO’s Take
Today’s stories paint a clear picture — cyber warfare and cyber policy are colliding. From Sandworm’s persistence in U.S. infrastructure to PDVSA’s economic disruption, cyber is now a primary instrument of statecraft. But the private sector remains on the front lines — often without the tools, authority, or visibility to fight back effectively.
My biggest takeaway? We’re past the age of “reactive cybersecurity.” The mission now is deterrence and design — building systems that don’t just survive attacks but deny value to adversaries. Whether you’re securing a grid, a dealership API, or a BYOD fleet, the rule is simple: if your environment is easy to see, it’s easy to hit.
Part three of how the subscription model broke the CISO’s budget is up, with real solutions in that article. It has had great feedback, so go check it out at cyberhubpodcast.com. Until then, have a great rest of your day. And most importantly, y’all, stay cyber safe!