CISO Talk by James Azar
CyberHub Podcast
South Korean Giant Kyowon Confirms Ransomware Data Theft, Poland Attributes Grid Attack to Russia, and Beijing Bans U.S. and Israeli Security Tools

Kyowon's 9.6M Account Breach Joins Korean Ransomware Wave While Poland Narrowly Avoids Blackout from Russian Grid Sabotage as China Blacklists VMware, Palo Alto, Fortinet, CrowdStrike and more

Good Morning Security Gang

Coffee cup cheers, y’all — double Lavazza espresso with that perfect foam keeping me powered through this wild lineup.

And let me tell you — it’s a heavy news day. We’ve got South Korea’s education giant Kyowon confirming a ransomware breach, Poland linking a power grid attack to Russia, Beijing ordering domestic firms to ditch U.S. and Israeli cybersecurity products, Microsoft taking down a $40 million scam infrastructure, and France slapping a €42 million fine on Free Mobile.

We’ll also hit Fortinet’s latest wave of vulnerabilities, critical browser patches from Chrome and Firefox, Predator spyware’s growing stealth, and — because Washington can’t get its act together — the Senate still hasn’t confirmed a CISA director, almost a full year since Jen Easterly’s departure.

So let’s dig in.

Kyowon Confirms Ransomware Attack and Data Theft

South Korea’s Kyowon Group, a national-scale education and EdTech company, confirmed that attackers exfiltrated customer data before encrypting systems in a large-scale ransomware assault.

With over 9.6 million accounts and 5.5 million individuals potentially affected, this incident ranks among South Korea’s largest. The attack caused service outages and forced a shutdown of key platforms while investigation teams scrambled to contain damage.

No ransomware group has yet claimed responsibility, but given the data theft prior to encryption, the extortion risk is high. The stolen information likely includes PII, payment details, and internal documents that could be repurposed for phishing or scams targeting families and teachers.

As I said on air:

“When ransomware hits education, it doesn’t just freeze systems — it freezes families.”

This attack underscores why education tech needs network segmentation and resilient offsite backups — not just antivirus and hope.

Poland Blames Russia for Power Grid Cyberattack

Polish officials have attributed a coordinated cyberattack on the national power grid to Russia, calling it a deliberate act of grid-level sabotage.

The operation targeted communication links between renewable assets — like solar and wind farms — and electricity distribution operators, bringing the system close to a full blackout. Authorities described it as an attack on telemetry controls across small generators, not just a single plant.

As I explained: “You don’t just ‘restart’ a power plant. Some can take up to eighteen months to recover from a black start scenario — that’s not downtime, that’s national crisis.”

Poland, a major EU energy hub and NATO ally, has long been in Moscow’s crosshairs. This attack mirrors Russia’s hybrid warfare model — applying cyber pressure to weaken energy resilience without crossing NATO’s kinetic threshold.

Beijing Orders Firms to Ditch U.S. and Israeli Cyber Tools

In a major escalation of tech decoupling, China has directed domestic firms to stop using cybersecurity software made by U.S. and Israeli vendors, including Palo Alto Networks, Fortinet, CrowdStrike, Check Point, SentinelOne, and Mandiant.

The Chinese government cites “national security concerns” and claims these products could “transmit confidential data abroad.” But let’s call this what it is: economic and geopolitical pressure ahead of the Trump–Xi summit in April.

As I said on the show:

“This isn’t about security — it’s about leverage. China can’t match Western defensive software, so it’s banning what it can’t beat.”

Expect Chinese enterprises to shift to state-controlled EDR, VPN, and SIEM tools, tightening surveillance and further restricting cross-border operations. For Western vendors, this is a wake-up call to rethink dependency on Chinese revenue streams.

"If I was those companies, I'd shut down all of my Chinese operations. You know, good luck. Good luck. Walk away. Power play them right back. Power play them right back because China does more sabotage to these companies than they do good."

Microsoft Dismantles $40M RedVDS Scam Network

Microsoft, working with Europol and German authorities, dismantled the RedVDS infrastructure, a cybercrime-as-a-service operation that powered more than $40 million in fraud losses across the U.S. and Europe.

The group sold bulletproof VPS services for just $24 a month, enabling phishing, business email compromise (BEC), romance scams, and real estate fraud at scale.

I said it best: “This is the Amazon Web Services of scamming — cheap, automated, and customer-focused.”

Microsoft has filed lawsuits in the U.S. and U.K., and additional IOCs are expected soon. Organizations should implement beneficiary change callbacks, hold periods for new payees, and out-of-band verification to counter this attack model.
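The three payment controls named above (beneficiary change callback, hold period for new payees, out-of-band verification) as one release check, written as an added example for this post rather than anything from the show or from Microsoft; the hold period, record fields and scenarios are assumed values constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

HOLD_PERIOD = timedelta(hours=48)  # assumed policy value: hold on new or changed payee details

@dataclass
class PayeeChange:
    """A requested change to a supplier's bank details (constructed record)."""
    vendor_id: str
    new_account: str
    requested_at: datetime
    callback_done: bool = False
    callback_number_source: str = ""   # "vendor_master" (number on file) or "request"
    approvers: set = field(default_factory=set)

def release_decision(change: PayeeChange, now: datetime) -> tuple[bool, list[str]]:
    """Return (ok, reasons). Payment to the new account is released only when
    every control passes; `reasons` lists the controls that failed."""
    reasons = []
    # Hold period: a new payee cannot be paid until the hold has elapsed.
    if now - change.requested_at < HOLD_PERIOD:
        reasons.append("hold period not elapsed")
    # Beneficiary change callback, out of band: the number must come from the
    # vendor master record, never from the change request itself, because a
    # fraudulent request supplies its own "confirmation" contact.
    if not change.callback_done:
        reasons.append("no callback confirmation")
    elif change.callback_number_source != "vendor_master":
        reasons.append("callback placed to a number supplied in the request")
    # Dual control: at least two distinct approvers.
    if len(change.approvers) < 2:
        reasons.append("fewer than two approvers")
    return (not reasons, reasons)

def demo():
    """Constructed scenarios: a lure-style request versus a properly verified change."""
    t0 = datetime(2026, 1, 12, 9, 0)
    lure = PayeeChange("V-100", "NEW-ACCT-1", t0, callback_done=True,
                       callback_number_source="request", approvers={"ap_clerk"})
    good = PayeeChange("V-100", "NEW-ACCT-1", t0, callback_done=True,
                       callback_number_source="vendor_master",
                       approvers={"ap_clerk", "ap_manager"})
    return (release_decision(lure, t0 + timedelta(hours=1)),
            release_decision(good, t0 + timedelta(hours=72)))

if __name__ == "__main__":
    for decision in demo():
        print(decision)
```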

France Fines Free Mobile €42 Million for Privacy Failures

France’s CNIL privacy regulator has fined Free Mobile €42 million for a 2024 breach affecting 23 million subscribers, citing failures in data anomaly detection and retention compliance.

The regulator ruled that Free Mobile failed to detect suspicious data access patterns and retained personal data longer than permitted under GDPR.

My commentary was blunt:

“The EU doesn’t fine you for being breached — it fines you for not knowing you were.”

The takeaway for organizations operating in Europe:

  • Implement behavioral anomaly detection for data access, not just perimeter defenses.

  • Align data retention and consent precisely with user agreements.

  • Test breach communication playbooks at least twice a year.
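The first two takeaways in code form: a robust per-actor baseline that flags an abnormal burst of subscriber-record reads, plus a retention check for records held past their limit. This is an added example for this post, not code from the show, from Free Mobile or from CNIL; the access events, retention sample and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import statistics

# Constructed access events: (actor, ISO timestamp, subscriber records read in that call).
ACCESS_LOG = [
    ("agent_01", "2024-10-14T09:05:00", 8), ("agent_01", "2024-10-14T10:20:00", 11),
    ("agent_01", "2024-10-14T14:40:00", 9), ("agent_01", "2024-10-15T09:10:00", 10),
    ("agent_01", "2024-10-15T11:30:00", 7), ("agent_01", "2024-10-16T02:15:00", 5000),
    ("agent_02", "2024-10-14T09:00:00", 15), ("agent_02", "2024-10-15T09:00:00", 14),
]

def hourly_volumes(events):
    """Sum records read per (actor, calendar hour)."""
    buckets = defaultdict(int)
    for actor, ts, n in events:
        hour = datetime.fromisoformat(ts).replace(minute=0, second=0)
        buckets[(actor, hour)] += n
    return buckets

def flag_anomalous_access(events, k=5.0, floor=50):
    """Flag (actor, hour) buckets whose volume exceeds the actor's median hourly
    volume by more than k * MAD (median absolute deviation) and is above `floor`.
    MAD rather than standard deviation, so one huge hour cannot mask itself."""
    volumes = hourly_volumes(events)
    per_actor = defaultdict(list)
    for (actor, hour), n in volumes.items():
        per_actor[actor].append(n)
    flagged = []
    for (actor, hour), n in sorted(volumes.items()):
        series = per_actor[actor]
        med = statistics.median(series)
        mad = statistics.median(abs(x - med) for x in series) or 1.0
        if n > floor and (n - med) / mad > k:
            flagged.append((actor, hour.isoformat(), n))
    return flagged

def retention_violations(records, now_iso, max_age_days):
    """Subject ids whose (subject_id, collected ISO timestamp) is older than the limit."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=max_age_days)
    return [sid for sid, ts in records if datetime.fromisoformat(ts) < cutoff]

# Constructed retention sample: one record well past a one-year limit, one within it.
RETAINED = [("sub_1", "2021-03-01T00:00:00"), ("sub_2", "2024-06-01T00:00:00")]

if __name__ == "__main__":
    print(flag_anomalous_access(ACCESS_LOG))
    print(retention_violations(RETAINED, "2024-10-16T00:00:00", 365))
```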

Fortinet Faces New Vulnerabilities and MS-ISAC Warning

Fortinet is having a rough start to 2026. Its FortiSIEM product was patched for remote code execution (RCE) and admin credential exposure, while the MS-ISAC flagged additional vulnerabilities across FortiProxy, FortiSwitch, FortiOS, FortiSASE, and more.

Admins should:

  • Patch immediately to the fixed FortiSIEM build.

  • Rotate admin and API credentials.

  • Disable public management access.

  • Watch for new admin account creation or beacon activity from FRP or Sliver implants.

It’s clear Fortinet’s codebase is under active exploitation — and likely targeted by multiple threat groups.

Chrome and Firefox Ship High-Severity Patches

Both Google Chrome (v142) and Firefox (v127) shipped critical security updates this week, addressing use-after-free and sandbox escape vulnerabilities.

Given that browser exploits remain the #1 initial access vector for ad-driven malvertising and drive-by downloads, CISOs should:

  • Force updates via MDM or group policy.

  • Restrict browser extensions to allowlists.

  • Block third-party cookies in unmanaged apps.

Google paid $18,500 in bounties for six of the patched bugs, signaling that browser security remains a frontline defense layer.

Predator Spyware Evades Detection

Researchers report that Predator spyware, developed by Intellexa/Psytrix, continues to evade anti-analysis tools and remains one of the most adaptive state-grade surveillance platforms in use.

Used primarily by national intelligence agencies, Predator is now considered more active and evasive than Pegasus. The U.S. previously sanctioned its parent company, though recent policy shifts may alter that stance.

For CISOs, this underscores the reality that mobile endpoint security is now an espionage battlefield — and no device is beyond reach.

U.S. Senate Still Blocking CISA Leadership Appointment

Almost a full year after Jen Easterly’s resignation, the Cybersecurity and Infrastructure Security Agency (CISA) still has no confirmed director.

President Trump re-nominated Sean Plankey, but Senators Ron Wyden and Rick Scott have placed holds for unrelated political reasons.

As I said with frustration:

"We all care about cyber, but we're going to hold off leadership at CISA for a freaking year. Well done. Well done, DC. Reminding us all why we call it the swamp. Reminding us all why we do that. Get Sean confirmed ASAP and get CISA running already."

This stalemate leaves CISA hamstrung at a time when coordination between government and private sector defenders has never been more vital.

Action List

  • 🇰🇷 Audit education tech vendors and back up student data offline.

  • 🇵🇱 Segment OT networks in energy operations and test recovery scenarios.

  • 🇨🇳 Evaluate exposure to Chinese regulatory shifts and plan exits.

  • 🧩 Adopt out-of-band verification for all financial changes.

  • 🇫🇷 Align GDPR consent and retention policies to avoid fines.

  • 🔐 Patch all Fortinet and FortiSIEM systems and monitor admin activity.

  • 🌐 Force browser updates enterprise-wide and limit risky extensions.

  • 📱 Monitor for mobile spyware IOCs, especially for executives.

  • 🇺🇸 Engage with government coalitions to push for CISA leadership confirmation.


James Azar’s CISO’s Take

Today’s show highlighted how cybersecurity, politics, and power are colliding in real time. From Russia’s grid disruption to China’s cyber bans and the U.S.’s leadership paralysis — it’s clear that cyber is no longer just a technical battlefield; it’s an instrument of global policy and economic control.

My biggest takeaway? 2026 is the year of strategic decoupling — between nations, vendors, and even data itself. Whether it’s Kyowon’s breach or Microsoft’s takedown, the message is clear: security is sovereignty. And for CISOs, that means aligning your playbook not just with compliance — but with geopolitics.

Stay sharp, stay caffeinated, and as always — stay cyber safe.
