CISO Talk by James Azar
CyberHub Podcast

Trump Releases Cyber Strategy, Russia Phishing Signal & WhatsApp, MuddyWater Hits US Networks

White House Shifts to Deregulation and Deterrence-Based Cyber Defense, Iranian APTs Target Critical Infrastructure on Day 12 of Operation Epic Fury, Senate Advances NSA/Cyber Command Nomination

Good Morning Security Gang

Today’s show is packed with developments that highlight the growing intersection between geopolitics, infrastructure security, identity attacks, and the supply chain risks shaping modern cybersecurity.

On the docket this morning: the newly released U.S. national cyber strategy, Iranian cyber activity targeting U.S. infrastructure, Russian intelligence targeting Signal and WhatsApp users, a breach affecting Ericsson’s U.S. operations, active exploitation of a Rockwell ICS vulnerability, ShinyHunters going after Salesforce environments, NPM supply-chain malware, phishing moving into Microsoft Teams, leadership changes at NSA and Cyber Command, and the arrest of a major cyber fraud actor tied to romance scams and BEC campaigns.

The thread connecting these stories is simple: cyber conflict no longer consists of isolated incidents; it is layered across national policy, supply chains, enterprise platforms, and the everyday communications tools we rely on.

Coffee cup cheers, let’s dive in.

New U.S. Cyber Strategy Released

We opened today’s show with the release of the Trump administration’s updated U.S. cybersecurity strategy. The approach represents a shift away from heavy regulatory frameworks and toward market-driven cybersecurity innovation, emphasizing stronger partnerships with the private sector and expanding offensive cyber capabilities as a deterrence mechanism.

The strategy focuses on protecting critical infrastructure, strengthening national cyber resilience, developing the cyber workforce, and integrating security considerations into emerging technologies like AI. It also highlights the importance of empowering industry rather than relying solely on federal mandates to drive improvements in cybersecurity posture.

"I've yet to find any cyber regulation anywhere on the planet that has eliminated or reduced cyber threats in any significant way. I haven't found it. If you have, put it in the comments—I'd love to hear it. Maybe the partnership between public and private needs to be on turning cyber into a selling advantage, not on more policy." James Azar

From my perspective, the strategy challenges the long-standing assumption that regulation alone improves cybersecurity. Instead, it pushes the idea that cybersecurity can become a competitive business advantage, where organizations invest in strong security programs to win trust and business rather than merely comply with regulations.

Iranian Cyber Activity Targets U.S. Critical Infrastructure

Next, we examined new warnings that Iranian-linked cyber actors are actively targeting U.S. critical infrastructure organizations. Current campaigns appear to focus primarily on reconnaissance and credential harvesting rather than immediate destructive attacks.

This behavior aligns with Iran’s historical cyber posture during geopolitical escalation periods — infiltrating networks quietly to establish persistence and position themselves for potential future disruption.

Organizations operating in energy, telecommunications, transportation, or other critical sectors should treat this activity as a warning sign. Credential monitoring, threat intelligence sharing with ISACs, and coordination with CISA and federal partners remain essential to detecting and blocking these campaigns early.

Cloudzy Hosting Platform Linked to Iranian Cyber Operations

One of the more interesting intelligence findings discussed on the show involves a hosting provider called Cloudzy, which appears to function as a front operation connected to Iranian cyber activities.

Investigations suggest the platform may provide infrastructure for various advanced persistent threat groups and ransomware actors, operating without standard identity verification or abuse enforcement policies. Customers can pay through cryptocurrencies such as Bitcoin, Monero, or Zcash, allowing threat actors to operate anonymously.

Infrastructure providers like these highlight how cyber operations increasingly rely on covert hosting environments designed to evade law enforcement and facilitate large-scale malicious activity.

Russian Intelligence Targets Signal and WhatsApp Users

Dutch intelligence agencies are warning that Russian state-sponsored hackers are targeting users of encrypted messaging platforms including Signal and WhatsApp.

Rather than attempting to break encryption itself, attackers are focusing on compromising the devices connected to these platforms or gaining access to accounts through social engineering and phishing attacks.

“Attackers aren’t just targeting networks anymore; they’re targeting the platforms where people communicate.”

This reflects a broader shift in cyber espionage operations. Instead of attacking network infrastructure directly, adversaries are targeting communications platforms used by government officials, journalists, and corporate executives to gain access to sensitive conversations and intelligence.

Ericsson U.S. Data Breach

Ericsson disclosed a breach affecting its U.S. operations tied to a compromised third-party service provider. The exposed data appears limited to internal company information and does not appear to impact core telecommunications infrastructure.

However, this incident underscores the persistent risk of third-party supply chain compromises, where attackers infiltrate vendors or service providers to gain access to larger organizations.

Organizations must enforce strict vendor security requirements, including audit rights and breach notification obligations, to ensure rapid response when third-party incidents occur.

Rockwell ICS Vulnerability Actively Exploited

Security researchers are warning that an older vulnerability affecting Rockwell Automation industrial control systems is now being actively exploited in real-world attacks.

Rockwell systems are widely used across manufacturing and energy sectors, meaning exploitation could impact operational technology environments controlling physical infrastructure.

The renewed exploitation of this vulnerability highlights how attackers continue to leverage unpatched legacy flaws to gain access to ICS environments, particularly during periods of geopolitical tension.

ShinyHunters Target Salesforce Aura Environments

The ShinyHunters threat group is reportedly targeting Salesforce Aura environments in attempts to steal sensitive CRM data.

Aura is a key framework within Salesforce applications, and exploitation could expose customer records and internal company data. ShinyHunters has built a reputation for stealing data from SaaS platforms and using the threat of public exposure as leverage for extortion attempts.

Organizations using CRM platforms should implement strict API access controls and continuous monitoring to prevent unauthorized data access.

Malicious NPM Packages Discovered

Researchers discovered new malicious packages within the NPM ecosystem disguised as legitimate developer tools. Once installed, these packages steal credentials and system information from developer machines.

Supply chain attacks targeting developer ecosystems have increased dramatically in recent years, particularly across NPM, PyPI, and GitHub repositories.

Because compromised developer workstations can provide access to production environments, organizations must implement automated dependency scanning and stricter package verification processes.

Microsoft Teams Phishing Campaigns

Attackers are increasingly using Microsoft Teams messages to deliver phishing links and malware. Because Teams is viewed as an internal collaboration tool, users often trust messages received through the platform more than traditional emails.

Threat actors are exploiting this trust by sending malicious messages that appear to come from colleagues or internal contacts.

Security teams must extend phishing detection and security monitoring to collaboration platforms such as Teams and Slack.

New NSA and Cyber Command Leadership Moves Forward

The U.S. Senate voted to move forward with confirmation proceedings for Army Lieutenant General Joshua Reed to lead both the NSA and U.S. Cyber Command.

"The Senate finally did its job and voted 68-28 to advance Lieutenant General Joshua Reed for NSA and Cyber Command, shutting down Ron Wyden's clown show that he's been doing for the last year in the form of resistance—because nothing is ever good enough for a guy from Oregon." James Azar

The nomination received bipartisan support after months of delays and political disputes. Leadership stability within these organizations is particularly important given current geopolitical tensions and ongoing cyber operations involving Iran and other adversaries.

FBI Warns of Phishing Campaign Impersonating Municipal Officials

The FBI issued a warning about phishing campaigns impersonating city and county officials. These attacks target both businesses and citizens by exploiting the trust associated with local government communications.

Recipients are tricked into opening malicious attachments or links that deliver malware or harvest credentials. Public awareness and employee education remain critical defenses against these increasingly sophisticated phishing campaigns.

Major Cyber Fraud Actor Pleads Guilty

Finally, authorities announced that a Ghanaian national has pleaded guilty to orchestrating a massive cyber fraud scheme involving romance scams and business email compromise attacks that stole over $100 million from victims.

The defendant faces up to 20 years in prison and will be required to pay restitution. This case highlights the global scale of financial cybercrime and the continued importance of international cooperation in pursuing cybercriminals.

Key Action Items for Security Teams

  • Monitor Iranian threat activity targeting critical infrastructure sectors

  • Enforce strong credential monitoring and threat intelligence integration

  • Implement strict vendor risk management and third-party security audits

  • Patch ICS and OT systems, particularly in manufacturing and energy environments

  • Deploy API monitoring and access controls for SaaS platforms such as Salesforce

  • Implement automated dependency scanning for developer environments

  • Extend phishing detection controls to collaboration platforms like Microsoft Teams

  • Strengthen mobile device security for users of encrypted messaging platforms

  • Conduct awareness training for phishing campaigns impersonating government officials


James Azar’s CISOs Take

What stood out to me today is how cybersecurity continues to converge with geopolitics and business operations. Government cyber strategy, nation-state espionage campaigns, supply chain compromises, and SaaS platform attacks are all unfolding simultaneously. The digital battlefield now spans everything from critical infrastructure and telecom networks to collaboration tools and developer ecosystems.

For CISOs and security leaders, the key takeaway is that the fundamentals still matter more than ever. Strong identity controls, segmentation, secure development practices, and vendor risk management remain the backbone of cyber resilience. When organizations execute these basics consistently, they significantly reduce their exposure — even in an environment where threats are evolving faster than ever before.

Stay cyber safe.
