
Lawmakers ponder terrorism designations, homicide charges over hospital ransomware attacks

21 April 2026 at 14:49

Lawmakers at a hearing Tuesday explored ways to beef up punishments for ransomware attacks against hospitals, possibly by labeling them as more severe crimes.

One proposal floated at the House Homeland Security Committee hearing, to treat ransomware attacks as terrorism, is an idea Congress has flirted with before. Another would be to press prosecutors to pursue homicide charges in attacks on hospitals where death resulted — something German authorities also once pondered.

A former top FBI cyber official, Cynthia Kaiser, put forward both ideas at the hearing, a joint session on cybercrime held by the subcommittees on Border Security and Enforcement and on Cybersecurity and Infrastructure Protection, drawing questions and interest from members.

“I believe there are no penalties too severe for individuals that would target our health care system,” said Mississippi Rep. Michael Guest, chair of the border subcommittee, whose home state saw health care clinics close following a February ransomware attack.

The suggestions stem from a growing focus by ransomware attackers on the health care sector, with incidents nearly doubling from 238 in 2024 to 460 in 2025, according to FBI statistics, making it the most targeted sector.

Kaiser, now senior vice president of the Halcyon ransomware research center, said terrorism designations from the State, Treasury and Justice departments could lead to further sanctions, restricted travel and other punishments. Justice Department guidance on homicide charges could clarify its authorities, she said.

“It sounds like the language is there, it just has not been applied in these circumstances,” said Rep. Lou Correa of California, the top Democrat on Guest’s subpanel.

The notion of more closely entwining cyberattacks and terrorism is something both Congress and the executive branch have examined recently.

The fiscal 2025 Senate intelligence authorization bill would have directly linked ransomware to terrorism, although the final version of the bill that became law was less explicit than the original Senate language. The Treasury Department last month asked for public feedback on changing a terrorism risk insurance program to address cyber-related losses.

A University of Minnesota study from 2023 estimated that hospital ransomware attacks were responsible for dozens of deaths of Medicare patients. German authorities in 2020 opened a negligent homicide investigation following a death in the aftermath of a ransomware attack, but ultimately decided against charges.

The Trump administration’s national cyber strategy advocates for taking a more offensive approach to hackers. It released an executive order on cybercrime and fraud the same day it published the strategy. Kaiser said the proposals are in line with those approaches.

Hackers know their attacks could end lives, she said. “They have simply decided these deaths are someone else’s problem,” Kaiser said.

The post Lawmakers ponder terrorism designations, homicide charges over hospital ransomware attacks appeared first on CyberScoop.

Medtech giant Stryker says it’s back up after Iranian cyberattack

2 April 2026 at 11:18

Medtech company Stryker says it’s back to being “fully operational,” three weeks after it became the most prominent victim to date of Iranian hackers, who said they attacked the Michigan-based company in retaliation over the conflict with the United States and Israel.

A March 11 wiper attack from the pro-Palestinian, Iranian government-connected group Handala damaged the company’s order processing, manufacturing and shipping. More recently, Handala claimed to have compromised the data of FBI Director Kash Patel, although the FBI said no government information was taken.

“Production is moving rapidly toward peak capacity with discipline and stability, supported by restored commercial, ordering and distribution systems,” the company wrote in an update on its website Wednesday. “Overall product supply remains healthy, with strong availability across most product lines, as we continue to meet customer demand and support patient care.”

Stryker said it continues to work with outside cyber experts, government agencies and industry partners on its investigation and recovery.

“Patient care remains our highest priority, with a continued focus on supporting healthcare providers and the patients they serve,” it said. “This remains a 24/7 effort and the first priority of our entire organization.”

Iranian hackers have been busy since the U.S.-Israel strikes began, but have claimed few successes in the United States. Handala boasted this week about an attack on St. Joseph County, Indiana, where officials said they were investigating a hack of its external fax service.

This week, Handala also claimed to have penetrated Israel’s air defense systems and leaked documents about them. But Handala also has been accused of overselling its deeds.

The FBI seized some websites associated with Handala last month, and the State Department has offered a reward for information on the hacking group.

The post Medtech giant Stryker says it’s back up after Iranian cyberattack appeared first on CyberScoop.

Iranian hackers, Handala, claim to compromise FBI Director Kash Patel’s personal data

27 March 2026 at 13:28

Iranian hackers claimed Friday to have compromised the personal data of FBI Director Kash Patel, and the bureau confirmed that it knew of the targeting of Patel’s personal email.

The government-connected hacking group, Handala, previously claimed credit for hacking medical device maker Stryker, a boast that threat researchers considered credible.

“All personal and confidential email of Kash Patel, including emails, conversations, documents, and even classified files, is now available for public download,” Handala — also known as Handala Hack — said.

The group said it did so in response to the FBI seizing its domains and the U.S. government offering a $10 million reward for information on members of the group.

The FBI noted that Handala frequently targets government officials, and challenged elements of Handala’s claims, such as that it had brought the FBI’s systems “to its knees,” rather than Patel’s own email.

“The FBI is aware of malicious actors targeting Director Patel’s personal email information, and we have taken all necessary steps to mitigate potential risks associated with this activity,” the FBI said in response to questions from CyberScoop. “The information in question is historical in nature and involves no government information.”

The activist group Distributed Denial of Secrets published what it said was Patel’s email cache.

The FBI pointed to the State Department’s reward program seeking information on members of Handala.

“Consistent with President Trump’s Cyber Strategy for America, the FBI will continue to pursue the actors responsible, support victims, and share actionable intelligence in defense of networks,” it said. “We encourage anyone who experiences a cyber breach, or has information related to malicious cyber activity, to contact their local FBI field office.”

The post Iranian hackers, Handala, claim to compromise FBI Director Kash Patel’s personal data appeared first on CyberScoop.

No, it’s not ‘unnecessarily burdensome’ to control your own data

By: Greg Otto
10 March 2026 at 06:00

According to a recent report, the State Department sent a cable urging U.S. diplomats to oppose international data sovereignty regulations like GDPR, characterizing these guardrails as “unnecessarily burdensome.” 

In the cable, the State Department claims that data sovereignty regulations “disrupt global data flows, increase costs and cybersecurity risks, limit Artificial Intelligence (AI) and cloud services, and expand government control in ways that can undermine civil liberties and enable censorship.”

Underpinning this argument is both a legitimate concern and a critical misconception.

The truth is that actual data sovereignty is technical, not territorial. 

Data localization is a blunt instrument trying to solve a sophisticated problem. Mandating that data stay within geographic boundaries doesn’t actually ensure that data owners retain control over how their information is accessed, used, or shared. People move; endpoints move; data must move.

European regulators have already defined what digital sovereignty actually requires. Specifically, in the aftermath of Schrems II, the European Data Protection Board made clear that sovereignty is preserved when data is strongly encrypted and the encryption keys remain solely under the control of the data owner in Europe. That clarity is often lost in broader geopolitical debates. 

True data sovereignty requires governments, enterprises, and citizens to retain cryptographic authority over who can access their information, regardless of where it is processed. Forcing data to sit inside national borders accomplishes little if foreign vendors still hold the keys. Sovereignty is fundamentally a technical challenge: it depends on controlling access through encryption and authentication, not simply controlling physical location.

There is a widespread belief that data sovereignty is disruptive to innovation, commerce, and national security. This is a misconception.

The memo presents a false choice: That we must either accept unfettered cross-border data flows with minimal protections in place for the data owner, or implement burdensome localization requirements that stifle innovation and collaboration.

This is simply not true, and the rise of data-centric security proves it: From the U.S., to Five Eyes nations, to the Indo-Pacific, security leaders are embracing this model. Rather than focusing efforts solely on building a strong perimeter boundary, controls and policies must instead follow the data itself, wherever it moves — providing more resilient and contextual security for the data itself. This is the central pillar of the DoW’s own Zero Trust strategy, and the model for agencies across the U.S. federal government and beyond. 

Even the Department of State’s own ITAR (the U.S. International Traffic in Arms Regulations) treats sensitive munitions data with location-specific requirements. There are good reasons for some types of sensitive information to be shielded from external eyes.

Context matters. We should not dismantle well-established data sovereignty standards without clear technical alternatives in place. Instead, we need to evaluate how to more effectively protect and govern sensitive data, without impeding the free flow of information. 

Data-centric security fortifies data sovereignty and liberates secure data flows. 

By shifting the focus from walls — border-specific protections, localization, and perimeters — to the data itself, you can fundamentally transform global data flows. When data is actually governed, tagged, and understood, it can move safely, through trusted channels, to achieve mission success.

In a data-centric security environment, a government agency can leverage cloud services from any provider while maintaining sovereign control over sensitive information by managing and hosting their own encryption keys, additionally providing resilience from third-party breaches with cloud service providers or other partners. 

This isn’t theoretical. Modern data-centric security architectures are in production today, with open standards like the Trusted Data Format enabling platform-agnostic, global data sharing among partners. It’s the antithesis of a data silo, allowing data to travel under very specific conditions and with governance attached to each data object itself. The U.K.’s Operation Highmast is a prime example of the success that comes from dynamic, intelligent data sharing among trusted partners. 
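The mechanism behind the claims above (data that "travels" under the owner's cryptographic authority, with governance attached to each object) can be shown concretely. The following is an added example, not Virtru's code and not an implementation of the Trusted Data Format: it sketches owner-held envelope encryption in Go's standard library. A random per-object data key encrypts the payload, that data key is wrapped with a key-encryption key (kek) that never leaves the owner, and the object's access policy is bound into both layers as AES-GCM associated data, so a provider storing the object can neither read it nor silently change its policy. The type and function names, the policy fields and the sample record are all constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// SealedObject is everything the cloud provider receives: the policy in the clear
// (so it can be routed and audited), the wrapped per-object key, and the ciphertext.
// No key material usable without the owner's kek is present. (Constructed format.)
type SealedObject struct {
	Policy     map[string]string `json:"policy"`
	WrappedDEK []byte            `json:"wrapped_dek"`
	Ciphertext []byte            `json:"ciphertext"`
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aeadSeal encrypts plaintext under key with a fresh random nonce (prefixed to the
// output). aad is authenticated but not encrypted, which is how the policy gets bound.
func aeadSeal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

func aeadOpen(key, sealed, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// policyAAD serialises the policy deterministically (encoding/json sorts map keys).
func policyAAD(policy map[string]string) ([]byte, error) {
	return json.Marshal(policy)
}

// Seal runs on the data owner's side. kek is the owner's 32-byte key; it is used
// here and never shipped with the object.
func Seal(kek, plaintext []byte, policy map[string]string) (*SealedObject, error) {
	dek := make([]byte, 32) // per-object data encryption key
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	aad, err := policyAAD(policy)
	if err != nil {
		return nil, err
	}
	ct, err := aeadSeal(dek, plaintext, aad)
	if err != nil {
		return nil, err
	}
	wrapped, err := aeadSeal(kek, dek, aad) // policy bound to the key wrap as well
	if err != nil {
		return nil, err
	}
	return &SealedObject{Policy: policy, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Open succeeds only with the owner's kek and an unmodified policy; any change to
// the policy fails the GCM tag check on the wrapped key before the payload is touched.
func Open(kek []byte, obj *SealedObject) ([]byte, error) {
	aad, err := policyAAD(obj.Policy)
	if err != nil {
		return nil, err
	}
	dek, err := aeadOpen(kek, obj.WrappedDEK, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap failed (wrong key or tampered policy): %w", err)
	}
	return aeadOpen(dek, obj.Ciphertext, aad)
}

// ProviderCanRead models a storage provider that holds the object plus whatever keys
// it controls itself (providerKeys), but not the owner's kek.
func ProviderCanRead(providerKeys [][]byte, obj *SealedObject) bool {
	for _, k := range providerKeys {
		if _, err := Open(k, obj); err == nil {
			return true
		}
	}
	return false
}

func main() {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	policy := map[string]string{"classification": "restricted", "allowed_region": "EU"}
	obj, err := Seal(kek, []byte("constructed sample record"), policy) // sample data
	if err != nil {
		panic(err)
	}
	providerKey := make([]byte, 32)
	fmt.Println("provider can read:", ProviderCanRead([][]byte{providerKey}, obj))
	pt, err := Open(kek, obj)
	fmt.Println("owner reads:", string(pt), err)
}
```

The design choice worth noting is binding the policy into the key wrap rather than only into the payload: a provider or intermediary that rewrites the policy object cannot then present a still-decryptable object, because unwrapping fails first. Key rotation at the owner is also cheap, since only the small wrapped data key is re-sealed, not the payload.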

In an era defined by AI acceleration and geopolitical competition, sovereignty and interoperability must be engineered to reinforce one another — not framed as tradeoffs.

Angel Smith is the president of global public sector for Virtru.

The post No, it’s not ‘unnecessarily burdensome’ to control your own data appeared first on CyberScoop.

Sean Cairncross lays out what’s coming next for Trump’s cyber strategy

9 March 2026 at 13:31

The Trump administration is plotting an interagency body to confront malign hackers, pilot programs to secure critical infrastructure across states and other steps tied to its freshly-released cyber strategy, National Cyber Director Sean Cairncross said Monday.

The “interagency cell” will bring together agencies like the Justice Department, the Department of State, the FBI and the Pentagon, which will make it clear that going on cyber offense isn’t just about attacking enemies in cyberspace, Cairncross said.

“Sure, that’s part of it, but that’s not all of it,” he said at an event hosted by USTelecom. It will include diplomatic efforts, arrests and more, he said. “As President Trump has made clear, he expects results, and he’s empowered the team under him to go get them.”

A series of pilot programs will be tailored to specific critical infrastructure industries in specific states, such as water in Texas and beef in South Dakota, Cairncross said. Different sectors operate at more or less mature levels, he said.

“One of the things that we are working to do is to align those sectors and prioritize those sectors in a way that makes sense,” he said.

Cairncross said the administration wants to share information with industry better, and will be looking as well at revising regulations in some instances. One of those instances is the Securities and Exchange Commission’s 2023 incident disclosure rule, which drew some of the most vehement industry opposition under the Biden administration’s pursuit of cyber regulations. The idea is to make sure they “make sense for industry,” Cairncross said.

But the administration also will have things it seeks from the private sector. That will include bringing together CEOs and sending the message to them that “you need to dedicate some real resources,” he said.

Cairncross has spoken before about wanting to establish an academy to address education and training in a nation with persistent cybersecurity job openings, but there’s more attached to it, he said.

The effort, which Cairncross said the administration would release details on soon, will also include a foundry (which “will be able to scale with private capital new innovation, and deploy it more quickly”) and an accelerator (“so when there’s preceded financing on projects to really ramp that up and be able to scale as well and overcome some of the procurement hurdles that are often based in this space”).

Cairncross said at a second event Monday that another forthcoming step was a law enforcement pilot program to better share information with state and local governments.

“We’re looking for ways to streamline information sharing from the USG side,” Cairncross said at a Billington Cybersecurity event, using the acronym for “U.S. government.” “Often, ‘how’ we know things is extremely sensitive, ‘what’ we know is less so,” he said. The goal is “to figure out how to communicate that in a helpful, actionable way.”

Updated, 3/9/26: to include comments about law enforcement pilot program.

The post Sean Cairncross lays out what’s coming next for Trump’s cyber strategy appeared first on CyberScoop.

State Dept. official says post-quantum transition plans will outlive current leadership

By: djohnson
19 February 2026 at 15:43

A cybersecurity official at the State Department called for the public and private sector to more tightly coordinate plans to transition their systems, devices and data to quantum-resistant encryption algorithms.

Gharun Lacy, Deputy Assistant Secretary for the Cyber and Technology Security Directorate at the Department of State, issued a challenge for cybersecurity defenders to view their own individual “post-quantum” encryption plans as a small part in a greater collective project to make the entire digital ecosystem more resilient against longer-term threats like quantum-enabled cyberattacks.

With adversaries like China able to target “entire ecosystems” for digital compromise, Lacy argued for the industries and sectors being plundered to come together in shared interest and create strong and consistent protections across society. In that context, modernization is about more than upgrading your technology or encryption.

“We have to defend holistically as an ecosystem,” said Lacy while speaking at CyberTalks, presented by CyberScoop, in Washington D.C. Thursday. “The organization that goes by themselves in modernization will not succeed.”

The State Department is exploring the potential for predictive attack chain analysis, using historical telemetry and planning to predict “where we’re going to be in the future.” Other countries are doing the same, he said, underscoring how challenges like data harvesting must be addressed for national security purposes.

Modernization plans must do more than update technology to perform the same security functions more effectively. They should also reshape the threat surface while “breaking some of the tendencies that are predictable from our historical data.”

“It’s not just about modernizing hardware, it’s not just about implementing AI faster,” said Lacy. “It’s about injecting that little segment of randomness that means the adversary that’s reading, 10, 20 years of our history cannot use that to deduce” our plans.

U.S. federal agencies and the private sector are working broadly towards the goal of having most or all high-risk systems, data and devices transitioned to newer post-quantum algorithms by 2035. This reflects the long-term nature of the threat, as no one can say for certain when a quantum computer capable of breaking some classical forms of encryption will arrive.

But the Trump administration and private sector cybersecurity officials have been mulling whether the risks around data harvesting and recent advances in quantum computing may merit faster timelines.

Lacy said the risk organizations face around data harvesting, or foreign nations collecting encrypted data today to break later with a quantum computer, will be “like an accordion,” presenting a threat that stretches across time. Individual organizations will need to do more than work with each other to execute their post-quantum cryptographic plans. They will have to do it across generations, meaning “we cannot shift priority just because our leadership changes.”

“When you look at long horizon priorities of a nation state actor like China, that means that your data and the risk it poses to you will now outlive leadership cycles,” said Lacy.

The post State Dept. official says post-quantum transition plans will outlive current leadership appeared first on CyberScoop.

US wants to push its view of AI cybersecurity standards to the rest of the world

29 January 2026 at 14:40

The U.S. government wants the rest of the world to adopt its artificial intelligence cybersecurity standards, a top official with the Office of the National Cyber Director said Thursday.

As part of an effort to advance American AI, the administration will be “undertaking diplomacy efforts to promote American AI cybersecurity standards and norms, establishing industry best practices for secure AI deployment and harnessing the full potential of AI tools,” said Alexandra Seymour, principal deputy assistant national cyber director for policy.

Seymour’s comments at the 2026 Identity, Authentication, and the Road Ahead Policy Forum in Washington, D.C. partially reflect the Trump administration’s AI Action Plan released last summer, which said the departments of Commerce and State would “vigorously advocate for international AI governance approaches that promote innovation, reflect American values, and counter authoritarian influence,” but doesn’t explicitly mention international promotion of cybersecurity standards.

Some of that effort has already materialized, with internationally oriented guides released in both May and December. The United States also isn’t the only one looking to influence international standards for AI security.

AI also figures into the yet-to-be-released national cybersecurity strategy that Seymour’s office has been developing. And it dovetails with a pillar of the strategy focused on defending federal networks.

“While AI is already helping industries enhance security and address the challenge of escalating cyberattacks, this administration will promote the rapid implementation of AI-enabled cyber defensive tools to detect, divert and deceive threat actors who continue targeting our vital systems and sectors on our federal systems,” Seymour said. “We must get our house in order. They need rapid modernization, and we’re working on policies to harden our networks, update our technologies and ensure we’re prepared for a post-quantum future.”

The post US wants to push its view of AI cybersecurity standards to the rest of the world appeared first on CyberScoop.

Jordanian national pleads guilty after unknowingly selling FBI agent access to 50 company networks

16 January 2026 at 16:16

A 40-year-old Jordanian national pleaded guilty Thursday to operating as an access broker, selling access to at least 50 victim company networks he broke into by exploiting two commercial firewall products in 2023, according to the Justice Department.

Feras Khalil Ahmad Albashiti, who lived in the Republic of Georgia at the time, sold an undercover FBI agent unauthorized access to the victim networks on a cybercrime forum under the moniker “r1z” in May 2023, authorities said in court records.

The undercover FBI agent continued communicating with Albashiti for the next five months, uncovering evidence of additional alleged crimes. He’s accused of selling malware that could turn off endpoint detection and response products from three different companies.

Albashiti proved the malware worked when, unbeknownst to him, the FBI observed him use the EDR-killing malware on an FBI server the agency granted him access to as part of its investigation. 

The undercover agent purchased additional malware from Albashiti capable of elevating internal user privileges without authorization and a modified version of a commercially available pentesting tool, according to an affidavit filed in the U.S. District Court of New Jersey.

Investigators discovered the IP address Albashiti used to access the FBI server had previously been used in intrusions into government systems belonging to a U.S. territory and in a ransomware attack against a U.S. manufacturing company in June 2023 that resulted in at least $50 million in losses.

Authorities linked Albashiti to the “r1z” account on the cybercrime forum by tracing the Gmail address he used to establish the account in 2018, which was the same email address Albashiti used to apply to the State Department for a visa to enter the United States in Oct. 2016. 

The FBI said it obtained records for the cybercrime forum as part of an unrelated investigation.

Albashiti was arrested in July 2024 and has been held in custody since then. He waived prosecution by indictment and pleaded guilty to trafficking unauthorized access devices and login credentials. 

Albashiti is scheduled to be sentenced in May and faces up to 10 years in prison and a fine of $250,000, which prosecutors said is double the amount of gains or losses resulting from his crimes.


The post Jordanian national pleads guilty after unknowingly selling FBI agent access to 50 company networks appeared first on CyberScoop.

Trump pulls US out of international cyber orgs

8 January 2026 at 12:39

The Trump administration is withdrawing the United States from a handful of international organizations that work to strengthen cybersecurity.

As part of a broader pullback from 66 international organizations, the administration is leaving the Global Forum on Cyber Expertise, the Freedom Online Coalition and the European Centre of Excellence for Countering Hybrid Threats.

Trump’s decision is in line with a president who has expressed hostility toward the existing international order, an approach critics fear creates a leadership power vacuum for U.S. adversaries to fill.

“The Trump Administration has found these institutions to be redundant in their scope, mismanaged, unnecessary, wasteful, poorly run, captured by the interests of actors advancing their own agendas contrary to our own, or a threat to our nation’s sovereignty, freedoms, and general prosperity,” Secretary of State Marco Rubio said in a statement Thursday. “President Trump is clear: It is no longer acceptable to be sending these institutions the blood, sweat, and treasure of the American people, with little to nothing to show for it. The days of billions of dollars in taxpayer money flowing to foreign interests at the expense of our people are over.”

Rubio criticized the international organizations over “DEI mandates,” “‘gender equity’ campaigns” and activities that “constrain American sovereignty.”

The Global Forum on Cyber Expertise works on issues such as critical infrastructure protection, cybercrime, cyber skills and policy and emerging technology. Its members include nations and government organizations like Interpol, but also tech companies like Hewlett Packard, Mastercard and Palo Alto Networks.

The forum says it supports gender inclusivity, asserting that “gender is a cross cutting issue with direct relevance to achieving international peace and security.”

A former president of the Global Forum on Cyber Expertise Foundation, Chris Painter, said he was “surprised” by the withdrawal.

“It’s a non-political capacity-building platform that the U.S. helped establish and that has done good work in the Western Balkans and Asian Pacific, among other places, that I think advances U.S. interests,” said Painter, also the former top cyber diplomat at the State Department.

Ron Deibert, a professor of political science and the founder and director of the University of Toronto’s Citizen Lab, said the withdrawal from the forum and the cuts at the U.S. Cybersecurity and Infrastructure Security Agency would “further erode network security coordination at a time when the magnitude of cyber threats are rapidly increasing.”

Nina Jankowicz, a former Biden administration disinformation official who now heads the American Sunlight Project, a nonprofit dedicated to fighting disinformation, took note of the Trump administration — “which claims to care about free speech” — exiting the Freedom Online Coalition, which counts as its goals the support of “free expression, association, assembly, and privacy online.”

The coalition has campaigned against cybersecurity laws that suppress human rights and cyberattacks that imperil individual safety.

The European Centre of Excellence for Countering Hybrid Threats works to protect its members, which include members of the North Atlantic Treaty Organization, from an array of threats, among them those that manifest in cyberspace.

The Trump administration also withdrew from other organizations whose work more tangentially touches on cybersecurity, such as the International Law Commission.

Whatever flaws there are with some of the organizations Trump withdrew from, they are contributors to the “international rules-based order,” Deibert said.

“Without state participation, especially the powerful rich states, these forums will grind to a halt,” he said. “Even on a symbolic level, having a government like the U.S. ‘not there’ means very little can happen on a global level. This will likely lead to more regionalization and likely greater spaces for corruption and authoritarian practices to spread.”

The U.S. decision will “inevitably weaken the rights and security of Americans and people around the world for years to come,” said Alexandra Givens, president of the Center for Democracy and Technology.

“Americans should be concerned that their government is abandoning longstanding efforts to advance democracy, defend human rights online, and stop the abuses of spyware, particularly as free expression comes under attack from governments around the world — including our own,” Givens said. “U.S. participation in international collaboration on human rights standards helps keep Americans safe.”

The post Trump pulls US out of international cyber orgs appeared first on CyberScoop.

FBI says ‘ongoing’ deepfake impersonation of U.S. gov officials dates back to 2023

By: djohnson
19 December 2025 at 15:46

The FBI said that unknown actors have continued to deploy AI voice cloning tools in an ongoing effort to impersonate U.S. government officials and extract sensitive or classified information or conduct scams.

The bureau initially warned back in May that the campaign had been ongoing since at least April 2025. In an update Friday, it revised that initial timeline and said there was evidence of such activity dating back to 2023.

“Activity dating back to 2023 reveals malicious actors have impersonated senior U.S. state government, White House, and Cabinet level officials, as well as members of Congress to target individuals, including officials’ family members and personal acquaintances,” the FBI said in a public service announcement.

These communications include the use of encrypted apps like Signal and AI-powered voice cloning tools to trick victims into believing they’re speaking with high-level government officials, who have regularly used Signal to discuss government business under the Trump administration.

The FBI’s updated timeline would mean that such impersonation efforts may have stretched back to the Biden administration, though the bureau does not specify how many individuals, groups or actors may have been involved over the years.

The update also includes new details around the specific tactics and talking points the impersonators use to ensnare victims.

The impersonators start by engaging the victim through SMS text messages, introducing themselves and suggesting that, given the sensitive nature of the discussions, the conversation move to encrypted messaging apps like Signal or WhatsApp, or to messaging apps like Telegram.

Once there, the fake government official will engage the victim on a topic they are known to be well-versed in, then propose scheduling a meeting between them and President Trump or another high-ranking government official, or float the possibility of nomination to a company’s board of directors.

That sets the victim up for requests for more sensitive personal data under the guise of vetting, such as passport photos, requests to sync the impersonator’s device with the victim’s phone contact list, and requests that the victim broker introductions to associates or wire funds overseas.

The bureau notes in a footnote that access to the targeted individual’s contact list is used “to enable further impersonation efforts or targeting.”

“Once actors have access to the victim’s contact list, they send out another round of smishing or vishing messages, this time impersonating the last victim or another notable figure the new targeted individual would logically come in contact with,” the announcement stated.

In July, the State Department sent a cable to diplomats warning that someone was using AI audio tools and text messages to impersonate Secretary of State Marco Rubio. Under the Biden administration in 2024, a deepfake video of former State Department spokesperson Matthew Miller popped up online appearing to suggest that Russian cities were legitimate targets for Ukraine’s military.

The post FBI says ‘ongoing’ deepfake impersonation of U.S. gov officials dates back to 2023 appeared first on CyberScoop.

US charges hacker tied to Russian groups that targeted water systems and meat plants

By: Greg Otto
10 December 2025 at 09:52

The Justice Department has charged a Ukrainian national with conducting cyberattacks on critical infrastructure worldwide as part of two Russian state-sponsored hacking operations that targeted water systems, food processing facilities and government networks across the United States and allied nations.

Victoria Eduardovna Dubranova, 33, was arraigned on a second indictment Tuesday after being extradited to the U.S. earlier this year. She faces charges related to her alleged work with CyberArmyofRussia_Reborn, known as CARR, and NoName057(16), two groups federal prosecutors say received backing from Moscow to advance Russian geopolitical interests. 

Dubranova pleaded not guilty in both cases.

The indictments describe operations that evolved from distributed denial of service attacks to more destructive intrusions into industrial control systems. CARR, according to prosecutors, was founded and funded by Russia’s Main Directorate of the General Staff of the Armed Forces, known as the GRU. NoName057(16) emerged from the Center for the Study and Network Monitoring of the Youth Environment, an information technology organization established by presidential order in Russia in October 2018.

Brett Leatherman, the FBI’s assistant director in its cyber division, said the charges against Dubranova are the first time the U.S. has charged someone under the law designed to protect water systems.

“Let me emphasize, the FBI doesn’t just track cyber adversaries. We call them out and bring them to justice,” Leatherman said on a press call Wednesday. “That’s what today demonstrates.”

Both groups claimed credit for hundreds of attacks beginning in 2022, following the escalation of the Russia-Ukraine conflict. CARR maintained a Telegram channel with more than 75,000 followers and at times had over 100 members, including juveniles, according to the indictment. The group received financial support from a figure using the moniker “Cyber_1ce_Killer,” which federal authorities associate with at least one GRU officer.

The attacks attributed to CARR resulted in tangible damage to U.S. infrastructure. Public drinking water systems in several states experienced damage to control systems that caused hundreds of thousands of gallons of water to spill. In November 2024, an attack on a meat processing facility in Los Angeles spoiled thousands of pounds of meat and triggered an ammonia leak that forced an evacuation. The group also targeted U.S. election infrastructure and websites for nuclear regulatory entities.

NoName057(16) operated differently, developing proprietary software called DDoSia that recruited volunteers worldwide to participate in attacks. The group published daily leaderboards on Telegram ranking participants and paid top volunteers in cryptocurrency. Between March 2022 and June 2025, the group conducted more than 1,500 attacks on government agencies, financial institutions, railways and ports in Ukraine and NATO countries including Estonia, Finland, Lithuania, Norway, Poland and Sweden.

The group targeted Dutch infrastructure during the June 2025 NATO Summit in The Hague. Volunteers who downloaded DDoSia were required to read a manifesto describing pro-Russian geopolitical motivations before participating in attacks on targets selected by administrators.

Federal investigators from multiple agencies, including the FBI, CISA, NSA, Department of Energy and EPA, issued a joint advisory warning that pro-Russia hacktivist groups target minimally secured internet-facing connections to infiltrate operational technology control devices. The EPA emphasized the threat to public water systems, noting the defendant’s actions put communities and drinking water resources at risk.

Chris Butera, CISA’s acting deputy executive assistant director for cybersecurity, said Wednesday that organizations responsible for operating critical infrastructure should understand these groups are “actively engaging in opportunistic, low sophistication, malicious cyber activity across multiple sectors to gain notoriety and create mayhem.”

“The single most important thing people can do to protect themselves is to reduce the number of operational technology devices exposed to the public-facing internet,” Butera said. 
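The advice above reduces to an inventory question: which OT protocol endpoints, and which remote-access services that typically front an HMI, answer on addresses reachable from the internet. The following is an added example written for this page, not tooling from CISA, the FBI or any vendor named here. It assumes an external scan has been exported as simple `ip,port,proto,banner` records (a constructed format), triages them against a small, illustrative port-to-protocol map, and drops anything on internal address space so that a Modbus listener on an RFC 1918 address is not mistaken for an exposure. The sample records use documentation address ranges as stand-ins for public addresses.

```python
"""Triage an exported service inventory for OT protocols reachable from the internet.

Added example for this page; not CISA's, the FBI's or any vendor's own tooling.
Input format is an assumption: one "ip,port,proto,banner" record per line.
"""
import ipaddress
from dataclasses import dataclass

# Well-known OT/ICS protocol ports plus remote-access services that are often
# bridged straight to an HMI. Illustrative mapping, not an authoritative list.
OT_PORTS = {
    ("tcp", 102): "Siemens S7comm",
    ("tcp", 502): "Modbus/TCP",
    ("tcp", 20000): "DNP3",
    ("tcp", 44818): "EtherNet/IP",
    ("udp", 47808): "BACnet/IP",
    ("tcp", 4840): "OPC UA",
    ("tcp", 5900): "VNC (often fronting an HMI)",
    ("tcp", 3389): "RDP",
}
REMOTE_ACCESS_PORTS = {3389, 5900}

# Address space that is not reachable from the internet. Documentation ranges
# (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) are deliberately NOT listed
# here so they can stand in for public addresses in the constructed sample below.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                   # CGNAT shared space
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",                # IPv6 ULA, link-local, loopback
)]


@dataclass(frozen=True)
class Exposure:
    ip: str
    port: int
    proto: str
    protocol_name: str
    banner: str


def is_internet_reachable(ip: str) -> bool:
    """False for internal/loopback/link-local space or an unparseable address."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    # Membership across IP versions is simply False, so mixing v4/v6 is safe.
    return not any(addr in net for net in INTERNAL_NETS)


def parse_inventory(text: str) -> list[tuple[str, int, str, str]]:
    """Parse 'ip,port,proto,banner' records; the banner may itself contain commas."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",", 3)]
        if len(parts) < 3 or not parts[1].isdigit():
            continue
        banner = parts[3] if len(parts) == 4 else ""
        records.append((parts[0], int(parts[1]), parts[2].lower(), banner))
    return records


def find_exposed_ot(text: str) -> list[Exposure]:
    """Return OT/remote-access listeners on internet-reachable addresses,
    raw industrial protocols first, then generic remote access."""
    found = []
    for ip, port, proto, banner in parse_inventory(text):
        name = OT_PORTS.get((proto, port))
        if name is None or not is_internet_reachable(ip):
            continue
        found.append(Exposure(ip, port, proto, name, banner))
    found.sort(key=lambda e: (e.port in REMOTE_ACCESS_PORTS, e.ip, e.port))
    return found


# Constructed sample export; documentation addresses stand in for public ones.
SAMPLE_INVENTORY = """\
# ip,port,proto,banner
203.0.113.10,502,tcp,Modbus
203.0.113.10,443,tcp,nginx
203.0.113.22,5900,tcp,RFB 003.008
192.168.10.5,502,tcp,Modbus
203.0.113.40,47808,udp,BACnet
203.0.113.22,22,tcp,OpenSSH
"""

if __name__ == "__main__":
    for e in find_exposed_ot(SAMPLE_INVENTORY):
        print(f"{e.ip}:{e.port}/{e.proto}  {e.protocol_name}  [{e.banner}]")
```

Running the block on the sample flags the Modbus and BACnet listeners and the VNC service, and ignores the Modbus listener on 192.168.10.5. Anything the script reports is a candidate for removal from the perimeter or for placement behind a VPN with multi-factor authentication; a banner alone does not prove a device is an HMI, so each hit still needs a hand check against the asset inventory.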

Dubranova faces one count of conspiracy to damage protected computers in the NoName case, carrying a maximum five-year sentence. The CARR indictment charges her with conspiracy to damage protected computers and tamper with public water systems, damaging protected computers, access device fraud and aggravated identity theft. If convicted on all CARR charges, she faces up to 27 years in federal prison.

The State Department announced rewards of up to $2 million for information on individuals associated with CARR and up to $10 million for information related to NoName057(16). Two CARR members, Yuliya Vladimirovna Pankratova and Denis Olegovich Degtyarenko, were previously sanctioned by the Treasury Department in July 2024. Pankratova allegedly served as administrator of CARR, while Degtyarenko is described as a primary hacker who accessed a U.S. energy company’s supervisory control and data acquisition system.

The investigations are part of Operation Red Circus, an FBI initiative to disrupt Russian state-sponsored cyber threats to U.S. critical infrastructure. By late 2024, prosecutors say CARR administrators grew dissatisfied with GRU support and created a new group called Z-Pentest that employs similar tactics.

Trials are scheduled for Feb. 3, 2026, in the NoName matter and April 7, 2026, in the CARR case.

The post US charges hacker tied to Russian groups that targeted water systems and meat plants appeared first on CyberScoop.

Officials offer $10M reward for information on IRGC-linked leader and close associate

8 December 2025 at 17:01

The State Department is seeking help to locate a pair of hackers allegedly working for Shahid Shushtari, a malicious cyber unit operating under Iran’s Revolutionary Guard Corps Cyber-Electronic Command. Officials are offering a reward up to $10 million for information about Mohammad Bagher Shirinkar and Fatemeh Sedighian Kashi.

“Help us take the smile off their faces,” the State Department’s Rewards for Justice program posted in a bulletin about the reward on social media last week. 

Shahid Shushtari has targeted multiple critical infrastructure operations, causing financial damage and disruption to businesses and government agencies spanning the news, shipping, travel, energy, financial and telecom sectors in the United States, Europe and the Middle East, officials said. 

The pair are accused of working closely together to plan and conduct cyberattacks of interest to the Iranian government.

“Shahid Shushtari is the latest name for Emennet Pasargad which has undergone several front company renames over the last few years,” said Josh Atkins, tech leader of Middle East threat operations at Google Threat Intelligence Group, which tracks the group as UNC5866.

The unit, which is allegedly overseen by Shirinkar, was also previously known as Aria Sepehr Ayandehsazan, Ayandeh Sazan Sepehr Arya, Eeleyanet Gostar and Net Peygard Samavat Co.

Members of the unit allegedly targeted the U.S. presidential election with a multi-faceted campaign that got underway in August 2020, officials said. The unit has also conducted cyberespionage operations, including attacks that used a false-flag persona, the State Department said.

“Target industries are typically government but we’ve seen them target finance, healthcare, tech and generally anything of interest to the regime,” Atkins said. 

The Treasury Department previously designated Emennet, which it was known as at the time, and six of its members in late 2021 for sanctions related to the group’s efforts to influence the 2020 U.S. presidential election. 

The group, which is also tracked as Cotton Sandstorm and Haywire Kitten, has been active since 2018 and exhibited new tradecraft in preparation for future influence operations in 2023, the FBI, Treasury Department and Israel National Cyber Directorate said in a joint cybersecurity advisory in late 2024. 

“Operational tempo from UNC5866 is consistent with the last few years. They’ve been active in both phishing and malware delivery operations at a fairly consistent pace since 2020,” Atkins said.

“There are several groups like this,” he added. “The Iranian regime operates a number of contractors and while we believe that some elements of the regime operate under priorities with a longer horizon, IRGC and its contractors tend to be more reactive in nature, demonstrated by their rapidly evolving tradecraft.”

The post Officials offer $10M reward for information on IRGC-linked leader and close associate appeared first on CyberScoop.
