
CISA wants critical infrastructure to operate ‘weeks to months’ in isolation during conflict

By: djohnson
5 May 2026 at 17:47

The Cybersecurity and Infrastructure Security Agency is urging critical infrastructure owners and operators to plan for delivering essential services under emergency conditions – potentially for months at a time.

The federal government’s top cybersecurity agency warned that state-sponsored hackers, particularly two Chinese groups known as Salt Typhoon and Volt Typhoon, continue to threaten critical sectors like electricity, water, and internet. 

The agency is now working with the private sector to protect operational technology – the systems that control the heavy machinery and equipment that powers most critical infrastructure – from attacks that enter through business IT systems or third-party vendor products.

The initiative, known as CI Fortify, will include CISA conducting targeted technical assessments of critical infrastructure entities and aims to create plans that “allow for safe operations for weeks to months while isolated” from IT networks and third-party tools, according to the agency’s website.

Nick Andersen, CISA’s acting director, told reporters that the goal is “service delivery [that] can still reach critical infrastructure after the asset owner has disconnected with IT and OT, disconnected from third party vendors and service provider connections and disconnected from third party telecommunications equipment.”

Over the past two years, wars in Ukraine, Gaza, Iran and elsewhere have seen water plants, power substations, data centers and other critical infrastructure targeted by kinetic or cyberattacks.

Andersen said the agency has already begun engaging with some companies to pilot the assessments and expects that work to ramp up considerably as CISA hires additional staff in the coming months.

He declined to name the entities involved in the pilot program, but said they will focus on organizations that support national security, defense, public health and safety and economic continuity. He added that CISA’s assessments will vary from sector to sector depending on their unique needs.

“Water isn’t necessarily designed to prioritize specific customer needs outside of recovery periods, while energy and transportation have more immediate tradeoffs for selecting one load or one set of cargo over another,” Andersen said as an example.

One pillar of CISA’s strategy is isolation: essentially turning off all third-party and business network connections to an OT network when facing an emergency or unknown vulnerability.

Organizations also need to develop an internal plan for what acceptable service levels look like under those conditions and reach understandings with their critical customers, like U.S. military installations and lifeline services.

The second pillar, recovery, involves best practices for organizations: backing up files, documenting systems and having manual backups for operations when normal computer systems are down.

In conversations with cybersecurity specialists who focus on critical infrastructure and operational technology, it is widely assumed that China is not the only nation to have broadly compromised American critical infrastructure, and that hacking groups tied to other nations have almost surely noticed and exploited the same basic vulnerabilities and hygiene issues found by the Typhoons.

Agencies like the FBI and Federal Communications Commission have touted efforts to purge Chinese hackers and work voluntarily with telecoms to harden their network security. But U.S. national security officials and cybersecurity defenders have consistently said both Salt Typhoon and Volt Typhoon remain active threats to U.S. critical infrastructure.

The post CISA wants critical infrastructure to operate ‘weeks to months’ in isolation during conflict appeared first on CyberScoop.

Chinese national extradited to US for pandemic-era Silk Typhoon attacks

27 April 2026 at 20:12

A Chinese national allegedly involved in a massive, pandemic-era attack spree that compromised nearly 13,000 U.S. organizations was extradited from Italy to the United States and formally charged in federal court, the Justice Department said Monday.

Xu Zewei and his co-conspirators are accused of exploiting a string of zero-day vulnerabilities in Microsoft Exchange Server to steal research on COVID-19 vaccines, treatment and testing during the initial wave and subsequent height of the pandemic.

His alleged crimes, directed by China’s intelligence services, were part of a broader espionage campaign known as HAFNIUM, which targeted infectious disease experts, law firms, universities, defense contractors and policy think tanks, according to an indictment filed against Xu and Zhang Yu, who remains at large. 

The China state-sponsored threat group behind those attacks against Microsoft customers, and many other vendors’ customers since, is now more widely known as Silk Typhoon.

“Xu will now answer for his alleged role in HAFNIUM, a group responsible for a vast intrusion campaign directed by China’s Ministry of State Security that compromised more than 12,700 U.S. organizations,” Brett Leatherman, assistant director of the FBI’s Cyber Division, said in a statement.

“He is one of many contractors the Chinese government uses to obscure its hand in cyber operations, and others who do the same face the same risk,” he added.

Xu allegedly committed the attacks while working for Shanghai Powerock Network, one of many companies that conducted attacks for China’s various intelligence services, according to court records.

Italian authorities arrested Xu at the United States’ request in Milan in July. His capture underscores the window of opportunity U.S. officials and allies can exploit when nation-state attackers travel to countries that cooperate with the United States.

Italy extradited Xu to the United States Saturday but didn’t release his extradition orders until Monday, Simona Candido, his attorney in Italy, told CyberScoop.

Officials said Monday marked Xu’s first appearance in the U.S. District Court for the Southern District of Texas. He is currently being held at a federal prison in Houston.

“We have pursued this moment across years and continents, and the message this office sends today is the same one we sent when we first unsealed this indictment: we will work to protect the American people,” John G.E. Marck, acting U.S. attorney for the Southern District of Texas, said in a statement.

Xu allegedly worked under the direction of China’s Ministry of State Security’s Shanghai State Security Bureau to break into U.S. organizations’ networks, steal data and implant webshells for persistent remote access. Officials also accuse Xu of stealing information regarding U.S. policymakers and government agencies from a global law firm with offices in Washington. 

Microsoft first warned customers about the HAFNIUM campaign in March 2021. The FBI and Cybersecurity and Infrastructure Security Agency followed soon after with a joint advisory about the widespread compromise of Microsoft Exchange Server. 

“Today’s law enforcement action demonstrates the real-world consequences of this state-led activity, which is fueled by a vast network of private companies operating under the direction of the Chinese government,” Aaron Shraberg, senior team lead of global intelligence at Flashpoint, told CyberScoop.

“Extraditing these individuals from countries in coordination with international law enforcement demonstrates a united stance on these actions, and the importance of bringing real-world consequences to China’s notorious targeting of not just the American people and their businesses, but individuals globally as well,” Shraberg added.

Xu is charged with conspiracy to commit wire fraud; two counts of wire fraud; conspiracy to cause damage to and obtain information by unauthorized access to protected computers, to commit wire fraud, and to commit identity theft; two counts of obtaining information by unauthorized access to protected computers; two counts of intentional damage to a protected computer; and aggravated identity theft. 

The 34-year-old faces up to 62 years in prison for his alleged crimes.

The post Chinese national extradited to US for pandemic-era Silk Typhoon attacks appeared first on CyberScoop.

FBI: Threats from Salt Typhoon are ‘still very much ongoing’

By: djohnson
19 February 2026 at 13:44

A top FBI cyber official said Salt Typhoon, the Chinese cyber espionage group behind the widespread compromise of U.S. telecommunications infrastructure in 2024, continues to pose a broad threat to both America’s private and public sectors.

Michael Machtinger, deputy assistant director for cyber intelligence at the FBI, touted improved partnerships between the telecommunications industry and government in the wake of the campaign while speaking at CyberTalks, presented by CyberScoop, in Washington D.C. Thursday.

Companies who engaged with the FBI and federal agencies like CISA early after the campaign went public “have been without a doubt the most successful in mitigating the impact of the Salt Typhoon intrusions,” he claimed.

Last year, CyberScoop’s reporting found that the U.S. telecommunications sector was riddled with basic cybersecurity vulnerabilities and patchwork consolidated networks, and Salt Typhoon took advantage of these weaknesses to gain widespread, persistent access to major telecom networks.

Machtinger echoed a similar sentiment in describing lessons the FBI took away from the episode, saying that “despite all the advances in cybersecurity tools and strategies, it is still the most basic vulnerabilities that provide entry points.”

Cybersecurity leaders and network defenders have a responsibility to understand their own vulnerabilities and implement “fundamental” cybersecurity practices such as zero trust, least-privilege access, secure-by-design principles, end-to-end encryption and other protections.

Despite an increasingly complex threat and technology environment, phishing attacks or targeting vulnerable legacy systems are still the most common ways the FBI sees hacking groups gain access to their victims. While foreign intelligence agencies do use zero-day vulnerabilities and other sophisticated tools to compromise well-defended systems, “by and large this is not what we are seeing, and it is not what we saw in Salt Typhoon.”

“None of these concepts are new…and truthfully they’re not all that advanced, but they are increasingly essential as adversaries adapt their tactics and our attack surface becomes more widespread,” said Machtinger. “If we’re going to safeguard our personal and proprietary information, it is just as important for us to lock the doors inside the house as it is to lock the front door.”

But these lessons haven’t diminished the threat. Machtinger estimated that Salt Typhoon’s intrusions have impacted more than 80 countries, often following the same playbook of pairing broad access with “indiscriminate” targeting and collection.  

It is “important to recognize that the threat posed by Salt Typhoon actors and the rest of the PRC intelligence apparatus and enabling infrastructure is still very, very much ongoing,” Machtinger said.

The post FBI: Threats from Salt Typhoon are ‘still very much ongoing’ appeared first on CyberScoop.

Fulton County lawsuit claims feds used ‘gross mischaracterizations’ to justify raid

By: djohnson
18 February 2026 at 10:59

A former federal official who tested and certified voting machines used in Fulton County, Georgia for the 2020 presidential election told a court that the federal government misrepresented key facts and omitted exculpatory public evidence while seeking a warrant in last month’s law enforcement raid.

The raid, carried out by the FBI and overseen by Director of National Intelligence Tulsi Gabbard, saw agents seize ballots and other documentation from the Fulton County election offices. A public affidavit cited five core allegations related to the county’s recordkeeping, electronic ballot image storage, and election night reporting. Authorities allege these issues point to a potential conspiracy to intentionally manipulate the vote count in favor of Democrat Joe Biden.

Fulton County officials sued the federal government in response, arguing that the affidavit used to obtain a warrant for the raid “does not identify facts that establish probable cause that anyone committed a crime.”

Another filing includes sworn testimony from Ryan Macias, an elections expert who tested and certified the county’s voting machines while at the Election Assistance Commission. In his testimony, Macias told the court that the government’s key claims have already been investigated and have been found to be baseless.  

He said the FBI’s “many individual omissions and misstatements” in its affidavit reflect “gross mischaracterizations” of how elections work and directly contradict the conclusions of multiple prior investigations into the Nov. 2020 election in Fulton County.

“Once the statements and omissions in the Affidavit are corrected and based on my experience administering elections, the Affidavit does not have a substantial basis in reality,” Macias stated.

For instance, the FBI’s affidavit cites the absence of scanned images of all 527,925 ballots for the original count and recount. But Macias, who served as an adviser to Fulton County and witnessed pre- and post-election operations in 2020, said this was standard practice. Jurisdictions typically send only the vote count records from their machines on election night, because ballot images and audit logs are much larger files that can slow down the reporting process.

Macias also notes that the FBI affidavit omits that this issue was already investigated by Republican Secretary of State Brad Raffensperger, who found Georgia election workers weren’t required by law to preserve such images until a state law passed in 2021.

An investigator from Raffensperger’s office later told the Board of Elections that it was “important to note that ballots can be scanned and tabulated without capturing ballot images,” while general counsel Charlene McGowan testified that ballot images play no role in the vote tabulation process and Fulton County’s paper ballots, counted three times, were the “most important” documents to verify the count.

“These explanations about the storing of ballot images have been publicly available for some time,” Macias noted.

Similarly, the FBI cites instances where some Fulton County ballots were scanned multiple times, claiming it shows evidence of “an intentional tabulation of ballots in a false matter” to make the recount and original vote counts match. The bureau also pointed to small, non-determinative differences between the county’s machine recount and totals from a hand-counted risk-limiting audit.

But the federal government again failed to mention in its petition for a warrant that these claims were “exhaustively” investigated by the Secretary of State’s office, which found the errors were benign, the duplicates weren’t counted, and did not impact the final vote count in the state’s count of the 2020 presidential contest.

According to Macias, the government’s affidavit also contains basic factual errors about Fulton County’s reporting process, including misstating the official vote count and the date and time it was transmitted to state officials for tabulation.

The post Fulton County lawsuit claims feds used ‘gross mischaracterizations’ to justify raid appeared first on CyberScoop.

FBI says ‘ongoing’ deepfake impersonation of U.S. gov officials dates back to 2023

By: djohnson
19 December 2025 at 15:46

The FBI said that unknown actors have continued to deploy AI voice cloning tools in an ongoing effort to impersonate U.S government officials and extract sensitive or classified information or conduct scams.

The bureau initially warned back in May that the campaign had been ongoing since at least April 2025. In an update Friday, it revised that initial timeline and said there was evidence of such activity dating back to 2023.

“Activity dating back to 2023 reveals malicious actors have impersonated senior U.S. state government, White House, and Cabinet level officials, as well as members of Congress to target individuals, including officials’ family members and personal acquaintances,” the FBI said in a public service announcement.

These communications include the use of encrypted apps like Signal and AI-powered voice cloning tools to trick victims into believing they’re speaking with high-level government officials, who have regularly used Signal to discuss government business under the Trump administration.

The FBI’s updated timeline would mean that such impersonation efforts may have stretched back to the Biden administration, though the bureau does not specify how many individuals, groups or actors may have been involved over the years.

The update also includes new details around the specific tactics and talking points the impersonators use to ensnare victims.

The impersonators start by engaging the victim through SMS, introducing themselves and suggesting that, given the sensitive nature of the discussion, the conversation move to an encrypted messaging app such as Signal or WhatsApp, or to a messaging app like Telegram.

Once there, the fake government official will engage the victim on a topic they are known to be well-versed in, then propose scheduling a meeting between them and President Trump or another high-ranking government official, or float the possibility of nomination to a company’s board of directors.

That sets up the victim for requests for more sensitive personal data under the guise of vetting, like passport photos, requests to sync their device with the victim’s phone contact list, requests for the victim to broker introductions between associates or wiring funds overseas.

The bureau notes in a footnote that access to the targeted individual’s contact list is used “to enable further impersonation efforts or targeting.”

“Once actors have access to the victim’s contact list, they send out another round of smishing or vishing messages, this time impersonating the last victim or another notable figure the new targeted individual would logically come in contact with,” the announcement stated.

In July, the State Department sent a cable to diplomats warning that someone was using AI audio tools and text messages to impersonate Secretary of State Marco Rubio. Under the Biden administration in 2024, a deepfake video of former State Department spokesperson Matthew Miller popped up online appearing to suggest that Russian cities were legitimate targets for Ukraine’s military.

The post FBI says ‘ongoing’ deepfake impersonation of U.S. gov officials dates back to 2023 appeared first on CyberScoop.

US charges hacker tied to Russian groups that targeted water systems and meat plants

By: Greg Otto
10 December 2025 at 09:52

The Justice Department has charged a Ukrainian national with conducting cyberattacks on critical infrastructure worldwide as part of two Russian state-sponsored hacking operations that targeted water systems, food processing facilities and government networks across the United States and allied nations.

Victoria Eduardovna Dubranova, 33, was arraigned on a second indictment Tuesday after being extradited to the U.S. earlier this year. She faces charges related to her alleged work with CyberArmyofRussia_Reborn, known as CARR, and NoName057(16), two groups federal prosecutors say received backing from Moscow to advance Russian geopolitical interests. 

Dubranova pleaded not guilty in both cases.

The indictments describe operations that evolved from distributed denial of service attacks to more destructive intrusions into industrial control systems. CARR, according to prosecutors, was founded and funded by Russia’s Main Directorate of the General Staff of the Armed Forces, known as the GRU. NoName057(16) emerged from the Center for the Study and Network Monitoring of the Youth Environment, an information technology organization established by presidential order in Russia in October 2018.

Brett Leatherman, the FBI’s assistant director in its cyber division, said the charges against Dubranova are the first time the U.S. has charged someone under the law designed to protect water systems.

“Let me emphasize, the FBI doesn’t just track cyber adversaries. We call them out and bring them to justice,” Leatherman said on a press call Wednesday. “That’s what today demonstrates.”

Both groups claimed credit for hundreds of attacks beginning in 2022, following the escalation of the Russia-Ukraine conflict. CARR maintained a Telegram channel with more than 75,000 followers and at times had over 100 members, including juveniles, according to the indictment. The group received financial support from a figure using the moniker “Cyber_1ce_Killer,” which federal authorities associate with at least one GRU officer.

The attacks attributed to CARR resulted in tangible damage to U.S. infrastructure. Public drinking water systems in several states experienced damage to control systems that caused hundreds of thousands of gallons of water to spill. In November 2024, an attack on a meat processing facility in Los Angeles spoiled thousands of pounds of meat and triggered an ammonia leak that forced an evacuation. The group also targeted U.S. election infrastructure and websites for nuclear regulatory entities.

NoName057(16) operated differently, developing proprietary software called DDoSia that recruited volunteers worldwide to participate in attacks. The group published daily leaderboards on Telegram ranking participants and paid top volunteers in cryptocurrency. Between March 2022 and June 2025, the group conducted more than 1,500 attacks on government agencies, financial institutions, railways and ports in Ukraine and NATO countries including Estonia, Finland, Lithuania, Norway, Poland and Sweden.

The group targeted Dutch infrastructure during the June 2025 NATO Summit in The Hague. Volunteers who downloaded DDoSia were required to read a manifesto describing pro-Russian geopolitical motivations before participating in attacks on targets selected by administrators.

Federal investigators from multiple agencies, including the FBI, CISA, NSA, Department of Energy and EPA, issued a joint advisory warning that pro-Russia hacktivist groups target minimally secured internet-facing connections to infiltrate operational technology control devices. The EPA emphasized the threat to public water systems, noting the defendant’s actions put communities and drinking water resources at risk.

Chris Butera, CISA’s acting deputy executive assistant director for cybersecurity, said Wednesday that organizations responsible for operating critical infrastructure should understand these groups are “actively engaging in opportunistic, low sophistication, malicious cyber activity across multiple sectors to gain notoriety and create mayhem.”

“The single most important thing people can do to protect themselves is to reduce the number of operational technology devices exposed to the public-facing internet,” Butera said. 

Dubranova faces one count of conspiracy to damage protected computers in the NoName case, carrying a maximum five-year sentence. The CARR indictment charges her with conspiracy to damage protected computers and tamper with public water systems, damaging protected computers, access device fraud and aggravated identity theft. If convicted on all CARR charges, she faces up to 27 years in federal prison.

The State Department announced rewards of up to $2 million for information on individuals associated with CARR and up to $10 million for information related to NoName057(16). Two CARR members, Yuliya Vladimirovna Pankratova and Denis Olegovich Degtyarenko, were previously sanctioned by the Treasury Department in July 2024. Pankratova allegedly served as administrator of CARR, while Degtyarenko is described as a primary hacker who accessed a U.S. energy company’s supervisory control and data acquisition system.

The investigations are part of Operation Red Circus, an FBI initiative to disrupt Russian state-sponsored cyber threats to U.S. critical infrastructure. By late 2024, prosecutors say CARR administrators grew dissatisfied with GRU support and created a new group called Z-Pentest that employs similar tactics.

Trials are scheduled for Feb. 3, 2026, in the NoName matter and April 7, 2026, in the CARR case.

The post US charges hacker tied to Russian groups that targeted water systems and meat plants appeared first on CyberScoop.
