Suspected Iranian hackers infiltrated former national security adviser John Bolton’s email account and threatened to release sensitive materials, his indictment alleges.
The indictment on charges that Bolton mishandled classified information, released Thursday, comes after President Donald Trump’s unprecedented public call for the Justice Department to prosecute his enemies. Bolton served under Trump in his first term as national security adviser and since has become a critic.
The passage of the indictment related to the Iranian hackers seeks to demonstrate that a representative of Bolton knew his personal emails included information they shouldn’t have.
In early July of 2021, according to the indictment, the Bolton representative contacted the FBI to alert the bureau about the apparent hack, and their suspicion that it was someone from Iran. The indictment states that it was “a cyber actor believed to be associated with the Islamic Republic of Iran.”
The Justice Department had recently closed an investigation into whether Bolton illegally published classified information in a memoir. Later that July, the apparent hackers threatened to release Bolton’s emails, drawing comparisons to the leak of 2016 Democratic presidential candidate Hillary Clinton’s emails.
“I do not think you would be interested in the FBI being aware of the leaked content of John’s email (some of which have been attached), especially after the recent acquittal,” the threatening note from on or about July 25 read, the indictment states. “This could be the biggest scandal since Hillary’s emails were leaked, but this time on the GOP side! Contact me before it’s too late.”
Days later — on or about July 28, the indictment states — Bolton’s representative also told the FBI that they were “[j]ust sending you the text (not the documents [the hacker] attached since there might be sensitive information in them.)”
According to the indictment, “A day later, on or about July 29, 2021, Bolton’s representative told the FBI that Bolton would be deleting the contents of his personal email account that had been hacked.”
Bolton got one more message from the apparent hackers in August. “OK John … As you want (apparently), we’ll disseminate the expurgated sections of your book by reference to your leaked email…” It’s not clear if the hackers followed through on the threat, or what they demanded of Bolton not to release the sections.
Bolton didn’t disclose to the FBI that he had used a hacked email account to share classified information with two unnamed relatives, “nor did he tell the FBI that the hackers now held this information,” the indictment reads.
A search warrant affidavit released last month contains a passage headed “Hack of Bolton AOL Account by Foreign Entity,” but the passage itself is redacted.
Bolton surrendered to authorities on Friday. The law firm of the lawyer defending Bolton did not immediately respond to an email about the indictment passages related to the alleged hack, but his attorney, Abbe Lowell, has denied Bolton committed any crimes.
“These charges stem from portions of Ambassador Bolton’s personal diaries over his 45-year career — records that are unclassified, shared only with his immediate family, and known to the FBI as far back as 2021,” Lowell said in a statement. “Like many public officials throughout history, Ambassador Bolton kept diaries — that is not a crime.”
How much private and sensitive data can you get by pointing $600 worth of satellite equipment at the sky?
Quite a bit, it turns out.
Researchers from the University of Maryland and the University of California, San Diego say they were able to intercept sensitive data from the U.S. military, telecommunications firms, major businesses and organizations by passively scanning and collecting unencrypted data from the satellites responsible for beaming that information across the globe.
The satellites they focused on — geostationary satellites — provide modern high-speed communications and services to rural or remote parts of the globe, including television, IP communications, internet and in-flight Wi-Fi capabilities. They also provide backhaul internet services — the links between a core telecom or internet network and its end users — for private networks operating sensitive remote commercial and military equipment.
Using cheap, commercially available equipment, researchers scanned 39 satellites across 25 distinct longitudinal points over seven months.
The goal was to see how much sensitive data they could intercept by “passively scanning as many GEO transmissions from a single vantage point on Earth as possible.” It was also to prove that you don’t need to be a well-resourced foreign intelligence service or have deep pockets to pull it off.
What they found was unsettling: “Many organizations appear to treat satellite[s] as any other internal link in their private networks. Our study provides concrete evidence that network-layer encryption protocols like IPSec are far from standard on internal networks,” write authors Wenyi Zhang, Annie Dai, Keegan Ryan, Dave Levin, Nadia Heninger and Aaron Schulman.
They note that the “severity” of their findings suggests “many organizations do not routinely monitor the security of their own satellite communication links” and that content scrambling “is surprisingly unlikely to be used for private networks using GEO satellite to backhaul IP network traffic from remote areas.”
“Given that any individual with a clear view of the sky and $600 can set up their own GEO interception station from Earth, one would expect that GEO satellite links carrying sensitive commercial and government network traffic would use standardized link and/or network layer encryption to prevent eavesdroppers,” the researchers wrote.
Researchers reached out to major businesses and organizations that were leaking data via satellite communications to notify them and address the vulnerabilities, but said they declined to engage in any bug bounties that included a nondisclosure agreement.
The researchers said discussions with the U.S. military, the Mexican government, T-Mobile, AT&T, IntelSat, Panasonic Avionics, WiBo and KPU all took place between December 2024 and July 2025 as the study was ongoing.
Satellites are outfitted with multiple transponders to collect different kinds of telemetry, and here the research focuses on a single type — Ku-Band transponders — that are heavily used for internet and television services. Using their consumer-grade equipment, the researchers were able to tap into 411 different transponders around the globe, collecting reams of sensitive data in the process.
They observed unencrypted data for T-Mobile users, including plaintext user SMS messages, voice call contents, user internet traffic, metadata, browsing history and cellular network signaling protocols, leaking out over the skies. Over a single, nine-hour listening session, the dish picked up phone numbers and metadata for 2,711 individuals. Similar leakages were spotted for calls over Mexican telecoms TelMex and WiBo, and Alaskan telecom KPU Telecommunications.
They also picked up unencrypted and encrypted traffic coming from U.S. military sea vessels, including plaintext that included the ships’ names — something the researchers said allowed them to determine they were all “formerly privately-owned ships” that are now owned by the government. Meanwhile, unencrypted HTTP traffic leaking out through the satellites gave them details into internal applications and systems used for infrastructure, logistics and administrative management.
The researchers say that while this kind of capability isn’t novel, previous research has suggested that only foreign governments and well-resourced companies have the capabilities to conduct such widespread monitoring. Their study, which developed a new way to parse through issues around signal quality, suggests that the barrier to entry is far lower than previously thought, requiring technical know-how and just a few hundred dollars’ worth of commercial tech.
“To our knowledge, our threat model of using low-cost consumer grade satellite equipment to comprehensively survey GEO satellite usage has not been explored before in the academic literature.”
The findings underscore how much governments and businesses rely on standard satellite communications today to move their data around, and the lack of security attention these critical nodes receive compared to other technologies. The federal government has designated 16 sectors of society and industry as “critical infrastructure” and prioritized these sectors for additional security investment and assistance. Space is not one of those sectors, though policymakers have pushed the idea as a means to quickly retrofit our space-based communications for security.
A fast-spreading Android spyware is mushrooming across Russia, camouflaging itself as popular apps like TikTok or YouTube, researchers at Zimperium have revealed in a blog post.
The company told CyberScoop they expect the campaign is likely to expand beyond Russian borders, too.
In three months, Zimperium zLabs researchers observed more than 600 samples, the company wrote in a blog post Thursday. Once implanted, the spyware can steal text messages, call logs, device information and more, and wrest control of a phone to do things like take pictures or place phone calls.
“It’s mainly targeting Russia, but they can always adapt to other payloads, and since every infected phone then becomes an attack vector, it’s likely to become a global campaign,” said Nico Chiaraviglio, chief scientist at Zimperium. “However, it’s not easy to know the attackers’ intentions.”
The spyware, dubbed ClayRat, has some notable tools it uses to infect victims.
“ClayRat poses a serious threat not only because of its extensive surveillance capabilities, but also because of its abuse of Android’s default SMS handler role,” the blog post reads. “This technique allows it to bypass standard runtime permission prompts and gain access to sensitive data without raising alarms.”
It’s also been evolving quickly, Zimperium said, “adding new layers of obfuscation and packing to evade detection.”
Zimperium didn’t say who was behind the spyware. The Russian government is a cyberspace power, but typically hasn’t had to rely on spyware vendors, per se, as it has its own capabilities. Often — but not always — spyware linked to or suspected to be linked to the Kremlin is turned inwards, snooping on domestic targets.
“ClayRat is distributed through a highly orchestrated mix of social engineering and web-based deception, designed to exploit user trust and convenience,” according to Zimperium. “The campaign relies heavily on Telegram channels and phishing websites that impersonate well-known services and applications.”
The German government has said it will oppose a piece of European Union legislation later this month that would subject phones and other devices to mass scanning — prior to encryption — by the government for evidence of child sexual abuse material.
Federal Minister of Justice Stefanie Hubig was one of several officials from the ruling Christian Democratic Union party to reiterate over the past 24 hours that Germany’s position hasn’t changed.
“Mass scanning of private messages must be taboo in a constitutional state,” Hubig said, according to a statement on X from the Ministry of Justice and Consumer Protection Wednesday. “Germany will not agree to such proposals at the EU level.”
Another CDU member, Jens Spahn, told German journalist Phillip Eckstein of ARD-Hauptstadtstudio that those sentiments are widely held within the party.
“We, as the CDU/CSU parliamentary group, are against the random monitoring of chats,” Spahn said, according to a machine-translated transcript. “That would be like opening all letters as a precaution and checking whether there’s anything illegal in them. That’s not possible, and we won’t allow that.”
The statements came after a week where tech experts and privacy activists in Europe publicly warned that Germany — which had opposed the measure since its introduction in 2022 and operated as a key swing vote — was preparing to back the measure in an upcoming Oct. 14 vote.
The German government did not respond to requests for comment from CyberScoop earlier this week, and other parties have said efforts to communicate with German officials about their intentions were met with “silence” and “stonewalling.”
The prospect of having all digital messages — and possibly other content like audio and video — scanned before encryption would defeat the very purpose of encryption and create an untenable situation, according to Meredith Whittaker, CEO of encrypted messaging app Signal. Whittaker threatened that her organization was prepared to pull out of Europe over the proposal.
Germany’s about-face likely won’t mark the end of this dispute. Western governments in the U.S. and Europe have been seeking to place limits on encrypted communications for decades, arguing that end-to-end encryption with no means of access for law enforcement makes it harder to investigate horrific crimes like pedophilia, terrorism and cybercrime.
Earlier this year, Apple pulled its own end-to-end encryption feature in the U.K. after British national security officials sent the company a letter demanding access to encrypted iCloud data for law enforcement and national security investigations.
There are indications that criminal suspects are increasingly turning to encrypted communications to hide evidence of their criminality. But privacy advocates have pointed out that strong encryption also protects many law-abiding citizens from potential government repression.
Tech experts and companies offering encrypted messaging services are warning that pending European regulation, which would grant governments broad authority to scan messages and content on personal devices for criminal activity, could spell “the end” of privacy in Europe.
The European Union will vote Oct. 14 on a legislative proposal from the Danish Presidency known as Chat Control — a law that would require mass scanning of user devices for abusive or illegal material. Over the weekend, Signal warned that Germany — a longtime opponent and bulwark against the proposal — may now move to vote in favor, giving the measure the support needed to pass into law.
On Monday, Signal CEO Meredith Whittaker warned that her company, which provides end-to-end encrypted communications services, could exit the European market entirely if the proposal is adopted.
“This could end private comms-[and] Signal-in the EU,” Whittaker wrote on BlueSky. “Time’s short and they’re counting on obscurity: please let German politicians know how horrifying their reversal would be.”
According to data privacy experts, Chat Control would require access to the contents of apps like Signal, Telegram, WhatsApp, Threema and others before messages are encrypted. While ostensibly aimed at criminal activity, experts say such features would also undermine and jeopardize the integrity of all other users’ encrypted communications, including journalists, human rights activists, political dissidents, domestic abuse survivors and other victims who rely on the technology for legitimate means.
The pending EU vote is the latest chapter in a decades-long battle between governments and digital privacy proponents about whether, and how, law enforcement should be granted access to encrypted communications in criminal or national security cases.
Supporters point to increasing use of encrypted communications by criminal organizations, child traffickers, and terrorist organizations, arguing that unrestricted encryption impedes law enforcement investigations, and that some means of “lawful access” to that information is technically feasible without imperiling privacy writ-large.
Privacy experts have long argued that there are no technically feasible ways to provide such services without creating a backdoor that could be abused by other bad actors, including foreign governments.
Whittaker reportedly told the German Press Agency that “given a choice between building a surveillance machine into Signal or leaving the market, we would leave the market,” while calling repeated claims from governments that such features could be implemented without weakening encryption “magical thinking that assumes you can create a backdoor that only the good guys can access.”
The Chaos Computer Club, an association of more than 7,000 European hackers, has also opposed the measure, saying its efforts to reach out to Germany’s Home Office, Justice Department and Digital Minister Karsten Wildberger for clarity on the country’s position ahead of the Chat Control vote have been met with “silence” and “stonewalling.”
The association and U.S.-based privacy groups like the Electronic Frontier Foundation have argued that the client-side scanning technology that the EU would implement is error-prone and “invasive.”
“If the government has access to one of the ‘ends’ of an end-to-end encrypted communication, that communication is no longer safe and secure,” wrote EFF’s Thorin Klosowski.
Beyond the damage Chat Control could cause to privacy, the Chaos Computer Club worried that its adoption by the EU might embolden other countries to pursue similar rules, threatening encryption worldwide.
“If such a law on chat control is introduced, we will not only pay with the loss of our privacy,” Elina Eickstädt, spokesperson for the Chaos Computer Club, said in a statement. “We will also open the floodgates to attacks on secure communications infrastructure.”
The Danish proposal leaves open the potential to use AI technologies to scan user content, calling for such technologies “to be vetted with regard to their effectiveness, their impact on fundamental rights and risks to cybersecurity.”
Because Chat Control is publicly focused on curtailing child sexual abuse material (CSAM), the initial scanning will target both known and newly identified CSAM, focusing on images and internet links. For now, text and audio content, as well as scanning for evidence of grooming — a more difficult crime to define — are excluded.
Still, the Danish proposal specifies that scanning for grooming is “subject to … possible inclusion in the future through a review clause,” which would likely require even more intrusive monitoring of text, audio and video conversations.
It also calls for “specific safeguards applying to technologies for detection in services using end-to-end encryption” but does not specify what those safeguards would be or how they would surmount the technical challenges laid out by digital privacy experts.
A coordinated Israeli-backed network of social media accounts pushed anti-government propaganda — including deepfakes and other AI-generated content — to Iranians as real-world kinetic attacks were happening, with the goal of fomenting revolt among the country’s people, according to researchers at Citizen Lab.
In research released this week, the nonprofit — along with Clemson University disinformation researcher Darren Linvill — said the so-called PRISONBREAK campaign was primarily carried out by a network of 50-some accounts on X created in 2023, but was largely dormant until this year.
The group “routinely used” AI-generated imagery and video in their operations to try to stoke unrest among Iran’s population, mimic real news outlets to spread false content and encourage overthrow of the Iranian government.
Israel’s military campaign in Gaza, launched following a coordinated attack by Hamas in October 2023, eventually expanded to include air strikes in Lebanon and Yemen.
In June, Israel Defense Forces launched an attack against Iranian nuclear facilities while also targeting senior Iranian military leaders and nuclear scientists for assassination. Those strikes expanded to other Iranian targets, like oil facilities, national broadcasters and a strike on Evin Prison in Tehran.
In the early days of the conflict, the networks shared images and videos — of uncertain authenticity — claiming to show Iran in a state of chaos and instability.
A June 13 post from the PRISONBREAK influence campaign depicting Iran as broadly unstable and unsafe. (Image source: Citizen Lab)
One widely circulated video, likely altered with AI, depicted people standing in line at an ATM before breaking into a riot, accompanied by messages like “The Islamic Republic has failed!” and “This regime is the enemy of us, the people!”
(Source: Citizen Lab)
But the bulk of Citizen Lab’s research focused on the period between June 13-24, 2023, during the “12 Day War” between Israel and Iran and social media activity during and after a real June 24 Israeli airstrike on Evin Prison. The facility is known for housing thousands of political prisoners and dissidents of the Iranian regime, and organizations like Human Rights Watch have tracked incidents of mistreatment, torture and executions.
The strike happened between 11:17 a.m. and 12:18 p.m. Iranian local time. By 11:52 a.m., accounts associated with the network began posting about the attack, and at 12:05 p.m., one posted an AI-generated video purporting to show footage of the attack, tricking several news outlets into sharing the content as genuine.
“The exact timing of the video’s posting, while the bombing on the Evin Prison was allegedly still happening, points towards the conclusion that it was part of a premeditated and well-synchronized influence operation,” wrote researchers Alberto Fittarelli, Maia Scott, Ron Deibert, Marcus Michaelsen, and Linvill.
Other accounts from the network began quickly piling on, spreading word of the explosions, and by 12:36 p.m., accounts were explicitly calling for Iranian citizens to march on the prison and free the prisoners.
Most of the posts failed to gain traction with online audiences except for one. A message calling on “kids” to storm Evin Prison to free their “loved ones” also contained a video with AI-generated imagery spliced with real footage of Iranian citizen repression. It managed to rack up more than 46,000 views and 3,500 likes.
“This second video about the Evin Prison, which shows the hallmarks of professional editing and was posted within one hour from the end of the bombings further strongly suggests that the PRISONBREAK network’s operators had prior knowledge of the Israeli military action, and were prepared to coordinate with it,” researchers wrote.
Those posts and others by PRISONBREAK operators led researchers to believe the campaign — still active as of today — is being carried out by either an Israeli government agency or a sub-contractor working on behalf of the Israeli government.
The press office for the Israeli embassy in Washington D.C., did not immediately respond to a request for comment from CyberScoop.
Despots — and democracies — fuel disinformation ecosystem
It’s not the first time the Israeli government has been tied to an online influence campaign related to the Gaza conflict, nor would it be the first time the country has reportedly tapped private industry to wage information warfare.
Last year, researchers at Meta, OpenAI, Digital Forensic Research Lab and independent disinformation researcher Marc Owen Jones all tracked activity from a similar network on Facebook, X and Instagram that targeted Canadian and U.S. users with posts calling for the release of Israeli hostages kidnapped by Hamas, criticism of U.S. campus protests against Israeli military operations and attacks against the United Nations Relief and Works Agency.
Meta and OpenAI both flagged STOIC, a firm based in Tel Aviv that is believed to be working on behalf of the Israeli government, as behind much of the activity.
Citizen Lab’s report identified two other Israeli firms, Team Jorge and Archimedes Group, that sell disinformation-for-hire services to government clients.
“Both companies offered their services to a wide array of clients globally, used advanced technologies to build and conduct their covert campaigns, and advertised existing or prior connections to the Israeli intelligence community,” Citizen Lab researchers wrote.
While Western threat intelligence companies and media outlets can present disinformation campaigns as mostly a tool of autocratic or authoritarian countries, researchers have warned that democratic governments and private industry are increasingly playing key roles in information warfare.
David Agranovich, Meta’s senior policy director for threat disruption, told CyberScoop last year that commercial marketing firms provide governments an additional layer of obfuscation when attempting to manipulate public opinion without leaving direct digital fingerprints.
“These services essentially democratize access to sophisticated influence or surveillance capabilities, while hiding the client who’s behind them,” Agranovich said.
North Korean nationals who conceal their identities to infiltrate businesses as employees or contractors continue to expand their presence beyond technology companies and America’s borders.
Nearly every industry has been duped into hiring North Koreans in violation of sanctions, as technology companies represent only half of all targeted victims, threat researchers at Okta said in a report this week.
Okta Threat Intelligence found evidence confirming North Korean nationals have targeted and sought roles at any organization recruiting remote talent. The North Korean regime will pursue any opportunity to collect and launder payment if the application, interview process and work can be performed remotely, researchers said.
North Koreans are no longer limiting themselves to IT and software engineering positions. According to Okta’s research, more North Koreans are now applying for remote finance positions, such as payments processors, and engineering roles.
While technology firms attract the highest volume of applications and job interviews, other verticals including finance and insurance, health care, manufacturing, public administration and professional services appeared often in Okta’s analysis.
Researchers based the study on more than 130 identities used by facilitators and workers participating in the scheme, and linked those personas to more than 6,500 job interviews spread across about 5,000 companies over a four-year period through mid-2025.
Okta acknowledges this only reflects a small sample of North Korea’s scheme, but said it highlights the extent to which IT worker units are targeting more industries in more countries.
“It’s possible that increased awareness of this threat — as well as government and private sector collaborative efforts to identify and disrupt their operations — may be an additional driver for them to increasingly target roles outside of the US and IT industries,” Okta threat researchers said in the report.
Indeed, threat intelligence firms and officials have consistently warned about the growing pervasiveness of North Korea’s scheme. In April, Mandiant said hundreds of Fortune 500 organizations have unwittingly hired North Korean IT workers.
Okta analysis revealed a global expansion of the North Korea IT worker operation, with 27% of targeted roles based outside of the United States. Researchers observed North Korean operatives targeting roles in the United Kingdom, Canada and Germany, with each country accounting for about 150 to 250 roles.
Other top targeted countries include India, Australia, Singapore, Switzerland, Japan, France and Poland.
Okta cautioned that non-U.S.-based companies are likely less skilled at, and less concerned with, finding North Korean job applicants because the scheme was largely viewed as a U.S. technology industry problem. This creates an elevated problem in newly targeted countries, researchers said.
“Years of sustained activity against a broad range of U.S. industries have allowed Democratic People’s Republic of Korea-aligned facilitators and workers to refine their infiltration methods,” Okta said in the report. “Consequently, they are entering new markets with a mature, well-adapted workforce capable of bypassing basic screening controls and exploiting hiring pipelines more effectively.”
An elusive, persistent, newly confirmed China espionage group has hit almost 10 victims of geopolitical importance in the Middle East, Africa and Asia using specific tactics and extreme stealth to avoid detection, according to Palo Alto Networks’ Unit 42.
Phantom Taurus uses tools and a distinct homegrown set of malware and backdoors that set them apart from other China threat groups, said Assaf Dahan, who has led an investigation into the group since 2022 as director of threat research at Palo Alto Networks’ Cortex unit.
The discovery of an undocumented threat group conducting long-term intelligence-gathering operations aligned with Beijing’s interests underscores the spread of China’s offensive espionage operations globally. Roughly 3 in 4 nation-state threats originate from or are operating on behalf of the Chinese government’s interests, Dahan told CyberScoop.
Unit 42 did not name Phantom Taurus’ victims but said the group has infiltrated networks operated by ministries of foreign affairs, embassies, diplomats and telecom networks to steal sensitive and timely data around major summits between government leaders or political and economic events.
Phantom Taurus seeks sustained access to highly targeted networks so it can periodically and opportunistically steal data they want at any time. Unit 42 researchers responded to one case involving access going back almost two years, Dahan said.
The threat group remains active and has expanded its scope over time by targeting more organizations. “The latest activity was just a couple of months ago when we saw them highly active in at least two regions of the world,” Dahan said.
Unit 42 expects more victims to be identified as a result of its report, which includes details about the group’s specialized malware, indicators of compromise and tactics, techniques and procedures.
Phantom Taurus uses multiple pieces of malware, including the newly identified NET-STAR malware suite, which consists of three distinct web-based backdoors. These backdoors support in-memory execution of command-line arguments, arbitrary commands and payloads, and the loading and execution of .NET payloads with evasive capabilities designed to avoid detection in more heavily monitored environments, according to Unit 42.
“These pieces of malware are designed for extreme stealth, allowing them to operate clandestinely, under the radar, and infiltrate into really sensitive organizations,” Dahan said. While Phantom Taurus uses some infrastructure and tools that are commonly shared among multiple Chinese espionage groups, Unit 42 isn’t aware of any other groups using the suite of specialized malware.
The group most often breaks into networks by locating internet-facing devices that can be exploited via known vulnerabilities, Dahan said. “The level of sophistication that we’ve seen from this group is really off the charts. But when it comes to how they actually put a foot in the door, it’s as basic as exploiting an unpatched server most of the time,” he added.
Phantom Taurus’ tools, capabilities, targets and other fingerprints left behind by its activities give Unit 42 confidence the group is unique and does not overlap with a group previously identified by other research firms.
“Their entire playbook seems distinct and quite apart from other Chinese threat actors,” Dahan said. “It’s not something that you can mistake for another group.”
The United Nations is making a push to more directly influence global policy on artificial intelligence, including the promotion of policymaking and technical standards around “safe, secure and trustworthy” AI.
Last month, the world body finalized plans to create a new expert panel focused on developing scientific, technical and policy standards for the emerging technology. The Independent Scientific Panel on AI will be staffed by 40 international experts serving three-year terms and will be drawn from “balanced geographic representation to promote scientific understanding” around the risks and impacts.
The same resolution also created the Global Dialogue on AI Governance, which will aim to bring together governments, businesses and experts to “discuss international cooperation, share best practices and lessons learned, and to facilitate open, transparent and inclusive discussions on artificial intelligence governance.” The first task listed for the dialogue is “the development of safe, secure and trustworthy artificial intelligence.”
On Thursday, Secretary-General António Guterres said the actions will help the UN move “from principles to practice” and help further promote the organization as a global forum for shaping AI policy and standards.
It will also be an opportunity to build international consensus on a range of thorny issues, including AI system energy consumption, the technology’s impact on the human workforce, and the best ways to prevent its misuse for malicious ends or repression of citizens.
The UN’s work “will complement existing efforts around the world – including at the OECD, the G7, and regional organizations – and provide an inclusive, stable home for AI governance coordination efforts,” he said. “In short, this is about creating a space where governments, industry and civil society can advance common solutions together.”
Guterres wielded lofty rhetoric to argue that the technology was destined to become integral to the lives of billions of people and fundamentally restructure life on Earth (computer scientists and AI experts have more mixed opinions around this).
“The question is no longer whether AI will transform our world – it already is,” said Guterres. “The question is whether we will govern this transformation together – or let it govern us.”
The UN’s push on safety, security and trust in AI systems comes as high-spending, high-adoption countries like the United States, the UK and Europe have either moved away from emphasizing those same concerns, or leaned more heavily into arguing for deregulation to help their industries compete with China.
International tech experts told CyberScoop that this may leave an opening for the UN or another credible body to have a larger voice shaping discussions around safe and responsible AI. But they were also realistic about the UN’s limited authority to do much more than encourage good policy.
Pavlina Pavova, a cyber policy expert at the UN Office on Drugs and Crime in Vienna, Austria, told CyberScoop that the United Nations has been building a foundation to have more substantive discussions around AI and remains “the most inclusive forum for international dialogue” around the technology.
However, she added: “The newly established formats are consultative and lack enforcement authority, playing a confidence-building role at best.”
James Lewis, a senior adviser at the Center for European Policy Analysis, echoed some of those sentiments, saying the UN’s efforts will have “a limited impact.” But he also said it’s clear that the AI industry is “completely incapable of judging risk” and that putting policymakers with real “skin in the game” in charge of developing solutions could help counter that dynamic.
That mirrors an approach taken by organizers of the U.S. Cyberspace Solarium, who filled their commission with influential lawmakers and policy experts in order to get buy-in around concrete proposals. It worked: the commission estimates that 75% of its final recommendations have since been adopted into law.
“The most important thing they can do is have a strong chair, because a strong chair can make sure that the end product is useful,” Lewis said.
Another challenge Lewis pointed to: AI adoption and investment tends to be highest in the US, UK and European Union, all governments that will likely seek to blaze their own trail on AI policies. Those governments may wind up balking at recommendations from a panel staffed by experts from countries with lower AI adoption rates, something Lewis likened to passengers “telling you how to drive the bus.”
For Tiffany Saade, a technology expert and AI policy consultant to the Lebanese government and an adjunct adviser at the Institute for Security and Technology, the inclusion of those nontraditional perspectives is the point, giving them an opportunity to shape policy for a technology that is going to impact their lives very soon.
Saade, who attended UN discussions in New York City this week around AI, told CyberScoop that trust was a major theme, particularly for countries with lesser technological and financial resources.
But any good ideas that come out of the UN’s process will need to have real incentives built in to nudge countries and companies into adopting preferred policies.
“We have to figure out structures around that to incentivize leading governments and frontier labs to comply with [the recommendations] without compromising innovation,” she said.
Ambitious, suspected Chinese hackers with a slew of goals — stealing intellectual property, mining intelligence on national security and trade, developing avenues for future advanced cyberattacks — have been setting up shop inside U.S. target networks for exceptionally long stretches of time, in a breach that the researchers who uncovered it said could present problems for years to come.
Mandiant and Google Threat Intelligence Group (GTIG) researchers described the campaign as exceptionally sophisticated, stealthy and complex, calling those behind it a “next-level threat.” But they don’t yet have a full handle on who the hackers are behind the malware they’ve dubbed Brickstorm, or how far it stretches. A blog post Google published Wednesday sheds light on the group.
The primary targets are legal services organizations and tech companies that provide security services, the researchers said. But the hackers aren’t limiting their interest to the primary targets, since they’ve used that access to infiltrate “downstream” customers. The researchers declined to describe those downstream customers, or say whether U.S. federal agencies are among those targeted. A great many of them don’t know yet that they’re victims, they said.
By stealing intellectual property from security-as-a-service (SaaS) firms, the hackers aim to find future zero-day vulnerabilities, a kind of vulnerability that is previously unknown and unpatched and thus highly prized, in order to enable more attacks down the line, the researchers from Mandiant and its parent company Google said.
The researchers declined to comment on possible Chinese government agency connections. But they see overlap with Chinese hacking groups like the one they’ve labeled UNC5221 — perhaps best known for exploiting Ivanti flaws, and a group that Mandiant and GTIG described as the “most prevalent” Chinese-centered threat group right now — and the one Microsoft calls Silk Typhoon, which researchers warned recently has been ramping up its attacks this year, with targets including IT supply chains and the cloud. Silk Typhoon is believed to be Chinese government-sponsored.
The company has also developed a tool for potential victims to discover if they’ve been affected by Brickstorm activity. Google experts indicated that such discoveries are a distinct possibility and could affect scores of organizations over the coming weeks.
“We have no doubt that organizations will use our tools to hunt for this adversary, and they will find evidence of compromise in their environments,” Charles Carmakal, chief technology officer at Mandiant Consulting, told reporters briefed on the blog post. “And it may be active compromises, it might be historic compromises, but many of our organizations are going to discover that they were dealing with this adversary.”
Sneaky, sneaky
The campaign’s average “dwell time” is 400 days, they said, compared to dwell times more commonly measured in days or weeks.
Several features obscure Brickstorm activity. “It’s very hard to detect them and to investigate them,” said Austin Larsen, principal threat analyst at GTIG.
The hackers target systems that cannot run the endpoint detection and response (EDR) agents used to find and track threats on endpoints such as laptops or cell phones. Examples of such systems include email security gateways and vulnerability scanners. They consistently target VMware vCenter and ESXi hosts, according to the blog post.
The researchers also never see the attackers’ IP addresses overlap from one victim to the next, Larsen said, and the same holds for another common way of identifying attackers, file hashes: “The hashes when they land on this are different for essentially every system.”
Brickstorm attackers also “clean up after themselves” at times, Carmakal said. “Brickstorm may not exist in a victim environment today, but it could have been there for a year and a half. It might have been deleted back in April this year, back in January this year,” he said.
What they want
Brickstorm also isn’t just about one goal. “It’s an intelligence operation, but not just an intelligence operation,” said John Hultquist, chief analyst at GTIG. “This is a long-term play.”
The hackers are primarily compromising victims through zero-days, but they’re aiming to uncover new ones, too, by going through companies’ proprietary source code. That gives them multiple ways to penetrate new victim networks.
The Brickstorm hackers “hit the SaaS providers, who either hold data for people, or they have some connectivity to downstream,” Hultquist said. Or he said the group can “get a hold of the technology source code and leverage that source code information to gain access or to build out exploits in that technology, which would then give [them] basically a skeleton key to that technology.”
But its targeting can be even more precise than that. “As part of this campaign, we observed in some organizations — including some legal organizations — we observed the actor searching the emails of very specific individuals,” Larsen said. The hackers have focused on collecting intelligence on international trade and national security from those organizations.
Google has been tracking Brickstorm for a while now. This spring, Belgian cybersecurity company NVISO also shined the spotlight on Brickstorm variants spying on European businesses. Google’s latest blog post identifies Brickstorm activity as far more extensive than previously described.
The response
Mandiant and GTIG have notified U.S. federal agencies and international governments about the campaign.
The tool is a scanner script that can be used on Unix systems, even if YARA (a common security tool used to find and identify malware) isn’t installed. This script is designed to do the same type of search as a specific YARA rule by looking for certain words and patterns that are unique to the Brickstorm backdoor.
“The most important thing here is, if you find Brickstorm, you really need to do a very thorough enterprise investigation, because the adversary that’s dropping this is a very, very advanced adversary that is known for stealing intellectual property from organizations,” Carmakal said. “It’s known for using access from victim companies to get into downstream customer environments.”
It’s all a “very, very significant threat campaign [that’s] very, very hard to defend against in tech,” Carmakal said.
Updated 9/24/25: with additional information about past Brickstorm reporting.
Researchers say a Russian group sanctioned by the European Union and wanted by the U.S. government is behind an influence operation targeting upcoming elections in Moldova.
In a report released Tuesday, researchers at the Atlantic Council’s Digital Forensic Research Lab said that REST Media — an online news outlet launched in June whose posts have quickly amassed millions of views on social media — is actually the work of Rybar, a known Russian disinformation outfit connected to other documented influence campaigns against Western countries and Russian foes like Ukraine.
REST’s content — spread through its website and social media sites like Telegram, X and TikTok — often hammered Moldova’s pro-EU party, the Party of Action and Solidarity, with claims of electoral corruption, vote selling and other forms of misconduct. The site also sought to explicitly cast Moldova’s anti-disinformation efforts as a form of government censorship.
While REST publishes anonymously bylined articles on its website meant to mimic news reporting, most of its reach has come from TikTok, which accounts for the overwhelming majority of the 3.1 million views its content has received online.
“The actual scope and reach of REST’s campaign likely extends beyond what is documented in this investigation,” wrote researchers Jakub Kubś and Eto Buziashvili.
REST Media’s social media output received millions of views on platforms like TikTok, X and Telegram. (Source: Digital Forensic Research Lab)
The researchers provide technical evidence that they say shows an unmistakable connection and overlap between the online and cloud-based infrastructure hosting REST and online assets from previously known Rybar operations.
For instance, the site shares “identical” server configurations, file transfer protocol (FTP) settings and control panel software with Rybar’s mapping platform, while a forensic review of REST’s asset metadata found a number of file paths that explicitly reference Rybar.
“These operational security lapses appear to indicate that at least some REST content follows the same production workflow as Rybar,” Kubś and Buziashvili wrote.
Analysis of the domain for REST’s website found it was registered June 20 “through a chain of privacy-focused services that collectively create multiple layers of anonymization.” The registration was processed by Sarek Oy, a Finland-based domain registrar with a history of involvement with piracy websites that was denied formal accreditation by international bodies like ICANN.
The listed domain registrant for REST’s website, 1337 (or “LEET”) Services LLC, appears to be a play on common hacker slang, and DFRLab said the company is tied to a notorious VPN service based in St. Kitts and Nevis in the Caribbean that is known for helping clients hide their identities.
Efforts to reach the site’s operators were not successful. REST’s website, which is still active, contains no information about the identities of editorial staff, regularly publishes stories with anonymous bylines and does not appear to provide any means for readers to contact the publication, though there is a section for readers to leak sensitive documents and apply for employment.
An image from REST Media detailing “electoral corruption” in Moldova targeting Maia Sandu, head of the pro-EU Party of Action and Solidarity. (Source: Digital Forensic Research Lab)
Kubś and Buziashvili said the new research demonstrates that REST “is more than just another clone in Russia’s information operations ecosystem.”
“It provides granular detail on how actors, such as Rybar, adapt, regenerate, and cloak themselves to continue their efforts to influence,” the authors wrote. “From shared FTP configurations to sloppy metadata, the evidence points to REST being part of a broader strategy to outlast sanctions through proxy brands and technical obfuscation.”
It also underscores “that such influence efforts” from Russia are not siloed “but cross-pollinated across regions, platforms, and political contexts, seeding disinformation that resonates well beyond Moldovan borders.”
No REST from influence campaigns
REST is the latest in a string of information operations targeting Moldova’s elections that have been traced back to the Russian government over the past year, according to Western governments and independent researchers who track state-backed disinformation campaigns.
A risk assessment from the Foreign Information Manipulation and Interference Information Sharing and Analysis Center on Sept. 9 identifies what it described as “persistent Russian-led hybrid threats, including information warfare, illicit financing, cyberattacks, and proxy mobilisation, aimed at undermining the Moldovan government’s pro-EU agenda and boosting pro-Russian actors.”
The assessment pointed to Moldova’s fragmented media landscape — “where banned pro-Russian outlets evade restrictions via mirror websites, apps, and social media platforms such as Telegram and TikTok” — as a vulnerability that is being exploited by Russian actors, alongside the country’s limited regulatory resources and gaps in online political ad regulation. Russian-directed influence activities in Moldova have “evolved significantly” from funding real-life protests and other forms of paid mobilization to “increasingly technology driven operations,” including social media and newer technologies like artificial intelligence.
But such mobilization may still be part of Russia’s plans. Earlier this week, Moldovan authorities carried out 250 raids and detained dozens of individuals whom they claimed were part of a Russian-orchestrated plot to incite riots and destabilize the country ahead of next week’s elections.
Russia’s goal is to create a society that feels besieged from all sides — facing not only external pressure from Russia abroad but also internal political strife that can prevent a unified front.
“This intersection of external manipulation and internal fragmentation heightens political polarisation, risks disengaging the traditionally pro-European diaspora, and fosters growing public apathy and disillusionment, outcomes that directly threaten electoral integrity and democratic resilience,” the assessment concluded.
It also comes as the U.S. federal government has — often loudly and proudly — moved away from any systemic effort to fight or limit the spread of disinformation domestically and abroad.
The State Department under Secretary Marco Rubio earlier this year shut down the Global Engagement Center, which was created by Congress and functioned as the federal government’s primary diplomatic arm for engaging with other countries on disinformation issues.
In a Sept. 17 statement, State Department principal deputy spokesperson Tommy Pigott confirmed that the department had “ceased all Frameworks to Counter Foreign State Information Manipulation and any associated instruments implemented by the former administration.”
Pigott added that the decision to shutter the office, which focused mostly on foreign disinformation campaigns waged by autocrats abroad, aligns with an executive order on free speech and freedom of expression issued shortly after Trump took office.
“Through free speech, the United States will counter genuine malign propaganda from adversaries that threaten our national security, while protecting Americans’ right to exchange ideas,” Pigott said.
In addition to the State Department, the Trump administration has shut down the foreign influence task force at the FBI and fired officials and eliminated disinformation research at the Cybersecurity and Infrastructure Security Agency.
The Foreign Malign Influence Center, a key office housed within the Office of the Director of National Intelligence, was responsible for piecing together intelligence around burgeoning foreign influence operations targeting U.S. elections and notifying policymakers and the public. According to sources familiar with the matter, the center’s work has largely ground to a halt under Director of National Intelligence Tulsi Gabbard, who is planning to eliminate the center as part of a larger intelligence reorganization plan.
Lindsay Gorman, a former White House official under the Biden administration, told CyberScoop earlier this year that the U.S. needs a way to coordinate with democratic allies and provide effective interventions when their elections and digital infrastructure are being targeted by intelligence services in Russia, China and other adversarial nations.
One way to fight back, Gorman said, is to have “eyes and ears on the ground” on those countries and “to expose covert campaigns for what they are,” something that outfits like the State Department’s Global Engagement Center were explicitly designed to do.
FBI cyber division cuts under President Donald Trump will reduce personnel there by half, a top Democratic senator warned Tuesday, while FBI Director Kash Patel countered that arrests and convictions have risen under the Trump administration.
A contentious Senate Judiciary Committee hearing dominated by clashes over political violence, Patel’s leadership and accusations about the politicization of the bureau nonetheless saw senators probing the FBI’s performance on cybersecurity.
“My office received information that cuts to the bureau’s cyber division will cut personnel by half despite the ever-increasing threat posed by adverse foreign actors,” said Illinois Sen. Dick Durbin, the top Democrat on the panel. The Trump administration has proposed a $500 million cut for the FBI in fiscal 2026.
Sen. Alex Padilla, D-Calif., said that as the FBI has shifted personnel toward immigration and politically motivated investigations like the Tesla task force, it has undercut other missions. “It has an impact on other priorities, like nation-state threats and ransomware investigations,” he said.
Padilla was one of several Senate Democrats, like Cory Booker of New Jersey and Mazie Hirono of Hawaii, who said the FBI’s cyber mission was suffering because its personnel were being directed elsewhere.
Patel told Hirono that the FBI’s cyber branch was one of the bureau’s “most impressive” units, and that it had made 409 arrests, a 42% increase compared to the same period last year, and garnered 169 convictions.
As Padilla questioned him about the FBI’s mission to protect against election interference and the Justice Department ending the Foreign Influence Task Force, Patel answered that the FBI did not “in any way divert or reallocate resources from that critical mission set.” He said it was still working on it through its cyber programs, which had seen a “40, 50, 60%” increase in arrests in cyber threat cases involving critical infrastructure and interference with elections.
Patel said he hadn’t shifted any resources away from any critical missions like terrorism toward things like Tesla vandalism or sending federal personnel to cities like Washington, D.C. “They never left their primary job,” he said. “It is a surge in law enforcement.”
Hirono asked Patel to say who had replaced top officials who had exited the cyber division, but he said only that they were “supremely qualified individuals” and wouldn’t give their names “so you can attack them.” Hirono replied, “you don’t know” when he wouldn’t say who they were.
More broadly, Patel said the FBI was taking the fight to Chinese threat groups like Salt Typhoon and Volt Typhoon, and going after ransomware and malware attackers.
Sen. Amy Klobuchar, D-Minn., said she was concerned about a rise in artificial intelligence-generated election interference, including materials directed at her. Patel said the FBI was looking into it, but that the culprits appeared to be “loose groups overseas, without any central cluster.”
Major cyber intrusions by the Chinese hacking groups known as Salt Typhoon and Volt Typhoon have forced the FBI to change its methods of hunting sophisticated threats, a top FBI cyber official said Wednesday.
U.S. officials, allied governments and threat researchers have identified Salt Typhoon as the group behind the massive telecommunications hack that was revealed last fall but could have been ongoing for years. Investigators have pointed at Volt Typhoon as a group that has infiltrated critical infrastructure in order to cause disruptions in the United States if China invades Taiwan and Americans intervene.
Those hacks were stealthier than in the past, and more patient, said Jason Bilnoski, deputy assistant director of the FBI’s cyber division. The Typhoons have focused on persistent access and gotten better at hiding their infiltration by using “living off the land” techniques that involve using legitimate tools within systems to camouflage their efforts, he said. That in turn has complicated FBI efforts to share indicators of compromise (IOCs).
“We’re having to now hunt as if they’re already on the network, and we’re hunting in ways we hadn’t before,” he said at the Billington Cybersecurity Summit. “They’re not dropping tools and malware that we used to see, and perhaps there’s not a lot of IOCs that we’d be able to share in certain situations.”
The hackers used to be “noisy,” with an emphasis on hitting a target quickly, stealing data and then escaping, Bilnoski said. But now for nation-backed attackers, “we’re watching exponential leaps” in tactics, techniques and procedures, he said.
Jermaine Roebuck, associate director for threat hunting at the Cybersecurity and Infrastructure Security Agency, said his agency is also seeing those kinds of changes in the level of stealth from sophisticated hackers, in addition to “a significant change” in their intentions and targeting.
“We saw a lot of espionage over the last several years, but here lately, there’s been a decided shift into computer network attack, prepositioning or disruption in terms of capabilities,” he said at the same conference.
The targeting has changed as organizations, including government agencies, have shifted to the cloud. “Well, guess what?” he asked. “The actors are going toward the cloud” in response.
They’ve also focused on “edge devices,” like devices that supply virtual private network connections or other services provided by managed service providers, Roebuck said. Organizations have less insight into the attacks those devices and providers are facing than more direct intrusions, he said.
The top cyber official at the National Security Council said Tuesday that he’s dismayed by the lag in security technology embedded in critical infrastructure, saying it pales in comparison to the tech in modern smartphones.
“I worry a lot about critical infrastructure cybersecurity,” Alexei Bulazel said at the Billington Cybersecurity Summit. “I also think about the technology that’s deployed in critical infrastructure contexts. This is not the best-in-class software or hardware.”
Bulazel mentioned the energy sector in particular, given the potential for hackers to turn off the power in the United States. It’s a sector that relies in large measure on supervisory control and data acquisition (SCADA) systems to monitor and control industrial processes.
“I think about the phones in our pockets — Android, iPhone, doesn’t matter — really amazing feats of engineering,” he said. “Imagine if our critical infrastructure, if the SCADA system that ran the power or the water or whatever, was as secure as the phone in your pocket. I think a lot of these threats are mitigated; only the absolute apex predator, top-tier actors can get in.”
As a “White House policymaker,” Bulazel said, many of the questions he deals with go away if the technical mark is raised in critical infrastructure. It’s one of the reasons the Trump administration — despite frequently discussing the need to go on offense in cyberspace — is focused on defensive strategies like secure-by-design, he said.
“We are unapologetically unafraid to do offensive cyber,” he said. “It’s an important tool in the toolbox. It’s not the only tool.”
The Trump administration is trying to shift away from “victims” and more to “villains,” Bulazel said. His comments echoed earlier remarks Tuesday from National Cyber Director Sean Cairncross about shifting the cyber risk burden to adversaries.
It’s important to deter hackers, who aren’t like floods or lightning strikes in that they are intentional and deliberate, he said: “This is because a motivated bad actor is trying to give you a bad day.”
China’s reliance on domestic technology companies to carry out large-scale hacking operations—as highlighted by the U.S. government and its allies this week—is a weakness that poses risks for Beijing, a top FBI official told CyberScoop.
Cyber agencies from around the world published an alert Wednesday about what officials have described as an indiscriminate cyberespionage campaign from Chinese Communist Party-backed hackers like the group known as Salt Typhoon. The alert also named three Chinese companies that it says have assisted that hacking.
“These enabling companies, they failed,” Jason Bilnoski, deputy assistant director in the FBI’s cyber division, told CyberScoop. “This investigation, and that of our partners, are exposing that the use of these enabling companies by the CCP is a failure.”
The lack of precise control China has over what those companies do created an opening for investigators, Bilnoski said.
“They have this unregulated system of using these enabling companies, and it does create a risk between CCP-sanctioned actions and the mistakes by these enabling private companies that they are utilizing,” he said.
The alert about the hacking campaign tracks activity from Salt Typhoon and other Chinese government-linked groups dating back to 2021, which it says the named Chinese companies also assisted.
“These companies provide cyber-related products and services to China’s intelligence services, including multiple units in the People’s Liberation Army and Ministry of State Security,” the alert states. “The data stolen through this activity against foreign telecommunications and Internet service providers (ISPs), as well as intrusions in the lodging and transportation sectors, ultimately can provide Chinese intelligence services with the capability to identify and track their targets’ communications and movements around the world.”
One of the named companies, Sichuan Juxinhe Network Technology, is already the subject of U.S. sanctions. That firm has not responded publicly to the U.S. accusations to date, nor apparently have the other two. The Chinese government routinely denies backing hacking activities.
Under a series of laws that China passed dating back to 2014, the government has imposed obligations on companies that do business domestically on the handling of sensitive data, among other rules.
“Historically, the CCP has used shell companies like those listed here in the [advisory] to conduct this nefarious activity, and no doubt they will continue to do so,” Bilnoski said. “But we’re going to continue after them. We have a long memory, so if it’s today, tomorrow, we’re going to continue to identify, uncover and expose their activities.”
Defending networks can’t just be the role of the government, though, he said — thus the alert that went beyond warnings to the telecommunications companies that Salt Typhoon made headlines by hacking.
The timing of the alert was simple, he said: As the FBI and its partners conducted their investigations, responded to the attacks and assisted victims, they released it as soon as it was ready to go.
“It’s important that we understand that it doesn’t matter if you’re Fortune 500, small business — we should not and we cannot assume that our systems are secure,” Bilnoski said. “We need the American people, we need our partners around the world to take action here, not just with Salt Typhoon, but with all the indiscriminate actions that the CCP has been undertaking over the last few years.”
A notorious Chinese hacking campaign against telecommunications companies has now reached into a variety of additional sectors across the globe, including government, transportation, lodging and military targets, according to an alert U.S. and world cybersecurity agencies published Wednesday.
The alert is an effort to give technical details to potential victims of the campaign from the People’s Republic of China-backed group commonly known as Salt Typhoon, the alleged culprit behind what has been called the most serious telecom breach in U.S. history. Those intrusions may have begun years ago and first came to light last fall, accompanied by revelations that the hackers targeted U.S. presidential candidates.
“By exposing the tactics used by PRC state-sponsored actors and providing actionable guidance, we are helping organizations strengthen their defenses and protect the systems that underpin our national and economic security,” Madhu Gottumukkala, acting director of the Cybersecurity and Infrastructure Security Agency, said in a news release.
In comments to The Wall Street Journal and Washington Post on Wednesday, the FBI said the scope of the Salt Typhoon campaign includes hitting more than 80 countries and 200 American organizations, beyond the previous nine identified telecom company victims.
The alert also names Chinese companies identified as being part of the campaign. Its recommendations include patching known vulnerabilities that have been actively exploited and securing “edge” devices that the hackers have used to get into networks, such as routers.
Government agencies participating in the alert hailed from Australia, Canada, Czech Republic, Finland, Germany, Italy, the Netherlands, New Zealand, Poland, Spain and the United Kingdom. U.S. agencies besides the FBI and CISA that collaborated on it included the National Security Agency and the Department of Defense’s Cyber Crime Center.
“The advisory outlines how Chinese state-sponsored actors are exploiting vulnerabilities in routers used by telecommunications providers and other infrastructure operators,” according to the news release. “These actors often take steps to evade detection and maintain persistent access, particularly across telecommunications, transportation, lodging, and military networks.”
Telecommunications networks are a valuable target for hackers because they can serve as a hub into other communications. But targeting the other sectors mentioned in the alert can round out the intel profile for the attackers, said John Hultquist, chief analyst at Google Threat Intelligence Group.
“In addition to targeting telecommunications, reported targeting of hospitality and transportation by this actor could be used to closely surveil individuals,” he said in a written statement. “Information from these sectors can be used to develop a full picture of who someone is talking to, where they are, and where they are going.”
Google says it is starting a cyber “disruption unit,” a development that arrives in a potentially shifting U.S. landscape toward more offensive-oriented approaches in cyberspace.
But the contours of that larger shift are still unclear, and whether or to what extent it’s even possible. While there’s some momentum in policymaking and industry circles to put a greater emphasis on more aggressive strategies and tactics to respond to cyberattacks, there are also major barriers.
Sandra Joyce, vice president of Google Threat Intelligence Group, said at a conference Tuesday that more details of the disruption unit would be forthcoming in future months, but the company was looking for “legal and ethical disruption” options as part of the unit’s work.
“What we’re doing in the Google Threat Intelligence Group is intelligence-led proactive identification of opportunities where we can actually take down some type of campaign or operation,” she said at the Center for Cybersecurity Policy and Law event, where she called for partners in the project. “We have to get from a reactive position to a proactive one … if we’re going to make a difference right now.”
The boundaries in the cyber domain between actions considered “cyber offense” and those meant to deter cyberattacks are often unclear. The tradeoff between “active defense” vs. “hacking back” is a common dividing line. On the less aggressive end, “active defense” can include tactics like setting up honeypots designed to lure and trick attackers. At the more extreme end, “hacking back” would typically involve actions that attempt to deliberately destroy an attacker’s systems or networks. Disruption operations might fall between the two, like Microsoft taking down botnet infrastructure in court or the Justice Department seizing stolen cryptocurrency from hackers.
Trump administration officials and some in Congress have been advocating for the U.S. government to go on offense in cyberspace, saying that foreign hackers and criminals aren’t suffering sufficient consequences. Much-criticized legislation to authorize private sector “hacking back” has long stalled in Congress, but some have recently pushed a version of the idea where the president would give “letters of marque” like those for early-U.S. sea privateers to companies authorizing them to legally conduct offensive cyber operations currently forbidden under U.S. law.
The private sector has some catching up to do if there’s to be a worthy field of firms able to focus on offense, experts say.
John Keefe, a former National Security Council official from 2022 to 2024 and National Security Agency official before that, said there had been government talks about a “narrow” letters of marque approach “with the private sector companies that we thought had the capabilities.” The concept was centered on ransomware, Russia and rules of the road for those companies to operate. “It wasn’t going to be the Wild West,” said Keefe, now founder of Ex Astris Scientia, speaking like others in this story at Tuesday’s conference.
The companies with an emphasis on offense largely have only one customer — and that’s governments, said Joe McCaffrey, chief information security officer at defense tech company Anduril Industries. “It’s a really tough business to be in,” he said. “If you develop an exploit, you get to sell to one person legally, and then it gets burned, and you’re back again.”
By their nature, offensive cyber operations in the federal government are already very time- and manpower-intensive, said Brandon Wales, a former top official at the Cybersecurity and Infrastructure Security Agency and now vice president of cybersecurity at SentinelOne. Private sector companies could make their mark by innovating ways to speed up and expand the number of those operations, he said.
Overall, when it comes to companies that could do more offensive work, the “industry doesn’t exist yet, but I think it’s coming,” said Andrew McClure, managing director at Forgepoint Capital.
Certainly Congress would have to clarify what companies are able to do legally as well, Wales said.
But that’s just the industry side. There’s plenty more to weigh when stepping up offense.
“However we start, we need to make sure that we are having the ability to measure impact,” said Megan Stifel, chief strategy officer for the Institute for Security and Technology. “Is this working? How do we know?”
If there was a consensus at the conference, it’s that the United States — be it the government or the private sector — needs to do more to deter adversaries in cyberspace by pursuing them more actively in that domain.
One knock on that idea has been that the United States can least afford to get into a cyber shooting match, since it’s more reliant on tech than other nations and an escalation would hurt the U.S. the most by presenting more vulnerable targets for enemies. But Dmitri Alperovitch, chairman of the Silverado Policy Accelerator, said that idea was wrong for a couple of reasons, among them that other nations have become just as reliant on tech, too.
And “the very idea that in this current bleak state of affairs, engaging in cyber offense is escalatory, I propose to you, is laughable,” he said. “After all, what are our adversaries going to escalate to in response? Ransom more of our hospitals, penetrate more of our water and electric utilities, steal even more of our IP and financial assets?”
Alperovitch continued: “Not only is engaging in thoughtful and careful cyber offense not escalatory, but not doing so is.”
Sen. Ron Wyden on Monday urged Supreme Court Chief Justice John Roberts to seek an independent review of federal court cybersecurity following the latest major hack, accusing the judiciary of “incompetence” and “covering up” its “negligence” over digital defenses.
“The federal judiciary’s current approach to information technology is a severe threat to our national security,” Wyden said. “The courts have been entrusted with some of our nation’s most confidential and sensitive information, including national security documents that could reveal sources and methods to our adversaries, and sealed criminal charging and investigative documents that could enable suspects to flee from justice or target witnesses. Yet, you continue to refuse to require the federal courts to meet mandatory cybersecurity requirements and allow them to routinely ignore basic cybersecurity best practices.”
That, Wyden said, means someone from the outside must conduct a review, naming the National Academy of Sciences as the organization Roberts should choose.
The Administrative Office of the U.S. Courts said on Aug. 7 that it was taking steps to improve cybersecurity “in response to recent escalated cyberattacks of a sophisticated and persistent nature on its case management system,” but was vague about specific changes. In that statement the office touted its collaboration with Congress and federal agencies about cyber defenses.
But Wyden said in his letter the judiciary “stonewalls” congressional oversight. He cited another intrusion in 2020, revealed by then-House Judiciary Chair Jerrold Nadler, D-N.Y., by “three hostile foreign actors,” where Wyden said the judiciary still hasn’t said what happened.
“There is no legitimate need to keep Congress or the public in the dark about that incident so many years later,” Wyden wrote. “I strongly suspect that the judiciary is covering up its own negligence and incompetence which resulted in the security vulnerabilities that the hackers exploited.”
Wyden especially faulted the courts for their slow adoption of, and under-reliance on, strong multifactor authentication, saying the variety the judiciary adopted was not phishing-resistant.
“The glacial speed with which the federal judiciary adopted this inferior cyberdefense, years after government agencies and businesses have migrated to superior solutions, highlights the fact that the judiciary’s cybersecurity problems are not technical, but rather, are the result of incompetence and the total absence of accountability,” he said.
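What “phishing-resistant” means in practice, as an added model for this story (not the judiciary’s or any vendor’s code): a one-time code is a bearer value the user can type into any page, so a lookalike login page can simply forward it; an origin-bound assertion of the WebAuthn kind is produced by the browser for the origin it actually loaded, so the real site’s server rejects it. The model is simplified: an HMAC stands in for the public-key signature, a delimited string stands in for clientDataJSON, and the origins and class names are assumptions for the example.

```python
"""Simplified model of why a one-time code can be relayed by a lookalike page
while an origin-bound assertion cannot. Added illustration, not the WebAuthn
protocol or any court system's code. HMAC stands in for a public-key
signature; origins and names are assumed for the example."""
import hashlib
import hmac
import secrets

REAL_ORIGIN = "https://login.courts.example"            # assumed relying party
LOOKALIKE_ORIGIN = "https://login.courts.example.test"   # assumed lookalike page


class OtpAuthenticator:
    """Counter-based code: the user reads it and types it somewhere."""
    def __init__(self):
        self.secret = secrets.token_bytes(20)

    def code(self, counter):
        mac = hmac.new(self.secret, counter.to_bytes(8, "big"), hashlib.sha1)
        return mac.hexdigest()[:6]


class OtpServer:
    """Verifies a code; it cannot tell where the user typed it."""
    def __init__(self, authenticator, counter):
        self.secret, self.counter = authenticator.secret, counter

    def verify(self, code):
        mac = hmac.new(self.secret, self.counter.to_bytes(8, "big"), hashlib.sha1)
        return hmac.compare_digest(mac.hexdigest()[:6], code)


class OriginBoundAuthenticator:
    """Keyed to one relying party. The browser, not the user, supplies the
    origin that is bound into the assertion."""
    def __init__(self):
        self.key = secrets.token_bytes(32)

    def assert_for(self, challenge, origin_loaded_by_browser):
        client_data = f"{origin_loaded_by_browser}|{challenge}".encode()
        return client_data, hmac.new(self.key, client_data, hashlib.sha256).digest()


class OriginBoundServer:
    """Accepts an assertion only if the MAC, the challenge and the origin all match."""
    def __init__(self, authenticator, expected_origin):
        self.key, self.expected_origin = authenticator.key, expected_origin

    def verify(self, challenge, client_data, assertion):
        origin, seen_challenge = client_data.decode().split("|", 1)
        expected = hmac.new(self.key, client_data, hashlib.sha256).digest()
        return (hmac.compare_digest(expected, assertion)
                and seen_challenge == challenge
                and origin == self.expected_origin)


def otp_relay_succeeds():
    """A valid code typed into the lookalike page is forwarded unchanged."""
    auth = OtpAuthenticator()
    server = OtpServer(auth, counter=42)
    typed_into_lookalike = auth.code(42)
    return server.verify(typed_into_lookalike)      # the server cannot tell


def origin_bound_relay_succeeds():
    """The lookalike page forwards the real challenge, but the browser binds
    the origin it loaded, so the real server rejects the assertion."""
    auth = OriginBoundAuthenticator()
    server = OriginBoundServer(auth, REAL_ORIGIN)
    challenge = secrets.token_hex(16)
    client_data, assertion = auth.assert_for(challenge, LOOKALIKE_ORIGIN)
    return server.verify(challenge, client_data, assertion)


def origin_bound_legit_succeeds():
    """Same authenticator and server, genuine origin: accepted."""
    auth = OriginBoundAuthenticator()
    server = OriginBoundServer(auth, REAL_ORIGIN)
    challenge = secrets.token_hex(16)
    client_data, assertion = auth.assert_for(challenge, REAL_ORIGIN)
    return server.verify(challenge, client_data, assertion)


if __name__ == "__main__":
    print("OTP accepted after relay:", otp_relay_succeeds())
    print("Origin-bound accepted after relay:", origin_bound_relay_succeeds())
    print("Origin-bound accepted from real origin:", origin_bound_legit_succeeds())
```

The property the model isolates is that the user never handles a value that could be retyped elsewhere; the secret stays in the authenticator and the origin check is done by software the user cannot be talked into bypassing.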
The press office for the Supreme Court did not immediately respond to a request for comment on Wyden’s letter.
Federal Trade Commission Chair Andrew Ferguson warned U.S. tech companies not to accede to laws in foreign countries that weaken Americans’ free speech or data privacy rights.
Specifically, Ferguson cited laws like the European Union’s Digital Service Act and the U.K.’s Online Safety Act as statutes that incentivize U.S. tech companies “to censor speech, including speech outside of Europe.” He said that could lead to heightened surveillance of Americans by foreign governments and increase their risk around identity theft and fraud.
“Companies might be censoring Americans in response to the laws, demands, or expected demands of foreign powers,” Ferguson wrote in letters to 13 different tech companies Thursday. “And the anti-encryption policies of foreign governments might be causing companies to weaken data security measures and other technological means for Americans to vindicate their right to anonymous and private speech.”
Additionally, as companies continue to face fragmented and balkanized internet laws across different countries, Ferguson worried that some companies may opt for maximally invasive or restrictive policies toward their users to stay in compliance with the strictest laws.
“I am also concerned that companies such as your own might attempt to simplify compliance with the laws, demands, or expected demands of foreign governments by censoring Americans or subjecting them to increased foreign surveillance even when the foreign government’s requests do not technically require that,” he wrote.
Ferguson sent the letters to executives at Akamai, Alphabet, Amazon, Apple, Cloudflare, Discord, GoDaddy, Meta, Microsoft, Signal, Snap, Slack and X.
He criticized the Biden administration for “actively” working to censor American speech online. The Supreme Court has largely upheld the constitutionality of the federal government’s conversations with tech companies under the Biden administration.
President Donald Trump has publicly attacked and pressured many of the same companies Ferguson is targeting, in some cases threatening to use the power of the federal government to force them to adopt his preferred policies — not only on content moderation and disinformation, but also tariffs, diversity, equity and inclusion programs, unflattering search engine results and numerous other demands. Nevertheless, Ferguson praised Trump for allegedly putting “a swift end” to the weaponization of the federal government against Americans for their speech.
The FTC chair said in his letter that the agency is focused on the importance of offering strong end-to-end encryption to users, regardless of what laws or regulations in other countries may require.
“If a company promises consumers that it encrypts or otherwise keeps secure online communications but adopts weaker security due to the actions of a foreign government, such conduct may deceive consumers who rightfully expect effective security, not the increased susceptibility to breach or intercept desired by a foreign power,” Ferguson wrote.
The FTC’s letters were sent the same week that Director of National Intelligence Tulsi Gabbard announced the U.S. government had successfully engaged with U.K. leaders to drop their demand that Apple provide law enforcement with a means to access encrypted user cloud data for investigations, even for users outside the U.K.
The demand resulted in Apple withdrawing its Advanced Protection Program feature from U.K. iPhones and Apple computers, as privacy advocates continued to argue that any access given to law enforcement would fundamentally weaken the encryption that all its users rely on.
The Chinese state-backed threat group Silk Typhoon has raised the pace of attacks targeting government, technology, legal and professional services in North America since late spring, according to CrowdStrike.
“We were calling this jokingly, ‘the summer of Murky Panda,’ because we’ve seen so much activity from them over the last couple of months,” said Adam Meyers, senior vice president of counter adversary operations at CrowdStrike, using the firm’s nomenclature for the cyberespionage group.
CrowdStrike has worked on more than a dozen cases involving Murky Panda during the past few months, including two active incident response cases, Meyers said. The group, which has been active since at least 2023, is “one of the top-tier Chinese threats that we’ve been seeing a lot this summer,” he said.
Murky Panda exemplifies how Chinese attackers are gaining access to victim networks and infrastructure via vulnerabilities, unmanaged devices, the cloud and pivots between cloud services.
The group’s advanced techniques in cloud environments are evident: it gains prolonged access to, and moves laterally toward, downstream victims by abusing delegated administrative privileges at cloud solution providers, CrowdStrike said in a research report released Thursday.
Once Murky Panda compromises a cloud solutions provider it can access any cloud tenant that has granted them access, Meyers said. These types of “trusted-relationship compromises” in the cloud are rare and only conducted by a few groups, including Murky Panda, which makes this method of initial access less monitored and harder to detect.
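One defender-side check for the access path described above, as an added example that is not CrowdStrike’s or Microsoft’s code: a customer tenant inventories which partner tenants actually sign in through a delegated-administration relationship and flags those that were never onboarded, that exercise roles beyond what they were granted, or that arrive from unfamiliar addresses. The sign-in events are constructed for the example, and their field names (homeTenantId, resourceTenantId, crossTenantAccessType, roles, ipAddress) are assumptions loosely modelled on cloud identity sign-in logs rather than a documented schema.

```python
"""Triage of sign-ins that reach a customer tenant through a cloud solution
provider's delegated-administration relationship.

Added example for this story, not CrowdStrike's or Microsoft's code. The
events below are constructed; their field names are assumptions loosely
modelled on cloud identity sign-in logs, not a documented schema."""
from collections import defaultdict

CUSTOMER_TENANT = "customer-tenant-1111"   # assumed: the tenant being defended

# Constructed sample. A sign-in whose home tenant differs from the resource
# tenant and whose access type is "serviceProvider" came in via a partner's
# delegated admin relationship rather than a local account.
SAMPLE_SIGNINS = [
    # Onboarded partner, agreed help-desk role, from its known egress address.
    {"ts": "2025-07-01T09:12:00Z", "user": "ops@partner-a.example",
     "homeTenantId": "partner-a-2222", "resourceTenantId": CUSTOMER_TENANT,
     "crossTenantAccessType": "serviceProvider",
     "roles": ["Helpdesk Administrator"], "ipAddress": "203.0.113.10"},
    # Same partner, now holding Global Administrator from an unknown address.
    {"ts": "2025-07-01T23:41:00Z", "user": "ops@partner-a.example",
     "homeTenantId": "partner-a-2222", "resourceTenantId": CUSTOMER_TENANT,
     "crossTenantAccessType": "serviceProvider",
     "roles": ["Global Administrator"], "ipAddress": "198.51.100.77"},
    # A partner tenant the customer never onboarded.
    {"ts": "2025-07-02T03:05:00Z", "user": "svc@partner-z.example",
     "homeTenantId": "partner-z-9999", "resourceTenantId": CUSTOMER_TENANT,
     "crossTenantAccessType": "serviceProvider",
     "roles": ["Exchange Administrator"], "ipAddress": "198.51.100.78"},
    # Ordinary in-tenant admin sign-in: not a partner path, ignored here.
    {"ts": "2025-07-02T08:00:00Z", "user": "alice@customer.example",
     "homeTenantId": CUSTOMER_TENANT, "resourceTenantId": CUSTOMER_TENANT,
     "crossTenantAccessType": "none",
     "roles": ["Global Administrator"], "ipAddress": "192.0.2.5"},
]

# What the customer believes about its partners: which tenants were onboarded,
# which roles each was granted, and where each normally works from (assumed).
EXPECTED_PARTNERS = {
    "partner-a-2222": {"roles": {"Helpdesk Administrator"},
                       "known_ips": {"203.0.113.10", "203.0.113.11"}},
}

PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                    "Exchange Administrator", "Security Administrator"}


def is_partner_signin(ev, customer_tenant=CUSTOMER_TENANT):
    """True when the sign-in reached the customer tenant from a different home
    tenant through a service-provider relationship."""
    return (ev["resourceTenantId"] == customer_tenant
            and ev["homeTenantId"] != customer_tenant
            and ev["crossTenantAccessType"] == "serviceProvider")


def triage(events, expected=EXPECTED_PARTNERS, customer_tenant=CUSTOMER_TENANT):
    """Return (severity, partner_tenant, reason, event) findings."""
    findings = []
    for ev in events:
        if not is_partner_signin(ev, customer_tenant):
            continue
        tenant = ev["homeTenantId"]
        profile = expected.get(tenant)
        if profile is None:
            findings.append(("high", tenant,
                             "delegated-admin sign-in from a partner tenant that was never onboarded", ev))
            continue
        extra = set(ev["roles"]) - profile["roles"]
        if extra & PRIVILEGED_ROLES:
            findings.append(("high", tenant,
                             f"partner exercised privileged role(s) {sorted(extra & PRIVILEGED_ROLES)} it was not granted", ev))
        elif extra:
            findings.append(("medium", tenant,
                             f"partner used role(s) {sorted(extra)} outside its agreed scope", ev))
        if ev["ipAddress"] not in profile["known_ips"]:
            findings.append(("medium", tenant,
                             f"partner sign-in from unfamiliar address {ev['ipAddress']}", ev))
    return findings


def partner_inventory(events, customer_tenant=CUSTOMER_TENANT):
    """Which partner tenants actually reached this tenant, and with what roles."""
    seen = defaultdict(set)
    for ev in events:
        if is_partner_signin(ev, customer_tenant):
            seen[ev["homeTenantId"]].update(ev["roles"])
    return {tenant: sorted(roles) for tenant, roles in seen.items()}


if __name__ == "__main__":
    for sev, tenant, reason, ev in triage(SAMPLE_SIGNINS):
        print(f"[{sev.upper()}] {ev['ts']} {tenant} {ev['user']}: {reason}")
    print("Partner tenants with access:", partner_inventory(SAMPLE_SIGNINS))
```

The inventory is the part most organizations lack: if the list of partner tenants that can reach you is longer than the list you knowingly onboarded, or the roles they hold are broader than the help-desk tasks they were hired for, the delegated relationship itself is the finding, before any sign-in is judged suspicious.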
“A lot of organizations have rushed to implement cloud over the last couple of years, and they may have done so without fully understanding or appreciating how the cloud works,” Meyers added.
Murky Panda’s attack pathways are assorted. The group has rapidly exploited n-day and zero-day vulnerabilities, including CVE-2023-3519 affecting Citrix NetScaler products and CVE-2025-3928 affecting Commvault Web Server, according to CrowdStrike. (Editor’s note: After this story’s initial publication, CrowdStrike removed the reference to the Commvault CVE. When asked why by CyberScoop, the company did not elaborate further.)
Researchers have also observed Murky Panda exploiting internet-facing appliances, including small office/home office devices, for initial access.
CrowdStrike’s findings expand upon research Microsoft Threat Intelligence released in March indicating Silk Typhoon shifted tactics in late 2024 to broaden access and enable follow-on attacks against downstream customers of its initial targets.
The Justice Department in March unsealed indictments charging 12 Chinese nationals for their alleged involvement in a vast espionage campaign, including multiple attacks on U.S. government agencies. Two alleged members of Silk Typhoon, Yin Kecheng and Zhou Shuai, were among those indicted.
Yet, attacks from China-sponsored threat groups haven’t waned. CrowdStrike tracked a 40% year-over-year increase in cloud-intrusion activity from China-sponsored threat groups through June, including attacks linked to Murky Panda. Intrusions of all sorts linked to China jumped 150% over the same period.
“A lot of the activity we’ve seen from China is tied to geopolitical issues and initiatives that they’re following, and Murky Panda is a subset of that,” Meyers said. As China continues to “use offensive cyber tools to position their own geopolitical initiatives, you’ll see more intrusions.”
Update, Aug. 22, 2025: This story has been updated to reflect a change in the information shared by CrowdStrike.