
Researchers find a startlingly cheap way to steal your secrets from space 

By: djohnson
14 October 2025 at 16:03

How much private and sensitive data can you get by pointing $600 worth of satellite equipment at the sky?

Quite a bit, it turns out.

Researchers from the University of Maryland and the University of California, San Diego say they were able to intercept sensitive data from the U.S. military, telecommunications firms, major businesses and organizations by passively scanning and collecting unencrypted data from the satellites responsible for beaming that information across the globe.

The satellites they focused on — geostationary satellites — provide modern high-speed communications and services to rural or remote parts of the globe, including television, IP communications, internet and in-flight Wi-Fi capabilities. They also provide backhaul internet services — the links between a core telecom or internet network and its end users — for private networks operating sensitive remote commercial and military equipment.

Using cheap, commercially available equipment, researchers scanned 39 satellites across 25 distinct longitudinal points over seven months.

The goal was to see how much sensitive data they could intercept by “passively scanning as many GEO transmissions from a single vantage point on Earth as possible.” It was also to prove that you don’t need to be a well-resourced foreign intelligence service or have deep pockets to pull it off.

What they found was unsettling: “Many organizations appear to treat satellite[s] as any other internal link in their private networks. Our study provides concrete evidence that network-layer encryption protocols like IPSec are far from standard on internal networks,” write authors Wenyi Zhang, Annie Dai, Keegan Ryan, Dave Levin, Nadia Heninger and Aaron Schulman.

They note that the “severity” of their findings suggests “many organizations do not routinely monitor the security of their own satellite communication links” and that content scrambling “is surprisingly unlikely to be used for private networks using GEO satellite to backhaul IP network traffic from remote areas.”

“Given that any individual with a clear view of the sky and $600 can set up their own GEO interception station from Earth, one would expect that GEO satellite links carrying sensitive commercial and government network traffic would use standardized link and/or network layer encryption to prevent eavesdroppers,” the researchers wrote.

Wired first reported on the academic study.

Researchers reached out to major businesses and organizations that were leaking data via satellite communications to notify them and address the vulnerabilities, but said they declined to engage in any bug bounties that included a nondisclosure agreement.  

The researchers said discussions with the U.S. military, the Mexican government, T-Mobile, AT&T, IntelSat, Panasonic Avionics, WiBo and KPU all took place between December 2024 and July 2025 as the study was ongoing.

Satellites are outfitted with multiple transponders to collect different kinds of telemetry, and here the research focuses on a single type — Ku-Band transponders — that are heavily used for internet and television services. Using their consumer-grade equipment, the researchers were able to tap into 411 different transponders around the globe, collecting reams of sensitive data in the process.

They observed unencrypted data for T-Mobile users, including plaintext user SMS messages, voice call contents, user internet traffic, metadata, browsing history and cellular network signaling protocols, leaking out over the skies. Over a single, nine-hour listening session, the dish picked up phone numbers and metadata for 2,711 individuals. Similar leakages were spotted for calls over Mexican telecoms TelMex and WiBo, and Alaskan telecom KPU Telecommunications.

They also picked up unencrypted and encrypted traffic coming from U.S. military sea vessels, including plaintext that included the ships’ names — something the researchers said allowed them to determine they were all “formerly privately-owned ships” that are now owned by the government. Meanwhile, unencrypted HTTP traffic leaking out through the satellites gave them details into internal applications and systems used for infrastructure, logistics and administrative management.

The researchers say that while this kind of capability isn’t novel, previous research has suggested that only foreign governments and well-resourced companies have the capabilities to conduct such widespread monitoring. Their study, which developed a new way to parse through issues around signal quality, suggests that the barrier to entry is far lower than previously thought, requiring technical know-how and just a few hundred dollars’ worth of commercial tech.

“To our knowledge, our threat model of using low-cost consumer grade satellite equipment to comprehensively survey GEO satellite usage has not been explored before in the academic literature.”

The findings underscore how much governments and businesses rely on standard satellite communications today to move their data around, and the lack of security attention these critical nodes receive compared to other technologies. The federal government has designated 16 sectors of society and industry as “critical infrastructure” and prioritized these sectors for additional security investment and assistance. Space is not one of those sectors, though policymakers have pushed the idea as a means to quickly retrofit our space-based communications for security.

The post Researchers find a startlingly cheap way to steal your secrets from space appeared first on CyberScoop.

AI Emerges as the Hope—and Risk—for Overloaded SOCs

11 September 2025 at 07:27

With security teams drowning in alerts, many suppress detection rules and accept hidden risks. AI promises relief through automation and triage—but without human oversight, it risks becoming part of the problem.

The post AI Emerges as the Hope—and Risk—for Overloaded SOCs appeared first on SecurityWeek.

CISA work not ‘degraded’ by Trump administration cuts, top agency official says

11 September 2025 at 18:25

A top official at the Cybersecurity and Infrastructure Security Agency on Thursday rejected concerns that personnel and program cuts at CISA have hindered its work.

Nick Andersen, who just began serving as executive assistant director of cybersecurity at CISA this month, said he’s seen the agency function at a high level from both the outside and inside.

“There’s been an awful lot of reporting recently about CISA and the potential for degraded operational capabilities, and I’m telling you, nothing can be further from the truth,” he said at the Billington Cybersecurity Summit. “It is just a fantastic opportunity to see the high-level output and throughput that this team has.

“There is not a single instance where I can think of that somebody reaches out — whether it’s in our remit or not, we are connecting them with the right level of resources, and we are helping them to make themselves right, whether it’s incidents that we see affecting a state/local partner, small- or medium-sized businesses or the largest critical infrastructure owner/operators,” he continued.

The Trump administration has cut or plans to cut more than 1,000 personnel at the agency, a third of its total full-time employees, and has sought nearly half a billion dollars in funding reductions.

CISA’s shuttering of an array of programs has drawn widespread criticism from many in industry as well as from state and local governments who have partnered with the agency, not to mention concerns from Capitol Hill.

But Andersen said CISA has full support from President Donald Trump, who clashed with agency leadership in his first term, and Department of Homeland Security Secretary Kristi Noem.

“We have exceedingly strong relationships with” other government agencies and the private sector, Andersen touted. “The level of commitment within this team is second to none, and we’re just going to continue to hone and focus [on] that operational mission of what CISA should be delivering on. We’re going to continue to sort of separate out the fluff, but we are going to take every single dollar, every single resource, every single manpower hour to deliver an even sharper focus on those core capabilities in keeping with what President Trump identified as our administration priorities.”

Those priorities, Andersen said, include fortifying federal networks. “Raising the collective bar across the dot gov is a big one,” he said.

It also includes strengthening relationships with critical infrastructure owners and operators. “We want to be able to work very closely with our critical infrastructure partners on focused resilience efforts, be able to raise the bar in a sprint between now and 2027 as we prepare for the potential of China making good on its promise … to take Taiwan,” he said, so that “our critical infrastructure is not going to be held hostage.”

And it includes strengthening partnerships with other federal agencies as well as state and local governments, Andersen said.

The post CISA work not ‘degraded’ by Trump administration cuts, top agency official says appeared first on CyberScoop.

Critical infrastructure security tech needs to be as good as our smartphones, top NSC cyber official says

9 September 2025 at 18:18

The top cyber official at the National Security Council said Tuesday that he’s dismayed by the lag in security technology embedded in critical infrastructure, saying it pales in comparison to the tech in modern smartphones.

“I worry a lot about critical infrastructure cybersecurity,” Alexei Bulazel said at the Billington Cybersecurity Summit. “I also think about the technology that’s deployed in critical infrastructure contexts. This is not the best-in-class software or hardware.”

Bulazel mentioned the energy sector in particular, given the potential for hackers to turn off the power in the United States. It’s a sector that relies in large measure on supervisory control and data acquisition (SCADA) systems to monitor and control industrial processes.

“I think about the phones in our pockets — Android, iPhone, doesn’t matter — really amazing feats of engineering,” he said. “Imagine if our critical infrastructure, if the SCADA system that ran the power or the water or whatever, was as secure as the phone in your pocket. I think a lot of these threats are mitigated; only the absolute apex predator, top-tier actors can get in.”

As a “White House policymaker,” Bulazel said, many of the questions he deals with go away if the technical mark is raised in critical infrastructure. It’s one of the reasons the Trump administration — despite frequently discussing the need to go on offense in cyberspace — is focused on defensive strategies like secure-by-design, he said.

“We are unapologetically unafraid to do offensive cyber,” he said. “It’s an important tool in the toolbox. It’s not the only tool.”

The Trump administration is trying to shift away from “victims” and more to “villains,” Bulazel said. His comments echoed earlier remarks Tuesday from National Cyber Director Sean Cairncross about shifting the cyber risk burden to adversaries.

It’s important to deter hackers, who aren’t like floods or lightning strikes in that they are intentional and deliberate, he said: “This is because a motivated bad actor is trying to give you a bad day.”

The post Critical infrastructure security tech needs to be as good as our smartphones, top NSC cyber official says appeared first on CyberScoop.

Mitsubishi Electric to acquire Nozomi Networks in $1 billion deal

By: Greg Otto
9 September 2025 at 10:22

Industrial conglomerate Mitsubishi Electric has agreed to acquire OT and IoT cybersecurity specialist Nozomi Networks in a transaction that values the San Francisco-based firm near the $1 billion mark. The deal, slated to close in the fourth quarter of 2025, will see Nozomi Networks become a wholly owned subsidiary while continuing to operate independently.

The acquisition represents Mitsubishi Electric’s largest to date, with the company set to purchase the 93% of Nozomi shares it does not already own for $883 million in cash. Mitsubishi Electric previously acquired a 7% stake through Nozomi’s $100 million Series E funding round in early 2024, a relationship that laid the foundation for the takeover.

Following the transaction’s closure, Nozomi Networks will retain its brand, leadership, and personnel, maintaining its headquarters in San Francisco and its research and development hub in Switzerland. Both parties have indicated there will be no disruption to operations, roadmaps, or external partnerships.

Nozomi Networks focuses on security in operational technology (OT), Internet of Things (IoT), and cyber-physical systems (CPS). Its platform, designed for critical infrastructure and industrial organizations, focuses on asset discovery, continuous monitoring, anomaly detection, and vulnerability management. The company generated $75 million in revenue in 2024, an increase from $62 million the previous year.

The integration of Nozomi’s cloud-first, AI-powered solutions into Mitsubishi Electric’s portfolio grants the Japanese industrial giant a stake in advanced industrial cybersecurity at a time when OT and IoT environments are seeing increased attention due to rising threats of cyberattacks and operational disruptions. 

“By becoming part of Mitsubishi Electric, we will combine our strengths to drive the next generation of industrial security and innovation to bring additional value for customers around the world,” said Edgard Capdevielle, president and CEO of Nozomi Networks. “With the combined global reach and resources of both companies, we can supercharge our innovation engine, helping industrial organizations secure and accelerate their own digital transformations.”

Mitsubishi Electric, which brings more than a century of experience in industrial technology, sees the purchase as a way to accelerate the digital transformation of critical infrastructure clients globally. Combining its operational expertise with Nozomi’s technology is expected to result in the development of new AI-powered solutions tailored for OT and IoT use cases.

“This acquisition will enable us to co-create valuable new services while supporting Nozomi’s commitment to innovation and customer flexibility,” said Satoshi Takeda, Mitsubishi Electric’s senior vice president. “Together, we can help our customers achieve their digital transformation goals while enhancing security, efficiency, and resilience.”

The transaction is expected to receive all necessary regulatory approvals and is anticipated to close by the end of 2025. 

The post Mitsubishi Electric to acquire Nozomi Networks in $1 billion deal appeared first on CyberScoop.

Why identity is the definitive cyber defense for federal agencies

By: FedScoop
5 August 2025 at 17:21

Identity has become the new cybersecurity perimeter. As federal agencies rapidly adopt cloud services, AI-powered tools and hybrid work models, identity security is now central to mission assurance.

However, for many federal leaders, identity management remains a complex puzzle. The abundance of tools — from password managers to identity governance systems — often leads to fragmented environments and operational gaps. Even when agencies understand its importance, aligning identity investments with mission objectives remains a significant hurdle.

Daniel Wilbricht is President of Optiv + ClearShark.

Adding to this complexity is a rapidly evolving environment in which cyber threats are becoming more sophisticated. AI-driven attacks mimic human behavior, bypassing traditional defenses with alarming speed. Static controls and perimeter-centric thinking can’t keep up. Identity governance, behavioral analytics and adaptive access controls must work in tandem to stay ahead of AI-enabled threats.

Federal agencies need integrated, adaptive identity architectures that continuously verify users and devices in real time. Implementing these layered protections not only improves security but also enhances user experience by adapting to risk in real time. In addition, agencies that adopt these capabilities are better equipped to defend against emerging threats without sacrificing efficiency.

A trusted partner for identity security

That’s where Optiv + ClearShark makes a difference. We bring a cybersecurity-first approach to identity, helping federal agencies reduce risk, meet compliance and streamline operations. Unlike one-size-fits-all providers, we help agencies optimize their existing investments — whether they use SailPoint, BeyondTrust, Ping or Okta. Our team understands how to integrate these technologies into a framework that fits the federal context. In other words, we tailor solutions to the mission, not the other way around.

In fact, our edge lies in our people. Many of our consultants and engineers are former federal employees with clearances and firsthand experience navigating agency environments. Their insights help bridge the gap between vendor capabilities and federal mission needs.

In the past 18 months, we’ve delivered managed identity services across the defense and intelligence communities. These solutions include secure monitoring and identity operations in highly classified cloud environments, supported through partnerships with AWS, Splunk and others.

By offloading infrastructure and operations to our cleared teams, agencies gained enhanced identity assurance and significant cost savings while maintaining full compliance with federal security standards.

Accelerating modernization with confidence

Modernization doesn’t need to come at the expense of security or compliance. A pilot-driven approach allows agencies to validate identity solutions in their own environments before scaling. This reduces risk, accelerates return on investment and ensures audit readiness.

For example, one civilian agency we supported had invested heavily in identity tools but continued to fail penetration tests and struggled with governance gaps between identity and security teams. By deploying SailPoint and BeyondTrust in a phased, integrated rollout and aligning the solution to compliance and security objectives, we helped the agency pass red team exercises, reduce manual identity processes and establish a scalable identity framework for future growth.

The mission starts with identity

Identity is the most targeted attack surface in federal IT today. Protecting it is not just an IT imperative; it’s a mission-critical requirement. But success requires more than tools. It requires deep expertise, integration and continuous improvement.

With the right strategy and trusted support, agencies can secure their identity infrastructure, meet audit requirements, and modernize with purpose. The stakes have never been higher, and identity has never mattered more in federal cybersecurity.

Learn more about how Optiv + ClearShark takes a cybersecurity-centric approach to identity management for government.

This article was sponsored by Optiv + ClearShark.

The post Why identity is the definitive cyber defense for federal agencies appeared first on CyberScoop.

Trump AI plan pushes critical infrastructure to use AI for cyber defense

By: djohnson
23 July 2025 at 13:27

The Trump administration’s new AI Action Plan calls for companies and governments to lean into the technology when protecting critical infrastructure from cyberattacks.

But it also recognizes that these systems are themselves vulnerable to hacking and manipulation, and calls for industry adoption of “secure by design” technology design standards to limit their attack surfaces.

The White House plan, released Wednesday, calls for critical infrastructure owners — particularly those with “limited financial resources” — to deploy AI tools to protect their information and operational technologies.

“Fortunately, AI systems themselves can be excellent defensive tools,” the plan said. “With continued adoption of AI-enabled cyberdefensive tools, providers of critical infrastructure can stay ahead of emerging threats.”

Over the past year, large language models have shown increasing capacity to write code and conduct certain cybersecurity functions at a much faster rate than humans. But they also leave massive security holes in their code architectures and can be jailbroken or overtaken by other parties through prompt injection and data poisoning attacks, or leak sensitive data by accident.

As such, the administration’s plan builds on a previous initiative by the Cybersecurity and Infrastructure Security Agency under the Biden administration to promote “secure by design” principles for technology and AI vendors. That approach was praised in some quarters for bringing industry together to agree to a set of shared security principles. Others rolled their eyes at the entirely voluntary nature of the commitments, arguing that the approach amounted to a pinky promise from tech companies in lieu of regulation. 

The Trump plan states that “all use of AI in safety-critical or homeland security applications should entail the use of secure-by-design, robust, and resilient AI systems that are instrumented to detect performance shifts, and alert to potential malicious activities like data poisoning or adversarial example attacks.”

The plan also recommends the creation of a new AI-Information Sharing and Analysis Center (AI-ISAC) led by the Department of Homeland Security to share threat intelligence on AI-related threats.

“The U.S. government has a responsibility to ensure the AI systems it relies on — particularly for national security applications — are protected against spurious or malicious inputs,” the plan continues. “While much work has been done to advance the field of AI Assurance, promoting resilient and secure AI development and deployment should be a core activity of the U.S. government.”

The plan does not detail how the administration intends to define which entities or systems are “safety-critical” or constitute “homeland security applications.” Nor does it outline how companies or utilities of limited financial means would pay for and maintain AI defensive systems, which are not currently capable of autonomous cybersecurity work without significant human expertise and direction.

The plan proposes no new spending for the endeavor, and other sections are replete with mentions of the administration’s intentions to review and limit or reduce federal AI funding streams to states that don’t share the White House’s broader deregulatory approach.

Grace Gedye, an AI policy analyst for Consumer Reports, said “it’s unclear which state laws will be considered ‘burdensome’ and which federal funds are on the line.”

The plan also calls for the promotion and maturation of the federal government’s ability to respond to active cyber incidents involving AI systems. The National Institute of Standards and Technology will lead an effort to partner with industry and AI companies to build AI-specific guidance into incident response plans, and CISA will modify existing industry guidance to loop agency chief AI officers into discussions on active incidents.

Initial reactions to the plan included business-friendly groups cheering the administration’s deregulatory approach to AI and negative reactions from privacy and digital rights groups, who say the White House’s overall approach will push the AI industry further toward less-constrained, more dangerous and more exploitative models and applications.

Patrick Hedger, director of policy for NetChoice, a trade association for tech companies and online businesses, praised the plan, calling the difference between the Trump and Biden approaches to AI regulation “night and day.”

“The Biden administration did everything it could to command and control the fledgling but critical sector,” Hedger said. “That is a failed model, evident in the lack of a serious tech sector of any kind in the European Union and its tendency to rush to regulate anything that moves. The Trump AI Action Plan, by contrast, is focused on asking where the government can help the private sector, but otherwise, get out of the way.”

Samir Jain, vice president of policy at the Center for Democracy and Technology, said the plan had “some positive elements,” including “an increased focus on the security of AI systems.”

But ultimately, he called the plan “highly unbalanced, focusing too much on promoting the technology while largely failing to address the ways in which it could potentially harm people.”

Daniel Bardenstein, a former CISA official and cyber strategist who led the agency’s AI Bill of Materials initiative, questioned the lack of a larger framework in the action plan for how mass AI adoption will impact security, privacy and misuse by industry.

“The Action Plan talks about innovation, infrastructure, and diplomacy — but where’s the dedicated pillar for security and trust?” Bardenstein said. “That’s a fundamental blind spot.”

The White House plan broadly mirrors a set of principles laid out by Vice President JD Vance in a February speech, when he started off saying he was “not here to talk about AI safety” and likened it to a discipline dedicated to preventing “a grown man or woman from accessing an opinion that the government thinks is misinformation.”

In that speech, Vance made it clear the administration viewed unconstrained support for U.S.-based industry as a key bulwark against the threat of Chinese AI domination. Apart from some issues like ideological bias — where the White House plan takes steps to prevent “Woke AI” — the administration was not interested in tying the hands of industry with AI safety mandates.

That deregulatory posture could undermine any corresponding approach to encourage industry to make AI systems more secure.

“It’s important to remember that AI and privacy is more than one concern,” said Kris Bondi, CEO and co-founder of Mimoto, a startup providing AI-powered identity verification services. “AI has the ability to discover and utilize personal information without regard to impact on privacy or personal rights. Similarly, AI used in advanced cybersecurity technologies may be exploited.”

She noted that “security efforts that rely on surveillance are creating their own version of organizational risks,” and that many organizations will need to hire privacy and security professionals with a background in AI systems.

A separate section on the Federal Trade Commission, meanwhile, calls for a review of all agency investigations, orders, consent decrees and injunctions to ensure they don’t “burden AI innovation.”

That language, Gedye said, could be “interpreted to give free rein to AI developers to create harmful products without any regard for the consequences.” 

The post Trump AI plan pushes critical infrastructure to use AI for cyber defense appeared first on CyberScoop.

United Natural Foods loses up to $400M in sales after cyberattack

17 July 2025 at 17:37

United Natural Foods said the cyberattack that prompted the food distributor and wholesaler to completely shut down its network last month resulted in lost sales of up to $400 million. Executives, during a business update call Wednesday with analysts and investors, said the financial impact from the attack is largely contained to the current quarter, which ends in early August.

The operational interruption caused by the cyberattack, which the company discovered June 5 and disclosed four days later, will result in a net income loss of up to $60 million. Executives did not mention a ransom demand or payment during the call.

The attack on Whole Foods Market’s primary distributor was part of an ongoing attack spree linked to Scattered Spider, a financially motivated cybercrime collective that’s hit dozens of companies in the retail, insurance and aviation industries since it regrouped earlier this year.

The orders United Natural Foods was unable to fill — resulting in empty store shelves and spoilage in the wake of the attack — show the wide financial impact of cybercrime. The company operates 52 distribution centers that fulfill about 250,000 products from more than 11,000 suppliers to 30,000 customer locations in North America.

“Because of the unique role UNFI plays in the food-supply chain, we recognize that this cyber incident impacted our customers and the industry we serve. We never want to be the reason that a local grocer is out of stock on a product that their shoppers count on,” CEO Sandy Douglas said during the call.

Direct costs related to the attack include an estimated $20 million incurred as the company used manual workarounds while systems were offline, and $5 million for remediation costs, including third-party cybersecurity, legal and governance experts brought in to assist with response and recovery efforts.

United Natural Foods expects its cyber insurance policy to sufficiently offset those recovery and remediation costs, but noted that reimbursement will likely arrive in fiscal year 2026, which starts in August.

Meantime, the company has mostly recovered and returned to normal operations. “As of this week, our commercial operating capacity has been restored to normalized levels, average outbound fill rates, on-time deliveries and units shipped are at or close to pre-incident levels, with some variation across distribution centers. We expect continued improvement as we complete our recovery in the coming weeks,” Douglas said.

United Natural Foods restored its primary electronic ordering systems June 16, 10 days after it took systems down, Douglas added. While the restoration is ongoing for some less critical tools, including customized reporting platforms, the company has achieved the bulk of its recovery requirements.

“By June 26 we had safely restored our core systems and broadly returned to more normal operating capacity across our distribution network,” Douglas said. “Since then, we’ve continued working closely with our customers and suppliers to catch up on various business processes, including purchase orders, invoicing and payments that were temporarily delayed during the disruption period.”

The post United Natural Foods loses up to $400M in sales after cyberattack appeared first on CyberScoop.

Ryuk ransomware operator extradited to US, faces five years in federal prison

16 July 2025 at 17:24

An Armenian national is in federal custody and faces charges stemming from their alleged involvement in a spree of attacks in 2019 and 2020 involving Ryuk ransomware, the Justice Department said Wednesday.

Karen Serobovich Vardanyan, 33, was extradited from Ukraine to the United States on June 18 and pleaded not guilty to the charges in his first appearance in federal court June 20. Vardanyan is awaiting a seven-day jury trial scheduled to begin Aug. 26.

Prosecutors charged Vardanyan with conspiracy, fraud in connection with computers and extortion in connection with computers. He faces a maximum of five years in federal prison and a fine of $250,000 for each charge.

Vardanyan and his co-conspirators — a pair of 53-year-old Ukrainian nationals, Oleg Nikolayevich Lyulyava and Andrii Leonydovich Prykhodchenko, and 45-year-old Armenian national Levon Georgiyovych Avetisyan — are accused of illegally accessing computer networks to deploy Ryuk ransomware on hundreds of compromised servers and workstations between March 2019 and September 2020.

Avetisyan is awaiting a U.S. extradition request in France, while Lyulyava and Prykhodchenko remain at large. 

Ryuk ransomware was prevalent in 2019 and 2020, infecting thousands of victims globally across the private sector, state and local municipalities, local school districts and critical infrastructure, according to authorities. This includes a wave of attacks on U.S. hospitals and a technology company based in Oregon, where federal prosecutors are trying their case against Vardanyan. 

Victims of Ryuk ransomware attacks include Hollywood Presbyterian Medical Center, Universal Health Services, Electronic Warfare Associates, a North Carolina water utility and multiple U.S. newspapers.

Ryuk ransomware operators extorted victim companies by demanding ransom payments in Bitcoin in exchange for decryption keys. Justice Department officials said Vardanyan and his co-conspirators received about 1,160 bitcoins — valued at more than $15 million at the time — in ransom payments from victim companies.

The post Ryuk ransomware operator extradited to US, faces five years in federal prison appeared first on CyberScoop.

House hearing will use Stuxnet to search for novel ways to confront OT cyberthreats

By: djohnson
16 July 2025 at 16:52

Congress is set to revisit Stuxnet — the malware that wreaked havoc on Iran’s nuclear program 15 years ago — next week in the hopes that the pioneering attack can guide today’s critical infrastructure policy debate, CyberScoop has learned.

The House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection will hold a hearing July 22 to examine the operation that, according to independent reports, was carried out by the U.S. and Israeli governments and targeted Iran’s nuclear enrichment facilities in Natanz.

Witnesses listed for the hearing are Tatyana Bolton, executive director of the Operational Technology Cybersecurity Coalition; Kim Zetter, cybersecurity journalist and author of “Countdown to Zero Day”; Dragos CEO Robert Lee; and Nate Gleason, Lawrence Livermore National Laboratory program leader, according to a copy of the notice.

Stuxnet malware included a rootkit for programmable logic controllers and was built specifically to target industrial systems. Deployed at the Natanz facility before 2010, it was engineered to covertly manipulate the speed of the rotors used to spin nuclear centrifuges, causing them to accelerate and slow unpredictably. The Institute for Science and International Security estimated in 2010 that the worm led to the damage and removal of more than 1,000 centrifuges, or approximately 10% of Iran’s total enrichment capacity at the time.

But the subcommittee led by Rep. Andrew Garbarino, R-N.Y., is interested in more than a history lesson.

“Stuxnet signaled a new age in the targeting of operational technology, an attack vector that has increased in complexity over the past 15 years,” Garbarino said in a statement to CyberScoop. “This moment showed how malware can be used to target and potentially cripple critical infrastructure operations, which has raised the stakes for critical infrastructure resilience for sectors across the globe.” 

Stuxnet also kicked off an era in which many countries — and the United States in particular — have seen their domestic critical infrastructure come under threat from criminal and nation-state hacking groups.

“Today, bad actors will not hesitate to use malware to gain a foothold in the services Americans rely on every day and wreak havoc on our way of life,” Garbarino said. “Given increasing threats to critical infrastructure from actors such as Volt Typhoon, it is important to examine the legacy of Stuxnet – the world’s first cyber weapon.”

In the 15 years since Stuxnet, U.S. critical infrastructure has itself been besieged by cybercriminals, ransomware groups and nation-states alike. Policymakers are revisiting Stuxnet in the hopes that it can help them learn to better defend their own domestic industries.

A committee aide told CyberScoop that Stuxnet “is part of the story of OT cybersecurity.”

“It marked a pivotal moment in critical infrastructure resilience and the way we think about both offensive and defensive cyber operations,” the aide said. “Now that we are at the 15-year mark since the discovery of Stuxnet, it is timely to review how the cyber threat landscape has evolved to ensure our OT is resilient, especially as DHS warns about heightened threats from Iran against critical infrastructure.”

The hearing also comes weeks after the U.S. dropped a total of 12 “massive ordnance penetrator” bombs on several Iranian nuclear facilities, including Natanz, during Operation Midnight Hammer.

The aide added that the lessons could be valuable to legislators with Congress set to tackle a pair of important cybersecurity laws that are set to expire this year.

“We still see gaps in understanding about the risks [in OT] – something we are striving to address through the reauthorizations of CISA 2015 and the State and Local Cybersecurity Grant Program,” the aide said.

Bolton brings a wealth of cybersecurity experience in the federal government, Congress and the private sector. She has worked at Google and the Cyberspace Solarium Commission, where she helped shepherd a broad slate of cybersecurity legislation through Congress.

Zetter’s book is widely considered the most comprehensive and definitive look at how U.S. and Israeli officials built and then covertly deployed the malware in an effort to damage and slow down Iran’s nuclear program.

Lee, a former NSA and Air Force cyber official, now leads one of the most well-known cybersecurity firms, specifically geared toward operational technology and critical infrastructure.

The post House hearing will use Stuxnet to search for novel ways to confront OT cyberthreats appeared first on CyberScoop.

Mitigated – Networking reduced availability in East US

18 March 2025 at 09:09

What happened?

Between 13:09 UTC and 18:51 UTC on 18 March 2025, a platform issue resulted in an impact to a subset of Azure customers in the East US region. Customers may have experienced intermittent connectivity loss and increased network latency when sending traffic within, into and out of the East US region.

At 23:21 UTC on 18 March 2025, a second impact to network capacity occurred during the recovery of the underlying fiber. Customers may have experienced the same intermittent connectivity loss and increased latency when sending traffic within, to and from the East US region.


What do we know so far?

We identified multiple fiber cuts affecting a subset of datacenters in the East US region at 13:09 UTC on 18 March 2025. The fiber cuts reduced capacity to those datacenters, increasing utilization of the remaining capacity serving them. At 13:55 UTC on 18 March 2025, we began mitigating the impact of the fiber cuts by load balancing traffic and restoring some of the impacted capacity; customers should have started to see service recover from this time. The restoration of traffic was fully completed by 18:51 UTC on 18 March 2025 and the issue was mitigated.

At 23:20 UTC on 18 March 2025, another impact was observed during the capacity repair process. This was due to a tooling failure during the recovery process that started adding traffic back into the network before the underlying capacity was ready. The impact was mitigated at 00:30 UTC on 19 March after isolating the capacity impacted by the tooling failure. 

At 01:52 UTC on 19 March, the underlying fiber cut had been fully repaired. We continue working to test and restore all capacity to pre-incident levels.

Our telemetry data shows that the customer impact has been fully mitigated. We are continuing to monitor the situation during our capacity recovery process before confirming complete resolution of the incident.

An update will be provided in 3 hours, or as events warrant.

Networking issues impacting Azure Services in East US2

8 January 2025 at 17:00

Summary of Impact: As early as 22:00 UTC on 08 Jan 2025, we noticed a partial impact to some of the Azure Services in East US2 due to a configuration change in a regional networking service. The configuration change caused inconsistent service state. This could have resulted in intermittent Virtual machine connectivity issues or failures in allocating resources or communicating with resources in the region. The services impacted include Azure Databricks, Azure Container Apps, Azure Function Apps, Azure App Service, SQL Managed Instances, Azure Data Factory, Azure Container Instances, PowerBI, VMSS, PostgreSQL flexible servers etc. Customers using resources with Private Endpoint NSG communicating with other services would also be impacted.

The impact is limited to a single zone in East US2 region. No other regions are impacted by this issue.

Current Status:

As early as 22:00 UTC on 08 Jan 2025, service monitoring alerted us to a networking issue in East US2 impacting multiple services. As part of the investigation, it was identified that a network configuration issue in one of the zones resulted in three of the Storage partitions going unhealthy. As an immediate remediation measure, traffic was re-routed away from the impacted zone, which brought some relief to the non-zonal services and helped with newer allocations. However, services that sent zonal requests to the impacted zone continued to be unhealthy. Some of the impacted services initiated their own Disaster Recovery options to mitigate the impact.

Additional workstreams to rehydrate the impacted zone by bringing back the impacted partitions to a healthy state have been ongoing as per the plan. To avoid any further impact, we are validating the fix on one of the partitions, and once that is confirmed, the mitigation will be applied to the other unhealthy partitions as well. We have completed the validation process successfully for one of the partitions and are working on applying the mitigation to all the partitions. Once the mitigation is applied, we intend to complete additional validations before bringing the partitions online.

We do not have an ETA available at this time, but we expect to be able to share more details on our progress in the next update. We continue to advise customers to execute Disaster Recovery to expedite recovery of their impacted services. Customers that have already failed out of the region should not fail back until this incident is fully mitigated. The next update will be provided in 1 hour or as events warrant.

For customers impacted due to Private Link, a patch was applied, and we confirm dependent services should be available.

We have been able to confirm that customers impacted by Azure Databricks, App Services multi-tenant, Azure Function Apps, Logic Apps, and Azure Synapse should start seeing some recovery.
