Rescana@Rescana
//
Amidst escalating regional conflicts, Iran has taken the drastic measure of shutting down internet access for its citizens, a move the government defends as a necessary precaution against Israeli cyberattacks. This disruption has severely impacted communication within the country, leaving Iranians abroad unable to connect with loved ones. One such individual, Amir Rashidi, expressed his anxiety, stating he hadn't heard from his family in two days and was relying on someone else for updates. The situation highlights the growing intersection of cyber warfare and real-world consequences for civilians.
The internet blackout is not the first instance of Iran limiting connectivity. In the past, similar restrictions were imposed during periods of political unrest, such as protests in 2019 and 2022. These shutdowns are implemented by pushing people towards domestic apps, which are often less secure, while also severely restricting access to vital information. Experts like Doug Madory from Kentik have documented significant drops in internet connectivity within Iran following recent Israeli airstrikes, with reductions of 54% initially, followed by further declines of 49% and, subsequently, a staggering 90%.
In a defensive maneuver against cyber threats, Iran is throttling its National Internet Infrastructure. The country claims it is restricting internet connectivity to counter cyber attacks amid regional conflict. The stated aim is to impede cyber intrusions and the synchronization of adversarial operations. An example of the threats Iran faces is demonstrated by the Israeli-linked hackers who seized and burned $90 million from Iran's Nobitex exchange.
Recommended read:
References :
- infosec.exchange: NEW: Iran's government has now admitted that it took down the internet in the country, arguing that it did to protect against Israeli cyberattacks. I spoke to two Iranians who live abroad and can't communicate with their loved ones back home because of the blackout.
- WIRED: Iran is limiting internet connectivity for citizens amid Israeli airstrikes—pushing people towards domestic apps, which may not be secure, and limiting their ability to access vital information. —
- Rescana: Iran National Internet Infrastructure Throttling: Cyber Defense Strategy to Prevent Attacks Amid Regional Conflict
Nicholas Kitonyi@NFTgators
//
A pro-Israel hacking group, known as Predatory Sparrow, has claimed responsibility for a cyberattack against Nobitex, Iran’s largest cryptocurrency exchange. The attack resulted in the theft of approximately $90 million in various cryptocurrencies, including Bitcoin and Dogecoin, as well as over 100 other cryptocurrencies. According to blockchain analytics firm Elliptic, the funds were drained from the exchange’s wallets into blockchain addresses containing anti-government messages explicitly referencing Iran's Islamic Revolutionary Guard Corps (IRGC).
The attackers, instead of attempting to profit financially, intentionally destroyed the stolen cryptocurrency in what has been described as a symbolic political statement. The funds were sent to blockchain addresses with the phrase "F***iRGCTerrorists" embedded within them. Experts say that generating addresses with such specific terms requires significant computing power, suggesting the primary goal was to send a message rather than to gain financially. The incident underscores the rising geopolitical tensions between Israel and Iran and the vulnerability of cryptocurrency exchanges to politically motivated cyberattacks.
The cyberattack on Nobitex is part of a broader pattern of cyber warfare between Israel and Iran. While the physical conflict has seen airstrikes and other military actions, the digital realm has become another battleground, with potentially significant repercussions for both countries and the wider global community. This incident also follows reports of internet restrictions within Iran, limiting citizens' access to information and communication amidst escalating tensions. The global cybersecurity community needs to stay prepared for security repercussions for the two combatants and the wider global community as the cyberwarfare portion of the conflict is already spilling over off the battlefield and outside the region.
Recommended read:
References :
- Zack Whittaker: This article also discusses the attack against Nobitex, noting the financial losses and the involvement of a pro-Israel hacking group.
- techcrunch.com: This news source provides information about the attack against Nobitex, mentioning the theft and destruction of cryptocurrency.
- Metacurity: This article reports on the attack against Nobitex by the Predatory Sparrow group, highlighting the financial impact and geopolitical context of the event.
- NFTgators: This news piece details the financial impact of the attack on Nobitex and the potential geopolitical implications.
- WIRED: This article covers the same event with additional details about the actions of the attacker group and their motives.
- aboutdfir.com: Pro-Israel hackers drained $90 million from Iran crypto exchange, analytics firm says
- fortune.com: Pro-Israel group hacks Iranian crypto exchange for $90 million—but throws away the money
- aboutdfir.com: Israeli-linked hackers seized and burned $90 million from Iran's Nobitex exchange
- www.darknet.org.uk: Israeli-linked hackers seized and destroyed over $90 million from Nobitex, an Iranian crypto exchange.
- SecureWorld News: As kinetic conflict continues to unfold between Israel and Iran, a parallel battle is raging in cyberspace—one that is disrupting financial systems, wiping out crypto holdings, hijacking broadcast channels, and even triggering a near-total internet shutdown.
- www.elliptic.co: The Iran-based Nobitex cryptocurrency exchange suffered a $90 million hack, and the attacker has also promised to imminently release data and source code from the platform.
- Web3 is Going Just Great: Israeli-linked hackers steal and destroy $90 million from Iranian Nobitex exchange The Iran-based Nobitex cryptocurrency exchange suffered a $90 million hack, and the attacker has also promised to imminently release data and source code from the platform.
info@thehackernews.com (The@The Hacker News
//
Scattered Spider, a cybercrime collective known for targeting U.K. and U.S. retailers, has shifted its focus to the U.S. insurance industry, according to warnings issued by Google Threat Intelligence Group (GTIG). The group, tracked as UNC3944, is known for utilizing sophisticated social engineering tactics to breach organizations, often impersonating employees, deceiving IT support teams, and bypassing multi-factor authentication (MFA). Google is urging insurance companies to be on high alert for social engineering schemes targeting help desks and call centers, emphasizing that multiple intrusions bearing the hallmarks of Scattered Spider activity have already been detected in the U.S.
GTIG's warning comes amidst a recent surge in Scattered Spider activity, with multiple U.S.-based insurance companies reportedly impacted over the past week and a half. The threat group has a history of targeting specific industries in clusters, with previous attacks impacting MGM Resorts and other casino companies. Security specialists emphasize that Scattered Spider often targets large enterprises with extensive help desks and outsourced IT functions, making them particularly susceptible to social engineering attacks. The group is also suspected of having ties to Western countries.
The shift in focus towards the insurance sector follows Scattered Spider's previous campaigns targeting retailers, including a wave of ransomware and extortion attacks on retailers and grocery stores in the U.K. in April. To mitigate against Scattered Spider's tactics, security experts recommend enhancing authentication, enforcing rigorous identity controls, implementing access restrictions, and providing comprehensive training to help desk personnel to effectively identify employees before resetting accounts. One insurance company, Erie Insurance, has already reported a cyberattack earlier this month, although the perpetrators have not yet been identified.
Recommended read:
References :
- Threats | CyberScoop: Scattered Spider, fresh off retail sector attack spree, pivots to insurance industry
- The Hacker News: Google Warns of Scattered Spider Attacks Targeting IT Support Teams at U.S. Insurance Firms
- www.cybersecuritydive.com: Threat group linked to UK, US retail attacks now targeting insurance industry
- hackread.com: Scattered Spider Aims at US Insurers After UK Retail Hit, Google Warns
- The Record: Security analysts at Google’s Threat Intelligence Group published a warning this week to insurance companies, writing that it is “now aware of multiple intrusions in the US which bear all the hallmarks of Scattered Spider activity.â€
- www.scworld.com: Scattered Spider group attacking US insurance industry, Google says
- SecureWorld News: Scattered Spider Swarms Insurance Sector with Targeted Cyber Attacks, Google Warns
- Zack Whittaker: Google's John Hultquist says in an emailed statement that the company is seeing "multiple intrusions in the US" that bear the hallmarks of Scattered Spider activity and "now seeing incidents in the insurance industry." Google spokesperson confirmed there's more than one U.S.-based insurance victim.
- cyberscoop.com: Scattered Spider, fresh off retail sector attack spree, pivots to insurance industry
- www.cybersecuritydive.com: Aflac duped by social-engineering attack, marking another hit on insurance industry
- www.cyjax.com: Weaving Chaos – Scattered Spider’s Cyberattacks Spin a Dangerous Web Across the Insurance Industry
- eSecurity Planet: Aflac confirms a cyberattack exposed sensitive customer data, citing social engineering tactics amid a wave of breaches targeting US insurers.
- CYJAX: Weaving Chaos – Scattered Spider’s Cyberattacks Spin a Dangerous Web Across the Insurance Industry
- cyberscoop.com: Aflac duped by social-engineering attack, marking another hit on insurance industry
- DataBreaches.Net: Aflac notifies SEC of breach suspected to be work of Scattered Spider
- Threats | CyberScoop: Aflac duped by social-engineering attack, marking another hit on insurance industry
- www.prnewswire.com: Aflac incorporated discloses cybersecurity incident.
- cyberpress.org: Aflac Incorporated, a major U.S.-based insurance company, reported a significant cybersecurity breach involving unauthorized access to its corporate network.
- www.techradar.com: Reports details on a cyberattack targeting Aflac
- techcrunch.com: US insurance giant Aflac says customers’ personal data stolen during cyberattack
Mayura Kathir@gbhackers.com
//
Scattered Spider, a sophisticated hacking collective known for its social engineering tactics, has allegedly breached Marks & Spencer by targeting the company's IT help desk. The cybercriminals reportedly duped an IT help desk employee into resetting a password, which then granted them access to internal networks. This breach is said to have disrupted M&S's online operations, leading to the temporary suspension of online orders, as reported between April and May 2025. Scattered Spider, also known as UNC3944, Octo Tempest, and Muddled Libra, has become prominent for using social engineering to exploit corporate service desks.
This attack on Marks & Spencer is part of a broader trend impacting UK retailers. The National Cyber Security Centre (NCSC) has issued warnings to organizations, urging them to be wary of phony IT helpdesk calls. Other retailers such as Co-op and Harrods have also been linked to attacks resulting in stolen member data and crippled payment systems. Any organization with a service desk is theoretically vulnerable to these low-tech, high-impact tactics employed by Scattered Spider and similar groups.
Scattered Spider is believed to be composed of young US and UK citizens who are part of a collective known as "The Comm," an underground community of English-speaking criminals that communicates and coordinates using social media platforms like Discord or Telegram. While five users associated with Scattered Spider, including the alleged leader, were detained in the first half of 2024, the complete composition of the group remains undetermined. After a period of relative silence following these arrests, Scattered Spider has resurfaced with this latest string of attacks on UK retail brands, prompting renewed cybersecurity concerns.
Recommended read:
References :
- cyble.com: Cyberattacks Hit Leading UK Retailers as NCSC Urges Stronger Defences
- specopssoft.com: Scattered Spider service desk attacks: How to defend your organization
- Cybersecurity Blog: The Marks and Spencer Cyber Attack: Everything You Need to Know
- www.exponential-e.com: NCSC warns of IT helpdesk impersonation trick being used by ransomware gangs after UK retailers attacked
- www.cysecurity.news: M&S Hackers Conned IT Help Desk Workers Into Accessing Firm Systems
- bsky.app: NCSC warns of IT helpdesk impersonation trick being used by ransomware gangs after UK retailers attacked. https://www.exponential-e.com/blog/ncsc-warns-of-it-helpdesk-impersonation-trick-being-used-by-ransomware-gangs-after-uk-retailers-attacked
- gbhackers.com: Cyberattackers Targeting IT Help Desks for Initial Breach
- Delinea Blog: M&S and Co-op Breaches: Lessons in Identity Security
- Malware ? Graham Cluley: Smashing Security podcast #416: High street hacks, and Disney’s Wingdings woe
- BleepingComputer: M&S says customer data stolen in cyberattack, forces password resets
- ComputerWeekly.com: M&S forces customer password resets after data breach
- www.itpro.com: M&S confirms customer personal data was stolen in recent attack
- BleepingComputer: Hackers behind UK retail attacks now targeting US companies
- ComputerWeekly.com: Scattered Spider retail attacks spreading to US, says Google
- www.cysecurity.news: Marks & Spencer Cyberattack Fallout May Last Months Amid Growing Threat from Scattered Spider
Shivani Tiwari@cysecurity.news
//
The UK's National Cyber Security Centre (NCSC) has issued an advisory following a series of cyberattacks targeting major UK retailers, including Marks & Spencer (M&S), Co-op, and Harrods. These incidents, which began in April 2025, have prompted warnings for organizations to remain vigilant and implement robust cybersecurity measures. The NCSC is working closely with affected organizations to understand the nature of the intrusions and provide targeted advice to the broader retail sector.
The NCSC's advice strongly suggests the involvement of Scattered Spider, a group of English-speaking cyber criminals previously linked to breaches at MGM Resorts and Caesars Entertainment in the U.S. Scattered Spider is believed to have deployed ransomware to encrypt key systems at M&S, causing significant disruption, including the suspension of online sales. Authorities are urging security teams to implement multi-factor authentication, monitor for risky logins, and review help desk login procedures to mitigate potential ransomware attacks.
While investigations are ongoing to determine if the attacks are linked or the work of a single actor, reports suggest that a group called DragonForce may also be involved. DragonForce operates as a ransomware-as-a-service, providing tools and infrastructure for contracted hackers. The NCSC emphasizes that all organizations should follow the advice on its website to ensure they have appropriate measures in place to prevent attacks and effectively respond to and recover from them.
Recommended read:
References :
- bsky.app: Beware phony IT calls after Co-op and M&S hacks, says UK cyber centre. The NCSC advice is the strongest hint yet the hackers are using tactics most commonly associated with a collective of English-speaking cyber criminals nicknamed Scattered Spider.
- slcyber.io: Scattered Spider Linked to Marks & Spencer Cyberattack
- www.cybersecuritydive.com: UK authorities warn of retail-sector risks following cyberattack spree
- cyble.com: Multiple cyberattacks have recently struck some of the UK’s most iconic retailers, prompting concern from industry leaders and cybersecurity authorities. Among the affected organizations are Harrods, Marks & Spencer, and the Co-op, all of which have confirmed incidents targeting their digital infrastructure in late April and early May 2025.
- research.checkpoint.com: For the latest discoveries in cyber research for the week of 5th May, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES Three major UK retailers – Co-op, Harrods and Marks & Spencer (M&S) – were hit by cyberattacks that disrupted operations and compromised sensitive data. The attacks are believed linked to the Scattered
- www.itpro.com: Following recent attacks on retailers, the NCSC urges other firms to make sure they don't fall victim too
- www.ncsc.gov.uk: A joint blog post by the NCSC’s National Resilience Director, Jonathon Ellison, and Chief Technology Officer, Ollie Whitehouse.
- BleepingComputer: UK shares security tips after major retail cyberattacks
- cyble.com: Multiple cyberattacks have recently struck some of the UK’s most iconic retailers, prompting concern from industry leaders and cybersecurity authorities. Among the affected organizations are Harrods, Marks & Spencer, and the Co-op, all of which have confirmed incidents targeting their digital infrastructure in late April and early May 2025. The UK’s National Cyber Security Centre (NCSC) is currently working alongside these retailers to investigate the attacks and mitigate potential damage.
- phishingtackle.com: Co-op has revealed that its recent breach was far more serious than initially reported, with a significant amount of data from current and former customers stolen. The National Cyber Security Centre (NCSC) has since warned that cybercriminals are impersonating IT … The post appeared first on .
- bsky.app: NCSC warns of IT helpdesk impersonation trick being used by ransomware gangs after UK retailers attacked. https://www.exponential-e.com/blog/ncsc-warns-of-it-helpdesk-impersonation-trick-being-used-by-ransomware-gangs-after-uk-retailers-attacked
- www.cysecurity.news: The disruption caused by the recent incidents impacting the retail sector are naturally a cause for concern to those businesses affected, their customers and the public,†said NCSC CEO Dr Richard Horne.
- www.exponential-e.com: NCSC warns of IT helpdesk impersonation trick being used by ransomware gangs after UK retailers attacked.
@cyble.com
//
Following a series of cyberattacks targeting major UK retailers including Marks & Spencer, Co-op, and Harrods, the National Cyber Security Centre (NCSC) has issued an urgent alert, urging organizations to bolster their defenses. The attacks, which involved ransomware and data theft, have caused significant operational disruptions and data breaches, highlighting the increasing risk faced by the retail sector. The NCSC anticipates that similar attacks are likely to escalate and emphasizes that preparation is key to ensuring business continuity and minimizing financial losses.
The NCSC advises businesses to take immediate and proactive measures to mitigate risks. A key recommendation is to isolate and contain threats quickly by severing internet connectivity immediately to prevent malware from spreading further across networks. It's equally important to ensure that backup servers remain isolated and unaffected by the attack, so they can be used for disaster recovery. The security agency is also calling on firms to review their password reset policies, and in particular how IT help desks authenticate workers when they make a reset request, especially in the case of senior employees with escalated privileges.
To enhance cyber resilience, the NCSC stresses the importance of implementing multi-factor authentication (MFA) across the board. The agency also warns organizations to be constantly on the lookout for ‘risky logins’ within Microsoft Entra ID Protection, where sign-in attempts are flagged as potentially compromised due to suspicious activity or unusual behaviour. The Information Commissioner's Office (ICO) has similar advice warning organizations to make sure that accounts are protected by a strong password, and that passwords aren't being reused across multiple accounts. While attacks against UK retailers have rocked the industry in recent weeks, the NCSC's guidance aims to help businesses avoid falling victim to similar incidents.
Recommended read:
References :
- DataBreaches.Net: Marks & Spencer breach linked to Scattered Spider ransomware attack
- Davey Winder: Harrods is the latest major U.K. retailer to confirm a cyberattack as M&S continues to struggle with ransomware strike fallout.
- securityaffairs.com: Luxury department store Harrods suffered a cyberattack
- The Register - Security: British govt agents step in as Harrods becomes third mega retailer under cyberattack
- www.itpro.com: Harrods hit by cyber attack as UK retailers battle threats
- Graham Cluley: Uh-oh. Marks & Spencer, Co-op, and now Harrods is the latest high profile UK retailer to be hit by what is (most likely) a attack. No organisation is 100% safe.
- techcrunch.com: UK retail giant Co-op warns of disruption as it battles cyberattack
- Bloomberg Technology: DragonForce hacking gang takes credit for UK retail attacks
- NCSC News Feed: NCSC statement: Incident impacting retailers
- Resources-2: Retail Under Fire: Inside the DragonForce Ransomware Attacks on Industry Giants
- Zack Whittaker: Bloomberg reporting that DragonForce ransomware gang "and its partners" were behind cyberattacks targeting U.K. retail giants Marks & Spencer, Co-op and Harrods. The gang also claimed to have stolen customer data.
- doublepulsar.com: DragonForce Ransomware Cartel attacks on UK high street retailers: walking in the front door
- Metacurity: Harrods becomes the third top UK retailer to fend off a cyberattack
- hackread.com: UK Retailer Harrods Hit by Cyber Attack After M&S, Co-op
- NPR Topics: Technology: Harrods, the iconic luxury department store, has become the latest British retailer to fall victim to a cyberattack.
- bsky.app: Uh-oh. Marks & Spencer, Co-op, and now Harrods is the latest high profile UK retailer to be hit by what is (most likely) a #ransomware attack.
- www.bbc.co.uk: The BBC reports on DragonForce's attacks on Co-op, details data theft.
- www.thetimes.com: The Sunday Times article details the DragonForce attack on Marks & Spencer.
- BleepingComputer: Cybersecurity firm BleepingComputer reported the Co-op's confirmation of significant data theft, contrasting with previous downplayed assessments of the incident.
- Help Net Security: The Co-op hack is detailed with an update of stolen data and the impact on the company's systems.
- DataBreaches.Net: BleepingComputer reports on the escalation of the Co-op cyberattack, with hackers boasting about stealing data from millions of customers.
- arcticwolf.com: Threat Event Timeline 22 April 2025 – Marks & Spencer released a cyber incident update on the London stock exchange website.
- Rescana: Detailed Report on the DragonForce Cyber Attack on Co-op Introduction: The DragonForce cyber attack on Co-op has emerged as a significant...
- Tech Monitor: The Co-op Group has acknowledged a substantial data breach in a cyberattack that was reportedly perpetrated by the DragonForce group.
- arcticwolf.com: Threat Event Timeline 04/22/2025 – Marks & Spencer released a cyber incident update on the London stock exchange website. The incident resulted in the organization having to pause online clothing orders for six days.
- www.techradar.com: Hackers claim to have stolen private information on 20 million Co-op shoppers
- cyble.com: Cyberattacks Hit Leading UK Retailers as NCSC Urges Stronger Defences
- cyble.com: Multiple cyberattacks have recently struck some of the UK’s most iconic retailers, prompting concern from industry leaders and cybersecurity authorities.
- www.cybersecurity-insiders.com: NCSC issues alert against more ransomware attacks on retailers
- www.itpro.com: In an official statement, addressed the situation, saying: “The disruption caused by the recent incidents impacting the retail sector are naturally a cause for concern to those businesses affected, their customers, and the public.
- cyberinsider.com: Cyber Insider reports on Co-op Confirms Member Data Breach Following Cyberattack Incident
- Check Point Research: Three major UK retailers – Co-op, Harrods and Marks & Spencer (M&S) – were hit by cyberattacks that disrupted operations and compromised sensitive data.
- www.bleepingcomputer.com: Marks and Spencer breach linked to Scattered Spider ransomware attack
- cyberinsider.com: NCSC Issues Urgent Guidance After Major UK Retailers Breached by Hackers
- www.cybersecurity-insiders.com: New Cyber threats emerge from Cyber Attacks on UK Companies.
- TechInformed: Recent retail cyber attacks have highlighted growing vulnerabilities in the UK sector.
- techinformed.com: A recent spate of retail cyber attacks has highlighted growing vulnerabilities in the UK sector, with high street names including M&S, the Co-op and Harrods…
- Cybersecurity Blog: The Marks and Spencer Cyber Attack: Everything You Need to Know
- www.exponential-e.com: NCSC warns of IT helpdesk impersonation trick being used by ransomware gangs after UK retailers attacked
- : Co-op has revealed that its recent breach was far more serious than initially reported, with a significant amount of data from current and former customers stolen.
- bsky.app: NCSC warns of IT helpdesk impersonation trick being used by ransomware gangs after UK retailers attacked.
- www.cysecurity.news: The United Kingdom’s National Cyber Security Centre (NCSC) has issued a stark warning following a wave of cyberattacks targeting some of the country’s most prominent retail chains.
Swagath Bandhakavi@Tech Monitor
//
France has officially accused the APT28 hacking group, linked to Russia's military intelligence service (GRU), of orchestrating a series of cyberattacks against French institutions over the past four years. The French foreign ministry condemned these actions "in the strongest possible terms," highlighting the targeting or breaching of a dozen French entities. The attacks have affected a range of organizations, including public services, private companies, and even a sports organization involved in preparations for the 2024 Olympic Games which was hosted in France.
France views these cyber operations as "unacceptable and unworthy" of a permanent member of the UN Security Council, asserting that Russia has violated international norms of responsible behavior in cyberspace. The ministry emphasized that such destabilizing activities undermine the integrity of international relations and security. This public attribution of the attacks to the GRU signifies a firm stance against Russia's malicious cyber activities and a commitment to defending French interests in the digital realm.
France, alongside its partners, is determined to anticipate, deter, and respond to Russia’s malicious cyber behavior, employing all available means. The French foreign ministry's statement also referenced past incidents, including the 2015 sabotage of TV5Monde and attempts to disrupt the 2017 presidential election, underscoring a pattern of APT28's disruptive activities targeting French interests. The French national agency for information systems security (ANSSI) has released a report on the threat linked to APT28 in order to prevent future attacks.
Recommended read:
References :
- therecord.media: In a rare public attribution, the French foreign ministry said it “condemns in the strongest possible terms†the actions of the GRU-linked threat actor known as APT28 for attacks against local entities.
- BleepingComputer: Today, the French foreign ministry blamed the APT28 hacking group linked to Russia's military intelligence service (GRU) for targeting or breaching a dozen French entities over the last four years.
- www.diplomatie.gouv.fr: Government of attributes a wide range of dating back ten years, targeting the French-hosted 2024 Olympics, prior elections, and against entities like television networks, to Russia's GRU
- The Record: Mastodon post referencing the French foreign ministry statement that it “condemns in the strongest possible terms†the actions of the GRU-linked threat actor known as APT28 for attacks against local entities.
- The DefendOps Diaries: The article is about unmasking APT28: The Sophisticated Threat to French Cybersecurity
- bsky.app: Russian military intelligence cyber operations targeting French entities
- www.techradar.com: France accuses Russian GRU hackers of targeting French organizations
- securityaffairs.com: France links Russian APT28 to attacks on dozen French entities
- Metacurity: France accuses Russia's APT28 of a string of serious cyberattacks going back to 2021
- Risky.Biz: Risky Bulletin: French government grows a spine and calls out Russia's hacks
- www.metacurity.com: France accuses Russia's APT28 of a string of serious cyberattacks going back to 2021
- Tech Monitor: France links Russian military-backed hackers APT28 to multiple cyber intrusions
- hackread.com: France accuses Russia’s APT28 hacking group (Fancy Bear) of targeting French government entities in a cyber espionage campaign.
- Risky Business Media: Risky Bulletin: French government grows spine, calls out Russian hacks
- bsky.app: Russian military intelligence cyber operations targeting French entities. Primarily includes governmental, diplomatic, and research entities, as well as think-tanks.
- www.scworld.com: French authorities have condemned a long-term cyber-espionage campaign by a Russian military intelligence group, APT28, targeting various French institutions.
- Andrew ? Brandt ?: The government of attributes a wide range of dating back ten years, targeting the French-hosted 2024 Olympics, prior elections, and against entities like television networks, to Russia's GRU ( ), and condemns them, officially, in a statement posted to their website.
- www.csoonline.com: France has publicly accused Russias GRU military intelligence agency, specifically its APT28 unit, of orchestrating a sustained cyber campaign targeting French institutions to undermine national stability, Reuters reports.
- Industrial Cyber: The French foreign ministry has attributed a series of cyberattacks on national interests to APT28, a group linked...
- industrialcyber.co: The French foreign ministry has attributed a series of cyberattacks on national interests to APT28, a group linked... The post appeared first on .
- hackread.com: From TV5Monde to Critical Infrastructure: France Blames Russia’s APT28 for Persistent Cyberattacks
- securityonline.info: APT28 Cyber Espionage Campaign Targets French Institutions Since 2021
Dissent@DataBreaches.Net
//
China has accused the United States National Security Agency (NSA) of launching "advanced" cyberattacks during the Asian Winter Games in February 2025, targeting essential industries. Police in the northeastern city of Harbin have placed three alleged NSA agents on a wanted list, accusing them of attacking the Winter Games' event information system and key information infrastructure in Heilongjiang province, where Harbin is located. The named NSA agents are Katheryn A. Wilson, Robert J. Snelling, and Stephen W. Johnson, all allegedly members of the NSA's Tailored Access Operations (TAO) offensive cyber unit.
China Daily reports the TAO targeted systems used for registration, timekeeping, and competition entry at the Games, systems which store "vast amounts of sensitive personal data." The publication also stated the TAO appeared to be trying to implant backdoors and used multiple front organizations to purchase servers in Europe and Asia to conceal its tracks and acquire the tools used to breach Chinese systems. A joint report from China's computer emergency response centers (CERTs) stated that over 270,000 attacks on the Asian Winter Games were detected, with 170,000 allegedly launched by the US.
Chinese foreign ministry spokesperson Lin Jian condemned the alleged cyber activity, urging the U.S. to take a responsible attitude on cybersecurity issues and stop any attacks and "groundless vilification against China." Xinhua reported the agents repeatedly carried out cyber attacks on China’s critical information infrastructure and participated in cyber attacks on Huawei and other enterprises. Chinese law enforcement agencies are seeking information that could lead to the arrest of the three NSA operatives, though rewards were not disclosed.
Recommended read:
References :
- The Register - Security: China names alleged US snoops over Asian Winter Games attacks
- www.cybersecurity-insiders.com: China accuses US of launching advanced Cyber Attacks on its infrastructure
- CyberScoop: Chinese law enforcement places NSA operatives on wanted list over alleged cyberattacks
- DataBreaches.Net: China accuses US of launching ‘advanced’ cyberattacks, names alleged NSA agents
- www.scworld.com: China's allegation that NSA hacked Asian Winter Games draws suspicion
- cyberscoop.com: Chinese law enforcement places NSA operatives on wanted list over alleged cyberattacks
- PCMag UK security: Police in the Chinese city of Harbin say three NSA operatives disrupted the 2025 Asian Winter Games and hacked Huawei.
- www.csoonline.com: China accused the United States National Security Agency (NSA) on Tuesday of launching “advanced†cyberattacks during the Asian Winter Games in February, targeting essential industries.
- Metacurity: China accuses NSA of 'advanced cyberattacks' during the Asian Winter Games
- www.metacurity.com: China accuses NSA of 'advanced cyberattacks' during the Asian Winter Games
- www.dailymail.co.uk: China accuses US of launching 'advanced' cyberattacks, names alleged NSA agents
- sysdig.com: UNC5174’s evolution in China’s ongoing cyber warfare: From SNOWLIGHT to VShell
- aboutdfir.com: China Admitted to Volt Typhoon Cyberattacks on US Critical Infrastructure
Sathwik Ram@seqrite.com
//
Pakistan-linked SideCopy APT has escalated its cyber operations, employing new tactics to infiltrate crucial sectors. Seqrite Labs APT team uncovered these new tactics deployed since the last week of December 2024. The Advanced Persistent Threat (APT) group, previously focused on Indian government, defence, maritime sectors, and university students, is expanding its targeting scope.
The group has broadened its targets to include critical sectors such as railways, oil & gas, and external affairs ministries. One notable shift in their recent campaigns is the transition from using HTML Application (HTA) files to adopting Microsoft Installer (MSI) packages as a primary staging mechanism. This evolution is marked by increasingly sophisticated methods, such as reflective DLL loading and AES encryption via PowerShell.
Furthermore, SideCopy is actively repurposing open-source tools like XenoRAT and SparkRAT to enhance their penetration and exploitation capabilities. The group customizes these tools and employs a newly identified Golang-based malware dubbed CurlBack RAT, specifically designed to execute DLL side-loading attacks. Recent campaigns demonstrate an increased use of phishing emails masquerading as government officials to deliver malicious payloads, often using compromised official domains and fake domains mimicking e-governance services.
Recommended read:
References :
- Virus Bulletin: The Seqrite Labs APT team has uncovered new tactics of the Pakistan-linked SideCopy APT. The group has expanded its targets to include critical sectors such as railways, oil & gas, and external affairs ministries and has shifted from using HTA files to MSI packages.
- www.seqrite.com: Seqrite Labs APT team has uncovered new tactics of Pakistan-linked SideCopy APT deployed since the last week of December 2024.
- www.seqrite.com: Seqrite Labs APT team has uncovered new tactics of Pakistan-linked SideCopy APT deployed since the last week of December 2024.
- cyberpress.org: SideCopy APT Poses as Government Personnel to Distribute Open-Source XenoRAT Tool
- gbhackers.com: SideCopy APT Hackers Impersonate Government Officials to Deploy Open-Source XenoRAT Tool
- Cyber Security News: Pakistan-linked adversary group SideCopy has escalated its operations, employing new tactics to infiltrate crucial sectors.
- gbhackers.com: SideCopy APT Hackers Impersonate Government Officials to Deploy Open-Source XenoRAT Tool
- beSpacific: Article on the new tactics of the Pakistan-linked SideCopy APT.
|
|
FlagThis - #Cyberattacks