CyberSecurity news

FlagThis - #cyberwarfare

@x.com //
The ongoing Israel-Iran conflict has expanded into cyberspace, marked by a surge in hacktivist activity and the deployment of new malware campaigns. Pro-Israel and pro-Iranian groups are actively engaging in cyberattacks, including DDoS attacks, website defacements, and data breaches, targeting organizations within each other's territories. This digital warfare mirrors the escalating military tensions between the two nations, turning the internet into a covert combat zone.

Amidst this cyber conflict, a pro-Israel hacktivist group known as Predatory Sparrow has claimed responsibility for hacking Bank Sepah, a major Iranian financial institution. Predatory Sparrow alleges that the bank was used to circumvent international sanctions and finance the Iranian regime's military activities. While independent verification of the attack is pending, reports have emerged of banking disruptions and closed Bank Sepah branches across Iran. The group has targeted Iranian organizations in the past.

The intensification of cyber hostilities between Israel and Iran raises concerns about potential spillover effects, with U.S. companies and critical infrastructure facing increased risks. Cybersecurity experts are urging organizations to brace for potential disruptions and enhance their defenses against cyberattacks. The digital conflict highlights the importance of cybersecurity preparedness in a world where geopolitical tensions increasingly manifest in cyberspace.

Recommended read:
References :
  • thecyberexpress.com: Iran-Israel cyber conflict intensifies with hacktivist attacks and new malware campaigns.
  • SpiderLabs Blog: The Digital Front Line: Israel and Iran Turn the Internet into a Covert Combat Zone
  • aboutdfir.com: U.S. companies brace for Israel-Iran cyber spillover

Ben Weiss@fortune.com //
A pro-Israel hacktivist group known as Predatory Sparrow has claimed responsibility for a cyberattack on Nobitex, Iran's largest cryptocurrency exchange. The attack resulted in the theft and destruction of approximately $90 million in cryptocurrency. The group stated that Nobitex was targeted for allegedly financing terrorism and evading international sanctions for the Iranian regime. This incident highlights the increasing cyber conflict between Israel and Iran, with hacktivist groups playing a significant role in disruptive operations.

The hackers reportedly sent the stolen funds to inaccessible blockchain addresses, effectively "burning" the cryptocurrency and taking it out of circulation. Blockchain analysis firm Elliptic confirmed the transfer of over $90 million to multiple vanity addresses containing variations of "F--kIRGCterrorists" within their public key. This symbolic act suggests the intention was to send a political message rather than financial gain. It has been noted that Nobitex has over 10 million customers, raising concerns about the potential impact of the breach.

The attack on Nobitex follows a recent claim by Predatory Sparrow of hacking Bank Sepah, another major Iranian financial institution. These cyberattacks come amid escalating tensions and exchanges of airstrikes between Israel and Iran. Cybersecurity experts warn of a growing digital conflict unfolding behind the scenes, with the potential for broader spillover effects. The situation emphasizes the vulnerability of cryptocurrency exchanges to sophisticated cyberattacks and the need for enhanced cybersecurity measures.

Recommended read:
References :
  • infosec.exchange: LorenzoFB post on Infosec Exchange about the group claiming responsibility for Iranian Bank Hack.
  • techcrunch.com: TechCrunch article on pro-Israel hacktivist group claiming responsibility for Iranian bank hack
  • Risky Business Media: Risky Bulletin: Israel-linked hackers claim Iran bank disruption
  • techcrunch.com: Iran’s largest crypto exchange Nobitex said it was hacked and funds drained. Pro-Israel hacking group Predatory Sparrow claimed responsibility for the hack, which saw the group steal and destroy some $90 million in cryptocurrency from the Iranian exchange.
  • CyberScoop: Iran’s financial sector takes another hit as largest crypto exchange is targeted
  • fortune.com: The hackers, who call themselves Predatory Sparrow, sent the funds to likely inaccessible blockchain addresses, burning the cryptocurrency.
  • Zack Whittaker: Iran’s largest crypto exchange Nobitex said it was hacked and funds drained. Pro-Israel hacking group Predatory Sparrow claimed responsibility for the hack, which saw the group steal and destroy some $90 million in cryptocurrency from the Iranian exchange.
  • www.nftgators.com: Pro-Israeli Hacker Group Drains $90M from Iranian Crypto Exchange Nobitex
  • bsky.app: My latest for BBC Persian: 'Predatory Sparrow' hackers stole $90 million from Iranian cryptocurrency company to 'send a message'.
  • WIRED: Israel-Tied Predatory Sparrow Hackers Are Waging Cyberwar on Iran’s Financial System
  • NFTgators: Pro-Israeli Hacker Group Drains $90M from Iranian Crypto Exchange Nobitex.
  • Metacurity: Metacurity reports on the Predatory Sparrow group's activities, including the Nobitex attack and other Iranian targets.
  • Risky Business Media: Tom Uren and Patrick Gray talk about a Minnesota man who used people-search services to locate, stalk and eventually murder political targets. They also discuss purported hacktivist group Predatory Sparrow weighing in on the Iran-Israel conflict. It has attacked Iran’s financial system including a bank associated with the Iranian Revolutionary Guard Corp and also burnt USD$90 million worth of cryptocurrency from an Iranian exchange This episode is also available on Youtube.
  • aboutdfir.com: Pro-Israel hackers drain $90 million from Iran crypto exchange, analytics firm says  Iran’s largest cryptocurrency exchange, Nobitex, was hacked for more than $90 million Wednesday, according to blockchain analytics firm Elliptic.
  • SecureWorld News: Israel–Iran Conflict Escalates in Cyberspace: Banks and Crypto Hit, Internet Cut
  • www.metacurity.com: Israeli-linked hackers seized and burned $90 million from Iran's Nobitex exchange
  • aboutdfir.com: Pro-Israel hackers drain $90 million from Iran crypto exchange, analytics firm says 

Jacob Finn@Cisco Talos Blog //
References: Cisco Talos Blog , Cisco Talos , bsky.app ...
A new destructive malware, dubbed PathWiper, has been discovered targeting critical infrastructure in Ukraine. Cisco Talos researchers identified the wiper after observing an attack on a Ukrainian entity. The attackers, believed to be a Russia-nexus APT actor, gained access to a legitimate endpoint administration framework and used it to deploy PathWiper across connected endpoints. The malware is designed to overwrite data with random bytes, effectively disrupting the targeted systems. The discovery highlights the continued cyber threat to Ukrainian critical infrastructure amidst the ongoing conflict.

The attack unfolded through a compromised administrative console. Attackers issued commands via the console, which were received by clients running on the endpoints and executed as batch files. These files contained commands to execute a malicious VBScript file named "uacinstall.vbs", which in turn, dropped and executed the PathWiper executable. The filenames and actions used throughout the attack were designed to mimic those of the administrative utility, suggesting the attackers had prior knowledge of the console and its functionality within the targeted environment.

Once executed, PathWiper identifies connected storage media and overwrites crucial file system artifacts with random data. It targets physical drives, volume names, network drive paths, and critical files like the Master Boot Record (MBR). The malware creates a thread for each drive and volume, overwriting the contents with randomly generated bytes, effectively destroying data and disrupting system operations. While PathWiper shares some similarities with HermeticWiper, another wiper used in previous attacks against Ukraine, there are notable differences in their data corruption mechanisms.

Recommended read:
References :
  • Cisco Talos Blog: Newly identified wiper malware “PathWiper†targets critical infrastructure in Ukraine
  • Cisco Talos: New destructive malware alert: Talos uncovered "PathWiper," a wiper targeting Ukrainian critical infrastructure, which we attribute with high confidence to a Russia-nexus APT actor. Learn how the attack unfolded:
  • securityonline.info: PathWiper: Russia-Linked APT Deploys New Wiper Malware Against Ukrainian Infrastructure
  • bsky.app: Cisco Talos observed a destructive attack on a critical infrastructure entity within Ukraine, using a previously unknown wiper called PathWiper
  • securityonline.info: PathWiper: Russia-Linked APT Deploys New Wiper Malware Against Ukrainian Infrastructure
  • The Hacker News: New PathWiper Data Wiper Malware Disrupts Ukrainian Critical Infrastructure in 2025 Attack
  • bsky.app: Cisco Talos observed a destructive attack on a critical infrastructure entity within Ukraine, using a previously unknown wiper called PathWiper
  • cyberpress.org: New pathWiper Malware Strikes Critical Infrastructure with Admin Tool Deployment
  • securityaffairs.com: Russia-linked threat actors targets Ukraine with PathWiper wiper
  • blog.talosintelligence.com: New destructive malware alert: Talos uncovered "PathWiper," a wiper targeting Ukrainian critical infrastructure, which we attribute with high confidence to a Russia-nexus APT actor. Learn how the attack unfolded:
  • Cisco Talos: New destructive malware alert: Talos uncovered "PathWiper," a wiper targeting Ukrainian critical infrastructure, which we attribute with high confidence to a Russia-nexus APT actor.
  • The Register - Security: Destructive malware has been a hallmark of Putin's multi-modal war A new strain of wiper malware targeting Ukrainian infrastructure is being linked to pro-Russian hackers, in the latest sign of Moscow's evolving cyber tactics.
  • RedPacket Security: Fresh strain of pro-Russian wiper flushes Ukrainian critical infrastructure
  • ciso2ciso.com: Fresh strain of pro-Russian wiper flushes Ukrainian critical infrastructure - Source: go.theregister.com
  • BleepingComputer: A new data wiper malware named 'PathWiper' is being used in targeted attacks against critical infrastructure in Ukraine, aimed at disrupting operations in the country.
  • Cisco Talos Blog: In this week's newsletter, Martin emphasizes that awareness, basic cyber hygiene and preparation are essential for everyone, and highlights Talos' discovery of the new PathWiper malware.
  • Security Affairs: Cisco Talos researchers reported that attackers utilized a legitimate endpoint administration tool, indicating they had access to the administrative console, then used it to deploy PathWiper across the victim network.
  • Catalin Cimpanu: Multiple sources indicate the use of PathWiper malware against Ukrainian critical infrastructure.
  • Industrial Cyber: Industrial Cyber article on PathWiper malware targeting Ukrainian critical infrastructure.
  • hackread.com: News article about a new New PathWiper Malware Strikes Ukraine’s Critical Infrastructure
  • industrialcyber.co: Researchers from Cisco Talos observed a destructive attack on a critical infrastructure entity within Ukraine, involving a previously...
  • www.csoonline.com: A destructive new malware, dubbed PathWiper, has struck Ukraine’s critical infrastructure, erasing data and disabling essential systems, according to a recent Cisco Talos report.
  • www.scworld.com: Ukraine's critical infrastructure subjected to novel PathWiper compromise
  • ciso2ciso.com: New PathWiper Malware Strikes Ukraine’s Critical Infrastructure – Source:hackread.com

@cyble.com //
In May 2025, cybersecurity experts reported a significant surge in hacktivist activity targeting Indian digital infrastructure. This wave of attacks followed the terror attack in Pahalgam, located in the Indian state of Jammu and Kashmir on April 22nd, and India’s retaliatory strikes across the border. A coordinated effort by more than 40 hacktivist groups sought to disrupt and deface numerous Indian websites, leading to widespread alarm across media and social networks as many claimed significant breaches of government, educational, and critical infrastructure websites.

However, detailed technical investigations revealed that the actual impact of these attacks on Indian cyber assets was minimal. Claims of major data breaches, such as a supposed 247 GB breach of the National Informatics Centre (NIC), were largely unfounded as the data was publicly available or fabricated. Website defacements and Distributed Denial of Service (DDoS) attacks, while numerous, were short-lived and ineffective.

Despite the relatively low impact, the cyberattacks highlighted the ongoing tensions in cyberspace between India and Pakistan. Technisanct identified 36 pro-Pakistan hacktivist groups involved in the digital assaults, countered by 14 Indian groups retaliating. The escalation in hacktivist activity serves as a reminder of the persistent and evolving cyber threats facing both nations, even amidst military tensions.

Recommended read:
References :
  • cyble.com: More than 40 hacktivist groups conducted coordinated cyberattacks against India following the April 22 terror attack in Pahalgam in the Indian state of Jammu and Kashmir, which in turn prompted India to respond with targeted strikes aimed at alleged terrorist infrastructure across the border and the Pakistan-Occupied Kashmir region (PoK).
  • thecyberexpress.com: Over 40 Hacktivist Groups Target India in Coordinated Cyber Campaign: High Noise, Low Impact
  • Secure Bulletin: Tactical reality behind the India-Pakistan hacktivist surge
  • securebulletin.com: Tactical reality behind the India-Pakistan hacktivist surge
  • cyble.com: India Experiences Surge in Hacktivist Group Activity Amid Military Tensions
  • thecyberexpress.com: No Ceasefire in the Cyberspace Between India and Pakistan
  • www.cysecurity.news: Cyber War Escalates Between Indian and Pakistani Hacktivists After Pahalgam Attack

Pierluigi Paganini@Security Affairs //
Pro-Russia hacktivist group NoName057(16) is actively targeting Dutch organizations with large-scale distributed denial of service (DDoS) attacks. These attacks are causing significant access problems and service disruptions for targeted entities across both the public and private sectors in the Netherlands. The country's National Cyber Security Center (NCSC) has issued a warning about these ongoing cyber activities. The NCSC confirmed that the attacks also affect European organizations alongside Dutch ones.

The attacks are part of a broader campaign of cyber-attacks claimed by the hacktivist group. These persistent DDoS attacks aim to overwhelm the targeted organizations' systems with malicious traffic, rendering them inaccessible to legitimate users. The goal of these attacks appears to be the disruption of services and potentially the undermining of confidence in the targeted organizations. BleepingComputer reported on this campaign, highlighting the severity and widespread impact of these attacks.

The National Cyber Security Center (NCSC), part of the Dutch Ministry of Justice, released a statement acknowledging the situation. The statement mentioned that both public and private entities within the Netherlands are being targeted by these large-scale DDoS attacks. The NCSC continues to monitor the situation and is working to mitigate the impact of these attacks.

Recommended read:
References :
  • bsky.app: Pro-Russia hacktivists persistently target key public and private organizations in the Netherlands with distributed denial of service (DDoS) attacks, causing access problems and service disruptions.
  • securityaffairs.com: Pro-Russia hacktivist group NoName057(16) is targeting Dutch organizations
  • www.bleepingcomputer.com: Pro-Russia hacktivists bombard Dutch public orgs with DDoS attacks
  • BleepingComputer: Pro-Russian hacktivists persistently target key public and private organizations in the Netherlands with distributed denial of service (DDoS) attacks, causing access problems and service disruptions.
  • bsky.app: Russian group NoName launched DDoS attacks and took down the public websites of several Dutch provinces.
  • www.bleepingcomputer.com: Russia-aligned hacktivists persistently target key public and private organizations in the Netherlands with distributed denial of service (DDoS) attacks, causing access problems and service disruptions.
  • DataBreaches.Net: A large-scale cyberattack hit multiple Dutch municipalities and provinces on Monday morning, rendering the websites of more than twenty local governments inaccessible for several hours.
  • The DefendOps Diaries: Pro-Russian Hacktivists Target Dutch Public Organizations with DDoS Attacks
  • gbhackers.com: Multiple Dutch organizations have experienced significant service disruptions this week due to a series of coordinated Distributed Denial-of-Service (DDoS) attacks.
  • industrialcyber.co: Forescout reports rise of state-sponsored hacktivism, as geopolitics rewrites cyber threat landscape

Dissent@DataBreaches.Net //
China has accused the United States National Security Agency (NSA) of launching "advanced" cyberattacks during the Asian Winter Games in February 2025, targeting essential industries. Police in the northeastern city of Harbin have placed three alleged NSA agents on a wanted list, accusing them of attacking the Winter Games' event information system and key information infrastructure in Heilongjiang province, where Harbin is located. The named NSA agents are Katheryn A. Wilson, Robert J. Snelling, and Stephen W. Johnson, all allegedly members of the NSA's Tailored Access Operations (TAO) offensive cyber unit.

China Daily reports the TAO targeted systems used for registration, timekeeping, and competition entry at the Games, systems which store "vast amounts of sensitive personal data." The publication also stated the TAO appeared to be trying to implant backdoors and used multiple front organizations to purchase servers in Europe and Asia to conceal its tracks and acquire the tools used to breach Chinese systems. A joint report from China's computer emergency response centers (CERTs) stated that over 270,000 attacks on the Asian Winter Games were detected, with 170,000 allegedly launched by the US.

Chinese foreign ministry spokesperson Lin Jian condemned the alleged cyber activity, urging the U.S. to take a responsible attitude on cybersecurity issues and stop any attacks and "groundless vilification against China." Xinhua reported the agents repeatedly carried out cyber attacks on China’s critical information infrastructure and participated in cyber attacks on Huawei and other enterprises. Chinese law enforcement agencies are seeking information that could lead to the arrest of the three NSA operatives, though rewards were not disclosed.

Recommended read:
References :
  • The Register - Security: China names alleged US snoops over Asian Winter Games attacks
  • www.cybersecurity-insiders.com: China accuses US of launching advanced Cyber Attacks on its infrastructure
  • CyberScoop: Chinese law enforcement places NSA operatives on wanted list over alleged cyberattacks
  • DataBreaches.Net: China accuses US of launching ‘advanced’ cyberattacks, names alleged NSA agents
  • www.scworld.com: China's allegation that NSA hacked Asian Winter Games draws suspicion
  • cyberscoop.com: Chinese law enforcement places NSA operatives on wanted list over alleged cyberattacks
  • PCMag UK security: Police in the Chinese city of Harbin say three NSA operatives disrupted the 2025 Asian Winter Games and hacked Huawei.
  • www.csoonline.com: China accused the United States National Security Agency (NSA) on Tuesday of launching “advanced†cyberattacks during the Asian Winter Games in February, targeting essential industries.
  • Metacurity: China accuses NSA of 'advanced cyberattacks' during the Asian Winter Games
  • www.metacurity.com: China accuses NSA of 'advanced cyberattacks' during the Asian Winter Games
  • www.dailymail.co.uk: China accuses US of launching 'advanced' cyberattacks, names alleged NSA agents
  • sysdig.com: UNC5174’s evolution in China’s ongoing cyber warfare: From SNOWLIGHT to VShell
  • aboutdfir.com: China Admitted to Volt Typhoon Cyberattacks on US Critical Infrastructure

@www.wsj.com //
References: Sam Bent , DataBreaches.Net , WIRED ...
China has reportedly acknowledged its role in cyberattacks against U.S. critical infrastructure, specifically those attributed to the Volt Typhoon campaign. This admission occurred during a secret meeting with U.S. officials in December, according to SecurityWeek. U.S. officials noted that Volt Typhoon's actions, which involved infiltrating various industries' systems through zero-day exploits and other advanced tactics, were an attempt to deter U.S. support for Taiwan. Furthermore, cyberespionage by the Chinese state-backed Salt Typhoon group against U.S. telecommunications firms was also discussed, revealing the compromise of U.S. officials' communications.

These attacks are part of a broader pattern of Chinese state-backed hackers increasing their activity against infrastructure in the U.S., Europe, and the Asia-Pacific region. Recent intelligence indicates groups like Volt Typhoon and Salt Typhoon have infiltrated power grids, telecommunications networks, and transportation systems. Their apparent goal is to preposition for potential wartime disruption or coercive retaliation during periods of geopolitical tension. This approach involves installing dormant "logic bombs" designed to be triggered during a conflict or crisis, maintaining persistent access while minimizing detection risk.

The intensified cyber activities are viewed as a component of China's cyber-enabled irregular warfare strategy. Recent incidents include a power grid failure in Taiwan linked to a Volt Typhoon logic bomb, along with similar occurrences reported in European infrastructure. The attacks' sophistication lies in their "Living Off the Land" techniques, blending state-sponsored hacking with proxy groups and disinformation to achieve strategic objectives without triggering conventional military responses. Such actions, as analyzed by IT security professional Simone Kraus, raise concerns due to their potential for devastating real-world consequences if critical infrastructure is compromised.

Recommended read:
References :
  • Sam Bent: In a closed-door Geneva summit, Chinese officials admitted—albeit indirectly—to orchestrating Volt Typhoon cyberattacks on US infrastructure. The move signals escalating covert conflict over Taiwan and exposes the US grid’s vulnerability to prolonged foreign infiltration.
  • DataBreaches.Net: Chinese officials acknowledged in a secret December meeting that Beijing was behind a widespread series of alarming cyberattacks on U.S. infrastructure, according to people familiar with the matter, underscoring how hostilities between the two superpowers are continuing to escalate.
  • www.metacurity.com: China acknowledged US cyberattacks at a secret meeting, report
  • WIRED: China Secretly (and Weirdly) Admits It Hacked US Infrastructure
  • Risky Business Media: China privately admits to hacking American critical infrastructure, the US Treasury was compromised by password spraying, America will sign a global spyware agreement after all, and a Chinese APT is abusing the Windows Sandbox to hide its malware.
  • securityaffairs.com: China admitted its role in Volt Typhoon cyberattacks on U.S. infrastructure, WSJ reports.
  • The Register - Security: China reportedly admitted directing cyberattacks on US infrastructure at a meeting with their American counterparts, according to The Wall Street Journal.…
  • Schneier on Security: China Sort of Admits to Being Behind Volt Typhoon
  • oodaloop.com: China Admitted to Volt Typhoon Cyberattacks on US Critical Infrastructure: Report
  • www.scworld.com: US critical infrastructure attacks reportedly acknowledged by China
  • OODAloop: In a secret meeting that took place late last year between Chinese and American officials, the former confirmed that China had conducted cyberattacks against US infrastructure as part of the campaign known as Volt Typhoon, according to The Wall Street Journal.
  • cybersecuritynews.com: Chinese Hackers Attacking Critical Infrastructure to Sabotage Networks
  • Metacurity: China acknowledged US cyberattacks at a secret meeting, report
  • ciso2ciso.com: China Sort of Admits to Being Behind Volt Typhoon – Source: www.schneier.com
  • WIRED: Brass Typhoon: The Chinese Hacking Group Lurking in the Shadows