Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Cyber Attacks. Show all posts
WhatsApp Security
Banking Malware Cyber Attacks Cybercrime Trends Digital Fraud Identity Theft Malware Threats Online Safety Screen Sharing Scam Social Engineering WhatsApp Security

Screen Sharing on WhatsApp Turns Costly with Major Financial Loss

 


Several disturbing patterns of digital deception have quietly developed in recent months, revealing just how readily everyday communications tools can be turned into instruments of financial ruin in an instant. According to security researchers, there has been an increase in sophisticated cybercriminal schemes utilizing the trust users place in familiar platforms, particularly WhatsApp, to gain access to the internet. 

It is a common occurrence that what initially starts out as a friendly message, an unexpected image, or a polite call claiming that an “urgent issue” with a bank account is a crafted scam which soon unravels into a meticulously crafted scam. It is very possible for malicious software to be installed through downloading an innocuous-looking picture that can allow you to infiltrate banking applications, harvest passwords, and expose personal identification information without your knowledge. 

There have been instances where fraudsters impersonating bank representatives have coaxed users into sharing their screens with the false pretense that they are resolving account discrepancy. When this has happened, these fraudsters can observe every detail in real time - OTP codes, login credentials, account balances - and in some cases, they will convince victims to install remote access programs or screen mirroring programs so they can further control the device. 

It is evident from the intertwined tactics that a troubling trend in digital crime has taken place, emphasizing the need for increased vigilance among Indians and beyond, underscoring a troubling development. There is a fast-growing network of social-engineering groups operating across multiple regions, who are utilizing WhatsApp's screen-sharing capabilities to bypass safety measures and gain control of their financial lives by manipulating their screen-sharing capabilities. 

Investigators have begun piecing together the contours of this network. Initially introduced in 2023 as a convenience feature, screen-sharing has since become a critical point of exploitation for fraudsters who place unsolicited video calls, pretend to be bank officials or service providers, and convince victims to reveal their screens, or install remote-access applications masquerading as diagnostic tools, to exploit their vulnerabilities. 

Almost $700,000 was defrauded by one victim in one of the cases of abuse that spanned from India and the U.K. to Brazil and Hong Kong. This demonstrates how swiftly and precisely these schemes emerge. In describing the technique, it is noted that it is not based on sophisticated malware, but rather on urgency, trust, and psychological manipulation, allowing scammers to circumvent a lot of traditional technical protections. 

Furthermore, criminal networks are enhancing their arsenals by spreading malicious files via WhatsApp Web, including one Brazilian operation that uses self-replicating payloads to hijack contacts, automate fraudulent outreach, and compromise online banking credentials through its use of malicious payloads distributed through WhatsApp Web. 

The investigators of the fraud note that the mechanisms are based less on technical sophistication and more on psychological pressure intended to disarm victims. An unsolicited WhatsApp video call made by a number that appears local can be the start of the scam, usually presented as a bank officer, customer service agent, or even an acquaintance in need of assistance. 

Callers claim to have an urgent problem to solve - an unauthorized transaction, an account suspension threat, or even an error in the verification process - that creates a feeling of panic that encourages their victims to comply without hesitation.

The imposter will initially convince the victim that the issue is being resolved, thereby leading to them sharing their screen or installing a legitimate remote-access application, such as AnyDesk or TeamViewer, which will enable the fraudster to watch every action that occurs on the screen in real time, as they pretend to resolve it. 

By using this live feed, an attacker can access one-time passwords, authentication prompts, banking app interfaces, as well as other sensitive credentials. By doing so, attackers can be able to take control of WhatsApp accounts, initiate unauthorized transfers, or coax the victim into carrying out these actions on their own.

A more elaborate variant consists of guiding the victim into downloading applications that secretly contain keyloggers or spyware that can collect passwords and financial information long after the call has ended, allowing them to collect it all. When scammers have access to personal information such as banking details or social media profiles, they can drain accounts, take over accounts on social networks, and assume the identity of victims to target others on their contact list.

Authorities caution that the success of these schemes depends on trust exploiting, so user vigilance is key. According to the advisories, individuals should be cautious when receiving unknown phone calls, avoid sharing screens with unknown parties, disable installations coming from untrusted sources, and refrain from opening financial apps when they are receiving remote access. 

These measures are crucial in order to prevent these social engineering scams from getting the better of them, as they continue to develop. As far as the most advanced variations of the scam are concerned, the most sophisticated versions of the scam entail criminals installing malicious software through deceptive links or media files in a victim's device, thus granting them complete control of that victim's computer. 

When these kinds of malware are installed, they can record keystrokes, capture screens, gather banking credentials, intercept two-factor authentication codes, and even gain access to sensitive identity documents. It is possible for attackers to take control of cameras and microphones remotely, which allows them to utilize the device as a tool for surveillance, coercion, or a long-term digital impersonation device. 

In addition to financial theft, the extent to which the compromised identity may be exploited goes far beyond immediate financial exploitation, often enabling blackmail and continuous abuse of the victim's identity. 

In light of this backdrop, cybersecurity agencies emphasize the significance of adopting preventative habits that can significantly reduce exposure to cybercriminals. There is still an important role to play in ensuring that users do not download unfamiliar media, disable WhatsApp's automatic download feature, and keep reputable mobile security tools up to date. 

WhatsApp still has the built-in features that allow them to block and report suspicious contacts, while officials urge individuals to spread basic cyber-hygiene knowledge among their communities, pointing out that many people fall victim to cyber-attacks simply because they lack awareness of the dangers that lurk. 

There has been a surge of fraud attempts across messaging platforms, and Indian authorities, including the Indian Cybercrime Coordination Centre, as well as various state cyber cells have issued a number of public advisories about this, and citizens are encouraged to report such attacks to the National Cybercrime Reporting Portal as soon as possible. 

In conjunction with these warnings, these findings shed light on a broader point: even the most ordinary digital interactions are capable of masking sophisticated threats, and sustained vigilance remains the strongest defense against the growing epidemic of social engineering and malware-driven crimes that are booming in modern society. 

As the majority of the fraud is carried out by social-engineering tactics, researchers have also observed a parallel wave of malware campaigns that are utilizing WhatsApp's broader ecosystem, which demonstrates how WhatsApp is capable of serving as a powerful channel for large-scale infection. As an example of self-replicating chains delivered through WhatsApp Web, one of the most striking cases was reported by analysts in Brazil. 

A ZIP archive was sent to the victims, which when opened, triggered the obfuscated VBS installer SORVEPOTEL, which was an obfuscated VBS installer. In this PowerShell routine, the malware used ChromeDriver and Selenium to re-enter the victim's active WhatsApp Web session, enabling the malware to take full control of the victim's active WhatsApp Web session. 

In order to spread the malware, the script retrieved message templates from a command-and-control server, exfiltrated the user's contact list, and automatically distributed the same malicious ZIP file to every network member that was connected with it—often while displaying a fake banner that said "WhatsApp Automation v6.0" to give it the appearance of legitimacy. 

Researchers found that Maverick was a payload that was evasive and highly targeted, and it was also accompanied by a suite of malicious capabilities. It was also packaged inside the ZIP with a Windows LNK file that could execute additional code through the use of a remote server that had the first stage loader on it. As soon as the malware discovered that the device was belonging to a Brazilian user, it launched its banking module only after checking for debugging tools, examining the system locale indicators such as the time zone and language settings. 

A Maverick server monitoring website activity for URLs linked to Latin American financial institutions, when activated, was aligned with credential harvesting and account manipulation against regional banks, aligning its behavior with credential harvesting. As Trend Micro pointed out previously, an account ban could be issued as a result of the sheer volume of outbound messages caused by a similar WhatsApp Web abuse vector, which relied on active sessions to mass-distribute infected ZIP files. 

These malware infections acted primarily as infostealers that targeted Brazilian banking and cryptocurrency platforms, thereby demonstrating the fact that financial fraud objectives can be easily mapped to WhatsApp-based lures when it comes to financial fraud. 

It is important to note, however, that security analysts emphasize that the global screen-sharing scams are not primarily the work of a single sophisticated actor, but rather the work of a diffuse criminal ecosystem that combines trust, urgency, and social manipulation to make them successful. According to ESET researchers, these tactics are fundamentally human-driven rather than based on technical exploits over a long period of time, whereas Brazilian malware operations show clearer signs of being involved in structured criminal activity. 

It is thought that the Maverick Trojan can be linked to the group that has been named Water Saci, whose operations overlap with those of the Coyote banking malware family-which indicates that these groups have been sharing techniques and developing tools within Brazil's underground cybercrime market. 

Even though the associations that have been drawn between WhatsApp and opportunistic scammers still seem to be rooted in moderate confidence, they reveal an evolving threat landscape in which both opportunistic scammers and organized cybercriminals work towards exploiting WhatsApp to their advantage. 

A number of analysts have indicated that the success of the scheme is a function of a carefully orchestrated combination of trust, urgency, and control. By presenting themselves as legitimate entities through video calls that appear to originate from banks, service providers, or other reliable entities, scammers achieve a veneer of legitimacy by appearing authentic.

In addition, they will fabricate a crisis – a fake transaction, a compromised account, or a suspended service – in order to pressure the victim into making a hasty decision. The last step is perhaps the most consequential: convincing the victim to share their screen with the attacker, or installing a remote access tool, which in effect grants the attacker complete access to the device. 

In the event that a phone is gained access to, then every action, notification, and security prompt becomes visible, revealing the phone as an open book that needs to be monitored. Security professionals indicate that preventative measures depend more on vigilance and personal precautions than on technical measures alone. 

Unsolicited calls should be treated with suspicion, particularly those requesting sensitive information or screen access, as soon as they are received, and any alarming claims should be independently verified through official channels before responding to anything unfounded. The use of passwords, OTPs, and banking information should never be disclosed over the telephone or through email, as legitimate institutions would not request such data in this manner. 

Installing remote access apps at the direction of unfamiliar callers should be avoided at all costs, given that remote access applications allow you to control your device completely. It is also recommended to enable WhatsApp's built-in two-step verification feature, which increases the security level even in the event of compromised credentials.

Finally, investigators emphasize that a healthy degree of skepticism remains the most effective defense; if we just pause and check it out independently, we may be able to prevent the cascading damage that these highly persuasive scams intend to cause us.
Read more »
Malware Attack
APT44 Cyber Attacks Cyber Hackers Data Hackers Data protection data security data wipers Data Wiping Malware Hacker attack Malware Attack

Russian Sandworm Hackers Deploy New Data-Wipers Against Ukraine’s Government and Grain Sector

 

Russian state-backed hacking group Sandworm has intensified its destructive cyber operations in Ukraine, deploying several families of data-wiping malware against organizations in the government, education, logistics, energy, and grain industries. According to a new report by cybersecurity firm ESET, the attacks occurred in June and September and form part of a broader pattern of digital sabotage carried out by Sandworm—also known as APT44—throughout the conflict. 

Data wipers differ fundamentally from ransomware, which typically encrypts and steals data for extortion. Wipers are designed solely to destroy information by corrupting files, damaging disk partitions, or deleting master boot records in ways that prevent recovery. The resulting disruption can be severe, especially for critical Ukrainian institutions already strained by wartime pressures. Since Russia’s invasion, Ukraine has faced repeated wiper campaigns attributed to state-aligned actors, including PathWiper, HermeticWiper, CaddyWiper, WhisperGate, and IsaacWiper.

ESET’s report documents advanced persistent threat (APT) activity between April and September 2025 and highlights a notable escalation: targeted attacks against Ukraine’s grain sector. Grain exports remain one of the country’s essential revenue streams, and ESET notes that wiper attacks on this industry reflect an attempt to erode Ukraine’s economic resilience. The company reports that Sandworm deployed multiple variants of wiper malware during both June and September, striking organizations responsible for government operations, energy distribution, logistics networks, and grain production. While each of these sectors has faced previous sabotage attempts, direct attacks on the grain industry remain comparatively rare and underscore a growing focus on undermining Ukraine’s wartime economy. 

Earlier, in April 2025, APT44 used two additional wipers—ZeroLot and Sting—against a Ukrainian university. Investigators discovered that Sting was executed through a Windows scheduled task named after the Hungarian dish goulash, a detail that illustrates the group’s use of deceptive operational techniques. ESET also found that initial access in several incidents was achieved by UAC-0099, a separate threat actor active since 2023, which then passed control to Sandworm for wiper deployment. UAC-0099 has consistently focused its intrusions on Ukrainian institutions, suggesting coordinated efforts between threat groups aligned with Russian interests. 

Although Sandworm has recently engaged in more espionage-driven operations, ESET concludes that destructive attacks remain a persistent and ongoing part of the group’s strategy. The report further identifies cyber activity linked to Iranian interests, though not attributed to a specific Iranian threat group. These clusters involved the use of Go-based wipers derived from open-source code and targeted Israel’s energy and engineering sectors in June 2025. The tactics, techniques, and procedures align with those typically associated with Iranian state-aligned hackers, indicating a parallel rise in destructive cyber operations across regions affected by geopolitical tensions. 

Defending against data-wiping attacks requires a combination of familiar but essential cybersecurity practices. Many of the same measures advised for ransomware—such as maintaining offline, immutable backups—are crucial because wipers aim to permanently destroy data rather than exploit it. Strong endpoint detection systems, modern intrusion prevention technologies, and consistent software patching can help prevent attackers from gaining a foothold in networks. As Ukraine continues to face sophisticated threats from state-backed actors, resilient cybersecurity defenses are increasingly vital for preserving both operational continuity and national stability.
Read more »
Scattered Spider
Cyber Attacks DragonForce Marks & Spencer Ransomware Scattered Spider

M&S Cyberattack: Retailer Issues Fresh Warning to Shoppers

 

Marks & Spencer (M&S) suffered a severe cyberattack in April 2025, orchestrated by the ransomware group known as Scattered Spider, with the ransomware called DragonForce. This breach forced M&S to halt all online transactions for nearly six weeks, disrupting its operations during a traditionally strong trading period around Easter. 

The attackers first infiltrated M&S's network through social engineering tactics aimed at a third-party IT helpdesk contractor, Tata Consultancy Services, tricking staff into granting access. This human error allowed the hackers to steal sensitive customer personal data, including names, addresses, emails, phone numbers, birthdates, and order histories, though no payment details or passwords were compromised.

As a result, M&S had to suspend online shopping completely and revert to manual processes for inventory and logistics, which led to empty shelves and disrupted service in many stores. Contactless payments and order collection systems failed at the outset of the incident, adding to customer frustration. M&S publicly apologized and reset all customer passwords on affected accounts as a precaution against subsequent phishing attacks using the stolen data.

Financially, the incident is estimated to have cost M&S approximately £300 million in lost profits, which significantly impacted its half-year results. Despite the disruption, M&S’s revenue during the affected period remained relatively stable, reflecting growth in grocery and clothing/home segments, though online market share was partly lost to competitors like Next. The full impact on profits and sales was to be revealed in M&S’s upcoming financial report.

The cyber attack highlighted vulnerabilities in traditional cybersecurity defenses focused on inbound threats, as the ransomware attack involved a "double extortion" technique where data was exfiltrated before encryption, and legacy tools failed to detect the outbound data theft. Experts suggest that more advanced anti-data exfiltration capabilities could have mitigated damage. M&S is reviewing its cybersecurity posture and continuing to recover operationally while managing costs and store investments moving forward.

M&S shoppers were urged to remain vigilant against phishing scams, as criminals exploit stolen personal data for targeted attacks. The incident underscores the evolving threats retailers face from ransomware and social engineering attacks on supply chains and third-party vendors. Overall, the attack marked a significant challenge for M&S’s digital and retail operations with a wide-reaching customer impact and financial implications.
Read more »
RaaS
Cloud Cyber Attacks Cyber Attacks. Ransomware Extortion Japan RaaS

Firms in Japan at Risk of Ransomware Threats, Government Measures Insufficient


There is no indication that ransomware assaults against Japanese businesses will stop. Major online retailer Askul Corp. experienced a cyberattack in October that resulted in system interruptions, following an attack on Asahi Group Holdings Ltd. Government authorities are finding it difficult to keep up with the situation.

The ransomware profit 

According to some estimates, a complete system recovery could take several months. Asahi is thought to have been employing a large-scale operations system that linked ordering, shipping, human resources, and accounting administration. 

A hacker collective known as Qilin claimed responsibility for this most recent attack in a statement released on a dark web website on October 27. The group claimed to have stolen approximately 9,300 files totaling at least 27 gigabytes, and they shared 29 photos that they felt showed Asahi's internal documents and employee personal information.

About Quilin

Qilin is thought to be a hacker collective with ties to Russia that was established around 2022. The gang reportedly released over 700 statements claiming responsibility for ransomware attacks in 2025 alone, when it started to become more active. 

Additionally, Qilin uses a business model called "Ransomware as a Service" (RaaS), whereby it offers third parties ransomware programs and attack techniques as a service. Even anyone without a high level of technological competence can conduct assaults utilizing RaaS. 

The creation of ransomware and the implementation of the attacks have been split between many players who split ransom payments, whereas in the past, virus writers frequently carried out the operations individually. These company strategies seem to have gained popularity in recent years.

Attack tactics

Hackers typically breach a company's networks to prevent access to data and threaten to release it. This is referred regarded as a double extortion strategy. 

To make businesses pay, some hackers even go so far as to use triple or quadruple extortion. These include direct threats to the targeted company's clients and business partners or frequent distributed denial-of-service (DDoS) attacks that flood servers with data.  

According to reports, these techniques are become more malevolent. The majority of specialists concur that payments should not be made in principle, and even if a business pays the ransom, there is no assurance that the data would be released.




Read more »
GPS Spoofing
aviation aviation cyber attacks Cyber Attacks Cybersecurity Attack GPS GPS interference GPS Spoofing

Delhi Airport Hit by Rare GPS Spoofing Attacks Causing Flight Delays and Diversions

 


Delhi’s Indira Gandhi International Airport witnessed an unusual series of GPS spoofing incidents this week, where fake satellite signals were transmitted to mislead aircraft about their real positions. These rare cyber disruptions, more common in conflict zones or near sensitive borders, created severe flight congestion and diversions. 

According to reports, more than 400 flights were delayed on Friday alone, as controllers struggled to manage operations amid both spoofing interference and a separate technical glitch in the Air Traffic Control (ATC) system. The cascading impact spread across North India, disrupting schedules at several major airports. Earlier in the week, Delhi Airport ranked second globally for flight delays, as reported by the Times of India. 

At least seven flights had to be diverted to nearby airports such as Jaipur and Lucknow, even though all four of Delhi’s runways were fully operational. On Tuesday, the Navigation Integrity Category value—a critical measure of aircraft positioning accuracy—fell dramatically from 8 to 0, raising alarms within the aviation community. Pilots reported these irregularities within a 60-nautical-mile radius of Delhi, prompting the Directorate General of Civil Aviation (DGCA) to initiate an investigation, as confirmed by The Hindu. 

The situation was worsened by the temporary shutdown of the main runway’s Instrument Landing System (ILS), which provides ground-based precision guidance to pilots during landings. The ILS is currently being upgraded to Category III, which will allow landings even in dense fog—a major requirement ahead of Delhi’s winter season. However, its unavailability has forced aircraft to rely heavily on satellite-based navigation systems, making them more vulnerable to spoofing attacks. GPS spoofing, a complex form of cyber interference, involves the deliberate transmission of counterfeit satellite signals to trick navigation systems. 

Unlike GPS jamming, which blocks genuine signals, spoofing feeds in false ones, making aircraft believe they are in a different location. For example, a jet actually flying over Delhi could appear to be over Chandigarh on cockpit instruments, potentially leading to dangerous course deviations. Such cyber manipulations have grown more frequent worldwide, raising serious safety concerns for both commercial and military aviation. 

In India, GPS spoofing incidents are not entirely new. The Centre informed Parliament earlier this year that 465 such cases were recorded between November 2023 and February 2025 along the India-Pakistan border, primarily near Amritsar and Jammu. A report by the International Air Transport Association (IATA) also revealed that over 430,000 cases of GPS jamming and spoofing were documented globally in 2024, a 62% increase from the previous year. The consequences of such interference have sometimes been deadly. 

In December 2024, an Azerbaijan Airlines aircraft crashed in Kazakhstan, reportedly due to Russian anti-aircraft systems misidentifying it amid GPS signal disruption. Earlier this year, an Indian Air Force aircraft flying humanitarian aid to earthquake-hit Myanmar encountered GPS spoofing suspected to originate from Chinese-enabled systems. Data from the GPSjam portal shows India’s borders with Pakistan and Myanmar among the world’s top five regions with poor navigation accuracy for aircraft. 

With Delhi Airport handling over 1,550 flights daily, even brief interruptions can cause widespread delays and logistical chaos. The Airports Authority of India (AAI) has assured that technical teams are working to strengthen the ATC system and implement safeguards to prevent future interference. As investigations continue, the recent incidents serve as a crucial reminder of the evolving cybersecurity challenges in modern aviation and the urgent need for resilient navigation infrastructure to ensure passenger safety in increasingly contested airspace.
Read more »
Jennings O'Donovan
Cyber Attacks Data Leak Engineering firm Ireland Jennings O'Donovan

Cyber Attack Exposes Data of 861 Irish Defective Block Grant Applicants

 

An engineering firm that assesses applications for Ireland's defective concrete blocks grant scheme has been hit by a cyberattack, potentially exposing the personal data of approximately 861 homeowners across multiple counties. The breach targeted Sligo-based consulting firm Jennings O'Donovan, which works with the Housing Agency to evaluate applications under the enhanced defective concrete blocks scheme. 

The incident, first reported in October 2025, resulted in unauthorized access to a limited portion of the company's IT systems. Affected data includes applicants' names, local authority reference numbers, contact details, and technical reports containing photographs of damaged dwellings. However, the Housing Agency confirmed that no financial or banking information was compromised, as this data was stored securely on unaffected systems.

Donegal County was the most severely impacted, with approximately 685 applicants affected, representing over 30% of all Donegal applications to the scheme. Mayo County had 47 affected applicants, while 176 applications from other counties were also caught in the breach. The defective concrete blocks scheme, commonly known as the mica or pyrite redress scheme, provides grants to homeowners whose properties have been damaged by defective building materials containing excessive levels of mica or pyrite.

According to Jennings O'Donovan, the firm experienced a network disruption involving temporary unauthorized access and immediately activated established IT security protocols. The company worked with external specialists to identify, isolate, and mitigate the disruption. The Housing Agency emphasized that its own systems remained unaffected and the incident appears isolated to the single engineering company.

The Housing Agency has contacted all impacted applicants, advising that homeowners who were not contacted were not affected by the breach. Security experts warn that exposed personal data could potentially be used for targeted phishing or social engineering attacks against vulnerable homeowners. Despite the breach, the Housing Agency stated that no material delays to grant applications are expected.

The incident adds further complications to a scheme already facing criticism for processing delays and administrative challenges. As of June 2025, only 164 of 2,796 applicants had completed remediation work on their homes, with €163 million paid out in grants. The cyberattack highlights cybersecurity vulnerabilities in government contractor systems handling sensitive citizen data.
Read more »
Western Sydney University
Cyber Attacks Data Leak Private Data User Security Western Sydney University

Western Sydney University Hit by Major Cyberattack

 

Western Sydney University has suffered a significant cyberattack, marking the latest in a series of incidents targeting the institution since 2023. Sensitive data belonging to students, staff, and alumni—including tax file numbers, bank account details, passport and driver license information, visa and health data, contact information, and even ethnicities—was compromised when threat actors gained access to the university’s Student Management System hosted on a cloud-based platform by a third-party provider. 


The breach was discovered after two instances of unusual activity on August 6 and August 11, 2025. Investigations revealed that unauthorised access occurred through a chain involving external systems linked to the university’s infrastructure between June 19 and September 3, 2025. The attackers subsequently used this stolen data to send out fraudulent emails to students and graduates on October 6, 2025. 

These emails falsely claimed recipients had been excluded from the university or had their degrees revoked, causing widespread concern. Some scam emails appeared especially credible as they included legitimate student numbers and exploited ongoing web vulnerabilities.

The university responded by immediately initiating investigations, directing its third-party supplier to shut down access, and cooperating closely with the NSW Police Cybercrime Squad’s Strike Force Docker. Notably, in June 2025, police arrested a former student, Birdie Kingston, alleged to have played a role in earlier hacks, although officials stopped short of directly connecting this individual to the latest attack.

In recent statements, Vice-Chancellor Professor George Williams apologised for the disruption and emphasised the institution’s ongoing efforts to rectify the issue and bolster cybersecurity. The attack forms part of a troubling pattern of breaches, including incidents involving Microsoft Office 365 and other IT environments exposed since 2023. Data from previous attacks has surfaced on both the dark web and clear web, affecting thousands of current and former students.

WSU has advised affected community members to change passwords, enable multi-factor authentication, and avoid using the same password across multiple online accounts. Victims are encouraged to follow university guidance and make use of support services available. The institution continues to work with law enforcement and remains on high alert for further attacks.
Read more »
North Korean Hackers
Bybit crypto hack cryptocurrency theft Cyber Attacks DPRK nuclear funding fake remote tech jobs North Korea cyberattacks North Korean Hackers

North Korean Hackers Steal Billions Through Crypto Heists and Fake Remote Jobs to Fund Nuclear Program, Report Reveals

 

North Korean hackers have siphoned off billions of dollars by breaching cryptocurrency exchanges and using false identities to secure remote tech jobs abroad, according to a new international assessment of the country’s cyber operations.

The 138-page report, released by the Multilateral Sanctions Monitoring Team—a coalition including the U.S. and 10 allied nations—found that Pyongyang’s government directs these covert schemes to bankroll its nuclear weapons research and development. The group was established last year to track North Korea’s adherence to U.N. sanctions.

The findings reveal that North Korea has leveraged cryptocurrencies to launder illicit funds and procure military equipment, effectively evading global restrictions tied to its nuclear ambitions. Investigators noted that hackers linked to Pyongyang routinely deploy malware against international corporations and institutions, aiming to disrupt systems and exfiltrate sensitive data.

Despite its isolation and limited economic power, North Korea has made substantial investments in offensive cyber warfare, achieving a level of sophistication that rivals China and Russia, the report concluded. Unlike other major cyber actors such as China, Russia, and Iran, North Korea primarily uses its hacking operations as a financial lifeline—employing cyberattacks and fake employees to generate state revenue.

The report further stated that, aided by actors in Russia and China, North Korea’s cyber campaigns have “been directly linked to the destruction of physical computer equipment, endangerment of human lives, private citizens’ loss of assets and property, and funding for the DPRK’s unlawful weapons of mass destruction and ballistic missile programs.”

The monitoring team—comprising the U.S., Australia, Canada, France, Germany, Italy, Japan, the Netherlands, New Zealand, South Korea, and the United Kingdom—was created after Russia vetoed a U.N. Security Council resolution that previously empowered a panel of experts to oversee North Korea’s sanctions compliance. Its initial report in May examined North Korea’s military aid to Russia.

Earlier this year, hackers tied to North Korea executed one of the largest cryptocurrency thefts in history, stealing $1.5 billion in Ethereum from the exchange Bybit. The FBI later attributed the theft to a hacker collective operating under North Korea’s intelligence agency.

U.S. authorities have also alleged that thousands of North Korean IT professionals are secretly employed by American companies using stolen or fabricated identities. These workers allegedly infiltrate internal systems and redirect their earnings back to the North Korean regime—sometimes juggling multiple remote jobs simultaneously.

A request for comment sent to North Korea’s mission to the U.N. on Wednesday went unanswered.
Read more »
supply chain security
Automotive Industry Cyberattack cyber attack Cyber Attacks cyber resilience Cyber Risk Management Cybersecurity Breach Data Breach impact industrial cybersecurity Jaguar Land Rover Hack supply chain security

Analysts Place JLR Hack at Top of UKs Most Costly Cyber Incidents


 

It has been said by experts that Jaguar Land Rover (JLR) has found itself at the epicentre of the biggest cyber crisis in UK history, an event that has been described as a watershed moment for British industrial resilience. It was in late August that hackers breached the automaker's computer system, causing far more damage than just crippling its computers. 

The breach caused a sudden and unexpected halt for the nation's largest car manufacturer, revealing how vulnerable modern manufacturing networks really are. Jaguar Land Rover's cyberattack has been classified as a Category 3 systemic event by the Cyber Monitoring Centre (CMC), the third-highest severity level on the five-point scale, emphasising the magnitude of the disruption that resulted. 

According to estimates, the company lost between £1.6 billion ($2.1 billion) and £2.1 billion ($2.8 billion) in losses, but experts warned that losses could climb higher if production setbacks persist or deep damage arises to the company's operational technology. It appears by some distance to be, by some distance, that this incident has had a financial impact on the United Kingdom that has been far greater than any other cyber incident that has occurred, according to Ciaran Martin, chairman of the CMC Technical Committee, in a statement to Cybersecurity Dive.

As the British authorities expressed growing concern after a sobering national cybersecurity review which urged organisations to strengthen their digital defences at the board and executive level, his comments came at the same time that the British government was growing increasingly concerned. National Cyber Security Centre reports that in the past year, 204 national-level cyberattacks have been recorded in the United Kingdom, and there have been 18 major incidents in the country. These include a coordinated social-engineering campaign that targeted major retailers, causing hundreds of millions of dollars worth of damage. 

Taking into account the severity level of the cyberattack on Jaguar Land Rover, the Cyber Monitoring Centre (CMC) has officially classified it as a Category 3 event on its five-point severity scale, which indicates the cyberattack resulted in a loss of between £1 billion and £5 billion and affected over 2,700 UK-based businesses.

During the late August break-up of JLR, which began in late August, an extended production freeze was imposed at the company's Solihull, Halewood, and Wolverhampton facilities, which disrupted the manufacturing of approximately 5,000 vehicles every week. As a result of this paralysis, thousands of smaller contractors and dealerships were affected as well, and local businesses that relied upon factory operations were put under severe financial strain.

A £1.5 billion ($2 billion) loan package was approved in September by British officials in response to the automaker's supplier network issues that had stalled the company's recovery efforts. Executives from the company declined to comment on the CMC's findings. However, they confirmed that production has gradually resumed at several plants, including Halewood and its Slovakia operation, indicating that after weeks of costly downtime, there has been some sign of operational restoration. 

Unlike widespread malware outbreaks, which often target a range of sectors indiscriminately in the hope of spreading their malicious code, this was a targeted attack that exposed vulnerabilities deep within one of Britain's most advanced manufacturing ecosystems in a concentrated area. 

While there was no direct threat to human life from the incident, analysts predicted substantial secondary effects on employment and industrial stability, with reduced demand for manufacturing likely to hurt job security, as production capacities remain underutilised despite the incident. 

As a way of cushioning the blow, the Government of the UK announced it would provide a £1.5 billion loan to help the automaker rebuild its supply chain, and JLR itself offered an additional £500 million to help stabilise operations. Based on the data collected by the CMC as of October 17, the estimated financial damage is about £1.9 billion - a figure that is likely to increase as new information becomes available.

However, the Centre clarified that the conclusions it came to were not based on internal JLR disclosures, but on independent financial modelling, public filings, expert analysis and benchmarks specific to each sector. As a consequence, JLR is expected to be unable to fully recover from the incident until January 2026. However, additional shifts may be introduced, and production will be increased to 12 per cent of pre-incident capacity in an effort to speed the company's recovery. 

In a concluding paragraph, the report urges both UK industries to strengthen their IT and operational systems to ensure a successful recovery from large-scale cyber disruptions. It also urged the government to develop a dedicated framework for the provision of assistance to those victims. It has thus far been agreed that Jaguar Land Rover has declined to comment on the CMC’s evaluation of the issue. 

However, the magnitude of the Jaguar Land Rover breach has been heightened by the intricate network of suppliers that make up the British automotive industry. As an example of what a Range Rover luxury vehicle entails, almost 30,000 individual components are sourced from a vast ecosystem of businesses that together sustain more than 104,000 jobs in the UK.

The majority of these firms are small and medium-sized businesses that are heavily reliant on JLR's production schedules and procurement processes. Approximately 5,000 domestic organisations were disrupted as a result of the cyberattack, which was conducted by the Cyber Monitoring Centre (CMC). This includes more than 1,000 tier-one suppliers, as well as thousands more at tiers two and three. 

Based on early data, approximately a quarter of these companies have already had to lay off employees, with another 20 to 25 per cent in danger of experiencing a similar situation if the slowdown continues. In addition to the manufacturing floor, the consequences have rippled out to other parts of the world as well. 

Dealerships have reported sharp declines in sales and commissions; logistics companies have been faced with idle transport fleets and underutilised shipping capacity; and the local economies around the major JLR plants have been affected as restaurants, hotels, and service providers have lost their customers as a result of the recession. 

The disruption has even affected aftermarket specialists, resulting in the inaccessibility of digital parts ordering systems, which caused them to lose access to their online systems. Though there was no direct threat to human lives, the incident has left a profound human impact—manifesting itself in job insecurity, financial strain, and heightened anxiety among the communities that were affected. 

There is a risk that prolonged uncertainty will exacerbate regional inequalities and erode the socioeconomic stability of towns heavily reliant on the automotive supply chain for their livelihoods, according to analysts. Jaguar Land Rover's unprecedented scale breach underscores the close ties that exist between cybersecurity and the stability of the global economy, which is why it is so sobering that there is a deep relationship between cybersecurity and the success of any business. 

Several analysts believe that this incident serves as a reminder that Britain's corporate and policy leadership should emphasise the importance of stronger digital defences, as well as adaptive crisis management frameworks that can protect interconnected supply networks from cyberattacks.

The automotive giant is rebuilding its operations at the moment, and experts stress the importance of organisations anticipating threats, integrating digital infrastructures across sectors, and collaborating across sectors in order to share intelligence and strengthen response mechanisms in order to remain resilient in the modern era. 

Governments are facing increasing pressure to make industrial cybersecurity a part of their national strategy, including providing rapid financial assistance and technical support to prevent systemic failures. Although JLR's recovery roadmap may have the power to restore production on schedule, the wider takeaway is clear: in an age when code and machine are inseparably linked, the health of the nation's manufacturing future is dependent on the security of its digital infrastructure.
Read more »
ransomware attacks
AI in cybersecurity Cyber Attacks Cyber Extortion Microsoft Digital Defense Report nation-state hackers ransomware attacks

Microsoft Warns: Over Half of Cyberattacks Driven by Extortion and Ransomware, Legacy Security Failing to Keep Up

 


More than 50% of cyberattacks are now motivated by extortion and ransomware, according to Microsoft’s latest Digital Defense Report. The tech giant revealed that outdated security systems are no longer capable of defending against today’s evolving cyber threats.

In its sixth annual report, Microsoft highlighted that around 80% of the cyber incidents its security teams investigated last year were financially motivated.

"That’s at least 52% of incidents fueled by financial gain, while attacks focused solely on espionage made up just 4%," said Amy Hogan-Burney, CVP for Customer Security and Trust at Microsoft.

She added, "Nation-state threats remain a serious and persistent threat, but most of the immediate attacks organizations face today come from opportunistic criminals looking to make a profit."

The report noted that critical public sectors, including hospitals and local governments, are prime targets. These institutions often handle highly sensitive information but operate with limited cybersecurity resources and response capabilities. In many cases, healthcare and other essential services are more likely to pay ransoms due to the critical nature of their operations.

Although nation-state-driven attacks account for a smaller share of total incidents, their volume is steadily increasing. Microsoft’s findings show that China continues its aggressive campaigns across industries to steal sensitive data, using covert systems and exploiting internet vulnerabilities to avoid detection.

Iran has widened its scope, targeting sectors from the Middle East to North America, including shipping and logistics companies in Europe and the Persian Gulf to gain access to valuable commercial data.

Meanwhile, Russia has extended its operations beyond Ukraine, focusing on small businesses in pro-Ukraine countries, perceiving them as softer targets compared to larger corporations.

Microsoft also identified North Korea as a major concern for both espionage and revenue-driven cyber operations. Thousands of North Korean IT workers are reportedly employed remotely by global companies, funneling their salaries back to the regime. When exposed, some of these operatives have shifted to extortion tactics.

"The cyber threats posed by nation-states are becoming more expansive and unpredictable," Hogan-Burney warned. "In addition, the shift by at least some nation-state actors to further leveraging the cybercriminal ecosystem will make attribution even more complicated."

She stressed the importance of collaboration: "This underscores the need for organizations to stay abreast of the threats to their industries and work with both industry peers and governments to confront the threats posed by nation-state actors."

Microsoft’s report also underscored how artificial intelligence and automation have empowered cybercriminals, even those with minimal expertise, to execute more complex attacks. AI tools are being used to develop malware faster, generate convincing fake content, and enhance phishing and ransomware campaigns.

More than 97% of identity attacks are now password-related, with a 32% surge in the first half of 2025 alone. Attackers commonly exploit leaked credentials and use large-scale password guessing.

"However, credential leaks aren’t the only place where attackers can obtain credentials," Hogan-Burney explained. "This year, we saw a surge in the use of infostealer malware by cyber criminals. Infostealers can secretly gather credentials and information about your online accounts, like browser session tokens, at scale."

She added, "Cyber criminals can then buy this stolen information on cyber crime forums, making it easy for anyone to access accounts for purposes such as the delivery of ransomware."

The report concludes by urging governments to establish stronger frameworks to ensure credible consequences for cyber activities that breach international laws and norms.


Read more »
Ransomware
Artificial Intelligence China Cyber Attacks NCSC Ransomware

NCSC Warns of Rising Cyber Threats Linked to China, Urges Businesses to Build Defences

 



The United Kingdom’s National Cyber Security Centre (NCSC) has cautioned that hacking groups connected to China are responsible for an increasing number of cyberattacks targeting British organisations. Officials say the country has become one of the most capable and persistent sources of digital threats worldwide, with operations extending across government systems, private firms, and global institutions.

Paul Chichester, the NCSC’s Director of Operations, explained that certain nations, including China, are now using cyber intrusions as part of their broader national strategy to gain intelligence and influence. According to the NCSC’s latest annual report, China remains a “highly sophisticated” threat actor capable of conducting complex and coordinated attacks.

This warning coincides with a government initiative urging major UK companies to take stronger measures to secure their digital infrastructure. Ministers have written to hundreds of business leaders, asking them to review their cyber readiness and adopt more proactive protection strategies against ransomware, data theft, and state-sponsored attacks.

Last year, security agencies from the Five Eyes alliance, comprising the UK, the United States, Canada, Australia, and New Zealand uncovered a large-scale operation by a Chinese company that controlled a botnet of over 260,000 compromised devices. In August, officials again warned that Chinese-backed hackers were targeting telecommunications providers by exploiting vulnerabilities in routers and using infected devices to infiltrate additional networks.

The NCSC also noted that other nations, including Russia, are believed to be “pre-positioning” their cyber capabilities in critical sectors such as energy and transportation. Chichester emphasized that the war in Ukraine has demonstrated how cyber operations are now used as instruments of power, enabling states to disrupt essential services and advance strategic goals.


Artificial Intelligence: A New Tool for Attackers

The report highlights that artificial intelligence is increasingly being used by hostile actors to improve the speed and efficiency of existing attack techniques. The NCSC clarified that, while AI is not currently enabling entirely new forms of attacks, it allows adversaries to automate certain stages of hacking, such as identifying security flaws or crafting convincing phishing emails.

Ollie Whitehouse, the NCSC’s Chief Technology Officer, described AI as a “productivity enhancer” for cybercriminals. He explained that it is helping less experienced hackers conduct sophisticated campaigns and enabling organized groups to expand operations more rapidly. However, he reassured that AI does not currently pose an existential threat to national security.


Ransomware Remains the Most Severe Risk

For UK businesses, ransomware continues to be the most pressing danger. Criminals behind these attacks are financially motivated, often targeting organisations with weak security controls regardless of size or industry. The NCSC reports seeing daily incidents affecting schools, charities, and small enterprises struggling to recover from system lockouts and data loss.

To strengthen national resilience, the upcoming Cyber Security and Resilience Bill will require critical service providers, including data centres and managed service firms, to report cyber incidents within 24 hours. By increasing transparency and response speed, the government hopes to limit the impact of future attacks.

The NCSC urges business leaders to treat cyber risk as a priority at the executive level. Understanding the urgency of action, maintaining up-to-date systems, and investing in employee awareness are essential steps to prevent further damage. As cyber activity grows “more intense, frequent, and intricate,” the agency stresses that a united effort between the government and private sector is crucial to protecting the UK’s digital ecosystem.



Read more »
Identity Theft
Airline Customer Data Cyber Attacks cyberattacks on airline Data Breaches Data Leak data security Hackers Identity Theft

Qantas Data Leak Highlights Rising Airline Cyberattacks and Identity Theft Risks

 

Airlines continue to attract the attention of cybercriminals due to the vast amounts of personal data they collect, with passports and government IDs among the most valuable targets. According to privacy firm Incogni, the exposure of such documents poses a “severe, long-term identity theft risk” since they are difficult to replace and can be exploited for years in fraud schemes involving fake identities, counterfeit documents, and impersonation scams. 

The recent Qantas Airways data breach, claimed by the Scattered LAPSUS$ Hunters group, underscores the sector’s growing vulnerability. The stolen data included names, email addresses, Frequent Flyer details, and limited personal information such as phone numbers and birth dates. Fortunately, Qantas confirmed that no passport details, financial information, or credit card data were compromised. 

However, experts warn that even limited leaks can have serious consequences. “Attackers often combine personal identifiers like names and loyalty program details from multiple breaches to build complete identity profiles,” said Darius Belejevas, Head of Incogni. Such composite records can enable large-scale fraud even without financial data exposure. 

The Qantas incident also highlights the danger of third-party compromises. The breach reportedly stemmed from Salesforce social engineering and vendor vulnerabilities, illustrating how a single compromised supplier can have ripple effects across industries. Belejevas emphasized that “one compromised partner can expose millions of records in a single incident.” 

Data breaches in the airline industry are escalating rapidly. According to Cyble’s threat intelligence database, more than 20 airline-related breaches have been reported on the dark web in 2025 — a 50% increase from 2024. Much of this surge is attributed to coordinated attacks by Scattered Spider and the broader Scattered LAPSUS$ Hunters alliance, although other groups have also begun targeting the aviation sector. 

In a separate incident, the CL0P ransomware group claimed to have breached Envoy Air, a regional carrier of American Airlines. Envoy confirmed the intrusion but stated that no customer data was affected, only limited business information. In contrast, WestJet, which suffered a breach in June 2025, had passports and government-issued IDs exposed, prompting it to offer two years of free identity monitoring to affected customers. Incogni, however, warned that identity theft risks from such documents can persist well beyond two years. 

Experts urge travelers to take preventive security measures. Incogni recommends enrolling in identity theft monitoring, reporting phishing attempts to national anti-fraud agencies, using strong passwords with multi-factor authentication, and removing personal data from data broker sites. 

“Individuals and organizations must do more to safeguard sensitive data,” said Ron Zayas, CEO of Incogni. “In today’s world, data isn’t just being stolen by hackers — it’s also being misused by legitimate entities to manipulate outcomes.”
Read more »
Ransomware attack
Aviation System Collins Aerospace Cyber Attacks European Flights Ransomware attack

Hundreds of European Flights Disrupted by Major Ransomware Attack

 

A major ransomware attack recently caused widespread disruption to airline operations across several key European airports, resulting in hundreds of flight cancellations and delays for passengers. The incident highlights the growing vulnerability of the aviation industry due to its heavy reliance on technology, especially third-party software for critical services such as check-in and baggage handling.

The attack specifically targeted the popular MUSE check-in and boarding system, developed by US-based Collins Aerospace, a subsidiary of RTX. European cybersecurity agency ENISA confirmed on September 22 that ransomware had affected MUSE’s operations, forcing airports in Berlin, Brussels, and London Heathrow to revert to manual systems. 

The impact was severe: Brussels Airport canceled half of its Sunday and Monday flights, and Berlin Airport reported delays exceeding an hour due to nonfunctional check-in systems. At London Heathrow, Terminal 4 experienced significant disruption, with departures delayed by up to two hours and ongoing manual check-ins.

While Collins Aerospace claimed that manual processes could mitigate problems, the scale of the disruptions proved otherwise. Staff struggled to manage operations without technological support, underscoring the risks posed by dependence on software and the critical need for robust cybersecurity measures. Restoration of MUSE was nearly complete by Monday, yet some airports like Dublin experienced minimal disruption, showing varying impacts across different locations.

The broader risk is amplified by the fact that MUSE is used by over 300 airlines at 100 airports worldwide, raising concerns about the possibility of further attacks if vulnerabilities remain unaddressed. Experts caution that a compromised update could still threaten other airports, or that attackers may use initial breaches to extort further ransom from software providers.

This incident is part of a dramatic surge in cyberattacks facing the aviation sector, which saw a staggering 600% increase in 2025 compared to the previous year, according to French aerospace company Thales. Experts point out the economic and geopolitical stakes involved, advocating for a comprehensive cybersecurity strategy, adoption of AI tools, and industry-wide collaboration to address threats. 

The attack highlights that cyberattacks may have objectives beyond operational disruption, potentially targeting sensitive data and system integrity and emphasizing the urgent need for more resilient aviation security protocols.
Read more »
Nation-State Attacks
CISOs Cyber Attacks Cyber Awareness cyber resilience Cyber Threats Cybersecurity CyberWar Digital Defense Identity Security Nation-State Attacks

The Silent Guardians Powering the Frontlines of Cybersecurity

 


There is no doubt that a world increasingly defined by invisible battles and silent warriors has led to a shift from trenches to terminals on which modern warfare is now being waged. As a result, cyberwarfare is no longer a distant, abstract threat; now it is a tangible, relentless struggle with real-world consequences.

Power grids fail, hospitals go dark, and global markets tremble as a result of unseen attacks. It is at this point that a unique breed of defenders stands at the centre of this new conflict: cyber professionals who safeguard the fragile line between digital order and chaos. The official trailer for Semperis Midnight in the War Room, an upcoming documentary about the hidden costs of cyber conflict, has been released, bringing this hidden war to sharp focus. 

Semperis is a provider of AI-powered identity security and cyber resilience. It has an extraordinary lineup of voices – including Chris Inglis, the first U.S. National Cyber Director; General (Ret.) David Petraeus, the former Director of the CIA; Jen Easterly, former Director of the CISA; Marcus Hutchins, one of the WannaCry heroes; and Professor Mary Aiken, a globally recognised cyber psychologist – all of whom are highly respected for their expertise in cybersecurity. 

The film examines the high-stakes battle between attackers, defenders, and reformed hackers who have now taken the risk of exploiting for themselves. As part of this documentary, leading figures from the fields of cybersecurity and national defence gather together in order to present an unprecedented view of the digital battlefield. 

Using their insights into cyber conflicts, Midnight in the War Room explores the increasing threat that cybercrime poses to international relations as well as corporate survival today. A film that sheds light on the crucial role of chief information security officers (CISOs), which consists of who serve as the frontlines of protecting critical infrastructure - from power grids to financial networks - against state-sponsored and criminal cyber threats, is a must-see. 

It is the work of more than fifty international experts, including cyber journalists, intelligence veterans, and reformed hackers, who provide perspectives which demonstrate the ingenuity and exhaustion that those fighting constant digital attacks have in the face. Even though the biggest threat lies not only with the sophistication of adversaries but with complacency itself, Chris Inglis argues that global resilience is an urgent issue at the moment. 

It has been reported that Semperis' Chief Marketing Officer and Executive Producer, Thomas LeDuc, views the project as one of the first of its kind to capture the courage and pressure experienced by defenders. The film is richly enriched by contributions from Professor Mary Aiken, Heath Adams, Marene Allison, Kirsta Arndt, Grace Cassy and several former chief information security officers, such as Anne Coulombe and Simon Hodgkinson, and it provides a sweeping and deeply human perspective on modern cyber warfare. 

With its powerful narrative, Midnight in the War Room explores the human side of cyberwarfare—a struggle that is rarely acknowledged but is marked by courage, resilience and sacrifice in a way that is rarely depicted. A film about those defending the world's most vital systems is a look at the psychological and emotional toll they endure, in which trust is continually at risk and a moment of complacency can trigger devastating consequences. 

The film explores the psychological and emotional tolls endured by those defending those systems. During his remarks at Semperis, Vice President for Asia Pacific and Japan, Mr Sillars, points out that cyber threats do not recognise any borders, and the Asia Pacific region is at the forefront of this digital conflict as a result of cyber threats. 

During the presentation, he emphasises that the documentary seeks to highlight the common challenges cybersecurity professionals face worldwide, as well as to foster collaboration within critical sectors to build identity-driven resilience. As the Chief Marketing Officer at Semperis and Executive Producer, LeDuc describes the project as one of the most ambitious in cybersecurity history—bringing together top intelligence leaders, chief information security officers, journalists, victims and reformed hackers as part of a rare collaborative narrative.

In the film, Cyber Defenders' lives are portrayed through their own experiences as well as the relentless pressure and unwavering resolve they face every day. Among the prominent experts interviewed for the documentary are Marene Allison, former Chief Information Security Officer of Johnson & Johnson; Grace Cassy, co-founder of CyLon; Heather M. Costa, Director of Technology Resilience at the Mayo Clinic; Simon Hodgkinson, former Chief Information Security Officer of BHP; and David Schwed, former Chief Information Security Officer of Robinhood. 

Among those on the panel are Richard Staunton, Founder of IT-Harvest, BBC Cyber Correspondent Joe Tidy, as well as Jesse McGraw, a former hacktivist who has turned his expertise towards safeguarding the internet, known as Ghost Exodus. As Jen Easterly, former Chief Information Security Officer of the U.S. Department of Homeland Security (CISA), points out, defeating malicious cyberattacks requires more than advanced technology—it demands the human mind's ingenuity and curiosity to overcome them. 

A global collaboration was exemplified through the production of this documentary, which was filmed in North America and Europe by cybersecurity and professional organisations, including the CyberRisk Alliance, Cyber Future Foundation, Institute for Critical Infrastructure Technology, (ISC)2 Eastern Massachusetts Chapter, Michigan Council of Women in Technology, and Women in CyberSecurity (WiCyS) Delaware Valley Chapter. 

As part of these partnerships, private screenings, expert discussions, and public outreach will be conducted in order to increase public awareness and cooperation regarding building digital resilience. By providing an insight into the human narratives that underpin cybersecurity, Midnight in the War Room hopes to give a deeper understanding of the modern battlefield and to inspire a collective awareness in the safeguarding of society's systems. 

There is something special about Midnight in the War Room, both as a wake-up call and as a tribute - a cinematic reflection of those who stand up to the threats people face in today's digital age. The film focuses on cyber conflict and invites governments, organisations, and individuals to recognise the importance of cybersecurity not just as a technical problem, but as a responsibility that people all share. 

In light of the continuous evolution of threats, people need stronger international collaborations, investments in identity security, and the development of psychological resilience among those on the front lines to help combat these threats. Semperis' initiative illustrates the power of storytelling to bridge the gap between awareness and action, transforming technical discourse into a powerful narrative that inspires vigilance, empathy, and unity among the community.

Providing a critical insight into the human aspect behind the machines, Midnight in the War Room reinforces a fundamental truth: that is, cybersecurity is not just about defending data, but also about protecting the people, systems, and values that make modern society what it is today.
Read more »
leaked sensitive data
Asahi Beer Cyber Attacks Cyberattacks cybercriminal group CyberSecurity Ransomware Attacks Data Leak Data protection data security leaked sensitive data

Asahi Group Confirms Ransomware Attack Disrupting Operations and Leaking Data

 

Japanese food and beverage conglomerate Asahi Group Holdings has confirmed that a ransomware attack severely disrupted its operations and potentially exposed sensitive data, including employee and financial information. The cyberattack, which occurred on September 29, 2025, forced the company to delay releasing its January–September financial results, originally scheduled for November 12. 

The attack paralyzed Asahi’s domestic order and shipment systems, halting automated operations across Japan. Despite the disruption, the company implemented manual order processing and resumed partial shipments to ensure a continued supply of its popular beverages and food products. 

The Qilin ransomware group has claimed responsibility for the breach, asserting that it stole over 9,300 files containing personal and financial data. On October 8, Asahi confirmed that some of the stolen data was found online, prompting a detailed investigation into the scope and type of compromised information. In a public statement, the company said it is working to identify affected individuals and will issue notifications once the investigation confirms unauthorized data transfer.  

Although the incident primarily impacted systems within Japan, Asahi stated there is no evidence of compromise affecting its global operations. 

Recovery efforts are steadily progressing. Asahi Breweries resumed production at all six of its factories by October 2, restoring shipments of Asahi Super Dry, with other product lines following soon after. Asahi Soft Drinks restarted production at six of its seven plants by October 8, while Asahi Group Foods has also resumed partial operations at all seven domestic facilities.  

However, Asahi’s systems have not yet been fully restored, and the company has not provided a definite recovery timeline. The ongoing disruption has delayed access to critical accounting systems, forcing a postponement of quarterly financial reporting. 

In its official statement, Asahi explained that the financial disclosure delay is necessary to ensure accuracy and compliance amid system recovery. The company issued an apology to shareholders and stakeholders for the inconvenience caused and promised transparent updates as investigations and remediation progress. 

The Asahi Group cyberattack serves as another reminder of the rising frequency and impact of ransomware incidents targeting major corporations worldwide.
Read more »
Hacker attack
Breaches Critical Infrastructure critical infrastructure attack Cyber Attacks Cyberhackers data security F5 Security Hacker attack

Nation-State Hackers Breach F5 Networks, Exposing Thousands of Government and Corporate Systems to Imminent Threat

 

Thousands of networks operated by the U.S. government and Fortune 500 companies are facing an “imminent threat” of cyber intrusion after a major breach at Seattle-based software maker F5 Networks, the federal government warned on Wednesday. The company, known for its BIG-IP networking appliances, confirmed that a nation-state hacking group had infiltrated its systems in what it described as a “sophisticated, long-term intrusion.” 

According to F5, the attackers gained control of the network segment used to develop and distribute updates for its BIG-IP line—a critical infrastructure tool used by 48 of the world’s top 50 corporations. During their time inside F5’s systems, the hackers accessed proprietary source code, documentation of unpatched vulnerabilities, and customer configuration data. Such access provides attackers with an extraordinary understanding of the product’s architecture and weaknesses, raising serious concerns about potential supply-chain attacks targeting thousands of networks worldwide. 

Security analysts suggest that control of F5’s build environment could allow adversaries to manipulate software updates or exploit unpatched flaws within BIG-IP devices. These appliances often sit at the edge of networks, acting as load balancers, firewalls, and encryption gateways—meaning a compromise could provide a direct pathway into sensitive systems. The stolen configuration data also increases the likelihood that hackers could exploit credentials or internal settings for deeper infiltration. 

Despite the severity of the breach, F5 stated that investigations by multiple cybersecurity firms, including IOActive, NCC Group, Mandiant, and CrowdStrike, have not found evidence of tampering within its source code or build pipeline. The assessments further confirmed that no critical vulnerabilities were introduced and no customer or financial data was exfiltrated from F5’s internal systems. However, experts caution that the attackers’ deep access and stolen intelligence could still enable future targeted exploits. 

In response, F5 has issued updates for its BIG-IP, F5OS, BIG-IQ, and APM products and rotated its signing certificates to secure its software distribution process. The company has also provided a threat-hunting guide to assist customers in detecting potential compromise indicators. 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive warning that the breach “poses an unacceptable risk” to federal networks. Agencies using F5 appliances have been ordered to inventory all affected devices, install the latest patches, and follow the company’s threat-hunting protocols. Similarly, the UK’s National Cyber Security Centre (NCSC) has released guidance urging organizations to update their systems immediately. 

While no supply-chain compromise has yet been confirmed, the breach of a vendor as deeply embedded in global enterprise networks as F5 underscores the growing risk of nation-state infiltration in critical infrastructure software. As investigations continue, security officials are urging both government and private organizations to take swift action to mitigate potential downstream threats.
Read more »
Subscribe to: Comments (Atom)