Sunday, Apr 13, 2025 // (IG): BB // GITHUB // SN R&D
Russian Hybrid Attacks Surge Against Baltic and Arctic Undersea Cables
Bottom Line Up Front (BLUF): Russian hybrid operations targeting critical undersea infrastructure (CUI) have escalated across the Baltic and Arctic regions since 2021, with fiber-optic cables increasingly sabotaged. Recent incidents involving Chinese vessels have intensified concerns over possible Russian-Chinese coordination, although direct evidence remains absent. Western nations face serious challenges in deterring these low-threshold attacks due to attribution difficulties.
Analyst Comments: The rise in hybrid attacks on undersea cables highlights a growing Russian strategy to destabilize northern Europe without triggering a conventional military response. The plausible deniability inherent in these operations complicates effective deterrence and signals a dangerous escalation in gray zone conflict tactics. If current countermeasures from NATO and the EU prove insufficient, future disruptions to global internet and communication networks could become more frequent and severe. These developments suggest a strategic shift toward targeting unseen but vital infrastructure in modern hybrid warfare.
FROM THE MEDIA: Since 2021, Russian hybrid attacks on critical undersea cables have steadily increased, beginning with suspicious damage to the LoVe Ocean Observatory cable in northern Norway. In 2022, a crucial fiber-optic cable linking Svalbard to the Norwegian mainland was similarly disrupted. By 2023 and 2024, incidents involving Chinese ships, the New Polar Bear and the Yi Peng 3, damaging cables in the Baltic raised alarms over potential Russian-Chinese collaboration, despite a lack of definitive proof. A recent January 2025 case saw the Russian-crewed Silver Dania detained in Norway under sabotage suspicion, though it was later released due to insufficient evidence. Meanwhile, NATO and the EU have pledged enhanced monitoring and protection of subsea infrastructure to counter these emerging threats.
READ THE STORY: PCMAG // The Jamestown // The Telegraph
China Admits to Volt Typhoon Cyberattacks on U.S. Critical Infrastructure
NOTE:
China's decision to tacitly admit to the Volt Typhoon cyberattacks marks a calculated shift from denial to strategic signaling. By indirectly acknowledging responsibility in a private diplomatic setting, Beijing aimed to convey a clear warning to the United States: continued military and political support for Taiwan could trigger disruptive cyber retaliation. This admission wasn't just about validating attribution—it was about deterrence. It suggests that China views cyber prepositioning in U.S. critical infrastructure not merely as espionage, but as a credible lever of geopolitical influence. The move reflects growing confidence in China's cyber capabilities and a willingness to use them as part of broader statecraft, effectively blurring the line between peace-time operations and acts of war.
Bottom Line Up Front (BLUF): In a secret December 2024 meeting in Geneva, Chinese officials indirectly admitted to cyberattacks on U.S. critical infrastructure tied to the Volt Typhoon campaign. The admission confirms suspicions that China conducted these sophisticated intrusions to deter U.S. support for Taiwan and highlights the growing threat to American critical systems.
Analyst Comments: This rare acknowledgment marks a significant escalation in cyber hostilities between China and the U.S., blending cyber operations with strategic geopolitical signaling. Volt Typhoon’s focus on critical infrastructure signals a shift from espionage to potential pre-positioning for disruption in a Taiwan conflict scenario. Expect intensified U.S. cyber defense initiatives, closer public-private sector coordination, and potentially more aggressive cyber deterrence policies aimed at state-backed actors.
FROM THE MEDIA: Chinese officials acknowledged during a closed-door Geneva summit with outgoing Biden administration representatives that the Volt Typhoon cyberattacks on U.S. critical infrastructure were conducted in response to American support for Taiwan. While their admission was "indirect and ambiguous," U.S. officials interpreted it as confirmation. Volt Typhoon attackers used zero-days and advanced techniques to infiltrate sectors such as communications, energy, manufacturing, and transportation, dwelling within critical systems like the U.S. electric grid for up to 300 days in 2023. The meeting also touched on the Salt Typhoon campaign, which compromised communications of senior U.S. officials, though it was considered standard espionage rather than an act of aggression.
READ THE STORY: SecurityWeek // Wired // WSJ
TP-Link’s US Future Threatened by Persistent China Ties Amid National Security Probe
Bottom Line Up Front (BLUF): US authorities are investigating TP-Link Systems’ restructuring to assess if its ties to China still pose national security risks. Despite its rebranding and new US headquarters, substantial research, development, and manufacturing operations remain in China, raising concerns over compliance with US national security laws. A potential ban could upend TP-Link’s US ambitions and reflects broader tensions over Chinese technology influence.
Analyst Comments: TP-Link’s situation highlights the growing scrutiny facing tech companies perceived as entangled with China’s strategic ecosystem, even after corporate restructuring. As US policy shifts increasingly toward decoupling from Chinese tech supply chains, companies like TP-Link face high hurdles to proving their independence. The case will likely set a precedent for how rigorously US authorities apply national security standards to restructured firms, especially in critical sectors like communications infrastructure.
FROM THE MEDIA: TP-Link Systems, a major Wi-Fi equipment provider, faces a US government probe into whether its separation from its original Chinese parent is sufficient to mitigate national security concerns. Despite claims of independence, Bloomberg News revealed that much of TP-Link’s manufacturing and R&D remains entrenched in China, including through its Shenzhen-based subsidiary Lianzhou. Founder Jeffrey Chao, now based in Irvine, California, claims to be committed to building a secure, US-focused operation, pledging $700 million in investment. However, trade data show most TP-Link components are still sourced from China. US officials worry that Chinese laws could compel companies like TP-Link to assist in espionage activities, even indirectly.
READ THE STORY: Bloomberg UK
China’s Rare Earth Export Restrictions Threaten U.S. Next-Gen Fighter Jet Program
Bottom Line Up Front (BLUF): China has imposed export restrictions on critical rare earth elements, endangering U.S. defense projects like the Next Generation Air Dominance (NGAD) fighter jet program. With China controlling nearly 90% of rare earth processing globally, the U.S. faces serious supply chain vulnerabilities impacting advanced avionics, radar systems, and propulsion technologies.
Analyst Comments: China’s decision reflects a broader strategy to leverage critical resource control as a geopolitical tool, particularly in response to escalating trade tensions. The U.S. must rapidly invest in domestic mining, processing, and recycling of rare earths or risk significant setbacks in defense modernization. This crisis also underscores the fragility of globalized supply chains in national security contexts, potentially accelerating efforts in synthetic material development and strategic resource partnerships with allies.
FROM THE MEDIA: China announced new export restrictions on rare earth elements essential for U.S. military technology, specifically targeting materials vital to the NGAD fighter jet’s avionics and radar systems. The U.S. once dominated rare earth production but ceded ground to China in the 1990s due to economic pressures. Today, critical elements like neodymium, dysprosium, yttrium, and gadolinium—which enable advanced navigation, targeting, and communication—are heavily reliant on Chinese supply chains. Although the Pentagon holds limited stockpiles, they are insufficient for long-term needs. Ongoing U.S. initiatives include expanding domestic mining at Mountain Pass, partnerships with Australia and Canada, and investments in rare earth recycling technologies.
READ THE STORY: Bulgarian Military
Varel, Germany Prepares for Cyberattacks Amid Growing European Fears of Critical Infrastructure Sabotage
Bottom Line Up Front (BLUF): Mayor Gerd-Christian Wagner of Varel, Germany, is urging residents to prepare for potential cyberattacks that could cripple critical infrastructure such as water supplies, electricity, and food systems. Recent EU reports warn of increasing cyber threats from China, Russia, Iran, and North Korea, emphasizing the vulnerabilities of interconnected systems like 5G. European officials are calling for stronger defensive measures as the risk of hybrid warfare escalates.
Analyst Comments: Dependence on technologies from potentially adversarial nations, especially in telecommunications, leaves serious vulnerabilities that could be exploited during geopolitical conflicts. While initiatives like the EU Preparedness Union Strategy show progress, experts criticize the slow pace and limited enforcement. Expect rising investment in local resilience measures and more aggressive policy moves against foreign tech dependencies.
FROM THE MEDIA: Mayor Wagner warned of catastrophic consequences if Varel's infrastructure were attacked, citing scenarios like mass livestock deaths and supermarket looting. His calls for preparedness intensified following the EU's March release of the Preparedness Union Strategy, built on the Niinistö Report highlighting China's growing cyber threat. While direct attacks by China on European infrastructure have not been confirmed, European security agencies note rising risks. The heavy reliance on Huawei for 5G infrastructure, 59% in Germany alone, exacerbates vulnerabilities. Experts like Cristina Vanberghen urge the EU to implement stricter cybersecurity standards and automatic sanctions to counter the increasing threat landscape.
READ THE STORY: Nikkei Asia
Moroccan Hackers Leak 34GB of Algerian Ministry Data Amid Escalating Cyberwar
Bottom Line Up Front (BLUF): Moroccan hacking group MORH4x leaked 34GB of sensitive data from Algeria’s Ministry of Pharmaceutical Industry on April 12, 2025, in retaliation for a prior attack by Algerian hackers. This cyberattack marks a significant escalation in the ongoing digital conflict between Algeria and Morocco, exposing critical personal and governmental information.
Analyst Comments: The cyber exchanges between Morocco and Algeria are evolving from isolated incidents into a structured digital conflict, highlighting the increasing weaponization of cyber capabilities in regional rivalries. As hacker groups shift from disrupting services to leaking sensitive data, the risks to citizen privacy and national security intensify. If left unchecked, this tit-for-tat dynamic could escalate into broader cyberwarfare, drawing in more state and non-state actors and destabilizing regional cybersecurity norms.
FROM THE MEDIA: Moroccan hackers affiliated with the group MORH4x leaked 34GB of confidential data from Algeria’s Ministry of Pharmaceutical Industry on April 12, 2025. The breach was a direct response to an April 8 cyberattack by the Algerian group JabaRoot DZ, which had targeted Morocco’s CNSS and Ministry of Employment. The leaked Algerian data includes pharmaceutical import records, psychotropic substance regulations, internal provincial notes, and personal information about ministry officials and private sector employees. Posted on BreachForums, the leak reveals the expanding ideological dimension of the Algeria-Morocco cyber conflict, raising urgent concerns over data privacy and ethical conduct during cyber hostilities.
READ THE STORY: Yabiladi
Fortinet Warns of Persistent FortiGate Access via SSL-VPN Symlink Exploit
Bottom Line Up Front (BLUF): Fortinet disclosed that threat actors are maintaining read-only access to FortiGate firewalls even after the vulnerabilities they originally exploited were patched, by planting symbolic links in a folder the SSL-VPN web server uses. Because the link lives in the user filesystem rather than the root filesystem, a firmware upgrade that closes the original flaw leaves it in place, so the foothold survives a normal patch-and-reboot recovery. Fortinet traces the activity to devices compromised as early as 2023, and CISA and CERT-FR have issued corresponding alerts.
Analyst Comments: The symlink exploit demonstrates how deeply adversaries understand device internals and the patching lifecycle. Organizations relying solely on traditional update protocols may be left vulnerable. Expect increased scrutiny on SSL-VPN modules, greater emphasis on configuration integrity monitoring, and broader guidance from international CERTs as persistent footholds become a preferred tactic for advanced threat actors.
FROM THE MEDIA: Fortinet has issued a warning that attackers who exploited SSL-VPN vulnerabilities are keeping persistent, read-only access to FortiGate devices. After breaking in through flaws such as CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762, attackers left behind symbolic links in a folder used to serve SSL-VPN language files, connecting the user filesystem to the root filesystem. A patched device still serves those links, so the attacker can read sensitive configuration files while the links evade common detection methods; the technique yields read access only, not code execution. Fortinet released FortiOS 6.4.16, 7.0.17, 7.2.11, 7.4.7, and 7.6.2, which detect and remove the malicious links through an AV/IPS signature and change the SSL-VPN UI so such links are no longer served. CISA and CERT-FR have echoed the advisory, urging operators to upgrade, reset exposed credentials, review device configurations, and, where necessary, disable SSL-VPN functionality entirely.
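The persistence described above is a symlink planted in a directory the web server serves, pointing somewhere it should never read from. The following script, added here as an example and not Fortinet's code, walks a served directory and flags every symlink whose real target lies outside that directory; the directory layout it builds is constructed for the demo and is not a real FortiOS path. The same check applies to any web-served tree, not only the SSL-VPN language folder.

```python
"""Flag symlinks under a web-served directory that resolve outside it.

Added example for the Fortinet advisory; not Fortinet's code.  The
directory layout below is constructed for the demo (no real FortiOS
paths).  The planted link in the advisory sat in a folder the SSL-VPN
web server uses for language files and pointed into the root
filesystem, so the server could be asked for files it should never
serve (CWE-59 style link following).
"""
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(served_dir):
    """Return [(link, resolved_target)] for every symlink beneath served_dir
    whose real target is not inside served_dir.  Links are inspected, not
    followed, so a link to '/' does not make the walk scan the whole disk."""
    base = Path(served_dir).resolve()
    hits = []
    for dirpath, dirnames, filenames in os.walk(base, followlinks=False):
        for name in dirnames + filenames:
            link = Path(dirpath) / name
            if not link.is_symlink():
                continue
            target = Path(os.path.realpath(link))
            # Inside the tree: target is base itself or has base as an ancestor.
            if target != base and base not in target.parents:
                hits.append((str(link), str(target)))
    return hits


def build_demo_tree():
    """Constructed fixture: one legitimate language file, one harmless
    internal alias, and one link that escapes the served tree the way the
    advisory describes."""
    root = Path(tempfile.mkdtemp(prefix="sslvpn-demo-")).resolve()
    lang = root / "lang"
    lang.mkdir()
    (lang / "en.json").write_text('{"login": "Login"}')
    os.symlink("en.json", lang / "en-us.json")   # stays inside: benign alias
    os.symlink(os.sep, lang / "cache")            # points at '/': escapes
    return root


def scan_demo():
    """Build the fixture and return hits as (path relative to root, target)."""
    root = build_demo_tree()
    return [(os.path.relpath(link, root), target)
            for link, target in find_escaping_symlinks(root)]


if __name__ == "__main__":
    for link, target in scan_demo():
        print(f"ESCAPING SYMLINK {link} -> {target}")
```

On a real appliance you would run the equivalent against the directory the web server actually serves; a link that resolves anywhere outside that tree is a finding regardless of which file it points at, because the web server, not the attacker, decides what it will hand back for a request that traverses the link.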
READ THE STORY: THN
Defendis: Moroccan Cybersecurity Startup Protecting Africa’s Digital Transformation
Bottom Line Up Front (BLUF): As Africa accelerates its digital transformation, cybersecurity risks are rising sharply. Moroccan startup Defendis is addressing these threats by providing threat intelligence and dark web monitoring services to banks, governments, and businesses, aiming to boost cyber resilience across the continent.
Analyst Comments: Defendis exemplifies the growing role of indigenous African cybersecurity startups in shaping the region’s digital future. By combining technology with an educational outreach strategy, Defendis bridges the critical cybersecurity awareness gap that often hinders proactive defense. Their Pan-African expansion plan reflects a broader trend of localized cybersecurity innovation, signaling that Africa's future digital economy will increasingly rely on homegrown solutions rather than imported models.
FROM THE MEDIA: Launched officially at GITEX Africa 2024, Defendis provides dark web surveillance and actionable threat intelligence, helping organizations detect leaked credentials, payment card data, and confidential documents. Recognizing low cybersecurity awareness levels in Morocco and beyond, Defendis adopts an educational approach to help businesses understand and mitigate external threats. Now planning strategic partnerships across the continent, Defendis aims to make cybersecurity more accessible and integrated into Africa’s growing digital economy, with a major showcase set for GITEX Africa 2025.
READ THE STORY: MWN
Russia’s Storm-2372 APT Bypasses MFA Using Advanced Device Code Phishing
Bottom Line Up Front (BLUF): The Russian state-backed APT group Storm-2372 has adopted a "Dynamic Device Code Phishing" technique to bypass Multi-Factor Authentication (MFA) protections. The group is targeting high-value organizations in sectors such as government, defense, finance, healthcare, and media across the US, UK, Ukraine, Germany, Canada, and Australia. Researchers warn that MFA alone does not stop the technique: the victim authenticates, MFA included, on the legitimate sign-in page, and the attacker walks away with the resulting tokens.
Analyst Comments: Storm-2372’s evolution toward dynamic device code phishing highlights a dangerous trend in which attackers exploit trusted authentication flows rather than attacking passwords directly. This method significantly reduces the effectiveness of standard MFA defenses, signaling a broader shift toward identity-focused cyberattacks. Organizations must pivot to adaptive, context-aware security models that emphasize real-time anomaly detection, rather than relying solely on static authentication measures. Without strategic adjustments, even "strong" authentication protocols may become obsolete.
FROM THE MEDIA: Storm-2372 abuses the OAuth 2.0 device authorization flow, a grant designed for input-constrained devices such as smart TVs and printers. The attacker, acting as the OAuth client, requests a device code and user code pair from the identity provider, then lures the target into entering the user code on the legitimate Microsoft sign-in page, where the victim also completes MFA; the attacker's poller then receives the access and refresh tokens for that account. Because the codes expire within minutes, earlier campaigns had to time their lures carefully. The dynamic variant instead generates a fresh code pair on demand, from fake login pages hosted on platforms like Azure Web Apps, at the moment the victim arrives. Captured tokens grant prolonged access to victims' Microsoft services, often remaining undetected for up to three months. The technique was first detailed by Black Hills in 2023 and has since been refined by Storm-2372, whose campaign targets major organizations responsible for critical infrastructure and decision-making worldwide.
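To make the flow concrete, the following simulation, added here as an example and not Storm-2372 tooling or Microsoft code, runs the device authorization grant end to end with an in-memory identity provider: the attacker requests the code pair, the victim approves it on the "legitimate" page, and the attacker polls for the token. It also shows why per-visit code generation matters (an approval that arrives after the code's lifetime yields nothing) and finishes with a log check that flags device-code sign-ins from unexpected clients. The provider, its endpoints, the 15-minute lifetime, the client identifiers and the sign-in records are all assumptions made for the demo; map the record fields to your own IdP's sign-in log schema.

```python
"""Device authorization grant (RFC 8628) and the phishing pattern above,
simulated end to end.  Added example, not Storm-2372 tooling or Microsoft
code: the in-memory identity provider, its endpoints, the code lifetime,
the client ids and the sign-in records are assumptions for the demo.
"""
import secrets
import time

CODE_LIFETIME = 15 * 60   # assumed; providers typically expire codes in minutes


class IdentityProvider:
    """Minimal authorization server implementing the device flow."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.grants = {}   # device_code -> record

    def device_authorization(self, client_id, scope):
        # POST /devicecode: the *client* (here, the attacker's page) gets a pair.
        device_code = secrets.token_urlsafe(32)
        user_code = secrets.token_hex(4).upper()
        self.grants[device_code] = {"client_id": client_id, "scope": scope,
                                    "user_code": user_code, "user": None,
                                    "expires": self.clock() + CODE_LIFETIME}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://idp.example/device"}

    def approve(self, user_code, user):
        # The human enters user_code on the *legitimate* page, after MFA.
        for rec in self.grants.values():
            if rec["user_code"] == user_code and self.clock() < rec["expires"]:
                rec["user"] = user
                return True
        return False

    def token(self, device_code):
        # POST /token with grant_type=urn:ietf:params:oauth:grant-type:device_code
        rec = self.grants.get(device_code)
        if rec is None:
            return {"error": "invalid_grant"}
        if self.clock() >= rec["expires"]:
            return {"error": "expired_token"}
        if rec["user"] is None:
            return {"error": "authorization_pending"}
        return {"access_token": secrets.token_urlsafe(24), "sub": rec["user"],
                "scope": rec["scope"]}


class FakeClock:
    """Controllable clock so the demo can skip forward past code expiry."""

    def __init__(self, start=1_744_500_000.0):
        self.now = start

    def __call__(self):
        return self.now


def phish(delay_before_victim_acts, victim="victim@corp.example"):
    """Attacker-side flow.  Returns what the attacker's poller receives."""
    clock = FakeClock()
    idp = IdentityProvider(clock)
    # 1. Victim opens the lure; the page requests a fresh code *at that moment*
    #    so it is still valid when the victim reaches the real sign-in page.
    pair = idp.device_authorization("assumed-legitimate-client-id",
                                    "openid offline_access")
    # 2. The page shows pair['user_code'] and sends the victim to the real
    #    verification_uri; the victim signs in and completes MFA there.
    clock.now += delay_before_victim_acts
    idp.approve(pair["user_code"], victim)
    # 3. Attacker polls with the device_code it kept; no MFA prompt for it.
    return idp.token(pair["device_code"])


SAMPLE_SIGNINS = [   # constructed records; field names are assumptions
    {"user": "alice@corp.example", "protocol": "browser",
     "client_id": "mail-client"},
    {"user": "bob@corp.example", "protocol": "deviceCode",
     "client_id": "assumed-legitimate-client-id"},
    {"user": "carol@corp.example", "protocol": "deviceCode",
     "client_id": "kiosk-app"},
]


def flag_device_code_signins(records, expected_clients=()):
    """Flag device-code sign-ins whose client is not one the organisation
    knowingly uses that flow for (most tenants can name the few that do)."""
    return [r for r in records
            if r.get("protocol") == "deviceCode"
            and r.get("client_id") not in expected_clients]


def demo_detection():
    return flag_device_code_signins(SAMPLE_SIGNINS, expected_clients={"kiosk-app"})


if __name__ == "__main__":
    print(phish(60))         # attacker receives a token for the victim
    print(phish(20 * 60))    # victim too slow: {'error': 'expired_token'}
    print(demo_detection())  # bob's sign-in is flagged
```

The point the simulation makes is that nothing in steps 2 and 3 looks wrong to the identity provider: the user code is genuine, the sign-in page is genuine and MFA really was completed. The only attacker-controlled fact is who holds the device code, which is why the usable controls are on the tenant side: restrict which clients may use the device-code grant, and alert on the grant appearing from clients or locations that do not normally use it.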
READ THE STORY: HACKREAD
Items of interest
Ukraine’s Trojan Horse Drones Signal Bold New Era of Cyber-Physical Warfare
NOTE:
Ukraine’s integration of malware into its drones represents a significant and unusual development in modern cyberwarfare, creating a new attack vector within its broader guerrilla cyber efforts against Russia. Unlike traditional cyberattacks that target networks or infrastructure remotely, this tactic physically embeds malicious code into hardware that the enemy must interact with, turning captured drones into Trojan Horses. This approach blurs the line between kinetic and cyber operations, allowing Ukraine to reach into Russian systems without needing sustained network access. It reflects the ingenuity of Ukraine’s tech-savvy defense sector and points to a future where cyber capabilities are woven directly into battlefield assets. The tactic's success could inspire other nations and non-state actors to adopt similar hybrid strategies, altering how cyber warfare is conducted in contested environments.
Bottom Line Up Front (BLUF): Ukraine has embedded malware into its military drones to sabotage captured units and disrupt Russian forces, pioneering a new form of cyber-physical warfare. These drones employ multi-layered malware strategies to destroy hardware, lock out systems, or covertly collect intelligence. The tactic raises urgent global concerns over drone cybersecurity and the risks inherent in vulnerable supply chains.
Analyst Comments: Ukraine’s innovation marks a significant evolution in integrating cyber operations directly into battlefield tools, accelerating the convergence of digital and physical warfare. This approach not only hampers Russian counter-drone efforts but could also set a precedent for broader adoption of weaponized malware in future conflicts. Global drone manufacturers and military planners will now be under pressure to harden devices against such embedded threats, while adversaries are likely to replicate or escalate these tactics.
FROM THE MEDIA: Three types of malware are deployed: burning out USB ports, locking drone firmware to block reuse, and covert espionage programs that reveal operator locations or hijack repurposed drones. A video circulated on social media and cited by sources showed Russian warnings about these infected drones. Analysts note this strategy not only delays Russian countermeasures but also gives Ukraine a temporary technological edge in the drone arms race. Broader implications include increased cybersecurity demands across the global drone sector and an intensification of cyber-physical warfare tactics.
READ THE STORY: Techi // DroneLife // Forbes
Ukraine using drones loaded with malware to disrupt Russian operations (Video)
FROM THE MEDIA: Ukrainian forces are embedding malware into drones to sabotage Russian efforts to reuse captured drones or study their internal systems. The malware can cause physical damage to USB ports, block reprogramming or allow remote hijacking.
Ukrainian Drones: The Digital Ambush (Video)
FROM THE MEDIA: In a groundbreaking twist to modern warfare, Ukrainian drones are now equipped with self-infecting malware designed to spread chaos behind enemy lines. When captured or downed, these drones activate a hidden cyber weapon, a virus that infiltrates and disrupts Russian digital systems. What was once just a physical threat becomes a digital ambush, turning every crash into a silent, invisible counterattack.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.