Friday, Apr 25, 2025 // (IG): BB // GITHUB // SN R&D
China-Backed Actors Pose Strategic Cyber Threat to U.S. Power Grid, SCMP confirms
NOTE:
Testimony before the U.S.-China Economic and Security Review Commission described how Chinese state-sponsored actors are systematically embedding themselves in U.S. systems as part of a long-term strategy to disrupt vital infrastructure during geopolitical crises, such as a potential conflict over Taiwan. Citing incidents like the Volt Typhoon breach, experts noted that these intrusions remained undetected for nearly a year, underscoring the sophistication of Chinese cyber operations. While Beijing officially denies involvement, Chinese state-sponsored media have often issued defensive narratives that unintentionally confirm strategic interest and awareness in targeting sovereign U.S. networks. This pattern reinforces U.S. intelligence findings and justifies heightened cybersecurity efforts. In response, the United States is accelerating efforts to secure its power grid, reduce reliance on Chinese components, and strengthen its cybersecurity posture to protect national sovereignty and economic stability.
Bottom Line Up Front (BLUF): Cybersecurity experts have testified before Congress that China-backed actors are actively embedding themselves in U.S. energy infrastructure as part of a broader campaign to pre-position for future disruption. The Volt Typhoon incident underscores the long-term threat of Chinese cyber operations, which aim to create leverage during geopolitical crises, such as over Taiwan.
Analyst Comments: This testimony aligns with a growing body of intelligence that points to China’s strategic intent to weaken U.S. critical infrastructure through stealthy, persistent cyber access. By embedding malware and maintaining access over long periods, these actors can remain dormant until politically advantageous moments arise. Chinese state denial, often repeated in state-controlled media, functions as a tacit admission of awareness—if not outright support—of these actions. The case for replacing or isolating Chinese-made components in American infrastructure is becoming stronger, especially as China’s cyber campaigns are increasingly overt.
FROM THE MEDIA: Patrick Miller, CEO of Ampyx Cyber, warned that Chinese cyber operations are not mere acts of espionage but a “broader campaign to pre-position disruptive capabilities” within the U.S. power grid. The Volt Typhoon group, attributed to Chinese state sponsorship by U.S. agencies, infiltrated a Massachusetts utility’s operational technology systems and remained undetected for over 300 days. Federal officials discovered the intrusion only after an FBI alert, highlighting the sophistication of the threat. Miller also stated that 10–15% of U.S. high-voltage transformers are sourced from China, creating a critical supply chain vulnerability. China’s dominance in energy storage systems compounds the risk, with 70% of global supply tied to Chinese control systems. Meanwhile, state-sponsored Chinese media have dismissed U.S. concerns as “disinformation”—a predictable counter-narrative that often aligns with strategic deception tactics seen in past campaigns.
READ THE STORY: SCMP (STATE SPONSORED)
Lazarus Group Exploits Cross EX and Innorix Flaws in Targeted Attacks on South Korean Firms
Bottom Line Up Front (BLUF): The North Korea-linked Lazarus Group has launched a new campaign, dubbed Operation SyncHole, targeting at least six South Korean organizations through watering hole attacks and software vulnerabilities. The attackers leveraged a one-day vulnerability in Innorix Agent and likely exploited a flaw in Cross EX software to deploy malware including ThreatNeedle, AGAMEMNON, and COPPERHEDGE.
Analyst Comments: The inclusion of a zero-day in Innorix Agent and exploitation of widely used banking security software, Cross EX, indicates deep reconnaissance and a sophisticated approach to initial access and lateral movement. The use of multiple malware stages and evasion techniques, including Hell’s Gate, shows Lazarus’ technical evolution and intent to remain stealthy while compromising high-value targets. Expect further activity as the group continues to weaponize domestic software in supply chain and watering hole attacks.
FROM THE MEDIA: Kaspersky researchers revealed that Lazarus Group targeted six South Korean entities across the IT, finance, telecommunications, and semiconductor sectors. The operation began with a watering hole attack via South Korean online media sites, leading to malware deployment through exploitation of the Cross EX software. ThreatNeedle was the first payload dropped, followed by wAgent and SIGNBT for persistence and credential theft. A downloader named Agamemnon and a lateral movement tool leveraging a zero-day flaw in Innorix Agent were also used. Kaspersky confirmed that the Innorix vulnerability has since been patched. Lazarus’ toolkit continues to evolve with enhanced C2 communication and data exfiltration methods, suggesting ongoing development of offensive capabilities.
READ THE STORY: THN
Trump’s Frustration with Putin Over Kyiv Strikes Highlights Strained US Peace Push
Bottom Line Up Front (BLUF): President Donald Trump publicly urged Russian President Vladimir Putin to halt missile strikes on Kyiv following Russia’s deadliest assault on the Ukrainian capital in months. While Trump criticized Ukraine’s President Zelenskyy for blocking his peace plan, the White House has also acknowledged that Russia has made limited territorial concessions—raising concerns among NATO allies about potential US pressure on Ukraine to accept an unfavorable peace.
Analyst Comments: Trump’s mixed messaging—scolding Putin while pushing Ukraine to accept territorial losses—reflects the difficult balancing act of his administration’s peace agenda. This approach signals a shift in US strategy toward conflict resolution, possibly at the expense of longstanding Western principles of territorial integrity. European leaders fear that a premature or unjust peace could embolden Russian expansionism and fracture transatlantic unity. As US-Russia backchannel negotiations continue, the credibility of NATO and the future of Ukraine remain in precarious balance.
FROM THE MEDIA: Trump took to Truth Social to denounce Russian airstrikes on Kyiv, which killed at least 12 civilians and injured over 90. Labeling the attacks “awful timing,” Trump called on Putin to stop the violence and urged for a swift peace deal. The remarks followed reports that the Trump administration is pressuring Ukraine to accept changes to its borders, including Russian occupation of Crimea and parts of the Donbas. European allies, including NATO Secretary-General Mark Rutte, expressed alarm, warning that a coerced peace could undermine European security.
READ THE STORY: FT
U.S. Lawmakers Subpoena Chinese Telecom Giants Over National Security Concerns
Bottom Line Up Front (BLUF): In a rare bipartisan move, the U.S. House Select Committee on China has issued subpoenas to China Mobile, China Telecom, and China Unicom, citing security concerns about their continued operations in the U.S. despite prior regulatory bans. Lawmakers allege the firms may be facilitating access to American data and critical infrastructure for the Chinese government, particularly in light of recent high-profile cyber intrusions attributed to Beijing.
Analyst Comments: Despite the FCC revocation of licenses, these telecom giants reportedly maintain infrastructure and cloud services on American soil, circumventing regulation and raising the risk of espionage. The timing—amid confirmation of Chinese-linked Volt Typhoon activity in U.S. infrastructure—strengthens the rationale for preemptive legal and technical countermeasures. If Chinese telecom firms ignore lawful oversight, congressional action, including contempt proceedings, may follow.
FROM THE MEDIA: The House Select Committee on China, chaired by Rep. John Moolenaar (R-MI) and co-led by Rep. Raja Krishnamoorthi (D-IL), acted after the companies failed to respond to a March inquiry. The committee cited evidence suggesting these entities may still operate U.S.-based cloud and data systems, potentially aiding cyber espionage and sabotage efforts. This follows ongoing concerns over Chinese state-sponsored cyberattacks, including Volt Typhoon’s infiltration of U.S. utilities. Though China denies these accusations and calls them "false pretexts," U.S. lawmakers remain united in scrutinizing Beijing’s growing digital footprint.
READ THE STORY: STRAT NEWS GLOBAL
New Linux Rootkit ‘Curing’ Exploits io_uring to Evade System Call-Based Detection
Bottom Line Up Front (BLUF): Security researchers at ARMO have released a proof-of-concept (PoC) rootkit named Curing that abuses the Linux kernel’s io_uring interface to bypass traditional system call monitoring tools. The rootkit communicates with a command-and-control (C2) server and executes commands without invoking observable system calls, rendering many popular runtime detection systems ineffective.
Analyst Comments: This discovery underscores a significant blind spot in current Linux runtime security tooling, particularly tools that rely solely on syscall hooking, such as Falco and Tetragon. As io_uring gains traction for its performance benefits in modern Linux distributions, threat actors could increasingly weaponize it for stealthy persistence and control. Organizations should assess their detection strategies, including deeper kernel behavior monitoring and memory-level analysis, to mitigate these emerging threats.
FROM THE MEDIA: ARMO researchers demonstrated how Curing, a rootkit built using io_uring, allows malware to function without traditional syscall triggers. io_uring, added in Linux kernel 5.1, facilitates asynchronous I/O operations through shared memory buffers between user and kernel space. This architecture enables attackers to sidestep system call visibility. Google had previously flagged io_uring as risky and restricted its use in Android and production servers in 2023. Despite growing concern, current security tools largely remain blind to this vector. The rootkit’s ability to perform remote command execution without standard I/O traces highlights a critical area of vulnerability in modern Linux security postures.
READ THE STORY: THN
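A defender-side baseline check, added here as an illustration and not taken from ARMO’s research or the article: it enumerates which processes currently hold io_uring rings by reading /proc (an io_uring instance appears as an anonymous-inode descriptor), and reports the kernel.io_uring_disabled sysctl (a Linux 6.6+ knob; its presence on any given host is an assumption). The process names and descriptor layout used for the offline run are constructed test data.

```python
import os
import tempfile
from typing import Dict, Optional

# An io_uring instance is an anonymous-inode file; /proc/<pid>/fd/<n> links to this
# target string for such descriptors (the kernel names the inode "[io_uring]").
IO_URING_LINK = "anon_inode:[io_uring]"


def is_io_uring_fd(link_target: str) -> bool:
    """True when a readlink() result from /proc/<pid>/fd identifies an io_uring ring."""
    return link_target == IO_URING_LINK


def scan_proc(proc_root: str = "/proc") -> Dict[int, dict]:
    """Return {pid: {"comm": name, "rings": count}} for processes holding io_uring fds.
    Unreadable entries (process exited, insufficient privilege) are skipped."""
    findings: Dict[int, dict] = {}
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue
        rings = 0
        for fd in fds:
            try:
                if is_io_uring_fd(os.readlink(os.path.join(fd_dir, fd))):
                    rings += 1
            except OSError:
                continue
        if rings:
            try:
                with open(os.path.join(proc_root, pid, "comm"), encoding="utf-8") as f:
                    comm = f.read().strip()
            except OSError:
                comm = "?"
            findings[int(pid)] = {"comm": comm, "rings": rings}
    return findings


def io_uring_disabled_setting(proc_root: str = "/proc") -> Optional[int]:
    """Read kernel.io_uring_disabled (Linux 6.6+): 0 = allowed, 1 = restricted to
    root and the io_uring group, 2 = disabled. None when the kernel lacks the knob."""
    try:
        with open(os.path.join(proc_root, "sys/kernel/io_uring_disabled"), encoding="utf-8") as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def make_constructed_proc() -> str:
    """Constructed /proc look-alike for offline testing: pid 100 holds two rings,
    pid 200 has only ordinary fds, and io_uring_disabled reads 0."""
    root = tempfile.mkdtemp(prefix="fakeproc_")
    layout = {"100": ("suspect-bin", [IO_URING_LINK, "/dev/null", IO_URING_LINK]),
              "200": ("sshd", ["socket:[12345]", "/var/log/auth.log"])}
    for pid, (comm, targets) in layout.items():
        os.makedirs(os.path.join(root, pid, "fd"))
        with open(os.path.join(root, pid, "comm"), "w", encoding="utf-8") as f:
            f.write(comm + "\n")
        for n, target in enumerate(targets):
            os.symlink(target, os.path.join(root, pid, "fd", str(n)))
    os.makedirs(os.path.join(root, "sys", "kernel"))
    with open(os.path.join(root, "sys", "kernel", "io_uring_disabled"), "w") as f:
        f.write("0\n")
    return root


if __name__ == "__main__":
    for pid, info in sorted(scan_proc().items()):
        print(f"pid {pid} ({info['comm']}): {info['rings']} io_uring ring(s)")
    print("kernel.io_uring_disabled =", io_uring_disabled_setting())
```

The scan only sees rings that are held open as descriptors in processes the caller may inspect, so treat an unexpected io_uring user as a lead for deeper kernel-level investigation rather than as a complete control.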
Trojanized Alpine Quest App Exposes Russian Soldiers' Locations via Android Spyware
Bottom Line Up Front (BLUF): A tampered version of the popular Alpine Quest mapping app is being used to geolocate Russian military personnel and exfiltrate sensitive data. The spyware, identified as Android.Spy.1292.origin, was distributed through fake Telegram channels and disguised as a legitimate update, suggesting a sophisticated and likely state-sponsored operation.
Analyst Comments: This campaign exploits user trust in widely used tactical software, particularly among front-line military units. Extracting geolocation and communications data in real time could significantly enhance battlefield intelligence. While attribution remains speculative, the operation’s targeting profile strongly aligns with Ukraine’s interests in asymmetric cyberwarfare. The incident highlights the growing use of weaponized mobile apps as a tool for digital espionage in kinetic conflict zones.
FROM THE MEDIA: Russian security firm Dr Web reported that a weaponized variant of the Alpine Quest Android app, commonly used by Russian soldiers, had been modified to include a surveillance trojan dubbed Android.Spy.1292.origin. Distributed via a bogus Telegram channel posing as the app’s developer, the malware exfiltrates GPS data, contact lists, app info, and files—particularly those shared via Telegram and WhatsApp. Meanwhile, Kaspersky revealed another malware campaign affecting Windows users in Russia, wherein spoofed ViPNet update packages delivered a backdoor via a loader disguised as msinfo32.exe. These revelations come amid broader cyber conflict, including Russian-led phishing attacks that hijack Microsoft 365 accounts of Ukrainian and European officials through OAuth abuse.
READ THE STORY: The Register
Governor Newsom Pressures California Privacy Agency to Loosen AI Regulations
Bottom Line Up Front (BLUF): California Governor Gavin Newsom has formally urged the California Privacy Protection Agency (CPPA) to scale back proposed AI automation rules that he argues could threaten the state’s dominance in tech innovation. The move aligns Newsom with Big Tech companies and business groups concerned about compliance costs and regulatory overreach.
Analyst Comments: Newsom’s intervention reflects growing tensions between innovation-driven economic interests and emerging consumer protection standards. California, often a bellwether for national tech regulation, is now at a crossroads: pushing forward strong AI safeguards could trigger nationwide impacts. However, softening rules may erode public trust and global leadership in ethical tech. With generative AI rapidly evolving, this debate underscores the need for nuanced governance supporting innovation and accountability.
FROM THE MEDIA: The CPPA’s proposed regulations would allow consumers to opt out of specific automated decision-making processes, such as hiring or health care decisions. Newsom argued such mandates could cost businesses $3.5 billion in the first year and risk the state’s economic leadership. The letter echoed earlier appeals from a bipartisan coalition of state lawmakers and the California Chamber of Commerce. Newsom welcomed the board’s recent decision to consider excluding generative AI tools from some provisions and pledged continued engagement as the November deadline for finalizing the rules approaches.
READ THE STORY: Politico
Trump to Sign Executive Order Advancing Deep-Sea Mining Without UN Oversight
Bottom Line Up Front (BLUF): President Donald Trump is expected to sign an executive order enabling U.S. companies to fast-track deep-sea mining in international waters, bypassing the United Nations-backed International Seabed Authority (ISA). The move aims to boost access to critical minerals like copper and nickel, essential for defense and energy sectors, amid rising competition with China.
Analyst Comments: While it could accelerate American industrial capacity, the move risks triggering geopolitical friction, particularly with states aligned with the UN Law of the Sea Convention. Environmental and legal pushback is also expected, as the order circumvents long-standing international governance mechanisms to regulate oceanic resource exploitation. Additionally, this policy could set a precedent for future unilateral moves in contested global commons.
FROM THE MEDIA: Trump’s executive order will authorize deep-sea mining operations in international waters through a fast-tracked process managed by the U.S. Department of Commerce’s NOAA, allowing companies to sidestep the UN’s ISA review protocols. Due to disagreements among member states, the ISA has not finalized international environmental standards for ocean floor mining. Trump’s administration frames the move as critical to ensuring U.S. access to strategic minerals used in clean energy and national defense technologies. Shares of The Metals Company, a leading firm in the sector, surged 40% following news of the order. Trump has also streamlined domestic mining approvals and invoked national security interests to justify expedited projects. This policy reinforces the administration's strategy to reduce reliance on Chinese-dominated supply chains.
READ THE STORY: Reuters
U.S. Signals Openness to Civilian Nuclear Deal with Iran, but Demands End to Domestic Enrichment
Bottom Line Up Front (BLUF): U.S. Secretary of State Marco Rubio stated that Washington may accept Iran maintaining a civilian nuclear program, provided it ceases all domestic uranium enrichment. This marks a significant shift in negotiation strategy as Trump administration officials prepare for a third round of indirect nuclear talks with Tehran. However, Iran continues to insist on its right to enrich uranium under the Non-Proliferation Treaty (NPT).
Analyst Comments: The Trump administration appears to be softening its stance on Iran’s nuclear capabilities, likely aiming to avoid military escalation while pursuing a political win ahead of upcoming elections. By allowing Iran to maintain a civilian program via imported enriched uranium, Washington is testing a middle ground between prior full-disarmament demands and Tehran’s insistence on sovereign nuclear rights. However, the lack of unity among U.S. officials—some calling for total dismantlement—risks undercutting the offer’s credibility. Tehran’s response may hinge on assurances that this deal won't be reversed under a future administration, a concern that undermined the 2015 accord.
FROM THE MEDIA: Rubio said in a podcast interview that Iran could continue its nuclear program only if it imports enriched uranium and halts enrichment activities domestically. The position reflects ongoing internal debate within the Trump administration, which has sent mixed signals recently. Iranian Foreign Minister Abbas Araghchi reiterated that Iran has a sovereign right to enrich uranium, calling any deviation from NPT standards unacceptable. Indirect negotiations are scheduled to resume this weekend, with technical teams meeting for the first time. Rubio emphasized that the goal is a peaceful agreement, but admitted that a deal remains distant. Iran, for its part, is also leveraging economic incentives, promoting its nuclear energy market as a trillion-dollar opportunity for U.S. enterprises.
READ THE STORY: FT
Inside the Political Pivot: How Trump’s Return Redefined Jeff Bezos’ Washington Strategy
Bottom Line Up Front (BLUF): Jeff Bezos’ once-celebrated integration into Washington’s civic and media circles has dramatically reversed under the second Trump administration. Once viewed as a protector of democratic institutions through his stewardship of The Washington Post, Bezos now faces backlash for intervening editorially, embracing pro-market policies, and aligning with Trump-era power structures.
Analyst Comments: Bezos’ shift reflects a broader transformation in Washington’s power dynamics rather than a personal metamorphosis. The return of Trump, coupled with a culture shift toward transactional politics and ideological loyalty, has made traditional norms of bipartisan respectability obsolete. For moguls like Bezos, adapting to these new rules may be less about personal ideology and more about strategic recalibration in a politicized media and economic environment.
FROM THE MEDIA: Once admired for preserving the integrity of The Washington Post and his symbolic gestures honoring its legacy, Bezos now faces criticism for undermining journalistic independence by canceling a Kamala Harris endorsement and mandating a pro-market editorial shift. Simultaneously, Amazon’s much-hyped HQ2 development in Arlington has stalled, symbolizing waning influence. Bezos' appearance at Trump's 2025 inauguration, deals with Melania Trump, and social realignments in D.C. suggest a pivot toward survival and influence under new political realities.
READ THE STORY: Politico
SK Hynix Sees Surge in HBM Sales as U.S. Firms Stockpile Amid Tariff Fears
Bottom Line Up Front (BLUF): SK Hynix reported a 42% year-over-year revenue increase in Q1 2025, driven by heightened demand for AI memory and preemptive U.S. stockpiling of high-bandwidth memory (HBM). As U.S. tariff policies under the Trump administration remain uncertain, American buyers are securing future HBM supply, pushing SK Hynix's production through 2026 into sold-out status.
Analyst Comments: With SK Hynix deriving 60% of revenue from U.S. customers, tariff risks and geopolitical tensions are fueling procurement surges to guarantee availability. Experts suggest this may not be mere stockpiling out of panic but a calculated move to secure critical AI infrastructure components amid persistent supply constraints. The market’s shift to long-term pricing and capacity commitments signals a more stable and profitable outlook for premium memory makers.
FROM THE MEDIA: This performance was fueled by increased sales of AI-focused products like DDR5 DRAM and 12-layer HBM3E, especially as U.S. firms ramp up inventory ahead of potential tariff hikes. Industry analysts note the company has already sold out of HBM production through 2026. The firm is also introducing new memory modules such as LPCAMM2 for AI PCs and SOCAMM for servers. Structural changes in the DRAM market and the high stakes of AI infrastructure are driving a strategic evolution from volatile pricing to high-margin, long-term contracts.
READ THE STORY: The Register
Items of interest
Mystery of Elon Musk’s DOGE Team Deepens Inside U.S. Government Agencies
Bottom Line Up Front (BLUF): A covert initiative known as the Department of Government Efficiency (DOGE), reportedly linked to Elon Musk, has embedded operatives across U.S. federal agencies, particularly the General Services Administration (GSA). Despite official denials, WIRED has verified the presence of Musk-affiliated personnel working within secured sections of GSA facilities, raising questions about transparency, legality, and control over federal digital infrastructure.
Analyst Comments: The blurred lines between federal employment and external tech influence, especially with ties to a high-profile figure like Musk, highlight emerging national security and governance concerns. The DOGE initiative’s broad mandate and opaque structure may circumvent oversight mechanisms, positioning private-sector actors within sensitive government roles. Under the guise of government efficiency, this unconventional power dynamic could enable unmonitored access to data systems and policy influence at the highest levels of the federal apparatus.
FROM THE MEDIA: GSA administrator Stephen Ehikian denied the existence of a DOGE team within the agency. However, WIRED uncovered that at least six Musk-linked individuals, including Steve Davis and former Palantir intern Akash Bobba, have active GSA credentials and office space. These operatives are tied to the broader DOGE initiative, which Trump formalized via executive order on January 20. The order mandates DOGE teams across all agencies, but ambiguity over roles and affiliations persists. Critics, including labor unions, have filed lawsuits alleging DOGE’s sweeping access to sensitive data is unlawful and unaccountable. Meanwhile, employees report a visible presence of “tech bros” operating within GSA facilities under high security.
READ THE STORY: WIRED
NLRB whistleblower claims Musk's DOGE potentially caused significant security breach (Video)
FROM THE MEDIA: The National Labor Relations Board protects workers' right to organize and investigates unfair labor practices. A whistleblower complaint filed by an IT staffer claims Elon Musk and his DOGE team gained access to sensitive data that could have led directly to a “significant cybersecurity breach.” Amna Nawaz discussed more with NLRB whistleblower Daniel Berulis and attorney Andrew Bakaj.
DOGE discovery? How the law CAN reveal “really juicy stuff” on Musk’s team (Video)
FROM THE MEDIA: Since President Trump’s first day in office, DOGE has dominated headlines by forcing its way into federal agencies, accessing sensitive and private data, and purportedly slashing grants and contracts long ago committed to states, universities, and others.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.