Saturday, May 03, 2025 // (IG): BB // GITHUB // SN R&D
Deprioritizing Russia’s Cyber Threat Is a Strategic Mistake Amid Escalating Digital Aggression
Bottom Line Up Front (BLUF): The Trump administration’s recent shift from prioritizing Russia as a top-tier cyber threat contradicts longstanding intelligence assessments and exposes U.S. infrastructure to heightened risk. Despite official denials, Russia’s omission from major policy speeches and internal cybersecurity directives suggests a troubling retreat from acknowledging one of the world’s most capable cyber adversaries.
Analyst Comments: This policy reversal comes at a time when Russian cyber aggression is not only persistent but escalating, especially amid ongoing tensions in Ukraine and rising cyber hostilities across Europe. The downplaying of threats posed by state actors like APT28 and APT29, coupled with reduced operational planning against Russia by U.S. Cyber Command, signals a dangerous gap in national cyber defense strategy. If Moscow perceives less scrutiny or consequences, it may feel emboldened to intensify espionage, sabotage, and influence campaigns. Cybersecurity professionals warn that abandoning a deterrent posture risks undermining domestic resilience and allied trust.
FROM THE MEDIA: U.S. intelligence and cybersecurity agencies continue to identify Russia as a leading and enduring cyber threat, yet internal moves within the Trump administration suggest a shift in posture. A memo circulated within CISA omitted Russia from its list of cyber adversaries, while senior officials such as Liesyl Franz failed to mention Russia during significant UN cybersecurity discussions. The Record reports that Defense Secretary Pete Hegseth ordered U.S. Cyber Command to halt cyber operational planning against Russian targets. Meanwhile, allies like France and the UK maintain their focus on Russian-linked threats, such as ransomware group LockBit and GRU-backed APT groups. Experts across the intelligence and cybersecurity communities view this deprioritization as a strategic vulnerability rather than a diplomatic pivot, warning that such changes will weaken U.S. deterrence and embolden adversarial action.
READ THE STORY: Wired
Beijing Weighs Fentanyl Cooperation to Jumpstart U.S. Trade Talks
Bottom Line Up Front (BLUF): China is reportedly considering offering concessions on fentanyl precursor control as a diplomatic lever to reengage in stalled trade talks with the Trump administration. Discussions include the potential dispatch of China's Minister for Public Security to meet with U.S. officials, though negotiations remain tentative amid escalating tariffs and geopolitical strain.
Analyst Comments: The Trump administration's linkage of the fentanyl crisis to trade negotiations marks a strategic pivot, using the opioid epidemic as leverage. China's reported willingness to negotiate on fentanyl-related exports indicates awareness of mounting global pressure, especially as fentanyl trafficking increasingly intersects with cybercrime, such as dark web sales and crypto laundering. However, caution is warranted: China's cooperation in the past has been limited and often symbolic. Whether any agreement would yield meaningful enforcement—or be used as a stalling tactic amid rising economic pressure—remains to be seen.
FROM THE MEDIA: Sources familiar with the talks say Beijing may offer actions on fentanyl precursor chemicals in exchange for reduced trade tensions. Minister for Public Security Wang Xiaohong is reportedly being considered for a diplomatic visit to U.S. counterparts, or a meeting in a third country. The Trump administration has tied fentanyl to the broader trade conflict, citing China as the primary source of chemical precursors used by drug cartels. The report comes amid heightened economic tensions, with the U.S. imposing 145% tariffs on Chinese goods and revoking de minimis trade privileges, affecting major e-commerce platforms like Shein and Temu.
READ THE STORY: Reuters
U.S. Establishes Second Military Zone Along Mexico Border Amid Aggressive Immigration Push
Bottom Line Up Front (BLUF): The U.S. military has designated a new "National Defense Area" in Texas, following a similar move in New Mexico, allowing troops to detain migrants temporarily. This expansion is part of President Trump’s broader campaign to militarize immigration enforcement and bypass legal constraints like the Insurrection Act.
Analyst Comments: The creation of military zones along the U.S.-Mexico border reflects a significant shift toward using military infrastructure to handle civilian immigration issues. While the administration argues it avoids invoking the politically sensitive Insurrection Act, these actions raise serious legal, ethical, and operational questions. Critics warn this could normalize military involvement in domestic law enforcement, while supporters view it as a pragmatic step to deter illegal crossings. The implications for civil liberties, federal-state tensions, and U.S.-Mexico relations are substantial, especially as security and sovereignty debates escalate.
FROM THE MEDIA: The U.S. military announced on May 2, 2025, the creation of a "Texas National Defense Area," a 63-mile-long strip along the border in El Paso. This follows a similar 170-square-mile zone in New Mexico established in April. While U.S. Customs and Border Protection retains jurisdiction, the zones allow military personnel to temporarily detain migrants before handing them over to civilian authorities. Texas Governor Greg Abbott has supported the effort with additional border fortifications, while New Mexico Governor Michelle Lujan Grisham has criticized the zones as wasteful and intrusive. The Department of Defense confirmed that 82 individuals have been charged in the New Mexico zone so far, although U.S. troops have carried out no detentions.
READ THE STORY: Reuters
Disney Data Breach Blamed on Russian Hacktivists Was Actually California Hacker with Malware-Laced AI Tool
Bottom Line Up Front (BLUF): A 25-year-old Californian, Ryan Mitchell Kramer, has pleaded guilty to hacking Disney’s internal systems and leaking 1.1TB of sensitive data, which was initially misattributed to Russian hacktivists. The attacker used malware disguised as an AI art app to compromise a Disney employee’s computer, gaining access to Slack channels and confidential company information.
Analyst Comments: Kramer's ruse successfully deflected blame onto a fabricated Russian protest group, “Nullbulge,” exploiting geopolitical tensions and public distrust of AI. While the attack's technical sophistication was limited, its impact was significant—it affected internal communications and employee data and even led to operational changes like Disney’s move from Slack to Microsoft Teams. This case highlights the need for tighter internal controls, employee cyber hygiene, and caution around unvetted third-party software claiming AI capabilities.
FROM THE MEDIA: Initially believed to be a politically motivated Russian hacktivist campaign, the massive Disney data breach in 2024 has now been traced to Ryan Mitchell Kramer, a U.S.-based individual. According to the Department of Justice, Kramer developed and distributed a fake AI art generator laced with malware. When a Disney employee installed the software, Kramer gained remote access to internal Slack channels and corporate data, including project files and employee personal information. After failing to elicit a response from his victim, Kramer leaked the data online under the guise of a protest. He now faces up to 10 years in federal prison for accessing protected systems and issuing threats. The breach prompted Disney to abandon Slack, illustrating the downstream consequences of successful phishing and social engineering attacks.
READ THE STORY: The Register
U.S. Charges Yemeni Hacker Behind Black Kingdom Ransomware Attacks on 1,500 Global Systems
Bottom Line Up Front (BLUF): The U.S. Department of Justice has charged Yemeni national Rami Khaled Ahmed for deploying the Black Kingdom ransomware against more than 1,500 systems worldwide between 2021 and 2023. Targets included U.S. hospitals, schools, and businesses, with access gained primarily via Microsoft Exchange ProxyLogon vulnerabilities.
Analyst Comments: The indictment of Ahmed underscores the persistent threat posed by opportunistic actors exploiting widely known vulnerabilities like ProxyLogon, even with relatively unsophisticated ransomware. While Black Kingdom was described as amateurish, its impact was still significant, illustrating that even low-skill actors can inflict substantial damage. The continued decentralization of ransomware operations and the trend toward encryption-less extortion present evolving challenges for defenders and policymakers. Law enforcement's growing focus on arrests and extraditions may deter future attackers, but the ransomware economy’s adaptability ensures these threats are far from over.
FROM THE MEDIA: By exploiting Microsoft Exchange’s ProxyLogon vulnerabilities, Ahmed and co-conspirators infiltrated victims’ networks across sectors, including healthcare and education. After deploying ransomware, they demanded $10,000 in Bitcoin and threatened data exposure. Black Kingdom—also known as Pydomer—was previously observed targeting VPN flaws and was linked to amateur attackers and even insider recruitment attempts. The case is part of a broader international crackdown on cybercriminals, with recent U.S. actions also targeting affiliates of Nefilim, Scattered Spider, and transnational financial crime networks like Cambodia’s HuiOne Group.
READ THE STORY: THN
Trump Administration Signals Aggressive Shift Toward Normalizing Offensive Cyber Operations
Bottom Line Up Front (BLUF): The Trump administration is preparing to overhaul U.S. cyber strategy by normalizing offensive cyber operations as a routine tool of national power. National Security Council senior cyber director Alexei Bulazel emphasized at the RSA Conference 2025 that inaction invites aggression and that the U.S. must impose higher costs on adversaries through digital retaliation.
Analyst Comments: If implemented, this normalization of offensive capabilities could deter adversaries like China and Iran, but it also risks escalating international tensions and eroding cyber conflict norms. The dismissal of top cyber leaders and the sidelining of defensive priorities, such as CISA, suggest a rebalancing of resources and attention toward digital retaliation. This change in posture may impact global cyber stability, increase legal and ethical concerns, and challenge alliances built on shared cyber defense doctrines.
FROM THE MEDIA: Speaking at the RSA Conference, Alexei Bulazel, now leading cyber strategy at the White House National Security Council, stated the Trump administration aims to “change the script” by actively embracing offensive cyber tools. Citing recent Chinese intrusions into U.S. telecom infrastructure, Bulazel underscored the importance of retaliation and cost-imposition to deter future attacks. This comes amid reductions in CISA’s authority and the controversial firing of U.S. Cyber Command chief Gen. Timothy Haugh. While the administration has provided little detail, Bulazel’s comments reflect a broader effort to liberate U.S. cyber operators from what he called "handcuffs" placed by previous administrations, while also acknowledging the challenges of modernizing cyber defense amid AI and emerging tech threats.
READ THE STORY: The Record
UK Military Drone Training Hampered by Safety and Data Rules, MPs Warn
Bottom Line Up Front (BLUF): The UK Ministry of Defence faces growing criticism from lawmakers over regulations that restrict effective drone and electronic warfare training for soldiers. Citing overly cautious guidelines on data protection and drone safety, MPs warn that British troops risk deploying to high-threat areas, like Eastern Europe, without critical skills in modern drone warfare.
Analyst Comments: The inability to fly drones over troops or practice signal jamming during exercises directly hinders force readiness, especially as drone use becomes central in conflicts like Ukraine. While valid in civilian contexts, data protection and civil aviation rules must be reconciled with operational needs. This underscores a broader trend: Western militaries struggle to adapt training protocols to the demands of digital-age conflict, potentially placing personnel at a disadvantage against more flexible adversaries like Russia, which frequently tests such capabilities in combat zones without domestic constraints.
FROM THE MEDIA: UK soldiers have been barred from flying drones heavier than 250g over each other or engaging in signal-jamming during training due to Civil Aviation Authority regulations and GDPR-related privacy concerns. The Ministry of Defence (MoD) requires special approval for even low-risk scenarios, such as flying drones over unmanned tanks. MPs visiting Salisbury Plain expressed alarm that these limitations prevent troops from acquiring essential drone and EW (electronic warfare) skills. One MP, Fred Thomas, noted that soldiers were taking matters into their own hands, purchasing drone kits online to learn jamming techniques independently. The MoD acknowledged the restrictions but said safety and protecting non-military environments must be balanced with operational training needs. Experts say proposed rule changes may eventually allow drones to fly over personnel with safety briefings, but delays could undermine current readiness.
READ THE STORY: FT
Spain and Portugal Blackouts Raise Cybersecurity Concerns Amid Ongoing Investigation
Bottom Line Up Front (BLUF): Massive power outages across Spain and Portugal in late April 2025 have triggered cyber alarm bells, with authorities unable to rule out the possibility of a sophisticated cyberattack. Though initial assessments pointed to technical failures, investigations are ongoing and could take weeks to confirm or dismiss malicious activity.
Analyst Comments: The inability to swiftly determine whether these outages were cyber-induced reflects persistent gaps in visibility and forensics across European critical infrastructure. As threat actors—particularly state-sponsored ones—increasingly target operational technology (OT), incidents like this serve as a stark reminder of the fragility of digitally connected grids. While there's no public attribution yet, the incident highlights the growing need for cross-sector coordination and investment in OT-specific cybersecurity capabilities. If cyber attribution is eventually confirmed, it may influence regulatory enforcement under NIS2 and bolster momentum for new EU-wide resilience mandates.
FROM THE MEDIA: While the European Union Agency for Cybersecurity initially cited technical malfunctions, Spanish authorities later acknowledged that a cyberattack could not be ruled out. Experts including Dragos CEO Rob Lee noted that distinguishing between a fault and a cyberattack is difficult without clear indicators or claims of responsibility. Forensics teams are currently analyzing OT system logs, network traffic, and suspicious patterns to identify whether malware or unauthorized access was involved. Cyberattacks on infrastructure have been rising in Europe, and recent attribution of long-term Russian cyber campaigns by French officials adds to regional anxieties. A conclusive answer could take weeks or may never be publicly confirmed.
READ THE STORY: WSJ
Iranian Hackers Maintain Two-Year Access to Middle East Infrastructure via VPN Exploits and Custom Malware
Bottom Line Up Front (BLUF): Iranian state-backed group Lemon Sandstorm sustained nearly two years of covert access to a Middle Eastern critical national infrastructure (CNI) network through VPN vulnerabilities and advanced malware. Fortinet researchers identified the campaign as a sophisticated, multi-stage espionage operation, with evidence of prepositioning for potential future sabotage.
Analyst Comments: The extended duration of the intrusion, combined with layered malware and evasion techniques, points to strategic reconnaissance rather than immediate disruption. As critical infrastructure digitizes and converges with IT networks, the risk of OT-adjacent breaches leading to real-world consequences grows. Expect continued targeting of the energy and utilities sector in the Middle East, especially as geopolitical tensions involving Iran persist.
FROM THE MEDIA: From May 2023 to February 2025, attackers exploited VPN flaws in Fortinet, Pulse Secure, and Palo Alto devices to gain access and maintain persistence through custom malware such as HanifNet, HXLibrary, and NeoExpressRAT. Despite countermeasures, the threat actors used chained proxies and newly developed implants to reestablish access and conduct reconnaissance in OT-adjacent environments. The campaign escalated after the victim’s initial containment actions, culminating in spear-phishing campaigns and exploitation of Biotime vulnerabilities (CVE-2023-38950, CVE-2023-38951 and CVE-2023-38952). Fortinet assessed most attacker activity as hands-on-keyboard, indicating manual control and operational adaptability.
READ THE STORY: THN
Azerbaijan Accuses Russia’s APT29 of Cyberattack Following Diplomatic Rift
Bottom Line Up Front (BLUF): Azerbaijan has publicly accused Russian state-linked threat actor APT29 (Cozy Bear) of orchestrating a cyberattack on its media infrastructure in February 2025. The attack allegedly followed Azerbaijan’s diplomatic moves against Russian cultural and media institutions.
Analyst Comments: This incident highlights how Russia may be expanding its hybrid warfare toolkit beyond traditional Western targets, signaling a potential increase in cyber pressure on former Soviet states asserting independence from Moscow’s influence. If substantiated, the operation reflects cyber-espionage motives and strategic signaling in response to diplomatic setbacks. Azerbaijan’s decision to attribute the incident publicly may mark a shift toward more aggressive cyber diplomacy in the region.
FROM THE MEDIA: Ramid Namazov, head of Azerbaijan’s parliamentary commission on hybrid threats, stated that the February 20 cyberattack targeting Azerbaijani media outlets was conducted by APT29, a group linked to Russia’s military intelligence. According to the state-run APA news agency, the attack was allegedly triggered by Azerbaijan’s closure of the Russian House in Baku and threats to ban Sputnik Radio’s operations. Namazov emphasized that the attackers had infiltrated media networks before launching the campaign, which he framed as a politically motivated act of cyber interference. The incident comes amid already heightened tensions following the downing of an Azerbaijani plane near Russian territory in December 2024.
READ THE STORY: Pravda
Nvidia Redesigns AI Chips for China Amid Tightened U.S. Export Restrictions
Bottom Line Up Front (BLUF): Nvidia is modifying its AI chip designs to comply with tightened U.S. export controls while continuing sales to major Chinese tech firms like Alibaba, ByteDance, and Tencent. The move comes after the U.S. blocked Nvidia’s H20 chips exports to China, potentially costing the company $5.5 billion.
Analyst Comments: The re-engineering effort shows how companies may work around regulatory boundaries while technically complying with the letter of the law. However, this strategy may further accelerate U.S. scrutiny and regulatory tightening, especially if Chinese firms leverage these chips to bolster domestic AI capabilities, including in sectors relevant to cybersecurity and national defense.
FROM THE MEDIA: Nvidia is working on revised AI chip designs that meet U.S. export regulations while maintaining functionality for Chinese customers. The company informed major clients such as Alibaba, ByteDance, and Tencent about the redesigns during CEO Jensen Huang's April 2025 visit to Beijing. These redesigned chips are expected to sample as early as June. The move comes after the U.S. Commerce Department blocked the export of Nvidia’s H20 chips, its last legal offering to China under current export rules. The curbs could cost Nvidia billions in revenue. Nvidia declined to comment, and responses from the Commerce Department and affected Chinese firms are still pending.
READ THE STORY: Reuters
Trump-Sheinbaum Clash Over Cartels Reveals Deepening U.S.-Mexico Security Rift
Bottom Line Up Front (BLUF): U.S. President Donald Trump and Mexican President Claudia Sheinbaum are at odds over Trump's push for direct U.S. military involvement against Mexican drug cartels. Despite cooperation on intelligence sharing and border control, Mexico has firmly rejected any U.S. troop presence, citing sovereignty concerns and historical tensions.
Analyst Comments: This high-level disagreement signals growing friction between Washington and Mexico City amid intensifying pressure to curb the fentanyl crisis. Trump’s aggressive posture—hinting at unilateral military strikes or special forces use—risks undermining decades of bilateral progress on trade and security cooperation. Mexico's firm stance against foreign interference reflects domestic political realities and deep national sensitivities, but it may also embolden cartels if it is not matched with effective internal enforcement. Further escalation could spark diplomatic fallout, complicate trade talks, and test North American security architecture.
FROM THE MEDIA: Sheinbaum refused Trump's push for U.S. troops on Mexican soil, agreeing only to intelligence cooperation and troop deployments under Mexican command. Mexico has extradited drug lords, destroyed labs, and deployed 10,000 troops, but insists on full sovereignty. Trump, meanwhile, has warned of unilateral U.S. actions if Mexico fails to dismantle cartels. U.S. officials are also considering drone strikes and expanded special forces operations, though Mexico has rejected any cross-border military collaboration. Despite tensions, both leaders describe their calls as productive, and discussions continue on trade and migration.
READ THE STORY: WSJ
Items of interest
Spain Probes Possible Cyberattack After Nationwide Blackout Paralyzes Infrastructure
Bottom Line Up Front (BLUF): A massive blackout on April 28, 2025, plunged Spain and parts of Portugal into darkness, disrupting transportation, communication, and industry. Investigations are underway into whether a cyberattack played a role, with early signs pointing to systemic weaknesses in Spain's increasingly renewable-dependent power grid.
Analyst Comments: While the outage’s root cause remains unconfirmed, the blackout highlights the fragile balance between renewable integration and grid stability. Spain’s grid, already strained by the phaseout of nuclear plants and lack of real-time data from decentralized energy sources, was vulnerable to cascading failures. If cyber elements are confirmed, this would follow a broader trend of threat actors targeting national infrastructure to exploit such transitions. Proactive resilience and security by design in smart grids will be critical as Europe continues its energy transition.
FROM THE MEDIA: Affected systems included high-speed railways near Madrid and the Repsol Cartagena refinery. While government officials initially denied renewable energy was at fault, multiple industry reports had previously warned that Spain’s aging grid infrastructure was unprepared for high levels of decentralized solar and wind power. REE (Spain’s grid operator) and the European grid organization ENTSO-E had noted the lack of visibility into smaller renewable producers as a key operational risk. Spanish courts have launched a probe to determine if the incident involved a cyberattack, following similar blackouts in Ukraine and the U.S. linked to threat actors.
READ THE STORY: Reuters
Spain, Portugal & Parts Of France Hit By Massive Power Outage, Trains Stopped, Airports Affected (Video)
FROM THE MEDIA: Spain, Portugal, and parts of France have been hit by a massive power outage, leaving millions without electricity. As per the latest reports, issues with the European electric grid are all that is known so far.
The Biggest Threats to America’s Critical Infrastructure (Video)
FROM THE MEDIA: Pipelines hacked by China. Russia is breaking into the grid. Iran is launching a cyberattack on a children’s hospital. All things that happened in recent years. America’s critical infrastructure is in our adversaries’ crosshairs.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.