Tuesday, May 27, 2025 // (IG): BB // GITHUB // SN R&D
China’s Cyber and Space Strategy to Counter U.S. Intervention in Taiwan Conflict
Bottom Line Up Front (BLUF): A new analysis from War on the Rocks outlines how China could employ cyber and space capabilities to delay or degrade U.S. military intervention in a Taiwan conflict. The strategy includes preemptive cyberattacks on U.S. command-and-control infrastructure and anti-satellite (ASAT) operations targeting American reconnaissance and communications systems.
Analyst Comments: By aiming to disable or disrupt U.S. military systems before or during a conflict, China seeks to gain critical time and maneuver space in a Taiwan scenario. Cyber operations—especially those targeting logistics and communications—would likely play a leading role in the initial phase of hostilities. This underscores the need for the U.S. to harden its cyber infrastructure and space assets while improving resilience through decentralized and redundant systems.
FROM THE MEDIA: The report suggests China would likely launch coordinated cyberattacks on U.S. and allied logistics networks, targeting transport command, fuel distribution, and communications to delay American response times. Simultaneously, China could use ground-based ASAT weapons or electronic warfare to blind U.S. reconnaissance and degrade satellite communications in the Indo-Pacific theater. This multi-domain disruption strategy limits early U.S. effectiveness and allows rapid Chinese operations against Taiwan. The analysis highlights the PLA’s growing doctrine integrating cyber, space, and conventional power for time-sensitive political-military goals.
READ THE STORY: War On The Rocks
Russia Allegedly Uses Big Tech Cloud Platforms to Coordinate Missile Strikes on Kyiv
Bottom Line Up Front (BLUF): Ukrainian intelligence reports that Russian military units are using primary Western cloud services—such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud—to support the coordination of missile strikes on Kyiv. The platforms are reportedly being used to transmit targeting data and manage battlefield logistics.
Analyst Comments: If confirmed, this would represent a significant abuse of commercial infrastructure by a state actor engaged in armed conflict. Leveraging widely trusted and globally distributed cloud platforms offers both technical advantages and a form of obfuscation—potentially bypassing conventional military monitoring systems. The incident underscores the urgent need for cloud service providers to enhance monitoring for state-sponsored misuse and highlights the blurred lines between civilian tech and military operations. It also raises questions about wartime cybersecurity responsibilities for major technology firms.
FROM THE MEDIA: Ukraine's Main Directorate of Intelligence (GUR) has accused Russian forces of exploiting top U.S.-based cloud platforms to plan and execute missile strikes on Kyiv. According to the report, Russian military operators are allegedly storing and transmitting coordinates, drone surveillance data, and logistical plans using infrastructure hosted on Amazon, Microsoft, and Google services. Ukrainian officials did not disclose technical specifics but stated that such activity had been observed during recent air raids. Kyiv has called on the tech companies involved to investigate and shut down any accounts linked to Russian military or intelligence services. The companies have yet to issue official statements in response.
READ THE STORY: TVP World
DPRK Hackers Exploit Supply Chain Attack to Breach South Korean Defense Contractor
Bottom Line Up Front (BLUF): North Korean state-sponsored hackers are suspected of breaching a South Korean defense contractor through a sophisticated supply chain attack. The malware-laced update originated from a trusted domestic software vendor, allowing attackers to infiltrate internal systems undetected.
Analyst Comments: Targeting a defense contractor signals Pyongyang’s ongoing efforts to gather military and technological intelligence amid rising geopolitical tensions. Using a legitimate software vendor to distribute malware also reveals critical weaknesses in third-party software assurance. Governments and defense firms must strengthen code auditing, software provenance checks, and anomaly detection around trusted tools and updates.
FROM THE MEDIA: South Korean intelligence officials have linked a recent cyberattack on a domestic defense contractor to North Korean threat actors. The breach was carried out through a compromised software update delivered by a local IT services provider regularly used by the contractor. This enabled the attackers to bypass perimeter defenses and implant malware directly within the target’s internal network. Authorities are currently investigating the full scope of the breach, including what data may have been exfiltrated. The National Intelligence Service (NIS) warned that similar supply chain attacks could escalate as North Korea intensifies its cyber espionage operations targeting strategic industries.
READ THE STORY: The Chosun
Chinese Hackers Exploit Cityworks Zero-Day to Breach U.S. Local Government Agencies
Bottom Line Up Front (BLUF): A Chinese state-sponsored hacking group has exploited a previously unknown zero-day vulnerability in Cityworks, a widely used public asset and work management platform. The attackers have breached multiple U.S. local government networks, exfiltrating sensitive data and accessing administrative systems.
Analyst Comments: Exploiting Cityworks grants attackers digital and operational intelligence, potentially enabling disruption or surveillance. Using a zero-day also signals a high level of sophistication and forethought. Often under-resourced in cybersecurity, local governments remain vulnerable targets in geopolitical cyber conflicts, particularly as tensions rise between the U.S. and China.
FROM THE MEDIA: A Chinese APT group exploited a zero-day vulnerability in Cityworks, a software platform used by hundreds of local governments across the United States for managing infrastructure, maintenance, and asset tracking. The campaign, discovered by threat intelligence firm Sygnia, involved remote code execution via a vulnerability in the Cityworks server API, allowing attackers to gain administrator access and pivot across municipal networks. Victims include city and county agencies responsible for utilities, public safety, and infrastructure. The attackers reportedly exfiltrated confidential project plans, user credentials, and potentially sensitive citizen data. While the vulnerability has since been patched, the exploitation went undetected for weeks.
READ THE STORY: HR
Russia-Linked Hackers Use Weaponized Word Docs to Target Tajikistan Government Agencies
Bottom Line Up Front (BLUF): Russia-linked threat actors have launched a cyber-espionage campaign targeting Tajikistan’s government using malicious Microsoft Word documents. The campaign uses decoy diplomatic content to deploy custom malware and exfiltrate sensitive information.
Analyst Comments: The campaign reflects Russia’s continued use of spear-phishing and document-based exploits to conduct intelligence-gathering operations in Central Asia, a region of strategic interest due to its proximity to Afghanistan and China. The use of tailored lures and custom malware suggests a focused effort likely aligned with Moscow’s regional geopolitical goals. These tactics remain effective in environments with limited cybersecurity infrastructure, underlining the need for enhanced regional defenses and international information-sharing to detect and mitigate such nation-state threats.
FROM THE MEDIA: According to researchers at Check Point, the attackers distributed Microsoft Word documents containing diplomatic content to lure officials into enabling macros. Once activated, the macros install a custom backdoor that allows remote access, file theft, and system reconnaissance. The malware includes advanced anti-analysis features and was tailored specifically for the Tajikistani environment. Check Point attributes the campaign to a known Russia-linked APT group, though the exact name was withheld. The operation likely aims to gather intelligence on diplomatic and internal government operations.
READ THE STORY: THN
China’s Plan for London ‘Super Embassy’ Rejected Over Security Concerns
Bottom Line Up Front (BLUF): The UK government has rejected China’s proposal to build a “super embassy” in London’s historic Royal Mint Court due to national security concerns. The decision follows opposition from residents, lawmakers, and intelligence advisors worried about surveillance risks near sensitive sites in the Square Mile.
Analyst Comments: The rejection of China’s embassy expansion signals a firmer UK stance on foreign influence and security in critical urban areas. With increasing concerns over espionage and digital surveillance linked to Chinese state operations, Western governments are reevaluating how foreign diplomatic facilities intersect with cyber and physical security. This move may strain UK-China diplomatic relations and lead to reciprocal actions or intensified intelligence-gathering efforts on both sides. It also reflects growing alignment between local opposition and national security policy on matters of strategic infrastructure.
FROM THE MEDIA: The British government has blocked China’s bid to establish a large embassy complex near the Tower of London in Royal Mint Court. The rejection follows years of legal appeals and vocal opposition, citing security concerns, given the location's proximity to government and financial institutions. Officials reportedly acted on advice from security services about the potential for espionage and digital surveillance. The Chinese government has expressed strong dissatisfaction with the decision, calling it discriminatory. The embassy project was first proposed in 2018 and has faced delays and mounting scrutiny from London councils and national intelligence experts.
READ THE STORY: The Standard
New Android Malware ‘GhostSpy’ Grants Attackers Full Remote Access to Infected Devices
Bottom Line Up Front (BLUF): Security researchers have discovered a new Android malware strain dubbed GhostSpy. This malware grants attackers full remote access and control over infected devices. It is linked to the China-based hacker group APT41 and can exfiltrate sensitive data, record audio, and monitor user activity in real time.
Analyst Comments: Its attribution to APT41 suggests it may be part of a broader cyber-espionage campaign targeting Southeast Asian users. The malware’s use of advanced evasion techniques and control over critical device functions signals a shift toward more militarized mobile cyber operations. Enterprises and individuals using Android devices in sensitive roles should treat this threat as high risk and monitor for indicators of compromise.
FROM THE MEDIA: GhostSpy starts its infection using a dropper APK that abuses Android’s Accessibility Services to install a secondary payload called update.apk automatically. This malware uses simulated clicks to grant itself Device Admin privileges and access to SMS, call logs, camera, microphone, and storage. Once installed, it communicates with C2 domains like stealth[.]gstpainel[.]fun and IPs such as 37[.]60[.]233[.]14, enabling full surveillance and control, including keylogging, screen capturing, GPS tracking, and banking app spoofing. GhostSpy also employs anti-uninstallation techniques using full-screen overlays and system monitoring to deter removal. CYFIRMA researchers note cultural and linguistic indicators suggesting Brazilian threat actor involvement and warn of ongoing malware development and campaign activity.
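The two indicators quoted above are published defanged, so they cannot be pasted straight into a log search. The following is an added example written for this digest, not code from CYFIRMA or the original report: it refangs the indicators, classifies each as an IP or a domain, and sweeps a small set of constructed DNS/connection log lines, matching subdomains of the C2 domain but not look-alike strings that merely contain it. The log format and the sample lines are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Indicators exactly as reported (defanged) in the write-up summarised above.
DEFANGED_IOCS = ["stealth[.]gstpainel[.]fun", "37[.]60[.]233[.]14"]


def refang(indicator: str) -> str:
    """Convert a defanged indicator ('[.]', '(.)', 'hxxp') back to its matchable form."""
    s = indicator.strip().lower()
    s = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", s)
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s)
    return s


@dataclass(frozen=True)
class Indicator:
    value: str
    kind: str  # "ip" or "domain"


_IPV4_EXACT = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
_IPV4_TOKEN = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_HOST_TOKEN = re.compile(r"\b[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+\b")


def to_indicator(raw: str) -> Indicator:
    """Refang, reduce a URL to its host, and tag the result as an IP or a domain."""
    v = refang(raw)
    v = re.sub(r"^https?://", "", v).split("/")[0].split(":")[0]
    return Indicator(v, "ip" if _IPV4_EXACT.match(v) else "domain")


def match_line(line: str, indicators) -> list:
    """Return the indicators a single log line hits (exact IP; domain or any subdomain of it)."""
    low = line.lower()
    ips = set(_IPV4_TOKEN.findall(low))
    hosts = set(_HOST_TOKEN.findall(low))
    hits = []
    for ind in indicators:
        if ind.kind == "ip" and ind.value in ips:
            hits.append(ind)
        elif ind.kind == "domain" and any(
            h == ind.value or h.endswith("." + ind.value) for h in hosts
        ):
            hits.append(ind)
    return hits


def scan(lines, raw_iocs=DEFANGED_IOCS):
    """Scan log lines; return a list of (line_number, indicator_value, kind) tuples."""
    indicators = [to_indicator(r) for r in raw_iocs]
    results = []
    for n, line in enumerate(lines, start=1):
        for ind in match_line(line, indicators):
            results.append((n, ind.value, ind.kind))
    return results


# Constructed sample log lines (assumed format: timestamp, record type, key=value fields).
SAMPLE_LOG = [
    "2025-05-27T08:01:12Z dns query=update.microsoft.com client=10.0.0.5",
    "2025-05-27T08:02:40Z dns query=stealth.gstpainel.fun client=10.0.0.17",
    "2025-05-27T08:02:41Z conn src=10.0.0.17 dst=37.60.233.14:443 proto=tcp",
    "2025-05-27T08:03:05Z dns query=api.stealth.gstpainel.fun client=10.0.0.17",   # subdomain: hit
    "2025-05-27T08:03:10Z conn src=10.0.0.9 dst=137.60.233.14:443 proto=tcp",      # different IP: no hit
    "2025-05-27T08:04:00Z dns query=stealth.gstpainel.fun.example.org client=10.0.0.9",  # look-alike: no hit
]

if __name__ == "__main__":
    for line_no, value, kind in scan(SAMPLE_LOG):
        print(f"line {line_no}: {kind} indicator {value}")
```

Token extraction with word boundaries is what keeps `137.60.233.14` from matching the reported IP, and the suffix test on the domain is what catches subdomains without also flagging a domain that merely embeds the indicator string.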
READ THE STORY: GBhackers
ALPHV/BlackCat Ransomware Group Claims Attack on UnitedHealth Subsidiary Change Healthcare
Bottom Line Up Front (BLUF): The ALPHV/BlackCat ransomware group has claimed responsibility for the February 2024 cyberattack on Change Healthcare, a key UnitedHealth Group subsidiary. The attack caused widespread disruption to healthcare services across the U.S., and the group alleges it received a $22 million ransom payment to unlock encrypted systems.
Analyst Comments: Change Healthcare’s central role in prescription processing and insurance billing made it a high-value target for extortion. The reported $22 million payment underscores the financial stakes and could incentivize further attacks on critical infrastructure. Given ALPHV’s tactics and recent operational disruptions by law enforcement, this disclosure may also indicate internal group tensions or attempts to reclaim credibility.
FROM THE MEDIA: The ALPHV/BlackCat ransomware gang has taken responsibility for the February 2024 breach of Change Healthcare, confirming long-standing suspicions within the cybersecurity community. The ransomware group claimed a $22 million ransom was paid in exchange for a decryption key. The attack severely affected pharmacies, payment systems, and healthcare providers across the U.S., prompting congressional investigations and regulatory scrutiny. Though UnitedHealth has not officially confirmed the payment, blockchain researchers had previously tracked a significant cryptocurrency transaction consistent with ransom behavior. The FBI and the Department of Health and Human Services continue to investigate the incident.
READ THE STORY: Insurance Journal
Hackers Use Social Engineering and Deepfake Voice Calls to Breach Corporate Networks
Bottom Line Up Front (BLUF): The FBI has issued a warning to U.S. law firms about ongoing callback phishing attacks by the Luna Moth group, also known as Silent Ransom Group (SRG). These attackers use IT-themed social engineering phone calls and phishing emails to install remote access tools, exfiltrate sensitive data, and extort victims.
Analyst Comments: Luna Moth’s campaign reflects a growing trend of hybrid attacks that combine traditional phishing with live social engineering calls. Their evolving tactics—impersonating internal IT staff and using legitimate remote access tools—make detection difficult and heighten the threat to enterprise environments. The legal sector, often custodians of high-value confidential data, is an attractive target. Organizations should implement stronger user verification for support requests, monitor use of tools like Rclone and WinSCP, and educate employees on recognizing callback phishing attempts.
FROM THE MEDIA: The FBI has issued a Private Industry Notification (PIN) detailing a surge in deepfake-enabled voice phishing (vishing) attacks targeting businesses across multiple sectors. Attackers use publicly available recordings, such as earnings calls and speeches, to train AI models capable of mimicking executives’ voices. These convincing synthetic voices are then used to call company staff, often requesting urgent funds transfers or access to internal systems. In several cases, attackers combined deepfake voice calls with spoofed email domains and phone numbers to increase credibility. The FBI urges companies to implement multi-factor verification for high-risk communications and educate employees on identifying social engineering attempts.
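The analyst comment above recommends monitoring for Rclone and WinSCP, the legitimate transfer tools Luna Moth is reported to use for staging and exfiltration. The following is an added example for this digest, not code from the FBI notice or any vendor: it classifies constructed process-creation events (Sysmon Event ID 1 style fields: Image, CommandLine, User, OriginalFileName) and raises the severity when rclone is invoked with a transfer verb against a cloud remote, or when the binary has been renamed but its PE OriginalFileName still reads rclone.exe. The field names, the sample events and the approved-user allowlist are assumptions made for the example.

```python
import json
import re
from pathlib import PureWindowsPath

# Tools the analyst comment calls out as used for data staging and exfiltration.
WATCHED_TOOLS = {"rclone.exe", "winscp.exe"}
RCLONE_TRANSFER_VERBS = {"copy", "copyto", "sync", "move", "moveto"}
# An rclone remote is written "name:path"; a Windows drive is "c:\path" and must not count.
_REMOTE_ARG = re.compile(r"^[a-z0-9_-]+:(?!\\)")


def parse_event(raw: str) -> dict:
    """Parse one JSON-encoded process-creation event (assumed Sysmon-style field names)."""
    return json.loads(raw)


def classify_event(ev: dict, approved_users=frozenset()):
    """Return a finding dict for a suspicious event, or None if it is benign or approved."""
    image = PureWindowsPath(ev.get("Image", "")).name.lower()
    original = ev.get("OriginalFileName", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    user = ev.get("User", "")

    # Match on the PE's OriginalFileName too, so a renamed rclone.exe is still caught.
    tool = image if image in WATCHED_TOOLS else original if original in WATCHED_TOOLS else None
    if tool is None:
        return None

    reasons = []
    if image != tool:
        reasons.append(f"binary renamed to {image} (OriginalFileName={original})")
    tokens = cmd.split()
    if tool == "rclone.exe":
        if any(t in RCLONE_TRANSFER_VERBS for t in tokens):
            reasons.append("rclone transfer verb on command line")
        if any(_REMOTE_ARG.match(t) for t in tokens):
            reasons.append("cloud remote named as a destination")

    severity = "high" if reasons else "medium"
    if severity == "medium" and user in approved_users:
        return None  # known administrator using the tool interactively: tuned out
    return {
        "user": user,
        "tool": tool,
        "severity": severity,
        "reasons": reasons or ["watched tool executed"],
    }


def scan_events(raw_events, approved_users=frozenset()):
    """Classify every event; return the list of findings in event order."""
    findings = []
    for raw in raw_events:
        finding = classify_event(parse_event(raw), approved_users)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs",
     "User": r"NT AUTHORITY\SYSTEM", "OriginalFileName": "svchost.exe"},
    {"Image": r"C:\Users\jdoe\AppData\Local\Temp\rclone.exe",
     "CommandLine": r"rclone.exe copy C:\Users\jdoe\Documents remote:backup --transfers 8",
     "User": r"CORP\jdoe", "OriginalFileName": "rclone.exe"},
    {"Image": r"C:\ProgramData\svc\update.exe",            # rclone renamed to look like an updater
     "CommandLine": r"update.exe sync D:\Finance mega:dump",
     "User": r"CORP\asmith", "OriginalFileName": "rclone.exe"},
    {"Image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe",
     "CommandLine": r'"C:\Program Files (x86)\WinSCP\WinSCP.exe"',
     "User": r"CORP\itadmin", "OriginalFileName": "winscp.exe"},
    {"Image": r"C:\Users\jdoe\Downloads\WinSCP.exe",
     "CommandLine": r'"C:\Users\jdoe\Downloads\WinSCP.exe"',
     "User": r"CORP\jdoe", "OriginalFileName": "winscp.exe"},
]]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS, approved_users={r"CORP\itadmin"}):
        print(f["severity"], f["user"], f["tool"], "; ".join(f["reasons"]))
```

The allowlist only suppresses medium-severity findings: an approved administrator running WinSCP interactively is tuned out, but the same account invoking rclone with a transfer verb toward a remote still fires, which is the behaviour the callback-phishing playbook relies on.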
READ THE STORY: THN
Critical GitHub MCP Server Vulnerability Exposes Repositories to Unauthorized Access
Bottom Line Up Front (BLUF): A critical vulnerability affecting GitHub's internal MCP (Monolith Control Plane) server could allow attackers to gain unauthorized access to internal repositories. Security researcher RyotaK reported the flaw, which has since been patched; GitHub rated it as “high severity” due to the potential for lateral movement and source code theft.
Analyst Comments: While there’s no evidence the flaw was exploited in the wild, the potential impact—unauthorized access to GitHub’s internal repositories—could have been severe. It also highlights the critical role of responsible disclosure and ongoing bug bounty programs in securing infrastructure at scale. Users of GitHub services should stay alert for downstream supply chain implications if internal code were compromised before patching.
FROM THE MEDIA: The issue was discovered and responsibly disclosed by RyotaK, a member of GitHub's Security Bug Bounty program. The vulnerability allowed privilege escalation and unauthorized repository access, raising concerns over potential internal source code exposure. GitHub acknowledged the report and swiftly remediated the issue, stating there was no indication of active exploitation. MCP servers are used internally and not exposed publicly, which helps limit the attack surface.
READ THE STORY: GBhackers
Items of interest
Dispelling Myths: What Autonomous Weapon Systems Can—and Can’t—Do Without Human Oversight
Bottom Line Up Front (BLUF): Michael C. Horowitz dispels three major myths surrounding U.S. policy on autonomous weapon systems (AWS), clarifying that current Department of Defense (DoD) directives neither prohibit AWS nor require a human “in the loop” at the tactical level. The 2023 revision of DoD Directive 3000.09 emphasizes human judgment and accountability, but does not restrict the development or deployment of fully autonomous systems.
Analyst Comments: Misunderstandings about AWS policy have become barriers to innovation, with military leaders and external observers often mischaracterizing the regulatory environment. This article emphasizes that autonomy in weapons is legally permissible under strict accountability conditions, and that human oversight exists through command authorization rather than real-time tactical intervention. Clarifying this policy is essential as the U.S. seeks to integrate AI-driven systems into future warfare, especially in communications-denied environments like the Indo-Pacific. The real issue isn’t whether AWS is allowed, but how its use can be aligned with ethical, legal, and operational norms under rapidly advancing technology.
FROM THE MEDIA: DoD Directive 3000.09, first published in 2012 and revised in 2023, does not ban any AWS, nor does it require a human operator to approve each tactical action. Instead, it mandates human judgment at the authorization stage, reinforced by legal and operational review processes. The directive also does not restrict research, development, or experimentation on AWS, requiring extra scrutiny only at the acquisition and deployment stages. Horowitz argues that misinterpreting this policy could hinder the U.S. from responsibly advancing military AI while maintaining global leadership and ethical standards in autonomous warfare.
READ THE STORY: War On The Rocks
Autonomy policy: Shaping the future of warfighting (Video)
FROM THE MEDIA: In a redux of one of Nexus 22's most newsworthy panels, Dr. Michael Horowitz, director of the Pentagon's emerging capabilities policy, returned to the stage with Sunmin Kim, public policy lead at Applied Intuition, for Nexus 23 to discuss a year’s worth of updates on lethal autonomous weapons (LAWS) policy, the role of rigorous T&E and V&V in approving LAWS, and methods of addressing common misconceptions about autonomous weapons systems.
Lethal Autonomous Weapon Systems: Where are we and what's next? (Video)
FROM THE MEDIA: Global diplomatic momentum is growing around the need to regulate Lethal Autonomous Weapon Systems (LAWS), but deep political divides, definitional ambiguity, and rapid technological development challenge progress. A majority of states now support legally binding rules to ensure meaningful human control over autonomous systems, yet consensus in UN-led multilateral processes remains elusive.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.