Wednesday, Jul 16, 2025 // (IG): BB // GITHUB // SN R&D
PROJECT UPDATE:
The project scrapes, parses, and dedupes stories every six hours. The output is not evaluated or curated, but it is a quick way to get a glimpse of the news and threat landscape.
NEWS:
NSA Says Volt Typhoon Failed to Persist in U.S. Critical Infrastructure
Bottom Line Up Front (BLUF): The NSA and FBI have stated that the Chinese state-sponsored campaign "Volt Typhoon" failed to maintain stealthy access to U.S. critical infrastructure networks, particularly those supporting the Navy and Guam. U.S. agencies, aided by private-sector collaboration, detected and disrupted the campaign’s tactics, forcing Chinese actors to retreat and reassess.
Analyst Comments: Volt Typhoon's failure is significant in operational terms and as a messaging tool to degrade adversary morale and credibility. It demonstrates how transparency, private-sector cooperation, and public attribution can be force multipliers in national cyber defense. However, as China adapts, future campaigns may evolve more quickly, leveraging different techniques such as supply chain compromises or exploiting trusted service models. This underscores the importance of continuous monitoring and rapid threat sharing.
FROM THE MEDIA: At the 2025 International Conference on Cyber Security, NSA’s Kristina Walter and the FBI’s Brett Leatherman confirmed that Volt Typhoon, a Chinese campaign aimed at U.S. critical infrastructure, was disrupted before achieving long-term persistence. The campaign sought to pre-position covertly inside networks so that the access could be used during a potential conflict over Taiwan. Instead, joint efforts by the NSA, the FBI, and private partners led to its exposure and rollback. Leatherman also described a real-time cyber confrontation between the FBI and Chinese hackers from the Integrity Technology Group, involved in the Flax Typhoon campaign, culminating in the attackers burning their infrastructure after realizing they had targeted U.S. government servers. Officials stressed that China's cyber efforts operate as a sprawling ecosystem involving academia, private companies, and state actors, making attribution and counteraction complex but essential.
READ THE STORY: The Record
Ukrainian cyberattack 'paralyzes' major Russian drone supplier, source claims
Bottom Line Up Front (BLUF): Ukraine’s military intelligence (HUR), in coordination with cyber volunteer groups, has conducted a major cyberattack on Gaskar Group, a key Russian defense contractor. The attack reportedly disabled critical infrastructure, erased 47 terabytes of technical data, and stole sensitive UAV documentation. Gaskar supplies drones to the Russian military, making the incident a significant disruption to Russia’s drone war capabilities.
Analyst Comments: By targeting the backend of Russia's drone production infrastructure, Ukraine aims to disrupt current operations and future UAV development. The exfiltrated technical data could offer Ukraine insights for electronic countermeasures or help reverse-engineer Russian drone models. This attack also underscores the growing fusion of cyber and kinetic operations in modern warfare. However, if confirmed, such actions could raise legal and ethical questions regarding targeting civilian-linked defense industries under international law.
FROM THE MEDIA: On July 15, 2025, sources within Ukraine’s military intelligence told multiple outlets that the HUR, along with the BO Team and Ukrainian Cyber Alliance, carried out a coordinated cyber operation against Moscow-based Gaskar Group. The company, closely linked to Deputy PM Marat Khusnullin, is a major supplier of UAVs to the Russian armed forces. Hackers reportedly seized and erased 47TB of drone-related data and wiped 10TB of backups. The attack shut down internet access, accounting systems, and even physical access controls at the company’s development facility, rendering it inoperable. Ukrainian forces now possess design documents and employee records. Gaskar’s website remained online as of publication, but internal operations appear severely affected.
READ THE STORY: The Kyiv Independent // United 24
Ex-US Soldier Pleads Guilty to Telecom Hacking and Extortion Scheme
Bottom Line Up Front (BLUF): Cameron John Wagenius, a former U.S. Army soldier, has pleaded guilty to multiple cybercrime charges, including hacking telecom networks, extortion, and identity theft. Operating under the alias "kiberphant0m," he targeted AT&T and other telecom firms while on active duty, using stolen credentials and brute-force tools to exfiltrate data and attempt to extort at least $1 million from the victims.
Analyst Comments: Wagenius’s online activity — including attempts to sell data to foreign intelligence and searches on defecting from the U.S. — raises red flags about the risk of disgruntled insiders with access to sensitive infrastructure. His operational sloppiness (e.g., Google searches like “can hacking be treason”) ultimately aided law enforcement. Going forward, telecom providers and government agencies will likely face increased pressure to detect rogue access patterns and enforce stricter personnel vetting, especially among those with access to national communication infrastructure.
FROM THE MEDIA: Wagenius, aged 21, pleaded guilty to a range of federal charges tied to a cybercrime conspiracy that ran from April 2023 to December 2024. He and co-conspirators used brute-force techniques and stolen credentials to gain access to telecom databases, including those of AT&T and Verizon. They exfiltrated sensitive call logs, some allegedly linked to public figures like Donald Trump and Kamala Harris, and sold or leveraged the data on forums like BreachForums. Wagenius also explored defecting to non-extradition countries and attempted to sell data to a foreign intelligence agency. Prosecutors have also connected him to the high-profile Snowflake extortion campaign in 2024. His sentencing is scheduled for October 6, 2025, at which he faces a potential sentence of more than 20 years in prison.
READ THE STORY: The Register
Iranian APT ‘Intelligence Group 13’ Intensifies Cyber Strikes on U.S. Critical Infrastructure
Bottom Line Up Front (BLUF): A state-sponsored Iranian APT group known as "Intelligence Group 13" has reportedly ramped up cyberattacks on U.S. critical infrastructure, including water systems, in retaliation for recent U.S. actions against Iranian nuclear facilities. Operating under the IRGC’s cyber command, the group uses sophisticated malware and psychological warfare tactics to preposition in ICS environments and sow fear among civilian populations.
Analyst Comments: Intelligence Group 13 appears to operate under a compartmentalized, state-corporate model similar to Chinese and Russian cyber units, suggesting future resilience against sanctions or takedowns. U.S. critical infrastructure, especially ICS-dependent sectors like water and energy, remains a high-value target due to its operational fragility and visibility. The dual-use of propaganda platforms and technical sabotage underscores the growing convergence between information warfare and cyberterrorism.
FROM THE MEDIA: Iran’s Islamic Revolutionary Guard Corps (IRGC) has activated its elite cyber subunit, Intelligence Group 13, to conduct retaliatory cyberattacks on American industrial and civilian systems. This group, operating under the Shahid Kaveh Cyber Group, is held responsible for the November 2023 breach of a Pennsylvania water facility, in which internet-exposed Unitronics PLCs still running with default credentials were accessed and defaced rather than exploited through a software flaw. The attacks include malware prepositioning, credential phishing, and infiltration of ICS environments. Leadership includes Hamidreza Lashgarian and Reza Salarvand, with operations reportedly supported by sanctioned Iranian contractors like Ayandeh Sazan Sepehr Aria and Mahak Rayan Afraz. Psychological warfare is also in play, with defacement leaks and taunts disseminated through Telegram via channels like @CyberAveng3rs.
READ THE STORY: GBhackers
NATO Urged to Adapt Article 5 for Hybrid Warfare Amid Rising Russian Threats
Bottom Line Up Front (BLUF): A detailed analysis by Romanian SOF officer Ciprian Clipa argues that NATO’s current framework for collective defense—rooted in conventional warfare—must evolve to address Russia’s increasingly sophisticated hybrid warfare tactics. Drawing on recent attacks in the Wider Black Sea Region, the article proposes a more flexible and regionally focused application of Article 5 that accounts for disinformation, cyberattacks, and algorithmic manipulation.
Analyst Comments: The Romanian case—where Russian-supported disinformation nearly upended democratic governance—highlights how soft-power sabotage can yield strategic results without crossing conventional red lines. A region-specific, effects-based model with graduated response mechanisms could bolster deterrence and operational readiness. NATO must act before such hybrid campaigns escalate into kinetic conflicts, as history has already shown in Georgia and Ukraine.
FROM THE MEDIA: In Romania’s 2024 presidential election, coordinated TikTok manipulation nearly secured a pro-Moscow candidate, prompting Romania’s Constitutional Court to annul the vote. Russia’s pattern of cyber, psychological, and sabotage operations in Bulgaria, Moldova, and Ukraine suggests a systematic effort to destabilize NATO’s southeastern flank. While NATO has acknowledged cyber and hybrid threats in recent summits, implementation lags. The piece advocates for a Hybrid Defense Hub in the Black Sea region and calls for NATO to develop proportional offensive cyber capabilities and a scalable Article 5 framework tailored to hybrid threats.
READ THE STORY: Small Wars Journal
Huawei Returns to Spanish Infrastructure with $12M Surveillance Storage Deal
Bottom Line Up Front (BLUF): Huawei has regained a foothold in Spain through a $12 million contract to manage the storage of legally intercepted communications for the country's security agencies. This deal comes despite the company being previously excluded from Spain’s 5G infrastructure over national security concerns.
Analyst Comments: While private telecoms like Telefónica, Orange, and Vodafone have moved away from Huawei due to geopolitical and security pressures, the Spanish government’s decision suggests a risk tradeoff favoring cost efficiency and technical capability. This may set a precedent for other EU nations struggling to balance security concerns with procurement constraints. It also reflects China's continued strategic push into global surveillance and data-handling infrastructure despite Western resistance.
FROM THE MEDIA: The company will supply OceanStor 6800 V5 servers to handle storage of intercepted communications, reviving its presence in Spain's critical systems. Previously, Huawei had been phased out of the nation’s 5G core following pressure from allies and domestic security agencies. Internal opposition reportedly exists within law enforcement entities like the National Police and Civil Guard, which are concerned about entrusting sensitive judicial data to a China-based vendor. However, cost-effectiveness and prior involvement in Spain’s SITEL system likely influenced the decision.
READ THE STORY: CyberNews
Salt Typhoon Hack Exposed: Chinese Group Compromised US National Guard Networks Nationwide
Bottom Line Up Front (BLUF): A newly surfaced Department of Homeland Security memo confirms that the Chinese-linked hacking group Salt Typhoon extensively infiltrated the Army National Guard network of one U.S. state in 2024. The breach spanned nine months and enabled exfiltration of network configurations and data traffic exchanged with Guard counterparts in every other state and at least four U.S. territories.
Analyst Comments: The targeting of National Guard units — often closely tied to state-level critical infrastructure protection — is especially concerning. This breach could weaken decentralized U.S. cyber defense capabilities and compromise threat-sharing operations via state fusion centers. It underscores how state-level assets are increasingly viewed as soft targets in nation-state cyber warfare and may prompt urgent federal investment in securing National Guard cyber infrastructure.
FROM THE MEDIA: The attackers reportedly exfiltrated maps and interconnectivity data, affecting communications with National Guard units nationwide and in four U.S. territories. The DHS and Pentagon highlighted the long-term implications of the breach, warning it could undermine localized cybersecurity efforts and disrupt the flow of cyber threat intelligence. The memo confirms Salt Typhoon's growing reputation as one of the most dangerous and strategically capable Chinese cyber actors, with U.S. officials suspecting the group of preparing for critical infrastructure sabotage. Beijing has denied any involvement.
READ THE STORY: Reuters
Organized Crime Networks Exploiting Insider Threats With Advanced Tactics
Bottom Line Up Front (BLUF): Insider threats are no longer isolated incidents involving disgruntled employees. Criminal organizations are increasingly embedding operatives, coercing staff, and using social engineering and AI-powered deception to gain access to corporate environments. These tactics are being used not only for espionage and sabotage but also to fund nation-state agendas, such as North Korea’s weapons programs.
Analyst Comments: Threat actors exploit economic pressure, social engineering, and anonymity tools to turn employees into access points. Organizations must abandon outdated, reactive approaches in favor of behavioral analytics, zero-trust architectures, and proactive insider threat education. Collaboration across industries and governments is now essential to stay ahead of increasingly professionalized insider recruitment campaigns.
FROM THE MEDIA: Notable examples include North Korean IT operatives infiltrating major Western firms using fake identities, and ransomware groups like LockBit and DoNex bribing employees via dark web channels. Other tactics involve coercion and emotional manipulation, such as the Scattered Spider group impersonating IT staff to trick employees into deploying malware. These campaigns often bypass traditional perimeter defenses and require organizations to reevaluate their internal monitoring, data protection strategies, and employee support programs. Experts stress the need for cross-sector collaboration and the implementation of adaptive, zero-trust-based defense strategies.
READ THE STORY: DR
US Blocks Suirui’s Acquisition of Defense Contractor Jupiter Systems Over China Cyber Ties
Bottom Line Up Front (BLUF): The U.S. government has ordered the unwinding of Hong Kong-based Suirui International’s 2020 acquisition of Jupiter Systems, a defense-oriented audiovisual technology firm. The Committee on Foreign Investment in the United States (CFIUS) cited national security concerns due to Suirui’s deep past relationship with Integrity Technology Group, a Beijing-based company linked to the Chinese cyberespionage group Flax Typhoon.
Analyst Comments: Although Suirui itself was not under U.S. sanctions, its longstanding role as a top supplier of cyber services to Integrity Technology — a sanctioned firm accused of operating botnets and aiding Chinese state-sponsored hacks — raised sufficient red flags. The divestment suggests that prior commercial ties to state-affiliated Chinese threat actors are now grounds for retroactive review and action, especially when critical U.S. networks or infrastructure are potentially exposed.
FROM THE MEDIA: Jupiter, whose clients include the CIA, NSA, and NASA, was acquired in 2020 by Suirui, a Chinese video-conferencing firm. While neither Suirui nor its parent company is sanctioned, Kharon research revealed that it previously supplied cyber exploitation services to Integrity Technology Group — a Beijing firm designated in 2025 for supporting state-linked cyberattacks. Integrity was connected to the Flax Typhoon campaign and a major botnet takedown announced by the DOJ. Suirui was named as Integrity’s top supplier in 2020 and provided services well beyond its stated business scope. Treasury and CFIUS cited these ties as central to the decision, marking a major escalation in outbound investment security enforcement.
READ THE STORY: Kharon
Curl Creator Considers Ending Bug Bounty Amid Surge in AI-Generated Security Report "Slop"
Bottom Line Up Front (BLUF): Daniel Stenberg, creator of the widely used Curl utility, is considering shutting down its bug bounty program due to an influx of low-quality, AI-generated vulnerability reports. These submissions, which he calls “AI slop,” now account for about 20% of incoming reports in 2025, significantly straining the small security team’s resources. Only 5% of recent reports have turned out to be valid vulnerabilities.
Analyst Comments: As LLMs become more accessible, inexperienced users flood bug bounty programs with unverified, hallucinated flaws. If left unchecked, this could discourage maintainers, reduce meaningful participation, and degrade community trust in responsible disclosure processes. Updated bounty frameworks that adapt to AI-era abuse vectors are urgently needed, especially for high-impact tools like Curl.
FROM THE MEDIA: Curl maintainer Daniel Stenberg reported a surge in invalid bug bounty reports generated with generative AI tools, reaching eight times the usual rate in early July. Since its inception in 2019, Curl’s HackerOne-based bounty program has awarded over $90,000 across 81 findings. However, as AI-generated submissions ballooned in 2025, the proportion of legitimate findings plummeted. Currently, Curl’s policy discourages but doesn’t ban AI-assisted submissions. Stenberg says each report can take hours to triage—an unsustainable load for the project’s small team. Other open-source maintainers, including those from Python and Open Collective, have echoed similar concerns about being “flooded” with AI-generated reports.
READ THE STORY: The Register
Items of interest
Russia-Linked Storm-1516 Spoofs Journalists in Sophisticated European Disinformation Campaign
Bottom Line Up Front (BLUF): Researchers have linked recent disinformation attacks across Europe to the Kremlin-backed group Storm-1516. The campaign impersonated real journalists to publish false stories through spoofed media websites, targeting political figures and nuclear companies in France, Armenia, Germany, Moldova, and Norway.
Analyst Comments: Hijacking journalists' identities raises the stakes for media integrity and challenges existing detection mechanisms. With upcoming elections and geopolitical summits, this operation may signal broader plans to sow discord across Western democracies. Governments and media organizations must bolster verification and legal frameworks to counter this increasingly personalized information warfare.
FROM THE MEDIA: Disinformation watchdog Gnida Project uncovered that Storm-1516, a Russian-aligned actor active since at least 2023, launched a campaign using spoofed news websites and real journalists' identities. One fake outlet, “Courrier France 24,” published fabricated stories about French nuclear firm Orano and Armenia's prime minister. Other fake reports targeted German Chancellor Friedrich Merz, Moldovan President Maia Sandu, and Norwegian environmental policy. The articles falsely claimed everything from embezzlement to ecological crises, using real reporters' names and photos without consent. Journalists and their media outlets are pursuing legal action. Authorities and researchers warn this group’s tactics threaten to undermine European public discourse and trust in legitimate media institutions.
READ THE STORY: The Record
Latest Developments in Combating Russian Influence Operations in CEE: Voice of Europe and Storm 1516 (Video)
FROM THE MEDIA: Ms. Nathalie Vogel discusses "Latest Developments in Combating Russian Influence Operations in CEE: Voice of Europe and Storm 1516."
How a false story about assassinating Tucker Carlson spread from a Russian disinformation campaign (Video)
FROM THE MEDIA: This is how one Russian propaganda campaign started. Successful efforts to spread disinformation, including this false conspiracy theory about Ukraine and #TuckerCarlson, have reached huge American audiences, top political creators and even members of Congress.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.