Tuesday, Jul 22, 2025 // (IG): BB // GITHUB // SN R&D
PROJECT UPDATE:
This scrapes, parses, and dedupes stories every six hours. It’s not evaluated, but it’s a great way to get a glimpse of the news/threat-scape.
NEWS:
DNI Gabbard Accuses Obama-Era Intel Officials of 2016 Russia Meddling “Conspiracy,” But Records Contradict Claim
Bottom Line Up Front (BLUF): Director of National Intelligence Tulsi Gabbard has submitted a criminal referral to the Department of Justice, alleging that Obama-era intelligence officials conspired to politicize assessments of Russian interference in the 2016 election. However, declassified records cited in her memo do not support claims of a cover-up or misrepresentation. Public and internal statements from 2016 consistently concluded that Russia did not alter vote counts but did conduct cyber-enabled influence operations.
Analyst Comments: By conflating Russia’s documented information operations with nonexistent cyberattacks on election infrastructure, the ODNI risks undermining confidence in its own analysis. The enduring takeaway from multiple bipartisan investigations is that while Russia’s cyber operations targeted perception, there was no technical compromise of vote tabulation systems. Gabbard’s assertions, absent new evidence, could damage inter-agency trust and weaken the credibility of future intelligence warnings—particularly ahead of 2026 and 2028 election cycles where foreign influence is expected to intensify.
FROM THE MEDIA: She claims internal ODNI documents contradict what officials said publicly. The released memos reiterate that Russia did not manipulate vote counts—a position long held publicly and in sworn congressional testimony. They do not challenge the established finding that Russian actors used cyber means to exfiltrate DNC data and spread it via WikiLeaks and social media. Bipartisan investigations, including a 2020 Senate Intelligence Committee report, continue to affirm that Russia engaged in a broad influence operation to aid Donald Trump’s campaign. Critics, including congressional intelligence leaders, argue that Gabbard’s claims repackage debunked theories and distort historical record.
READ THE STORY: Defense One
UK and OpenAI Forge Strategic Partnership to Advance AI Security and Infrastructure
Bottom Line Up Front (BLUF): The UK government and OpenAI have signed a strategic partnership to deepen collaboration on AI safety and explore investment in British AI infrastructure, including data centers. The agreement aligns with the UK’s ambition to become a global AI leader, as set out in Prime Minister Keir Starmer’s “AI Opportunities Action Plan.”
Analyst Comments: By formalizing ties with OpenAI, the government is signaling its intent to combine regulatory leadership with practical collaboration in emerging technologies. While the deal promises economic benefits and job creation, it also reflects broader geopolitical dynamics, as the UK seeks to keep pace with AI powerhouses like the U.S., China, and India. However, it may also renew scrutiny over Big Tech’s role in shaping public digital infrastructure and policy.
FROM THE MEDIA: The collaboration includes potential expansion of OpenAI’s London office and involvement in public-sector AI deployments across justice, defense, and education. OpenAI CEO Sam Altman praised the UK’s AI-forward stance, referencing the government’s AI Opportunities Action Plan. The UK has committed £1 billion to enhance its AI computing infrastructure and hopes to increase public compute capacity twentyfold over the next five years. The government believes AI adoption could add £47 billion to the economy annually, improving productivity by 1.5%.
READ THE STORY: Reuters
Salt Typhoon Breach of U.S. National Guard Highlights China’s Strategic Cyber Foothold in Defense Networks
Bottom Line Up Front (BLUF): From March to December 2024, the Chinese state-sponsored group Salt Typhoon compromised a U.S. Army National Guard unit, gaining persistent access to internal communications and sensitive infrastructure data. This access extended to intercepting traffic from Guard networks across all 50 states and four U.S. territories, raising major concerns about the group’s long-term espionage and sabotage capabilities.
Analyst Comments: Salt Typhoon’s focus on creating persistence aligns with Beijing's broader cyber strategy: pre-positioning for disruption in the event of military conflict over Taiwan. Blending state-sponsored cyber units with private contractors accelerates vulnerability discovery and exploitation. Defense and civilian networks integrated with Guard systems—especially those involved in public safety, elections, or law enforcement—should be considered at risk and evaluated for lateral movement.
FROM THE MEDIA: A newly surfaced DHS memo reveals that Chinese APT group Salt Typhoon infiltrated a U.S. Army National Guard network for at least nine months in 2024. The hackers exfiltrated internal maps, communications, and service member PII, and used the breach to intercept data from other state and territory Guard units. The operation did not disrupt missions but is still under investigation. Salt Typhoon has previously compromised major U.S. telecoms, presidential campaigns, and lawful surveillance infrastructure. The memo highlights the group’s shift from pure espionage to maintaining dormant access within defense and critical infrastructure systems. Salt Typhoon, alongside stealthier sibling group Volt Typhoon, is believed to be preparing for rapid digital sabotage in the event of geopolitical escalation.
READ THE STORY: CPO MAG
UK blames Russia’s infamous ‘Fancy Bear’ group for Microsoft cloud hacks
Bottom Line Up Front (BLUF): The UK government has formally attributed recent Microsoft cloud account breaches to Russia's APT28 (Fancy Bear) and imposed sanctions on 18 operatives from GRU units. The attacks leveraged the sophisticated "Authentic Antics" malware to steal credentials from targeted users by exploiting OAuth tokens and spoofed login prompts.
Analyst Comments: This attribution marks a significant escalation in public naming-and-shaming tactics aimed at Russian cyber operations. By outing GRU officers and detailing their malware toolkit, the UK sends a clear deterrence signal while reinforcing transparency as a counterespionage measure. These developments also highlight the shift in nation-state threats toward stealthy, cloud-targeted espionage, posing new challenges for detection and response. As the geopolitical stakes rise, especially around Ukraine and NATO interests, further retaliatory cyber or diplomatic measures are likely.
FROM THE MEDIA: The UK’s National Cyber Security Centre (NCSC) officially linked a series of Microsoft cloud account intrusions to APT28, the Russian GRU-linked hacking group known as Fancy Bear. These intrusions involved “Authentic Antics,” a stealth malware tool designed to steal Office credentials through OAuth token theft and fake login prompts. In response, the UK sanctioned 18 named GRU officers across Units 26165, 29155, and 74455. Foreign Secretary David Lammy described the campaign as part of a broader Russian effort to destabilize Europe and undermine Ukrainian sovereignty. According to NCSC, the malware avoids traditional command-and-control channels, complicating detection and suggesting a highly targeted use against sensitive Western entities.
READ THE STORY: CSO
Spain Awards Huawei Wiretap Contract, Undermining EU Telecom Security Policy
Bottom Line Up Front (BLUF): Spain has granted Huawei a €12.3 million contract to manage police wiretap data, despite EU efforts to eliminate high-risk Chinese vendors from critical infrastructure. This move contradicts European policy on 5G security and exposes sensitive law enforcement communications to potential Chinese state access under China's 2017 Intelligence Law.
Analyst Comments: Spain’s decision reflects Europe’s ongoing struggle to implement a unified stance on Chinese technology risk. While the EU pushes for de-risking through frameworks like the 5G Toolbox and NIS2 Directive, national interests override collective security goals. The Huawei contract reinforces the structural vulnerability created by fragmented implementation of cybersecurity policy across member states. Long term, inconsistent enforcement may erode trust within intelligence-sharing alliances and complicate collective threat response across NATO and the EU.
FROM THE MEDIA: The €12.3 million contract involves Huawei’s OceanStor servers, despite Spain’s prior commitments to remove Chinese vendors from its 5G infrastructure. The move raises concerns over compliance with EU cybersecurity directives and comes amid broader scrutiny of Huawei’s role in critical European infrastructure. Critics point to China’s 2017 National Intelligence Law, which allows the state to compel private companies to share data. The decision highlights the lack of cohesion across EU member states on managing supply chain risk from Chinese ICT vendors.
READ THE STORY: ASPI
Nvidia Brings CUDA to RISC-V as China Accelerates CPU Independence
Bottom Line Up Front (BLUF): Nvidia has announced official support for its CUDA platform on RISC-V CPUs, marking a significant step in broadening GPU compute compatibility beyond x86 and Arm. The announcement was made during the RISC-V Summit in China, where domestic chipmakers like Alibaba’s T-Head and the Xiangshan project are racing to develop high-performance RISC-V CPUs for servers and PCs.
Analyst Comments: This move positions Nvidia to future-proof its GPU ecosystem against shifting geopolitical landscapes and evolving CPU architectures, especially in Asia. By aligning CUDA with RISC-V, Nvidia gains flexibility to support emerging markets like China, which are moving away from Western x86 and Arm processors. If Nvidia pairs RISC-V CPUs with its accelerators in a datacenter setting, it could help reshape the global AI hardware supply chain. However, challenges remain—particularly in large-scale RISC-V systems' software maturity and performance tuning.
FROM THE MEDIA: The announcement was made at the RISC-V Summit in China, a strategic location given China’s push to adopt RISC-V for sovereignty in computing. Chinese companies such as Alibaba’s T-Head (C930 core) and the Xiangshan project are developing chips that rival Arm's Neoverse N2, potentially serving as CUDA-capable hosts. While Nvidia has long embedded RISC-V cores inside GPUs for tasks like power management, this is the first time full CUDA host support has been enabled. The decision coincides with resumed U.S. export approval for Nvidia’s China-specific H20 GPUs, suggesting coordinated commercial and geopolitical timing.
READ THE STORY: The Register
APT41 Targets African IT Systems in Sophisticated Espionage Campaign
Bottom Line Up Front (BLUF): China-linked APT41 has launched a targeted cyber espionage operation against African government IT infrastructure, leveraging a blend of malware, credential theft tools, and compromised SharePoint servers for command and control. The attack marks a geographic expansion for the group, previously less active in Africa, and utilizes a mix of custom malware and red-team tools to evade detection.
Analyst Comments: The group maintains stealth while compromising critical systems by combining living-off-the-land techniques with publicly available penetration testing frameworks. The use of language pack checks and domain masquerading tactics highlights a deliberate attempt to bypass regional defenses and target specific victims. This underscores the need for African institutions to strengthen internal monitoring and apply zero-trust principles, especially to assets like SharePoint, which are increasingly exploited as covert C2 hubs.
FROM THE MEDIA: Kaspersky has attributed a new cyber espionage campaign to APT41, a Chinese nation-state actor, which is now targeting African IT networks—an area the group historically overlooked. The campaign involves credential harvesting, lateral movement, and the deployment of Cobalt Strike beacons via DLL side-loading. A key tactic was using a compromised internal SharePoint server as a command-and-control system, with attackers distributing malware via SMB and executing commands through a malicious web shell. The malware avoids systems using East Asian language packs and downloads additional payloads from fake domains mimicking GitHub. Tools such as Mimikatz, RawCopy, Impacket, and modified stealers were used to extract credentials, system info, and browser data, blending traditional APT techniques with tools normally seen in red team operations.
READ THE STORY: THN
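The APT41 item above notes that the malware fetched additional payloads from fake domains mimicking GitHub. The script below is an added example written for this digest, not Kaspersky's or any vendor's code: it scans resolver log lines for registrable domains that imitate GitHub without being on an allowlist of genuine GitHub domains. The log format, the allowlist, the multi-part TLD table and every domain in the sample are constructed assumptions; a production version would use the Public Suffix List and the organisation's own allowlist.

```python
"""Flag DNS lookups for domains that imitate GitHub.

Added example for the APT41 item above (not Kaspersky's or the project's code).
The log format and every domain below are constructed for illustration.
"""
import re
from typing import List, Tuple

# Domains that legitimately serve GitHub traffic (assumed allowlist; extend for your estate).
LEGIT_GITHUB = {
    "github.com",
    "github.io",
    "githubusercontent.com",
    "githubassets.com",
    "github.dev",
}

# Suffixes treated as one registrable unit; a real deployment would use the Public Suffix List.
MULTI_PART_TLDS = {"co.uk", "com.cn", "org.uk"}

# Constructed resolver log lines: "<time> <client-ip> query <fqdn>".
SAMPLE_DNS_LOG = """\
2025-07-21T09:14:02Z 10.20.1.15 query api.github.com
2025-07-21T09:14:05Z 10.20.1.15 query raw.githubusercontent.com
2025-07-21T09:15:11Z 10.20.1.42 query update.githubb.com
2025-07-21T09:15:12Z 10.20.1.42 query cdn.glthub-releases.net
2025-07-21T09:16:40Z 10.20.1.77 query mail.example.co.uk
2025-07-21T09:17:03Z 10.20.1.42 query assets.git-hub.cn
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+(\S+)$")


def registrable_domain(fqdn: str) -> str:
    """Reduce an FQDN to its registrable part (example.co.uk, github.com)."""
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_PART_TLDS:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance; inputs are single DNS labels, so cost is negligible."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_github(domain: str) -> bool:
    """True for a registrable domain that is not GitHub but is styled to resemble it."""
    if domain in LEGIT_GITHUB:
        return False
    leftmost = domain.split(".")[0]
    tokens = leftmost.split("-")
    # "git-hub" and "githubb" both contain the brand once hyphens are removed
    if "github" in "".join(tokens):
        return True
    # one-character swaps such as "glthub" are caught per hyphen-separated token
    return any(len(t) >= 5 and levenshtein(t, "github") <= 1 for t in tokens)


def find_lookalikes(log_text: str) -> List[Tuple[str, str]]:
    """Return (client_ip, fqdn) pairs whose registrable domain imitates GitHub."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        _, client, fqdn = m.groups()
        if looks_like_github(registrable_domain(fqdn)):
            hits.append((client, fqdn))
    return hits


if __name__ == "__main__":
    for client, fqdn in find_lookalikes(SAMPLE_DNS_LOG):
        print(f"{client} -> {fqdn}")
```

The allowlist matters more than the matcher: genuine GitHub properties not listed (githubstatus.com, for instance) would be flagged, so the list should be built from the organisation's observed traffic before the rule is put on alert. The match on a single client that resolves several lookalikes in quick succession is the pattern worth escalating.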
Google and OpenAI AI Models Win Gold at International Math Olympiad
Bottom Line Up Front (BLUF): For the first time, AI systems from Google and OpenAI earned gold-medal scores at the 2025 International Mathematical Olympiad (IMO), solving five of six complex problems. The breakthrough demonstrates how advanced reasoning models, operating in natural language, are closing in on human-level performance in formal mathematics.
Analyst Comments: This achievement is a milestone in AI’s evolution from pattern recognition to abstract reasoning. It underscores the growing potential of AI not only as a problem-solving assistant but also as a collaborator in mathematical and scientific research. The shift to natural language reasoning makes AI more accessible and interpretable, but it also raises critical questions about verification, trust, and attribution in academic work. As these models approach the capacity to tackle unsolved research problems, their integration into peer-reviewed science will demand new standards of rigor, reproducibility, and ethical oversight.
FROM THE MEDIA: Both models solved five problems using general-purpose reasoning capabilities, rather than traditional symbolic or formal methods. OpenAI’s success was powered by a new experimental model with extended compute time and massive parallelism. In contrast, Google’s Gemini Deep Think model worked within standard time constraints and used natural language exclusively. Researchers, including former IMO gold medalist and Google scientist Junehyuk Jung, said this breakthrough could lead to AI systems contributing to frontier-level mathematical research within the year. Official IMO judges certified the results, with broader disclosure planned for July 28.
READ THE STORY: Reuters
Ukraine Attributes AI-Driven LameHug Malware Attacks on Defense Sector to Russia-Backed APT28
Bottom Line Up Front (BLUF): CERT-UA has identified a new AI-powered malware campaign dubbed LameHug. The campaign targets Ukraine's defense sector and is attributed with moderate confidence to APT28, a Russian state-aligned threat actor. The malware uses a large language model (LLM) to autonomously generate system commands and exfiltrate sensitive data from infected machines.
Analyst Comments: This AI-enhanced functionality reduces the need for operator input and makes detection more complex due to the variability in behavior. APT28’s continued operations in Ukraine align with broader Russian objectives to weaken and destabilize critical sectors through persistent espionage. Using compromised legitimate infrastructure for command-and-control further blurs attribution and detection, requiring defenders to improve behavioral and AI-driven detection mechanisms.
FROM THE MEDIA: Ukraine’s national CERT (CERT-UA) has discovered a cyber espionage campaign involving a new Python-based malware known as LameHug, which utilizes LLM technology to execute dynamically generated system commands. The malware was distributed via phishing emails masquerading as official communications and embedded in ZIP archives containing PIF executables. Once executed, LameHug collects system data, searches for Office and PDF documents, and exfiltrates them using C2 servers hosted on hijacked legitimate websites. The attacks have been attributed with moderate confidence to APT28, a Russian GRU-linked threat group also known as Fancy Bear or Forest Blizzard. The campaign follows a pattern of recent activity from APT28 across Europe and the UK, where similar malware campaigns were publicly attributed and sanctioned.
READ THE STORY: Industrial
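The LameHug item above describes delivery through phishing emails carrying ZIP archives that contain PIF executables. The script below is an added example written for this digest, not CERT-UA's code: it triages a ZIP attachment for members that Windows would execute, checking both the file extension (including document-looking double extensions such as report.pdf.pif) and the MZ header that a renamed Windows executable still carries. The archive is constructed in memory, the "executable" member is only an MZ header plus padding, and the extension list is an assumed policy, not one taken from the report.

```python
"""Triage a ZIP attachment for Windows executables hiding behind PIF and double extensions.

Added example for the LameHug item above (not CERT-UA's code). The archive built
below is constructed in memory; the "executable" member is an MZ header and padding only.
"""
import io
import zipfile
from typing import Dict, List

# Extensions Windows will run directly once a user extracts the archive (assumed policy list).
EXEC_EXTENSIONS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs"}
MZ_MAGIC = b"MZ"  # DOS/PE header signature shared by .exe, .scr and PE-based .pif files


def build_sample_archive() -> bytes:
    """Construct a lure-style ZIP: a benign PDF, a text file, and a PE-like file named as a PIF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice_2025.pdf", b"%PDF-1.4\n% constructed placeholder\n")
        zf.writestr("Order_details.pdf.pif", MZ_MAGIC + b"\x90" * 62 + b"\x00" * 64)
        zf.writestr("notes/readme.txt", b"plain text, not executable\n")
    return buf.getvalue()


def triage_archive(zip_bytes: bytes) -> Dict[str, List[str]]:
    """Return member names grouped by why they were flagged."""
    findings: Dict[str, List[str]] = {"by_extension": [], "by_magic": [], "double_extension": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            base = name.rsplit("/", 1)[-1].lower()
            parts = base.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if ext in EXEC_EXTENSIONS:
                findings["by_extension"].append(name)
                # "report.pdf.pif": a document-looking name in front of an executable suffix
                if len(parts) > 2:
                    findings["double_extension"].append(name)
            # Read only the first two bytes, so an oversized member cannot exhaust memory
            with zf.open(info) as member:
                if member.read(2) == MZ_MAGIC:
                    findings["by_magic"].append(name)
    return findings


def should_quarantine(zip_bytes: bytes) -> bool:
    """Policy: hold the attachment if any member is executable by extension or by content."""
    f = triage_archive(zip_bytes)
    return bool(f["by_extension"] or f["by_magic"])


if __name__ == "__main__":
    sample = build_sample_archive()
    print(triage_archive(sample))
    print("quarantine:", should_quarantine(sample))
```

Checking the header as well as the name is the point: an attacker who renames the executable to an unlisted extension defeats the first test but not the second, while a member whose name ends in .pif but whose content is not a PE still trips the extension rule. Encrypted archives would need the password before members can be read, which is itself a reason to hold them.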
Global Tech Firms Expand AI Capabilities Through Indian Back Offices
Bottom Line Up Front (BLUF): Multinational corporations such as McDonald’s, Bupa, and Tesco are increasingly establishing AI-focused global capability centers (GCCs) in India to overcome hiring shortages and high costs in the U.S. and Europe. These centers, once known for IT support roles, are now handling core business functions—such as big-data analytics, AI model training, and infrastructure monitoring—that directly impact profitability.
Analyst Comments: India’s evolving GCC landscape reflects a structural shift in global tech resourcing, driven by AI talent scarcity in developed economies. This development positions India not merely as a back-office service provider but as a central node in strategic AI development pipelines. The move aligns with a broader trend of decentralizing AI operations to tap into emerging-market expertise. However, challenges in digital infrastructure and talent retention could limit scalability, particularly outside tier-one cities. As AI integration becomes critical to competitive advantage, GCCs will likely play a growing role in cybersecurity, model governance, and cross-border data strategy.
FROM THE MEDIA: Tesco has used its 5,000-person Bengaluru center since 2019 for functions such as fridge temperature analytics to reduce food waste. With AI engineers in short supply globally, India’s vast pool of tech workers is helping bridge the gap. Deloitte and Grant Thornton experts note that around 25% of India’s GCCs are shifting from traditional IT support to advanced functions like agentic AI. However, these shifts face hurdles, including infrastructure bottlenecks and high attrition. Karnataka, home to 40% of India’s GCCs, is positioning itself as a key AI innovation hub.
READ THE STORY: FT
U.S. Lawmakers Demand Tech Giants Disclose Security Measures on Submarine Cables Amid China, Russia Concerns
Bottom Line Up Front (BLUF): Three U.S. lawmakers have formally asked CEOs of Alphabet, Meta, Amazon, and Microsoft to disclose their safeguards against potential tampering of global submarine communications cables. The inquiry stems from fears that Chinese and Russian-linked firms may use maintenance roles to covertly compromise this critical infrastructure, which supports 99% of international internet traffic.
Analyst Comments: Subsea cables represent a critical but often overlooked cyber-physical vulnerability. This request highlights growing U.S. concern over adversarial access to the operational layers of global internet infrastructure—particularly via firms like Huawei Marine or China Unicom that have proximity to sensitive cable systems. While public-private cyber defense discussions have traditionally focused on software supply chains, this escalation suggests a broader pivot toward infrastructure-layer threats. Companies must prepare to transparently disclose not only digital protections but also the vetting of third-party cable service providers. More regulatory scrutiny of foreign maintenance firms is likely on the horizon.
FROM THE MEDIA: The lawmakers cited concerns that Chinese entities—including SBSS, Huawei Marine, China Telecom, and China Unicom—are still involved in maintaining or servicing cables linked to U.S. tech firms. The letter asks whether any tampering, signal tapping, or unusual operational events have been detected, with a deadline for response set for August 8. The request follows recent sabotage cases in the Baltic and Red Seas and FCC plans to ban undersea cable connections involving Chinese equipment. Since 2020, U.S. regulators have already blocked multiple projects linking the U.S. to Hong Kong.
READ THE STORY: Reuters
Iranian APT Uses Fake Starlink VPN Apps to Deploy Android Spyware Amid Censorship Crackdown
Bottom Line Up Front (BLUF): The Iranian state-sponsored group MuddyWater is deploying new Android spyware, dubbed DCHSpy, disguised as VPN apps—including one branded with the Starlink name—to target Iranian users seeking uncensored internet access. The malware steals sensitive data, including SMS messages, WhatsApp content, call logs, and audio recordings, and is being distributed via Telegram and other messaging platforms.
Analyst Comments: The spoofing of Starlink, associated with unfiltered internet in Iran, reflects a savvy use of sociopolitical context to increase infection success rates. The malware’s expanded capabilities, including WhatsApp data exfiltration, show a growing emphasis on deep mobile surveillance by Iranian intelligence services. Expect further state-aligned targeting of diaspora and dissident communities through similarly localized lures.
FROM THE MEDIA: Cybersecurity firm Lookout has identified multiple new variants of the Android spyware “DCHSpy,” linked to Iran’s Ministry of Intelligence through the MuddyWater threat group. The malware has been masquerading as VPN apps, including names like “Earth VPN,” “Comodo VPN,” and notably, “Starlink VPN,” to deceive users in Iran looking to circumvent government-imposed internet restrictions. Lookout found that the spyware can steal WhatsApp data and files of interest, along with standard surveillance functions like recording audio and stealing SMS. The spyware’s use surged after Iran's internet throttling during Israeli-U.S. military strikes, capitalizing on user desperation for unfiltered access. Distribution channels include popular apps like Telegram.
READ THE STORY: PCMAG
Items of interest
Kyiv Emerges as the New Espionage Frontline in NATO-Russia Conflict
Bottom Line Up Front (BLUF): Kyiv has become the central hub of modern espionage, paralleling Cold War Berlin, as Russian and Western intelligence agencies escalate cyber, human, and informational warfare operations. Ukraine’s integration into NATO’s intelligence infrastructure is transforming it into a permanent bastion of Western counterintelligence against Russia’s hybrid threat landscape.
Analyst Comments: As cyber and information warfare replace analog spycraft, Russia views Ukraine as a geopolitical prize and a proving ground for destabilization tools. This transformation challenges NATO to expand HUMINT assets, co-develop SIGINT capabilities, and harden cyber defenses in Ukraine—not just to protect Ukrainian sovereignty, but to secure NATO’s eastern flank. With persistent Russian infiltration threats, narrative manipulation, and the blurring of civilian and military infrastructure in cyber operations, Ukraine now plays a pivotal role in defining the West’s strategic response to 21st-century conflict.
FROM THE MEDIA: Russian-backed operations now blend cyber sabotage, disinformation, and traditional HUMINT tradecraft, including infiltration of Ukrainian institutions and recruitment of collaborators. Ukraine’s SBU and HUR, supported by NATO, are ramping up counterintelligence and surveillance efforts. The article calls for NATO to establish permanent cyber intelligence hubs, develop embedded surveillance networks, and institutionalize intelligence-sharing protocols with Ukraine. Strategic messaging, AI-enabled surveillance, and narrative warfare have emerged as decisive elements of the new intelligence battlefield, with Kyiv at its core.
READ THE STORY: Small Wars Journal
Hunting Russian Spies in Norway’s ‘Spy Town’ (Video)
FROM THE MEDIA: Kirkenes, a Norwegian town on the border with Russia, has become a focus of espionage operations. The town’s proximity to Russia and nearby NATO bases has made it a target for Russian spies photographing military infrastructure, conducting covert maritime intelligence operations, and more.
Chilling moment Ukrainian intelligence officer assassinated in cold blood (Video)
FROM THE MEDIA: Video has emerged purporting to show the moment a Security Service of Ukraine (SBU) officer was gunned down, as he exited a building while carrying bags. Pro-Putin media outlets are reporting that the officer was responsible for a clandestine operation behind Russian lines, according to East2West News. The SBU's press department told the Kyiv Independent that the murder happened on July 10 in Kyiv. The victim’s name has not been made public.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.