Tuesday, Sep 16, 2025 // (IG): BB // GITHUB // SN R&D
Projects:
News:
China Recasts Cybersecurity as Defensive Struggle Amid Global Criticism
NOTE:
China employs several psychological techniques in constructing its cyber victim narrative:
Projection: Accusing others of exactly what you're doing yourself. China calls the US a "hacker empire" while conducting massive cyber operations. This isn't simple hypocrisy—it's a psychological defense mechanism that deflects criticism by reversing roles.
Splitting: Dividing the world into absolute categories—China as purely defensive victim, the West as aggressive oppressor. This black-and-white thinking eliminates nuance and prevents acknowledgment of China's offensive activities.
Selective attention: Highlighting every instance of foreign criticism or action against China while ignoring or minimizing China's actions against others. The article extensively discusses foreign threats but never mentions Chinese cyber attacks on other nations.
Catastrophizing: Presenting routine international competition as existential threats. Normal technology restrictions become "suppression" and "containment"—language that implies survival is at stake.
Bottom Line Up Front (BLUF): China's State Security Minister Chen Yixin has issued a whiny but worded statement framing China as a primary victim of cyberattacks. His cries accused Western powers—particularly the U.S.—of global cyber aggression. The rhetoric, published in an official state outlet, lays the foundation for tighter domestic cybersecurity controls and promotes China's cyber sovereignty model on the global stage.
Analyst Comments: By mirroring the language of international criticism and projecting it back onto foreign actors, China reframes itself as a defensive player in cyberspace. The blending of legitimate threats like terrorism with political dissent reinforces the government's justification for broad surveillance and censorship. This narrative serves domestic control and strengthens China's bid to export its internet governance model globally.
FROM THE MEDIA: Without explicitly naming the United States, Chen referred to “certain countries” as the “world’s largest hacker empire” and criticized them for exploiting their dominance to “establish cyber hegemony.” He argued that cyberspace has become a key battleground for national power struggles, emphasizing the need to protect critical infrastructure and develop indigenous technologies. Chen also equated political infiltration, terrorism, and extremism, suggesting online platforms are being weaponized against China. His remarks, delivered through a publication run by the Cyberspace Administration of China, double as both a diplomatic statement and an internal policy signal for increased digital control.
READ THE STORY: CHINADAILY (State Sponsored)
DPRK Hackers Use Jailbroken ChatGPT to Forge Military ID in Targeted Phishing Campaign
Bottom Line Up Front (BLUF): North Korea’s Kimsuky threat group used a jailbroken version of ChatGPT to generate a fake South Korean military ID, which was later deployed in spear-phishing attacks targeting South Korean defense institutions. The case highlights the growing abuse of generative AI tools to create fraudulent identification materials and evade traditional cyber defenses.
Analyst Comments: While most AI platforms have built-in safeguards, prompt manipulation and "mock-up" persona tactics can bypass these protections, allowing adversaries to fabricate realistic identity documents. The Kimsuky operation underscores a broader trend where threat actors are increasingly using AI not just for content generation but also for social engineering and deception at scale. As AI adoption expands, organizations—especially in national security—must harden authentication procedures and invest in training to detect AI-forged credentials and narratives.
FROM THE MEDIA: The ID included a publicly sourced headshot and was used in spear-phishing attempts against unnamed South Korean defense institutions. The Genians Security Center disclosed the attack, which confirmed the weaponized ID was generated by tricking ChatGPT into creating a “sample” or “mock-up” layout, bypassing the model's restrictions on generating sensitive or illegal content. Kimsuky, previously linked to cyberattacks on nuclear facilities, the UN, and policy think tanks, continues to refine its tactics through psychological manipulation, AI misuse, and cyber deception.
READ THE STORY: TechRadar
Ukrainian Hackers Disrupt Russian Election Infrastructure with Coordinated Cyberattack
Bottom Line Up Front (BLUF): Ukraine's military intelligence agency (HUR) launched a successful cyberattack targeting Russia's Central Election Commission (CEC), state portal Gosuslugi, and key telecom infrastructure during Russia’s recent unified elections, including those held in occupied Ukrainian territories. The attack focused on disrupting online voting through distributed denial-of-service (DDoS) tactics.
Analyst Comments: The focus on online voting systems—especially in occupied regions—demonstrates a strategic intent to undermine the legitimacy of Russian electoral claims. For Russia, the intrusion exposes weaknesses in state-run IT infrastructure and centralized telecom systems like Rostelecom. The event also previews the cyber dimension in future geopolitical conflicts, where elections and public trust become active battlefields.
FROM THE MEDIA: Ukrainian military intelligence (HUR) executed a DDoS attack against several Russian critical systems during its unified elections, which also included voting in Crimea and other occupied Ukrainian territories. The targets included the Central Election Commission's website, the Gosuslugi digital state services portal, and core routing infrastructure managed by Rostelecom. Russia confirmed disruptions, with CEC head Ella Pamfilova noting intermittent website outages, though she claimed the voting process was unaffected. Rostelecom's president Mikhail Oseevsky admitted the attack strained routers supporting the CEC's online systems and announced plans to upgrade cybersecurity defenses ahead of Russia’s 2026 parliamentary elections.
READ THE STORY: SCMAG
Corruption and Criminal Links Undermine China’s Ambitions as a Space Superpower
Bottom Line Up Front (BLUF): An investigative opinion piece by Hugh Taylor argues that China's space program, while advancing rapidly in both civilian and military domains, is deeply compromised by systemic corruption, leadership instability, and its entanglements with organized crime. Despite technological gains, these internal and external vulnerabilities could critically undermine China's ability to sustain dominance in space.
Analyst Comments: China's collaboration with criminal syndicates like the triads could pose operational risks ranging from cyber compromise to blackmail and sabotage of space infrastructure. The blurred lines between military, civilian, and criminal spheres render Chinese space assets susceptible to instability—creating unexpected openings for adversaries and unforeseen hazards in the orbital domain.
FROM THE MEDIA: He outlines three core vulnerabilities: (1) innate flaws—such as corruption-induced rocket failures and purges within the PLA Rocket Force, (2) trouble by design—highlighting China’s historic collaboration with triad criminal organizations, and (3) external threats, particularly cyber vulnerabilities due to poor defensive posture. Taylor warns that these internal dynamics could lead to criminal exploitation of Chinese space assets, including scenarios involving cyber sabotage, corruption-induced system failure, and even hijacking of orbital platforms for ransom. He argues that China’s space ambitions are real, but fragile, and the U.S. must assess these risks holistically—not just by counting satellites and launches.
READ THE STORY: Via Satellite
APT28 Weaponizes Signal and Cloud APIs in Espionage Campaign Targeting Ukrainian Military
Bottom Line Up Front (BLUF): Russian state-backed APT28 has launched a technically advanced cyber espionage operation targeting Ukrainian military personnel via Signal-based spearphishing. The campaign employs new malware called BeardShell, steganography, and repurposed red-team tools like Covenant, while exploiting cloud storage APIs for covert command-and-control communications.
Analyst Comments: This campaign reflects a trend where espionage groups increasingly blur the lines between offensive cyber operations and red-team tooling—turning legitimate security frameworks into delivery mechanisms. The group’s use of Signal, steganography, and multi-layer payload obfuscation suggests a tailored approach to infiltrate hardened military targets. With infrastructure abuse spanning Koofr, Icedrive, and now Filen, defenders face mounting challenges in identifying malicious behavior masquerading as everyday cloud traffic.
FROM THE MEDIA: The campaign starts with Signal-based social engineering, tricking personnel into opening malicious Office documents via fake compensation or legal messages. These documents deploy BeardShell, a C++ backdoor that communicates via encrypted channels built on the Covenant framework and cloud APIs from services like Koofr and Icedrive. Notably, APT28 uses steganographic techniques to hide shellcode in image files—a first for the group. The attackers have compromised at least 42 hosts and exfiltrated over 100 files related to drone logistics and personnel records. Attribution links the campaign to GRU Unit 26165, with activity continuing through August 2025.
READ THE STORY: Cyber Press
China Imposes 1-Hour Reporting Deadline for Major Cybersecurity Incidents
Bottom Line Up Front (BLUF): Starting November 1, 2025, China's Cyberspace Administration (CAC) will require all network operators to report serious cybersecurity incidents within 60 minutes, or within 30 minutes for “particularly major” cases. The rules apply to a wide range of digital stakeholders and introduce strict penalties for delays or concealment of incidents.
Analyst Comments: The one-hour window sets an extremely high bar compared to the EU’s 72-hour rule or similar frameworks elsewhere, forcing Chinese firms to overhaul detection and incident response capabilities. The move aligns with China’s broader strategy to centralize digital control and monitor data flow in real time, potentially expanding state oversight over domestic and foreign firms operating in the country. It also increases compliance risk in large datasets or sensitive infrastructure sectors.
FROM THE MEDIA: Under these regulations, entities must report serious incidents within 60 minutes of discovery and “preeminent” ones—such as breaches involving 100 million personal records or ¥100 million in damages—within 30 minutes. Reporting requirements are extensive, including technical details, damage assessments, mitigation steps, ransom demands, and forecasts of future harm. Final investigation reports are due within 30 days. Operators who delay, falsify, or omit reporting risk face legal consequences. To enforce rapid compliance, the CAC has also deployed multiple reporting channels, including hotlines, web portals, and WeChat.
READ THE STORY: The Register
Keep reading with a 7-day free trial
Subscribe to Bob’s Newsletter to keep reading this post and get 7 days of free access to the full post archives.