Daily Drop (1185)
11-21-25
Friday, Nov 21, 2025 // (IG): BB // GITHUB // SN R&D
China’s Grip on European Solar Tech Could Threaten Grid Stability
Bottom Line Up Front (BLUF): A detailed report from the European Council on Foreign Relations warns that Europe’s overreliance on Chinese-made solar inverters—many with remote control capabilities—has created a strategic cyber vulnerability in the EU’s power grid. In the absence of 5G-style security controls, hostile actors could exploit this hardware for disruption, coercion, or even sabotage. Experts call for immediate EU-wide bans on high-risk suppliers and conditional financing to prevent further penetration into critical infrastructure.
Analyst Comments: While policy debates have focused on rare earths, AI, and chips, inverters—the control-layer hardware that interfaces solar energy with the grid—have quietly become a significant strategic liability. The concern isn’t hypothetical: these devices are remotely programmable, push software updates over the cloud, and are increasingly produced by firms like Huawei, which European telecom regulators already consider “high-risk.” The 12-hour Iberian Peninsula blackout in April (likely due to grid fragility, not cyberattack) illustrates how even a modest disruption can scale into continent-wide failure. As tensions with Beijing escalate and the CCP’s intelligence laws remain incompatible with EU trust standards, Brussels must treat energy infrastructure with the same rigor as telecoms.
READ THE STORY: EFU
TP-Link Sues Netgear Over Alleged Smear Campaign, as U.S. National Security Scrutiny Intensifies
Bottom Line Up Front (BLUF): TP-Link has filed a federal lawsuit against Netgear, accusing the rival networking hardware firm of orchestrating a smear campaign that falsely linked TP-Link’s technology to Chinese state surveillance. The complaint alleges Netgear’s actions violated a 2024 non-disparagement agreement and cost TP-Link over $1 billion in lost sales. The case unfolds amid growing bipartisan pressure in Washington to label TP-Link a national security threat.
Analyst Comments: Netgear’s alleged tactics—raising concerns about TP-Link’s ties to Beijing in investor calls and media briefings—reflect how nation-of-origin narratives are being weaponized in tech sector rivalries. The stakes are high: TP-Link dominates the U.S. budget router market but faces regulatory risks on multiple fronts, including a criminal antitrust investigation and the potential designation as a foreign-adversary tech vendor, similar to Huawei. If Netgear breached the 2024 settlement agreement, it may face legal and financial repercussions—but TP-Link, despite its American restructuring, remains vulnerable to escalating national security scrutiny as China-linked hardware becomes a political flashpoint.
READ THE STORY: CN
Shutdown Fallout: Cyberattack Surge Exposes U.S. Vulnerabilities Amid Federal Staff Cuts
Bottom Line Up Front (BLUF): The U.S. government faced a massive surge in cyberattacks—up 85% from September to October—during the ongoing federal shutdown, with sophisticated, targeted intrusions aimed at critical agencies. A Washington Post op-ed warns that deep staff reductions at the Cybersecurity and Infrastructure Security Agency (CISA) and other federal bodies, combined with the expiration of the Cyber Information Sharing Act, have significantly weakened national cyber defenses just as adversaries like China escalate offensive operations.
Analyst Comments: With 65% of CISA staff furloughed, key defensive programs paused, and interagency communication channels cut, this was a gift to state-aligned actors. Add to that the Trump administration’s drive to eliminate 300,000 federal jobs—including cyber roles—and it’s not hard to see why groups like Salt Typhoon are making bold moves. The deactivation of legal protections for private-sector intelligence sharing only adds friction to already fragile collaboration models. Washington is talking about AI and zero trust, but if the human capital and legal underpinnings aren’t there, none of that matters.
READ THE STORY: The Washington Post
Russian Ransomware Profits Laundered Through Kyrgyz Bank to Evade Sanctions and Fund Ukraine Invasion
Bottom Line Up Front (BLUF): UK law enforcement has dismantled a billion-dollar Russian-linked money laundering network that used a Kyrgyz bank—Keremet Bank—to convert ransomware profits into crypto, circumvent Western sanctions, and help fund Russia’s war effort in Ukraine. The scheme, exposed through Operation Destabilise, connected cybercriminal profits from ransomware gangs like Evil Corp, Ryuk, and Conti to geopolitical adversaries and battlefield logistics.
Analyst Comments: By buying control of Keremet Bank in Kyrgyzstan, the Russian-linked TGR network built a financial backdoor into the global economy, turning cybercrime revenue into strategic capital for the Russian state. Funds traced from ransomware victims were used to prop up sanctioned banks like Promsvyazbank, underwrite crypto ventures tied to election interference in Moldova, and support weapons flows into Ukraine. This exposes how cybercrime infrastructure overlaps with Russia’s military-industrial complex, eroding the myth that ransomware crews are merely criminal enterprises. Law enforcement needs to treat crypto laundering not just as a financial crime, but as an enabler of state aggression.
READ THE STORY: Computer Weekly
Operation WrtHug: China-Linked Botnet Hijacks Thousands of End-of-Life ASUS Routers
Bottom Line Up Front (BLUF): Researchers from SecurityScorecard and ASUS have uncovered a cyber-espionage campaign—Operation WrtHug—that’s weaponizing thousands of outdated ASUS routers to build a global relay network. The campaign is attributed to China-aligned threat actors exploiting multiple n-day vulnerabilities in end-of-life routers across Taiwan and Southeast Asia, forming a stealthy infrastructure to obfuscate command-and-control (C2) traffic and facilitate espionage.
Analyst Comments: By targeting consumer- and SMB-grade ASUS routers that are no longer receiving firmware updates, attackers are building a durable, low-cost relay network that masks their operational footprint. The use of a 100-year self-signed TLS certificate on all infected routers isn’t just quirky—it’s a clear marker of long-term planning and tight operational coordination. This mirrors China’s past Operational Relay Box (ORB) tactics, but with a broader and more scalable deployment. No hits in mainland China and a heavy concentration in Taiwan align with state-directed targeting priorities. For defenders, this reinforces why unmanaged edge devices and home-office routers remain prime staging grounds for APT infrastructure—especially in regions of strategic interest.
READ THE STORY: TechRadar
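The analyst note above points to an unusually long-lived self-signed TLS certificate as a marker of the WrtHug infrastructure. The following added example (not code from the report, SecurityScorecard or ASUS) shows how a defender would turn that observation into a hunt over certificate logs: it flags self-signed certificates whose validity window exceeds a configurable number of years. The sample records are constructed for this example, and their field names are modelled on Zeek's x509.log as an assumption about the log source; the ten-year default threshold is likewise a chosen value, not one taken from the report.

```python
"""Hunt for long-lived self-signed TLS certificates in certificate log records."""
import json

# Constructed sample records, one JSON object per line. Field names follow Zeek's
# x509.log convention (an assumption about the log source; values are made up).
# F0001: ordinary 90-day CA-issued cert. F0002: 5-year self-signed router cert.
# F0003: 100-year self-signed cert, the pattern the analyst note describes.
SAMPLE_X509_LOG = """\
{"ts": 1731500000.0, "id": "F0001", "certificate.subject": "CN=www.example.org", "certificate.issuer": "CN=R3,O=Let's Encrypt,C=US", "certificate.not_valid_before": 1731400000.0, "certificate.not_valid_after": 1739176000.0}
{"ts": 1731500100.0, "id": "F0002", "certificate.subject": "CN=router.lan", "certificate.issuer": "CN=router.lan", "certificate.not_valid_before": 1700000000.0, "certificate.not_valid_after": 1857680000.0}
{"ts": 1731500200.0, "id": "F0003", "certificate.subject": "CN=localhost", "certificate.issuer": "CN=localhost", "certificate.not_valid_before": 1700000000.0, "certificate.not_valid_after": 4855760000.0}
"""

SECONDS_PER_DAY = 86400.0
DAYS_PER_YEAR = 365.25


def parse_records(text):
    """Parse JSON-lines log text into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_self_signed(rec):
    """A certificate whose issuer equals its subject was signed with its own key."""
    return rec["certificate.subject"] == rec["certificate.issuer"]


def validity_years(rec):
    """Length of the certificate's validity window in years (epoch timestamps)."""
    seconds = rec["certificate.not_valid_after"] - rec["certificate.not_valid_before"]
    return seconds / SECONDS_PER_DAY / DAYS_PER_YEAR


def flag_long_lived_self_signed(records, max_years=10.0):
    """Return records that are both self-signed and valid for more than max_years.

    Publicly trusted certificates are limited to about 13 months, so a multi-decade
    self-signed certificate on an internet-facing device is worth a second look.
    """
    hits = []
    for rec in records:
        years = validity_years(rec)
        if is_self_signed(rec) and years > max_years:
            hits.append({
                "id": rec["id"],
                "subject": rec["certificate.subject"],
                "validity_years": round(years, 1),
            })
    return hits


if __name__ == "__main__":
    for hit in flag_long_lived_self_signed(parse_records(SAMPLE_X509_LOG)):
        print(f"{hit['id']}: {hit['subject']} self-signed, valid {hit['validity_years']} years")
```

Run against real logs, this check will also surface benign long-lived self-signed certificates on appliances and lab hosts, so treat a hit as a lead to correlate with the device model, firmware age and outbound connection patterns rather than as a verdict on its own.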
Startup “Twenty” Lands U.S. Military Contracts to Build AI Tools for Offensive Cyber Ops
Bottom Line Up Front (BLUF): Cyber warfare startup Twenty has secured up to $12.6 million in contracts with U.S. Cyber Command and the U.S. Navy to develop artificial intelligence tools designed to automate and accelerate offensive hacking operations. Founded by former military hackers, the company is building systems that turn traditional intrusion workflows into continuous, scalable cyber campaigns—reflecting a broader U.S. policy shift toward proactive digital deterrence.
Analyst Comments: Twenty’s emergence—and the rapid investment from firms like In-Q-Tel and Caffeinated Capital—signals that U.S. cyber doctrine is moving from perimeter defense to persistent engagement. Automating intrusion workflows using AI isn’t new in the private sector, but deploying it for nation-state targeting at scale changes the calculus. With President Trump’s $1B budget carve-out for offensive cyber and recent high-profile Chinese intrusions, tools like Twenty’s will likely become standard kit for U.S. cyber operators. However, the rapid integration of AI into military hacking raises clear ethical and operational questions around control, attribution, and escalation.
READ THE STORY: Bloomberg
Charming Kitten Leak Exposes Iranian Military Hackers Behind Espionage on Israeli Defense Sector
Bottom Line Up Front (BLUF): A leaked data trove has exposed Charming Kitten, an elite Iranian cyber unit embedded within the IRGC, revealing the identities of operatives and their global cyber operations. Targets included Israeli defense manufacturers, critical infrastructure, and the Israel Airports Authority, with attempted intrusions into the systems behind Iron Dome. The leak contains operational tools, soldier ranks, command hierarchies, and evidence of long-term campaigns against both Israeli and international targets.
Analyst Comments: The presence of ranked soldiers writing daily reports underscores that this is not a proxy militia or criminal group—it’s a formal state-backed unit, likely part of Iran’s broader hybrid warfare doctrine. Attempted access to missile defense systems and transportation hubs suggests mission scope extends beyond surveillance toward potential disruption or sabotage. The leak’s origin remains unclear, but its level of detail could severely impact Iran’s cyber operations—expect rapid reassessment of tradecraft and retooling of infrastructure.
READ THE STORY: Haaretz
China Accuses NSA of Targeting National Time Service: AI-Powered Espionage Escalates Global Cyber Tensions
Bottom Line Up Front (BLUF): Beijing has accused the U.S. National Security Agency (NSA) of orchestrating a prolonged cyberattack on China’s National Time Service Center, alleging state-level cyber-espionage dating back to 2022. The MSS claims the intrusion aimed to sabotage “Beijing Time”—a critical element of China’s infrastructure. These allegations come as both sides escalate AI-powered cyber operations targeting each other’s vital systems, highlighting a dangerous phase in cyber-enabled geopolitical conflict.
Analyst Comments: The alleged use of advanced malware by the NSA reflects a tier-one capability, but it also echoes the kind of persistent access China has sought through Volt Typhoon operations. Claims of AI-assisted intrusions and retaliatory automation demonstrate that both sides are rapidly integrating autonomous tools into their cyber campaigns. The stakes aren’t just about espionage—this is about control over global synchronization infrastructure. If true, compromising time services could be as disruptive as hitting power grids or DNS. Expect tighter operational security among U.S. critical infrastructure providers and intensified scrutiny of AI use in offensive cyber operations.
READ THE STORY: WPN
Strategic Convergence: Europe and Asia Now a Single Theater in Global Deterrence Architecture
Bottom Line Up Front (BLUF): Defense analyst Jihoon Yu argues that geopolitical fault lines between the Euro-Atlantic and Indo-Pacific have collapsed into a single, integrated security theater. Russia’s war in Ukraine, China’s assertiveness in Asia, and North Korea’s weapons exports to Moscow have fused the defense ecosystems of Europe and Asia. In this new reality, deterrence strategies, defense supply chains, and military planning are no longer regionally siloed but are globally interconnected.
Analyst Comments: European howitzers are defending NATO’s eastern flank while South Korean tanks reinforce Poland. At the same time, Russian tech boosts North Korea’s missile ambitions, and North Korean shells pound Ukrainian trenches. The global defense landscape is no longer defined by geography but by the alignment of authoritarian cooperation across theaters. This has significant implications for security architecture—especially for NATO, which must now coordinate deeply with Indo-Pacific partners or risk strategic incoherence. As China and Russia exploit time and resource asymmetries between regions, Western democracies must ensure their industrial base, logistics, and crisis response are equally trans-regional.
READ THE STORY: The Defense Post
PlushDaemon Deploys ‘EdgeStepper’ in Global Adversary-in-the-Middle Attacks
Bottom Line Up Front (BLUF): Researchers at ESET have uncovered EdgeStepper, a new adversary-in-the-middle (AitM) implant used by China-aligned threat group PlushDaemon to hijack software updates and conduct global cyber-espionage. The group has been active since at least 2018, targeting organizations across Asia-Pacific and North America. The implant redirects DNS traffic to malicious nodes, enabling attackers to inject payloads into otherwise legitimate software update flows.
Analyst Comments: PlushDaemon is operating at a level of technical sophistication consistent with nation-state support—tampering with update channels, hijacking DNS at the network level, and deploying multi-stage toolkits like LittleDaemon and DaemonLogistics. EdgeStepper’s ability to silently redirect DNS queries means compromised organizations may never realize their update infrastructure has been weaponized. While ESET notes the presence of bioset ELF binaries in the wild, they also admit this is likely just one component of a broader malware ecosystem. This campaign reinforces the need to secure DNS infrastructure, segment update channels, and validate binaries with multiple layers of cryptographic integrity checks.
READ THE STORY: InfoSec Mag
Items of interest
Iran-Linked Hackers Used AIS Data for Missile Targeting in Escalating Cyber-Kinetic Campaigns
Bottom Line Up Front (BLUF): Amazon’s threat intelligence unit has revealed that Iranian state-aligned hackers conducted cyber reconnaissance of maritime tracking systems before an attempted missile strike on a commercial vessel in early 2024. Groups like Imperial Kitten (aka Tortoiseshell) exploited Automatic Identification System (AIS) data and live CCTV feeds to assist Iranian-backed Houthi militants in real-world targeting—underscoring a dangerous evolution in state-sponsored cyber warfare: cyber-enabled kinetic operations.
Analyst Comments: We’re not talking about cyberattacks causing collateral physical damage (e.g., NotPetya, Stuxnet), but deliberate digital ops aimed at guiding missile precision. The AIS exploitation highlights the vulnerability of global maritime infrastructure, which often relies on insecure, unauthenticated systems. The integration of cyber surveillance—such as tapping into live CCTV feeds in Jerusalem—with missile targeting strategies shows just how far threat actors have come in fusing the domains of cyber and physical warfare. Expect increased focus on defending maritime, logistics, and city-wide IoT infrastructure from real-time reconnaissance. This isn’t espionage—it’s pre-strike preparation.
READ THE STORY: THN
AIS: Most Comprehensive Video on Maritime Tracking Technology (Video)
FROM THE MEDIA: If you ever wondered how ships are tracked, then this is the video for you. The technology for broadcasting is not nearly as interesting as the technology for receiving the signal, which includes hundreds of satellites covering the globe.
Effective Use of Automatic Identification System AIS | The Nautical Institute (Video)
FROM THE MEDIA: The video explains the Automatic Identification System (AIS), which uses VHF radio waves to broadcast critical information among ships and shore bases to enhance safety, aid traffic management, facilitate search and rescue operations, and gather industry data for improvement purposes.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.