Wednesday, Jan 01, 2025 // (IG): BB // GITHUB // SGM Jarrell
Ukraine Innovates with Automated Killer Drones to Counter Russian Advances
Bottom Line Up Front (BLUF): Ukraine is advancing drone warfare by integrating automation into its killer drones, enhancing efficiency and reducing reliance on human pilots. These improvements aim to counter Russian forces more effectively while conserving Ukraine's limited resources. The automation enhances accuracy and resilience against Russian electronic warfare.
Analyst Comments: The Ukrainian approach to drone warfare underscores the role of innovation in asymmetric conflicts. Ukraine demonstrates the value of adapting civilian technologies for military applications by focusing on incremental, cost-effective solutions. The automation of drones boosts operational efficiency and sets a precedent for future military strategies globally. This technology, if scaled, could redefine warfare by emphasizing swarms of affordable, semi-autonomous systems over traditional heavy artillery.
FROM THE MEDIA: Ukraine's 2024 military strategy relied heavily on small, explosive drones, with over a million units produced to target Russian forces. Moving into 2025, Ukrainian developers are enhancing drone automation to improve their chances of reaching and destroying targets. This includes systems that navigate autonomously past electronic warfare and jamming devices, a significant hurdle for current drones. Sine. Engineering, a Ukrainian drone-tech firm, has developed multi-bandwidth communication modules and a new positioning system that allows drones to operate without GPS, which Russian forces frequently disrupt. These innovations enable operators to control multiple drones simultaneously, reducing the expertise and training required for effective deployment. Despite these advancements, fully autonomous swarms remain a distant goal. For now, Ukraine prioritizes practical solutions to bolster frontline operations. The country’s drone-centric strategy has proven vital in offsetting Russian artillery advantages and could shape how future conflicts are fought.
READ THE STORY: WSJ
U.S. Sanctions Russian and Iranian Entities for Election Interference Using AI and Cyber Tactics
Bottom Line Up Front (BLUF): The U.S. Treasury Department sanctioned two entities affiliated with Iran’s IRGC and Russia’s GRU for cyber-enabled election interference in the 2024 presidential elections. Both used advanced technologies, such as generative AI, to create and disseminate disinformation aimed at manipulating public opinion and undermining democratic processes.
Analyst Comments: Using AI-driven disinformation highlights the growing sophistication of foreign interference campaigns. By deploying generative AI, these entities can produce large-scale, high-quality fake content that is difficult to detect. The U.S. sanctions are a critical step in deterring state-sponsored malign influence operations. Still, the escalating capabilities of such actors emphasize the need for stronger defenses, international collaboration, and continued investment in counter-disinformation technologies.
FROM THE MEDIA: The CDPC, linked to Iran’s IRGC, orchestrated influence operations to incite socio-political tensions in the U.S. The CGE, a Moscow-based entity founded by Aleksandr Dugin, conducted cyber warfare and disinformation campaigns with financial and logistical support from Russia’s GRU. These operations included deepfake content and a network of 100 proxy websites posing as legitimate news sources. Treasury detailed that the GRU provided infrastructure and funding to CGE, including maintaining AI servers and paying local U.S. facilitators to execute these operations. Specific examples included a fake video targeting a U.S. vice-presidential candidate to sow discord among voters. These sanctions follow broader U.S. efforts to counter foreign interference, including indictments against Iranian hackers and other operatives involved in similar campaigns in 2020 and 2024.
READ THE STORY: THN
Xi Jinping Declares "No One Can Stop" China's Occupation of Taiwan
Bottom Line Up Front (BLUF): In a New Year’s address, Chinese President Xi “Pooh” Jinping reaffirmed Beijing’s commitment to capturing Taiwan, emphasizing shared cultural and familial ties while refusing to renounce the use of force. The statement intensifies tensions as Taiwan strengthens its defense capabilities and the U.S. prepares for policy shifts under President-elect Donald Trump.
Analyst Comments: Xi’s remarks reflect Beijing’s longstanding goal of asserting sovereignty over Taiwan but come at a time of heightened military and political pressures. Recent Chinese military drills, described as the most extensive in years, suggest Beijing is testing Taiwan’s defenses while signaling resolve to both Taipei and Washington. With the Trump administration expected to adopt a hardline stance on China, including potential tariffs and strengthened ties with Taiwan, the Taiwan Strait may see increased tensions and military posturing in 2025.
FROM THE MEDIA: Chinese President Xi Jinping used his New Year’s speech to underscore Beijing’s determination to achieve unification with Taiwan, reiterating that “no one can stop the historical trend” of reunification. This declaration follows intensified military activity, including large-scale drills near Taiwan in December, which Taiwanese officials have described as the most significant in years. The U.S., Taiwan’s largest strategic ally and arms supplier, has raised concerns about Beijing’s aggressive posturing. Xi’s comments come as the U.S.-China relationship faces further strain, with President-elect Trump vowing to impose tariffs on China and potentially reshaping Washington’s Taiwan policy. Taiwanese President Lai Ching-te, inaugurated in May 2024, has responded by bolstering the island’s defenses and maintaining a firm stance against Beijing’s claims. Meanwhile, China continues to reject the democratic island’s sovereignty, asserting its right to use military force if necessary.
READ THE STORY: The Defense Post
Beijing-Linked Hackers Breach U.S. Treasury Systems, Access Classified Documents
Bottom Line Up Front (BLUF): Chinese state-sponsored hackers infiltrated U.S. Treasury systems by exploiting a security key provided through a third-party software vendor. The breach, disclosed on December 8, 2024, allowed access to employee workstations and classified documents, raising concerns about critical infrastructure vulnerabilities.
Analyst Comments: By targeting third-party providers like BeyondTrust, threat actors gain backdoor access to critical systems. The breach aligns with recent Chinese-linked campaigns targeting U.S. critical infrastructure and telecommunications, underlining Beijing's strategic focus on cyber-enabled espionage. Strengthened federal cybersecurity standards and supply chain monitoring are urgently needed to mitigate such risks.
FROM THE MEDIA: The U.S. Treasury Department confirmed that Chinese state-sponsored hackers compromised its systems, gaining access to classified documents via a stolen security key from BeyondTrust, a third-party software provider. The breach was detected on December 8, but the agency has not disclosed when the initial compromise occurred or the scope of affected workstations. The Treasury noted that the compromised service had been taken offline and found no evidence of continued unauthorized access. FBI and CISA are collaborating with Treasury to investigate the intrusion and assess its impact. The breach follows recent attacks by Chinese-linked groups, including Volt Typhoon and Salt Typhoon, that targeted U.S. critical infrastructure and telecommunications. In response, the Biden administration and lawmakers are preparing to impose stricter cybersecurity standards, with an FCC vote next month to establish new regulations for telecom firms. Chinese Foreign Ministry spokesperson Mao Ning denied the allegations, calling them "unwarranted and groundless" and asserting China's opposition to hacking and disinformation.
READ THE STORY: The Record
Ukraine Halts Russian Gas Transit as Key Agreement Expires
Bottom Line Up Front (BLUF): The transit of Russian natural gas through Ukraine ended on January 1, 2025, following Kyiv's refusal to renew a critical five-year agreement amid ongoing conflict. While Europe has diversified its energy sources, the halt underscores growing geopolitical tensions and impacts countries like Moldova more severely.
Analyst Comments: Canceling Russian gas transit via Ukraine is pivotal in Europe's energy landscape. It reflects the success of EU policies to reduce dependence on Russian gas following the 2022 invasion of Ukraine. However, it also highlights vulnerabilities for nations like Moldova, less integrated into alternative energy networks. In the long term, this shift could weaken Russia's influence in Europe while pushing the EU towards greater energy self-reliance at a financial cost.
FROM THE MEDIA: Ukrainian Energy Minister German Galushchenko described the move as historic, asserting that it would result in financial losses for Russia as Europe moves away from its energy dependency. Gazprom, Russia’s state-owned energy giant, stated that it could no longer supply gas through Ukraine due to Kyiv’s refusal to renew the agreement. The European Commission assured the public that the region's infrastructure could absorb the impact by sourcing gas from liquefied natural gas (LNG) and non-Russian pipeline imports. Countries like Slovakia and Moldova face heightened energy challenges. Slovakian Prime Minister Robert Fico criticized the move, warning of economic fallout across the EU. Due to anticipated disruptions, Moldova, already in a state of emergency, accused the Kremlin of leveraging energy supplies to influence its political direction.
READ THE STORY: Aljazeera // VOA
Finnish Authorities Investigate Russian Tanker Suspected of Sabotaging Baltic Submarine Cables
Bottom Line Up Front (BLUF): Finnish authorities have identified seven suspects aboard the Russian tanker Eagle S, alleged to have deliberately severed multiple submarine cables in the Baltic Sea. The vessel, seized on Christmas Day, is under investigation for disrupting critical telecommunications and power infrastructure.
Analyst Comments: The deliberate nature of the attack, coupled with suspicions of espionage equipment aboard the Eagle S, underscores the broader context of Russia’s increasing use of hybrid warfare tactics. Such actions may prompt NATO and the EU to enhance underwater surveillance and bolster the resilience of subsea networks to prevent future sabotage.
FROM THE MEDIA: The Eagle S, a Russian-flagged oil tanker, was seized by Finnish authorities on December 25, 2024, after allegedly dragging its anchor for miles, severing multiple submarine cables, including the Estlink 2 power cable and four telecommunications cables. Finnish authorities dispatched armed units via helicopter to board the vessel, and the crew did not resist. The National Bureau of Investigation (NBI) has identified seven suspects among the crew and imposed travel bans to ensure their availability for questioning. Initial investigations revealed that the ship’s anchor had been dragged along the seabed for several kilometers, coinciding with the cable disruptions. Reports from Lloyd’s List suggest the vessel was previously equipped with abnormal devices potentially used for monitoring NATO communications and deploying sensor equipment. The Eagle S has been moved to an oil port near Helsinki for further inspection, and underwater investigations are ongoing to confirm the extent of the damage.
READ THE STORY: WSJ
Puerto Rico’s Power Grid Collapses, Plunging Island into Darkness
Bottom Line Up Front (BLUF): Puerto Rico’s fragile power grid failed on New Year’s Eve, leaving 87% of residents without electricity. The outage, attributed to a likely failure in an underground line, highlights longstanding issues with the island’s energy infrastructure. Restoration could take up to 48 hours, with critical facilities prioritized.
Analyst Comments: This latest outage underscores the chronic vulnerabilities in Puerto Rico’s energy infrastructure, which has struggled since Hurricane Maria in 2017. Decades of underinvestment, aging equipment, and management controversies have compounded the grid’s instability. The incoming administration’s task force to address frequent blackouts is a step forward, but systemic reforms and modernization efforts will be critical to achieving long-term reliability. The island’s energy crisis also raises broader questions about resilience in U.S. territories facing climate change and economic constraints.
FROM THE MEDIA: LUMA Energy, responsible for energy distribution, stated preliminary findings about an underground line failure. The outage also caused cascading failures in power plants operated by Genera, another energy provider. While critical facilities such as Centro Medico and Municipal Hospital in San Juan have regained power, the majority of residents remain in the dark. Full restoration is expected to take up to two days. The incident has reignited criticism of LUMA and Genera for failing to modernize the island’s aging grid. Protests against the operators have been frequent, with residents citing years of neglect and insufficient investment. LUMA has attributed the challenges to inheriting a system plagued by decades of abandonment. Incoming Governor Jenniffer González pledged to form an energy task force to address the persistent outages, emphasizing the urgent need for solutions to stabilize the grid and improve the island’s quality of life.
READ THE STORY: Reuters
U.S. Soldier Indicted for Selling Stolen Phone Records in Connection to Major Data Breaches
Bottom Line Up Front (BLUF): Cameron John Wagenius, a U.S. Army soldier, has been charged with unlawfully selling stolen confidential phone records. Allegedly operating under the alias "Kiberphant0m," Wagenius is linked to extensive data breaches targeting telecommunications and cloud storage systems, compromising billions of sensitive documents.
Analyst Comments: This case exemplifies the increasing threat posed by insiders within sensitive organizations and their potential ties to global cybercrime networks. The alleged sale of confidential records highlights the ongoing vulnerabilities in safeguarding high-value data. The association with broader hacking efforts underscores the necessity for stringent data protection measures, including enhanced monitoring for insider threats. The implications of this breach extend beyond individual organizations, stressing the need for international cooperation to combat cyber extortion and data theft.
FROM THE MEDIA: Cameron John Wagenius, 20, was indicted on December 20, 2024, for selling confidential phone records without authorization, including records allegedly linked to high-profile individuals such as President-elect Donald Trump and Vice President Kamala Harris. Wagenius is suspected of being "Kiberphant0m," a cybercriminal associated with breaches of major telecommunications firms like AT&T and Verizon. The indictment, unsealed in Texas, alleges Wagenius collaborated with Connor Moucka, arrested in Canada, and John Binns, currently detained in Turkey, as part of a hacking group targeting Snowflake-hosted environments. The group is accused of accessing billions of records containing sensitive personal and financial information, subsequently extorting victims and selling the stolen data. Cybersecurity expert Allison Nixon identified Wagenius as a group member after receiving threats. She praised the rapid response from law enforcement, describing it as one of the fastest in her career. The arrests are significant in addressing the group's cybercriminal activities, affecting organizations across sectors.
READ THE STORY: Reuters // The Register
U.S. Sanctions Russian and Iranian Entities Over 2024 Election Interference
Bottom Line Up Front (BLUF): The U.S. Treasury Department imposed sanctions on Russian and Iranian organizations for disinformation campaigns and cyber activities to disrupt the 2024 presidential election. The entities, allegedly linked to Russian intelligence and Iran’s Revolutionary Guard Corps, used advanced technologies like generative AI to manipulate public opinion and spread false narratives.
Analyst Comments: These sanctions underscore the persistent threat of foreign influence operations targeting U.S. democratic processes. The use of generative AI to create deepfakes and false narratives represents an evolution in disinformation tactics, complicating detection and mitigation efforts. While the sanctions send a strong message, their effectiveness depends on enforcement and the ability to disrupt the infrastructure supporting these operations. Strengthened collaboration with technology companies and allies will be crucial in countering similar campaigns in the future.
FROM THE MEDIA: The U.S. Treasury announced sanctions on December 31, 2024, targeting Russia’s Center for Geopolitical Expertise (CGE) and Iran’s Cognitive Design Production Center. The CGE, led by Aleksandr Dugin and Valery Korovin, allegedly created deepfake content and operated a network of over 100 disinformation websites with support from Russia’s GRU. One operation involved a viral fake video targeting a vice-presidential candidate to sow discord among voters. Iran’s Cognitive Design Production Center, a subsidiary of the Islamic Revolutionary Guard Corps, conducted influence campaigns to exacerbate political tensions in the U.S. These efforts follow a pattern of election interference seen in previous election cycles, including operations targeting former President Donald Trump’s campaign. The U.S. government has increased its focus on combating foreign influence, leveraging sanctions and legal action to deter malign actors. These efforts are part of broader initiatives to safeguard the integrity of elections against cyber threats and disinformation.
READ THE STORY: The Record
Items of interest
Exploiting JWT Vulnerabilities: A Penetration Tester’s Guide
Bottom Line Up Front (BLUF): JSON Web Tokens (JWTs) are widely used for secure communication between services, but misconfigurations can expose them to vulnerabilities. Exploitation techniques such as algorithm confusion, key tampering, and replay attacks demonstrate the risks of weak JWT implementation. Tools like jwt_tool and Burp Suite extensions help identify these weaknesses during penetration testing.
Analyst Comments: JWT vulnerabilities highlight the consequences of insufficient cryptographic and implementation safeguards. Common issues, such as accepting the none algorithm or failing to verify key integrity, demonstrate systemic gaps in token security. These flaws are exacerbated in complex, multi-service environments like Single Sign-On (SSO). Exploiting JWTs often involves tampering with claims, headers, or signing algorithms, underscoring the importance of rigorous token validation and key management. Regular audits and hardened token policy adoption can prevent breaches compromising sensitive data and authentication processes.
FROM THE MEDIA: JWT misconfigurations often expose systems to critical vulnerabilities. For instance:
Algorithm Confusion: Changing the algorithm from RS256 (asymmetric) to HS256 (symmetric) allows attackers to use the server’s public key as a symmetric secret for token signing. This issue can lead to complete authentication bypasses if not mitigated.
None Algorithm Exploit: Setting the alg field to none in the JWT header allows attackers to skip signature verification entirely. This flaw persists in outdated implementations despite being addressed in modern libraries.
JWKS Spoofing and Path Traversal: Modifying the jku or kid headers to reference attacker-controlled URLs can result in remote key injection or directory traversal. Such exploits often enable server-side request forgery (SSRF) or unauthorized file access.
Replay Attacks in Multi-Service Systems: Cross-service token replay occurs when tokens generated for one client are accepted by another, often due to inadequate audience validation. This can compromise accounts across interconnected applications.
Tools like jwt_tool simplify exploitation by automating vulnerability discovery and payload crafting. Burp Suite extensions, such as JSON Web Tokens and SignSaboteur, provide integrated options for modifying JWTs during testing. Regular validation of cryptographic algorithms, token claims, and expiry policies is essential to mitigate these risks.
READ THE STORY: HackTricks
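The validation discipline the story calls for, shown as an added example (not code from the HackTricks guide or any library it mentions): a small HS256-only verifier that pins the algorithm server-side before any cryptography runs, checks the signature in constant time, and enforces exp and aud, then exercised against constructed tokens for the none-algorithm, cross-service replay, and claim-tampering cases described above. The secret, clock value, and service names are invented for the demo; the same pinning principle is what blocks RS256-to-HS256 confusion, since the verifier never lets the token choose the routine.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret and fixed clock for the examples (not real values).
DEMO_SECRET = b"constructed-demo-secret-not-for-production"
NOW = 1_700_000_000


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Issue a properly signed HS256 token (the legitimate issuer's side)."""
    signing_input = encode_segment({"alg": "HS256", "typ": "JWT"}) + "." + encode_segment(claims)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token: str, secret: bytes, expected_aud: str, now: int = NOW) -> dict:
    """Hardened verification: return the claims or raise ValueError.

    The server, not the token, decides the algorithm: the header's alg is compared
    against the pinned value first, so alg=none or a swapped algorithm is rejected
    before any verification routine is chosen from attacker-controlled input.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") != "HS256":
        raise ValueError(f"algorithm {header.get('alg')!r} not allowed")
    expected_sig = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(parts[2])):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(parts[1]))
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):  # blocks cross-service replay
        raise ValueError(f"audience {aud!r} not accepted by this service")
    return claims


def check(token: str, service_aud: str = "billing-api", now: int = NOW) -> str:
    """Summarise the verifier's decision for a token presented to one service."""
    try:
        verify_jwt(token, DEMO_SECRET, service_aud, now)
        return "accepted"
    except ValueError as err:
        return f"rejected: {err}"


# Constructed sample tokens mirroring the cases in the text.
CLAIMS = {"sub": "alice", "aud": "billing-api", "exp": NOW + 600}
good_token = sign_hs256(CLAIMS)
none_token = encode_segment({"alg": "none", "typ": "JWT"}) + "." + encode_segment(CLAIMS) + "."
replayed_token = sign_hs256({"sub": "alice", "aud": "reports-api", "exp": NOW + 600})  # minted for another service
_hdr, _, _sig = good_token.split(".")
tampered_token = f"{_hdr}.{encode_segment(dict(CLAIMS, sub='admin'))}.{_sig}"  # claims edited after signing
```

Calling check() on each constructed token returns "accepted" only for good_token; the others report which control stopped them.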
{JWT}.{ Misuse}. & Abuse (Video)
FROM THE MEDIA: JWTs are an incredibly flexible tool that makes life easier for developers because they are standardized, widely supported, and include essential security features by default. However, like any powerful tool, JWTs can be dangerous when used incorrectly, or for unintended purposes. In this talk, I aim to shine a light on common JWT misuse and abuse. I'll start by briefly describing JWTs and everyday use cases for them. I'll then present real-world scenarios of misuse and abuse from applications that I've tested as a consultant and written as an engineer.
Operation Clairvoyance: How APT Groups Spy on the Media Industry (Video)
FROM THE MEDIA: Cyber espionage actors have demonstrated great interest in the media industry. These actors seem to like to see Taiwan's daily activities through the "eyes" of these media companies and journalists. During Taiwan's intense 2022, we saw more and more Advanced Persistent Threat (APT) groups infiltrate Taiwan's media industry. In our observation, the media has become the first non-government target of those APT groups.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.