Thursday, Jan 16, 2025 // (IG): BB // GITHUB // SGM Jarrell
CISA Flags Chinese Cyber Espionage Campaign Targeting U.S. Government and Telecoms
Bottom Line Up Front (BLUF): The Chinese hacking group Salt Typhoon infiltrated U.S. federal networks before compromising major telecom providers like AT&T and Verizon. The breaches exposed millions of users to surveillance, allowing attackers to geolocate individuals, access internet traffic, and intercept phone calls. CISA warns this may be just "the tip of the iceberg" amid broader concerns about China targeting critical U.S. infrastructure.
Analyst Comments: The Salt Typhoon espionage campaign underscores China's evolving cyber strategy, focusing on pre-positioning within critical infrastructure to enable disruptive or destructive attacks during a potential crisis. The timing aligns with geopolitical tensions surrounding Taiwan, where Beijing may leverage such intrusions to dissuade U.S. military and public support. The scale of these breaches demonstrates the sophistication of Chinese cyber operations, and their implications for national security highlight the need for tighter private-public sector collaboration and proactive defenses.
FROM THE MEDIA: CISA Director Jen Easterly revealed at a Foundation for Defense of Democracies (FDD) event that Chinese-linked hackers were detected in federal government networks before breaching U.S. telecom systems. These intrusions targeted lawful surveillance systems within telecom infrastructure, enabling Salt Typhoon to monitor and collect sensitive data at will. Private sector collaboration with federal agencies led to the discovery of Salt Typhoon's virtual private servers, facilitating a more extensive investigation by the FBI and other law enforcement bodies. Despite these efforts, Easterly noted that "what we have found is likely just the tip of the iceberg," emphasizing the extent of Chinese cyber intrusions into U.S. critical infrastructure, including water, power, and transportation systems.
READ THE STORY: The Register
CIA Nominee Ratcliffe Advocates for Expanding Offensive Cyber Capabilities
Bottom Line Up Front (BLUF): John Ratcliffe, President-elect Donald Trump's nominee for CIA director, emphasized the importance of developing offensive cyber tools and establishing a cyber-specific deterrence strategy during his Senate Intelligence Committee confirmation hearing. Ratcliffe highlighted the growing threat of cyber intrusions from foreign adversaries and stressed the need for consequences to deter such actions.
Analyst Comments: Ratcliffe’s statements reflect a continuation of the Trump administration's focus on cyber offense as a key element of national security. While the CIA has historically kept its cyber operations classified, Ratcliffe's commitment to enhancing offensive capabilities signals an escalation in response to state-sponsored cyberattacks, particularly from China. However, increasing offensive cyber measures raises concerns about proportionality, the risk of escalation, and potential retaliation, making clear policy guidance critical.
FROM THE MEDIA: During his testimony, Ratcliffe described the cyber domain as a new frontier for conflict, drawing parallels to territorial invasions. He stressed the need for deterrence through consequences for adversaries like China, whose hackers were recently linked to high-profile breaches of U.S. telecommunications companies. Ratcliffe vowed to enhance the CIA's toolkit for offensive cyber operations, noting that deploying these tools would require policy decisions from higher authorities. Ratcliffe's approach aligns with previous Trump-era policies that gave the CIA greater autonomy in cyberspace, leading to operations targeting Iranian infrastructure, among other actions. The nominee’s comments come as cyberattacks, such as the Chinese-linked Salt Typhoon campaign, continue to threaten critical U.S. infrastructure.
READ THE STORY: Cyberscoop
UK Faces Surge in Cyberattacks, Sabotage, and State-Sponsored Threats
Bottom Line Up Front (BLUF): According to Jonathan Allen, Director General for Defence and Intelligence at the Foreign, Commonwealth, and Development Office (FCDO), the UK is experiencing a dramatic 50% increase in state-sponsored threats, including cyberattacks, sabotage, and disinformation. He warned of the country's diminished capacity to respond due to a loss of expertise and called for a "whole society response" to counter these evolving threats.
Analyst Comments: The surge in cyber activity and espionage highlights the evolving tactics of state-backed actors, particularly Russia, China, Iran, and North Korea. Using criminal proxies and hybrid warfare methods such as disinformation and economic coercion reflects a shift toward less overt but highly impactful forms of conflict. The UK’s acknowledgment of diminished resilience signals an urgent need to rebuild national defense capabilities. This could also lead to increased collaboration between government, private sector, and civil society, especially in safeguarding critical infrastructure and fortifying defenses against cyber intrusions.
FROM THE MEDIA: During a speech at the Royal United Services Institute (RUSI), Allen emphasized that state-sponsored threats now encompass cyberattacks, physical sabotage, and assassination attempts. He warned that hostile states are employing terrorist-style tactics via criminal intermediaries, exacerbating the threat landscape. Recent incidents, such as the discovery of a Chinese tracking device in a UK government car and Russian hackers targeting ambulance services, illustrate the growing vulnerabilities. Concerns have been raised over a proposed Chinese “super embassy” near critical communication hubs. Intelligence reports suggest that these actions may be part of a broader strategy to test Western responses and exploit weaknesses in coordination between law enforcement and military agencies. Experts like Matthew Redhead from RUSI noted that cyberattacks, election interference, and information warfare are becoming the "new normal" due to their low cost and minimal political risk for aggressor states. While Russia's operations are described as "reckless," China’s approach remains more calculated but increasingly assertive in cyber operations.
READ THE STORY: Cybernews
Minimal Makeup Tricks Unmask Facial Recognition Weaknesses
Bottom Line Up Front (BLUF): Researchers at PeopleTec have discovered subtle techniques, such as minimal makeup application and image manipulation, that can bypass facial recognition algorithms. These approaches avoid drawing attention while effectively disrupting AI-based surveillance.
Analyst Comments: This surge could be an effort to weaken Taiwan’s defensive capabilities amid rising military posturing. The attacks also appear to influence public opinion and destabilize Taiwan’s political landscape. As Taiwan strengthens its cyber defenses, international allies, mainly the U.S. and Japan, may increase cyber collaboration to deter further aggression. Should cyberattacks persist, they could spark broader discussions on reinforcing Taiwan’s critical infrastructure through public-private partnerships and international support.
FROM THE MEDIA: In their pre-print paper titled "Novel AI Camera Camouflage: Face Cloaking Without Full Disguise," PeopleTec researchers David Noever and Forrest McKee detailed how targeted makeup darkening key face points can thwart Haar cascade classifiers and prevent detection by reverse image search systems such as BetaFaceAPI and Bing Visual Search. The study contrasts previous bold disguises like CV Dazzle and Juggalo-style makeup, which, while effective, are easily noticed by human observers. Instead, the research demonstrates that subtle alterations can achieve similar evasion results without the "theatrical prominence" of bold camouflage. The report also noted that modifying the alpha transparency layer in image files can make faces visible to humans but undetectable by some AI-based search engines. In an interview, Noever cautioned that facial recognition remains a "Pandora’s Box" with the potential for both beneficial and harmful applications. He highlighted its dual use, citing its role in criminal manhunts alongside concerns over involuntary mass surveillance.
READ THE STORY: The Register
OneBlood Ransomware Attack Exposes Donor Data and Disrupts Operations
Bottom Line Up Front (BLUF): New research from cyber-defense firm PeopleTec shows that minimal makeup application in key facial areas can confuse facial recognition systems without requiring apparent disguises. The study highlights a more discreet approach to evading surveillance than traditional bold disguises.
Analyst Comments: In July 2024, the nonprofit blood donation organization OneBlood suffered a ransomware attack that exposed sensitive donor information, including names and Social Security numbers. The attack disrupted operations, forcing hospitals to activate critical blood shortage protocols. OneBlood has notified affected individuals and regulators but has not disclosed the full scale of the breach.
FROM THE MEDIA: OneBlood, serving over 250 hospitals in southeastern U.S. states like Florida, Georgia, and Alabama, reported the breach to state regulators in Maine, Vermont, and Massachusetts in January 2025. The attack began around July 26, 2024, and persisted for two weeks, during which files containing sensitive donor information were copied without authorization. The breach forced OneBlood to operate at reduced capacity, limiting the availability of blood supplies and impacting hospitals’ ability to meet patient needs. Critical blood shortage protocols were activated across hospitals, and manual processes were implemented to label blood products. Despite notifying law enforcement and offering victims one year of credit monitoring, OneBlood has not disclosed the total number of affected individuals. Maine’s reporting form indicated that at least 281 state residents were impacted.
READ THE STORY: The Record
Google Ads Users Targeted in Malvertising Scam Stealing Credentials and 2FA Codes
Bottom Line Up Front (BLUF): A new malvertising campaign targets Google Ads users by tricking them into entering their login credentials and two-factor authentication (2FA) codes on fraudulent sites. The campaign's goal appears to be hijacking ad accounts to perpetuate further scams and selling stolen credentials on underground forums.
Analyst Comments: Threat actors exploiting the discrepancy between display URLs and final landing pages have bypassed Google’s ad checks. Using legitimate services such as Google Sites for phishing infrastructure makes these attacks harder to detect. The campaign’s association with Portuguese-speaking groups suggests regional origins, possibly Brazil, as identified by domain registries. If these attacks persist, they may lead to broader calls for Google to strengthen its ad verification processes and implement stricter URL validation mechanisms.
FROM THE MEDIA: Malwarebytes reports that the attackers lure victims with fake ads displayed when users search for "Google Ads" on Google. Clicking the ad redirects users to phishing sites hosted on Google Sites, mimicking legitimate login pages. The phishing pages capture Google Ads account credentials and 2FA codes in real-time using WebSocket connections. Researchers highlighted the attackers’ clever use of the display URL policy loophole, allowing them to show "ads.google[.]com" while hosting fraudulent content on "sites.google[.]com." Once credentials are stolen, attackers gain full access to the victim's account, adding new administrators and exploiting the ad budget to fund their fraudulent campaigns. Reports indicate the threat actors have also been leveraging cloaking techniques, CAPTCHAs, and anti-bot detection to evade security measures. The attackers seem well-organized, as many of their domains use ".pt" (Portugal's top-level domain), suggesting a likely base of operations in Brazil or Portuguese-speaking regions.
READ THE STORY: THN
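The loophole described in the Google Ads story is that the display URL an ad shows and the page it finally lands on can sit on different hosts of the same domain (ads.google[.]com shown, sites.google[.]com landed on), so a check that only compares registrable domains passes it. The following is an added example, not code from the article, Malwarebytes or Google: a small audit that compares the display host with the final landing host over a few constructed ad records and separates the three outcomes (same host, same domain but different host, different domain). The record fields, paths and the lookalike host are assumptions made for the example.

```python
"""Flag ads whose display URL host does not match the landing page host.

Added example, not from the original article: the records below are
constructed to mirror the pattern in the report (display URL on
ads.google.com, landing page on sites.google.com). Defanging brackets
are omitted so urlparse can read the hosts.
"""
from urllib.parse import urlparse

# Constructed sample records (not real ad data); paths are hypothetical.
SAMPLE_ADS = [
    {"id": "ad-1", "display_url": "https://ads.google.com/",
     "final_url": "https://ads.google.com/intl/en/home/"},
    {"id": "ad-2", "display_url": "https://ads.google.com/",
     "final_url": "https://sites.google.com/view/some-page"},
    {"id": "ad-3", "display_url": "http://example.net",
     "final_url": "https://example.net/landing"},
    {"id": "ad-4", "display_url": "https://example.net",
     "final_url": "https://example.net.evil.test/login"},  # hypothetical lookalike host
]


def host_of(url: str) -> str:
    """Normalised hostname: scheme defaulted, lower-cased, port and trailing dot removed."""
    if "://" not in url:
        url = "https://" + url
    host = urlparse(url).hostname or ""
    return host.lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplification: a production check
    would consult the public suffix list (co.uk etc.)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def check_ad(ad: dict) -> dict:
    """Return a verdict for one ad record.

    ok     - display host and landing host are identical
    review - same registrable domain but a different host: exactly the
             case a domain-only comparison lets through
    block  - landing page is on an unrelated domain
    """
    display, final = host_of(ad["display_url"]), host_of(ad["final_url"])
    if display == final:
        verdict = "ok"
    elif registrable_domain(display) == registrable_domain(final):
        verdict = "review"
    else:
        verdict = "block"
    return {"id": ad["id"], "display_host": display,
            "final_host": final, "verdict": verdict}


def audit(ads):
    """Run check_ad over a list of records and return the results."""
    return [check_ad(a) for a in ads]


if __name__ == "__main__":
    for result in audit(SAMPLE_ADS):
        print(result)
```

The point of the three-way verdict is that "same registrable domain" is not a safe equivalence when the domain hosts user-controlled content such as Google Sites; a strict host comparison is what surfaces the case the report describes.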
U.S. Adds 16 Entities, Including Sophgo, to Trade Blacklist Over Huawei Chip Ties
Bottom Line Up Front (BLUF): The U.S. Commerce Department has added 16 entities, including 14 based in China and two in Singapore, to its trade blacklist for supporting Huawei and enabling access to restricted semiconductor technologies. The list includes Sophgo, a company linked to Huawei’s AI chip development, allegedly using a TSMC-manufactured chip in its systems. Companies on the list are prohibited from receiving U.S. exports without special licenses.
FROM THE MEDIA: The Biden administration expanded its trade blacklist by adding 16 entities, including Sophgo, a company allegedly involved in supplying Huawei's Ascend 910B AI processor with a TSMC-manufactured chip. The blacklist includes entities accused of supporting Huawei’s semiconductor supply chain, which the U.S. views as a threat to national security. The new measures impose stricter controls on advanced chip exports and new regulations on DRAM technology, particularly affecting facilities associated with Chinese memory chipmaker Changxin Memory Technologies (CXMT). The rule aims to restrict the export of chips below the 14nm node used in AI applications. The U.S. Commerce Department previously sanctioned companies linked to Huawei’s network, and this latest expansion builds on broader export controls targeting AI and military-grade semiconductor technologies. TSMC and Samsung, two major chip manufacturers, have yet to comment on the impact of these restrictions on their operations.
READ THE STORY: Reuters
Russia Plans Air Terror Attacks, Warns Polish Prime Minister
Bottom Line Up Front (BLUF): Polish Prime Minister Donald Tusk has warned of potential Russian plans to launch terror attacks on air transport in Poland and possibly beyond. The comments, made alongside Ukrainian President Volodymyr Zelenskyy, underscore concerns about a broader sabotage campaign allegedly orchestrated by Moscow.
Analyst Comments: Experts view these incidents as reconnaissance and "probing" of Western defenses. If confirmed, such efforts could indicate preparation for more significant disruptions targeting NATO countries. The geopolitical implications could pressure European governments to enhance aviation and critical infrastructure security, raising questions about NATO's collective response to such threats.
FROM THE MEDIA: In his remarks on Wednesday, Tusk cited "recent intelligence" without disclosing specific details. His warning comes amid ongoing concerns after unexplained explosions at logistics depots in Britain, Germany, and Poland in July, which experts suspect were trial runs for more significant attacks. German authorities arrested two individuals of Russian descent in Bavaria last April for allegedly plotting attacks on military and logistics sites. Around the same time, two men in the UK were charged with starting a fire at a warehouse storing aid for Ukraine. In October, Germany’s domestic intelligence service reported a narrowly avoided plane crash due to a parcel explosion in a cargo hold, suspected to be sabotage.
READ THE STORY: FT
Suspected Ukrainian Hackers Impersonating Russian Ministries to Spy on Industry
Bottom Line Up Front (BLUF): A pro-Ukraine hacker group, Sticky Werewolf, is accused of targeting Russian scientific and industrial enterprises in an espionage campaign. Cybersecurity firm F.A.C.C.T. identified phishing emails disguised as official communications from Russia’s Ministry of Industry and Trade, delivering Ozone malware for remote access. The attack appears aimed at compromising devices in critical industries.
Analyst Comments: There are ongoing cyber tensions in the Russia-Ukraine conflict, with espionage attempts to disrupt or gather intelligence from key sectors. Sticky Werewolf’s impersonation tactics indicate a sophisticated approach to phishing, leveraging trust in government communications. If successful, such campaigns could undermine Russia’s defense and industrial operations. Attribution remains challenging, but the timing and targets suggest a strategic intent to weaken Russian infrastructure.
FROM THE MEDIA: Reports from F.A.C.C.T. indicate the phishing emails urged Russian defense companies to collaborate with correctional facilities for mechanical expertise. The emails contained an executable file hidden within an archive, designed to deploy the Ozone remote access trojan upon opening. Sticky Werewolf, previously linked to attacks on research institutes and pharmaceutical companies, is known for using Darktrack and Glory Stealer malware. F.A.C.C.T. reported that the campaign began shortly after the New Year and was detected earlier this week. Israeli cybersecurity firm Morphisec’s analysis supports a potential connection to Ukrainian cyber operations but noted that conclusive attribution remains uncertain. Similar tactics were observed in earlier attacks where Sticky Werewolf impersonated Russian ministries, such as the Ministry of Emergency Situations and the Ministry of Construction, to infiltrate research institutes focused on vaccine development.
READ THE STORY: The Record
U.S. TikTok Ban Nears as Supreme Court Weighs National Security vs. Free Speech
Bottom Line Up Front (BLUF): The U.S. Supreme Court is set to decide on a potential TikTok ban, enforcing a law requiring ByteDance, TikTok's China-based parent company, to divest from the platform by January 19. Advocates cite national security concerns over the Chinese government’s data access, while opponents, including the ACLU, argue the ban infringes on free speech for TikTok’s 170 million U.S. users.
Analyst Comments: The potential TikTok ban underscores a growing challenge in balancing national security concerns with constitutional freedoms. With China’s national security laws compelling data-sharing by companies like ByteDance, U.S. policymakers see the platform as a risk. However, critics—including the ACLU—argue that banning the platform may set a precedent for overreaching into free speech. Regardless of the Supreme Court’s ruling, this debate will likely influence future regulations targeting foreign-controlled tech platforms.
FROM THE MEDIA: The law requiring ByteDance to divest TikTok was passed with bipartisan support and signed by President Joe Biden in April 2024, citing concerns over national security. Richard Harknett, a cybersecurity expert from the University of Cincinnati, explained that China's national security laws compel companies to share sensitive data with the Chinese government, which raises fears about potential misuse. Meanwhile, Wayne State University professor Elizabeth Stoycheff criticized the law, arguing that the justification lacks evidence of an imminent threat and may infringe on free speech. Some users have also questioned Meta CEO Mark Zuckerberg’s lobbying efforts to ban TikTok, suggesting he is more motivated by eliminating competition than by addressing security risks.
READ THE STORY: WDET
Items of interest
The U.S. Federal Trade Commission Files Lawsuit Against Deere Over Repair Restrictions
Bottom Line Up Front (BLUF): The FTC has filed a lawsuit against farm equipment manufacturer Deere & Co., alleging that the company illegally monopolizes equipment repairs by limiting access to its repair tools and software, forcing farmers to rely solely on its authorized dealer network. The lawsuit seeks to make repair tools available to independent mechanics and equipment owners to address inflated repair costs and anti-competitive practices.
Analyst Comments: Deere's tight control over proprietary software has long been a concern, contributing to repair delays and higher expenses for farmers. A successful case could set a legal precedent affecting other manufacturers with similar restrictions. Involvement from Illinois and Minnesota signals growing bipartisan support for expanded "right-to-repair" measures aimed at improving industry fairness.
FROM THE MEDIA: The FTC initiated legal action against Deere & Co., accusing the company of maintaining complete control over equipment repairs by withholding essential software from independent repair shops and farmers. This practice allegedly inflates costs and delays crucial repairs during harvest seasons. FTC Chair Lina Khan emphasized that "illegal repair restrictions" significantly impact farmers’ ability to maintain equipment and sustain their livelihoods. The lawsuit aims to require Deere to make repair tools and software available to independent providers and equipment owners. Reports indicate that the FTC investigation began in October 2024, with Illinois and Minnesota joining as plaintiffs to bolster the case. Deere has not issued a public response. This lawsuit aligns with recent government efforts to increase competition in agriculture, with actions targeting monopolies in seed distribution, livestock farming, and farm equipment maintenance.
READ THE STORY: Reuters
Farmers Are Hacking Their Tractors Because of a Right to Repair Ban (Video)
FROM THE MEDIA: As of 2020, no right to repair law has passed in the US. But more than 20 states are considering legislation similar to Nebraska's, and Bernie Sanders and Elizabeth Warren have both supported national right to repair legislation for farmers.
Farmers win again: John Deere's dismissal request DENIED! (Video)
FROM THE MEDIA: A significant legal victory in the right-to-repair movement occurred as a federal court denied John Deere's motion to dismiss a lawsuit filed by the U.S. Federal Trade Commission (FTC). The lawsuit accuses the agricultural giant of monopolistic practices by restricting access to equipment repair tools, forcing farmers to rely solely on authorized dealerships for repairs.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.