Saturday, Jan 18, 2025 // (IG): BB // GITHUB // SGM Jarrell
TSA Extends Cybersecurity Mandates for Pipeline Operators Amid Rising Threats
Bottom Line Up Front (BLUF): The Transportation Security Administration (TSA) has extended two key cybersecurity directives for pipeline operators by an additional year. Originally issued after the 2021 Colonial Pipeline ransomware attack, the directives now include amendments designed to strengthen effectiveness, shift to a performance-based approach, and address emerging cyber threats.
Analyst Comments: The extension of TSA’s pipeline security directives reflects the agency’s recognition of the ongoing risks to critical infrastructure from ransomware attacks and nation-state cyber actors. The move toward a performance-based framework allows operators greater flexibility in implementing measures tailored to their systems, though it could raise questions about consistent enforcement. With rising geopolitical tensions, particularly with China and Russia, pipelines and other critical infrastructure remain prime targets, necessitating robust and adaptive cybersecurity measures. However, industry pushback and political shifts could weaken these regulations under future administrations, potentially increasing vulnerabilities.
FROM THE MEDIA: The updated directives adopt a performance-based approach, giving operators the flexibility to achieve critical security outcomes. New requirements include developing TSA-approved cybersecurity implementation plans, maintaining incident response plans, and conducting annual assessments of cyber defenses.
The amendments and extensions come as cyber threats to critical infrastructure persist. The U.S. intelligence community has reported that Chinese-sponsored hackers have infiltrated critical infrastructure networks, and ransomware attacks targeting transportation systems are increasing. Industry representatives have criticized the mandates as burdensome, gaining support from Republican lawmakers who may seek to ease regulations under the next administration.
READ THE STORY: Cyberscoop
Sichuan Juxinhe Network Technology Sanctioned by the U.S. - Ties to MSS
Bottom Line Up Front (BLUF): The U.S. government has sanctioned Yin Kecheng, a Shanghai-based hacker affiliated with China’s Ministry of State Security (MSS), and Sichuan Juxinhe Network Technology, a Chinese cybersecurity company. Both entities are implicated in the Salt Typhoon cyber espionage campaign, which targeted U.S. Treasury Department systems and at least nine telecommunications companies, compromising sensitive data.
Analyst Comments: This action demonstrates the growing assertiveness of the U.S. in responding to cyberattacks linked to China. The Salt Typhoon campaign reflects the increasingly sophisticated capabilities of Chinese threat actors targeting critical U.S. infrastructure. While symbolically significant, these sanctions will unlikely disrupt entities’ operations within China's jurisdiction. However, the expanded U.S. authority to impose penalties and new cybersecurity regulations from the FCC may deter future attacks and improve defenses.
FROM THE MEDIA: Sichuan Juxinhe Network Technology, a Chinese contractor tied to the MSS, reportedly exploited vulnerabilities in major telecoms to intercept communications and gain access to critical data. As a response, the FCC has introduced new cybersecurity regulations requiring annual certifications and risk management plans. Deputy Treasury Secretary Adewale Adeyemo has called for legislation to bolster third-party provider oversight and improve information-sharing protections to counter similar threats.
READ THE STORY: Cyberscoop // THN // The Record // Securityweek
RedNote Founder Charlwin Mao Welcomes ‘TikTok Refugees’ Amid Global Tensions
Bottom Line Up Front (BLUF): Charlwin Mao, co-founder of Xiaohongshu (commonly referred to as RedNote internationally), has seen a surge of U.S. users joining the app ahead of a looming U.S. ban on TikTok. This unexpected migration highlights the irony of a Chinese social media platform benefiting from a crackdown on another Chinese-owned app. The influx of American users could challenge China's strict online censorship while drawing scrutiny from U.S. lawmakers.
Analyst Comments: The sudden popularity of Xiaohongshu among American users underscores the interconnectedness of global digital platforms, even amidst geopolitical tensions. While U.S. TikTok users seek alternatives, their migration to a China-based platform like RedNote could inadvertently create cultural exchanges that transcend political divisions. However, this poses risks for Xiaohongshu. Beijing may restrict access to Western content to maintain control over information flows, while U.S. lawmakers could target RedNote for similar concerns that led to TikTok’s ban. Charlwin Mao’s careful navigation of regulatory environments in both countries will determine how long this window of global engagement remains open.
FROM THE MEDIA: Xiaohongshu, or RedNote, has experienced a dramatic surge in U.S. users as TikTok faces a nationwide ban. The app, previously popular primarily within China, now serves as a refuge for "TikTok refugees," drawn to its photo-sharing and lifestyle content. Founded by Charlwin Mao and Miranda Qu in 2013, the platform began as a travel guide but evolved into a social media hub for beauty, travel, and consumer tips. The company, with over 300 million active users, is now valued at $20 billion following its newfound global attention. Mao, a Stanford graduate and former Bain Capital associate, operates the app in a delicate regulatory environment, ensuring it complies with China’s strict internet censorship while adapting to its international user base. Employees at Xiaohongshu’s Shanghai headquarters have worked to enhance content moderation controls as the app handles the cultural exchange between U.S. and Chinese users.
READ THE STORY: FT
U.S. Deploys FALCON Cyber Response Tool to Combat Costa Rica Oil Refinery Ransomware Attack
Bottom Line Up Front (BLUF): The U.S. government’s Foreign Assistance Leveraged for Cybersecurity Operational Needs (FALCON) program was deployed for the first time in response to a ransomware attack on Costa Rica’s largest oil refinery, RECOPE. This rapid response tool, launched by the State Department, helped remediate the attack within days, demonstrating its potential for bolstering global cybersecurity.
Analyst Comments: FALCON's inaugural deployment highlights the strategic importance of international partnerships in combating ransomware. The program's ability to rapidly deploy public-private cyber response teams underscores the need for collaborative global defense mechanisms. Costa Rica’s rising status as a key U.S. cybersecurity ally makes it a testing ground for initiatives like FALCON, which may be critical in addressing ransomware campaigns worldwide. While successful, future incidents may test the scalability of the program and its ability to respond to multiple simultaneous crises. The program’s continuation under the Trump administration will likely be pivotal in shaping U.S. leadership in global cybersecurity norms.
FROM THE MEDIA: A ransomware attack on Costa Rica’s RECOPE refinery occurred the day before Thanksgiving 2024, impacting administrative systems and causing disruptions to oil distribution. The ransomware group RansomHub demanded $5 million, but Costa Rica, adhering to its non-payment policy, sought U.S. assistance. The State Department's cyber bureau deployed the FALCON response team, which consisted of federal contractors and U.S. government personnel. Within 36 hours, team members were on the ground, providing immediate assistance to Costa Rican counterparts. Over 10 days, the FALCON team helped investigate the attack, expel the hackers, restore systems, and implement hardening measures to prevent future incidents. Costa Rica’s Science and Technology Minister Paula Bogantes Zamora noted that U.S. forensic assistance was critical in identifying the attack, which originated from a phishing email and involved months of network infiltration. Although RECOPE operations were disrupted temporarily, Costa Rica managed to avoid further panic, assuring citizens of sufficient oil reserves.
READ THE STORY: The Record
Biden Bolsters Cybersecurity with Last-Minute Executive Order Before Transition
Bottom Line Up Front (BLUF): In his final days as President, Joe Biden issued a sweeping executive order to strengthen U.S. cybersecurity. The order mandates minimum cybersecurity standards for government contractors, broadens sanctions against foreign cyber adversaries, sets cryptographic standards, and requires Cyber Trust Mark compliance for Internet of Things (IoT) vendors by 2027. It also prioritizes artificial intelligence tools for federal network security and increases funding to address the cyber talent shortage.
Analyst Comments: Biden's late-stage executive order reflects the urgency of addressing escalating threats from China, Russia, and North Korea. Including AI-driven vulnerability detection, cryptographic standards, and IoT security marks a forward-looking approach to evolving cyber risks. However, the success of the order hinges on implementation, which could face challenges under the Trump administration’s priorities. If embraced, these measures have the potential to enhance national resilience, strengthen vendor accountability, and support the cybersecurity workforce. If deprioritized, critical initiatives like AI-driven security tools may lose momentum, leaving government networks vulnerable to sophisticated attacks.
FROM THE MEDIA: Issued shortly before President-elect Donald Trump's inauguration, Biden's executive order aims to address growing cyber threats targeting U.S. federal agencies and infrastructure. The order subjects IT contractors to minimum cybersecurity requirements, introduces sanctions targeting cyber activities by foreign adversaries, and mandates cryptographic and AI-driven solutions to secure federal networks. By 2027, IoT vendors must comply with Cyber Trust Mark standards to improve device security. Experts have commended the executive order for its comprehensive scope. Flashpoint's Andrew Borene highlighted its relevance in countering adversary-led cyber operations. At the same time, BlueVoyant's Lorri Janssen-Anessi emphasized the importance of continuity in implementing the order’s provisions under the new administration. Industry leaders, however, have expressed concerns over whether Trump's administration will fully adopt these initiatives, potentially delaying their impact.
READ THE STORY: SCMEDIA
Canadian IT Company OpenText Labeled 'Undesirable' by Russian Authorities
Bottom Line Up Front (BLUF): Russia has designated OpenText Corporation, a Canadian IT company, as an "undesirable" organization, accusing it of collaborating with U.S. law enforcement and contributing to anti-Russia activities. The designation prohibits OpenText from operating in Russia, freezes its assets, and bans Russian entities from cooperating with the company.
Analyst Comments: This move underscores the growing digital and geopolitical divide between Russia and Western nations. By targeting OpenText, Russia is expanding its focus on IT and cybersecurity firms that support Ukraine or work with Western defense agencies. The designation aligns with Russia’s broader strategy of framing foreign organizations as threats to national security. The impact on OpenText is likely minimal given its 2022 exit from the Russian market, but this action signals an escalation in Russia’s efforts to vilify Western tech companies and deter collaboration between Russian entities and foreign firms.
FROM THE MEDIA: Russia's Prosecutor General's Office announced the addition of OpenText Corporation to its list of "undesirable" organizations. The office alleged that the Canadian company collaborates with U.S. law enforcement and provides the U.S. Department of Defense with software for user identification. Russian authorities also accused OpenText of aiding Ukraine by supplying cybersecurity tools to its law enforcement agencies and power grid operator Ukrenergo. OpenText, based in Waterloo, Ontario, acquired U.K.-based Micro Focus in 2023. Russia claims Micro Focus provided software to Ukrainian agencies to facilitate data collection targeting Russian troops. In response to Russia's 2022 invasion of Ukraine, OpenText and Micro Focus had already suspended their Russian operations and donated to humanitarian efforts in Ukraine. The "undesirable" designation mirrors Russia’s December 2024 move against Recorded Future, a U.S. cybersecurity firm, with similar allegations of anti-Russian propaganda and ties to Western defense institutions. The designation bans OpenText from any business in Russia, criminalizes collaboration by Russian entities, and enables asset seizures within the country.
READ THE STORY: The Record
Hackers Expose FBI Call Logs in AT&T Breach, Compromising Informants
Bottom Line Up Front (BLUF): A massive breach of AT&T in July 2022 exposed call and text metadata for over 100 million customers, including FBI agents. The leaked data may reveal the identities of confidential informants, raising serious national security concerns. While AT&T attempted to contain the damage, reports suggest lapses in communication security protocols may have worsened the impact.
Analyst Comments: The exposure of FBI communication records underscores the critical vulnerabilities in telecommunications infrastructure and operational security practices. While the content of calls was not leaked, metadata alone can provide a detailed picture of relationships and investigative targets, especially when exploited by sophisticated adversaries. This breach may also explain the FBI's recent advocacy for encrypted messaging platforms—a sharp departure from their historical opposition to end-to-end encryption. The incident highlights the urgency for telecom providers to implement robust cybersecurity measures and for federal agencies to adopt stricter operational protocols to mitigate such risks.
FROM THE MEDIA: In July 2022, AT&T disclosed a breach that exposed call and text metadata for over six months, affecting over 100 million customers. Confidential FBI communication logs were included in the stolen data, sparking fears that the identities of informants and sources could be compromised. While no call or text content was accessed, the metadata revealed communication patterns, including agents' mobile numbers and potentially sensitive investigative details.
Reports indicate that AT&T paid $370,000 to the attackers in an attempt to prevent the data from being leaked, but the full extent of the breach remains unclear. In December, a suspect linked to the extortion attempt was arrested. Meanwhile, the FBI has warned about potential fallout and called for improved communication security practices. The breach comes amid other attacks, such as the Salt Typhoon campaign by Chinese state-linked hackers, which targeted several U.S. telecom providers and exposed call recordings and location data of specific targets.
READ THE STORY: Wired
Misconfiguration in Microsoft Active Directory Enables NTLMv1 Bypass
Bottom Line Up Front (BLUF): Cybersecurity researchers discovered a misconfiguration in Microsoft Active Directory that allows NTLMv1 authentication despite being disabled through Group Policy. The bypass leverages a Netlogon Remote Protocol (MS-NRPC) setting that overrides NTLMv1 restrictions, exposing organizations to potential relay attacks and data theft.
Analyst Comments: Despite its deprecation, the persistence of NTLMv1 vulnerabilities highlights the challenges of transitioning from legacy authentication protocols in complex environments. The ability to bypass Group Policy restrictions demonstrates the importance of reviewing and mitigating misconfigurations in critical systems. Organizations relying on NTLM should prioritize auditing their authentication mechanisms, patching misconfigured applications, and moving to more secure protocols. The discovery underscores the risks of backward compatibility requirements in cybersecurity, as they often introduce exploitable weaknesses.
FROM THE MEDIA: Microsoft introduced Group Policy as a solution to disable NTLMv1 across networks, but researchers at Silverfort found that the policy can be bypassed due to misconfigured on-premises applications. The bypass relies on the ParameterControl setting within the NETLOGON_LOGON_IDENTITY_INFO data structure, which allows NTLMv1 authentication even when Active Directory is configured to enforce NTLMv2. This configuration flaw negates the intended protections of the LMCompatibilityLevel registry key, enabling attackers to perform relay attacks and maliciously authenticate to endpoints. Microsoft officially removed NTLMv1 in Windows 11 version 24H2 and Windows Server 2025, but many legacy systems remain vulnerable. The issue further complicates secure authentication management in environments where older protocols are still used for backward compatibility.
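Because the bypass described above lets an application obtain NTLMv1 authentication regardless of what LMCompatibilityLevel says, the policy setting alone is not evidence that NTLMv1 is gone; the domain controller's Security log is. The following PowerShell is an added example for auditing, not code from the article or from Silverfort. It reads the LMCompatibilityLevel value from the registry path Windows uses for it and then scans Security event 4624 for logons whose LmPackageName field reads "NTLM V1", which identifies the hosts still sending NTLMv1 so their applications can be fixed. It assumes it is run with administrative rights on a domain controller (or any host whose Security log you want to inspect); the function names and the 7-day window are choices made for this example.

```powershell
# Added audit example (not from the article or from Silverfort).
# Assumes local admin rights on a domain controller so the Security log is readable.

# 1. Report the effective LMCompatibilityLevel. Levels 0-2 still send LM/NTLMv1;
#    3-4 send NTLMv2 only but the DC still accepts NTLMv1 from clients;
#    5 makes the DC refuse LM and NTLMv1 responses entirely.
function Get-LmCompatibilityLevel {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $value = (Get-ItemProperty -Path $key -Name 'LmCompatibilityLevel' -ErrorAction SilentlyContinue).LmCompatibilityLevel
    if ($null -eq $value) {
        # Value absent: Windows applies its OS default (3 on current versions).
        return [pscustomobject]@{ Level = $null; Meaning = 'not set; OS default applies' }
    }
    $meaning = switch ($value) {
        0 { 'Send LM & NTLM responses' }
        1 { 'Send LM & NTLM, use NTLMv2 session security if negotiated' }
        2 { 'Send NTLM response only' }
        3 { 'Send NTLMv2 response only' }
        4 { 'Send NTLMv2 response only, refuse LM' }
        5 { 'Send NTLMv2 response only, refuse LM & NTLM' }
        default { 'unknown value' }
    }
    [pscustomobject]@{ Level = $value; Meaning = $meaning }
}

# 2. List logons that actually used NTLMv1. Event 4624 carries an LmPackageName
#    field ("Package Name (NTLM only)" in the UI) that reads "NTLM V1" for such
#    logons whatever the policy says, so this check catches the bypass.
function Get-NtlmV1Logons {
    param([int]$Days = 7)   # look-back window, chosen for this example
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4624
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['LmPackageName'] -eq 'NTLM V1') {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                Account     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                Workstation = $data['WorkstationName']
                SourceIp    = $data['IpAddress']
                LogonType   = $data['LogonType']
            }
        }
    }
}

# Usage: show the policy value, then the hosts still presenting NTLMv1,
# most active first, so the misconfigured applications can be located.
Get-LmCompatibilityLevel
Get-NtlmV1Logons -Days 7 |
    Group-Object Workstation |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Running the second function on each domain controller (event 4624 is written where the logon is validated) gives the list of sources to remediate before raising LMCompatibilityLevel to 5, which is the setting that makes the domain controller refuse NTLMv1 outright rather than merely prefer NTLMv2.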
READ THE STORY: THN
Michael Saylor’s Bitcoin Bet: MicroStrategy Soars Amidst Risks
Bottom Line Up Front (BLUF): MicroStrategy's Michael Saylor has turned the software company into a Bitcoin investment vehicle, amassing 450,000 Bitcoin worth approximately $47 billion. The company's stock has surged 690% over the past year, far exceeding the value of its Bitcoin holdings, as investors bet on Saylor’s ability to profit from the cryptocurrency's scarcity. Despite this success, the strategy carries significant risks tied to Bitcoin’s volatility.
Analyst Comments: Michael Saylor’s aggressive Bitcoin accumulation has positioned MicroStrategy as a proxy for Bitcoin investment, appealing to institutions unable or unwilling to directly hold cryptocurrency. This unique approach allows the company to raise capital via equity and debt offerings, leveraging Bitcoin’s perceived scarcity and inflation-hedging qualities. However, the strategy is not without peril. A sharp decline in Bitcoin prices could leave MicroStrategy overleveraged and its stock vulnerable to significant losses. Investors should remain cautious, as the company’s valuation relies heavily on Bitcoin’s continued upward trajectory.
FROM THE MEDIA: The company’s shares now trade at a premium, valued at $97 billion despite holding $47 billion in Bitcoin. This has drawn institutional investors like Capital Group and Norway's sovereign wealth fund, Norges Bank, to purchase MicroStrategy shares. However, concerns persist about Saylor’s speculative approach, including past financial setbacks, the company’s heavy reliance on favorable market conditions, and rumors of overexposure during Bitcoin downturns, such as the FTX collapse in late 2022. Recently, Saylor introduced a new plan to issue $2 billion in perpetual preferred shares to continue Bitcoin acquisitions, signaling an unwavering commitment to the cryptocurrency. However, skeptics argue that MicroStrategy’s fate is intrinsically tied to Bitcoin’s volatile market, raising questions about sustainability and long-term risk.
READ THE STORY: WSJ
Items of interest
Blue Origin Successfully Launches "Space Tug" as It Competes with SpaceX
Bottom Line Up Front (BLUF): Jeff Bezos' aerospace company achieved a significant milestone with the first successful orbital launch of its New Glenn rocket on January 16, 2025. The payload, a prototype "space tug" called Blue Ring Pathfinder, is now testing in-space logistics and delivery capabilities despite the loss of the booster during descent.
Analyst Comments: The success of this launch positions Bezos’ venture as a credible competitor to SpaceX, particularly in the in-space logistics market. The Blue Ring Pathfinder demonstrates the growing interest in orbital infrastructure and space mobility, which are critical to commercial and defense applications. While the loss of the booster is a setback, the successful deployment of the payload highlights the company’s readiness to expand operations. Its partnerships with NASA, Amazon’s Project Kuiper, and the Defense Innovation Unit suggest a growing demand for versatile spacecraft capable of enhancing satellite deployment and maneuverability.
FROM THE MEDIA: The New Glenn rocket reached orbit on its first attempt, marking a significant achievement in the commercial space sector. The mission's payload, the Blue Ring Pathfinder, is designed to support in-space logistics, including deploying satellites into specific orbits and hosting payloads. It features 12 docking ports, each capable of carrying up to 500 kilograms, and offers orbital maneuvering with 3,000 meters per second of delta-V. The test is part of a Defense Innovation Unit project aimed at improving orbital logistics and resilience, especially as space becomes a critical domain for defense and communication. The increasing reliance on satellite infrastructure for global communications and the dominance of SpaceX’s fleet have amplified interest in alternative space capabilities. The company's growing involvement in defense projects complements broader interconnections with AWS Ground Station, supporting satellite fleet communications and data integration.
READ THE STORY: The Stack
New Glenn, Explained: What to know about Jeff Bezos' Blue Origin's new orbital class rocket (Video)
FROM THE MEDIA: Blue Origin is entering its next phase of launch capability with the introduction of its New Glenn rocket. The 98-meter-tall (~320 ft.) rocket is mostly manufactured and tested just outside of the gates of NASA's Kennedy Space Center in Florida. It's the second launch vehicle developed by the company founded by Jeff Bezos, following the suborbital New Shepard rocket.
Blue Origin’s New Glenn Reaches Orbit, Starship RUDS on 7th Flight (Video)
FROM THE MEDIA: What a monumental week in space! Blue Origin’s New Glenn rocket finally made its debut, reaching orbit on its first flight. Meanwhile, SpaceX’s Starship Flight 7 brought thrilling moments with another successful booster catch—though the ship faced challenges. Over in India, ISRO achieved groundbreaking docking with its SpaceX mission, solidifying its human spaceflight ambitions. We’ll also cover updates on ESA’s Gaia mission, Stoke Space’s funding milestone, and more from across the cosmos.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.