Sunday, Feb 09, 2025 // (IG): BB // GITHUB // SN R&D
Baltic nations cut ties to Russian power grid, prepare to link with EU
Bottom Line Up Front (BLUF): Lithuania has disconnected from Russia's power grid as part of a broader initiative by the Baltic states to synchronize with the European Union's electricity network. Latvia and Estonia are expected to follow suit, marking a significant geopolitical and energy shift. The transition aims to enhance regional security and reduce dependence on Russian infrastructure.
Analyst Comments: This move represents a critical step in the Baltic states' long-term strategy to sever energy ties with Russia, a process that accelerated after Moscow's 2014 annexation of Crimea and the 2022 invasion of Ukraine. By joining the EU's power grid, Lithuania, Latvia, and Estonia reinforce their alignment with Western energy policies and security frameworks. However, the transition may pose short-term risks, such as potential instability in power supply and economic adjustments for industries that until now depended on frequency control from the Russian-operated system. This shift could also prompt Moscow to retaliate with economic or cyber measures targeting Baltic infrastructure.
FROM THE MEDIA: Latvia and Estonia are set to follow, with full synchronization with the EU grid expected by February 9, 2025. Previously, the three Baltic nations relied on the Russian system for frequency control and network stability. However, after ceasing power purchases from Russia in 2022, they accelerated efforts to transition to EU energy infrastructure. Lithuania’s energy ministry has prepared contingency plans to mitigate power shortages, including temporary disconnection of heavy industrial users if necessary. The move significantly reduces Russian influence in the region and strengthens the Baltics' energy independence.
READ THE STORY: Reuters
Paragon Spyware Targeted Victims Across Europe, Italy Investigates
Bottom Line Up Front (BLUF): Italy's cybersecurity agency, the Agenzia per la Cybersicurezza Nazionale (ACN), is investigating allegations that Paragon Solutions' spyware targeted victims in at least 14 European countries. The spyware, a zero-click surveillance tool, was reportedly used in a hacking campaign disclosed by WhatsApp. Victims include journalists, activists, and migrant advocates. While Italy denies government involvement, the incident raises concerns over the use of commercial spyware in Europe.
Analyst Comments: State and non-state actors' growing use of commercial spyware continues to pose a significant cybersecurity and human rights challenge. Paragon Solutions, an Israeli company, has been known to sell its spyware to governments, including the U.S. and its allies. While Italy denies its intelligence agencies used the spyware, targeting journalists and activists suggests potential government or private-sector misuse. The incident echoes past concerns around Pegasus spyware and may lead to stronger EU regulations on commercial surveillance tools. Meta’s ability to detect and block the attack vector highlights the importance of platform-led cybersecurity defenses against spyware threats.
FROM THE MEDIA: According to Italy's ACN, seven Italian nationals were affected, along with victims in Belgium, Greece, Latvia, Lithuania, Austria, Cyprus, the Czech Republic, Denmark, Germany, the Netherlands, Portugal, Spain, and Sweden. WhatsApp's lawyers briefed Italian authorities, confirming that the spyware used a malicious PDF file to infect devices. Paragon Solutions has acknowledged selling its spyware to the U.S. and allied governments but has not commented on its European deployment. In response, Italy's government denied involvement and announced an investigation into the alleged hacking attempts.
READ THE STORY: The Record
Microsoft Identifies 3,000 Leaked ASP.NET Keys Enabling Code Injection Attacks
Bottom Line Up Front (BLUF): Microsoft has discovered over 3,000 publicly leaked ASP.NET machine keys that could enable ViewState code injection attacks, allowing remote code execution on IIS web servers. Threat actors exploit these exposed keys to inject malicious payloads, including the Godzilla post-exploitation framework. Microsoft urges developers to verify their machine keys, avoid using public repositories for key storage, and take immediate remediation steps.
Analyst Comments: Unlike earlier ViewState attacks that relied on keys stolen and sold on dark web marketplaces, these keys are freely accessible in public code repositories and documentation, so any attacker can harvest them without first compromising a target. The widespread nature of the issue suggests organizations may already be compromised without realizing it. Simply rotating keys is not enough: a ViewState forged with a leaked key passes MAC validation and looks like legitimate traffic, so administrators must audit their environments for persistence left behind by earlier payloads, reconfigure security controls, and watch for ViewState MAC validation failures after rotation, which are the first visible sign that an attacker is still replaying payloads signed with the old key. With 3,000+ leaked keys, expect increased automated attacks targeting ASP.NET applications in the coming months.
FROM THE MEDIA: Microsoft's Threat Intelligence team detected the first signs of this attack in December 2024, when an unidentified threat actor leveraged a publicly available hardcoded machine key to execute malicious ViewState payloads. Because the server trusts any ViewState whose MAC validates under its machine key, an attacker holding that key can submit a payload that passes validation and is deserialized, allowing them to bypass integrity checks, inject arbitrary code, and establish remote access to IIS servers. Unlike previous ViewState attacks using stolen or compromised keys, these publicly leaked keys create a much broader attack surface. Microsoft has provided hash values of the disclosed keys and strongly advises enterprise customers to scan their environments for them. In some cases, Microsoft removed key artifacts from limited instances of its official documentation to mitigate the issue.
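The audit Microsoft recommends comes down to two questions: does each web.config carry a literal machineKey rather than the AutoGenerate default, and is that key on the disclosed list. The following is an added example written for this digest, not Microsoft's script or any code from the story. The sample web.config, the key inside it, and the "known leaked" digest set are all constructed here; the choice of SHA-256 over the hex key string as the comparison digest is an assumption, so match it to the format of the hash list you actually download. The second half models ViewState MAC validation as a bare HMAC-SHA256 (the real scheme mixes in a per-page modifier) to show why possession of the key, not any server flaw, is what lets a forged payload through.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample web.config (the key is a placeholder, not a real leaked key):
# a hardcoded machineKey of the kind that ends up in public repositories.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""

# Placeholder stand-in for the published list of disclosed keys. Assumption for this
# example: one SHA-256 hex digest per key string; adapt to the real list's format.
KNOWN_LEAKED_SHA256 = {
    hashlib.sha256(
        b"0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
    ).hexdigest(),
}


def audit_machine_key(config_xml: str) -> dict:
    """Report hardcoded and known-leaked keys in one web.config's <machineKey>."""
    root = ET.fromstring(config_xml)
    node = root.find("./system.web/machineKey")
    findings = {"present": node is not None, "hardcoded": [], "known_leaked": []}
    if node is None:
        return findings  # keys are auto-generated per app pool; nothing to rotate
    for attr in ("validationKey", "decryptionKey"):
        value = node.get(attr, "AutoGenerate")
        if value.startswith("AutoGenerate"):
            continue
        findings["hardcoded"].append(attr)
        if hashlib.sha256(value.encode()).hexdigest() in KNOWN_LEAKED_SHA256:
            findings["known_leaked"].append(attr)
    return findings


def sign_viewstate(validation_key_hex: str, viewstate: bytes) -> bytes:
    """Simplified ViewState MAC: HMAC-SHA256 keyed with the validationKey bytes."""
    return hmac.new(bytes.fromhex(validation_key_hex), viewstate, hashlib.sha256).digest()


def server_accepts(validation_key_hex: str, viewstate: bytes, mac: bytes) -> bool:
    """What the server checks before it deserializes the ViewState blob."""
    return hmac.compare_digest(sign_viewstate(validation_key_hex, viewstate), mac)


def leaked_key_scenario() -> tuple:
    """Forge a payload with the leaked key; check it before and after rotation."""
    leaked = "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
    attacker_blob = b"<attacker-controlled serialized payload stands in here>"
    forged_mac = sign_viewstate(leaked, attacker_blob)  # attacker signs it themselves
    accepted_before = server_accepts(leaked, attacker_blob, forged_mac)
    rotated = "FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210"
    accepted_after = server_accepts(rotated, attacker_blob, forged_mac)
    return accepted_before, accepted_after


if __name__ == "__main__":
    print(audit_machine_key(SAMPLE_WEB_CONFIG))
    print("forged ViewState accepted before/after rotation:", leaked_key_scenario())
```

Run it against every web.config and applicationHost.config on the server, not just the application root, because a machineKey inherited from a parent configuration is just as exploitable. The second result shows the other half of the remediation story: rotation stops new forgeries, but it says nothing about a payload that already ran under the old key.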
READ THE STORY: THN
Judge Declines to Block Elon Musk’s DOGE Access to U.S. Labor Department Systems
Bottom Line Up Front (BLUF): A U.S. federal judge has ruled against a labor union’s request to block Elon Musk’s Department of Government Efficiency (DOGE) from accessing the U.S. Labor Department’s systems. The lawsuit, filed by the AFL-CIO, argues that Musk’s role in Trump’s administration allows him access to sensitive federal data, including investigations into his own companies and competitors. The decision marks a setback for government employee unions, but legal challenges against Musk’s expanding influence over federal agencies are ongoing.
Analyst Comments: As head of DOGE, Musk has been given broad powers to cut government spending, raising alarms over conflicts of interest, data privacy, and cybersecurity risks. His access to federal databases—particularly those related to labor investigations and economic statistics—could provide competitive advantages for his companies, including Tesla and SpaceX. Legal battles against DOGE are expected to intensify, with state attorneys general preparing lawsuits over Musk’s data access at the Treasury Department and other agencies. The implications include potential government restructuring, widespread job cuts, and increased scrutiny of Musk’s political role.
FROM THE MEDIA: U.S. District Judge John Bates ruled that the AFL-CIO had not provided sufficient evidence of harm to justify blocking DOGE’s access to the Labor Department's systems. The union had argued that Musk’s position gave him unauthorized access to non-public Occupational Safety and Health Administration (OSHA) investigations into Tesla, SpaceX, and The Boring Company, as well as sensitive economic data. While Musk has pledged to recuse himself from conflicts of interest, critics argue that oversight remains weak. Meanwhile, separate lawsuits against DOGE are escalating, including a multi-state legal challenge over Musk’s access to Treasury Department payment systems, which store sensitive financial data of millions of Americans.
READ THE STORY: The Record // Reuters
Tech vs. Finance: The Social Wars
Bottom Line Up Front (BLUF): Janan Ganesh explores the cultural and social differences between the tech and finance industries, arguing that while tech dominates innovation and economic power, finance professionals often make for more engaging company. He suggests that finance has developed a certain humility post-2008, whereas tech, still riding high, lacks the same self-awareness.
Analyst Comments: Look beyond the surface, and a deeper narrative emerges about how industries shape behavior. Tech fosters an engineer-driven mindset—analytical, product-focused, and sometimes socially detached. Finance, by contrast, depends on relationships, persuasion, and perception, skills that encourage a smoother, more socially aware demeanor. Yet, as fintech and AI disrupt traditional finance, the boundary between the two worlds is thinning. If tech ever faces a seismic scandal akin to the 2008 financial crash, it may undergo the same cultural reckoning that reshaped finance.
FROM THE MEDIA: History repeats itself, even in career trends. Ganesh invokes The Red and the Black as a lens through which to examine the shifting sands of professional prestige, comparing the rise of tech and finance to past societal elites. Finance’s urban roots contrast with tech’s preference for sprawling, isolated campuses—a geographical divide that mirrors their differing social attitudes. He critiques tech’s tendency to overlook historical context, arguing that its fixation on disruption often ignores deeper economic and societal patterns. Ultimately, he suggests that while finance may no longer be the ultimate power player, it still holds a subtle edge in social acumen.
READ THE STORY: FT
Russia Uses Messaging Apps to Recruit Terrorists in Ukraine, Police Say
Bottom Line Up Front (BLUF): Ukraine’s national police chief, Ivan Vyhivskyi, has accused Russian intelligence of using messaging apps and online forums to recruit Ukrainian citizens for terrorist attacks. Authorities have linked at least nine attacks this year to this campaign, targeting police, military recruitment centers, and security services. Many recruits, including young and unemployed individuals, are reportedly killed or imprisoned by Russia after completing their missions.
Analyst Comments: Russia's use of messaging apps for covert recruitment aligns with broader trends in digital warfare and hybrid operations. Telegram, a known hub for Russian influence operations, has previously been used to spread propaganda, coordinate cyberattacks, and recruit operatives. This tactic undermines Ukraine's internal stability while allowing Russia to plausibly deny direct involvement. The use of minors in espionage-like "quest games" is particularly concerning, demonstrating Russia's willingness to exploit vulnerable populations. Ukraine's security agencies will likely increase counterintelligence efforts and work with tech companies to disrupt these recruitment networks.
FROM THE MEDIA: Recruits are often promised quick payments but are later betrayed, arrested, or killed by Russian operatives. Since January 2025, nine attacks have been linked to this campaign, targeting law enforcement, security services, and military facilities. While Vyhivskyi did not specify which apps were used, Telegram has been previously identified as a key platform for Russian recruitment and propaganda efforts. In December, Ukrainian intelligence uncovered a Russian espionage campaign manipulating teenagers into gathering geolocation data for airstrikes. Similar tactics have also been used to monitor critical infrastructure through locally recruited operatives.
READ THE STORY: The Record
CISA Warns of Active Exploits Targeting Trimble Cityworks Vulnerability (CVE-2025-0994)
Bottom Line Up Front (BLUF): A critical vulnerability (CVE-2025-0994, CVSS 8.6) in Trimble Cityworks, a widely used GIS-based asset management software, is being actively exploited. The flaw allows remote code execution (RCE) on the Microsoft IIS servers that host Cityworks, potentially leading to compromised infrastructure. CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to patch it by February 28, 2025.
Analyst Comments: This exploit seriously threatens municipal governments, utilities, and infrastructure providers that rely on Cityworks for asset management. The deployment of Cobalt Strike and VShell remote access tools (RATs) suggests nation-state actors or sophisticated cybercriminals may use this vulnerability for long-term persistence. Given the critical nature of Cityworks in urban planning and infrastructure maintenance, disruptions or data exfiltration could have significant operational consequences. Organizations must patch immediately, scan for indicators of compromise (IoCs), and monitor for unusual network activity.
FROM THE MEDIA: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent alert on February 6, 2025, warning that CVE-2025-0994 is being actively exploited. The vulnerability stems from deserialization of untrusted data, allowing authenticated attackers to execute remote code on affected IIS servers. Trimble patched the flaw on January 29, 2025, but ongoing attacks indicate that many systems remain unpatched. Threat actors have been observed deploying a Rust-based loader, which then executes Cobalt Strike and Go-based VShell RATs. Although the attackers' identities remain unknown, the sophistication of the tools suggests potential APT involvement.
READ THE STORY: THN
Google Warns of Nation-State Hackers Using AI for Cyberattacks
Bottom Line Up Front (BLUF): Google has flagged China, Iran, North Korea, and Russia as the top nations where hackers actively attempt to bypass AI security safeguards in its Gemini AI model. Threat actors linked to these countries use jailbreaking techniques to force AI to generate malicious code, identify software vulnerabilities, and analyze military data. Although Google continues to enhance its security measures, the race between cybercriminals and AI defenses remains a persistent challenge.
Analyst Comments: Nation-state actors and hacking groups are using AI models to speed up malware development, cyber reconnaissance, and research into bypassing security controls. While Google and OpenAI have strengthened their safeguards, AI-assisted cyber threats are evolving rapidly. This escalation raises serious regulatory questions about AI's role in cybersecurity and the need for stronger safeguards to prevent misuse. If adversarial nations successfully weaponize AI at scale, we could see an increase in automated, AI-driven cyberattacks targeting critical infrastructure and government systems.
FROM THE MEDIA: Google’s Gemini AI security team has identified a surge in nation-state hacking attempts, with China, Iran, Russia, and North Korea being the most active in bypassing AI safeguards. Reports indicate that hacking groups linked to these nations exploit AI-powered chatbots to assist with malware development, vulnerability analysis, and security bypass techniques.
READ THE STORY: Samsung Magazine
Hackers Exploit Google’s Gemini for AI-Powered Cyber Attacks
Bottom Line Up Front (BLUF): Threat actors from China, Iran, North Korea, and Russia are using Google's AI model, Gemini, to enhance cyber operations, according to Google Threat Intelligence Group (GTIG). While these Advanced Persistent Threats (APTs) have not developed entirely new AI-based capabilities, they use Gemini for phishing, malware obfuscation, reconnaissance, and social engineering. Additionally, underground cybercriminals are creating illicit AI tools designed for hacking, such as FraudGPT and WormGPT.
Analyst Comments: The increasing reliance on AI in cyber warfare signals a dangerous shift in the threat landscape. Instead of merely executing traditional cyberattacks, APT groups now optimize their operations using AI for automation, efficiency, and deception. Iran’s APT42 leading the charge underscores how AI lowers the technical barriers for sophisticated cyber activities. Meanwhile, the rise of underground malicious AI models poses a challenge for cybersecurity professionals, as these tools democratize cybercrime, enabling less skilled actors to execute advanced attacks.
FROM THE MEDIA: According to Google’s GTIG, at least 57 state-sponsored threat actors are misusing Gemini to streamline cyberattacks. Iranian hackers, particularly APT42, account for over 30% of AI-driven cyber activity from Iran, using Gemini to refine phishing tactics and conduct reconnaissance on security professionals. Chinese APTs use the AI model for privilege escalation and network infiltration, while Russian groups leverage it to obfuscate malware and evade detection. North Korean hackers exploit Gemini for job application scams, drafting cover letters to infiltrate Western companies under false identities.
READ THE STORY: The 420
DeepSeek App Exposes User Data by Transmitting Without Encryption
Bottom Line Up Front (BLUF): A security audit by NowSecure has revealed that DeepSeek's iOS app transmits sensitive user and device data over the internet without encryption, making it vulnerable to interception. The app also disables iOS's App Transport Security (ATS), further increasing security risks. Additionally, DeepSeek has ties to ByteDance’s Volcano Engine, raising concerns over data privacy and potential access by the Chinese government.
Analyst Comments: DeepSeek's security flaws highlight ongoing concerns about mobile applications collecting and transmitting sensitive user data without adequate safeguards. The use of weak encryption (3DES), hard-coded keys, and disabled ATS demonstrates poor security practices that could expose users to data interception and manipulation attacks. The app’s connections to China-based infrastructure add another layer of geopolitical scrutiny, especially given past concerns over TikTok’s data policies. These vulnerabilities, combined with reports of cybercriminals exploiting AI models like DeepSeek for malware and phishing campaigns, could push regulators to impose stricter controls or bans on AI-driven applications linked to foreign adversaries.
FROM THE MEDIA: A security audit of the DeepSeek iOS app, published by NowSecure on February 7, 2025, found that the app transmits user registration and device data without encryption. This flaw leaves data vulnerable to passive and active attacks over the internet. The app also globally disables App Transport Security (ATS), a critical iOS security feature designed to prevent unencrypted data transmissions. The data is sent to servers managed by Volcano Engine, a cloud platform owned by ByteDance, raising concerns about Chinese government access. These findings come as DeepSeek faces growing scrutiny, with multiple governments, including the U.S., Australia, and the Netherlands, banning the app from government devices.
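Globally disabling App Transport Security is a single Info.plist key, which makes it easy to check for in any app you are reviewing. The following is an added example for this digest, not NowSecure's tooling or DeepSeek's real Info.plist: both plist fragments are constructed here, one with ATS switched off for every connection and one that keeps ATS on and scopes a single plaintext exception to one domain. The audit function reads the NSAppTransportSecurity dictionary with the standard library and reports each relaxation a reviewer would want to question.

```python
import plistlib

# Constructed Info.plist with ATS disabled globally (not the DeepSeek app's real plist).
WEAK_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.chatclient</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><true/>
  </dict>
</dict>
</plist>
"""

# Constructed hardened variant: ATS stays on; one legacy host gets a scoped exception
# that still deserves a review comment, but it does not strip protection app-wide.
SCOPED_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.chatclient</string>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key><false/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>legacy.example.net</key>
      <dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSIncludesSubdomains</key><false/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Global switches that relax ATS for a whole category of traffic.
GLOBAL_RELAXATIONS = (
    "NSAllowsArbitraryLoadsInWebContent",
    "NSAllowsArbitraryLoadsForMedia",
    "NSAllowsLocalNetworking",
)


def audit_ats(plist_bytes: bytes) -> list:
    """Return a list of human-readable ATS findings for one Info.plist."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append("ATS disabled globally: NSAllowsArbitraryLoads=true")
    for key in GLOBAL_RELAXATIONS:
        if ats.get(key):
            findings.append(f"ATS relaxed app-wide: {key}=true")
    for domain, rules in ats.get("NSExceptionDomains", {}).items():
        if rules.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(f"plaintext HTTP permitted for {domain}")
        if rules.get("NSExceptionMinimumTLSVersion") in ("TLSv1.0", "TLSv1.1"):
            findings.append(f"legacy TLS permitted for {domain}")
        if rules.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(f"forward secrecy waived for {domain}")
    return findings


if __name__ == "__main__":
    for label, blob in (("weak", WEAK_INFO_PLIST), ("scoped", SCOPED_INFO_PLIST)):
        print(label, audit_ats(blob) or ["no ATS relaxations"])
```

On a real app, pull Info.plist out of the decrypted .app bundle (it is usually in binary plist form, which plistlib.loads also handles) and treat an empty findings list as the baseline; a global NSAllowsArbitraryLoads=true is the finding the NowSecure report describes, and it means every HTTP request the app makes, not just one endpoint, can travel in the clear.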
READ THE STORY: THN
Ex-Google Engineer Indicted for Stealing AI Secrets for Chinese Companies
Bottom Line Up Front (BLUF): Linwei "Leon" Ding, a former Google software engineer, has been indicted on 14 economic espionage and trade secret theft counts. U.S. prosecutors allege Ding stole confidential AI-related data and chip blueprints to benefit two Chinese companies. His case is part of the U.S. government’s broader crackdown on foreign adversaries' theft of advanced technology. If convicted, Ding faces up to 15 years per espionage charge and 10 years per trade secret charge.
Analyst Comments: With the U.S. intensifying its efforts to safeguard intellectual property, cases like Ding’s demonstrate the risks of insider threats within tech giants. The alleged theft underscores China's aggressive push for AI self-sufficiency, especially as U.S. export controls tighten. As AI becomes the next frontier of global competition, corporations must strengthen internal security measures, particularly in safeguarding proprietary AI and chip designs. Expect more such prosecutions as the U.S. government expands its counterintelligence efforts.
FROM THE MEDIA: According to U.S. prosecutors, Ding, 38, systematically exfiltrated over 1,000 confidential Google files between 2022 and 2023, particularly concerning supercomputing infrastructure used for AI model training. The indictment alleges that he was being recruited by Chinese firms when the thefts began, and that he later shared stolen information in PowerPoint presentations with employees of a startup he founded. Prosecutors say some of the stolen data pertained to Google's custom AI chips, intended to compete with Nvidia and reduce reliance on external suppliers. The case is being prosecuted under the Disruptive Technology Strike Force, a U.S. initiative launched in 2023 to counter foreign threats to emerging technologies.
READ THE STORY: Cybernews
Malicious ML Models on Hugging Face Exploit Broken Pickle Format to Evade Detection
Bottom Line Up Front (BLUF): Cybersecurity researchers have identified two malicious machine learning (ML) models on Hugging Face that evade detection using a technique the researchers named nullifAI. The models use "broken" pickle files that execute a reverse shell payload while bypassing security scans. The affected repositories, glockr1/ballr7 and who-r-u0000/0000000000000000000000000000000000000, contained payloads that connected to hardcoded IP addresses. Hugging Face has since updated its Picklescan tool to address the issue.
Analyst Comments: The malicious models' use of 7z compression instead of the default ZIP format allowed them to bypass existing security scans, demonstrating how attackers are evolving their methods. While this incident appears to be a proof-of-concept rather than a large-scale supply chain attack, it underscores the need for stronger validation mechanisms in open-source AI repositories. Organizations relying on community-shared ML models should implement strict sandboxing and static analysis to mitigate similar threats in the future.
FROM THE MEDIA: The models used PyTorch's pickle-based serialization format but introduced a malformed structure, enabling the execution of a platform-aware reverse shell upon deserialization. The attack worked by placing the malicious payload at the beginning of the pickle stream: pickle is executed opcode by opcode, so the payload's function call ran before the loader reached the broken section and the deserialization process failed. This let the malware evade Hugging Face's Picklescan tool, which previously did not account for partially deserializable pickle files. Hugging Face has updated its security scanning processes to detect similar threats.
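The mechanism is easiest to see on a raw pickle stream. The following is an added example written for this digest, not code from the reported models or from Picklescan. The stream is hand-assembled here with a harmless callable (it sets an environment variable through operator.setitem) standing in for the reverse shell, and it deliberately ends without a STOP opcode so that the loader fails after the call has already happened. The scanner walks the opcode stream with pickletools.genops, which keeps going through a malformed or truncated stream instead of giving up, and reports every imported global along with whether the stream was cut short. The 7z container used by the real samples is out of scope; this operates on the extracted pickle bytes.

```python
import os
import pickle
import pickletools

# Modules a model file has no business importing during deserialization.
DANGEROUS_MODULES = {"os", "posix", "nt", "subprocess", "builtins", "operator", "sys", "socket"}


def build_broken_pickle() -> bytes:
    """Hand-assembled protocol-0 stream, constructed for this example only.

    Equivalent to operator.setitem(os.environ, "PICKLE_DEMO", "ran") followed by
    an abrupt end of stream. A real sample would call os.system or open a socket.
    """
    return (
        b"coperator\nsetitem\n"  # GLOBAL operator.setitem  -> the callable
        b"(cos\nenviron\n"       # MARK, GLOBAL os.environ  -> argument 1
        b"S'PICKLE_DEMO'\n"      # STRING                   -> argument 2
        b"S'ran'\n"              # STRING                   -> argument 3
        b"t"                     # TUPLE: gather everything since MARK
        b"R"                     # REDUCE: call setitem(environ, key, value)
        # no STOP ('.') opcode: the stream is truncated on purpose
    )


def scan_pickle(data: bytes) -> dict:
    """Static opcode scan that survives streams which never reach STOP."""
    result = {"globals": [], "suspicious": [], "truncated": False}
    recent_strings = []  # STACK_GLOBAL takes module/name from preceding strings
    try:
        for opcode, arg, _pos in pickletools.genops(data):
            if opcode.name in ("STRING", "BINSTRING", "SHORT_BINSTRING",
                               "UNICODE", "BINUNICODE", "SHORT_BINUNICODE"):
                recent_strings.append(arg)
            ref = None
            if opcode.name in ("GLOBAL", "INST"):
                ref = arg.replace(" ", ".", 1)  # genops yields "module name"
            elif opcode.name == "STACK_GLOBAL" and len(recent_strings) >= 2:
                ref = f"{recent_strings[-2]}.{recent_strings[-1]}"
            if ref:
                result["globals"].append(ref)
                if ref.split(".", 1)[0] in DANGEROUS_MODULES:
                    result["suspicious"].append(ref)
    except ValueError:
        # genops raises ValueError on an unknown opcode or when the stream is
        # exhausted before STOP; everything seen so far is still reported.
        result["truncated"] = True
    return result


def demonstrate_execution_before_failure() -> tuple:
    """Load the broken stream; return (exception name, value the payload set)."""
    os.environ.pop("PICKLE_DEMO", None)
    try:
        pickle.loads(build_broken_pickle())
        error = "none"
    except Exception as exc:  # expected: the loader runs out of input after REDUCE
        error = type(exc).__name__
    return error, os.environ.get("PICKLE_DEMO")


if __name__ == "__main__":
    data = build_broken_pickle()
    print("scan:", scan_pickle(data))
    print("load result:", demonstrate_execution_before_failure())
```

The load raises EOFError, yet the environment variable is already set: pickle.loads does not validate the stream before executing it, so a scanner that first checks whether the file deserializes cleanly, and skips anything that does not, is skipping exactly the files that matter. The safe policy for community models is the one the scanner implies: treat any GLOBAL or STACK_GLOBAL outside an allow-list as a failed scan, regardless of whether the rest of the stream is well-formed, and prefer formats such as safetensors that carry no executable opcodes at all.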
READ THE STORY: THN
Items of interest
UK Government Orders Apple to Create Backdoor for Encrypted iCloud Backups
Bottom Line Up Front (BLUF): The UK government has secretly issued a technical capability notice under the Investigatory Powers Act (IPA) 2016, ordering Apple to create a backdoor for encrypted iCloud backups globally. This mandate requires Apple to bypass its Advanced Data Protection (ADP) feature, undermining end-to-end encryption for messages, photos, and device backups. Privacy advocates and cybersecurity experts warn this move threatens digital security worldwide and could be exploited by hackers and authoritarian regimes.
Analyst Comments: If Apple complies, it risks violating user trust and weakening security for millions. Conversely, Apple may remove ADP from the UK, but this would not address the UK’s demand for global access. The move could also strain the UK’s data-sharing agreements with the EU and contradict U.S. recommendations for stronger encryption. Ultimately, this action may push criminals to more secure platforms while law-abiding users face more risks.
FROM THE MEDIA: Under IPA 2016, Apple is prohibited from disclosing the order's existence and cannot delay implementation even while appealing in a secret court. Apple has long resisted such demands, citing privacy as a fundamental human right. The company could withdraw ADP from the UK market, but the UK's extraterritorial authority allows it to pressure any tech company operating in its jurisdiction. Critics, including Big Brother Watch, call this an "unprecedented attack" on privacy. The order could also damage UK-EU relations, as the EU is set to review UK data-sharing agreements later this year, and it runs counter to the current U.S. stance, which favors strong encryption over government backdoors.
READ THE STORY: Gizmo China
UK demands backdoor for encrypted Apple user data (Video)
FROM THE MEDIA: The United Kingdom demands Apple build a backdoor to access encrypted iCloud user data. Learn how end-to-end encryption works and other tools that protect your digital privacy.
UK Demands Apple Access to Users' Encrypted Data (Video)
FROM THE MEDIA: Britain's security officials have ordered Apple to create a 'back door' to access all user content uploaded to the cloud, prompting Apple to consider suspending encrypted storage in the UK to maintain worldwide security promises.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.