Wednesday, Mar 19, 2025 // (IG): BB // GITHUB // SN R&D
China Accuses Taiwanese Military of Cyberattacks and Espionage
Bottom Line Up Front (BLUF): China’s Ministry of State Security (MSS) has publicly accused four Taiwanese military personnel of cyberattacks and espionage targeting key Chinese infrastructure. The individuals, allegedly linked to Taiwan’s Information, Communications, and Electronic Force Command (ICEFCOM), were named in an MSS report claiming that Taiwanese hackers have targeted power grids, water supplies, and telecommunications networks in China. Taiwan has denied the allegations, calling them a fabricated excuse to justify Beijing’s cyber operations.
Analyst Comments: This marks a new phase in China's cyber strategy, as public attribution of foreign hackers is rare for Beijing. The near-simultaneous release of reports by three Chinese cybersecurity firms suggests a coordinated effort between state authorities and private sector analysts. Given Taiwan's repeated claims of Chinese cyber intrusions, this accusation may be a tit-for-tat response designed to shape the global cybersecurity narrative. Whether China intends to escalate cyber operations against Taiwan in retaliation remains a key concern, particularly as regional tensions rise ahead of major political events.
FROM THE MEDIA: China’s MSS released the identities, photos, and job titles of four alleged Taiwanese hackers on March 18, 2025, accusing them of conducting phishing attacks, disinformation campaigns, and hacking government systems. Taiwanese officials immediately denied the claims, stating that ICEFCOM’s cyber operations focus solely on national defense. Chinese cybersecurity firms QiAnXin, Antiy, and Anheng Information also published reports on a Taiwan-linked cyber group known as APT-Q-20, which has allegedly been active since 2006. While these reports do not explicitly tie ICEFCOM to APT-Q-20, their simultaneous release suggests coordination with Beijing's accusations.
READ THE STORY: The Record
Leaked Chats Suggest Black Basta Ransomware Ties to Russian Authorities
Bottom Line Up Front (BLUF): Newly analyzed leaked chat logs indicate that Black Basta, a Russian-speaking ransomware group, may have direct connections with Russian officials. The leaks, containing over 200,000 messages, reveal that Black Basta's leader, Oleg Nefedov (aka GG or Tramp), allegedly received assistance from high-ranking Russian authorities after being detained in Armenia. The group, known for targeting hundreds of global organizations, has also used AI tools like ChatGPT for phishing, malware development, and data gathering.
Analyst Comments: If confirmed, these findings reinforce long-standing concerns that Russian cybercriminal groups operate with state backing or at least tacit approval. Black Basta’s ability to evade law enforcement suggests that Moscow may protect or leverage these groups for geopolitical purposes. The use of AI-driven cybercrime tactics marks an evolution in ransomware operations, potentially increasing the efficiency and sophistication of future attacks. As ransomware groups refine their tactics and maintain physical operations in Moscow, organizations must enhance AI-driven threat detection, improve response strategies, and strengthen collaboration with global cybersecurity agencies.
FROM THE MEDIA: Analysts from Trellix reviewed the logs and found evidence suggesting that Russian authorities facilitated Nefedov’s escape from Armenian custody in June 2024, allowing him to pass through a “green corridor”. The logs also reveal that Black Basta operates from at least two physical offices in Moscow and relies on AI tools for automation in phishing and malware development. These revelations add to growing evidence of cybercriminal-government collusion in Russia.
READ THE STORY: DarkReading
China Angered by U.S.-Led Acquisition of Panama Canal Ports
Bottom Line Up Front (BLUF): Chinese leader Xi Jinping is reportedly furious over a Hong Kong company’s decision to sell two Panama Canal port facilities to a U.S.-led investment group, including BlackRock, for $22.8 billion. The deal, announced on March 4, 2025, disrupts Beijing’s previous strategy to use the ports as a bargaining chip in negotiations with the Trump administration. While China is exploring ways to hinder the deal, it lacks direct control over the transaction, as the assets lie outside mainland China and Hong Kong.
Analyst Comments: By securing operational control over key transit points in the Panama Canal, the U.S. strengthens its economic and security foothold while undermining China’s Belt and Road ambitions. Xi’s frustration also reflects broader concerns about Chinese businesses distancing themselves from Beijing’s influence. While China may not be able to block the deal outright, it could retaliate through economic measures, restrictions on U.S. companies in China, or diplomatic pressure on Panama.
FROM THE MEDIA: The sale involves CK Hutchison, a Hong Kong conglomerate controlled by billionaire Li Ka-shing, transferring its Panama port assets to U.S. investors led by BlackRock. Chinese state authorities are now reviewing potential countermeasures but face limited options. In response, Chinese state media condemned the deal, warning that it could restrict Chinese shipping. Meanwhile, Trump hailed the agreement as a significant victory, declaring his administration was "reclaiming the Panama Canal" from Chinese influence. The deal is set to be finalized by April 2, 2025, pending regulatory approvals.
READ THE STORY: WSJ
New ‘Rules File Backdoor’ Attack Targets AI-Powered Code Editors
Bottom Line Up Front (BLUF): Cybersecurity researchers have discovered a new supply chain attack, dubbed Rules File Backdoor. This attack exploits AI-powered code editors like GitHub Copilot and Cursor to inject malicious code. Attackers manipulate rules files, which guide AI behavior, to subtly insert backdoors and security vulnerabilities into generated code. The attack allows malicious instructions to persist across projects, creating significant supply chain risks.
Analyst Comments: By manipulating AI-generated code at the rules configuration level, attackers introduce undetectable security flaws that can propagate across projects and compromise software supply chains. The use of hidden Unicode characters and semantic tricks makes it harder to detect malicious modifications. To mitigate the risks, developers should manually review AI-generated code, restrict rule file modifications, and implement strict security audits.
FROM THE MEDIA: Security researchers from Pillar Security disclosed the Rules File Backdoor attack on March 18, 2025, warning that it allows hackers to compromise AI-generated code silently. The attack exploits hidden Unicode characters and text markers to deceive AI models into generating insecure code, bypassing typical security reviews. Once introduced into a repository, the malicious rule files persist across team members and project forks, affecting downstream dependencies. While GitHub and Cursor acknowledged the issue, they emphasized that developers are responsible for reviewing AI-generated suggestions.
READ THE STORY: THN
Russia Leveraging Criminal Networks for Cyber Sabotage in EU
Bottom Line Up Front (BLUF): A new Europol report warns that Russia and other state actors increasingly use criminal networks to carry out cyber-attacks, sabotage, and other destabilization efforts in the European Union. These “hybrid threat actors” are engaging in tactics such as arson, data theft, and migrant smuggling to weaken EU institutions. The report highlights Russia’s growing role in politically motivated cyber operations targeting critical infrastructure and public institutions.
Analyst Comments: Europol’s findings suggest an evolution in Russia’s cyber and geopolitical strategy, shifting from direct cyber-attacks to outsourcing operations through criminal proxies. This approach allows plausible deniability while still exerting influence and causing disruption. The increasing use of AI in cybercrime, as highlighted in the report, adds another layer of complexity, making it harder for law enforcement to track and counter these threats. The EU will likely respond by strengthening cyber defenses, increasing intelligence-sharing, and possibly imposing new sanctions on entities linked to Russian cyber activities.
FROM THE MEDIA: It notes a rise in politically motivated cyber intrusions from Russia and its allied nations, with targets including hospitals, energy infrastructure, and public institutions. Lithuanian prosecutors recently blamed Russia’s GRU military intelligence agency for an arson attack on an Ikea store in Vilnius, part of a larger pattern of sabotage linked to Russian operatives. Poland’s prime minister, Donald Tusk, confirmed that Russian secret services were behind similar incidents in Warsaw. Europol also warns that AI-driven cybercrime is growing rapidly, with young recruits trained through social media to conduct hacking operations.
READ THE STORY: The Guardian
Chinese, Russian, and North Korean Hackers Exploiting Windows Shortcut Vulnerability
Bottom Line Up Front (BLUF): Cybersecurity researchers have identified multiple state-sponsored hacking groups from China, Russia, and North Korea exploiting a long-standing Windows shortcut (.lnk) vulnerability. The flaw, tracked as ZDI-CAN-25373 by the Zero Day Initiative (ZDI), allows attackers to disguise malicious files and trick users into executing them. Despite reports of active exploitation, Microsoft has declined to issue an immediate patch, classifying the flaw as low severity.
Analyst Comments: The widespread exploitation of this Windows vulnerability highlights the growing trend of nation-state hackers leveraging unpatched security flaws for cyber espionage. Notably, North Korean groups like Kimsuky and APT37 have demonstrated advanced evasion techniques, suggesting high coordination. Microsoft's decision not to patch the flaw immediately leaves organizations at risk, increasing reliance on endpoint security measures. Given the geopolitical tensions, it's likely that similar zero-day exploits will continue to be a key tool in state-sponsored cyber campaigns targeting government, defense, and financial sectors.
FROM THE MEDIA: According to the Zero Day Initiative, 11 state-backed hacking groups have used ZDI-CAN-25373 since 2017 to steal sensitive data and conduct cyber espionage. The bug exploits how Windows handles .lnk files, allowing attackers to disguise malicious payloads as harmless shortcuts. Nearly 70% of identified campaigns focused on intelligence gathering rather than financial gain. While Microsoft stated that its Defender product can detect and block related threats, researchers found almost 1,000 samples exploiting the flaw, suggesting broader usage.
READ THE STORY: The Record // THN
Eight European Nations File UN Complaint Over Russian Satellite Interference
Bottom Line Up Front (BLUF): Eight European countries, including the Netherlands, France, and Poland, have lodged a formal complaint with the United Nations over Russia’s alleged interference with satellite communications. The disruptions, targeting major European satellite providers Eutelsat and SES, have affected television broadcasts, aviation navigation, and military operations. The complaint has been submitted to the International Telecommunication Union (ITU), with an additional 17 EU member states and the UK supporting the action.
Analyst Comments: By targeting communications infrastructure, Russia disrupts civilian services and complicates military coordination, particularly in Ukraine. The confirmed involvement of Russian-controlled areas like Kaliningrad and Crimea suggests a deliberate campaign rather than incidental interference. While the UN discussions may apply diplomatic pressure, Russia’s previous denials and refusal to engage in talks indicate that these disruptions will unlikely cease without more direct countermeasures from European nations.
FROM THE MEDIA: According to Dutch outlet Nieuwsuur, European satellite interference has been traced back to Russia-occupied Crimea and Kaliningrad. The disruptions have affected television channels—including incidents of Russian propaganda appearing on BabyTV—and have caused significant navigation issues for commercial airlines and ships. Over 30,000 flights in the Baltic region have been impacted since September 2024. Despite Russia denying involvement, France and Sweden are now holding direct talks with Russian representatives at the UN in Geneva. However, experts remain skeptical that these discussions will yield concrete results.
READ THE STORY: Cyber News
CISA Warns of Active Exploitation in GitHub Action Supply Chain Attack
Bottom Line Up Front (BLUF): The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity GitHub Actions vulnerability, CVE-2025-30066, to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, found in tj-actions/changed-files, allows attackers to access sensitive data, such as AWS keys and GitHub tokens, through compromised action logs. The breach, linked to a cascading supply chain attack, also affected reviewdog/action-setup@v1, raising concerns about the security of widely used CI/CD workflows.
Analyst Comments: The compromise of GitHub Personal Access Tokens (PATs) highlights the importance of restricting access controls, monitoring repository changes, and rotating secrets regularly. The fact that Microsoft and GitHub-hosted workflows remain attractive targets for attackers suggests that similar CI/CD pipeline exploits could emerge. Organizations should prioritize securing their software supply chains, replacing vulnerable actions, and adopting Zero Trust principles to mitigate risks.
FROM THE MEDIA: The attack on tj-actions/changed-files was discovered on March 11, 2025, and confirmed by security firm Wiz on March 14, 2025. It was part of a broader supply chain attack that initially compromised reviewdog/action-setup@v1. Malicious code was injected via a Base64-encoded payload embedded in an install.sh script, allowing attackers to extract secrets from workflows. GitHub maintainers have since patched the issue, releasing version 46.0.1, and affected users are urged to update by April 4, 2025. Security experts warn that similar attacks could occur again due to the nature of the breach if additional preventative measures are not taken.
READ THE STORY: THN
Costco Faces Pressure Over China Tariffs and Supplier Costs
Bottom Line Up Front (BLUF): Costco is pressuring its suppliers in mainland China to cut prices in response to escalating U.S. tariffs, a move that risks scrutiny from Beijing. The retailer, which relies heavily on Chinese imports, is following a broader trend among U.S. companies seeking to offset the cost of new tariffs imposed by the Trump administration. With geopolitical tensions rising, Beijing has already summoned Walmart for discussions on similar pricing demands, signaling potential regulatory risks for Costco and other retailers.
Analyst Comments: By demanding lower prices from Chinese suppliers, the company aims to shield itself from tariff-driven cost increases. However, this move could backfire if Beijing views it as economic coercion. Walmart’s recent meeting with China’s Ministry of Commerce suggests that Chinese authorities closely monitor U.S. firms operating within their borders. Large retailers may accelerate their diversification efforts as trade tensions persist, shifting production to countries outside China to mitigate future risks.
FROM THE MEDIA: Costco, which operates seven warehouses in mainland China, has asked suppliers to reduce costs amid the latest round of U.S. tariffs. The Trump administration increased tariffs on Chinese goods to 20% in March 2025, following an initial 10% hike in February 2024. After media reports surfaced about its pricing demands, Walmart faced similar scrutiny from Chinese authorities, prompting a discussion with the Ministry of Commerce. China’s state media has criticized the U.S. for its trade policies, reinforcing a nationalist stance on economic disputes.
READ THE STORY: FT
Critical AMI BMC Vulnerability (CVE-2024-54085) Enables Remote Server Takeover and Bricking
Bottom Line Up Front (BLUF): A newly disclosed vulnerability, CVE-2024-54085, has been identified in AMI’s MegaRAC Baseboard Management Controller (BMC) software, allowing attackers to bypass authentication and execute remote code, deploy malware, brick server hardware, and induce continuous reboot loops. The vulnerability carries a maximum CVSS v4 score of 10.0, indicating its severe impact. Affected manufacturers include HPE, Asus, and ASRockRack, with AMI releasing patches on March 11, 2025. Organizations using impacted hardware are urged to apply updates immediately, though patching requires device downtime.
Analyst Comments: BMC firmware is a critical enterprise and cloud infrastructure component. Like CVE-2023-34329, this flaw reinforces concerns over the BMC&C (BMC and Chain of Custody) vulnerabilities first reported in 2022. Given AMI's position in the BIOS supply chain, the impact extends across multiple hardware manufacturers, making mitigation complex. Organizations must prioritize patching, but the required downtime presents a challenge. If threat actors weaponize this flaw before widespread patching, ransomware attacks or nation-state operations targeting critical infrastructure could escalate.
FROM THE MEDIA: Eclypsium reported CVE-2024-54085, a severe authentication bypass vulnerability in AMI MegaRAC BMC firmware. Attackers can exploit this flaw through Redfish interfaces to gain complete control over affected servers, install malware, manipulate firmware, and cause indefinite reboots or physical damage. The vulnerability impacts devices from major manufacturers, including HPE Cray XD670, Asus RS720A-E11-RS24U, and ASRockRack. AMI released patches on March 11, 2025, and OEMs like HPE and Lenovo have begun integrating fixes into their security updates. However, patching requires device downtime, making immediate mitigation challenging for enterprises.
READ THE STORY: THN
EU Warns of Russia and China’s Expanding ‘Massive Digital Arsenals’
Bottom Line Up Front (BLUF): The European Union has accused Russia and China of deploying large-scale digital warfare tactics to interfere with Western democracies. In its latest report, the EU warns that both nations use sophisticated cyber tools, social media influence campaigns, and disinformation to destabilize societies. While their coordination remains mostly opportunistic, their messaging—particularly regarding Ukraine and NATO—has become increasingly aligned.
Analyst Comments: Russia has long used cyber and propaganda tactics to sow discord. However, China’s increasing reliance on private PR firms and influencers suggests a shift toward more covert influence campaigns. As the EU strengthens its cybersecurity and counter-disinformation efforts, further sanctions and digital countermeasures against Russian and Chinese entities are likely. With major geopolitical events such as the Paris Olympics and European elections on the horizon, Western nations must remain vigilant against cyber-enabled destabilization efforts.
FROM THE MEDIA: The report states that over 80 countries and 200 organizations were targeted by disinformation attacks in the past year. Russia, in particular, has deployed a network of state and non-state actors—including social media influencers and official spokespeople—to amplify its narratives. Meanwhile, China has increased its use of private PR firms to promote content aligned with its political interests. The EU has already imposed sanctions on Russian intelligence operatives involved in these activities, and further countermeasures may follow.
READ THE STORY: Cyber Wars
Items of interest
Europol Warns of AI-Driven ‘Proxy’ Cyber Attacks for Hostile Powers
Bottom Line Up Front (BLUF): Europol has warned that organized crime groups increasingly act as proxies for hostile state-sponsored cyber operations. Criminal networks leverage artificial intelligence (AI) to enhance their cyberattacks' speed, reach, and sophistication, often targeting governments and critical infrastructure rather than individuals or businesses. The report highlights how Russia and China have exploited these criminal entities to conduct hybrid warfare through cyber sabotage, misinformation campaigns, and AI-enhanced cyber fraud. Europol describes the situation as an "unprecedented security challenge" for national governments.
Analyst Comments: The increasing collaboration between organized crime and nation-state actors represents a significant evolution in cyber warfare. The deployment of AI-enhanced cyberattacks, deepfake scams, and automated phishing operations allows hostile powers to maintain plausible deniability while destabilizing governments and critical infrastructure. This trend underscores the urgent need for stronger international collaboration, AI regulation, and enhanced cybersecurity frameworks. Without proactive countermeasures, these AI-driven cyber threats will continue to evolve, posing serious economic and national security risks.
FROM THE MEDIA: Europol states that criminal organizations no longer operate independently but increasingly work in alignment with hostile state actors. AI is used to develop sophisticated malware, automate large-scale phishing attacks, and generate deepfake content that deceives individuals and security systems. AI-generated misinformation campaigns have also been weaponized to influence elections, disrupt social cohesion, and erode trust in democratic institutions. Europol warns that cybercriminals exploit government contractors and supply chain vulnerabilities to breach secure networks. The report specifically calls out Russia’s use of cybercriminal groups for politically motivated attacks and China’s interest in leveraging AI for cyber espionage operations.
READ THE STORY: FT
The Future of U.S. AI Leadership with CEO of Anthropic (Video)
FROM THE MEDIA: Anthropic Chief Executive Officer and Cofounder Dario Amodei discusses the future of U.S. AI leadership, the role of innovation in an era of strategic competition, and the outlook for frontier model development.
I’m changing how I use AI (Open WebUI + LiteLLM) (Video)
FROM THE MEDIA: AI is getting expensive…but it doesn’t have to be. I found a way to access all the major AI models– ChatGPT, Claude, Gemini, and even Grok – without paying for multiple expensive subscriptions. Not only do I get unlimited access to the newest models, but I can also share it with my entire team, my wife, and my kids– all while keeping complete control over what they can access. With better security, more privacy, and many features… this might be the best way to use AI.
The selected stories cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in its original material or related links on its sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.