"Google on Thursday said it observed the North Korea-linked threat actor known as UNC2970 using its generative artificial intelligence (AI) model Gemini to conduct reconnaissance on its targets, as various hacking groups continue to weaponize the tool for accelerating various phases of the cyber attack life cycle, enabling information operations, and even conducting model extraction attacks.

"The group used Gemini to synthesize OSINT and profile high-value targets to support campaign planning and reconnaissance," Google Threat Intelligence Group (GTIG) said in a report shared with The Hacker News. "This actor's target profiling included searching for information on major cybersecurity and defense companies and mapping specific technical job roles and salary information."

The tech giant's threat intelligence team characterized this activity as a blurring of boundaries between what constitutes routine professional research and malicious reconnaissance, allowing the state-backed actor to craft tailored phishing personas and identify soft targets for initial compromise.

UNC2970 is the moniker assigned to a North Korean hacking group that overlaps with a cluster that's tracked as Lazarus Group, Diamond Sleet, and Hidden Cobra. It's best known for orchestrating a long-running campaign codenamed Operation Dream Job to target aerospace, defense, and energy sectors with malware under the guise of approaching victims under the pretext of job openings.

GTIG said UNC2970 has "consistently" focused on defense targeting and impersonating corporate recruiters in their campaigns, with the target profiling including searches for "information on major cybersecurity and defense companies and mapping specific technical job roles and salary information.""

https://thehackernews.com/2026/02/google-reports-state-backed-hackers.html

#CyberSecurity #Gemini #AI #GenerativeAI #Google #NorthKorea #OSINT #StateHacking

"A China-linked threat actor known as Lotus Blossom has been attributed with medium confidence to the recently discovered compromise of the infrastructure hosting Notepad++.

The attack enabled the state-sponsored hacking group to deliver a previously undocumented backdoor codenamed Chrysalis to users of the open-source editor, according to new findings from Rapid7.

The development comes shortly after Notepad++ maintainer Don Ho said that a compromise at the hosting provider level allowed threat actors to hijack update traffic starting June 2025 and selectively redirect such requests from certain users to malicious servers to serve a tampered update by exploiting insufficient update verification controls that existed in older versions of the utility.

The weakness was plugged in December 2025 with the release of version 8.8.9. It has since emerged that the hosting provider for the software was breached to perform targeted traffic redirections until December 2, 2025, when the attacker's access was terminated. Notepad++ has since migrated to a new hosting provider with stronger security and rotated all credentials."

https://thehackernews.com/2026/02/notepad-hosting-breach-attributed-to.html

#CyberSecurity #Notepad #China #OpenSource #StateHacking

"The hackers behind a cyberattack that targeted Poland's grid infrastructure in December disabled communication devices for at least 30 sites across a number of energy facilities in different parts of the country.

The hackers succeeded in disabling the communication systems, known as remote terminal units or RTUs, that are used to monitor and control other equipment, and they were able to render the RTUs inoperable and beyond repair. But they did not cause an outage or otherwise have an impact on generation and transmission equipment at these nearly three dozens sites, according to Dragos, a US-based company that participated in the forensic investigation of one of the entities that was hit in the attack.

Most of the devices they targeted were not directly part of control infrastructure, Dragos says, but were instead systems related to grid safety and stability monitoring rather than active generation control. Nonetheless, the systems the attackers targeted do play a role in monitoring functions and maintaining grid stability, and had the attackers gained full operational control of these systems, could have created an impact that would have been "significantly different,” Dragos notes. Dragos also says the attack appears to have been "opportunistic" rather than fully targeted and well planned.

The sites that were impacted are managed by several energy entities, including two combined-heat-and-power plants and a number of facilities used to manage the dispatch of renewable energy from wind and solar sites. Dragos did not identify which entity was part of its investigation."

https://www.zetter-zeroday.com/attack-against-polands-grid-disrupted-communication-devices-at-about-30-sites/

#CyberSecurity #CyberWarfare #Poland #StateHacking #GridInfrastructure #Energy

"A cyberattack that targeted power plants and other energy producers in Poland at the end of December used malware known as a “wiper” that was intended to erase computers and in an operation that was intended to cause a power outage and other disruption to services, says European security firm ESET, which obtained a copy of the malware used in the attack.

Wipers are designed to delete or overwrite critical files on a computer in order to render them inoperable. They have been used extensively by Russia against targets in Ukraine before and during its current war with that country.

Robert Lipovsky, principal threat intelligence researcher for the Slovakian firm, whose team has examined the malware – which they're calling DynoWiper – says the operation is “unprecedented” in Poland, since past cyberattacks targeting that country were not disruptive in nature or intent.

“Pulling off a disruptive cyberattack against the Polish energy sector is a big deal,” he told Zero Day.

Although the attack was thwarted, Polish authorities have stated that if successful it could have taken out power to 500,000 people in Poland. Polish officials haven't revealed how the hackers pulled off the attack or how officials determined the intent was to be disruptive or destructive, but the use of a wiper supports a conclusion that this was the intent of the attack.

Officials there have attributed the attack to Russia, and Lipovsky says his team concurs."

https://www.zetter-zeroday.com/cyberattack-targeting-polands-energy-grid-used-a-wiper/

#CyberWarfare #CyberSecurity #Poland #Russia #StateHacking #EnergyGrid

"Germany’s government is preparing to give its foreign intelligence service, the Bundesnachrichtendienst (BND), far broader powers over online surveillance and hacking than it has ever had before.

A draft amendment to the BND Act, circulating by German media, would transform the agency’s reach by authorizing it to break into foreign digital systems, collect and store large portions of internet traffic, and analyze those communications retroactively.

At the core of this plan is Frankfurt’s DE-CIX internet exchange, one of the largest data junctions on the planet.

For thirty years, global traffic has passed through this node, and for just as long, the BND has quietly operated there under government supervision, scanning international data streams for intelligence clues.

Until now, this monitoring has been limited. The agency could capture metadata such as connection records, but not the full content of messages, and any data collected had to be reviewed and filtered quickly.

The proposed legal reform would overturn those restrictions.

The BND would be permitted to copy and retain not only metadata but also entire online conversations, including emails, chats, and other content, for up to six months."

https://reclaimthenet.org/germany-bnd-surveillance-law-expansion-de-cix-data-retention-hacking

#Germany #EU #Surveillance #Metadata #DataRetention #StateHacking

"Cisco’s Networking Academy, a global training program designed to educate IT students in the basics of IT networks and cybersecurity, proudly touts its accessibility to participants around the world: “We believe education can be the ultimate equalizer, enabling anyone, regardless of background, to develop expertise and shape their destiny in a digital era,” reads the first line on its website.

That laudable statement, however, reads a bit differently when the “destiny” of those students appears to be owning a majority stake in companies linked to one of the most successful Chinese state-sponsored hacking operations ever to target the West—and many of Cisco's own products.

That's the surprising conclusion of Dakota Cary, a researcher at cybersecurity firm SentinelOne and the Atlantic Council, who, like many security analysts, has closely tracked the Chinese state-sponsored hacker group known as Salt Typhoon. That cyberespionage group gained notoriety last year when it was revealed that the hackers had penetrated at least nine telecom companies and gained the ability to spy on Americans’ real-time calls and texts, specifically targeting then-presidential and vice presidential candidates Donald Trump and JD Vance, among many others."

https://www.wired.com/story/2-men-linked-to-chinas-salt-typhoon-hacker-group-likely-trained-in-a-cisco-academy/

#CyberSecurity #China #SaltTyphoon #StateHacking #Cisco #CiscoAcademy

"The Justice Department announced two indictments in the Central District of California charging Ukrainian national Victoria Eduardovna Dubranova, 33, also known as Vika, Tory, and SovaSonya, for her role in conducting cyberattacks and computer intrusions against critical infrastructure and other victims around the world, in support of Russia’s geopolitical interests. Dubranova was extradited to the United States earlier this year on an indictment charging her for her actions supporting CyberArmyofRussia_Reborn (CARR). Today, Dubranova was arraigned on a second indictment charging her for her actions supporting NoName057(16) (NoName). Dubranova pleaded not guilty in both cases, and is scheduled to begin trial in the NoName matter on Feb. 3, 2026 and in the CARR matter on April 7, 2026.

As described in the indictments, the Russian government backed CARR and NoName by providing, among other things, financial support. CARR used this financial support to access various cybercriminal services, including subscriptions to distributed denial of service-for-hire services. NoName was a state-sanctioned project administered in part by an information technology organization established by order of the President of Russia in October 2018 that developed, along with other co-conspirators, NoName’s proprietary distributed denial of service (DDoS) program.

“Politically motivated hacktivist groups, whether state-sponsored like CARR or state-sanctioned like NoName, pose a serious threat to our national security, particularly when foreign intelligence services use civilians to obfuscate their malicious cyber activity targeting American critical infrastructure as well as attacking proponents of NATO and U.S. interests abroad,” said First Assistant U.S. Attorney Bill Essayli for the Central District of California."

https://www.justice.gov/opa/pr/justice-department-announces-actions-combat-two-russian-state-sponsored-cyber-criminal

#CyberCrime #CyberSecurity #Russia #StateHacking #DDoS #USA #Hacktivism

"Cybersecurity researchers have shed light on a mobile forensics tool called Massistant that's used by law enforcement authorities in China to gather information from seized mobile devices.

The hacking tool, believed to be a successor of MFSocket, is developed by a Chinese company named SDIC Intelligence Xiamen Information Co., Ltd., which was formerly known as Meiya Pico. It specializes in the research, development, and sale of electronic data forensics and network information security technology products.

According to a report published by Lookout, Massistant works in conjunction with a corresponding desktop software, allowing for access to the device's GPS location data, SMS messages, images, audio, contacts, and phone services."

https://thehackernews.com/2025/07/chinas-massistant-tool-secretly.html

#China #Surveillance #CyberSecurity #Hacking #StateHacking #PoliceState

"China’s state-owned aircraft maker had just announced the Western engine it had chosen for its new aircraft.

One month later, in January 2010, American cyber researchers started to see the “preparatory activity” of a Chinese hacking group focusing on an American turbine company that made a part needed for jet engines.

For years afterwards, a division of China’s intelligence apparatus could be seen trying to steal engine design information from Western companies. By 2017 and 2018, the US government had opened indictments – with convictions to follow – against figures in the US and China trying to steal Western aerospace information.

The subterfuge, now largely forgotten by the public, is an essential chapter in the origin story of the C919, which was developed to compete with two of the world’s most widely used passenger aircraft – the Boeing 737 and the Airbus A320neo. It was also the foundation of establishing the Commercial Aircraft Corporation of China (COMAC) as a serious player in the global commercial aviation market.

The C919 is now in regular production, and it’s taking its first steps in aiding China’s systematic efforts to both develop its aerospace industry and to produce a viable passenger aircraft.
But years after concerns were raised over Chinese intellectual property theft, few of the affected parties are keen to talk openly about the alleged cyber-espionage."

https://www.smh.com.au/business/companies/prisoner-s-dilemma-how-china-is-using-the-west-to-break-an-aviation-duopoly-20250530-p5m3ir.html

#China #Boeing #Airbus #COMAC #C919 #IPTheft #StateHacking #CyberSecurity

"For maybe a decade, North Korean intelligence services have been training young IT workers and sending them abroad in teams, often to China or Russia. From these bases, they scour the web for job listings all over, usually in software engineering, and usually with Western companies. They favor roles that are fully remote, with solid wages, good access to data and systems, and few responsibilities. Over time they began applying for these jobs using stolen or fake identities and relying on members of their criminal teams to provide fictional references; some have even started using AI to pass coding tests, video interviews, and background checks.

But if an applicant lands a job offer, the syndicate needs somebody on the ground in the country the applicant claims to live in. A fake employee, after all, can’t use the addresses or bank accounts linked to their stolen IDs, and they can’t dial in to a company’s networks from overseas without instantly triggering suspicion. That’s where someone like Christina Chapman comes in.

As the “facilitator” for hundreds of North Korea–linked jobs, Chapman signed fraudulent documents and handled some of the fake workers’ salaries. She would often receive their paychecks in one of her bank accounts, take a cut, and wire the rest overseas: Federal prosecutors say Chapman was promised as much as 30 percent of the money that passed through her hands.

Her most important job, though, was tending the “laptop farm.” After being hired, a fake worker will typically ask for their company computer to be sent to a different address than the one on record—usually with some tale about a last-minute move or needing to stay with a sick relative. The new address, of course, belongs to the facilitator, in this case Chapman."

https://www.wired.com/story/north-korea-stole-your-tech-job-ai-interviews/

#CyberSecurity #NorthKorea #IT #RemoteJobs #StateHacking #AI

"Apple sent notifications this week to several people who the company believes were targeted with government spyware, according to two of the alleged targets.

In the past, Apple has sent similar notifications to targets and victims of spyware, and directed them to contact a nonprofit that specializes in investigating such cyberattacks. Other tech companies, like Google and WhatsApp, have in recent years also periodically sent such notifications to their users.

As of Wednesday, only two people appear to have come forward to reveal they were among those who received the notifications from Apple this week.

One is Ciro Pellegrino, an Italian journalist who works for online news outlet Fanpage. Pellegrino wrote in an article that he received an email and a text message from Apple on Tuesday notifying him that he was targeted with spyware. The message, according to Pellegrino, also said he wasn’t the only person targeted."

https://techcrunch.com/2025/04/30/apple-notifies-new-victims-of-spyware-attacks-across-the-world/

#CyberSecurity #Apple #Spyware #StateHacking #Surveillance

"The office of Hannah Neumann, a member of the German Greens and head of the delegation spearheading work on European Union-Iran relations, was targeted by a hacking campaign that started in January, she said. Her staff was contacted with messages, phone calls and emails by hackers impersonating a legitimate contact. They eventually managed to target a laptop with malicious software.

"It was a very sophisticated attempt using various ways to manage that someone accidentally opens a link, including putting personal pressure on them," Neumann said.

Neumann was made aware of the ongoing ploy four weeks ago by the German domestic intelligence service, she said.

The group thought to be behind the attack is a hacking collective associated with the Iranian Revolutionary Guard, known as APT42, according to a report by the Parliament’s in-house IT service DG ITEC and seen by POLITICO. Another Iranian hacking group, called APT35 or Charming Kitten, was initially considered a culprit too. The two Iranian threat groups are closely related."

https://www.politico.eu/article/european-parliament-iran-delegation-chair-victim-tehran-linked-hacking-hannah-neumann/

#EU #Germany #Iran #CyberSecurity #StateHacking #Spyware #APT42 #APT35

"In security advisories posted on its website, Apple confirmed it fixed the two zero-day vulnerabilities, which “may have been exploited in an extremely sophisticated attack against specific targeted individuals on iOS.”

The bugs are considered zero days because they were unknown to Apple as they were being exploited.

It’s not yet known who is behind the attacks or how many Apple customers were targeted, or if any were successfully compromised. A spokesperson for Apple did not return TechCrunch’s inquiry.

Apple credited the discovery of one of the two bugs to security researchers working at Google’s Threat Analysis Group, which investigates government-backed cyberattacks. This may indicate that the attacks targeting Apple customers were launched or coordinated by a nation state or government agency. Some government-backed cyberattacks are known to involve the use of remotely planted spyware and other phone-unlocking devices."

https://techcrunch.com/2025/04/16/apple-says-zero-day-bugs-exploited-against-specific-targeted-individuals-using-ios/

#CyberSecurity #Apple iOS #ZeroDayBugs #StateHacking

"The European Commission is issuing burner phones and basic laptops to some US-bound staff to avoid the risk of espionage, a measure traditionally reserved for trips to China.

Commissioners and senior officials travelling to the IMF and World Bank spring meetings next week have been given the new guidance, according to four people familiar with the situation.

They said the measures replicate those used on trips to Ukraine and China, where standard IT kit cannot be brought into the countries for fear of Russian or Chinese surveillance.

“They are worried about the US getting into the commission systems,” said one official.

The treatment of the US as a potential security risk highlights how relations have deteriorated since the return of Donald Trump as US president in January.

Trump has accused the EU of having been set up to “screw the US” and announced 20 per cent so-called reciprocal tariffs on the bloc’s exports, which he later halved for a 90-day period.

At the same time, he has made overtures to Russia, pressured Ukraine to hand over control over its assets by temporarily suspending military aid and has threatened to withdraw security guarantees from Europe, spurring a continent-wide rearmament effort.

“The transatlantic alliance is over,” said a fifth EU official.""

https://www.ft.com/content/20d0678a-41b2-468d-ac10-14ce1eae357b

#USA #Trump #CyberSecurity #EU #Espionage #StateHacking

"A coalition of governments has published a list of legitimate-looking Android apps that were actually spyware and were used to target civil society that may oppose China’s state interests.

On Tuesday, the U.K.’s National Cyber Security Centre, or NCSC, which is part of intelligence agency GCHQ, along with government agencies from Australia, Canada, Germany, New Zealand, and the United States, published separate advisories on two families of spyware, known as BadBazaar and Moonshine.

These two spywares hid inside legitimate-looking Android apps, acting essentially as “Trojan” malware, with surveillance capabilities such as the ability to access the phone’s cameras, microphone, chats, photos, and location data, the NCSC wrote in a press release on Wednesday.

BadBazaar and Moonshine, which have been previously analyzed by cybersecurity firms like Lookout, Trend Micro, and Volexity, as well as the digital rights nonprofit Citizen Lab, were used to target Uyghurs, Tibetans, and Taiwanese communities, as well as civil society groups, according to the NCSC.

Uyghurs are a Muslim-minority group largely in China that has for years faced detention, surveillance, and discrimination from the Chinese government, and thus has frequently been the target of hacking campaigns."

https://techcrunch.com/2025/04/09/governments-identify-dozens-of-android-apps-bundled-with-spyware/

#CyberSecurity #China #Android #Spyware #StateHacking #Uyghurs #Tibet #Taiwan

"Chinese officials acknowledged in a secret December meeting that Beijing was behind a widespread series of alarming cyberattacks on U.S. infrastructure, according to people familiar with the matter, underscoring how hostilities between the two superpowers are continuing to escalate.

The Chinese delegation linked years of intrusions into computer networks at U.S. ports, water utilities, airports and other targets, to increasing U.S. policy support for Taiwan, the people, who declined to be named, said.

The first-of-its-kind signal at a Geneva summit with the outgoing Biden administration startled American officials used to hearing their Chinese counterparts blame the campaign, which security researchers have dubbed Volt Typhoon, on a criminal outfit, or accuse the U.S. of having an overactive imagination."

https://www.wsj.com/politics/national-security/in-secret-meeting-china-acknowledged-role-in-u-s-infrastructure-hacks-c5ab37cb

#USA #CyberSecurity #China #StateHacking #VoltTyphoon #Infrastructure

"We don’t know what pressure the Trump administration is using to make intelligence services fall into line, but it isn’t crazy to worry that the NSA might again start monitoring domestic communications.

Because of the Signal chat leak, it’s less likely that they’ll use vulnerabilities in Signal to do that. Equally, bad actors such as drug cartels may also feel safer using Signal. Their security against the US government lies in the fact that the US government shares their vulnerabilities. No one wants their secrets exposed.

I have long advocated for a "defense dominant" cybersecurity strategy. As long as smartphones are in the pocket of every government official, police officer, judge, CEO, and nuclear power plant operator—and now that they are being used for what the White House now calls calls "sensitive," if not outright classified conversations among cabinet members—we need them to be as secure as possible. And that means no government-mandated backdoors.

We may find out more about how officials—including the vice president of the United States—came to be using Signal on what seem to be consumer-grade smartphones, in a apparent breach of the laws on government records. It’s unlikely that they really thought through the consequences of their actions.

Nonetheless, those consequences are real. Other governments, possibly including US allies, will now have much more incentive to break Signal’s security than they did in the past, and more incentive to hack US government smartphones than they did before March 24.

For just the same reason, the US government has urgent incentives to protect them."

https://www.schneier.com/blog/archives/2025/03/the-signal-chat-leak-and-the-nsa.html

#USA #CyberSecurity #Signal #Encryption #Backdoors #Privacy #NSA #StateHacking

"The Department of Justice has announced criminal charges against 12 Chinese government-linked hackers who are accused of hacking more than 100 American organizations, including the U.S. Treasury, over the course of a decade.

The charged individuals all played a “key role” in China’s hacker-for-hire ecosystem, a senior DOJ official said on a background call with reporters, including TechCrunch, on Wednesday. The official added that those charged, which includes contract hackers and Chinese law enforcement officials, targeted organizations in the U.S. and worldwide for the purposes of “suppressing free speech and religious freedoms.”

The DOJ also confirmed that two of the indicted individuals are linked to the China government-backed hacking group APT27, or Silk Typhoon."

https://techcrunch.com/2025/03/05/justice-department-charges-chinese-hackers-for-hire-linked-to-treasury-breach/

#USA #CyberSecurity #DoJ #China #StateHacking #APT27 #SilkTyphoon

"When the Chinese hacker group known as Salt Typhoon was revealed last fall to have deeply penetrated major US telecommunications companies—ultimately breaching no fewer than nine of the phone carriers and accessing Americans' texts and calls in real time—that hacking campaign was treated as a four-alarm fire by the US government. Yet even after those hackers' high-profile exposure, they've continued their spree of breaking into telecom networks worldwide, including more in the US.

Researchers at cybersecurity firm Recorded Future on Wednesday night revealed in a report that they've seen Salt Typhoon breach five telecoms and internet service providers around the world, as well as more than a dozen universities from Utah to Vietnam, all between December and January. The telecoms include one US internet service provider and telecom firm and another US-based subsidiary of a UK telecom, according to the company's analysts, though they declined to name those victims to WIRED."

https://www.wired.com/story/chinas-salt-typhoon-spies-are-still-hacking-telecoms-now-by-exploiting-cisco-routers/

#CyberSecurity #China #SaltTyphoon #StateHacking #USA #BigTelco #Hacking

"The message from President Biden’s national security adviser was startling.

Chinese hackers had gained the ability to shut down dozens of U.S. ports, power grids and other infrastructure targets at will, Jake Sullivan told telecommunications and technology executives at a secret meeting at the White House in the fall of 2023, according to people familiar with it. The attack could threaten lives, and the government needed the companies’ help to root out the intruders.

What no one at the briefing knew, including Sullivan: China’s hackers were already working their way deep inside U.S. telecom networks, too.

The two massive hacking operations have upended the West’s understanding of what Beijing wants, while revealing the astonishing skill level and stealth of its keyboard warriors—once seen as the cyber equivalent of noisy, drunken burglars.

China’s hackers were once thought to be interested chiefly in business secrets and huge sets of private consumer data. But the latest hacks make clear they are now soldiers on the front lines of potential geopolitical conflict between the U.S. and China, in which cyberwarfare tools are expected to be powerful weapons."

https://www.wsj.com/tech/cybersecurity/typhoon-china-hackers-military-weapons-97d4ef95

#CyberSecurity #USA #China #SaltTyphoon #StateHacking #CyberWarfare