China says the US attacked mobile devices of timekeeping agency

F5 hackers lurked in company's systems for years, Cyberattack on supplier is disrupting Japanese retailers, Russian hackers stole sensitive UK military documents, Envoy Air hacked by Clop, Pro-Palestine hackers expose top Israeli military researchers, much more

Photo by feinschliff / Unsplash

This has only happened once before, but today I have two big stories appearing in two publications, and you should check them out.

The first, an exclusive which just kind of dropped in my lap, is my latest CSO piece, which reports that foreign threat actors infiltrated the Kansas City National Security Campus (KCNSC), a manufacturing facility that produces roughly 80% of the non-nuclear parts in the nation’s nuclear stockpile. Experts think this incident underscores the need to protect operational technology from exploits that primarily affect IT systems.

The second is my latest CyberScoop piece, which is a look at the various players and ideas that are jostling for control over the CVE program following its near-collapse in April and ahead of its next funding cliff in March.


Metacurity is a reader-supported publication that requires significant work and non-trivial expenses. We rely on the generous support of our paid readers. Please consider upgrading your subscription to support Metacurity's ongoing work. Thank you.

If you're unable to commit to a subscription today, please consider donating whatever you can. Thank you!


China said it uncovered “irrefutable evidence” of US government cyber attacks on the country’s main agency responsible for timekeeping.

The US National Security Agency has exploited vulnerabilities in some National Time Service Center employees’ mobile phones to attack the devices and acquire sensitive information since March 25, 2022, according to a statement on the official WeChat account of the Ministry of State Security on Sunday.

The US spy agency, the country’s largest to specialize in signals intelligence, has repeatedly used stolen login credentials since April 18, 2023, to hack into the computers at the center, the ministry said.

China’s Time Service Center, located in the northwestern city of Xi’an, is a vital national facility that provides high-precision service for the government, civil society, and the various industries. It also offers essential data support for the calculation of international standard time. (Bloomberg News)

Related: Modern Diplomacy, South China Morning Post, Forbes Middle East, Reuters, Associated Press, Tech in Asia, Benzinga, The Express Tribune, The Independent, StratNews, Reuters, Dagens, Security Affairs, Times of India

Sources say the state-backed hackers who breached cybersecurity company F5 broke in beginning in late 2023 and lurked in the company’s systems until being discovered in August of this year.

The attackers penetrated F5’s computer systems by exploiting software from the company that had been left vulnerable and exposed to the internet, according to the people. F5 told customers that the hackers were able to break in after the firm’s staff failed to follow the cybersecurity guidelines it provides customers, said the people, who spoke on the condition that they not be identified because they were not authorized to discuss the matter.

Chinese state-backed hackers were behind the attack, according to people familiar with the matter.

The attack prompted alerts from governments in the US and UK, with one American official warning of potentially “catastrophic” consequences. F5’s customers include government agencies and 85% of the Fortune 500. (Jake Bleiberg, Jordan Robertson, and Margi Murphy / Bloomberg)

Related: Cryptopolitan, Techzine

A cyber attack on Askul Corp. is disrupting e-commerce and logistics for major Japanese retailers, including Muji owner Ryohin Keikaku Co.

It’s the second such incident to unsettle the country’s consumer market in less than a month. Household goods seller The Loft Co. and Sogo & Seibu Co. retail chain have also suspended e-commerce sites.

Ryohin Keikaku, which didn’t offer a timeline for the resumption of online sales, said its own system hasn’t been compromised, and store logistics and deliveries are unaffected by the incident.

The Loft Co., owned by York Holdings Co., which recently spun off from Seven & i Holdings Co., also said that the resumption of e-commerce operations has yet to be determined.

The incident comes just weeks after Japan’s largest brewer Asahi Group Holdings Ltd. suffered a cyber attack that disrupted production and shipments of its “Super Dry” beer, Japan’s most popular brew. It caused the company to postpone the reporting of third-quarter financial results. The latest disruption will raise questions about the vulnerability of Japan’s e-commerce infrastructure, especially with many retailers sharing the same online vendors. (Kanoko Matsuyama and Yui Hasebe / Bloomberg)

Related: Finimize, The Sun, Arab News, The Straits Times, NHK, AFP, Mainichi, Nippon, The Asahi Shimbun

Russian hackers stole hundreds of sensitive military documents containing details of eight RAF and Royal Navy bases, as well as Ministry of Defence staff names and emails, and posted them on the dark web.

In what has been described as a 'catastrophic' security breach, cybercriminals accessed the cache of files by hacking a maintenance and construction contractor used by the MoD.

The 'gateway' attack, which targeted third party the Dodd Group, allowed cyber gangsters to circumvent the almost impenetrable cyber defences used by the Armed Forces.

The MoD said it was investigating the enormous data and security breach, believed to have been carried out by Russian group Lynx.

Leaked documents seen by the MoS disclose information about a number of sensitive RAF and Navy bases, including RAF Lakenheath, in Suffolk, where the US Air Force's F-35 stealth jets are based and their nuclear bombs are believed to be housed.

Other bases include RAF Portreath – a top-secret radar station that forms part of NATO's air defence network – and RAF Predannack, now home to the UK's National Drone Hub.

Details of contractors' names, car registrations, and mobile numbers, as well as MoD personnel's names and email addresses, have also been uploaded. Some documents are marked 'Controlled' or 'Official Sensitive'. (Lydia Veljanovski and Sean Rayment / The Daily Mail)

Related: The Sun, Mirror, Cybersecurity Insiders, Kyiv Post, BBC News, RBC-Ukraine, The Times, ITV

The regional American airline Envoy Air became the second company to confirm that information was stolen by hackers who breached their Oracle E-Business Suite application.

A spokesperson for the airline confirmed that its IT system was impacted by the recent hacking campaign allegedly launched by Russian cybercriminal group Clop. Envoy Air, a wholly-owned subsidiary of American Airlines, said a “limited amount of business information and commercial contact details may have been compromised.”

On Thursday evening, the cybercriminals claimed to have stolen an undisclosed amount of information from American Airlines, adding the company to its leak site.

An American Airlines spokesperson said the claim pertained to Envoy Air and that American Airlines itself does not use the Oracle E-Business Suite application. The parent company conducted a review over the last few weeks to confirm that the incident was related to the subsidiary, the spokesperson said.

“We are aware of the incident involving Envoy’s Oracle E-Business Suite application. Upon learning of the matter, we immediately began an investigation, and law enforcement was contacted,” an Envoy Air spokesperson told Recorded Future News.

“We have conducted a thorough review of the data at issue and have confirmed no sensitive or customer data was affected.” The spokesperson confirmed that the incident is specific to Envoy Air and said it had no impact on flight or airport ground handling operations. (Jonathan Greig / The Record)

Related: Reuters, Travel and Tour World, Aviation A2Z

According to Mehr News Agency, the pro-Palestinian Handala hacking group issued an official statement unveiling what it called an “unprecedented” disclosure, exposing personal data of 17 top military researchers working within Israel’s military establishment.

In their statement, the group said, “Today, for the first time, we are revealing the highly confidential personal details of 17 senior military scientists, men and women who form the core of the Zionist regime’s war machine. These individuals are not anonymous cogs; they are the architects of destruction and the masterminds behind weapons that have brought fear, suffering, and death upon countless innocent civilians in numerous wars.” (Mehr News Agency)

Related: Tehran Times, Borna News

Vocus, which is the parent company for Dodo and iPrimus and is Australia's fourth largest telco, said in a statement that 1600 home internet and mobile customers had been affected by a hack on the business's email and mobile services.

The internet provider suspended its services in a bid to rectify the problem.

“Our initial investigation has revealed unauthorised access to approximately 1,600 email accounts, leading to unauthorised SIM swaps on 34 Dodo Mobile accounts,” a spokesperson said.

“We have worked with impacted customers to reverse these SIM swaps and we continue to monitor this situation.”

The telco said its teams continued to work on the breach on Saturday, before restoring email services to customers.

By 7am on Sunday, email services had been restored, although customers would need to ring up their service provider and change their password. (Cameron Micallef / News.com)

Related: Daily Mail, 7News, Daily Jang, ABC.net.au, Meyka

Cyberintelligence firm NSO Group is now blocked from Meta’s WhatsApp messaging platform, following a judge's ruling that also drastically reduced a multimillion-dollar award granted to the Silicon Valley giant in May.

US District Judge Phyllis Hamilton said in a 25-page ruling that there was evidence NSO Group’s flagship spyware could still infiltrate WhatsApp users’ devices and granted Meta’s request for a permanent injunction.

However, Hamilton, a Bill Clinton appointee, also determined that damages had to be proportioned under a legal framework that caps punitive damages relative to compensatory damages. She ordered that the jury's $167 million award be reduced to a little over $4 million.

“In this case, the court does not have a sufficient basis for determining that defendants’ behavior is ‘particularly egregious,’ which means the punitive damages ratio is capped at 9/1,” Hamilton wrote.

The damages stem from the company’s use of its proprietary spyware called Pegasus, which, once implanted, can control a phone’s microphones and cameras while extracting the personal and location data of its owner. (Carly Nairn / Courthouse News Service)

Related: TipRanks, Al Jazeera, Cryptopolitan, TechCrunch

Cybercriminals are abusing a widespread lack of authentication in the customer service platform Zendesk to flood targeted email inboxes with menacing messages that come from hundreds of Zendesk corporate customers simultaneously.

Zendesk is an automated help desk service designed to make it simple for people to contact companies for customer support issues. Earlier this week, KrebsOnSecurity started receiving thousands of ticket creation notification messages through Zendesk in rapid succession, each bearing the name of different Zendesk customers, such as CapCom, CompTIA, Discord, GMAC, NordVPN, The Washington Post, and Tinder.

The abusive missives sent via Zendesk’s platform can include any subject line chosen by the abusers. In my case, the messages variously warned about a supposed law enforcement investigation involving KrebsOnSecurity.com or else contained personal insults.

Notified about the mass abuse of their platform, Zendesk said the emails were ticket creation notifications from customer accounts that configured their Zendesk instance to allow anyone to submit support requests — including anonymous users. (Brian Krebs / Krebs on Security)

Related: Slashdot, Hacker News (ycombinator)

One of dozens of messages sent to KrebsonSecurity this week by The Washington Post. Source: KrebsonSecurity.
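The abuse described above works because each misconfigured Zendesk instance simply relays whatever subject line an anonymous requester types, so the tell-tale sign in a victim's mailbox is a burst of ticket-creation notifications arriving from many unrelated Zendesk tenants at once. The following is an added example, not code from Krebs on Security or from Zendesk: a small detection that buckets inbound mail by time window and alerts when the notification volume is spread across several tenants. The sender pattern (`<mailbox>@<tenant>.zendesk.com`), the tenant names, the subjects and the thresholds are all assumptions or constructed sample data.

```python
"""Detect a Zendesk ticket-notification flood in a mailbox (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample mailbox: (received-at, From, Subject). Tenant subdomains
# are invented; the only assumption is that notifications come from
# <mailbox>@<tenant>.zendesk.com.
SAMPLE_MESSAGES = [
    ("2025-10-18T09:00:01", "support@tenant-a.zendesk.com", "[Request received] You are under investigation"),
    ("2025-10-18T09:00:04", "support@tenant-b.zendesk.com", "[Request received] Final notice"),
    ("2025-10-18T09:00:09", "help@tenant-c.zendesk.com",    "[Request received] Read this now"),
    ("2025-10-18T09:01:30", "support@tenant-a.zendesk.com", "[Request received] Final notice"),
    ("2025-10-18T09:02:15", "support@tenant-d.zendesk.com", "[Request received] Legal action pending"),
    ("2025-10-18T09:03:40", "support@tenant-b.zendesk.com", "[Request received] Last warning"),
    ("2025-10-18T11:30:00", "support@tenant-e.zendesk.com", "[Request received] Re: my password reset"),
    ("2025-10-18T11:31:00", "alerts@example.net",           "Weekly digest"),
]

# Matches the assumed notification address and captures the tenant subdomain.
ZENDESK_FROM = re.compile(r"^[^@\s]+@([a-z0-9-]+)\.zendesk\.com$", re.IGNORECASE)

# Fixed naive reference point so bucket alignment does not depend on local timezone.
EPOCH = datetime(1970, 1, 1)


def zendesk_tenant(sender):
    """Return the tenant subdomain if `sender` is a Zendesk notification address, else None."""
    m = ZENDESK_FROM.match(sender.strip())
    return m.group(1).lower() if m else None


def bucket_notifications(messages, window=timedelta(minutes=10)):
    """Group Zendesk notifications into fixed time buckets: bucket_start -> {tenant: count}."""
    buckets = defaultdict(lambda: defaultdict(int))
    secs = int(window.total_seconds())
    for received, sender, _subject in messages:
        tenant = zendesk_tenant(sender)
        if tenant is None:  # ordinary mail, not a Zendesk notification
            continue
        ts = datetime.fromisoformat(received)
        offset = int((ts - EPOCH).total_seconds()) // secs * secs
        bucket_start = EPOCH + timedelta(seconds=offset)
        buckets[bucket_start.isoformat()][tenant] += 1
    return buckets


def detect_notification_flood(messages, window=timedelta(minutes=10), min_messages=5, min_tenants=3):
    """Return alerts for buckets with many notifications from many distinct tenants.

    Several messages from one tenant is normal support traffic; the abuse
    pattern is volume spread across unrelated Zendesk customers, each of which
    merely relayed a ticket that an anonymous requester created.
    """
    alerts = []
    for start, per_tenant in sorted(bucket_notifications(messages, window).items()):
        total = sum(per_tenant.values())
        if total >= min_messages and len(per_tenant) >= min_tenants:
            alerts.append({"window_start": start, "messages": total, "tenants": sorted(per_tenant)})
    return alerts


if __name__ == "__main__":
    for alert in detect_notification_flood(SAMPLE_MESSAGES):
        print(f"{alert['window_start']}: {alert['messages']} Zendesk notifications "
              f"from {len(alert['tenants'])} tenants: {', '.join(alert['tenants'])}")
```

On the sample data this flags the 09:00 window (six notifications from four tenants) and ignores the lone password-reset notification at 11:30. The mitigation on the sending side is the one Zendesk's statement implies: do not let an instance accept ticket creation from unauthenticated requesters unless there is a business reason to, since the resulting notification email is delivered under the company's name.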

The Dutch intelligence services AIVD and MIVD have reduced the amount of information they share with their American counterparts, citing political developments in the United States under President Donald Trump and growing concerns over the politicization of intelligence and "respect for human rights."

In a joint interview with de Volkskrant, AIVD Director-General Erik Akerboom and MIVD Director Peter Reesink confirmed that the agencies have become more selective in their cooperation with the CIA and NSA.

“That we sometimes no longer tell certain things, that’s true,” Reesink said. Akerboom added, “Sometimes you have to think case by case: can I still share this information or not?” While both officials stressed that relations with US intelligence agencies remain “excellent,” they emphasized that the Netherlands has become “more critical.”

According to the two directors, the Netherlands is increasingly focusing on European cooperation. “We have scaled up enormously,” Akerboom told De Volkskrant, referring to a leading group of Northern European services — including those from the United Kingdom, Germany, Scandinavia, France, and Poland — that are exchanging intelligence more intensively. The war in Ukraine and the growing Russian threat to Europe have accelerated these multilateral intelligence partnerships. Reesink noted that a similar development is visible within military intelligence circles. (NL Times)

Related: Volkskrant, Caliber, Dutch News

The official Xubuntu website was compromised over the weekend (18/19 October 2025), briefly serving up Windows malware to users trying to download the distro.

Users who visited the Xubuntu website over the weekend to download the official .torrent of the Xfce-toting Ubuntu flavour instead got a file named xubuntu-safe-download.zip.

When the rogue zip file was extracted, it contained an .exe runtime and a ‘terms of service’ text file.

The Xubuntu team took down the affected download page as soon as they were informed. There is no indication that direct Xubuntu ISO downloads (or checksums) were modified, altered, replaced or otherwise interfered with. (Joey Sneddon / OMGUbuntu)

Related: ghacks

Six hacker wallets sold ETH during the crypto crash on October 10, locking in heavy losses and rebuying at higher prices, losing a total of over $13.4 million due to their poor timing.

According to blockchain tracking platform Lookonchain, the hackers quickly re-entered the market. They bought the same amount of ETH, 7,816 coins, back at $4,159 each. This move led to a confirmed loss of over $13.4 million, as the assets were repurchased at a higher price.

Though linked to past exploits, their recent moves suggest they traded under pressure like any other market participant. Blockchain data shows they sold low and bought high, exposing a lack of trading skill despite their history of technical exploits. (Kelvin Munene / CoinCentral)

Related: Cryptopolitan, Blockchain Reporter

The OYO Hotel & Casino Las Vegas (formerly Hooters Hotel & Casino) suffered a significant cyberattack in January 2025, according to court filings first reported by Crain’s New York Business on October 14, 2025.

The resulting data breach reportedly compromised the personal information of 4,700 casino and hotel guests and employees.

The cyber attack surfaced in a legal dispute between Highgate Hotels, a prominent hotel management firm, and OYO Hotels, which owns properties in Las Vegas and New York, among many other cities. Highgate filed suit contesting its abrupt termination from the OYO Times Square hotel, arguing that its August 1, 2025 dismissal violated New York Labor Law Section 860-a, which requires 90 days’ notice for certain mass layoffs.

OYO defended its action by citing “seriously deficient” IT practices at Highgate, as demonstrated by a Las Vegas data breach that went unreported by mainstream news outlets until the legal filings surfaced. (OYO also fired Highgate as its Las Vegas property manager, though Paragon continues to operate the casino, according to Vital Vegas.)

However, OYO’s termination of Highgate came six weeks before the breach’s official discovery date. As recorded by the state of Maine attorney general’s office, it wasn’t notified of the incident until September 18, 2025. (Corey Levitan / Casino.org)

Related: Newsnet5, Crain's New York Business, Vital Vegas, Maine Attorney General

Best Thing of the Day: AOL Was a Blast From the Past Even Ten Years Ago

Kim Zetter offers a deeper dive into how the emails of John Bolton got hacked, noting that he used AOL email as a kind of diary that he was keeping to eventually write a book about his experience as national security advisor.

Bonus Best Thing of the Day: View This as a Cybersecurity Public Service Warning

In the Guardian, Tim Brown, the security chief of SolarWinds reflects on the Russian hack that exposed US government agencies and the heart attack he suffered in the aftermath, underscoring the need to attend to security workers' emotional health during crises.

Worst Thing of the Day: You Can't Trust Anybody Anymore

Software developer David Dodda explains how he narrowly dodged implanting malware on his machine after receiving a sophisticated fake coding interview from a "legitimate" blockchain company.

Closing Thought
