Foreign nation suspected in hack of Washington Post reporters’ emails
WestJet hit by cyber incident, Iran likely to retaliate with cyber ops, Zoomcar breach exposed customers' data, Qilin gang hit French insurer, Trump provided Medicaid data to deportation officials, 46K+ Grafana instances remain unpatched, 10K VirtualMacOSX customers affected by breach, much more


Company officials told staffers that a cyberattack on the Washington Post compromised email accounts of several journalists and was potentially the work of a foreign government.
Sources said staffers were told the intrusions compromised journalists’ Microsoft accounts and could have granted the intruder access to work emails they sent and received. They also said the reporters targeted were those on the national security and economic policy teams, including some who wrote about China.
In an internal memo on Sunday, Post Executive Editor Matt Murray said he wanted to notify staff about a “possible targeted unauthorized intrusion into our email system,” adding that the Post believes a limited number of journalists’ accounts were affected. He said the company discovered the issue on Thursday evening and has begun an investigation.
Murray previously helped manage a similar incident during his tenure as editor in chief of The Wall Street Journal.
Staffers affected by the hack were notified recently and instructed not to discuss the matter.
The newspaper's reporters said they seldom send sensitive information via email and instead prefer to use Slack for internal coordination and encrypted messaging services such as Signal to speak with sources.
In his staff note sent Sunday afternoon, Murray said the news outlet has taken additional steps to secure its digital systems, including a forced credential reset for all Post employees. (Dustin Volz, Isabella Simonetti and Robert McMillan / Wall Street Journal. Gift access for Metacurity readers)
Related: CNN, Bloomberg, Neowin, CBS News, ChannelNews, Databreaches.net
Canada's WestJet Airlines is investigating a cybersecurity incident that has disrupted access to its mobile app and some internal systems, affecting an undisclosed number of users.
WestJet said specialized internal teams are working alongside law enforcement and Transport Canada to limit the impact and determine the scope of the breach.
"We are expediting efforts to safeguard sensitive data and personal information for both our guests and employees," the company said, adding it was too early to speculate on the scope or cause of the incident. (Bipasha Dey and Surbhi Misra / Reuters)
Related: West Jet, Calgary Herald, CBC News, Toronto City News, The Canadian Press, Bleeping Computer, IB Times, Databreaches.net, Security Week, Infosecurity Magazine, FL360aero, Cybernews, Teiss
Experts say Iran is widely expected to retaliate against Israel's missile strikes with cyber operations, and these could extend to American targets.
"I would expect there to be a cyber component of both the Israeli and Iranian activities," former White House advisor Michael Daniel said.
"Iranian cyber activity has not been as extensive outside of the Middle East but could shift in light of the military actions," Google threat intelligence group chief analyst John Hultquist said. "Iranian cyber espionage activity already targets the US government, military, and political [sector], but new activity may threaten privately owned critical infrastructure, or even private individuals."
Separately, cybersecurity firm Radware said there was a 700% increase in cyberattacks against Israel over the past two days compared to the period before June 12.
“The 700% surge in malicious activity within just two days stems from cyber retaliation operations by Iranian state actors and pro-Iranian hacker groups, including DDoS attacks, infiltration attempts targeting critical infrastructure, data theft, and malware distribution campaigns,” said Ron Meyran, VP of Cyber Threat Intelligence at Radware. (Jessica Lyons / The Register and Jerusalem Post)
Related: Intelligent CISO, Cybernews, Calcalist, GovInfoSecurity, Cyber Daily
In a US SEC filing, Zoomcar, India’s largest peer-to-peer car-sharing app, reported a data breach, saying the sensitive details of millions of customers were exposed.
The company said it became aware of the incident on June 9 "after certain employees received external communications from a threat actor alleging unauthorized access to Company data."
The company stressed that there is no indication that “financial information, plaintext passwords, or other sensitive identifiers were compromised” so far. (Vilius Petkauskas / Cybernews)
Related: SEC, Cyber Insider
Asefa, the Madrid-based subsidiary of France’s leading mutual insurer SMABTP, confirmed a cyber incident that interrupted part of its IT infrastructure after the Qilin ransomware syndicate posted that it had exfiltrated over 200 gigabytes of sensitive data from the company.
Qilin, a ransomware group that has targeted more than 300 organisations globally in the last 12 months, has listed Asefa on its dark web leak portal.
Files purportedly obtained during the breach include internal corporate documents, financial receipts, legal agreements, passport scans, and notably, details of a major insurance programme linked to the redevelopment of FC Barcelona’s Camp Nou stadium. (Vilius Petkauskas / Cybernews).
Related: Insurance Business Mag
The Trump administration provided deportation officials with personal data, including immigration status, on millions of Medicaid enrollees, a move that could make it easier to locate people as part of the president's sweeping immigration crackdown.
Documents and emails show Medicaid officials unsuccessfully sought to block the data transfer, citing legal and ethical concerns.
Nevertheless, the emails show that two top advisers to Health Secretary Robert F. Kennedy Jr. ordered the dataset handed over to the Department of Homeland Security. Officials at the Centers for Medicare and Medicaid Services were given just 54 minutes on Tuesday to comply with the directive.
The dataset includes information on people living in California, Illinois, Washington state, and Washington, D.C., all of which allow non-U.S. citizens to enroll in Medicaid programs that pay for their expenses using only state taxpayer dollars. CMS transferred the information just as the Trump administration ramped up its enforcement efforts in Southern California. (Kimberly Kindy and Amanda Seitz / Associated Press)
Related: CalMatters, The Daily Beast, Newsweek, The Hill
Bug bounty hunter Alvaro Balada discovered that over 46,000 internet-facing instances of the Grafana observability platform remain unpatched and exposed to a client-side open redirect vulnerability that allows a malicious plugin to execute and take over an account.
The flaw, tracked as CVE-2025-4123, impacts multiple versions of the open-source platform used for monitoring and visualizing infrastructure and application metrics.
Grafana issued security updates on May 21 to fix the flaw, but researchers at OX Security say more than a third of all Grafana instances reachable over the public internet have not been patched.
To mitigate the risk of exploitation, Grafana administrators are recommended to upgrade to versions 10.4.18+security-01, 11.2.9+security-01, 11.3.6+security-01, 11.4.4+security-01, 11.5.4+security-01, 11.6.1+security-01, and 12.0.0+security-01. (Bill Toulas / Bleeping Computer)
Related: Grafana Labs, Ox Security, Infosecurity Magazine

Researchers at Safety Detectives identified a data breach involving VirtualMacOSX.com, an online provider of cloud services targeted at Mac users, in an incident that affects at least 10,000 customers.
SafetyDetectives states that it found a post publicizing a VirtualMacOSX.com database in a forum known for data leaks, cracks, and other security issues. Those who replied to or liked the post were given access to the data.
The data included sensitive information, including full names, financial data, contact info, and passwords. Analysis by SafetyDetectives led them to believe the data is genuine, but the researchers “refrained from testing the exposed credentials” to verify the data due to ethical concerns. (Roman Loyola / Macworld)
Related: Safety Detectives, HackRead, MacTech

The Delhi Police dismantled a cyber-extortion network, arresting two individuals, including the suspected mastermind, linked to blackmail involving nude video calls.
According to police reports, the investigation was launched following a complaint by Shahdara resident Ankit Kumar Kain, who was targeted in the scam.
Kain encountered a woman, Nandini, via the QuackQuack dating app. Subsequently, they exchanged WhatsApp numbers, after which she conducted a video call whilst nude, recording Kain's face. She then blackmailed him, threatening to release the video unless Rs 35,000 was transferred to a Bandhan Bank account. Fearing disgrace, Kain complied but later reported the matter on the National Cybercrime Reporting Portal.
Police investigations traced the transaction to a Bandhan Bank account under Mangal Singh from South Delhi, managed by Shyam Singh of Rajasthan. Investigators discovered that Shyam had opened the account using Mangal's details. The mobile number and email linked to the account pointed to Shyam. Four mobile devices involved in the scheme were retrieved from him. A second suspect, Aamir, is yet to be apprehended, while Mangal Singh was detained and confessed to receiving a commission for providing his banking credentials. (Devdiscourse)
Related: ANI, The Daily Jagran
The European Commission announced it is allocating €145.5 million, or about US$170 million, to help public administrations and small and medium-sized enterprises adopt cybersecurity solutions and apply research-driven innovations.
The European Cybersecurity Competence Centre has launched two funding calls to support this effort.
The first call, part of the Digital Europe Programme, has a budget of around €55 million (around $63 million). €30 million (around $35 million) is set aside to strengthen cybersecurity in hospitals and healthcare providers.
Under the Horizon Europe Programme, the second call has a budget of around €90.5 million (around $105 million). It will support the use and development of generative AI for cybersecurity applications, new advanced tools and processes for operational cybersecurity, privacy-enhancing technologies, and post-quantum cryptography. (Anna Ribeiro / Industrial Cyber)
Related: European Commission
In an SEC filing, Victoria's Secret said it has restored all critical systems impacted by a May 24 security incident that forced it to shut down corporate systems and the e-commerce website.
The company disclosed that all restored critical systems are now fully operational and that it is working with external experts to assess the cyberattack's impact.
It also believes the incident will likely have no material impact on its yearly fiscal results, even though it may continue to incur expenses related to the attack.
"We immediately enacted our response protocols to contain and eradicate unauthorized network access, and third-party experts were engaged. All critical systems are restored and fully operational," Victoria's Secret said. (Sergiu Gatlan / Bleeping Computer)
Related: SEC, Cyber Daily
Email hosting company Cock [dot] li confirmed reports that hackers exploited vulnerabilities in its Roundcube database with the thieves posting two tables from cock.li's Roundcube database online and offering them for sale.
The hacker reports they took the users and contact tables.
Passwords were stored in the sessions table, which is not included in the leak. There was no functioning "Remember me" feature on cock.li's webmail, so this would have included the password of anyone actively logged into webmail, which is about 350 at any time.
However, anyone who has used webmail since 2016 should change their password. (Mail.cock.li)
Related: r/emailprivacy, r/emailprivacy

The US Securities and Exchange Commission formally withdrew certain notices of proposed rulemaking issued between March 2022 and November 2023.
The Commission does not intend to issue final rules concerning these proposals. The first was a proposed rule entitled "Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies."
The second was entitled "Reopening of Comment Period for 'Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies.'"
The SEC took a similar tack with several Biden-era proposals that would impose various requirements on the cryptocurrency industry. (SEC and Cointelegraph)
Bipartisan House members introduced the Advanced AI Security Readiness Act, which requires the National Security Agency to create an artificial intelligence “security playbook” to protect sensitive US technologies from foreign adversaries like China.
The lawmakers said there was evidence that Chinese-based startup DeepSeek’s AI chatbot “used illegal distillation techniques to steal insights from U.S. AI models to accelerate their own technology development,” and that the legislation was needed “to address vulnerabilities, threat detection, cyber and physical security strategies, and contingency plans for highly sensitive AI systems.” (Edward Graham / NextGov/FCW)
Related: Meritalk, Select Committee on the CCP
SK Telecom, Korea's leading mobile carrier, is set to partially resume new subscription services limited to eSIM starting later this week, following a recent large-scale data breach.
New subscriptions, which had been suspended nationwide, will resume at its retail stores starting Monday morning.
The breach, first detected on April 18, involved the unauthorized exposure of data linked to universal subscriber identity module (USIM) cards. In response, SK Telecom has been replacing affected customers' USIM cards free of charge to prevent potential identity theft or financial fraud. (Yonhap News)
Related: The Investor, Maeil Business Newspaper, Chosun Biz, The Korean Times
Researchers at c/side report that a new, obfuscated browser-based malware campaign has surfaced, demonstrating how attackers are now exploiting trusted domains like Google.com to bypass traditional antivirus defenses.
It appears to originate from a legitimate OAuth-related URL, but covertly executes a malicious payload with full access to the user's browser session.
The attack begins with a script embedded in a compromised Magento-based e-commerce site. The script references a seemingly harmless Google OAuth logout URL: https://accounts.google.com/o/oauth2/revoke.
However, this URL includes a manipulated callback parameter, which decodes and runs an obfuscated JavaScript payload using eval(atob(...)).
The use of Google's domain is central to the deception: because the script loads from a trusted source, most content security policies (CSPs) and DNS filters allow it through without question.
This script only activates under specific conditions. If the browser appears automated or the URL includes the word “checkout,” it silently opens a WebSocket connection to a malicious server. This means it can tailor malicious behavior to user actions. (Efosa Udinmwen / TechRadar)
Related: c/side
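As an added illustration (not c/side's or Metacurity's code), the following Node.js scanner flags script tags that load the Google OAuth revoke endpoint with a callback parameter carrying eval(atob(...))-style code, the pattern described above; the sample HTML is constructed and its decoded payload only logs a string.

```javascript
// Added example (not c/side's or Metacurity's code): a small scanner that flags
// <script src> tags pointing at the Google OAuth revoke endpoint whose
// "callback" parameter smuggles eval(atob(...)) style code, the pattern the
// report describes. The HTML below is constructed; its payload only logs text.

const TRUSTED_JSONP = { host: 'accounts.google.com', path: '/o/oauth2/revoke' };
// Tokens the report associates with the payload and its activation logic.
const RISKY_TOKENS = ['eval(', 'atob(', 'Function(', 'WebSocket', 'checkout'];

// Decode every base64-looking run inside text; keep only printable results.
function decodeBase64Runs(text) {
  const decoded = [];
  for (const m of text.matchAll(/[A-Za-z0-9+/]{16,}={0,2}/g)) {
    const s = Buffer.from(m[0], 'base64').toString('utf8');
    if (/^[\x20-\x7e\s]+$/.test(s)) decoded.push(s);
  }
  return decoded;
}

// Return null for scripts that do not hit the endpoint, else a verdict object.
function analyzeScriptSrc(src) {
  let url;
  try { url = new URL(src); } catch { return null; }
  if (url.hostname !== TRUSTED_JSONP.host || url.pathname !== TRUSTED_JSONP.path) return null;
  const cb = url.searchParams.get('callback') || '';
  // A legitimate JSONP callback is a plain dotted identifier, e.g. "app.onRevoke".
  const plainIdentifier = /^[A-Za-z_$][\w$.]*$/.test(cb);
  const indicators = new Set();
  for (const text of [cb, ...decodeBase64Runs(cb)]) {
    for (const tok of RISKY_TOKENS) if (text.includes(tok)) indicators.add(tok);
  }
  return { src, callback: cb, suspicious: !plainIdentifier || indicators.size > 0,
           indicators: [...indicators] };
}

// Scan raw HTML for external scripts and return only the suspicious ones.
function scanHtml(html) {
  const findings = [];
  for (const m of html.matchAll(/<script[^>]*\ssrc=["']([^"']+)["']/gi)) {
    const verdict = analyzeScriptSrc(m[1]);
    if (verdict && verdict.suspicious) findings.push(verdict);
  }
  return findings;
}

// Constructed sample page: one benign script, one abusing the revoke endpoint.
const harmless = Buffer.from('console.log("constructed sample")').toString('base64');
const smuggled = encodeURIComponent(`eval(atob("${harmless}"))`);
const SAMPLE_HTML = `<html><body>
<script src="https://cdn.example.com/app.js"></script>
<script src="https://accounts.google.com/o/oauth2/revoke?callback=${smuggled}"></script>
</body></html>`;

console.log(JSON.stringify(scanHtml(SAMPLE_HTML), null, 2));
```

Run it over captured page source from a suspect storefront; a plain identifier callback is left alone, while any callback that is not an identifier or that decodes to eval/atob/WebSocket strings is reported with the matching indicators.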
The US Cybersecurity and Infrastructure Security Agency (CISA) issued ten industrial control systems (ICS) advisories highlighting vulnerabilities in equipment from Siemens, AVEVA, and PTZOptics, which are widely used across critical infrastructure sectors.
CISA disclosed an ‘Out-of-bounds Read’ vulnerability in Siemens Tecnomatix Plant Simulation equipment affecting all versions before V2404.0013. “Successful exploitation of this vulnerability could allow an attacker to execute code in the context of the current process.”
The affected applications contain an out-of-bounds read past the end of an allocated structure while parsing specially crafted WRL files. This could allow an attacker to execute code in the context of the current process.
CVE-2025-32454 has been assigned to this vulnerability. It carries a CVSS v3 base score of 7.8 and a CVSS v4 base score of 7.3. Michael Heinzl reported this vulnerability to Siemens, who in turn reported this vulnerability to CISA. (Anna Ribeiro / Industrial Cyber)
Related: CISA
Best Thing of the Day: Let's See if the New Cyber Director Gets to Do This
Former national cyber director Harry Coker said that one of his top wins in the White House role was carrying out his responsibilities in an apolitical manner.
Worst Thing of the Day: He Really Needed That Data for His AI Company After All
Elon Musk and his allies systematically built a false narrative of widespread fraud at the Social Security Administration based on misinterpreted data to justify an aggressive effort to gain access to personal information on millions of Americans.
Bonus Worst Thing of the Day: How About Tracking Law Enforcement Itself as the Biggest Threat?
Army intelligence analysts are monitoring civilian-made ICE tracking tools, treating them as potential threats to law enforcement.
Closing Thought
