Pro-Hamas hackers stole plans for Australia's next-gen infantry fighting vehicles
Australia, UK, Denmark and Norway raise security concerns about Chinese buses, CISA 2015 will extend once US government shutdown ends, Chinese cyber company with close ties to Beijing suffered massive hack, New NSO Group owner seeks US headquarters, much more

Classified plans for Australia’s new $7bn infantry fighting vehicles have been stolen by pro-Hamas hackers known as The Cyber Toufan in a massive cyber attack on Israeli arms companies.
The hackers - believed to be linked to the Iranian state – posted 3D renderings and technical details of the Army’s next-generation Redback vehicle, which will be fitted with hi-tech weapons turrets supplied by Israel’s Elbit Systems.
The group claims to have obtained confidential data from 17 Israeli defence companies after gaining entry to supply chain firm MAYA Technologies through its security cameras more than a year ago.
It started publishing confidential details of 36 Israeli military projects on its Telegram social media channel on October 22, declaring it had “infiltrated the heart of Israel’s defence engineering operations."
The Elbit turrets incorporate advanced sensors and remote weapons systems designed by Australian defence company EOS, as well as its own 30mm cannon and Iron Fist protection system.
The data breach also exposed plans for an Elbit helmet-mounted display system similar to one used on the Redback, as well as the Spike NLOS anti-tank missile being considered for purchase by the Australian Defence Force.
It’s unclear how much information was stolen and whether it could be used to develop countermeasures for the Redback’s weapons and defensive technology. There are also concerns that Israel’s world-leading military capabilities could be reverse-engineered from the stolen data.
The Australian Army will get 127 of the tank-like Redback vehicles, designed by South Korea’s Hanwha Defence, for about $7 billion AUD. The Elbit turrets will be supplied under a contract worth about $920 million AUD. (Ben Packham / The Australian)
Related: Iran International, Sky News, The Australian, r/AustralianPolitics, Jerusalem Post
Australia, the UK, and Denmark have joined Norway in raising concerns over the security risks of electric buses made by China's Yutong Group.
On the company's Australian website, Yutong Australia said it had "delivered" more than 1,500 vehicles here since 2012, of which only 133 low-floor city buses and about 12 charter or coach buses in Australia were battery electric.
Norwegian transport operator Ruter published test results last week that showed bus-maker Yutong Group had access to buses' control systems for software updates and diagnostics on the model they tested.
However, cybersecurity expert Alastair MacGibbon said it was a "moot point" whether the bus model raising concern in Europe was in Australia.
Mr MacGibbon, chief strategy officer at CyberCX and former head of the Australian Cyber Security Centre, said all "connected" vehicles, and particularly electric vehicles, required constant connectivity with manufacturers who have access to microphones, cameras, and GPS devices.
"They have to be able to update software and firmware. That means they can degrade the device, turn it off, turn off certain features, and the fundamental point here is it's not about made in China, but controlled by China," he said.
"The problem is, of course, that if a company is domiciled in China, they obviously come under the lawful direction of the CCP [Chinese Communist Party]."
Movia, Denmark’s largest public transport company, has 469 Chinese electric buses in operation – 262 of which were manufactured by Yutong.
Jeppe Gaard, Movia’s chief operating officer, said he was made aware last week that “electric buses – like electric cars – can be remotely deactivated if their software systems have web access”. He added: “This is not a Chinese bus problem. It is a problem for all types of vehicles and devices with Chinese electronics built in.”
Gaard said the Danish agency for civil protection and emergency management, Samsik, told it that it was not aware of any specific cases in which electric buses had been deactivated, but warned that the vehicles were equipped with “subsystems with internet connectivity and sensors (cameras, microphones, GPS) that can constitute vulnerabilities which could be exploited to disrupt bus operations."
Yutong has supplied about 700 buses to the UK market, primarily in Nottingham, south Wales and Glasgow, operated by groups including Stagecoach and FirstBus. The company is hoping to sell more vehicles in London, where it has developed a double-decker electric bus that meets the standards of Transport for London.
The UK Department for Transport said: “We are looking into the case and working closely with the UK’s National Cyber Security Centre to understand the technical basis for the actions taken by the Norwegian and Danish authorities.” (Sally Brooks / ABC.net.au, Miranda Bryant / The Guardian, Jim Pickard, Gill Plimmer and Richard Milne / Financial Times)
Related: Asia Financial, ABC, NBC News, Yahoo Finance
Legislation to end the federal government shutdown includes a provision that would extend the already expired Cybersecurity Information Sharing Act of 2015 through the end of January, breathing new life into legal protections that are vital to sharing threat data between companies and between industry and the government.
Now, with the extension language in the continuing resolution bill that also includes three short-term appropriations bills, Congress is poised to restore it to life, at least temporarily.
The Senate voted 60-40 on Sunday night to advance the legislation. It still would have to get a successful House vote and a signature from President Donald Trump.
If that bill becomes law, the House and Senate would have a short window to advance a more permanent solution. The respective leaders of the House Homeland Security Committee, Rep. Andrew Garbarino, R-N.Y., and the Senate Homeland Security and Governmental Affairs panel, Rand Paul, R-Ky., have introduced bills that would take significantly different approaches to amending and extending the 2015 law.
The Trump administration has pushed for a 10-year extension without any changes. (Tim Starks / CyberScoop)
In early November 2025, Knownsec, a large cybersecurity company with ties to the Chinese government, suffered a massive data breach, with reports indicating that hackers obtained over 12,000 classified documents, including information on Chinese state-owned cyber weapons, internal tools, and global target lists.
This incident not only exposed vulnerabilities in Knownsec's cybersecurity services but, more importantly, revealed to global security researchers the Chinese government's supported cyber weapons ecosystem and its targeted surveillance activities in multiple countries worldwide.
The leak involved a massive amount of documents, with over 12,000 confidential files successfully extracted by hackers. These files included content related to collaborations between Knownsec and Chinese government departments, technical details of cyber weapons, source code for internal tools, and lists of surveillance targets targeting foreign organizations.
The leaked information initially appeared on the code-sharing platform GitHub. Although GitHub subsequently removed the content for violating its terms of service, the leaked files had already spread widely within the cybersecurity research community. (Mrxn's Blog)
Related: TechDigest, The Register, Red Hot Cyber
NSO Group, the Israeli company behind Pegasus spyware, says a group of investors led by Hollywood producer Robert Simonds has acquired a controlling stake in the firm, which has named a former Trump official to lead an effort to restore its battered reputation.
The company, which has faced lawsuits and US government sanctions since revelations that its technology was used to spy on political dissidents, human-rights advocates, journalists, and American officials, declined to disclose the purchase price.
NSO’s new executive chairman, David Friedman, a former US ambassador to Israel and onetime bankruptcy lawyer for President Trump, said he wants to use his ties to the Trump administration to help rebuild the company’s spyware business in the US. (Dov Lieber / The Wall Street Journal)
Related: Haaretz, Globes, Times of Israel, Gizmodo, Ynet News
The Australian government has imposed strict sanctions and travel bans on four groups and one individual, internationally-wanted North Korean programmer and hacker Park Jin Hyok, for targeting Australians to fund North Korea’s missile and weapons of mass destruction program.
North Korean actors have been involved in cryptocurrency theft, fraudulent “IT work” and webs of spies around the world, the Foreign Minister said.
It comes after North Korea warned similar US sanctions could “antagonise” their supreme leader.
Park Jin Hyok and his state-sponsored Lazarus Group hacking team – also sanctioned – were alleged to be involved in a ransomware attack, which saw victims forced to pay North Korea in cryptocurrency to access their own computer files.
Groups Kimsuky, Andariel, and Chosun Expo were also sanctioned and have been accused of targeting international health systems, nuclear power companies, and think tanks. (Max Aldred / Sky News)
Related: Minister of Foreign Affairs, Department of Foreign Affairs and Trade, Region Canberra, The Nightly, IT News, Anadolu Ajansi, The Chosun
Singapore police announced that three Chinese nationals, Yan Peijian, Huang Qinzheng, and Liu Yuqi, were convicted and sentenced to imprisonment for their roles in the Shadow Brokers global cybercrime syndicate that conducted illegal cyber activities.
Police arrested the trio in an operation in September 2024. Yan’s laptop was later found to contain messages discussing vulnerable domains, which included five Australian, Argentinian, and Vietnamese government sites.
A police raid of the Mount Sinai bungalow they were living in uncovered malware-related files on their devices, including remote access trojans (RATs) associated with PlugX and Shadow Brokers. (Lydia Lam / Channel News Asia)
Related: Singapore Police Force, Channel News Asia, Straits Times
A jury was unable to reach a verdict in the fraud trial of two brothers, James Peraire-Bueno and his brother Anton, both recently graduated from the Massachusetts Institute of Technology, who were accused of stealing roughly $25 million in cryptocurrency from traders on the Ethereum blockchain.
US District Judge Jessica Clarke declared a mistrial Friday in the case against the pair after a highly technical three-week trial. Jurors deliberated for three days, but they told the judge they would be unable to reach a unanimous decision.
In a note to the judge late Friday, jurors cited the “emotional burden” they were under, adding that half of them had spontaneously broken down in tears at one point during deliberations. Some jurors also reported multiple nights of sleeplessness.
The trial had focused on controversial crypto trades known as “sandwich attacks,” which use bots to place large trades before and after another user’s transaction. The attacker profits by selling immediately after driving up the price at the expense of the sandwiched user.
The brothers, who developed a complex strategy to seize attackers’ funds, argued their actions were fair game in an unregulated market. The government contended their actions were a straightforward theft. (Miles J. Herszenhorn and Chris Dolmetsch / Bloomberg)
Related: Reuters, Business Insider, Cointelegraph
Researchers from South Korean cybersecurity firm Genians report that North Korean state-sponsored hackers hijacked Google accounts to remotely control and wipe smartphones and tablets held by individuals in South Korea, then exploited their KakaoTalk messenger as a channel to spread malware to their contacts.
The attack marks the first confirmed case of a North Korean state-sponsored hacking group compromising Google accounts to gain remote control over smart devices, according to South Korean cybersecurity firm Genians.
The attack was identified as part of a malware campaign by North Korea’s KONNI APT cyber espionage group.
In the first stage of the hacking scenario, hackers infiltrated targeted individuals’ devices through spear-phishing attacks by impersonating South Korea's tax agency, the National Tax Service.
Then, hackers conducted extensive internal reconnaissance and user information gathering before launching the cyberattack.
Next, hackers compromised victims' Google accounts and exploited the Google “Find Hub” service, originally intended by Google to protect lost or stolen Android devices, for data-destructive attacks.
However, hackers abused key functions of the Find Hub service, which allows users to execute a variety of remote commands on registered Android-based devices, to perform location tracking and remotely reset smartphones and tablets. More seriously, the North Korean cyberattackers compromised victims’ KakaoTalk accounts, utilizing them as primary channels to spread malicious files to their contacts.
The KakaoTalk accounts were compromised after the victims’ Android devices had been reset, which disrupted and delayed the recovery and use of those devices for an extended period.
Specifically, the hackers executed a remote factory-reset command on victims’ Android devices after confirming via Find Hub’s location query that the victims were not using their devices.
The remote reset halted regular device operation, blocked notifications and message alerts from the KakaoTalk messaging app, and effectively prevented victims from seeing alerts, delaying detection and response.
Immediately after the reset, the attacker used the victim’s logged-in KakaoTalk PC version as a second distribution channel to rapidly spread malicious files. (Ji Da-gyum / The Korea Herald)
Related: Genians, Malay Mail, NK News, Korea Post, Straits Times

The Department of Defense rolled out the final version of the latest model for how the US military will build its cyber forces over the next several years, an approach that is unlikely to quell growing calls for a separate service.
The revised model, meant to help US Cyber Command tackle issues that have persisted since its creation in 2010, like an inability to attract and keep top-tier talent, represents what is left over from the overhaul effort once known as “Cyber Command 2.0.”
The revamp, which began under the Biden administration, was fast-tracked by Defense Secretary Pete Hegseth earlier this year. It was eventually sent to Pentagon brass, only to be returned to Cyber Command for reexamination. Mid-level staffers and career service members carried on the initiative amid leadership churn within the command and DOD. (Martin Matishak / The Record)
Related: Breaking Defense
The Swiss National Cyber Security Centre (NCSC) is warning iPhone owners about a phishing scam that claims to have found their lost or stolen iPhone but is actually trying to steal their Apple ID credentials.
When iPhone customers lose their phone or it is stolen, they can set a custom message in Apple's Find My app that appears on the lock screen. When lost, this message may include an email address or phone number to contact the owner.
According to the NCSC, threat actors may be using this information to send targeted phishing texts (smishing) through SMS or iMessage to the displayed contact information, claiming to be from Apple's Find My team and stating that their phone had been found. (Lawrence Abrams / Bleeping Computer)
Related: Swiss NCSC, Forbes
Dr Reddy’s Laboratories Ltd has reportedly lost ₹2.16 crore or around $244,000 in a cyber fraud, where hackers diverted funds by impersonating a Group Pharmaceuticals executive, according to an FIR filed with the Bengaluru City Cyber Crime Police on November 5.
The complaint, filed by Mahesh Babu K from Group Pharmaceuticals Ltd., said the company was expecting a payment of Rs 2.16 crore from Dr. Reddy’s for goods supplied. However, hackers allegedly intercepted email communications between the two companies and sent a fake message to Dr. Reddy’s finance team on November 3.
The fraudulent email, sent from an address mimicking the official one—‘KKeshav@Grouppharma.in’ instead of ‘kkeshav@grouppharma.in’—instructed the team to transfer the amount to a different Bank of Baroda account. Believing it to be genuine, the payment was made to the fraudulent account.
Group Pharmaceuticals later discovered the fraud and approached the police, requesting that the fake account be frozen and the funds recovered. The FIR lists the accused as being based in Vadodara, Gujarat. (Moneycontrol News)
Related: Business Standard, India News Network, The Times of India, NDTV, Hindustan Times, The Economic Times, Live Mint
SUSE software engineer and Open Container Initiative (OCI) board member Aleksa Sarai discovered three newly disclosed vulnerabilities – tracked as CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881 (all ) – in the runC container runtime used in Docker and Kubernetes, which could be exploited to bypass isolation restrictions and get access to the host system.
runC is a universal container runtime and the OCI reference implementation for running containers. It is responsible for low-level operations such as creating the container process, setting up namespaces, mounts, and cgroups that higher-level tools, like Docker and Kubernetes, can call.
Researchers at cloud security company Sysdig note that exploiting the three vulnerabilities "require the ability to start containers with custom mount configurations," which an attacker can achieve through malicious container images or Dockerfiles.
Currently, there have been no reports of any of the flaws being actively exploited in the wild. In an advisory this week, Sysdig shares that attempts to exploit any of the three security issues can be detected by monitoring suspicious symlink behaviors.
RunC developers also shared mitigation actions, which include activating user namespaces for all containers without mapping the host root user into the container's namespace. (Bill Toulas / Bleeping Computer)
Researchers at Microsoft have detailed a new side-channel attack called “Whisper Leak” that can guess the topic of encrypted AI chats, exposing a fundamental privacy risk across the AI industry.
Whisper Leak is not an isolated bug but a systemic vulnerability affecting a wide swath of the AI industry. The Microsoft team tested 28 commercially available LLMs, finding that the majority were highly susceptible.
The researchers reveal how patterns in network traffic size and timing can reveal what users are discussing, even with TLS encryption. The flaw affects 28 major AI models, creating a serious privacy risk for users globally. An observer on a network could spot sensitive talks about legal or health topics.
After a disclosure process that began in June, major providers like OpenAI and Microsoft have started to deploy fixes, but the issue points to a core risk in streaming AI.
The attack’s ingenuity lies in its ability to work without breaking the underlying TLS encryption that protects online communications. Instead, it exploits the metadata that encryption inherently leaves exposed. (Markus Kasanmascheff / WinBuzzer)
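A toy illustration of the metadata channel described above and of the padding mitigation a provider can apply on the server side. This is an added example with constructed chunk sizes, not Microsoft's research code or any provider's fix; the topic names, size values, and bucket width are assumptions.

```python
import math

# Constructed per-chunk sizes (bytes on the wire) of a streamed LLM reply,
# one list per observed response. These are illustrative, not measurements:
# the point is only that per-chunk sizes form a topic-dependent fingerprint
# that a passive observer can compare without touching TLS.
TRAFFIC = {
    "legal":   [[41, 52, 38, 67, 44, 59, 71],
                [40, 53, 39, 66, 45, 58, 70]],
    "weather": [[22, 25, 21, 24, 23, 26, 22],
                [23, 24, 21, 25, 22, 26, 23]],
}


def l1_distance(a, b):
    """Sum of absolute per-position size differences (equal-length sequences)."""
    return sum(abs(x - y) for x, y in zip(a, b))


def guess_topic(train, observed):
    """Nearest-neighbour guess of the topic from chunk sizes alone.

    The observer never sees plaintext; only the size sequence is used.
    """
    best = min((l1_distance(seq, observed), topic)
               for topic, seqs in train.items() for seq in seqs)
    return best[1]


def topics_separable(traffic):
    """True if no size sequence is shared by two different topics, i.e. the
    size channel alone is enough to tell the topics apart."""
    seen = {}
    for topic, seqs in traffic.items():
        for seq in seqs:
            fp = tuple(seq)
            if fp in seen and seen[fp] != topic:
                return False
            seen[fp] = topic
    return True


def pad_chunks(sizes, bucket=128):
    """Mitigation: pad every streamed chunk up to a multiple of `bucket` bytes
    so that chunk length no longer tracks token length."""
    return [math.ceil(s / bucket) * bucket for s in sizes]


def apply_padding(traffic, bucket=128):
    """Return the same traffic as it would look after server-side padding.

    Note: padding removes the size signal only; chunk count and inter-chunk
    timing still leak, which is why token batching is a companion mitigation.
    """
    return {topic: [pad_chunks(seq, bucket) for seq in seqs]
            for topic, seqs in traffic.items()}


if __name__ == "__main__":
    observed = [42, 51, 37, 68, 43, 60, 72]   # constructed unseen stream
    print("unpadded guess:", guess_topic(TRAFFIC, observed))
    print("separable before padding:", topics_separable(TRAFFIC))
    print("separable after padding: ", topics_separable(apply_padding(TRAFFIC)))
```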
Related: Microsoft, GitHub, IT News, CyberInsider, Security Affairs
Cyber exposure and management and security company Armis announced a pre-IPO funding round of $435 million, bringing the company’s valuation to $6.1 billion.
Growth Equity at Goldman Sachs Alternatives led the round with major participation from CapitalG, and was joined by new investor Evolution Equity Partners, alongside several existing investors. (Samantha Subin / CNBC)
Related: SiliconANGLE, Axios, Armis, TechCrunch, Reuters
Open-source security software company Truffle Security Co. announced today that it has raised $25 million in a Series B venture funding round.
Intel Capital and a16z led the round with the participation of Abstract, Lytical Ventures, and prominent security leaders Casey Ellis (Founder, BugCrowd), Emilio Escobar (CISO, Datadog), and Haroon Meer (Founder & CEO, Thinkst). (Duncan Riley / Silicon Angle)
Related: Truffle Security, Axios
Cybersecurity startup 1Password, which is backed by Hollywood stars Ryan Reynolds, Matthew McConaughey, and Scarlett Johansson, has topped more than $400 million in annual recurring revenue.
“We believe we’re at a pretty significant inflection point in our journey,” the password manager’s CEO, David Faugno, told CNBC. “We’re set up for this next wave of disruption, which I think is an even bigger opportunity for us.”
Faugno said he expects the company to surpass a billion dollars in ARR over the next “several years,” benefiting from a shift in the threat landscape due to artificial intelligence and more complex protection needs. (Samantha Subin / CNBC)
Related: Business Wire, r/technology
Best Thing of the Day: It Takes a Thief...
BBC News got an in-person and wide-ranging interview from a Colorado prison with Ukrainian Vyacheslav Penchukov, also known as Tank, that reveals the inner workings of these prolific cyber-gangs, the mindset of some of the individuals behind them, and never-before-known details about hackers still at large.
Worst Thing of the Day: So What If It Was Widely Hailed As a First-Class Data Privacy Law?
European Union officials are ready to sacrifice the GDPR for the sake of AI, as they seek to turbocharge business in Europe by slashing red tape.
Closing Thought
