Russia switches up tactics in cyberattacks on energy companies, Amazon

ShinyHunters stole search and watch history of PornHub's premium members, Contributor to DraftKings breach and data theft pleads guilty, Email outage at German Bundestag was not a cyberattack but doubts linger, Handala group puts bounties on Israeli technicians' data, much more

GRU headquarters on Grizodubovoy St. in Moscow. Source: Гагыдза.

'Tis the season to be generous. Please support Metacurity in our mission to end infosec news overload.

Metacurity is a pure labor of love and is the only daily newsletter that delivers the critical infosec developments you need to know, scanned from thousands of sources and smartly summarized.

But to continue delivering our daily updates, we need your support. Please consider upgrading to an annual paid subscription today.

If you can't upgrade to a paid subscription today, please consider donating what you can.

According to Amazon cybersecurity researchers, hackers backed by the Russian government have changed tactics in a years-long campaign against energy companies in North America, Europe, and the Middle East.

The attackers are targeting internet routers and other widely used devices that have been set up incorrectly or carry known, unpatched security holes, Amazon said.

This method is cheaper and easier to carry out than trying to find and exploit so-called zero-day bugs—new vulnerabilities that don’t yet have fixes, said CJ Moses, chief information security officer for Amazon Integrated Security, a team that manages the company’s digital and physical security.

In the latest attacks, which Amazon links to Russia’s military intelligence operation known as the GRU, hackers are breaking into electricity and other energy providers and third parties that sell security services to the sector, to steal the legitimate credentials of employees. The hackers try to establish long-term access, likely for espionage purposes, to harvest login information and other data, and move around corporate networks over time.

Tools used by Amazon to monitor activity on its cloud infrastructure picked out “coordinated operations” against customer devices hosted on Amazon Web Services, the company said. That includes persistent connections to vulnerable routers, network management tools, and other devices, and signs that data was being collected. (Kim Nash / Wall Street Journal)

Related: Amazon, The Register

Adult video platform PornHub is being extorted by the ShinyHunters extortion gang after the search and watch history of its Premium members was reportedly stolen in a recent Mixpanel data breach.

Last week, PornHub disclosed that a recent breach at analytics vendor Mixpanel impacted it. Mixpanel suffered a breach on November 8th, 2025, after an SMS phishing (smishing) attack enabled threat actors to compromise its systems.

"A recent cybersecurity incident involving Mixpanel, a third-party data analytics provider, has impacted some Pornhub Premium users," reads a PornHub security notice posted on Friday.

"Specifically, this situation affects only select Premium users. It is important to note this was not a breach of Pornhub Premium's systems. Passwords, payment details, and financial information remain secure and were not exposed."

PornHub says it has not worked with Mixpanel since 2021, indicating the stolen records are historical analytics data from 2021 or earlier.

BleepingComputer learned that ShinyHunters began extorting Mixpanel customers last week, sending emails that began with "We are ShinyHunters" and warned that their stolen data would be published if a ransom was not paid.

In an extortion demand sent to PornHub, ShinyHunters claims it stole 94GB of data containing over 200 million records of personal information in the Mixpanel breach.

ShinyHunters later confirmed to BleepingComputer that they were behind the extortion emails, claiming the data consists of 201,211,943 records of historical search, watch, and download activity for the platform's Premium members.

A small sample of data shared with BleepingComputer shows that the analytic events sent to Mixpanel contain a large amount of sensitive information that a member would not likely want publicly disclosed.

This data includes a PornHub Premium member's email address, activity type, location, video URL, video name, keywords associated with the video, and the time the event occurred. (Lawrence Abrams / Bleeping Computer)

Related: PornHub, Newsweek, Security Affairs, Forbes, r/technology

A 21-year-old hacker, Nathan ‘Snoopy’ Austad, of Minnesota, who contributed to a group effort that reportedly stole about $600,000 from around 1,600 compromised DraftKings accounts, pleaded guilty to computer intrusion conspiracy.

He admitted in court that he helped engineer a “credential stuffing” attack on DraftKings in November 2022.

His co-conspirators, Kamerin Stokes and Joseph Garrison, have already pleaded guilty. Garrison received an 18-month prison sentence. He also received a three-year supervised release and was ordered to pay back more than $1.4 million.

Austad will be sentenced on April 10, 2026. (Mo Nuwwarah / PokerScout)

Related: Justice Department, Security Week, Infosecurity Magazine, Hoodline

Members of the German parliament or Bundestag were unable to access their email accounts for more than four hours, according to three senior MPs.

One of the MPs said the “attack” began as Ukrainian President Volodymyr Zelenskyy entered the Bundestag for talks with its president, Julia Klöckner.

A government insider said he suspected the outage was a retaliatory cyber attack following Germany’s decision to summon the Russian ambassador to the foreign ministry last week over alleged sabotage and hybrid warfare incidents.

However, "The trigger was an overload situation between the two data centers of the Bundestag administration," according to a letter sent to members of parliament and the IT managers of the parliamentary groups. "This is a technical problem, so a cyberattack can currently be ruled out as the cause."

The email disruption occurred shortly after talks between Zelenskyy and Donald Trump’s special envoy Steve Witkoff, along with the US president’s son-in-law Jared Kushner, concluded at the German chancellery — just a few hundred metres away — on a possible settlement to end Russia’s war in Ukraine. (Anne-Sylvaine Chassany and Ben Hall / Financial Times and Heise)

Related: Reuters

The Iranian Handala hacker group has put a bounty on information about more than a dozen Israelis it claims are developers of the Patriot, Arrow, and David's Sling air defense systems, as part of a continuing campaign of threatening and doxing Israeli academics, journalists, and defense personnel.

On Saturday, the group offered a $30,000 bounty for information on Israeli engineers and technicians, listing their photos, names, credentials, email addresses, locations, and phone numbers. The information has been spread widely on Arab media and Telegram, including by Hamas.

The profiles on the Israelis often included personal messages, with one target being warned that his children would not be safe.

"You thought your family - the wife - three children - were safe," the hacker group wrote on its target database website. "Don't forget about those three children."

Others were told that they had become "marked" and that their emails and phone numbers were being monitored. (Michael Starr and Mathilda Heller / The Jerusalem Post)

Researchers at Rapid7 report that a new malware-as-a-service (MaaS) information stealer named SantaStealer is being advertised on Telegram and hacker forums as operating in memory to avoid file-based detection.

The operation is a rebranding of a project called BluelineStealer, and the developer is ramping up the operation ahead of a planned launch before the end of the year.

SantaStealer appears to be the project of a Russian-speaking developer and is promoted for a Basic, $175/month subscription, and a Premium for $300/month.

Rapid7 analyzed several SantaStealer samples and obtained access to the affiliate web panel, which revealed that the malware comes with multiple data-theft mechanisms but does not live up to its advertised ability to evade detection and analysis.

The panel features a user-friendly design where 'customers' can configure their builds with specific targeting scopes, ranging from full-scale data theft to lean payloads that only go after specific data. (Bill Toulas / Bleeping Computer)

Related: Rapid7

SantaStealer ad. Source: Rapid7

The UK government is “dragging its heels” on whether to classify China as a major threat to Britain’s national security, the parliament’s intelligence watchdog warned.

Lawmakers on the Intelligence and Security Committee — which has access to classified briefings as part of its work overseeing Britain’s intelligence services — said they are “concerned” by apparent inaction over whether to designate Beijing as a top-level threat when it comes to influencing Britain.

Ministers have been under pressure to put China on the “enhanced tier” of Britain’s Foreign Influence Registration Scheme, a tool to protect the economy and society from covert hostile activity.

Both Iran and Russia have been placed in the top tier, which adds a new layer of restrictions and accountability to their activities in Britain.

The government has so far resisted calls to add China to that list, even though Beijing has been accused of conducting state-threat activities in the UK, such as industrial espionage, cyber-attacks, and spying on politicians. (Mason Boycott-Owen / Politico EU)

Related: Intelligence and Security Committee, UK Parliament, The Times, The Stack

In her first speech on the job, Blaise Metreweli, the new head of MI6, said that assassination plots, sabotage, cyberattacks, and the manipulation of information by Russia and other hostile states mean that “the frontline is everywhere.”

She said the UK faces a new “age of uncertainty” where the rules of conflict are being rewritten, particularly in light of wider Kremlin aggression after the invasion of Ukraine.

“The export of chaos is a feature, not a bug, in the Russian approach to international engagement,” the agency’s first female chief argued, and “until Putin is forced to change his calculus,” it is expected to continue.

UK Air Chief Marshal Richard Knighton, the chief of the defence staff, said in a separate speech that “the situation is more dangerous than I have known during my career” and called for the country as a whole to be “stepping up.” (Dan Sabbagh / The Guardian)

Related: GOV.UK, The New York Times, The Telegraph, CNN, BBC News, Politico, ABC News, The Independent, The Telegraph, Reuters, The Times, NDTV, The Record

Google has emailed active users of its lesser-known “Dark Web Report” monitoring tool to inform them that the tool will be shut down as of February 16, 2026.

The feature was made available to all Google account holders in July 2024, with this shutdown coming less than a year and a half after the wide rollout.

This tool would monitor the dark web for Google account users' email addresses. It was a free part of their Google account that provided updates on whether their email was found on these potentially dangerous sites.

On a support page, Google explains that it will be shutting down this tool because it “didn’t provide helpful next steps.” (Ben Schoon / 9to5Google)

Related: Ars Technica, Android Police, The Verge, PCMag, Google Help Center, TechCrunch, MobileSyrup, Thurrott, iPhone in Canada, How-To Geek, WWL-TV, Android Central, Android Authority, r/google, r/Android, Bleeping Computer

Audio streaming platform SoundCloud confirmed that outages and VPN connection issues over the past few days were caused by a security breach in which threat actors stole a database, exposing users' email addresses and profile information.

The disclosure follows widespread reports over the past four days from users who were unable to access SoundCloud when connecting via VPN, with attempts resulting in the site displaying 403 "forbidden" errors.

SoundCloud said it recently detected unauthorized activity involving an ancillary service dashboard and activated its incident response procedures. It acknowledged that a threat actor accessed some of its data but said the exposure was limited in scope.

The breach affects 20% of SoundCloud’s users, which, based on publicly reported user figures, could impact roughly 28 million accounts.

The company said it is confident that all unauthorized access to SoundCloud systems has been blocked and that there is no ongoing risk to the platform.

However, the company's response included a configuration change that disrupted VPN connectivity to the site. SoundCloud has not provided a timeline for when VPN access will be fully restored. (Lawrence Abrams / Bleeping Computer)

Related: Soundcloud, The Register, BetaNews, Dataconomy, CyberInsider, The Cyber Express, Gigazine, CyberDaily

Fieldtex Products, a US company that provides contract sewing and medical supply fulfillment services, has disclosed a data breach after it was targeted by a notorious ransomware group.

In a data security incident notice posted on its website, Fieldtex said it detected unauthorized access to its systems in mid-August. An investigation showed that hackers may have gained access to “a limited amount of protected health information”.

Fieldtex specializes in commercial sewing services and manufacturing soft-sided carrying cases for the medical and military sectors. It also distributes first aid and medical supplies through a dedicated division.

The healthcare data breach tracker maintained by the US Department of Health and Human Services revealed this week that the Fieldtex data breach has impacted 238,615 individuals. (Eduard Kovacs / Security Week)

Related: Fieldtex, SC Media, BankInfoSecurity

According to Cloudflare's 2025 Year in Review report, global internet traffic grew by 19 percent during 2025, while nearly half of traffic now comes from mobile devices, even as a significant and growing portion also comes from bots, many designed to train AI.

Cloudflare notes that internet traffic worldwide grew by almost a fifth, with the increases coming in fits and starts. In fact, traffic was somewhat flat through mid-April and even experienced a mysterious dip before bouncing back sharply to 5 percent growth during May.

Most of the growth occurred after mid-August, when it accelerated rapidly to hit 19 percent by the start of December. This pattern is similar to that seen for the past few years, although growth peaked at about 17 percent last year.

According to Cloudflare, 43 percent of requests across the interwebs were from mobile devices this year, up from 41 percent in 2024. The balance came from "classic" laptop and desktop-type devices. But despite the slight increase, the firm says it believes that mobile device usage has now effectively reached a steady proportion of the traffic.

When it comes to the most accessed internet services, Google remains top of the overall list, followed by Facebook, then Apple, and Microsoft. For social media sites, X (formerly Twitter) has now slipped into sixth position, behind LinkedIn and Snapchat. (Dan Robinson / The Register)

Related: Cloudflare, Digit, Mashable, Implicator.ai, Capacity, Search Engine Journal, SiliconANGLE, Advanced Television, ComputerWeekly.com, Help Net Security, Slashdot, WebProNews, City A.M. - Technology, AiThority, Business Wire Technology: Security News

Source: Cloudflare.

The project is the first targeted recruiting program of its kind for the administration, which kicked off its tenure by firing federal workers and pressuring tens of thousands to resign. The government has long needed more tech workers, but that deficit most likely worsened this year, when an unknown number departed.

The goal is to hire about 1,000 top-level technical employees and supervisors to work on projects at agencies such as the Internal Revenue Service and the Defense Department. The government is seeking software engineers, data scientists, and product managers. After two years, Mr. Kupor said, they can stay in government or take a higher-paying job in the private sector.

The Tech Force resembles other efforts by the federal government to recruit more technologists. The US Digital Corps, a program initiated in 2021 under the Biden administration, also seeks to bring tech workers into federal jobs for two-year terms, but it targets candidates in earlier stages of their careers. That program was intended to allow participants to help the government modernize its technology before eventually moving on to higher-paying jobs in the tech industry.

Another program was the US Digital Service, founded in 2014, which the Trump administration fashioned into a home for the Department of Government Efficiency and renamed the US DOGE Service. The project, spearheaded by Elon Musk, also sought to bring tech workers into government jobs for rapid modernization.

But DOGE made sweeping job cuts as well — including senior technologists in the Digital Service and others in the wing of the General Services Administration that runs the Digital Corps. DOGE also eliminated 18F, a digital services agency created in 2014 that developed software and technology products for various federal agencies and employed nearly 100 people. (Eileen Sullivan / New York Times)

Related: Tech Force, CNN, NextGov/FCW, Ars Technica, Reuters, CNBC Television on YouTube, The Economic Times, Tech in Asia, SiliconANGLE, DigiTimes, Sherwood News, MacTech.com, The Register, 9to5Mac, Benzinga, CNBC, Implicator.ai, New York Times, The Verge, AppleInsider, The Information, FedScoop, Times of India, Axios, Business Insider, r/fednews, r/Slashdot, Hacker News (ycombinator)

After noticing a spike in detections involving what looked like a movie torrent for One Battle After Another, Bitdefender researchers started an investigation and discovered that it was a complex infection chain.

The film, Leonardo DiCaprio's latest, has quickly gained notoriety, making it an attractive lure for cybercriminals seeking to infect as many devices as possible.

The Agent Tesla malware in this fake movie release has been used for years in many campaigns, including email phishing and COVID-19 vaccination registration lures. (Raul Vasile Bucur and Silviu Stahie / Bitdefender)

Related: Gizmodo

Silent Push purchased Canadian adversary infrastructure platform provider Hyas to get better visibility into proxy-based traffic through unique data sources.

The preemptive cyber defense vendor said its purchase of Hyas will help combat threats like North Korean remote workers and fraudsters using residential proxy networks by identifying the true origin of traffic masked by proxies or VPNs. (Michael Novinson / GovInfoSecurity)

Related: Silent Push

Best Thing of the Day: Better Late Than Never

A year after the city bungled a ransomware attack, the City of Columbus said it is strengthening its IT infrastructure to ensure that its policies align with state standards to protect residents’ data.

Worst Thing of the Day: It's Hard to Do the Right Thing

After they exposed the harms of Big Tech, many whistleblowers say they faced poorer job prospects and professional exile in Silicon Valley.

Closing Thought