Russian hackers suspected of sabotaging dam in Western Norway

Canadian House of Commons is probing a 'significant' data breach, North Korean hackers unmasked by leak to ZachXBT, Court rules that FCC data breach rules are legal, US AG sues Zelle for allegedly enabling scammer fraud, UK gov't spent $3.2m to keep Afghan breach secret, much more



Russian hackers are likely behind the suspected sabotage at the dam in Risvatnet, Bremanger, western Norway, in April that affected water flows, police officials told Norwegian media.

During the April incident, hackers gained access to a digital system that remotely controls one of the dam’s valves and opened it to increase the water flow, NRK said. The valve was open for around four hours but did not pose a danger to the surrounding area, NRK reported.

A three-minute-long video showing the dam’s control panel and a mark identifying a pro-Russian cybercriminal group was published on Telegram in April, police attorney Terje Nedrebø Michelsen told NRK.

Similar videos have previously circulated on social media, but the announcement by Norwegian police marked the first time since 2022 that officials have publicly suggested pro-Russian hackers may have successfully targeted critical water infrastructure in Europe. (Emma Burrows / Associated Press)

Related: The Guardian, Reuters, Politico EU, United24, Gazeta Express, Euromaidan Press, Rappler, AAP, r/Europe, VG.no

According to an internal memo, the House of Commons and Canada's cybersecurity agency are investigating a significant data breach caused by an unknown "threat actor" targeting employee information.

The House of Commons alerted staff on Monday that there was an information breach. It said a malicious actor was able to exploit a recent Microsoft vulnerability to gain unauthorized access to a database containing information used to manage computers and mobile devices.

Some of the information obtained by the hacker is not available to the public, according to the email. That includes employees' names, job titles, office locations, and email addresses, as well as information regarding their House of Commons-managed computers and mobile devices.

The cyberattack happened on Friday, according to the email sent to employees. 

It calls on employees and members of the House of Commons to be especially vigilant as information accessed during the breach could be used in scams or to target and impersonate parliamentarians. (Kate McKenna / CBC News)

Crypto sleuth ZachXBT received information from an unnamed source that a small team of North Korean IT workers, linked to a $680,000 crypto hack of fan-token marketplace Favrr in June, has been using Google products and even renting computers to infiltrate crypto projects.

The data shows that the small team of six North Korean IT workers shares at least 31 fake identities, obtaining everything from government IDs and phone numbers to purchased LinkedIn and Upwork accounts to mask their true identities and land crypto jobs.

One of the workers supposedly interviewed for a full-stack engineer position at Polygon Labs, while other evidence showed scripted interview responses in which they claimed to have experience at NFT marketplace OpenSea and blockchain oracle provider Chainlink.

The leaked documents show the North Korean IT workers secured “blockchain developer” and “smart contract engineer” roles on freelance platforms like Upwork, then used remote access software like AnyDesk to carry out the work for unsuspecting employers. They also used VPNs to hide their locations.

Google Drive exports and Chrome profiles showed they used Google tools to manage schedules, tasks, and budgets, communicating in English while using Google’s Korean-to-English translation tool.

One spreadsheet showed the IT workers spent a combined $1,489.8 on expenses in May to carry out their operations.

The evidence also provided insight into their areas of curiosity. One search asked whether ERC-20 tokens could be deployed on Solana, while another sought information on the top AI development companies in Europe. (Brayden Lindrea / Cointelegraph)

Related: CryptoSlate, CoinCentral, CoinMarketCap

Fake list of identities involved in the North Korean IT scam operation. Source: ZachXBT

A federal appeals court delivered a victory to the Federal Communications Commission by upholding new and controversial data breach reporting requirements for telecommunications companies targeted in cyberattacks.

The court rejected consolidated challenges, 2 to 1, from trade groups including the Ohio Telecom Association, Texas Association of Business, and USTelecom. They argued the rules exceeded the agency’s authority and violated congressional restrictions. Circuit Judge Jane Stranch found that the Communications Act of 1934’s prohibition on “unjust or unreasonable” practices provided adequate authority for the breach notification requirements by allowing the agency to “prescribe” regulations as necessary.

“There is a direct connection between a carrier’s failure to disclose breaches of customer’s ‘identifying information’ and its role in providing communication services,” read the opinion for the US Court of Appeals for the Sixth Circuit.

The disputed 2024 rule, authorized during the Biden administration, requires providers to notify the FCC of data breaches involving 500 or more customers’ personal data within seven business days.

The policy represents a significant expansion from previous requirements, which were limited in scope to call records and billing data. The new rule now covers personally identifiable information, including Social Security numbers, email addresses, and biometric data. (Kartikay Mehrotra / Bloomberg Law)

Related: Courthouse News, Reason, Databreaches.net

New York Attorney General Letitia James sued the operator of the Zelle payments network on Wednesday, alleging it enabled fraud by allowing scammers to steal over $1 billion from users between 2017 and 2023.

James’ office said in a press release that its investigation found that Early Warning Services, the owner and designer of the peer-to-peer money transfer company, designed Zelle “without critical safety features.” The release noted that the lawsuit against EWS follows a similar one dropped by the Consumer Financial Protection Bureau in March.

“EWS knew from the beginning that key features of the Zelle network made it uniquely susceptible to fraud, and yet it failed to adopt basic safeguards to address these glaring flaws or enforce any meaningful anti-fraud rules on its partner banks,” James’ office said in the release.

The lawsuit alleges that Zelle became a “hub for fraudulent activity” because the registration process lacked verification steps and that EWS and its partner banks knew “for years” that fraud was spreading and did not take actionable steps to resolve it, according to the press release.

James is seeking restitution and damages, in addition to a court order mandating that Zelle put anti-fraud measures in place. (Laya Neelakandan / CNBC)

Related: AG.NY.gov, The Record, CNN, Reuters, Associated Press, CBS News, Forbes, Newsday, WGRZ, Wall Street Journal

The breach, which happened in 2022, exposed the personal details of thousands of Afghans who had worked with British forces before the Taliban takeover in 2021.

The government, led by the Conservative Party at the time, went to England’s High Court to obtain an order barring anyone from disclosing the breach, even to the people whose lives were feared to be at risk from the Taliban as a result. Journalists were also prevented from reporting on the existence of the court order itself.

The government’s legal action began in August 2023, when journalists first asked the Ministry of Defense about the breach, and continued until the order was lifted last month. It cost the British government 2.4 million pounds, or over $3.2 million, according to information disclosed in response to a Freedom of Information request.

Government ministers involved in the decision have since defended the stringent legal order, which is known in Britain as a “super injunction,” arguing that it was necessary to protect the people whose personal details had been disclosed. As a direct result of the data breach, Britain spent at least £400 million on a secret program to relocate 4,500 Afghans to Britain. (Lizzie Dearden / New York Times)

Russian authorities announced they were “partially” restricting calls in messaging apps Telegram and WhatsApp, the latest step to tighten control over the internet.

In a statement, government media and internet regulator Roskomnadzor justified the measure as necessary for fighting crime, saying that “according to law enforcement agencies and numerous appeals from citizens, foreign messengers Telegram and WhatsApp have become the main voice services used to deceive and extort money, and to involve Russian citizens in sabotage and terrorist activities.”

The regulator also alleged that “repeated requests to take countermeasures have been ignored by the owners of the messengers.”

A WhatsApp spokesperson said in a statement that the encrypted messaging app “defies government attempts to violate people’s right to secure communication, which is why Russia is trying to block it from over 100 million Russian people.” (Dasha Litvinova / Associated Press)

Related: Reuters, Radio Free Europe/Radio Liberty, Financial Express, The Guardian, Ukrainian National News, The Moscow Times, Meduza, AsiaOne, Benzinga, Moneycontrol, Al Jazeera, CyberScoop, Social Media Today, TASS, NDTV, Kyiv Post, The Insider, Courthouse News Service, Novaya Gazeta Europe, LIGA, Kursiv Media Uzbekistan, The Barents Observer, Africanews, Daily Sabah, Channel NewsAsia, The Kyiv Independent, Mediazona, Channels Television, Bloomberg Law, Anadolu Ajansı, Forbes.ru

CISA warned that attackers are actively exploiting two security vulnerabilities in N-able's N-central remote monitoring and management (RMM) platform.

According to CISA, the two flaws can allow threat actors to gain command execution via an insecure deserialization weakness (CVE-2025-8875) and inject commands by exploiting an improper sanitization of user input vulnerability (CVE-2025-8876).

Although N-able has yet to confirm CISA's report that the security bugs are now being exploited in the wild, the company patched them in N-central 2025.3.1. It also urged admins to secure their systems before further information on the bugs is released.

"This release includes a critical security fix for CVE-2025-8875 and CVE-2025-8876. These vulnerabilities require authentication to exploit. However, there is a potential risk to the security of your N-central environment if unpatched," N-able said.

According to Shodan searches, approximately 2,000 N-able N-central instances are exposed online (some of which are likely already patched), with the majority originating from the United States, Australia, and Germany. (Sergiu Gatlan / Bleeping Computer)

Related: CISA, N-Able, Security Affairs, Help Net Security

N-able N-central devices exposed online. Source: Shodan.

Researchers at Abnormal AI report that cybercriminals are selling access to active law enforcement and government email accounts for as little as $40 on the dark web.

These compromised accounts belong to officials from the US, UK, India, Brazil, and Germany, with agencies such as the FBI among those affected.

Emails sent from domains such as .gov and .police are more likely to evade technical defenses and less likely to raise suspicion among recipients. The result is a higher click rate on malicious attachments and links.

The Abnormal AI researchers noted that while law enforcement accounts have been quietly sold on the dark web for years, there has recently been a marked shift in strategy.

“Cybercriminals are no longer just reselling access; they’re actively marketing specific use cases, such as submitting fraudulent subpoenas or bypassing verification procedures for social platforms and cloud providers. This commoditization of institutional trust has broadened the appeal of these accounts and lowered the barrier to entry for impersonation-based attacks,” they wrote. (James Coker / Infosecurity Magazine)

Related: Abnormal Security, Help Net Security, Silicon Angle

One dark web listing of US government accounts for sale. Source: Abnormal AI.

Researchers at South Korean cybersecurity firm S2W said that the North Korean state-backed hacker group tracked as ScarCruft recently took the unusual step of infecting targets with ransomware alongside other malicious files.

S2W said ScarCruft, primarily known for cyber-espionage campaigns against high-profile individuals and government entities, used “newly observed” ransomware as part of the operation.

The researchers labeled the ransomware VCD after the extension it appends to the names of encrypted files. It drops two versions of its ransom note, one in English and the other in Korean, the researchers said.

ScarCruft’s use of ransomware “suggests a potential shift toward financially motivated operations, or an expansion of operational goals that now include disruptive or extortion-driven tactics,” S2W said.

ScarCruft has previously targeted entities in South Korea, Japan, Vietnam, Russia, and Nepal. In a campaign aimed at South Koreans in July, S2W said, the hackers used phishing emails containing a malicious archive to gain access to targeted systems. The decoy file displayed a message about postal code updates tied to changes in street addresses. The report does not specify who received the emails.

Researchers identified more than nine types of malware in the campaign, including the LightPeek and FadeStealer information stealers, as well as NubSpy, a backdoor that uses the legitimate PubNub real-time messaging platform for command-and-control (C2) communication. (Daryna Antoniuk / The Record)

Related: S2W, Dark Reading, Hack Read

US Senator Maggie Hassan (D-NH), the top Democrat on the Joint Economic Committee, sent a letter to five of the top data broker firms, IQVIA Digital, Comscore, Telesign Corporation, 6sense Insights, and Findem, demanding that each explain why code on their sites appears designed to frustrate deletion requests.

Her letter follows the publication of an investigation by The Markup/CalMatters, copublished by WIRED, which found that at least 35 firms hid opt-out information from search results.

Hassan wants the firms to justify the placement of their opt‑out pages; acknowledge whether they used code to block search indexing and, if so, against how many users; pledge to remove any such code by September 3; and provide Congress with recent audit results and steps taken since the investigation, if any, to improve user access. (Dell Cameron / Wired)

Related: The Markup, CalMatters, Wired

Fortinet is warning about a remote unauthenticated command injection flaw in FortiSIEM that has in-the-wild exploit code, making it critical for admins to apply the latest security updates.

FortiSIEM is a central security monitoring and analytics system used for logging, network telemetry, and security incident alerts. It is an integral part of security operations centers, where it serves as an essential tool for IT ops teams and analysts.

The product is generally used by governments, large enterprises, financial institutions, healthcare providers, and managed security service providers (MSSPs).

The flaw, tracked as CVE-2025-25256 and rated critical (CVSS: 9.8), impacts multiple FortiSIEM branches, from 5.4 through 7.3.

While Fortinet does not outright state that the flaw was exploited as a zero-day, it did confirm that functional exploit code exists for the flaw. "Practical exploit code for this vulnerability was found in the wild," noted the vendor.

Fortinet says exploitation of this flaw does not produce distinctive IOCs to determine if a device has been compromised.

This disclosure comes a day after GreyNoise warned of a massive spike in brute-force attacks targeting Fortinet SSL VPNs earlier this month, followed by a switch to FortiManager. The network threat intelligence company warned that spikes of malicious traffic often precede the disclosure of a new vulnerability.

It is unclear if Fortinet's disclosure of CVE-2025-25256 is related to GreyNoise's report.

Given the availability of an exploit proof of concept (PoC), organizations must apply the latest security updates for CVE-2025-25256 as soon as possible. (Bill Toulas / Bleeping Computer)

Related: FortiGuard, Help Net Security, WebProNews, CyberScoop, The Cyber Express, The Register, Security Affairs, Security Week, pwner.gg, Bleeping Computer, GreyNoise, Dark Reading, Tenable

IP addresses attempting to brute force credentials against Fortinet SSL VPNs. Source: GreyNoise

Manpower, one of the world's largest staffing companies, is notifying nearly 145,000 individuals that their information was stolen by attackers who breached the company's systems in December 2024.

According to a data breach filing with the Office of Maine's Attorney General this week, Manpower is now alerting 144,189 individuals who were impacted by a data breach after undisclosed attackers gained access to the company's systems in late December.

The company detected the incident while investigating an IT systems outage at a Lansing, Michigan, franchise on January 20.

"Through that investigation, we learned of information suggesting that an unknown actor gained unauthorized access to our network between December 29, 2024 and January 12, 2025 and potentially acquired certain files, some of which may have contained certain individuals' personal information," Manpower says in breach notification letters sent to affected individuals. (Sergiu Gatlan / Bleeping Computer)

Related: Office of the Maine Attorney General, Security Affairs, The Register, Infosecurity Magazine

Donald Trump said that he could potentially bring up the recent hack of US federal court databases with Russian President Vladimir Putin during their meeting in Alaska this week.

Investigators believe that hackers, including Russian actors, breached the court’s electronic filing system, potentially exposing sensitive court data across multiple US states.

“I guess I could, are you surprised?” Trump said during a press conference in response to a question from a reporter on whether he would bring up the hacking activity with Putin during their planned meeting on Friday. “They hack in, that’s what they do. They’re good at it, we’re good at it, we’re actually better at it.”

This marks the first time Trump has publicly acknowledged the hack since it was brought to light last week. (Maggie Miller / Politico)

Related: CNBC, Axios, Newsweek, Sarah Jones

Sergei Potapenko and Ivan Turõgin, two Estonian nationals, were sentenced in Washington state to 16 months in prison for carrying out a cryptocurrency Ponzi scheme that netted more than half a billion dollars.

They worked alongside four unnamed co-conspirators to defraud investors through a bogus cryptomining operation.

According to court documents, around 2013, they created the company HashCoins, which advertised the sale of mining equipment for bitcoin and other virtual currencies. Orders poured in from customers, but HashCoins didn’t make mining equipment. Instead, it purchased and assembled mining equipment from different companies, but at no point did it have sufficient inventory to deliver what it had promised to customers.

Faced with a growing number of complaints from customers, Potapenko and Turõgin pivoted to advertising “remote” mining services whereby investors would receive a percentage of profits from a pooled mining operation they called HashFlare.

Potapenko and Turõgin have already served 16 months in prison and will return to Estonia for supervised release. (James Reddick / The Record)

Related: Justice Department, Cointelegraph, ERR

The US Cybersecurity and Infrastructure Security Agency rolled out new guidance entitled “Foundations for OT Cybersecurity: Asset Inventory Guidance for Owners and Operators" to help deal with what some cyber experts say is a rising concern: a lack of visibility into threats to operational technology.

CISA developed the guidance in conjunction with other agencies, including the Environmental Protection Agency, the National Security Agency, the FBI, and several international partners.

The new guidance describes how to inventory OT systems across multiple sectors and categorize them using different taxonomies, depending on the sector in question. For instance, oil and gas organizations may use different terms for systems than water and wastewater operators do.

Inventorying systems is a key first step in building a “modern defensible architecture,” CISA explains in its guidance. (Justin Doubleday / Federal News Network)

Related: CISA, NSA, Industrial Cyber

The US National Institute of Standards and Technology (NIST) finalized a new lightweight cryptography standard, formally released as Ascon-Based Lightweight Cryptography Standards for Constrained Devices (NIST Special Publication 800-232), to address the security vulnerabilities of Internet of Things (IoT) devices and other resource-constrained electronics. 

The core of the new standard comprises four interrelated algorithms, all based on the Ascon family of cryptographic primitives. Ascon, first presented at the Eurocrypt Conference in 2014, is a suite of authenticated encryption and hashing algorithms specifically engineered for high performance in constrained environments.

The algorithms selected by NIST – Ascon-A, Ascon-B, Ascon-H, and Ascon-X – offer varying levels of security and performance characteristics, allowing developers to choose the most appropriate option for their specific application requirements. Ascon-A and Ascon-B are authenticated encryption algorithms, providing both confidentiality and integrity, while Ascon-H is a dedicated hash function, and Ascon-X is a key-derivation function. (Quantum News)

Related: NIST, Help Net Security

According to sources, buyout group Francisco Partners is exploring a multibillion-dollar sale of cybersecurity firm BeyondTrust Software.

Francisco Partners is working with bankers to gauge interest in a potential takeover of BeyondTrust, which specializes in so-called privileged access management solutions.

While the price the buyout firm is seeking for BeyondTrust couldn’t immediately be learned, such cybersecurity companies can fetch multiples of anywhere from five to 20 times their annual revenue.

BeyondTrust generates annual recurring revenue of about $500 million. (Ryan Gould / Bloomberg)

Best Thing of the Day: A Mystery Will Be Revealed

James Sanborn, the artist who created Kryptos, the outdoor sculpture at CIA headquarters whose ciphertext has been decoded by cryptanalysts for three of its four panels, will auction off the 97-character plaintext of the fourth panel.

Worst Thing of the Day: Ransom Payments More Than Double

Researchers at Veeam showed that the average ransom payment soared 104% during the first quarter of 2025, with the median payment amount doubling to $400,000.
