Spain probes small electric firms' cyber defenses in connection with blackout

Cyber event disrupts Alabama gov't, M&S hackers stole customers' data, M&S hackers seek to protect Russia, Bulgarian spies sentenced in London, Prosecutors seek two years for SEC X account hacker, Dior hack exposes wealthy Chinese customers, CrowdStrike CEO gifts $1b in stock, much more



One source said senior government officials have “concerns” about the robustness of cyber defenses at small and medium-sized power facilities, notably the solar and wind farms that have proliferated as Spain became a global leader in renewables.

Spain has yet to identify the root cause of the Iberian power grid's collapse on April 28 and has not discounted a cyber attack.

Separately, a judge at Spain’s National High Court has opened an investigation into whether a cyber attack was behind the outage. Spanish grid operator Red Eléctrica said on the day after the outage that there was no evidence of a cyber attack on its own facilities, but has not commented since then.

Three companies that own or operate renewable power plants said they had received a barrage of questions about the blackout and their own defences from Incibe, as part of official inquiries into what happened. (Barney Jopson / Financial Times)

Related: Reuters

The Alabama Office of Information Technology is responding to a disruptive cybersecurity “event” after noticing abnormal network activity last week.

The division warned that the state’s network users may experience temporary disruptions to websites, email, and phone service. Some state employee usernames and passwords were compromised, but the personal data of state residents was not compromised.

A notice provided by the governor's office offers few other details, except that the event was detected last Friday and that “teams have been working around-the-clock to identify and mitigate impacts.” (Colin Wood / StateScoop)

Related: Alabama Governor's Press Office, WVTM, WSFA, WBRC, WBMA, WKRG, Montgomery Advertiser

UK retailer Marks and Spencer (M&S) said hackers, widely considered to be the group that calls itself DragonForce, stole personal data from its customers in the cyberattack reported on April 22.

M&S said the data doesn’t include usable payment or card details, or account passwords.

The company said customers need not take any action. It continues to take steps to protect its systems, working with relevant government authorities and law enforcement. (Nina Kienle / Wall Street Journal)

Related: Bloomberg, The Grocer, Metro.co.uk, Mirror, MoneyWeek, Cyber Security News, Retail Insight Sector, BBC, TechCrunch, The Record, The Register, The Times, The Independent, Reuters, The Guardian

The DragonForce cybercrime group, which bragged about crippling Marks & Spencer’s systems and breaching Co-op Group databases, appeared to have vowed to protect “the former Soviet Union” from the technology used in the attacks.

The group appeared to use a dark web forum to threaten to “punish any violations” by fellow hackers planning to use its ransomware in Russia or the former Soviet states, the first indication of any allegiance.

DragonForce, which licenses its ransomware to other hacking gangs for a fee, claimed responsibility for an attack that has left shelves at some M&S branches bare and forced the company to suspend online orders.

“Any attack by our software on critical infrastructure, hospitals where critical patients, children, and the elderly are kept, or on the countries of the former Soviet Union, is a PROVOCATION by unscrupulous partners,” read a statement which claimed to be from the group, released at the end of last month.

“We, as regulators, are doing our best to counteract this, and we will punish any violations, as well as assist in solving the problems of the affected parties.” (John Simpson / The Observer)

Related: Halcyon, SpecOps, Cybersecurity Insiders

British judge Justice Nicholas Hilliard sentenced six Bulgarian spies to prison terms of up to eleven years for gathering information to be used by Russia that was "prejudicial to the safety of the state."

Ringleader Orlin Roussev, 47, was jailed for 10 years and eight months, and his deputy, Biser Dzhambazov, 44, was sentenced to 10 years and two months.

Dzhambazov's former partner, Katrin Ivanova, 33, was sentenced to nine years and eight months in prison. Three others, Tihomir Ivanchev, 39, Ivan Stoyanov, 33, and Vanya Gaberova, 30, were jailed for between six and eight years.

Before trial, ringleader Orlin Roussev denied that he engaged in any "James Bond activity" in police interviews. But the court heard that vast amounts of surveillance equipment had been found in his 33-bedroom former guesthouse.

The case against them was described as "one of the largest" foreign intelligence operations in the UK and focused on six of their assignments.

It presented, for the first time in a UK criminal court, the inner workings of a Russian operational spy cell - exposing their thousands of messages organising surveillance, photos and videos of their targets, and talk of plans to kidnap and kill. (Ruth Comerford, Chris Bell / BBC News)

Related: The Record, Euronews, Sky News, The Independent, Associated Press

In a May 12 filing in the US District Court for the District of Columbia, US prosecutors asked Judge Amy Berman to impose a two-year sentence for Eric Council Jr., the individual who helped post a fake message announcing the approval of Bitcoin exchange-traded funds through the Securities and Exchange Commission’s (SEC’s) X account.

The fake announcement, which shook markets roughly 24 hours before the regulator actually approved spot Bitcoin ETFs, led to Council's arrest.

“This case deserves a guidelines range prison sentence,” said US prosecutors. “Defendant profited through a sophisticated fraud scheme involving fraudulently produced identification documents, a series of misrepresentations at telecommunication stores, and the transmission of password reset codes for victim online accounts to co-conspirators in the United States and abroad. This conduct deserves a significant penalty.” (Turner Wright / Cointelegraph)

Researchers at Microsoft report that a cyber-espionage group they call Marbled Dust, aligned with the Turkish government, appears to have exploited a zero-day vulnerability in a messaging app to spy on Kurdish military operations in Iraq.

Since April 2024, the hackers have been breaking into accounts of Output Messenger, an app commonly used for workplace and organizational chats.

The team said it “assesses with high confidence that the targets of the attack are associated with the Kurdish military operating in Iraq, consistent with previously observed Marbled Dust targeting priorities.” The Kurdish militant group PKK said Monday that it was disbanding and disarming after decades of conflict with Turkey. Most of Iraq’s Kurds live in a semi-autonomous region that has a border with Turkey.

Marbled Dust’s activities overlap with operations that other companies track as Sea Turtle or UNC1326. The hackers are known for targeting entities in Europe and the Middle East, “particularly government institutions and organizations that likely represent counter interests to the Turkish government, as well as targets in the telecommunications and information technology sectors,” Microsoft said.

The previously undocumented Output Messenger bug, CVE-2025-27920, could allow an authenticated user to upload malicious files into the server’s startup directory. Microsoft said it’s not sure how Marbled Dust got access to authenticated user accounts in every instance, but the group may use techniques like DNS hijacking or typosquatted domains to intercept web traffic and capture individuals’ credentials.

Output Messenger’s developer, India-based Srimax, issued an update for the software after Microsoft notified it of the vulnerability. The researchers also discovered a second bug, CVE-2025-27921, that does not appear to have been exploited. The Srimax patches cover that flaw, too. (Joe Warminsky / The Record)

Related: Microsoft, The Register, The Cyber Express, GBHackers, Cybersecurity News, Bleeping Computer

The Marbled Dust attack chain. Source: Microsoft.

The X account of the Ethereum layer 2 network ZKsync and its developer Matter Labs were compromised early on May 13, with hackers falsely claiming the network was being probed by US authorities, among other scam messages.

A ZKsync-related X account posted on May 13 confirmed that the accounts for ZKsync and Matter Labs were compromised and warned users not to interact after the accounts shared links to a fake airdrop in an apparent phishing scam.

The hacked ZKsync and Matter Labs then both posted a fake statement claiming ZKsync was under investigation by the US Securities and Exchange Commission and that the Treasury Department could impose sanctions on the platform.

Matter Labs’ Nolan said the firm was looking into how the X accounts were breached, and believed it was via “compromised delegated accounts,” which allow users limited access to an X account, allowing them to post on its behalf. (Jesse Coghlan / Cointelegraph)

Related: BeInCrypto, crypto.news, cryptorank

Dior’s coveted client list of China’s wealthiest and most powerful consumers has been compromised in a significant data breach, forcing the French luxury giant to issue an apology as it scrambles to contain potential fallout and limit any damage to its reputation.

The luxury brand under French conglomerate LVMH experienced a customer data breach in China on May 7. According to a text message sent to customers yesterday, the company disclosed that an unauthorized external party had gained access to its database, obtaining sensitive personal information such as customers’ names, gender, phone numbers, email addresses, mailing addresses, purchase amounts, and shopping preferences.

Dior emphasized that the compromised data did not include bank account details, IBANs (International Bank Account Numbers), or credit card information. Nonetheless, the brand urged customers to exercise heightened caution, advising them to beware of phishing messages, unsolicited calls or emails, and to avoid clicking on suspicious links or disclosing personal information. (Daisy Pan / Jing Daily)

Related: Global Times, Shine

Screenshot of the text message sent to users by Dior on May 12. Image: McMcCod Burger/Xiaohongshu

In a major crackdown on cybercrime, the Telangana Cyber Security Bureau in India (TGCSB) arrested 20 individuals, including a relationship manager of DCB Bank's Vapi branch, during a 10-day interstate operation in Surat, Gujarat.

The operation, conducted between May 1 and 10 under the on-ground supervision of DSPs Phaneedra and Ranga Reddy, uncovered the accused's involvement in over 515 cybercrime cases across the country, including 60 in Telangana.

Among those arrested was 26-year-old Ankit Kumar Singh, a relationship manager at DCB Bank, Vapi. He was taken into custody along with 14 bank account holders.

Police also arrested five agents who acted as intermediaries between fraudsters and account holders. The accused operated 27 bank accounts through which fraudulent transactions were processed in recent months. (Times of India)

Related: ETV Bharat, Munsif Daily, Telangana Today

Maharashtra Cyber police in India have reportedly identified seven Advanced Persistent Threat (APT) groups responsible for launching over 15 lakh or around 1.5 million cyber attacks targeting critical infrastructure websites across India following the Pahalgam terror strike.

Officials said only 150 attacks were successful, according to a report by the news agency PTI. This means a failure rate of 99.99%, or an abysmal success rate of 0.01%.

In a report titled "Road of Sindoor", prepared under the military operation launched by the Indian armed forces under the same name against terrorists, the state's nodal cyber agency has detailed the cyber warfare launched by Pakistan-allied hacking groups.

The report has been submitted to all key law enforcement agencies, including the Director General of Police and the State Intelligence Department.

According to the report, these cyber attacks originated from Bangladesh, Pakistan, the Middle East, and an Indonesian group. (Times of India)

Related: The Hindu, Deccan Herald, OpIndia, Indian Express, Capacity Media

An independent cybersecurity researcher from New Zealand named Paul (aka "MrBruh") discovered that the ASUS DriverHub driver management utility was vulnerable to a critical remote code execution flaw that allowed malicious sites to execute commands on devices with the software installed.

Paul found the software had poor validation of commands sent to the DriverHub background service.

This allowed the researcher to create an exploit chain utilizing flaws tracked as CVE-2025-3462 and CVE-2025-3463 that, when combined, achieve origin bypass and trigger remote code execution on the target.

MrBruh reported the vulnerabilities on April 8 and Asus rolled out fixes for them on May 9. (Bill Toulas / Bleeping Computer)

Related: MrBruh, Security Week, Security Affairs

Christiaan Beek, Rapid7's senior director of threat analytics, wrote unpublished proof-of-concept code for ransomware capable of affecting a PC's CPU.

There are some indications that criminals are moving toward this end goal, from the UEFI bootkits that go back to 2018 and are now sold on cybercrime forums to allow miscreants to bypass Secure Boot and embed malware into the firmware, surviving operating system reboots.

While Beek says he hasn't yet found a working malware sample in the wild, "if they worked on it a few years ago, you can bet some of them will get smart enough at some point and start creating this stuff." (Jessica Lyons / The Register)

Related: MakeUseOf, SC Media, PC Perspective, TechRadar, TechSpot

Apple updated its security website to reveal that its just-released iOS 18.5 also fixes over 30 security vulnerabilities affecting things like Bluetooth, FaceTime, and more.

There’s also a fix exclusively for the iPhone 16e for a vulnerability impacting the device’s baseband.

The iPhone 16e is the first product to feature an Apple-designed modem, which the company calls the C1 chip. iOS 18.5 fixes a vulnerability affecting the baseband, which allows an “attacker in a privileged network position to intercept network traffic.”

iOS 18.5 also patches vulnerabilities affecting Call History, Bluetooth, CoreAudio, AppleJPEG, and more. Notably, Apple isn’t aware of any situations in which these vulnerabilities were exploited in the wild. (Chance Miller / 9to5Mac)

Related: Apple, Security Week, Wccftech, Apple Insider, Macworld, GBHackers, Cyber Security News, The Mac Observer, MacRumors

According to the Office of the Australian Information Commissioner (OAIC)'s latest Notifiable Data Breaches Report covering July to December 2024, the number of data breach reports in Australia increased by 25 percent in 2024 compared to the previous year.

The 1,113 breaches recorded were mainly experienced by health service providers and the government.

Most reported breaches affected fewer than 5,000 people each, but two breaches impacted between 500,000 and one million people. (SBS News)

Related: OAIC, Capital Brief


CrowdStrike Holdings Inc. Chief Executive Officer George Kurtz disclosed last month that he’d gifted over $1 billion worth of his company’s stock to undisclosed recipients, sharply reducing his influence over the company in an unusual move for a tech founder.

According to the company's latest proxy statement, the disposition is the latest in a series of transactions that have slashed his voting power in CrowdStrike to 2.5% from 31% in 2022.

Kurtz, who has a net worth of $3.2 billion, according to the Bloomberg Billionaires Index, which is valuing his fortune for the first time, presents a rare example in the tech world of a founder ceding ownership and control while still leading the company. (Dylan Sloan and Biz Carson / Bloomberg)

Related: Hacker News (ycombinator)

Best Thing of the Day: You Can Never Really Get Rid of Your RSS Feed

Podcaster and Infosec.exchange administrator Jerry Bell has created an account called @cisareflector on the Mastodon instance that will allow anyone to follow CISA alerts and notifications via the Fediverse or RSS, now that the cybersecurity agency inexplicably got rid of its own RSS feed.

Worst Thing of the Day: Sometimes You Need to Look a Gift Horse in the Mouth

Current and former US military, defense, and Secret Service officials say if Trump accepts a "free" luxury jet from Qatar, he will, in essence, be accepting a ginormous flying security risk that would cost billions of dollars to retrofit to meet Air Force One security requirements.
