Suspected Chinese hackers breach top telco law firm

A Special Request

Metacurity has been a labor of love for years, and I’m so grateful for your readership. Your support can help ensure I can continue delivering the carefully curated weekly long-reads and daily digests of the most critical developments in cybersecurity.

If you find value in what Metacurity offers, please consider upgrading to a paid subscription. We also provide corporate subscription options, and soon we’ll be introducing affordable sponsorship opportunities—perfect for promoting your events or products to a highly engaged audience.

To learn more, feel free to reach out at cynthia@metacurity.com.

Thank you so much for being part of the Metacurity community.

If you can't commit to a subscription, please consider donating what you can afford to help keep Metacurity free to all.

In a memo sent to clients, powerful DC-based law firm Wiley Rein said suspected Chinese hackers have broken into the email accounts of attorneys and advisers at a powerful Washington, DC, law firm in an apparent intelligence-gathering operation.

The firm said the hackers responsible have been known to target information related to trade, Taiwan, and US government agencies involved in setting tariffs and reviewing foreign investment.

“We believe, based on the evidence reviewed to date, that a group that may be affiliated with the Chinese government accessed messages in the Microsoft 365 accounts of certain Wiley personnel for intelligence gathering purposes,” the memo said.

Wiley Rein is working with law enforcement, and Google-owned security firm Mandiant is remediating the hack, the memo said. 

Although Wiley cited trade and tariffs as the primary aim of the suspected Chinese hackers, Wiley is best known in DC and globally as the leading law firm that represents or has represented virtually every telecom, media, and technology company in matters before the US government and regulatory agencies.

Firm Chairman Emeritus Dick Wiley founded the firm in 1983 after serving as Chairman of the Federal Communications Commission. Last year, the Chinese threat group Salt Typhoon emerged as a serious supply chain risk to telecommunications companies and their customers, who were considered to be the ultimate targets of the threat group.

The telcos infiltrated by Salt Typhoon include AT&T, Verizon, and Comcast, and suspicions remain that those telecom giants and other victims might still be resident inside the communications carriers' networks.

According to Bloomberg, in 2012, Wiley Rein was hacked, one of twenty victims hacked by a Chinese threat group that US intelligence called Byzantine Candor. Back then, the targets included lawyers pursuing trade claims against the country’s exporters and an energy company preparing to drill in waters China claims as its own. (Annie Grayer and Sean Lyngaas / CNN and Metacurity)

Related: Databreaches.net

His Majesty's Revenue & Customs, or HMRC, announced that thirteen people have been arrested in Romania after phishing attacks against the government office, in which authorities suspect stolen data was used to obtain millions of pounds of tax payments fraudulently.

HMRC said its criminal investigators had joined more than 100 Romanian police officers to arrest the people in the southern counties of Ilfov, Giurgiu, and Calarasi.

Police also seized cash and luxury cars during the raids against the individuals aged between 23 and 53, and arrested them on suspicion of computer fraud, money laundering, and illegal access to a computer system.

A 14th person, a 38-year-old man, was arrested in Preston, northwest England, earlier on Thursday, HMRC said.

The raids follow HMRC's revelation last month that a criminal gang had stolen 47 million pounds ($63.7 million) by using phishing tactics to access more than 100,000 customer accounts and falsely claiming payments from the government.

The arrests are part of several HMRC investigations into phishing incidents, in which individuals are targeted with emails that seem legitimate, prompting them to disclose passwords or credit card information unwittingly. (Sachin Ravikumar / Reuters)

Related: Security Week, BankInfoSecurity, HackRead, BBC News, Birmingham Live

A hacker shared a string of racist and antisemitic posts from the X account of Elmo, the fuzzy red monster from “Sesame Street."

The posts, on a verified account with more than 600,000 followers, contained racial slurs, antisemitic language, and commentary about President Trump and the so-called Epstein files, the remaining investigative documents of the sex-trafficking investigation into Jeffrey Epstein. The posts were removed shortly after they were published on Sunday afternoon.

“Elmo’s X account was compromised today by an unknown hacker who posted disgusting messages, including antisemitic and racist posts,” a spokeswoman for Sesame Workshop, the nonprofit organization behind “Sesame Street,” said in a brief statement. “We are working to restore full control of the account.”

The social media platform X, formerly Twitter, has experienced a surge in racist, antisemitic, and other hateful speech since Elon Musk took it over in 2022. (Yan Zhuang / New York Times)

Related: Forbes, PerthNow, Israel National News, The New Daily, Graham Cluley, Mashable, Jerusalem Post, Jewish Telegraphic Agency, IBTimes.co.uk : Technology, Washington Examiner

Based on reporting by security researchers Neil Smith and Eric Reuter, CISA issued an advisory warning that the protocol used for remote linking over RF for End-of-Train and Head-of-Train (also known as a FRED) relies on a BCH checksum for packet creation that can be created with a software-defined radio and issue brake control commands to the EoT device, disrupting operations or potentially overwhelming the brake systems.

CVE-2025-1727 has been assigned to this vulnerability, and a CVSS v3 base score of 8.1 has been calculated.

The Association of American Railroads (AAR) is pursuing new equipment and protocols that should replace traditional End-of-Train and Head-of-Train devices. The standards committees involved in these updates are aware of the vulnerability and are investigating mitigating solutions.

The AAR Railroad Electronics Standards Committee (RESC) maintains this protocol, which is used by multiple manufacturers across the industry, including Hitachi Rail STS USA, Wabtec, Siemens, and others. Users of EoT/HoT devices are recommended to contact their own device manufacturers with questions.

CISA recommends that users take defensive measures to minimize the risk of exploitation of this vulnerability. (CISA)

According to a legal complaint, the Department of Justice is trying to recoup funds from an alleged Nigerian scammer who convinced victims to transfer the equivalent of $250,000 in the cryptocurrency Ethereum as a supposed donation to the Trump-Vance Inaugural Committee.

The DOJ's complaint, however, only lists two people as falling prey to the scam: “Ivan” and “Mouna."

Those are the same first names as the chief executive officer and US chief financial officer of the crypto company MoonPay, Ivan Soto-Wright and Mouna Ammari Siala. The wallet used to pay the alleged scammer has also previously been publicly linked to Soto-Wright.

If the victims of the scam were, in fact, the top executives of MoonPay, “that smacks of favoritism or selective enforcement,” Mark Hays, a crypto regulation advocate with Americans for Financial Reform, told NOTUS, pointing to the Trump DOJ’s separate rollback of enforcement against crypto companies.

The DOJ included screenshots of two emails between the victims and the scammer in its complaint to the court. The first email was on Christmas Eve 2024, from the email address steve_witkoff@t47lnaugural, in which the first letter of “inaugural” was actually written with a lowercase L. The real Steve Witkoff was the co-chair of Trump’s inaugural committee.

The email said, “Hi Ivan & Mouna, Please find below the USDT wallet address and barcode for the contribution.”

A responding email from “Mouna” to the alleged scammer, with “Ivan” cc’d — both with last names and email address redacted by DOJ — reads, “Hi Steve- our contribution of $250k was just processed. Here is the confirmation,” with a link to a crypto transaction using a wallet independent trackers have also linked to MoonPay. (Claire Heddles / NOTUS)

Related: Court Listener

Researcher Marco Figueroa, GenAI Bug Bounty Programs Manager at Mozilla, submitted a prompt injection vulnerability to 0din that showed Google Gemini for Workspace can be exploited to generate email summaries that appear legitimate but include malicious instructions or warnings that direct users to phishing sites without using attachments or direct links.

The process involves creating an email with an invisible directive for Gemini. An attacker can hide the malicious instruction in the body text at the end of the message using HTML and CSS that sets the font size to zero and its color to white.

The malicious instruction will not be rendered in Gmail, and because there are no attachments or links present, the message is highly likely to reach the potential target's inbox.

If the recipient opens the email and asks Gemini to generate a summary of the email, Google's AI tool will parse the invisible directive and obey it.

An example provided by Figueroa shows Gemini following the hidden instruction and includes a security warning about the user's Gmail password being compromised, along with a support phone number.

Users should also be aware that Gemini summaries should not be considered authoritative when it comes to security alerts. (Bill Toulas / Bleeping Computer)

Related: 0din, Cyber Security News

According to internal access logs, a staffer from the Department of Government Efficiency, or DOGE, recently got high-level access to view and change the contents of a payments system that controls tens of billions of dollars in government payments and loans to farmers and ranchers across the United States.

A source working for the USDA provided evidence of DOGE's high-level access to the payments system called the National Payment Service. The access is a highly privileged level of permissions that the USDA employee says no other individual at the agency has, and goes against normal access protocols. With that access, DOGE can view and modify data entries inside the system, giving them a view into sensitive personal information and the power to cancel loans outright.

It's unclear whether staffers previously employed by DOGE are now full-time employees at USDA. Another USDA employee who requested anonymity, fearing retribution, said that the group is now internally referred to as the "Efficiency Team," or the "E team."

The move is in line with an early command by Secretary of Agriculture Brooke Rollins to give DOGE "full access and transparency," though it may run counter to the agency's long-standing policies around data protection and privacy. DOGE's near-unfettered access to sensitive data at other agencies like the Treasury Department and the Social Security Administration continues to be challenged in court due to privacy, security, and legal concerns. (Jenna McLaughlin / NPR)

Related: Farms.com, Food Tank, New York AG Connection

A crypto hacker who stole $42 million from the decentralized crypto perpetuals exchange GMX is returning the funds and collecting a $5 million reward.

The hacker struck on July 9th and transferred part of the funds to an unknown wallet. At the time, GMX said the exploit was limited to GMXV1 and that V2, its markets and liquidity pools, as well as the ecosystem’s native asset, were unaffected.

In its report on the incident, GMX says the exploit was a re-entrancy attack, or a type of hack that affects smart contracts by taking advantage of a vulnerability presented when a smart contract makes a call to another before updating itself, leaving open the possibility for an external malicious contract to enter in. (Mehron Rokhy / the Daily Hodl)

Related: The Block, Cointelegraph, The Record, Decrypt

KrebsOnSecurity learned the identities of two of the four suspects arrested last week in connection with the ransomware attacks on British retail giants, with one identified as a UK man, Owen David Flowers, who is alleged to have been involved in the Scattered Spider ransomware attack that shut down several MGM Casino properties in September 2023.

The woman arrested is or recently was in a relationship with Flowers.

But the bigger fish arrested is allegedly Thalha Jubair, a UK man who is believed to have used the nickname “Earth2Star,” which corresponds to a founding member of the cybercrime-focused Telegram channel “Star Fraud Chat.”

Sources say that Jubair was also a core member of the LAPSUS$ cybercrime group that broke into dozens of technology companies in 2022, stealing source code and other internal data from tech giants including Microsoft, Nvidia, Okta, Rockstar Games, Samsung, T-Mobile, and Uber. (Brian Krebs / Krebs on Security)

Thailand's Department of Special Investigation (DSI) announced that the Thung Song Provincial Court sentenced 70 members of a criminal cyber fraud gang, with each sentenced up to 24 years in prison.

The case centred on the mass arrest of Thai and Chinese members of the call-centre gang - the largest such criminal network detected operating in the country to date, according to the DSI.

The police operation began in November 2023 after investigators uncovered evidence of the gang's illegal transnational activities. (Bangkok Post)

Related: Khmer Times, khaosodenglish, Thai Examiner

Nicholas Truglia, a man who got 18 months in prison for his part in a scheme to steal $22 million in cryptocurrency, saw his sentence increased to 12 years after failing to pay back his victim as he had promised.

Nicholas Truglia's sentence was increased to 12 years after US District Judge Alvin Hellerstein found he had willfully failed to honor his agreement to pay nearly $20.4 million in restitution.

Mark Gombiner, Truglia's lawyer, told Hellerstein the sentence was illegal and "an extraordinary abuse of discretion" and promised to appeal.

Truglia pleaded guilty to participating in a scheme to steal more than $20 million of cryptocurrency from Michael Terpin, the founder and chief executive officer of Transform Group. (Bob Van Voris and Anika Arora Seth / Bloomberg)

Related: The Block, India Today, Cointelegraph, AInvest

The US FBI shut down NSW2U.com, a major website hosting pirated copies of Nintendo Switch games.

Now the website hosts a single image offering a warning message from the FBI, acknowledging the domain has been seized.

The move is the latest in a string of anti-piracy efforts surrounding Nintendo games this year. It follows Nintendo itself taking action to permanently "brick" new Switch 2 consoles that use a piracy-enabling Flash card device. (Tom Phillips / IGN)

Related: FBI, Advanced Television, Nintendo Life, WALB, Hack Read, Tom's Hardware, Engadget, Video Games Chronicle, PCMag, GoNintendo

Best Thing of the Day: Don't Buy American

As the US moves deeper into a strongman surveillance state, Canada and European economies are increasingly turning to alternative tech providers who operate out of the reach of Trump-friendly American tech giants.

Worst Thing of the Day: The US Is Now in Favor of Fake News

The Trump administration's move to dismantle most of the US Agency for Global Media, which encompassed respected foreign news outlet Voice of America, has allowed Chinese state-run media to broadcast propaganda unopposed on Chinese-language media outlets.

Closing Thought