Suspected foreign actor likely accessed lawmakers' emails and chat logs in CBO hack

Italian consultant is latest public victim of Paragon spyware, WaPo was caught up in Oracle E-Business Suite breach, Landfall spyware targeted Galaxy phones in campaign, Site-blocking can disrupt legitimate services, DHS is spying on college football games, RTV Noord was hit by attack, much more

The Congressional Budget Office, lawmakers’ nonpartisan bookkeeper, was hacked by a suspected foreign actor, according to an agency spokeswoman, potentially exposing the key financial research data Congress uses to craft legislation.

Sources say officials discovered the incursion in recent days and now worry that communications between lawmakers’ offices and nonpartisan researchers could have been accessed by an adversary or one of its digital proxies, as well as internal email and office chat logs.

One source said CBO officials told lawmakers that they believe they detected the intrusion early. Another source said some congressional offices have generally stopped corresponding with the CBO via email because of the cybersecurity risks.

“The Congressional Budget Office has identified the security incident, has taken immediate action to contain it, and has implemented additional monitoring and new security controls to further protect the agency’s systems going forward,” CBO spokeswoman Caitlin Emma said in a statement.

“The incident is being investigated and work for the Congress continues. Like other government agencies and private sector entities, CBO occasionally faces threats to its network and continually monitors to address those threats.” (Jacob Bogage and Riley Beggin / The Washington Post)

Related: NextGov/FCW, CNN, Washington Examiner, Independent, Bleeping Computer, Axios, Associated Press, Politico, Raw Story, Reuters, CyberScoop, Security Affairs, Security Week

Francesco Nicodemo, a consultant who works with left-wing politicians in Italy, has gone public as the latest person targeted with Paragon spyware in the country.

He said in a Facebook post that for 10 months, he preferred not to publicize his case because he “did not want to be used for political propaganda,” but now “the time has come.”

Online news site Fanpage first reported the news that Nicodemo was among the people who received a WhatsApp notification in January.

The revelation that Nicodemo was targeted with Paragon spyware widens the scope — once again — of the ongoing spyware scandal in Italy, which has ensnared several victims from various positions in society: several journalists, immigration activists, prominent business executives, and now a political consultant with a history of working for the center-left Partito Democratico (Democratic Party) and its politicians. (Lorenzo Franceschi-Bicchierai / TechCrunch)

Related: Francesco Nicodemo's Post, Fanpage, The Record, TechNadu

The Washington Post said it is among the victims of a sweeping cyber breach of the Oracle E-Business Suite platform.

The paper did not provide further detail, but its statement comes after CL0P, the notorious ransomware group, said on its website that the Washington Post was among its victims. CL0P and Oracle did not immediately return messages seeking comment. (Raphael Satter and A.J. Vicens / Reuters)

Related: Bloomberg

Researchers at Palo Alto Networks discovered an Android spyware they call Landfall that targeted Samsung Galaxy phones during a nearly year-long hacking campaign.

It was first detected in July 2024 and relied on exploiting a security flaw in the Galaxy phone software that was unknown to Samsung at the time, a type of vulnerability known as a zero-day.

Unit 42 said the flaw could be abused by sending a maliciously crafted image to a victim’s phone, likely delivered through a messaging app, and that the attacks may not have required any interaction from the victim. 

Samsung patched the security flaw — tracked as CVE-2025-21042 — in April 2025, but details of the spyware campaign abusing the flaw have not been previously reported.

The researchers said that it’s not known which surveillance vendor developed the Landfall spyware, nor is it known how many individuals were targeted as part of the campaign. But the researchers said that the attacks likely targeted individuals in the Middle East. (Zack Whittaker / TechCrunch)

Related: Palo Alto Networks

Flowchart for LANDFALL spyware. Source: Palo Alto Networks Unit 42.

In a submission for the 2026 National Trade Estimate Report produced by the United States Trade Representative (USTR), Cloudflare warns the US government that site-blocking efforts cause widespread disruption to legitimate services.

Cloudflare's submission points to Italy's automated Piracy Shield system, which reportedly blocked "tens of thousands" of legitimate sites. Meanwhile, overbroad IP address blocks in Spain and new automated blocking proposals in France are serious concerns that harm US business interests, Cloudflare reports. (Ernesto Van der Sar / TorrentFreak)

Related: Cloudflare, WebProNews, Hacker News, r/Piracy, Slashdot

According to documents obtained by FOIAball, the Ole Miss-Georgia college football matchup this week was one of at least two games last year where the school used a Department of Homeland Security information-sharing platform to keep a watchful eye on attendees. 

The platform, known as HSIN, is a centralized hub for the myriad law enforcement agencies involved with security at significant events. At a game like Ole Miss-Georgia, according to an Event Action Plan obtained by FOIAball, at least 11 different departments were on the ground, from Ole Miss campus police to a military rapid-response team.

HSINs are generally depicted as a secure channel to facilitate communication between various entities.

In a video celebrating its twentieth anniversary, a former HSIN employee hammered home that stance. “When our communities are connected, our country is indeed safer," they said.

But that nebulous framing obscures what they can actually do. The Homeland Information Sharing Network (the acronym is pronounced Hiz-Un) system launched in the post-Sept. 11 push for inter-department communication and information openness.

Under DHS, which was granted a broad mandate to coordinate communication and oversee security, HSINs have become a widely used tool. (David Covucci / FOIAball)

Related: r/cfb

Source: FOIAball.

Dutch regional radio and television public broadcaster RTV Noord was hit by a cyberattack that caused significant disruption to its operations.

The broadcaster's IT department discovered the hack. The unknown hackers left a message on the server. The broadcaster is not disclosing the message's content.

The broadcaster from the province of Groningen has been experiencing problems in all its editorial systems since this morning. Publishing news items on the app and website requires a lot of extra effort.

Radio broadcasts can still continue, according to RTV Noord. The station is playing CDs, and an LP has even been transferred from the stage to the turntable. All music is started manually. (NOS)

Related: RTV Noord, Tweakers, RTL.nl

A DDoS cyberattack claimed by the pro-Russian hacker group NoName057 briefly disrupted the websites of Belgian telecom operators Proximus and Scarlet.

A DDoS attack around the same time also hit Ghent University Hospital.

Proximus spokesperson Fabrice Gansbeke confirmed that technicians detected unusual traffic around 7:20 and took immediate countermeasures. "From 7:30, we saw a sharp increase in traffic. The impact was very limited: our systems held up," he said.

At 8:53, NoName057 posted a message on Telegram boasting of attacks against the websites of Scarlet and Proximus and an internal Telenet portal. However, Telenet spokesperson Stefan Coenjaerts denied the claim. "Our systems were not hacked and no websites went offline," he said.

The hackers cited comments by Defence Minister Theo Francken in a recent interview with Humo magazine, where he said NATO would “flatten” Moscow if Russia attacked Brussels. “We advise the Belgian minister not to throw such statements around,” the group wrote. (Belga News Agency)

Related: AA, Databreaches.net

Some patients of OB-GYN Associates in Nevada are receiving letters informing them that some of their personal information may have been exposed in a data security breach.

It happened around August 7 of this year.

The letter says that the first and last names, social security numbers, driver's license numbers, and past medical information of some patients could have been accessed.

In response, an investigation was conducted and completed on September 29.

Those affected are being offered access to single-bureau credit monitoring, credit reporting, and credit score services. (2News)

Related: KOLO, 2 News Nevada, The HIPAA Journal

Best Thing of the Day: We're Gonna Need to Go Ahead and Move You Downstairs into Storage B

Founding director of CISA Chris Krebs likened the $120 million exploit of DeFi protocol Balancer to the scheme from Office Space, where the idea was to skim fractions of a penny off the top of many individual transactions.

Worst Thing of the Day: Don't Let the Stalkers Off the Hook

EFF teamed up with AV Comparatives again to test Android stalkerware detection by major antivirus apps and found the detection rates to be a very mixed bag again.
