The UK Foreign Office was hacked in October

Delay in keystroke led Amazon to imposter discovery, A second suspect was arrested in an attempted Italian ferry malware attack, Denmark blames Russia for destructive cyberattacks, LongNosedGoblin is targeting SE Asian and Japanese governments, NHS tech company hit with cyber incident, much more

UK Foreign and Commonwealth Office. Source: Anthony O'Neil via Geograph Britain and Ireland.

Important publishing notice: Starting Monday, December 22, Metacurity will be on a holiday publishing break. We resume publication on Monday, January 5, 2026.

Thanks to all of you for reading and supporting Metacurity. You are outstanding professionals and savvy newshounds for checking out our daily round-ups of the critical developments in InfoSecLand.

Wishing you and your loved ones a joyous holiday season. Stay safe and sane out there.

And, if your more generous feelings overtake you, please consider supporting Metacurity with an upgraded subscription so that we can continue on our mission to end infosec news overload in the new year.

Warm and happy holidays to all!

Chris Bryant, a trade minister in Keir Starmer’s government, said that hackers have compromised Foreign Office data, but the government is "fairly confident" that no individual data has been accessed.

He said the government first became aware of the hack in October and was now "on top of it."

The stolen data was held on systems that the Foreign Office operates on behalf of the Home Office; the Foreign Office detected the breach.

A China-based hacking group tracked as Storm 1949 is reported to have targeted Foreign Office servers and accessed visa-related information, with "thousands" of confidential documents and records stolen.

But the minister told Sky News that it is "not entirely clear" who is responsible for the hack, and he could share "remarkably little detail." (Sky News)

Related: The Guardian, Financial Times, The Register, The Sun, The US Sun, Mirror, BBC News, Reuters, The Independent, Telegraph

A tiny delay in the typed commands of a new IT worker provided an early clue that an impostor had gained access to an Amazon corporate computer.

Keystroke data from the laptop of a worker who was supposed to be in the US should have taken tens of milliseconds to reach Amazon's Seattle headquarters. Instead, the flow from this machine was taking more than 110 milliseconds, Amazon's Chief Security Officer Stephen Schmidt said.

The person, whom Schmidt said was hired by an Amazon contractor, was part of the surge in recent years of North Koreans skirting strict US and allied sanctions by conning their way into remote jobs, often in IT.

Since April 2024, Amazon staff have found and foiled more than 1,800 attempts to be hired by North Koreans, Schmidt said during a security event at the company’s New York City office this week. This year, the number of such attempts has gone up 27%, on average, from one quarter to the next, the company says.

Amazon didn’t hire any North Koreans directly, Schmidt said. But he said the number of times that impostors tried to get hired by the company and the fact that Amazon shipped a company computer to a contractor who turned out to be a proxy for North Korea should stand as a warning. (Jake Bleiberg / Bloomberg)
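The check Schmidt describes is a latency consistency test: a session whose steady-state keystroke latency cannot be explained by the location the worker claims is a candidate for review. The script below is an added illustration of that idea, not Amazon's tooling. The session records are constructed telemetry, and the per-region latency bands are hypothetical placeholders for baselines you would measure on your own fleet; the point is to rest the verdict on a robust statistic (the median) so that a single congested keystroke does not trigger it, while a consistently slow relay does.

```python
"""Latency consistency check for remote endpoints (added example, not Amazon's
tooling). Sessions below are constructed telemetry; the per-region bands are
hypothetical stand-ins for measured baselines.
"""
from dataclasses import dataclass
from statistics import median

# Hypothetical expected band (ms) for keystroke relay latency from a laptop in
# each claimed region to a collector in Seattle. Assumption for the example.
EXPECTED_BAND_MS = {
    "us-west": (5, 40),
    "us-east": (50, 90),
}


@dataclass
class Session:
    user: str
    claimed_region: str
    samples_ms: list  # per-keystroke relay latency samples


def typical_latency(samples_ms):
    """Median of the samples: one congested spike does not move it, so the
    verdict rests on the session's steady-state latency, not an outlier."""
    return median(samples_ms)


def assess(session, bands=EXPECTED_BAND_MS, slack_ms=20):
    """Return ('consistent' | 'too_slow' | 'too_fast', median_ms)."""
    lo, hi = bands[session.claimed_region]
    m = typical_latency(session.samples_ms)
    if m > hi + slack_ms:
        return "too_slow", m  # consistent with a relay far from the claimed region
    if m < lo - slack_ms:
        return "too_fast", m  # closer to the collector than the claim allows
    return "consistent", m


def triage(sessions):
    """Map user -> verdict for every session whose latency is off-band."""
    out = {}
    for s in sessions:
        verdict, _ = assess(s)
        if verdict != "consistent":
            out[s.user] = verdict
    return out


# Constructed telemetry: two genuine workers (one with a single congestion
# spike) and one endpoint claiming us-west whose keystrokes consistently take
# well over 110 ms to arrive.
SESSIONS = [
    Session("alice", "us-west", [18, 21, 19, 95, 20, 22, 19, 21]),
    Session("bob", "us-east", [71, 68, 74, 70, 69, 72, 73, 70]),
    Session("contractor-7", "us-west", [118, 124, 115, 131, 119, 122, 117, 126]),
]

if __name__ == "__main__":
    for s in SESSIONS:
        verdict, m = assess(s)
        print(f"{s.user:14s} claims {s.claimed_region:8s} median {m:6.1f} ms -> {verdict}")
```

The slack and the bands are the tunable parts; in practice they come from the observed distribution of known-good sessions per region, and a flagged session is a prompt for a human check (video call, device attestation, shipping address), not an automatic block.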

Related: Tom's Hardware, r/nottheonion, Slashdot, Times of India, WebProNews, The Register, LinkedIn, Security Week, Fortune

Italian police have arrested a second Latvian suspect in connection with an attempted malware attack aboard a Mediterranean ferry, expanding the international scope of the investigation.

The inquiry began when vessel operator GNV discovered that a Remote Access Trojan (RAT) had been installed on certain IT systems aboard the ferry Fantastic, and "neutralized" it without consequences. On the vessel's arrival at the French port of Sète, French security officers boarded the ship and detained two crew members, a Latvian and a Bulgarian national.

The Latvian crewmember was charged with "conspiring to penetrate a data processing system on behalf of a foreign power" and related offenses.

On Wednesday, authorities in Naples arrested a second Latvian national on board a vessel in Naples, raising the prospect that two different ships may have been involved.

The case of the second detainee has been transferred to the Genoa prosecutor's office, which brought the original charges.

While Russia has not been officially named as the suspected foreign power behind the malware attempt, French Interior Minister Laurent Nuñez noted that investigators are treating it as a case of foreign interference, and "at the moment, foreign interference very often comes from the same country." (The Maritime Executive)

Related: Bloomberg, The Telegraph

According to the Danish Defence Intelligence Service (DDIS), Russia is responsible for recent destructive and disruptive cyberattacks against Denmark.

The DDIS assessed that Russian hacktivists were behind a destructive cyber-attack on a Danish water utility in 2024.

Russian threat actors were also blamed for a series of distributed denial-of-service (DDoS) attacks on Danish websites in the run-up to the 2025 municipal and regional council elections. The elections were "used as a platform to attract public attention," the intelligence service added.

Specifically, the DDIS named the pro-Russian hacktivist group Z-Pentest as the author of the destructive attack on the water utility in 2024 and said NoName057(16) was behind the series of DDoS attacks in 2025.

The intelligence service also assessed that both groups have links to the Russian state.

“The Russian state uses both groups as instruments of its hybrid war against the West. The aim is to create insecurity in the targeted countries and to punish those who support Ukraine," the service said. (Kevin Poireault / Infosecurity Magazine)

Related: Danish Defence Intelligence Service

Researchers at ESET report that a previously unknown, China-aligned hacker group they call LongNosedGoblin has been targeting government institutions across Southeast Asia and Japan.

The group has been active since at least September 2023 and was uncovered after the company detected new malware strains inside the network of a Southeast Asian government last year.

What sets LongNosedGoblin apart from other known China-linked threat actors is its reliance on Group Policy, a legitimate Windows feature that system administrators commonly use to enforce settings across large networks. The group abused it to deploy malware and move laterally across targeted systems.
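Because Group Policy is a sanctioned deployment channel, a defender's first question is which policies push executables to domain members and from where. The audit below is an added example prompted by this item; it is not ESET's detection logic, and since the article does not say which Group Policy mechanism was abused, it assumes one common route, Group Policy Preferences scheduled tasks stored as ScheduledTasks.xml under SYSVOL. The XML is constructed to mirror that file's layout, and the trusted/suspect path lists and scoring are assumptions a team would tune to its own estate.

```python
"""Audit Group Policy Preferences scheduled-task definitions from SYSVOL for
tasks that push an executable to domain machines. Added example, not ESET's
code; assumes the GPP ScheduledTasks.xml mechanism. Sample XML is constructed.
"""
import re
import xml.etree.ElementTree as ET

# Locations where a dropped binary typically lands. Assumption for the example.
SUSPECT_ROOTS = (
    "\\programdata\\", "\\temp\\", "\\users\\public\\", "\\appdata\\",
    "\\\\",            # UNC path: binary pulled from a share
    "%temp%", "%public%",
)


def _tasks(xml_text):
    """Yield one dict per task element (TaskV2, ImmediateTaskV2, ...)."""
    root = ET.fromstring(xml_text)
    for node in root:
        props = node.find("Properties")
        exec_ = props.find(".//Exec") if props is not None else None
        if exec_ is None:
            continue
        yield {
            "name": node.get("name", ""),
            "kind": node.tag,
            "run_as": props.get("runAs", ""),
            "command": exec_.findtext("Command") or "",
            "arguments": exec_.findtext("Arguments") or "",
        }


def audit(xml_text):
    """Return one dict per task with a list of reasons it warrants review."""
    results = []
    for t in _tasks(xml_text):
        cmdline = f"{t['command']} {t['arguments']}".lower()
        reasons = []
        if t["kind"].startswith("ImmediateTask"):
            reasons.append("immediate task: runs once on next policy refresh, then disappears")
        if any(r in cmdline for r in SUSPECT_ROOTS):
            reasons.append("executes from a user-writable or network location")
        if "system" in t["run_as"].lower():
            reasons.append("runs as SYSTEM")
        if re.search(r"\b(powershell|pwsh)\b.*(-enc|-e\s|-w\s*hidden|bypass)", cmdline):
            reasons.append("encoded or hidden PowerShell")
        if re.search(r"\b(rundll32|regsvr32|mshta|certutil|bitsadmin)\b", cmdline):
            reasons.append("LOLBin launcher")
        t["reasons"] = reasons
        results.append(t)
    return results


def flagged(xml_text, min_reasons=2):
    """Names of tasks that stack at least min_reasons indicators."""
    return [t["name"] for t in audit(xml_text) if len(t["reasons"]) >= min_reasons]


# Constructed SYSVOL content: a routine inventory task next to an immediate
# task that launches a binary dropped under ProgramData as SYSTEM.
SAMPLE_XML = """<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">
  <TaskV2 clsid="{D8896631-B747-47a7-84A6-C155337F3BC8}" name="Inventory" image="0">
    <Properties action="U" name="Inventory" runAs="NT AUTHORITY\\System" logonType="S4U">
      <Task version="1.2"><Actions Context="Author"><Exec>
        <Command>%SystemRoot%\\System32\\wbem\\WMIC.exe</Command>
        <Arguments>/output:C:\\Logs\\inv.txt os get caption</Arguments>
      </Exec></Actions></Task>
    </Properties>
  </TaskV2>
  <ImmediateTaskV2 clsid="{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}" name="Update" image="0">
    <Properties action="C" name="Update" runAs="NT AUTHORITY\\System" logonType="S4U">
      <Task version="1.2"><Actions Context="Author"><Exec>
        <Command>C:\\ProgramData\\Intel\\svchost.exe</Command>
        <Arguments>-s</Arguments>
      </Exec></Actions></Task>
    </Properties>
  </ImmediateTaskV2>
</ScheduledTasks>
"""

if __name__ == "__main__":
    for t in audit(SAMPLE_XML):
        print(f"{t['kind']:18s} {t['name']:10s} {t['command']} -> {t['reasons']}")
```

Run it over every `Machine\Preferences\ScheduledTasks\ScheduledTasks.xml` under the domain's SYSVOL share and diff the output against the previous run; a newly appearing immediate task is worth a look even when it scores low, because the attacker only needs it to fire once.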

One of the group’s primary tools is a malware strain dubbed NosyHistorian, which collects browser history from Google Chrome, Microsoft Edge, and Mozilla Firefox. The stolen data is then used to decide which victims are of higher interest and where to deploy additional malware, including a backdoor known as NosyDoor.

ESET believes NosyDoor is not exclusive to LongNosedGoblin. A variant of the malware had previously been used in an attack against an organization in a European Union country, though with different tactics.

That overlap indicates NosyDoor may be offered as a commercial service to multiple China-aligned actors, the researchers said. (Daryna Antoniuk / The Record)

Related: WeLiveSecurity

NosyDoor execution chain. Source: ESET.

DXS International, a British technology company whose software is widely used throughout the National Health Service (NHS), has disclosed a cybersecurity incident affecting its internal systems.

In a notice to the London Stock Exchange, the company said it detected unauthorized access to office servers on December 14. DXS said it contained the breach and that its clinical services remained unaffected and operational throughout.

At present, there is no confirmation whether NHS patient data was compromised, although the company said it has notified Britain’s data protection regulator, the Information Commissioner’s Office (ICO).

DXS said investigations are ongoing and that it is working with NHS cybersecurity teams and external specialists “whose thorough investigations are underway to establish the nature and extent of the incident.”

The company, which added that it did not currently believe the incident would have a material adverse impact on its finances, provides clinical decision support and referral management tools used by GP practices and primary care networks across England. (Alexander Martin / The Record)

Related: DXS, Cyber Daily, TechCrunch, The Register

Darktrace released new research regarding a dangerous new variant of BeaverTail malware, a JavaScript-based information stealer.

Linked to North Korea's notorious Lazarus Group, the malware is part of an increasingly aggressive campaign targeting the financial and cryptocurrency sectors. The research is part of Darktrace's latest report, The State of Cybersecurity.

According to researchers, the software often spreads through fake job offers. Hackers pose as recruiters and lure developers or crypto traders into “technical interviews” that require downloading tools like MiroTalk or FreeConference. In reality, these are traps designed to compromise the victim’s system.

Researchers noted that catching this latest version is harder than ever because the operators now hide the malware inside VS Code extensions and npm packages (the standard building blocks used to create apps). It has become a "modular, cross-platform" threat that runs on Windows, macOS, and Linux.

Further investigation revealed that this new version uses “over 128 layers” of concealment to hide its code. This deep protection is far beyond anything seen in earlier versions. The campaigns, which target everyone from marketing professionals to retail employees, are attributed to North Korean clusters like Famous Chollima, Gwisin Gang, and Tenacious Pungsan, all linked to the larger Lazarus Group. (Deeba Ahmed / HackRead)
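An npm package can run code the moment it is installed, before any of its exported functions are called, so a developer who accepts a "technical interview" task has already executed the payload by running `npm install`. The scanner below is an added example, not Darktrace's detection and not based on any BeaverTail sample: it reads a package manifest and flags install-time lifecycle hooks that show generic signs of hidden execution (inline `node -e`, `eval`, base64 or hex-escaped blobs, downloads piped to an interpreter). Both manifests are constructed, and the patterns are heuristics that will also fire on some legitimate build scripts; they are meant to route a package to review, not to classify it. VS Code extensions need a different check, since they run on activation rather than through npm install hooks.

```python
"""Flag npm manifests whose install-time lifecycle hooks look like they hide
code execution. Added example, not Darktrace's logic; manifests are constructed
and the indicators are generic heuristics, not signatures of a real sample.
"""
import json
import re

# npm runs these automatically during `npm install`; no user action needed.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Generic indicators of concealed install-time execution. Assumptions.
SUSPICIOUS = [
    (re.compile(r"\bnode\s+-e\b"), "inline node script"),
    (re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash|node)\b"), "download piped to interpreter"),
    (re.compile(r"\beval\s*\("), "eval"),
    (re.compile(r"base64|atob\("), "base64-decoded payload"),
    (re.compile(r"[A-Za-z0-9+/]{80,}={0,2}"), "long base64-looking blob"),
    (re.compile(r"(\\x[0-9a-f]{2}){8,}", re.I), "hex-escaped string"),
    (re.compile(r"\bnode\s+(/tmp|~|\$HOME|%TEMP%|%APPDATA%)", re.I), "runs a script outside the package"),
]


def install_hooks(manifest_text):
    """Return {hook: command} for the lifecycle hooks npm runs at install time."""
    pkg = json.loads(manifest_text)
    return {h: c for h, c in pkg.get("scripts", {}).items() if h in INSTALL_HOOKS}


def scan_manifest(manifest_text):
    """Return a list of (hook, reason) findings for one package.json."""
    findings = []
    for hook, cmd in install_hooks(manifest_text).items():
        for pattern, reason in SUSPICIOUS:
            if pattern.search(cmd):
                findings.append((hook, reason))
    return findings


def risk(manifest_text):
    """'review' if any install hook trips a heuristic, 'hooks' if install hooks
    exist but look plain, 'none' if the package runs nothing at install."""
    if scan_manifest(manifest_text):
        return "review"
    return "hooks" if install_hooks(manifest_text) else "none"


# Constructed manifests: a plain build hook, and one whose postinstall hook
# decodes and evaluates an embedded payload.
BENIGN = json.dumps({
    "name": "left-pad-ish", "version": "1.0.0",
    "scripts": {"build": "tsc -p .", "prepare": "npm run build", "test": "jest"},
})

MALICIOUS = json.dumps({
    "name": "interview-task-helper", "version": "2.3.1",
    "scripts": {
        "postinstall": "node -e \"eval(Buffer.from('Y29uc29sZS5sb2coJ2hpJyk=','base64').toString())\"",
        "test": "jest",
    },
})

NO_HOOKS = json.dumps({"name": "pure-lib", "version": "0.1.0", "scripts": {"test": "jest"}})

if __name__ == "__main__":
    for label, m in (("benign", BENIGN), ("malicious", MALICIOUS), ("no-hooks", NO_HOOKS)):
        print(label, risk(m), scan_manifest(m))
```

For a package you have not vetted, `npm install --ignore-scripts` skips these hooks entirely so you can read the manifest and the bundled JavaScript first; a `prepare` or `postinstall` hook that the package genuinely needs will then fail loudly, which is the right default for an unknown dependency handed to you in an interview.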

Related: Darktrace, IT Wire

Threat intel group Curated Intelligence reports that the Clop ransomware gang is targeting Internet-exposed Gladinet CentreStack file servers in a new data theft extortion campaign.

Gladinet CentreStack enables businesses to securely share files hosted on on-premises file servers through web browsers, mobile apps, and mapped drives without requiring a VPN. According to Gladinet, CentreStack "is used by thousands of businesses from over 49 countries."

Since April, Gladinet has released security updates addressing several CentreStack flaws that were exploited in attacks, some of them as zero-days.

The Clop cybercrime gang is now scanning for and breaching CentreStack servers exposed online, with Curated Intel saying that ransom notes are left on compromised servers.

However, there is currently no information on the vulnerability Clop is exploiting to hack into CentreStack servers. It is unclear whether this is a zero-day flaw or a previously addressed bug that the owners of the hacked systems have yet to patch. (Sergiu Gatlan / Bleeping Computer)

Related: Curated Intelligence on LinkedIn, GitHub

Ryan Clifford Goldberg, a former incident response supervisor at Sygnia Consulting Ltd., and Kevin Tyler Martin, who was a ransomware negotiator for DigitalMint, pleaded guilty to one count each of conspiracy to interfere with commerce by extortion, federal court records show.

The pair acknowledged in the court filings that, along with a third person, they spent years trying to hack and extort businesses, in one instance receiving a ransom payment of more than $1 million in cryptocurrency from a Florida medical device company.

A DigitalMint spokesperson said two of the people accused in the scheme had worked for the Chicago-based firm. They were both fired and “acted wholly outside the scope of their employment and without any authorization, knowledge or involvement from the company,” the spokesperson said in an emailed statement.

DigitalMint is continuing to cooperate with the Justice Department and fired the employees at different times “upon learning of their illicit activity, given the information provided to us during the law enforcement investigation,” the spokesperson said. (Jake Bleiberg / Bloomberg)

Donald Trump has nominated Lt. Gen. Joshua M. Rudd, a former Delta Force commander and current deputy commander of Indo-Pacific Command, to be the next head of the National Security Agency and US Cyber Command, ending eight months of leadership limbo at the helm of the nation’s largest spy agency and its offensive military cyber organization.

The nomination was received by Congress this week, said two officials, who spoke on the condition of anonymity because it has not been officially announced by the Pentagon, White House, or the Office of the Director of National Intelligence.

Rudd would formally replace Gen. Timothy Haugh, whom Trump fired in April. The president's move drew sharp bipartisan rebukes as an unjustified political move engineered by the far-right activist Laura Loomer.

The acting head has been Lt. Gen. William J. Hartman, who had been Haugh’s deputy at both organizations and was widely expected to succeed Haugh. The nomination never materialized.

Rudd appears not to have previously held a military cybersecurity position, though a person familiar with his nomination said his background in a global region that includes China would align with US goals to counter Chinese cyber threats. (Ellen Nakashima and Alex Horton / The Washington Post and David DiMolfetta / NextGov/FCW)

Related: NextGov, Politico, The Record, Breaking Defense, Reuters, DefenseScoop

TikTok has signed a deal to divest its US entity to a joint venture controlled by American investors.

Oracle, Silver Lake, and Abu Dhabi-based MGX will collectively own 45% of the US entity, which will be called "TikTok USDS Joint Venture LLC."

Nearly one-third of the company will be held by affiliates of existing ByteDance investors, and nearly 20% will be retained by ByteDance.

The US joint venture will be responsible for US data protection, algorithm security, content moderation, and software assurance.

Upon closing, the US joint venture "will operate as an independent entity with authority over US data protection, algorithm security, content moderation, and software assurance, while TikTok Global's US entities will manage global product interoperability and certain commercial activities, including e-commerce, advertising, and marketing." (Sara Fischer / Axios)

Related: CNBC, Bloomberg, Silicon Republic, Reuters, CNN, NPR, Music Ally, New York Times, NBC News, TVREV, The Information, Associated Press, Capacity, Sharecast, Yahoo Finance, TechCrunch, Times of India, Financial Times, Clarified, CGTN, Tech in Asia, Dexerto, ABC News, Pixel Envy, Ukrainian National News, Forbes Middle East, UPI, TRT World, BBC, Nairametrics, Social Media Today, Blockchain.News, International Business Times, The National, 9to5Mac, Mashable, Fox Business, Cord Cutters News, Livemint, Sinocism, Variety, The Independent, Washington Examiner, The Verge, The Straits Times, MacRumors, Benzinga, TechRadar

Kevin Mandia, founder of the cybersecurity firm Mandiant—which Alphabet’s Google acquired for $5.4 billion—has formed a new company called Armadin that will take on the imminent threat from AI hacking.

The company aims to use artificial intelligence to supercharge the business of testing networks for vulnerabilities. Armadin raised $24 million in seed funding from Ballistic Ventures, a venture-capital firm co-founded by Mandia, and is in talks with Accel, GV, and Kleiner Perkins to raise $100 million or more, people familiar with the matter said.

The deal is expected to value the company at more than $600 million. The round isn't finalized, and the details could still change. (Kate Clark and Robert McMillan / Wall Street Journal)

Related: WebProNews

Best Thing of the Day: Smart TVs Are Already Enough of a Privacy Mess

LG Electronics will let owners of its televisions delete Microsoft artificial intelligence software amid a consumer backlash.

Worst Thing of the Day: Yet Another Argument in Favor of Tor

The Pennsylvania Supreme Court ruled that police did not need a warrant to obtain a convicted rapist’s Google searches when investigating the crime.
