UK military will ramp up offensive cyber attacks against Russia and China

Victoria's Secret hit by cyberattack, LexisNexis risk arm breach affects 364K, Procurement database exposed Russian nuclear bases to attack, US gov't to mix DNA data of migrant children and sex offenders, ASUS routers ensnared by novel botnet, APT41 exploited Google Calendar, much more

Source: Harland Quarrington.

Ahead of the publication of the country's strategic review next week, UK Defense Secretary John Healey said that Britain will ramp up its offensive cyberattacks against states such as Russia and China because “the keyboard is now a weapon of war”, adding that the UK’s new cyber command will coordinate such offensive digital capabilities.

The offensive operations could involve hacking into computer systems to disrupt an enemy’s ability to launch conventional attacks and spread propaganda online.

The Ministry of Defence has faced 90,000 cyberattacks from “state-linked sources” over the past two years, military chiefs said during a visit to the cyber command at MoD Corsham in Wiltshire yesterday. The figure is twice as high as in the previous two years.

Healey said: “This is a level of cyberwarfare that is continual and intensifying. That requires us to step up our capacity to defend against it.”

He stopped short of admitting Britain was fighting a cyberwar with Russia, but said the “intensity of the cyberattacks we are seeing from Russia is stepping up” and “this is a level of cyberwarfare that is continual and intensifying."

The defence review, which has taken nearly a year to complete, will be published on Monday. Sir Keir Starmer is expected to outline the threats facing the UK and how the armed forces will be modernized to confront them. Unlike previous reviews, military chiefs have been blocked from discussing it in public. A chunk of it is expected to focus on autonomy and cyber, as well as plans for a more joined-up approach across all three services.

The review will point out that daily cyberattacks are “threatening the foundations of the economy and daily life." (Larisa Brown / The Times)

Related: Gov.uk, Sky News, ITN, The Telegraph, The Independent, Daily Mail, BBC News, Financial Times

In the latest security issue impacting consumer-facing companies, Victoria’s Secret & Co. has stopped some office operations and told employees to avoid using company technology amid a “security incident” that disrupted the retailer’s online shopping website and some store services.

Some employees were locked out of email accounts because their passwords didn't work, according to a person familiar with the situation. The person asked not to be identified because they weren’t authorized to speak on the matter.

A spokesperson said that the retailer is taking steps to address what they described as a “security incident,” including tapping outside experts. The spokesperson said the company took down its website and some store services. (Lara Sanli, Jeff Stone, and Lily Meier / Bloomberg)

Related: TechCrunch, CyberInsider, The US Sun, 9News, ZeroHedge News, The Register, Reuters, Newsweek, r/columbus, Cyber Daily, SFGate, Bleeping Computer

LexisNexis Risk Solutions, a data broker that collects and uses consumers’ personal data to help its paying corporate customers detect possible risk and fraud, has disclosed a data breach affecting more than 364,000 people. 

The company said in a filing with Maine’s attorney general that the breach, which occurred on December 25, 2024, allowed a hacker to obtain consumers’ sensitive personal data from a third-party platform used for software development.

Jennifer Richman, a spokesperson for LexisNexis, told TechCrunch that an unknown hacker accessed the company’s GitHub account.

The stolen data varies, but includes names, dates of birth, phone numbers, postal and email addresses, Social Security numbers, and driver's license numbers.

It’s not immediately clear what circumstances led to the breach. Richman said LexisNexis received a report on April 1, 2025, “from an unknown third party claiming to have accessed certain information.” The company would not say if it had received a ransom demand from the hacker. (Zack Whittaker / TechCrunch)

Related: Office of the Maine Attorney General, Security Week, Fast Company, The Record, The Register, The Verge, Bleeping Computer, Finextra, Cybernews

Investigative journalist organization Danwatch and German publication Der Spiegel scraped and analyzed over two million documents from a public procurement database which exposed Russian nuclear facilities, including their layout, in great detail, causing security experts to conclude that the exposure of these facilities in the database could potentially make the large new nuclear weapons bases vulnerable to attack.

Among the millions of documents, Danwatch found hundreds of original blueprints of the Strategic Missile Forces’ bases near the small town of Yasny, which have since 2019 been equipped with the Avangard hypersonic glide vehicle—one of Russia’s new nuclear delivery systems that plays a central role in President Putin’s ambitions to put Russia in front in an arms race against the West.

First and foremost, the many documents reveal the scope of Russian modernization. They show deliveries of enormous quantities of steel, sand, cement, bricks, and insulation, as well as more sensitive things like IT systems, electrical installations, water, heating, and ventilation routing.

The security systems are detailed: three layers of electric fences along the bases’ outer perimeter, sensors for seismic activity and radioactivity, explosion-proof doors and windows, reinforced concrete buildings, and alarm systems with magnetic contacts and infrared sensors. In some cases, the type and locations of internal surveillance cameras on the buildings are specified.

The documents also reveal the facilities’ internal layout in great detail. They describe where the soldiers eat, sleep, and use the toilet. They also describe where they relax, what exercise equipment they use (primarily treadmills and hand weights), what games they play to pass the time (chess and checkers), and what signs hang on the walls (“Stop! Turn around! Forbidden zone!” or “The Military Oath” or “Rules for shoe care”).

They further describe which rooms in the basements store the protective gear and where the weapons cabinets stand. It’s written explicitly where the control rooms are located and which buildings are connected via underground tunnels. (Mathias Glistrup and Thomas Gosta Svensson / Danwatch and Nikolai Antoniadis, Anna-Lena Kornfeld, Roman Lehberger, Sven Petersen, Fidelius Schmid and Christoph Winterbach / Der Spiegel)

Related: The Moscow Times, Meduza, Cybernews, The Australian, Espreso, Express, US Sun

Part of the detailed blueprints of Putin's new nuclear facilities exposed in the procurement database. Source: Danwatch.

The US government has collected DNA samples from upwards of 133,000 migrant children and teenagers, including at least one 4-year-old, and uploaded their genetic data into a national criminal database used by local, state, and federal law enforcement.

Records quietly released by the US Customs and Border Protection earlier this year offer the most detailed look at the scale of CBP’s controversial DNA collection program.

They reveal for the first time just how deeply the government’s biometric surveillance reaches into the lives of migrant children, some of whom may still be learning to read or tie their shoes, yet whose DNA is now stored in a system built initially for convicted sex offenders and violent criminals.

Experts say that the children’s raw genetic material will be stored indefinitely and worry that, without proper guardrails, the DNA dragnet could eventually be used for more extensive profiling.

The records span from October 2020 through the end of 2024 and show that CBP swabbed the cheeks of between 829,000 and 2.8 million people. Experts estimate that the true figure, excluding duplicates, is likely well over 1.5 million.

That number includes as many as 133,539 children and teenagers. These figures mark a sweeping expansion of biometric surveillance—one that explicitly targets migrant populations, including children. (Dhruv Mehrotra / Wired)

They say the campaign carries the hallmarks of a nation-state threat actor, though they made no concrete attributions.

The threat monitoring firm reports that the attacks combine brute-forcing login credentials, bypassing authentication, and exploiting older vulnerabilities to compromise ASUS routers, including the RT-AC3100, RT-AC3200, and RT-AX55 models.

Specifically, the attackers exploit an old command injection flaw tracked as CVE-2023-39780 to add their own SSH public key and enable the SSH daemon to listen on the non-standard TCP port 53282. These modifications allow the threat actors to retain backdoor access to the device even between reboots and firmware updates.

GreyNoise reports logging just 30 malicious requests associated with this campaign over the past three months, though 9,000 ASUS routers have been infected.

ASUS has released security updates that address CVE-2023-39780 for the impacted routers, though the exact time of availability varies per model. (Bill Toulas / Bleeping Computer)

Related: GreyNoise, GreyNoise Labs, SCMedia, Ars Technica, r/technology, CyberInsider, TechTimes, Cybernews, Security Affairs, Cyber Security News

Brute force attacks. Source: GreyNoise.

Researchers at Google's Threat Intelligence Group say that the Chinese APT41 hacking group used a new malware named 'ToughProgress' that exploits Google Calendar for command-and-control (C2) operations, hiding malicious activity behind a trusted cloud service.

Google identified and dismantled attacker-controlled Google Calendar and Workspace infrastructure and introduced targeted measures to prevent such abuse in the future.

Google's Safe Browsing blocklist was also updated accordingly. Users will receive a warning when visiting associated sites, and traffic from those sites will be blocked across all of the tech giant's products.

The report does not name any specific compromised organizations or victims, but Google says it notified them directly in collaboration with Mandiant. Google also shared ToughProgress samples and traffic logs with victims to help them pinpoint infections in their environments. (Bill Toulas / Bleeping Computer)

Related: Google, CyberScoop, GBHackers, TechNadu, Gigazine, The Stack

ToughProgress campaign overview. Source: Google.

Berkeley Research Group, a financial advisory firm working on multiple church bankruptcy cases, including the Baltimore Archdiocese, said it has not found evidence that data stolen in a cybersecurity breach has appeared online.

Timothy Karcher, a partner at Proskauer Rose LLP, stated on behalf of Berkeley Research Group LLC that the company made a payment to the "threat actor" and obtained a "destruction log" along with an assurance that the data had been deleted. (Ed. Note: Most cyber professionals believe threat actors lie about destroying data they stole.)

The firm said the FBI is also investigating the breach and has not found evidence that the perpetrators sought out data related to the 12 bankruptcy cases involving sexual abuse. When BRG announced the breach, the company said it impacted at least ten bankruptcy proceedings involving dioceses and archdioceses nationwide, including Baltimore, Albany, Rochester, and Utica, New York, and several in California.

BRG said the number of potential people exposed was unclear. (Christian Olaniran / CBS News Baltimore)

Related: The Daily Record, The Baltimore Sun

Information was stolen from NHS trusts in the latest cyberattack on the UK health service, raising concerns that patient data might be vulnerable in such incidents.

University College London Hospitals NHS Foundation Trust and University Hospital Southampton NHS Foundation Trust have been named as those exposed via a recently discovered exploit.

Evidence shows that the data was accessed maliciously and taken clandestinely after hackers exploited holes in the software.

In this case, the vulnerability was in a piece of software called Ivanti Endpoint Manager Mobile (EPMM), a program that helps businesses manage employee phones.

The hole in Ivanti's software was first discovered on 15 May, and it has since been fixed - although there are warnings that systems previously exploited could still be vulnerable.

The vulnerability in Ivanti's software allowed hackers to access, explore, and run programs on their target's systems. (Tim Baker / Sky News)

Related: ITPro, Computing, City AM, Tech Digest

IT specialist Dan Williams discovered that the locations of tens of millions of Virgin Media O2 mobile customers were exposed for up to two years because of a network security flaw, which has been reported to the UK’s communications and data protection regulators.

The defect meant that the location of any of Virgin Media O2's phone customers with a device capable of making a 4G call could be tracked to the nearest mobile mast by anyone with a Virgin Media O2 SIM card.

Customers' locations could be tracked most precisely in urban areas, where mobile masts are often attached to lampposts and cover areas as small as 100 square metres.

Williams alerted Virgin Media O2 to the issue in March, but was “extremely disappointed” not to receive a response until he published his findings on a blog in May. (Kieren Smith / Financial Times)

Related: Mast Database, Mobile ID World, Fudzilla, Dark Reading

A University of Chicago Medicine Medical group cybersecurity breach in July may have exposed personal information of 38,000 patients.

The exposed data includes names, Social Security numbers, addresses, dates of birth, medical information, and financial account information.

Third-party debt collection vendor Nationwide Recovery Systems notified UChicago Medicine on April 8 that the data breach occurred in July 2024.

A UChicago Medicine statement said, "From July 5, 2024, to July 11, 2024, an unauthorized individual accessed NRS systems and obtained information from certain files and folders. Upon learning of this, NRS took steps to terminate the unauthorized access and make enhancements to further secure their systems." (Doug Cunningham / UPI)

Related: CBS News, Chicago Tribune, ABC7, Teiss, Hoodline, UChicago Medicine, Chicago Sun-Times

According to security analysts at Cyvers, the attacker withdrew 3,761.87 wstETH using a malicious contract.

As of writing, the exploiter has only swapped the stolen funds for ETH. The funds have not yet been scattered across several wallets, as onchain hackers typically do.

Phil Fogel, founder of Cork Protocol, confirmed the incident and said the team was probing the cause. “We are investigating a potential exploit on Cork Protocol and are pausing all contracts,” Fogel wrote on X. “We will report back with more information.” (Naga Avan-Nomayo / The Block)

Related: Cointelegraph, The Defiant, CryptoNinjas, CoinDesk, The Crypto Times, crypto.news, CoinCentral, The Defiant, Invezz, The Record

Researchers at Oasis Security report that using Microsoft OneDrive to upload a file to ChatGPT, Slack, or Zoom could result in a user handing over access to more than one file.

In certain circumstances, the applications using Microsoft’s official OneDrive File Picker may get full read access to a OneDrive account in addition to write access.

This broad access stems from a limitation in Microsoft’s OAuth implementation within File Picker that researchers described as “a lack of fine-grained permissions scopes.”

According to Oasis, all versions of the OneDrive File Picker request permissions that allow them to read the user’s entire OneDrive drive for the “upload” process and write anywhere on the drive for the “download” process.

However, version 7.0 of the File Picker specifically requests both read and write permissions for the upload process. (Shweta Sharma / CSO Online)

Related: Oasis Security, Silicon Angle, GBHackers, HackRead, Security Week, InfoSecurity Magazine, SCMedia, Dark Reading
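The consent-scope problem Oasis describes is easiest to catch at the authorization step: the OAuth authorize URL an integration redirects the user to lists every permission it will receive. The script below, an added example and not Oasis's or Microsoft's code, parses that URL and classifies the requested Microsoft Graph file scopes as drive-wide or per-file so a reviewer can compare them with what the flow actually needs (one file read for an "upload", one file written for a "download"). The scope names are real Microsoft Graph delegated permission names that the page itself does not list, the drive-wide/per-file grouping is this example's own, and the two authorize URLs are constructed samples with a placeholder client_id.

```python
from __future__ import annotations

from urllib.parse import parse_qs, urlsplit

# Microsoft Graph delegated permissions for OneDrive files, grouped by how
# much of the drive they expose. The grouping is this example's assumption;
# the page only says the File Picker lacks fine-grained scopes.
DRIVE_WIDE_READ = {"Files.Read", "Files.Read.All", "Sites.Read.All"}
DRIVE_WIDE_WRITE = {"Files.ReadWrite", "Files.ReadWrite.All", "Sites.ReadWrite.All"}
PER_FILE = {"Files.Read.Selected", "Files.ReadWrite.Selected"}

# What each File Picker flow genuinely needs: one file in, or one file out.
FLOW_NEEDS = {"upload": "read access to the one picked file",
              "download": "write access to the one chosen location"}


def requested_scopes(authorize_url: str) -> list[str]:
    """Return the scope names in an OAuth 2.0 authorize URL.

    Handles both bare names ("Files.Read") and resource-qualified names
    ("https://graph.microsoft.com/Files.Read").
    """
    query = parse_qs(urlsplit(authorize_url).query)
    raw = query.get("scope", [""])[0].split()
    return [s.rsplit("/", 1)[-1] for s in raw]


def classify_scopes(authorize_url: str) -> dict[str, list[str]]:
    """Bucket the requested scopes. A ReadWrite scope implies read, so it is
    listed under both drive-read and drive-write."""
    buckets: dict[str, list[str]] = {"drive-read": [], "drive-write": [],
                                     "per-file": [], "other": []}
    for name in requested_scopes(authorize_url):
        if name in DRIVE_WIDE_WRITE:
            buckets["drive-write"].append(name)
            buckets["drive-read"].append(name)
        elif name in DRIVE_WIDE_READ:
            buckets["drive-read"].append(name)
        elif name in PER_FILE:
            buckets["per-file"].append(name)
        else:
            buckets["other"].append(name)  # openid, offline_access, ...
    return buckets


def excess_scopes(authorize_url: str, flow: str) -> list[str]:
    """Scopes that grant more than FLOW_NEEDS[flow]; an empty list means the
    request is consistent with least privilege for that flow."""
    if flow not in FLOW_NEEDS:
        raise ValueError(f"unknown flow {flow!r}")
    buckets = classify_scopes(authorize_url)
    seen: list[str] = []
    for name in buckets["drive-read"] + buckets["drive-write"]:
        if name not in seen:
            seen.append(name)
    return seen


def report(authorize_url: str, flow: str) -> str:
    """Human-readable verdict for a consent review."""
    excess = excess_scopes(authorize_url, flow)
    if not excess:
        return f"{flow}: scopes are limited to {FLOW_NEEDS[flow]}"
    return (f"{flow}: needs {FLOW_NEEDS[flow]} but requests drive-wide "
            f"scope(s) {', '.join(excess)}")


# Constructed sample URLs (client_id is a placeholder). The first mirrors the
# broad read+write request the page attributes to File Picker 7.0; the second
# is what a per-file request would look like.
BROAD_UPLOAD_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=CLIENT_ID_PLACEHOLDER&response_type=token"
    "&scope=openid%20Files.ReadWrite.All%20offline_access"
)
PER_FILE_UPLOAD_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=CLIENT_ID_PLACEHOLDER&response_type=token"
    "&scope=openid%20https://graph.microsoft.com/Files.Read.Selected"
)

if __name__ == "__main__":
    print(report(BROAD_UPLOAD_URL, "upload"))
    print(report(PER_FILE_UPLOAD_URL, "upload"))
```

Run it against the authorize URL captured from your own integration's consent redirect (a browser devtools network trace is enough); anything in the drive-read or drive-write bucket is a token that, if leaked or misused by the third-party app, exposes far more than the file the user meant to share.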

Researchers at Darktrace report that a newly discovered Go-based Linux botnet malware named PumaBot is brute-forcing SSH credentials on embedded IoT devices to deploy malicious payloads.

The targeted nature of PumaBot is also evident from the fact that it goes after specific IPs drawn from lists pulled from a command-and-control (C2) server rather than scanning the broader internet.

The malware receives a list of target IPs from its C2 (ssh.ddos-cc.org) and attempts brute-force logins on port 22 wherever SSH is exposed.

During this process, it checks for the presence of a "Pumatronix" string, which Darktrace believes could correspond to the vendor's targeting of surveillance and traffic camera systems.

Once the targets have been established, the malware receives credentials to test against them. If successful, it runs 'uname -a' to get environment information and verify the targeted device is not a honeypot.

Next, it writes its main binary (jierui) to /lib/redis and installs a systemd service (redis.service) to secure persistence across device reboots.

Finally, it injects its own SSH key into the 'authorized_keys' file to maintain access even after a cleanup that removes the primary infection.

To defend against botnet threats, upgrade IoTs to the latest available firmware version, change default credentials, put them behind firewalls, and keep them in separate networks isolated from valuable systems. (Bill Toulas / Bleeping Computer)

Related: Darktrace, GovInfoSecurity, Security Affairs
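Both the ASUS router campaign above and PumaBot end in the same place: an attacker-controlled SSH key in authorized_keys, plus either an SSH daemon on a non-standard port (53282 in the ASUS case) or a systemd unit that restarts a binary dropped under /lib. The audit below, an added example that is not GreyNoise's, Darktrace's, or ASUS's code, takes a snapshot of a Linux or embedded host (listening sockets from `ss -tlnp`, the authorized_keys file, and systemd unit files) and reports the artefacts described in those two items. The port and the /lib/redis/jierui and redis.service paths come from the page; the sample snapshot, the approved-key allowlist, the trusted executable directories, and all key blobs are constructed for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Values taken from the page: the non-standard sshd port from the ASUS
# campaign and the PumaBot persistence paths.
SUSPECT_SSH_PORTS = {53282}
SUSPECT_PATHS = {"/lib/redis/jierui", "/etc/systemd/system/redis.service"}

# Assumption for this example: where a legitimate unit's ExecStart binary
# normally lives. A service started from anywhere else deserves a look.
TRUSTED_EXEC_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/",
                     "/usr/lib/", "/usr/libexec/", "/opt/")


@dataclass(frozen=True)
class Finding:
    check: str
    detail: str


def check_listeners(ss_output: str) -> list[Finding]:
    """Flag sshd/dropbear listening on any port other than 22.
    Input is the text of `ss -tlnp`; the header line is skipped."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 6 or cols[0] != "LISTEN":
            continue
        if not re.search(r'"(sshd|dropbear)"', cols[5]):
            continue
        port = int(cols[3].rsplit(":", 1)[1])
        if port != 22:
            kind = "known-campaign port" if port in SUSPECT_SSH_PORTS else "non-standard port"
            findings.append(Finding("ssh-listener", f"SSH daemon on {port} ({kind})"))
    return findings


def check_authorized_keys(contents: str, approved: set[str]) -> list[Finding]:
    """Flag every key whose 'type blob' pair is not on the approved allowlist.
    Handles entries with leading options (from=, command=) and no comment."""
    findings = []
    for line in contents.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        idx = next((i for i, p in enumerate(parts)
                    if p.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(parts):
            findings.append(Finding("authorized-keys", f"unparseable entry: {line[:40]}"))
            continue
        key = f"{parts[idx]} {parts[idx + 1]}"
        if key not in approved:
            comment = " ".join(parts[idx + 2:]) or "(no comment)"
            findings.append(Finding("authorized-keys", f"unapproved key: {comment}"))
    return findings


def check_unit(unit_path: str, unit_text: str) -> list[Finding]:
    """Flag units that match a known artefact or start a binary from an
    untrusted directory (PumaBot's redis.service -> /lib/redis/jierui)."""
    findings = []
    for m in re.finditer(r"^ExecStart=\s*-?(\S+)", unit_text, re.M):
        exe = m.group(1)
        if exe in SUSPECT_PATHS or unit_path in SUSPECT_PATHS:
            findings.append(Finding("systemd-unit", f"{unit_path} starts known artefact {exe}"))
        elif not exe.startswith(TRUSTED_EXEC_DIRS):
            findings.append(Finding("systemd-unit", f"{unit_path} starts {exe} from an untrusted path"))
    return findings


def audit(snapshot: dict) -> list[Finding]:
    """Run every check over a host snapshot dict and return all findings."""
    out = check_listeners(snapshot["ss"])
    out += check_authorized_keys(snapshot["authorized_keys"], snapshot["approved_keys"])
    for path, text in snapshot["units"].items():
        out += check_unit(path, text)
    return out


# Constructed sample snapshot of a compromised host; key blobs are placeholders.
SNAPSHOT = {
    "ss": (
        "State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process\n"
        'LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=640,fd=3))\n'
        'LISTEN 0      128    0.0.0.0:53282      0.0.0.0:*         users:(("sshd",pid=812,fd=3))\n'
        'LISTEN 0      511    127.0.0.1:6379     0.0.0.0:*         users:(("redis-server",pid=700,fd=6))\n'
    ),
    "authorized_keys": (
        "# constructed sample\n"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleApprovedKeyBlob admin@ops\n"
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleUnknownKeyBlob\n"
    ),
    "approved_keys": {"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleApprovedKeyBlob"},
    "units": {
        "/etc/systemd/system/redis.service":
            "[Unit]\nDescription=redis\n[Service]\nExecStart=/lib/redis/jierui\n"
            "Restart=always\n[Install]\nWantedBy=multi-user.target\n",
        "/lib/systemd/system/ssh.service":
            "[Service]\nExecStart=/usr/sbin/sshd -D\n",
    },
}

if __name__ == "__main__":
    for f in audit(SNAPSHOT):
        print(f"[{f.check}] {f.detail}")
```

On a real host, feed the functions the live `ss -tlnp` output, the contents of each user's authorized_keys, and the unit files under /etc/systemd/system and /lib/systemd/system; the allowlist of approved keys is the piece you have to maintain yourself, and it is also what makes the authorized_keys check useful after a cleanup that only removed the dropped binary. On routers without systemd, the listener and authorized_keys checks still apply.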

Researchers at QuorumCyber say that the Interlock ransomware gang is deploying a previously undocumented remote access trojan (RAT) named NodeSnake against educational institutions for persistent access to corporate networks.

Interlock's latest attacks on educational institutions start with phishing emails carrying malicious links or attachments that lead to NodeSnake RAT infections.

Once active on the infected machine, it collects key metadata about the user, running processes, services, and network configurations and exfiltrates it to the C2.

The existence of NodeSnake and its continuous development is an indication of Interlock's continued evolution and focus on long-term stealthy persistence. (Bill Toulas / Bleeping Computer)

Related: Quorum Cyber, SecurityLab.ru

American banking and financial industry advocacy groups have petitioned the Securities and Exchange Commission to repeal its cybersecurity incident public disclosure requirements.

Five US banking groups led by the American Bankers Association asked the regulator to remove its rule in a May 22 letter, arguing that disclosing cybersecurity incidents “directly conflicts with confidential reporting requirements intended to protect critical infrastructure and warn potential victims.”

The group, including the Securities Industry and Financial Markets Association, the Bank Policy Institute, Independent Community Bankers of America, and the Institute of International Bankers, claimed that the rule compromises regulatory efforts to enhance national cybersecurity. (Martin Young / Cointelegraph)

Related: Bank Policy Institute, Sifma, The Cyber Express, ICBA, SC Media, PYMNTS, Banking Exchange, Korea IT Times, Finextra, Cryptotimes

Russian President Vladimir Putin said that Western tech companies still operating in Russia but acting against the country’s interests should be “strangled,” as authorities seek to replace foreign software and services with domestic alternatives.

“We need to strangle them… I say this without hesitation,” Putin told business leaders at a Kremlin meeting, responding to complaints from Iva Technologies CEO Stanislav Iodkovsky, who said local firms were “losing billions” because companies like Zoom and Microsoft had not fully withdrawn from the Russian market.

“We must respond in kind, mirror their actions,” the Kremlin leader added. Asked about Russian consumers still relying on foreign software and services, Putin said his proposal would help rid them of “bad habits.”

Hundreds of Western companies have left Russia or scaled back their operations in the country since its full-scale invasion of Ukraine in February 2022. In response, the Kremlin has imposed steep exit costs on remaining firms. (The Moscow Times)

Related: The Register, Fortune, Meduza, Business Insider, The Kyiv Independent, Anadolu Ajansi, The Daily Beast, UNN.ua

According to a document shared with member countries and people familiar with the matter, NATO started negotiations with countries on what will be allowed under its new spending target that it plans to adopt at a June summit. The total spending target will be 5% of GDP, with 3.5% on hard defense expenditures and 1.5% on defense-related outlays.

According to the document, other expenditures that may qualify for the 1.5% portion include protecting critical infrastructure spending, non-defense intelligence agencies, and space-related activities.

A broader definition of what qualifies as a defense-related outlay would make it easier for countries to meet the target, and some nations are lobbying for expenditures such as counter-terrorism to be included. (Donato Paolo Mancini, Andrea Palasciano, Daniel Basteiro, and Jasmina Kuzmanovic / Bloomberg)

Related: Cyber Daily, Breaking Defense

Cerby, a provider of a platform for identity security automation, raised $40 million in a Series B venture funding round.

DTCP led the round with participation from existing backers, including Okta Ventures, Salesforce Ventures, and Two Sigma Ventures. (Kyt Dotson / Silicon Angle)

Related: Cerby, Pulse 2.0, Security Week, FinSMEs, GuruFocus, PYMNTS, Tech Funding News

Defense and information technology company Leidos announced today it acquired Kudu Dynamics, a cybersecurity and networks company, for $300 million to beef up its artificial intelligence-enabled offensive cyber and electronic warfare capabilities.

Leidos’ expertise, coupled with Kudu’s strength in vulnerability research and exploit development — the practice of finding weak points in an adversary’s cyber or electronic warfare structure and then finding a way in — is a “really good match,” Roy Stevens, president of Leidos National Security Sector, said. (Carley Welch / Breaking Defense)

Related: PR Newswire, GovConWire, WashingtonExec, Defense News, Defense Daily, The Business Journals, Washington Technology, TipRanks, GuruFocus

Best Thing of the Day: I'm Going to Punch Your Eyes Out

Google co-founder Sergey Brin claims that threatening generative AI models produces better results.

Bonus Best Thing of the Day: It May Be B.S. But It's Still a Good Sign

Whining endlessly that DOGE was accurately blamed for cruel and destructive behavior, the world's most prosperous and luckiest man, Elon Musk, claims he's leaving government service.

Worst Thing of the Day: Can't Even Sh*tpost on YouTube Anymore

A new service called YouTube-Tools uses a modified large language model created by the company Mistral to generate a background report on YouTube commenters based on their conversations, enabling it to find every comment every YouTube user has left on every video.
