UK spy chief warns of escalating Russian cyber aggression
India's banking and government institutions are testing Mythos, Charter confirms breach claimed by ShinyHunters, Play ransomware gang hit Mike Lindell's MyPillow, Fake UK visa portal exposes passports and selfies, CrowdStrike shuttered C2 for Glassworm botnet, much more

Everyone is racing to adopt AI. But if your security foundation is weak, AI won’t save you — it will amplify the risk.
That’s the core message behind my just-published new book, The NIST 2.0 Cybersecurity Framework: Practical Risk Management Using Real-World Incidents. Rather than treating cybersecurity as a compliance exercise, the book shows how organizations can build resilient security programs grounded in real operational failures and lessons learned.
Wiley is currently offering Metacurity readers a 20% discount with code ENG20. Don't wait! Order your copy today! Email me to find out about bulk purchases for your organization or special customized print runs for your team.
The UK is at a "moment of consequence" as Russia is "relentlessly targeting" critical infrastructure, the UK's largest spy agency will warn.
GCHQ Director Anne Keast-Butler will set out threats facing the UK and the measures she believes need to be taken to confront them when she makes her inaugural public speech on Wednesday.
In excerpts from her address, Keast-Butler singles out Russia for "targeting critical infrastructure, democratic processes, supply chains and public trust".
Russia has been blamed for a string of espionage plots on British soil and, more recently, for waging an undeclared 'hybrid war' against the UK and other Nato countries. The Kremlin has denied the allegations.
Keast-Butler says GCHQ is working tirelessly to fend off cyber attacks and counter what she calls "reckless sabotage and assassination attempts".
She adds: "In the face of such aggression and chaos, GCHQ is working tirelessly with intelligence and Defence partners to degrade and reduce the Russian threat." (Frank Gardner / BBC News)
Related: Associated Press, The Guardian, Independent, Sky News, The Times, CNN, CNBC, Telegraph, New York Times
India is undertaking tests of some of its most sensitive public-facing financial and government application software to better understand their vulnerabilities to Anthropic PBC’s next-generation Mythos AI model, according to Indian officials familiar with the matter.
Indian technology giants Infosys Ltd. and Tata Consultancy Services Ltd. are among companies carrying out the tests of their software for vulnerabilities in a secure environment to Mythos, the officials said, asking not to be identified because the discussions are private. Infosys, in particular, is looking to devise patches to its widely used Finacle banking software, they said.
Separately, India’s state-run cybersecurity agency CERT-In is carrying out tests of key digital infrastructure, including the Aadhaar national ID program and government login systems, the officials said. The companies, which don’t currently have access to Mythos, are using Anthropic’s Claude Opus 4.7 AI software to patch vulnerabilities, they said. (Rajesh Roy, Ruchi Bhatia, and Sudhi Ranjan Sen / Bloomberg)
Related: Crypto Briefing, Guru Focus, Varindia, Analytics India, GK Today
US telecom giant Charter Communications has confirmed it suffered a data breach after the ShinyHunters extortion group threatened to leak stolen data unless a ransom is paid.
The company said it is alerting authorities about the incident and that no sensitive personal customer information was stolen.
"We are aware of the situation, following our security protocols and are in the process of alerting appropriate authorities," Charter said in a statement.
"No sensitive personal information (PI) or customer proprietary network information (CPNI) data was exfiltrated by the threat actor as a result of recent activity."
This statement follows Charter's listing on the ShinyHunters data leak site, where attackers claimed to have stolen 40 million records containing the personal information of consumer and business customers. (Lawrence Abrams / Bleeping Computer)
Related: SC Media, Tom's Guide, Cyber Insider, Komando

A ransomware gang claims to have hacked MyPillow, the company founded by 2020 election conspiracy theorist and Minnesota gubernatorial candidate Mike Lindell.
In a post to its blog on the dark web on Monday, the ransomware gang known as “Play” said it was able to steal a wide range of private information from the Minnesota-based company: “private and personal confidential data, clients’ documents, budget, payroll, IDs, taxes, finance information, etc.,” the hackers wrote. (Mikael Thalen / Straight Arrow News)
Related: The Register
A website called UK Visa Portal is publicly exposing the passports and selfie photos of applicants who signed up and paid the site to obtain a UK immigration visa.
An anonymous person notified TechCrunch about the security lapse, saying that the website is exposing at least 100,000 documents from people who uploaded their passports and selfies to the website as part of the application process.
The website is not affiliated with the UK government, and some have complained that they mistakenly paid a fee to this company instead of using the official GOV.UK website.
TechCrunch has not heard back from the UK Visa Portal’s management. The security lapse has still not been fixed. (Zack Whittaker / TechCrunch)
Related: Business Today, Zamin
Metacurity is the only daily cybersecurity briefing built for clarity, not agendas—no vendor spin, no echo chamber, just sharp, original aggregation and analysis of what actually matters to security leaders.
If you rely on Metacurity to cut through the noise on policy, industry shifts, and security research, consider supporting us with a paid subscription. Independent coverage like this only exists because readers decide it’s worth it.
Security vendor CrowdStrike reports that it has taken down the command and control (C2) channels used by the operators of the Glassworm botnet, which has targeted developers since last year.
Earlier reports suggested the self-replicating malware's infrastructure was unkillable due to the use of the immutable and distributed Solana public blockchain for C2 dead drops.
CrowdStrike wrote in its analysis that the Glassworm operators went further in their efforts to create resilient infrastructure, using the BitTorrent peer-to-peer (P2P) network's distributed hash table (DHT) for configuration data, stored against hard-coded public keys.
Using the BitTorrent DHT enabled the Glassworm operators to leverage a large global network with no single point of failure.
In addition, Glassworm is set up to use Google Calendar event titles as dead drops for C2 paths, encoded with Base64, and the malware also uses commercial virtual private service providers to deliver its final payload.
"Disrupting this architecture required precision and timing," CrowdStrike said.
"Taking down only one channel would have left the others operational, allowing the operators to reconstitute quickly." (Juha Saarinen / IT News)
Related: CrowdStrike, CyberSecurityNews
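As an added illustration (not code from CrowdStrike's report or the IT News story), the heuristic below shows how a defender could scan calendar event titles for the Base64-encoded dead-drop pattern described above: a title is flagged only when it is canonical Base64 that decodes to printable ASCII looking like an absolute URL or a Unix-style path. The event titles are constructed samples, and the token regex, path regex and minimum length are assumptions of this example.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Constructed sample event titles (not real Glassworm data). Two are Base64
# encodings of a URL and a path, built here so the encoding is exact.
SAMPLE_TITLES = [
    "Team sync",
    base64.b64encode(b"https://c2.example/api/v1/tasks").decode(),
    base64.b64encode(b"/update/stage2.bin").decode(),
    "Dentist 3pm",
    base64.b64encode(b"ABCDEF").decode(),  # valid Base64, but not a URL or path
]

# Assumed shape of a Base64 token: standard alphabet, at least 8 chars, padded.
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")
# Assumed shape of a Unix-style absolute path made of simple segments.
PATH_LIKE = re.compile(r"(/[\w.\-]+)+")


def strict_b64decode(token: str):
    """Return the decoded text if `token` is canonical Base64 of printable
    ASCII, otherwise None. Re-encoding must reproduce the token exactly, which
    rejects many ordinary words that merely look Base64-shaped."""
    if not B64_TOKEN.match(token) or len(token) % 4:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    if base64.b64encode(raw).decode() != token:
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def looks_like_c2_path(text: str) -> bool:
    """Heuristic: an absolute http(s) URL with a host, or a Unix-style path."""
    if PATH_LIKE.fullmatch(text):
        return True
    parsed = urlparse(text)
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)


def scan_titles(titles):
    """Return (title, decoded) pairs whose decoded form looks like a C2 path."""
    hits = []
    for title in titles:
        decoded = strict_b64decode(title.strip())
        if decoded is not None and looks_like_c2_path(decoded):
            hits.append((title, decoded))
    return hits


if __name__ == "__main__":
    for title, decoded in scan_titles(SAMPLE_TITLES):
        print(f"suspicious event title {title!r} decodes to {decoded!r}")
```

In practice the titles would come from an audit export of the organization's calendar data rather than a hard-coded list; the value of the check is that legitimate titles almost never survive the canonical-Base64 round trip and the URL/path test together, so the false-positive rate stays low even on large exports.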

Google Threat Intelligence Group (GTIG) recently analyzed a dozen active Chinese-language phishing-as-a-service (PhaaS) offerings, identifying a rapidly growing underground ecosystem.
Departing from traditional static password harvesting, these sophisticated threat actors now prioritize real-time interception and tokenization techniques. By utilizing live administration panels, attackers can instantly capture one-time passcodes (OTPs) and successfully bypass multifactor authentication (MFA) protocols.
To distribute these threats, Chinese-language operators heavily leverage encrypted communication protocols, specifically RCS and Apple iMessage, according to GTIG. The primary tactical objective focuses on exploiting digital wallet provisioning.
GTIG says the proliferation of the Chinese-language PhaaS ecosystem underscores a need for technical security controls that go beyond user education and recommends transitioning to FIDO2/WebAuthn infrastructure paired with risk-based verification and device fingerprinting against the real-time interception of account authentication OTPs.
Google also recommends making the victim's credentials technically impossible to weaponize. (Lore Apostol / TechNadu)
Related: Google, Resecurity, Help Net Security

The FBI warned that the Silent Ransom Group (SRG) extortion gang is now targeting US-based law firms with in-person data theft attacks.
"As of Spring 2026, SRG actors use a social engineering scheme to pose as an employee from the victim's IT department. SRG actors either directly call or send phishing emails to urge employees to call the SRG actor posing as IT support," the FBI warned in a flash alert.
"While on the phone, the SRG actor directs the employee to grant access to a remote desktop session. If that attempt fails, SRG sends a threat actor to the victim's location to gain access to insert a storage device into the victim's computer."
By going to the victim's location in person, the malicious actors can steal data by connecting USB drives or external hard drives to the victim's computer.
The FBI included the unauthorized installation of external hard drives or USB drives on company computers, and the presence of unidentified or unauthorized individuals claiming to be IT support and attempting to access computers, as possible indicators of an SRG attack. (Sergiu Gatlan / Bleeping Computer)
Related: IC3
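As an added example (not from the FBI alert or the Bleeping Computer article), the script below turns the two indicators the FBI lists into a simple correlation rule over endpoint logs: an unapproved removable storage device is flagged on its own, and flagged at higher severity when it follows a remote desktop logon on the same host within 30 minutes. The log lines are constructed, and the field names, allowlist, storage class names and time window are assumptions of this example rather than any product's schema.

```python
import json
from datetime import datetime, timedelta

# Constructed Windows Security log records as JSON lines, the shape a SIEM
# forwarder might emit. Field names loosely follow Event ID 6416 (new external
# device recognized) and 4624 (logon; logon_type 10 is RemoteInteractive/RDP).
# The exact keys are an assumption of this example.
SAMPLE_LOG = r"""
{"ts": "2026-05-05T09:02:11Z", "host": "LAW-WS-017", "event_id": 4624, "logon_type": 10, "user": "jdoe", "src_ip": "10.8.4.22"}
{"ts": "2026-05-05T09:15:40Z", "host": "LAW-WS-017", "event_id": 6416, "class_name": "DiskDrive", "device_id": "USBSTOR\\DISK&VEN_GENERIC&PROD_FLASH\\0123456789", "user": "jdoe"}
{"ts": "2026-05-05T10:01:05Z", "host": "LAW-WS-003", "event_id": 6416, "class_name": "DiskDrive", "device_id": "USBSTOR\\DISK&VEN_CORP&PROD_BADGE\\CORP-0001", "user": "asmith"}
{"ts": "2026-05-05T10:20:00Z", "host": "LAW-WS-003", "event_id": 6416, "class_name": "Keyboard", "device_id": "USB\\VID_0000&PID_0000", "user": "asmith"}
"""

# Assumed allowlist of corporate-issued drives, matched by device ID prefix.
APPROVED_PREFIXES = (r"USBSTOR\DISK&VEN_CORP&PROD_BADGE",)
# Assumed device classes that represent removable storage.
STORAGE_CLASSES = {"DiskDrive", "WPD"}
RDP_LOGON_TYPE = 10
WINDOW = timedelta(minutes=30)


def parse_events(text):
    """Parse JSON lines into events with timezone-aware timestamps, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def is_unapproved_storage(ev):
    """True for a 6416 event describing removable storage not on the allowlist."""
    return (
        ev["event_id"] == 6416
        and ev.get("class_name") in STORAGE_CLASSES
        and not ev.get("device_id", "").startswith(APPROVED_PREFIXES)
    )


def detect(events):
    """Flag unapproved storage inserts; raise severity when the same host saw an
    RDP logon within WINDOW beforehand (remote session followed by a drive)."""
    alerts = []
    last_rdp = {}  # host -> timestamp of the most recent RDP logon
    for ev in events:
        if ev["event_id"] == 4624 and ev.get("logon_type") == RDP_LOGON_TYPE:
            last_rdp[ev["host"]] = ev["ts"]
        elif is_unapproved_storage(ev):
            prior = last_rdp.get(ev["host"])
            correlated = prior is not None and ev["ts"] - prior <= WINDOW
            alerts.append({
                "host": ev["host"],
                "user": ev.get("user"),
                "device_id": ev["device_id"],
                "ts": ev["ts"].isoformat(),
                "severity": "high" if correlated else "medium",
                "reason": ("unapproved removable storage after remote desktop logon"
                           if correlated else "unapproved removable storage"),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert))
```

The allowlist is what keeps this from paging on every corporate badge reader or encrypted company drive; the correlation window is deliberately short because the FBI's description has the remote session and the physical visit as alternatives in one intrusion, so a drive appearing shortly after a remote logon on the same machine is the combination worth escalating first.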
BusPatrol, a company that has installed AI-powered cameras in tens of thousands of school buses around the US, now plans to turn those cameras into automatic license plate readers (ALPRs), capturing the location of every vehicle the buses drive past, and give that data to law enforcement.
The plan will essentially transform school buses into roaming surveillance vehicles, taking a technology that was originally designed to issue tickets to people illegally passing stopped buses and using it for much wider and general law enforcement, likely without a warrant.
BusPatrol has already taken steps to share the collected data with law enforcement contracting giant Axon, according to leaked BusPatrol documents and a source with knowledge of the plans. Internally, BusPatrol has acknowledged how controversial its plan to collect and share this data is, pointing specifically to concerns about ICE using license plate data, but emphasizes the likely success of selling the angle of protecting children. (Joseph Cox / 404 Media)
Related: Gizmodo
Prominent US telecommunications law firm Wiley Rein has been sued in a proposed class action alleging the firm failed to protect sensitive personal data stolen by hackers believed to be affiliated with the Chinese government.
The lawsuit was filed in the federal court in Washington by a Florida resident and seeks class-action status for potentially thousands of people.
The complaint alleges that cybercriminals accessed Microsoft 365 email accounts belonging to certain Wiley Rein personnel between July 2024 and June 2025 before the firm detected the intrusion last year.
The stolen data allegedly includes names, addresses, dates of birth, financial account numbers, medical information, and full or partial Social Security numbers, according to the lawsuit. The firm did not begin notifying victims until on or around March 6, 2026, the complaint said. (Mike Scarcella / Reuters)
Related: Bloomberg Law
The White House updated rules for federal agencies to keep logs of significant cyber activities in their networks, touting it as a measure to cut back on red tape and focus on how cybersecurity risks have evolved.
The Office of Management and Budget memorandum, released Friday, replaces a 2021 memo signed by then-President Joe Biden. It continues the revisions that Donald Trump has made to federal cybersecurity guidance under his predecessor.
The new memo, M-26-14, nods at the intentions of the earlier memo, M-21-31, saying that “Implementation of that memorandum improved foundational capabilities across agencies” to establish standards for logging and improve agencies’ record-keeping for the purposes of detecting and responding to cyberattacks.
There have been calls to update the 2021 memo, and one observer praised the new version to CyberScoop. Another analyst, however, questioned how much harm the Trump administration might do by rescinding the earlier memo before having all of the new memo’s directives in place. (Tim Starks / CyberScoop)
Related: White House, FEDWeek
Best Thing of the Day: If You Think a Government Is Spying on You...
Apple, Google, and Meta offer opt-in features specifically designed to counter targeted spyware attacks.
Bonus Best Thing of the Day: You Go, Girl
Valentina Palmiotti, better known as Chompie, was the most successful individual at the annual Pwn2Own hacking competition in Berlin (but is worried about the end of such bug competitions in the era of AI).
Worst Thing of the Day: The IRS Is At It Again
The Internal Revenue Service (IRS) is considering a proposal that would authorize ID.me to retain taxpayers’ biometric data for years, a change that would deepen the role of facial recognition in federal tax administration and revive privacy concerns that forced the IRS to retreat from a similar controversy four years ago.
Bonus Worst Thing of the Day: We Will Stop at Nothing Less Than Total Panopticon
China is overhauling the world’s largest surveillance network with advanced AI, giving the state more automated powers to track people, analyze behavior, and predict potential unrest in real time.
Extra Bonus Worst Thing of the Day: Don't Give Us Your Stinking Human Morality Hogwash
Jeremy Nixon, founder of Silicon Valley's AGI House, said Pope Leo's encyclical pleading for the tech industry to consider the damage to humanity AI poses might mean something to the world’s Catholics, but he doubted that it would have an effect on Silicon Valley.