US Senate confirms Cairncross as National Cyber Director

Dutch Caribbean offices hit by cyberattacks, SharePoint was supported by Chinese engineers, Hackers stole crypto now worth $14.5b from LuBian in 2020, CISA and USCG found a bunch of OT misconfigs, CISA unveils malware analysis platform Thorium, DHS to give $100m for state and local cyber, much more

Screenshot from Senate Homeland Security Committee's Consideration Of Key Trump Nominees on June 5.

A new era of cyberthreats from sophisticated threat actors is here, according to CrowdStrike's latest threat hunting report. Check out my latest CSO piece that outlines how defenders can protect against them.


A Special Appeal

Metacurity has been a labor of love for years, and I’m so grateful for your readership. Your support can help ensure I can continue delivering the carefully curated weekly long-reads and daily digests of the most critical developments in cybersecurity.

If you find value in what Metacurity offers, please consider upgrading to a paid subscription. We also provide corporate subscription options, and soon we’ll be introducing affordable sponsorship opportunities—perfect for promoting your events or products to a highly engaged audience.

To learn more, feel free to reach out at cynthia@metacurity.com.

Thank you so much for being part of the Metacurity community.

If you can't commit to a subscription, please consider donating what you can afford to help keep Metacurity free to all.


The Senate confirmed Sean Cairncross to serve as national cyber director in a 59-35 vote on Saturday night, making him the first Senate-approved cybersecurity official of President Donald Trump’s second term.

Cairncross is a former Republican National Committee official and was CEO of the Millennium Challenge Corporation agency during Trump’s first term. As national cyber director, he will be tasked with overseeing an office first stood up under the Biden administration, which serves as the key White House cyber policy interlocutor across federal agencies and Capitol Hill.

“I want to thank President Trump for this opportunity. It is an incredible honor to serve our country and this President as the National Cyber Director,” Cairncross said in a statement issued by the White House. “As the cyber strategic environment continues to evolve, we must ensure our policy efforts and capabilities deliver results for our national security and the American people. The United States must dominate the cyber domain through strong collaboration across departments and agencies, as well as private industry. Under President Trump’s leadership, we will enter a new era of effective cybersecurity policy.”

Cairncross is the third confirmed leader to take office. Chris Inglis was the office's first director when it was founded four years ago. Kemba Walden then led the office in an acting capacity, followed by Harry Coker, who was confirmed in December 2023. (David DiMolfetta / NextGov/FCW)

Related: Cyberscoop, WebProNews, The White House, McCrary Institute, The Record, Security Week

Key institutions in the Caribbean part of the Dutch Kingdom were hit by a hack last week.

First, the Curaçao Tax Authority was hit by a ransomware attack, knocking out telephone customer service and in-person assistance, which authorities say should resume operations today.

A virus has also been found in the IT system at the Court of Justice, which operates on all six Caribbean islands. For security reasons, the computer system has been taken offline. Several cases scheduled for hearing last week were postponed, but according to the court, most cases have gone ahead. Work is still underway to restore the systems.

The official email accounts of Aruban parliamentarians were also hacked. The consequences are still unclear. Authorities in Sint Maarten have warned businesses and institutions to be extra vigilant due to the incidents on the Caribbean islands. (NOS)

Related: NL Times

Last month, when Microsoft announced that Chinese state-sponsored hackers had exploited vulnerabilities in SharePoint, it failed to mention that support for SharePoint is handled by a China-based engineering team that has been responsible for maintaining the software for years.

ProPublica viewed screenshots of Microsoft’s internal work-tracking system that showed China-based employees recently fixing bugs for SharePoint “OnPrem,” the version of the software involved in last month’s attacks. The term, short for “on premises,” refers to software installed and run on customers’ own computers and servers.

Microsoft said the China-based team “is supervised by a US-based engineer and subject to all security requirements and manager code review. Work is already underway to shift this work to another location.”

It’s unclear if Microsoft’s China-based staff had any role in the SharePoint hack. But experts have said that allowing China-based personnel to perform technical support and maintenance on US government systems can pose significant security risks. (Renee Dudley / ProPublica)

Related: WinBuzzer, Axios, r/cybersecurity

Blockchain intelligence platform Arkham Intelligence said it uncovered a previously undisclosed heist of 127,426 Bitcoin, now worth nearly $14.5 billion, from Chinese mining pool LuBian in December 2020.

The heist appears to be the most significant theft of crypto in terms of overall value at the time of the heist, with $3.5 billion worth of BTC stolen. Though Mt. Gox lost about 744,000 BTC throughout its operation, the price of Bitcoin meant the coins were worth merely hundreds of millions of dollars at the time the exchange collapsed, rather than billions.

LuBian suddenly burst onto the mining scene in late April of 2020, growing quickly to become at one point the sixth-largest mining pool on the Bitcoin network. A message in Chinese on the pool's website referred to the pool as "the safest high-yielding mining pool in the world."

Then, LuBian vanished just as suddenly in February of 2021, leaving crypto investors to speculate that the pool may have been shut down by the Chinese government or had pivoted to a private pool. 

Yet according to Arkham's telling, LuBian shut down after a massive hack wiped out most of its reserves. Arkham speculated that a weakness in LuBian's private key generating algorithm could be to blame for the exploit.

The alleged hacker has not moved any of the BTC since July 2024. LuBian had sent messages to several attacking addresses through Bitcoin's OP_RETURN field. "To the whitehat who is saving our asset, you can contact us...to discuss the return of asset and your reward," the message across two transactions reads. (Zack Abrams / The Block)

Related: Arkham, Cryptopolitan, Crypto News, Crypto Briefing, Blockchain.News, BeInCrypto, CoinGape, CoinDesk, Cointelegraph

Analysts from the US Cybersecurity and Infrastructure Security Agency (CISA) and US Coast Guard (USCG) conducted a threat hunt engagement at a critical infrastructure organization, during which CISA proactively searched for evidence of malicious activity, or the presence of a malicious cyber actor, on the customer’s network using host, network, ICS, commercial cloud, and open-source analysis tools.

However, while reviewing IT–OT interconnectivity, CISA found the OT environment was misconfigured.

Key findings included shared local admin accounts with identical plaintext passwords, poor network segmentation between IT and OT environments, and inadequate log retention and logging practices. Additional findings covered misconfigured ‘sslFlags’ on a production server and misconfigured structured query language connections on a production server.

“While CISA did not find evidence of threat actor presence on the organization’s network, the team did identify several cybersecurity risks,” CISA and the USCG said. (Anna Ribeiro / Industrial Cyber)

Related: CISA, The Register

The US Cybersecurity and Infrastructure Security Agency (CISA) announced the public availability of Thorium, an open-source platform for malware and forensic analysts across the government, public, and private sectors.

Thorium was developed in partnership with Sandia National Laboratories as a scalable cybersecurity suite that automates many tasks involved in cyberattack investigations, and can schedule over 1,700 jobs per second and ingest over 10 million files per hour per permission group.

Security teams can use Thorium for automating and speeding up various file analysis workflows. (Sergiu Gatlan / Bleeping Computer)

Related: CISA, The Record, Security Affairs, ExecutiveGov, GitHub, CSO Online

The Department of Homeland Security announced it would provide more than $100 million to state, local, territorial, and tribal governments to improve their cybersecurity and resilience through the State and Local Cybersecurity Grant Program and Tribal Cybersecurity Grant Program.

The Cybersecurity and Infrastructure Security Agency and the Federal Emergency Management Agency jointly administer the program.

The funding includes $91.7 million for state and local governments “for a range of cybersecurity improvements, including planning and exercises, hiring experts in the community, and improving services for their citizens. The TCGP provides $12.1 million to tribal governments for similar uses,” CISA said. (Tom Leithauser / VitalLaw)

Related: CISA

Researchers at Palo Alto Networks' Unit 42 warn that ransomware gangs have recently joined ongoing attacks targeting a Microsoft SharePoint vulnerability chain, part of a broader exploitation campaign that has already led to the breach of at least 148 organizations worldwide.

Security researchers at Palo Alto Networks' Unit 42 have discovered a 4L4MD4R ransomware variant, based on open-source Mauri870 code, while analyzing incidents involving this SharePoint exploit chain (dubbed "ToolShell").

The ransomware was detected on July 27 after the discovery of a malware loader that downloads and executes the ransomware from the domain innovationfactory[.]it (145.239.97[.]206).

The loader was spotted following a failed exploitation attempt that revealed malicious PowerShell commands designed to disable security monitoring on the targeted device.

The 4L4MD4R ransomware encrypts files on the compromised system and demands a payment of 0.005 Bitcoin, generating ransom notes and encrypted file lists on infected systems. (Sergiu Gatlan / Bleeping Computer)

Related: Palo Alto Networks, WebProNews, Cyber Daily

4L4MD4R decryption instructions. Source: Unit 42.

Sources say the hackers who targeted telecom network Post Luxembourg are believed to have attacked Huawei routers and their operating software, in particular those that enable connection to European financial centres, from London to Paris, via Frankfurt or Amsterdam.

In an email sent to numerous players in Luxembourg, the department of the Luxembourg Regulatory Institute that oversees the cybersecurity and security of essential services networks and information systems is also inviting anyone using the “Huawei Enterprise router” in their network to contact their CSIRT, or Computer Security Incident Response Team.

Sources say the Chinese routers were the target of “a targeted cyberattack of a particularly advanced and sophisticated technical level. This malicious operation exploited a software vulnerability in a standardised component to cause a large-scale malfunction and widespread unavailability of services,” as Post described the incident.

A “standardised component” is a way of describing a piece of computer code that can be used in different situations to save time, to monitor a possible cyberattack better, or to be more efficient when updating. But, when compromised, it causes problems wherever it is present.

Beyond the cyberattack itself, the presence of hardware from the Chinese giant at the heart of Post’s infrastructure raises questions. After using Huawei equipment for 3G and 4G, Orange and Proximus abandoned the idea of using Huawei equipment for 5G amid global controversy, but the presence of this equipment at Post is more surprising. (Thierry Labro / PaperJam)

Related: CHD.lu, The Record, Luxembourg Times, RTL Today, Delano

In May, the legal aid agency announced that the personal data of hundreds of thousands of legal aid applicants in England and Wales dating back to 2010 had been accessed and downloaded in a significant cyber-attack.

Three months on, much of the legal aid system remains offline as services are being rebuilt, with lawyers unable to access records or bill for their services, particularly in civil cases.

Chris Minnoch, the chief executive of the Legal Aid Practitioners Group, said he had had members calling him in tears, staying up into the night waiting for payments to come through, and having to negotiate extended overdrafts.

Although the Legal Aid Agency has set up a contingency payment system, where legal aid practitioners can apply for weekly payments equivalent to the average they were paid in the three months running up to the hack, many said it was not enough.

One barrister working primarily on legal aid cases, who asked not to be named, said they were offered only £9.50 a week under the contingency scheme. (Jessica Murray / The Guardian)

Related: Gov.uk, Tech Radar, CISO Series, IT Pro, Counter Terror Business

Germany’s Einhaus Group, a leading mobile device insurance and service network, has initiated insolvency proceedings in the wake of a cyberattack.

According to German press reports, Einhaus was targeted by hackers in March 2023 and is understood to have paid a ransom of around $230,000 at the time.

However, the once large and successful company, with partnerships including Cyberport, 1&1, and Deutsche Telekom, struggled to recover from the service interruption and the obvious financial strains, which now appear to be fatal. (Mark Tyson / Tom's Hardware)

Related: WA.de, Golem.de, Red Hot Cyber

On July 31, 2025, internal conflicts between the Qilin ransomware group and one of its affiliates led to the public exposure of sensitive operational details, marking a rare glimpse into the inner workings of the operation.

The exposure began when a Qilin affiliate operating under the handle “hastalamuerte” publicly accused the ransomware group of conducting an exit scam, allegedly defrauding the affiliate of $48,000.

This dispute escalated when another cybercriminal known as “Nova,” associated with a competing ransomware group, released login credentials and access details to Qilin’s affiliate management panel on dark web forums.

The leaked information included administrative access to the group’s internal systems, which Qilin has been using to coordinate attacks against over 600 victims since 2022.

Among the high-profile targets compromised by Qilin operations are the Palau Health Ministry, Japan’s Utsunomiya Cancer Center, and Lee Enterprises in the United States. (Kaaviya / GBHackers)

Related: The Raven File, Databreaches.net, Cyber Daily

According to CrowdStrike's 2025 Threat Hunting report, the number of companies that hired North Korean software developers grew a staggering 220% during the past 12 months, and most of their success is due to automating and optimizing the workflow involved in fraudulently obtaining and holding tech jobs.

CrowdStrike said the IT workers infiltrated more than 320 companies in the past 12 months. 

Crowdstrike’s investigations revealed North Korea’s tech workers, an adversary Crowdstrike dubs “Famous Chollima,” used AI to scale every aspect of the operation. The North Koreans have used generative AI to help them forge thousands of synthetic identities, alter photos, and build tech tools to research jobs and track and manage their applications. In interviews, North Koreans used AI to mask their appearance in video calls, guide them in answering questions, and pass technical coding challenges associated with getting software jobs.

Critically, they now rely on AI to help them appear more fluent in English and well-versed in the companies where they’re interviewing. Once they get hired, the IT workers use AI chatbots to help with their daily work—responding in Slack, drafting emails—to make sure their written offerings appear technically and grammatically sound and to help them hold down multiple jobs simultaneously, CrowdStrike found.

Separately, a North Korean defector named "Jin-su" said in a rare interview that he sent back to Pyongyang 85% of the money he earned as an IT analyst working on behalf of the regime.

"We know it's like robbery, but we just accept it as our fate," Jin-su said. "It's still much better than when we were in North Korea." (Amanda Gerut / Fortune and Beth Godwin and Julie Yoonnyung Lee / BBC News)

Related: Cyberscoop, CrowdStrike, Silicon Angle

A group of former civilian leaders and retired military digital security brass called the Commission on Cyber Force Generation launched an effort that will spell out how the country should proceed in one day establishing a US Cyber Force.

The Commission will develop potential routes Congress and the White House could follow in creating a separate cyber service and aim to have completed the bulk of the work ahead of next year’s must-pass national defense authorization act (NDAA), according to panel co-chair Josh Stiefel, who previously served as a professional staff member on the House Armed Services Committee.

“The timing is right, with this administration, where I left in order to pursue this,” said Stiefel, now vice president for government affairs at Second Front, a defense technology and security firm. “I believe that there's this opportunity now to draw attention to this issue and make progress on it in a meaningful way.”

The committee was formed through a partnership between the Center for Strategic and International Studies and the Cyberspace Solarium Commission 2.0. 

Its 17-member board is composed of several former, high-ranking civilian leaders such as Michael Sulmeyer, the Pentagon’s first Senate-confirmed cyber policy chief, and George Barnes, who served as the No. 2 at the National Security Agency. It also boasts past cyber warfare chiefs from each military branch, including retired Admiral Michael Gilday, who served as Chief of Naval Operations, as well as experts from industry and academia.

Retired lieutenant general Ed Cardon, who led Army Cyber Command and will co-chair the commission with Stiefel, said the panel is “about generating speed to the decision” of establishing a digital service “because the threat is increasing, and the technology is adding speed to the domain, and we can't sit around for four or five years and figure out how to do it.” (Martin Mathishak / The Record)

Mike Burgess, the Director-General of Security of the Australian Security Intelligence Organisation (ASIO), said it has seen nation states use ‘even more sophisticated and difficult to detect methods’ in their attempts to obtain sensitive information unlawfully.

While keeping such details private may seem like common sense, ASIO has identified over 100 individuals using job sites such as LinkedIn to talk about projects they worked on, and some posting specifications and functionality on ‘open discussion forums.'

This has direct consequences for national security, and the mistakes add up. A report quoted by Burgess identifies an overall cost of over AU$12 billion in just one year lost to espionage, highlighting its impact.

These are conservative estimates too, Burgess points out, and the ‘most serious, significant and cascading costs of espionage are not included in the 12.5 billion dollar figure.' (Ellen Jennings-Trace / Tech Radar)

Related: Asio.gov.au

Speaking to reporters on the side of the Cyber Security Agency of Singapore’s (CSA) Exercise Cyber Star, Singapore's Coordinating Minister for National Security and Minister for Home Affairs K Shanmugam said that while naming a specific country linked to cyber threat group UNC3886 is not in Singapore’s interest at this point in time, the attack was still severe enough for the government to let the public know about the group.

“Media coverage (and) industry experts all attribute UNC3886 to some country … Government does not comment on this.

“We release information that we assess is in the public interest. Naming a specific country is not in our interest at this point in time.”

Google-owned cybersecurity firm Mandiant has described UNC3886 as a "China-nexus espionage group" that has targeted prominent strategic organisations on a global scale. (Fabian Koh / Channel News Asia)

In a conference transparency report, DEF CON announced it had added a fifth person to its banned list, Eric Michaud, who was banned based on reporting by the Washington Post that said he was enabling Morgan Marquis-Boire.

The Washington Post reported that Unciphered, a company that was lionized for its ability to crack passwords for huge cryptocurrency accounts, was secretly founded by Morgan Marquis-Boire, who has been accused by several women of physical and emotional abuse. Marquis-Boire was banned by DEF CON in 2017.

Eric Michaud, co-founder and chief executive of Unciphered, has been the public face of the company. (DEF CON and Joseph Menn / Washington Post)

Best Thing of the Day: We've Been Through Bubbles Before

WannaCry hero turned tech pundit Marcus Hutchins has written an opus on why he hates AI and the rest of us should too.

Bonus Best Thing of the Day: Hack the Planet!

A website called Vintage Everyday has published 27 behind-the-scenes Polaroid pictures from the making of the 1995 cult classic “Hackers.”

Extra Bonus Best Thing of the Day: Not Enough Money in the World

The US Department of Justice announced the launch of a $200 million fund to compensate victims who were sex-trafficked through the Backpage.com website.

Worst Thing of the Day: Remember When Ransomware Gangs Promised Not to Attack Healthcare Facilities?

Private equity-backed NRS Healthcare, which works with around 40 councils across England and Northern Ireland, is on the verge of collapse, due to, among other factors, a cyberattack it experienced a year ago.

Closing Thought
