Western allies pair Russia sanctions with a warning on critical infrastructure attacks

UK charges five over Russian Coms spoofing platform, Treasury sanctions VPN provider tied to ransomware gangs, DHS missed warning signs before credential theft breach, Cyberattacks targeted US personnel through Mideast mobile networks, Korean police uncover large-scale GitHub token leak, much more

Share
Western allies pair Russia sanctions with a warning on critical infrastructure attacks
Photo by mana5280 / Unsplash
brown bear with blue eyes
Photo by mana5280 / Unsplash

Check out my piece featuring cybersecurity pioneer and distinguished professor of computer science at Purdue University, Gene Spafford, on why artificial intelligence is exposing decades of neglected security practices—and why fundamental security frameworks like NIST CSF 2.0 matter more than ever.


Metacurity is the cybersecurity industry's daily reality check—an independent briefing that cuts through vendor spin, social media outrage, and endless recycled narratives to explain what actually matters and why.

Every weekday, thousands of cybersecurity professionals—including many of the industry's most respected security leaders—rely on Metacurity to separate signal from noise. We do the reading, research, and analysis so you don't have to.

If Metacurity helps you stay informed, save time, or see the bigger picture, please consider becoming a paid subscriber. Reader support is what keeps Metacurity independent, agenda-free, and focused on serving the cybersecurity community—not advertisers, vendors, or investors.


Western governments delivered a coordinated message to Russia's cyber operators, coupling new sanctions against Russian intelligence-linked hackers with a multinational warning that many of the same actors continue to gain access to critical infrastructure networks through vulnerable and poorly configured routers.

The sanctions package announced by the European Union and United Kingdom targeted individuals and entities linked to Russia's FSB and GRU intelligence services, including the FSB's 16th Center, which Western officials accuse of directing years of cyber operations against European governments and critical infrastructure. At nearly the same time, cybersecurity agencies from the United States and eight allied nations issued a joint advisory warning that FSB Center 16 operators remain actively engaged in targeting network infrastructure worldwide.

The advisory, co-authored by the NSA, FBI, and CISA along with agencies from Australia, Canada, New Zealand, the United Kingdom, Estonia, Finland, France, and Italy, describes an ongoing campaign in which Russian operators scan internet-connected networks for vulnerable routers and other edge devices that can be used as entry points into critical infrastructure environments.

The group, tracked by various security vendors as Berserk Bear, Energetic Bear, Crouching Yeti, Dragonfly, Ghost Blizzard, and Static Tundra, searches for routers that use default or weak SNMP authentication strings. According to the advisory, the attackers then issue commands using spoofed IP addresses to copy device configuration files and exfiltrate them to actor-controlled servers using the Trivial File Transfer Protocol.

The warning also notes that the same operators have exploited Cisco vulnerabilities, including the Smart Install flaw CVE-2018-0171. In August 2025, the FBI warned that the group had been using the vulnerability to target critical infrastructure organizations since November 2021.

Sectors considered most at risk include energy, communications, healthcare, financial services, defense, the defense industrial base, and state and local government services.

“Center 16 has been seen hunting for vulnerable routers by scanning the internet for devices that still use default or weak Simple Network Management Protocol (SNMP) passwords and community strings,” the UK National Cyber Security Center said in its advisory.

“Whilst the actor primarily uses SNMP scans to locate and compromise vulnerable routers, they have also exploited well-known vulnerabilities relating to Cisco devices, Cisco’s Smart Install feature and web-portal flaws to gain control of network devices.”

The juxtaposition of the two developments was difficult to miss. As Western governments imposed new costs on Russian cyber operators, they also acknowledged an uncomfortable reality: many of the intrusions attributed to those operators still begin with vulnerabilities and misconfigurations that defenders have known how to fix for years. (Matthew Dalton / Wall Street Journal, Sergiu Gatlan / Bleeping Computer)

Related: GOV.UK, NSAIC3, CISA, European Council, BleepingComputer, Politico, JazeeraPaymentSecurity.ioUPIBloombergThe Economic TimesThe Kyiv Independent,  Military.comReutersRadio Free Europe/Radio, ABC.net.au, National Cyber Security Centre, Ukrainska Pravda, The Cyber Express, Financial Review, CSO Online, Brussels Times, Dark Reading, Crypto Briefing, Ars Technica, Agence France-Presse, CBS News, Security Affairs, Help Net Security

Source: FBI.

UK authorities charged five people following a National Crime Agency (NCA) investigation into Russian Coms, a major caller ID spoofing platform used by criminals to make over 1.8 million scam calls.

The five people charged are 28-year-old Ayoub Sehailia, 30-year-old Zakkaria Sehailia, 30-year-old Usman Din, 29-year-old Denis Ozmus, and 53-year-old Fadila Salem, 53, all from London.

The list of charges includes conspiracy to supply articles for use in connection with fraud, transferring or converting criminal property, and, in Zakkaria Sehailia's case, failing to comply with a notice to provide phone passcodes. All five are scheduled to appear at Westminster Magistrates' Court on Friday, August 14. (Sergiu Gatlan / Bleeping Computer)

Related: NCA, Help Net Security, Infosecurity Magazine, Computing, Hounslow Herald

The US government sanctioned a VPN provider and its Ukrainian administrator for abetting ransomware gangs behind attacks on American municipalities, hospitals, schools and businesses.

First VPN Service (1VPNS) provided ransomware groups with tools to “hide their identities, disguise malicious software, and evade detection — enabling attacks that have caused billions of dollars in losses to US critical infrastructure providers,” according to a Treasury Department press release.

The administrator, Dmytro Rashevskyi, used fake identities “to buy infrastructure from companies that might otherwise refuse to do business with him because of complaints of abuse from internet service providers about illegal activity originating from 1VPNS servers,” the Treasury said.

A second man, Belarusian national Yegeniy Vladimirovich Silayev, was designated for allegedly selling “cryptors,” or methods used to make malware harder to detect and more effective by cloaking it as harmless files.

Silayev is not affiliated with First VPN.

Under the sanctions, no one in the US can complete transactions with the designees. Sanctions are also considered a reputational blow that often leads to a downturn in business revenues. (Suzanne Smalley / The Record)

Related: Treasury Department, Bleeping Computer, The Cyber Express, Cyber Security News

According to an internal incident readout, Department of Homeland Security personnel twice dismissed signs of cyber intruders inside the agency’s Homeland Security Information Network as harmless activity, allowing hackers to remain undetected inside for weeks and eventually steal credential files.

Department investigators have still not determined the affiliation of the hackers, according to two people with knowledge of an ongoing probe into the incident. DHS may send staff to brief Congress on the hack in a classified setting in the coming weeks, added the people, who spoke on the condition of anonymity to communicate the department’s thinking.

Between May 15 and May 24, the infiltration was detected by analysts inside FEMA, where they observed the hackers had altered files on testing and live servers, used a legitimate web-server program to run malicious code and deleted activity logs that could have exposed their movements, according to the readout. The activity was ruled a false positive.

Between May 25 and June 3, the hackers used similar methods aiming to leave scant trace of their activity, setting off more alerts that were again dismissed as benign. On June 4, they installed hidden backdoors and stole credential data — typically employed to verify users’ identities and grant access to accounts or systems — where personnel then declared a breach was active. (David DiMolfetta / NextGov/FCW)

Related: Gizmodo

Middle Eastern mobile networks were repeatedly hit with cyber attacks to track the locations of US personnel and contractors during the Iran war, according to telecoms data and people familiar with the matter.

The prospect that adversaries were stalking US forces has alarmed some American lawmakers, who have warned that roaming systems and smartphone ad tech have left the military vulnerable to attack.

The malicious tracking attempts came in the build-up to the US-Israeli assault on Iran in late February and continued in the early days of the war, when Tehran retaliated with missile and drone strikes against US forces and military installations around the region. The data, shared with the FT by the Mobile Surveillance Monitor research project, shows regional telecom networks fending off a wave of requests, called SS7 pings.

These sought to pin down the locations of specific phones roaming outside their home networks, in what two cybersecurity experts who reviewed the data said suggested a coordinated campaign. (Mehul Srivastava, Jacob Judah and James Politi / Financial Times)

Related: Cryptobriefing, Iran International

South Korean police have detected a data breach involving over 500 units of account information on GitHub, the world’s largest open-source software development platform.

The police notified Microsoft Company, the operator of GitHub, as well as Interpol (the International Criminal Police Organization) and companies that owned the leaked accounts, recommending additional security measures.

The National Police Agency National Office of Investigation stated, “We recently confirmed a large-scale leak of ‘personal access tokens,’ which are authentication credentials for accessing GitHub,” adding, “We are distributing a security advisory that includes urgent security measures and recommendations to prevent further damage.”

According to sources familiar with the matter, the police began their investigation after discovering that a hacker involved in a separate cybercrime case possessed another person’s GitHub token. Among the confirmed cases, 370 accounts from 54 countries have been identified, with the nationalities of their owners verified.

Over 200 additional accounts remain unconfirmed in terms of nationality. The police have notified Interpol of the affected accounts with identified owners and nationalities. Domestic cases accounted for over 30 instances. The police are investigating whether further damage has occurred due to the token leak. (Kim Young-joon / The Chosun Daily)

Related: Maeil Business, The Korea Herald, Seoul Economic Daily, Asia Business Daily, SBS News

Big Tech companies, including Apple, Meta, and Google, have "significant gaps" in tackling child sexual abuse and the growing threat of online sexual extortion, Australia's internet ‌regulator eSafety said.

Online platforms are failing to use available technologies that can identify well-known coercion scripts used by sexual extortion offenders, eSafety said in a transparency report.

"In several cases, we have provided these platforms with evidence of how their services are being colonised by criminals to devastating impact, with clear guidance on how to stem ​the abuse," said eSafety Commissioner Julie Inman Grant."Even when we've laid this out, we haven't seen adequate responses, despite the technology being ​readily available." (Renju Jose / Reuters)

Related: eSafety, Women's Agenda, AAP, The International News, Cyber Daily

Researchers from Tracebit said they found that placing prompt injections alongside passwords, cryptographic keys, and other secrets stored on Amazon Web Services was often all that was needed to shut down attacks from AI hacking agents.

The prompts direct the attacking LLM to perform an action forbidden by its guardrails, the safety barriers AI developers erect to prevent it from taking harmful actions. The LLM responds by shutting down.

Examples are a prompt that orders the LLM to provide steps for developing inhalable Anthrax spores, or, in the case of LLMs from Chinese developers, make references to the iconic Tank Man from the 1989 Tiananmen Square massacre. Once the LLM encounters these forbidden commands, it no longer follows its existing commands. The researchers have named the technique context bombing.

“Ultimately we’re triggering a refusal mechanism in the context,” Andy Smith, co-founder and CEO of Tracebit, said when explaining the name choice. “What we’re trying to capture is the fact that this does have a strong, sharp effect and one that can be difficult for the agents to come back from. Once they get that into their context, they are going to keep refusing.”

Tracebit says initial testing suggests context bombing has great potential. They tested Opus 4.8, Gemini 3.1 Pro, GLM 5.2, DeepSeek 4 Pro, and Kimi 2.6 by giving them instructions to perform routine developer tasks that led the models to enumerate resources and stumble onto the planted strings. They ran the models inside a simulated AWS environment.

“Across five leading models and 152 attack runs, planting one of these strings in a decoy secret cut the rate at which agents seized full account admin from 57% to 5%, and complete compromise (where they also left themselves a persistent foothold) from 36% to 1%,” Monday’s post reported. “The most capable agent in our tests, Opus 4.8, went from achieving admin access in 93% of runs to failing every single time when confronted with a context bomb.” (Dan Goodin / Ars Technica)

Related: Tracebit, AI Weekly

Source: Tracebit.

Apple sued OpenAI and two former employees, alleging misappropriation of its trade secrets to ​benefit the ChatGPT-owner's foray into consumer hardware, a dramatic escalation of already simmering tension between the two companies.

The complaint accuses OpenAI of orchestrating a broad effort to systematically acquire and exploit Apple's ‌confidential information through former employees, recruiting practices and supplier relationships to accelerate its push into the consumer hardware business.

The lawsuit sets up a battle over who will control future AI devices that may not use traditional apps or operating systems — devices which, if successful, would direct consumer attention away from Apple's best-selling iPhone. Analysts believe OpenAI is working on a phone or other device of its own.

The two former Apple employees named in the suit are Chang Liu, a former senior system electrical engineer, and former vice president of product design for iPhone and Apple Watch, Tang Yew Tan. (Stephen Nellis, Jaspreet Singh and Deepa Seetharaman / Reuters)

Related: CNBC, Reuters, The Verge, Ars Technica, TechCrunch

National charity Lifeline Australia has confirmed it was the victim of a data breach after a threat actor posted alleged staff information on the dark web.

In a post to an underground hacking forum over the weekend, the threat actor known as 2019 claimed to have stolen more than 10,600 data records from Lifeline.

The hacker claimed that names, dates of birth, workplace email addresses, phone numbers and contact numbers for messaging platform WhatsApp were among the compromised details.

While Lifeline operates a free 24/7 crisis support service, the post appeared to relate primarily to staff and volunteer information rather than help seekers.

A spokesperson for the charity confirmed that no help seeker data, personal contact information, or financial details had been accessed. (Leonard Bernardone / Information Age)

Related: Insurance Business, Cyber Daily

Texas state police is one of a growing number of local law enforcement agencies signing deals with Cognyte, a Herzliya, Israel-based company listed on the Nasdaq with a $560 million market cap.

The six-year-old company, which was spun out of Israeli surveillance giant Verint in 2021, sells a range of surveillance tech. That includes software that claims to find leads in big police datasets and predict where crime is likely to occur in the future.

The firm, which touts itself as the “leading alternative” to $315 billion market cap Palantir, made most of its $400 million in 2025 revenue in Israel and Europe. But it’s slowly making inroads in the US, with American revenue gradually rising from $10 million in 2023 to $15 million in 2025, per filings with the SEC.

The same month as a $4.5 million Texas state police deal, its biggest on record in the US, the Department of War spent $400,000 on a FalcoNet backpack. Cognyte has sold surveillance vans to the Albuquerque police department in New Mexico and the New York State Police, which helps patrol the border between Canada and the US. In 2024, the Florida Department of Law Enforcement spent $765,000 on FalcoNet for Operation Vigilant Sentry, a mission targeting mass migration via the Caribbean that was enacted by the Biden administration in 2023.

In a recent yearly filing with the SEC, the company promoted its work with border and intelligence agencies, saying, “By applying advanced analytics, behavioral pattern recognition and real-time intelligence, our technology helps agencies detect suspicious activity, identify potential trafficking or smuggling operations and prevent illegal border crossings.” (Thomas Brewster / Forbes)

Related: Business Wire

Japan's largest taxi operator, Nihon Kotsu, announced that its systems were compromised in a cyberattack, forcing the company to shut down part of its infrastructure.

The incident occurred over the weekend, early Saturday morning, and impacted operations, including the company's taxi dispatch system, which remains offline as of today.

Nihon Kotsu is Japan's largest taxi and chauffeur (hire) operator by group revenue, with annual revenue of roughly $1 billion (¥155 billion).

In a separate announcement, the firm specifies that the “labor taxi” service booked by pregnant women close to giving birth is suspended in the areas of Tokyo, Musashino City, Mitaka City, Tachikawa, Yokohama, and Saitama. (Bill Toulas / Bleeping Computer)

Related: Nihon Kotsu, Nihon Kotsu, Security Affairs, Tech Radar, The Cyber Express

Security researchers Sam Curry and Maik Robert discovered that the San Francisco Police Department had accidentally exposed live feeds from five Skydio police drones on the public internet for roughly six months.

Anyone with the link could watch real-time drone video, thermal imagery, GPS location data, and information about drone operators. The exposure appears to have been caused by a misconfigured sharing feature in Skydio's software rather than a flaw in the drone platform itself. (Andy Greenberg, Dhruv Mehrotra / Wired)

Drone footage exposed at a public web address shows how a quadcopter zoomed in on an SUV’s license plate, tracked it through traffic, then followed the driver as he exited the car and ran into an apartment complex. The suspect hid behind a vehicle, then adjusted his hiding place, yet was still visible to a second drone that arrived on the scene—one of four that tracked his location in a single hour and then captured police tackling him—all in response to what the SFPD describes as an alleged “auto boost/strip” incident, the theft of car parts or another object from a vehicle. Materials reviewed by WIRED

Researchers at Jamf report that a new macOS information-stealing malware called CrashStealer pretends to be Apple's crash-reporting tool to steal credentials, keychain data, and crypto wallets.

They started tracking the malware in May, when it appeared to still be in development, but observed it being used in attacks in early July.

CrashStealer has a typical infostealer capability set that seems to focus on password managers and more than 80 crypto wallet extensions.

The CrashStealer infostealer's binary impersonates Apple's system component by taking the name ‘CrashReporter.app,’ in an attempt to evade users’ scrutiny and potentially security tools.

Besides the name, the malware also creates a LaunchAgent named ‘com.apple.crashreporter.helper’ and uses the legitimate tool’s icon and metadata to resemble the legitimate tool as much as possible.

Jamf did not share details about CrashStealer’s exact initial distribution method, but note that the first-stage payload (Werkbit Setup) is hosted on a fake software site registered in late June. (Bill Toulas / Bleeping Computer)

Related: Jamf, IT News, AppleWorld Today

Site delivering the CrashStealer loader Source: Jamf Labs.

The company released Zimbra 10.1.19 this Tuesday to patch this stored cross-site scripting (XSS) security flaw, which has yet to receive a CVE ID for easy tracking. Attackers can exploit this Classic Web Client security issue through specially crafted emails that execute malicious code when the email is opened. (Sergiu Gatlan / Bleeping Computer)

Related: TechSpot, Hot Hardware

The Trump administration and industry groups have been discussing a capability framework for US open-source models based on the current capabilities of leading open-source Chinese models, a person close to the discussions said.

The proposal would streamline US-made models to market (both open-source and “closed,” licensed models) if their capabilities are equal to or below the capabilities of leading open-source Chinese models, the person, who spoke on the condition of anonymity to share details of the private conversations, said.

Currently, the conversations are not centered around a separate, forthcoming executive order on open-source AI models (as speculation online has suggested), but rather clarifying guidance on the AI executive order that the Trump administration already issued in June. (The administration and industry groups have been discussing a capability framework for US open-source models based on the current capabilities of leading open-source Chinese models, a person close to the discussions tells me. (Benjamin Guggenheim / Washington Post)

Related: Interconnects.ai

TriWest Healthcare Alliance officials notified 11,844 beneficiaries of a data breach that may have affected their protected health information.

About four million beneficiaries are covered by TriWest, the managed care contractor for the Department of Defense's Tricare West Region.

In a letter to one beneficiary dated July 2 and provided to Military Times, TriWest officials said they had discovered a security incident April 16, in which an unauthorized person gained limited, unauthorized access to TriWest information and downloaded it.

“We are unaware of any misuse of your information,” officials stated in the letter, but they went on to say TriWest is offering a free credit-monitoring service for those who feel it’s needed.

The unauthorized person obtained health-related and other personal information, specifically names, Department of Defense Benefits Numbers and beneficiaries’ ZIP codes. Officials said that in fewer than five instances, the information also included Social Security numbers, addresses and dates of birth. (Karen Jowers / Military Times)

Related: Globe Newswire

The Jscrambler client-side web security company disclosed that a threat actor published a malicious version of its npm package that has been downloaded almost 1,500 times.

The malicious Jscrambler package spanned releases 8.14, 8.16, 8.17, and 8.20 and included information-stealing malware that executed during the ‘preinstall’ hook.

“Today, we identified the unauthorized publication of a malicious version of our jscrambler npm package, which is used with our Code Integrity product,” Jscrambler said.

“This incident was limited to that package and did not affect any other Jscrambler products, including Webpage Integrity,” the company said.

Although Jscrambler reacted quickly, the malicious package lasted for two hours before the developer deprecated it and released the safe version 8.22. (Bill Toulas / Bleeping Computer)

Related: Jscrambler, BankInfoSecurity, StepSecurity, Security Week

Microsoft has warned that threat actors using tradecraft linked to the ShinyHunters extortion group are abusing trusted OAuth relationships to gain persistent access to Salesforce environments, steal CRM data, and evade traditional sign-in detections.

The campaigns, observed from mid-202520252025 through mid-202620262026, affected organizations in retail, education, manufacturing, and other sectors.

Microsoft said the activity did not stem from an inherent Salesforce vulnerability. Instead, attackers exploited authorized applications, third-party integrations, and weak guest-user configurations to operate through legitimate cloud workflows.

The attackers relied on three primary access paths: voice phishing that tricks users into approving malicious OAuth applications, the compromise of SaaS supply chain integrations, and the misuse of Salesforce Experience Cloud guest access. (Varshini / Cyber Press)

Related: Microsoft

Complete permission visibility for Salesforce connected apps and external client apps. Source: Microsoft.

The EAC is an obscure but important agency that oversees testing and standards for voting machines, including around security. While federal certification is voluntary, states have until now relied upon their stamp of approval when purchasing voting machines.

On July 10, Democratic Commissioners Ben Hovland and Thomas Hicks were fired by the White House, while reports indicate that a third Commissioner, Republican Christy McCormick, resigned. While Congress mandated the commission be bipartisan, the Supreme Court has recently given the President broad authority to fire executive branch officials at will.

In an interview with NPR, Hovland said he worried the firings would further erode trust that the commission was working in a bipartisan manner.

A letter also sent last week to all 50 states by the DOJ said the department will investigate and prosecute any election official “who knowingly retains non-citizens on the state’s voter registration list or facilitates noncitizens in receiving and casting ballots.”

CyberScoop spoke with several Secretaries of State who said that the number one threat facing elections in their state is not from a foreign country or AI but their own federal government. (Derek B. Johnson / CyberScoop)

Related: NPR

Researchers at Check Point report that a range of cyberattacks they observed over the past year, AI systems generated commands, tested vulnerabilities and helped hackers move through victim networks, sometimes carrying out thousands of commands with less human direction than researchers had previously seen.

It means AI has now been used in some form at every stage of a cyberattack, from identifying targets to exploiting vulnerabilities to stealing data, to help hackers achieve their goals.

The shift does not yet amount to fully autonomous hacking, a top company executive told Nextgov/FCW, but it shows that AI is moving from an occasional aid to an extra set of hands throughout the entirety of an intrusion process. The findings also highlight how rapidly the global cyber ecosystem has adopted AI, with the technology now embedded across every part of an offensive operation rather than confined to isolated tasks. (David DiMolfetta / NextGov/FCW)

Related: Check Point

“In support of Secretary of War Hegseth’s directive to aggressively scale warfighter readiness, I’m announcing the immediate suspension of the Cybersecurity Maturity Model Certification, or CMMC, Phase II requirements, which were originally scheduled to go into effect November 10, 2026,” Kirsten Davies, chief information officer, told reporters at the Pentagon today, using the secondary name for the secretary of defense. “I want to be clear across the Department of War and our defense industrial base, investing in and dynamically maintaining robust cybersecurity remains a critical non-negotiable priority. This action does not eliminate the legal requirement for our industry partners to protect federal data.”

Davies added later, “We are not reducing cybersecurity through this measure. We are reducing the red tape.”

A July 10 memo released by the Pentagon today notes that the current iteration of CMMC imposes “significant and often prohibitive burdens on the Defense Industrial Base (DIB), particularly the small and non-traditional businesses that are the engine of American innovation. While cybersecurity is essential, administrative compliance cannot come at the cost of warfighting capability and industrial base growth.” (Mark Pomerleau and Sydney J. Freedberg Jr. / Breaking Defense)

Related: War.gov, Washington Technology, GovConWire, National Defense Magazine, DefenseScoop, Federal News Network

Best Thing of the Day: More of These Please

The military and private industry gathered at the University of Cincinnati this week to prepare for the next digital threat by participating in the Ohio Cyber Guardian, a four-day cyber defense exercise hosted by the Ohio Cyber Range Institute at UC’s Digital Futures building.

Bonus Best Thing of the Day: More of This Too, Please

The Los Angeles Police Department (LAPD) announced it will let its surveillance contract with automated license plate reader company (ALPR) Flock expire, becoming the largest police department in the country to drop its contract.

Worst Thing of the Day: As If Being in Jail Isn't Hard Enough

A hacker group called Breach Boyz claims it had gained information about inmates at the Rogers County jail, sending local Tulsa, OK, broadcast stations an email with a list of nearly 30 inmates, along with their private information like driver's license numbers, home address, and Social Security numbers.

Closing Thought