Transcript
A (0:00)
From the CISO series, it's Cybersecurity Headlines
B (0:07)
These are the Cybersecurity Headlines for Tuesday, April 7, 2026. I'm Sarah Lane.

Drift says exploit was North Korean intelligence operation
A North Korean state-linked group apparently spent about six months infiltrating Drift Protocol by posing as a legitimate trading firm, building trust through meetings, technical collaboration and depositing more than $1 million before executing a $270 million exploit on April 1. Investigators say the attackers compromised contributor devices via a malicious TestFlight app and a vulnerability in VS Code/Cursor, letting them secure multisig approvals and drain funds in under a minute. Drift attributed the attack to UNC4736 and warned the operation highlights weaknesses in DeFi's reliance on multisig security against long-term, identity-based infiltration campaigns.

GitHub used in multi-stage attacks targeting South Korea
Researchers at Fortinet FortiGuard Labs report that North Korean-linked hackers are using GitHub as command-and-control infrastructure in multi-stage attacks against South Korean organizations. The campaign starts with phishing-delivered LNK files that drop decoy PDFs while silently executing PowerShell scripts, which profile infected systems, evade analysis and exfiltrate data to attacker-controlled GitHub repositories. The activity is tied to the Kimsuky group, pointing toward a broader shift to living-off-the-land techniques that rely on legitimate tools and trusted platforms to maintain persistence and reduce detection.

Data leak threatened after Die Linke attack
The Qilin ransomware group claimed a cyber attack on Germany's left-wing party Die Linke, threatening to leak stolen data if a ransom isn't paid. The party confirmed a serious breach, shut down parts of its IT systems and warned that internal data and employee information could be exposed, though its membership database wasn't affected. Officials worry this reflects a broader pattern of cyber attacks on political institutions, with some ransomware operations potentially aligning with Russian geopolitical interests.

Russian crypto payments expand into Africa
On the topic of geopolitical interests, a sanctioned Russian crypto network called A7 is expanding into Africa, with reported offices in Nigeria and Zimbabwe, as part of Russia's effort to build alternative payment rails outside Western systems. Founded by Ilan Shor and backed by a Russian defense-linked bank, A7 uses tools like stablecoins and promissory notes to keep ruble-based trade flowing despite sanctions. Analysts say the move aligns with Russia's broader geopolitical push into Africa, though the network's actual footprint and usage is unclear.

Huge thanks to our sponsor, Vanta. Risk and regulation are ramping up, and customers expect proof of security just to do business. Vanta's automation brings compliance, risk and customer trust together on one AI-powered platform. So whether you're prepping for a SOC 2 or running an enterprise GRC program, Vanta keeps you secure and keeps your deals moving. Learn more at vanta.com/ciso.

Microsoft links Medusa affiliate to attacks
Microsoft says a China-linked cybercrime group known as Storm-1175 is carrying out rapid ransomware attacks by exploiting both zero-day and recently disclosed vulnerabilities, sometimes within days or even before patches are released. The group chains multiple exploits, steals credentials, disables defenses and deploys Medusa ransomware within as little as 24 hours, targeting sectors including healthcare, education and finance across the US, the UK and Australia. Microsoft notes the group has used more than 16 vulnerabilities across widely used enterprise software.

Singapore and US warn of latest Fortinet bug
US and Singapore authorities are warning that the critical vulnerability in Fortinet's FortiClient EMS that we covered in Monday's show is being actively exploited after its disclosure by researchers at Defused. The flaw, rated 9.1 out of 10, is widely used across government networks, prompting CISA to order rapid patching and mitigation to prevent compromise. Researchers say exploitation began almost immediately and may have intensified during the latest holiday window.

Stalkerware maker receives no jail time
A US court sentenced Brian Fleming, founder of stalkerware firm PC Tattletale, to no prison time beyond one day served and a $5,000 fine after he pleaded guilty to distributing surveillance software designed to secretly monitor victims. Prosecutors say the app was marketed for spying on others without consent, despite nominal legal disclaimers, following a Homeland Security Investigations probe into more than 100 stalkerware companies. The case marks the first US conviction of a stalkerware maker since 2014 and could signal more enforcement, though prosecutions remain rare.

Google DeepMind maps web attacks against AI agents
Google DeepMind researchers identified a new class of AI agent traps where malicious web content manipulates autonomous AI agents into leaking data, spreading misinformation or executing unintended actions. The team outlined six attack categories, including hidden prompt injections, semantic manipulation, memory poisoning and system-level coordination attacks that exploit how agents process content and follow instructions. The research highlights growing risks in agentic AI systems and calls for stronger defenses like model hardening, runtime protections and standardized security frameworks to mitigate emerging threats.

Quantitative risk management promises to be the missing piece of the cybersecurity puzzle, allowing CISOs to better connect their work to tangible business outcomes. But is it moving the needle or just making it easier to push technical debt down the road? That's one of the segments we're breaking down on this week's episode of the CISO Series Podcast. Look for the episode "Remember, every unappreciated risk is just a crisis waiting to be discovered" wherever you get your podcasts. If you have thoughts on the news from today or about our show in general, be sure to reach out to us at feedback@cisoseries.com. We really want to hear from you. I am Sarah Lane, reporting for the CISO Series. You stay safe out there and we'll talk to you tomorrow.
