
Steve Prentice
From the CISO Series, it's Cyber Security Headlines.
David Spark
These are the cybersecurity headlines for Friday, July 18, 2025. I'm Steve Prentice.

Chinese hackers use Cobalt Strike on Taiwan's semiconductor sector. According to a report published on Tuesday by Proofpoint, organizations involved in the manufacturing, design and testing of semiconductors, as well as equipment and services supply chain entities within this sector, and also financial investment analysts specializing in the Taiwanese semiconductor market, were all targets of spear-phishing campaigns undertaken by three Chinese state-sponsored threat actors. The activity is said to have taken place between March and June of 2025, and it is being attributed to three China-aligned clusters named UNK_FistBump, UNK_DropPitch and UNK_SparkyCarp. The spear-phishing campaign involved emails appearing to come from graduate students appealing to recruitment and human resources personnel for job opportunities, and which delivered the payload of Cobalt Strike or the C-based custom backdoor Voldemort.

Salt Typhoon breached National Guard and stole network configurations. The Chinese state-sponsored hacking group breached and remained undetected in a U.S. Army National Guard network for nine months in 2024, stealing network configuration files and administrator credentials. These, it was said, could be used to compromise other government networks. The method by which the group penetrated the National Guard network was not disclosed, but BleepingComputer states that Salt Typhoon is known for targeting old vulnerabilities in networking devices such as Cisco routers. End quote.

Congress to investigate Stuxnet to confront OT cyber threats. The House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection is planning to investigate whether Stuxnet, the malware that severely impacted Iran's nuclear program 15 years ago, could guide today's critical infrastructure policy debate. This is according to reporting from CyberScoop. The hearing will happen next Tuesday, July 22nd. Amongst the witnesses listed for the hearing is Kim Zetter, cybersecurity journalist and author of the book Countdown to Zero Day, which provides an excellent narrative of the Stuxnet malware attack, which is estimated to have caused the damage and removal of more than 1,000 centrifuges, or approximately 10% of Iran's total enrichment capacity at the time.

Hackers exploit a blind spot, hiding malware inside DNS records. According to researchers at DomainTools, hackers are hiding malware inside DNS records, specifically in the form of TXT records, which make it difficult for traditional security tools to detect. By encoding malware in hexadecimal and spreading it across hundreds of subdomains, attackers bypass email and web filters, since DNS traffic is rarely monitored. Once inside a network, an attacker can use standard DNS queries to retrieve and reassemble the malicious code, the researchers stated. As encrypted DNS methods like DoH, which is DNS over HTTPS, and DoT, which is DNS over TLS, become more common, spotting such threats will become even harder for cybersecurity defenses.

Huge thanks to our sponsor, ThreatLocker. ThreatLocker is a leader in Zero Trust endpoint security, offering cybersecurity controls to protect businesses from zero-day attacks and ransomware. ThreatLocker operates with a default-deny approach to reduce the attack surface and mitigate potential cyber vulnerabilities. To learn more and to start your free trial, visit threatlocker.com/CISO. That is T-H-R-E-A-T-locker.

The 1.1.1.1 outage, not a cyber attack, says Cloudflare. The recent 1.1.1.1 resolver service outage that occurred on July 14 was caused by an internal misconfiguration, said Cloudflare in an announcement following a postmortem of the incident. The outage impacted most users of the service all over the world, rendering Internet services unavailable in many cases. The announcement from Cloudflare was made as a follow-up to the attack, as would be expected, but was also to refute rumors of the event having been a cyber attack or a BGP, that is Border Gateway Protocol, hijack. Instead, the company explained the outage was a configuration change for a future Data Localization Suite performed on June 6, which mistakenly linked to a non-production DLS service.

Cisco warns of another high-severity vulnerability in ISE. This new maximum-severity security vulnerability impacting Identity Services Engine and Cisco ISE Passive Identity Connector, which is ISE-PIC, could permit an attacker to execute arbitrary code on the underlying operating system with elevated privileges, end quote. This vulnerability has a CVSS score of 10 and a different CVE number than the one that we reported on on June 27. It is similar to that earlier vulnerability, which was patched last month. And just like last month's flaw, this one affects ISE and ISE-PIC releases 3.3 and 3.4 regardless of device configuration.

Thai officials restore hacked Ministry of Labor website. The website was restored after having been defaced by hackers from the Devman group, who claim to have stolen 300 gigabytes of data and are demanding a $15 million ransom. While the country's permanent secretary insisted that only the site's appearance was altered and no sensitive servers were accessed, Devman claims to have spent over 43 days inside the ministry's systems, encrypting 2,000 laptops and several servers. Allegedly, the stolen data includes citizen records, information on foreign visitors and classified documents.

Arizona's North Country Healthcare suffers cyber attack. Based in Northern Arizona, North Country Healthcare is a non-profit, federally qualified health center that provides primary health care services through 14 locations. It is also now one of the most recent healthcare facilities to have suffered a cyber attack, this one from the Stormous ransomware group, who claims to have stolen personal and health data belonging to 600,000 patients. Stormous, spelt S-T-O-R-M-O-U-S, is known as a pro-Russia ransomware group and has been active since early 2022. The group claims that the data of 100,000 patients will be listed for sale and the data of 500,000 patients will be listed on the leak site for free. This according to the HIPAA Journal. An update to the article in this journal, published on July 15, says the files have now been published.

As usual, we've got a busy Friday of live streams today. It starts at 1pm with Super Cyber Friday, where the topic will be "Hacking Vendor Competition: An hour of critical thinking about how to get noticed," and then come back at 3:30pm Eastern where we have our Week in Review show. Cyrus Tibbs, who is the CISO at PennyMac, will be our guest, providing his expert commentary on the news of the week. To join us for both, head on over to cisoseries.com's events page. And finally, if you find yourself in Toronto next Friday, July 25, be sure to join David Spark and myself and a whole bunch of great CISOs and fans of the show for coffee at the Brick Street Bakery in the beautiful and historic Distillery District of downtown Toronto. To register for this event, again, go to the Events page at CISO Series. I'm Steve Prentice reporting for the CISO Series.
Steve Prentice
Cyber Security Headlines is available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Cyber Security Headlines – July 18, 2025
Hosted by CISO Series, the "Cyber Security Headlines" podcast delivers daily updates from the ever-evolving world of information security. In the July 18, 2025 episode, host Steve Prentice and David Spark delve into significant cybersecurity incidents, legislative actions, and emerging threats that are shaping the landscape of digital security. Below is a comprehensive summary of the episode's key discussions, enriched with notable quotes and timestamps for reference.
Timestamp: [00:07]
Overview: The episode kicks off with alarming news about Chinese state-sponsored threat actors launching spear-phishing campaigns against Taiwan's semiconductor industry. According to a report by Proofpoint, organizations involved in the manufacturing, design, and testing of semiconductors, along with their supply chains and financial analysts focusing on the Taiwanese market, have been primary targets.
Notable Quote:
"We're all targets of spear phishing campaigns undertaken by three Chinese state-sponsored threat actors." – David Spark [00:07]
Timestamp: [00:07]
Overview: The Salt Typhoon group, a Chinese state-sponsored hacking organization, successfully breached the U.S. Army National Guard network in 2024. Maintaining an undetected presence for nine months, the group exfiltrated network configuration files and administrator credentials, potentially jeopardizing other government networks.
Notable Quote:
"These credentials could be used to compromise other government networks." – David Spark [00:07]
Timestamp: [00:07]
Overview: Looking back at one of the most infamous cyberattacks, Congress is set to examine the ramifications of Stuxnet, the malware that disrupted Iran's nuclear program 15 years ago. The House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection aims to explore how Stuxnet's tactics can inform current critical infrastructure policies.
Notable Quote:
"The House Homeland Security Subcommittee is planning to investigate whether Stuxnet could guide today's critical infrastructure policy debate." – Steve Prentice [00:07]
Timestamp: [00:07]
Overview: Researchers from DomainTools have uncovered a method where hackers embed hex-encoded malware within DNS TXT records spread across many subdomains. This strategy complicates detection because traditional email and web security tools do not inspect DNS traffic, which is rarely monitored.
Notable Quote:
"Hackers are hiding malware inside DNS records, specifically in the form of TXT records, which make it difficult for traditional security tools to detect." – David Spark [00:07]
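As an added example (not from the podcast or from DomainTools' research), the detection pass a defender could run over resolver logs to flag the pattern described above: TXT answers consisting of long hex strings spread across several subdomains of one parent domain, reassembled only to check whether the blob starts with an executable header. The log format, the two-label parent-domain grouping and the thresholds are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample resolver log lines (not from the page). Fields:
# timestamp client qname qtype rdata. Four hex TXT chunks sit under one
# parent domain; the SPF, DKIM and A records are ordinary background noise.
SAMPLE_LOG = """\
2025-07-18T09:00:01Z 10.0.0.5 a01.files.example.test TXT "4d5a90000300000004000000ffff0000"
2025-07-18T09:00:01Z 10.0.0.5 a02.files.example.test TXT "b8000000000000004000000000000000"
2025-07-18T09:00:02Z 10.0.0.5 a03.files.example.test TXT "0e1fba0e00b409cd21b8014ccd215468"
2025-07-18T09:00:02Z 10.0.0.5 a04.files.example.test TXT "69732070726f6772616d2063616e6e6f"
2025-07-18T09:00:03Z 10.0.0.7 mail.example.test TXT "v=spf1 include:_spf.example.test -all"
2025-07-18T09:00:03Z 10.0.0.7 sel1._domainkey.example.test TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEB"
2025-07-18T09:00:04Z 10.0.0.9 www.example.test A 198.51.100.10
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "?(.*?)"?$')
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
EXE_MAGIC = (b"MZ", b"\x7fELF")  # PE and ELF file headers


def parent_domain(qname, labels=2):
    """Group by the last N labels (assumption: no public-suffix-list handling)."""
    return ".".join(qname.rstrip(".").split(".")[-labels:])


def find_hex_txt_staging(log_text, min_chunks=3, min_hex_len=32):
    """Return {parent_domain: summary} for parents whose TXT answers look like
    hex-encoded payload chunks spread across several subdomains."""
    chunks = defaultdict(dict)  # parent -> {qname: hex string}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(4) != "TXT":
            continue
        qname, rdata = m.group(3), m.group(5)
        # Hex-only, even length and long enough to be data rather than a token
        if len(rdata) >= min_hex_len and len(rdata) % 2 == 0 and HEX_RE.match(rdata):
            chunks[parent_domain(qname)][qname] = rdata
    findings = {}
    for parent, by_name in chunks.items():
        if len(by_name) < min_chunks:
            continue
        # Reassemble in subdomain order to check what the blob begins with
        blob = bytes.fromhex("".join(by_name[n] for n in sorted(by_name)))
        findings[parent] = {
            "subdomains": len(by_name),
            "bytes": len(blob),
            "executable_magic": blob.startswith(EXE_MAGIC),
        }
    return findings
```

With DoH or DoT in use the resolver log is the only place this traffic is still visible in clear, so the same check belongs on the organisation's own resolver rather than on a network tap.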
Timestamp: [00:07]
Overview: Amidst rumors of a cyberattack or BGP (Border Gateway Protocol) hijack, Cloudflare has clarified that the recent outage of its 1.1.1.1 resolver service on July 14 was due to an internal misconfiguration.
Notable Quote:
"The outage was a configuration change for a future data localization suite performed on June 6, which mistakenly linked to a non-production DLS service." – Steve Prentice [00:07]
Timestamp: [00:07]
Overview: Cisco has issued a warning about a new high-severity vulnerability in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE PIC). This flaw could allow attackers to execute arbitrary code with elevated privileges on affected systems.
Notable Quote:
"This vulnerability has a CVSS score of 10 and affects ISE and ISE PIC releases 3.3 and 3.4 regardless of device configuration." – David Spark [00:07]
Timestamp: [00:07]
Overview: The Thai Ministry of Labor has successfully restored its website following a defacement attack by the Devman Group, who claimed to have stolen 300 gigabytes of data and demanded a $15 million ransom.
Notable Quote:
"Devman claims to have spent over 43 days inside the ministry's systems, encrypting 2,000 laptops and several servers." – Steve Prentice [00:07]
Timestamp: [00:07]
Overview: North Country Healthcare, a nonprofit health center in Northern Arizona, has fallen victim to a cyberattack by the Stormous ransomware group. The breach resulted in the theft of personal and health data of 600,000 patients.
Notable Quote:
"Stormous is known as a pro-Russia ransomware group and has been active since early 2022." – David Spark [00:07]
While the episode primarily focused on pressing cybersecurity issues, it also highlighted upcoming events and opportunities for listeners to engage with the CISO Series community:
For more details and to participate, listeners are encouraged to visit the CISO Series Events Page.
Conclusion:
The July 18, 2025 episode of "Cyber Security Headlines" offers a thorough examination of recent cybersecurity threats, vulnerabilities, and legislative actions. From state-sponsored attacks targeting critical industries to vulnerabilities in major infrastructure services, the discussions underscore the persistent and evolving nature of cyber threats. Additionally, the episode emphasizes the importance of community engagement and continuous learning within the cybersecurity field.
For the complete stories and daily updates, listeners are encouraged to visit CISOseries.com.
This summary captures the essence of the podcast episode, providing detailed insights and contextual understanding for those who haven't had the chance to listen.