A
You're listening to the CyberWire network, powered by N2K. And now a word from our sponsor. The Johns Hopkins University Information Security Institute is seeking qualified applicants for its innovative Master of Science in Security Informatics degree program. Study alongside world-class interdisciplinary experts and gain unparalleled educational, research and professional experience in information security and assurance. Interested U.S. citizens should consider the Department of Defense's Cyber Service Academy program, which covers tuition, textbooks and a laptop, as well as providing a $34,000 additional annual stipend. Apply for the fall 2026 semester and for this scholarship by February 28th. Learn more at cs.jhu.edu/mssi.

Chinese hackers infiltrate a US law firm. The EU Commission President warns Russia is waging a hybrid war against Europe. Researchers say LoJax is the latest malware from Russia's Fancy Bear. Salesforce refuses ransom demands. London police arrest two teens over an alleged ransomware attack on a preschool. Microsoft tightens Windows 11 setup restrictions. SINET and DataTribe spotlight 2025 cybersecurity innovators. On our Industry Voices segment, we're joined by Sean Deuby, Semperis principal technologist, discussing identity system security and the growth of the HIP Conference. And employees overshare with ChatGPT.

It's Wednesday, October 8th, 2025. I'm Dave Bittner and this is your CyberWire Intel Brief. Thanks for joining us here today. It's great to have you with us.

Williams & Connolly, one of the United States' top law firms, disclosed that Chinese hackers infiltrated parts of its computer systems in a broader campaign targeting US law and tech firms. The FBI's Washington Field Office is investigating what sources say may involve more than a dozen victims.
The New York Times reports the attackers reportedly accessed several attorney email accounts through a zero-day vulnerability, though the firm says there's no evidence client files or databases were compromised. Williams & Connolly has engaged cybersecurity firm CrowdStrike and outside counsel Norton Rose Fulbright to assist in the response. According to Mandiant, the campaign aligns with a Chinese espionage effort seeking intelligence on US national security and trade issues. The firm says the intrusion has been contained.

European Commission President Ursula von der Leyen warned that Russia is waging a hybrid war against Europe, citing coordinated cyberattacks, sabotage and provocations across EU member states. Speaking before the European Parliament, she pointed to airspace violations by Russian MiG fighters and drone incursions over critical infrastructure in several EU countries, describing them as part of a deliberate campaign to unsettle our citizens, test our resolve and weaken our support for Ukraine. Von der Leyen said a new pan-European security strategy developed with NATO aims to strengthen rapid cyber response and protect essential infrastructure. She urged EU members to leave their comfort zone and confront the threat with unity and deterrence. She declared, every square centimeter of our territory must be protected.

Researchers at ESET have uncovered LoJax, the first known malware found actively infecting a computer's UEFI firmware, a critical component that controls how a system boots. Believed to be created by the Russian hacking group Sednit, also known as Fancy Bear or APT28, LoJax embeds itself in a computer's firmware, allowing it to survive even after a hard drive replacement or operating system reinstall. This gives attackers deep, persistent control over compromised machines and potential access to network systems and data. ESET named the malware after LoJack, the legitimate anti-theft tool it abuses.
Experts recommend enabling Secure Boot and updating firmware to block infection; if compromised, users may need to reflash or replace the motherboard entirely.

Salesforce has confirmed it will not pay ransom demands from the hacking group Scattered Lapsus$ Hunters, which claims to have stolen nearly 1 billion records from Salesforce customers. The attackers launched a data leak site on the BreachForums domain, threatening to publish stolen data from 39 major companies, including FedEx, Disney, Google and Marriott. Salesforce told customers it will not negotiate or pay extortion demands despite credible intelligence that the hackers plan to leak the data.

London's Metropolitan Police arrested two 17-year-olds on suspicion of computer misuse and blackmail linked to a ransomware attack on preschool operator Kido International. The attackers, calling themselves the Radiant Group, leaked photos, names and home addresses of children and parents to extort payment, later deleting the data after backlash from other criminals. The arrests follow a September 25 report to the UK's Action Fraud center. Police said the case is being treated extremely seriously and investigations are ongoing.

Microsoft is tightening restrictions on creating local accounts during Windows 11 setup, removing known methods that let users bypass Microsoft account requirements. The change, introduced in a recent Insider preview build, means users will soon need both an Internet connection and a Microsoft account to complete the out-of-box experience. Microsoft says bypassing the setup previously caused incomplete configurations and reduced security. Earlier this year, the company removed the BypassNRO script for similar reasons, though a registry workaround still exists for now. Microsoft may eliminate that option in future updates to ensure devices are fully configured and meet modern security standards.
SINET has announced the 2025 SINET 16 Innovator Award winners, recognizing standout startups driving the next wave of cybersecurity innovation. Selected from 193 applicants across 19 countries, the winners include Bedrock Security, ConductorOne, Oligo Security, Prompt Security and Seemplicity. Each company was chosen for developing technologies that address modern threats across cloud, AI and enterprise systems. In parallel, DataTribe named five finalists for its 2025 Cybersecurity Startup Challenge, including Acuity, Citadel, Tensor Machines, Starseer and Evercoast, ahead of Cyber Innovation Day on November 4th in Washington, D.C. Together, these programs spotlight the innovators defining cybersecurity's AI-driven future.

It's likely unsurprising to anyone that employees are getting a little too chatty with ChatGPT. A new report from LayerX warns that employees are inadvertently exposing sensitive corporate data through ChatGPT and other generative AI tools. The Enterprise AI and SaaS Data Security Report for 2025 found that 45% of enterprise employees use AI tools and 77% of them paste data into chatbot prompts, 22% of which contain personally identifiable or payment card information. Most of these pastes come from unmanaged personal accounts, leaving companies blind to data leakage and compliance risks. LayerX says ChatGPT dominates enterprise AI use, accessed by over 90% of users, while Microsoft Copilot adoption remains below 3%. The report urges CISOs to enforce single sign-on to maintain visibility and control over AI data flows. LayerX warns such leaks could create regulatory and geopolitical risks.

Coming up after the break, my conversation with Sean Deuby, principal technologist at Semperis. We're discussing identity system security and the growth of the HIP Conference. Stick around.

At Thales, they know cybersecurity can be tough and you can't protect everything. But with Thales, you can secure what matters most.
With Thales' industry-leading platforms, you can protect critical applications, data and identities anywhere and at scale with the highest ROI. That's why the most trusted brands and largest banks, retailers and healthcare companies in the world rely on Thales to protect what matters most: applications, data and identity. That's Thales, T-H-A-L-E-S. Learn more at thalesgroup.com/cyber.

What's your 2 a.m. security worry? Is it, do I have the right controls in place? Maybe, are my vendors secure? Or the one that really keeps you up at night: how do I get out from under these old tools and manual processes? That's where Vanta comes in. Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data and simplifies your security at scale. And it fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit-ready all the time. With Vanta, you get everything you need to move faster, scale confidently, and finally, get back to sleep. Get started at vanta.com/cyber. That's v-a-n-t-a dot com slash cyber.

Sean Deuby is principal technologist at Semperis. On today's sponsored Industry Voices segment, we discuss identity system security and the growth of the HIP Conference. Sean, I understand you are in Charleston this week at the HIP Conference. For folks who aren't familiar with that conference, what is it and what's your involvement there?
B
Well, it's interesting, the Hybrid Identity Protection Conference. It was conceived as a vendor-agnostic technical conference designed by identity people for identity people to help them wade through all the complexities and rapid changes that happen in the modern world of hybrid identity. More complicated than ever. The founder of the conference and our CEO, Mickey Bresman, was really the driving force behind it, even when Semperis was very small, just a few dozen people, and he recruited several veterans with experience in a predecessor conference, such as Gil Kirkpatrick and myself, to help get the conference off the ground. That was back in 2017. So it's been nine years since then, through Covid and everything else, which is pretty great. And not to brag, but I guess I'm bragging: we get rave reviews about the conference. Many people have told me personally, and actually just last week, that it's the best conference they've ever been to. So it doesn't get much better than that.
A
No, no. Well, hats off to you and your colleagues there. What sort of growth have you seen over the years?
B
Well, originally the first one was in World Trade Center 7 in 2017 and probably had 30 people in it, something like that. And this year we are in the low hundreds, less than 500, but more than about 300. I'm not exactly sure what the number is, so quite a bit. And the professionalism and the organization of our teams and all that has just grown by leaps and bounds. I'm actually going to be recording podcasts on Monday before the conference, of individuals presenting at the conference, for my HIP podcast as well, which is paired with the conference.
A
Well, I know one of the key elements of the conference are these Operation Blind Spot tabletop exercises. Could you explain what that's all about?
B
Sure. Blind Spot tabletops are disaster recovery, crisis management tabletops, and we hold them throughout the year. And the point of course behind them is that they expose the blind spots that can hinder efficient cyber response. I actually led the red team at the previous Blind Spot exercise at Black Hat in August. In addition to the Blind Spot exercises we're doing at HIP this week, we're organizing an upcoming event at GovWare in Singapore on October 21st and at Microsoft Ignite in San Francisco on November 19th.
A
Well, in your estimation, if a random organization got hit by a cyber attack, how prepared would they be? If they had a well tested cyber crisis preparedness plan, would they be prepared or would they still find themselves scrambling a bit?
B
Well, we've actually published some research on this earlier this year. And what the research has told us, somewhat surprisingly, is that more than 95% of organizations have a cyber crisis plan, but also 90% report that roadblocks hamper efficient response because of the gaps in communications across most organizations. And this jibes very well with what I hear from incident response professionals. In our research, we found that these communication gaps between the key stakeholders lead to slower responses. And as I said, in talking to cyber response technical individuals, they find that they often have had to sit on their hands while communication issues are resolved and leadership order and who makes decisions for what are figured out. So it's very much people, process and technology, with oftentimes people being the thing that is slower than anything else. The report that we published earlier this year, you can find it on our website if you search for State of Enterprise Cyber Crisis Readiness.
A
Well, in your estimation, from your experience, how realistic should these tabletop exercises be for defenders? I mean, should they be disruptive?
B
Well, so much of, as I go back to the people part of people, process and technology, so much of these exercises, it's human nature that you don't want to fail in an exercise, especially when management is probably watching. But the whole point of a good tabletop is to expose weak points in your response plan, to expose potential failures. So they should be more than routine. They should be more than just check-the-box exercises. Check-the-box exercises provide little value, and in my estimation, they can be dangerous because the participants walk away thinking that their organization is more prepared than it really is. So the exercise should show messy realities, expose them, like incomplete communication chains. Oh, we can't get a hold of Jim Bob because he's on vacation and he's the only person that has access to these plans. Or unclear decision authority, where your leadership of your organization ends up in political infighting to make very important, very potentially disruptive decisions and make them as quickly as possible. Or the one that we all think about, technical gaps. Instead, what happens with polished and safe tabletops, where you follow the happy path and you make the assumption that a lot of things are working in your infrastructure, is that it reinforces the illusion that we've got this, oh, I think we're pretty good. These polished tabletops often discourage adaptive thinking, which, in my conversations again with incident response people, on my podcast last week I did a recording. My guest was the top incident response person for Cohesity, Jonathan Mayer, and he specifically called out adaptive thinking as an important trait in incident response. Because in a real incident things are chaotic, they're confusing, and oftentimes things have happened that have never happened before, because remember, you've got real human beings on the other side and they do this.
A
They're not dumb.
B
They do this sort of thing all the time and you do it only every once in a while. Maybe they will make moves and countermoves that you probably haven't thought of and probably haven't seen before. So that's what you have to practice for. If a tabletop's overly structured or sanitized, it doesn't force either the leaders or the responders to think on their feet, adapt to incomplete information or make decisions when you have uncertainty all around you. Instead, they just play along with the script so they can check it off, but they haven't necessarily improved their defenses or their response at all.
A
You touched on the potential for failure. I mean, is there value in going full Kobayashi Maru, full Star Trek on some of these folks where there is no way to succeed?
B
Well, it's interesting. We did a at the tabletop that we did at the operation we did in Black Hat. We actually, as I said, I was leading the red team and I had an ace in the hole. I had Marcus Hutchins, who is a famous cybersecurity figure on my team and we ended up not quite Kobayashi Maru, but a standoff between the blue team and the red team. But it made for some pretty hair raising moments as we sparred back and forth aggressively. So yes, sometimes, yeah, sometimes that's how you learn. You learn by failure and then seeing doing what you can and if you can't fix it, then at least you're aware that that is a weak point. I won't burden you with any quotes from Sun Tzu, but that's that's absolutely what this is all about.
A
Well, going back to the HIP Conference, I understand that world-renowned cyberpsychologist Professor Mary Aiken was your keynote speaker yesterday at the conference. What was the talk about?
B
I thought that this was very interesting because first off, she's a great speaker, but she spoke about something fairly unique in my experience, which is the intersection of technology and human behavior. So she is a world expert in what's called cyberpsychology. And what she talked about was hybrid identity environments, where technology fits, where human behavior fits. So we think about the technology all the time, but the human dimension, how users perceive authentication systems, how they trust them and how they interact with them, remains the most exploited and least understood aspect of cyber defense. I mean, we've all been through phishing exercises and we know how well those succeed or don't succeed. And yet studies show again and again that it doesn't affect the click-through rate on phishing attacks very much, because there's all of this human aspect to it that is not fully understood. So in her keynote she examined the cyberpsychological challenges of securing hybrid identity and the complexities of it coming on in this world of AI-driven threats. So you have nation-state actors and cybercriminals increasingly using AI and machine learning to deliver hyper-focused, hyper-personalized phishing and advanced social engineering attacks. And they succeed not just because they're technically sophisticated. They succeed also because they exploit human frailty within identity workflows to trick us into doing things we otherwise know better than to do. As identity professionals, we talk about something called anti-patterns, where you have seen some kind of a dialogue pop up so many times you just end up clicking: yeah, okay, okay, okay, okay. I had a friend that described it as spouse mode. Answers: okay, okay. Yes. Yes. Okay, okay. It's like dealing with a toddler. Right, right, exactly. And you may have just clicked through a phishing because you're so used to those workflows.
A
Yeah.
B
So Mary delved into that more deeply.
A
Well, I understand also coming up you've got Jen Easterly and Chris Inglis. Can you give us a little preview of what you're expecting from them?
B
Yeah, I'm very much looking forward to both of these keynotes. I've not met Jen Easterly and I look forward to meeting her in person. Her keynote is set up as a fireside chat and it's about cyber resilience and lessons she's learned in her career and the challenges ahead. The title of it is Cyber Resilience: Yesterday's Lessons, Tomorrow's Challenges. She's planning, as I understand it, to discuss the toughest cyber incident she dealt with as CISA director, how leaders can avoid fatigue and motivate their teams, where the biggest threats will be coming over the next five years, and the role that AI once again will play in both cyber threats and defense. Now, Chris Inglis, who's former U.S. national cyber director, he's keynoting on Thursday morning. And the title of his keynote is Evolving Cyber Resilience in the Age of Innovation. It's about how the global reliance on a distributed digital infrastructure, which we all rely on now, has created both unprecedented opportunities and dangerous vulnerabilities as traditional forces that controlled the way we do things lose their power, and transformative technologies like AI, and nationalism and fragmented regulation, change the world almost on a daily basis. He says that success requires adaptation and a leading-in-resilience mindset to thrive in the middle of all this ongoing instability and accelerating change. I've been fortunate enough to spend a little time with Chris, and he's absolutely someone that if he's talking, I'm going out of my way to make sure that I'm listening.
A
Yeah, no, it's quite a lineup that you all have here for the conference. Before I let you go, I'd be remiss to not ask you about AI. Can we talk a little bit about AI and velocity? You know, how do organizations need to evolve, faced with these challenges of AI? My guess is the pace we used to operate at is insufficient, and as if...
B
The pace that we were operating at wasn't hairy enough as it is.
A
Right, that's right. That's right.
B
Yeah. More, more, faster all the time. And more sophisticated through AI. I mean, look, we're using it for good right now, and the threat actors are equally using it. If you think about our use of AI and how it's changing, six months ago, had you ever heard of the term vibe coding before? No. And now it's sort of becoming part of the vernacular. At least in our industry, it's becoming part of the vernacular. Yeah. I don't have a solid answer for you on this, I have to tell you, because I don't think it's easy to tell what we have in front of us, because I'm not sure anyone knows what's in front of us. We can make predictions, but at this rate of change, who knows what next week is going to bring us? Certainly if you follow the news feeds, as you do as a professional, you're seeing more rapid changes all the time in ways that you had never thought about before. What was one that just came about? Oh, so threat actors. This is not specifically related to AI, but as things continue to change, threat actors are now targeting HVAC systems in hospitals. Because if you hit the HVAC systems, they can't operate. So that's turned out to be a critical piece that the bad guys have found. And then of course, if you look back on it and you go, well, of course. But a year ago, who thought about that in terms of healthcare attacks?
A
Yeah. Well, Sean, thank you for taking the time for us here today and good luck with the rest of the HIP conference. I hope it all goes well for you.
B
Thank you. It'll be a very busy week to be sure.
A
That's Sean Deuby, the principal technologist with Semperis.

The holidays have arrived at the Home Depot and we're here to help bring the excitement with decor for every part of your home. Check out our wide assortment of easy-to-assemble pre-lit trees so you can spend less time setting up and more time celebrating. And bring your holiday spirit outdoors with unique decor like one of our Santa inflatables. Whatever your style, find the right pieces at the right prices this holiday season at the Home Depot.

Ford BlueCruise hands-free highway driving takes the work out of being behind the wheel, allowing you to relax and reconnect while also staying in control. Enjoy the drive in BlueCruise-enabled vehicles like the F-150, Explorer and Mustang Mach-E. Available feature on equipped vehicles. Terms apply. Does not replace safe driving. See Ford.com/BlueCruise for more details.

And finally, a Danish software engineer named Joachim built a simple website one weekend in August and accidentally gave the European Union a migraine. His creation, Fight Chat Control, lets visitors fire off pre-written protest emails to lawmakers opposing an EU bill meant to combat child sexual abuse material online. Privacy advocates call the measure a threat to encryption. Politicians now just call it that thing flooding my inbox. More than 2.5 million people have visited the site, reportedly triggering millions of emails and paralyzing inboxes across Brussels. Diplomats complain it's not a dialogue, while Joachim insists it's democracy, just faster and louder. The campaign has stirred national debates, clogged parliamentary servers and made one thing clear: in Europe, even a lone coder can jam the machinery of policy with enough public outrage and a send button.

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. A quick note before we wrap up.
Today is the last day to vote in the SANS Difference Makers Award in the Media Creator of the Year category, which I have been inexplicably nominated for. I'm honored to be recognized and would appreciate your support. You'll find a link to vote in our show notes. And like I said, voting is open through the end of today. Thanks for listening and being part of the N2K CyberWire community. N2K senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Tré Hester with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

Cyber Innovation Day is the premier event for cyber startups, researchers and top VC firms building trust into tomorrow's digital world. Kick off the day with unfiltered insights and panels on securing tomorrow's technology. In the afternoon, the 8th annual DataTribe Challenge takes center stage as elite startups pitch for exposure, acceleration and funding. The Innovation Expo runs all day, connecting founders, investors and researchers around breakthroughs in cybersecurity. It all happens November 4th in Washington, D.C. Discover the startups building the future of cyber. Learn more at cid.datatribe.com.
Date: October 8, 2025
Host: Dave Bittner (N2K Networks)
Featured Guest: Sean Deuby, Principal Technologist at Semperis
Today’s CyberWire Daily episode centers on a spate of high-profile cyber incidents, including Chinese state-linked espionage against US law firms, waves of Russian cyber operations in Europe, and escalating innovation and complexity in offensive and defensive security. The show includes news highlights on malware threats, ransomware, employee data oversharing via AI tools, and spotlights both rising cybersecurity startups and expert perspectives from the ongoing Hybrid Identity Protection (HIP) Conference.
“Every square centimeter of our territory must be protected.”
— Ursula von der Leyen, European Commission President (03:38)
“So the exercise should show messy realities... Or unclear decision authority where your leadership ends up being political infighting to make disruptive decisions.”
— Sean Deuby, on cyber crisis tabletops (18:27)
“The human dimension... remains the most exploited and least understood aspect of cyber defense.”
— Sean Deuby on cyberpsychology (21:53)
“Who knows what next week is going to bring us?... threat actors are now targeting HVAC systems in hospitals.”
— Sean Deuby on AI & threat evolution (27:03)
The tone remained brisk, precise, and informative. Dave Bittner and Sean Deuby balanced technical clarity and industry-insider commentary with relatable anecdotes and wit, particularly during Deuby's breakdown of tabletop exercises and human risk factors.
For further links and details, visit the CyberWire daily briefing.