CyberWire Daily: "Cyber Defenders Pulled Into Deportation Duty"
Date: October 9, 2025
Host: Maria Varmazes (standing in for Dave Bittner)
Guest: Sarah Graham (Atlantic Council's Cyber Statecraft Initiative)
Episode Overview
This episode delivers a comprehensive roundup of the day's top cybersecurity news, ranging from policy shifts that reassign cyber experts to non-security roles, to major DDoS attacks disrupting online gaming, and deep dives into the global spyware market. The centerpiece interview features Sarah Graham of the Atlantic Council, who unpacks the opaque world of commercial spyware, investment trends, and the challenge of regulating and exposing these "mythical beasts."
Key News and Analysis
1. DHS Reassigns Cybersecurity Personnel to Immigration Duties
[01:21 – 03:15]
- The Department of Homeland Security has diverted hundreds of cybersecurity and national security experts, including CISA staff, to support President Trump's deportation initiatives.
- These mandatory reassignments are backed by threats of dismissal and rapid relocations.
- The move significantly disrupts CISA’s capacity, especially curtailing critical cyber defense and international collaboration functions.
- Morale among agency personnel is "plummeting amid a climate of fear and censorship."
- Critics warn this leaves the U.S. more vulnerable to cyberattacks, while DHS officials claim it’s merely “routine personnel alignment.”
2. Massive DDoS Attack Hits Gaming Platforms
[03:15 – 04:15]
- Platforms such as Steam, Xbox, PlayStation, Riot Games, and Epic Games were hit by a record-setting 29.69 Tbps DDoS attack, attributed to the Aisuru botnet.
- Riot Games said its own systems were not compromised but acknowledged the impact on players.
- The scale signals growing vulnerabilities in global gaming infrastructure.
3. Discord Extortion Attempt & Data Breach Dispute
[04:15 – 05:23]
- Attackers claim to have stolen 1.6 TB of data—including IDs and payment details—from Discord’s Zendesk support system.
- Discord disputes the scale, saying 70,000 users’ ID photos were exposed, not millions as claimed.
- Refusing to pay a $5 million ransom, Discord labels the incident an extortion attempt.
4. Chaos Ransomware’s Destructive Evolution
[05:23 – 06:13]
- Researchers detail a new variant, Chaos-C++:
  - Written in C++ rather than .NET, a first for the family and a sign of continued development.
  - Deletes large files rather than encrypting them, and hijacks the clipboard to swap in attacker-controlled cryptocurrency wallet addresses.
  - Uses multiple encryption methods and masquerades as a utility program.
5. Log Poisoning Web Intrusion Case
[06:13 – 07:02]
- Huntress details August 2025 intrusions that used "log poisoning" against exposed phpMyAdmin instances to drop web shells and then Gh0st RAT for persistent access.
- More than 100 victims, concentrated in East Asia; the campaign underscores the risk from default settings and outdated packages.
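Added example, not code from the episode or from Huntress's report: the textbook log-poisoning route on a phpMyAdmin host abuses MySQL's general query log. A login with SUPER (or SYSTEM_VARIABLES_ADMIN on MySQL 8) points general_log_file at a .php file under the web root, switches general_log on, and runs a query whose text contains PHP, so that text is written to disk as a web shell. The Python below audits a SQL statement trail for that sequence (and the related INTO OUTFILE route) and checks server variables for the settings that make it possible. The statements and variable values are constructed for illustration, and the page does not say which exact chain Huntress observed, so treat the detector as a starting point rather than a signature for that campaign.

```python
"""Audit SQL statements and server variables for MySQL general-log poisoning."""
import re
from dataclasses import dataclass

# Constructed sample: a statement trail such as phpMyAdmin's SQL history or a
# MySQL audit plugin would record. Made up for this example, not real data.
SAMPLE_TRAIL = [
    "SELECT VERSION()",
    "SHOW VARIABLES LIKE 'general_log%'",
    "SET GLOBAL general_log_file = '/var/www/html/phpmyadmin/tmp/cache.php'",
    "SET GLOBAL general_log = 'ON'",
    "SELECT '<?php @eval($_POST[\"c\"]); ?>'",
    "SET GLOBAL general_log = 'OFF'",
    "SELECT id, name FROM customers LIMIT 20",
]

# Constructed sample: SHOW GLOBAL VARIABLES output from an unhardened install.
SAMPLE_VARIABLES = {
    "general_log": "OFF",
    "general_log_file": "/var/lib/mysql/db01.log",
    "secure_file_priv": "",
}

WEB_EXTS = (".php", ".phtml", ".phar", ".php5", ".php7")
WEBROOT_HINTS = ("/var/www", "/srv/http", "/usr/share/nginx", "htdocs",
                 "public_html", "wwwroot")

SET_LOG_FILE = re.compile(
    r"SET\s+(?:GLOBAL\s+|@@global\.)?general_log_file\s*=\s*['\"]([^'\"]+)['\"]",
    re.IGNORECASE)
SET_LOG_ON = re.compile(
    r"SET\s+(?:GLOBAL\s+|@@global\.)?general_log\s*=\s*['\"]?(?:ON|1)\b['\"]?",
    re.IGNORECASE)
PHP_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)
OUTFILE = re.compile(r"INTO\s+(?:OUT|DUMP)FILE\s+['\"]([^'\"]+)['\"]", re.IGNORECASE)


def looks_web_served(path: str) -> bool:
    """True if a path has a PHP-ish extension or sits under a common web root."""
    p = path.lower().replace("\\", "/")
    return p.endswith(WEB_EXTS) or any(hint in p for hint in WEBROOT_HINTS)


@dataclass
class Finding:
    line_no: int
    reason: str
    statement: str


def audit_trail(statements):
    """Flag the redirect -> enable -> write-payload sequence in a statement list."""
    findings = []
    redirected = None  # last general_log_file target seen in this trail
    for no, stmt in enumerate(statements, 1):
        m = SET_LOG_FILE.search(stmt)
        if m:
            redirected = m.group(1)
            if looks_web_served(redirected):
                findings.append(Finding(no, f"general_log_file pointed at web-served path {redirected}", stmt))
        elif SET_LOG_ON.search(stmt) and redirected:
            findings.append(Finding(no, f"general_log switched on while log file is {redirected}", stmt))
        if PHP_TAG.search(stmt):
            findings.append(Finding(no, "PHP open tag in statement text (payload written via the log)", stmt))
        m = OUTFILE.search(stmt)
        if m and looks_web_served(m.group(1)):
            findings.append(Finding(no, f"INTO OUTFILE to web-served path {m.group(1)}", stmt))
    return findings


def check_server_variables(variables):
    """Return hardening gaps given a dict of SHOW GLOBAL VARIABLES name -> value."""
    issues = []
    if str(variables.get("general_log", "OFF")).upper() in ("ON", "1"):
        issues.append("general_log is ON: every query, including attacker-chosen text, is written to disk")
    log_file = variables.get("general_log_file", "")
    if log_file and looks_web_served(log_file):
        issues.append(f"general_log_file {log_file} is under a web-served path")
    if variables.get("secure_file_priv", "") in ("", None):
        issues.append("secure_file_priv is empty: INTO OUTFILE may write anywhere mysqld can")
    return issues


if __name__ == "__main__":
    for f in audit_trail(SAMPLE_TRAIL):
        print(f"statement {f.line_no}: {f.reason}\n    {f.statement}")
    for issue in check_server_variables(SAMPLE_VARIABLES):
        print("hardening:", issue)
```

On a real host, feed audit_trail the rows of phpMyAdmin's pma__history table or an audit-plugin log. Note that secure_file_priv does not constrain general_log_file, so the durable fix is that the mysqld OS user cannot write under the web root and the account phpMyAdmin logs in with lacks SUPER or SYSTEM_VARIABLES_ADMIN; the variable check only catches the settings that make the attack cheaper.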
6. FCC Data Breach Disclosure Rule Revisited
[07:02 – 07:38]
- The FCC’s 2024 rule requiring telecoms to notify customers of breaches within 30 days is under further review following industry pushback, though courts upheld the rule.
7. Teen Recruitment in Russian Cyber Ops
[07:38 – 08:18]
- Two Dutch teens arrested after being recruited via Telegram for data collection near sensitive sites, illustrating a trend of threat actors grooming young people for cyberattacks.
- Dutch PM calls it “extremely worrying.”
8. Ukraine to Establish Military Cyber Forces
[08:18 – 08:53]
- Ukrainian parliament advances a bill to establish formal cyber forces, aligning with NATO standards and reflecting the modern realities of warfare.
9. Troy Hunt Critiques Ineffective Legal Injunctions Post-Breach
[08:53 – 09:41]
- Security researcher Troy Hunt calls court-granted injunctions after major breaches "the legal equivalent of offering thoughts and prayers."
- They mostly restrict researchers and media, not the criminals.
"Such orders don't detect hackers or prevent leaks ... companies use them to appear proactive and protect shareholder interests, but they offer little real defense for victims or transparency about compromised information." — Troy Hunt, [09:11]
In-Depth Interview: Unveiling the Global Spyware Market
Guest: Sarah Graham, Atlantic Council Cyber Statecraft Initiative
[12:55 – 25:36]
Defining Spyware
- Spyware: Malicious software enabling unauthorized remote access for surveillance (excludes stalkerware, ad tech, etc.).
“We really keep a relatively narrow definition ... focused on that unauthorized remote access specifically for the purposes of surveillance.” — Sarah Graham [13:35]
Market Composition & Key Players
- Transparency in the spyware marketplace is low—most reporting covers big names (like NSO Group), but many small and medium players and intermediaries operate globally.
- Most vendors identified are based in Israel, India, and Italy.
- Notably, there’s a marked increase in U.S.-based investors funding these companies—even those on U.S. government blacklists.
“There has been a significant increase within our sample of US-based investors that continue to disproportionately fund capabilities ... undermining the important US government action.” — Sarah Graham [15:00]
U.S. Investor Trends
- 31 U.S. investors identified in the last year, including pension funds from New Jersey and Washington State.
- Investments are sometimes directed into companies, like Candiru, already listed on the U.S. Entity List.
“There must be some expectation that there is a future profit to be had here.” — Sarah Graham [16:25]
Government Role: Buyer, Regulator, and Enabler
- Italy, India, and Israel have permissive legal environments supporting domestic spyware industries—with states acting as buyers and sometimes as weak regulators.
- Overlap between commercial, state, and regulatory interests often leads to conflicts of interest and resistance to effective transparency or control.
Evasion, Accountability, and Brokers
- Companies frequently rebrand, rename, and jurisdiction-hop to evade sanctions and export controls.
- Brokers and resellers—entities providing market access, hardware, or services—play key roles in obscuring corporate identities and complicating accountability.
“Intermediary entities are playing a pretty crucial role to limiting transparency.” — Sarah Graham [21:35]
Plausible Deniability for Clients and Vendors
- Multiple layers of intermediaries provide plausible deniability to both spyware vendors and their nation-state buyers. Example: Mexican spyware contracts structured to obscure buyer identity.
U.S. Policy and Regulation
- No major policy shifts apparent under the new U.S. administration; blacklisting and sanctions continue, but U.S.-based funding of spyware persists.
Impact on the Public
- Most Americans aren’t direct targets, but their financial assets—like pension funds—may be invested in spyware companies.
- Graham urges greater transparency regarding where public and private money is invested.
“Being able to have some context over where your finances are being invested ... is certainly a first step in understanding what’s going on and how entangled these sorts of ecosystems actually are.” — Sarah Graham [25:17]
Closing Story:
Spy Dog Book Series Website Incident
[26:56 – 28:10]
- Website for the popular “Spy Dog” children’s series was taken over and repurposed for explicit content after domain expiration.
- Schools and publisher react with emergency recalls and warnings to parents.
Notable Quotes & Moments
- On the consequences of moving cyber defenders away from their posts:
"Critics warn that the shift leaves the United States more vulnerable to cyber threats as major hacks continue to target government networks." [01:57]
- Sarah Graham on spyware investment trends:
"There has to be a reason investors invest when they see the potential for profit, despite U.S. policy actions." [16:18]
- Graham on the challenges of accountability:
"Shifting vendor identities ... make it really difficult to track consistency in their activity... Strategic jurisdictional hopping is something that they certainly partake in." [19:45]
- Troy Hunt on legal responses to data breaches:
"These injunctions mainly restrict journalists, researchers, and services like Have I Been Pwned, rather than the criminals themselves." [09:25]
Timestamps by Topic
- DHS cyber personnel reassignment: 01:21
- Gaming sector DDoS attack: 03:15
- Discord breach/extortion: 04:15
- Chaos ransomware update: 05:23
- Web intrusions via log poisoning: 06:13
- FCC rule review: 07:02
- Teen recruitment by Russian hackers: 07:38
- Ukraine’s cyber forces bill: 08:18
- Troy Hunt on injunctions: 08:53
- Interview: Sarah Graham: 12:55 – 25:36
- Spy Dog website story: 26:56
Summary Takeaway
This episode highlights the risks of deprioritizing cyber defense capabilities in pursuit of other national strategies, the evolving landscape of cybercrime and ransomware, and the persistent challenges of the global spyware industry and its shadowy supply chain. The detailed interview with Sarah Graham makes clear that commercial spyware’s impact is widespread—spanning from state intelligence to everyday Americans’ retirement funds—and that addressing its spread requires unprecedented transparency and international cooperation.
