A
You're listening to the CyberWire network. Powered by N2K.
B
The DMV has established itself as a top-tier player in the global cyber industry. DMV Rising is the premier event for cyber leaders and innovators to engage in meaningful discussions and celebrate the innovation happening in and around the Washington, D.C. area. Join us on Thursday, September 18th to connect with the leading minds shaping our field and experience firsthand why the Washington, D.C. region is the beating heart of cyber innovation. Visit DMVRising.com to secure your spot. Think your certificate security is covered? By March 2026, TLS certificate lifespans will be cut in half, meaning double today's renewals. And in 2029, certificates will expire every 47 days, demanding between 8 and 12 times the renewal volume. That's exponential complexity, operational workload and risk, unless you modernize your strategy. CyberArk, proven in identity security, is your partner in certificate security. CyberArk simplifies lifecycle management with visibility, automation and control at scale. Master the 47-day shift with CyberArk. Scan for vulnerabilities, streamline operations, scale security. Visit cyberark.com/47day. That's cyberark.com, the numbers 47day. An FBI botnet disruption leaves cybercriminals scrambling to pick up the pieces. Notorious ransomware gangs announce their retirement, but don't hold your breath. Hacktivists leaked data tied to China's Great Firewall. A new report says DHS mishandled a key program designed to retain cyber talent at CISA. GPUGate malware cleverly evades analysis. White Cobra targets developers with malicious extensions. North Korea's Kimsuky Group uses AI to generate fake South Korean military IDs. We've got our Monday Business Brief summary. My guest is Tim Starks from CyberScoop, discussing offensive cyber operations. And a cyber attack leaves students hung out to dry. It's Monday, September 15, 2025. I'm Dave Bittner, and this is your CyberWire Intel Brief. Thanks for joining us. It's great to have you with us.
The FBI recently disrupted a massive botnet, freeing nearly 95,000 hacked devices. But instead of neutralizing the threat, the takedown sparked a scramble among cybercriminals to seize control of the machines. A rival botnet known as Aisuru captured more than a quarter of them and quickly began launching some of the largest distributed denial-of-service attacks ever recorded. Cloudflare reported one strike reaching 11.5 trillion bits per second, a new world record. Analysts warn this unintended consequence shows how difficult it is to dismantle botnets without leaving devices open to new operators. What began as an FBI success has turned into a dangerous escalation, highlighting how today's Internet-connected devices can be weaponized faster than law enforcement can neutralize them. Fifteen ransomware gangs, including Scattered Spider and Lapsus$, have suddenly declared they're retiring, claiming their real mission was noble system hardening, not extortion. In a BreachForums post dripping with self-justification, they say they'll now enjoy their golden parachutes from millions in stolen funds while others continue improving systems. They even promise to humiliate those who arrested some members. If this sounds like a heartfelt farewell, don't bet on it. Cybercrime groups are notorious for rebranding, and few believe these attackers are hanging up their keyboards. Hacktivists have leaked nearly 600 gigabytes of data tied to China's Great Firewall in what experts call the largest breach of its kind. The files, published by Enlace Hacktivista on September 11, include source code, internal reports, work logs and technical documentation allegedly from Geedge Networks and the MESA Lab, both central to the firewall's development. Early analysis shows evidence of censorship and surveillance exports to countries tied to China's Belt and Road Initiative, including Pakistan and Ethiopia.
Unlike past leaks, this trove includes raw operational data, tens of thousands of documents and software packages that reveal how the firewall has evolved and expanded. Researchers caution the files may contain malware, but say they offer a rare, detailed look into China's censorship machine. Meanwhile, China is tightening cybersecurity rules, requiring network operators to report particularly serious incidents within one hour starting November 1st. The Cyberspace Administration of China defines top-tier threats as large-scale outages, breaches exposing over 100 million citizens' data, or cyber attacks disrupting utilities, transport or health care for millions. Officials must notify higher authorities within 30 minutes of receiving reports, and operators must file a full review within 30 days. Lawmakers are also considering amendments to raise fines for failures involving critical infrastructure or data protection. A new inspector general report says the Department of Homeland Security mishandled a key program designed to retain cyber talent at CISA. Since 2015, over $100 million was spent on the Cyber Incentive program, meant to keep highly sought-after cybersecurity experts in government. Instead, funds were often misdirected. Payments went to ineligible staff, including 240 employees with no direct cybersecurity roles, and more than 300 people received erroneous back pay. The watchdog concluded the poorly managed program wasted taxpayer dollars and may worsen attrition risks, leaving CISA less able to protect the nation from cyber threats. Triggered by a 2023 hotline complaint, the investigation found HR failed to track payments, and CISA has agreed to eight corrective recommendations to fix oversight and targeting issues.
Arctic Wolf's Cybersecurity Operations Center has uncovered a sophisticated campaign blending Google Ads and GitHub lookalike domains to deliver malware. Attackers use commit-specific links in ads to mimic official repositories, luring IT professionals into downloading a malicious MSI installer disguised as GitHub Desktop. At 128 megabytes, the installer bypassed many sandboxes by stuffing itself with dummy files. Its standout feature, dubbed GPUGate, employed a GPU-based decryption routine that kept the payload encrypted unless run on a machine with a real GPU, evading most analysis environments. Once executed, the malware gained admin rights for persistence and lateral movement. The campaign primarily targeted IT workers in Western Europe, with evidence suggesting Russian-speaking operators. Likely goals included credential theft, data exfiltration and ransomware deployment. A threat actor known as White Cobra is targeting developers by planting 24 malicious extensions in the Visual Studio Marketplace and Open VSX Registry, affecting VS Code, Cursor and Windsurf users. The campaign is active, with new malicious uploads replacing removed ones. Ethereum developer Zach Cole reported his wallet was drained after using one such extension, which appeared legitimate with a professional design and 54,000 downloads. White Cobra, previously tied to a half-a-million-dollar crypto theft, exploits weak extension vetting and cross-compatibility of VSIX packages. Cybersecurity firm Genians has uncovered a spear-phishing campaign by North Korea's Kimsuky Group that used AI to generate fake South Korean military ID cards, detected on July 17. The attack impersonated a defense institution, sending emails with counterfeit ID samples attached as PNGs designed to look like draft reviews for ID issuance. The images, flagged as deepfakes with 98% certainty, were created through prompt injection to bypass AI safeguards against generating illegal IDs.
A malicious BAT file executed alongside the images enabled data theft and remote control. Targets included researchers, journalists and activists focused on North Korea. The campaign marks an evolution of Kimsuky's earlier ClickFix phishing attacks, showing how deepfake technology can enhance the credibility of social engineering attempts. It's Monday, which means we've got a summary of our N2K CyberWire Business Brief. Mitsubishi Electric has announced its largest acquisition to date, agreeing to buy San Francisco-based OT security firm Nozomi Networks for $883 million in cash. The deal builds on Mitsubishi's earlier 7% stake in Nozomi, gained during the company's $100 million Series E funding round in 2024, and is expected to close late this year. Nozomi will continue operating from San Francisco with R&D in Switzerland. Mitsubishi says the acquisition adds a fast-growing AI-powered cybersecurity business to its industrial portfolio, helping deliver advanced protection for critical infrastructure and IoT systems. Meanwhile, consolidation continues across the cybersecurity sector. SentinelOne is buying Observo AI for $225 million. Ultraviolet Cyber acquired Black Duck's Testing Services, and several smaller firms in Europe, the US and Israel announced deals. Investment activity was also strong, with ID.me raising $340 million, IQM Quantum Computers securing $320 million and Shift5 closing $75 million to accelerate growth in their respective sectors. Be sure to check out our complete Business Briefing on our website, thecyberwire.com. Coming up after the break, my conversation with Tim Starks from CyberScoop. We're discussing offensive cyber operations, and a cyber attack leaves students hung out to dry. Stay with us. And now a word from our sponsor. The Johns Hopkins University Information Security Institute is seeking qualified applicants for its innovative Master of Science in Security Informatics degree program.
Study alongside world-class interdisciplinary experts and gain unparalleled educational, research and professional experience in information security and assurance. Interested U.S. citizens should consider the Department of Defense's Cyber Service Academy program, which covers tuition, textbooks and a laptop, as well as providing a $34,000 additional annual stipend. Apply for the fall 2026 semester and for this scholarship by February 28th. Learn more at cs.jhu.edu/mssi. We've all been there. You realize your business needs to hire someone yesterday. How can you find amazing candidates fast? Well, it's easy. Just use Indeed. When it comes to hiring, Indeed is all you need. Stop struggling to get your job post noticed. Indeed Sponsored Jobs helps you stand out and hire fast. Your post jumps to the top of search results so the right candidates see it first, and it works. Sponsored Jobs on Indeed get 45% more applications than non-sponsored ones. One of the things I love about Indeed is how fast it makes hiring. And yes, we do actually use Indeed for hiring here at N2K CyberWire. Many of my colleagues here came to us through Indeed. Plus, with Sponsored Jobs, there are no subscriptions, no long-term contracts. You only pay for results. How fast is Indeed? Oh, in the minute or so that I've been talking to you, 23 hires were made on Indeed, according to Indeed data worldwide. There's no need to wait any longer. Speed up your hiring right now with Indeed, and listeners to this show will get a $75 Sponsored Job credit to get your jobs more visibility at indeed.com/cyberwire. Just go to indeed.com/cyberwire right now and support our show by saying you heard about Indeed on this podcast. Indeed.com/cyberwire. Terms and conditions apply. Hiring? Indeed is all you need. And it is always my pleasure to welcome back to the show Tim Starks. He is a senior reporter at Cybersecurity Scoop. Tim, welcome back.
A
It's my pleasure. Mine, Dave.
B
So, Tim, we had a water cooler conversation here, around the virtual water cooler here at CyberWire, and one of my colleagues brought up the fact that it seems like there is a lot of growing buzz about this notion of offensive cyber, or, as it is euphemistically referred to sometimes, active defense. Right?
A
Yes.
B
In fact, this was something that you wrote about recently on CyberScoop, particularly kind of keying off this announcement from Google that this was something that they were pursuing. What's going on here, Tim?
A
Yeah, there's been kind of a two-front series of developments going on with this. One is the private sector side and the other is the public sector, the federal government. So on the private sector side, Google has said they're going to set up a disruption unit, and they don't, they haven't said what that's going to look like yet. But disruption kind of falls into that spectrum between what we talk about. You just mentioned the terms cyber offense and active defense. It's a little bit more on the offensive side. We're talking about things like taking a company to court and getting its infrastructure taken down. We've seen Microsoft do that a lot. Or something more like with the federal government disrupting by going and stealing back, essentially. I don't know if you can steal back something that was stolen from you, but taking back stolen cryptocurrency from ransomware gangs. That's kind of the range of things that you think of when you think of disruptions. And that makes it interesting to hear what Google might do with it. There was a broader discussion the day that that was announced about, is the private sector capable of doing this? Does it have the ability? And then this most recent week, there was a lot of discussion about this from Trump administration officials talking about how they want to change the national strategy to put the risk, the cyber burden risk, on the attackers, to use the phrase that Alexei Bulazel from the National Security Council used. We're talking about making it less about the victims and more about the villains. So it's two fronts, and there's a lot of interesting policy ramifications and industry, government, business ramifications for all this. That is really fascinating to me. Yeah.
B
And can we just start with basic stuff here. Correct me if I'm wrong, hacking back is illegal.
A
It is, yeah. The Computer Fraud and Abuse Act would basically, if you are, if you're going to hack back, if you're literally going to go into an organization or companies, even governments, you're basically, you're running risks of being arrested under the federal anti-hacking law. We've had some debate about, in past years, that kind of has been a dead end, is to come up with ways that you can authorize legally some hacking back. And that has gotten nowhere in Congress beyond the introduction of bills. A lot of people think that's a very bad idea. In fact, we're seeing a new version of this idea, letters of marque, which goes back to pirate days, right? Yeah.
B
Right.
A
Going back to the government saying, hey, you're authorized to be a mercenary going after pirates on our behalf. Here's a letter, you're legally allowed to go after these pirates. So that's something that we're now seeing a bit more discussion in Congress about, the idea of maybe putting legislation to create a framework for this. And what's interesting about that is, even if they do it, and the little response we've seen from the Hill, the people proposing the idea, there was a House hearing several months back where a lawmaker raised this idea and all the panelists were like, yeah, no, we wouldn't be interested in being that kind of business. But there was some talk at this recent conference, the one where the Google announcement came out, about is there going to be a burgeoning market for this if the law changes, and how good would anybody be at it? Right.
B
Could there be something in the middle, a public-private partnership where the feds take care of the legal side of it, but basically contract the actual offensive cyber out to one of the usual suspects, the big names?
A
Yeah, that's a point that I think there's a little bit of discussion about. Certainly I think there's a little bit that's already happening. There was a company that talked about selling exploits to governments. It's not a very profitable business because you have one customer. There's not a lot of competition for pricing. You're not offering it and getting a lot of bids per se, unless you decide you want to go to the dark side and offer it to governments that are less ethical or more authoritarian than ours. They say, look, it's a difficult marketplace because once you sell the exploit, it's gone. So there's that option where there could be some public-private. And one of the things that Brandon Wales said, who was a former CISA official, is now in the private sector, is perhaps what you could see the private sector contributing would be just private sector, good old-fashioned capitalist innovation, where if they can figure out a way to take what are very manpower-intensive and time-intensive things that cyber operations are, cyber offensive operations are, if they could somehow innovate in that field, that would be something that could really help the federal government. But that's pretty vague, right? There's a lot of gulf in between what that would look like, what would that innovation be like, what could the innovation be? And right now, certainly the government hasn't figured it out, and they're using a lot of resources to try to figure out how to do these things more. And it's difficult. So, you know, it's hard to imagine how you get from A to B. But there's a lot of talk of getting from A to B, which is more than there has been in recent years.
B
You mentioned about putting the burden on the attackers. What is the explanation for that? How would that play out?
A
Yeah, so you'll recall one of the things that was interesting about the prior administration, the Biden administration, is that their national security, they're not, sorry, their cybersecurity strategy said, you know, right now the risk, the risk burden, the burden of risk for cyber, on cybersecurity, is on the end user. They get insecure products, they use insecure products. They have to do things like set up multi-factor authentication. They have to buy additional services to protect themselves. The Biden administration said, let's shift the risk to other people who can handle it better, namely the private sector, the companies that produce these technologies. But also they started to talk about this, this idea, going back to, circling back to what we started talking about, disruption. So they had a large section of the National Security Strategy that said, let's do more to make it so the attacker feels pressure. This administration, now we saw two different top officials this recent week saying, one was Cairncross, the National Cyber Director. Keeping in mind, of course, the National Cyber Director wrote the last National Cybersecurity Strategy. So he's a person who will be in position, if things hold form, to write the next National Security, National Cybersecurity Strategy. And as mentioned, Alexei Bulazel, who's the top NSC cyber official. So these two people both said we need to shift the risk to yet a different place, that is, to the attacker. So that means going more on cyber offense. But also, Alexei was saying it's not the only tool in the toolbox. Even though we've been talking this up, we can't just be offensive. We do have to still do things defensively. Why we still need something like CISA. So how they blend that, that is going to be really interesting. There was a little bit of stuff that came out in the last administration about them trying to loosen up the rules of cyber engagement in cyberspace that was interesting.
It didn't get rolled back very far, but the Biden administration changed a few things about how that worked. So how do they start going about this? And certainly a strategy would be one way to do it. But at an operational level, this is going to be happening at Cyber Command, and it'll be interesting to see how that high-level strategy translates to policy and actual on-the-ground, or at least in-the-space, because we're talking about cyberspace, on-the-ground operations.
B
Right. I'm trying to imagine the cyber equivalent of a targeted drone strike. Right.
A
Well, an example of that actually might be, I think from the, I think this would have been from, I think was this 2018. I believe it was 2018. There was a, there was an operation where they went into the Russian troll farm, essentially, and shut down their website, shut down their operations for a while. So that's a little bit like the drone strike you're talking about. That's an example of what it might look like. But obviously that's short-term and temporary. And is that worth it? I think something more like, if you go even further back, something like shutting down the centrifuges in Iran that happened many, many years back, that the US and Israel were part of doing, perhaps a little bit of England, that maybe would be more like, we're not just going to attack you in cyberspace, we're going to attack you in cyberspace in a way that causes physical destruction. I think that would be another level you could take it to. If you could obviously locate where these attackers are, is there something you could do to blow up something near them? The imagination is required here because we don't have a lot of real examples that have come out. We have those kinds of examples that we were just talking about. And the imagination is where you have to take it, because right now nobody's talking about it out loud. It would be all very classified for the most part. Unless, of course, and this is where some of the other, other things that are fascinating about this come out. How, how deterring is it to launch cyber attacks in cyberspace against cyber attackers if they don't know you did it, or if the public doesn't know that you did it? And, and they don't send the message. So there's, there's all these fascinating, like, moving pieces and gears that you just kind of, kind of have to think about at this point until we start seeing more of it actually happening.
B
Yeah, I agree with your fascination. And, and, and also to me, one of the, the things to have an eye on is the amorphous, shifting norms. Right?
A
Yeah. I mean, certainly on the, on the bad guy side, if we're being, if I'm representing America, you know, we, we have seen there was a time period where, during the, during COVID heights, a couple of the ransomware gangs said, we're not going to attack hospitals, or we're not going to attack. And then not long after that, they were doing it. So even when norms are sort of being unofficially established, they're being violated constantly. And the other thing, of course, is that the United States has never drawn in any very specific way what we call red lines in cyberspace.
B
Right.
A
Just, you know, if you do this, we're going to attack you. We've never done it. There have been a lot of people who suggest it would be a bad idea to do it. Some people think it's a good idea. The bad idea argument is, of course, that if you say this is the red line and then somebody oversteps it, you're obligated to attack them. There's the unpredictability element of it. Like, okay, you're not going to know what causes an attack until we attack you. That maybe then puts some doubt into the attacker's mind. Should we do this? Is it worth it? If we don't know what the line is and we don't know when we overstep it, what's that? The good side, of course, is draw the lines, and they're not going to cross the lines because they're going to know what happens if they do. So that's another thing, is that the norms are not established. What norms we do have are somewhat constantly shifting.
B
Right? Yeah. All right. Well, as they say, time will tell. It's a universal chess game.
A
Always true. It's always true.
B
It is true. Tim Starks is senior reporter at CyberScoop. Tim, thanks so much for sharing your expertise with us today.
A
Thanks, Dave.
B
At Thales, they know cybersecurity can be tough and you can't protect everything. But with Thales, you can secure what matters most. With Thales' industry-leading platforms, you can protect critical applications, data and identities anywhere and at scale with the highest ROI. That's why the most trusted brands and largest banks, retailers and healthcare companies in the world rely on Thales to protect what matters most: applications, data and identity. That's Thales, T-H-A-L-E-S. Learn more at thalesgroup.com/cyber.
C
When did making plans get this complicated? It's time to streamline with WhatsApp, the secure messaging app that brings the whole group together. Use polls to settle dinner plans, send event invites and pin messages so no one forgets Mom's 60th, and never miss a meme or milestone. All protected with end-to-end encryption. It's time for WhatsApp. Message privately with everyone. Learn more at WhatsApp.com.
B
And finally, at Amsterdam's Spinoza campus, more than a thousand students are still schlepping laundry bags across town after a cyber attack turned their smart washing machines into very expensive, very useless boxes. Back in July, an unknown hacker tampered with the digital payment system, granting students a glorious few weeks of free spin cycles. Management company DUWO eventually pulled the plug, declaring it wasn't in the business of underwriting free laundry. Students now fight over a dwindling fleet of 10 analog washers, most of which are usually broken. While some mutter darkly about license, the university has offered little help other than pointing back to DUWO. So while IoT hacks usually fuel botnets or ad fraud, this one left students wringing out socks by hand, proof that cyber mischief can hit right at the fabric of daily life. And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment on Jason and Brian's show. Every week you can find Grumpy Old Geeks where all the fine podcasts are listed. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester, with original music by Elliot Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. And now a word from our sponsor, ThreatLocker, the powerful zero trust enterprise solution that stops ransomware in its tracks.
Allowlisting is a deny-by-default software that makes application control simple and fast. Ringfencing is an application containment strategy, ensuring apps can only access the files, registry keys, network resources and other applications they truly need to function. Shut out cybercriminals with world-class endpoint protection from ThreatLocker.
Date: September 15, 2025
Host: Dave Bittner (N2K Networks)
Guest: Tim Starks (Senior Reporter, CyberScoop)
This episode explores the complexities and unintended consequences in cybersecurity, beginning with the FBI's recent attempt to disrupt a massive botnet—a move that inadvertently unleashed new problems. The show further surveys major security news, from hacktivist data leaks in China to ransomware gang retirements, and features an in-depth interview with Tim Starks about shifting norms and strategies in offensive cyber operations. The episode closes with a look at a campus IoT hack that left students without access to laundromats.
Tim Starks (Senior Reporter, CyberScoop) unpacks government and private sector approaches to offensive cyber operations, the ethics and legality of hacking back, and shifting cyber norms.
"There was a broader discussion... is the private sector capable of doing this? Does it have the ability?"
"If you're literally going to go into an organization or companies, even governments, you're basically... running risks of being arrested under the federal anti-hacking law."
"Perhaps what you could see the private sector contributing would be just private sector, good old fashioned capitalist innovation... if they could somehow innovate in that field, that would be something that could really help the federal government."
"We need to shift the risk to yet a different place—that is, to the attacker. So that means going more on cyber offense. But... it's not the only tool in the toolbox."
"The United States has never drawn in any very specific way what we call red lines in cyberspace... Some people think it's a good idea, some a bad idea."
"An example... might be from 2018, they went into the Russian troll farm... shut down their operations for a while. So that's a little bit like the drone strike you're talking about."
On rapid botnet counter-weaponization ([02:30]):
"What began as an FBI success has turned into a dangerous escalation, highlighting how today's Internet connected devices can be weaponized faster than law enforcement can neutralize them." — Dave Bittner
On ransomware gang retirements ([03:50]):
"If this sounds like a heartfelt farewell, don't bet on it. Cybercrime groups are notorious for rebranding, and few believe these attackers are hanging up their keyboards." — Dave Bittner
On AI's effect on phishing attacks ([08:40]): "The campaign marks an evolution of Kimsuky's earlier ClickFix phishing attacks, showing how deepfake technology can enhance the credibility of social engineering attempts." — Dave Bittner
On uncertainty in cyber policy ([26:56]): "What norms we do have are somewhat constantly shifting." — Tim Starks
On a campus IoT hack: "While IoT hacks usually fuel botnets or ad fraud, this one left students wringing out socks by hand, proof that cyber mischief can hit right at the fabric of daily life." — Dave Bittner
This episode underscores the complexities of fighting cybercrime, from botnet whack-a-mole to the blurred line between defense and offense. As Tim Starks notes, “the norms are not established,” and the cyber chessboard is constantly shifting—leaving policymakers, businesses, and users alike to adapt in real-time.
For further reading and daily briefings, visit thecyberwire.com.