A
You're listening to the CyberWire Network, powered by N2K. Are you ready for AI in cybersecurity? Demand for these skills is growing exponentially for cybersecurity professionals. It's why CompTIA, the largest vendor-neutral certification authority, is developing SecAI+. It's their first-ever AI certification focused on artificial intelligence and cybersecurity and is designed to help mid-career cybersecurity professionals demonstrate their competencies with AI tools. And that's why N2K's SecAI practice exam is coming out this year to help you prepare for the certification release in 2026. To find out more about this new credential and how N2K can help you prepare today, check out our blog at certify.cybervista.net blog, and thanks.
B
At Thales, they know cybersecurity can be tough and you can't protect everything. But with Thales, you can secure what matters most. With Thales' industry-leading platforms, you can protect critical applications, data and identities anywhere and at scale with the highest ROI. That's why the most trusted brands and largest banks, retailers and healthcare companies in the world rely on Thales to protect what matters most: applications, data and identity. That's Thales, T-H-A-L-E-S. Learn more at thalesgroup.com cyber.

A foreign threat actor breached a key US nuclear weapons manufacturing site. The cyber attack on Jaguar Land Rover is the most financially damaging cyber incident in UK history. A new report from Microsoft warns that AI is reshaping cybersecurity at an unprecedented pace. The ToolShell vulnerability fuels Chinese cyber operations across four continents. Fake browser updates are spreading RansomHub, LockBit and data-stealing malware. Hackers deface LA Metro bus stop displays. A spyware developer is warned by Apple of a mercenary spyware attack. Pwn2Own payouts proceed. Ben Yelin from the University of Maryland Center for Cyber Health and Hazard Strategies discusses a federal whistleblower from the Social Security Administration. And when the cloud goes down, the beds heat up. It's Wednesday, October 22, 2025. I'm Dave Bittner and this is your CyberWire Intel Briefing. Thanks for joining us here today. It's great to have you with us. A foreign threat actor breached the Kansas City National Security Campus, a key US nuclear weapons manufacturing site, by exploiting unpatched Microsoft SharePoint vulnerabilities. According to a source involved in the August response, the attackers accessed systems at the Honeywell-managed facility, which produces most non-nuclear components for U.S. nuclear weapons. Attribution remains disputed. Microsoft links the broader campaign to Chinese groups Linen Typhoon and Violet Typhoon, while another source claims Russian involvement.
The incident underscores how IT weaknesses can expose operational technology even in air-gapped environments. OT experts warn that despite limited impact, the breach highlights gaps in zero trust protections for industrial systems. Even unclassified technical data could hold strategic value by revealing manufacturing tolerances or supply chain dependencies. The Department of Energy confirmed limited disruption and said affected systems are being restored. The cyber attack on Jaguar Land Rover is projected to cost 1.9 billion pounds, making it the most financially damaging cyber incident in UK history, according to the Cyber Monitoring Centre. The BBC says the late August hack forced a five-week production shutdown across JLR's global operations and disrupted more than 5,000 suppliers. The Cyber Monitoring Centre classified the breach as a Category 3 event, citing estimated losses between 1.6 billion pounds and 2.1 billion pounds, with full recovery expected by January of next year. More than half the losses are attributed to JLR's own recovery and operational downtime, while supply chain and local economy impacts make up the rest. JLR has not disclosed the attack type or whether a ransom was paid. Microsoft's Digital Defense Report for 2025 warns that AI is reshaping cybersecurity at an unprecedented pace, empowering both defenders and attackers. The company says adversaries now use generative AI to automate social engineering, vulnerability discovery and evasion, while targeting AI systems themselves through prompt injection and data poisoning. Nation-state actors are intensifying espionage and influence operations, particularly against research and communication sectors, often linked to geopolitical conflicts. Microsoft urges defenders to embed cybersecurity into business strategy, emphasizing zero trust, cloud security and identity protection. The report stresses that no organization can face these challenges alone.
International collaboration and political deterrence are vital to counter malicious state activity. Microsoft also calls for preparation for quantum-era threats, climate, cloud governance and workforce upskilling to build collective cyber resilience. A program note: our N2K CyberWire Network partner, Microsoft Threat Intelligence, discusses the report in detail on today's episode of the Microsoft Threat Intelligence podcast. We'll have a link in the show notes. Chinese-linked hackers exploited the ToolShell vulnerability in Microsoft SharePoint to attack organizations across four continents, according to Symantec. The flaw, a bypass for two earlier SharePoint bugs revealed at Pwn2Own Berlin, allows unauthenticated remote code execution on on-premises servers. Microsoft previously attributed the exploitation to Chinese groups Budworm, also known as Linen Typhoon, Sheathminer, Violet Typhoon, and Storm-2603 (Warlock ransomware). Symantec's report identifies additional Chinese actors targeting government, telecom, financial and academic institutions in the Middle East, Africa, South America and the US. Attackers deployed multiple backdoors, including ZingDoor, ShadowPad and KrustyLoader, using legitimate executables for DLL sideloading. The operations also leveraged credential dumping tools, PetitPotam for domain compromise, and utilities for data exfiltration and persistence. Symantec concludes ToolShell was exploited by more Chinese actors than previously known. A new report from Trustwave SpiderLabs warns that SocGholish, also known as FakeUpdates, is a global malware-as-a-service operation, turning fake software updates into large-scale infection campaigns. Run by threat group TA569, SocGholish compromises legitimate websites, often WordPress sites, and injects malicious scripts, or uses domain shadowing to distribute malware disguised as browser or Flash updates.
The group sells access to other criminals, including Evil Corp, and has recently delivered RansomHub ransomware in healthcare-related attacks. Researchers also found ties to Russia's GRU Unit 29155, noting that SocGholish has spread the Raspberry Robin worm. Using traffic filtering tools like Keitaro TDS, TA569 selectively targets victims and delivers payloads including LockBit ransomware, AsyncRAT and data stealers, making SocGholish a major global cyber threat. LA Metro confirmed that several digital signage boards were hijacked this week after displaying a false suicide bomb warning apparently posted by Turkish hackers. The incident affected bus stops where the alarming message appeared alongside a hacker group's social media tag. Officials traced the intrusion to Papercast, a third-party content management vendor whose systems were compromised. The unauthorized messages have since been removed as Metro and Papercast investigate the breach. A developer formerly employed by government spyware maker Trenchant says Apple warned him that his iPhone was targeted by mercenary spyware, marking one of the first known cases of a spyware developer becoming a victim. The developer, using the pseudonym Jay Gibson, had worked on iOS zero-day exploits before being suspended and later fired amid an internal investigation into a leak of Trenchant's hacking tools. Gibson denies involvement and believes he was scapegoated. Apple's alert, issued in March, suggests a state-linked surveillance campaign. Although no infection was confirmed, sources told TechCrunch that other exploit developers have received similar Apple notifications, signaling that the spread of zero-day spyware is now ensnaring its own creators. Trenchant's parent company, L3Harris, declined comment.
On day one of Pwn2Own Ireland 2025, researchers earned $522,500 by exploiting 34 previously unknown vulnerabilities across printers, routers, NAS devices and smart home products, according to Trend Micro's Zero Day Initiative. The top prize, $100,000, went to a SOHO Smashup exploit chaining flaws in QNAP router and NAS devices. Other major payouts included $50,000 each for hacks on Synology and Sonos devices. Additional vulnerabilities in Home Assistant, Philips Hue and HP and Canon printers were also rewarded. The contest continues with a $1 million WhatsApp exploit demonstration expected on Thursday. Coming after the break, Ben Yelin discusses a federal whistleblower from the Social Security Administration, and when the cloud goes down, beds heat up. Stick around. What's your 2 a.m. security worry? Is it, do I have the right controls in place? Maybe, are my vendors secure? Or the one that really keeps you up at night: how do I get out from under these old tools and manual processes? That's where Vanta comes in. Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data, and simplifies your security at scale. And it fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit-ready all the time. With Vanta, you get everything you need to move faster, scale confidently, and finally get back to sleep. Get started at vanta.com cyber. That's V-A-N-T-A dot com cyber. And now a word from our sponsor. The Johns Hopkins University Information Security Institute is seeking qualified applicants for its innovative Master of Science in Security Informatics degree program. Study alongside world-class interdisciplinary experts and gain unparalleled educational, research and professional experience in information security and assurance. Interested U.S. citizens should consider the Department of Defense's Cyber Service Academy program, which covers tuition, textbooks and a laptop, as well as providing a $34,000 additional annual stipend. Apply for the fall 2026 semester and for this scholarship by February 28th. Learn more at cs.jhu.edu MSSI. And it is always my pleasure to welcome back to the show Ben Yelin. He is my Caveat co-host and he is from the University of Maryland Center for Cyber Health and Hazard Strategies. Ben, welcome back.
C
Good to be with you again, Dave.
B
Interesting story from the Washington Post dealing with this former Social Security Administration employee who became a whistleblower and has received a lot of blowback from that activity. What's going on here, Ben?
C
So it's been a while since we've talked about the Department of Government Efficiency, which I believe still exists. But in just the first few months of the Trump administration, this was front page of every news story.
B
Right.
C
Elon Musk and his crew were helicoptering into federal agencies and taking control of computers. They were firing a lot of people. They were cutting off funding to disfavored programs like USAID. And according to this whistleblower, a guy by the name of Charles Borges, they were putting people's sensitive data at risk. So Borges is a former Chief Data Officer at the Social Security Administration. He is a career official who's worked under presidents of both parties. He ended up submitting his resignation over this issue. But he had filed a whistleblower complaint after learning that DOGE had copied a mainframe database containing data on hundreds of millions of Americans to a cloud server. He warned that the, what's called the NUMIDENT master file, contained names, Social Security numbers, birthdays, addresses. This all went into that insecure cloud system. There was very little oversight. The DOGE team didn't really know what it was doing, at least according to his allegation. And he felt that people's sensitive information could have been publicly exposed and could be available on the dark web, for example. Reached for comment, current leaders of the Social Security Administration and their commissioner have denied there's been any breach, which I think doesn't quite answer the question about vulnerabilities. Just because there hasn't been an identifiable breach doesn't mean that there will not be one. But he did say that the cloud location was secure, and this is something that SSA has used in the past to store data. But Borges' account was backed up by others who have worked for the agency. A former acting commissioner by the name of Leland Dudek backed his claims. He said that the DOGE cloud environment is too little secured and inappropriate for personal data. So this is just a story about a whistleblower finding that agents of DOGE were bypassing normal security protocols. He used proper internal mechanisms for bringing this to the attention of his superiors.
And he claims that he faced retaliation, isolation, and ultimately was forced to resign and end his career in public service because of this disclosure.
B
So help me understand that aspect of it, because aren't these whistleblower provisions put in place to prevent retaliation, isolation, resignation, all those sorts of things?
C
Yeah, that actually has to be enforced, though, and there has to be somebody willing to enforce it.
B
And that would be the Department of Justice.
C
Well, it could be the Department of Justice. It could just be internal agency enforcement.
B
Okay.
C
If the administration is not interested in protecting whistleblowers, there's just not much that a whistleblower can do. There are ways where you can retaliate without officially retaliating. I mean, you can just make somebody's life a living hell through demotions or embarrassment or putting them, reassigning them to projects that are outside their area of expertise. They could be first on the furlough list once the government shutdown starts. Like, there are ways to injure these types of career employees in some way that's not obvious enough that it's violating whistleblower protections. And even if there is an obvious violation, it would require a Department of Justice that I think might be hostile in pursuing these violations. So, yeah, I don't think the system is foolproof as it relates to whistleblower protections.
B
And this article points out that they had a lot of morale issues at the Social Security Administration amid all of this stuff from DOGE coming in with their metaphorical chainsaw, I suppose.
C
Yeah. I mean, this is not the only problem that's been identified. There have been closed offices because of budget cuts. They were forced to hire people that they had previously laid off just because senior citizens were complaining that they were waiting in long lines at undermanned offices.
B
And senior citizens vote.
C
They do vote. Yep. So this has become. This has certainly become a pattern and a problem for the administration. And it's something that's reflected across a lot of DOGE's actions. Firing some of our foremost nuclear safety experts and then scrambling to rehire them. Firing most of the staff of the National Oceanic Administration or whatever. NOAA. Yeah, no, National Oceanic and Atmospheric Administration.
B
There you go.
C
And then scrambling to rehire them. So it's part and parcel of what this effort has undertaken, but I think an underreported part of the story is this type of data vulnerability. And that's something this whistleblower brought to light.
B
Yeah, I suppose his days in public service are over. And probably fair to say he'll have opportunities in the private sector, given his high rank at SSA.
C
Oh, totally. He could cash in, you know, tomorrow. And I also, if there's a different administration in the future and there's an effort to rehire career officials who lost their jobs during this effort, I think he would be the type of person that might be rehired.
B
Yeah. It just strikes me it's a challenging time to be a good faith public servant in a lot of these organizations right now. It's just a lot of. I don't know. Pushing that rock uphill, I suppose.
C
I think that might be an understatement.
B
All right, well, Ben Yelin is my Caveat co-host and also from the University of Maryland Center for Cyber Health and Hazard Strategies. Ben, thanks for joining us.
C
Thank you.
A
When did making plans get this complicated? It's time to streamline with WhatsApp, the secure messaging app that brings the whole group together. Use polls to settle dinner plans, send event invites and pin messages so no one forgets Mom's 60th, and never miss a meme or milestone. All protected with end-to-end encryption. It's time for WhatsApp. Message privately with everyone.
C
Learn more at WhatsApp.com. This episode is brought to you by Indeed. When your computer breaks, you don't wait for it to magically start working again. You fix the problem. So why wait to hire the people your company desperately needs? Use Indeed's sponsored jobs to hire top talent fast. And even better, you only pay for results. There's no need to wait. Speed up your hiring with a $75 sponsored job credit at Indeed.com podcast. Terms and conditions apply.
B
And finally, when Amazon Web Services sneezed earlier this week, smart beds across America caught a fever. Around 3:00 a.m. Eastern Time, AWS's US-East-1 region suffered a major outage, taking down not just apps and banking sites but also the nation's priciest pillows. Owners of Eight Sleep's $2,000 Pod mattress covers awoke to find their cloud-connected sleep sanctuaries trapped in digital limbo. Some beds overheated into sauna territory, others froze or tilted at improbable angles, all thanks to the missing Internet umbilical cord. One user quipped, "back end outage means I'm sleeping in a sauna." Others discovered the bitter irony of a smart bed that can't think for itself offline. By sunrise, AWS had restored normal operations, and Eight Sleep's CEO vowed to create an outage mode. Until then, users might want to keep a fan and a sense of humor next to the bed. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Cyber Innovation Day is the premier event for cyber startups, researchers and top VC firms building trust into tomorrow's digital world. Kick off the day with unfiltered insights and panels on securing tomorrow's technology. In the afternoon, the 8th annual DataTribe Challenge takes center stage as elite startups pitch for exposure, acceleration, and funding.
The Innovation Expo runs all day, connecting founders, investors and researchers around breakthroughs in cybersecurity. It all happens November 4th in Washington, D.C. Discover the startups building the future of cyber. Learn more at cid.datatribe.com.
Date: October 22, 2025
Host: Dave Bittner (N2K Networks)
Main Theme:
A fast-moving episode covering high-impact cyber incidents (including a breach at a US nuclear weapons facility and the record-setting Jaguar Land Rover hack), the evolving threat landscape powered by AI, global supply chain risks, high-profile ransomware and spyware events, and a close-up on whistleblower challenges inside the Social Security Administration.
Timestamps: 01:10–03:20
"Despite limited impact, the breach highlights gaps in zero trust protections for industrial systems. Even unclassified technical data could hold strategic value…"
— Dave Bittner (03:08)
Timestamps: 03:20–04:30
Timestamps: 04:30–05:40
"The report stresses that no organization can face these challenges alone. International collaboration and political deterrence are vital…"
— Dave Bittner (05:23)
Timestamps: 05:40–07:00
Timestamps: 07:00–08:20
"SocGholish... turning fake software updates into large scale infection campaigns... a major global cyber threat."
— Dave Bittner (08:02)
Timestamps: 08:20–09:00
Timestamps: 09:00–10:00
Timestamps: 10:00–11:20
“The contest continues with a 1 million dollar WhatsApp exploit demonstration expected on Thursday.”
— Dave Bittner (11:15)
Timestamps: 14:56–21:28
Guest: Ben Yelin, University of Maryland Center for Cyber Health and Hazard Strategies
Discussion:
“…the DOGE team didn’t really know what it was doing…he felt that people’s sensitive information could have been publicly exposed…”
— Ben Yelin (15:40)
“Just because there hasn’t been an identifiable breach doesn’t mean that there will not be one.”
— Ben Yelin (16:44)
“There are ways where you can retaliate without officially retaliating… You can just make somebody’s life a living hell...”
— Ben Yelin (18:20)
Timestamps: 22:44–end
“Back end outage means I’m sleeping in a sauna.”
For more: Full episode and links at thecyberwire.com