CyberWire Daily – "Hacktivists go galactic."
Date: November 26, 2025
Host: Maria Varmazis (in for Dave Bittner)
Featured Guest: Cynthia Kaiser, SVP, Ransomware Research Institute (Halcyon)
Episode Overview
This episode delves into the surge of hacktivist and nation-state cyber activity targeting the space sector during the Gaza conflict, the evolving tactics of prominent ransomware groups (featuring a deep dive on Akira ransomware), and major incidents and trends in the cybersecurity landscape. Host Maria Varmazis brings listeners a concise yet insightful briefing, punctuated by an interview with Cynthia Kaiser to explore the aggressiveness and sophistication of Akira ransomware.
Key Segments & Insights
1. Hacktivist Cyber Attacks on the Space Sector
[02:10 – 04:00]
- Report by ETH Zurich:
  - Research tracked 237 cyber operations against space-sector organizations during the Gaza war; only 11 occurred prior to October 7.
- Spike Linked to Conflict:
  - Once the war began, pro-Palestinian hacktivist groups rapidly increased activity.
- Common Tactics:
  - Most frequent: DDoS attacks.
  - Targets were often chosen because they appear on commonly circulated lists of government URLs, even if they don't operate critical infrastructure (e.g., the Israel Space Agency was targeted despite its limited attack surface).
- Bigger Picture:
  - "Cyber operations against space sector organizations are now a routine element of geopolitical escalation."
    – Maria Varmazis [03:20]
2. Major Threat Actor Operations & Industry Breaches
[04:00 – 09:50]
- Russia-Aligned RomCom/GRU Activity:
  - Used SocGholish to breach a US civil engineering firm with Ukraine ties; suspected operational role of GRU unit 29155.
- FBI Advisory – Account Takeover Scams:
  - $262 million lost in 2025 already.
  - Sophisticated social engineering: impersonation of banks and law enforcement.
- Emerging AI Threat – "Hash Jack":
  - Cato Networks uncovered a prompt injection vulnerability in AI browser assistants (Perplexity, Copilot for Edge, Gemini for Chrome).
  - Uses the URL fragment (the part after "#", which browsers never send to the server) to inject malicious prompts, so server-side controls do not see the payload.
  - Vendor responses vary; the Chrome assistant had yet to be fully mitigated.
- UK Local Government Attacks:
  - Disruptive attacks on three London councils; the incidents are connected and the investigation is ongoing.
- Russia–North Korea Collaboration:
  - Evidence of Gamaredon (Russia) and Lazarus Group (North Korea) sharing infrastructure for malware delivery.
  - "Probable infrastructure reuse with moderate confidence of operational collaboration."
    – Gen Threat Labs, cited by Maria Varmazis [07:15]
- Canon Subsidiary Breach:
  - Attack exploited an Oracle E-Business Suite flaw.
  - No leaked data reported by the Clop gang.
3. Feature Interview: Deep Dive on Akira Ransomware
Guest: Cynthia Kaiser, SVP of the Ransomware Research Institute at Halcyon
[11:55 – 22:39]
Akira’s Speed and Tactics
- "It's really one of the most aggressive ransomware actors that we're tracking, and that's saying something, right, among all these people who are really the lowest of the low. But I think one of the most important things to know about Akira is it's all about speed with them."
  – Cynthia Kaiser [12:12]
- Notable Technique:
  - Encrypts only a small percentage of files to maximize speed.
- Tactics:
  - Fast spread across networks (minutes to affect more than 100 systems).
  - Targets high-access systems first, especially hypervisors in virtualized environments.
Initial Access & Stealth
- Attack Vectors:
  - Exploitation of SonicWall vulnerabilities; use of compromised credentials.
  - Creation of admin accounts for stealthy operations.
  - Early detection at the SonicWall appliance is crucial.
- "Living off the Land":
  - Uses existing system tools, DLL sideloading, and remote access tools (e.g., AnyDesk).
  - Relies on credential creation to blend in as typical users.
Targets & Business Model
- Sectors hardest hit: manufacturing, business services, construction (but also retail, IT, education, finance).
- "If you look at where they've claimed to have done attacks... it's about 60 attacks just in November alone. That's a crazy amount. And so really, you have to think about everybody is being targeted."
  – Cynthia Kaiser [16:33]
- Ransomware-as-a-Service Model:
  - Developers rent out malware to affiliates who carry out attacks, sharing profits.
Integrity & Data Deletion Myths
- Asked whether paying ensures data recovery:
  - "In most cases you receive a decryptor, whether it works on all your files is a different story for Akira itself... But more so, this is a group that also steals data... There has not been a group that I've seen who says they were going to delete the data... that they actually deleted customer data."
    – Cynthia Kaiser [18:53]
- Bottom Line: Paying the ransom doesn't guarantee data deletion, or a decryptor that works on every file.
Recommendations
- Follow FBI/CISA joint advisories:
  - Patch known-exploited vulnerabilities.
  - Use phishing-resistant MFA (not SMS codes).
  - Regularly back up (offline) and test recoveries.
- Defense in Depth:
  - Ensure multiple layers can detect activity, even if the main endpoint security is blinded.
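The "creation of admin accounts for stealthy operations" point from the interview and the defense-in-depth recommendation above are what a detection engineer turns into a correlation rule that does not depend on the endpoint agent. The following Python detector is an added example, not from the episode, Halcyon or any vendor: it reads Windows Security event records and pairs an account-creation event (4720) with the same account being added to the local Administrators group (4732) on the same host within a short window, and separately flags any account creation performed by a principal outside an assumed approved provisioning list. The newline-delimited JSON export shape, host and account names, and the allowlist are constructed assumptions; the event IDs are the standard Windows ones.

```python
"""Detect newly created accounts that become local administrators.

Added example (not the episode's or Halcyon's code): a correlation rule
over Windows Security event records. Event 4720 ("a user account was
created") followed shortly by event 4732 ("a member was added to a
security-enabled local group") for the same account on the same host,
with the group being Administrators, is the admin-account creation the
interview describes. All sample records below are constructed.
"""
from __future__ import annotations

import json
from datetime import datetime, timedelta

# Constructed sample records (assumption: one JSON object per line, as a
# SIEM or log forwarder might export them). Not real telemetry.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"ts": "2025-11-20T02:14:05Z", "host": "HV-01", "event_id": 4720,
                "subject": "CORP\\svc_backup", "target": "HV-01\\sqlsvc2"}),
    json.dumps({"ts": "2025-11-20T02:14:41Z", "host": "HV-01", "event_id": 4732,
                "subject": "CORP\\svc_backup", "target": "HV-01\\sqlsvc2",
                "group": "Administrators"}),
    json.dumps({"ts": "2025-11-20T09:03:12Z", "host": "WS-117", "event_id": 4720,
                "subject": "CORP\\helpdesk.jane", "target": "WS-117\\intern01"}),
    json.dumps({"ts": "2025-11-20T09:05:50Z", "host": "WS-117", "event_id": 4732,
                "subject": "CORP\\helpdesk.jane", "target": "WS-117\\intern01",
                "group": "Remote Desktop Users"}),
    json.dumps({"ts": "2025-11-21T22:48:00Z", "host": "FS-02", "event_id": 4732,
                "subject": "CORP\\it.admin", "target": "CORP\\ops.lead",
                "group": "Administrators"}),
])

# Assumed allowlist of principals permitted to create accounts (constructed).
APPROVED_PROVISIONERS = {"CORP\\helpdesk.jane", "CORP\\it.admin"}

TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_events(text: str) -> list[dict]:
    """Parse newline-delimited JSON records and return them sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        record["ts"] = datetime.strptime(record["ts"], TIME_FORMAT)
        events.append(record)
    return sorted(events, key=lambda e: e["ts"])


def find_new_local_admins(events: list[dict],
                          window: timedelta = timedelta(minutes=30)) -> list[dict]:
    """Pair 4720 (account created) with 4732 into Administrators on the same host.

    Only a creation followed by the group addition within `window` fires, so an
    existing account that is promoted (no nearby 4720) is left to other rules.
    """
    created_at: dict[tuple[str, str], datetime] = {}
    alerts = []
    for e in events:
        key = (e["host"], e["target"])
        if e["event_id"] == 4720:
            created_at[key] = e["ts"]
        elif e["event_id"] == 4732 and e.get("group") == "Administrators":
            t0 = created_at.get(key)
            if t0 is not None and e["ts"] - t0 <= window:
                alerts.append({
                    "rule": "new-account-made-local-admin",
                    "host": e["host"],
                    "account": e["target"],
                    "created_by": e["subject"],
                    "seconds_to_admin": int((e["ts"] - t0).total_seconds()),
                })
    return alerts


def find_unapproved_creations(events: list[dict],
                              approved: set[str] = APPROVED_PROVISIONERS) -> list[dict]:
    """Flag 4720 events whose creating principal is not an approved provisioner."""
    return [
        {"rule": "account-created-by-unapproved-principal",
         "host": e["host"], "account": e["target"], "created_by": e["subject"]}
        for e in events
        if e["event_id"] == 4720 and e["subject"] not in approved
    ]


def run(text: str = SAMPLE_EVENTS) -> list[dict]:
    """Run both rules over a log export and return the combined alerts."""
    events = parse_events(text)
    return find_new_local_admins(events) + find_unapproved_creations(events)


if __name__ == "__main__":
    for alert in run():
        print(json.dumps(alert))
```

On the constructed sample the first rule fires once (the HV-01 account promoted 36 seconds after creation) and the second rule fires once (the same account, created by a service principal outside the allowlist); the intern account on WS-117 and the promotion of a pre-existing account on FS-02 are left alone. The point of running this from forwarded security logs rather than from the endpoint agent is exactly the one Kaiser makes: the rule still works when the primary endpoint control is blinded.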
Akira’s Sophistication
- "Akira is very sophisticated. It's incredibly difficult to identify them when they're on a system. Even in the after, when you're doing an incident response, it can be hard to determine how information might have been taken... aggressive, but it's also sophisticated, which is a terrible combination for all of us."
– Cynthia Kaiser [22:01]
4. Brief Headlines
[04:00 – 09:50 and 22:39 – 24:30]
- Campbell's Soup CISO on Leave:
  - Allegations: disparaging (and bizarre) comments about Campbell’s soups, racist remarks.
  - Campbell’s: “The comments on the recording are not only inaccurate, they are patently absurd... the alleged comments are made by an IT person who has nothing to do with how we make our food.”
    – Official company statement, summarized by Maria Varmazis [24:10]
Notable Quotes
- “Cyber operations against space sector organizations are now a routine element of geopolitical escalation.”
  – Maria Varmazis [03:20]
- “It's really one of the most aggressive ransomware actors that we're tracking, and that's saying something, right, among all these people who are really the lowest of the low. But I think one of the most important things to know about Akira is it's all about speed with them.”
  – Cynthia Kaiser [12:12]
- “In most cases you receive a decryptor, whether it works on all your files is a different story for Akira itself... There has not been a group that I've seen who says they were going to delete the data... that they actually deleted customer data.”
  – Cynthia Kaiser [18:53]
- “Akira is very sophisticated. It's incredibly difficult to identify them when they're on a system. Even in the after, when you're doing an incident response, it can be hard to determine how information might have been taken... aggressive, but it's also sophisticated, which is a terrible combination for all of us.”
  – Cynthia Kaiser [22:01]
Important Timestamps
- 02:10 – Hacktivist attacks on the space sector during Gaza war
- 04:30 – Russian & North Korean operational collaboration
- 07:15 – FBI warns of $262M in account takeover scams
- 08:00 – "Hash Jack" AI browser attack vector explained
- 09:15 – London councils’ cyber incidents
- 11:55 – Akira ransomware deep dive (Cynthia Kaiser interview starts)
- 16:33 – Industries targeted by Akira
- 18:53 – Data deletion myth debunked
- 22:01 – Akira's operational sophistication
- 24:10 – Campbell's Soup CISO lawsuit story
Tone & Style
The episode balances urgent, matter-of-fact reporting on emerging cyber threats with an accessible, insightful interview deep-dive into ransomware. Maria Varmazis is clear and concise, with Cynthia Kaiser adding expert color and unsparing analysis on actor motivations and the practical realities of ransomware defense.
Summary
This episode of CyberWire Daily offers a wide-ranging, accessible analysis of how state and activist cyber threats are impacting both novel domains like the space sector and more common targets such as businesses and local governments. The in-depth review of Akira ransomware by Cynthia Kaiser is especially valuable, making clear both the technical and operational sophistication of modern ransomware actors, and emphasizing practical steps that organizations should take to defend themselves. The episode concludes with a lighter, headline-grabbing story involving the Campbell's Soup CISO, underscoring how insider issues can also disrupt the cybersecurity landscape.
