A (4:59)

Federal prosecutors say a Houston business owner illegally moved at least $160 million in restricted Nvidia AI chips to China. The Justice Department says Allen Ho Hsu pleaded guilty to smuggling H100 and H200 GPUs by falsifying shipping documents and routing more than $50 million in payments from China to fund the operation. Authorities tied Hsu and his company to Operation Gatekeeper, a broader crackdown that also led to arrests of two additional suspects accused of using straw buyers, fake labels and misclassified paperwork to secretly ship GPUs to China and Hong Kong.

A (5:44)

Unrelated US prosecutors have charged Ukrainian national Victoria Dubronova for allegedly supporting Russian state backed hacktivist groups behind cyber attacks on critical infrastructure, including US Water systems, election systems and nuclear entities. She faces separate indictments tied to Noname, O5 716 and Cyber army of Russia Reborn and has pleaded not guilty in both cases. The indictments say Noname operated a state sanctioned DDoS effort using its DDoSia tool while CAR, the cyber army of Russia Reborn, founded and directed by Russia's gru, claimed hundreds of attacks worldwide. Prosecutors say Carr damaged US Drinking water systems, triggered an ammonia leak at a Los Angeles facility and targeted nuclear and election systems. Federal prosecutors have charged Atlanta activist Samuel Tunick for allegedly deleting data from a Google Pixel phone before a Customs and Border Protection officer could search it. Court records say Tunick intentionally wiped the device on January 24th to prevent the government from taking it into custody. The indictment was filed in November and he was arrested earlier this month. The search was to be carried out by a CBP Tactical Terrorism Response Team officer, a unit civil liberties groups describe as secretive and aggressive in targeting and detaining travelers. Tunic has since been released with travel restrictions. As the case continues, charges tied specifically to wiping a phone are uncommon, raising questions about device searches at US Ports of entry.

A (7:33)

The power sector's rapid digital transformation is boosting efficiency, yet cyberattacks are growing faster than utilities can respond. Schneider Electric's Srubronil Roy says grid threats have more than doubled in two years, creating real risk of large scale disruption. A global data survey shows uneven readiness. Only 36% of respondents fully implement and regularly test cybersecurity measures, while others report partial adoption, stalled plans or no plans at all. Professionals cite supply chain exposure as the sector's weakest point, followed by risks across smart meters, IT and OT systems, and human errors. Experts warn that software dependencies, IT OT convergence and emerging AI driven attacks are widening the attack surface.

A (8:29)

Researchers say a new phishing kit called Spiderman is spreading on the dark web and making it simple for low skill attackers to mimic European banks and crypto platforms. Varonis reports that the full stack kit lets operators clone login pages for dozens of institutions and launch broad cross country campaigns. Campaigns targets include Deutsche Bank, Commerce Bank, ING and Kaikse bank, along with crypto wallets. The sellers community has about 750 members suggesting active use. The kit collects victims credentials in real time and can request more data such as credit card numbers and one time security codes enabling full account takeover. Built in geo blocking and filters help the phishing pages evade detection. Researchers expect real time code interception to accelerate financial fraud. Across Europe.

A (9:28)

Two US healthcare organizations are notifying about 520,000 people that their sensitive information was exposed in separate hacking incidents. Vitus Hospice Services reported that an unauthorized party compromised a vendor account and accessed its systems between late September and late October, affecting more than 319,000 individuals. Exposed data may include personal details, medical information and insurance records. Tricentury Eye Care reported a separate intrusion impacting 200,000 people after an unknown actor accessed its network and obtained files containing personal and health information. Both organizations say they strengthened security and informed regulators and law enforcement. These breaches show how vendor access and network intrusions continue to expose large volumes of protected health information.

A (10:34)

Coming up after the break, Dick o' Brien from Symantec in carbon Black Super Threat Hunter Team discusses a major campaign that lures targets with fake party invites. And the Pentagon unveils a killer chatbot. Stay with us.

A (11:01)

Most environments trust far more than they should, and attackers know it. ThreatLocker solves that by enforcing default deny at the point of execution. With ThreatLocker allow listing, you stop unknown executables cold. With ring fencing, you control how trusted applications behave. And with ThreatLocker, DAC defense against configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero trust principles without the operational pain. Its powerful protection that gives CISOs real visibility, real control, and real peace of mind. ThreatLocker makes zero trust attainable even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source, and regain control over their environments. Schedule your demo@threatlocker.com n2k today.

A (12:02)

Foreign.

A (12:10)

Is transforming every industry, but it's also creating new risks that traditional frameworks can't keep up with. Assessments today are fragmented, overlapping, and often specific to industries, geographies or regulations. That's why Black kite created the BKGA3AI assessment framework to give cybersecurity and risk teams a unified, evolving standard for measuring AI risk across their own organizations and their vendors. AI use. It's global, research driven, built to evolve with the threat landscape, and free to use because Black Kite is committed to strengthening the entire cybersecurity community. Learn more@blackkite.com.

A (13:06)

Dick o' Brien is Principal Intelligence Analyst from Symantec and Carbon Black's Threat Hunter team. Today we're discussing a major campaign that lures targets with fake party invites. Is there anything in particular that makes this campaign stand out from typical holiday themed fishing?

B (13:25)

There's a couple of things that are noteworthy.

B (13:30)

You mentioned typical holiday themed fishing, but this is something that we used to see a lot of going back maybe a decade or so, and not just holidays, but big events like the Olympics or the soccer World cup and things like that. We would always see fishing campaigns built around current events, and it's kind of died off. So it's unusual or interesting to see attackers take up this tactic again in the meantime. More recently, they've usually kind of masqueraded their emails as routine correspondence, the kind of stuff that crops up in everybody's inboxes. So receipts, invoices, letters from the tax authorities, meeting invites. So it's interesting to see the revival of this tactic. And maybe it's a case of there's at least one group of attackers who think that people are no longer familiar with this type of lure anymore and that maybe it's worth trying again.

A (14:32)

It's hard to ponder the thought of a generational cycle with these sorts of things, right?

B (14:39)

It doesn't seem that long ago, no.

A (14:41)

Well, walk us through the lore itself. How are these things crafted?

B (14:45)

They're fairly simple. Emails.

B (14:48)

Like I mentioned the kind of the subjects. So the emails are usually structured with fairly terse text. And the main goal is to get you to click on a link in the email to find out more, to download the document or get the invite or whatever. And that's when the party starts. From the attacker's perspective, it initiates an attack chain where a malicious installer is downloaded, and then that in turn is then used to download further tools onto the victim's computer.

A (15:27)

Well, the research mentions the use of legitimate remote management tools. Can you take us through that part of it?

B (15:33)

Yeah. These tools, they've really become a thing among attackers. And once you start to look under the hood a little bit, you can see why.

B (15:45)

They have a lot of legitimate use cases. They're used by organizations to manage the software that's on their network, like roll out new software or roll out updates to existing soft. But from an attacker perspective, they're effectively a backdoor. And once you get this installed on a computer, you can then install additional tools, some of them malicious. You can exfiltrate data and.

B (16:16)

There'S encrypted communications between the client and the server, so you can't really see what's being taken out of the network and sent back to the attackers.

A (16:27)

So what are the operators here after? What are they going for?

B (16:31)

We don't know for sure.

B (16:35)

I guess the general goal of the attack is to establish a foothold on the compromised computer and achieve a little bit of persistence. So they try and install defensive agent tools. They will.

B (16:54)

Put in credential stealing tools, and also some tools, simple tools that try to hide their malicious activities, such as a utility that will hide the mouse cursor. And the end goal of these attacks isn't clear, but we think the most likely motivation is that they are essentially access brokers, as they're known, and then they will sell on compromised computers to other attackers who will use them for further exploitation. It might be ransomware. It might be some other kind of malware.

A (17:30)

Well, with the visibility that you have, are they targeting any specific industries or organization types, or is it more scattershot?

B (17:38)

This is scattershot. These guys, they're casting a wide net, and then in the hope that they will turn over some interesting victims. So if they manage to compromise computer on a relatively large organization, that would be of interest to ransomware attackers, for example, and they may sell access to that organization to those attackers.

A (18:03)

How do you suppose teams should think about risk during this holiday season? You know, our inboxes are full of legitimate RSVP's and invites.

B (18:13)

Yeah, I mean, it's a timely reminder, you know, not to just believe everything that you see.

B (18:21)

And I know we all get a lot of email these days, but it is always worth the time to scrutinize what's in your inbox. And don't just blindly click on things or open attachments. You know, try and kind of think about, why am I receiving this email? Should I be receiving this email? Is it related to, you know, anything I'm doing? Is it from somebody I know?

A (18:48)

Well, for organizations who rely on these remote monitoring and management platforms for legitimate work, do you have any recommendations for practical steps they can do to, to reduce this sort of abuse?

B (19:01)

Yes, I would really audit what software is running on your network and anything that is not a sanction tool within your organization should be gone. So the, you know, most organizations would only use one of these tools if they use any of them at all. But this attack campaign, they're installing multiple RMN tools on compromised computers. So that's a real telltale sign of those two or three installed on a single machine. But yeah, keep a close eye on what's running on your network and anything that shouldn't be there, move fast.

A (19:44)

Yeah, you all mentioned that sometimes they're rotating through multiple tools.

B (19:50)

Yeah, I mean, this is, I guess, the thing that drew our attention to this attack campaign. It's quite a new, it's a new tactic for us at least. Usually they would, you know, we see attackers install one RMM tool, but they're installing multiple ORMM tools. And what's even more curious is that they're installing them at intervals. So there will be an initial compromise and then a couple of weeks later they'll come back and install another ormm. And then, you know, maybe three or four weeks later, another one will appear. And that's, that's interesting to see. It's not something we've seen before, and we're not sure exactly why they're doing it. I mean, one hypothesis we had is that they're using trial licenses for all of these tools, and when the trial license expires, they launch another. But I think probably the.

B (20:49)

The most likely explanation is that they're trying to create some kind of level of redundancy. So if one is detected and deleted, they're going to have something to fall back on, so they're going to have a longer presence on the network. They're hedging their bets.

A (21:05)

That's Dick o' Brien from Symantec and Carbon Black's Threat Hunter team.

A (21:27)

And finally, Secretary of War Pete Hegseth introduced Genai Mil with the solemn gravitas usually reserved for unveiling a new missile system. Though the platform appears to be a glorified Google Gemini chatbot that mostly rearranges spreadsheets in classic fashion, Hegseth framed office automation as an existential race for global dominance, assuring the public that formatting documents at unprecedented speed will somehow make the US Military more lethal than ever. Under Secretary Emil Michael followed up with his own sermon on Manifest Destiny, suggesting God himself wants federal workers to have AI autocomplete. The Pentagon insists the system is reliable because it's grounded in Google search, which is bold given Google's recent habit of confidently ingesting and regurgitating nonsense. Officials promise 3 million users will soon have access, though the site immediately went down, perhaps the first recorded instance of a battlefield AI retreating before it ever deployed.

B (22:44)

Foreign.

A (22:57)

That's the Cyber Wire. For links to all of today's stories, check out our daily briefing@thecyberwire.com we'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you as a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com N2K's senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Keltzman. Our executive producer is Jennifer Iban. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.