America's Government Accountability Office says the Pentagon employs more than 70,000 cyber personnel. Hackers steal SonicWall firewall configs, DeepSeek returns insecure code for groups that China doesn't like, and two Scattered Spider members are arrested in the UK. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Amberly Jackson. Today is September 19th, and this podcast episode is brought to you by application allowlisting software maker Airlock Digital.

A US Government Accountability Office investigation has found that the Pentagon employs more than 70,000 people in cybersecurity and cyberspace operation roles. The report says the cyber workforce is spread across 500 organisations and includes 61,000 military and civilian personnel and 9,500 temporary contractors. The report found that many military organisations provide overlapping services and could allow room for cost cutting. The GAO report is the first full review of US cyber personnel and capabilities.

A DHS office leaked unclassified data for two months in 2023. The leak occurred due to a misconfiguration in a platform managed by the DHS Office of Intelligence and Analysis. The office collects surveillance data to share with other US law enforcement agencies. The misconfiguration exposed investigative leads to thousands of users who were not authorised to view them.

US Immigration and Customs Enforcement has signed a $3 million contract with Magnet Forensics. The company merged with Grayshift in 2023 and makes the GrayKey tool, which can forcibly unlock phones and extract user data. ICE also recently signed a $10 million contract with facial recognition company Clearview AI and reactivated a contract with Israeli spyware and surveillance maker Paragon Solutions.

Brazil has passed a new data protection law similar to the UK Online Safety Act. The Digital ECA will require companies to limit children's access to sexual and violent content by introducing age verification checks. It also requires tech companies to introduce parental control systems. All platforms are banned from using a child's data for targeted advertising.

The Moldovan government is establishing an agency to counter disinformation. StratCom will have 29 employees and will begin operating within a month. Plans to establish the centre were announced in 2023. It will launch days after Moldova holds its parliamentary elections on September 28.

Recent research has shown that DeepSeek AI returns code with security flaws to coders that are working for groups deemed sensitive by China. According to the Washington Post, programmers from Tibet and Taiwan received code of lower quality. DeepSeek also refused requests if queries suggested that code would be used by the Islamic State or the Falun Gong movement.

Hackers have accessed backups of firewall configuration files stored on the MySonicWall cloud service. SonicWall is notifying customers and asking them to reset firewall credentials. Less than 5% of the company's firewalls are affected. The attacker allegedly used a brute force attack to break into the accounts and steal the backup config files.

The World Leaks data extortion crew has leaked patient data from an emergency medical transportation company. Survival Flight was hacked in July and almost 11,000 patients were impacted. The company provides rapid response medical air transportation services in the US. According to DataBreaches.net, this is the company's second hack in less than a year.

Two teenage members of the Scattered Spider hacking group have been arrested in the UK. 19-year-old Thalha Jubair and 18-year-old Owen Flowers were arrested at their homes on Tuesday. They were accused of hacking Transport for London, the city's public transportation agency, back in August last year. Jubair has also been charged in the US for the hacks of 47 American companies and extorting ransoms of at least $115m.

A former UK Labour councillor has been charged with blackmail after an investigation into the Westminster honey trap scandal in 2023. Oliver Stedman allegedly posed as a woman and sent flirtatious WhatsApp messages and explicit images to 12 individuals. Five of those were UK politicians. The incident was initially believed to be the work of foreign hackers. Stedman was arrested in April 2024. This week he was charged with blackmail and improper use of a public phone network. He resigned from his position shortly after the arrest.

A supply chain attack that deployed a worm on the npm repository has now reached more than 500 packages. Attackers steal access tokens and upload them to public GitHub repositories. The worm only runs on macOS and Linux systems. Security firm UpGuard has identified at least 17 major companies impacted by the token thefts. The worm has been linked to the same group that carried out a previous npm supply chain attack known as Singularity.

The SystemBC malware botnet is infecting new devices after its servers were seized by Europol last year. According to Lumen, the botnet is now targeting virtual private servers instead of home consumers. Access to the hacked servers is being rented to multiple proxy network operators.

A large number of current router models are still vulnerable to a 10-year-old Wi-Fi attack. The Pixie Dust attack allows threat actors to recover router WPS PINs and access their Wi-Fi networks. A NetRise study of 24 current routers found that 20 of them were still vulnerable.

Google has patched an actively exploited Chrome zero-day. It is a vulnerability in Chrome's V8 JavaScript engine and was discovered by one of Google's internal security teams. It is the sixth Chrome zero-day to be patched this year.

Threat actors are exploiting a vulnerability in a WordPress plugin. The Case Theme User plugin is bundled with multiple commercial WordPress themes. The vulnerability allows remote attackers to access any account on a site as long as they know a user's email address. According to Wordfence, the plugin is installed on more than 12,000 websites. Exploitation began at the end of August.

And finally, three major EDR vendors have pulled out of evaluations for the MITRE ATT&CK framework. The evaluations check if the EDRs detect common TTPs that are used in the real world by known threat actors. SentinelOne and Palo Alto Networks pulled out last week, while Microsoft left in June.

That's all for this podcast edition. Today's show was brought to you by our sponsor, Airlock Digital. Find them at airlockdigital.com. Thanks for your company.
Podcast: Risky Bulletin
Date: September 19, 2025
Host: Amberly Jackson (prepared by Catalin Cimpanu)
This episode delivers concise yet detailed updates on the latest developments in cybersecurity. Key stories include a major US Government Accountability Office (GAO) review revealing the Pentagon’s vast cyber workforce, critical vulnerabilities and breaches across public and private sectors, surveillance contracts, notable cybercrime arrests, and new regulations. The tone remains factual and analytical, with a focus on the implications for both the industry and the public.
DHS Data Leak: Due to a platform misconfiguration, the Department of Homeland Security’s Office of Intelligence and Analysis exposed unclassified investigative leads for two months in 2023. Thousands of unauthorized users accessed the data. (01:00)
ICE Forensics and Surveillance Contracts: US Immigration and Customs Enforcement signed a $3 million contract with Magnet Forensics (maker of the GrayKey phone-unlocking tool), a $10 million contract with facial recognition firm Clearview AI, and reactivated a contract with spyware maker Paragon Solutions.
DeepSeek AI Bias: Research reveals that DeepSeek AI delivers insecure code to programmers from groups “deemed sensitive by China” (e.g., Tibet and Taiwan), while refusing code for queries linked to groups like Falun Gong or ISIS. (01:54)
SonicWall Firewall Breach: Hackers conducted a brute-force attack, stealing firewall config backups from <5% of SonicWall devices via the MySonicWall cloud. (02:27)
Survival Flight Breach: Data Extortion Crew leaked information on nearly 11,000 emergency medical transport patients; the firm was compromised twice in under a year. (02:50)
Scattered Spider Arrests: UK police arrested two teenage members, Thalha Jubair (19) and Owen Flowers (18), for hacking London’s transit authority; Jubair is also charged in the US over hacks of 47 American companies.
Westminster ‘Honey Trap’ Scandal: Ex-councillor Oliver Stedman charged with blackmail after impersonating a woman to target politicians; originally suspected as a foreign operation. (03:55)
npm Worm Supply Chain Attack: Over 500 npm packages compromised, with stolen access tokens uploaded to public GitHub repositories. The worm runs only on macOS and Linux and is linked to the earlier Singularity attack. UpGuard identified at least 17 major affected companies. (04:35)
SystemBC Botnet: Active again after last year’s Europol takedown, now targeting virtual private servers instead of home users. Access is rented to proxy network operators. (05:00)
Router Vulnerabilities: 10-year-old “Pixie Dust” WiFi attack still affects 20 out of 24 current routers per NetRise. Allows attackers to recover WPS PINs and access networks. (05:25)
Google Chrome Zero-Day: Actively exploited flaw in V8 JavaScript engine, patched as the sixth Chrome Zero-Day this year. (05:47)
WordPress Plugin Exploit: Serious vulnerability in "Case Theme User" plugin, bundled with multiple commercial themes; allows account hijacks knowing only a user’s email. Over 12,000 sites at risk. (06:05)
On Pentagon’s cyber headcount and inefficiencies:
"The report found that many military organisations provide overlapping services and could allow room for cost cutting." — Amberly Jackson (00:35)
On DeepSeek AI's selective vulnerabilities:
"DeepSeek AI returns code with security flaws to coders that are working for groups deemed sensitive by China." — Amberly Jackson (01:55)
On Scattered Spider charges:
"Jubair has also been charged in the US for the hacks of 47 American companies and extorting ransoms of at least $115m." — Amberly Jackson (03:40)
This episode delivers a dense rundown of cybersecurity news spanning government operations, major hacks, regulatory progress, persistent vulnerabilities, and industry shifts. The Risky Biz team keeps the tone brisk, professional, and insightful, providing listeners with actionable awareness of the key risks and developments in the field.