CyberWire Daily - Chinese hackers serve up espionage.
Episode Date: October 8, 2025

Chinese hackers infiltrate a major U.S. law firm. The EU Commission President warns Russia is waging a hybrid war against Europe. Researchers say LoJax is the latest malware from Russia’s Fancy Bear. Salesforce refuses ransom demands. London Police arrest two teens over an alleged ransomware attack on a preschool. Microsoft tightens Windows 11 setup restrictions. SINET and DataTribe spotlight 2025 cybersecurity innovators. On our Industry Voices segment, we are joined by Sean Deuby, Semperis Principal Technologist, discussing identity system security and the growth of the HIP Conference. Employees overshare with ChatGPT.

CyberWire Guest
On our Industry Voices segment, we are joined by Sean Deuby, Semperis Principal Technologist, discussing identity system security and the growth of the HIP Conference, while highlighting some of the keynotes and presentations.

Selected Reading
Chinese Hackers Said to Target U.S. Law Firms (The New York Times)
Russia is at ‘hybrid war’ with Europe, warns EU chief, calling for members ‘to take it very seriously’ (The Record)
What you need to know about “LoJax”, the new, stealthy malware from Fancy Bear (ESET)
Salesforce refuses to pay ransom over widespread data theft attacks (Bleeping Computer)
Teens arrested in London preschool ransomware attack (The Register)
Microsoft kills more Microsoft Account bypasses in Windows 11 (Bleeping Computer)
SINET Announces the 2025 SINET16 Innovator Awards (BusinessWire)
DataTribe Announces Finalists for Eighth Annual Cybersecurity Startup Challenge (DataTribe)
Employees regularly paste company secrets into ChatGPT (The Register)
One-man spam campaign ravages EU ‘chat control’ bill (POLITICO)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the Cyberwire Network, powered by N2K.
And now a word from our sponsor.
The Johns Hopkins University Information Security Institute is seeking qualified applicants
for its innovative Master of Science in Security Informatics degree program.
Study alongside world-class interdisciplinary experts
and gain unparalleled educational research and professional experience in information security and assurance.
Interested U.S. citizens should consider the Department of Defense's Cyber Service Academy program,
which covers tuition, textbooks, and a laptop, as well as providing a $34,000 additional annual stipend.
Apply for the fall 2026 semester and for this scholarship by February 28th.
Learn more at cs.jhu.edu slash MSSI.
Chinese hackers infiltrate a major U.S. law firm.
The EU Commission President warns Russia is waging a hybrid war against Europe.
Researchers say LoJax is the latest malware from Russia's Fancy Bear.
Salesforce refuses ransom demands.
London police arrest two teens over an alleged ransomware attack on a preschool.
Microsoft tightens Windows 11 setup restrictions.
SINET and DataTribe spotlight 2025 cybersecurity innovators.
On our Industry Voices segment, we're joined by Sean Deuby, Semperis principal technologist,
discussing identity system security and the growth of the HIP conference.
And employees overshare with ChatGPT.
It's Wednesday, October 8th, 2025.
I'm Dave Bittner, and this is your Cyberwire Intel briefing.
Thanks for joining us here today.
It's great to have you with us.
Williams & Connolly, one of the United States' top law firms,
disclosed that Chinese hackers infiltrated parts of its computer systems
in a broader campaign targeting U.S. law and tech firms.
The FBI's Washington Field Office is investigating what sources say
may involve more than a dozen victims, the New York Times reports.
The attackers reportedly accessed several attorney email accounts through a zero-day vulnerability,
though the firm says there's no evidence client files or databases were compromised.
Williams & Connolly has engaged cybersecurity firm CrowdStrike and outside counsel
Norton Rose Fulbright to assist in the response.
According to Mandiant, the campaign aligns with a Chinese espionage effort seeking
intelligence on U.S. national security and trade issues.
The firm says the intrusion has been contained.
European Commission President Ursula von der Leyen warned that Russia is waging a hybrid war
against Europe, citing coordinated cyber attacks, sabotage, and provocations across EU member
states.
Speaking before the European Parliament, she pointed to airspace violations by Russian
MiG fighters and drone incursions over critical infrastructure in several EU countries,
describing them as part of a deliberate campaign, quote,
to unsettle our citizens, test our resolve, and weaken our support for Ukraine, end quote.
Von der Leyen said a new pan-European security strategy developed with NATO aims to strengthen rapid
cyber response and protect essential infrastructure.
She urged EU members to leave their comfort zone and confront the threat with unity and deterrence.
She declared every square centimeter of our territory must be protected.
Researchers at ESET have uncovered LoJax, the first known malware found actively
infecting a computer's UEFI firmware, a critical component that controls how a system boots.
Believed to be created by the Russian hacking group Sednit, also known as Fancy Bear or APT28,
LoJax embeds itself in a computer's firmware, allowing it to survive even after a hard drive
replacement or operating system reinstall. This gives attackers deep persistent control over
compromised machines and potential access to network systems and data. ESET named the malware
after LoJack, the legitimate anti-theft tool it abuses. Experts recommend enabling Secure Boot and
updating firmware to block infection. If compromised,
users may need to reflash or replace the motherboard entirely.
Salesforce has confirmed it will not pay ransom demands from the hacking group Scattered LAPSUS$
Hunters, which claims to have stolen nearly one billion records from Salesforce customers.
The attackers launched a data leak site on the BreachForums domain, threatening to publish
stolen data from 39 major companies, including FedEx, Disney, Google, and Marriott.
Salesforce told customers it will not negotiate or pay extortion demands, despite credible intelligence that the hackers plan to leak the data.
London's Metropolitan Police arrested two 17-year-olds on suspicion of computer misuse and blackmail
linked to a ransomware attack on preschool operator Kido International. The attackers, calling themselves the Radiant group,
leaked photos, names, and home addresses of children and parents to extort payment,
later deleting the data after backlash from other criminals.
The arrests follow a September 25th report to the UK's Action Fraud Center.
Police said the case is being treated extremely seriously, and investigations are ongoing.
Microsoft is tightening restrictions on creating local accounts during Windows 11 setup,
removing known methods that let users bypass Microsoft account requirements.
The change introduced in a recent insider preview build
means users will soon need both an Internet connection
and a Microsoft account to complete the out-of-box experience.
Microsoft says bypassing the setup previously caused incomplete configurations
and reduced security.
Earlier this year, the company removed the BypassNRO script
for similar reasons, though a registry workaround still exists, for now.
Microsoft may eliminate that option in future updates to ensure devices are fully configured
and meet modern security standards.
SINET has announced the 2025 SINET16 Innovator Award winners,
recognizing standout startups driving the next wave of cybersecurity innovation,
selected from 193 applicants across 19 countries.
The winners include Bedrock Security, ConductorOne, Oligo Security, Prompt Security, and Simplicity.
Each company was chosen for developing technologies that address modern threats across cloud,
AI, and enterprise systems.
In parallel, DataTribe named five finalists for its 2025 Cybersecurity Startup Challenge,
including Acuity, Citadel, Tensor Machines, Starseer, and Evercoast,
ahead of Cyber Innovation Day on November 4th in Washington, D.C.
Together, these programs spotlight the innovators defining cybersecurity's AI-driven future.
It's likely unsurprising to anyone that employees are getting a little too chatty with ChatGPT.
A new report from LayerX warns that employees are inadvertently exposing sensitive corporate data through ChatGPT and other generative AI tools.
The Enterprise AI and SaaS Data Security Report for 2025 found that 45% of enterprise employees use AI tools,
and 77% of them paste data into chatbot prompts, 22% of which contain personally identifiable or payment card information.
Most of these pastes come from unmanaged personal accounts, leaving companies
blind to data leakage and compliance risks. LayerX says ChatGPT dominates enterprise AI use,
accessed by over 90% of users, while Microsoft Copilot adoption remains below 3%.
The report urges CSOs to enforce single sign-on to maintain visibility and control over AI
data flows. LayerX warns such leaks could create regulatory and geopolitical risks.
Coming up after the break, my conversation with Sean Deuby, principal technologist at Semperis.
We're discussing identity system security and the growth of the HIP conference.
And employees overshare with ChatGPT.
Stick around.
At Thales, they know cyber security can be tough and you can't protect everything, but with Thales, you can secure what matters most.
With Thales's industry-leading platforms, you can protect critical applications, data, and identities
anywhere and at scale with the highest ROI. That's why the most trusted brands and largest banks,
retailers, and healthcare companies in the world rely on Thales to protect what matters most.
Applications, data, and identity. That's Thales. T-H-A-L-E-S. Learn more at thalesgroup.com
slash cyber.
What's your 2am security worry? Is it do I have the right
controls in place. Maybe are my vendors secure? Or the one that really keeps you up at night,
how do I get out from under these old tools and manual processes? That's where Vanta comes in.
Vanta automates the manual work, so you can stop sweating over spreadsheets,
chasing audit evidence, and filling out endless questionnaires. Their trust management platform
continuously monitors your systems, centralizes your data, and simplifies your security at scale.
And it fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit ready all the time.
With Vanta, you get everything you need to move faster, scale confidently, and finally, get back to sleep.
Get started at Vanta.com slash cyber. That's V-A-N-T-A dot com slash cyber.
Sean Deuby is principal technologist at Semperis.
On today's sponsored Industry Voices segment,
we discuss identity system security and the growth of the HIP conference.
Sean, I understand you are in Charleston this week at the HIP conference.
For folks who aren't familiar with that conference,
what is it and what's your involvement there?
Well, it's interesting.
The Hybrid Identity Protection, HIP, conference was
conceived as a vendor-agnostic technical conference designed by identity people for identity people
to help them wade through all the complexities and rapid changes that happen in the modern world
of hybrid identity, more complicated than ever. Our founder of the conference and our CEO,
Mickey Bresman, was really the driving force behind it, even when Semperis was very small,
just a few dozen people. And he recruited several veterans
with experience in a predecessor conference,
such as Gil Kirkpatrick and myself,
to help get the conference off the ground.
That was back in 2017.
So it's been nine years since then,
through COVID and everything else,
which is pretty great.
And not to brag, but I guess I'm bragging,
is that we really get rave reviews about the conference.
Many people have told me personally,
and actually just last week,
it's the best conference they've ever been to.
So it doesn't get much better than that.
No, no.
Well, hats off to you and your colleagues there.
What sort of growth have you seen over the years?
Well, originally, the first one was in World Trade Center 7 in 2017
and probably had 30 people in it, something like that.
And this year, we're in the low hundreds, less than 500, but more than about 300.
I'm not exactly sure what the number is.
So quite a bit, and the professionalism and the organization of our teams and all that is just grown by leaps and bounds.
I'm actually going to be recording podcasts on Monday before the conference of individuals presenting at the conference for my HIP podcast as well, which is paired with the conference.
Well, I know one of the key elements of the conference are these Operation Blindspot tabletop exercises.
Could you explain what that's all about?
Sure. Blindspot tabletops are disaster recovery, crisis management tabletops, and we hold
them throughout the year. And the point, of course, behind them is that they expose the blind spots
that can hinder efficient cyber response. I actually led the red team at the previous Blindspot
exercise at Black Hat in August. In addition to the Blindspot exercises we're doing at HIP this
week, we're organizing an upcoming event at GovWare in Singapore on October 21st and at Microsoft
Ignite in San Francisco on November 19th.
Well, in your estimation, if a random organization
got hit by a cyber attack, how prepared would they be? If they had a well-tested cyber crisis
preparedness plan, would they be prepared or would they still find themselves scrambling a bit?
Well, we've actually published some research on this earlier this year, and what the research has told us is that, somewhat surprisingly, is that more than 95% of organizations have a cyber crisis plan, but also 90% report that roadblocks hamper efficient response because of the gaps in communications across most organizations.
And this jibes very well with what I hear from incident response professionals.
In our research, we found that these communication gaps between the key stakeholders lead to slower responses.
And as I said, in talking to cyber response technical individuals, they find that they often have had to sit on their hands while communication issues are resolved and leadership order and who
makes decisions for what are figured out. So it's very much people, process, and technology, with
oftentimes people being the thing that is slower than anything else. The report that we published
earlier this year, you can find it on our website if you search for State of Enterprise Cyber Crisis
Readiness.
Well, in your estimation, from your experience, how realistic
should these tabletop exercises be for defenders?
I mean, should they be disruptive?
Well, so much of, as I go back to people's, the people part of people process and technologies,
so much of these exercises, it's human nature that you don't want to fail in an exercise,
especially when management is probably watching.
But the whole point of a good tabletop is to expose weak points in your response plan,
to expose potential failures.
So they should be more than routine.
They should be more than just check-the-box exercises.
Check-the-box exercises
provide little value.
And in my estimation, they can be dangerous
because the participants walk away
thinking that their organization is more prepared
than it really is.
So the exercise should show messy realities,
expose them, like incomplete communication chains.
Oh, we can't get a hold of
Jim Bob, because he's on vacation and he's the only person that has access to these plans,
or unclear decision authority where your decision, your leadership of your organization
ends up being political infighting to make very important, very potentially disruptive decisions
and make them as quickly as possible, or the one that we all think about, technical gaps.
Instead, what happens with polished and safe tabletops, where you follow the happy path
and you make the assumption that a lot of things are working in your infrastructure, is that it reinforces the illusion that we've got this.
Oh, I think we're pretty good.
These polished tabletops often discourage adaptive thinking, which in my conversations, again, with incident response people,
in my podcast last week, I did a recording.
My guest was the top incident response person for Cohesity, Jonathan Mayer.
And he specifically called out adaptive thinking as an important trait in incident response.
Because in a real incident, things are chaotic.
They're confusing.
And oftentimes, things have happened that have never happened before.
because, remember, you've got real human beings on the other side, and, A, they're not dumb.
B, they do this sort of thing all the time, and you do it only every once in a while, maybe.
They will make moves and countermoves that you probably haven't thought of, probably haven't seen before.
So that's what you have to practice for.
If a tabletop's overly structured or sanitized, it doesn't force either the leaders or the responders to think on their feet.
adapt to incomplete information or make decisions when you have uncertainty all around you.
Instead, they just play along with the script, and so they can check it off,
but they haven't necessarily improved their defenses or their response at all.
You touched on the potential for failure.
I mean, is there value in going full Kobayashi Maru,
full Star Trek, on some of these folks, where there is no way to
succeed? Well, it's interesting. At the tabletop that we
did at Black Hat, as I said, I was leading the red team and I had
an ace in the hole. I had Marcus Hutchins, who is the famous cybersecurity figure, on
my team. And we ended up not quite Kobayashi Maru, but a standoff
between the blue team and the red team,
but it made for some pretty hair-raising moments
as we sparred back and forth aggressively.
So yes, sometimes, yeah, sometimes that's how you learn.
You learn by failure and then doing what you can,
and if you can't fix it,
then at least you're aware that that is a weak point.
I won't burden you with any quotes from Sun Tzu,
but that's absolutely what this is all about.
Well, going back to the HIP conference,
I understand that you had world-renowned cyberpsychologist
Professor Mary Aiken as your keynote speaker yesterday at the conference.
What was the talk about?
I thought that this was very interesting because, first off,
she's a great speaker,
but she spoke about something fairly unique
in my experience, which is the intersection of technology and human behavior.
So she is a world expert in what's called cyberpsychology.
And what she talked about was hybrid identity environments, where technology fits, where human behavior fits.
So we think about the technology all the time with the human dimension, how users,
perceive authentication systems, how they trust them, and how they interact with them,
remains the most exploited and least understood aspect of cyber defense.
I mean, we've all been through phishing exercises, and we know how well those succeed or don't
succeed, and yet responses or studies show again and again that it doesn't affect
the click-through rate on phishing attacks very much
because there's all of this human aspect to it
that is not fully understood.
So in our keynote,
she examined the cyber psychological challenges
of securing hybrid identity
and the complexities of it coming on
in this world of AI-driven threats.
So you have nation-state actors and cybercriminals
increasingly using AI and machine learning
to deliver hyper-focused, hyper-personalized phishing
and advanced social engineering attacks.
And they succeed not just because they're technically sophisticated,
they succeed also because they exploit human frailty
within identity workflows to trick us into doing things
we otherwise know better than to do.
As identity professionals, we talk about something called anti-patterns
where you have seen some kind of a dialogue pop up so many times
you just end up clicking, yeah, okay, okay, okay, okay, okay.
We say, you know, I had a friend that described it as spouse mode answers.
Okay, okay, yes, yes, okay, okay.
It's like dealing with a toddler.
Right, right, exactly.
And you may have just clicked through into phishing
because you're so used to those workflows.
So Mary delved into that more deeply.
Well, I understand also coming up, you've got Jen Easterly and Chris Inglis.
Can you give us a little preview of what you're expecting from them?
Yeah, I'm very much looking forward to both of these keynotes.
I've not met Jen Easterly, and I look forward to meeting her in person.
Her keynote is set up as a fireside chat, and it's about cyber resilience and lessons she's learned in her career.
and the challenges ahead.
The title of it is,
Cyber Resilience,
Yesterday's Lessons, Tomorrow's Challenges.
She's planning, as I understand it,
to discuss the toughest cyber incident
she dealt with as CISA director
and how leaders can avoid
fatigue and motivate their teams
where the biggest threats will be coming
over the next five years
and the role that AI, once again,
will play in both cyber threats
and defense. Now, Chris Inglis, who's former U.S. National Cyber Director, is
keynoting on Thursday morning. And the title of his keynote is
The Evolving Battlefield: Cyber Resilience in the Age of Innovation. It's about how the global
reliance on a distributed digital infrastructure, is what we all rely on now, has created
both unprecedented opportunities and dangerous vulnerabilities as traditional forces that controlled
the way we do things lose their power and transformative technologies like AI and nationalism
and fragmented regulation change the world almost on a daily basis.
He says that success requires adaptation and a leading and resilience mindset.
to thrive in the middle of all this ongoing instability and accelerating change.
I've been fortunate enough to spend a little time with Chris,
and he's absolutely someone that if he's talking,
I'm going out of my way to make sure that I'm listening.
Yeah.
It's quite a lineup that you all have here for the conference.
Before I let you go, I'd be remiss to not ask you about AI.
Can we talk a little bit about AI and velocity?
You know, how do organizations need to evolve faced with these challenges of AI?
My guess is the pace we used to operate at is insufficient.
And as if the pace that we were operating at wasn't hairy enough as it is, right?
That's right. That's right.
Yeah, more faster all the time and more sophisticated to AI.
I mean, look, we're using it for good right now.
And the threat actors are equally using it.
If you think about our use of AI and how it's changing,
have you, six months ago, had you ever heard of the term vibe coding before?
No.
And now it's sort of becoming part of the vernacular, at least in our industry,
it's becoming part of the vernacular.
Yeah, I don't have a solid answer for you on this.
I have to tell you because I don't think it's easy to tell what we have
front of us because I'm not sure anyone knows what's in front of us. We can make predictions,
but at this rate of change, who knows what next week is going to bring us? Certainly, if you
follow the newsfeeds as you do as a professional, you're seeing more rapid
changes all the time in ways that you had never thought about before. What was one that just
came about? Oh, so threat actors, this is not specifically related to AI, but as things
continue to change threat actors are now targeting HVAC systems in hospitals, because if you hit
the HVAC systems, they can't operate. So that's turned out to be a critical piece that the bad
guys have found. And then, of course, if you look back on it and you go, well, of course,
but a year ago, we thought about that in terms of health care attacks.
Yeah. Well, Sean, thank you for taking the time for us here today. And
good luck with the rest of the HIP conference. I hope it all goes well for you.
Thank you. It'll be a very busy week to be sure.
That's Sean Deuby, principal technologist with Semperis.
With Amex Platinum, access to exclusive Amex pre-sale tickets can score you a spot trackside,
for life turns into the trip of a lifetime. That's the powerful backing of Amex.
Pre-sale tickets for future events subject to availability and vary by race.
Terms and conditions apply. Learn more at amex.ca slash yamex.
And finally, a Danish software
engineer named Joachim built
a simple website one weekend
in August and accidentally
gave the European Union a migraine.
His creation
Fight Chat Control, lets visitors fire off pre-written protest emails to lawmakers
opposing an EU bill meant to combat child sexual abuse material online.
Privacy advocates call the measure a threat to encryption.
Politicians now just call it, that thing flooding my inbox.
More than 2.5 million people have visited the site,
reportedly triggering millions of emails and paralyzing inboxes across Brussels.
Diplomats complain it's not a dialogue, while Joachim insists it's democracy, just faster and louder.
The campaign has stirred national debates, clogged parliamentary servers, and made one thing clear.
In Europe, even a lone coder can jam the machinery of policy with enough public outrage and a send button.
And that's The CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
A quick note before we wrap up, today is the last day to vote in the SANS Difference Makers Award
in the Media Creator of the Year category, which I have been inexplicably nominated for.
I'm honored to be recognized and would appreciate your support.
You'll find the link to vote in our show notes,
and like I said, voting is open through the end of today.
Thanks for listening and being part of the N2K Cyberwire community.
N2K's senior producer is Alice Carruth.
Our Cyberwire producer is Liz Stokes.
We're mixed by Trey Hester with original music by Elliot Peltzman.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
building trust into tomorrow's digital world.
Kick off the day with unfiltered insights and panels on securing tomorrow's technology.
In the afternoon, the 8th annual DataTribe Challenge takes center stage
as elite startups pitch for exposure, acceleration, and funding.
The Innovation Expo runs all day, connecting founders, investors, and researchers
around breakthroughs in cybersecurity.
It all happens November 4th in Washington, D.C.
Discover the startups building the future of cyber.
Learn more at cid.datatribe.com.
