CyberWire Daily - Cyber defenders pulled into deportation duty.

Episode Date: October 9, 2025

DHS reassigns cyber staff to immigration duties. A massive DDoS attack disrupts several major gaming platforms. Discord refuses ransom after a third-party support system breach. Researchers examine Chaos ransomware and creative log-poisoning web intrusions. The FCC reconsiders its telecom data breach disclosure rule. Experts warn of teen recruitment in pro-Russian hacking operations. Ukraine’s parliament approves the establishment of Cyber Forces. Troy Hunt criticizes data breach injunctions as empty gestures. Our guest is Sarah Graham from the Atlantic Council’s Cyber Statecraft Initiative (CSI) discussing their report, "Mythical Beasts: Diving into the depths of the global spyware market." And, Spy Dog’s secret site goes off leash.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Sarah Graham from the Atlantic Council’s Cyber Statecraft Initiative (CSI) discussing their work and findings on "Mythical Beasts: Diving into the depths of the global spyware market."
Selected Reading
Homeland Security Cyber Personnel Reassigned to Jobs in Trump’s Deportation Push (Bloomberg)
Massive DDoS Attack Knocks Out Steam, Riot, and Other Services (Windows Report)
Hackers claim Discord breach exposed data of 5.5 million users (Bleeping Computer)
The Evolution of Chaos Ransomware: Faster, Smarter, and More Dangerous (FortiGuard Labs)
The Crown Prince, Nezha: A New Tool Favored by China-Nexus Threat Actors (Huntress)
Court Pauses FCC Data Breach Rules as Agency Takes New Look | Regulation (Cablefax)
Arrests Underscore Fears of Teen Cyberespionage Recruitment (Data Breach Today)
Ukraine's parliament backs creation of cyber forces in first reading (The Kyiv Independent)
Troy Hunt: Court Injunctions are the Thoughts and Prayers of Data Breach Response (Troy Hunt)
Spy Dog: Children's books pulled over explicit weblink (BBC News)

Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the Cyberwire Network, powered by N2K. And now a word from our sponsor. The Johns Hopkins University Information Security Institute is seeking qualified applicants for its innovative Master of Science in Security Informatics degree program. Study alongside world-class interdisciplinary experts and gain unparalleled educational research and professional experience in information security and assurance. Interested U.S. citizens should consider the Department of Defense's Cyber Service Academy program, which covers tuition, textbooks, and a laptop, as well as providing a $34,000 additional annual stipend.
Starting point is 00:00:51 Apply for the fall 2026 semester and for this scholarship by February 28th. Learn more at cs.jhu.edu slash MSSI. Discord refuses ransom after a third-party support system breach. Researchers examine Chaos ransomware and creative log-poisoning web intrusions. The FCC reconsiders its telecom data breach disclosure rule. Experts warn of teen recruitment in pro-Russian hacking operations. Ukraine's parliament approves the establishment of cyber forces.
Starting point is 00:01:52 Troy Hunt criticizes data breach injunctions as empty gestures. Our guest today is Sarah Graham from the Atlantic Council's Cyber Statecraft Initiative discussing their report, Mythical Beasts: Diving into the depths of the global spyware market. And Spy Dog's secret site goes off leash. Today is Thursday, October 9, 2025. I'm Maria Varmazis, and this is your CyberWire Intel Briefing.
Starting point is 00:02:42 Hi, everyone. Thank you for joining me today. I'm standing in for Dave Bittner. He'll be back tomorrow. Let's get into it. The Department of Homeland Security has reassigned hundreds of national security employees, including cybersecurity specialists from the Cybersecurity and Infrastructure Security Agency, better known as CISA, to support President Trump's deportation initiatives.
Starting point is 00:03:04 Current and former employees say that the reassignments, which are described as mandatory, come with threats of dismissal for refusal and often involve sudden relocations. Many of those moved had focused on protecting federal systems from nation-state cyber attacks. Their transfers to agencies such as Immigration and Customs Enforcement and Customs and Border Protection have disrupted CISA's core mission, particularly within its capacity building and international engagement divisions. Staff morale has reportedly plummeted amid a climate of fear and censorship. Critics warn that the shift leaves the United States more vulnerable to cyber threats as major hacks continue to target government networks. DHS officials defend the moves as routine
Starting point is 00:03:52 personnel alignment to meet agency priorities. Earlier this week, a massive DDoS attack disrupted several major gaming platforms, including Steam, Xbox, PlayStation, Riot Games, and Epic Games. The coordinated assault, reportedly powered by the Aisuru botnet, reached record levels of 29.69 terabits per second, overwhelming servers and causing widespread outages across the industry. Riot Games confirmed that while its internal systems remain secure, the flood of network traffic severely affected gameplay for League of Legends and Valorant users.
Starting point is 00:04:30 Services have since been restored, but experts warned that the scale and simultaneity of this event reveal growing vulnerabilities in global gaming infrastructure. Discord says it will not pay a ransom to threat actors that are claiming to have stolen data on 5.5 million users through its Zendesk support system, according to a report from BleepingComputer. Discord disputes the hackers' figures, stating that only about 70,000 users had government ID photos exposed
Starting point is 00:05:00 and emphasized that Discord itself was not breached. The attackers, on the other hand, alleged that they accessed a compromised support agent account with an outsourced provider, stealing 1.6 terabytes of data, including user IDs, emails, and partial payment details. For its part, Discord dismissed those claims as part of an extortion attempt and reaffirmed that no internal systems were compromised. The hackers reportedly demanded up to $5 million and threatened to leak the data after failed negotiations. BleepingComputer could not verify the authenticity of the stolen data samples. Researchers at Fortinet examined Chaos ransomware, which resurfaced in 2025 with a new C++ variant,
Starting point is 00:05:44 its first version not written in .NET, marking a major evolution in the malware's capabilities. Dubbed Chaos C++, the strain combines encryption with destructive behavior, deleting large files entirely instead of encrypting them and then hijacking clipboard data to steal cryptocurrency payments. The malware disguises itself as a fake utility, silently executes its payload, and employs multiple encryption methods, including AES, RSA, and XOR. Its clipboard hijacking feature replaces Bitcoin wallet addresses with attacker-controlled ones, redirecting potential payments.
Starting point is 00:06:21 This Chaos variant reflects a broader shift from traditional ransomware to hybrid extortion and destruction, signaling Chaos developers' growing focus on financial theft and operational impact over simple data encryption. And in other new research findings elsewhere, an investigation by Huntress details a hands-on compromise that began in August 2025 with log poisoning, also called log injection, on a public phpMyAdmin panel. The actor planted a one-liner PHP web shell, reminiscent of China Chopper, controlled it with AntSword, and then installed Nezha,
Starting point is 00:06:59 which is a monitoring tool used to run commands. The sequence ended with Gh0st Remote Access Trojan, or Gh0st RAT. Huntress reports likely more than 100 victims, most frequently in Taiwan, Japan, South Korea, and Hong Kong. The access path involved weak defaults and exposed admin interfaces, highlighting real-world risk from test stacks and outdated packages. Huntress suggests that defenders harden public apps, enforce authentication, monitor for web shells, and detect suspicious service creation and execution paths.
Starting point is 00:07:34 The Federal Communications Commission, better known as the FCC, will revisit its 2024 data breach disclosure rule that requires telecom providers to notify customers within 30 days. A Sixth Circuit panel had upheld this rule, rejecting claims from the industry groups that it exceeded FCC authority and violated the Congressional Review Act. After those groups sought a rehearing, the FCC asked to suspend the case while it re-examines the order. A court then granted abeyance, requiring progress reports every 60 days. The arrest of two 17-year-olds in the Netherlands has raised alarms about nation-state hackers recruiting teenagers for espionage. The teens were detained for collecting Wi-Fi data near Europol and other sensitive sites and were reportedly approached on Telegram by pro-Russian operatives. Dutch intelligence
Starting point is 00:08:28 tipped police to the activity, which officials link to Russia's hybrid tactics. Security analysts say that this case underscores a growing pattern, and that is that threat actors are grooming teens on Telegram, Discord, and gaming platforms to perform low-skill digital tasks, from network scanning to credential theft. Experts warn that young recruits who are often unaware of the consequences here are being manipulated into aiding cyber operations. Dutch Prime Minister Dick Schoof called the trend extremely worrying, urging vigilance from parents and educators.
Starting point is 00:09:06 Ukraine's parliament has approved in the first reading a bill to establish cyber forces within its military, reflecting the growing role of cyber warfare in its conflict with Russia. Backed by 255 lawmakers, the new command will defend Ukraine's digital infrastructure and report directly to the commander-in-chief and president. The cyber forces will recruit reservists, conduct training, and operate under the general staff's Cyber Directorate, aligning operations with NATO standards. Final approval awaits a second reading and presidential signature. Security researcher Troy Hunt argues that court injunctions following major data breaches,
Starting point is 00:09:46 like those granted to HWL Ebsworth and Qantas, are the legal equivalent of offering thoughts and prayers. In his analysis, Hunt notes that such orders don't deter hackers or prevent leaks. After HWL Ebsworth's injunction against Russia's ALPHV group, the attackers ignored it and dumped the data anyway. Hunt says that these injunctions mainly restrict journalists, researchers, and services like Have I Been Pwned, rather than the criminals themselves. While companies use them to appear proactive and protect shareholder interests, they offer little real defense for victims or transparency about compromised information. Stick around after the break where Dave Bittner sits down with Sarah Graham, discussing their work and findings on Mythical Beasts,
Starting point is 00:10:41 diving into the depths of the global spyware market. And Spy Dog's secret site goes off leash. At Thales, they know cybersecurity can be tough and you can't protect everything. But with Thales, you can secure what matters most. With Thales's industry-leading platforms, you can protect critical applications, data and identities, anywhere and at scale with the highest ROI. That's why the most trusted brands and largest banks, retailers, and healthcare companies in the world rely on Thales to protect what matters most.
Starting point is 00:11:30 Applications, data, and identity. That's Thales. T-H-A-L-E-S. Learn more at thalesgroup.com slash cyber. What's your 2 a.m. security worry? Is it, do I have the right controls in place? Maybe are my vendors secure? Or the one that really keeps you up at night? How do I get out from under these old tools and manual processes? That's where Vanta comes in. Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence, and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data, and simplifies your security at scale. And it fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit ready all the time. With Vanta, you get everything
Starting point is 00:12:33 you need to move faster, scale confidently, and finally get back to sleep. Get started at vanta.com slash cyber. That's V-A-N-T-A dot com slash cyber. Sarah Graham is from the Atlantic Council's Cyber Statecraft Initiative, or CSI, and she is discussing their work and findings on Mythical Beasts: Diving into the depths of the global spyware market with Dave Bittner. Here's their conversation. So spyware can be defined in a few different ways, but in our report and this second published report we have here, we take a relatively narrow scope to how we're defining spyware as a type of malicious software that enables the unauthorized remote access of a target device for the purposes of intrusion and surveillance. And so oftentimes folks will ask us, why isn't the scope broader, or did you include something like stalkerware or ad tech? We really keep a relatively narrow definition here focused on that unauthorized remote access
Starting point is 00:13:47 specifically for the purposes of surveillance. Well, can you paint a picture of this market for us here? I mean, who are the key players and how do they tend to operate? Sure. So in terms of the marketplace, in recent years, there's been a lot of great reporting by different organizations, including Citizen Lab and Amnesty Tech, about the harms coming out of the spyware industry. But in contrast, there's been a relative lack of transparency about what's happening within the marketplace. We oftentimes see headlines about big players
Starting point is 00:14:22 such as the NSO group, but there's a lot of other players, small, medium size, and more than just vendors. So our report is really trying to turn to look at the marketplace as a whole and understand the supply chain of different vendors, holding companies, investors, and the like across the marketplace at a global scale. Well, who are some of the key players here? Yeah. So in our report, we really take a look at the global scale of the spyware market, but hone in on a few particular areas of interest. On first turn, one of our major trends that we identified in the original report,
Starting point is 00:15:00 and see holding consistent with data from this past year are that the majority of identified entities are domiciled in Israel, India, and Italy. But something I really want to point out and we see as a trend emerging in this updated data set is that there has been a significant increase within our sample of U.S.-based investors
Starting point is 00:15:22 that continue to disproportionately fund capabilities and really we want to highlight this because it really undermines the important U.S. government action that we've seen in the past 18 months to two years on spyware in contrast with the investors from the U.S. who continue to invest in these types of technologies. Yeah, can we dig into that a little bit? What insights can you provide as to what's driving that market investment from the U.S.? So to start with a bit of data, we see with the data from this past year, a total of 31 total U.S. investors that we were able to identify. And this,
Starting point is 00:16:06 we find is particularly remarkable given that some of the entities that U.S. investors are investing in are actually listed on the U.S. entity list. So, for example, Candiru, listed on the entity list, has investment from U.S. firms, including Integrity Partners, as well as a few other venture capital firms and pension funds coming out of different states. So we're seeing that there's investment from a wide range of investors into a wide range of different spyware vendors, not only including Candiru, but Cognyte and a few others as well. And to your question of what's really driving this, our data doesn't necessarily answer that question, but something that my fantastic co-author, Jen Roberts, continues to point
Starting point is 00:16:58 out, as we've dug into this data, is there has to be a reason. Investors invest when they see the potential for profit. Despite U.S. policy action, such as the entity list, there obviously must be some expectation that there is a future profit to be had here. Yeah. Well, help us understand how these commercial spyware vendors differ from traditional state intelligence operations. One thing that we get asked about quite a bit is how.
Starting point is 00:17:28 How do these spyware tools differ and how are they useful to governments for national security? And there's a strong sense that there's some political will to put controls on these technologies, despite the fact that they are used for permissioned uses in state national security operations. But there is interest to preserve that limited use. And the ability to do so really hinges on these sorts of transparency efforts with data sets like the ones that we've created here to ensure and maintain the integrity of those capabilities for those narrowly defined and permissioned use cases.
Starting point is 00:18:11 Well, one of the things you uncover in the report here digs into the government's role, both as buyers and regulators of this. Sure. So the government, the state, plays a different role in different jurisdictions here. And so I can give you a few examples. As I mentioned at the start, what we do observe and see consistent is that three jurisdictions in particular, India, Italy, and Israel, have a lot of activity within their boundaries. And what is something that we see is consistent amongst these three is that it's a relatively permissive environment with some sort of state
Starting point is 00:18:52 involvement. This varies. We see in the Indian cluster that this is most common in the sort of hack-for-hire market. In Italy, there's a much older history of spyware with quite a bit of overlap with state entities, whether that's as buyers, but also as regulators, which as you can imagine can oftentimes create some either implicit or explicit conflicts of interest and can really make transparency efforts and ultimately any meaningful regulation quite challenging. Why is it so difficult to hold these spyware companies accountable? I mean, is it as simple as the fact that they're offshore from our own local regulators?
Starting point is 00:19:39 It's a million-dollar question. I think a lot of people would like to know the answer to this. One, I can point out to a few things. One trend that we see in all of our reporting has been this feature of shifting vendor identities. So that might be really subtle name changes or total rebrands of different entities that make it really difficult to track consistency in their activity. These entities have a lot of smart folks involved. And so strategic jurisdictional hopping is something that they certainly partake in. And we see this in a few different examples.
Starting point is 00:20:19 For example, we know from a court case that Quadream established a presence in Cyprus to avoid European export controls. And so, as you can imagine, this sort of limited ability to consistently track is a huge barrier. And that actually highlights one of our second key trends in this report around the role of resellers and brokers, which I'd be happy to talk about it more, too. Well, yeah, let's dig into it. What can you share about that? Yeah, what we find with our updated data sample is a large number of what we're calling resellers and brokers. These are sort of partners within the marketplace that can be unrelated to the development of spyware, but they contribute some sort of technical or business need for the vendor.
Starting point is 00:21:10 So this could be something like marketing services, the provision of telecommunications intercept devices, or creating access to some sort of regional market that an original vendor might not have otherwise been able to easily enter and, you know, sell to interested buyers. And so through access to public data sources, we've been able to identify a larger share of these entities and have come to identify more and more that in this expanded and opaque marketplace, these types of intermediary entities are playing a pretty crucial role to limiting transparency. Yeah, can we talk about that?
Starting point is 00:21:51 I mean, one of the things that it strikes me is that these spyware companies give a lot of nation states plausible deniability, right? I mean, to what degree is that an element here? Certainly. There's plausible deniability sort of up and down the supply chain. You could imagine all the way through at the end use of surveillance, plausible deniability in terms of how particular information is gained. But there's also plausible deniability upwards on the supply chain. And I think these brokers and resellers play a really
Starting point is 00:22:25 crucial role to that, whether it's mere overlap only of business officers, or whether that's some sort of larger overlap between, for example, the original vendor and setting up some sort of satellite office in another state to gain access to that market. Some examples that we really dug into in the report are around the Mexican spyware ecosystem and with some recent transparency reporting. We've been able to see how there were layers and layers of plausible deniability through the creation of contracts that only very subtly indicate perhaps that these technologies were being sold to different state agencies. Where do we stand with policymakers here in the U.S.?
Starting point is 00:23:14 Is there any broad agreement on the place that spyware is intended to play? With the new administration, it's actually still relatively early within the tenure of four years, and we haven't seen any public indications of change to the current status quo of the U.S. policy perspective on these issues. But I think something to point out is that the absence of any change suggests at least that at minimum, the current trajectory, which has in the past included this effort through listing vendors on the entity list, issuing sanctions and visa restrictions. Just given that these things have not necessarily been pulled back is some sort of signal that this might continue, this sort of policy action might continue.
Starting point is 00:24:08 So to what degree should regular people be concerned about this, you know, for our listeners, is this, you know, high-level espionage kind of thing, or does it affect people in their day-to-day lives? In terms of targeting with spyware, our report doesn't go into this in great detail. And I would really encourage listeners to go and check out some organizations that really give a lot of context and color to these sorts of targeted surveillance intrusions, coming from organizations like I mentioned, Citizen Lab or Amnesty Tech. But that doesn't deny the fact that we all can take some personal steps in our personal digital footprint and securing that. What I think does matter, though, for most Americans is what I talked about with U.S. investments. When we dig into this a bit more
Starting point is 00:25:04 in detail, we actually found that a few different pension funds, for example, are invested in spyware companies. If I'm recalling correctly, I believe a pension fund out of New Jersey and Washington State are included in this. And while that might not be something that an everyday person is aware of, being able to have some context over where your finances are being invested into is certainly a first step in understanding what's going on and how entangled these sorts of ecosystems actually are. That was Dave Bittner, sitting down with Sarah Graham, of the Atlantic Council's Cyber Statecraft Initiative, discussing their work and findings on Mythical Beasts, diving into
Starting point is 00:25:45 the depths of the global spyware market. With Amex Platinum, access to exclusive Amex pre-sale tickets scores you a spot trackside. So being a fan for life turns into the trip of a lifetime. That's the powerful backing of Amex. Pre-sale tickets for future events subject to availability and vary by race.
Starting point is 00:26:13 Terms and conditions apply. Learn more at amex.ca slash Yannex. At Desjardins, we speak business. We speak startup funding and comprehensive game plans. We've mastered made-to-measure growth and expansion advice, and we can talk your ear off
Starting point is 00:26:28 about transferring your business when the time comes. Because at Desjardins Business, we speak the same language you do. Business. So join the more than 400,000 Canadian entrepreneurs who already count on us. And contact Desjardins today. We'd love to talk.
Starting point is 00:26:44 Business. In Derbyshire, the Spy Dog, Spy Pups, and Spy Cat books, which are all wholesome tales of gadget-wielding pets solving crimes. Well, they've been abruptly recalled after a web address printed in the back of the books started leading somewhere far less child-friendly. And the site for these books, which was once home to bonus content, was taken over by a third party who replaced puppies and paw prints with explicit material. Yikes.
Starting point is 00:27:23 Yeah, publisher Puffin and author Andrew Cope expressed horror, urging everyone not to visit the link and vowing swift action through, quote, appropriate channels. Schools, meanwhile, are treating the incident like a national security emergency, emailing parents, removing books, and issuing return immediately orders. For now, it seems, Spy Dog's latest mission is an undercover operation in digital damage control. And that's The CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Hey, CyberWire listeners, as we near the end of the year, and yeah, can you believe we're almost there already,
Starting point is 00:28:21 it is the perfect time to reflect on your company's achievements and set new goals to boost your brand across the industry next year. And we'd love to help you achieve those goals. We've got some unique end-of-year opportunities, complete with special incentives to launch 2026. So tell your marketing team to reach on out to us. Send us a message to sales at thecyberwire.com or visit our website so we can connect about building a program to meet your goals.
Starting point is 00:28:51 We'd love to know what you think of our podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com. N2K senior producer is Alice Carruth. Our producer is Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I'm your host, Maria Varmazis, in for Dave Bittner.
Starting point is 00:29:28 Thanks for listening. We'll see you tomorrow. Cyber Innovation Day is the premier event for cyber startups, researchers, and top VC firms building trust into tomorrow's digital world. Kick off the day with unfiltered insights and panels on securing tomorrow's technology. In the afternoon, the eighth annual DataTribe Challenge takes center stage as elite startups pitch for exposure, acceleration, and funding. The Innovation Expo runs all day, connecting founders, investors, and researchers around breakthroughs in cybersecurity.
Starting point is 00:30:32 It all happens November 4th in Washington, D.C. Discover the startups building the future of cyber. Learn more at cid.datatribe.com.
