CyberWire Daily - FBI botnet cleanup backfires.
Episode Date: September 15, 2025

FBI botnet disruption leaves cybercriminals scrambling to pick up the pieces. Notorious ransomware gangs announce their retirement, but don't hold your breath. Hacktivists leak data tied to China's Great Firewall. A new report says DHS mishandled a key program designed to retain cyber talent at CISA. GPUGate malware cleverly evades analysis. WhiteCobra targets developers with malicious extensions. North Korea's Kimsuky group uses AI to generate fake South Korean military IDs. My guest is Tim Starks from CyberScoop, discussing offensive cyber operations. A cyberattack leaves students hung out to dry.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Today we are joined once again by Tim Starks from CyberScoop discussing offensive cyber operations. You can read Tim's article "Google previews cyber 'disruption unit' as U.S. government, industry weigh going heavier on offense" for more background.

Selected Reading
The FBI Destroyed an Internet Weapon, but Criminals Picked Up the Pieces (Wall Street Journal)
15 ransomware gangs 'go dark' to enjoy 'golden parachutes' (The Register)
600 GB of Alleged Great Firewall of China Data Published in Largest Leak Yet (HackRead)
China Enforces 1-Hour Cybersecurity Incident Reporting (The Cyber Express)
DHS watchdog finds mismanagement in critical cyber talent program (FedScoop)
GPUGate Malware: Malicious GitHub Desktop Implants Use Hardware-Specific Decryption, Abuse Google Ads to Target Western Europe (Arctic Wolf)
'WhiteCobra' floods VSCode market with crypto-stealing extensions (Bleeping Computer)
AI-Forged Military IDs Used in North Korean Phishing Attack (Infosecurity Magazine)
Mitsubishi to acquire Nozomi Networks for nearly $1 billion (N2K CyberWire Business Briefing)
Dutch students denied access to jailbroken laundry machines (The Register)

Share your feedback
What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyberwire Network, powered by N2K.
The DMV has established itself as a top-tier player in the global cyber industry.
DMV Rising is the premier event for cyber leaders and innovators to engage in meaningful discussions and celebrate the innovation happening in and around the Washington, D.C. area.
Join us on Thursday, September 18th, to connect with the leading minds shaping our field and experience firsthand why the Washington, D.C. region is the beating heart of cyber innovation.
Visit DMVRising.com to secure your spot.
certificate lifespans will be cut in half, meaning double today's renewals.
And in 2029, certificates will expire every 47 days, demanding between 8 and 12 times the renewal volume.
That's exponential complexity, operational workload, and risk, unless you modernize your strategy.
CyberArk, proven in identity security, is your partner in certificate security.
CyberArk simplifies life cycle management with visibility, automation, and control at scale.
Master the 47-day shift with CyberArk. Scan for vulnerabilities, streamline operations, scale security.
Visit cyberark.com/47-day. That's cyberark.com slash the numbers 47-D-A-Y.
An FBI botnet disruption leaves cybercriminals scrambling to pick up the pieces.
Notorious ransomware gangs announced their retirement, but don't hold your breath.
Hacktivists leak data tied to China's great firewall.
A new report says DHS mishandled a key program designed to retain cyber talent at CISA.
GPUGate malware cleverly evades analysis.
WhiteCobra targets developers with malicious extensions.
North Korea's Kimsuky Group uses AI to generate fake South Korean military IDs.
We've got our Monday business brief summary.
My guest is Tim Starks from CyberScoop discussing offensive cyber operations.
And a cyber attack leaves students hung out to dry.
It's Monday, September 15th, 2025.
I'm Dave Bittner, and this is your Cyberwire Intel briefing.
Thanks for joining us.
The FBI recently disrupted a massive botnet, freeing nearly 95,000 hacked devices.
But instead of neutralizing the threat, the takedowns sparked a scramble among cybercriminals
to seize control of the machines.
A rival botnet, known as Aisuru, captured more than a quarter of them, and quickly began launching some of the largest distributed denial of service attacks ever recorded.
Cloudflare reported one strike reaching 11.5 trillion bits per second, a new world record.
Analysts warned this unintended consequence shows how difficult it is to dismantle botnets without leaving devices open to new operators.
What began as an FBI success has turned into a dangerous escalation,
highlighting how today's internet-connected devices can be weaponized faster than law enforcement
can neutralize them.
15 ransomware gangs, including Scattered Spider and Lapsus$, have suddenly declared they're retiring, claiming their real mission was noble system hardening, not extortion.
In a BreachForums post dripping with self-justification, they say they'll now enjoy their golden parachutes from millions in stolen funds, while others continue improving systems.
They even promised to humiliate those who arrested some members.
If this sounds like a heartfelt farewell, don't bet on it.
Cybercrime groups are notorious for rebranding,
and few believe these attackers are hanging up their keyboards.
Hacktivists have leaked nearly 600 gigabytes of data tied to China's Great Firewall in what experts call the largest breach of its kind.
The files, published by Enlace Hacktivista on September 11th, include source code, internal reports, work logs, and technical documentation allegedly from Geedge Networks and the MESA Lab, both central to the firewall's development.
Early analysis shows evidence of censorship and surveillance exports to countries tied to China's Belt and Road Initiative, including Pakistan and Ethiopia.
Unlike past leaks, this trove includes raw operational data, tens of thousands of documents, and software packages that reveal how the firewall has evolved and expanded.
Researchers caution the files may contain malware, but say they offer a rare, detailed look into China's censorship machine.
Meanwhile, China is tightening cybersecurity rules, requiring network operators to report particularly serious incidents within one hour starting November 1st.
The Cyberspace Administration of China defines top-tier threats as large-scale outages, breaches exposing over 100 million citizens' data, or cyber attacks disrupting utilities, transport, or health care for millions.
Officials must notify higher authorities within 30 minutes of receiving reports, and operators must file a full review within 30 days.
Lawmakers are also considering amendments to raise fines for failures involving critical
infrastructure or data protection.
A new Inspector General report says the Department of Homeland Security mishandled a key program designed to retain cyber talent at CISA.
Since 2015, over $100 million was spent on the Cyber Incentive Program, meant to keep highly sought-after cybersecurity experts in government. Instead, funds were often misdirected.
Payments went to ineligible staff, including 240 employees with no direct cybersecurity roles, and more than 300 people received erroneous back pay.
The watchdog concluded the poorly managed program wasted taxpayer dollars and may worsen attrition risks, leaving CISA less able to protect the nation from cyber threats.
Triggered by a 2023 hotline complaint, the investigation found HR failed to track payments, and CISA has agreed to eight corrective recommendations to fix oversight and targeting issues.
Arctic Wolf's Cybersecurity Operations Center has uncovered a sophisticated campaign
blending Google Ads and GitHub look-alike domains to deliver malware.
Attackers use commit-specific links in ads to mimic official repositories,
luring IT professionals into downloading a malicious MSI installer disguised as GitHub Desktop.
At 128 megabytes, the installer bypassed many sandboxes by stuffing itself with dummy files.
Its standout feature, dubbed GPUGate, employed a GPU-based decryption routine that kept the payload
encrypted unless run on a machine with a real GPU, evading most analysis environments.
Once executed, the malware gained admin rights for persistence and lateral movement.
The campaign primarily targeted IT workers in Western Europe,
with evidence suggesting Russian-speaking operators.
Likely goals included credential theft, data exfiltration, and ransomware deployment.
A threat actor known as WhiteCobra is targeting developers by planting 24 malicious extensions in the Visual Studio Marketplace and Open VSX registry, affecting VS Code, Cursor, and Windsurf users.
The campaign is active, with new malicious uploads replacing removed ones.
Ethereum developer Zach Cole reported his wallet was drained after using one such extension, which appeared legitimate with a professional design and 54,000 downloads.
WhiteCobra, previously tied to a half-million-dollar crypto theft, exploits weak extension vetting and the cross-compatibility of VSIX packages.
Cybersecurity firm Genians has uncovered a spear-phishing campaign by North Korea's Kimsuky Group that used AI to generate fake South Korean military ID cards.
Detected on July 17th, the attack impersonated a defense institution, sending emails with counterfeit ID samples attached as PNGs, designed to look like draft reviews for ID issuance.
The images, flagged as deepfakes with 98% certainty, were created through prompt injection to bypass AI safeguards against generating illegal IDs.
A malicious .bat file executed alongside the images enabled data theft and remote control.
Targets included researchers, journalists, and activists focused on North Korea.
The campaign marks an evolution of Kimsuky's earlier ClickFix phishing attack, showing how deepfake technology can enhance the credibility of social engineering attempts.
It's Monday, which means we've got a summary of our N2K Cyberwire business brief.
Mitsubishi Electric has announced its largest acquisition to date, agreeing to buy San Francisco-based OT security firm Nozomi Networks for $883 million in cash.
The deal builds on Mitsubishi's earlier 7% stake in Nozomi, gained during the company's $100 million Series E funding round in 2024.
Expected to close late this year, Nozomi will continue operating from San Francisco with R&D in Switzerland.
Mitsubishi says the acquisition adds a fast-growing AI-powered cybersecurity business to its industrial portfolio, helping deliver advanced protection for critical infrastructure and IoT systems.
Meanwhile, consolidation continues across the cybersecurity sector. SentinelOne is buying Observo AI for $225 million.
UltraViolet Cyber acquired Black Duck's testing services, and several smaller firms in Europe, the U.S. and Israel announced deals.
Investment activity was also strong, with ID.me raising $340 million, IQM Quantum Computers securing $320 million, and Shift5 closing $75 million to accelerate growth in their respective sectors.
Be sure to check out our complete business briefing on our website,
thecyberwire.com.
Coming up after the break, my conversation with Tim Starks from CyberScoop,
we're discussing offensive cyber operations,
and a cyber attack leaves students hung out to dry.
Stay with us.
And now a word from our sponsor.
The Johns Hopkins University Information Security Institute is seeking qualified applicants
for its innovative Master of Science in Security Informatics degree program.
Study alongside world-class interdisciplinary experts and gain unparalleled educational, research and professional experience in information security and assurance.
Interested U.S. citizens should consider the Department of Defense's Cyber Service Academy program, which covers tuition, textbooks, and a laptop, as well as providing a $34,000 additional annual stipend.
Apply for the fall 2026 semester and for this scholarship by February 28th.
Learn more at c.j.j.j.edu slash MSSI.
We've all been there. You realize your business needs to hire someone yesterday.
How can you find amazing candidates fast?
Well, it's easy. Just use Indeed. When it comes to hiring, Indeed is all you need.
Stop struggling to get your job post noticed. Indeed's sponsored jobs helps you stand out and hire fast.
Your post jumps to the top of search results, so the right candidates see it first. And it works.
Sponsored jobs on Indeed get 45% more applications than non-sponsored ones.
One of the things I love about Indeed is how fast it makes hiring. And yes, we do actually use Indeed for hiring here at N2K Cyberwire.
Many of my colleagues here came to us through Indeed.
Plus, with sponsored jobs, there are no subscriptions, no long-term contracts.
You only pay for results.
How fast is Indeed?
Oh, in the minute or so that I've been talking to you,
23 hires were made on Indeed, according to Indeed data worldwide.
There's no need to wait any longer.
Speed up your hiring right now with Indeed.
And listeners to this show will get a $75-sponsored job credit to get your jobs more visibility at indeed.com slash cyberwire.
Just go to indeed.com slash cyberwire right now and support our show by saying you heard about Indeed on this podcast.
Indeed.com slash cyberwire.
Terms and conditions apply.
Hiring?
Indeed is all you need.
And it is always my pleasure to welcome back to the show, Tim Starks.
He is a senior reporter at Cyberscoop.
Tim, welcome back.
It's my pleasure.
Mine.
So, Tim, we had a water cooler conversation here around the virtual water cooler here at Cyberwire.
And one of my colleagues brought up the fact that it seems like there is a lot of growing buzz.
about this notion of offensive cyber or, as is euphemistically referred to,
sometimes active defense, right?
And this was something that you wrote about recently on CyberScoop,
particularly kind of keying off this announcement from Google,
that this was something that they were pursuing.
What's going on here, Tim?
Yeah, there's been kind of a two-front series of developments going on with this.
One is the private sector side, and the other is the public sector, the federal government.
So on the private sector side, Google has said they're going to set up a disruption unit.
And they haven't said what that's going to look like yet.
But disruption kind of falls into that spectrum between what we talk about.
You just mentioned the term cyber offense and active defense.
It's a little bit more on the offensive side.
We're talking about things like taking a company to court and getting its infrastructure taken down.
We've seen Microsoft do that a lot.
Or something more like with the federal government disrupting by going and stealing back, essentially.
I don't know if you can steal back something that was stolen from you, but taking back stolen cryptocurrency from ransomware gangs.
That's kind of the range of things that you think of when you think of disruptions.
And that makes it interesting to hear what Google might do with it.
There was a broader discussion the day that that was announced about, you know, is the private sector capable of doing this?
Does it have the ability?
And then, you know, this most recent week, there was a lot of discussion about this from Trump administration officials talking about how they want to change the national strategy to put the risk, the cyber burden risk on the attackers.
To use the phrase that Alexei Bulazel from the National Security Council used, we're talking about making it less about the victims and more about the villains.
So it's two fronts, and there's a lot of interesting policy ramifications and industry, government, business regulations for all this that is really fascinating to me.
Yeah, and like, can we just start with, you know, basic stuff here that, correct me if I'm wrong, hacking back is illegal?
It is.
Yeah.
Yeah, the Computer Fraud and Abuse Act would basically, if you are, if you're going to hack back, if you're literally going to go into an organization, or companies, even governments,
basically, you're running risks of being arrested under the federal anti-hacking law.
We've had some debate about in past years
that kind of has been at that end
is to come up with ways
that you can authorize legally some hacking back.
And that has gotten nowhere in Congress
beyond the introduction of bills.
A lot of people think that's a very bad idea.
In fact, we're seeing a new version of this idea: letters of marque, which goes back to pirate days.
Right. Yeah.
Right. Going back to the government saying, hey, you're authorized to be a mercenary going after pirates on our behalf. Here's a letter. You're legally allowed to go after
these pirates. So that's something that we're now seeing a bit more discussion in Congress
about the idea of maybe putting legislation to create a framework for this. And, you know,
what's interesting about that is even if they do it and, you know, the little response
we've seen from the Hill, the people proposing the idea.
You know, there was a house hearing several months back
where a lawmaker raised this idea,
and all the panelists were like,
yeah, no, we wouldn't be interested in being that kind of business.
But there was some talk at this recent conference,
the one where the Google announcement came out,
about is there going to be a burgeoning market for this
if the law changes, and how good would anybody be at it?
Right.
Could there be something in the middle, a public-private partnership where the feds take care of the legal side of it, but basically contract the actual offensive cyber out to one of the usual suspects, the big names?
Yeah, that's a point that I think there's a little bit of discussion about.
Certainly, I think there's a little bit that's already happening.
You know, there was a company that talked about selling exploits to the federal, to governments.
it's not a very profitable business
because you have one customer
there's not a lot of competition for pricing
you're not offering it
and getting a lot of bids per se
unless you decide you want to go to the dark side
and offer it to governments that are less ethical
or less or more authoritarian than ours
they say look
it's a difficult marketplace
because once you sell the exploit
it's gone
so there's that option
where there could be some public-private
and one of the things that Brandon Wales said,
who was a former CISA official, is now in the private sector,
is perhaps what you could see the private sector contributing
would be just private sector,
good old fashion capitalist innovation, right?
Where if they can figure out a way to take
what are very manpower-intensive and time-intensive things
that are, that cyber-offensive operations are,
if they could somehow innovate in that field,
that would be something that could really help the federal government.
But that's pretty vague, right?
there's a lot of gulf in between what that would look like.
What would that innovation be like?
What could the innovation be?
Certainly the government hasn't figured it out,
and they're using a lot of resources
to try to figure out how to do these things more.
And it's difficult.
So, you know, it's hard to imagine how you get from A to B,
but there's a lot of talk of getting from A to B,
which is more than there has been in recent years.
You mentioned about putting the burden on the attackers.
What is the explanation for that?
How would that play out?
Yeah, so you'll recall one of the things that was interesting
about the prior administration, the Biden administration, is that their national security
strategy, they're not, sorry, their cyber security strategy said, you know, right now the risk,
the burden of risk for cyber on cybersecurity is on the end user. They get insecure products.
They use insecure products. They have to do things like set up multi-factor authentication.
They have to buy additional services to protect themselves. The Biden administration said,
let's shift the risk to others, people who can handle it better, namely the private sector,
the companies that produce these technologies.
But also, they started to talk about this idea,
going back to circling back what we started talking about, disruption.
So they had a large section of the National Security Strategy
that said, let's do more to make it so the attacker feels pressure.
This administration now, we saw two different top officials
this recent week saying, you know,
one was Sean Cairncross, the National Cyber Director.
Keeping in mind, of course,
the National Cyber Director wrote the last National Cyber Security Strategy.
So he's a person who will be in position
if things hold form to write the next national cybersecurity strategy.
And as mentioned, Alexei Bulazel, who's the top NSC cyber official.
So these two people both said, we need to shift the risk to yet a different place, that is, to the attacker.
So that means going more on cyber offense.
But also, you know, Alexei was saying, you know, it's not the only tool in the toolbox.
Even though we've been talking this up, we can't just be offensive.
We do have to still do things defensively.
That's why we still need something like CISA.
So how they blend that is going to be really interesting.
You know, there was a little bit of stuff that came out in the last administration
about them trying to loosen up the rules of cyber engagement and cyberspace was interesting.
It didn't get rolled back very far, but the Biden administration changed a few things about how that worked.
So how do they start going about this?
And certainly a strategy would be one way they do it.
But at an operational level, this is going to be happening at Cyber Command.
And it'll be interesting to see how that high-level strategy translates to policy and actual on-the-ground, or at least in the space, because we're talking about cyberspace, on-the-ground operations.
Right.
I'm trying to imagine the cyber equivalent
of a targeted drone strike.
Mm-hmm.
Right?
Well, an example of that actually might be,
I think, from the,
I think this would have been from,
I think was this 2018?
I believe it was 2018.
There was an operation where they went into the Russian troll farm,
essentially.
and shut down their website,
shut down their operations for a while.
So that's a little bit like the drone strike you're talking about.
That's an example of what it might look like.
But obviously, that's short term and temporary,
and is that worth it?
I think something more like,
if you go even further back,
something like shutting down the centrifuges in Iran
that happened many, many years back
that the U.S. and Israel were part of doing
perhaps a little bit of England,
that maybe would be more like,
we're not just going to attack you in cyberspace,
we're going to attack you in cyberspace in a way that causes physical destruction.
I think that would be another level you could take it to if you could, you know,
obviously locate where these attackers are.
Is there something you could do to blow up something to them?
I mean, the imagination is required here because we don't have a lot of real examples that have come out.
We have those kinds of examples that we were just talking about,
and the imagination is where you have to take it.
Because right now, nobody's talking about it out loud.
It would be all very classified for the most part.
Unless, of course, and this is where some of the other things that are fascinating about this come out, how deterring is it to launch cyber attacks in cyberspace against cyber attackers if they don't know you did it, or if the public doesn't know that you did it and they don't send the message?
So there's all these fascinating moving pieces and gears that you just kind of have to think about at this point until we start seeing more of it actually happening.
Yeah. I agree with your fascination. And also to me,
one of the things to have an eye on
is the amorphous shifting norms, right?
Yeah, I mean, certainly on the bad guy side,
if I'm representing America,
you know, we have seen,
there was a time period during the COVID heights where a couple of the ransomware gangs said,
we're not going to attack hospitals,
we're not going to attack the electric sector.
And then not long after that,
they were doing it.
So even when norms are sort of being unofficially established, they're being violated constantly.
And the other thing, of course, is that the United States has never drawn in any very specific way what we call red lines in cyberspace.
Just know, if you do this, we're going to attack you.
We've never done it.
There have been a lot of people suggested it would be a bad idea to do it.
Some people think it's a good idea.
Bad idea argument is, of course, that if you say this is the red line and then somebody oversteps it, you're obligated to attack them.
There's the unpredictability element of it.
Like, okay, you're not going to know what causes an attack.
until we attack you. That maybe then puts some doubt into the attacker's mind. Should we do
this? Is it worth it? If we don't know what the line is, and we don't know when we overstep it,
what's that? The good side, of course, is like, you know, draw the lines, and they're not going
to cross the lines, because they're going to know what happens if they do. So that's another thing,
is that the norms are not established. What norms we do have are so much constantly shifting.
Right. Yeah. All right. Well, as they say, time will tell.
It's a universal chestnut.
It's always true.
It's always true.
Tim Starks is senior reporter at CyberScoop.
Tim, thanks so much for sharing your expertise with us today.
Thanks, Tim.
At Thales, they know cybersecurity can be tough and you can't protect everything.
But with Thales, you can secure what matters most.
With Thales's industry-leading platforms, you can protect critical applications, data, and identities, anywhere and at scale with the highest ROI.
That's why the most trusted brands and largest banks, retailers, and health care companies in the world rely on Thales to protect what matters most.
Applications, data, and identity.
That's Thales.
T-H-A-L-E-S.
Learn more at thalesgroup.com/cyber.
And finally, at Amsterdam's Spinoza Campus,
more than a thousand students are still schlepping laundry bags across town
after a cyber attack turned their smart washing machines into very expensive, very useless boxes.
Back in July, an unknown hacker tampered with the digital payment system, granting students a glorious few weeks of free spin cycles.
Management company DUWO eventually pulled the plug, declaring it wasn't in the business of underwriting free laundry.
Students now fight over a dwindling fleet of 10 analog washers, most of which are usually broken, while some mutter darkly about lice.
The university has offered little help other than pointing back to DUWO.
So, while IoT hacks usually fuel botnets or ad fraud, this one left students wringing out socks by hand,
proof that cyber mischief can hit right at the fabric of daily life.
And that's The CyberWire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
Don't forget to check out the Grumpy Old Geeks podcast where I contribute to a regular segment on Jason and Brian's show every week.
You can find Grumpy Old Geeks where all the fine podcasts are listed.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights
that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey and the show notes or send an email to Cyberwire at N2K.com.
N2K's senior producer is Alice Carruth.
Our Cyberwire producer is Liz Stokes.
We're mixed by Trey Hester with original music by Elliot Peltzman.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
And now a word from our sponsor, ThreatLocker, the powerful zero-trust enterprise solution that stops ransomware in its tracks.
Allowlisting is a deny-by-default software that makes application control simple and fast.
Ringfencing is an application containment strategy, ensuring apps can only access the files, registry keys, network resources, and other applications they truly need to function.
Shut out cybercriminals with world-class endpoint protection from ThreatLocker.