CyberWire Daily - Hackers peek behind the nuclear curtain.
Episode Date: October 22, 2025

A foreign threat actor breached a key U.S. nuclear weapons manufacturing site. The cyberattack on Jaguar Land Rover is the most financially damaging cyber incident in UK history. A new report from Microsoft warns that AI is reshaping cybersecurity at an unprecedented pace. The ToolShell vulnerability fuels Chinese cyber operations across four continents. Fake browser updates are spreading RansomHub, LockBit, and data-stealing malware. Hackers deface LA Metro bus stop displays. A spyware developer is warned by Apple of a mercenary spyware attack. Pwn2Own payouts proceed. Ben Yelin from University of Maryland Center for Cyber Health and Hazard Strategies on a federal whistleblower from the SSA. When the cloud goes down, beds heat up.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Today we are joined by Ben Yelin from University of Maryland Center for Cyber Health and Hazard Strategies on a federal whistleblower from the SSA. If you enjoyed Ben's conversation, be sure to check out more from him over on the Caveat Podcast.

2025 Microsoft Digital Defense Report
To learn more about the 2025 Microsoft Digital Defense Report, join our partners on The Microsoft Threat Intelligence Podcast. On today's episode, host Sherrod DeGrippo is joined by Chloé Messdaghi and Crane Hassold to unpack the key findings of the 2025 Microsoft Digital Defense Report, a comprehensive look at how the cyber threat landscape is accelerating through AI, automation, and industrialized criminal networks. You can listen to new episodes of The Microsoft Threat Intelligence Podcast every other Wednesday on your favorite podcast app.

Selected Reading
Foreign hackers breached a US nuclear weapons plant via SharePoint flaws (CSO Online)
JLR hack is costliest cyber attack in UK history, say analysts (BBC)
Microsoft 2025 digital defense report flags rising AI-driven threats, forces rethink of traditional defenses (Industrial Cyber)
The New Frontlines of Cybersecurity: Lessons from the 2025 Digital Defense Report (The Microsoft Threat Intelligence Podcast)
SharePoint ToolShell attacks targeted orgs across four continents (Bleeping Computer)
SocGholish Malware Using Compromised Sites to Deliver Ransomware (Hackread)
LA Metro digital signs taken over by hackers (KTLA)
Apple alerts exploit developer that his iPhone was targeted with government spyware (TechCrunch)
Hackers Earn Over $520,000 on First Day of Pwn2Own Ireland 2025 (SecurityWeek)
AWS crash causes $2,000 Smart Beds to overheat and get stuck upright (Dexerto)

Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show? N2K CyberWire helps you reach the industry's most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyberwire Network, powered by N2K.
Are you ready for AI in cybersecurity?
Demand for these skills is growing exponentially for cybersecurity professionals.
It's why CompTIA, the largest vendor-neutral certification authority, is developing SecAI+.
It's their first ever AI certification focused on artificial intelligence and cybersecurity
and is designed to help mid-career cybersecurity professionals demonstrate their competencies with AI tools.
And that's why N2K's SecAI+ practice exam is coming out this year to help you prepare for this certification release in 2026.
To find out more about this new credential and how N2K can help you prepare today,
check out our blog at certify.cybervista.net slash blog.
And thanks.
At Thales, they know cybersecurity can be tough, and you can't protect everything.
But with Thales, you can secure what matters most.
With Thales's industry-leading platforms, you can protect critical applications, data, and identities,
anywhere and at scale with the highest ROI.
That's why the most trusted brands and largest banks,
retailers, and health care companies in the world
rely on Thales to protect what matters most.
Applications, data, and identity.
That's Thales.
T-H-A-L-E-S.
Learn more at thalesgroup.com slash cyber.
A foreign threat actor breached a key U.S. nuclear weapons manufacturing site.
The cyber attack on Jaguar Land Rover is the most financially damaging cyber incident in U.K. history.
A new report from Microsoft warns that AI is reshaping cybersecurity at an unprecedented pace.
The ToolShell vulnerability fuels Chinese cyber operations across four continents.
Fake browser updates are spreading RansomHub, LockBit, and data-stealing malware.
Hackers deface L.A. Metro bus stop displays. A spyware developer is warned by Apple of a mercenary spyware attack.
Pwn2Own payouts proceed. Ben Yelin from the University of Maryland Center for Cyber Health and Hazard Strategies
discusses a federal whistleblower from the Social Security Administration.
And when the cloud goes down, the beds heat up.
It's Wednesday, October 22nd, 2025.
I'm Dave Bittner, and this is your Cyberwire Intel briefing.
Thanks for joining us here today. It's great to have you with us.
A foreign threat actor breached the Kansas City National Security Campus, a key U.S. nuclear weapons manufacturing site,
by exploiting unpatched Microsoft SharePoint vulnerabilities, according to a source involved in the August response.
The attackers accessed systems at the Honeywell-managed facility, which produces most non-nuclear components for U.S. nuclear weapons.
Attribution remains disputed.
Microsoft links the broader campaign to Chinese groups Linen Typhoon and Violet Typhoon,
while another source claims Russian involvement.
The incident underscores how IT weaknesses can expose operational technology,
even in air-gapped environments.
Experts warn that, despite limited impact,
the breach highlights gaps in zero-trust protections for industrial systems.
Even unclassified technical data could hold strategic value by revealing manufacturing tolerances or supply chain dependencies.
The Department of Energy confirmed limited disruption and said affected systems are being restored.
The cyber attack on Jaguar Land Rover is projected to cost 1.9 billion pounds, making it the most financially damaging cyber incident in UK history,
according to the Cyber Monitoring Center.
The BBC says the late August hack forced a five-week production shutdown
across JLR's global operations and disrupted more than 5,000 suppliers.
The Cyber Monitoring Center classified the breach as a Category 3 event,
citing estimated losses between 1.6 billion pounds and 2.1 billion pounds,
with full recovery expected by January next year.
More than half the losses are attributed to JLR's own recovery and operational downtime,
while supply chain and local economy impacts make up the rest. JLR has not disclosed the attack
type or whether a ransom was paid. Microsoft's Digital Defense Report for 2025 warns that
AI is reshaping cybersecurity at an unprecedented pace, empowering both defenders and
attackers. The company says adversaries now use generative AI to automate social engineering,
vulnerability discovery, and evasion, while targeting AI systems themselves through prompt
injection and data poisoning. Nation state actors are intensifying espionage and influence operations,
particularly against research and communication sectors, often linked to geopolitical conflicts.
Microsoft urges defenders to embed cybersecurity
into business strategy, emphasizing zero trust, cloud security, and identity protection.
The report stresses that no organization can face these challenges alone.
International collaboration and political deterrence are vital to counter malicious state activity.
Microsoft also calls for preparation for quantum era threats, cloud governance, and workforce
upskilling to build collective cyber resilience.
A program note, our N2K Cyberwire network partner, Microsoft Threat Intelligence,
discusses the report in detail on today's episode of the Microsoft Threat Intelligence podcast.
We'll have a link in the show notes.
Chinese-linked hackers exploited the ToolShell vulnerability in Microsoft SharePoint
to attack organizations across four continents, according to Symantec.
The flaw, a bypass for two earlier SharePoint bugs
revealed at Pwn2Own Berlin, allows unauthenticated remote code execution on on-premises servers.
Microsoft previously attributed the exploitation to Chinese groups Budworm, also known as Linen Typhoon;
Sheathminer, also known as Violet Typhoon; and Storm-2603, the Warlock ransomware group.
Symantec's report identifies additional Chinese actors targeting government, telecom, financial, and academic institutions
in the Middle East, Africa, South America, and the U.S.
Attackers deployed multiple backdoors, including ZingDoor, ShadowPad, and KrustyLoader,
using legitimate executables for DLL side-loading.
The operations also leveraged credential dumping tools,
PetitPotam for domain compromise, and utilities for data exfiltration and persistence.
Symantec concludes ToolShell was exploited by more Chinese
actors than previously known.
A new report from Trustwave SpiderLabs warns that SocGholish, also known as FakeUpdates,
is a global malware-as-a-service operation turning fake software updates into large-scale infection
campaigns. Run by threat group TA569, SocGholish compromises legitimate websites,
often WordPress sites, and injects malicious scripts or uses domain shadowing
to distribute malware disguised as browser or Flash updates.
The group sells access to other criminals, including Evil Corp,
and has recently delivered RansomHub ransomware in healthcare-related attacks.
Researchers also found ties to Russia's GRU Unit 29155,
noting that SocGholish has spread the Raspberry Robin worm.
Using traffic filtering tools like Keitaro TDS,
TA569 selectively targets victims and delivers payloads including LockBit ransomware,
AsyncRAT, and data stealers, making SocGholish a major global cyber threat.
L.A. Metro confirmed that several digital signage boards were hijacked this week
after displaying a false suicide bomb warning, apparently posted by Turkish hackers.
The incident affected bus stops, where the alarming message
appeared alongside a hacker group's social media tag.
Officials traced the intrusion to Papercast,
a third-party content management vendor
whose systems were compromised.
The unauthorized messages have since been removed
as Metro and Papercast investigate the breach.
A developer formerly employed by government spyware maker Trenchant
says Apple warned him that his iPhone was targeted by mercenary spyware,
marking one of the first known cases of a spyware developer becoming a victim.
The developer, using the pseudonym Jay Gibson,
had worked on iOS zero-day exploits before being suspended and later fired
amid an internal investigation into a leak of Trenchant's hacking tools.
Gibson denies involvement and believes he was scapegoated.
Apple's alert, issued in March, suggests a state-linked surveillance campaign,
although no infection was confirmed.
Sources told TechCrunch that other exploit developers
have received similar Apple notifications,
signaling that the spread of zero-day spyware
is now ensnaring its own creators.
Trenchant's parent company, L3Harris, declined comment.
On day one of Pwn2Own Ireland 2025,
researchers earned $522,500
by exploiting 34 previously unknown vulnerabilities
across printers, routers, NAS devices, and smart home products,
according to Trend Micro's Zero Day Initiative.
The top prize, $100,000, went to a SOHO Smashup exploit
chaining flaws in QNAP router and NAS devices.
Other major payouts included $50,000 each for hacks on Synology and Sonos devices.
Additional vulnerabilities in Home Assistant, Philips Hue, and HP and Canon printers were also rewarded.
The contest continues with a $1 million WhatsApp exploit demonstration expected on Thursday.
Coming up after the break, Ben Yelin discusses a federal whistleblower from the Social Security Administration,
and when the cloud goes down, beds heat up.
Stick around.
What's your 2 a.m. security worry?
Is it, do I have the right controls in place?
Maybe, are my vendors secure?
Or the one that really keeps you up at night?
How do I get out from under these old tools and manual processes?
That's where Vanta comes in.
Vanta automates the manual work,
so you can stop sweating over spreadsheets,
chasing audit evidence, and filling out endless questionnaires.
Their trust management platform continuously monitors your systems,
centralizes your data, and simplifies your security at scale.
And it fits right into your workflows,
using AI to streamline evidence collection,
flag risks, and keep your program audit ready.
all the time. With Vanta, you get everything you need to move faster, scale confidently, and
finally get back to sleep. Get started at Vanta.com slash cyber. That's V-A-N-T-A-com slash cyber.
And now a word from our sponsor. The Johns Hopkins University Information Security Institute
is seeking qualified applicants for its innovative Master of Science in Security Informatics
degree program. Study alongside world-class interdisciplinary experts and gain unparalleled educational,
research, and professional experience in information security and assurance. Interested U.S.
citizens should consider the Department of Defense's Cyber Service Academy program, which covers
tuition, textbooks, and a laptop, as well as providing a $24,000 additional annual stipend.
Apply for the fall 2026 semester and for this scholarship by February 28th.
Learn more at cs.jhu.edu slash MSSI.
And it is always my pleasure to welcome back to the show Ben Yelin. He is my Caveat co-host, and he is from the University of Maryland Center for Cyber Health and Hazard Strategies. Ben, welcome back.
Good to be with you again, Dave.
Interesting story from The Washington Post, dealing with this former Social Security Administration employee who became a whistleblower and has received a lot of blowback from that activity.
What's going on here, Ben?
So it's been a while since we've talked about the Department of Government Efficiency,
which I believe still exists, but in just the first few months of the Trump administration,
this was the front page of every news story.
Elon Musk and his crew were helicoptering into federal agencies and taking control of computers.
They were firing a lot of people.
They were cutting off funding to disfavored programs like USAID,
and according to this whistleblower, a guy by the name of Charles Borges,
they were putting people's sensitive data at risk.
So Borges is a former chief data officer at the Social Security Administration.
He is a career official who's worked under presidents of both parties.
He ended up submitting his resignation over this issue,
but he had filed a whistleblower complaint after learning that Doge had copied a mainframe database
containing data on hundreds of millions of Americans to a cloud server.
He warned that the, what's called the NUMIDENT master file, contains names,
social security numbers, birthdays, addresses.
This all went into that insecure cloud system.
There was very little oversight.
The Doge team didn't really know what it was doing,
at least according to his allegation.
And he felt that people's sensitive information could have been publicly exposed.
and could be available on the dark web, for example.
Reached for comment,
current leaders of the Social Security Administration
and their commissioner have denied
that there's been any breach,
which I think doesn't quite answer the question
about vulnerabilities.
Just because there hasn't been an identifiable breach,
doesn't mean that there will not be one.
Yeah.
But he did say that the cloud location was secure,
and this is something that SSA has used in the past to store data.
But Borges' account was backed up by others who have worked for the agency.
A former acting commissioner by the name of Leland Dudek backed his claims.
He said that the Doge cloud environment is too little secured and inappropriate for personal data.
So this is just a story about a whistleblower finding that agents of Doge were bypassing normal security protocols.
He used proper internal mechanisms for bringing this to the attention of his superiors,
and he claims that he faced retaliation, isolation,
and ultimately was forced to resign and end his career in public service because of this disclosure.
So help me understand that aspect of it, because aren't these whistleblower provisions put in place to prevent retaliation, isolation, resignation,
all those sorts of things?
Yeah, that actually has to be enforced, though,
and there has to be somebody willing to enforce it.
And that would be the Department of Justice?
Oh, it could be the Department of Justice.
It could just be internal agency enforcement.
Okay.
If the administration is not interested in protecting whistleblowers,
there's just not much that a whistleblower can do.
There are ways where you can retaliate without officially retaliating.
I mean, you can just make somebody's life a living hell
through demotions or embarrassment or
reassigning them to projects that are outside their area of expertise.
They could be first on the furlough list once the government shutdown starts.
There are ways to injure these type of career employees in some way
that's not obvious enough that it's violating whistleblower protections.
And even if there is an obvious violation,
it would require a Department of Justice
that I think might be hostile in pursuing
these violations.
So, yeah, I don't think the system is foolproof
as it relates to whistleblower protections.
And this article points out
that they had a lot of morale issues
at the Social Security Administration
among all of this stuff from Doge
coming in with their metaphorical chainsaw, I suppose.
Yeah, I mean, this is not the only problem
that's been identified.
There have been closed offices
because of budget cuts.
They were forced to hire people
that they had previously laid off,
just because senior citizens were complaining
that they were waiting in long lines at undermanned offices.
And senior citizens vote.
They do vote, yeah.
So this has certainly become a pattern
and a problem for the administration,
and it's something that's reflected across a lot of Doge's actions,
firing some of our foremost nuclear safety experts
and then scrambling to rehire them.
firing most of the staff of the National Oceanic Administration or whatever,
NOAA.
Yeah, no.
National Oceanic and Atmospheric administration.
There you go.
And then scrambling to rehire them.
So it's part and parcel of what this effort has undertaken.
But I think an underreported part of the story is this type of data vulnerability.
And that's something this whistleblower brought to light.
Yeah. I suppose his days in public service are over, and it's probably fair to say he'll have opportunities in the private sector, given his high rank at SSA.
Oh, totally. He could cash in, you know, tomorrow.
Right. And I also, if there's a different administration in the future, and there's an effort to rehire career officials who lost their jobs during this effort, I think he would be the type of person that might be rehired.
Yeah, it just strikes me.
It's a challenging time to be a good faith public servant
in a lot of these organizations right now.
It's just a lot of pushing that rock uphill, I suppose.
I think that might be an understatement.
All right.
Well, Ben Yelin is my Caveat co-host
and also from the University of Maryland Center
for Cyber Health and Hazard Strategies.
Ben, thanks for joining us.
Thank you.
This episode is brought to you by Peloton.
A new era of fitness is here.
Introducing the new Peloton Cross Training Tread Plus, powered by Peloton IQ.
Built for breakthroughs with personalized workout plans, real-time insights, and endless ways to move.
Lift with confidence, while Peloton IQ counts reps, corrects form, and tracks your progress.
Let yourself run, lift, flow, and go.
Explore the new Peloton Cross Training Tread Plus at onepeloton.ca.
And finally, when Amazon Web Services sneezed earlier this week,
smart beds across America caught a fever. Around 3 a.m. Eastern time,
AWS's us-east-1 region suffered a major outage,
taking down not just apps and banking sites, but also the nation's priciest pillows.
Owners of Eight Sleep's $2,000 Pod mattress covers awoke to find their cloud-connected sleep sanctuaries
trapped in digital limbo. Some beds overheated into sauna territory, others froze or tilted
at improbable angles, all thanks to the missing internet umbilical cord.
One user quipped, back-end outage means I'm sleeping in a sauna.
Others discovered the bitter irony of a smart bed that can't think for itself offline.
By sunrise, AWS had restored normal operations,
and Eight Sleep's CEO vowed to create an outage mode.
Until then, users might want to keep a fan and a sense of humor next to the bed.
And that's the Cyberwire. For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead
in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to Cyberwire at N2K.com.
N2K's senior producer is Alice Carruth.
Our Cyberwire producer is Liz Stokes.
We're mixed by Tré Hester with original music by Elliott Peltzman.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
Cyber Innovation Day is the premier event for cyber startups, researchers, and top VC firms building trust into tomorrow's digital world.
Kick off the day with unfiltered insights and panels on securing tomorrow's technology.
In the afternoon, the 8th annual Data Tribe Challenge takes center stage as elite startups pitch for exposure, acceleration, and funding.
The Innovation Expo runs all day, connecting founders, investors, and researchers around breakthroughs in cybersecurity.
It all happens November 4th in Washington, D.C.
Discover the startups building the future of cyber.
Learn more at cid.datatribe.com.