CyberWire Daily - Iran’s digital retaliation looms.
Episode Date: June 23, 2025

US warns of heightened risk of Iranian cyberattacks. Cyber warfare has become central to Israel and Iran’s strategies. Oxford City Council discloses data breach. Europe aiming for digital sovereignty. Michigan hospital network says data belonging to 740,000 was stolen by ransomware gang. RapperBot pivoting to attack DVRs. A picture worth a thousand wallets. New Zealand’s public sector bolsters cyber defenses. On our Industry Voices segment today, we are joined by Imran Umar, Zero Trust Lead at Booz Allen Hamilton, discussing Zero Trust and Thunderdome. And a cyberattack spoils Russia’s dairy flow.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
On our Industry Voices segment today, we are joined by Imran Umar, Zero Trust Lead at Booz Allen Hamilton, discussing Zero Trust and Thunderdome. Hear the full conversation here. Find resources below to learn more about the topic Imran discusses.

For additional information:
Zero Trust, More Confidence
Zero Trust: Translating Results into Action

Selected Reading
US Warns of Heightened Risk of Iranian Cyber-Attacks After Military Strikes (Infosecurity Magazine)
Bank hacks, internet shutdowns and crypto heists: Here’s how the war between Israel and Iran is playing out in cyberspace (Politico)
Oxford City Council suffers breach exposing two decades of data (Bleeping Computer)
Europeans seek 'digital sovereignty' as US tech firms embrace Trump (Reuters)
Data of more than 740,000 stolen in ransomware attack on Michigan hospital network (The Record)
RapperBot Attacking DVRs to Gain Access Over Surveillance Cameras to Record Video (Cyber Security News)
CoinMarketCap Doodle Image Vulnerability Lets Attackers Run Malicious Code via API Call (GB Hackers)
NZ NCSC mandates minimum cybersecurity baseline for public sector agencies, sets October deadline (Industrial Cyber)
Russian dairy supply disrupted by cyberattack on animal certification system (The Record)

Audience Survey
Complete our annual audience survey before August 31.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hey everybody, Dave here.
I've talked about DeleteMe before, and I'm still using it because it still works.
It's been a few months now, and I'm just as impressed today as I was when I signed
up.
DeleteMe keeps finding and removing my personal information from data broker sites and they
keep me updated with detailed reports so I know exactly what's been taken down.
I'm genuinely relieved knowing my privacy isn't something I have to worry about every
day.
The DeleteMe team handles everything.
It's the set-it-and-forget-it
peace of mind.
And it's not just for individuals. DeleteMe also offers solutions for businesses, helping
companies protect their employees' personal information and reduce exposure to social
engineering and phishing threats.
And right now, our listeners get a special deal, 20% off your DeleteMe plan.
Just go to joindeleteme.com slash n2k and use promo code n2k at checkout.
That's joindeleteme.com slash n2k, code n2k.
U.S. warns of heightened risk of Iranian cyber attacks.
Cyber warfare has become central to Israel and Iran's strategies.
Oxford City Council discloses data breach.
Europe aiming for digital sovereignty.
Michigan Hospital Network says data belonging to 740,000 was stolen by ransomware gang.
RapperBot pivoting to attack DVRs.
A picture worth a thousand wallets.
New Zealand's public sector bolsters cyber defenses. On our industry voices segment today, we are joined by Imran Umar,
Zero Trust lead at Booz Allen Hamilton, discussing Zero Trust and Thunderdome.
And a cyber attack spoils Russia's dairy flow.
Today is Monday, June 23rd, 2025.
I'm Maria Varmazis, host of the T-Minus Space Daily Podcast, in for Dave Bittner.
And this is your CyberWire Intel Briefing.
Thanks for joining me this Monday.
Let's get into it.
The U.S. Department of Homeland Security has warned of a heightened risk of Iranian cyber
attacks following American military strikes against Iran's nuclear facilities.
DHS said in a National Terrorism Advisory System bulletin issued yesterday that low-level
cyber attacks against U.S. networks by pro-Iranian hacktivists are likely and cyber actors affiliated
with the Iranian government may conduct attacks against U.S. networks.
The advisory added that both hacktivists and Iranian government-affiliated actors routinely
target poorly secured U.S. networks and internet-connected devices for disruptive cyber attacks.
John Hultquist, who is the chief analyst at Google Threat Intelligence Group, noted that
Iran has had mixed results with disruptive cyber attacks and they frequently fabricate
and exaggerate their efforts in an effort to boost
their psychological impact.
We should be careful not to overestimate these incidents and inadvertently assist the actors.
The impacts, he says, may still be serious for individual enterprises which can prepare
by taking many of the same steps that they would to prevent ransomware.
In the wake of escalating tensions between Israel and Iran,
cyberspace has emerged as a critical battleground.
Israel-linked hackers have reportedly exfiltrated over $90 million
from Iran's Bank Sepah and Nobitex exchange,
highlighting vulnerabilities in financial systems during conflict.
On the other hand, Iran has retaliated by imposing nationwide internet blackouts,
severely disrupting civilian access and communications.
Cyber attacks from Iranian actors, both state-linked and hacktivists,
are targeting critical infrastructure across Israel and potentially the United States,
with water systems and industrial control environments
particularly at risk.
Iran's asymmetric cyber strategy leans on disinformation, psychological operations,
and surveillance via compromised digital devices.
Meanwhile, US agencies like CISA are urging heightened cyber vigilance and resilience.
This conflict underscores the growing use of cyber as both a standalone and complementary
theater in modern warfare, where attacks on infrastructure, finance, and information can
have real-world consequences far beyond the battlefield.
The Oxford City Council, which is the local government authority for the English city
of Oxford,
has disclosed a data breach affecting personal information across the past two decades.
The council stated,
We have now identified that people who worked on Oxford City Council administered elections
between 2001 and 2022, including poll station workers and ballot counters,
may have had some personal details accessed.
The majority of these people will be current or former council officers.
The council detected a quote, unauthorized presence within its network over the weekend
of June 7th.
The statement adds, investigations continue to identify as precisely as we can what was
accessed and what, if anything, might have been taken out of our systems.
There is no evidence of a mass download or extraction of data.
Europe is accelerating efforts to achieve digital sovereignty
amid growing unease over United States tech giants' alignment
with the Trump administration.
EU leaders are pushing for stronger data localization,
stricter regulations on cloud services, and
enhanced protections for European digital infrastructure.
The concern is that American platforms may prioritize U.S. political interests, potentially
compromising European data autonomy and cybersecurity.
This shift comes as U.S. firms ramp up lobbying and infrastructure investment in Europe,
even as the transatlantic regulatory divide deepens.
Cybersecurity experts see this as a critical juncture
for Europe's long-term control over its digital landscape and threat resilience.
Michigan Hospital Network McLaren Healthcare says information belonging to more than 740,000
people was stolen during a ransomware attack last August, according to The Record.
The affected data included names, social security numbers, driver's license numbers, medical
data, and health insurance information.
McLaren operates 13 hospitals and various medical services across the state of Michigan
and the attack disrupted services at the time.
The INC ransomware gang is believed to be responsible for the attack.
RapperBot, which is a Mirai-based botnet known for targeting IoT devices, has pivoted towards
attacking digital video recorders or DVRs using command injection exploits.
The campaign exploits known vulnerabilities in DVR firmware, enabling attackers to execute remote commands and co-opt devices into a growing botnet.
This shift marks an evolution in RapperBot's capabilities, signaling an expanded focus on industrial and surveillance hardware, often left unpatched.
Researchers report sustained scanning activity and brute force attacks targeting specific DVR brands.
The botnet's modular structure and adaptability make it a persistent threat,
especially to organizations with unsecured or outdated embedded devices on their networks.
A critical vulnerability was discovered in CoinMarketCap's Doodle Image Upload feature
that could have allowed attackers to execute arbitrary JavaScript in users' browsers.
And this is an example of a stored cross-site scripting flaw.
Security researchers found that malicious payloads embedded in SVG images could bypass
existing sanitization filters.
If exploited, attackers could hijack sessions, steal credentials, or redirect users to phishing
sites.
CoinMarketCap has since patched this vulnerability, but the incident highlights ongoing risks
in user-generated content features and the importance of rigorous input validation.
It also underscores the security challenges facing crypto-related platforms
with large, highly targeted user bases.
New Zealand's National Cyber Security Centre has mandated a minimum cybersecurity standard, or
MCSS, for all public sector agencies, with an implementation deadline set for October 2025.
The MCSS includes 19 baseline controls covering areas like asset management,
secure configuration, access controls, and incident response.
It aims to establish a consistent cybersecurity posture across government entities,
emphasizing risk-informed practices and resilience. Agencies must report compliance progress and demonstrate measurable security
outcomes. The move follows increasing concerns about advanced persistent
threats targeting public infrastructure, reinforcing the government's commitment
to baseline hardening and coordinated defense in an evolving threat landscape.
Coming up next on our Industry Voices segment, host Dave Bittner sits down with Booz Allen Hamilton's Zero Trust lead, Imran Umar,
to talk about Zero Trust and Thunderdome.
Plus, a cyberattack brings Russia's dairy supply
to a standstill.
Stick around. And now, a word from our sponsor, ThreatLocker.
Keeping your system secure shouldn't mean constantly reacting to threats.
ThreatLocker helps you take a different approach by giving you full control over what software
can run in your environment.
If it's not approved, it doesn't run.
Simple as that.
It's a way to stop ransomware and other attacks before they start without adding extra complexity
to your day. See how ThreatLocker can help you lock down your environment at www.threatlocker.com.
Compliance regulations, third-party risk, and customer security demands are all growing
and changing fast.
Is your manual GRC program actually slowing you down?
If you've ever found yourself drowning in spreadsheets, chasing down screenshots, or
wrangling manual processes
just to keep your GRC program on track, you're not alone.
But let's be clear, there is a better way.
Vanta's Trust Management Platform takes the headache out of governance, risk, and compliance.
It automates the essentials, from internal and third-party risk to consumer trust, making
your security posture stronger,
yes, even helping to drive revenue. And this isn't just nice to have. According to a recent
analysis from IDC, teams using Vanta saw a 129% boost in productivity. That's not a typo,
that's real impact. So, if you're ready to trade in chaos for clarity,
check out Vanta and bring some serious efficiency to your GRC game.
Vanta. GRC. How much easier trust can be.
Get started at vanta.com slash cyber.
On our industry voices segment, Dave Bittner recently spoke with Booz Allen Hamilton's Zero Trust lead Imran Umar about Zero Trust and Thunderdome.
Here's their conversation.
Zero Trust has definitely evolved.
The focus over the last several years has been on enterprise IT. So how do I get my enterprise IT network
moved to a zero trust framework?
What we are starting to see now is an emphasis
of how the same zero trust concept can now be applied
to weapon systems and to operational technology
to think of ICS data systems.
So how do we take the same concept?
Because our adversaries are not only attacking
our IT system, but they're attacking critical infrastructure.
They're always on the lookout
to penetrate our weapons systems.
So how do we take the same concept of zero trust,
the same framework, the same principles
that we are starting to apply on enterprise IT networks?
How are we now scaling that and deploying that
for OT and weapon systems?
That does require us to tailor these capabilities
because the same set of zero trust activities
that are relevant for enterprise IT systems
may not necessarily be relevant for OT and weapon systems.
The DoD CIO and others, in collaboration with companies
like Booz Allen, we are providing insights and input into what
a Zero Trust framework should look like for other domains,
like weapon systems and tactical and OT.
Well, I definitely want to talk about those challenges
of implementing Zero Trust within the DoD.
But before we get there, again, staying a little broader,
what are some of
the big challenges that organizations face these days when it comes to implementing zero
trust?
Yes, great question.
I mean, the biggest challenge we're seeing is, you know, most organizations, originally
when they got the mandate to start implementing zero trust or they got the requirements, they
started doing a maturity assessment.
The assessment is really critical because it tells you,
where are you in your maturity state across the different pillars,
like user, like identity, like data.
From there, they start building
the roadmap and implementation plan.
While users have had success across the user pillars,
the device pillar, the visibility pillar,
a lot of them are struggling with the data pillar.
The data pillar continues to be the most elusive,
the most challenging.
And it's not necessarily a technology problem.
It's not a technical problem that most people
are running into.
The problem is more around governance, policy,
the standards to which we are going to be tagging
and labeling data, having proper attributes
to be able to share that data
with customers that are actually able to receive that data.
So the biggest challenge, I would say in a summary,
is the data pillar.
Well, I mean, digging into some of the DOD challenges here,
as you alluded to, things like weapons systems
and OT environments, what are some of the specifics
of those needs that can be
challenging for implementing zero trust?
Yeah, if you take a look at like OT systems, a lot of our critical infrastructure is very
legacy and those systems are extremely vulnerable and to do modernization across those systems,
you know, will be very expensive and it will take a large amount of time.
So one of the things we are proposing is essentially coming in and basically stopping the bleeding.
How do we protect critical assets? How do we stop intrusion into those systems, the legacy systems that are already in place?
One of the biggest issues we're running into
is because there's more OT and IT integration
of these systems, we are opening up new vulnerabilities.
So our recommendation has been that for OT systems,
we go in, conduct a similar ZT assessment for OT system.
Booz Allen has built a very robust OT assessment,
just like we've done for enterprise IT systems,
apply that and essentially identify your biggest gaps.
And most of the gaps are,
most of the issues that we generally see are, for example,
if you're doing upgrades of OT systems,
the potential of leaving back doors open
to vendors or third-party suppliers
and then an adversary using those back doors to basically
access the OT environment and compromising them.
So those could be easily addressed with a lot of the
systems capabilities that we're deploying today.
One of the things that I've heard folks talking about in the
DoD space is this ThunderDome solution.
For folks who aren't familiar with it,
can you describe that for us?
Absolutely. So ThunderDome is the DISA and DoD Zero Trust solution.
So it started off as a small pilot,
but it was competitively awarded to Booz Allen,
and we were down selected as part of this award,
and they asked us to deploy a small instance of ThunderDome,
a zero trust solution for DISA at specific locations.
Since then, we have scaled ThunderDome
across multiple different DoD mission partners.
It provides the most advanced zero trust solution.
It basically meets the 152 advanced activities outlined by DoD CIO.
So ThunderDome is the marquee Zero Trust Solution that's available to the entire Department
of Defense.
It's a very open architecture, it's a very modular architecture, so products and solutions
can be interswapped.
ThunderDome can also be deployed not only on your unclassed network,
but also your classified network.
That's what we have deployed today for a lot of our customers.
ThunderDome also provides the ability for customers to be able
to tailor solutions for different environments.
So if somebody wanted to deploy ThunderDome capabilities,
not just at the enterprise level,
but at the tactical level or at a denied,
disconnected environment, we have proven that ThunderDome can be deployed across all these
different domains. You mentioned that ThunderDome takes advantage of open architecture and a modular
approach. What are the specific advantages to coming at the problem with those sorts of capabilities?
Yeah, it's a very complex environment. You know, a lot of customers in the DoD
have existing technical stacks
that they have spent resources on.
So rip and replace sometimes is not the answer.
So what we have done with Thunderdome
is we come in and conduct a rapid
zero trust assessment for customers.
We are, for example, working with a lot of COCOMs right now and Fourth Estate agencies.
We come in and start conducting a ZT assessment.
We take a look at an existing environment.
We build an architecture based on ThunderDome principles,
which is the proven architecture.
We basically walk them through as to
which capabilities from ThunderDome they can adopt,
which capabilities that they already have in place,
and how those capabilities can connect into ThunderDome.
One of the beauties of ThunderDome is
it's a multi-tenant solution.
You build it once and reuse it.
So when we're talking about efficiency and scalability,
we have the ability to bring on customers
onto the ThunderDome solution
and provide them the ability to manage it themselves
if they choose to.
They want that service to be fully managed by DISA, that's also an option. So the multi-tenant
architecture, the open architecture has been extremely helpful for us to scale ThunderDome.
Help me understand how folks go about dialing this sort of thing in. I mean, everyone's situation is different.
Is ThunderDome, it sounds to me like it's not an all or nothing situation here.
Like you're able to kind of pick and choose what things best fit with your specific environment?
Absolutely.
You nailed it.
Absolutely.
So ThunderDome is very flexible modular and people have the ability to pick and choose
capabilities.
I'll give an example.
We have customers, we have several COCOMs and Fourth Estate agencies that are immediately
interested in our Zero Trust Edge solution.
Our Zero Trust Edge solution is very robust, very scalable.
It provides conditional access, micro-segmentation of user traffic and device traffic.
A lot of the customers are very
interested in the Zero Trust Edge solution,
and we are able to go and deploy
the Zero Trust Edge solution into their environment
and integrate it into their existing fabric,
integrate it into their identity solution,
their endpoint security product, their IdP, their SIEM.
Similar to that, we have other pieces of
Thunderdome like the Zero Trust Remote Solution.
We have a robust application security stack
that protects application workload.
Finally, we have a very robust visibility and
analytic solution that supports
providing enterprise level visibility across
all the Zero trust infrastructure.
What are your recommendations for organizations who are just starting this
zero trust journey? I mean how can they get started without feeling overwhelmed?
Yeah, I mean the deadline is coming, right? 2027 is the timeline, especially on the
DoD side for agencies to meet their target level activities.
So Thunderdome is a turnkey solution that they can adopt. It's very flexible, very cost-efficient,
and it could be tailored to the customer needs. So I think number one, we would recommend it.
Thunderdome is the easy button. Now, for customers that do want to start from scratch, I think the first thing they need to do is conduct a zero trust assessment.
So Booz Allen has this program called the Zero Trust Accelerator.
The Zero Trust Accelerator program essentially comes in and
conduct a deep assessment of the customer's solution.
We take input like the customer's Zero Trust plan,
if they have built a Zero Trust architecture,
if they have capabilities in place today,
we take all that as input,
we plug all that data into our Zero Trust automated dashboard,
and it provides customers a good visual snapshot
of where they are across the pillars.
Then they can decide, hey,
I'm very mature,
somewhat mature in the user pillar.
I need to put resources towards the identity pillar, for example.
Our accelerator program allows us to quickly provide customers,
a quick snapshot of where the gaps are,
and we have done so many vendor AoA, analysis of alternatives, testing
of so many different products,
we can provide recommendations and build them
or share with them existing blueprints
and reference architectures that they can adopt.
And then not only that,
they can use the Thunderdome vehicle
to actually task off to implement the solution for them.
So the Thunderdome contract vehicle
provides a lot of flexibility.
You can adopt the turnkey solution or you can utilize the vehicle to do an acceleration
assessment and deploy your tailored solution if that's what you desire.
So the organizations who are seeing success here, who are doing a good job implementing
this, what are the common elements in their execution?
I think the customers that are the most successful in the DoD from a zero trust perspective are customers that have already in place a robust identity solution
because everything kind of starts from identity and have put the right governance around it.
And then you can build things, you know, you can build your data pillar,
you can build your user inventory, your device inventory,
you can build your, you know, things like behavioral analytics, micro segmentation, but
the success of ZT with most customers is they already have a robust identity capability in
place and then all the other zero trust capabilities essentially integrate with
those identity platform and helps accelerate their zero trust journey.
All right, well, I think I have everything I need
for our story here.
Is there anything that I missed?
Anything I haven't asked you
that you think it's important to share?
I think one gotcha that people may not be aware of,
they kind of move towards this advanced zero trust,
is you're collecting a lot of data
from a visibility perspective.
Because one of the things that zero trust will be doing
is you're doing real-time dynamic access.
So we are looking at user device posture.
We're looking at user identity.
We're looking at behavioral analytics.
We're looking at information in terms of
what are they approved,
what systems and data are they approved for access.
Now all of a sudden you're collecting a lot of data.
The traditional model, if you look at the visibility analytics pillar,
the traditional model has been take all that data and dump it into your SIEM,
your security incident event management tool.
Well, that model doesn't scale.
That whole centralized model where take all the data from the edge,
from the enterprise,
and put it into a central location, and go look for signals from a hunt perspective,
it's not going to work. So one of the things we built on Thunderdome is a distributed
defensive cyber operations architecture, where the data, this is what it is, we're not moving data
around, but we have built a smart AI-driven data pipeline.
And what we're doing is as we're collecting
this sensor data, we are transforming that data inline.
So we're doing the data enrichment,
we're doing the data transformation,
we're doing data analytics,
we're actually deploying AI models inline
so they can detect threats.
And we're really using our SIEM as our dashboard.
So one thing customers do need to watch out for is they will be collecting a lot more logs.
The traditional centralized DCO model will not work and they need to start moving towards a
distributed DCO architecture.
That was CyberWire host Dave Bittner speaking with Booz Allen Hamilton's Zero Trust lead Imran Umar about Zero Trust and ThunderDome.
And now, a word from our sponsor, SpyCloud.
Identity is the new battleground, and attackers are exploiting stolen identities
to infiltrate your organization.
Traditional defenses can't keep up.
SpyCloud's holistic identity threat protection
helps security teams uncover
and automatically remediate hidden exposures
across your users from breaches, malware, and phishing
to neutralize identity-based threats
like account takeover,
fraud and ransomware.
Don't let invisible threats compromise your business.
Get your free corporate darknet exposure report at spycloud.com slash cyberwire and see what
attackers already know.
That's spycloud.com slash cyberwire.
And finally today, a cyber attack has thrown Russia's dairy industry into disarray after hackers brought down Mercury, which is the country's electronic veterinary certification system.
It's the third strike on the platform this year alone, but it is easily the worst so
far.
With the system offline, producers scrambled to issue paper-based certificates, only to
find that many retailers, including big names like Miratorg and Yandex Lavka, wouldn't
accept them.
And that's because under Russian law, businesses cannot legally handle animal products like
milk, eggs, or meat without digital documentation.
Yeah, the result?
A supply chain snarl, empty shelves, and plenty of confusion.
The dairy association Soyuzmoloko says unclear instructions from regulators
aren't helping. Meanwhile, restoration work is underway, but with no timeline for full
recovery and no culprit identified, the moooovement of milk remains on pause for now.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
And don't forget to check out the Grumpy Old Geeks podcast where Dave contributes to a
regular segment on Jason and Brian's show every week.
And you can find Grumpy Old Geeks where all of the fine podcasts are listed.
And that's the CyberWire.
We would love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like this show, please share a rating
and review in your podcast app. Please also fill out the survey and the show notes or
send an email to cyberwire at n2k.com.
We're privileged that N2K CyberWire is part of the daily routine of the most influential
leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement
agencies.
N2K makes it easy for companies to optimize your biggest investment, your people.
We make you smarter about your teams while making your teams smarter.
Learn how at n2k.com.
We're conducting our annual audience survey to learn more about our listeners,
and we're collecting your insights until August 31, 2025.
There's a link for you in the show notes.
N2K's senior producer is Alice Carruth.
Our Cyberwire producer is Liz Stokes.
We're mixed by Trey Hester with original music
and sound design by Elliot Peltzman.
Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Maria Varmazis,
in for Dave Bittner.
Thanks for listening, we'll see you tomorrow.
Did you know Active Directory is targeted in 9 out of 10 cyber attacks?
Once attackers get in, they can take control of your entire network.
That's why Semperis created Purple Knight, the free security assessment tool that scans your Active Directory for hundreds of vulnerabilities and shows you how to fix them.
Join thousands of IT pros using Purple Knight to stay ahead of threats.
Download it now at semperis.com slash purple-knight.
That's semperis.com slash purple-knight.