CyberWire Daily - Rebooting the government, one cyber law at a time.
Episode Date: November 10, 2025

Ending the government shutdown revives an expired cybersecurity law. The DoD finalizes a new model for building U.S. military cyber forces. A North Korean APT exploits Google accounts for full device control. The EU dials back AI protections in response to pressure from Big Tech companies and the U.S. government. Researchers discover a critical vulnerability in the Monsta FTP web-based file management tool. The Landfall espionage campaign targets Samsung Galaxy devices in the Middle East. Five Eyes partners fret eroding cooperation on counterintelligence and counterterrorism. Israeli spyware maker NSO Group names the former U.S. ambassador to Israel as its new executive chairman. Monday Biz Roundup. Tim Starks from CyberScoop discusses uncertainty in the federal CyberCorps program. The friendly face of digital villainy.

CyberWire Guest

Today we are joined by Tim Starks from CyberScoop discussing uncertainty in the federal CyberCorps program.

Selected Reading

Cyber information sharing law would get extension under shutdown deal bill (CyberScoop)
Don't call it Cyber Command 2.0: Master plan for digital forces will take years to implement (The Record)
North Korean hackers hijack Google, KakaoTalk accounts to control South Korean phones: Report (The Straits Times)
EU set to water down landmark AI act after Big Tech pressure (The Financial Times)
Monsta FTP Vulnerability Exposed Thousands of Servers to Full Takeover (Hackread)
Newly identified Android spyware appears to be from a commercial vendor (The Record)
F.B.I. Director Is Said to Have Made a Pledge to Head of MI5, Then Broken It (The New York Times)
Seeking to get off US blacklist, spyware firm NSO taps ex-envoy Friedman as chairman (The Times of Israel)
Google's Wiz acquisition clears DOJ's antitrust review. (The Cyberwire)
Tank interview: A hacking kingpin reveals all to the BBC (BBC News)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the Cyberwire Network, powered by N2K.
Ending the government shutdown revives an expired cybersecurity law.
The DOD finalizes a new model for building U.S. military cyber forces.
A North Korean APT exploits Google accounts for full device control.
The EU dials back AI protections in response to pressure from big tech companies and the U.S. government.
Researchers discover a critical vulnerability in the Monsta FTP web-based file management tool.
The Landfall espionage campaign targets Samsung Galaxy devices in the Middle East.
Five Eyes partners fret eroding cooperation on counterintelligence and counterterrorism.
Israeli spyware maker NSO Group names the former U.S. ambassador to Israel as its new executive chairman.
We got our Monday biz roundup.
Tim Starks from CyberScoop discusses uncertainty in the federal CyberCorps
program and the friendly face of digital villainy.
It's Monday, November 10th, 2025.
I'm Dave Bittner, and this is your Cyberwire Intel briefing.
Thanks for joining us here today.
It's great to have you with us.
Congress is moving to end the federal government shutdown
with legislation that also revives an expired cybersecurity law.
The bill includes a short-term extension
of the Cybersecurity Information Sharing Act of 2015,
which lapsed at the end of September.
The law gives companies legal protection
when sharing cyber threat data with the government and other firms,
a safeguard industry leaders consider essential.
The Senate voted 60 to 40 to advance the measure Sunday night,
but it still needs approval from the House and President Trump's signature.
The temporary extension running through January gives lawmakers time to negotiate a longer-term fix.
Competing proposals from House and Senate leaders differ sharply,
while the Trump administration continues to advocate a 10-year renewal without changes.
The Department of Defense has finalized a new model for building U.S. military cyber forces
aiming to fix long-standing challenges in recruiting and retaining skilled personnel.
The plan, derived from the earlier Cyber Command 2.0 overhaul,
outlines a years-long implementation effort meant to strengthen U.S. Cyber Command's capabilities.
Key initiatives include a virtual advanced cyber training and education center,
expected to reach initial readiness by late fiscal 2028 and full operation by 2031,
and a cyber innovation warfare center to accelerate new cyber capabilities between 2026 and beyond 2030.
Some milestones stretch into 2033.
However, the slow rollout may fuel renewed calls from experts and
lawmakers for a dedicated cyber-military branch.
Critics argue existing services have failed to supply sufficient qualified personnel,
while Pentagon officials say the new model justifies delaying a separate cyber force.
DoD calls the plan a transformative step toward greater lethality and agility.
North Korean state-sponsored hackers hijacked Google accounts to remotely control and wipe Android devices
in South Korea, according to cybersecurity firm Genians.
The campaign, attributed to North Korea's Konni advanced persistent threat group,
marks the first confirmed case of Pyongyang-linked actors exploiting Google accounts for
full device control.
Attackers gained access through spear-phishing emails impersonating South Korea's National
Tax Service, then abused Google's Find Hub feature, normally used to locate lost devices,
to track, reset, and disable victims' smartphones.
They then compromised KakaoTalk messenger accounts
to spread malware via trusted contacts,
amplifying the reach of the attack.
Victims included a counselor for North Korean defector students.
Genians called the operation a highly sophisticated social engineering campaign
combining device neutralization with account-based malware propagation.
The European Commission
is preparing to pause parts of its Artificial Intelligence Act,
responding to pressure from big tech companies and the U.S. government.
According to a draft proposal seen by the Financial Times,
Brussels plans to include the move in a simplification package set for November 19th,
aiming to ease compliance and maintain global competitiveness.
The proposal would grant a one-year grace period for companies using high-risk AI systems
and delay enforcement of AI transparency rules until August 27.
The plan follows U.S. warnings that strict EU digital rules could strain transatlantic relations.
While the AI Act took effect in August 2024, most provisions, especially for high-risk AI, begin in 2026.
Officials insist the EU remains committed to the Act's goals, but implementation could shift
to avoid economic disruption.
Cybersecurity firm watchTowr
discovered a critical vulnerability
in the Monsta FTP web-based file management tool
that could let attackers completely take over
affected web servers.
The flaw allows remote code execution
without requiring authentication,
meaning hackers can exploit it before logging in.
Attackers could trick the application
into downloading and saving malicious files
anywhere on the server,
giving them full control.
Monsta FTP, widely used by businesses and individuals to manage website files via browser,
was found to have this flaw in its latest versions, echoing older unresolved vulnerabilities.
watchTowr reported the issue on August 13th of this year,
and developers quickly released a patched version on August 26.
Users are urged to update immediately to prevent exploitation.
Researchers at Palo Alto Networks' Unit 42 uncovered a nine-month espionage campaign
using commercial-grade spyware dubbed Landfall, targeting Samsung Galaxy devices, likely in the Middle
East. The Android spyware exploited a zero-day flaw in Galaxy phones' image processing libraries
via malformed DNG image files sent through WhatsApp. The zero-click malware enabled microphone,
camera, and call recording, as well as data and location exfiltration, with no user interaction
required. The vulnerability, privately reported to Samsung in September 24, was only patched in
April of this year. Unit 42 linked Landfall's tactics and infrastructure to commercial spyware
vendors and noted similarities to the Stealth Falcon group tied to the UAE, though no direct
connection was proven.
Targets likely include users in Iraq, Iran, Turkey, and Morocco.
At a secret meeting near London this past May, FBI Director Kash Patel reportedly promised
MI5 Chief Ken McCallum to preserve an FBI position in London that supported Britain's
high-tech surveillance work.
Patel later allowed the post to lapse amid White House budget cuts, leaving MI5 frustrated
and raising doubts among U.S. allies about his reliability.
The episode, detailed by the New York Times,
has deepened Five Eyes' partners' concerns
that Patel's partisan approach and dismissal of career agents
are eroding cooperation on counterintelligence and counterterrorism.
Allies reportedly view the Bureau as adrift and increasingly politicized.
Patel's controversial overseas conduct,
including gifting illegal replica guns in New Zealand
and firing a senior agent in Australia has reinforced those worries.
The FBI declined to comment on Patel's talks with MI5,
but former intelligence officials warned that trust,
once lost among Five Eyes members, is difficult to rebuild.
Israeli spyware maker NSO Group has named former U.S. ambassador to Israel,
David Friedman as its new executive chairman, part of an effort to rebuild ties with Washington
and escape the U.S. Commerce Department blacklist imposed in 2021 for enabling transnational
repression. The move follows a takeover by U.S. investors led by Hollywood producer Robert
Simonds, ending the involvement of NSO's founders. Friedman, a close Trump ally, said he aims to show that
NSO's tools can help keep Americans safer by supporting law enforcement.
NSO, best known for its Pegasus spyware, insists it sells only to vetted governments to fight
terrorism, though critics accuse it of aiding surveillance abuses.
Friedman said he will seek new U.S. partnerships while ensuring tighter client oversight.
NSO continues operating under Israeli Defense Ministry regulation and faces ongoing legal
and reputational challenges worldwide.
Looking at our Monday biz roundup, global cybersecurity and tech investment activity surged this
past week, led by Armis's $435 million pre-IPO round, valuing the San Francisco
attack surface management firm at $6.1 billion.
The funding, led by Goldman Sachs Alternatives, will support Armis' growth toward a planned
IPO and $1 billion in annual recurring revenue.
Other notable raises include Denmark's Formalize at 30 million euros to expand its
GRC platform across Europe, Israel's Daylight at $33 million to accelerate its AI-powered security
operations, and Canada's Flare coming in at $30 million to drive innovation and threat exposure
management. Smaller rounds supported Reflectiz at $22 million, Widefield Security with $11.3
million, and stealth startups Melanta and Spectrum Labs, each bringing in $10 million.
In M&A, Google's $32 billion acquisition of Wiz cleared a key U.S. antitrust review, while Francisco
Partners agreed to take Jamf private for $2.2 billion. Additional deals
included Ping Identity's acquisition of Keyless, Zscaler buying SPLX, and Bugcrowd acquiring
Mayhem Security to expand AI and API defense capabilities.
Be sure to check out our complete business briefing on our website.
It's part of Cyberwire Pro.
Coming up after the break,
Tim Starks from CyberScoop discusses uncertainty in the federal CyberCorps program
and the friendly face of digital villainy.
Stay with us.
It is always my pleasure to welcome Tim Starks back to the show.
He is a senior reporter at CyberScoop.
Tim, welcome back.
My pleasure.
So I want to touch on a couple of stories
that you have written for
the folks over at CyberScoop, starting with this story that we had the CBO, the Congressional Budget
Office, acknowledging a cyber incident. What's going on here, Tim?
Yeah, so they acknowledged
a cyber incident to us. The Washington Post reported on it first. The response from CBO is we've got
this under control. This is something we discovered. We've taken action to fix it. We're going to be
taking even more action.
It seems like it's a little bit more to it than that.
There was, in the Post story, that there was a note that they believed this was a suspected
foreign actor.
There was some discussion online from security researchers that this might have been China
that did this.
There's still more spilling out about this while we're talking.
And I think it'll be a little bit more before we know more.
But the other thing that they said was that they had caught it early, the officials that
spoke on background, that they thought it was under control.
Okay.
So we will see.
Time will tell.
Yes.
That's right.
Time will tell.
It always does.
Yeah.
So as you and I are recording this,
we don't really have very much in the way of details of the degree to which data was exfiltrated or anything, really.
Yeah.
I mean, the sense is that whoever the hackers were,
they did get access to potentially the communications between the Congressional Budget Office and lawmakers.
The Congressional Budget Office, for those who aren't obsessed with Washington, insidery
business is basically they're the body that's whenever Congress produces a bill, they go,
we think this will add X millions or billions or trillions to the deficit.
So that's their major role, but they do other things as well.
So you can imagine there'd be a lot of correspondence back and forth between the researchers
at the CBO, an organization that was created, be a nonpartisan, and lawmakers' offices
themselves. So that's potentially worrisome as far as the impact. We have seen this kind of thing
before a little bit where, you know, there have been ways for hackers to sort of indirectly
back into the offices of lawmakers and they're, what they're saying to other people. We've seen it
with the DC HealthLink hack. We've seen it with the Library of Congress hack. So that's the
potential fallout is that people who are spies overseas,
get some insight into the thinking of policymakers that we wouldn't normally want them to have.
Yeah. I want to touch on a couple of other articles that you've written here related to the same
topic, and that's the CyberCorps, these scholarships for service that was a federal job program,
specifically for cybersecurity folks. There's been some uncertainty here as to the future of the program
and perhaps what folks who are involved in it might be on the hook for?
That's exactly right.
Essentially, when you sign up for CyberCorps Scholarship for Service,
and thousands of people have participated in this program
since it was created toward the beginning of this century,
you say, thank you, government, for the scholarship money you're giving us,
the stipends for us to continue studying,
and at the end of it, the government expects you to serve for 18 months,
or sorry, within 18 months, you must serve after graduation.
You also need to do an internship.
Well, anybody who's been paying attention to what's been going on with federal government lately
is that it's hard to get jobs there.
In fact, it's hard to keep jobs there,
and it seems as though that they're continuing to shrink the number of jobs available,
including in the cyberspace and maybe even especially.
And I talked to a number of some of the students who are active participants in this program,
and they're very worried that what is going to happen
is that they're not going to be able to find jobs to fulfill
their part of the contract, and it turns out that when you do that, when you don't do that,
the government says you owe us all that money that we gave you. So this will be converted into
loans. And this is hundreds of thousands of dollars for some of these students. So it's a very
big potential problem. Right now, a lot of them are having trouble finding jobs. Some of them have
had offers for jobs that were rescinded or internships. So they're in a real big bind potentially.
Well, you did a follow-up article here that was talking about how perhaps OPM is going to give them a
little more time?
Yeah, so that's what OPM is the agency that co-administers this program. Essentially,
it's managed by the National Science Foundation. For what it's worth, the people who are in this
program have been complaining that OPM and NSF, all the organizations that are involved in this program,
have not been giving them much information about what's going on here. They've complained that they,
that there was supposed to be a big job fair. In January, they got moved to October. Well, October ended,
and there was no job fair. This is where a lot of students actually make a lot of progress.
So that's yet another layer of things that have been difficult about this.
So OPM says when the shutdown ends, our plan is to coordinate with NSF and see if we can't do a mass deferment.
So that's something that the students I talked to said, well, okay, that's a little bit of progress.
On the other hand, we're kind of worried that a deferment isn't going to get the job done.
Are there suddenly going to be new jobs available at the end of that deferment?
It doesn't seem like that's the way the federal government is going.
It doesn't seem like they're going to be going back to hiring a bunch more people after getting rid of so many.
So they're concerned that that's not going to do the trick.
It does seem as though there's at least something happening that the OPM is aware that it's a problem.
I don't know if my story and another colleague at another publication wrote a story about this as well.
I don't know if that inspired them to say, okay, we need to take a look at this because it just so happens that this was the first time that the students had heard anything from anybody in a long time about what's going on with this program.
The other thing, of course, is that they're worried that after the shutdown ends seems like it kind of runs the risk of being, it seems like it might be politicizing their future because obviously what's going on with the shutdown has been very political.
And the Republican administration has been looking to blame the other side for this, and this maybe could be another lever they could potentially do that with.
So that's some of the concerns that the students have about this thing is happening.
They're glad to have heard from OPM at all, but they're worried that this isn't going to necessarily get the job done.
and they'd like to see something concrete.
Right now, this is just talking about a thing they might do,
and that's not happening yet.
Right.
And it seems like they're approaching this in good faith
that they want to fulfill their obligation,
but the government just might not have the opportunity for them to do that.
Yeah, and that goes to the future of the program.
I mean, I've done some additional reporting,
and I'll probably do some more on this as we go.
But one of the things I've been hearing that I didn't quite capture
in the articles that I published already,
is the degree to which, you know, even though the story led off, the first story I wrote led off with people worrying about the future of the program, there's more to be worried about here, about how do you get people to sign up for a program when the people who were in the program before suddenly might not be able to get the jobs?
And what's fascinating about this is that, you know, this program was meant to be a way to fill the gigantic cybersecurity worker gap in the federal government.
If you don't have people wanting to participate in this program in the future because they've seen what's happened to the people who were just in the program, where does that leave this program? Where does it leave the future of it? The budget proposal for this program was a 65% reduction. So where does that leave the future of the program? I think it's a huge question and a worrisome one.
I wonder what could possible outcomes be here. I mean, obviously, you know, the government could have some sort of forgiveness program. That would be
maybe ideal for the people involved.
But has there been any talk of maybe having these people fulfill their obligation at the
state level, you know, find or work in a critical infrastructure for a private company?
You know, is anyone trying to be creative here?
Yeah, so there is a certain section of the participants of the program who are allowed to
work in state and local government.
They are finding that those jobs are rather sparse as well.
Some of the other things that people talked about.
So one of the things, of course, is that if for some reason there is
a rollback of these largely DOGE-inspired, but have continued, even past the outset of DOGE.
If some of these cuts are rolled back, then, okay, the situation improves.
Some of the other things that people have talked about, you know, besides just outright getting
rid of the program, is a mass forgiveness of the loans.
Another would be to look at some other kinds of programs that are similar to this where
you're just guaranteed a job, right?
That if you are in the program, they have a job for you somewhere.
It's just going to be a thing that exists.
There are some other ideas that are being thrown around about that.
The thing that is also a little concerning about that,
and you mentioned the idea of the private sector,
there are people who are looking at, okay, should I do the private sector job?
Because, well, at least I can pay off my loans, right, if I get paid well.
But that also seems to be kind of against the spirit of the program.
And some of these people, while some of them may have looked at this as a means to an end
to get a cybersecurity education, a good number of them actually wanted to work in the government.
And this has soured them to a certain degree on that.
There's other alternatives that are a little less viable for most people,
entering the military to get the government to pay the loans,
the idea of getting a research exception.
I talked to one student who had done that,
where you just kind of are able to research on college campuses.
So there might be some ways to deal with this outside of them getting a job in the government
that seems unlikely right now.
But right now it's more just in the idea stage.
I don't know the degree to which the government
had been thinking about this prior to the stories
that were written about this.
I'm not saying that we changed anything.
I don't know.
But we just don't know whether that
this is something they've been thinking about for very long.
It might have been that we spurred them to think about it
or it might have been thinking about it for a while.
They just haven't been communicating.
I'm not sure which one it was.
It seems like wherever we are,
it's still in the idea stage.
Yeah.
All right.
Well, stay tuned.
And Tim Starks is senior reporter at CyberScoop.
Tim, thanks so much for taking the time.
Thank you, Dave.
And finally, when a BBC reporter met with Tank, known to the FBI as Vyacheslav Penchukov, in a prison meeting room,
he didn't storm in like a fallen cyber overlord.
Instead, he poked his head around a pillar, flashed a movie star grin, and winked.
It was a fitting entrance for a man who once hacked banks by day and DJed nightclubs as DJ Slava Rich by night.
Penchukov's charm, not just his code, helped him lead the JabberZeus and IcedID gangs,
stealing millions and earning a decade on the FBI's most wanted
list. Now serving time in a low-security Colorado prison, he studies English, plays sports,
and jokes, "Not smart enough, I'm in prison." His remorse is selective. He regrets trusting fellow
hackers more than the havoc he caused. In cybercrime, he reflects, your friends become informants.
Even behind bars, Tank seems oddly content, just another outlaw who mistook charisma for cleverness.
And that's the Cyberwire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
A quick programming note, we're taking a brief pause tomorrow, Tuesday, November 11th, to honor and celebrate
our veterans. While we're away, we'd like to highlight a great conversation from our T-Minus
podcast, where Maria sits down with Lieutenant Rob Sarver and Alex Gendzier, authors of Warrior to
Civilian: The Field Manual for the Hero's Journey. It's an insightful look at helping veterans
navigate life after service. Now we can all do our part to support them. We'd love to know what you
think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the
rapidly changing world of cybersecurity. If you like our show, please share a rating and review
in your favorite podcast app. Please also fill out the survey in the show notes or send an email
to cyberwire@n2k.com. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes.
We're mixed by Tré Hester with original music by Elliott Peltzman. Our executive producer is
Jennifer Eiben. Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you
back here tomorrow.
