Quote:A new wave of cyber attacks against British companies is a "critical national security threat", an analyst has told Sky News.
It follows the exposure of a previously unknown vulnerability in software used by hundreds of companies.
But unlike the recent attacks against M&S, Co-op and Harrods, the latest incident was not ransomware but rather remote code execution.
This is where hackers take control of devices and networks over the internet to run potentially malicious programmes or steal data and information.
The event - revealed by analyst Arda Buyukkaya at cybersecurity firm EclecticIQ - used a previously unknown backdoor in a piece of software called SAP Netweaver, with a patch since released.
Cody Barrow is the chief executive of EclecticIQ and previously worked at the Pentagon, the NSA and US Cyber Command.
He told Sky News: "Governments should treat this as a critical national security threat", adding that it is the kind of scenario that keeps people like him up at night.
Mr Barrow said the exploitation of networks is "extensive and ongoing", with more than 500 SAP customers affected and more potentially at risk. He urged users to update their software to the latest version.
Gas giant Cadent, publishers News UK, Euro Garages (EG) Group, Johnson Matthey and Ardagh Metal have been named as victims, with US and Saudi Arabian entities also targeted.
NHS England has posted a warning about the exploit on their website, although it is not clear if they are impacted.
The National Cyber Security Centre (NCSC), the UK government's authority on cyber threats and part of GCHQ, are monitoring the situation.
Quote:China remains the top military and cyber threat to the U.S., according to a report by U.S. intelligence agencies published on Tuesday that said Beijing was making "steady but uneven" progress on capabilities it could use to capture Taiwan.
China has the ability to hit the United States with conventional weapons; compromise U.S. infrastructure through cyber attacks; and target its assets in space, the Annual Threat Assessment by the intelligence community said, adding that Beijing also seeks to displace the United States as the top AI power by 2030.
Russia, along with Iran, North Korea and China, seeks to challenge the U.S. through deliberate campaigns to gain an advantage, with Moscow's war in Ukraine affording a "wealth of lessons regarding combat against Western weapons and intelligence in a large-scale war," the report said.
Released ahead of testimony before the Senate Intelligence Committee by President Donald Trump's intelligence chiefs, the report said China's People's Liberation Army (PLA) most likely planned to use large language models to create fake news, imitate personas, and enable attack networks.
"China's military is fielding advanced capabilities, including hypersonic weapons, stealth aircraft, advanced submarines, stronger space and cyber warfare assets and a larger arsenal of nuclear weapons," Director of National Intelligence Tulsi Gabbard told the committee. She labeled Beijing as Washington's "most capable strategic competitor."
"China almost certainly has a multifaceted, national-level strategy designed to displace the United States as the world's most influential AI power by 2030," the report said.
CIA Director John Ratcliffe told the committee that China had made only "intermittent" efforts to curtail the flow of precursor chemicals fueling the U.S. fentanyl crisis because it was reluctant to crack down on lucrative Chinese businesses.
Trump has increased tariffs on all Chinese imports by 20% to punish Beijing for what Trump called its failure to halt shipments of fentanyl chemicals. China has denied playing a role in the crisis, the leading cause of U.S. drug overdose deaths. The issue has become a major point of friction between the Trump administration and Chinese officials.
"There is nothing to prevent China ... from cracking down on fentanyl precursors," Ratcliffe said.
The Chinese foreign ministry said it "advised the U.S. not to use its own hegemonic logic to mirror China, and not to use outdated Cold War thinking to view China-U.S. relations," when asked about the report on Wednesday.
The ministry urged Washington to stop "condoning and supporting Taiwan independence separatist activities," ministry spokesperson Guo Jiakun said.
The spokesperson for China's embassy in Washington, Liu Pengyu, said the United States has long "hyped up" the China threat as an excuse to maintain U.S. military hegemony.
"China is determined to be a force for peace, stability and progress in the world, and also determined to defend our national sovereignty, security and territorial integrity," Liu said, adding that "fentanyl abuse is a problem that the United States itself must confront and resolve."
Quote:Chinese public security authorities attributed a cyberattack on an unnamed technology company to the Taiwan government on Tuesday, prompting the latter to blame China for spreading disinformation over such breaches.
The "overseas hacker organisation" behind the attack was "supported by" Taiwan's Democratic Progressive Party (DPP), authorities in the capital of southern Guangdong province said in a statement, based on an initial police investigation.
The DPP is the ruling party in Taiwan.
Taiwan's National Security Bureau in turn accused the Communist Party of China (CPC), which it called "a source of global information security threat", of peddling false information about cyber breaches.
It said in a statement to Reuters that the CPC was "manipulating inaccurate information to confuse the outside world, so as to cover up the related cyber hacking acts" and shift the focus of attention.
China claims Taiwan as its territory even as the democratic and separately governed island rejects that claim.
Taiwan President Lai Ching-te, who last week marked one year in office, has said only Taiwan's people can decide their future.
Chinese state news agency Xinhua reported that a police investigation found the hacker organisation targeted network systems in more than 10 provinces in China in recent years, including military, energy, hydropower, transportation and government networks.
Xinhua, citing technical experts, said the attacks were of "low technical level", their method "simple and crude."
Taiwan's security authority said: "The CPC has long carried out cyber hacking and theft of funds from Taiwan, disseminated false information, and carried out cognitive warfare in an attempt to destroy Taiwan's critical infrastructure and create social division and antagonism."
Quote:The Czech government on Wednesday condemned China for carrying out a cyberattack against its foreign ministry exposing thousands of unclassified emails.
Czechia said that the Chinese state-sponsored group Advanced Persistent Threat 31 (APT31) targeted the foreign ministry from 2022 — the year the country held the rotating EU presidency — and was able to read unclassified emails sent between embassies and EU institutions.
The Czech foreign minister, Jan Lipavský, said he would summon the Chinese ambassador immediately to explain the findings and tell him this would damage the countries' bilateral relations.
"With today’s move, we have exposed China, which has long been working to undermine our resilience and democracy,” Lipavský said. “Through cyberattacks, information manipulation, and propaganda, it interferes in our society — and we must defend ourselves against that.”
It is the first time the Czech government has attributed a national cyberattack to a state-backed actor.
An investigation conducted by the Security Information Service, Military Intelligence, Office for Foreign Relations and Information, and National Cyber and Information Security Agency (NUKIB) provided Czech authorities with a high degree of certainty about who was behind the targeting of the ministry.
APT31 is run by China’s ministry of state security from the city of Wuhan, according to the U.S. justice department.
The group has been accused of high-profile attacks in the past, including targeting the personal emails of campaign staff working for U.S. presidential candidate Joe Biden in 2020. In 2024, the U.K. and U.S. imposed sanctions on individuals tied to APT31.
The alleged Chinese hack sparked outrage in Brussels, among the EU's top brass and at NATO headquarters.
Quote:China is increasingly spying on Dutch semiconductors and other high-tech areas, Dutch Defence Minister Ruben Brekelmans said on Saturday.
Key takeaways:
China is increasing its spying activity on Dutch semiconductors
Dutch intelligence agency says that "the biggest cyber threat is coming from China"
"The semiconductor industry, which we are technologically leading, or technology advanced, of course, to get that intellectual property - that's interesting to China," Brekelmans told Reuters on Saturday at the Shangri-La Dialogue security forum in Singapore.
In April last year, the Dutch intelligence services released an annual report noting China’s increased activity in spying on the Dutch semiconductor, aerospace, and maritime industries.
Commenting on the threat, Brekelmans said: "It's continuing. In our newest intelligence reports, our intelligence agency said that the biggest cyber threat is coming from China, and that we do see most cyber activity when it comes to us being as from China. That was the case last year, but that's still the case. So we only see this intensifying."
He added that the Netherlands is focusing more on security as China is "using their economic position for geopolitical purposes and also to pressure us.”
Despite significant catch-up in its race for semiconductors, China is still lagging behind global leaders overall.
“Ten years ago, [Chinese semiconductor companies] were two generations behind. Five years ago, they were two generations behind, and now they’re still two generations behind,” G. Dan Hutcheson, vice chair of research firm TechInsights, said.
And yet, China is making impressive progress. In 2021–2022, 55% of global semiconductor patent applications were Chinese, more than double that of American patents.
Despite semiconductor design firms in China increasing nearly sixfold between 2010-2022, Chinese design firms still accounted for only 8% of global design revenue in 2022, with no Chinese firms among the top 25 global design firms.
"For God has not destined us for wrath, but for obtaining salvation through our Lord Jesus Christ," 1 Thessalonians 5:9
Maranatha!
The Internet might be either your friend or enemy. It just depends on whether or not she has a bad hair day.
Quote:Cybersecurity investigators noticed a highly unusual software crash — it was affecting a small number of smartphones belonging to people who worked in government, politics, tech and journalism.
The crashes, which began late last year and carried into 2025, were the tipoff to a sophisticated cyberattack that may have allowed hackers to infiltrate a phone without a single click from the user.
The attackers left no clues about their identities, but investigators at the cybersecurity firm iVerify noticed that the victims all had something in common: They worked in fields of interest to China’s government and had been targeted by Chinese hackers in the past.
Foreign hackers have increasingly identified smartphones, other mobile devices and the apps they use as a weak link in U.S. cyberdefenses. Groups linked to China’s military and intelligence service have targeted the smartphones of prominent Americans and burrowed deep into telecommunication networks, according to national security and tech experts.
It shows how vulnerable mobile devices and apps are and the risk that security failures could expose sensitive information or leave American interests open to cyberattack, those experts say.
“The world is in a mobile security crisis right now,” said Rocky Cole, a former cybersecurity expert at the National Security Agency and Google and now chief operations officer at iVerify. “No one is watching the phones.”
US zeroes in on China as a threat, and Beijing levels its own accusations
U.S. authorities warned in December of a sprawling Chinese hacking campaign designed to gain access to the texts and phone conversations of an unknown number of Americans.
“They were able to listen in on phone calls in real time and able to read text messages,” said Rep. Raja Krishnamoorthi of Illinois. He is a member of the House Intelligence Committee and the senior Democrat on the Committee on the Chinese Communist Party, created to study the geopolitical threat from China.
Chinese hackers also sought access to phones used by Donald Trump and running mate JD Vance during the 2024 campaign.
The Chinese government has denied allegations of cyberespionage, and accused the U.S. of mounting its own cyberoperations. It says America cites national security as an excuse to issue sanctions against Chinese organizations and keep Chinese technology companies from the global market.
“The U.S. has long been using all kinds of despicable methods to steal other countries’ secrets,” Lin Jian, a spokesman for China’s foreign ministry, said at a recent press conference in response to questions about a CIA push to recruit Chinese informants.
U.S. intelligence officials have said China poses a significant, persistent threat to U.S. economic and political interests, and it has harnessed the tools of digital conflict: online propaganda and disinformation, artificial intelligence and cyber surveillance and espionage designed to deliver a significant advantage in any military conflict.
Mobile networks are a top concern. The U.S. and many of its closest allies have banned Chinese telecom companies from their networks. Other countries, including Germany, are phasing out Chinese involvement because of security concerns. But Chinese tech firms remain a big part of the systems in many nations, giving state-controlled companies a global footprint they could exploit for cyberattacks, experts say.
Quote:The reconnaissance activity targeting American cybersecurity company SentinelOne was part of a broader set of partially-related intrusions into several targets between July 2024 and March 2025.
"The victimology includes a South Asian government entity, a European media organization, and more than 70 organizations across a wide range of sectors," SentinelOne security researchers Aleksandar Milenkoski and Tom Hegel said in a report published today.
Some of the targeted sectors include manufacturing, government, finance, telecommunications, and research. Also present among the victims was an IT services and logistics company that was managing hardware logistics for SentinelOne employees at the time of the breach in early 2025.
The malicious activity has been attributed with high confidence to China-nexus threat actors, with some of the attacks tied to a threat cluster dubbed PurpleHaze, which, in turn, overlaps with Chinese cyber espionage groups publicly reported as APT15 and UNC5174.
In late April 2024, SentinelOne first disclosed PurpleHaze-related reconnaissance activity targeting some of its servers that were deliberately accessible over the internet by "virtue of their functionality."
"The threat actor's activities were limited to mapping and evaluating the availability of select internet-facing servers, likely in preparation for potential future actions," the researchers said.
It's currently not known if the attackers' intent was to just target the IT logistics organization or if they planned to expand their focus to downstream organizations as well. Further investigation into the attacks has uncovered six different activity clusters (named A to F) that date back to June 2024 with the compromise of an unnamed South Asian government entity.
Quote:Corporate investigators have reportedly discovered evidence that Chinese hackers infiltrated an American telecommunications company in the summer of 2023, suggesting that China’s attackers penetrated the U.S. communications system far earlier than publicly known.
Bloomberg reports that corporate investigators working for an unnamed U.S. telecommunications firm have uncovered that Chinese state-backed hackers had breached the company’s systems in the summer of 2023, nearly a year before the publicly disclosed Salt Typhoon espionage campaign targeting multiple US telecom providers. The discovery, which has not been previously reported, raises questions about the timeline of China’s foothold in the American communications industry.
According to two people familiar with the matter and an unclassified report seen by Bloomberg News, the investigators found that malware used by Chinese state-backed hacking groups had been present on the company’s systems for seven months, starting in the summer of 2023. The report, sent to Western intelligence agencies, does not name the compromised telecommunications company.
The 2023 intrusion predates the well-publicized Salt Typhoon campaign, which the US government has attributed to Chinese state-backed hackers. In the Salt Typhoon breaches, hackers infiltrated multiple major US telecommunications companies, including AT&T and Verizon Communications, siphoning personal data of millions of Americans and targeting the phones of high-profile individuals such as then-presidential candidate Donald Trump, his running mate JD Vance, and then-Vice President Kamala Harris.
The malware used in the 2023 breach, known as Demodex, is a rootkit that provides hackers with deep and secretive access to infected machines. Several cybersecurity companies have linked Demodex to Chinese hacking groups targeting telecommunications companies and governments in Southeast Asia. The malware has also been tied to the Salt Typhoon attackers and other hacking groups.
In the 2023 breach, hackers gained access to the computers of IT administrators at the targeted U.S. telecommunications company. The investigation revealed that the malware remained on the firm’s systems until late winter of 2024. Demodex is designed to leave few digital traces, making it challenging to determine the full extent of the hackers’ activities once inside the breached machines.
The Chinese government embassy in Washington emphasized the difficulty of determining the origins of hacks and accused the US and its allies of being responsible for cyberattacks on China. The embassy spokesperson, Liu Pengyu, called on the relevant party to “stop using cybersecurity to smear and slander China, and stop spreading all kinds of disinformation about the so-called Chinese hacking threats.”
Quote:A cyberattack on The Washington Post compromised the email accounts of several journalists and was most likely the work of a foreign government, The Wall Street Journal reported on Sunday.
Matt Murray, The Washington Post’s executive editor, said in an internal memo that the breach was discovered on Thursday and an investigation had been initiated, The Wall Street Journal reported.
Staff at The Washington Post were told the intrusions compromised journalists’ Microsoft accounts and could have granted the intruder access to work emails, The Wall Street Journal reported, citing people familiar with the situation.
The reporters whose emails were targeted included members of the national security and economic policy teams, including some who write about China, the report added.
The Washington Post did not immediately respond to Reuters’ request for comment. In 2022, News Corp, which publishes The Wall Street Journal, was breached by digital intruders.
The email accounts and data of an unspecified number of journalists were compromised in that incident.
Quote:The Marks & Spencer hackers sent an abuse-filled email directly to the retailer's boss gloating about what they had done and demanding payment, BBC News has learnt.
The message to M&S CEO Stuart Machin - which was in broken English - was sent on 23 April from the hacker group DragonForce using an employee email account.
The email confirms for the first time that M&S has been hacked by the ransomware group – something that M&S has so far refused to acknowledge.
"We have marched the ways from China all the way to the UK and have mercilessly raped your company and encrypted all the servers," the hackers wrote.
"The dragon wants to speak to you so please head over to [our darknet website]."
The cyber attack has been hugely damaging for M&S, costing it an estimated £300m. More than six weeks on, it is still unable to take online orders.
The extortion email was shown to the BBC by a cyber-security expert.
The message, which includes a racist term, was sent to the M&S CEO and seven other executives.
As well as bragging about installing ransomware across the M&S IT system to render it useless, the hackers say they have stolen the private data of millions of customers.
Nearly three weeks later customers were informed by the company that their data may have been stolen.
The email was sent apparently using the account of an employee from the Indian IT giant Tata Consultancy Services (TCS) - which has provided IT services to M&S for over a decade.
The Indian IT worker based in London has an M&S email address but is a paid TCS employee.
It appears as though he himself was hacked in the attack.
TCS has previously said it is investigating whether it was the gateway for the cyber-attack.
The company has told the BBC that the email was not sent from its system and that it has nothing to do with the breach at M&S.
M&S has declined to comment entirely.
'We can both help each other'
A darknet link shared in the extortion email connects to a portal for DragonForce victims to begin negotiating the ransom fee. This is further indication that the email is authentic.
Sharing the link – the hackers wrote: "let's get the party started. Message us, we will make this fast and easy for us."
The criminals also appear to have details about the company's cyber-insurance policy too saying "we know we can both help each other handsomely : ))".
The M&S CEO has refused to say if the company has paid a ransom to the hackers.
DragonForce ended the email with an image of a dragon breathing fire.
Quote:Cyber analysts have reportedly discovered a strange cyberwarfare trend. According to a report by the New York Times, quoting security researchers, since Russia's invasion of Ukraine in February 2022, groups linked to the Chinese government have repeatedly hacked Russian companies and government agencies in an apparent search for military secrets.
The cyberattacks, which intensified in May 2022, have persisted despite public declarations of a “no-limits” partnership between Russian President Vladimir Putin and Chinese President Xi Jinping.
Chinese hacking groups 'targeting' Russian businesses
The report claims that a Chinese hacking group, Sanyo, impersonated a Russian engineering firm’s email addresses in 2023 to steal data on nuclear submarines, as uncovered by Taiwan-based cybersecurity firm TeamT5, which linked the attack to Beijing. “China likely seeks to gather intelligence on Russia’s activities, including on its military operation in Ukraine, defense developments and other geopolitical maneuvers,” TeamT5 researcher Che Chang told the Times.
A classified Russian FSB document, obtained by The New York Times, reveals Moscow’s concerns about China’s pursuit of Russian defense technology and battlefield insights, labeling China an “enemy.” This contrasts with the public Sino-Russian alliance, as Russia relies on China for oil markets and war-critical technology. The document highlights China’s interest in drone warfare and software, noting that “the war in Ukraine fundamentally shifted intelligence priorities for both countries,” according to Itay Cohen of Palo Alto Networks, as quoted by the Times.
What techniques Chinese hackers are said to be using against Russia
The New York Times also reports that Chinese hackers targeted Rostec, Russia’s state-owned defense conglomerate, for satellite communications and radar data, using malicious Microsoft Word files to infiltrate aviation and state entities. Groups like Mustang Panda, suspected of ties to China’s Ministry of State Security, have hit Russian military and border units, the Times notes, citing Rafe Pilling of Sophos. Pilling told the Times, “The targeting we’ve observed tends to be political and military intelligence gathering.”
Proprietary malware like Deed RAT, used by Chinese state-sponsored hackers, has been deployed against Russian aerospace and defense sectors, the report said, citing Positive Technologies. Despite 2009 and 2015 agreements barring mutual cyberattacks, the Times notes that experts view these as symbolic, with hacking spiking post-Ukraine invasion. “The activity — we saw it immediately in the months following Russia’s full-scale invasion,” Cohen told the Times, highlighting the tension beneath the public narrative of Sino-Russian unity.
Can you trust a country that does not care about its hackers hitting an ally's cyber-infrastructure as it did not matter at all?
Quote:Canada's cybersecurity agency, the Canadian Centre for Cyber Security, has issued a warning that Chinese-backed hackers are likely responsible for a recent attack that compromised telecommunications infrastructure in the country. The agency confirmed that three network devices registered to a Canadian company were compromised in these attacks. In a joint bulletin (as seen by Bloomberg) released this week with the US Federal Bureau of Investigation (FBI), the Canadian Centre for Cyber Security urged Canadian organisations to strengthen their networks against the threat posed by Salt Typhoon, a hacking group with documented links to the Chinese government. The warning emphasises the ongoing risk and the need for immediate action to protect critical infrastructure.
What Canada’s cybersecurity agency said about the recent hacking incident
“The Cyber Centre is aware of malicious cyber activities currently targeting Canadian telecommunications companies. The responsible actors are almost certainly PRC state-sponsored actors, specifically Salt Typhoon,” the agency said, referring to the People's Republic of China, reports Bloomberg.
The agency also noted that separate investigations showing overlaps with indicators linked to Salt Typhoon indicate the cyber campaign “is broader than just the telecommunications sector.”
According to the agency, the hackers will “almost certainly” continue attempting to infiltrate Canadian organisations — particularly telecom providers — over the next two years, the report adds.
Beijing has consistently rejected US claims linking it to Salt Typhoon, a group first reported by The Wall Street Journal last year. In January, the US imposed sanctions on a Chinese company for allegedly being “directly involved” in the cyber intrusions, along with China’s Ministry of State Security.
Quote:The French cybersecurity agency on Tuesday revealed that a number of entities spanning governmental, telecommunications, media, finance, and transport sectors in the country were impacted by a malicious campaign undertaken by a Chinese hacking group by weaponizing several zero-day vulnerabilities in Ivanti Cloud Services Appliance (CSA) devices.
The campaign, detected at the beginning of September 2024, has been attributed to a distinct intrusion set codenamed Houken, which is assessed to share some overlaps with a threat cluster tracked by Google Mandiant under the moniker UNC5174 (aka Uteus or Uetus).
"While its operators use zero-day vulnerabilities and a sophisticated rootkit, they also leverage a wide number of open-source tools mostly crafted by Chinese-speaking developers," the French National Agency for the Security of Information Systems (ANSSI) said. "Houken's attack infrastructure is made up of diverse elements -- including commercial VPNs and dedicated servers."
The agency theorized that Houken is likely being used by an initial access broker since 2023 with an aim to gain a foothold into target networks and then shared with other threat actors interested in carrying out follow-on post-exploitation activities, reflective of a multi-party approach to vulnerability exploitation, as pointed out by HarfangLab.
"A first party identifies vulnerabilities, a second uses them at scale to create opportunities, then accesses are distributed to third parties which further attempt to develop targets of interest," the French cybersecurity company noted earlier this February.
"The operators behind the UNC5174 and Houken intrusion sets are likely primarily looking for valuable initial accesses to sell to a state-linked actor seeking insightful intelligence," the agency added.
In recent months, UNC5174 has been linked to the active exploitation of SAP NetWeaver flaws to deliver GOREVERSE, a variant of GoReShell. The hacking crew has also leveraged vulnerabilities in Palo Alto Networks, Connectwise ScreenConnect, and F5 BIG-IP software in the past to deliver the SNOWLIGHT malware, which is then used to drop a Golang tunneling utility called GOHEAVY.
Another report from SentinelOne attributed the threat actor to an intrusion against a "leading European media organization" in late September 2024.
In the attacks documented by ANSSI, the attackers have been observed exploiting three security defects in Ivanti CSA devices, CVE-2024-8963, CVE-2024-9380, and CVE-2024-8190, as zero-days to obtain credentials and establish persistence using one of the three methods -
Directly deploying PHP web shells
Modifying existing PHP scripts to inject web shell capabilities, and
Installing a kernel module that serves as a rootkit
The attacks are characterized by the use of publicly available web shells like Behinder and neo-reGeorg, followed by the deployment of GOREVERSE to maintain persistence after lateral movements. Also employed is an HTTP proxy tunneling tool called suo5 and a Linux kernel module named "sysinitd.ko" that was documented by Fortinet in October 2024 and January 2025.
"It is composed of a kernel module (sysinitd.ko) and a user-space executable file (sysinitd) installed on the targeted device through the execution of a shell script: install.sh," ANSSI said. "By hijacking inbound TCP traffic over all ports, and invoking shells, sysinitd.ko and sysinitd allow the remote execution of any command with root privileges."
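The ANSSI write-up above names three persistence methods: a dropped PHP web shell, web shell logic injected into an existing PHP script, and a kernel-module rootkit (sysinitd.ko). The script below is an added example, not ANSSI's or Fortinet's tooling and not the original page's code: it hunts for the first two methods by flagging PHP lines where request-supplied data or an obfuscated payload reaches a code-execution sink, and for the third by matching loaded module names against a watchlist. The PHP samples and the lsmod output are constructed for the demo; the sink/source regexes are generic heuristics I chose, not ANSSI indicators; and the assumption that sysinitd.ko registers under the module name "sysinitd" is mine, derived from the file name in the report.

```python
"""Hunt for PHP web shells and a watchlisted kernel module (added example)."""
import re
import tempfile
from pathlib import Path

# Constructed sample PHP files. Only index.php is clean; config.php models a
# legitimate script with an injected web shell line; shell.php is a dropped shell.
SAMPLES = {
    "index.php": "<?php\necho 'hello';\n",
    "config.php": "<?php\n$db = 'x';\n@eval($_POST['pass']);\n",
    "shell.php": "<?php\n$p = $_COOKIE['k'];\neval(gzinflate(base64_decode($p)));\n",
}

# Constructed lsmod-style output; "sysinitd" is the assumed module name.
LSMOD_SAMPLE = """Module                  Size  Used by
sysinitd               16384  0
ext4                  786432  1
"""

# Code-execution sinks a web shell ultimately needs (heuristic list, assumed).
SINK_RE = re.compile(
    r"\b(eval|assert|system|passthru|shell_exec|exec|popen|proc_open|create_function)\s*\(",
    re.I,
)
# Ways attacker-controlled input enters a PHP script.
SOURCE_RE = re.compile(
    r"\$_(GET|POST|REQUEST|COOKIE|SERVER|FILES)\b|php://input|getallheaders\s*\(", re.I
)
# Decoders commonly wrapped around a shell's payload to defeat plain string matching.
OBFUSCATION_RE = re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)


def scan_php_source(src):
    """Return (line_no, reason, line) tuples for suspicious lines in one PHP file."""
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        has_sink = SINK_RE.search(line) is not None
        if has_sink and SOURCE_RE.search(line):
            findings.append((lineno, "request data reaches code-execution sink", line.strip()))
        elif has_sink and OBFUSCATION_RE.search(line):
            findings.append((lineno, "obfuscated payload reaches code-execution sink", line.strip()))
    return findings


def scan_tree(root):
    """Scan every *.php under root; map relative path -> findings (non-empty only)."""
    root = Path(root)
    results = {}
    for path in sorted(root.rglob("*.php")):
        findings = scan_php_source(path.read_text(errors="replace"))
        if findings:
            results[str(path.relative_to(root))] = findings
    return results


def suspicious_modules(lsmod_output, watchlist=frozenset({"sysinitd"})):
    """Return watchlisted module names present in lsmod-style output (header skipped)."""
    lines = lsmod_output.strip().splitlines()[1:]
    names = [line.split()[0] for line in lines if line.strip()]
    return sorted(n for n in names if n in watchlist)


def demo():
    """Write the constructed samples to a temp dir and run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLES.items():
            Path(tmp, name).write_text(body)
        web_hits = scan_tree(tmp)
    return web_hits, suspicious_modules(LSMOD_SAMPLE)


if __name__ == "__main__":
    hits, modules = demo()
    for path, findings in hits.items():
        for lineno, reason, line in findings:
            print(f"{path}:{lineno}: {reason}: {line}")
    for mod in modules:
        print(f"watchlisted kernel module loaded: {mod}")
```

Two caveats for real use. The PHP heuristic only catches sink and source on the same line, so a shell that stages its input through a variable on one line and executes it on another shows up only via the obfuscation branch; pair it with a file-integrity baseline of the appliance's PHP tree so that a modified legitimate script (ANSSI's second method) is flagged by hash change regardless of content. And a rootkit module can unlink itself from the kernel's module list, so a clean lsmod is not evidence of absence: cross-check /proc/modules against /sys/module, look for the install.sh and sysinitd user-space binary on disk, and prefer examining the filesystem from a trusted boot medium rather than the running host.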
Quote:Taiwan's National Security Bureau (NSB) has warned that China-developed applications like RedNote (aka Xiaohongshu), Weibo, TikTok, WeChat, and Baidu Cloud pose security risks due to excessive data collection and data transfer to China.
The alert comes following an inspection of these apps carried out in coordination with the Ministry of Justice Investigation Bureau (MJIB) and the Criminal Investigation Bureau (CIB) under the National Police Agency.
"The results indicate the existence of security issues, including excessive data collection and privacy infringement," the NSB said. "The public is advised to exercise caution when choosing mobile apps."
The agency said it evaluated the apps against 15 indicators spanning five broad categories: Personal data collection, excessive permission usage, data transmission and sharing, system information extraction, and biometric data access.
According to the analysis, RedNote violated all 15 indicators, followed by Weibo and TikTok that were found to breach 13 indicators. WeChat and Baidu Cloud violated 10 and 9 of the 15 indicators, respectively.
These issues encompassed extensive collection of personal data, including facial recognition information, screenshots, clipboard contents, contact lists, and location information. All the apps have also been flagged for harvesting the list of installed apps and device parameters.
"With regard to data transmission and sharing, the said five apps were found to send packets back to servers located in China," the NSB said. "This type of transmission has raised serious concerns over the potential misuse of personal data by third-parties."
NSB also pointed out that companies operating in China are obligated to turn over user data under domestic laws for national security, public security, and intelligence purposes, and that using these apps can breach the privacy of Taiwanese users.
The development comes as countries like India have enacted bans against Chinese-made apps, citing security concerns. In November 2024, Canada ordered TikTok to dissolve its operations in the country, although its fate in the U.S. still remains in limbo, as the ban – which was supposed to take effect in January 2025 – has been extended for a third time.
"For God has not destined us for wrath, but for obtaining salvation through our Lord Jesus Christ," 1 Thessalonians 5:9
Maranatha!
The Internet might be either your friend or enemy. It just depends on whether or not she has a bad hair day.
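A defender-side check for the three persistence methods in the ANSSI findings quoted above, added here as an example that is not from the article, ANSSI or Ivanti: it diffs a web root against a known-good hash baseline (which surfaces both a dropped web shell as a new file and an injected script as a modified one) and compares loaded kernel modules against an allowlist. All paths, file contents, the lsmod text and the allowlist are constructed; the only name taken from the report is the `sysinitd` module.

```python
"""Integrity and module-allowlist checks for the three Ivanti CSA persistence
methods ANSSI describes: new PHP web shells, modified PHP scripts, and a
kernel-module rootkit. Added example; every path, file body, lsmod line and
allowlist entry below is constructed, not taken from a real appliance."""
import hashlib
from typing import Dict, List, Set


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a file's bytes."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Hash every file of a known-good install (e.g. a freshly deployed
    appliance image). Keep the result off the box so an intruder with
    root cannot rewrite it to match their changes."""
    return {path: sha256_hex(content) for path, content in files.items()}


def diff_against_baseline(baseline: Dict[str, str],
                          current: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Compare the live web root with the baseline.

    'new'      -> a file the baseline never had (a dropped web shell)
    'modified' -> content changed since baseline (a script with injected code)
    'missing'  -> a baseline file that is no longer present
    """
    report: Dict[str, List[str]] = {"new": [], "modified": [], "missing": []}
    for path, content in current.items():
        if path not in baseline:
            report["new"].append(path)
        elif sha256_hex(content) != baseline[path]:
            report["modified"].append(path)
    for path in baseline:
        if path not in current:
            report["missing"].append(path)
    for key in report:
        report[key].sort()
    return report


def unexpected_modules(lsmod_output: str, allowlist: Set[str]) -> List[str]:
    """Parse text in the layout `lsmod` prints (a header line, then
    'name size used-by' rows) and return module names not on the allowlist.
    A rootkit module such as sysinitd.ko appears as a name the clean image
    never loaded, unless the rootkit also hides itself from /proc/modules."""
    names: List[str] = []
    lines = lsmod_output.strip().splitlines()
    for line in lines[1:]:  # skip the "Module  Size  Used by" header
        parts = line.split()
        if parts and parts[0] not in allowlist:
            names.append(parts[0])
    return sorted(names)


# --- constructed sample data (hypothetical paths and contents) ---
BASELINE_FILES = {
    "/var/www/html/index.php": b"<?php echo 'csa portal'; ?>\n",
    "/var/www/html/login.php": b"<?php require 'auth.php'; ?>\n",
}
# Live state: login.php gained extra code and a new file appeared.
CURRENT_FILES = {
    "/var/www/html/index.php": b"<?php echo 'csa portal'; ?>\n",
    "/var/www/html/login.php": b"<?php require 'auth.php'; /* extra */ ?>\n",
    "/var/www/html/cache.php": b"<?php /* not part of the product */ ?>\n",
}
SAMPLE_LSMOD = """Module                  Size  Used by
ext4                  778240  1
sysinitd               16384  0
xfs                  1662976  2
"""
ALLOWED_MODULES = {"ext4", "xfs"}  # constructed allowlist from a clean image


def run_checks() -> Dict[str, object]:
    """Run both checks over the constructed data and return the findings."""
    baseline = build_baseline(BASELINE_FILES)
    return {
        "files": diff_against_baseline(baseline, CURRENT_FILES),
        "modules": unexpected_modules(SAMPLE_LSMOD, ALLOWED_MODULES),
    }


if __name__ == "__main__":
    for name, finding in run_checks().items():
        print(name, finding)
```

Two caveats when running this on a real appliance: the baseline hashes must come from a clean image and live outside the device, and a kernel-module rootkit can hide its own entry from `lsmod`, so the module comparison is most trustworthy when the module list is read from an offline or trusted-boot view of the system rather than from the possibly compromised running kernel.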
Quote:Suspected Chinese hackers have broken into the email accounts of attorneys and advisers at a powerful Washington, DC, law firm in an apparent intelligence-gathering operation, the firm, Wiley Rein, told clients this week in a memo reviewed by CNN.
The hackers responsible have been known to target information related to trade, Taiwan and US government agencies involved in setting tariffs and reviewing foreign investment, said the notice from the firm.
“We believe, based on the evidence reviewed to date, that a group that may be affiliated with the Chinese government accessed messages in the Microsoft 365 accounts of certain Wiley personnel for intelligence gathering purposes,” the memo said.
The breach comes after the Trump administration escalated America’s trade war with China this spring by slapping unprecedented tariffs on Chinese exports to the United States. The tit-for-tat tariffs set off a scramble in both governments to understand each other’s positions.
With clients that span the Fortune 500 and a team of top trade attorneys, Wiley Rein is a powerful player in helping US companies and the government navigate the trade war with China. The firm describes itself as “wired into Washington” and says it provides “unmatched insights into the evolving priorities of agencies, regulators, and lawmakers.”
Wiley Rein told clients it is still working to determine what information the hackers accessed. “We also notified law enforcement and are coordinating with them.”
CNN has requested comment from Wiley Rein and the FBI, which typically investigates high-profile hacks with national security implications. Google-owned security firm Mandiant is remediating the hack, the Wiley Rein memo said. CNN has requested comment from Mandiant.
Liu Pengyu, spokesperson for the Chinese Embassy in Washington, DC, said in a statement to CNN, “China firmly opposes and combats all forms of cyber attacks and cyber crime — a position that is consistent and clear. At the same time, we also firmly oppose smearing others without solid evidence.”
It’s only the latest suspected Chinese intrusion into a US organization that handles sensitive trade or investment matters. CNN reported in January that Chinese hackers had breached the US government office that reviews foreign investments for national security risks.
Foreign investment reviews play an important role in the relationship between the world’s two biggest economies. On Friday, the Trump administration announced that it had blocked a Hong Kong-based firm’s acquisition of Jupiter Systems, a supplier of audio-visual equipment. The statement cited the “potential compromise of Jupiter’s products used in military and critical infrastructure environments.”
For years, across Republican and Democratic administrations, US officials have tried to come to grips with China’s formidable cyber capabilities. The FBI has said that China has a bigger hacking program than all other foreign governments combined.
The hack of Wiley Rein could add to one of numerous open investigations that the FBI has into Beijing-linked cyber-espionage.
The FBI is still dealing with the sweeping Chinese compromise of US telecom providers that targeted the phone communications of senior US leaders, including then-presidential candidate Trump and became public last year. AT&T, Verizon and other big communications firms were breached.
“We don’t know if we’re done identifying victims or if there will be more,” Brett Leatherman, the assistant director of the FBI’s Cyber Division, said in an interview last month with CNN, referring to the telecom hacking campaign. But the FBI does believe the telecom firms have contained the hackers after many months of investigation, he said.
“Beijing’s cyber doctrine is more than access,” Leatherman added. “It’s about building long-term leverage.”
Quote:An elite Chinese cyberspy group hacked at least one state’s National Guard network for nearly a year, the Department of Defense has found.
The hackers, already responsible for one of the most expansive cyberespionage campaigns against the U.S. to date, are alleged to have burrowed even further than previously known and may have obtained sensitive military or law enforcement information. Authorities are still working to discover the extent of the data accessed.
A Department of Homeland Security memo from June, describing the Pentagon’s findings, said that the group, publicly known by the nickname Salt Typhoon, “extensively compromised a U.S. state’s Army National Guard network” from March 2024 through December. The memo did not say which state.
The report was provided to NBC News through the national security transparency nonprofit Property of the People, which obtained it through a freedom of information request.
The Department of Defense didn’t respond to a request for comment. A National Guard Bureau spokesperson confirmed the compromise but declined to share details.
“While we cannot provide specific details on the attack or our response to it, we can say this attack has not prevented the National Guard from accomplishing assigned state or federal missions, and that NGB continues to investigate the intrusion to determine its full scope,” the spokesperson said.
A spokesperson for China’s embassy in Washington did not deny the campaign but said the U.S. has failed to prove China is behind the Salt Typhoon hacks.
“Cyberattacks are a common threat faced by all countries, China included,” the spokesperson said, adding that the U.S. “has been unable to produce conclusive and reliable evidence that the ‘Salt Typhoon’ is linked to the Chinese government.”
Salt Typhoon is notorious even by the standards of China’s massive cyberspy efforts because of its ability to jump from one organization to another. Last year, U.S. authorities found that it had hacked at least eight of the country’s largest internet and phone companies, including AT&T and Verizon, using access to spy on the calls and text messages of both the Harris and Trump presidential campaigns, as well as the office of then-Senate Majority Leader Chuck Schumer.
While part of the Department of Defense, National Guard units are also under the authority of their states; some are deeply integrated with local governments or law enforcement, which may have given the Salt Typhoon hackers the ability to compromise other organizations.
The hack “likely provided Beijing with data that could facilitate the hacking of other states’ Army National Guard units, and possibly many of their state-level cybersecurity partners,” the DHS report found. The National Guard in 14 U.S. states works with law enforcement “fusion centers” to share intelligence, the DHS memo notes. The hackers accessed a map of geographic locations in the targeted state, diagrams of how internal networks are set up, and personal information of service members, it said.
In January, the Treasury Department — also a recent target of alleged Chinese hacking — sanctioned a Sichuan company for allegedly helping Beijing’s Ministry of State Security conduct Salt Typhoon operations.
Salt Typhoon can be pernicious and hard to root out once the hackers take hold. In the AT&T case, the company announced in December that it appeared as if they were no longer being affected and Verizon said in January it had “contained” the incident. Both companies stopped short of saying they were fully protected from the hackers returning. A report from Cisco said that, in at least one instance, Salt Typhoon hackers remained in an affected environment for up to three years.
Quote:July 16 (Reuters) - Chinese-linked hackers are targeting the Taiwanese semiconductor industry and investment analysts as part of a string of cyber espionage campaigns, researchers said on Wednesday.
While hacking to steal data and information about the industry is not new, there is an increase in sustained hacking campaigns from several China-aligned hacking groups, researchers with cybersecurity firm Proofpoint said in a new analysis.
“We’ve seen entities that we hadn’t ever seen being targeted in the past being targeted,” said Mark Kelly, a threat researcher focused on Chinese-related threats at Proofpoint.
The previously unreported hacking campaigns were carried out by at least three distinct Chinese-linked groups primarily between March and June of this year, with some activity likely ongoing, Proofpoint said. They come amid rising restrictions by Washington on exports to China of U.S.-designed chips that are often manufactured in Taiwan. China's chip industry has been working to replace its dwindling supply of sophisticated U.S. chips, especially those used in artificial intelligence.
The researchers declined to identify the hacking targets, but told Reuters that approximately 15 to 20 organizations ranging from small businesses, analysts employed by at least one U.S.-headquartered international bank, and large global enterprises faced attacks.
Major Taiwanese semiconductor firms include Taiwan Semiconductor Manufacturing Co (2330.TW), MediaTek (2454.TW), United Microelectronics Corp (2303.TW), Nanya Technology (2408.TW) and RealTek Semiconductor (2379.TW). TSMC declined to comment. MediaTek, UMC, Nanya and RealTek did not respond to requests for comment.
Reuters was unable to identify the specific hacking targets or determine whether any of the efforts were successful.
A spokesperson for the Chinese embassy in Washington told Reuters in an email that cyber attacks “are a common threat faced by all countries, China included,” and that the Asian country “firmly opposes and combats all forms of cyber attacks and cyber crime — a position that is consistent and clear.”
The activity ranged from one or two emails sent as part of the more targeted campaign focused on specific people, to as many as 80 emails when trying to gain information from the company at large, Kelly said.
One group targeted semiconductor design, manufacturing and supply-chain organizations using compromised Taiwanese university email accounts to pose as job seekers and send malware via PDFs with URLs leading to malicious files, or a password-protected archive.
Another targeted financial analysts at major unnamed investment firms focused on the Taiwanese semiconductor industry by posing as a fictitious investment firm and seeking collaboration. Two of the entities are based in Asia, while the third is based in the U.S. The FBI declined to comment.
A representative of TeamT5, a cybersecurity firm based in Taiwan, told Reuters that it had also seen an increase in emails being sent targeting the semiconductor industry tied to a few hacking groups, “but not a wide or general phenomenon.”
Targeting of semiconductors and the supply chain around them “is a persistent threat that has existed for long,” the representative said, and a “constant interest” for Chinese-related advanced hacking operators.
These groups often target “peripheral suppliers or related industries,” the representative said, such as a situation in June where a China-linked hacking group identified by TeamT5 as "Amoeba" launched a phishing campaign against an unnamed chemical company that plays a critical role in the semiconductor supply chain.
Quote:Undeterred by recent indictments alleging widespread cyberespionage against American agencies, journalists and infrastructure targets, Chinese hackers are hitting a wider range of targets and battling harder to stay inside once detected, seven current and former U.S. officials said in interviews.
Hacks from suspected Chinese government actors detected by the security firm CrowdStrike more than doubled from 2023 to more than 330 last year and continued to climb as the new administration took over, the company said. Bursts of espionage are typical with each new president, the officials said, and major staff cuts at the Cybersecurity and Infrastructure Security Agency (CISA) have disrupted some response coordination.
“The U.S. is absolutely facing the most serious Chinese hacking ever. We are in China’s golden age of hacking,” said China expert Dakota Cary of the security company SentinelOne.
Although the various Chinese hacking campaigns seem to be led by different government agencies and have different goals, all benefit from new techniques and from Beijing’s introduction of a less constrained system for cyber offense, the officials and outside researchers told The Washington Post. Some of them spoke on the condition of anonymity because of the sensitivity of the matter.
Chinese intelligence, military and security agencies previously selected targets and tasked their own employees with breaking in, they said. But the Chinese government decided to take a more aggressive approach by allowing private industry to conduct cyberattacks and hacking campaigns on their own, U.S. officials said.
The companies are recruiting top hackers who discover previously unknown, or “zero-day,” flaws in software widely used in the United States. Then the companies search for where the vulnerable programs are installed, hack a great many of them at once, and then sell access to multiple Chinese government customers and other security companies.
That hacking-for-hire approach creates hundreds of U.S. victims instead of a few, making it hard to block attacks and to decide which were China’s key targets and which were unintentionally caught in the hacks, an FBI official said, speaking on the condition of anonymity to follow agency practices.
“They’ll find a zero-day, scan for anything vulnerable, and then try to broker access — and now we have, scale-wise, a significantly larger problem,” the official said. “The result of that incentive structure is that there is significantly more hacking.”
An indictment unsealed last week accused a Chinese man arrested in Italy of hacking at a company called Shanghai Powerock Network Co., which prosecutors described as “one of many ‘enabling’ companies in the [People’s Republic of China] that conducted hacking for the PRC government.”
Several former officials said that although China had been deterred in the past by such U.S. indictments, public condemnations and sanctions, that seemed to no longer be the case.
“Cyberspace is where China and [President] Xi [Jinping]’s confidence are on full display. It’s the domain where China has been willing to accept a lot of political risk with the U.S.,” said Laura Galante, a principal at WestExec Advisors and the top U.S. cyberthreat intelligence official during most of the Biden administration.
China has mastered the ability to move undetected through networks of compromised U.S. devices, so that the final connection to a target appears to be an ordinary domestic connection. That makes it easy to get around technology that blocks overseas links and puts it outside the purview of the National Security Agency, which by law must avoid scrutinizing most domestic transmissions.
And here's the official announcement of the hacker's arrest.
Quote:China’s Ministry of State Security allegedly directed theft of COVID-19 research and confidential information regarding American policy makers
HOUSTON – A 33-year-old Chinese national has been taken into custody for his alleged involvement in U.S. computer intrusions between February 2020 and June 2021, including the reckless and indiscriminate HAFNIUM campaign that compromised thousands of computers worldwide.
Authorities took People's Republic of China (PRC) national Xu Zewei (徐泽伟) into custody in Milan, Italy, as he departed a plane from China at the request of the United States.
Xu is charged along with PRC national Zhang Yu (张宇), 44, in a now unsealed nine-count indictment returned in November 2023. They were both involved in computer intrusions between February 2020 and June 2021 at the direction of officers of the PRC’s Ministry of State Security’s (MSS) Shanghai State Security Bureau (SSSB), according to the indictment.
The charges allege MSS and SSSB are PRC intelligence services responsible for PRC's domestic counterintelligence, non-military foreign intelligence and aspects of the PRC's political and domestic security. When conducting the computer intrusions, Xu worked for Shanghai Powerock Network Co. Ltd., one of many “enabling” companies in the PRC that conducted hacking for the PRC government, according to the charges.
“The indictment alleges that Xu was hacking and stealing crucial COVID-19 research at the behest of the Chinese government while that same government was simultaneously withholding information about the virus and its origins,” said Nicholas Ganjei, U.S. Attorney for the Southern District of Texas. “The Southern District of Texas has been waiting years to bring Xu to justice and that day is nearly at hand. As this case shows, even if it takes years, we will track hackers down and make them answer for their crimes. The United States does not forget.”
“This arrest underscores the United States’ patient and tireless commitment to pursuing hackers who seek to steal information belonging to U.S. companies and universities,” said John A. Eisenberg, Assistant Attorney General for the National Security Division. “The Justice Department will find you and hold you accountable for threatening our cybersecurity and harming our people and institutions.”
“While the world was reeling from a virus that originated in China, the Chinese government plotted to steal U.S. research critical to vaccine development,” said FBI Houston Special Agent in Charge Douglas Williams. “Xu Zewei, an alleged hacker acting on behalf of China's primary spy agency, targeted COVID-19 data using sophisticated cyber techniques and tradecraft. His landmark arrest by FBI Houston agents in Italy proves that we will scour the ends of the Earth to hold criminal foreign adversaries accountable.”
According to court documents, in early 2020, Xu and his co-conspirators hacked and otherwise targeted U.S.-based universities and leading immunologists and virologists conducting ground-breaking research into COVID-19 vaccines, treatment and testing. The charges allege Xu and others reported their activities to officers in the SSSB who were supervising and directing the hacking activities. For example, on or about Feb. 19, 2020, Xu allegedly provided an SSSB officer with confirmation that he had compromised the network of a research university located in SDTX. On or about Feb. 22, 2020, the SSSB officer directed Xu to target and access specific email accounts (mailboxes) belonging to virologists and immunologists engaged in COVID-19 research for the research university, according to the allegations. Xu later allegedly confirmed for the SSSB officer he acquired the contents of the researchers’ mailboxes.
Beginning in late 2020, Xu and his co-conspirators exploited certain vulnerabilities in Microsoft Exchange Server, a widely used Microsoft product for sending, receiving and storing email messages, according to the charges. Their exploitation of Microsoft Exchange Server was allegedly at the forefront of a massive campaign targeting thousands of computers worldwide and known publicly as “HAFNIUM.”
In March 2021, Microsoft publicly disclosed the intrusion campaign by state-sponsored hackers operating out of China. In July 2021, the United States and foreign partners attributed the HAFNIUM campaign to the PRC’s MSS, which they and private sector cybersecurity leaders condemned as “indiscriminate,” “reckless,” “irresponsible” and “destabilizing.”
The charges allege victims of Xu’s exploitation of Microsoft Exchange Server were a university located in SDTX and a law firm with offices worldwide, including in Washington, D.C. After exploiting computers running Microsoft Exchange Server, Xu and his co-conspirators allegedly installed web shells on them to enable their remote administration. According to the indictment, these web shells were specific to HAFNIUM actors at the time. As with the earlier COVID-19 research intrusions, Xu and Zhang allegedly worked together on the HAFNIUM intrusions under the supervision and direction of SSSB officers. For example, on or about Jan. 30, 2021, Xu confirmed to Zhang that he had compromised the university’s network, according to the charges, and on or about Feb. 28, 2021, updated an SSSB officer on his successful intrusions. This SSSB officer then directed Xu to obtain a list of other, successful intrusions from a second SSSB officer, according to the allegations. The charges allege unauthorized access to the law firm’s network allowed Xu and his co-conspirators to steal information from mailboxes and search them for information regarding specific U.S. policy makers and government agencies. Their search terms allegedly included “Chinese sources,” “MSS” and “HongKong.”
The announcement of charges against Xu is the latest describing the PRC’s use of an extensive network of private companies and contractors in China to hack and steal information in a manner that obscured the PRC government’s involvement. Operating from their safe haven and motivated by profit, this network of private companies and contractors in China allegedly cast a wide net to identify vulnerable computers, exploit those computers, and then identify information that it could sell directly or indirectly to the PRC government. This largely indiscriminate approach can result in more victims in the United States and elsewhere, more systems worldwide left vulnerable to future exploitation by third parties, and more stolen information, often of no interest to the PRC government and, therefore, sold to other third-parties.
In April 2021, the Justice Department announced a court-authorized operation to remediate hundreds of computers in the United States left vulnerable by HAFNIUM actors.
Quote:Security researchers say Chinese authorities are using a new type of malware to extract data from seized phones, allowing them to obtain text messages — including from chat apps such as Signal — images, location histories, audio recordings, contacts, and more.
In a report shared exclusively with TechCrunch, mobile cybersecurity company Lookout detailed the hacking tool called Massistant, which the company said was developed by Chinese tech giant Xiamen Meiya Pico.
Massistant, according to Lookout, is Android software used for the forensic extraction of data from mobile phones, meaning the authorities using it need to have physical access to those devices. While Lookout doesn’t know for sure which Chinese police agencies are using the tool, its use is assumed widespread, which means Chinese residents, as well as travelers to China, should be aware of the tool’s existence and the risks it poses.
“It’s a big concern. I think anybody who’s traveling in the region needs to be aware that the device that they bring into the country could very well be confiscated and anything that’s on it could be collected,” Kristina Balaam, a researcher at Lookout who analyzed the malware, told TechCrunch ahead of the report’s release. “I think it’s something everybody should be aware of if they’re traveling in the region.”
Balaam found several posts on local Chinese forums where people complained about finding the malware installed on their devices after interactions with the police.
“It seems to be pretty broadly used, especially from what I’ve seen in the rumblings on these Chinese forums,” said Balaam.
The malware must be planted on an unlocked device, and works in tandem with a hardware tower connected to a desktop computer, according to a description and pictures of the system on Xiamen Meiya Pico’s website.
Balaam said Lookout couldn’t analyze the desktop component, nor could the researchers find a version of the malware compatible with Apple devices. In an illustration on its website, Xiamen Meiya Pico shows iPhones connected to its forensic hardware device, suggesting the company may have an iOS version of Massistant designed to extract data from Apple devices.
Police do not need sophisticated techniques to use Massistant, such as using zero-days — flaws in software or hardware that have not yet been disclosed to the vendor — as “people just hand over their phones,” said Balaam, based on what she’s read on those Chinese forums.
Since at least 2024, China’s state security police have had legal powers to search through phones and computers without needing a warrant or the existence of an active criminal investigation.
“If somebody is moving through a border checkpoint and their device is confiscated, they have to grant access to it,” said Balaam. “I don’t think we see any real exploits from lawful intercept tooling space just because they don’t need to.”
Quote:Singapore said on Friday that it was responding to cyberattacks on its critical infrastructure by an espionage group alleged by security experts to be linked to China.
“UNC3886 poses a serious threat to us, and has the potential to undermine our national security,” Coordinating Minister for National Security K. Shanmugam said in a speech. “It is going after high value strategic threat targets, vital infrastructure that delivers essential services.”
He did not give details of the attacks, citing security risks, nor of any consequences.
Google-owned cybersecurity firm Mandiant has described UNC3886 as a "China-nexus espionage group" that has attacked defense, technology and telecommunications organizations in the U.S. and Asia.
Beijing routinely denies any allegations of cyberespionage, and says it opposes all forms of cyberattacks and is in fact a victim of such threats. The Chinese embassy did not immediately respond to a request for comment sent after office hours.
Singapore's critical infrastructure sectors include energy, water, banking, finance, healthcare, transport, government, communication, media, as well as security and emergency services, according to the country's cyber agency.
Reuters earlier this week reported that the Taiwanese semiconductor industry and investment analysts had been targeted by Chinese-linked hackers as part of a string of cyber espionage campaigns.