Sandworm (aka Seashell Blizzard) has an initial access wing called "BadPilot" that uses standard intrusion tactics to spread Russia's tendrils around the world.

Source: Kenishirotie via Alamy Stock Photo

Arguably, no advanced persistent threat (APT) enjoys as much notoriety as Sandworm, otherwise known as Military Unit 74455 within Russia's military intelligence (GRU). Its highlight reel includes NotPetya, an attack against the 2018 Winter Olympics, and two effective assaults on Ukraine's power grid. More recent activities include a campaign against Denmark's energy sector and an unsuccessful attempt to down Ukraine's grid for a third time, followed by a successful attempt.

In a sign of the times, Sandworm has subtly been shifting toward quieter, more widespread intrusions. Microsoft, which tracks the group as "Seashell Blizzard," has identified a subgroup within 74455 focused solely on gaining initial access to high-value organizations across major industries and geographic regions. It calls this subgroup "BadPilot."

**Sandworm's IAB, BadPilot**

Since at least late 2021, BadPilot has been performing opportunistic attacks against Internet-facing infrastructure, taking advantage of known vulnerabilities in popular email and collaboration platforms. Notable examples include Zimbra's CVE-2022-41352, the Microsoft Exchange bug CVE-2021-34473, and CVE-2023-23397 in Microsoft Outlook. All three of these vulnerabilities received "critical" 9.8 out of 10 scores in the Common Vulnerability Scoring System (CVSS).

BadPilot uses these critical vulnerabilities to gain useful initial access to traditionally high-value organizations: telecommunications companies, oil and gas companies, shipping companies, arms manufacturers, and entities of foreign governments. Targets have ranged from Ukraine and broader Europe to Central and South Asia and the Middle East.

Since early 2024, BadPilot has expanded to access targets in the US and UK as well. For this, it has made particular use of bugs in remote monitoring and management software: CVE-2023-48788, for example, a remote injection opportunity in the Fortinet Forticlient Enterprise Management Server (EMS), and the rare 10 out of 10 CVSS-rated CVE-2024-1709, allowing for authentication bypass in ScreenConnect by ConnectWise.

After gaining its foothold on a targeted system, BadPilot follows all the usual steps of any average hacking operation. It promptly establishes persistence using its custom "LocalOlive" Web shell, as well as copies of legitimate remote management and monitoring (RMM) tools, or "ShadowLink," which configures compromised systems as Tor hidden services. It collects credentials, performs lateral movement, exfiltrates data as necessary, and sometimes performs further post-compromise activities.

"There is not a lack of sophistication here, but a focus on agility and obtaining goals," says Sherrod DeGrippo, director of threat intelligence strategy at Microsoft. "These TTPs work because this threat actor is persistent and continues pursuing its objectives."

**The Impact in Ukraine**

Ultimately, BadPilot's job is to lubricate more significant attacks by its parent group, and, by extension, empower its controlling government. While a lot of its activity seems opportunistic, Microsoft wrote, "its compromises cumulatively offer Seashell Blizzard options when responding to Russia's evolving strategic objectives."

It may or may not be a coincidence, for example, that the group came into being just months before Russia's invasion of Ukraine. As that war began, and Russia peppered its neighbor with more cyberattacks than ever before, BadPilot was right in the mix, helping gain access to organizations perceived to be providing political or military support to its adversary. Additionally, Microsoft says, the group has enabled at least three destructive attacks in Ukraine since 2023.

Sandworm has targeted critical infrastructure across Ukraine since the war started, including telecommunications infrastructure, manufacturing plants, transportation and logistics, energy, water, military and government organizations, and other infrastructure meant to support the civilian population. It has also targeted military communities for the purpose of intelligence gathering.

"These threat actors are persistent, creative, organized, and well-resourced," DeGrippo emphasizes. For this reason, "Critical sectors need to ensure that they sustain above-average security practices, patch their software, monitor Internet-facing assets, and enhance their overall security posture."

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

Microsoft: Russia's Sandworm APT Exploits Edge Bugs Globally

When it comes to keeping patient information safe, people empowerment is just as necessary as deploying new technologies.

Source: Yuri Arcurs via Alamy Stock Photos

COMMENTARY

Some say artificial intelligence (AI) has changed healthcare in ways we couldn't have imagined just a few years ago. It's now used for everything from paperwork to helping doctors make better diagnoses. But like any new tech, there are risks involved.

Currently, AI is both a potent defense mechanism and an attacker enabler. Therefore, the question that must be asked is clear: Is AI an enemy or a friend of cybersecurity in healthcare? Honestly, the answer is both.

**AI as the Defender: Enhancing Healthcare Security**

Healthcare systems are rich targets for malicious actors, with considerable protected health information (PHI) spread across interconnected assets such as electronic health records, Internet of Things (IoT)-enabled medical devices, and telehealth platforms. It has been proven that traditional cybersecurity tools often lack the resources and features required to protect such complex ecosystems and, as in different industries, struggle to keep pace with both the volume of data being generated and evolving attack methodologies.

The advantage of machine learning algorithms is that they can find a potential threat before it is serious. AI-powered security tools can detect anomalies in system behaviors, such as unauthorized data transfer or suspicious login activities, and thus proactively prevent a breach. Indeed, several hospitals using AI-powered systems have been able to avert ransomware attacks and maintain operational integrity and patient safety.

Artificial Intelligence is also incomparable in terms of its critical role in reducing administrative burdens and further complying with the Health Insurance Portability and Accountability Act (HIPAA) and other regulations. AI-powered tools, such as virtual assistants and data processing systems, take over administrative work while safeguarding sensitive data. These tools protect PHI and free human resources to focus on patient care.

**AI as the Enabler of Cyber Threats**

While AI hardens the defense, it turbocharges the attacker side, too. In such a way, cyber threats in healthcare have become increasingly sophisticated. The game changed with generative AI tools that let attackers create unbelievably realistic tailor-made emails with perfect grammar and formatting that quickly slipped through traditional security filters.

Deepfakes add another layer to these deceptions: generating hyperreal audio and video that makes an attacker sound like senior health leaders or other trusted voices. These fabrications have been used to deceive staff into granting unauthorized access, sharing PHI, and even making fraudulent financial transactions. In some cases, attackers have used deepfakes to spread false medical information or to undermine public confidence, further destabilizing an already complex threat landscape.

AI-powered malware leverages machine learning to make live changes, evade traditional detection, and zero in on critical systems, such as IoT-enabled devices and electronic health records. Attackers manipulate diagnostic data, alter medical imaging, and gain entry through vulnerabilities in lightly secured IoT devices, enabling them to create avenues to coordinate attacks. Combining AI with IoT could pose a greater threat to patient safety and trust in healthcare systems than just financial losses. 

AI-powered threats sound an alarm for information security, IT, and healthcare leaders. These risks are reshaping the cybersecurity landscape. Preemptive defenses require advanced AI tools, employee training, and collaboration across cross-functional teams. This would, in turn, involve policy and detection system reviews to grant top priority for countering AI-impelled social engineering and malware. Constantly being one step ahead of the bad actors requires constant vigilance, innovative thinking, and a core commitment to data safety and patient care.

**Balancing AI's Potential with Realistic Implementation**

As an expert or executive, you face the critical decision of managing the promise of AI and the risk it further introduces into an already overcomplicated cybersecurity landscape. AI is not the Holy Grail; it's a tool that can be used for and against us. AI’s transformative potential in healthcare and security comes from how it is implemented, so leaders must approach its adoption with a balanced perspective. They should be excited yet cautious, knowing full well that attackers are leveraging the very same technology to undermine our systems, data, and trust.

In my experience, the excitement around adopting AI tools like transcript generators, grammar checkers, or automated note-taking systems often takes precedence over critical security assessments. I have seen teams advocate for rapid implementation to save time and resources without assessing the risks; common questions such as where the data is stored, how it is processed, or if the vendor is compliant often are not asked. This rush to embrace convenience creates gaps that attackers can exploit, especially in healthcare, where even minor oversights can lead to significant breaches of PHI or personally identifiable information (PII).

Deepfakes, adaptive malware, and the exploitation of IoT devices, all powered by AI, require a new type of thinking to address these threats — one that changes from legacy defenses or even leading-edge AI-powered tools to placing those tools within an extended proactive security framework encompassing audits, employee training, and reliable governance. For that to happen, health workers and administrators must be empowered to recognize sophisticated attacks, faked video calls, or some other unexpected data transfer AI flagged up. People empowerment is just as necessary in deploying new technologies.

Drive collaboration between IT, security, and clinical teams in developing customized strategies for technical vulnerabilities and operational realities. This means vigilance, from systems monitoring to continuing review of AI's evolving role in your institution.

Safeguarding healthcare systems includes protecting the trust and well-being of the patients it cares for and its entire community. This depends entirely on the type of leadership that doesn't just react to threats but proactively takes bold measures to mitigate risks before they spread. Security embedded in all facets of the organization should ensure continuity of critical operations and uncompromised care of the patients by leaders in healthcare.

**About the Author**

Lead Security Engineer, C4HCO

Claudio Gallo is a lead security engineer of the Colorado Marketplace Exchange, dedicated to protecting critical information in the healthcare and insurance industries. With expertise in application security, cloud architecture, and compliance, Claudio designs innovative strategies to safeguard sensitive data and ensure trust in important services. Passionate about making a meaningful difference, he is equally committed to mentoring aspiring professionals in the information security industry, sharing knowledge, and fostering the next generation of cybersecurity talent.

Is AI a Friend or Foe of Healthcare Security?

More than half of attacks on Indian businesses come from outside the country, while 45% of those targeting consumers come from Cambodia, Myanmar, and Laos.

Source: NicoElNino via Shutterstock

India continues to see a surge in cybercrime affecting both citizens and businesses, with cyber fraud against citizens jumping 51% over the past year and cyberattackers targeting businesses in volumes significantly higher than global averages.

Overall, Indian citizens filed more than 1.7 million cybercrime complaints in 2024, up from 1.1 million complaints in 2023, according to the latest data from India's National Cyber Reporting Platform (NCRP) released in early February. While many of those cyber scams came from domestic sources, about 45% of the cyberattacks came from cybercriminal havens in Cambodia, Myanmar, and Laos, according to the report.

The problem underscores the dark side of increasing access to online services. While the country is digitizing many of its government services — giving citizens easier access — crime has followed online, President Droupadi Murmu said during a speech to Parliament on Jan. 31.

"\[I\]n an increasingly digital society, cybersecurity has become a crucial issue of national importance," Murmu said. "Digital fraud, cybercrime, and emerging technologies like deepfakes pose challenges to our social, economic, and national security."

India's citizens are not the only targets of cybercriminals — business sites increasingly face online attacks. Cyber-risks and digital/technology risks are the most pressing concerns for companies in India, with businesses in the region prioritizing those issues more than their global counterparts, according to PricewaterhouseCoopers' "2025 Global Digital Trust Insights — India Edition."

Source: PricewaterhouseCoopers, "2025 Global Digital Trust Insights — India Edition"

"Over the next 12 months, Indian organizations are prioritizing the mitigation of three key risks: cyberthreats, digital vulnerabilities and inflation," PwC India stated in the report. "This focus highlights the critical need for robust cybersecurity, reliable technological infrastructure, and strategies to counter rising costs and ensure resilience and sustained growth."

**Businesses See Different Threat Profile**

Compared with other regions of the world, India is seeing a greater volume of attacks. The average website in India sees about 6.9 million unwanted requests — often referred to as "attacks" by vendors — every year, with 26% more attacks per site compared with the global average, according to Indusface. Denial-of-service attacks are also more common against Indian targets, compared with the global average, says Venky Sundar, founder and president for the Americas at Indusface.

The threat actors have gone mobile-first, with API servers for mobile applications targeted with 43% more requests per host compared with websites, he says.

There is "a shift in attack strategies towards disrupting mobile and connected services," Sundar says. "Cybercrime is increasingly targeting external-facing APIs associated with mobile apps rather than just traditional web platforms."

The attacks are split fairly evenly between domestic sources and global ones, he adds. Overall, about half of the malicious traffic targeting company sites and API servers are domestic, with much of the rest coming from four countries: US, France, UK, and Singapore.

**Government Moves to Protect Citizens**

The government is currently taking steps to make life harder for attackers. The Reserve Bank of India (RBI), for example, has created exclusive Internet domains for banks (bank.in) and for non-bank financial institutions (fin.in), which will be run by the Institute for Development and Research in Banking Technology (IDRBT). India also passed its first privacy and data-protection law in 2023, and drafted implementation rules last month, which together define the rights of Indian citizens and requirements for companies handling data.

India and the US also recently signed a memorandum of understanding (MoU) that allows the two countries to cooperate on intelligence gathering, the exchange of information on cybercrime cases, and collaborative training. India has also fought to rescue and repatriate its citizens from forced labor camps for criminal syndicates in Cambodia, Myanmar, and Laos, where they are forced to conduct a variety of online scams.

Yet the country still faces a shortage of cybersecurity professionals. In September, the government announced an effort to train 5,000 "cyber commandos" over the next five years, to help national and state governments with cyber investigations.

Training citizens in cybersecurity can have additional benefits, President Murmu said in her remarks to Parliament.

"My government has taken numerous measures to control these cyber threats, creating opportunities for employment in the field of cybersecurity for the youth \[and\] is continuously working to ensure competence in cybersecurity," she said, noting that the country has reached Tier 1 status in the International Telecommunication Union's Global Cybersecurity Index.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

India's Cybercrime Problems Grow as Nation Digitizes

The analyst firm recommends defining security and governance processes while reducing friction for business stakeholders.

Source: Yay Media AS via Alamy Stock Photo

NEWS BRIEF

Only 14% of security and risk management leaders can effectively secure organizational data assets while also enabling the data to achieve business objectives, according to Gartner. In a recent survey, Gartner found that 35% of respondents secure data assets and 21% use data to achieve business goals, but only one in seven (14%) could do both effectively.

This gap exposes organizations to threats, regulatory penalties, and operational inefficiencies, Gartner said. The analyst firm outlined five recommendations for organizations to address the gap:

*   Reduce governance-related friction for the business. Use a well-established process to co-create data security polices and standards.
    
*   Align data-security-related governance efforts. Partner with other internal functions to identify overlaps.
    
*   Delineate non-negotiable security requirements that business groups must meet when handling data security risks.
    
*   Define high-level guardrails around GenAI-related decisions. Allow business groups to experiment within clearly set parameters.
    
*   Work jointly with data and analytics teams. Secure top-down buy-in on data security initiatives.
    

**About the Author**

Dark Reading

The Edge is Dark Reading's home for features, threat data and in-depth perspectives on cybersecurity.

Gartner: Most Security Leaders Cannot Balance Data Security, Business Goals

The combined companies will create a seamless ecosystem of trust, governance, risk, and compliance.

Source: Srabin via iStock Photo

NEWS BRIEF

Drata, a trust management platform provider, announced plans on Tuesday to acquire SafeBase to streamline security reviews, strengthen vendor risk management, and maintain customer trust through continuous compliance. The acquisition, valued "at a quarter of a billion dollars," according to a company spokesperson, is expected to close by the end of the month.

Stricter regulatory requirements, increased cloud adoption, and growing dependency on artificial intelligence tools are driving market demand for a "full stack" Trust Management platform, Drata said in a statement. The companies have a "shared vision of being the go-to 'trust layer' between companies," Drata said. The goal is to create a comprehensive trust management platform, combining Drata's compliance automation and vendor risk management capabilities with SafeBase's Trust Center Platform, which streamlines security questionnaires.

SafeBase, founded in 2020 by CEO al Yang and CTO Adar Arnon, helps customers fill out security questionnaires before buying a new piece of software or hardware. These questionnaires can be time-consuming and difficult to complete, especially for more complex products. SafeBase can reduce the time spent on inbound security questionnaires by up to 98%, according to Drata. The company, which raised $33 million in a Series B round last April, counts organizations including CrowdStrike, HubSpot, LinkedIn, T-Mobile, Twilio, and "one-third of the Cloud 100" as customers.

**About the Author**

Drata Acquires SafeBase to Strengthen GRC Portfolio

But there's plenty in it — including two zero-days — that need immediate attention.

Source: Somphop Krittayaworagul via Shutterstock

Microsoft's February security update contains substantially fewer vulnerabilities for admins to address compared to a month ago, but there's still plenty in it that requires immediate attention.

Topping the list are two zero-day vulnerabilities that attackers are actively exploiting in the wild, two more that are publicly known but not exploited yet, a patch for a zero-day that Microsoft disclosed in December 2024, and an assortment of other common vulnerabilities and exposures (CVEs) with potentially severe consequences for affected organizations.

**63 CVEs, 2 Zero-Days**

In total, Microsoft released patches for 63 unique CVEs, a far cry from the massive 159 CVEs — including a startling eight zero-days — that the company disclosed in January. Microsoft assessed four of the bugs it disclosed today as being of critical severity. It rated the vast majority of the remaining bugs as important to address but of lesser severity for a variety of factors, including attack complexity and privileges required to exploit the vulnerability.

The two actively exploited zero-day bugs in this month's update are CVE-2025-21418 (CVSS score 7.8), an elevation of privilege vulnerability in Windows Ancillary Function Driver for WinSock, and CVE-2025-21391 (CVSS 7.1), another elevation of privilege issue, this time affecting Windows Storage. Per its usual practice, Microsoft's advisories for both bugs offered no details on the exploitation activity. But security researchers had their own take on why organizations need to address the issues ASAP.

CVE-2025-21418, for instance, only enables a local exploit. That means an attacker or malicious insider must already have access to a target machine, via a phishing attack, malicious document, or other vector, said Kev Breen, senior director, cyber threat research, at Immersive Labs. Even so, such flaws are "valuable to attackers as they allow them to disable security tooling, dump credentials, or move laterally across the network to exploit the increased access," Breen said in an emailed comment. An attacker who successfully exploits the flaw can gain SYSTEM level privileges on the affected system, he said, while recommending that organizations make the vulnerability a top priority to fix.

With CVE-2025-21391, the Windows Storage zero-day, the concern is not about the flaw enabling unauthorized data access; rather, the concern is about how attackers could exploit it to affect data integrity and availability. "Microsoft has outlined that if the attacker successfully exploited this vulnerability, they would only be able to delete targeted files on a system," said Natalie Silva, lead cyber security engineer at Immersive Labs, in an emailed comment. "Microsoft has released patches to mitigate this vulnerability. It's recommended for administrators to apply these immediately."

In a blog, researchers at Action1 described the flaw as resulting from a weakness in how Windows Storage resolves file paths and follows links. Attackers can leverage the weakness to "redirect file operations to critical system files or user data, leading to unauthorized deletion," the security vendor said.

Breen recommended that organizations also treat CVE-2025-21377, an NTLM hash disclosure spoofing vulnerability, as a high priority bug that needs immediate attention. When Microsoft originally disclosed the bug in December 2024, it did not have a patch available for it, making the flaw a zero-day threat. "The vulnerability allows a threat actor to steal the NTLM credentials for a victim by sending them a malicious file," Breen said. "The user doesn't have to open or run the executable but simply viewing the file in Explorer could be enough to trigger the vulnerability." Microsoft itself has assessed the vulnerability as something that threat actors are more likely to exploit

The other previously disclosed vulnerability in the February patch update is CVE-2025-21194, a security feature bypass vulnerability in Microsoft Surface.

**Critical Flaws**

The flaws that Microsoft rated as being of critical severity in this latest update are CVE-2025-21379 (CVSS Score 7.1), an RCE in the DHCP client service; CVE-2025-21177 (CVSS Score 8.7), a privilege elevation vulnerability in Microsoft Dynamics 365 Sales; CVE-2025-21381 (CVSS 7.8), a Microsoft Excel RCE; and CVE-2025-21376 (CVSS 8.1), an RCE in Windows LDAP and the only one in the set that Microsoft identified as more vulnerable to exploitation.

Interestingly, one of the flaws that Microsoft rated as critical (CVE-2025-21177) required affected customers to do nothing, but it is an issue that Microsoft has already addressed on its end. This vulnerability makes use of the newer CAR (customer action required) attribute to identify that there is no customer actions required, says Tyler Reguly, associate director security R&D at Fortra. "While these information updates are nice, they can bloat the number of updates that admins may be worried about dealing with on a Patch Tuesday," Reguly said in an emailed comment. "One can't help but wonder if these updates should be issued outside of Patch Tuesday since they do not require customer action."

Meanwhile, the only CVE to earn a severity score of 9.0 in this month's update — (CVE-2025-21198) — is an RCE affecting Microsoft High Performance Compute (HPC) Pack. An attacker cannot exploit the flaw unless they have access to the network used to connect to the high-performance cluster, Reguly said. "This networking requirement should limit the impact of what would otherwise be a more serious vulnerability."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Microsoft's February Patch a Lighter Lift Than January's

The vulnerability could allow a threat actor to disable the security feature on a locked device and gain access to user data.

Source: Simon Dack via Alamy Stock Photo

NEWS BRIEF

Apple has released a security update for a vulnerability that the tech giant reports may have been exploited in an "extremely sophisticated attack."

Not only that, but these attacks targeted specific individuals, though Apple has not provided any further information.

The vulnerability, tracked as CVE-2025-24200, could allow for a physical attack to disable USB Restricted Mode on a locked device.

USB Restricted Mode is a feature that makes it more difficult for threat actors to unlock a user's phone. When active, a phone's lightning port will only allow charging after the device has been locked for more than an hour, meaning that if an unauthorized actor attempted to connect a locked iPhone to a device to access its data, they could only do so with the necessary credentials.

The security update to fix this vulnerability is available for iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch third generation and later, iPad Pro 11-inch first generation and later, iPad Air third generation and later, iPad seventh generation and later, and iPad mini fifth generation and later.

Users of any of these devices should install updates as soon as possible and can check if they're updated to the latest software version by going to their settings.

These kinds of vulnerabilities are usually deployed by commercial spyware vendors, such as Pegasus, to target particular individuals, so the average user shouldn't be concerned about being targeted while the details of the attack remain unpublished. However, if they are published, copycat cybercriminals will try to imitate this attack vector, hence the urgency in updating to the latest version.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

Apple Releases Urgent Patch for USB Vulnerability

The staffers were tasked with building relationships on the ground across the country in local election jurisdictions, teaching election officials tactics on mitigating cyber threats, cyber hygiene, combating misinformation and foreign influence, and more.

Source: Rob Crandall via Alamy Stock Photo

NEWS BRIEF

The US Cybersecurity and Infrastructure Security Agency (CISA) has placed 17 staffers who worked with local officials to provide training on dealing with election-related cyber threats on leave.

This leave is pending an internal review, which will examine the staffers' work to combat cyber threats from foreign governments, and efforts to influence US elections with disinformation campaigns.

Ten of the employees are regional election security specialists, specifically hired to grow field staff and election security knowledge before the 2024 election. All 17 employees were former state or local election officials who were tasked with building relationships across 8,000 different local election jurisdictions across the country.

The other staffers that have been placed on leave include current and former members of CISA's Election Security and Resilience team, a leave that is also pending review of the agency's work to combat misinformation and disinformation campaigns. 

Some elected state officials have been particularly outspoken about the benefits that CISA's work has provided in securing election offices and mitigating cyber threats, such as Kentucky Secretary of State Michael Adams, who applauded the "boots on the ground" tactics CISA implemented, and the relationships its employees built with county clerks. 

"They're teaching them and helping them check their physical security and their cyber hygiene, and that's been extremely popular," said Adams.

For now, the reviews only heighten questions and concerns over the future of the agency in this second Trump administration, especially considering the lack of a replacement for Jen Easterly as CISA director.

The first Trump administration went head-to-head with CISA when the agency aimed to counter misinformation about the 2020 election, which then-president Trump and his allies deemed as "stolen" without evidence. That included the firing of CISA Director Chris Krebs, who called the 2020 presidential election the most secure election in American history.

**About the Author**

Skilled writer and editor covering cybersecurity for Dark Reading.

CISA Places Election Security Staffers on Leave

State-led data privacy laws and commitment to enforcement play a major factor in shoring up business data security, an analysis shows.

Source: Oleckii Mach via Alamy Stock Photo

States are increasingly embracing data privacy regulation, and Kentucky, Rhode Island, and Tennessee are leading the charge. That has earned them high marks from security experts and landed them at the top of the list of states with the lowest rates of data breaches.

These three states are effectively protecting data because of a dual approach of drafting smart data privacy legislation, and then enforcing those laws when appropriate, according to Anonta Khan, who is with DesignRush, the firm that conducted the state data privacy study. Conversely, South Dakota (which got the lowest safety score in the survey, 65.14 out of 100) and Alaska (66.50) rank at the bottom.

"Some states, like Kentucky (the highest rated at 99.32) and Rhode Island (97.14), do a good job protecting data," Khan says. "They have fewer cybercrimes and data leaks. Others, like South Dakota and Alaska, have weak laws and a lot of cyber threats."

However, she stresses, "having strong laws doesn't always mean a state is safe."

It's more nuanced than that.

**Higher Safety Scores Don't Mean Less Cybercrime**

In general, the results of the study suggest that states with less data breach regulation tend to have higher rates of cybercrime overall. That includes Nevada (with a safety score of 77.64), which last year logged 309.7 cyber incidents per 100,000 people, which is more than triple the national average. But there are other contributing factors. Nevada, for instance, has businesses that are attractive targets for hackers, like casinos, Kahn points out.

Related:CISA Places Election Security Staffers on Leave

Going further, California (89.3) has strong privacy laws but high cybercrime rates; that's because hackers are consistently targeting the state's tech sector, Khan explains. Delaware is another state with strong privacy laws that is likewise plagued by high rates of data breaches, being the state where most financial lending services are incorporated.

The takeaway? "This shows that laws need to be enforced well," Khan says.

A similar report from the Electronic Privacy Information Center (EPIC) in late January outlined areas where states should, in its view, take a more aggressive position against companies leaking personal data. And state governments appear to be moving in that direction, with a new wave of reform efforts on the horizon.

**New State-Led Data Privacy Efforts Are Brewing**

Delaware, for example, has kicked off 2025 with its new Data Privacy Protection Act going into effect. Other states, including Iowa, Nebraska, New Hampshire, and New Jersey, are also adding fresh data privacy laws this year and increasing enforcement budgets.

Related:DeepSeek AI Fails Multiple Security Tests, Raising Red Flag for Businesses

States like Texas have also provided a model for aggressive data privacy regulation enforcement. On Jan. 13, Texas Attorney General Ken Paxton filed suit against the Allstate insurance company for what he alleges was an effort to skirt his state's data privacy rules and track citizens' data without consent.

As these new laws come online, Khan and others are optimistic that data privacy practices are improving across the US, thanks to re-upped efforts at the state level. Moving forward, these laws will be tailored to fit emerging technology use cases, Khan adds.

"Artificial Intelligence (AI) is also becoming a bigger issue," Kahn says. "Colorado's Anti-Discrimination in AI Law starts in 2026, and other states are considering similar rules. Meanwhile, lawsuits over website tracking, biometric data, and online privacy will continue in 2025."

Regardless of state of residence, companies should look at this new era of data privacy protection as an opportunity, according to Ojas Rege, senior vice president and general manager of privacy and data governance at OneTrust.

"With 20 distinct US data privacy laws enacted — all with different requirements and obligations — this is a risk most organizations won't want to take," Rege says. "By moving off spreadsheets, bringing in automation, and designating a senior data privacy leader, organizations can proactively comply with the current wave of US state privacy laws. Adopting AI responsibly also requires an effective data privacy program as a starting point and foundation."

Related:XE Group Shifts From Card Skimming to Supply Chain Attacks

**About the Author**

Dark Reading

Becky Bracken is a veteran multimedia journalist covering cybersecurity for Dark Reading.

Data Leaks Happen Most Often in These States — Here's Why

Salt Typhoon underscores the urgent need for organizations to rapidly adopt modern security practices to meet evolving threats.

Source: vska via Alamy Stock Photo

COMMENTARY

The Chinese-linked hacking group Salt Typhoon recently was detected lurking in major US telecommunication systems, exposing nearly every American's communications to Chinese intelligence and security services. 

In response, on Dec. 4, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI issued a joint statement recommending that American citizens and companies adopt end-to-end encrypted communication tools to avoid exposing sensitive information to China. While this advice is prudent to secure communications, hasty adoption of these technologies could result in regulatory noncompliance for organizations in highly regulated industries. These organizations should carefully examine both their security risk and regulatory obligations as they adopt new security solutions.

**Background: Salt Typhoon**

Salt Typhoon exploited legacy systems throughout the telecommunications industry that were too old to implement modern cybersecurity practices, with some parts dating back to the late 1970s. Commonly accepted baseline cyber protections like multifactor authentication were not implemented. While the scope of this attack is widespread, including voice calls and SMS messages, US intelligence officials noted that communications within encrypted communication applications such as Apple's iMessage, Meta's WhatsApp, and Signal were not exposed.

Salt Typhoon marks one of the most sophisticated attacks on US critical infrastructure in history. US officials have concluded that every major telecommunications provider has been implicated. China remains the most active and persistent cyber threat to the United States, and the Salt Typhoon campaign marks one of the most sophisticated attacks on US critical infrastructure in history. 

**Security vs. Compliance: Adopting End-to-End Encryption Technologies**

US cybersecurity and intelligence officials advised companies and individuals to adopt end-to-end encrypted applications for communications where only the sender and the intended recipients can access the content of the communication. End-to-end encryption works by securing the content of communications using cryptographic keys at both the sender and recipient. The end result is data in transit is secure, rendering the contents of any intercepted or compromised communications indecipherable without the cryptographic key, including by Internet service providers and telecommunications companies — and foreign hackers targeting those entities.

While end-to-end encrypted applications provide obvious advantages for security, many are not designed to comply with the data retention and access requirements imposed upon certain highly regulated industries. 

In the financial services sector, Securities and Exchange Commission (SEC) Rule 17a-4(b)(4) requires that communications received and sent by a member, broker, or dealer that relate to the business of an organization are to be retained for at least three years. Additionally, Section 802 of the Sarbanes-Oxley Act requires accountants who audit or review financial statements to retain records, which include any communications relevant to the audit or review. 

In the healthcare sector, Section 164.312(e) of the Health Insurance Portability and Accessibility Act (HIPAA) requires that covered entities implement technical safeguards to prevent unauthorized access to electronic protected health information (ePHI) that is being transmitted over an electronic communications network. Many encrypted communications applications restrict a covered entity's ability to monitor for or audit unauthorized disclosure of ePHI. Additionally, Section 164.350(j) of HIPAA requires that covered entities retain documentation of any communications containing ePHI for at least six years. 

**Recommendations**

As Salt Typhoon has revealed, unsecured communications of executives and employees across every sector may be targeted by Chinese intelligence services for exploitation. In this new environment, balancing communications security with compliance can be challenging. To appropriately navigate these risks, organizations in every sector should consider three things.

First, organizations should implement end-to-end encryption for all business communications internally and, to the greatest extent practicable, externally. There are numerous mobile and desktop applications currently available that are designed to serve this purpose. For companies in regulated industries, it is important to also consider regulatory retention, monitoring, and auditing requirements when considering these tools. Such organizations should seek to implement solutions that can ensure appropriate encryption standards for messaging, collaboration, and voice and video calls specifically configured to allow for auditing and data preservation. 

Second, organizations should implement policies and procedures to guide the use of encrypted communications. For example, many encrypted communication applications allow users to individually establish time-based purge rules for messages. While valuable for information security, this could render an organization non-compliant with data retention and audit requirements. Where possible, such functions should be disabled for individuals and archiving tools should be in place. Additionally, employees should receive regular training on communications security and regulatory compliance.

Third, a key lesson from Salt Typhoon is that baseline cybersecurity measures still provide meaningful defenses against malicious parties. Cybersecurity measures such as multifactor authentication, use of password managers, encrypting data at rest and in motion, and ensuring that all software and hardware are modern and equipped with the latest updates will give organizations a much stronger cybersecurity posture. 

**Conclusion**

Salt Typhoon underscores the urgent need for organizations to rapidly adopt modern security practices to meet evolving threats. However, in doing so, organizations need to balance the security imperatives with their regulatory obligations. 

**About the Authors**

Co-Leader, Cybersecurity and Data Privacy Practice Group, Buchanan Ingersoll & Rooney

Michael McLaughlin is the co-leader of Buchanan Ingersoll & Rooney’s Cybersecurity and Data Privacy practice group. Michael advises clients in matters involving cybersecurity, public policy, and government relations. Michael helps clients navigate the complexities of cybersecurity, data privacy and the related regulatory landscape. Michael is the co-author of Battlefield Cyber: How China and Russia Are Undermining Our Democracy and National Security.

Jillian Cash, Associate, Corporate Section, Buchanan Ingersoll & Rooney

Jillian Cash is an associate Buchanan’s Corporate Section, where she focuses on a variety of corporate, transactional, and cybersecurity matters.

Kellen Carleton, Associate, Corporate Finance and Technology Group, Buchanan Ingersoll & Rooney

Kellen Carleton is an associate in Buchanan’s Corporate Finance and Technology group where he focuses on a variety of corporate, transactional, and cybersecurity matters.

Source

DARKReading