Japan is on a mission to catch up to the US standard of national cyber preparedness, and its new legislation is a measure intended to stop escalating Chinese cyber-espionage efforts, experts say.

Source: Sean Pavone via Alamy Stock Photo

The Japanese government is on a mission to catch up to US national cybersecurity preparedness standards and has just passed bold legislation aimed at bolstering the country's cyber-response capabilities.

Together, the two articles of legislation constitute what's referred to as the Active Cyber Defense Bill, which enables the Japanese government to take more aggressive measures to stop cyberattacks before they can cause widespread damage.

After some delays in 2024, the bill was finally presented to, and approved by, the country's leading Liberal Democratic Party (LDP) last month. On Feb. 7, it was approved by the Cabinet (which consists of the prime minister and up to 19 other ministers), and was in turn submitted to the National Diet, Japan's parliament.

The passage of the law follows a warning in January from Japan's national police that Chinese state-backed threat actor MirrorFace has been committing wide-scale cyber espionage since 2019 in an effort to steal Japan's national security secrets.

"The country is grappling with a mix of state-sponsored attacks, particularly from neighboring nations, and criminal activity targeting its advanced industrial base," Bugcrowd founder Casey Ellis explains. "Ransomware, supply chain attacks, and IP espionage (e.g., MirrorFace) are all high on the list, as are concerns around prepositioning attacks against critical infrastructure and the defense industry. Its move toward legalizing 'active cyber defense' is a bold step and, to me, is a reflection of the country's delicate geopolitical and geographic position."

**Japan Faces Cyber-Defense Hard Truths**

The overhaul of Japan's cyber-readiness efforts dates back to April 2022 and is a wake-up call delivered to the country's leadership by former US Director of National Intelligence Dennis C. Blair. He was sharply critical of the country's cybersecurity efforts, and this distressed Japanese lawmakers so much that his message left them in what is now known as "Blair Shock."

Blair told Tokyo's government a hard truth: that its cybersecurity preparedness just wasn't up to the standard of its allies in North America and Europe. To amend that, he suggested the government establish new positions and agencies equivalent to those in the US, such as the US Cyber Command and the executive position of National Cyber Director.

Then-Prime Minister Fumio Kishida's administration took the criticism to heart. As soon as it had the opportunity that December, it released a new National Security Strategy with new goals for improving cybersecurity response capabilities. Most notably, the government introduced what it called "active" cyber defense, "for eliminating in advance the possibility of serious cyberattacks that may cause national security concerns to the Government and critical infrastructures and for preventing the spread of damage in case of such attacks, even if they do not amount to an armed attack." In short: identifying the source of a cyberattack early, and defeating it before it can cause serious harm.

In case that sounds a bit like government overreach, lawmakers have since clarified how exactly its active cyber defense will work.

Roughly speaking, the first half of the Active Cyber Defense Bill defines the more passive changes Japan will implement in its national cyber posture.

Among other things, the bill establishes a cybersecurity council and a committee overseeing information gathering and analysis. It requires that critical infrastructure providers report cybersecurity incidents and imbues the prime minister's office with new power to collect certain relevant information through telecommunications providers. It also lays out restrictions on how the government can use that collected data and what sensitive information must be filtered out.

The second piece of legislation introduces more active measures for ensuring Japan's cyber defense.

The military will enjoy new powers to actively protect both its systems and certain systems associated with the US military presence in its borders. And, notably, law enforcement will be hiring new "cyber harm prevention officers," whose job will be to proactively address major cyber threats by, for example, shutting down enemy servers during an incident. When time is short, the prevention officers may act even without explicit approval from relevant oversight bodies.

Ellis says that "the idea of 'vigilante hacking' is controversial but not without merit in specific, controlled scenarios. It signals a shift toward a more proactive stance, which is arguably overdue given the evolving threat landscape."

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

Japan Goes on Offense With New 'Active Cyber Defense' Bill

Sean Cairncross will be one of the primary advisers to the administration on national cybersecurity matters.

Source: Nimneth X via Shutterstock

President Donald Trump reportedly will nominate Sean Cairncross, former chief operating officer of the Republican National Committee (RNC), as the new head of the Office of the National Cyber Director (ONCD), according to multiple reports.

Cairncross's name apparently was mentioned in a list of planned White House nominees for various posts in the administration obtained by Politico, Axios, and other media outlets.

As national cyber director, Cairncross will play a key role in developing and shaping US cybersecurity policies in the new administration.

The ONCD serves as one of the principal advisers to the president on cybersecurity matters. Unlike the US Cybersecurity and Information Security Agency (CISA), which handles operational cybersecurity and directly engages with federal agencies, ONCD's primary mission is to develop a high-level, whole-of-nation cybersecurity strategy. Among other things, the ONCD led the development of President Joe Biden's National Cybersecurity Strategy of March 2023.

**Influential Role**

In his new role, Cairncross would be responsible for coordinating national cybersecurity policy, advising the president on cyber threats, and ensuring a unified federal response to emerging cyber-risks. He would share responsibility for advising the president on cyber matters, along with the director of cyber at the White House National Security Council (NSC) — a group that advises the president on all matters security related, and not just cyber.

Cairncross is a former RNC official and CEO of the independent US foreign aid agency Millennium Challenge Corporation (MCC). He brings considerable political experience but lacks formal cybersecurity credentials.

As CEO of the MCC from 2019 to 2020, Cairncross oversaw the agency's efforts to alleviate poverty through economic growth in developing nations. Before that, he was deputy assistant to President Trump and senior adviser to the White House chief of staff, and had served as chief operating officer (COO) of the RNC during the 2016 election cycle.

If confirmed, Cairncross fills the role formerly held by Harry Coker Jr., a former CIA senior executive and career Naval officer who served as the White House national cyber director from December 2023 to January, 2025. Coker now serves as Maryland Department of Commerce Secretary after his appointment by Maryland Governor Wes Moore in late January.

Meanwhile, Politico last week reported that Trump had appointed Alexei Bulazel, a former security researcher at Apple and former director of the NSC, as the new senior director for cyber at the Council. If true, that would make Cairncross the second high-level cybersecurity appointment that Trump has made since taking office on Jan. 20.

**Evolving Cybersecurity Strategies**

The nomination of Cairncross as national cyber director marks a significant development in the Trump administration's still nascent but evolving cyber strategy. In just four weeks in the White House, Trump has implemented changes that have sent ripples through the cybersecurity industry.

One of his first acts in office was to rescind a Biden administration executive order that required developers of major artificial intelligence projects and systems to adhere to safety and ethical guidelines. He has, however, left two other Biden cybersecurity executive orders untouched thus far: EO 14111, Strengthening and Promoting Innovation in the Nation's Cybersecurity; and EO 14028, Improving the Nation's Cybersecurity.

Almost immediately after taking office, the Trump administration terminated advisory committee members within the US Department of Homeland Security (DHS). That included members of CISA's Cyber Safety Review Board (CSRB), which among other things was investigating Chinese group Salt Typhoon's attacks on US critical infrastructure.

The Trump administration's moves have impacted CISA as well. Earlier this week, 17 CISA staffers involved in efforts to combat election-related threats were placed on leave pending an internal review of their work. In a report last week, NPR quoted unnamed CISA staffers as saying they had received deferred resignation offers as part of the Elon Musk-led Department of Government Efficiency's (DOGE) efforts to cut costs across the federal government.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

President Trump to Nominate Former RNC Official as National Cyber Director

The open technology, which tackles disinformation, has gained steam in the past year, surpassing 500 corporate members and continuing to evolve.

Source: Tero Vesalainen via Shutterstock

When armed gangs raided a Haitian prison and released 4,700 prisoners last March, images and videos showing the violence and gunfire saturated social media around the world. Determining which graphic media was authentic — and marking those instances in a way that future viewers could verify for themselves what was real and what was modified — was a significant challenge.

Showcasing a solution to exactly that problem, the British Broadcasting Corporation (BBC) launched its adoption of Content Credentials, a technology for attesting to the authenticity and provenance of digital content, by using the technology to verify a TikTok video of the attack. The BBC verified the location of the video and its likely veracity, but it determined that audio of gunfire had been added after the fact. The company then digitally signed the video so that future viewers would know the BBC had verified it.

Content Credentials — an open technology that aims to solve disinformation and media integrity issues — is being developed by the Coalition for Content Provenance and Authenticity (C2PA), a group of more than 500 media, software, and hardware companies working to create an ecosystem for verified media.

The BBC's adoption of Content Credentials is just one use case but an important one, says Andy Parsons, senior director of the Content Authenticity Initiative (CAI) at Adobe and a steering committee member of the C2PA.

"The BBC \[is\] declaring that — regardless of whether this is a photo or whether AI was used to do a photo illustration — you can be guaranteed that it came from BBC, and even that simple proof-of-date or proof-of-origin is something we don't have in media right now," Parsons says.

In 2019, technology and media companies created the CAI to find solutions to disinformation and ways for news organizations to authenticate photos and video. Two years later, six companies — Adobe, Arm, BBC, Intel, Microsoft, and Truepic — founded the C2PA to pursue an open standard for establishing the provenance of various types of media files. The two efforts eventually combined forces to advance Content Credentials, a digital-signature technology and infrastructure for verifying and authenticating media.

In the past year, Content Credentials and the C2PA gained significant steam, with the addition of Amazon, Google, Meta, and OpenAI to the steering committee and the adoption of the technology by several camera makers — including Canon, Leica, and Sony — and smartphone makers, such as Samsung.

Yet the ecosystem is still in its infancy, Christian Paquin, a principal research software engineer at Microsoft, told attendees at last month's ShmooCon 2025.

"You can imagine the situation in five to 10 years when this technology is baked in a lot of the trusted news and a hardware ecosystem that can produce these signatures and can be validated by the social media themselves or the browsers, so that we can really have trust signals to differentiate what's real and what's not," he said.

**Manifest Destiny**

Content Credentials have three main components: the media data, a manifest describing the data and any actions transforming the data, and a digital signature binding the two pieces of information together in a tamper-evident way. The manifest includes typical metadata, as well as some additional C2PA-accepted fields — attestations — that can describe additional attributes of the photo, its source, and the software actions used to process the data.

Based on public-key encryption and digital signatures, Content Credentials act as an audit log of every action performed on a piece of media. A photo could be captured with a smartphone, cropped and lightened with photo-editing software, and then compressed by a content delivery network. Each of those steps would be an attestation in the manifest of the signed content credential.

A video signed with a Content Credential shows that it originated with the BBC News Lab. Source: https://contentcredentials.org/verify

The result is providing an audit trail with each piece of authenticated content, which could help citizens and users better know what is fake and what is arguably real, Adobe's Parsons says.

"All the companies involved — and I would lump in civil society and some governments as well — have a real urgency to solve this problem," he says. "And while C2PA is not a silver bullet at solving misinformation, it does put in place a fundamental foundational layer that the Internet probably should always have had around trust, and this is a really nice clean way to do it."

Already, most makers of foundational artificial intelligence (AI) models — such as Open AI, Meta, and Microsoft — digitally sign all images created by their image-generation models with a Content Credential, indicating that it was AI generated or manipulated.

**An Evolving Standard**

The technology is not done, either. The C2PA specification has quickly evolved over the past three years, reaching version 2.1 in September. Among the new features are efforts to make the credentials more "durable" — in other words, adopting techniques, such as digital fingerprinting and watermarking, to indicate the provenance of images, even if they are manipulated after publication or captured from a screenshot.

The combination of signed metadata with fingerprinting and watermarking is powerful, Adobe's Purdy wrote in a 2024 analysis of the techniques.

"\[N\]one of these techniques is durable enough in isolation to be effective on its own," he said. "But combined into a single approach, the three form a unified solution that is robust and secure enough to ensure that reliable provenance information is available no matter where a piece of content goes."

Watermarks, fingerprinting, and Content Credentials can be a powerful combination. Source: "Durable Content Credentials," CAI blog

A number of technical problems remain to be solved. Journalists reporting on an authoritarian regime, for example, may want to remain anonymous and mask their location. Zero-knowledge proofs can help, allowing a name to be redacted and only the organization — BBC News, for example — to be shown or to generalize the location. ZK proofs allow an attribute to be signed, so a photo's GPS coordinates could instead be reduced to New York City or Kiev to provide a general location that hides the photographer's identity, and verified with a digital signature.

"This is an evolving set of certifications," Microsoft's Paquin told the audience at ShmooCon. "The main challenge is establishing who can sign certificates ... establishing PKI that is worldwide is a big problem."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Content Credentials Technology Verifies Image, Video Authenticity

As digital inclusion gains prominence, businesses face increasing pressure to ensure their websites are accessible to users of all abilities. accessiBe, a leader in web accessibility innovation, offers a suite of solutions designed to tackle accessibility challenges with ease. By leveraging advanced AI technology alongside professional services, accessiBe provides tools to help organizations strive to comply with the Americans with Disabilities Act (ADA) and adhere to the Web Content Accessibility Guidelines (WCAG).

****About accessiBe****

Founded in 2018 in Israel, accessiBe has revolutionized the field of web accessibility. Its flagship product, accessWidget, uses artificial intelligence to dynamically address common accessibility barriers. Designed to support businesses in conforming with WCAG 2.1 AA standards, accessWidget operates within a broader ecosystem of solutions that ensure comprehensive digital accessibility. Trusted by thousands of organizations, accessiBe counts renowned brands like Skullcandy, Tiffany & Co., and Sally Beauty among its clients.

****How accessWidget Works****

Central to accessiBe’s offerings is accessWidget, a powerful AI-driven tool that simplifies the path to accessibility. With the addition of a single JavaScript code snippet, businesses can enable features such as:

*   **AI-Driven Remediation:** Identifies and resolves issues like screen reader compatibility, keyboard navigation challenges, and other accessibility barriers.
*   **Customizable User Interface:** Allows website visitors to modify font sizes, adjust color contrasts, and enable text-to-speech functionalities for a personalized browsing experience.
*   **Continuous Monitoring:** Performs regular scans to detect and address current and new accessibility issues as content updates.

While accessWidget automates many aspects of web accessibility, achieving full compliance with the ADA in adherence to WCAG often requires additional manual adjustments. For these cases, businesses can also rely on accessiBe’s complementary services, accessServices, to address more complex needs.

****A Complete Ecosystem for Digital Accessibility Solutions****

Beyond accessWidget, accessiBe offers a holistic ecosystem that combines automation with expert-driven solutions:

*   **accessFlow:** A developer-focused tool that integrates accessibility best practices directly into the design and development phases of website creation.
*   **accessServices:** Professional manual remediation services designed to address challenges that go beyond the scope of AI capabilities.

This comprehensive approach ensures that businesses can address accessibility challenges efficiently, enabling both compliance with legal requirements and conformance with established accessibility standards.

****Why Choose accessiBe?****

accessiBe stands out as a forward-thinking leader in the web accessibility space, offering a seamless blend of automated tools and professional services. Its solutions not only empower businesses to address accessibility barriers but also help create a more inclusive digital experience for all users. By combining advanced AI capabilities with manual expertise, accessiBe equips organizations with the tools they need to meet legal requirements and exceed user expectations.

****Conclusion****

For businesses aiming to put web accessibility as a vital part of their business plans, accessiBe offers practical and effective solutions. Although full accessibility often requires both automation and manual intervention, accessiBe provides the foundation necessary for businesses to have a wide and easy path on this journey.

With its reliable structure of solutions and proven expertise, accessiBe remains a trusted partner for organizations committed to taking the next step forward by making sure that their websites are accessible to everyone.

accessiBe Review: A Step Forward to Digital Accessibility for All

US, UK, and Australian law enforcement have targeted a company called Zservers (and two of its administrators) for providing bulletproof hosting services to the infamous ransomware gang.

Source: Alexey Krukovski via Alamy Stock Photo

The US government has joined Australia and the UK in sanctioning a Russia-based bulletproof hosting (BPH) services provider and two of its administrators for the company's role in supporting LockBit ransomware attacks. The move is a continuation of a barrage of law-enforcement actions against the Russia-based cybercriminal organization.

The Department of the Treasury's Office of Foreign Assets Control (OFAC), Australia's Department of Foreign Affairs and Trade, and the United Kingdom's Foreign Commonwealth and Development Office jointly sanctioned Zservers, based in Barnaul, Russia, for enabling "ransomware attacks and other criminal activity," the Treasury Department revealed in a press release Feb. 11. That illicit activity specifically centers on providing the infrastructure to facilitate attacks by LockBit, a prolific Russian-based ransomware-as-a-service (RaaS) group, according to the release.

The latest sanctions against Zservers are a continuation of multinational law-enforcement actions aimed at putting LockBit — which has committed severely disruptive ransomware attacks against numerous global organizations — permanently out of commission.

Specifically, they follow four LockBit-related arrests and device seizures made in October by Europol and Eurojust, which at the time also sanctioned and named as a LockBit affiliate Aleksandr Ryzhenkov (aka Beverley). Ryzhenkov was once second-in-command for the infamous Evil Corp cybercrime organization. Officials also arrested one of LockBit's lead developers in Israel last August, while a separate action by Australia sanctioned LockBit's head honcho, LockBitSupp (aka Dmitry Yuryevich Khoroshev), in May 2024.

Related:President Trump to Nominate Former RNC Official as National Cyber Director

"Ransomware actors and other cybercriminals rely on third-party network service providers like Zservers to enable their attacks on Us and international critical infrastructure," Bradley T. Smith, the Treasury Department's acting under secretary for terrorism and financial intelligence, said in a press statement. The sanctions demonstrate the US government's "collective resolve to disrupt all aspects of this criminal ecosystem, wherever located, to protect our national security," he added.

**LockBit Investigation Trail Leads to Zservers**

Law enforcement investigating LockBit discovered the criminal activity of Zservers after the company advertised its BPH services on known cybercriminal forums, according to the Treasury Department. BPH service providers sell access to specialized servers and other computer infrastructure designed to evade detection and thus defy law enforcement attempts to disrupt malicious activities.

Related:Content Credentials Technology Verifies Image, Video Authenticity

Allegedly, Zservers has provided BPH services, including leasing numerous IP addresses, to LockBit affiliates, who have used the hosting services to coordinate and launch ransomware attacks, according to international law enforcement, which collected evidence over several years to come to this conclusion.

During a 2022 search of a known LockBit affiliate, Canadian law enforcement uncovered a laptop operating a virtual machine connected to a Zservers' subleased IP address and running a programming interface used to operate LockBit malware. Also that year, a Russian cybercriminal purchased IP addresses from Zservers, which the department said was likely for use to power LockBit chat servers to discuss ransomware operations. In 2023, Zservers also leased infrastructure, including a Russian IP address, to a LockBit affiliate, the department said.

**Do Anti-Russian Sanctions Work?**

The idea behind government sanctions is to prohibit companies in certain countries from doing business with people involved in cybercriminal activity with the aim of deterring that activity. However, given the resilience of professional ransomware and other cybercriminal groups, experts have mixed opinions on whether this strategy actually works in the long run.

Related:India's Cybercrime Problems Grow as Nation Digitizes

"It is important to acknowledge that although sanctions might impede ransomware operations by targeting their infrastructure, ransomware groups such as LockBit are highly adaptive and well-connected, and will likely have other providers they're able to call on," says Andrew Costis, engineering manager of the Adversary Research Team at security firm AttackIQ.

However, sanctions should make it more difficult for cybercriminals to operate by increasing their costs and forcing attackers to find less effective methods to commit ransomware attacks, another security expert says. This can serve to at least slow them down if not totally put them out of service, notes Randolph Barr, CISO at security firm Cequence.

"The recently announced sanctions and law enforcement actions against Zservers will aid in disrupting ransomware groups by targeting their infrastructure, seizing servers, and blocking financial transactions," he says.

Still, sanctions alone may not necessarily disrupt LockBit and other ransomware groups entirely, meaning that organizations must remain vigilant, Barr says. "As threat actors adapt, companies must continue improving incident management and include ransomware scenarios in their preparedness exercises," he notes.

Indeed, Costis says, given the adaptability of RaaS and its network of affiliates in particular, "organizations must stay vigilant and focus on the latest tactics, techniques, and procedures (TTPs) attackers deploy, to stay ahead of ever-changing threats."

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Feds Sanction Russian Hosting Provider for Supporting LockBit Attacks

Sandworm (aka Seashell Blizzard) has an initial access wing called "BadPilot" that uses standard intrusion tactics to spread Russia's tendrils around the world.

Source: Kenishirotie via Alamy Stock Photo

Arguably, no advanced persistent threat (APT) enjoys as much notoriety as Sandworm, otherwise known as Military Unit 74455 within Russia's military intelligence (GRU). Its highlight reel includes NotPetya, an attack against the 2018 Winter Olympics, and two effective assaults on Ukraine's power grid. More recent activities include a campaign against Denmark's energy sector and an unsuccessful attempt to down Ukraine's grid for a third time, followed by a successful attempt.

In a sign of the times, Sandworm has subtly been shifting toward quieter, more widespread intrusions. Microsoft, which tracks the group as "Seashell Blizzard," has identified a subgroup within 74455 focused solely on gaining initial access to high-value organizations across major industries and geographic regions. It calls this subgroup "BadPilot."

**Sandworm's IAB, BadPilot**

Since at least late 2021, BadPilot has been performing opportunistic attacks against Internet-facing infrastructure, taking advantage of known vulnerabilities in popular email and collaboration platforms. Notable examples include Zimbra's CVE-2022-41352, the Microsoft Exchange bug CVE-2021-34473, and CVE-2023-23397 in Microsoft Outlook. All three of these vulnerabilities received "critical" 9.8 out of 10 scores in the Common Vulnerability Scoring System (CVSS).

BadPilot uses these critical vulnerabilities to gain useful initial access to traditionally high-value organizations: telecommunications companies, oil and gas companies, shipping companies, arms manufacturers, and entities of foreign governments. Targets have ranged from Ukraine and broader Europe to Central and South Asia and the Middle East.

Since early 2024, BadPilot has expanded to access targets in the US and UK as well. For this, it has made particular use of bugs in remote monitoring and management software: CVE-2023-48788, for example, a remote injection opportunity in the Fortinet Forticlient Enterprise Management Server (EMS), and the rare 10 out of 10 CVSS-rated CVE-2024-1709, allowing for authentication bypass in ScreenConnect by ConnectWise.

After gaining its foothold on a targeted system, BadPilot follows all the usual steps of any average hacking operation. It promptly establishes persistence using its custom "LocalOlive" Web shell, as well as copies of legitimate remote management and monitoring (RMM) tools, or "ShadowLink," which configures compromised systems as Tor hidden services. It collects credentials, performs lateral movement, exfiltrates data as necessary, and sometimes performs further post-compromise activities.

"There is not a lack of sophistication here, but a focus on agility and obtaining goals," says Sherrod DeGrippo, director of threat intelligence strategy at Microsoft. "These TTPs work because this threat actor is persistent and continues pursuing its objectives."

**The Impact in Ukraine**

Ultimately, BadPilot's job is to lubricate more significant attacks by its parent group, and, by extension, empower its controlling government. While a lot of its activity seems opportunistic, Microsoft wrote, "its compromises cumulatively offer Seashell Blizzard options when responding to Russia's evolving strategic objectives."

It may or may not be a coincidence, for example, that the group came into being just months before Russia's invasion of Ukraine. As that war began, and Russia peppered its neighbor with more cyberattacks than ever before, BadPilot was right in the mix, helping gain access to organizations perceived to be providing political or military support to its adversary. Additionally, Microsoft says, the group has enabled at least three destructive attacks in Ukraine since 2023.

Sandworm has targeted critical infrastructure across Ukraine since the war started, including telecommunications infrastructure, manufacturing plants, transportation and logistics, energy, water, military and government organizations, and other infrastructure meant to support the civilian population. It has also targeted military communities for the purpose of intelligence gathering.

"These threat actors are persistent, creative, organized, and well-resourced," DeGrippo emphasizes. For this reason, "Critical sectors need to ensure that they sustain above-average security practices, patch their software, monitor Internet-facing assets, and enhance their overall security posture."

**About the Author**

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."

Microsoft: Russia's Sandworm APT Exploits Edge Bugs Globally

A team Microsoft calls BadPilot is acting as Sandworm's “initial access operation,” the company says. And over the last year it's trained its sights on the US, the UK, Canada, and Australia.

Over the last decade, the Kremlin's most aggressive cyberwar unit, known as Sandworm, has focused its hacking campaigns on tormenting Ukraine, even more so since Russian president Vladimir Putin's full-scale invasion of Russia's neighbor. Now Microsoft is warning that a team within that notorious hacking group has shifted its targeting, indiscriminately working to breach networks worldwide—and, in the last year, has seemed to show a particular interest in networks in English-speaking Western countries.

On Wednesday, Microsoft's threat intelligence team published new research into a group within Sandworm that the company’s analysts are calling BadPilot. Microsoft describes the team as an “initial access operation” focused on breaching and gaining a foothold in victim networks before handing off that access to other hackers within Sandworm’s larger organization, which security researchers have for years identified as a unit of Russia’s GRU military intelligence agency. After BadPilot's initial breaches, other Sandworm hackers have used its intrusions to move within victim networks and carry out effects such as stealing information or launching cyberattacks, Microsoft says.

Microsoft describes BadPilot as initiating a high volume of intrusion attempts, casting a wide net and then sorting through the results to focus on particular victims. Over the last three years, the company says, the geography of the group's targeting has evolved: In 2022, it set its sights almost entirely on Ukraine, then broadened its hacking in 2023 to networks worldwide, and then shifted again in 2024 to home in on victims in the US, the UK, Canada and Australia.

“We see them spraying out their attempts at initial access, seeing what comes back, and then focusing on the targets they like,” says Sherrod DeGrippo, Microsoft’s director of threat intelligence strategy. “They’re picking and choosing what makes sense to focus on. And they are focusing on those Western countries.”

Microsoft didn't name any specific victims of BadPilot's intrusions, but broadly stated that the hacker group's targets have included “energy, oil and gas, telecommunications, shipping, arms manufacturing,” and “international governments.” On at least three occasions, Microsoft says, its operations have led to data-destroying cyberattacks carried out by Sandworm against Ukrainian targets.

As for the more recent focus on Western networks, Microsoft's DeGrippo hints that the group's interests have likely been more related to politics. “Global elections are probably a reason for that,” DeGrippo says. “That changing political landscape, I think, is a motivator to change tactics and to change targets.”

Over the more than three years that Microsoft has tracked BadPilot, the group has sought to gain access to victim networks using known but unpatched vulnerabilities in internet-facing software, exploiting hackable flaws in Microsoft Exchange and Outlook, as well as applications from OpenFire, JetBrains, and Zimbra. In its targeting of Western networks over the last year in particular, Microsoft warns that BadPilot has specifically exploited a vulnerability in the remote access tool Connectwise ScreenConnect and Fortinet FortiClient EMS, another application for centrally managing Fortinet's security software on PCs.

After exploiting those vulnerabilities, Microsoft found that BadPilot typically installs software that gives it persistent access to a victim machine, often with legitimate remote access tools like Atera Agent or Splashtop Remote Services. In some cases, in a more unique twist, it also sets up a victim's computer to run as so-called onion service on the Tor anonymity network, essentially turning it into a server that communicates via Tor's collection of proxy machines to hide its communications.

Another, separate report Tuesday from the cybersecurity firm EclecticIQ pointed to an entirely distinct hacking campaign that firm also ties to Sandworm. Since late 2023, EclecticIQ found the hacker group has used a malware-infected Windows piracy tool, distributed via Bittorrent, to breach Ukrainian government networks. In those cases, EclecticIQ found, the hackers have installed a remote access tool called Dark Crystal RAT to carry out cyberespionage.

Any sign of Sandworm, which Microsoft refers to by the name Seashell Blizzard, raises alarms in part because the group has a history of hacking operations that go far beyond mere spying. Over the last decade, the group has caused at least three blackouts by targeting electric utilities in Ukraine—still the only such hacker-induced blackouts in history. The group also released the NotPetya malware that spread worldwide and did at least $10 billion in damage, and it used wiper malware to destroy countless networks in more targeted attacks across Ukraine both before and after the 2022 invasion.

Microsoft has so far found no evidence that, in BadPilot's targeting of Western networks specifically, Sandworm has shown any intention to carry out anything other than espionage. “This seems very early in terms of initial resource gathering, trying to get this much persistent access,” says Microsoft's DeGrippo. “Then we would have to wait to see what they do with it.”

But she notes that BadPilot is nonetheless tied to a larger group that has a history of highly disruptive cyberattacks. “Therefore," says DeGrippo, "the potential actions that they could take next is of deep concern.”

A Hacker Group Within Russia’s Notorious Sandworm Unit Is Breaching Western Networks

Microsoft’s February Patch Tuesday addresses 63 security vulnerabilities, including two actively exploited zero-days. Update your systems now to…

Microsoft’s February Patch Tuesday addresses 63 security vulnerabilities, including two actively exploited zero-days. Update your systems now to protect against these threats.

Microsoft’s February 2025 Patch Tuesday update addresses 63 security vulnerabilities across its product range, including two zero-day exploits actively being used by attackers. Four of these vulnerabilities are classified as critical.

The update covers a variety of vulnerability types, including remote code execution, elevation of privilege, denial of service, spoofing, security feature bypass, information disclosure, and tampering.

Screenshot via SOCRadar

Two zero-day vulnerabilities are of particular concern due to their active exploitation.  

CVE-2025-21391, an elevation of privilege flaw in Windows Storage, could allow attackers to delete critical system files, potentially causing data loss and service disruptions.  While Microsoft states this vulnerability doesn’t expose confidential data, the ability to disrupt services is, nevertheless, a serious concern.  

The second actively exploited zero-day, CVE-2025-21418, affects the Ancillary Function Driver for Windows Sockets.  This vulnerability enables privilege escalation, potentially granting attackers SYSTEM-level access.  Details about the exploitation methods for these vulnerabilities remain undisclosed.

Microsoft is also addressing two publicly disclosed zero-day vulnerabilities. CVE-2025-21194, a hypervisor flaw, could compromise the secure kernel in UEFI-based virtual machines. This vulnerability is speculated to be related to the PixieFail vulnerabilities. Another flaw, CVE-2025-21377, could allow attackers to steal NTLM hashes through minimal user interaction with a malicious file.

Some critical vulnerabilities patched by Microsoft include: CVE-2025-21376, an RCE vulnerability in Windows Lightweight Directory Access Protocol allowing arbitrary code execution. CVE-2025-21177, a Server-Side Request Forgery vulnerability in Dynamics 365 that may lead to privilege escalation. CVE-2025-21379 in the DHCP Client Service and CVE-2025-21381 in Microsoft Excel, both allow remote code execution.  

Another severe flaw addressed was in Microsoft’s High-Performance Compute Pack. Tracked as CVE-2025-21198, it is a remote code execution (RCE) vulnerability that allows attackers to perform RCE on other clusters or nodes connected to the targeted head node by sending a specially crafted HTTPS request

Microsoft also addressed some high-risk flaws in this update including vulnerabilities in Microsoft Office SharePoint, Windows Disk Cleanup Tool, Windows CoreMessaging, Windows Win32 Kernel Subsystem, Windows Setup Files Cleanup, Windows DWM Core Library, and others. These vulnerabilities are considered high-risk due to their potential for exploitation and the lack of existing workarounds.  

Beyond Microsoft’s updates, other vendors, including Adobe, SAP, and Ivanti, have also released security patches.  SAP’s updates address vulnerabilities in BusinessObjects, Supplier Relationship Management, and Approuter, including a critical authorization flaw.  Ivanti’s patch fixes a critical OS command injection vulnerability in its Cloud Services Application.  

These updates highlight the ongoing need for timely security patching. With actively exploited zero-days and a range of critical vulnerabilities, organizations must prioritize applying these updates to mitigate risks. The sheer volume of vulnerabilities tracked by security platforms is staggering, as illustrated by SOCRadar’s Vulnerability Intelligence dashboard.

Screenshot via SOCRadar

Mr. Saeed Abbasi, Manager of Vulnerability Research at Qualys Threat Research Unit, told Hackread.com that CVE-2025-21391, though appearing as a file deletion bug, is actively exploited and far more dangerous when combined with code execution. While it doesn’t threaten confidentiality, it severely impacts integrity and availability, potentially crippling servers. Attackers can exploit it to delete critical system files, replacing them with weakly secured versions, and ultimately gaining SYSTEM-level access. Abbasi warns this is no minor flaw; it’s a stealthy path to full system control.

Patch Tuesday: Microsoft Fixes 63 Bugs with 2 Zero-Days

When it comes to keeping patient information safe, people empowerment is just as necessary as deploying new technologies.

Source: Yuri Arcurs via Alamy Stock Photos

COMMENTARY

Some say artificial intelligence (AI) has changed healthcare in ways we couldn't have imagined just a few years ago. It's now used for everything from paperwork to helping doctors make better diagnoses. But like any new tech, there are risks involved.

Currently, AI is both a potent defense mechanism and an attacker enabler. Therefore, the question that must be asked is clear: Is AI an enemy or a friend of cybersecurity in healthcare? Honestly, the answer is both.

**AI as the Defender: Enhancing Healthcare Security**

Healthcare systems are rich targets for malicious actors, with considerable protected health information (PHI) spread across interconnected assets such as electronic health records, Internet of Things (IoT)-enabled medical devices, and telehealth platforms. It has been proven that traditional cybersecurity tools often lack the resources and features required to protect such complex ecosystems and, as in different industries, struggle to keep pace with both the volume of data being generated and evolving attack methodologies.

The advantage of machine learning algorithms is that they can find a potential threat before it is serious. AI-powered security tools can detect anomalies in system behaviors, such as unauthorized data transfer or suspicious login activities, and thus proactively prevent a breach. Indeed, several hospitals using AI-powered systems have been able to avert ransomware attacks and maintain operational integrity and patient safety.

Artificial Intelligence is also incomparable in terms of its critical role in reducing administrative burdens and further complying with the Health Insurance Portability and Accountability Act (HIPAA) and other regulations. AI-powered tools, such as virtual assistants and data processing systems, take over administrative work while safeguarding sensitive data. These tools protect PHI and free human resources to focus on patient care.

**AI as the Enabler of Cyber Threats**

While AI hardens the defense, it turbocharges the attacker side, too. In such a way, cyber threats in healthcare have become increasingly sophisticated. The game changed with generative AI tools that let attackers create unbelievably realistic tailor-made emails with perfect grammar and formatting that quickly slipped through traditional security filters.

Deepfakes add another layer to these deceptions: generating hyperreal audio and video that makes an attacker sound like senior health leaders or other trusted voices. These fabrications have been used to deceive staff into granting unauthorized access, sharing PHI, and even making fraudulent financial transactions. In some cases, attackers have used deepfakes to spread false medical information or to undermine public confidence, further destabilizing an already complex threat landscape.

AI-powered malware leverages machine learning to make live changes, evade traditional detection, and zero in on critical systems, such as IoT-enabled devices and electronic health records. Attackers manipulate diagnostic data, alter medical imaging, and gain entry through vulnerabilities in lightly secured IoT devices, enabling them to create avenues to coordinate attacks. Combining AI with IoT could pose a greater threat to patient safety and trust in healthcare systems than just financial losses. 

AI-powered threats sound an alarm for information security, IT, and healthcare leaders. These risks are reshaping the cybersecurity landscape. Preemptive defenses require advanced AI tools, employee training, and collaboration across cross-functional teams. This would, in turn, involve policy and detection system reviews to grant top priority for countering AI-impelled social engineering and malware. Constantly being one step ahead of the bad actors requires constant vigilance, innovative thinking, and a core commitment to data safety and patient care.

**Balancing AI's Potential with Realistic Implementation**

As an expert or executive, you face the critical decision of managing the promise of AI and the risk it further introduces into an already overcomplicated cybersecurity landscape. AI is not the Holy Grail; it's a tool that can be used for and against us. AI’s transformative potential in healthcare and security comes from how it is implemented, so leaders must approach its adoption with a balanced perspective. They should be excited yet cautious, knowing full well that attackers are leveraging the very same technology to undermine our systems, data, and trust.

In my experience, the excitement around adopting AI tools like transcript generators, grammar checkers, or automated note-taking systems often takes precedence over critical security assessments. I have seen teams advocate for rapid implementation to save time and resources without assessing the risks; common questions such as where the data is stored, how it is processed, or if the vendor is compliant often are not asked. This rush to embrace convenience creates gaps that attackers can exploit, especially in healthcare, where even minor oversights can lead to significant breaches of PHI or personally identifiable information (PII).

Deepfakes, adaptive malware, and the exploitation of IoT devices, all powered by AI, require a new type of thinking to address these threats — one that changes from legacy defenses or even leading-edge AI-powered tools to placing those tools within an extended proactive security framework encompassing audits, employee training, and reliable governance. For that to happen, health workers and administrators must be empowered to recognize sophisticated attacks, faked video calls, or some other unexpected data transfer AI flagged up. People empowerment is just as necessary in deploying new technologies.

Drive collaboration between IT, security, and clinical teams in developing customized strategies for technical vulnerabilities and operational realities. This means vigilance, from systems monitoring to continuing review of AI's evolving role in your institution.

Safeguarding healthcare systems includes protecting the trust and well-being of the patients it cares for and its entire community. This depends entirely on the type of leadership that doesn't just react to threats but proactively takes bold measures to mitigate risks before they spread. Security embedded in all facets of the organization should ensure continuity of critical operations and uncompromised care of the patients by leaders in healthcare.

**About the Author**

Lead Security Engineer, C4HCO

Claudio Gallo is a lead security engineer of the Colorado Marketplace Exchange, dedicated to protecting critical information in the healthcare and insurance industries. With expertise in application security, cloud architecture, and compliance, Claudio designs innovative strategies to safeguard sensitive data and ensure trust in important services. Passionate about making a meaningful difference, he is equally committed to mentoring aspiring professionals in the information security industry, sharing knowledge, and fostering the next generation of cybersecurity talent.

Is AI a Friend or Foe of Healthcare Security?

More than half of attacks on Indian businesses come from outside the country, while 45% of those targeting consumers come from Cambodia, Myanmar, and Laos.

Source: NicoElNino via Shutterstock

India continues to see a surge in cybercrime affecting both citizens and businesses, with cyber fraud against citizens jumping 51% over the past year and cyberattackers targeting businesses in volumes significantly higher than global averages.

Overall, Indian citizens filed more than 1.7 million cybercrime complaints in 2024, up from 1.1 million complaints in 2023, according to the latest data from India's National Cyber Reporting Platform (NCRP) released in early February. While many of those cyber scams came from domestic sources, about 45% of the cyberattacks came from cybercriminal havens in Cambodia, Myanmar, and Laos, according to the report.

The problem underscores the dark side of increasing access to online services. While the country is digitizing many of its government services — giving citizens easier access — crime has followed online, President Droupadi Murmu said during a speech to Parliament on Jan. 31.

"\[I\]n an increasingly digital society, cybersecurity has become a crucial issue of national importance," Murmu said. "Digital fraud, cybercrime, and emerging technologies like deepfakes pose challenges to our social, economic, and national security."

India's citizens are not the only targets of cybercriminals — business sites increasingly face online attacks. Cyber-risks and digital/technology risks are the most pressing concerns for companies in India, with businesses in the region prioritizing those issues more than their global counterparts, according to PricewaterhouseCoopers' "2025 Global Digital Trust Insights — India Edition."

Source: PricewaterhouseCoopers, "2025 Global Digital Trust Insights — India Edition"

"Over the next 12 months, Indian organizations are prioritizing the mitigation of three key risks: cyberthreats, digital vulnerabilities and inflation," PwC India stated in the report. "This focus highlights the critical need for robust cybersecurity, reliable technological infrastructure, and strategies to counter rising costs and ensure resilience and sustained growth."

**Businesses See Different Threat Profile**

Compared with other regions of the world, India is seeing a greater volume of attacks. The average website in India sees about 6.9 million unwanted requests — often referred to as "attacks" by vendors — every year, with 26% more attacks per site compared with the global average, according to Indusface. Denial-of-service attacks are also more common against Indian targets, compared with the global average, says Venky Sundar, founder and president for the Americas at Indusface.

The threat actors have gone mobile-first, with API servers for mobile applications targeted with 43% more requests per host compared with websites, he says.

There is "a shift in attack strategies towards disrupting mobile and connected services," Sundar says. "Cybercrime is increasingly targeting external-facing APIs associated with mobile apps rather than just traditional web platforms."

The attacks are split fairly evenly between domestic sources and global ones, he adds. Overall, about half of the malicious traffic targeting company sites and API servers are domestic, with much of the rest coming from four countries: US, France, UK, and Singapore.

**Government Moves to Protect Citizens**

The government is currently taking steps to make life harder for attackers. The Reserve Bank of India (RBI), for example, has created exclusive Internet domains for banks (bank.in) and for non-bank financial institutions (fin.in), which will be run by the Institute for Development and Research in Banking Technology (IDRBT). India also passed its first privacy and data-protection law in 2023, and drafted implementation rules last month, which together define the rights of Indian citizens and requirements for companies handling data.

India and the US also recently signed a memorandum of understanding (MoU) that allows the two countries to cooperate on intelligence gathering, the exchange of information on cybercrime cases, and collaborative training. India has also fought to rescue and repatriate its citizens from forced labor camps for criminal syndicates in Cambodia, Myanmar, and Laos, where they are forced to conduct a variety of online scams.

Yet the country still faces a shortage of cybersecurity professionals. In September, the government announced an effort to train 5,000 "cyber commandos" over the next five years, to help national and state governments with cyber investigations.

Training citizens in cybersecurity can have additional benefits, President Murmu said in her remarks to Parliament.

"My government has taken numerous measures to control these cyber threats, creating opportunities for employment in the field of cybersecurity for the youth \[and\] is continuously working to ensure competence in cybersecurity," she said, noting that the country has reached Tier 1 status in the International Telecommunication Union's Global Cybersecurity Index.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Tag

#intel