Daily Brief
Find articles below; see 'DETAILS' for generated summaries
Total articles found: 11823
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-06-04 21:00:43 | theregister | NATION STATE ACTIVITY | Ukrainian Hack Exposes Vast Data from Russian Bomber Manufacturer | Ukrainian military intelligence successfully infiltrated and extracted over 4.4GB of data from Tupolev, a major Russian bomber manufacturer. The breach yielded sensitive information including employee personal data, engineering resumes, purchase records, and minutes from private meetings. In a symbolic gesture of defiance, the hackers also defaced Tupolev's website, replacing standard images with an owl gripping a bomber. This cyber-attack followed a physical drone attack on Russian airbases, in which trucks were used to launch drones that targeted Russian aircraft, intensifying the conflict. The data obtained could significantly impact Russian strategic aviation operations, with Ukrainian intelligence commenting on the comprehensive nature of the data, which affects both ground and aerial tactics. The incident demonstrates escalating cyber warfare capabilities, highlighting Ukrainian advances in cyber-attack strategies amid the ongoing conflict. Following the attacks, tensions escalated as President Putin vowed retaliation, indicating that the conflict may intensify further. Western governments, notably the U.S., continue to back Ukrainian cyber defenses, emphasizing a deep operational partnership and shared intelligence efforts. | Details |
| 2025-06-04 20:37:57 | bleepingcomputer | NATION STATE ACTIVITY | Microsoft Launches Free EU Cybersecurity Initiative for Governments | Microsoft announced a new European Security Program in Berlin, designed to enhance cybersecurity across European Union countries, EFTA members, the UK, Monaco, and the Vatican. The initiative aims to counter increasing cyber threats from state-backed actors in nations like Russia, Iran, China, and North Korea, focusing on espionage activities conducted through credential theft and vulnerability exploitation. The program leverages artificial intelligence to provide real-time threat insights and intelligence, enhancing detection and blocking of sophisticated cyber-attacks. Partnerships with organizations such as Europol, the CyberPeace Institute, LASR, and the Western Balkans Cyber Capacity Center will be strengthened under this new initiative. Microsoft also plans to deliver updates on foreign influence operations, including the use of deepfakes, and provide guidance for newly discovered vulnerabilities. The tech giant underscored its commitment by referencing its involvement in the takedown of the Lumma infostealer malware, which had significantly impacted several European countries. Microsoft's program expansion includes collaboration with internet service providers to enhance user-level remediation and cyber defense capabilities across Europe. | Details |
| 2025-06-04 20:13:06 | bleepingcomputer | RANSOMWARE | FBI Reports Play Ransomware Impacted 900 Entities Including Critical Infrastructure | The FBI announced that the Play ransomware group has compromised approximately 900 organizations globally, including many critical infrastructure entities. This represents a significant increase from the 300 reported victims in October 2023, with affected regions spanning North America, South America, and Europe. The Play group is known for recompiling its malware, which makes detection and prevention by security software difficult. Victims have also experienced extortion through phone calls, in which they are threatened with the leak of stolen data unless a ransom is paid. Play affiliates have exploited vulnerabilities in remote monitoring and management tools to achieve remote code execution against U.S. organizations. The group operates a ransomware-as-a-service model, stealing sensitive data before encrypting systems and then pressuring payment by threatening to publish the data online. The FBI, together with CISA and the Australian Cyber Security Centre, advises updating systems and software regularly, using MFA, maintaining offline backups, and developing recovery protocols. Noteworthy victims of this ransomware include major entities like Rackspace, Dallas County, and Krispy Kreme. | Details |
| 2025-06-04 19:45:07 | theregister | RANSOMWARE | Ransomware Attack on Kettering Health Disrupts Chemotherapy, Leaks Data | Ransomware group Interlock claimed responsibility for a cyberattack on Kettering Health in May, disrupting medical treatments and leaking 941 GB of sensitive data. Among the compromised data were ID cards, payment information, and detailed purchasing reports, spanning over 732,490 files and 20,418 folders. The cyber incident led to systemic outages, causing Kettering Health to cancel essential medical procedures, including chemotherapy and pre-surgery appointments. Kettering Health, which manages 14 medical centers and over 120 outpatient facilities, had to redirect emergency cases and revert to paper-based patient charting. Following the attack, the healthcare provider managed to restore major components of its electronic health record (EHR) system by June 2, improving patient care coordination. The attack is part of a broader trend, with 26 confirmed ransomware attacks on U.S. healthcare providers in the current year and 17 confirmed Interlock ransomware cases since October 2024. The healthcare network has not yet confirmed the validity of the data leak claimed by Interlock. | Details |
| 2025-06-04 19:45:06 | bleepingcomputer | CYBERCRIME | Ukrainian Hacker Mines Crypto Using Breached Hosting Accounts | Ukrainian police arrested a 35-year-old hacker accused of breaching approximately 5,000 hosting accounts to mine cryptocurrency. The breaches occurred at an international hosting company, where the hacker unlawfully accessed client accounts and deployed virtual machines for mining, resulting in $4.5 million in damages. The hacker had exploited the hosting company's server resources for unauthorized cryptocurrency mining since 2018. Investigation revealed that the hacker used open-source intelligence to identify and exploit vulnerabilities in international organizations. During the police raid, authorities confiscated various devices and evidence, including computer equipment, mobile phones, bank cards, and tools linked to cyber activities like data theft and remote access. Analysis of the seized materials indicated the hacker's involvement in multiple hacker forums and possession of stolen email credentials and cryptocurrency wallets. The hacker now faces potential charges that could lead to 15 years of imprisonment under Ukrainian law, with ongoing investigations that might add further charges. Recommendations for IT teams to prevent similar incidents include using strong, unique passwords, multi-factor authentication, and regular monitoring of account activity. | Details |
| 2025-06-04 19:22:28 | bleepingcomputer | CYBERCRIME | Cisco Issues Patches for Critical ISE and CCP Vulnerabilities | Cisco has released patches for three vulnerabilities affecting its Identity Services Engine (ISE) and Customer Collaboration Platform (CCP), for which public exploit code is available. The most severe vulnerability, CVE-2025-20286, identified in Cisco ISE, involves a critical static credential issue that can compromise cloud deployments. This vulnerability allows unauthenticated attackers to access various administrative functions and sensitive data across cloud environments like AWS, Azure, and Oracle Cloud Infrastructure. Security researchers note that only Cisco ISE deployments with the Primary Administration node hosted in the cloud are susceptible to this particular exploit. Cisco's response includes providing hotfixes and advising administrators who cannot immediately apply the patches to run a specific command that resets configurations to factory settings. Other patched vulnerabilities include an arbitrary file upload flaw in Cisco ISE and an information disclosure vulnerability in the Customer Collaboration Platform. Prior to these patches, in September, Cisco fixed a command injection vulnerability in ISE that allowed privilege escalation to root on unpatched systems. | Details |
| 2025-06-04 18:02:24 | bleepingcomputer | NATION STATE ACTIVITY | Ukraine Allegedly Hacks Major Russian Aerospace Company Tupolev | Ukraine's Main Intelligence Directorate (GUR) reportedly penetrated the systems of Tupolev, a key Russian aerospace manufacturer, obtaining 4.4 gigabytes of sensitive data. The data breach included personal information of Tupolev employees, internal communications, procurement documents, and minutes from private meetings. The hack also involved defacement of Tupolev's official website, replacing its homepage with an image symbolic of Ukrainian prowess. Ukrainian intelligence claims the hack exposed vital details related to Russia's strategic aviation operations and could impact Russian defense capabilities. The breach is part of a broader series of cyber-attacks attributed to Ukrainian forces, targeting various Russian governmental and defense agencies since the conflict began. This cyber operation follows a physical drone attack by Ukraine on Russian airfields, highlighting Ukraine's combined approach of physical and cyber warfare tactics. | Details |
| 2025-06-04 17:11:57 | bleepingcomputer | CYBERCRIME | U.S. and Global Agencies Seize BidenCash Dark Web Domains | U.S. law enforcement, led by the Secret Service and FBI, conducted an international operation seizing multiple domains of BidenCash, a notorious dark web market. The seized domains now redirect to a U.S. government site indicating their involvement in illegal carding activities. Dutch National Police and organizations like The ShadowServer Foundation and Searchlight Cyber supported the operation. BidenCash, which emerged in April 2022, was known for trading stolen credit card information and personal data, filling a gap left by previously shut down card markets. Recent leaks from BidenCash included databases containing over 4 million stolen credit card details, predominantly from U.S. cardholders. Despite occasional operational recoveries by such marketplaces, law enforcement actions have considerably disrupted illegal online card trading. The Secret Service's ongoing efforts also include actions against physical skimming devices, preventing potential fraud amounting to millions. | Details |
| 2025-06-04 16:39:25 | bleepingcomputer | CYBERCRIME | FBI Issues Alert on NFT Airdrop Scams Targeting Cryptocurrency Wallets | The FBI has issued a warning about new cyber scams involving NFT airdrops on the Hedera Hashgraph network. Cybercriminals are distributing fake NFTs and tokens to wallet addresses, tricking users into visiting phishing sites. Victims are deceived into submitting sensitive information such as passwords and wallet seed phrases, leading to wallet hijacking and theft. Hedera Hashgraph, differing from traditional blockchain technology, uses a hashgraph system for faster and more efficient operations. Scammers use multiple channels, including phishing emails, social media ads, and fake websites, to promote their fraudulent schemes. The FBI advises verifying the legitimacy of any airdrop alerts through official channels and never sharing sensitive credentials. Regular monitoring of cryptocurrency accounts for any signs of unauthorized access or transactions is recommended. Victims of such scams should contact their account providers and report the incidents to the FBI's Internet Crime Complaint Center. | Details |
| 2025-06-04 15:34:08 | thehackernews | CYBERCRIME | Google Uncovers Vishing Scheme Targeting Salesforce Users | Google's Threat Intelligence Group has identified a vishing (voice phishing) group, known as UNC6040, specializing in Salesforce data breaches for financial gain. UNC6040 tricks English-speaking employees via phone calls, posing as IT support, to gain unauthorized access to Salesforce environments using a deceptive version of the Data Loader app. The threat actors manipulate victims into authorizing a modified Data Loader app under a different name, thus accessing sensitive data and exfiltrating it. After the initial data breach, UNC6040 uses the stolen data to move laterally through networks, accessing platforms like Okta, Workplace, and Microsoft 365. Several months post-compromise, UNC6040 engages in extortion attempts, claiming ties to ShinyHunters to pressure victims. Salesforce warned its users in March 2025 about similar social engineering tactics used by other threat actors to steal credentials and add malicious apps. The extensive duration between the initial breach and the extortion indicates the potential for widespread impact on multiple victim organizations. | Details |
| 2025-06-04 15:08:42 | theregister | CYBERCRIME | Scammers Extort Companies via Fake Salesforce IT Support Calls | The Google Threat Intelligence Group has identified a cybercrime group, designated UNC6040, which is exploiting Salesforce users through fake IT support calls. Approximately 20 organizations across sectors like hospitality, retail, and education in the Americas and Europe have fallen victim to this scam. The attackers impersonate IT support personnel and coax employees into installing a malicious version of the Salesforce Data Loader, enabling them to exfiltrate sensitive data. To execute these attacks, UNC6040 provides victims with an eight-digit connection code during support calls, linking the malicious Data Loader to the victim's Salesforce environment. The same infrastructure used by UNC6040 also hosted phishing panels aimed at deceiving users into submitting credentials and multifactor authentication codes. After the initial data theft, the attackers engaged in lateral movement within the networks, accessing platforms like Okta, Workplace, and Microsoft 365 for further information theft. Some victims faced extortion months after the initial breach, indicating possible collaboration between UNC6040 and other cybercriminal entities. Salesforce has issued guidance on mitigating such attacks, emphasizing the risks of voice phishing aimed at stealing MFA tokens and installing unauthorized applications. | Details |
| 2025-06-04 14:31:23 | bleepingcomputer | DATA BREACH | Lee Enterprises Hit by Ransomware, 39,000 Affected in Data Breach | Lee Enterprises experienced a ransomware attack in February 2025, compromising the personal information of 39,779 individuals. The breached data includes sensitive details such as Social Security numbers and full names. The cyberattack caused significant operational disruptions, including network shutdowns, affecting newspaper printing and delivery across the U.S. Hackers from the Qilin ransomware group claimed responsibility, alleging they stole 120,000 documents and 350 GB of data. Lee Enterprises previously faced a network breach in 2020 by Iranian hackers aimed at spreading disinformation. The recent security breach has been publicly disclosed in a filing with Maine's Attorney General's office and the SEC. Lee Enterprises is currently investigating the legitimacy of the claims of stolen data posted on the dark web. | Details |
| 2025-06-04 14:12:10 | bleepingcomputer | DATA BREACH | Google Reports Hackers Extorting Data from Salesforce Users | Google's Threat Intelligence Group observed social engineering attacks by the group identified as UNC6040, which claims ties to ShinyHunters. Attackers target multinational companies, tricking English-speaking employees into using a compromised Salesforce Data Loader application. The malicious actors impersonate IT support to facilitate the installation of the Data Loader, which then accesses sensitive data on Salesforce and connected cloud platforms like Okta and Microsoft 365. UNC6040 exploits this access to exfiltrate data, including sensitive communications and authorization tokens, among others. After data theft, the actors attempt lateral movement within networks, accessing further sensitive data across platforms. Detection systems have managed to halt some of these data theft activities by revoking access after detecting unauthorized activity. Following the initial breach, data exfiltration can lead to extortion, with delayed ransom demands to prevent data leaks. Google recommends enhanced security measures, including restricted API permissions and blocking access from known commercial VPNs, to mitigate such threats. | Details |
| 2025-06-04 14:04:26 | bleepingcomputer | MALWARE | Protecting Active Directory from AS-REP Roasting Attacks | AS-REP Roasting targets Active Directory user objects lacking Kerberos pre-authentication, exposing systems to unauthorized access. Tools like Rubeus and Impacket exploit this weakness, sidestepping the normal encryption-based authentication check. Cybersecurity agencies list AS-REP Roasting as a prevalent method among 17 common techniques used to target Active Directory. Stolen credentials play a significant role in data breaches, with 44.7% of such incidents involving compromised passwords, per Verizon's Data Breach Investigations Report. Detection and mitigation involve identifying vulnerable accounts, enforcing Kerberos pre-authentication, and monitoring network events for signs of attacks. Implementing strong password policies and maintaining high security standards are crucial to defending against AS-REP Roasting and enhancing overall system security. Specops Password Policy aids in managing and securing passwords by blocking compromised passwords and enforcing robust password policies, thereby bolstering defenses against such attacks. | Details |
| 2025-06-04 13:38:57 | theregister | DATA BREACH | Lee Enterprises Confirms Data Theft Affecting 40,000 People | Regional newspaper publisher Lee Enterprises reported a data theft involving the personal information of approximately 40,000 individuals. The compromised data included first and last names and Social Security numbers; the theft affected certain employees rather than newspaper subscribers. The cyberattack was first detected on February 3, with unauthorized data access starting two days prior. A third-party vendor was engaged for a comprehensive review, which concluded on or about May 28 that personal information of affected individuals was included in the accessed data. Following the attack, Lee Enterprises took measures to enhance security, notified the FBI, and pledged cooperation with any subsequent investigations to hold the perpetrators accountable. The incident has been classified as a cybersecurity attack involving data encryption and exfiltration, potentially impacting the company's future financial performance despite its cyber insurance. Operational disruptions varied across the company's vast portfolio of over 70 daily newspapers, with some publications ceasing production temporarily while others managed reduced output. | Details |