Polish Hydropower Plant in Tczew Targeted by Russian Hacktivists Again
Summary
Russian hacktivists targeted a Polish hydropower plant in Tczew, near Gdańsk, disrupting its control systems and turbines. This is the second attack on the same facility in 2025. The hackers released a video showing the disruption, which affected operational parameters and caused more damage than the previous incident. The plant was offline during the earlier attack in May. The incident is part of a broader pattern of cyberattacks on Polish industrial control systems (ICS) and operational technology (OT) devices. Previous targets include water and sewage treatment plants, swimming pools, and other small hydropower plants. Polish authorities have issued recommendations to enhance OT security and mitigate potential threats.
Timeline
- 20.08.2025 00:17 (1 article): Russian Hacktivists Disrupt Polish Hydropower Plant in Tczew
In August 2025, Russian hacktivists targeted the hydropower plant in Tczew, near Gdańsk, disrupting its control systems and turbines. The attack caused operational disruptions and more damage than the previous incident in May 2025, which occurred while the plant was offline. The hackers released a video showing the disruption, confirming the attack. This incident is part of a broader pattern of cyberattacks on Polish ICS/OT devices.
Source:
- Russian Hacktivists Take Aim at Polish Power Plant, Again — www.darkreading.com — 20.08.2025 00:17
Information Snippets
- The hydropower plant in Tczew, near Gdańsk, was targeted by Russian hacktivists in August 2025.
- The attack disrupted the plant's control systems and turbines, causing operational disruptions.
- The hackers released a video showing the disruption, confirming the attack.
- The plant was previously targeted in May 2025, but that attack occurred while the plant was offline.
- The August attack caused more damage than the previous one, affecting operational parameters.
- The incident is part of a broader pattern of cyberattacks on Polish ICS/OT devices.
- Previous targets include water and sewage treatment plants, swimming pools, and other small hydropower plants.
- Polish authorities have issued recommendations to enhance OT security and mitigate potential threats.
All snippets first reported 20.08.2025 00:17 (1 source, 1 article):
- Russian Hacktivists Take Aim at Polish Power Plant, Again — www.darkreading.com — 20.08.2025 00:17
Similar Happenings
Noisy Bear Phishing Campaign Against KazMunaiGas Identified as Planned Test
A phishing campaign targeting KazMunaiGas employees was initially attributed to the Noisy Bear threat actor. The campaign, codenamed Operation BarrelFire, involved phishing emails with malicious attachments. KazMunaiGas later clarified that the activity was part of a planned phishing test conducted in May 2025. The campaign used a ZIP file containing a Windows shortcut (LNK) downloader, a decoy document, and instructions in Russian and Kazakh. The LNK file dropped additional payloads, including a PowerShell loader and a DLL-based implant. The infrastructure was hosted on a Russia-based bulletproof hosting service. The campaign was initially reported in September 2025, with KazMunaiGas confirming it was a test in response to the report. The Noisy Bear threat actor has been active since at least April 2025, with the campaign involving sophisticated techniques such as anti-analysis measures and CreateRemoteThread Injection. The activity has geopolitical implications, potentially aiming to sustain information advantage in Central Asia.
Jaguar Land Rover Production Disrupted by Cyberattack
Jaguar Land Rover (JLR) experienced a cyberattack that severely disrupted its production and retail operations. The attack prompted the company to shut down several systems to mitigate the impact. Customer data was compromised, and the exact nature of the attack and the timeline for recovery remain unclear. The incident affected multiple systems, including those at the Solihull production plant, where popular models like the Land Rover Discovery and Range Rover are manufactured. The attack occurred over the weekend, a common time for such incidents due to reduced response capabilities. This is the second cyberattack JLR has suffered this year, raising concerns about potential vulnerabilities from the previous attack. JLR has extended the production shutdown for another week, with operations expected to resume on September 24, 2025. The company is still investigating the incident and has not attributed the breach to a specific cybercrime group.
WhatsApp Zero-Day Exploited in Targeted Attacks
WhatsApp patched a zero-day vulnerability (CVE-2025-55177) in its messaging apps for Apple iOS and macOS. The flaw allowed unauthorized users to process content from arbitrary URLs on targeted devices. The issue was exploited in conjunction with a recently disclosed Apple flaw (CVE-2025-43300) in targeted zero-day attacks. WhatsApp notified fewer than 200 users who may have been targeted as part of the spyware campaign. The vulnerability stems from insufficient authorization of linked-device synchronization messages. The exploitation chained the WhatsApp flaw with the Apple vulnerability, enabling sophisticated attacks against specific users. CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog and is advising federal agencies to apply mitigations by September 23, 2025.
Chinese State-Sponsored Actors Targeting Global Critical Infrastructure
Chinese state-sponsored Advanced Persistent Threat (APT) actors, specifically the Salt Typhoon group, are conducting a sustained campaign to gain long-term access to critical infrastructure networks worldwide. These actors exploit vulnerabilities in routers and other edge network devices used by telecommunications providers, ISPs, and other infrastructure operators. The campaign targets telecommunications, transportation, lodging, government, and military networks, and has hit at least 600 organizations across 80 countries, including 200 in the U.S. The actors employ tactics to evade detection and maintain persistent access, posing a significant threat to national and economic security. The advisory details how these state-backed actors penetrate networks around the world and provides actionable guidance to help defenders strengthen their own environments and protect critical systems. It tracks this cluster of activity as multiple APTs, whose activity partially overlaps with Salt Typhoon. The actors have had considerable success exploiting publicly known vulnerabilities in Ivanti Connect Secure, Ivanti Policy Secure, Palo Alto Networks PAN-OS, and Cisco IOS XE, and the advisory suspects they may also target Fortinet firewalls, Juniper firewalls, Microsoft Exchange, Nokia routers and switches, Sierra Wireless devices, and SonicWall firewalls. To maintain persistence, the actors modify Access Control Lists (ACLs), open standard and non-standard ports, enable SSH servers, and create tunnels over protocols. They also target authentication protocols and infrastructure, such as Terminal Access Controller Access Control System Plus (TACACS+), to facilitate lateral movement across network devices.
The advisory's mitigation recommendations include monitoring network device configuration changes, auditing network services and tunnels, and checking logs for integrity. It highlights a critical shift in Chinese state-sponsored activity, from pure espionage to gaining long-term access for potential disruption. Separately, 45 previously unreported domains associated with Salt Typhoon and UNC4841 have been discovered, dating back to May 2020; the oldest, onlineeylity[.]com, was registered on May 19, 2020. The domains were registered using Proton Mail email addresses and fake personas, and they point to high-density and low-density IP addresses, with the earliest activity traced back to October 2021. The domains are linked to Chinese cyber espionage campaigns, with potential overlaps between Salt Typhoon and UNC4841.
CISA and partners respond to cyber attack on Nevada state services
On August 24, 2025, a ransomware attack targeted the state of Nevada, impacting essential services and leading to data theft. The Cybersecurity and Infrastructure Security Agency (CISA) and its partners are providing real-time incident response to assist in restoring critical services and rebuilding systems. The attack's origins are under investigation. CISA's Threat Hunting teams are actively examining state networks to identify the full scope of the situation and mitigate threats. The Federal Bureau of Investigation (FBI) is assisting in the investigation, and the Federal Emergency Management Agency (FEMA) is advising on emergency response grants and other available assistance. The attack on Nevada is part of a broader trend of ransomware attacks on local governments, exacerbated by federal budget and staffing cuts.