The Iranian wiper "Apostle" (described last week by SentinelOne) posed as ransomware in a campaign against Israeli targets. It's recently acquired genuine ransomware capabilities. WIRED has an overview of the campaign, and CPO Magazine notes that one motivation for the imposture is false-flagging: Tehran's operators appear to have wished to be taken for a Russian ransomware gang.
On Friday CISA issued an Alert on the spearphishing incident in which USAID credentials for Constant Contact's email service were abused to send phishing emails to a range of victims. Microsoft last week attributed the campaign to the Russian threat actor Nobelium, but CISA's Alert is noteworthy for specifically declining to offer attribution. It was updated Saturday to read: "CISA and FBI acknowledge open-source reporting attributing the activity discussed in the report to APT29 (also known as Nobelium, The Dukes, and Cozy Bear). However, CISA and FBI are investigating this activity and have not attributed it to any threat actor at this time." They'll provide updates as their investigation proceeds. The incident is still to be taken seriously, and CISA has advice on defense, but official attribution will have to wait.
Over the weekend European journalists published results of an investigation linking US intelligence services to Danish organizations believed to have cooperated in enabling US surveillance of targets in Germany, France, Sweden, and Norway between 2012 and 2014. The Washington Post reports that France's President Macron says that's no way to treat an ally; the AP records similar reactions from other European governments.