Daily Briefing for 03.26.26

Top stories.

• CISA's acting director warns of long-term impacts of DHS shutdown.
• Chinese threat actor deploys stealthy malware within telecom networks.
• Russia arrests suspected LeakBase administrator.

CISA's acting director warns of long-term impacts of DHS shutdown.

Nick Andersen, acting director of the US Cybersecurity and Infrastructure Security Agency (CISA), told the House Homeland Security Committee that the Department of Homeland Security shutdown is increasing cyber risks and causing CISA employees to resign, the Record reports. With 60% of the agency's workforce furloughed, Andersen said the "remaining personnel are carrying out mission essential functions without pay while facing increasing pressure from nation-state and criminal actors targeting our nation's critical infrastructure." He added, "These are necessary functions, but they are not sufficient to get ahead of the threat. Delays in issuing binding operational directives, reduced coordination with industry partners, and constrained incident response capacity all create openings for our adversaries."

Andersen said in an interview with the Record after the hearing that the shutdown will likely negatively impact CISA's hiring potential in the long run. "This is not going to be a one-and-done," he said. "We're going to be dealing with the longer-term impacts of people thinking that the Department of Homeland Security and CISA, in particular, is not a choice employer in this technical world."

Chinese threat actor deploys stealthy malware within telecom networks.

Rapid7 has published a report on a stealthy Chinese espionage operation targeting telecommunications networks. The threat actor, tracked as "Red Menshen," deployed a Linux backdoor called "BPFdoor" that operates within the kernel. Rapid7 states, "Unlike conventional malware, BPFdoor does not expose listening ports or maintain visible command-and-control channels. Instead, it abuses Berkeley Packet Filter (BPF) functionality to inspect network traffic directly inside the kernel, activating only when it receives a specifically crafted trigger packet. There is no persistent listener or obvious beaconing. The result is a hidden trapdoor embedded within the operating system itself."

Russia arrests suspected LeakBase administrator.

Russian authorities have arrested a Taganrog resident accused of running the LeakBase cybercriminal forum, BleepingComputer reports. LeakBase was seized by Western law enforcement agencies earlier this month. Russian state news agency TASS cites Ministry of Internal Affairs spokesperson Irina Volk as saying police in Rostov detained an individual "on suspicion of creating and administering one of the largest international hacker platforms." A criminal case has been opened against the suspect.