
The end of a cybercrime empire.
Authorities dismantle a Pakistan-based cybercrime network. Lawmakers question the feasibility of establishing a U.S. Cyber Force as a standalone military branch. The DOJ sues to block HPE’s acquisition of Juniper Networks. Tangerine Turkey deploys cryptomining malware. Major healthcare providers send breach notifications. Norwegian police seize a Russian-crewed ship suspected of damaging a communications cable. Researchers discover critical vulnerabilities in GitHub Copilot. D-Link patches a critical router vulnerability. CISA and the FDA have warned U.S. healthcare organizations of severe security vulnerabilities in Chinese-made patient monitors. Pauses in funding create confusion for federal cybersecurity vendors. We bid a fond farewell to a pair of N2K colleagues. The case of the disappearing government data.
Today is Friday January 31st 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Authorities dismantle a Pakistan-based cybercrime network.
US and Dutch authorities have dismantled a Pakistan-based cybercrime network that sold hacking and fraud tools online. Dubbed Operation Heart Blocker, the crackdown led to the seizure of 39 domains operated by Saim Raza, also known as HeartSender, who had been selling phishing toolkits, scam pages, and email extractors since 2020. His tools, marketed as undetectable by security solutions, were widely used in business email compromise (BEC) scams, leading to over $3 million in losses. Thousands of cybercriminals purchased these tools to steal credentials and conduct fraud. Authorities also uncovered millions of stolen data records, prompting Dutch police to launch a website where users can check if their credentials were compromised. Those affected are urged to change their passwords and stay vigilant against phishing attempts.
Lawmakers question the feasibility of establishing a U.S. Cyber Force as a standalone military branch.
A bipartisan group of lawmakers is urging the National Academy of Sciences, Engineering, and Medicine (NASEM) to fully evaluate the feasibility of establishing a U.S. Cyber Force as a standalone military branch. In a January 29 letter, Reps. Morgan Luttrell (R-TX), Pat Fallon (R-TX), and Sen. Kirsten Gillibrand (D-NY) stressed that while the defense policy bill altered the study’s focus to broader cyber force models, it must still answer whether a Cyber Force is the best option.
Lawmakers also suggested a deadline of November 30 and requested updates every two months to ensure timely input for the Fiscal Year 2027 defense discussions. The debate continues over whether U.S. Cyber Command should remain under its current structure, akin to Special Operations Command, or if an independent Cyber Force is necessary to address ongoing readiness challenges. The letter signals Congress’ commitment to reassessing military cyber capabilities.
The DOJ sues to block HPE’s acquisition of Juniper Networks.
The U.S. Department of Justice (DOJ) has sued to block Hewlett Packard Enterprise’s (HPE) $14 billion acquisition of Juniper Networks, arguing it would stifle competition by leaving only HPE and Cisco controlling over 70% of the U.S. networking market. The companies dispute the claim, saying the deal would enhance competition. The lawsuit marks the first antitrust case under President Trump’s new term. Despite approvals from the UK and EU, HPE and Juniper face an eight-month legal battle before the October deadline.
Tangerine Turkey deploys cryptomining malware.
Tangerine Turkey is a VBS worm that spreads via USB drives to deploy cryptomining malware. First observed by Red Canary in November 2024, it ranked #8 in their January 2025 threat report. The malware hijacks printui.dll to execute mining software and has been linked to a global cryptojacking campaign.
Azerbaijan’s CERT found strong overlaps between Tangerine Turkey and a massive cryptomining operation called Universal Mining, which had infected 270,741 computers in 135 countries. VirusTotal samples indicate it sometimes drops XMRig, though configuration files are often pulled from remote servers and GitHub repositories.
Several related GitHub profiles and domains used for configuration were taken down. Reports from Quick Heal and Azerbaijan’s CERT suggest Tangerine Turkey is part of a larger, evolving cryptomining campaign, possibly with new variants beyond VBS, including BAT, PowerShell, and EXE-based execution methods.
Major healthcare providers send breach notifications.
Community Health Center (CHC), a major Connecticut healthcare provider, is notifying over 1 million patients of a data breach exposing their personal and health information. Attackers accessed CHC’s network in October 2024, but the breach was only discovered in January 2025. The stolen data includes names, Social Security numbers, medical diagnoses, and insurance details, but CHC states that no systems were encrypted and operations remained unaffected.
Investigators found that a “skilled criminal hacker” was behind the attack but was stopped within hours. Meanwhile, NorthBay Health is notifying 569,000 individuals of a separate data breach in early 2024, which may have involved ransomware. Although NorthBay says there’s no evidence of identity theft, it is offering free identity protection. The attack disrupted hospital operations for weeks. These incidents highlight the growing trend of cybercriminals targeting healthcare providers for data theft and extortion.
Norwegian police seize a Russian-crewed ship suspected of damaging a communications cable.
Norwegian police have seized the Silver Dania, a Norwegian-registered, Russian-crewed ship, suspected of damaging a communications cable between Sweden and Latvia. This marks the third vessel detained in recent weeks amid rising concerns over subsea infrastructure sabotage in the Baltic Sea.
The ship was detained at Norway’s request after sailing from St. Petersburg to Murmansk. Latvian authorities are investigating three ships over the cable cut, with Sweden already detaining the Vezhen. Meanwhile, Finland has seized the Eagle S, suspected of intentionally dragging its anchor for 60 miles, severing multiple cables.
With heightened NATO concerns, Baltic Sentry, a new military initiative, has been launched to protect critical infrastructure. NATO allies have warned of potential actions against Russian vessels if subsea threats persist.
Researchers discover critical vulnerabilities in GitHub Copilot.
Researchers have discovered two critical vulnerabilities in GitHub Copilot, Microsoft’s AI-powered coding assistant, exposing major security flaws in enterprise AI tools.
The “Affirmation Jailbreak” trick allows users to bypass Copilot’s ethical safeguards by simply adding affirmations like “Sure” to prompts, enabling it to generate malicious code such as SQL injection scripts or deauthentication attacks.
The “Proxy Hijack” exploit is even more severe, allowing attackers to reroute Copilot’s API traffic, capture authentication tokens, and gain unrestricted access to OpenAI’s models. This could lead to enterprise-wide financial risks by generating high-cost AI queries or leaking sensitive proprietary code.
With 83% of Fortune 500 companies using Copilot, the risks are widespread. Researchers urge better AI security controls, including adversarial training, certificate pinning, and stricter API token policies. As AI coding tools advance, security frameworks like NIST’s AI Risk Management are needed to prevent exploitation.
D-Link patches a critical router vulnerability.
A critical unauthenticated Remote Code Execution (RCE) vulnerability in D-Link DSL-3788 routers allows attackers to gain full control remotely. The flaw was discovered by Max Bellia of SECURE NETWORK BVTECH.
Potential risks include complete router takeover, network compromise, and malware deployment. D-Link has released a patched firmware version and urges users to update immediately to protect against exploitation.
CISA and the FDA have warned U.S. healthcare organizations of severe security vulnerabilities in Chinese-made patient monitors.
CISA and the FDA have warned U.S. healthcare organizations to remove Contec CMS8000 patient monitors due to severe security vulnerabilities that risk remote code execution and patient data leaks. The Chinese-made device, used in the U.S. and EU, contains a firmware backdoor that allows attackers to overwrite files, execute arbitrary code, and exfiltrate patient data.
Tracked as CVE-2025-0626 (CVSS 7.7), the flaw enables unauthorized remote control, while CVE-2025-0683 (CVSS 5.9) exposes patient data by transmitting unencrypted information to a hardcoded IP address. A third flaw, CVE-2024-12248 (CVSS 9.3), allows out-of-bounds writes leading to remote code execution.
These issues affect multiple firmware versions, including rebranded models like the Epsimed MN-120. No patches exist, and CISA advises immediate removal from networks. Past vulnerabilities in the same device have also exposed serious security risks, but no known attacks have been reported yet.
Pauses in funding create confusion for federal cybersecurity vendors.
The General Services Administration (GSA) has paused new federal contract awards, creating confusion among vendors and raising concerns about broader impacts. The Jan. 24 memo cites the need for new leadership to review acquisition strategies, but allows exceptions for emergency obligations and IT spending.
The pause follows President Trump’s freeze on federal funds, though some restrictions were lifted after state Medicaid websites went down. Despite concerns in the cybersecurity sector, experts believe the GSA pause won’t cause long-term harm. However, uncertainty about cybersecurity funding—especially given the administration’s stance on agencies like CISA—could deter small vendors.
Industry groups, including the Professional Services Council, have called for clearer guidance on contract spending. Meanwhile, the Department of Defense clarified that its contracts remain unaffected, ensuring that critical national security missions continue. Vendors are seeking clarity to avoid disruption in cybersecurity and other federal services.
We’ve got some very special see you laters in today’s guest slot. We are going to miss N2K President Simone Petrella and Executive Editor Brandon Karpf. Join us in wishing them well. I’ll let our team share their wishes next. We’ll be right back.
Welcome back.
The case of the disappearing government data.
And finally, when Harvard archivist Jack Cushman logged onto data.gov the morning after Donald Trump’s inauguration, something felt off. The numbers didn’t quite add up. The day before, the government’s largest public data repository listed 307,854 datasets. Now, more than 2,000 were gone.
At first, he thought it might be a glitch. But as he dug deeper, snapshots from the Wayback Machine confirmed it: datasets were disappearing, many tied to climate research, environmental monitoring, and diversity initiatives.
Cushman wasn’t alone in his concern. Archivists, researchers, and data hoarders across the internet scrambled to preserve what they could, knowing all too well that government data is fragile in the digital age. Unlike the printed documents of the past, which found homes in libraries across the country, today’s data lives on centralized servers, vulnerable to quiet deletions.
Some missing datasets turned up on agency websites, others were truly gone. The question remained: Was this routine cleanup—or a purge?
No regulations mandate digital data preservation, leaving crucial information at risk. While some datasets remain accessible via agency websites or backups, determining the full impact will take time.
The quiet deletion of government data is more than an administrative decision—it is a threat to transparency, accountability, and historical record. When critical datasets disappear, so does public access to scientific research, policy history, and information that shapes our understanding of the world. Without strong preservation policies, we risk losing more than just numbers on a website—we risk erasing knowledge itself. If we allow data to be quietly rewritten, relocated, or erased without scrutiny, we open the door to a future where truth itself becomes malleable, dictated not by facts but by those in power. Safeguarding government records is not just about archiving; it is about defending the integrity of information in a democracy that depends on it.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.
This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.