The CyberWire Daily Podcast 2.13.25
Ep 2245 | 2.13.25

Salt in the wound.

Transcript

Salt Typhoon is still at it. Russian cyber-actor Seashell Blizzard expands its reach. The EFF sues DOGE to protect federal workers’ data. House Republicans pursue a comprehensive data privacy bill. Fortinet patches a critical vulnerability. Google views cybercrime as a national security threat. Palo Alto Networks issues 10 new security advisories. Symantec suspects a Chinese APT side hustle. Guest Jason Baker, Principal Security Consultant at GuidePoint Security, joins us to share an update on the state of ransomware. A massive IoT data breach exposes 2.7 billion records. Here come the AI agents.

Today is Thursday February 13th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Salt Typhoon is still at it. 

Salt Typhoon, a Chinese hacker group, has continued breaching global telecom networks despite exposure last fall. Cybersecurity firm Recorded Future reports that between December and January, the group hacked five telecoms, an ISP, and over a dozen universities across multiple countries, including the US. The hackers exploited vulnerabilities in Cisco’s IOS software, targeting routers and switches to gain full control of network infrastructure.

Even after US government warnings, media reports, and Treasury sanctions, Salt Typhoon remains highly active. They use compromised Cisco devices to establish covert communication channels and exfiltrate data. The hackers have expanded beyond telecoms, targeting universities in the US, Argentina, Indonesia, and more.

Experts warn that China’s cyber-espionage is more aggressive than widely recognized. Despite government efforts, the attacks persist, prompting officials to urge Americans to use encrypted messaging apps. Recorded Future believes the scale of Salt Typhoon’s operations is likely even larger than currently detected.

Russian cyber-actor Seashell Blizzard expands its reach. 

Microsoft has reported that Russian cyber-actor Seashell Blizzard has enlisted a specialist initial access subgroup to enhance its ability to compromise high-value global targets. This long-running operation has expanded the group’s reach, securing persistent access to critical sectors like energy, telecom, shipping, arms manufacturing, and government networks.

Initially focused on Ukraine and Eastern Europe, Seashell Blizzard has now extended operations to the US, UK, Canada, and Australia. The subgroup exploits published vulnerabilities in remote access software, including ConnectWise ScreenConnect and Fortinet FortiClient.

Using scanning tools and exploit kits, they breach network perimeters, then deploy RMM software, webshells, and malicious modifications to maintain long-term access. These techniques align with Russia’s strategic cyber objectives. Microsoft warns the group will continue innovating scalable attack methods to support Russia’s geopolitical agenda.

The EFF sues DOGE to protect federal workers’ data. 

The Electronic Frontier Foundation (EFF) is leading a lawsuit against Elon Musk’s Department of Government Efficiency (DOGE) to block its access to millions of US government workers’ data. Alongside federal employee unions, the EFF filed the lawsuit on February 11 against DOGE and the Office of Personnel Management (OPM), arguing that DOGE’s access violates the Privacy Act of 1974.

DOGE, created in January to cut federal spending, allegedly gained unauthorized access to OPM’s vast employee database, which includes PII, financial, health, and classified information. The plaintiffs demand DOGE be blocked from further access and delete any collected data.

The EFF warns that misuse of this data could lead to privacy violations, cyber threats, and political abuse. This follows a federal ruling limiting DOGE’s access to Treasury data.

Meanwhile, Elon Musk and allies are accusing journalists of “doxxing” after reports identified employees in his government efficiency program, DOGE. Critics argue Musk is misusing the term to silence legitimate reporting on public officials. The Electronic Frontier Foundation (EFF) and legal experts stress that government employees are not protected from public scrutiny under the First Amendment.

Interim U.S. Attorney Ed Martin hinted at criminal charges against reporters, though no federal anti-doxxing law exists. Wired and The Wall Street Journal reported on DOGE hires, including an official with a history of racist posts. In response, Musk attacked reporters online, while supporters targeted them with harassment.

Experts say the backlash exposes hypocrisy, as Musk and Trump allies have previously doxxed federal employees. Free speech groups are demanding clarification on legal threats against the press.

House Republicans pursue a comprehensive data privacy bill. 

House Republicans have launched a working group to draft a comprehensive data privacy bill, led by Rep. John Joyce (R-PA). The group, composed of nine Republicans and no Democrats, aims to create legislation that can pass Congress, following years of failed efforts due to disagreements over consumer protections.

With 13 states enacting their own privacy laws, Republicans argue that a national standard is necessary to protect Americans’ rights and maintain the U.S.’s leadership in digital tech, including AI. Industry groups have pushed for a federal law that preempts stricter state regulations.

Fortinet patches a critical vulnerability. 

Fortinet has patched a critical vulnerability (CVE-2024-40591) in its FortiOS Security Fabric, which could allow attackers to escalate privileges to super-admin. Affecting multiple FortiOS versions, the flaw stems from improper privilege assignment, making it possible for a compromised upstream FortiGate device to grant an attacker full system control. This could lead to widespread breaches and data theft. Fortinet urges immediate updates, releasing patches for affected versions. The issue was internally discovered by Fortinet’s Justin Lum. 

Google views cybercrime as a national security threat. 

Google’s latest cybersecurity report warns that cybercrime has become a national security threat, increasingly exploited by state-backed groups like those from Russia, China, Iran, and North Korea. The report, released ahead of the Munich Security Conference, reveals that while financially motivated attacks outnumber state-sponsored ones, the two are now deeply intertwined. Governments leverage cybercriminals for tools, talent, and even full-scale operations.

Ransomware gangs have shifted focus to Ukraine, and Chinese and Iranian espionage groups supplement their activities with cybercrime. North Korea is notorious for cryptocurrency theft and covert IT worker schemes.

Despite growing threats, cybercrime gets less attention than state-backed hacking. Google stresses international cooperation is needed to combat it. Healthcare is especially vulnerable, with ransomware attacks worsening patient outcomes and data leaks in the sector doubling in three years.

Palo Alto Networks issues 10 new security advisories. 

Palo Alto Networks has issued 10 new security advisories, including a high-severity vulnerability (CVE-2025-0108) in PAN-OS that allows unauthenticated attackers to bypass authentication via the firewall’s management interface. While it doesn’t enable remote code execution, it could impact system integrity and confidentiality. Patches and mitigations are available, with risk reduced by restricting access to trusted IPs.

Another high-severity flaw (CVE-2025-0110) involves command injection but requires admin privileges. Additional advisories address Cortex XDR agent and PAN-OS vulnerabilities, none of which have been exploited in the wild. 

Symantec suspects a Chinese APT side hustle.

A ransomware attack using tools typically linked to Chinese cyberespionage groups was likely carried out by an individual hacker, according to Symantec. The attack leveraged a Toshiba executable to sideload a malicious DLL, deploying a PlugX (Korplug) backdoor—previously used only by Mustang Panda, a Chinese APT group.

From July 2024 to January 2025, PlugX was used in espionage attacks targeting governments in Southeastern Europe and Southeast Asia. However, in November 2024, the same toolset was used in an extortion attack against a South Asian software firm. The attacker exploited a Palo Alto Networks firewall vulnerability (CVE-2024-0012) for access, stole Amazon S3 credentials, and deployed RA World ransomware.

Symantec suggests the attacker was an insider monetizing espionage tools, though they may have ties to Bronze Starlight (Emperor Dragonfly), a China-based APT known for using ransomware as a decoy.

A massive IoT data breach exposes 2.7 billion records. 

A massive IoT data breach exposed 2.7 billion records containing Wi-Fi passwords, IP addresses, and device identifiers, linked to Mars Hydro, a China-based grow light manufacturer, and LG-LED SOLUTIONS LIMITED, a California-registered firm.

Discovered by cybersecurity researcher Jeremiah Fowler and reported to vpnMentor, the 1.17TB unprotected database was publicly accessible without encryption or authentication. It contained plain-text Wi-Fi SSIDs and passwords, device MAC addresses, API tokens, and error logs labeled “Mars-pro-iot-error” and “SF-iot-error.”

The data appears tied to Mars Hydro’s Mars Pro app, which controls IoT grow lights, despite its privacy policy claiming no user data collection. Fowler alerted LG-LED and Mars Hydro, leading to rapid restriction of access, but it remains unclear how long the data was exposed or if it was accessed maliciously.


Up next, I chat with GuidePoint Security’s Jason Baker about where he sees ransomware going in 2025. And, AI agents are now using computers. We’ll be right back.

Welcome back.

Here come the AI agents. 

And finally, our HAL 9000 desk tells us that AI assistants are getting an upgrade, and this time, they’re not just answering questions—they’re taking action. OpenAI, Anthropic, and Google DeepMind are rolling out AI agents that can browse the web, fill out forms, and even book your dinner reservations. Sounds convenient, right? Well… what happens when things go sideways?

Imagine waking up to find your AI assistant accidentally ordered 100 pounds of onions or booked you a surprise trip to Siberia. These bots still need human oversight—they can’t log in, agree to terms of service, or enter credit card details—but once they can, what’s stopping a glitchy AI from signing you up for 50 streaming services or accepting sketchy terms on your behalf?

Experts warn that hackers could manipulate AI agents, turning them into digital puppets for cybercriminals. The first person whose AI buys a fleet of cars? That’s going to be a story.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.


N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.