The CyberWire Daily Podcast 3.13.25
Ep 2264 | 3.13.25

FCC draws the line on Chinese tech threats.

Transcript

The FCC looks to counter Chinese cyber threats. Turmoil at CISA. Volt Typhoon infiltrated a power utility for over 300 days. Europe takes the lead at Ukraine’s annual cyber conference. Facebook discloses a critical vulnerability in FreeType. A new Android spyware infiltrated the Google Play store. Our guest is Alvaro Alonso Ruiz, Co-Founder and CCO of Leanspace, who is discussing software in space with T-Minus Space Daily host Maria Varmazis. A UK hospital finds thousands of unwelcome guests on their network.

Today is Thursday March 13th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

The FCC looks to counter Chinese cyber threats. 

The FCC is establishing a national security council to counter Chinese cyber threats and maintain U.S. leadership in key technologies like AI, 5G, and quantum computing. FCC Chair Brendan Carr says the council will focus on mitigating cyber attacks, espionage, and reducing supply chain reliance on adversaries. It will be led by Adam Chan, a former House China Committee lawyer. The FCC’s role has expanded amid U.S.-China tech tensions, overseeing telecom security, drone certification, and subsea cables. A key early focus is Salt Typhoon, a large-scale Chinese cyber attack on U.S. telecom networks. The move aligns with broader U.S. efforts, like the CIA’s China Mission Center, to curb Beijing’s tech ambitions. China’s embassy dismissed the concerns, urging a cooperative approach to U.S.-China relations.

Turmoil at CISA. 

In a piece for Wired, Eric Geller makes the case that the Cybersecurity and Infrastructure Security Agency (CISA) is in crisis due to mass layoffs and political pressure under President Donald Trump’s administration. Employees report low morale, leadership failures, and weakened cybersecurity efforts, making it harder to protect U.S. infrastructure from cyber threats. Many critical staffers have been dismissed, and partnerships with international and private-sector allies are unraveling. CISA’s election security efforts have been suspended, and key AI and open-source security programs are being dismantled. Employees fear political retaliation, and the agency’s acting director, Bridget Bean, is accused of prioritizing Trump’s agenda over national security. Restrictions on communication, frozen projects, and uncertainty about future layoffs have left employees demoralized and overwhelmed. With adversaries like Russia, China, and Iran ramping up cyber threats, former officials warn that CISA’s decline could have dire consequences for U.S. security and economic stability. Many fear worse is yet to come.

Meanwhile, CISA is cutting $10 million in annual funding for MS-ISAC and EI-ISAC, cybersecurity intelligence groups that help state and local governments defend against cyber threats. The move is part of broader budget and staffing cuts under the Trump administration. Experts warn that defunding EI-ISAC leaves election offices vulnerable to foreign cyberattacks, shifting costs to local taxpayers. Cuts are also undermining international anti-cybercrime efforts, including stopping Southeast Asian scam operations. Critics argue these moves weaken U.S. cyber defenses, leaving critical infrastructure and elections exposed to increasing threats from nation-state hackers.

The states aren’t taking the ISAC cuts lying down: Arizona Secretary of State Adrian Fontes (D) is proposing VOTE-ISAC, an independent cybersecurity initiative for state and local election offices. The plan aims to replace EI-ISAC, which previously provided 24/7 threat monitoring and federal intelligence sharing. Without it, counties face a $45 million cybersecurity gap. Fontes has already reached out to states and stakeholders and plans to launch VOTE-ISAC as a nonprofit with support from public officials, philanthropy, and private industry.

Volt Typhoon infiltrated a power utility for over 300 days. 

Chinese threat actor Volt Typhoon infiltrated Littleton Electric Light and Water Departments (LELWD) in Massachusetts, maintaining access for over 300 days before detection in November 2023. The attack, discovered during Dragos’ OT security deployment, targeted operational technology (OT) data, including energy grid operations and spatial layouts. Volt Typhoon, linked to Chinese espionage, is known for persistent access and data exfiltration. Dragos warns the group could escalate to Stage 2 ICS attacks, potentially disrupting critical US infrastructure in the future.

Elsewhere, Chinese cyberespionage group UNC3886 is deploying custom backdoors on end-of-life Juniper Networks MX routers, which no longer receive security updates. The backdoors, based on TinyShell malware, allow data exchange and command execution. Mandiant discovered the attacks in mid-2024, linking them to UNC3886, known for exploiting zero-day vulnerabilities in Fortinet and VMware ESXi. The hackers bypassed Junos OS security by injecting malicious code into trusted processes, circumventing Veriexec protections. This ongoing espionage campaign threatens critical networking infrastructure globally.

Europe takes the lead at Ukraine’s annual cyber conference. 

At Ukraine’s Kyiv International Cyber Resilience Forum, Ukraine’s major annual cyber conference, European allies took the lead amid diminished U.S. presence. Last year, the U.S. Department of State and top American cyber officials played key roles, but no Trump administration officials attended this year, highlighting geopolitical tensions between Kyiv and Washington. While Google, Cloudflare, and CrowdStrike partnered with the event, only Mandiant’s Sandra Joyce gave a keynote. Discussions focused on European-led cybersecurity strategies, with Ukrainian officials advocating for a collective European cybersecurity framework based on Ukraine’s frontline experience. Ukraine formalized ties with the European Cybersecurity Competence Centre, signaling closer European cooperation. Past U.S. cyber aid, including software and funding via USAID, was acknowledged but largely absent from discussions. Ukrainian officials remain hopeful for future U.S. cyber collaboration, though the State Department has reportedly halted funding for cyber diplomacy programs under Trump.

Facebook discloses a critical vulnerability in FreeType. 

Facebook has disclosed a critical vulnerability (CVE-2025-27363) in FreeType, an open-source font rendering library widely used in Linux, Android, game engines, and GUI frameworks. The flaw, present in all versions up to 2.13, allows arbitrary code execution and is actively exploited. The issue stems from an out-of-bounds write when parsing TrueType GX and variable font files. While FreeType patched the bug in version 2.13.0 (February 2023), older versions remain at risk. Developers are urged to update to FreeType 2.13.3 immediately.

A new Android spyware infiltrated the Google Play store. 

North Korean threat group APT37 (ScarCruft) deployed KoSpy, an Android spyware that infiltrated Google Play and APKPure via five malicious apps disguised as file managers and security tools. Active since March 2022, KoSpy steals SMS, call logs, GPS data, files, audio, and keystrokes. The malware evades detection by using Firebase Firestore and encrypted C2 communications. Google has removed the infected apps, but users must manually uninstall them or reset devices. Google Play Protect helps block known versions of KoSpy.

A UK hospital finds thousands of unwelcome guests on their network. 

And finally, our device inventory desk tells us that the Princess Alexandra Hospital in the UK recently discovered that PlayStations, coffee machines, and even passing electric cars were connecting to its network. Deputy director of ICT Jeffery Wood admitted, “Our attack surface was much bigger than we thought,” after finding 5,000–10,000 unknown devices lurking in their system. This alarming revelation came during a trial of a cyber exposure platform, part of a broader tech modernization effort.

With no dedicated cybersecurity team, the hospital’s infrastructure staff handles security, integrating automated tools, XDR, and AI-driven protections. Network segmentation has even freed the marketing team to use Apple devices—previously banned. However, zero-trust security remains a distant dream.

Deputy Director Wood says the hospital is embracing a “one NHS” partnership model rather than siloed vendor relationships, but warns: “This isn’t just cyber risk. This is risk. Attacks could harm our patients.”

Nothing like a cybersecurity audit to find out your MRI machine shares a network with someone’s PS5.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.

N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.