The CyberWire Daily Podcast 5.7.25
Ep 2303 | 5.7.25

When spyware backfires.

Transcript

A jury orders NSO Group to pay $167 million to Meta over spyware allegations. CISA warns of hacktivists targeting U.S. ICS and SCADA systems. Researcher Micah Lee documents serious privacy risks in the TM SGNL app used by high-level Trump officials. The NSA plans significant workforce cuts. Nations look for alternatives to U.S. cloud providers. A medical device provider discloses a cyberattack disrupting its ability to ship customer orders. The Panda Shop smishing kit impersonates trusted brands. Accenture’s CFO thwarts a deepfake attempt. Our temporary intern Kevin Magee from Microsoft wraps up his reporting from the RSAC show floor. Server room shenanigans, with romance, retaliation, and root access.

Today is Wednesday May 7th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

A jury orders NSO Group to pay $167 million to Meta over spyware allegations.

A U.S. federal jury has ordered Israeli spyware maker NSO Group to pay over $167 million in damages for hacking into WhatsApp and targeting more than 1,000 people. The ruling caps a six-year legal battle led by WhatsApp’s parent company, Meta, which accused NSO of using its Pegasus spyware to breach U.S. anti-hacking laws. The damages include $167 million in punitive and $440,000 in compensatory penalties—marking a record hit to the spyware industry. Although NSO claims it only sells to governments for lawful use, investigations show Pegasus has targeted journalists, activists, and officials worldwide. The ruling also rejected NSO’s claim of immunity and exposes the broader threat spyware poses to privacy and democracy. NSO says it may appeal. Meta says they plan to donate damages to digital rights groups.

CISA warns of hacktivists targeting U.S. ICS and SCADA systems. 

CISA, alongside the FBI, EPA, and Department of Energy, has issued a joint advisory warning that unsophisticated cyber actors are actively targeting industrial control systems (ICS) and SCADA systems in the U.S. oil and gas sector. These attackers—likely hacktivists—exploit poor cyber hygiene using basic tools like default credentials, brute force attacks, and misconfigured remote access. Despite their simplicity, such intrusions can lead to serious consequences including system shutdowns or physical damage. CISA urges asset owners to immediately remove OT systems from the public internet, enforce strong passwords and phishing-resistant MFA, secure remote access, segment networks, and prepare for manual operations. The alert also stresses reviewing third-party access and system configurations. This follows recent warnings about critical vulnerabilities in ICS devices from major manufacturers.

Researcher Micah Lee documents serious privacy risks in the TM SGNL app used by high-level Trump officials.

Security researcher Micah Lee has exposed serious privacy risks in the TM SGNL app—a modified version of Signal used by Trump-era officials. Despite marketing claims, Lee’s analysis of TM SGNL’s Android source code confirms the app sends plaintext copies of messages to TeleMessage’s AWS-hosted archive server, bypassing Signal’s end-to-end encryption. These chat logs, which include Signal, WhatsApp, Telegram, and possibly WeChat messages, are vulnerable to access by the Israeli firm’s staff and potentially foreign intelligence. The discovery was validated by a recent hack of TeleMessage that revealed plaintext messages in server memory. Senator Ron Wyden has urged the DOJ to investigate, citing national security concerns. TM SGNL appears visually identical to Signal and interoperates with it, making it difficult for users to detect the switch. Lee warns that powerful U.S. officials using this insecure app may have exposed sensitive communications, possibly for years. TeleMessage has since taken its archive server offline.

The NSA plans significant workforce cuts. 

The NSA is planning to cut up to 2,000 civilian positions—around 8% of its workforce—as part of a broader Trump administration effort to shrink the federal government. The downsizing affects roles across the agency, including cybersecurity and administrative staff. Cuts are tied to a Defense Department directive to reduce its budget by 8% annually for five years, affecting all “combat support agencies.” The NSA is focusing on early retirements and buyouts to avoid mass layoffs.

Meanwhile, key cybersecurity leaders at NIST, including Computer Security Division chief Matthew Scholl, are departing amid federal downsizing under the Trump administration, raising serious concerns about NIST’s capacity to lead in AI and post-quantum cryptography. Over 20% of CSD’s federal staff have exited, jeopardizing critical research and weakening collaboration with industry. Experts warn the loss of institutional knowledge will hamper standards development and shift more cybersecurity burdens to businesses. NIST’s budget may also face steep cuts under Trump’s FY26 proposal.

Nations look for alternatives to U.S. cloud providers. 

All of this instability and uncertainty in the U.S. has triggered global demand for alternatives to U.S. cloud dominance. Europe is seeking digital sovereignty through a strategy that moves beyond simply replicating Amazon, Google, or Microsoft. The goal is to build a viable European cloud ecosystem that’s not only technically credible, but politically and economically independent. This means reducing dependency on proprietary U.S. services, investing in open-source software tailored for cloud infrastructure, and supporting European service providers. Governments play a critical role by funding development, shaping procurement policies, and enforcing privacy laws like GDPR to prioritize local solutions. While Europe already has strong hosting and networking players, transitioning them into full-service cloud providers requires new business models and technical capabilities. The plan resembles building digital “railroads”—laying the foundation for others to innovate upon. This initiative, echoed by concerns in Canada, Australia, and New Zealand, represents a broader global desire to break free from U.S. tech hegemony and establish trusted, local control over critical infrastructure.

A medical device provider discloses a cyberattack disrupting its ability to ship customer orders. 

Medical device giant Masimo has disclosed a cyberattack that is disrupting its ability to process and ship customer orders. The breach, detected on April 27, has forced some manufacturing facilities to operate below normal levels. In a filing with the SEC, the California-based company said it isolated affected systems, engaged cybersecurity experts, and notified law enforcement. The nature and scope of the attack remain under investigation, and Masimo has not confirmed if ransomware was involved. Despite the disruption, CEO Katie Szyman stated during an earnings call that the incident is not expected to affect financial guidance. Masimo, known for its pulse oximetry and patient monitoring tools, joins a growing list of manufacturers hit by cyberattacks that have caused major operational and financial setbacks, including Clorox, Johnson Controls, and Sensata Technologies. 

The Panda Shop smishing kit impersonates trusted brands. 

A new China-based smishing kit called “Panda Shop” is enabling cybercriminals to steal financial data by impersonating trusted brands like USPS, DHL, and major banks. Discovered by Resecurity, the kit creates mobile-optimized phishing pages that convincingly mimic legitimate websites. It supports the theft of Google Pay, Apple Pay, and credit card details, and can send up to 2 million messages daily—potentially targeting 60 million victims per month. Unlike older SMS-based scams, Panda Shop uses advanced tactics including Google RCS and Apple iMessage, evasion methods to bypass detection, and OTP interception to defeat multi-factor authentication. Researchers linked it to the Smishing Triad group due to shared tactics and coding similarities. Configuration files and domain data point to operations based in China. The attackers boldly claim to be beyond the FBI’s reach, further emphasizing the challenge of combating transnational cybercrime.

Accenture’s CFO thwarts a deepfake attempt. 

Last May, someone impersonating an attorney set up a video call with Accenture’s CFO and a very convincing deepfake of CEO Julie Sweet. The fake “Julie” asked for an urgent funds transfer. Luckily, the CFO followed company protocols—and no money left the company. Flick March, Accenture’s EMEA cyber strategy lead, recounted the close call at the Cyber Security Festival, warning that deepfakes are changing the game. With tools now available for as little as £20, even trained professionals are fooled—half failed a recent deepfake test. March calls this a “paradigm shift in the attack vector.” Deepfakes now blur the lines between cyber, fraud, and disinformation, demanding a total rethink of security strategies. Companies must embrace identity security, establish secure communication channels, and train teams to question even seemingly authentic requests. “If something feels off,” says March, “you should feel empowered to say, ‘call me back on Monday.’”

Server room shenanigans, with romance, retaliation, and root access. 

And finally, a former IT manager is suing Deutsche Bank and its contractor Computacenter, alleging they let a security breach slide right under their noses… and into their server rooms. According to James Papa, a fellow IT worker brought his girlfriend—an unauthorized Chinese national with tech skills—into Deutsche Bank’s most sensitive tech areas multiple times. “Jenny,” as she’s called, allegedly accessed secure systems with a contractor laptop, all while Papa was offsite. When he reported it, rather than earning a promotion, Papa got the boot. No action was taken against the lovebirds, who later vacationed in China. Now Papa is suing for $20 million, claiming whistleblower retaliation and a good old-fashioned cover-up. As for Deutsche Bank and Computacenter? Mum’s the word. 

Because nothing says ‘robust cybersecurity’ like bring-your-girlfriend-to-work day in the server room.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.


N2K’s senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.