
Listening In on the listeners.
The FBI shares revelations on Salt Typhoon’s reach. Former NSA and FBI directors sound alarm on infrastructure cybersecurity gaps. Google is launching a new cyber “disruption unit”. A new report highlights cyber risks to the maritime industry. A Pennsylvania healthcare provider suffers a data breach affecting over six hundred thousand individuals. Citrix patches a critical vulnerability under active exploitation. The U.S. sanctions a North Korean-linked fraud network. Ransomware is rapidly evolving with generative AI. Our guest is Brandon Karpf, speaking with T-Minus host Maria Varmazis and connecting three seemingly disparate stories. Who needs a tutor when you’ve got root access?
Today is Thursday, August 28th, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
The FBI shares revelations on Salt Typhoon’s reach.
The Wall Street Journal reports that the China-linked cyber campaign known as Salt Typhoon reached far beyond U.S. telecom carriers, hitting more than 80 countries and compromising sensitive data on a scale investigators hadn’t grasped until recently.
FBI cyber chief Brett Leatherman told the Journal the intrusion gave Chinese intelligence access to more than one million call records, as well as systems used by law enforcement for court-approved wiretaps—a development that he called among the most consequential breaches in U.S. history. The operation also swept up private calls and texts from over 100 Americans and allowed potential tracking of citizens’ movements worldwide.
U.S. officials say the campaign, active since at least 2019, was more sweeping and indiscriminate than typical espionage operations. While Beijing denies involvement, the FBI has issued new technical details to companies and allies aimed at spotting Salt Typhoon’s lingering presence in networks.
The NSA, along with U.S. and foreign partners, has issued a joint Cybersecurity Advisory warning that Chinese state-sponsored hackers are targeting telecommunications, government, transportation, lodging, and military networks worldwide. The advisory ties the activity—overlapping with reporting on groups like Salt Typhoon—to several China-based firms providing services to the Ministry of State Security and the People’s Liberation Army.
The report, “Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System,” details the hackers’ tactics, techniques, and procedures, including methods for exploitation, persistence, data collection, and exfiltration. It also lists exploited vulnerabilities and indicators of compromise.
Former NSA and FBI directors sound alarm on infrastructure cybersecurity gaps.
The Global Cyber Innovation Summit (GCIS) recently hosted an exclusive security briefing at One World Trade Center on “National Security Threats to U.S. Critical Infrastructure.” The invitation-only event gathered executives, former national security leaders, technologists, and policy experts for a discussion on rising cyber risks and defense strategies.
Bob Ackerman, GCIS founder, opened the event, followed by McKinsey’s Ida Kristensen, who highlighted a projected $31.1 billion global risk from OT breaches in the coming year. A panel featuring former NSA Director Gen. Paul Nakasone, former FBI Director Christopher Wray, AEP CEO Bill Fehrman, and Dragos CEO Rob Lee explored how threat actors increasingly target industrial systems through IT-to-OT pivots.
Keynote speaker Thomas Fanning stressed the need for collaboration across IT, OT, and executive leadership. Speakers underscored that cyberattacks on infrastructure risk not just data—but public safety.
Google is launching a new cyber “disruption unit”.
Google is launching a new cyber “disruption unit” aimed at proactively interfering with malicious online operations, a move that comes as U.S. policymakers and industry leaders debate the future of offensive cyber strategies. Sandra Joyce, vice president of Google Threat Intelligence Group, said the effort will focus on “legal and ethical disruption” and invited partners to join. The initiative reflects a broader conversation about the balance between “active defense” tactics, such as honeypots, and more aggressive measures like hacking back, which remain legally restricted.
At a cybersecurity policy conference, former officials and industry leaders debated whether the private sector should play a larger role in offensive cyber operations. While legislation to authorize private companies remains stalled, some argue U.S. deterrence requires more direct action. Experts cautioned that any shift must ensure measurable impact while avoiding uncontrolled escalation.
A new report highlights cyber risks to the maritime industry.
The maritime industry, which underpins 80% of global trade, is modernizing with automation, remote monitoring, and advanced energy systems—but those innovations are opening new cyber risks. A new report from Help Net Security says ships and ports now face threats ranging from ransomware to espionage, with vulnerabilities in operational technology, navigation systems, and software supply chains.
Incidents such as the 2017 NotPetya attack on Maersk, which shut down 76 terminals, and recent ransomware hits on ports in Europe highlight the stakes. State actors from Russia, Iran, and China are also accused of targeting maritime infrastructure, while interference with satellite navigation and AI-powered cyberattacks present growing dangers.
With only 17% of shipyards reporting in-house cybersecurity expertise, experts stress workforce training, continuous risk assessments, and stronger industry collaboration to build resilience across the global maritime sector.
A Pennsylvania healthcare provider suffers a data breach affecting over six hundred thousand individuals.
Healthcare Services Group, Inc. (HSGI), a Pennsylvania-based healthcare support services provider, has disclosed a data breach affecting 624,496 individuals nationwide. Attackers gained unauthorized access between September 27 and October 7, 2024, stealing sensitive data including names, Social Security numbers, driver’s licenses, state IDs, financial details, and account credentials. HSGI reported the breach to the SEC in October 2024 and confirmed in June 2025 that data had been stolen. Notifications began August 25, 2025, with victims offered 12–24 months of credit monitoring and identity theft protection.
Citrix patches a critical vulnerability under active exploitation.
A critical Citrix vulnerability (CVE-2025-7775) is being actively exploited, leaving more than 28,200 NetScaler ADC and Gateway instances exposed worldwide, according to CISA and Citrix. The flaw, patched on August 27, allows remote code execution and was abused as a zero-day. Most vulnerable systems are in the U.S., Germany, and the U.K. Citrix urges immediate upgrades, as no mitigations exist. Two other high-severity flaws (CVE-2025-7776, CVE-2025-8424) were also disclosed. CISA added CVE-2025-7775 to its Known Exploited Vulnerabilities catalog, requiring federal patching by August 28.
The U.S. sanctions a North Korean-linked fraud network.
The U.S. Treasury has sanctioned a North Korean-linked fraud network that placed hackers in U.S. companies by posing as job seekers. Once hired, the operatives stole data, extorted employers, and funneled wages to Pyongyang, generating at least $1 million for the regime. The Treasury says North Korea launders stolen funds, often via cryptocurrency, to support its nuclear program. Companies are now legally barred from engaging with the sanctioned parties.
Ransomware is rapidly evolving with generative AI.
New research shows ransomware is rapidly evolving with generative AI, lowering barriers for cybercriminals and making attacks more effective. Anthropic reports that hackers are using its AI models, including Claude and Claude Code, to write malware, craft extortion notes, and run ransomware-as-a-service schemes. One group, GTG-5004, used Claude to develop ransomware sold for $400–$1,200 despite lacking technical expertise. Separately, ESET identified PromptLock, the first proof-of-concept AI-powered ransomware. While not yet deployed, it demonstrates how attackers may exploit AI to automate intrusions. Experts warn that AI-assisted ransomware is still emerging, but the trend points to faster, more sophisticated attacks with global implications.
Who needs a tutor when you’ve got root access?
Spanish police say they’ve nabbed a 21-year-old Seville university student who allegedly decided the best way to boost his grades wasn’t through studying, but through hacking the region’s education system. Investigators claim he broke into Andalusia’s Séneca platform, quietly upgrading his own marks—and, in a rare act of academic generosity, adjusting classmates’ scores too.
Authorities say he also breached the email accounts of at least 13 professors across six universities, including those preparing next year’s entrance exams. His career as Andalusia’s unofficial registrar unraveled when staff at a Jaén high school noticed “irregularities.” Police seized computer gear and a notebook detailing his handiwork.
The student now faces charges of computer intrusion, identity theft, and document forgery. His exams, however, remain permanently failed.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
We’d love to hear from you. We’re conducting our annual audience survey to learn more about our listeners. We’re collecting your insights until August 31, 2025. There’s a link in the show notes.
N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.
