The CyberWire Daily Podcast 10.8.25
Ep 2409 | 10.8.25

Chinese hackers serve up espionage.

Transcript

Chinese hackers infiltrate a major U.S. law firm. The EU Commission President warns Russia is waging a hybrid war against Europe. Researchers say LoJax is the latest malware from Russia’s Fancy Bear. Salesforce refuses ransom demands. London Police arrest two teens over an alleged ransomware attack on a preschool. Microsoft tightens Windows 11 setup restrictions. SINET and DataTribe spotlight 2025 cybersecurity innovators. On our Industry Voices segment, we are joined by Sean Deuby, Semperis Principal Technologist, discussing identity system security and the growth of the HIP Conference. Employees overshare with ChatGPT.

Today is Wednesday October 8th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Chinese hackers infiltrate a major U.S. law firm. 

Williams & Connolly, one of the United States’ top law firms, disclosed that Chinese hackers infiltrated parts of its computer systems in a broader campaign targeting U.S. law and tech firms. The FBI’s Washington field office is investigating what sources say may involve more than a dozen victims. The attackers reportedly accessed several attorney email accounts through a zero-day vulnerability, though the firm said there’s no evidence client files or databases were compromised. Williams & Connolly has engaged cybersecurity firm CrowdStrike and outside counsel Norton Rose Fulbright to assist in the response. According to Mandiant, the campaign aligns with a Chinese espionage effort seeking intelligence on U.S. national security and trade issues. The firm says the intrusion has been contained.

The EU Commission President warns Russia is waging a hybrid war against Europe. 

European Commission President Ursula von der Leyen warned that Russia is waging a “hybrid war” against Europe, citing coordinated cyberattacks, sabotage, and provocations across EU member states. Speaking before the European Parliament, she pointed to airspace violations by Russian MiG fighters and drone incursions over critical infrastructure in several EU countries, describing them as part of a deliberate campaign “to unsettle our citizens, test our resolve, and weaken our support for Ukraine.” Von der Leyen said a new pan-European security strategy, developed with NATO, aims to strengthen rapid cyber response and protect essential infrastructure. She urged EU members to “leave their comfort zone” and confront the threat with unity and deterrence. “Every square centimetre of our territory must be protected,” she declared.

Researchers say LoJax is the latest malware from Russia’s Fancy Bear. 

ESET researchers have uncovered “LoJax,” the first known malware found actively infecting a computer’s UEFI firmware, a critical component that controls how a system boots. Believed to be created by the Russian hacking group Sednit, also known as Fancy Bear or APT28, LoJax embeds itself in a computer’s firmware, allowing it to survive even after a hard drive replacement or operating system reinstall. This gives attackers deep, persistent control over compromised machines and potential access to networked systems and data. ESET named the malware after LoJack, the legitimate anti-theft tool it abuses. Experts recommend enabling Secure Boot and updating firmware to block infection. If compromised, users may need to reflash or replace the motherboard entirely.

Salesforce refuses ransom demands. 

Salesforce has confirmed it will not pay ransom demands from the hacking group “Scattered Lapsus$ Hunters,” which claims to have stolen nearly one billion records from Salesforce customers. The attackers launched a data leak site on the breachforums[.]hn domain, threatening to publish stolen data from 39 major companies including FedEx, Disney, Google, and Marriott. Salesforce told customers it will not negotiate or pay extortion demands despite “credible intelligence” that the hackers plan to leak the data.

London Police arrest two teens over an alleged ransomware attack on a preschool. 

London’s Metropolitan Police arrested two 17-year-olds on suspicion of computer misuse and blackmail linked to a ransomware attack on preschool operator Kido International. The attackers, calling themselves the Radiant Group, leaked photos, names, and home addresses of children and parents to extort payment, later deleting the data after backlash from other criminals. The arrests followed a September 25 report to the UK’s Action Fraud center. Police said the case is being treated “extremely seriously” and investigations are ongoing.

Microsoft tightens Windows 11 setup restrictions. 

Microsoft is tightening restrictions on creating local accounts during Windows 11 setup, removing known methods that let users bypass Microsoft account requirements. The change, introduced in Insider Preview Build 26220.6772, means users will soon need both an internet connection and a Microsoft account to complete the Out-of-Box Experience (OOBE). Microsoft says bypassing the setup previously caused incomplete configurations and reduced security. Earlier this year, the company removed the BypassNRO.cmd script for similar reasons, though a registry workaround still exists, for now. Microsoft may eliminate that option in future updates to ensure devices are “fully configured” and meet modern security standards.

SINET and DataTribe spotlight 2025 cybersecurity innovators. 

SINET has announced the 2025 SINET16 Innovator Award winners, recognizing standout startups driving the next wave of cybersecurity innovation. Selected from 193 applicants across 19 countries, the winners include Bedrock Security (AI-driven data governance), ConductorOne (identity security automation), Oligo Security (runtime application defense), Prompt Security (AI security and data protection), and Seemplicity (AI-powered remediation management). Each company was chosen for developing technologies that address modern threats across cloud, AI, and enterprise systems.

In parallel, DataTribe named five finalists for its 2025 Cybersecurity Startup Challenge, including Ackuity, Cytadel, Tensor Machines, Starseer, and Evercoast, ahead of Cyber Innovation Day on November 4 in Washington, D.C. Together, these programs spotlight the innovators defining cybersecurity’s AI-driven future.

Employees overshare with ChatGPT. 

It seems some employees are getting a little too chatty with ChatGPT. A new report from LayerX warns that employees are inadvertently exposing sensitive corporate data through ChatGPT and other generative AI tools. The Enterprise AI and SaaS Data Security Report 2025 found that 45% of enterprise employees use AI tools, and 77% of them paste data into chatbot prompts, 22% of which contains personally identifiable or payment card information. Most of these pastes (82%) come from unmanaged personal accounts, leaving companies blind to data leakage and compliance risks. LayerX says ChatGPT dominates enterprise AI use, accessed by over 90% of users, while Microsoft Copilot adoption remains below 3%. The report urges CISOs to enforce Single Sign-On (SSO) to maintain visibility and control over AI data flows. LayerX’s CEO warns such leaks could create regulatory and geopolitical risks.
How one coder gave the EU a headache. 

A Danish software engineer named Joachim built a simple website one weekend in August, and accidentally gave the European Union a migraine. His creation, Fight Chat Control, lets visitors fire off pre-written protest emails to lawmakers opposing an EU bill meant to combat child sexual abuse material online. Privacy advocates call the measure a threat to encryption; politicians now just call it “that thing flooding my inbox.” More than 2.5 million people have visited the site, reportedly triggering millions of emails and paralyzing inboxes across Brussels. Diplomats complain it’s “not a dialogue,” while Joachim insists it’s democracy, just faster and louder. The campaign has stirred national debates, clogged parliamentary servers, and made one thing clear: in Europe, even a lone coder can jam the machinery of policy with enough public outrage, and a send button.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
One quick note before we wrap up: I’ve been nominated for the SANS Difference Maker Award in the Media Creator of the Year category. I’m honored to be recognized and would appreciate your support. You’ll find the link to vote in our show notes, and voting is open until Wednesday, October 8th at 11:59 p.m. Eastern. Thanks for listening, and for being part of the N2K CyberWire community.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.