The CyberWire Daily Podcast 10.9.25
Ep 2410 | 10.9.25

Cyber defenders pulled into deportation duty.

Transcript

DHS reassigns cyberstaff to immigration duties. A massive DDoS attack disrupts several major gaming platforms. Discord refuses ransom after a third-party support system breach. Researchers examine Chaos ransomware and creative log-poisoning web intrusions. The FCC reconsiders its telecom data breach disclosure rule. Experts warn of teen recruitment in pro-Russian hacking operations. Ukraine’s parliament approves the establishment of Cyber Forces. Troy Hunt criticizes data breach injunctions as empty gestures. Our guest is Sarah Graham from the Atlantic Council’s Cyber Statecraft Initiative (CSI) discussing their report, "Mythical Beasts: Diving into the depths of the global spyware market." And, Spy Dog’s secret site goes off leash.

Today is Thursday October 9th, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

DHS reassigns cyberstaff to immigration duties. 

The Department of Homeland Security has reassigned hundreds of national security employees, including cybersecurity specialists from the Cybersecurity and Infrastructure Security Agency (CISA), to support President Trump’s deportation initiatives. Current and former employees say the reassignments—described as mandatory—come with threats of dismissal for refusal and often involve sudden relocations.

Many of those moved had focused on protecting federal systems from nation-state cyberattacks. Their transfers to agencies such as Immigration and Customs Enforcement and Customs and Border Protection have disrupted CISA’s core mission, particularly within its Capacity Building and international engagement divisions. Staff morale has reportedly plummeted amid a climate of fear and censorship.

Critics warn the shift leaves the U.S. more vulnerable to cyber threats as major hacks continue to target government networks. DHS officials defend the moves as routine personnel alignment to meet agency priorities.

A massive DDoS attack disrupts several major gaming platforms. 

Earlier this week, a massive DDoS attack disrupted several major gaming platforms, including Steam, Xbox, PlayStation, Riot Games, and Epic Games. The coordinated assault, reportedly powered by the Aisuru botnet, reached record levels of 29.69 terabits per second, overwhelming servers and causing widespread outages across the industry.

Riot Games confirmed that while its internal systems remained secure, the flood of network traffic severely affected gameplay for League of Legends and Valorant users. Services have since been restored, but experts warn that the scale and simultaneity of this event reveal growing vulnerabilities in global gaming infrastructure.

Discord refuses ransom after a third-party support system breach. 

Discord says it will not pay a ransom to threat actors claiming to have stolen data on 5.5 million users through its Zendesk support system, BleepingComputer reports. The company disputes the hackers’ figures, stating that only about 70,000 users had government ID photos exposed and emphasizing that Discord itself was not breached.

Attackers allege they accessed a compromised support agent account within an outsourced provider, stealing 1.6 terabytes of data, including user IDs, emails, and partial payment details. Discord dismissed those claims as part of an extortion attempt and reaffirmed that no internal systems were compromised.

The hackers reportedly demanded up to $5 million and threatened to leak the data after failed negotiations. BleepingComputer could not verify the authenticity of the stolen data samples.

Researchers examine Chaos ransomware and creative log-poisoning web intrusions. 

Researchers at Fortinet examine Chaos ransomware, which resurfaced in 2025 with a new C++ variant—its first version not written in .NET—marking a major evolution in the malware’s capabilities. Dubbed Chaos-C++, the strain combines encryption with destructive behavior, deleting large files entirely instead of encrypting them and hijacking clipboard data to steal cryptocurrency payments.

The malware disguises itself as a fake utility, silently executes its payload, and employs multiple encryption methods, including AES, RSA, and XOR. Its clipboard hijacking feature replaces Bitcoin wallet addresses with attacker-controlled ones, redirecting potential payments.

This variant reflects a broader shift from traditional ransomware to hybrid extortion and destruction, signaling Chaos developers’ growing focus on financial theft and operational impact over simple data encryption.

And in other new research findings elsewhere, an investigation by Huntress details a hands-on compromise that began in August 2025 with log poisoning, also called log injection, on a public phpMyAdmin panel. The actor planted a one-liner PHP web shell reminiscent of China Chopper, controlled it with AntSword, then installed Nezha, a monitoring tool used here to run commands. The sequence ended with Ghost Remote Access Trojan, or Ghost RAT.

Huntress reports likely more than 100 victims, most frequently in Taiwan, Japan, South Korea, and Hong Kong. The access path involved weak defaults and exposed admin interfaces, highlighting real-world risk from test stacks and outdated packages.

Huntress suggests defenders harden public apps, enforce authentication, monitor for web shells, and detect suspicious service creation and execution paths.
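As an added illustration of the two detections Huntress recommends (not code from the podcast or from Huntress), the Python below scans combined-format web-server access logs for poisoning attempts, where an attacker writes a PHP payload into a logged field such as the request line or User-Agent, and flags short PHP files that pass request input into an execution sink, the shape of a China Chopper-style one-liner. The log lines and shell sample are constructed for this example; the request-line payload is percent-encoded because that is how the server records it, so the scanner decodes before matching.

```python
"""Added example: detect log-poisoning attempts and one-liner PHP web shells."""
import re
from typing import List, NamedTuple
from urllib.parse import unquote

# Combined-format access log lines, constructed for this example (not Huntress data).
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [12/Aug/2025:10:01:02 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Aug/2025:10:01:09 +0000] "GET /phpmyadmin/index.php?x=%3C%3Fphp%20@eval(%24_POST%5B%27c%27%5D)%3B%3F%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Aug/2025:10:01:15 +0000] "GET /phpmyadmin/ HTTP/1.1" 200 512 "-" "<?php system($_GET['c']); ?>"
198.51.100.7 - - [12/Aug/2025:10:02:00 +0000] "POST /phpmyadmin/index.php?route=/import HTTP/1.1" 200 77 "-" "Mozilla/5.0"
"""

# Apache/nginx "combined" format: ip ident user [ts] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A PHP open tag in an attacker-controlled field is the poisoning marker; the
# execution-sink check catches payloads that smuggle the tag some other way.
PHP_TAG_RE = re.compile(r"<\?(php|=)", re.IGNORECASE)
PHP_EXEC_RE = re.compile(r"\b(eval|assert|system|passthru|shell_exec|exec)\s*\(", re.IGNORECASE)


class Hit(NamedTuple):
    line_no: int
    ip: str
    field: str      # which logged field carried the payload
    evidence: str   # decoded payload, truncated


def find_log_poisoning(lines) -> List[Hit]:
    """Return one Hit per log line whose request, referer or user-agent carries PHP."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; a real deployment would count these
        for field, raw in (("request", m["req"]), ("referer", m["ref"]), ("user_agent", m["ua"])):
            decoded = unquote(raw)  # the server logs the raw, percent-encoded request line
            if PHP_TAG_RE.search(decoded) or PHP_EXEC_RE.search(decoded):
                hits.append(Hit(n, m["ip"], field, decoded[:120]))
                break  # one hit per line is enough
    return hits


def looks_like_webshell(src: str, max_len: int = 400) -> bool:
    """Flag a short PHP file that feeds request data into an execution sink."""
    if len(src) > max_len or not PHP_TAG_RE.search(src):
        return False
    uses_input = re.search(r"\$_(POST|GET|REQUEST|COOKIE)\b", src) is not None
    return uses_input and PHP_EXEC_RE.search(src) is not None


if __name__ == "__main__":
    for h in find_log_poisoning(SAMPLE_ACCESS_LOG.splitlines()):
        print(f"line {h.line_no} from {h.ip}: PHP in {h.field}: {h.evidence}")
    print(looks_like_webshell("<?php @eval($_POST['chopper']);?>"))
```

The log scan is deliberately noisy in the cheap direction: a PHP tag has no business in a request line or User-Agent, so every match is worth a look, and the hit tells you which field to strip from any log file that PHP might later include. The web-shell check is a triage filter for files under a web root, not a substitute for integrity monitoring; the next step Huntress describes, service creation and unusual execution paths, needs host telemetry that an access log cannot provide.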

The FCC reconsiders its telecom data breach disclosure rule. 

The Federal Communications Commission will revisit its 2024 data breach disclosure rule requiring telecom providers to notify customers within 30 days. A Sixth Circuit panel had upheld the rule, rejecting claims from industry groups that it exceeded FCC authority and violated the Congressional Review Act. After those groups sought a rehearing, the FCC asked to suspend the case while it reexamines the order. The court granted abeyance, requiring progress reports every 60 days.

Experts warn of teen recruitment in pro-Russian hacking operations. 

The arrest of two 17-year-olds in the Netherlands has raised alarms about nation-state hackers recruiting teenagers for espionage. The teens, detained for collecting Wi-Fi data near Europol and other sensitive sites, were reportedly approached on Telegram by pro-Russian operatives. Dutch intelligence tipped police to the activity, which officials link to Russia’s hybrid tactics.

Security analysts say this case underscores a growing pattern: threat actors grooming teens on Telegram, Discord, and gaming platforms to perform low-skill digital tasks, from network scanning to credential theft. Experts warn that young recruits—often unaware of the consequences—are being manipulated into aiding cyber operations.

Dutch Prime Minister Dick Schoof called the trend “extremely worrying,” urging vigilance from parents and educators.

Ukraine’s parliament approves the establishment of Cyber Forces. 

Ukraine’s parliament has approved in the first reading a bill to establish Cyber Forces within its military, reflecting the growing role of cyberwarfare in its conflict with Russia. Backed by 255 lawmakers, the new command will defend Ukraine’s digital infrastructure and report directly to the commander-in-chief and president. The Cyber Forces will recruit reservists, conduct training, and operate under the General Staff’s cyber directorate, aligning operations with NATO standards. Final approval awaits a second reading and presidential signature.

Troy Hunt criticizes data breach injunctions as empty gestures. 

Security researcher Troy Hunt argues that court injunctions following major data breaches—like those granted to HWL Ebsworth and Qantas—are the legal equivalent of offering “thoughts and prayers.” In his analysis, Hunt notes that such orders don’t deter hackers or prevent leaks. After HWL Ebsworth’s injunction against Russia’s ALPHV group, the attackers ignored it and dumped the data anyway.

Hunt says these injunctions mainly restrict journalists, researchers, and services like Have I Been Pwned, rather than the criminals themselves. While companies use them to appear proactive and protect shareholder interests, they offer little real defense for victims or transparency about compromised information. 

Stick around after the break, Dave sits down with Sarah Graham, discussing their work and findings on "Mythical Beasts: Diving into the depths of the global spyware market." And Spy Dog’s secret site goes off leash.

Sarah Graham is from the Atlantic Council’s Cyber Statecraft Initiative (CSI) and she is discussing their work and findings on "Mythical Beasts: Diving into the depths of the global spyware market" with Dave. Here’s their conversation.

That was Dave Bittner sitting down with Sarah Graham from the Atlantic Council’s Cyber Statecraft Initiative (CSI) discussing their work and findings on "Mythical Beasts: Diving into the depths of the global spyware market."

Spy Dog’s secret site goes off leash. 

In Derbyshire, the Spy Dog, Spy Pups, and Spy Cat books—wholesome tales of gadget-wielding pets solving crimes—have been abruptly recalled after a web address printed in the back started leading somewhere far less child-friendly. The site, once home to bonus content, was taken over by a third party who replaced puppies and paw prints with explicit material.

Publisher Puffin and author Andrew Cope expressed horror, urging everyone not to visit the link and vowing swift action through “appropriate channels.” Schools, meanwhile, are treating the incident like a national security emergency—emailing parents, removing books, and issuing “return immediately” orders. For now, it seems Spy Dog’s latest mission is an undercover operation in digital damage control.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry.  Learn how at n2k.com.

N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.