The CyberWire Daily Podcast 10.16.25
Ep 2414 | 10.16.25

When hackers go BIG in cyber espionage.

Transcript

F5 discloses long-term breach tied to nation-state actors. PowerSchool hacker receives a four-year prison sentence. Senator scrutinizes Cisco critical firewall vulnerabilities. Phishing campaign impersonates LastPass and Bitwarden. Credential phishing with Google Careers. Reduce effort, reuse past breaches, recycle into new breach. Qilin announces new victims. Manoj Nair, from Snyk, joins us to explore the future of AI security and the emerging risks shaping this rapidly evolving landscape. And AI faces the facts.

Today is October 16th, 2025. I’m Maria Varmazis, host of T-Minus Space Daily, in for Dave Bittner. And this is your CyberWire Intel Briefing.

F5 discloses long-term breach tied to nation-state actors.

Seattle-based cybersecurity firm F5 disclosed yesterday that state-sponsored hackers had "long-term, persistent access" to its networks, leading to the theft of source code and customer information. The company says the hackers had access to the development environment for its BIG-IP product suite and its engineering knowledge management platform.

In an SEC filing, the company said "Through this access, certain files were exfiltrated, some of which contained certain portions of the Company’s BIG-IP source code and information about undisclosed vulnerabilities that it was working on in BIG-IP. We are not aware of any undisclosed critical or remote code vulnerabilities, and we are not aware of active exploitation of any undisclosed F5 vulnerabilities. We have no evidence of modification to our software supply chain, including our source code and our build and release pipelines."

Bloomberg cites people familiar with the matter as saying the hack is believed to be linked to China, and that the hackers were inside F5's networks for at least twelve months. Ars Technica notes that F5's BIG-IP line is used across the US government and by most of the largest companies in the world.

The US Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive ordering Federal civilian agencies to immediately inventory F5 devices and apply the latest updates by October 22nd. The agency stated, "The threat actor’s access to F5’s proprietary source code could provide that threat actor with a technical advantage to exploit F5 devices and software. The threat actor’s access could enable the ability to conduct static and dynamic analysis for identification of logical flaws and zero-day vulnerabilities as well as the ability to develop targeted exploits."

PowerSchool hacker receives a four-year prison sentence.

19-year-old Matthew Lane of Massachusetts has been sentenced to four years in prison after pleading guilty to hacking education software provider PowerSchool. Lane stole information belonging to more than 70 million individuals and demanded a ransom of $2.9 million in exchange for not publishing the data. In addition to his prison sentence, Lane has been ordered to pay $14 million in restitution and a $25,000 fine.

Senator scrutinizes Cisco critical firewall vulnerabilities.

U.S. Senator Bill Cassidy has formally pressed Cisco for answers over two critical firewall vulnerabilities (CVE-2025-20333 and CVE-2025-20362) that allegedly allowed hackers to breach “at least one federal agency.” The Senator’s letter demands clarity on Cisco’s timeline, knowledge of exploitation, customer guidance, and internal communication protocols. The request follows a CISA directive instructing agencies to patch, audit logs, and retire unsupported devices within 24 hours — citing “unacceptable risk” from Cisco’s ASA and FTD platforms. Cisco has admitted the flaws were exploited as early as May and linked to the ArcaneDoor espionage campaign.

Phishing campaign impersonates LastPass and Bitwarden.

BleepingComputer reports that a phishing campaign is impersonating LastPass and Bitwarden with phony breach notifications. The emails claim the companies have been hacked, and instruct users to install a more secure version of the password managers. This file will download the Syncro remote monitoring and management tool, which the attackers use to install ScreenConnect software. ScreenConnect is a legitimate remote management tool, but is frequently abused by attackers to take control of victims' computers.

LastPass issued a statement on the phishing campaign, noting, "To be clear, LastPass has NOT been hacked, and this is an attempt on the part of a malicious actor to draw attention and generate urgency in the mind of the recipient, a common tactic for social engineering and phishing emails."

Credential phishing with Google Careers.

Sublime Security shares a new wave of credential phishing scams impersonating Google Careers pages to target job seekers, employing near-limitless variations to bypass defenses. Legitimate-sounding domain names like “google-careers[.]site” house fake login forms that harvest credentials. Attackers tweak page design, copy, and URLs constantly, meaning each campaign looks slightly different and evades static detection rules. The scammers also exploit password reset flows, job alerts, and recruitment messages to lure victims. Sublime Security warns that these campaigns are effectively infinite in variation, making them harder to hunt and block using traditional signatures or rules. The post recommends defenses such as domain monitoring, anomaly detection, user awareness, and strong MFA (multi-factor authentication).

Reduce effort, reuse past breaches, recycle into new breach.

An Elasticsearch cluster exposed nearly 6 billion records, apparently accumulated from multiple past breaches and data scraping operations. The repository contained sensitive user data—emails, names, phone numbers, IPs—spanning across over 40 million unique individuals. The leak is believed to aggregate information from many known incidents rather than originate in a single new breach. The database was publicly accessible for weeks, enabling anyone to query it until taken offline. Even though the data itself isn’t newly stolen, its centralization magnifies risk, making it a rich target for opportunistic cybercrime.

Qilin announces new victims.

Ransomware group Qilin has publicly listed new victims after recent attacks, expanding its victim swap in the ransomware underworld. Reported targets include organizations in France, Italy, and the United States, across sectors like healthcare, finance, and manufacturing. Qilin is known for double extortion: encrypting data and threatening to release sensitive information unless paid. In most recent cases, the group claimed to have stolen proprietary documents, employee records, and customer data, and demanded multi-million dollar ransoms. Analysts warn that Qilin’s pressure tactics are intensifying, with shorter deadlines and more aggressive leak strategies. Organizations are urged to verify backups, strengthen segmentation, and monitor for signs of reconnaissance.

Coming up after the break, Manoj Nair, Chief Innovation Officer at Snyk, joins us to explore the future of AI security and the emerging risks shaping this rapidly evolving landscape. And AI faces the facts. Stick around.

Dave Bittner recently sat down with Manoj Nair, Chief Innovation Officer at Snyk, to explore the future of AI security and the emerging risks shaping this rapidly evolving landscape. Here is their conversation.

That was Manoj Nair sitting down with Dave Bittner to explore the future of AI security and the emerging risks shaping this rapidly evolving landscape.

AI faces the facts.

Facial recognition is becoming part of everyday life — from unlocking phones to verifying our identities online. But for millions of people living with facial differences, that technology can be more of a barrier than a convenience.

New reporting from Wired reveals that some individuals are being locked out of essential services, like renewing driver’s licenses, accessing financial accounts, or verifying their identity, simply because the systems can’t recognize their faces. Experts say the issue stems from algorithms that weren’t trained with enough diversity, leaving people with craniofacial conditions or other differences literally unseen by the technology.

Advocates warn this isn’t just a technical glitch — it’s a reminder that when AI systems fail to include everyone, they can deepen long-standing inequities and isolation. They’re calling for more inclusive design and human support when automated systems fall short. It’s proof that even advanced AI can sometimes miss what’s right in front of it.

And that’s the CyberWire Daily, brought to you by N2K CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.

N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Maria Varmazis. Thanks for listening.