
Hackers peek behind the nuclear curtain.
A foreign threat actor breached a key U.S. nuclear weapons manufacturing site. The cyberattack on Jaguar Land Rover is the most financially damaging cyber incident in UK history. A new report from Microsoft warns that AI is reshaping cybersecurity at an unprecedented pace. The ToolShell vulnerability fuels Chinese cyber operations across four continents. Fake browser updates are spreading RansomHub, LockBit, and data-stealing malware. Hackers deface LA Metro bus stop displays. A spyware developer is warned by Apple of a mercenary spyware attack. Pwn2Own payouts proceed. Ben Yelin from the University of Maryland Center for Cyber Health and Hazard Strategies on a federal whistleblower from the SSA. When the cloud goes down, beds heat up.
Today is Wednesday October 22nd 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
A foreign threat actor breached a key U.S. nuclear weapons manufacturing site.
A foreign threat actor breached the Kansas City National Security Campus (KCNSC), a key U.S. nuclear weapons manufacturing site, by exploiting unpatched Microsoft SharePoint vulnerabilities, according to a source involved in the August response. The attackers accessed systems at the Honeywell-managed facility, which produces most non-nuclear components for U.S. nuclear weapons. Attribution remains disputed: Microsoft links the broader campaign to Chinese groups Linen Typhoon and Violet Typhoon, while a source claims Russian involvement. The incident underscores how IT weaknesses can expose operational technology, even in air-gapped environments. Experts warn that despite limited impact, the breach highlights gaps in zero-trust protections for industrial systems. Even unclassified technical data could hold strategic value by revealing manufacturing tolerances or supply chain dependencies. The Department of Energy confirmed limited disruption and said affected systems are being restored.
The cyberattack on Jaguar Land Rover is the most financially damaging cyber incident in UK history.
The cyberattack on Jaguar Land Rover (JLR) is projected to cost £1.9 billion, making it the most financially damaging cyber incident in UK history, according to the Cyber Monitoring Centre (CMC). According to the BBC, the late-August hack forced a five-week production shutdown across JLR’s global operations and disrupted more than 5,000 suppliers. CMC classified the breach as a Category 3 event, citing estimated total losses between £1.6 billion and £2.1 billion, with full recovery expected by January 2026. More than half the losses are attributed to JLR’s own recovery and operational downtime, while supply-chain and local-economy impacts make up the rest. JLR has not disclosed the attack type or whether a ransom was paid.
A new report from Microsoft warns that AI is reshaping cybersecurity at an unprecedented pace.
Microsoft’s Digital Defense Report 2025 warns that AI is reshaping cybersecurity at an unprecedented pace—empowering both defenders and attackers. The company says adversaries now use generative AI to automate social engineering, vulnerability discovery, and evasion, while targeting AI systems themselves through prompt injection and data poisoning. Nation-state actors are intensifying espionage and influence operations, particularly against research and communications sectors, often linked to geopolitical conflicts. Microsoft urges defenders to embed cybersecurity into business strategy, emphasizing zero trust, cloud security, and identity protection. The report stresses that no organization can face these challenges alone; international collaboration and political deterrence are vital to counter malicious state activity. Microsoft also calls for preparation for quantum-era threats, cloud governance, and workforce upskilling to build collective cyber resilience. And, our N2K CyberWire Network partner, Microsoft Threat Intelligence, discusses the report in detail on today’s episode of the Microsoft Threat Intelligence Podcast. We will have the link in the show notes so you can take a deep dive into how the cyber threat landscape is accelerating through AI, automation, and industrialized criminal networks.
The ToolShell vulnerability fuels Chinese cyber operations across four continents.
Chinese-linked hackers exploited the ToolShell vulnerability (CVE-2025-53770) in Microsoft SharePoint to attack organizations across four continents, according to Symantec. The flaw, a bypass for two earlier SharePoint bugs revealed at Pwn2Own Berlin, allows unauthenticated remote code execution on on-premises servers. Microsoft previously attributed the exploitation to Chinese groups Budworm (Linen Typhoon), Sheathminer (Violet Typhoon), and Storm-2603 (Warlock ransomware). Symantec’s report identifies additional Chinese actors targeting government, telecom, financial, and academic institutions in the Middle East, Africa, South America, and the U.S. Attackers deployed multiple backdoors, including Zingdoor, ShadowPad, and KrustyLoader, using legitimate executables for DLL side-loading. The operations also leveraged credential dumping tools, PetitPotam for domain compromise, and utilities for data exfiltration and persistence. Symantec concludes ToolShell was exploited by more Chinese actors than previously known.
Fake browser updates are spreading RansomHub, LockBit, and data-stealing malware.
A new report from Trustwave SpiderLabs warns that SocGholish, also known as FakeUpdates, is a global Malware-as-a-Service (MaaS) operation turning fake software updates into large-scale infection campaigns. Run by threat group TA569, SocGholish compromises legitimate websites—often WordPress sites—and injects malicious scripts or uses domain shadowing to distribute malware disguised as browser or Flash updates. The group sells access to other criminals, including Evil Corp, and has recently delivered RansomHub ransomware in healthcare-related attacks. Researchers also found ties to Russia’s GRU Unit 29155, noting that SocGholish has spread the Raspberry Robin worm. Using traffic filtering tools like Keitaro TDS, TA569 selectively targets victims and delivers payloads including LockBit ransomware, AsyncRAT, and data stealers, making SocGholish a major global cyber threat.
Hackers deface LA Metro bus stop displays.
LA Metro confirmed that several digital signage boards were hijacked this week after displaying a false “suicide bomb” warning, apparently posted by Turkish hackers. The incident affected bus stops including one at 6th Street and Vermont Avenue, where the alarming message appeared alongside a hacker group’s social media tag. Officials traced the intrusion to Papercast, a third-party content management vendor, whose systems were compromised. The unauthorized messages have since been removed as Metro and Papercast investigate the breach.
A spyware developer is warned by Apple of a mercenary spyware attack.
A developer formerly employed by government spyware maker Trenchant says Apple warned him that his iPhone was targeted by mercenary spyware, marking one of the first known cases of a spyware developer becoming a victim. The developer, using the pseudonym Jay Gibson, had worked on iOS zero-day exploits before being suspended and later fired amid an internal investigation into a leak of Trenchant’s hacking tools. Gibson denies involvement and believes he was scapegoated. Apple’s alert, issued in March, suggests a state-linked surveillance campaign, though no infection was confirmed. Sources told TechCrunch that other exploit developers have received similar Apple notifications, signaling that the spread of zero-day spyware is now ensnaring its own creators. Trenchant’s parent company, L3Harris, declined comment.
Pwn2Own payouts proceed.
On day one of Pwn2Own Ireland 2025, researchers earned $522,500 by exploiting 34 previously unknown vulnerabilities across printers, routers, NAS devices, and smart home products, according to Trend Micro’s Zero Day Initiative (ZDI). The top prize, $100,000, went to a “SOHO Smashup” exploit chaining flaws in QNAP router and NAS devices. Other major payouts included $50,000 each for hacks on Synology and Sonos devices. Additional vulnerabilities in Home Assistant, Philips Hue, and HP/Canon printers were also rewarded. The contest continues, with a $1 million WhatsApp exploit demonstration expected Thursday.
When the cloud goes down, beds heat up.
When Amazon Web Services sneezed on October 20, smart beds across America caught a fever. Around 3 a.m. ET, AWS’s US-EAST-1 region suffered a major outage—taking down not just apps and banking sites, but also the nation’s priciest pillows. Owners of Eight Sleep’s $2,000 “Pod” mattress covers awoke to find their cloud-connected sleep sanctuaries trapped in digital limbo. Some beds overheated into sauna territory; others froze or tilted at improbable angles, all thanks to the missing internet umbilical cord.
One user quipped, “Backend outage means I’m sleeping in a sauna.” Others discovered the bitter irony of a “smart bed” that can’t think for itself offline.
By sunrise, AWS had restored normal operations, and Eight Sleep’s CEO vowed to create an “outage mode.” Until then, users might want to keep a fan—and a sense of humor—by the bed.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.
