
Rebooting the government, one cyber law at a time.
Ending the government shutdown revives an expired cybersecurity law. The DoD finalizes a new model for building U.S. military cyber forces. A North Korean APT exploits Google accounts for full device control. The EU dials back AI protections in response to pressure from Big Tech companies and the U.S. government. Researchers discover a critical vulnerability in the Monsta FTP web-based file management tool. The Landfall espionage campaign targets Samsung Galaxy devices in the Middle East. Five Eyes partners fret over eroding cooperation on counterintelligence and counterterrorism. Israeli spyware maker NSO Group names the former U.S. ambassador to Israel as its new executive chairman. Monday Biz Roundup. Tim Starks from CyberScoop discusses uncertainty in the federal CyberCorps program. The friendly face of digital villainy.
Today is Monday, November 10th, 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Ending the government shutdown revives an expired cybersecurity law.
Congress is moving to end the federal government shutdown with legislation that also revives an expired cybersecurity law. The bill includes a short-term extension of the Cybersecurity Information Sharing Act of 2015, which lapsed at the end of September. The law gives companies legal protection when sharing cyber threat data with the government and other firms, a safeguard industry leaders consider essential. The Senate voted 60–40 to advance the measure Sunday night, but it still needs approval from the House and President Trump’s signature. The temporary extension, running through January, gives lawmakers time to negotiate a longer-term fix. Competing proposals from House and Senate leaders differ sharply, while the Trump administration continues to advocate a 10-year renewal without changes.
The DoD finalizes a new model for building U.S. military cyber forces.
The Department of Defense has finalized a new model for building U.S. military cyber forces, aiming to fix long-standing challenges in recruiting and retaining skilled personnel. The plan, derived from the earlier “Cyber Command 2.0” overhaul, outlines a years-long implementation effort meant to strengthen U.S. Cyber Command’s capabilities. Key initiatives include a virtual Advanced Cyber Training and Education Center, expected to reach initial readiness by late fiscal 2028 and full operation by 2031, and a Cyber Innovation Warfare Center to accelerate new cyber capabilities between 2026 and beyond 2030. Some milestones stretch into 2033. However, the slow rollout may fuel renewed calls from experts and lawmakers for a dedicated cyber military branch. Critics argue existing services have failed to supply sufficient qualified personnel, while Pentagon officials say the new model justifies delaying a separate Cyber Force. DOD calls the plan a transformative step toward greater “lethality and agility.”
A North Korean APT exploits Google accounts for full device control.
North Korean state-sponsored hackers hijacked Google accounts to remotely control and wipe Android devices in South Korea, according to cybersecurity firm Genians. The campaign, attributed to North Korea’s Konni advanced persistent threat (APT) group, marks the first confirmed case of Pyongyang-linked actors exploiting Google accounts for full device control. Attackers gained access through spear-phishing emails impersonating South Korea’s National Tax Service, then abused Google’s Find Hub feature, normally used to locate lost devices, to track, reset, and disable victims’ smartphones. They then compromised KakaoTalk messenger accounts to spread malware via trusted contacts, amplifying the reach of the attack. Victims included a counsellor for North Korean defector students. Genians called the operation a highly sophisticated social-engineering campaign, combining device neutralization with account-based malware propagation.
The EU dials back AI protections in response to pressure from Big Tech companies and the U.S. government.
The European Commission is preparing to pause parts of its Artificial Intelligence (AI) Act, responding to pressure from Big Tech companies and the U.S. government. According to a draft proposal seen by the Financial Times, Brussels plans to include the move in a “simplification package” set for November 19, aiming to ease compliance and maintain global competitiveness. The proposal would grant a one-year grace period for companies using high-risk AI systems and delay enforcement of AI transparency rules until August 2027. The plan follows U.S. warnings that strict EU digital rules could strain transatlantic relations. While the AI Act took effect in August 2024, most provisions, especially for high-risk AI, begin in 2026. Officials insist the EU remains committed to the Act’s goals, but implementation could shift to avoid economic disruption.
Researchers discover a critical vulnerability in the Monsta FTP web-based file management tool.
Cybersecurity firm watchTowr discovered a critical vulnerability in the Monsta FTP web-based file management tool that could let attackers completely take over affected web servers. Tracked as CVE-2025-34299, the flaw allows remote code execution (RCE) without requiring authentication, meaning hackers can exploit it before logging in. Attackers could trick the application into downloading and saving malicious files anywhere on the server, giving them full control. Monsta FTP, widely used by businesses and individuals to manage website files via browser, was found to have this flaw in its latest versions, echoing older unresolved vulnerabilities. WatchTowr reported the issue on August 13, 2025, and developers quickly released a patched version, 2.11.3, on August 26. Users are urged to update immediately to prevent exploitation.
The Landfall espionage campaign targets Samsung Galaxy devices in the Middle East.
Researchers at Palo Alto Networks’ Unit 42 uncovered a nine-month espionage campaign using “commercial-grade” spyware dubbed LANDFALL, targeting Samsung Galaxy devices, likely in the Middle East. The Android spyware exploited a zero-day flaw (CVE-2025-21042) in Galaxy phones’ image processing libraries via malformed DNG image files sent through WhatsApp. The zero-click malware enabled microphone, camera, and call recording, as well as data and location exfiltration, with no user interaction required. The vulnerability, privately reported to Samsung in September 2024, was only patched in April 2025. Unit 42 linked LANDFALL’s tactics and infrastructure to commercial spyware vendors and noted similarities to the Stealth Falcon group tied to the UAE, though no direct connection was proven. Targets likely included users in Iraq, Iran, Turkey, and Morocco.
Five Eyes partners fret over eroding cooperation on counterintelligence and counterterrorism.
At a secret May meeting near London, FBI Director Kash Patel reportedly promised MI5 chief Ken McCallum to preserve an FBI position in London that supported Britain’s high-tech surveillance work. Patel later allowed the post to lapse amid White House budget cuts, leaving MI5 frustrated and raising doubts among U.S. allies about his reliability. The episode, detailed by The New York Times, has deepened Five Eyes partners’ concerns that Patel’s partisan approach and dismissals of career agents are eroding cooperation on counterintelligence and counterterrorism. Allies reportedly view the bureau as adrift and increasingly politicized. Patel’s controversial overseas conduct, including gifting illegal replica guns in New Zealand and firing a senior agent in Australia, has reinforced those worries. The FBI declined to comment on Patel’s talks with MI5, but former intelligence officials warned that trust once lost among Five Eyes members is difficult to rebuild.
Israeli spyware maker NSO Group names the former U.S. ambassador to Israel as its new executive chairman.
Israeli spyware maker NSO Group has named former U.S. ambassador to Israel David Friedman as its new executive chairman, part of an effort to rebuild ties with Washington and escape the U.S. Commerce Department blacklist imposed in 2021 for enabling “transnational repression.” The move follows a takeover by U.S. investors led by Hollywood producer Robert Simonds, ending the involvement of NSO’s founders. Friedman, a close Trump ally, said he aims to show that NSO’s tools can help “keep Americans safer” by supporting law enforcement. NSO, best known for its Pegasus spyware, insists it sells only to vetted governments to fight terrorism, though critics accuse it of aiding surveillance abuses. Friedman said he will seek new U.S. partnerships while ensuring tighter client oversight. NSO continues operating under Israeli Defense Ministry regulation and faces ongoing legal and reputational challenges worldwide.
Monday Biz Roundup.
Global cybersecurity and tech investment activity surged this past week, led by Armis’s $435 million pre-IPO round, valuing the San Francisco attack surface management firm at $6.1 billion. The funding, led by Goldman Sachs Alternatives, will support Armis’s growth toward a planned IPO and $1 billion in annual recurring revenue. Other notable raises include Denmark’s Formalize (€30M) to expand its GRC platform across Europe, Israel’s Daylight ($33M) to accelerate its AI-powered security operations, and Canada’s Flare ($30M) to drive innovation in threat exposure management. Smaller rounds supported Reflectiz ($22M), WideField Security ($11.3M), and stealth startups Malanta and Spektrum Labs ($10M each).
In M&A, Google’s $32B acquisition of Wiz cleared a key U.S. antitrust review, while Francisco Partners agreed to take Jamf private for $2.2B. Additional deals included Ping Identity’s acquisition of Keyless, Zscaler buying SPLX, and Bugcrowd acquiring Mayhem Security to expand AI and API defense capabilities.
The friendly face of digital villainy.
When a BBC reporter met with Tank, known to the FBI as Vyacheslav Penchukov, in a prison meeting room, he didn’t storm in like a fallen cyber overlord. Instead, he poked his head around a pillar, flashed a movie-star grin, and winked. It was a fitting entrance for a man who once hacked banks by day and DJ’d Donetsk nightclubs as “DJ Slava Rich” by night. Penchukov’s charm, not just his code, helped him lead the Jabber Zeus and IcedID gangs, stealing millions and earning a decade on the FBI’s Most Wanted list. Now serving time in a low-security Colorado prison, he studies English, plays sports, and jokes, “Not smart enough, I’m in prison.” His remorse is selective; he regrets trusting fellow hackers more than the havoc he caused. “In cybercrime,” he reflects, “your friends become informants.” Even behind bars, Tank seems oddly content, just another outlaw who mistook charisma for cleverness.
And that’s the CyberWire.
Quick programming note: We’re taking a brief pause tomorrow, Tuesday, November 11th, to honor and celebrate our Veterans.
While we’re away, we’d like to highlight a great conversation featuring Lieutenant Rob Sarver and Alex Gendzier, authors of Warrior to Civilian: The Field Manual for the Hero’s Journey. It’s an insightful look at helping veterans navigate life after service—and how we can all do our part to support them.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.
