The CyberWire Daily Podcast 11.26.25
Ep 2442 | 11.26.25

Hacktivists go galactic.

Transcript

Report sheds light on cyber activity targeting space-related organizations during the Gaza War. Russian threat actor targets US civil engineering firm. FBI says $262 million has been stolen in account takeover scams this year. HashJack attack tricks AI browser assistants. London councils disrupted by cyberattacks. Russia’s Gamaredon and North Korea’s Lazarus Group appear to be sharing infrastructure. Canon says subsidiary was breached by Oracle EBS flaw. Dave Bittner was joined by Cynthia Kaiser, SVP of the Ransomware Research Center at Halcyon, sharing a deep dive on Akira ransomware. And Campbell’s Soup CISO placed on leave following lawsuit.

Today is Wednesday, November 28th and I’m your T-Minus Space Daily host Maria Varmazis, in for Dave Bittner, who is preparing for tomorrow’s turkey feast. Thanks for joining us for your CyberWire Intel Briefing.

Report sheds light on cyber activity targeting space-related organizations during the Gaza War.

We’re starting today with a new report out of ETH Zürich that sheds light on a spike in cyber activity targeting space-related organizations during the Gaza War. Researchers at the Centre for Security Studies tracked 237 cyber operations aimed at the space sector over the course of the conflict, and here’s the striking part: only 11 of those incidents happened before October 7th.

According to the study, once the war began, hacktivist groups, mostly pro-Palestinian groups, either emerged or significantly ramped up activity. And most of what they did wasn’t subtle. The bulk of these operations were DDoS attacks, quick bursts of traffic designed to knock websites offline, sometimes lasting only seconds.

One of the most frequent targets was the Israel Space Agency, even though it doesn’t operate satellites or maintain deep space infrastructure and has a pretty limited attack surface. But because hacktivist campaigns often recycle huge lists of government-related URLs, the agency became a recurring name on those target lists.

The authors of the report say this is part of a broader pattern we’re seeing in modern conflict: cyber operations against space-sector organizations are now a routine element of geopolitical escalation. I know we keep telling you, but it’s worth repeating, take cybersecurity seriously, folks!

Russian threat actor targets US civil engineering firm.

The Russia-aligned threat actor "RomCom" used SocGholish to breach a US-based civil engineering company that had done work for Ukraine, according to researchers at Arctic Wolf. While SocGholish is operated by a criminal malware-as-a-service group, Arctic Wolf "assesses with a medium-to-high confidence level that Russia’s GRU unit 29155 is utilizing SocGholish to target victims."

The researchers note, "This SocGholish activity demonstrates the ongoing exploitation of compromised legitimate websites as a malware delivery framework, turning routine web browsing into a potential vector for ransomware access."

FBI says $262 million has been stolen in account takeover scams this year.

The US Federal Bureau of Investigation (FBI) has issued an advisory on account takeover (ATO) fraud schemes, noting that these attacks have caused $262 million in losses since January 2025. The attackers use well-known social engineering techniques to impersonate financial institutions and trick users into granting access to their accounts. The crooks are targeting banks, payrolls, and health savings accounts.

The Bureau notes, "In some instances, cyber criminals impersonating financial institutions reported to the account owner that their information was used to make fraudulent purchases, including firearms. The cyber criminal convinces the account owner to provide information to a second cyber criminal impersonating law enforcement, who then convinces the account owner to provide account information."

HashJack attack tricks AI browser assistants.

Cato Networks has published a report on an indirect prompt injection technique affecting several AI browser assistants, including Perplexity's Comet, Copilot for Edge, and Gemini for Chrome. The technique, which Cato calls "HashJack," uses the pound or hash sign (#) to place malicious prompts after legitimate URLs. The researchers explain, "When an AI browser loads a page and the user interacts with the AI assistant, these hidden prompts are fed directly into large language models (LLMs). In agentic AI browsers like Comet, the attack can escalate further, with the AI assistant automatically sending user data to threat actor-controlled endpoints."

Perplexity and Microsoft have since implemented mitigations against this technique, while Google acknowledged the issue and gave Cato permission to publicly disclose the flaw. The issue is still unresolved in the Chrome browser.
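The detail that makes HashJack work is that everything after the "#" in a URL stays on the client: the web server never sees the fragment, so server-side filtering cannot catch it, but a browser assistant reading the page address does. As an added illustration (not Cato’s code and not any vendor’s mitigation), here is a defensive check an assistant could apply before passing a URL to its model: strip the fragment, and flag fragments that read like natural-language instructions rather than an in-page anchor. The keyword list and thresholds are assumed heuristics, not values from the report.

```javascript
// Added example, not from the original page: separate a URL's fragment from
// the part the server actually receives, and flag fragments that look like
// instructions aimed at an AI assistant rather than an ordinary anchor id.

// Assumed heuristic hints; a real deployment would tune or replace these.
const INSTRUCTION_HINTS = [
  'ignore', 'instructions', 'assistant', 'system prompt',
  'send', 'reply', 'tell the user',
];

// Split "https://host/path#fragment" into the server-visible URL and the
// client-only fragment. decodeURIComponent may throw on malformed escapes,
// so fall back to the raw text in that case.
function splitFragment(urlString) {
  const url = new URL(urlString);
  const raw = url.hash.slice(1); // drop the leading '#'
  let fragment;
  try {
    fragment = decodeURIComponent(raw);
  } catch (e) {
    fragment = raw;
  }
  url.hash = ''; // the assistant should only see what the server saw
  return { base: url.href, fragment };
}

// Ordinary anchors are short single tokens such as "section-2". A fragment
// with whitespace and sentence-like length, or several instruction words,
// is treated as a possible injected prompt.
function looksLikePrompt(fragment) {
  if (fragment.length === 0) return false;
  const hasSpaces = /\s/.test(fragment);
  const lower = fragment.toLowerCase();
  const hits = INSTRUCTION_HINTS.filter((w) => lower.includes(w)).length;
  return (hasSpaces && fragment.length > 40) || hits >= 2;
}

// Returns the fragment-free URL plus a flag the assistant can use to refuse
// or to log the event for the security team.
function sanitizeUrlForAssistant(urlString) {
  const { base, fragment } = splitFragment(urlString);
  return { safeUrl: base, fragment, suspicious: looksLikePrompt(fragment) };
}
```

Logging the flagged fragment alongside the referring page gives a detection signal for the pattern the report describes, independent of any model-side guardrail.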

London councils disrupted by cyberattacks.

The BBC reports that at least three London councils were hit by disruptive cyberattacks over the past few days. The Royal Borough of Kensington & Chelsea (RBKC) and Westminster City Council sustained an attack that affected shared IT systems and took down phone services, while Hammersmith & Fulham Council said it was working to recover from a "serious cyber security incident." The Hammersmith & Fulham attack appears to be connected to the incident affecting RBKC and Westminster City. A memo from the Hammersmith & Fulham Council instructed staff not to click on any Outlook or Teams links from RBKC and Westminster City colleagues until further notice. The BBC says the Met Police is investigating the incidents.

Russia’s Gamaredon and North Korea’s Lazarus Group appear to be sharing infrastructure.

Researchers from Gen Threat Labs have seen evidence that Russia’s Gamaredon and North Korea’s Lazarus Group are sharing infrastructure, indicating that the two state-sponsored actors “may be coordinating at an operational level.” 

The researchers observed a Gamaredon C2 server hosting InvisibleFerret, a strain of malware attributed to the Lazarus Group. The malware was delivered through an identical server structure used in Lazarus’s ContagiousInterview campaign. Gen notes, “While the IP could represent a proxy or VPN endpoint, the temporal proximity of both groups’ activity and the shared hosting pattern indicate probable infrastructure reuse, with moderate confidence of operational collaboration.”

Canon says subsidiary was breached by Oracle EBS flaw.

Canon has confirmed that one of its subsidiaries was breached by an attack campaign targeting Oracle E-Business Suite instances. The company told SecurityWeek, “We have confirmed that the incident only affected the web server, and we have already taken security measures and resumed service. In addition, we are continuing to investigate further to ensure that there is no other impact.”

The Clop extortion gang listed Canon as one of its victims, but hasn’t leaked any data from the company.

Stick around, after the break we have Cynthia Kaiser, SVP of the Ransomware Research Center at Halcyon, sharing a deep dive on Akira ransomware. And Campbell’s Soup CISO placed on leave following lawsuit.

Dave Bittner recently sat down with Cynthia Kaiser, SVP of the Ransomware Research Center at Halcyon, as they took a deep dive on Akira ransomware. Here is their conversation. 

That was Cynthia Kaiser, SVP of the Ransomware Research Center at Halcyon, sharing a deep dive on Akira ransomware. Learn more in Halcyon’s threat actor profile of Akira, and how they fit into Halcyon’s latest Malicious Quartile Report; there is a link in the show notes.

Campbell’s Soup CISO placed on leave following lawsuit.

Campbell’s Soup’s chief information security officer is in hot water after a lawsuit claimed he made disparaging remarks about the company’s soup, as well as racist comments about his Indian coworkers. The executive, Martin Bally, has been placed on leave pending an investigation. The lawsuit was filed by a former employee of the company, remote security analyst Robert Garza. Garza recorded Bally’s comments during a lunch meeting, and claims he was fired after bringing the recording to a superior.

Bally allegedly said Campbell’s makes unhealthy soup for “poor people” using 3D-printed chicken and bioengineered meats. Campbell’s said in a statement, “The comments on the recording are not only inaccurate – they are patently absurd. Keep in mind, the alleged comments are made by an IT person, who has nothing to do with how we make our food.”

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We will not be publishing tomorrow through Sunday in observance of the Thanksgiving holiday here in the United States. We have some great content planned for you to check out in the CyberWire Daily podcast feed. We will see you back here on Monday. Enjoy your turkey everyone!

And that’s the CyberWire Daily, brought to you by N2K CyberWire.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.

N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.