CSO Online (https://www.csoonline.com), "Security at the speed of business". Feed generated Mon, 10 Mar 2025 00:14:19 +0000. Copyright (c) 2025 IDG Communications, Inc.

Linux, macOS users infected with malware posing as legitimate Go packages
Fri, 07 Mar 2025 11:10:22 +0000

In a new typosquatting campaign, threat actors have been seen using malicious Go packages that pose as popular libraries to install malware on unsuspecting Linux and macOS systems.

Researchers from the software supply chain security firm Socket found seven packages impersonating the widely used Go libraries hypert and layout to trick developers.

“These packages share repeated malicious filenames and consistent obfuscation techniques, suggesting a coordinated threat actor capable of pivoting rapidly,” Socket researchers said in a blog post.

Typosquatting is a technique attackers use to create malicious websites, domains, or software packages with names that closely resemble legitimate ones. By exploiting common typing errors or slight variations, attackers trick users into downloading malware, revealing sensitive information, or installing harmful software.

Socket has requested removal of the malicious packages from the Go Module Mirror and has flagged the associated GitHub repositories and user accounts, the post added.

Typosquatting hypert and layout for RCE and more

According to the report, the attackers cloned the popular hypert library, which developers use for testing HTTP API clients, and released four fake versions with embedded remote code execution functionality. The typosquatted module paths were github.com/shallowmulti/hypert, github.com/shadowybulk/hypert, github.com/belatedplanet/hypert and github.com/thankfulmai/hypert.

One package, github.com/shallowmulti/hypert, executed shell commands to download and run a malicious script from alturastreet[.]icu, a lookalike of the legitimate banking domain alturacu.com.

Three additional packages impersonated the legitimate layout library: github.com/vainreboot/layout, github.com/ornatedoctrin/layout, and github.com/utilizedsun/layout.

These packages executed hidden shell commands to download and run scripts that in turn fetched and executed the final-stage malware, an ELF binary, on Linux; macOS hosts were targeted as well.

Campaign is tailor-made for persistence 

The repeated use of identical filenames, array-based string obfuscation, and delayed execution tactics strongly suggests a coordinated adversary who plans to persist and adapt, the researchers added.

The presence of multiple malicious hypert and layout packages along with several fallback domains also suggests resilient infrastructure, which lets the threat actors adapt quickly and keep operating even if a domain or repository is blocklisted or taken down.

“Given the threat actor’s demonstrated ability to upload malicious packages, there is a strong reason to suspect that similar tactics, techniques, and procedures (TTPs) will continue infiltrating the Go ecosystem,” the researchers noted. Steps developers can take to counter the campaign include adopting real-time scanning tools, code audits, and careful dependency management that catches typosquatting attempts before a module is pulled in.
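As an added example (not code from the Socket report or from the hypert or layout projects), the following Go program applies the "careful dependency management" advice above: it parses a go.mod's require directives and flags any module that shares its package name with a vetted module but lives under a different owner, which is exactly the shallowmulti/hypert and vainreboot/layout pattern, as well as paths within a couple of edits of a vetted one. The go.mod and the allowlist are constructed for the example; the example-org paths are placeholders for whatever module paths your organization has actually reviewed, not the upstream projects' real paths.

```go
package main

import (
	"bufio"
	"fmt"
	"path"
	"strings"
)

// Finding records one require line that resembles a vetted module but is not it.
type Finding struct {
	Module    string // module path as written in go.mod
	LooksLike string // vetted module path it resembles
	Reason    string
}

// sampleGoMod is a constructed go.mod for this example. Two of the four requires
// use module paths named in the Socket report; the others are placeholders.
const sampleGoMod = `module example.com/internal/service

go 1.22

require (
	github.com/example-org/hypert v1.4.0
	github.com/shallowmulti/hypert v1.0.2
	github.com/vainreboot/layout v0.3.1
	golang.org/x/net v0.25.0
)
`

// vettedModules stands in for an organization's allowlist of reviewed module
// paths. The example-org entries are placeholders, not the real upstream paths.
var vettedModules = []string{
	"github.com/example-org/hypert",
	"github.com/example-org/layout",
	"golang.org/x/net",
}

// parseRequires returns the module paths from a go.mod's require directives,
// handling both the single-line form and the parenthesized block form.
func parseRequires(gomod string) []string {
	var mods []string
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "require (":
			inBlock = true
		case inBlock && line == ")":
			inBlock = false
		case strings.HasPrefix(line, "require "):
			if f := strings.Fields(line); len(f) >= 3 {
				mods = append(mods, f[1])
			}
		case inBlock && line != "" && !strings.HasPrefix(line, "//"):
			if f := strings.Fields(line); len(f) >= 2 {
				mods = append(mods, f[0])
			}
		}
	}
	return mods
}

// levenshtein is the edit distance between a and b. It catches paths that differ
// from a vetted one by a few characters (a dropped, swapped or added letter).
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev := make([]int, len(rb)+1)
	cur := make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			cur[j] = minInt(prev[j]+1, minInt(cur[j-1]+1, prev[j-1]+cost))
		}
		prev, cur = cur, prev
	}
	return prev[len(rb)]
}

func minInt(a, b int) int {
	if a < b {
		return a
	}
	return b
}

// checkTyposquats flags every required module that is not on the allowlist yet
// either ends in the same package name as a vetted module (same import name,
// different owner) or lies within maxDist edits of a vetted path.
func checkTyposquats(mods, vetted []string, maxDist int) []Finding {
	vettedSet := make(map[string]bool, len(vetted))
	for _, v := range vetted {
		vettedSet[v] = true
	}
	var out []Finding
	for _, m := range mods {
		if vettedSet[m] {
			continue
		}
		for _, v := range vetted {
			if path.Base(m) == path.Base(v) {
				out = append(out, Finding{m, v, "same package name, different module path"})
				break
			}
			if d := levenshtein(m, v); d <= maxDist {
				out = append(out, Finding{m, v, fmt.Sprintf("within %d edits of a vetted path", d)})
				break
			}
		}
	}
	return out
}

func main() {
	for _, f := range checkTyposquats(parseRequires(sampleGoMod), vettedModules, 2) {
		fmt.Printf("SUSPICIOUS %s (looks like %s: %s)\n", f.Module, f.LooksLike, f.Reason)
	}
}
```

Run against the constructed go.mod, the check reports github.com/shallowmulti/hypert and github.com/vainreboot/layout and stays silent on the two vetted paths. The same-package-name rule is the one that matters for this campaign: the malicious modules did not misspell anything, they reused the real package name under a new owner, so a pure edit-distance check on the full path would miss them. In practice the allowlist comes from your own review process, and the check belongs in CI next to `go mod verify`.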

Source: https://www.csoonline.com/article/3841336/linux-macos-users-infected-with-malware-posing-as-legitimate-go-packages.html (Malware, Security)
Deficient cybersecurity in healthcare
Fri, 07 Mar 2025 11:06:40 +0000

15 percent of endpoints in the healthcare sector have no security and risk controls, or controls that do not match policy.


According to the current Horizon Report 2025, 183 million patient records were compromised worldwide in 2024, a nine percent increase over the previous year. So why do healthcare organizations find it so hard to protect themselves adequately against ransomware attacks?

To find out, security vendor Absolute Security analyzed more than one million endpoints in healthcare. The analysts found the following security deficiencies:

  • Missing or non-compliant security and risk controls: On 15 percent of the PCs analyzed, critical security controls either did not match the organization's internal security and risk policies or were missing from the device entirely. The baseline security solutions examined included data protection, endpoint protection (EPP/XDR), security service edge (SSE), VPN and vulnerability management. These results show that healthcare PCs and networks often lack an important first line of defense that could stop attackers and exploits.
  • Late patching: The average Windows endpoint in healthcare is 48 days behind on critical security patches. According to the analysis, unpatched vulnerabilities are one of the main causes of breaches and ransomware infections. "This fundamental lapse in security hygiene leaves organizations exposed to data breaches and lengthy, disruptive outages," the study's authors warn.
  • Shadow AI risks: AI use is growing. Healthcare staff frequently access ChatGPT and other generative AI platforms that are not HIPAA (Health Insurance Portability and Accountability Act) compliant. "This is concerning not only because of the potential exposure of patient data and regulatory violations, but also because it shows that organizations have little ability to govern shadow AI use," the researchers stress. Although HIPAA is primarily a US law, it can also be relevant to German companies that process or have access to health data from the US.

"Ransomware groups exploit vulnerable endpoints to disrupt operations and steal sensitive patient data. At the same time, compliance risks are rising as healthcare organizations struggle to maintain healthy security controls and monitor AI-related threats," comments Thomas Lo Coco, Sales Manager Central Europe at Absolute Security. "With a proactive resilience approach, hospitals, clinics and healthcare providers can close risk gaps, avoid regulatory violations and recover quickly after a cyberattack or IT incident."

Further reading: The 6 biggest cyber threats in healthcare

New EU plan for more cybersecurity in healthcare

Source: https://www.csoonline.com/article/3841317/mangelhafte-cybersicherheit-im-gesundheitswesen.html (Cyberattacks, Healthcare Industry)
8 obstacles women still face when seeking a leadership role in IT
Fri, 07 Mar 2025 10:30:00 +0000

If you are a tech leader, you might encourage your daughter to follow your path, imagining a journey, like yours, with challenges that can be overcome with hard work. But if you are a man — especially a white man — you are likely unaware of the massive obstacles she will face that you didn’t. For women, the path to leadership is littered with obstructions that hard work can’t overcome.

Those obstacles start at the first rung of the ladder. Women remain less likely than men to be hired into entry-level roles, which leaves them underrepresented from the very beginning, according to the 2024 Women in the Workplace study. And women are far less likely to get promoted — a situation that hasn’t changed much over the past several years. For every 100 men promoted to manager in 2018, only 79 women were promoted. In 2024, that number was just 81. This is why men outnumber women at every level. It is why only 29% of C-suite members are women.

If your daughter is very young, she might see workplace parity in her lifetime — unless she is black. “It will take 22 years to reach parity for white women — and more than twice as long for women of color,” according to the Women in the Workplace study. That means, without any setbacks, we won’t see a workplace that reflects the US population until 2073.  

The good news? You can help. If you are aware of the obstacles, you can help remove them. Women need allies. Be one of those.

Here are eight of the biggest obstacles women face and what they and tech leaders can do about them.

Source: https://www.cio.com/article/3838180 (Careers, IT Leadership)
BSI publishes new security requirements for database systems
Fri, 07 Mar 2025 09:03:00 +0000

The new BSI requirements apply to both relational and NoSQL database systems and cover all deployment models.


The German Federal Office for Information Security (BSI) has published version 1.0 of its key points (Eckpunkte) on IT security requirements for database systems. According to the BSI, the documents are based on a comprehensive analysis of various types of database management systems.

Focus: security by default

A central principle of the key points is "security by default": database systems should be able to start in a hardened state right after installation. The security experts also stress the importance of hardening the database software, for example by enabling only the functions that are actually needed, to minimize security risks.

The requirements apply to both relational and NoSQL database systems and cover on-premises as well as cloud environments. Requirements specific to individual system types are marked separately in the BSI key points.

In addition, the BSI emphasizes sustainability and legal compliance, to ensure that organizations operate their databases securely over the long term and comply with statutory requirements.

Regular updates and maintenance required

The requirements also include logging of security-relevant events, so that potential security incidents can be traced, monitored and analyzed. The BSI further calls for the software to be maintained sustainably to ensure the long-term security and availability of the systems, which includes regular updates, security patches and continuous maintenance.

Beyond technical measures, the BSI insists that legal requirements be met. The security requirements therefore include provisions intended to ensure that database systems comply with the relevant laws and regulations.

Reduce risks, increase security

The overarching goal of the BSI guidelines is to configure and operate database systems securely so as to minimize potential vulnerabilities. This is meant not only to strengthen IT security in the German federal administration but to ensure the secure and reliable operation of database systems in general.

Source: https://www.csoonline.com/article/3841128/bsi-veroffentlicht-neue-sicherheitsanforderungen-fur-datenbanksysteme.html (Security)
What is risk management? Quantifying and mitigating uncertainty
Fri, 07 Mar 2025 06:00:00 +0000

What is risk management?

Risk management is the process of identifying, analyzing, and mitigating uncertainties and threats that can harm your company or organization. No business venture or organizational action can completely avoid risk, of course, and working too hard to do so would mean foregoing potentially lucrative opportunities and strategies. Risk management as a discipline aims to help organizations prepare for the future by quantifying risks to the extent possible and balancing the risks of future actions against potential benefits.

How do organizations structure risk management operations?

Risk management has in some organizations traditionally been multicentric, with different departments or individuals within the org implementing risk management techniques in their work: Risk management is a component of good project management, for instance. IT leaders in particular must be able to integrate risk management philosophies and techniques into their planning, as IT infrastructure and spending can represent within the company an intense combination of risk (of cyberattacks, downtime, or botched rollouts, for instance) and benefits realized as increased capabilities or efficiencies.

Some companies, particularly those in heavily regulated industries such as banking and healthcare, centralize risk in a single department under a top-level chief risk officer (CRO) or similar executive role. A CRO might find themselves with responsibilities that overlap or conflict with those of CSOs, CISOs, and CIOs, and in orgs without a clearly defined risk leader, ambitious infosec or IT execs might try to take on that role for themselves. In any case, IT leaders need to understand and apply risk management in the areas under their purview.

Risk assessment vs. risk analysis vs. risk management

When reading about this topic, you might encounter the term risk assessment, which refers to the process of evaluating a safeguard or countermeasure against potential threats. You might also hear about risk analysis, which involves identifying potential risks your organization faces and analyzing specific vulnerabilities related to those threats. Risk assessment and risk analysis are key elements to the risk management process, which offers a bigger picture on an organization’s total risk, though sometimes you will see the three terms eliding into one another in casual use.

Risk management vs. enterprise risk management

You might also encounter a distinction between risk management (sometimes back-labelled “traditional risk management”) and enterprise risk management. Enterprise risk management (ERM) has tried to move away from some of the risk management practices seen as antiquated; instead of having each organizational silo manage its own risk, centralized ERM teams, often under the umbrella of a CRO or similar exec as part of a larger governance, risk, and compliance strategy, assess and analyze risk in a more holistic way. Under ERM, business risks are quantified to determine which risks are worth taking. This is the risk management philosophy that most organizations aspire to follow today, with varying degrees of success.

Risk management frameworks

Organizations implement these high-minded principles through risk management frameworks: detailed documents that lay out how risk is to be assessed, analyzed, quantified, and mitigated.

ISO 31000, issued by the International Organization for Standardization, is one of the most widely used and comprehensive frameworks — a framework of frameworks, actually, as it relies on other ISO documents to define how risk is managed in specific areas. (ISO 27005 focuses on information security, for instance.)

Some frameworks focus on specific topics, or began that way and expanded to become more general. For instance, the COSO framework grew out of risk management in the world of financial auditing but grew to provide guidance for establishing an overall ERM program.

There are a number of frameworks that have a focus on infosec and IT, including:

  • Factor Analysis of Information Risk (FAIR), an international standard quantitative model for information security and operational risk
  • The Risk Management Framework, a suite of NIST standards and guidelines to support the implementation of risk management programs to meet FISMA requirements
  • COBIT, a broad and comprehensive framework from ISACA focused on IT management and governance.

CSO Online has more details on these and other frameworks.

Risk management process

At the heart of each of these frameworks is a process outlining the steps necessary for an organization to implement a risk management regime at their company. These steps vary from framework to framework, but let’s take a closer look at the risk management process as outlined in ISO 31000, since it’s something of a gold standard. Note that these steps are not a strict sequence; rather, they are iterative activities your organization should pursue regularly.

Communicate and consult. You need to help stakeholders throughout your organization understand the risks associated with their job duties and how those risks inform specific decisions and actions they’ll take. This phase involves communication to help team members understand the nature of risk management generally and consultation to gather information that helps make informed decisions about individual departments.

Define scope, context, and criteria. You should understand each department’s objectives, along with the environment in which the department operates. That way you can define the scope of your risk management activities — that is, where you’re going to apply them within the organization — along with the context in which they take place.

In this phase you’ll also be defining “risk criteria”: essentially, the standards or parameters that you use to evaluate how risky a potential action is.

Assess risks. In this phase, you’ll identify, analyze, and assess risks that could affect each area of your organization. In risk analysis, you not only identify potential risks and the specific vulnerabilities related to them, but also consider their likelihood and potential consequences. In risk assessment, you’ll weigh the results of your analysis against the criteria you’ve established, which can help you determine the best mitigation path.

Treat risks. This is the phase where you choose and then actually implement the steps to address potential risk.

Monitor and analyze. This is where the iteration comes in: You will want to assess your mitigation plans for effectiveness and adjust accordingly. The risk team should be monitoring the results of actions taken, assessing to make sure everything is going to plan, and analyzing where improvements are warranted.

Record and report. The whole risk management process should be documented, both to meet any regulatory reporting requirements and to serve as a basis for future iteration.

Risk appetite and risk tolerance

To make that a little less abstract, let’s consider what happens at the core of the process described above — the steps where you define criteria and then assess and treat risk.

To define risk criteria, you also need to establish your risk appetite (a high-level description of your attitude towards risk) and your risk tolerance (a more quantified description of what you’re willing to risk in specific areas). Consider an example from an information security context:

  • Risk appetite: “We’re not willing to risk significant data breaches, and we’re willing to spend money on security measures to mitigate that risk.”
  • Risk tolerance: “No more than 1% of our systems should have critical vulnerabilities, like unpatched software, at any given time.”
  • Risk criteria: “We scan each system monthly; any unpatched software with a flaw that has a CVSS score higher than 7 must be remediated within 24 hours, and if more than 1% of systems are that vulnerable, the CISO must be alerted.”

More than one quantified risk tolerance statement can emerge from a risk appetite statement, and more than one criterion can be derived from a risk tolerance statement. The risk management process consists of iterating over these sorts of controls as necessary throughout your organization.
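To show how the appetite, tolerance and criteria statements above become something a team can actually run, here is an added Go example (not from the article or from any particular scanner or GRC tool) that evaluates a constructed host inventory against those numbers: an unpatched finding with a CVSS score above 7 counts as critical, a critical finding open longer than 24 hours is overdue, and the CISO is alerted when more than 1% of hosts carry an open critical finding. The Vuln/Host schema, the srv-NNN host names and the CVE-0000-* identifiers are all placeholders invented for the example.

```go
package main

import (
	"fmt"
	"time"
)

// Vuln is one scanner finding on a host. The schema is constructed for this
// example; a real scanner export carries more fields, but these suffice.
type Vuln struct {
	ID        string
	CVSS      float64
	Unpatched bool      // a vendor fix exists but has not been applied
	FirstSeen time.Time // when the scanner first reported the finding
}

// Host is one system in the inventory.
type Host struct {
	Name  string
	Vulns []Vuln
}

// Policy encodes the tolerance and criteria statements: what counts as critical,
// how long it may stay open, and what share of systems may be in that state.
type Policy struct {
	CriticalCVSS   float64       // findings scored above this are critical
	RemediationSLA time.Duration // maximum time a critical finding may stay open
	MaxVulnerable  float64       // tolerated fraction of systems with an open critical finding
}

// examplePolicy mirrors the article's numbers: CVSS above 7, 24 hours, 1 percent.
var examplePolicy = Policy{CriticalCVSS: 7.0, RemediationSLA: 24 * time.Hour, MaxVulnerable: 0.01}

// Report is the outcome of one evaluation run.
type Report struct {
	VulnerableHosts    []string // hosts with at least one open critical finding
	Overdue            []string // host:finding pairs past the remediation SLA
	VulnerableFraction float64
	AlertCISO          bool // tolerance exceeded
}

func (p Policy) isCritical(v Vuln) bool {
	return v.Unpatched && v.CVSS > p.CriticalCVSS
}

// Evaluate applies the policy to the inventory as of now. Findings without an
// available fix are not counted, because the criteria speak of unpatched software.
func Evaluate(hosts []Host, p Policy, now time.Time) Report {
	var r Report
	for _, h := range hosts {
		critical := false
		for _, v := range h.Vulns {
			if !p.isCritical(v) {
				continue
			}
			critical = true
			if now.Sub(v.FirstSeen) > p.RemediationSLA {
				r.Overdue = append(r.Overdue, h.Name+":"+v.ID)
			}
		}
		if critical {
			r.VulnerableHosts = append(r.VulnerableHosts, h.Name)
		}
	}
	if len(hosts) > 0 {
		r.VulnerableFraction = float64(len(r.VulnerableHosts)) / float64(len(hosts))
	}
	r.AlertCISO = r.VulnerableFraction > p.MaxVulnerable
	return r
}

// sampleFleet builds a constructed inventory of n hosts. Every host carries a
// medium finding the criteria ignore; the first k hosts also carry a critical
// unpatched finding, the first of which has been open for two days; the last
// host carries a critical finding with no fix available yet, which is not
// counted. The CVE IDs are placeholders, not real identifiers.
func sampleFleet(n, k int, now time.Time) []Host {
	hosts := make([]Host, 0, n)
	for i := 0; i < n; i++ {
		h := Host{Name: fmt.Sprintf("srv-%03d", i)}
		h.Vulns = append(h.Vulns, Vuln{ID: "CVE-0000-0001", CVSS: 5.5, Unpatched: true, FirstSeen: now.Add(-72 * time.Hour)})
		if i < k {
			age := 2 * time.Hour
			if i == 0 {
				age = 48 * time.Hour // past the 24-hour SLA
			}
			h.Vulns = append(h.Vulns, Vuln{ID: "CVE-0000-0002", CVSS: 9.8, Unpatched: true, FirstSeen: now.Add(-age)})
		}
		if i == n-1 {
			h.Vulns = append(h.Vulns, Vuln{ID: "CVE-0000-0003", CVSS: 9.1, Unpatched: false, FirstSeen: now.Add(-time.Hour)})
		}
		hosts = append(hosts, h)
	}
	return hosts
}

func main() {
	now := time.Now()
	for _, k := range []int{2, 4} {
		r := Evaluate(sampleFleet(300, k, now), examplePolicy, now)
		fmt.Printf("%d/300 hosts critical (%.2f%%), %d overdue, alert CISO: %v\n",
			len(r.VulnerableHosts), 100*r.VulnerableFraction, len(r.Overdue), r.AlertCISO)
	}
}
```

With 2 critical hosts out of 300 the fleet sits at 0.67%, under the 1% tolerance, so no CISO alert fires even though one finding is already past its 24-hour SLA; with 4 critical hosts (1.33%) the tolerance is breached. Keeping the three numbers in a Policy value rather than scattered through the code is the point: when the tolerance statement is renegotiated, only that value changes, and the criteria stay traceable to it.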

Challenges to risk management

Hopefully it’s clear why in theory you might want to implement a risk management program — or centralize current risk management efforts into an ERM program. But some of the challenges to implementing risk management should suggest themselves to you as well:

  • Time and money. Risk management programs aren’t cheap. Organizations need to invest in specialized software tools, but that sort of spending is just the beginning. A bigger issue is that a risk management program will occupy time: work hours by people across the organization, both as the program is ramped up and as risk is assessed on an ongoing basis. Executives may have difficulty seeing the value of such investments.
  • Getting to a consensus on risk. It would be great if you could simply connect a risk-o-meter to your organization’s servers and get a scientifically quantified level of risk. In fact, even the “quantitative” aspects of risk management (like the values we used in our cyber vulnerability example above) can emerge only from consensus among the humans that work at your organization. They may not all agree, especially in cases where taking a more risk-averse stance can make an organization less nimble — or less profitable.
  • Risk can arise outside your organization. As you build a risk management program, it will become clear how much day-to-day risk for any company arises from other organizations you do business with, which you cannot directly control. This is a thorny challenge for any organization; CSO’s Mary K. Pratt has tips for managing third-party risk.

Risk management certification

If your company already has a risk management program that you want to get involved in — or if you want to start one yourself or look for a role in the risk realm — there are certifications that can give you a leg up:

  • CRISC (Certified in Risk and Information Systems Control) is an upper-level IT professional certification focused on enterprise risk management from an information technology perspective.
  • CRMP (Certified Risk Management Professional) allows you to show off your specialized knowledge of risk management topics and ability to manage a risk management program.
  • COSO’s ERM Certificate is for anyone whose work touches on risk management to demonstrate their mastery of the concepts involved.

There are other more specialized certifications with specific focuses such as healthcare, insurance, or financial auditing; Indeed has a comprehensive list that can help you begin your journey.

Source: https://www.csoonline.com/article/3839272/what-is-risk-management-quantifying-and-mitigating-uncertainty.html (IT Governance Frameworks, IT Leadership, Risk Management)
11 ruinous ransomware threats
Fri, 07 Mar 2025 04:00:00 +0000

For companies, ransomware remains an existential threat; for criminals, an ever more lucrative (service) business.

Ransomware continues to advance across industries and evolves constantly, despite isolated law-enforcement successes. This is attributable, among other things, to the following trends:

Apart from that, for every threat actor that disappears from the scene, (at least) two new ones follow. The attackers deploying ransomware now come from different castes of the cybercrime underground: from technically unsophisticated lone actors to professionally organized cybercrime gangs to threat actors operating on behalf of states.

The following eleven (active) ransomware-as-a-service threats are particularly ominous for security leaders and their organizations.

1. Akira

Background: Akira is a sophisticated RaaS operation that first appeared in early 2023.

How it works: To break into corporate IT systems, the cybercrime groups deploying Akira ransomware frequently focus on:

  • authentication weaknesses in VPN appliances,
  • exposed RDP services and
  • compromised credentials.

Targets: Akira is used primarily against small and mid-sized companies in North America, Europe and Australia. According to Palo Alto Networks' Unit 42, manufacturing, professional services, ICT, technology and pharmaceutical companies are the main targets.

Attribution: Some indications point to links to Russia, or to the now-defunct Conti ransomware gang. There is no confirmed information on this so far.

2. Black Basta

Background: The Black Basta ransomware gang first emerged in early 2022 and is considered an offshoot of the notorious Conti gang.

How it works: When Black Basta malware hits a corporate network, it usually enters via:

  • known vulnerabilities or
  • social engineering campaigns.

Targets: According to an analysis by cloud security vendor Qualys, Black Basta mainly targets organizations in the US, with manufacturing, services, retail and the high-tech sector in focus.

Attribution: Some security researchers link Black Basta to the Russia-linked FIN7 group, based on technical parallels in the tooling used to evade endpoint security solutions.

3. BlackLock

Background: According to ReliaQuest, BlackLock (also known as El Dorado) is currently the fastest-growing ransomware operator worldwide. The researchers predict that BlackLock could become the most active ransomware or RaaS group in 2025, even though it only appeared in March 2024.

How it works: The group stands out for developing and deploying proprietary, custom-built malware, aimed in particular at VMware ESXi environments. To deliver their extortion malware, the cybercriminals and their affiliates use, for example:

  • exposed RDP services,
  • social engineering,
  • known vulnerabilities, or
  • stolen credentials.

Targets: BlackLock has already hit numerous companies, mainly in the United States. Real estate, manufacturing and the healthcare sector stand out among the targeted industries.

Attribution: Although BlackLock's members cannot be clearly attributed, there are ties to Russia here too: the RaaS gang recruits customers and partners via the Russian-language underground forum RAMP.

4. Cl0p

Background: Cl0p ransomware has plagued systems since 2019. Cl0p is both a ransomware group and malware sold as a service.

How it works: The Cl0p gang is known for particularly sophisticated tactics and typically exploits zero-day vulnerabilities in its attack campaigns. Affiliates also like to distribute the ransomware via:

  • social engineering and
  • fake websites.

Targets: Cl0p primarily targets large enterprises, mainly in finance, healthcare, manufacturing and the media industry. Its best-known campaign was a 2023 supply-chain attack in which numerous companies worldwide were compromised through a vulnerability in the MOVEit file transfer software.

Attribution: Cl0p ransomware is associated with several, mostly Russian-speaking, cybercrime groups, notably TA505 and FIN11.

5. FunkSec

Background: FunkSec is a new RaaS gang that only entered the cybercrime stage in late 2024 and has nevertheless already carried out numerous attacks.

How it works: Security researchers attribute the high attack frequency largely to the use of AI: the cybercriminals (who also show hacktivist ties) reportedly build their extortion malware with AI assistance.

Targets: FunkSec ransomware has so far mainly hit companies and organizations in the US and India.

Attribution: Check Point researchers found that the trail of FunkSec's leading member leads to Algeria.

6. LockBit

Background: LockBit is one of the pioneers of ransomware-as-a-service and played a major role in shaping the model from 2019 onward. Although the group was supposedly dismantled in early 2024, a comeback is possible; at least individual members appear to remain active.

How it works: LockBit ransomware is notorious for its efficient encryption and the double-extortion tactic that goes with it. It is introduced, for example, via:

  • unpatched vulnerabilities,
  • zero-day exploits or
  • compromised credentials.

Targets: According to the US Department of Justice, LockBit has extorted more than 2,000 companies and organizations across industries and sectors, including Continental, Boeing and the German Energy Agency (dena).

Attribution: In LockBit's case the trail also leads to Russia: Russian national Dmitry Khoroshev was unmasked as LockBit's lead administrator and developer and has been charged and sanctioned by authorities.

7. Lynx

Background: Lynx ransomware first appeared in mid-2024 and is also offered as RaaS. According to Unit 42, large parts of its source code are identical to that of the INC malware. Since INC has been sold in the cybercrime underground since 2024, Lynx could be either a rebranding or an independent fork.

How it works: Lynx is delivered via social engineering, among other routes. Once inside a network, the malware steals and encrypts data and also deletes backup copies.

Targets: The gang claims not to attack government institutions, hospitals or non-profit organizations. Its victims, mainly in the US, include companies from the energy sector.

Attribution:

8. Medusa

Background: The Medusa ransomware-as-a-service operation first appeared in 2023. The group attracts particular attention because it also runs leak sites on the clearnet and communicates via social media platforms such as X and Facebook.

How it works: The ransomware is introduced either through vulnerabilities in publicly exposed assets or via social engineering.

Targets: According to Bitdefender, Medusa is an opportunistic gang not tied to particular industries or geographic regions. Victims so far include European and North American organizations in healthcare, education, manufacturing and retail.

Attribution: Activity on Russian-speaking cybercrime forums suggests that Medusa's leading members may come from Russia or its Eastern European neighbors.

9. Play

Background: Play ransomware has threatened companies and institutions since June 2022 and has also been available as RaaS since late 2023.

How it works: According to SentinelOne, Play threat actors target their victims mainly through vulnerabilities, for example in:

  • exposed RDP services or
  • devices running Fortinet's FortiOS.

Targets: The Play gang primarily targets large enterprises and operates across industries. Victims so far include organizations in healthcare, ICT, finance and the public sector.

Attribution: According to Unit 42, Play has links to North Korean APT groups: the researchers observed, for instance, the North Korean group APT45 deploying Play ransomware.

10. Qilin

Background: The ransomware-as-a-service operation Qilin is also known as Agenda and has been active since mid-2022.

How it works: The Qilin ransomware primarily targets Windows and Linux systems. The malware usually enters corporate networks via:

  • legitimate (stolen or purchased) credentials and
  • social engineering attacks.

Targets: Qilin attacks companies in the US and Europe in particular, with the exception of the CIS states. Industrial and service companies are its main focus.

Attribution: Qilin's members remain unknown, but based on relevant forum posts security experts assume that there are at least connections to Russia.

11. RansomHub

Background: RansomHub was first observed in February 2024 and has since grown into one of the largest new ransomware threats. That may partly be because the group (which also runs a RaaS model) has reportedly recruited members of other cybercrime gangs, including LockBit and BlackCat.

How it works: The cybercriminals usually gain initial access to systems through:

  • spear phishing,
  • known vulnerabilities or
  • password spraying.

Targets: RansomHub has already been linked to more than 200 attacks on companies and organizations across a range of sectors, including government agencies and critical infrastructure (KRITIS) operators in the US and Europe.

Attribution: The evidence points to an organized, Russian-speaking cybercrime operation with ties to other established ransomware actors. (fm)


https://www.csoonline.com/article/3840232/11-ruinose-ransomware-bedrohungen.html (Topics: Cybercrime, Ransomware)
Chinese APT Silk Typhoon exploits IT supply chain weaknesses for initial access Thu, 06 Mar 2025 21:56:40 +0000

A China-aligned threat group tracked by Microsoft as Silk Typhoon, two members of which were recently charged by US authorities, has shifted its focus to the enterprise IT supply chain, compromising cloud IT services and software providers and then moving downstream to their customers, according to a report from Microsoft.

Silk Typhoon, known for exploiting zero-day vulnerabilities in network-edge devices, is highly proficient in performing lateral movement between cloud and on-premises environments.

“In particular, Silk Typhoon was observed abusing stolen API keys and credentials associated with privilege access management (PAM), cloud app providers, and cloud data management companies, allowing the threat actor to access these companies’ downstream customer environments,” Microsoft researchers warned.

On March 5, US authorities charged 12 Chinese nationals with attacking US-based critics and dissidents of China, a large religious organization in the US, foreign ministries of multiple governments in Asia, and US federal and state government agencies, including the Treasury Department in late 2024.

The Justice Department (DOJ) and the FBI also announced the seizure of internet domains linked to Silk Typhoon, which is also known as APT27.

Silk Typhoon has attacked a wide array of targets

The group actively targets IT services and infrastructure providers, remote monitoring and management (RMM) companies, managed service providers (MSPs) and their affiliates, healthcare organizations, legal services firms and other companies that might have been given access to systems and networks of their clients. This opens the door to supply chain compromises through the abuse of privileged access.

In one such incident, Silk Typhoon used stolen API keys to access devices from an organization’s downstream customers and tenants through an admin account. Using the access provided by the stolen API keys, the attackers reset the default admin account, created additional users, deployed web shells, and deleted log entries to hide their tracks.

The downstream victims were primarily from the state and local government, as well as the IT sector, and the information stolen from their systems was related to US government policy and administration, law enforcement investigations and other legal processes.

“Silk Typhoon has shown proficiency in understanding how cloud environments are deployed and configured, allowing them to successfully move laterally, maintain persistence, and exfiltrate data quickly within victim environments,” the researchers said.

Two-way lateral movement

Besides abusing cloud assets and third-party service and software providers to reach local networks, the Silk Typhoon attackers are also adept at jumping from on-premises environments into the cloud. The group regularly targets Microsoft AADConnect (now Entra Connect) servers, which synchronize on-premises Active Directory deployments with Azure AD (now called Entra ID).

Once inside a local network, the attackers try to dump credentials from Active Directory, search for passwords in key vaults and escalate their privileges to admin.

In addition to targeting IT providers, identity management providers and RMM solutions for initial access, Silk Typhoon has a history of developing zero-day exploits. In 2021, the group compromised hundreds of Microsoft Exchange servers belonging to private organizations and government agencies through zero-day exploits, prompting the FBI to obtain a court order that allowed the agency to remotely remove the deployed web shells from private servers, a move that was seen as unprecedented.

Silk Typhoon also targets compromised credentials

Since then, the group has specialized in zero-day exploits for network-edge devices, exploiting vulnerabilities in GlobalProtect Gateway on Palo Alto Networks firewalls (CVE-2024-3400), Citrix NetScaler appliances (CVE-2023-3519) and Ivanti Pulse Connect Secure appliances (CVE-2025-0282).

Compromised credentials are also a big part of the group's initial access efforts. They come from password spray attacks, from active collection inside compromised networks and systems, and from reconnaissance that scans public GitHub repositories for leaked corporate credentials and passwords. Credentials are not always needed, however, if there are privileged and pre-authenticated applications that can be abused to access information.

“While analyzing post-compromise tradecraft, Microsoft identified Silk Typhoon abusing service principals and OAuth applications with administrative permissions to perform email, OneDrive, and SharePoint data exfiltration via MSGraph,” the researchers said. “Throughout their use of this technique, Silk Typhoon has been observed gaining access to an application that was already consented within the tenant to harvest email data and adding their own passwords to the application.”

Defending against Silk Typhoon’s methods

Organizations should keep all of their internet-facing servers, appliances and other devices up to date. Where a zero-day vulnerability has been exploited, forensic analysis should be performed and every post-compromise activity the threat actor might have carried out, including lateral movement, should be investigated. After patching, any active or persistent sessions of logged-in or remote users should be terminated and their credentials reset.

Microsoft said that legitimate application and service principals — service accounts — should be subject to strong controls and monitoring. These include:

  • Audit the current privilege level of all identities, users, service principals, and Microsoft Graph Data Connect applications (use the Microsoft Graph Data Connect authorization portal) to understand which identities are highly privileged. Scrutinize privileges more closely if they belong to an unknown identity, belong to identities that are no longer in use, or are not fit for purpose.
  • Identify abused OAuth apps using anomaly detection policies. Detect abused OAuth apps that make sensitive Exchange Online administrative activities through App governance. Investigate and remediate any risky OAuth apps.
  • Review any applications that hold EWS.AccessAsUser.All and EWS.full_access_as_app permissions and understand whether they are still required in the tenant.
  • Applications that are no longer required should be removed. If apps must access mailboxes, granular and scalable access can be implemented using role-based access control for applications in Exchange Online. That access model ensures applications are granted access only to the specific mailboxes they require.

Sign-ins from unusual locations should also be flagged, access should follow the principle of least privilege, and VPN access should use modern authentication methods. On-premises service accounts should not hold direct permissions on cloud resources, to limit lateral movement, and conditional access policies should be implemented. The Microsoft report contains additional recommendations as well as Microsoft Sentinel queries for hunting Silk Typhoon-related activity.
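To make the audit steps above concrete, here is an added Python example (not from the Microsoft report and not Microsoft's own tooling) that runs the same three checks offline over a constructed snapshot of service principals and directory audit events: which apps hold high-impact application permissions such as full_access_as_app, which of those have not signed in recently and are candidates for removal, and which had a secret or certificate added in the last 30 days, the tradecraft quoted above. The permissions beyond the two the article names, the audit operation names and the sample tenant data are assumptions; in a real tenant the inputs would come from Microsoft Graph (servicePrincipals, appRoleAssignments, directoryAudits), which this example does not call.

```python
"""Offline hunt for the service-principal abuse described above.

Input is a constructed snapshot of Entra ID service principals and a few
constructed directory audit events, shaped loosely like Microsoft Graph
output. None of it is real tenant telemetry.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set, Tuple

# Application permissions giving an app tenant-wide reach into mail, files or
# the directory. full_access_as_app and EWS.AccessAsUser.All are the two the
# article names; the Graph scopes are an assumption of comparable impact.
HIGH_IMPACT_PERMISSIONS: Set[str] = {
    "full_access_as_app", "EWS.AccessAsUser.All",
    "Mail.Read", "Mail.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All",
    "Sites.Read.All", "Sites.ReadWrite.All",
    "Directory.ReadWrite.All",
}

# Audit activityDisplayName values that record a secret or certificate being
# attached to an app registration or service principal (assumed spelling;
# verify against your own tenant's audit log before relying on them).
CREDENTIAL_ADD_OPERATIONS: Set[str] = {
    "Update application – Certificates and secrets management",
    "Add service principal credentials",
}

@dataclass
class ServicePrincipal:
    app_id: str
    display_name: str
    app_permissions: Set[str]
    last_sign_in: Optional[datetime]   # None = no sign-in ever recorded

@dataclass
class AuditEvent:
    when: datetime
    operation: str
    target_app_id: str
    initiated_by: str

def privileged_apps(sps: List[ServicePrincipal]) -> List[Tuple[ServicePrincipal, List[str]]]:
    """Apps holding at least one high-impact application permission."""
    found = []
    for sp in sps:
        hits = sorted(sp.app_permissions & HIGH_IMPACT_PERMISSIONS)
        if hits:
            found.append((sp, hits))
    return found

def stale_privileged_apps(sps: List[ServicePrincipal], now: datetime,
                          max_idle: timedelta = timedelta(days=90)) -> List[ServicePrincipal]:
    """Privileged apps with no recent sign-in: remove them or re-justify them."""
    return [sp for sp, _ in privileged_apps(sps)
            if sp.last_sign_in is None or now - sp.last_sign_in > max_idle]

def new_credentials_on_privileged_apps(events: List[AuditEvent], sps: List[ServicePrincipal],
                                       now: datetime, window: timedelta = timedelta(days=30)) -> List[AuditEvent]:
    """Credential additions to privileged apps inside the look-back window.

    A secret quietly added to an already-consented, high-privilege app is the
    tradecraft quoted above, so every hit here deserves an investigation ticket.
    """
    watched = {sp.app_id for sp, _ in privileged_apps(sps)}
    return [e for e in events
            if e.operation in CREDENTIAL_ADD_OPERATIONS
            and e.target_app_id in watched
            and timedelta(0) <= now - e.when <= window]

# Constructed sample data for a hypothetical tenant (contoso.example).
NOW = datetime(2025, 3, 6, 12, 0, tzinfo=timezone.utc)
SAMPLE_SPS = [
    ServicePrincipal("app-hr-mail", "HR Mail Connector", {"Mail.Read"}, NOW - timedelta(days=2)),
    ServicePrincipal("app-legacy-backup", "Legacy Mailbox Backup", {"full_access_as_app"}, NOW - timedelta(days=200)),
    ServicePrincipal("app-intranet", "Intranet Widget", {"User.Read"}, NOW - timedelta(hours=3)),
    ServicePrincipal("app-migration", "Tenant Migration Tool", {"Files.ReadWrite.All", "Sites.ReadWrite.All"}, None),
]
SAMPLE_EVENTS = [
    AuditEvent(NOW - timedelta(days=3), "Update application – Certificates and secrets management",
               "app-legacy-backup", "svc-helpdesk@contoso.example"),
    AuditEvent(NOW - timedelta(days=45), "Update application – Certificates and secrets management",
               "app-hr-mail", "it-admin@contoso.example"),     # outside the 30-day window
    AuditEvent(NOW - timedelta(days=1), "Update application – Certificates and secrets management",
               "app-intranet", "dev@contoso.example"),         # app holds no high-impact permission
    AuditEvent(NOW - timedelta(days=2), "Add service principal credentials",
               "app-migration", "svc-helpdesk@contoso.example"),
]

def run_hunt(sps=SAMPLE_SPS, events=SAMPLE_EVENTS, now=NOW) -> dict:
    """Return app IDs per finding so the result can feed a ticketing step."""
    return {
        "privileged": [sp.app_id for sp, _ in privileged_apps(sps)],
        "stale": [sp.app_id for sp in stale_privileged_apps(sps, now)],
        "new_credentials": [(e.target_app_id, e.initiated_by)
                            for e in new_credentials_on_privileged_apps(events, sps, now)],
    }

if __name__ == "__main__":
    for finding, items in run_hunt().items():
        print(f"{finding}: {items}")
```

Running the script prints one line per finding. The stale and new-credential lists are the ones to act on first: they map directly onto Microsoft's advice to remove apps that are no longer needed and to watch for credentials being added to apps that were already consented in the tenant.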

https://www.csoonline.com/article/3840546/chinese-apt-silk-typhoon-exploits-it-supply-chain-weaknesses-for-initial-access.html (Topics: Advanced Persistent Threats, Government, Hacker Groups, Hacking)
Hackerangriff auf Stadtwerke Schwerte Thu, 06 Mar 2025 14:30:38 +0000
Due to a cyberattack on Stadtwerke Schwerte, some services of the city administration are currently unavailable.

According to its own statement, the network of Stadtwerke Schwerte, the municipal utility of Schwerte, was hit by a cyberattack. According to a report by the regional newspaper Ruhr Nachrichten, the city administration is affected as well.

In the course of the attack, the city reportedly saw itself compelled to "take comprehensive security precautions" and to cut its digital connection to the utility. The connection to the municipal IT service provider Südwestfalen IT has also been severed.

Citizen services restricted

According to the report, all of the city's digital services are therefore currently unavailable, including application procedures for certificates of good conduct and passports. The town hall and municipal offices also cannot be reached by e-mail.

How long the disruptions will last is still unclear. "Together with external service providers, we are working on resolving the problem as quickly as possible. As things stand, supply services are not affected," the utility assures. The same applies to the websites of the companies in the Stadtwerke group.

No further information about the attack is available yet. Investigations are apparently still ongoing. According to Stadtwerke Schwerte, the responsible authorities have already been informed of the incident.

The case brings back memories. In 2023, a ransomware attack on Südwestfalen IT paralyzed many administrative services across North Rhine-Westphalia for several weeks. In total, the crisis mode lasted several months.

https://www.csoonline.com/article/3840258/hackerangriff-auf-stadtwerke-schwerte.html (Topics: Cyberattacks)
US charges 12 Chinese hackers in major government-backed espionage campaign Thu, 06 Mar 2025 12:17:30 +0000

US authorities have announced criminal charges against 12 Chinese nationals allegedly involved in a long-running cyber-espionage campaign tied to China’s government.

The Justice Department (DOJ) and the FBI also announced the seizure of internet domains linked to the Silk Typhoon hacking group, which is accused of breaching US government agencies and high-profile organizations.

“These malicious cyber actors, acting as freelancers or as employees of i-Soon, conducted computer intrusions at the direction of the PRC’s (People’s Republic of China) Ministry of Public Security (MPS) and Ministry of State Security (MSS) and on their own initiative,” the DOJ said in a statement.

China’s hacker-for-hire industry

According to court documents, among those charged are two officers from China’s Ministry of Public Security (MPS), while the remaining ten worked for Anxun Information Technology, commonly known as i-Soon, a private firm allegedly connected to China’s APT27 hacking group, also called Silk Typhoon.

The hackers reportedly operated both as company employees and as freelancers, conducting attacks at the direction of China’s MPS and MSS while being “motivated by profit,” according to prosecutors.

“Each of these defendants played a critical role in the PRC government hacker-for-hire ecosystem, which by any measure, has gotten out of control,” the DOJ statement added.

The indictments name Wu Haibo, i-Soon’s chief executive officer; Chen Cheng, its chief operating officer; and sales director Wang Zhe, along with multiple technical staff members. Also charged were Wang Liyu and Sheng Jing, identified as MPS officers directly involved in the operation.

Lucrative cyber mercenary operation

The financial scope of the operation was substantial, with i-Soon reportedly charging Chinese government ministries between $10,000 and $75,000 per compromised email inbox, plus additional fees for analyzing stolen data, the DOJ statement added.

This scheme generated millions for both the company and individual hackers. Notably, Silk Typhoon is the same group responsible for the 2021 Microsoft Exchange Server zero-day exploits that targeted Western intelligence and defense agencies. At that time, Microsoft tracked the group under the name Hafnium.

The scale and sophistication of the operations indicate a well-established infrastructure with significant resources, suggesting years of development and refinement of hacking techniques specifically designed to evade detection by US cybersecurity systems.

Extensive victim profile

The indictments describe a wide-ranging campaign affecting numerous high-value American targets, including a technology and defense contractor serving the Department of Defense, Department of Homeland Security, and intelligence agencies; a major US law firm; a managed communications provider of Microsoft Exchange email services; a county government; a university healthcare system operating multiple hospitals; and a defense policy think tank.

The breadth of targets demonstrates the strategic nature of the campaign, targeting not only government entities but also the broader ecosystem of organizations that support critical national infrastructure and security operations. This approach allows the hackers to acquire sensitive information through various entry points in the supply chain.

Two previously indicted individuals, Yin KeCheng and Zhou Shuai, were specifically named in a seizure warrant as having “facilitated and profited from some of the most significant Chinese-based computer network exploitation schemes against US victims.” Their activities reportedly date back to 2013, indicating a persistent and long-term espionage effort.

Domain seizures and bounties

In addition to the indictments, authorities announced court-authorized seizures of i-Soon internet domains linked to December 2024 Treasury Department network intrusions and other breaches. These domains served as command and control infrastructure for the hacking operations.

The State Department has offered bounties of up to $2 million for information leading to the arrest or conviction of two key alleged Silk Typhoon members, though officials acknowledged the limited likelihood of China allowing any arrests.

This move represents an escalation in US response tactics, combining law enforcement actions with financial incentives to disrupt the hacking operations and potentially create internal discord within the hacking groups.

Implications for enterprise security

For enterprise security teams, the indictments reveal critical insights into the operational methods of state-sponsored threat actors. The use of private contractors and the establishment of financial incentives for data theft demonstrate the commercialization of cyberespionage, creating new challenges for defensive strategies.

Organizations should reevaluate their security postures in light of these revelations, with particular attention to potential compromise of email systems, which appear to be highly valued targets. The involvement of managed service providers in the victim list also highlights the importance of supply chain security and vendor risk management.

The revelations about specific pricing for compromised email inboxes provide unprecedented visibility into the economics driving these attacks and may help organizations better prioritize their defensive investments based on adversary incentives.

https://www.csoonline.com/article/3840168/us-charges-12-chinese-hackers-in-major-government-backed-espionage-campaign.html (Topics: Cybercrime, Security)
Badbox Android botnet disrupted through coordinated threat hunting Thu, 06 Mar 2025 11:37:20 +0000

Badbox, the notorious Android malware botnet, has been disrupted for a third time in 15 months, with over half a million infected devices now sinkholed.

A coordinated effort led by the bot detection and mitigation platform Human Security is expected to cripple the rapidly expanded cybercrime operation, which has compromised over one million Android devices worldwide.

“Human’s Satori Threat Intelligence and Research team recently uncovered and — in collaboration with Google, Trend Micro, Shadowserver, and other partners — partially disrupted a complex and expansive fraud operation dubbed ‘Badbox 2.0’,” Human researchers said in a blog post.

The Badbox botnet operation distributes malware through compromised consumer electronics, primarily Android-based TV boxes.

Operation grew multifold since the earlier busts

Satori researchers observed the evolution of the Badbox operation into Badbox 2.0, confirming that disruption was merely a temporary setback for the threat actors. Following the first disclosure in 2023, the C2 servers powering Badbox were shut down, and infected devices were removed from major marketplaces.

However, the attackers quickly adapted, making minor tweaks to evade detection, and the operation apparently survived a second major takedown by German authorities in December 2024.

“The BADBOX 2.0 scheme is bigger and far worse than what we saw in 2023 in terms of the uptick in types of devices targeted, the number of devices infected, the different types of fraud conducted, and the complexity of the scheme,” Gavin Reid, CISO of Human, said in a press statement. “This operation embodies the interconnected nature of modern cyberattacks and how threat actors target the customer journey and demonstrates why businesses require full-spectrum protection from the impacts of digital fraud and abuse.”

The investigation revealed deceptive tactics used by the attackers, including a fake version of Saletracker, a module originally designed for sales monitoring by a Chinese device manufacturer. The attackers disguised their Triada-based backdoor under this fake module, using it as a cover for controlling infected devices.

Additionally, the threat actors established a series of domains to host new C2 servers. By spring of 2024, Satori researchers identified new test versions of backdoors linked to these C2 servers.

“Satori identified more than 1 million devices that were infected in Badbox 2.0, up from the 74,000 in the original Badbox scheme,“ Human added.

Badbox 2.0 operates multiple frauds

Badbox 2.0 infiltrates low-cost consumer devices with backdoors, allowing threat actors to remotely deploy fraud modules.

Once activated, these devices connect to actor-controlled C2 servers and can carry out multiple kinds of attack, including programmatic ad fraud, click fraud and residential proxy services, which in turn facilitate account takeover, fake account creation, DDoS, malware distribution and one-time-password (OTP) theft.

“Badbox 2.0 threat actors also operated over 200 re-bundled and infected versions of popular apps listed on third-party marketplaces and served as an alternative backdoor delivery system,“ researchers added. Of these, the team identified 24 “evil twin” apps with corresponding “decoy twin” apps on the Play Store, through which ad fraud is conducted.

Human collaborated with Google to take these apps off Google Play. “We appreciate collaborating with Human to take action against the Badbox operation and protect consumers from fraud,” Shailesh Saini, Director of Android Security & Privacy Engineering & Assurance at Google, said in a press statement. “The infected devices are Android Open Source Project devices, not Android TV OS devices or Play Protect certified Android devices.”

Users should ensure Google Play Protect, Android’s malware protection that is switched on by default on devices with Google Play Services, is enabled, Saini added. Human Security, in collaboration with the internet security group Shadowserver Foundation, sinkholed multiple Badbox 2.0 domains, disrupting communication between over 500,000 infected devices and the botnet’s C2 servers.

https://www.csoonline.com/article/3840157/badbox-android-botnet-disrupted-through-coordinated-threat-hunting.html (Topics: Android Security, Security)
Access Management Systems sind offene Türen für Hacker Thu, 06 Mar 2025 08:50:00 +0000
If hackers capture biometric credentials, they can cause considerable damage.

Misconfigured access management systems (AMS) endanger companies worldwide. After all, these systems hold sensitive employee data which, should it fall into the wrong hands, can open the door for hackers to corporate data troves.

According to an investigation by the cybersecurity solutions provider Modat, the sectors most affected are

  • healthcare,
  • educational institutions,
  • manufacturing and
  • government agencies.

Biometric data at risk

Attackers could, for example, manipulate login data to bypass security systems. This would entail considerable risks for data protection, finances and regulatory compliance.

According to Modat, hundreds of thousands of sensitive records have already been exposed, including biometric information, identification data and photos. In some cases, these weaknesses could allow unauthorized persons to bypass physical security measures and gain access to restricted facilities.

AMS are essential for security but often have weaknesses, the security experts write. Their network connectivity in particular opens up a wide range of attack vectors to hackers. According to the report, these security gaps occur especially in Europe, the US and the MENA region (Middle East and North Africa).

Europe as a hotspot for exposed access control systems

The investigation shows a high concentration of exposed access control systems in Europe. Italy stands out negatively with 16,678 vulnerable systems. Other regions also have many thousands of flawed installations, for example Mexico (5,940) and Vietnam (5,035). Despite strict data protection laws, European countries are particularly affected; among others, Modat reported 1,151 unprotected systems for Spain.

Modat's investigations, based on data from its own Magnify platform, have shown that many access control systems sit unprotected on the internet with serious security flaws. According to the experts, this is mainly due to misconfigurations, outdated protocols and a lack of monitoring.

The consequences can be serious in many respects. With sensitive employee information at risk, data protection violations loom, which can result in fines. Using compromised and stolen identities, hackers could also gain access to sensitive company data. The possible consequences: ransomware attacks, data theft and industrial espionage.

Tips for securing AMS

Modat has informed the affected organizations of the weaknesses and recommended measures to fix them. These include disconnecting the AMS from the internet and enforcing strict access controls and regular security updates. The report warns that the integration of IT and OT has enlarged the attack surface. Without strict security measures, the experts say, affected companies risk financial damage as well as the physical safety of their staff and their entire infrastructure.

Proactive approach to cybersecurity recommended

Overall, the cybersecurity experts advise companies to take a proactive approach with

  • strict network segmentation,
  • encryption of sensitive data and
  • regular security audits.

Modat further recommends changing default credentials immediately, restricting access permissions as a matter of principle and monitoring them continuously. This, it says, prevents unauthorized access and ensures the security of data and facilities.

https://www.csoonline.com/article/3839864/access-management-systems-sind-offene-turen-fur-hacker.html (Topics: Access Control, Identity and Access Management, Security)
60% of cybersecurity pros looking to change employers Thu, 06 Mar 2025 07:30:00 +0000

Cybersecurity worker job satisfaction is mediocre with many staff actively considering a change.

Only a third of respondents to the annual Cybersecurity Staff Compensation Benchmark Report by IANS Research and Artico Search are likely to recommend their employer. More than 60% are contemplating switching jobs within the next 12 months.

Among those considering a change, dissatisfaction with career progression emerged as a key issue, while work-life balance is less of a concern. Dissatisfaction with career progression is highest among senior professionals, with 53% of cybersecurity functional leaders eyeing the exit.

The study is based on responses from more than 500 cybersecurity staff across a range of industries and company types in the US and Canada.

Security architects and engineers continue to earn top-tier salaries, with average annual cash compensation of $206,000 and $191,000, respectively. Midlevel security analysts with about five years’ experience earn on average $133,000 annually.

Cybersecurity professionals with deep expertise in cloud security, application security, and threat intelligence earn significantly more than their peers, according to the report.

Career development

Independent HR and tech recruitment specialists told CSO that the survey’s findings align with their perspectives on the evolving cybersecurity jobs market.

“Poorly structured career development plans by organizations increase the risk of higher turnover, especially among senior employees who place significant value on upward mobility,” said Dr. John Blythe, director of cyber psychology at Immersive.

The expanding cybersecurity job market, particularly the demand for senior security managers, further facilitates job switching, Dr. Blythe said.

“The cybersecurity sector is full of naturally curious people; therefore, some individuals will prioritize skill variety and new experiences over stability,” he noted.

Andy Wadsworth, director at The Bridge, Morson’s specialist IT recruitment business, said that cybersecurity job seekers want to see a “clear leadership strategy” and to work on “exciting, innovative cyber technology projects, including AI systems.”

“Professionals working in the cyber sector are keen to be involved in developing cyber strategies, and this is true even of junior candidates, who are often just as eager to be involved in the planning stages for cybersecurity projects,” Wadsworth said.

Wadsworth added that candidates are prioritizing employers that are prepared to invest in workers by allowing them to attend conferences alongside access to external training and development courses.

Career growth key to staff satisfaction

High salaries alone are no guarantee that organizations will lower their staff turnover rate.

“Despite earning top salaries, security architects and engineers still engage in job switching,” Dr. Blythe told CSO. “Other factors, such as recognition, career growth, autonomy, and meaningful work, are equally crucial to overall satisfaction.”

Dr. Blythe added: “Employees who feel undervalued may experience reduced morale and productivity, eventually leading to higher attrition. It is critical that organizations establish structured career pathways, continuous upskilling opportunities, regular feedback mechanisms, and improved recognition programs to foster motivation and long-term commitment.”

Cybersecurity staff increasingly prefer hybrid or remote work

Many organizations are revisiting work-from-home policies, but cybersecurity professionals overwhelmingly prefer remote or hybrid arrangements, according to IANS’s research. Currently, 52% work remotely and 43% are in hybrid setups, with 59% expressing a strong preference for fully remote work.

Forcing a shift back to the office in this talent-scarce field risks disengagement, increased turnover, and recruitment difficulties, IANS and Artico Search warn.

The Bridge’s Wadsworth warned that businesses that require staff to work from the office all or most of the time reduce their catchment area for talent that’s already in short supply.

“Talented cybersecurity professionals are difficult to find, and targeting talent within commutable reach of the office reduces the talent pool,” Wadsworth told CSO, adding that offering remote working allows employers to still obtain good candidates with a reduced salary package.

Most candidates are accepting more time in the office as a normal expectation again and hybrid working can offer the best of both worlds.

“Despite the obvious advantages of working from home, most professionals appreciate the positive benefits of working in the office, where they can engage with colleagues face-to-face and collaborate effectively as a team,” Wadsworth said. “There are definitely fewer cybersecurity professionals working fully remotely these days, and hybrid is typical.”

Michael Goldberg, VP of strategic partnerships at Harvey Nash USA, said that demand for cybersecurity skills continues to rise while cybersecurity staff are looking for flexible working arrangements.

“Career growth remains a key factor in overall job satisfaction, but more broadly technologists are looking for flexible working arrangements,” according to Goldberg.

Goldberg concluded: “To attract highly sought after cyber talent, companies must go beyond competitive pay — clear career growth and flexible work is now essential. With AI advancing, organizations must balance security, privacy, and innovation without stifling progress.”

https://www.csoonline.com/article/3839266/60-of-cybersecurity-pros-looking-to-change-employers.html (Topics: Careers, IT Leadership)
The risks of standing down: Why halting US cyber ops against Russia erodes deterrence Thu, 06 Mar 2025 06:00:00 +0000

The recent order directing US Cyber Command to halt all planning of offensive cyber operations against Russia is more than a tactical shift — it is an outright retreat from deterrence at a time when Russian cyber aggression shows no signs of slowing.

In an era where cyber conflict is constant and adversaries push boundaries wherever they sense weakness, this decision signals to Russian hackers, intelligence services, and affiliated criminal groups that the US is no longer actively contesting their operations.

Cyber deterrence is not theoretical; it is a tangible outcome of the threat, both real and perceived, of American cyber power. It is what prevents Russian ransomware gangs from paralyzing US infrastructure with impunity and what stops state-sponsored hackers from breaching energy grids or election systems.

By stepping back from active cyber planning against Russia, the US risks giving adversaries exactly what they want: fewer obstacles, less pressure, and more freedom to escalate their cyber operations. The loss of that federal pressure also means something new for Western private industry: breathing space in which Russia can more fully evolve its interference toolkit.

Cyber deterrence plays a practical role in defense

For years, US Cyber Command has relied on persistent engagement to keep adversaries off balance. This strategy does not simply wait for cyberattacks to happen; it actively works to degrade adversarial capabilities before they can strike. Since 2018, this is what deterrence has looked like in cyberspace: not a Cold War-style standoff but a continuous effort to make cyber operations against the US harder, costlier, and less effective.

Recent history shows how this approach works. In 2018, US cyber forces took direct action against Russia’s Internet Research Agency, disrupting its disinformation operations during the midterm elections. In 2020, Cyber Command and private-sector partners dismantled the TrickBot botnet, a key enabler of Russian ransomware and espionage campaigns.

Similarly, the campaign against the Russian ransomware group REvil in 2021 significantly reduced the group’s ability to launch disruptive attacks on US businesses. Each of these actions imposed real costs on Russian cyber actors, forcing them to rebuild infrastructure, rethink strategies, and hesitate before launching new operations. Ongoing operations in Ukraine by US and aligned hunt-forward teams extend this effect.

Halting offensive planning removes this critical pressure. It gives Russian cyber units and affiliated criminals breathing room they have not had in years, allowing them to refine techniques, develop new attack vectors, and prepare more aggressive campaigns. This is not speculation; it is how adversaries operate. Cyber campaigns are iterative, and when defenses weaken, attacks increase.

How Russia will exploit US inaction

Moscow has never viewed cyberspace as a domain of restraint in the way multiple US administrations have. It has consistently used cyber operations to disrupt elections, cripple infrastructure, steal sensitive data, and wage influence campaigns designed to destabilize Western institutions for more than four decades. In this moment, where the US is showing every sign of easing its cyber pushback against such activities, we should expect an acceleration of three key threat areas.

Firstly, we will almost certainly see increased critical infrastructure targeting. Russia has repeatedly demonstrated a willingness to sabotage power grids, industrial systems, and supply chains. A decade ago in Ukraine, Russian hackers shut down electricity for hundreds of thousands through targeted cyberattacks.

The US has thus far avoided a similar large-scale attack, but if Russian cyber operatives believe they no longer face offensive retaliation, they may be emboldened to escalate their probing of US energy, water, and transportation systems to mirror recent actions linked to actors like China’s Volt Typhoon.

Secondly, we should expect escalatory Russian ransomware and other criminal activity. Russian ransomware groups have always functioned as de facto cyber mercenaries, generating billions in illicit profits while undermining Western businesses and public services in ways that align with Moscow’s political interests.

Groups like LockBit and Conti have been temporarily weakened by law enforcement crackdowns and Cyber Command’s efforts, but with the US pulling back, we must expect these actors to reorganize and intensify attacks. Schools, hospitals, and corporations could once again find themselves at the mercy of ransomware operators who no longer fear US disruption efforts.

Finally, it seems certain that the next few years will be characterized by expanding cyber-economic and influence warfare operations. If US Cyber Command is not planning countermeasures against Russian state-sponsored cyber campaigns, Russia’s intelligence agencies will take full advantage. Increases in supply-chain attacks, phishing campaigns against government and corporate networks, and covert data exfiltration from technology and defense sectors seem inevitable.

Likewise, the online disinformation apparatus that has long targeted US elections may become more aggressive in the absence of active counter-operations and the ascendance of President Trump’s disruptive narrative politicking.

In short, Russian cyber actors always test the limits of what they can get away with. But, by removing offensive cyber planning from the equation, the US forfeits the opportunity to shape adversary behavior and thus actively invites escalation and threat evolution.

Private-sector leadership: Is alternative deterrence possible?

If the present US government won’t lead in cyber deterrence, the private sector must obviously take up the mantle. Security executives, CISOs, and industry leaders must assume that Russian cyber actors will grow more aggressive — not to mention willing to experiment — in the coming months and prepare accordingly.

While private companies do not have the authority to launch offensive cyber operations, they can still implement alternative deterrence mechanisms that raise the cost of cyber aggression and reduce the rewards for attackers.

At the higher end, large enterprises should expand active cyber defense strategies, including deception technologies, adversary engagement tools, and more aggressive intelligence sharing. Deploying cyber deception tactics (honey tokens, canary files, decoy systems and the like) forces adversaries to expend greater resources on reconnaissance and increases their risk of exposure and failure. By embedding deceptive elements within networks, companies can slow down Russian hackers, confuse their tactics, and create uncertainty about which targets are real.
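The honey-token part of this is simple enough to show concretely. The following Python is an added example, not code from the article or from any deception vendor: it mints decoy access-key identifiers whose last eight characters are an HMAC tag over a random nonce, so a detector that knows the secret can confirm that a key id seen in a log is one of our decoys without a database lookup, and it scans constructed log lines for any use of them. The AKIA prefix and 20-character length imitate the shape of AWS access key ids only so the decoy looks worth stealing; the log line format, the secret and the planting registry are assumptions.

```python
"""Honeytoken minting and detection (added example; nothing here is real
credential material). A honeytoken is a credential that has no legitimate
user, so any attempt to use it is a high-confidence sign that whoever found
it is an intruder. The key ids mimic the AWS AKIA... shape purely so the
decoy looks worth stealing."""
import base64
import hashlib
import hmac
import os
import re
from typing import Optional

KEY_RE = re.compile(r"\bAKIA[A-Z0-9]{16}\b")
IP_RE = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b")   # assumed log field


def _tag(secret: bytes, nonce_part: str) -> str:
    """8 base32 chars of HMAC-SHA256(secret, nonce): proves a key id is ours."""
    digest = hmac.new(secret, nonce_part.encode(), hashlib.sha256).digest()
    return base64.b32encode(digest).decode()[:8]


def mint_honeytoken(secret: bytes, nonce: Optional[bytes] = None) -> str:
    """Return 'AKIA' + 8-char nonce + 8-char tag (20 chars like a real key id).
    5 random bytes encode to exactly 8 base32 characters with no padding."""
    nonce = os.urandom(5) if nonce is None else nonce
    nonce_part = base64.b32encode(nonce).decode()
    return "AKIA" + nonce_part + _tag(secret, nonce_part)


def is_honeytoken(secret: bytes, key_id: str) -> bool:
    """Stateless check: recompute the tag from the embedded nonce and compare
    in constant time. Strings that merely look like key ids fail."""
    if len(key_id) != 20 or not key_id.startswith("AKIA"):
        return False
    nonce_part, tag = key_id[4:12], key_id[12:]
    return hmac.compare_digest(tag.encode(), _tag(secret, nonce_part).encode())


def scan_logs(secret: bytes, registry: dict, lines: list) -> list:
    """Emit one alert per verified decoy use. `registry` maps key id -> where
    the decoy was planted, so the alert says which host or file was read."""
    alerts = []
    for line in lines:
        for key_id in KEY_RE.findall(line):
            if not is_honeytoken(secret, key_id):
                continue
            ip = IP_RE.search(line)
            alerts.append({
                "key_id": key_id,
                "planted_at": registry.get(key_id, "unregistered decoy"),
                "source_ip": ip.group(1) if ip else None,
                "line": line,
            })
    return alerts


# --- constructed demonstration data (not from any real environment) ---
DEMO_SECRET = b"per-deployment-secret-keep-out-of-the-repo"
DEMO_TOKEN = mint_honeytoken(DEMO_SECRET, nonce=b"\x01\x02\x03\x04\x05")
DEMO_REGISTRY = {DEMO_TOKEN: "/srv/ci/.env on build-runner-03"}
DEMO_LOG = [
    # AWS documentation example key: looks like a key id, is not our decoy
    "2025-03-04T10:15:33Z src=10.0.4.12 key=AKIAIOSFODNN7EXAMPLE action=s3:ListBuckets",
    f"2025-03-04T11:02:07Z src=203.0.113.7 key={DEMO_TOKEN} action=sts:GetCallerIdentity",
    "2025-03-04T11:02:09Z src=203.0.113.7 key=AKIAQZ3RXK2J7M4VP5W6 action=sts:GetCallerIdentity",
]


def demo() -> list:
    """Run the detector over the constructed log; only the planted decoy fires."""
    return scan_logs(DEMO_SECRET, DEMO_REGISTRY, DEMO_LOG)


if __name__ == "__main__":
    for alert in demo():
        print(f"HONEYTOKEN USED from {alert['source_ip']}: {alert['planted_at']}")
```

Because verification is an HMAC over the embedded nonce, the same detector can run in a SIEM that never sees the planting registry; the registry only enriches the alert with where the decoy was left, which tells the responder which host the intruder has already read.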

Private-sector players should also prioritize any opportunity that takes them beyond siloed security efforts. Cross-industry intelligence-sharing alliances should go beyond reporting indicators of compromise and instead coordinate active threat hunting and joint mitigation efforts.

The private sector has already shown it can operate at this level — Microsoft and Google have taken down state-backed cybercriminal infrastructure in the past. Now, security teams must formalize joint response frameworks that can neutralize threats before they escalate into major breaches.

At the same time, while private-sector actors cannot legally conduct retaliatory cyber operations, they can work within existing legal and technical frameworks to disrupt adversary infrastructure.

This includes:

  1. Aggressively dismantling command-and-control servers used by known Russian malware through legal takedowns and court orders;
  2. Deploying synthetic environments to lure and exhaust adversary resources, forcing them to waste time and effort on decoys; and
  3. Leveraging AI-driven threat analysis to build detections and blocks for known adversary tactics, techniques, and procedures before they are used in live operations.

Finally, if deterrence through retaliation is off the table, then the only alternative is deterrence by denial: making successful attacks so difficult and costly that adversaries are discouraged from trying. That reaffirms the need for more than the basics of cyber defense as the standard across industry, including, among other things:

  1. implementing zero-trust security models to compartmentalize access and prevent large-scale breaches;
  2. deploying automated response capabilities that can isolate and neutralize intrusions within minutes rather than hours or days; and
  3. regularly running live-fire cyberattack simulations to stress-test defenses, specifically against Russian TTPs.

Deterrence must continue, with or without government support

Halting offensive cyber planning against Russia does not de-escalate tensions—it creates an opening for adversaries to exploit. Security professionals across government and industry must recognize that Russia will take advantage of this policy shift to ramp up cyber operations. While the US government’s decision may remove what many see as the country’s primary tool of deterrence, it does not remove the necessity of deterrence itself.

If government leadership is unwilling to act, private industry and security professionals must develop their own deterrence strategies. Active cyber defense, intelligence collaboration, preemptive disruption, and resilience-driven deterrence are not just theoretical responses; they are now essential survival strategies. The cybersecurity community must not wait for the next wave of Russian cyber aggression, because it is already on the way.

https://www.csoonline.com/article/3839098/the-risks-of-standing-down-why-halting-us-cyber-ops-against-russia-erodes-deterrence.html (Advanced Persistent Threats, CSO and CISO, IT Leadership, Security, Threat and Vulnerability Management)
Positive thinking for security decision-makers: 6 mindsets you should drop immediately Thu, 06 Mar 2025 04:17:00 +0000

Trapped in the wrong security mindset?

It is no secret that cybersecurity jobs carry a high burnout risk: the working environment of security professionals is shaped above all by the (perceived) pressure to meet demands that rise by the day. There are several reasons for this, but the main one is the way people think about security. The good news: once you identify a harmful mindset, you can change it and position both yourself and your teams for success.

Cybersecurity is a highly technical field and in some respects a hard science. At the same time, it is strongly shaped by elements of psychology and ethics. How effective IT security ultimately is also depends on the mindset and beliefs of the practitioners and decision-makers in the field.

If you recognize any of the following six mindsets in yourself, there is work to do before a healthier security environment can thrive.

1. “Security is a destination”

A particularly insidious security mindset is the belief that security is a journey with a starting point and a finish line. Nobody (hopefully) arrives at this belief consciously; professionals know that security is a continuous task. Subconsciously, however, it can lead to temporary inactivity once a particular set of tasks has just been completed.

All this achieves is more unnecessary stress for everyone on the team, because holding out the prospect of an end point creates a subtle sense of disappointment, or even failure, as soon as it becomes clear that there is still more to do. You (and your team) will only find peace once you accept that security is an ongoing process.

2. “IT security is only for professionals”

The view that security rests solely in the hands of the relevant specialists has two unfortunate consequences:

  1. All other employees feel, at least subjectively, released from responsibility.

  2. Security professionals are subtly pushed into a lone-warrior role.

Software developers should keep security in mind at every phase of the lifecycle rather than first dealing with it at delivery. The same applies to every other employee in the company: only where awareness exists can the risk of cyberattacks be minimized.

Security experts naturally take a leading or guiding role here. Ultimately, though, every employee should feel empowered to contribute to the company's overall security. A shared task also strengthens the sense of community.

3. “Security only gets harder”

Few things are more discouraging than a classic Sisyphean task, and that impression can easily arise in security: cybercriminals keep getting more sophisticated and use ever better tools, while the digital infrastructure that has to be protected grows ever larger, more complex and more interconnected.

In reality, the contest between white hats and black hats is a constant give and take. Ransomware is a good example: for a while, crypto-trojans seemed to be turning into a plague; since then the security industry has evolved accordingly and measurably struck back.

By accepting the cyclical nature of IT security, you put yourself in a position to strike the right balance between relaxation and vigilance. Mental balance is the key to long-term (security) success.


4. “Security is a product”

IT security is often regarded as a standalone function or add-on product that is “draped over” the underlying infrastructure, or as a concrete “thing” that has to be finalized and shipped. This resembles the old view of quality in general as a distinct, separate component of things. To put it in Aristotle's words: “Quality is not an act, it is a habit.”

Security, like quality, is not a finished product but (as already noted) an ongoing discipline. Seeing security as a practice that must be continually refined releases the energy needed for it. Consider it a blessing to work in a field that continuously offers room for growth and the opportunity to put your skills to full use. Once you have internalized this mindset, share it with the whole company.

Security should never be shipped like a product, because it is not a side effect or a tool. Rather, it should be the driver of culture and deliberate action. In short: IT security should be part of the daily routine, at the individual and the organizational level.

5. “The criminals drive security”

Security professionals who are constantly busy putting out fires can come to believe that cybercriminals control the game. This reactive view of IT security breeds frustration and a sense of powerlessness.

In reality, companies hold the reins: it is their assets, after all, that make tempting targets for criminals. In most cases the attackers should not be underestimated, but it is the business that drives security.

6. “100 percent is barely enough”

Good security needs measurable factors. Metrics such as mean time to detect (MTTD) make it possible to monitor the situation and measure the effectiveness of programs. It becomes a problem when you succumb to the notion that every indicator must always move in a positive direction, or, worse still, sit in the “perfect” range. That unrealistic expectation is a gateway to distorted measurements.

Instead, see metrics as signposts that can guide you to your destination. The key is to take the necessary steps and put measures in place to steer things in the right direction. That makes it essential to engage honestly with your measurements. (fm)

This article is based on an article from our US sister publication Network World.

https://www.csoonline.com/article/3493061/positiv-denken-fur-sicherheitsentscheider-6-mindsets-die-sie-sofort-ablegen-sollten.html (Risk Management)
Ransomware goes postal: US healthcare firms receive fake extortion letters Wed, 05 Mar 2025 17:39:44 +0000

In late February, healthcare organizations across the US started receiving extortion demands by mail claiming that their organization’s data had been stolen in a ransomware attack and giving them 10 days to respond.

According to the letters, printed on paper and delivered in envelopes purporting to be from the BianLian ransomware group, the data would be leaked unless the organization paid a ransom of between $250,000 and $350,000 in Bitcoin.

Now for the good news: the breaches never happened, and the letters are almost certainly fake. Two security vendors that have studied the letters, Arctic Wolf and GuidePoint Security, now believe that the whole letter-writing campaign is a ruse by someone pretending to be BianLian, one of the ransomware industry's up-and-coming threat groups.

Targeting healthcare organizations, the strange incident is a reminder that ransomware today is really two industries: a larger one that carries out the serious ransomware attacks everyone hears about and a much smaller and less well publicized one that tries to impersonate them.

But how can organizations distinguish a real attack with menaces from an entirely simulated one?

Judging from published examples, not easily, at least for a non-expert. The letters had Boston postmarks and a city center return address, links to Tor data leak sites associated with BianLian and, in two cases, an example of what was claimed to be a compromised password.

“We are not a politically motivated group and we want nothing more than money. Our industry only works if we hold up our end of the bargain,” stated the attackers in a letter analyzed by GuidePoint Security.

“If you follow our instructions and pay the full requested amount on time, all of your company’s data will be permanently destroyed and none of it will ever be published,” the letter continued.

Something phishy

A clue that something is amiss is simply that the attackers would use a letter to communicate. There is no record of this tactic being deployed before by organized ransomware groups such as BianLian, and for good reason: sending demands by post is uncertain and very slow.

Letters sent to multiple organizations were also identical to one another, Arctic Wolf noted, apart from small variations tailoring the text for each recipient. This is the same tactic used by mass email attacks and smacks of opportunism. The senders also refused to negotiate and offered no channel for doing so. In ransomware circles, that is almost unheard of.

That said, sending demands by letter does have one useful characteristic: letters are not filtered by spam systems, which makes them more likely to be read by someone. It is a form of social engineering in which, if even one company in a thousand falls for the tactic, the payday makes the effort worthwhile.

If stolen credit cards are used to pay for the postage costs, it’s probably also cheap or even free with the letters themselves sent via print-to-mail services that feed them to the US Postal Service.

Phantom extortion

Ransomware impersonation is nothing new. In 2019, organizations across the US reportedly received emails deploying the same fake breach modus operandi as the recent letter writers – ‘pay up now because we have your data’. In truth, such campaigns are probably commonplace but are dismissed as obvious ruses and rarely reported on.

However, by 2023 the tactic had evolved into something more sophisticated with a separate campaign backing up its bogus threats by attaching snippets of genuine data culled from dark web trawls. This raises a disturbing possibility: the organization has been breached but the group threatening them is not one who carried out the attack.

The underlying question is how organizations should defend themselves in practical ways against yet another fraud tactic.

“Attacks like this are unlikely to succeed in the majority of cases, but the perpetrators only have to have a small number of victims fall for it for it to be a big pay day for them,” cybersecurity expert Graham Cluley said via email.

Developing defenses

The first line of defense against this type of attack is simply to develop a process to deal with it, he said. Incidents like this should be reported internally to increase awareness of the scammers’ techniques. At the same time, every ransom threat should be reported to the IT team as well as to the security companies supporting the organization.

Attackers would typically include evidence that data has been exfiltrated in the form of genuine data. However, organizations need to be careful they aren’t being tricked:

“These protocols include verifying the authenticity of any ransom demands. It is important to establish whether that data could have been stolen in an earlier data breach or may have been collected from a different third-party source,” said Cluley.

Cluley also stressed the need for organizations to have a response plan that could assess the possibility of a breach itself while engaging with law enforcement.

“There should be named members of staff in your plan who coordinate communications with any potential extortionist, who ensures that all relevant departments are involved in any important decisions. Make sure that you engage with law enforcement. If you have received a fake ransom snail-mail, chances are that other businesses have as well,” said Cluley.

Ransom demands are always designed for their shock value, agreed John Shier, Field CISO at security vendor Sophos. Sending a demand by letter was unusual but that might be the point.

“Teams need to bring awareness of this latest scam to their leadership. If an organization receives a letter, they shouldn’t panic, but they still need to investigate if there is any basis to the claim,” he said.

“At the very least, companies should review network logs for any unauthorized access and large data transfers that don’t conform to normal patterns. While it appears that the letters are fake, some basic due diligence needs to be performed to rule out a data breach,” he said.
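The advice to look for transfers that do not conform to normal patterns can be turned into a concrete check. The following Python is an added example, not code from the article or from Sophos, Arctic Wolf or GuidePoint: it builds a per-host baseline of daily outbound bytes from flow records, scores the day under review with a robust z-score (median and median absolute deviation, so one earlier spike does not inflate the baseline), and reports any destination the host had never talked to during the baseline. The flow records are constructed for the example; the host names, addresses, thresholds and the 14-day baseline are assumptions.

```python
"""Egress anomaly check over flow records (added example with constructed
data). Each record is (day, host, dst_ip, bytes_out), the shape you get by
summarizing firewall, NetFlow or VPC flow logs per connection."""
import random
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

Flow = Tuple[int, str, str, int]

# Assumed normal daily egress per host, used only to construct the sample data.
HOSTS = {"ehr-db-01": 2_000_000_000, "ws-billing-14": 150_000_000}
INTERNAL_DESTS = [f"198.51.100.{i}" for i in range(1, 21)]


def build_sample_flows(seed: int = 7) -> List[Flow]:
    """Constructed flows: 14 normal days, then day 15 with a 25 GB push from the
    database host to an address never seen before (the case we want to catch)."""
    rng = random.Random(seed)
    flows: List[Flow] = []
    for day in range(1, 16):
        for host, base in HOSTS.items():
            for dst in INTERNAL_DESTS:
                flows.append((day, host, dst, int(base / 20 * rng.uniform(0.8, 1.2))))
    flows.append((15, "ehr-db-01", "203.0.113.250", 25_000_000_000))
    return flows


def summarize(flows: List[Flow]):
    """host -> day -> total bytes, and host -> day -> {dst: bytes}."""
    totals: Dict[str, Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    by_dst: Dict[str, Dict[int, Dict[str, int]]] = defaultdict(
        lambda: defaultdict(lambda: defaultdict(int)))
    for day, host, dst, nbytes in flows:
        totals[host][day] += nbytes
        by_dst[host][day][dst] += nbytes
    return totals, by_dst


def find_anomalies(flows: List[Flow], baseline_days, review_day: int,
                   k: float = 5.0, min_excess: int = 1_000_000_000) -> List[dict]:
    """Flag hosts whose review-day egress is more than k robust deviations above
    their own baseline AND at least min_excess bytes above the median, or that
    sent data to a destination absent from the whole baseline period."""
    totals, by_dst = summarize(flows)
    findings = []
    for host, per_day in totals.items():
        history = [per_day[d] for d in baseline_days if d in per_day]
        if len(history) < 7:          # too little baseline to score honestly
            continue
        median = statistics.median(history)
        mad = statistics.median(abs(x - median) for x in history) or 1.0
        today = per_day.get(review_day, 0)
        score = (today - median) / mad          # robust z-score
        known = set()
        for d in baseline_days:
            known.update(by_dst[host][d])
        today_dsts = by_dst[host][review_day]
        new_dsts = {dst: b for dst, b in today_dsts.items() if dst not in known}
        volume_hit = score > k and today - median > min_excess
        if volume_hit or new_dsts:
            top_dst = max(today_dsts, key=today_dsts.get) if today_dsts else None
            findings.append({
                "host": host,
                "egress_bytes": today,
                "baseline_median": median,
                "score": round(score, 1),
                "volume_anomaly": volume_hit,
                "new_destinations": new_dsts,
                "top_destination": top_dst,
            })
    return findings


def demo() -> List[dict]:
    """Review day 15 against days 1 to 14 of the constructed flows."""
    return find_anomalies(build_sample_flows(), range(1, 15), review_day=15)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['host']}: {f['egress_bytes'] / 1e9:.1f} GB out (baseline "
              f"{f['baseline_median'] / 1e9:.2f} GB, score {f['score']}), "
              f"new destinations {list(f['new_destinations'])}")
```

The absolute floor (min_excess) matters: a workstation with a tiny, very stable baseline can produce a huge z-score on a few hundred extra megabytes, which is not the exfiltration of a patient database. The new-destination check catches the other common case, a modest volume sent somewhere the host has no history with.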

https://www.csoonline.com/article/3839190/ransomware-goes-postal-us-healthcare-firms-receive-fake-extortion-letters.html (Ransomware, Security)
Polish space agency battles cyberattack Wed, 05 Mar 2025 15:41:47 +0000

The Polish space agency POLSA has been the target of a cyberattack.

As the Polish space agency POLSA recently announced via its X account, a cybersecurity incident has occurred. The organization says it immediately disconnected its networks from the internet to prevent further damage.

Who is behind the attack?

No further information about the attack is available yet, and who is behind it remains unclear. Poland's digital affairs minister Krzysztof Gawkowski confirmed that state cybersecurity services have been brought in to identify the source of the unauthorized access.

It would not be surprising, however, if Russia were behind the attack. In recent years Poland has frequently been targeted by Russian hacker groups such as APT28, which is considered state-sponsored.

https://www.csoonline.com/article/3839109/polnische-raumfahrtbehorde-kampft-mit-cyberattacke.html (Cyberattacks)
How PV systems are attacked digitally, and how to protect them Wed, 05 Mar 2025 15:18:26 +0000

Companies are increasingly turning to solar installations with battery storage to reduce high energy costs and grid stability risks. These systems are often not hardened, however, which makes them an increasingly popular target for cybercriminals.

When energy prices rise, cost-intensive projects such as data centers for artificial intelligence (AI) become more expensive too. Large companies are therefore looking harder for ways to make their energy budgets cheaper. Old nuclear power plants, for example, are being reactivated and put into service for such companies.

The blessing and curse of inverters

The connectivity of such solar and storage systems creates new vulnerabilities that companies must take into account in their risk assessments. The potential risks range from the disruption of a single distributed energy resource (DER) to impairment of the power grid itself.

A key component of solar DERs is the smart inverter, which is connected to the power grid but is not owned by the utility.

Inverters control the flow of energy between DERs and the grid, contribute to grid stability and communicate with the utility. Smart inverters use IoT technology and cloud-based services. That makes them susceptible to cyber threats, which in turn calls for effective cybersecurity measures.

Still evolving, and without security standards

There are no uniform industry standards for inverter security, however, only voluntary best practices. At the same time, DER security is still evolving and is implemented differently across the industry. Experts therefore warn that inadequate security measures could create long-term weaknesses in the energy infrastructure. They fear a situation similar to that of many IoT devices.

In recent years, cost cutting and rapid time to market have also taken priority, further sidelining security standards. One result is the frequent use of weak default passwords such as “12345678” or “psw1111”, which are moreover rarely changed, making it easier for attackers to gain access to the systems.

Solar and battery systems as targets for cyberattacks

The sheer number of solar and battery systems, with their many inverters, also makes them attractive targets for cyberattacks: in the US alone there are 5 million solar installations, and in Germany around 3.4 million photovoltaic systems.

Smart inverters are generally managed via a control panel, and most commercial solar installations are also connected to online management software. A company may also outsource management of its solar systems to a third party. The control panel, the management software and the third-party networks are all potential entry points for an attacker.

Similar vulnerabilities across a range of vendors

Solar installations are often coupled with battery systems that have their own control systems. While smaller batteries usually remain isolated, large battery systems have their own internet connections, which makes them more vulnerable to attack. Manufacturers such as Enphase and SolarEdge are therefore improving their security measures so that such scenarios cannot occur in future.

In 2024, for example, researchers discovered vulnerabilities in the IQ Gateway from Enphase, a leading supplier of microinverters for solar installations. The flaw would have allowed attackers to take over every internet-connected Enphase inverter, giving criminals potential access to more than 4 million devices in 150 countries.

Similar vulnerabilities had previously been found in the solar platforms of Solarman and Deye, two Chinese vendors.

More DERs also mean more security risks

Vulnerabilities in smart inverters can endanger the power grid at times of high demand. An outage of solar DERs could, among other things, lead to power failures, because alternative energy sources are not available quickly enough or are more expensive. Attackers could also send false capacity figures to utilities, leading to miscalculations. This is particularly problematic for building automation systems, since the management of solar and battery systems is frequently integrated into them.

The growing spread of DERs also increases the risk that attackers who compromise them gain access to power generation and the supply grid. Utilities, because they centrally manage many DERs, are an even more lucrative target.

Chinese threat, US remedies

According to experts, both state actors and cybercriminals could use solar DERs to attack power grids. In 2023, for example, the Russian group Just Evil attacked the Lithuanian energy company Ignitis via its solar monitoring system. Security experts also warn that many inverters and battery systems come from China, where their software is centrally controlled and updated, which they say represents a significant security risk.

At the same time, the experts say, cybersecurity gets far too little attention when companies plan their solar DER projects. This is mainly because the heavily regulation-driven solar industry does not require such security programs, and so none exist.

Several organizations are pushing back against this and have developed best practices and frameworks for DER security. They include:

  • NIST IR 8498, Cybersecurity for Smart Inverters, from the US National Institute of Standards and Technology (NIST)
  • Cybersecurity Baselines for Electric Distribution Systems and DER from the National Association of Regulatory Utility Commissioners (NARUC)
  • The Distributed Energy Resource Cybersecurity Framework from the US National Renewable Energy Laboratory (NREL)

Delegating security responsibility correctly

Important security measures for solar DERs include vetting vendors for cybersecurity and fire safety, particularly with regard to remote access and data storage. Experts recommend asking installers early on about access rights and about the protection of user data, among other things.

Companies should also assign security responsibility to competent staff and enforce strict access controls and multifactor authentication (MFA). Role-based access control (RBAC) should likewise be implemented to restrict access to authorized employees.

Logging of processes and actions

Customers should also configure the event log to capture the data that will be needed in the event of a security incident. Inverter event logs record important information that helps security teams analyze an unexpected event. This includes:

  • All user authentication attempts, together with the identities involved
  • Changes to the inverter's configuration settings, including the identities of those who made them
  • The creation or deletion of user accounts
  • Records of software and firmware updates, and whether the update was manual or automatic
  • All communication events, such as loss of connectivity or connections to a network
  • Actions performed directly on the inverter's control panel
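What to do with such a log once it exists is the part the list leaves open. The following Python is an added example, not code from the article or from any inverter vendor: it parses constructed inverter event lines in a key=value format and applies a few triage rules that follow directly from the items above, flagging a successful login that follows a burst of failures, configuration changes and manual firmware updates that come from outside the maintenance network or outside a maintenance window, an export limit set to zero, and account creation. The line format, the field names, the maintenance network 10.20.0.0/16, the window (08:00 to 18:00 UTC on weekdays) and the thresholds are assumptions.

```python
"""Triage rules over inverter event logs (added example; the log lines are
constructed and the field names are assumptions, not any vendor's format)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import List, Tuple

MAINTENANCE_NETS = [ip_network("10.20.0.0/16")]    # assumed operator network
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(minutes=10)
KV_RE = re.compile(r"(\w+)=(\S+)")

Finding = Tuple[str, str, str]   # (severity, inverter, reason)

# Constructed sample: a weekend break-in on INV-07, routine work on INV-03.
SAMPLE_LOG = """
2025-03-01T02:14:03Z inv=INV-07 event=AUTH_FAIL user=admin src=203.0.113.9
2025-03-01T02:14:21Z inv=INV-07 event=AUTH_FAIL user=admin src=203.0.113.9
2025-03-01T02:14:40Z inv=INV-07 event=AUTH_FAIL user=admin src=203.0.113.9
2025-03-01T02:15:02Z inv=INV-07 event=AUTH_FAIL user=admin src=203.0.113.9
2025-03-01T02:15:25Z inv=INV-07 event=AUTH_FAIL user=admin src=203.0.113.9
2025-03-01T02:15:50Z inv=INV-07 event=AUTH_FAIL user=admin src=203.0.113.9
2025-03-01T02:16:30Z inv=INV-07 event=AUTH_OK user=admin src=203.0.113.9
2025-03-01T02:17:10Z inv=INV-07 event=CONFIG_CHANGE user=admin param=grid_export_limit old=100 new=0 src=203.0.113.9
2025-03-01T02:18:00Z inv=INV-07 event=FW_UPDATE mode=manual user=admin version=3.4.1 src=203.0.113.9
2025-03-01T22:05:00Z inv=INV-03 event=CONFIG_CHANGE user=j.mueller param=reactive_power_mode old=off new=voltvar src=10.20.0.5
2025-03-03T03:00:00Z inv=INV-03 event=FW_UPDATE mode=auto version=3.4.1
2025-03-03T11:30:00Z inv=INV-03 event=LINK_LOST iface=cellular
2025-03-03T11:31:00Z inv=INV-03 event=USER_CREATE user=svc_backup by=admin src=203.0.113.9
2025-03-04T09:05:00Z inv=INV-03 event=CONFIG_CHANGE user=j.mueller param=max_charge_rate old=50 new=60 src=10.20.0.5
""".strip().splitlines()


def parse(line: str) -> dict:
    """Timestamp first, then key=value pairs; returns a dict with a tz-aware ts."""
    ts, rest = line.split(" ", 1)
    rec = dict(KV_RE.findall(rest))
    rec["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return rec


def from_maintenance_net(src: str) -> bool:
    try:
        ip = ip_address(src)
    except ValueError:          # missing or malformed source is not trusted
        return False
    return any(ip in net for net in MAINTENANCE_NETS)


def in_maintenance_window(ts: datetime) -> bool:
    return ts.weekday() < 5 and 8 <= ts.hour < 18


def triage(lines: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    fails = defaultdict(list)          # (inverter, src) -> AUTH_FAIL timestamps
    for r in (parse(line) for line in lines):
        inv, ev, src = r["inv"], r["event"], r.get("src", "")
        if ev == "AUTH_FAIL":
            fails[(inv, src)].append(r["ts"])
        elif ev == "AUTH_OK":
            recent = [t for t in fails[(inv, src)] if r["ts"] - t <= FAIL_WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                findings.append(("high", inv, f"{r['user']} logged in from {src} "
                                 f"after {len(recent)} failures: credential guessing"))
        elif ev in ("CONFIG_CHANGE", "FW_UPDATE"):
            if ev == "FW_UPDATE" and r.get("mode") == "auto":
                findings.append(("info", inv, f"automatic firmware update to {r.get('version')}"))
                continue
            what = f"{ev} by {r.get('user')} from {src}"
            if not from_maintenance_net(src):
                findings.append(("high", inv, f"{what}: source outside maintenance network"))
            elif not in_maintenance_window(r["ts"]):
                findings.append(("medium", inv, f"{what}: outside maintenance window"))
            if ev == "CONFIG_CHANGE" and r.get("param", "").endswith("limit") and r.get("new") == "0":
                findings.append(("high", inv, f"{r['param']} set to 0 (grid impact)"))
        elif ev in ("USER_CREATE", "USER_DELETE"):
            sev = "medium" if from_maintenance_net(src) else "high"
            findings.append((sev, inv, f"{ev} {r.get('user')} by {r.get('by')} from {src}"))
    return findings


if __name__ == "__main__":
    for sev, inv, reason in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {inv}: {reason}")
```

The rules are deliberately keyed on the identities and sources the list says the log must capture; a log that records a configuration change without who made it and from where cannot distinguish the Tuesday-morning tuning on INV-03 from the Saturday-night takeover of INV-07.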

Protecting communication links

To ensure the security of solar DERs, the security experts say, the communication links should also be specifically protected. This can be done, for example, through dedicated cellular connections for inverters and utilities, as well as through regular software and firmware updates.

System backups should also be created regularly and checked for integrity. Further measures include disabling functions that are not needed, removing unused devices, and penetration testing. Security practices such as isolating the inverter from other networks and avoiding local backups round out the protective measures, according to the experts.

Switch off what is no longer needed

The experts also advise disabling functions that are no longer in use. These may include remote access protocols, guest or anonymous user access, or wireless communication.

In addition, operators should remove the smart inverter from the system when it is no longer needed. This is mainly because attackers love connected but forgotten IoT devices, since they reduce the attackers' chances of being discovered.

https://www.csoonline.com/article/3839083/wie-werden-pv-anlagen-digital-angegriffen-und-geschutzt.html (Critical Infrastructure, Security, Utilities Industry)
Critical vulnerabilities expose network security risks in Keysight’s infrastructure Wed, 05 Mar 2025 13:08:31 +0000

Keysight Technologies’ Ixia Vision product family has been found to contain critical security vulnerabilities that could allow remote attackers to compromise affected devices.

According to a newly issued alert from the Cybersecurity and Infrastructure Security Agency (CISA), these flaws expose the devices to risks such as remote code execution, unauthorized file downloads, and system crashes, posing significant threats to enterprises using the affected hardware.

“Successful exploitation of these vulnerabilities could crash the device being accessed; a buffer overflow condition may allow remote code execution,” the CISA advisory warned, highlighting the critical nature of the security gaps.

High-risk vulnerabilities discovered

The NATO Cyber Security Centre first reported the vulnerabilities to Keysight, identifying four distinct security issues that could potentially compromise network infrastructure.

The most severe issue, a path traversal vulnerability tracked as CVE-2025-24494, has been assigned a CVSS v4 score of 8.6, indicating a high level of severity. Exploiting this flaw could allow attackers to execute arbitrary scripts or binaries using administrative privileges, potentially leading to full system compromise.

Another critical flaw, CVE-2025-24521, involves an improper restriction of XML external entity references. This vulnerability could enable attackers to remotely download unauthorized files, escalating security risks.

While its CVSS v3.1 base score is rated at 4.9, its CVSS v4 rating reaches 6.9, underscoring its potential impact when combined with other vulnerabilities, the advisory added.

Potential threats to enterprises

Successful exploitation of these vulnerabilities could have dire consequences, including system crashes, arbitrary file deletions, and unauthorized access to sensitive information. Attackers leveraging these flaws may gain control over affected devices, facilitating further attacks within an enterprise’s network.

Furthermore, multiple path traversal vulnerabilities (CVE-2025-21095 and CVE-2025-23416) identified in the affected software versions could be used to download or delete files arbitrarily, leading to data integrity issues and service disruptions.
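As an added, generic illustration of the two bug classes the advisory names, and not Keysight's code or a description of how the Ixia Vision flaws themselves work, the following Python shows the containment check a file download/delete handler needs against path traversal, and the simplest hardening against XML external entity (XXE) expansion. The function names, the temporary directory and the sample inputs are all constructed for this example.

```python
"""Defensive checks for path traversal and XXE (added, generic example)."""
import os
import re
import tempfile
from urllib.parse import unquote


class UnsafePathError(ValueError):
    """Raised when a client-supplied path would leave the allowed directory."""


def safe_join(base_dir, requested):
    """Resolve a client-supplied relative path strictly inside base_dir.

    realpath() collapses '..' segments and follows symlinks, so a link inside
    base_dir that points outside it is rejected as well. Percent-encoded input
    is decoded first so an encoded '..' cannot slip past the check.
    """
    base = os.path.realpath(base_dir)
    decoded = unquote(requested)
    if "\x00" in decoded or os.path.isabs(decoded):
        raise UnsafePathError(f"absolute path or NUL byte: {requested!r}")
    candidate = os.path.realpath(os.path.join(base, decoded))
    # commonpath is the robust containment test; a plain startswith() would
    # accept '/srv/files_evil' as being inside '/srv/files'.
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafePathError(f"path escapes base directory: {requested!r}")
    return candidate


_DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


def reject_dtd(xml_bytes):
    """Refuse any document that declares a DTD before it reaches a parser.

    External entities (and entity-expansion bombs) require a DTD, so refusing
    the DOCTYPE outright is the simplest hardening whenever the application
    never legitimately needs one.
    """
    if _DOCTYPE_RE.search(xml_bytes):
        raise ValueError("DTD / DOCTYPE declarations are not accepted")
    return xml_bytes


def demo():
    """Run both checks against constructed inputs; returns a dict of outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        real_base = os.path.realpath(base)
        open(os.path.join(base, "report.txt"), "w").close()
        results["plain"] = safe_join(base, "report.txt") == os.path.join(real_base, "report.txt")
        results["subdir"] = safe_join(base, "sub/ok.txt") == os.path.join(real_base, "sub", "ok.txt")
        for bad in ("../../outside.txt", "%2e%2e/%2e%2e/outside.txt",
                    "/absolute/outside.txt", "a/../../x"):
            try:
                safe_join(base, bad)
                results[bad] = "accepted"
            except UnsafePathError:
                results[bad] = "rejected"
    # Constructed document with an external entity declaration.
    xxe_doc = (b'<?xml version="1.0"?>'
               b'<!DOCTYPE d [<!ENTITY e SYSTEM "file:///outside.txt">]><d>&e;</d>')
    try:
        reject_dtd(xxe_doc)
        results["xxe"] = "accepted"
    except ValueError:
        results["xxe"] = "rejected"
    results["plain_xml"] = reject_dtd(b"<d>ok</d>") == b"<d>ok</d>"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:30} {outcome}")
```

The two checks are deliberately independent of any parser library: `safe_join` decides containment on the fully resolved path rather than on the string the client sent, and `reject_dtd` runs on the raw bytes before any XML library is invoked, so it holds regardless of which parser's defaults the application later relies on.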

“Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents,” the advisory emphasized.

Patch and mitigation recommendations

Keysight Technologies has acknowledged the vulnerabilities and released security patches to address them. Organizations using the affected devices are urged to upgrade to version 6.7.0 or later for CVE-2025-24494 and to version 6.8.0 for CVE-2025-24521, CVE-2025-21095, and CVE-2025-23416.

These updates, released between October 2024 and March 2025, contain essential fixes to prevent exploitation.

CISA has also issued recommendations to mitigate the risks associated with these vulnerabilities. The agency advises organizations to minimize network exposure for control system devices, ensure they are not accessible from the internet, and place them behind firewalls.

Additionally, organizations should adopt secure remote access methods such as VPNs while ensuring that VPN solutions are updated to the latest versions to mitigate potential security weaknesses, the advisory said.

Industry response and future security measures

While no public exploitation of these vulnerabilities has been reported so far, cybersecurity experts warn that threat actors may soon attempt to take advantage of unpatched systems. Given the widespread deployment of Keysight’s network packet broker devices in enterprise environments, organizations must prioritize timely updates and strengthen network defenses.

CISA has urged companies to follow best practices for industrial control system (ICS) security, emphasizing the need for defense-in-depth strategies. As organizations increasingly rely on network visibility solutions like Ixia Vision, ensuring robust security measures will be essential to mitigating cyber risks and preventing potential attacks. As cyber threats continue to evolve, timely patch management and proactive security strategies remain critical in safeguarding enterprise infrastructure from emerging vulnerabilities.

https://www.csoonline.com/article/3838980/critical-vulnerabilities-expose-network-security-risks-in-keysights-infrastructure.html (Security, Vulnerabilities)
The dirty dozen: 12 worst ransomware groups active today Wed, 05 Mar 2025 08:00:00 +0000

Ransomware-as-a-service (RaaS) models, double extortion tactics, and increasing adoption of AI characterize the evolving ransomware threat landscape.

Law enforcement takedowns of groups such as LockBit have contributed to making the ransomware marketplace more fragmented, with emergent players attempting to muscle in on the action.

Attackers range from nation-state actors to RaaS operations, lone operators, and data theft extortion groups. The following non-exhaustive list contains a rundown of the main currently active threat groups, selected for inclusion based on their impact or innovative features.

Akira

History: Akira is a sophisticated RaaS operation that emerged in early 2023 and remains active.

How it works: Groups deploying Akira often exploit a lack of authentication in corporate VPN appliances, open RDP (remote desktop protocol) clients, and compromised credentials to attack corporate systems.

Targeted victims: The key targets are small to midsize businesses across North America, Europe, and Australia. Affected industries include manufacturing, professional and legal services, education, telecommunications, technology, and pharmaceuticals, according to Palo Alto Networks’ Unit 42 intelligence unit.

Attribution: Circumstantial evidence suggests Russian origins, and links with the defunct Conti ransomware, but attribution remains unclear. “The [threat] actor gained attention due to the ‘retro aesthetic’ applied to their DLS (data leak site) and messaging,” Shobhit Gautam, staff solutions architect for EMEA at bug bounty platform HackerOne, says.

Black Basta

History: Black Basta appeared on the ransomware scene in early 2022 and is believed to be a spin-off from Conti, a group notorious for attacking major organizations.

How it works: Black Basta usually deploys malware through exploitation of known vulnerabilities and social engineering campaigns. “Employees in the target environment are email bombed and then contacted by the group pretending to be the organization’s help desk,” according to Christiaan Beek, senior director of threat analytics at Rapid7.

Targeted victims: More than 500 organizations globally have been affected by Black Basta, according to an analysis by cloud security firm Qualys.

Attribution: Security researchers speculate Black Basta may be associated with the FIN7 cybercrime group due to similarities in custom modules for evading endpoint detection and response systems in malware samples.

Blackcat (ALPHV)

History: BlackCat, also known by the aliases ALPHV or Noberus, emerged in November 2021. It is said to be made up of former members of the now-defunct Darkside group, which infamously targeted the Colonial Pipeline.

How it works: The malware used by BlackCat targets Windows and Linux systems. BlackCat is known for using a triple-extortion strategy, which involves demanding a ransom for file decryption, pledging not to disclose stolen data, and preventing distributed denial-of-service (DDoS) attacks.

Targeted victims: The BlackCat (ALPHV) ransomware group has been responsible for several high-profile attacks, most notably Caesars Entertainment (September 2023) and Change Healthcare’s UnitedHealth Group subsidiary (February 2024).

Attribution: The BlackCat group has gone dark, possibly in response to law enforcement action and the impact of the Change Healthcare attack. Its principals, likely experienced cybercriminals, have become the target of US prosecution.

BlackLock

History: BlackLock (aka El Dorado) has shown explosive growth since emerging in March 2024. Threat intel firm ReliaQuest predicts it may overtake RansomHub as the most active ransomware group this year.

How it works: The group stands apart by developing its own custom malware — a hallmark of top-tier groups like “Play” and “Qilin,” according to ReliaQuest. Its malware targets Windows, VMware ESXi (virtualized servers), and Linux environments. Attackers typically encrypt data while also exfiltrating sensitive information, threatening to publish sensitive information if extortionate demands are not met.

Targeted victims: BlackLock has targeted a wide variety of victims, including US-based real estate, manufacturing, and healthcare organizations.

Attribution: BlackLock is highly active on the RAMP forum, a Russian-language platform focused on ransomware, actively recruiting for various roles, including initial access brokers, who sell access to partially compromised networks to its affiliates. There is no definitive attribution for the makeup of the BlackLock ransomware group.

Cl0p

History: The Cl0p ransomware has a complex history dating back to 2019. Its widespread misuse over the past six years is primarily associated with Russian-speaking cybercrime groups, chiefly TA505 and FIN11.

How it works: Cl0p exploits zero-day vulnerabilities to target its prey. The Cl0p group tends to avoid using conventional payloads but still relies on a leak site to extort payment from victims. “We’ve seen the group use high-profile platform vulnerabilities with minimal downtime to exfiltrate data, such as exploiting a vulnerability in Cleo file transfer software,” according to Rapid7’s Beek.

Targeted victims: Cl0p has targeted major organizations worldwide. Most notoriously, Cl0p conducted a massive campaign exploiting the MOVEit vulnerability, affecting thousands of organizations in 2023.

Attribution: The Cl0p ransomware is attributed to several (mostly Russian speaking) cybercriminal groups.

Funksec

History: FunkSec is a new RaaS group that emerged in late 2024, claiming more than 85 victims in December alone.

How it works: FunkSec uses AI in its malware development, demands low ransoms, and has “questionable credibility regarding their data leaks,” according to Rapid7’s Beek.

Targeted victims: FunkSec has claimed a large number of victims, but researchers caution some of the leaks may be rehashed or recycled from earlier breaches.

Attribution: FunkSec operates as a RaaS model, likely with Russian-speaking affiliates.

LockBit

History: LockBit is a cybercrime group operating through a ransomware-as-a-service model it was instrumental in pioneering. Despite being disrupted in 2024, LockBit has shown signs of a comeback. The malware operation remains notorious for its efficient encryption and double extortion tactics.

How it works: LockBit, despite a major takedown operation by law enforcement last year, continues to use the ever more powerful RaaS model as well as double extortion, also known as “lock and leak.” “LockBit continues to list victims, recruit affiliates, and try to reclaim its reputation on dark web forums,” Luke Donovan, head of threat intelligence at Searchlight Cyber, tells CSO.

Targeted victims: LockBit targeted thousands of victims worldwide in its heyday, including government services, private sector companies, and critical infrastructure providers.

Attribution: LockBit’s use of Russian-language forums and targeting patterns have led some analysts to believe the group is based in Russia. Russian national Dmitry Yuryevich Khoroshev, named by Western law enforcement agencies last year as the developer and administrator of LockBit, faces a US indictment alongside asset freezes and travel bans. Two Russian nationals were indicted for deploying LockBit ransomware against targeted organizations.

Lynx

History: Lynx shares 48% of its source code with the earlier INC ransomware, which indicates a plausible rebranding or evolution of the same threat actor.

How it works: Lynx also operates a RaaS and employs double extortion tactics. After infiltrating a system, the ransomware can steal sensitive information and encrypt the victim’s data, effectively locking them out. To make recovery more difficult, it adds the ‘.lynx’ extension to encrypted files and deletes backup files like shadow copies.

Targeted victims: Since emerging, the ransomware has actively targeted several US and UK industries, including retail, real estate, architecture, financial services, and environmental services. The group behind Lynx attacked multiple facilities across the US between July 2024 and November 2024, which include victims associated with energy, oil, and gas, according to Palo Alto’s Unit 42 threat intel group. “According to a statement Lynx released in July 2024, they claim to be ‘ethical’ with regards to choosing victims,” Rapid7’s Beek adds.

Attribution: Lynx operates as a RaaS model, meaning it is likely used by multiple cybercriminals rather than a single entity.

Medusa

History: Medusa is a ransomware-as-a-service operation that debuted in 2022.

How it works: The group typically hacks into systems by either exploiting vulnerabilities in public-facing assets, phishing emails, or using initial access brokers.

Targeted victims: Cybercriminals behind Medusa have targeted healthcare, education, manufacturing, and retail organizations in the US, Europe, and India.

Attribution: Activity on Russian-language cybercrime forums related to Medusa suggests the core group and many of its affiliates may be from Russia or neighbouring countries, but this remains unconfirmed.

Play

History: Play is a ransomware threat that emerged in June 2022. The group intensified its activities following the disruption of other major threat actors.

How it works: Attackers typically encrypt systems after exfiltrating sensitive data. Play keeps a fairly low profile on the dark web aside from its leak site, not advertising itself on dark web forums. “It has even claimed not to be an RaaS gang at all, saying it maintains a ‘closed group to guarantee the secrecy of deals,’ in spite of evidence to the contrary,” Searchlight Cyber’s Donovan explains.

Targeted victims: The group has targeted various sectors, including healthcare, telecommunications, finance, and government service.

Attribution: Play may have connections to North Korean state-aligned APT groups.

In October 2024, security researchers at Palo Alto Networks’ Unit 42 published evidence of a deployment of Play ransomware by a threat actor backed by North Korea, specifically APT45. “The link between this threat actor and Play is unclear, but demonstrates the potential for crossover between state-sponsored cyber activity and ostensibly independent cybercrime networks,” Donovan says.

Qilin

History: Qilin, also known as Agenda, is a Russia-based RaaS group that has been operating since May 2022.

How it works: The group targets Windows and Linux systems, including VMware ESXi servers, using ransomware variants written in Golang and Rust. Qilin follows a double extortion model — encrypting victims’ files and threatening to leak stolen data if the ransom is not paid.

Targeted victims: Qilin recruits affiliates on underground forums and prohibits attacks on organizations in Commonwealth of Independent States (CIS) countries bordering present-day Russia.

Attribution: The makeup of Qilin remains unknown but a Russian-speaking organized cybercrime operation is strongly suspected.

RansomHub

History: RansomHub emerged in February 2024 and quickly became a major cyber threat. The group, initially known as Cyclops and later Knight, rebranded and expanded its operations by recruiting affiliates from other disrupted ransomware groups such as LockBit and ALPHV/BlackCat.

How it works: Once inside a network, RansomHub affiliates exfiltrate data and deploy encryption tools, often utilizing legitimate administrative utilities to facilitate their malicious activities. RansomHub operates an “affiliate-friendly” RaaS model, initially offering a fixed 10% fee for affiliates that carry out attacks using its ransomware and the option to collect ransom payments directly from victims before paying the core group. “These elements make it an attractive option for affiliates that are looking for a guaranteed return, where other RaaS operations have been unreliable in paying out in the past,” Searchlight Cyber’s Donovan says.

Targeted victims: RansomHub has been linked to more than 210 victims across various critical sectors, including healthcare, finance, government services, and critical infrastructure in Europe and North America, according to Rapid7.

Attribution: Attribution remains unconfirmed but circumstantial evidence points toward an organized Russian-speaking cybercrime operation with ties to other established ransomware threat actors.

https://www.csoonline.com/article/3838121/the-dirty-dozen-12-worst-ransomware-groups-active-today.html (Ransomware)
Chinese cyber espionage growing across all industry sectors Wed, 05 Mar 2025 06:58:01 +0000

Security researchers are warning of a significant global rise in Chinese cyberespionage activity against organizations in every industry.

Over the course of 2024, researchers from security firm CrowdStrike observed a 150% average increase in intrusions by Chinese threat actors worldwide, with some sectors experiencing two- to three-fold surges. Researchers at the firm also identified seven new Chinese-origin cyberespionage groups in 2024, many of which exhibited specialized targeting and toolsets.

“Throughout 2024, China-nexus adversaries demonstrated increasingly bold targeting, stealthier tactics, and more specialized operations,” CrowdStrike stated in its 2025 Global Threat Report. “Their underlying motivation is likely China’s desire for regional influence, particularly its goal of eventual reunification with Taiwan, which could ultimately bring China into conflict with the United States.”

The report also highlighted that Chinese groups continue to share malware tools — a long-standing hallmark of Chinese cyberespionage — with the KEYPLUG backdoor serving as a prime example. China-linked actors also displayed a growing focus on cloud environments for data collection and an improved resilience to disruptive actions against their operations by researchers, law enforcement, and government agencies.

A sign of China’s maturing cyber capabilities

CrowdStrike attributes China’s increasingly dominant position in global cyberespionage to a decade of strategic investments, following General Secretary Xi Jinping’s 2014 call for the country to become a cyber power.

These efforts include investments in university programs to cultivate a highly skilled cyber workforce; private sector contracts to provide People’s Liberation Army (PLA), Ministry of Public Security (MPS), and Ministry of State Security (MSS) cyber units with skilled operators and infrastructure; running domestic bug hunting and capture-the-flag competitions to fuel exploit development programs; and industry networking events where PLA and MSS cyber operators obtain unique tools and tradecraft.

“It is highly likely that these investments have led to greater operational security (OPSEC) and specialization in China-linked intrusion operations,” the researchers noted. “Adversaries are pre-positioning themselves within critical networks, supported by a broader ecosystem that includes shared tooling, training pipelines, and sophisticated malware development.”

New cyber operations in key sectors

Historically, Chinese cyberespionage groups have predominantly targeted organizations from the government, technology, and telecommunications sectors, and that continued in 2024. Government organizations were a target for China-linked threat actors in virtually all regions of the world, and Salt Typhoon, a cyber unit tied to China’s MSS, made headlines in recent months after compromising major telecom and ISP networks in the US, with this type of targeting also common in Asia and Africa.

But it was financial services, media, manufacturing, industrials, and engineering that saw the biggest surges in China-linked intrusions last year — 200-300% growth rates compared to 2023. Overall, the number of intrusions and new Chinese cyberespionage groups grew across the board.

Three Chinese groups that CrowdStrike tracks as Liminal Panda, Locksmith Panda, and Operator Panda seem specialized in targeting and compromising telecommunications entities.

Liminal Panda in particular has demonstrated extensive knowledge of telecom networks and how to exploit interconnections between providers to move and initiate intrusions across various regions. Locksmith Panda seems more focused on Indonesia, Taiwan, and Hong Kong, with targeting that is more broad, extending to technology, gaming, and energy companies, as well as democracy activists.

Operator Panda, which seems to be CrowdStrike’s name for the group known as Salt Typhoon, specializes in exploiting internet-facing appliances such as Cisco switches. In addition to telecom operators, the group has also targeted professional services firms.

Vault Panda and Envoy Panda are two groups that target government entities, but whereas Vault Panda is broad in its targeting, also going after financial services, gambling, technology, academic, and defense organizations, Envoy Panda seems focused on diplomatic entities, especially from Africa and the Middle East.

Vault Panda has used many malware families shared by Chinese threat actors, including KEYPLUG, Winnti, Melofee, HelloBot, and ShadowPad. The group regularly exploits vulnerabilities in public-facing web applications to gain initial access. Meanwhile Envoy Panda is known for its use of Turian, PlugX, and Smanager. PlugX, aka Korplug, is one of the oldest remote access trojans used by China-linked cyberespionage groups, with original versions dating back to 2008.

Another resource commonly shared between Chinese threat groups is so-called ORB (Operational Relay Box) networks, which consist of thousands of compromised IoT devices and virtual private servers that are used to route traffic and conceal espionage operations. These networks are similar to botnets, but are primarily used as proxies, and are often administered by independent contractors based in China. They complicate attribution because the IP addresses of the nodes in use are often short-lived.

“Despite law enforcement attempts to disrupt the ORB networks, China-nexus adversaries continue to use these resources as a key part of their operations,” the CrowdStrike researchers wrote.

Better identity management and adversary-centric patching

Some of the most common intrusion methods last year were compromised credentials, misconfigurations, and unpatched vulnerabilities in public-facing assets, whether web applications or network appliances.

Simply relying on multi-factor authentication is not enough to prevent complex breaches that rely on social engineering and impersonation to exploit existing relationships. Organizations need to use conditional access policies, regularly review account activity, and monitor for signs of unusual user behavior that could indicate a compromised account.

Furthermore, attackers are quick to adopt new techniques and proof-of-concept exploits from technical blogs and combine them in multi-stage attack chains. Vulnerabilities in internet-facing systems should be prioritized, as well as flaws that have publicly known exploits or are known to be actively exploited by threat groups targeting your industry, even if they don’t have the highest severity scores.

“Monitoring for subtle signs of exploit chaining, such as unexpected crashes or privilege escalation attempts, can help detect attacks before they progress,” the researchers wrote.
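The patching guidance above, turned into a ranking function as an added example that is not from CrowdStrike's report: exposure and evidence of real-world exploitation are weighted ahead of the raw CVSS score. The inventory, the placeholder CVE identifiers and the weights are constructed assumptions for illustration, not a published scoring standard.

```python
"""Adversary-centric patch ordering (added example with constructed data)."""
from dataclasses import dataclass


@dataclass
class Finding:
    cve: str                   # placeholder identifiers below, not real advisories
    asset: str
    cvss: float                # base score, 0-10
    internet_facing: bool      # reachable from the internet
    known_exploited: bool      # e.g. listed in a known-exploited-vulnerabilities catalog
    public_poc: bool           # public proof-of-concept exists
    targets_our_sector: bool   # threat intel links exploitation to our industry


# Illustrative weights (assumed): exposure and real-world exploitation dominate
# severity; CVSS only breaks ties between otherwise equal findings.
WEIGHTS = {
    "internet_facing": 40,
    "known_exploited": 30,
    "targets_our_sector": 15,
    "public_poc": 10,
}


def risk_score(f):
    """Sum of the exposure/exploitation weights that apply, plus CVSS (max 10)."""
    return sum(w for key, w in WEIGHTS.items() if getattr(f, key)) + f.cvss


def prioritize(findings):
    """Return findings ordered from most to least urgent to patch."""
    return sorted(findings, key=risk_score, reverse=True)


# Constructed inventory: a high-CVSS internal flaw with no exploitation evidence
# versus lower-scored flaws that are exposed or already being exploited.
INVENTORY = [
    Finding("CVE-0000-0001", "vpn-gateway", 6.5, True, True, True, True),
    Finding("CVE-0000-0002", "build-server", 9.8, False, False, False, False),
    Finding("CVE-0000-0003", "web-portal", 7.2, True, False, True, False),
    Finding("CVE-0000-0004", "hr-database", 8.1, False, True, False, True),
]


def ordered_cves(findings=INVENTORY):
    """Identifiers in patch order, most urgent first."""
    return [f.cve for f in prioritize(findings)]


if __name__ == "__main__":
    for f in prioritize(INVENTORY):
        print(f"{risk_score(f):6.1f}  {f.cve}  {f.asset}")
```

With these weights the CVSS 9.8 flaw on the isolated build server drops to the bottom of the list, while the 6.5-rated flaw on the internet-facing VPN gateway that is already being exploited against the organization's own sector comes first, which is the ordering the paragraph above argues for.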

https://www.csoonline.com/article/3838331/chinese-cyber-espionage-growing-across-all-industry-sectors-2.html (Advanced Persistent Threats, Cyberattacks, Security, Threat and Vulnerability Management)