US Cybercom, CISA are softening stances on Russia as a cyber foe: reports

UK ICO launches children's social media privacy probe, Qilin claims attack on Lee Enterprises, Polish Space Agency breached, Cellebrite zero days used to hack Serbian student's phone, Man sentenced to 24 years for putting CSAM on dark web, Canceled CFPB contracts threaten data security, much more


A pair of alarming reports rattled the cybersecurity industry because they indicated that the US Cyber Command and the Cybersecurity and Infrastructure Security Agency (CISA) are retreating from the notion that Russia is a cyber adversary.

The Record reported that sources say Defense Secretary Pete Hegseth ordered US Cyber Command to cease all planning against Russia, including offensive digital actions.

The sources said the order does not apply to the National Security Agency, which Cyber Command chief Haugh also leads, or to its signals intelligence work targeting Russia.

Subsequent press reports confirming The Record's reporting suggest that the downgrading of the Russian threat is apparently part of an effort to draw Russia into peace talks regarding the war in Ukraine.

According to the sources, the exact duration of Hegseth’s order is unknown, though the command has been told the guidance will last for the foreseeable future.

Separately, The Guardian reported that a recent memo from the Cybersecurity and Infrastructure Security Agency (CISA) set new priorities for the agency. The new directive reportedly included priorities for China and protecting local systems but did not mention Russia.

One source said agency analysts were verbally informed not to follow or report on Russian threats, even though this had previously been the agency's primary focus.

CISA denies The Guardian's reporting, saying its mission is to defend against all cyber threats, including those from Russia. (Martin Matishak / The Record, Stephanie Kirchgaessner / The Guardian, Julian E. Barnes, David E. Sanger and Helene Cooper / The New York Times)

Related: New York Times, Washington Post, CNN, The Register, r/cybersecurity, Jake Williams on LinkedIn

The UK's Information Commissioner's Office has launched an investigation into how TikTok, Reddit, and online image-sharing website Imgur safeguard children's privacy.

Social media companies use complex algorithms to prioritize content and keep users engaged. However, the fact that they amplify similar content can lead to children being influenced by increasing amounts of harmful material.

The watchdog said it is probing how Chinese company ByteDance's short-form video-sharing platform TikTok uses the personal information of 13- to 17-year-olds to suggest content in their feeds.

The ICO said that social media and discussion platforms Reddit and Imgur are being investigated for how they assess the age of child users.

"If we find there is sufficient evidence that any of these companies have broken the law, we will put this to them and obtain their representations before reaching a final conclusion," the ICO said. (Angela Christy and Mrinmay Dey / Reuters)

Related: BBC, UK ICO, 9to5Mac, The Guardian, Silicon Republic, Infosecurity, Politico, BusinessCloud, Proactive, The Standard, TechIssuesToday.com, The i Paper, Sky News, TipRanks Financial, Tech in Asia

The Qilin ransomware gang claimed responsibility for the February 3 attack on media and newspaper company Lee Enterprises that disrupted the company's operations. The gang leaked samples of data it claims was stolen from the company and threatened to release all of the allegedly stolen data on March 5 unless a ransom is paid.

The outage on February 3 caused significant problems, such as losing access to internal systems and cloud storage and the failure of corporate VPNs.

A week later, Lee Enterprises submitted a new filing with the SEC stating that the hackers "encrypted critical applications and exfiltrated certain files," indicating that they were hit by ransomware.

Qilin ransomware added Lee Enterprises to its dark web extortion site, sharing samples of the allegedly stolen data, including government ID scans, non-disclosure agreements, financial spreadsheets, contracts/agreements, and other confidential documents reportedly stolen from the firm.

The ransomware actors claimed to have stolen 120,000 files totaling 350GB in size and threatened to release it all on March 5. (Bill Toulas / Bleeping Computer)

Related: Axios, Security Affairs, Security Week

One of the most notorious providers of abuse-friendly “bulletproof” web hosting for cybercriminals, Prospero OOO (the triple O is the Russian version of “LLC”), has started routing its operations through networks run by the Russian antivirus and security firm Kaspersky Lab.

Last year, the French security firm Intrinsec detailed Prospero’s connections to bulletproof services advertised on Russian cybercrime forums under Securehost and BEARHOST.

Kaspersky, however, denied that it is providing services to Prospero. It said, "The routing through networks operated by Kaspersky doesn’t by default mean provision of the company’s services, as Kaspersky’s automatic system (AS) path might appear as a technical prefix in the network of telecom providers the company works with and provides its DDoS services.”

“Kaspersky pays great attention to conducting business ethically and ensuring that its solutions are used to provide cybersecurity protection. The company is investigating the situation to inform the company whose network could have served as a transit for a “bulletproof” web hosting provider so that the former takes the necessary measures.” (Brian Krebs / Krebs on Security)

The Minister for Digitalisation, Krzysztof Gawkowski, said Polish cybersecurity services have detected unauthorized access to the Polish Space Agency's (POLSA) IT infrastructure.

"In connection with the incident, the systems under attack were secured ... Intensive operational activities are also underway to identify who is behind the cyberattack," Gawkowski wrote on social media platform X.

The agency confirmed to PAP that a cybersecurity incident had occurred. The situation was being analyzed to secure data, and the POLSA network was immediately disconnected from the internet, the agency told PAP. (Anna Wlodarczak-Semczuk / Reuters)

Related: The Register, TechNadu, The Record

A report by researchers at Amnesty International details a chain of three zero-day vulnerabilities exploited by phone-unlocking company Cellebrite, which the researchers found after investigating the hack of a student protester's phone in Serbia.

The flaws were found in the core Linux USB kernel, meaning “the vulnerability is not limited to a particular device or vendor and could impact over a billion Android devices."

Amnesty said it first found traces of one of the flaws in a case in mid-2024. Then, last year, after investigating the hack of a student activist in Serbia, the organization shared its findings with Google’s anti-hacking unit Threat Analysis Group, which led the company researchers to identify and fix the three separate flaws.

During the investigation into the activist’s phone, Amnesty researchers found the USB exploit, which allowed Serbian authorities to unlock the phone using Cellebrite tools. (Lorenzo Franceschi-Bicchierai / TechCrunch)

Related: Amnesty International, Security Week, Fudzilla, Ars Technica, Bleeping Computer, r/technews, Slashdot

The US Justice Department announced that Louis Donald Mendonsa was sentenced following a guilty plea for distributing child sexual abuse materials (CSAM) via the dark web and other online networks after 6,500 explicit images were found on his devices.

Mendonsa has been sentenced to 24 years and four months in federal prison for his involvement in managing four illegal websites on the dark web that shared explicit images and videos of children.

Mendonsa, a Sacramento native, played a key role in maintaining these platforms, which were active from December 2021 until his arrest in November 2022. He received his sentence on February 27, 2025, after pleading guilty in April 2024 to seven counts of distributing CSAM and one count of possession.

The websites, which operated on the dark web, a hidden part of the internet often used for illegal activities only accessible through the Tor browser, allowed users to advertise, distribute, and trade disturbing content involving children. According to the US Department of Justice’s press release, one of the sites even featured material depicting infants and toddlers.

Mendonsa not only managed these platforms but also actively promoted and shared illegal content himself. His activities were discovered by law enforcement while he was using public Wi-Fi at a local coffee shop. (Waqas / HackRead)

Related: Justice Department, Desert Sun, The Sacramento Bee, Cybernews, TechNadu

Erie Meyer, former chief technology officer at the US Consumer Financial Protection Bureau (CFPB), says that the cancellation of nearly three dozen cybersecurity contracts endangers the security of sensitive data maintained by the federal watchdog.

Meyer said that a rush to terminate contracts raises serious concerns about data preservation and the bureau’s overall ability to function. The cancellations came as part of a Trump administration effort to disable the CFPB by suspending its oversight, closing its Washington headquarters, and firing its director and many other employees.

Meyer said in the filing that the 32 cybersecurity contracts that were scrapped cover a range of services, including vulnerability scanning and penetration testing, security audit and log analysis, virtual private network deployment, and management of IT networks, systems, and applications.

“That data is crucial to everything from identifying and assisting victims of consumer fraud and providing them with court-ordered relief, to tracking the financial information that is critical to the Bureau’s role in helping to stabilize financial markets, to responding to consumer companies,” Meyer said. (Jamie Tarabay / Bloomberg)

Related: Axios, PYMNTS

Automated workflow software company Zapier said that an “unauthorized user” accessed “certain Zapier code repositories” and may have gained access to customer information.

According to an email sent by the company, the customer data had been "inadvertently copied to the repositories for debugging purposes."

The company says it became aware of the unauthorized access on Thursday. When it did, the company “immediately secured access to the repositories and invalidated the unauthorized user’s access,” the email says. Zapier says the incident “did not affect any Zapier database, infrastructure or production, authentication, or payment systems.”

The code repos shouldn’t have included customer data. But after auditing them, Zapier discovered that some information had been “inadvertently” copied over. Zapier’s platform allows users to create automations that work across other companies’ apps and services, potentially putting it in the middle of a lot of sensitive information.

The hacker was able to access the repositories because of a “two-factor authentication (2FA) misconfiguration on an employee’s account.” The company says it is now conducting a review of its processes to “ensure this does not occur again.” (Jay Peters / The Verge)

Related: SC Media, Techzine

According to data shared by a security researcher, a little-known phone surveillance operation called Spyzie has compromised over half a million Android devices and thousands of iPhones and iPads.

Most of the affected device owners, who are unknown, are likely unaware that their phone data has been compromised.

The security researcher said that Spyzie is vulnerable to the same bug as Cocospy and Spyic, two near-identical but differently branded stalkerware apps that share the same source code and exposed the data of more than 2 million people, as TechCrunch reported last week. The bug allows anyone to access the phone data, including messages, photos, and location data, exfiltrated from any device compromised by the three apps.

The researcher said the bug also exposes the email addresses of each customer who signed up to use Spyzie to compromise another device.

The researcher exploited the bug to collect 518,643 unique email addresses of Spyzie customers and provided the cache of email addresses to TechCrunch and to Troy Hunt, who operates the Have I Been Pwned data breach notification site. (Zack Whittaker / TechCrunch)

Related: SC Media, Malwarebytes, TechRadar, Android Headlines

HomeTeamNS, a non-profit body set up to recognize the contributions of workers from the Singapore Police Force and Singapore Civil Defence Force, was hit by a cyberattack.

The affected servers contained data of employees and former employees and the vehicle details of some members and affiliate members.

HomeTeamNS said the affected servers were immediately disabled and isolated from its IT network.

“At this time, there is no evidence of data extraction, but we are monitoring closely,” it added.

The organization said it had contacted those affected, advising them to protect themselves from phishing or unauthorized transactions in order to minimize the impact of the incident. (Channel News Asia)

Related: Computer Weekly, GovInsider, The Straits Times, AsiaOne, mothership, The Online Citizen

The incident is believed to have occurred between August 8, 2024 and January 31, 2025.

According to the filing, some of the data at risk due to the data breach includes names or other personally identifying information. (Mark Emem / The Daily HODL)

Related: Office of the Maine Attorney General, Teiss

The Toronto Zoo says a copy of transaction data from its guests and members, including names, addresses, and credit card information, was taken and "leaked on the dark web" in a cybersecurity attack on its computer systems over a year ago.

In an update on its website, the zoo said the data taken and leaked due to the ransomware attack in January 2024 included information about all guests and members who paid general admission and made membership purchases between 2000 and April 2023.

The zoo said the compromised data includes first and last names and, in some cases, street address information, phone numbers, and email addresses. For guests and members who made credit card transactions between January 2000 and April 2023, the data includes the last four digits of credit card numbers and associated expiration dates.

"The way the data was leaked has made it difficult to download. It is currently not published, though this could change," the zoo said in the update. (CBC News)

Related: Toronto Zoo, CityNews, The Cyber Express, CP24, Toronto Star

Best Thing of the Day: All Your Data Don't Belong to Us

After Mozilla included a provision in its terms of use that made it sound like users would be giving Firefox broad permission to use their data, including any content entered into Firefox, it issued updated terms of use to clarify that it does not gain ownership of user data.

Worst Thing of the Day: Making America Great Again So We Can Deprive Foreign Countries of Cyber Help

A $95 million IBM contract from the Agency for International Development to strengthen the cybersecurity posture of several allied European and Eurasian countries was canceled after the Trump administration decided to kill the foreign aid agency.
