Cyberconflict and warfare

Indian stock exchanges curb foreign access amid cybersecurity concerns

India’s two largest stock exchanges, the National Stock Exchange (NSE) and BSE Ltd, have temporarily restricted overseas access to their websites amid rising concerns over cyber threats. The move does not affect foreign investors’ ability to trade on Indian markets.

Sources familiar with the matter confirmed the decision followed a joint meeting between the exchanges, although no recent direct attack has been specified.

Despite the restrictions, market operations remain fully functional, with officials emphasising that the measures are purely preventive.

The precautionary step comes during heightened regional tensions between India and Pakistan, though no link to the geopolitical situation has been confirmed. The NSE has yet to comment publicly on the situation.

A BSE spokesperson noted that the exchanges are monitoring cyber risks both domestically and internationally and that website access is now granted selectively to protect users and infrastructure.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Cyberattacks against US soar in early 2025

Cyberattacks targeting the US surged dramatically in early 2025, according to a new report from cybersecurity firm Trellix. Between October 2024 and March 2025, advanced persistent threats (APTs) increased by 136% compared to the previous quarter.

China’s cyber operations showed significant sophistication, with groups such as APT40 and Mustang Panda leading the charge. APT41, another Chinese-affiliated group, intensified its activities by 113%, focusing on exploiting both new and known vulnerabilities rather than relying on phishing tactics.

Analysts noted that nearly half of these threats originated from China, while over a third were linked to Russia. Meanwhile, Russia’s APT29, also known as Midnight Blizzard, primarily targeted transportation, shipping, and telecommunications sectors.

The report highlighted that government institutions remained the primary focus of hostile cyber actors. However, the telecommunications industry experienced a sharp 92% increase in APT attacks, while the technology sector faced a staggering 119% rise.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

France accuses Russia of cyberattacks on Olympic and election targets

France has publicly accused Russia’s military intelligence agency of launching cyberattacks against key French institutions, including the 2017 presidential campaign of Emmanuel Macron and organisations tied to the Paris 2024 Olympics.

The allegations were presented by Foreign Minister Jean-Noël Barrot at the UN Security Council, where he condemned the attacks as violations of international norms. French authorities linked the operations to APT28, a well-known Russian hacking group connected to the GRU.

The group also allegedly orchestrated the 2015 cyberattack on TV5 Monde and attempted to manipulate voters during the 2017 French election by leaking thousands of campaign documents. A rise in attacks has been noted ahead of major events like the Olympics and future elections.

France’s national cybersecurity agency recorded a 15% increase in Russia-linked attacks in 2024, targeting ministries, defence firms, and cultural venues. French officials warn the hacks aim to destabilise society and erode public trust.

France plans closer cooperation with Poland and pledged to counter Russia’s cyber operations with all available means.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Cybercriminals target Gmail accounts in sophisticated new attack

Gmail users are facing a serious new threat that could lead to their accounts being hijacked by cybercriminals.

Experts at Malwarebytes have issued an urgent warning about a sophisticated scam that is bypassing Gmail’s usually reliable spam filters, putting billions of accounts at risk.

The scam was first noticed by Nick Johnson, a developer with the Ethereum Name Service, who received an official-looking email supposedly from Google.

Although it appeared genuine and even passed all verification checks, the link inside redirected users to a fraudulent site hosted via Google’s own website creation platform. Cybercriminals exploited the fact that anyone can create pages on sites.google.com to make the scam look credible.

Google has acknowledged the attack, linked to the Rockfoils threat group, and confirmed that new protections are being rolled out.

While measures are underway to address the vulnerability, security experts strongly advise Gmail users to remain cautious and follow essential safety practices to avoid falling victim.

Simple actions, such as avoiding links in unsolicited emails, double-checking email headers, and refusing to use Google credentials to sign into other services, can significantly reduce the risk. Staying vigilant is now more important than ever to protect personal data and online security.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

SK Telecom begins SIM card replacement after data breach

South Korea’s largest carrier, SK Telecom, began replacing SIM cards for its 23 million customers on Monday following a serious data breach.

Instead of revealing the full extent of the damage or the perpetrators, the company has apologised and offered free USIM chip replacements at 2,600 stores nationwide, urging users to either change their chips or enrol in an information protection service.

The breach, caused by malicious code, compromised personal information and prompted a government-led review of South Korea’s data protection systems.

However, SK Telecom has secured less than five percent of the USIM chips required, planning to procure an additional five million by the end of May instead of having enough stock ready for immediate replacement.

Frustrated customers, like 30-year-old Jang waiting in line in Seoul, criticised the company for failing to be transparent about the amount of data leaked and the number of users affected.

Instead of providing clear answers, SK Telecom has focused on encouraging users to seek chip replacements or protective measures.

South Korea, often regarded as one of the most connected countries globally, has faced repeated cyberattacks, many attributed to North Korea.

Just last year, police confirmed that North Korean hackers had stolen over a gigabyte of sensitive financial data from a South Korean court system over a two-year span.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Lazarus Group uses fake firms to spread malware to the crypto industry

North Korean hackers, believed to be part of the Lazarus Group, have created fake US businesses to target cryptocurrency developers. According to cybersecurity firm Silent Push, two companies, Blocknovas LLC and Softglide LLC, were set up to infect victims with malicious software.

These companies were established using false information in New York and New Mexico, violating international sanctions.

The attacks involved job offers that led to ‘sophisticated malware deployments,’ aimed at compromising cryptocurrency wallets and stealing credentials. The FBI has since seized the Blocknovas website, which had been used to deceive individuals and distribute malware.

Silent Push noted that multiple victims had fallen victim to the scam, with Blocknovas being the most active front in the campaign.

The phishing operation is just one example of North Korea’s ongoing cyber activities. The Lazarus Group has previously been responsible for high-profile hacks, including the $1.4 billion attack on crypto exchange Bybit in February.

The FBI continues to focus on imposing risks and consequences for those facilitating these cyber operations.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

Researchers report espionage campaign targeting government and critical sectors in Southeast Asia

Symantec has reported that the China-linked espionage group known as Billbug—also referred to as Lotus Blossom, Lotus Panda, Bronze Elgin, and Thrip—conducted a sustained intrusion campaign against multiple organizations in a Southeast Asian country between August 2024 and February 2025. The campaign involved the use of several custom tools, including loaders, credential stealers, and a reverse SSH utility.

According to Symantec, this activity appears to continue a series of operations previously observed in late 2023, which targeted various government and critical infrastructure organisations across Southeast Asia. While Chinese attribution has been suggested, specific attribution to an individual actor remains inconclusive. Identified targets include a government ministry, an air traffic control organisation, a telecommunications provider, and a construction company.

Additional intrusions were reported against a news agency and an air freight company in neighbouring countries. The campaign leveraged DLL sideloading techniques, utilising legitimate executables from Trend Micro and Bitdefender to load malicious code.

Symantec’s analysis detailed how these binaries were used to sideload malicious DLLs, which decrypted and executed payloads designed to maintain persistence and enable further compromise of targeted systems. Billbug has been active since at least 2009, with a documented history of targeting government, defence, telecommunications, and critical infrastructure sectors in Southeast Asia and beyond.

Symantec and other cybersecurity researchers have tracked the group across multiple campaigns, including previous operations involving backdoors like Hannotog and Sagerunex. The recent report also references related findings from Cisco Talos, which provided indicators of compromise connected to the same campaign.

Symantec noted that Billbug continues to adapt its techniques, including the use of compromised legitimate software and custom malware, to conduct espionage operations across the region.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Dutch Ministry of Defence expands recruitment of cyber reservists to support national cybersecurity efforts

The Dutch Ministry of Defence has announced plans to expand its cyber defence capabilities by recruiting additional cyber reservists, according to NOS. The initiative is part of the Ministry’s strategy to strengthen cybersecurity expertise within its armed forces, with recruitment efforts scheduled to intensify after the summer. Several reservist positions have already been advertised online.

Cyber reservists are civilian professionals with digital security expertise who contribute part-time to the military’s cyber operations. Typically employed under zero-hour contracts, they may be called upon to support defence activities during evenings, weekends, or specific operational periods, while continuing their civilian careers.

The reservist units are part of the Defence Cyber Command (DCC), which currently consists of six platoons. Reservists may also participate in military exercises in the Netherlands or internationally, including NATO operations, with voluntary deployments.

Recruitment targets for cyber reservists were set at 150 over a ten-year period, but this number has not yet been achieved. According to Defence Ministry officials, interest in these positions has increased following the escalation of global cyber threats, particularly after the Russian invasion of Ukraine, though exact figures remain undisclosed for operational security reasons.

Cybersecurity expert Bert Hubert highlighted the distinct nature of cyber reserve work compared to traditional military reservist roles, emphasising the complexity of effective cyber defence operations.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Russian hackers target NGOs with fake video calls

Hackers linked to Russia are refining their techniques to infiltrate Microsoft 365 accounts, according to cybersecurity firm Volexity.

Their latest strategy targets non-governmental organisations (NGOs) associated with Ukraine by exploiting OAuth, a protocol used for app authorisation without passwords.

Victims are lured into fake video calls through apps like Signal or WhatsApp and tricked into handing over OAuth codes, which attackers then use to access Microsoft 365 environments.

The campaign, first detected in March, involved messages claiming to come from European security officials proposing meetings with political representatives. Instead of legitimate video links, these messages directed recipients to OAuth code generators.

Once a code was shared, attackers could gain entry into accounts containing sensitive data. Staff at human rights organisations were especially targeted due to their work on Ukraine-related issues.

Volexity attributed the scheme to two threat actors, UTA0352 and UTA0355, though it did not directly connect them to any known Russian advanced persistent threat groups.

A previous attack from the same actors used Microsoft Device Code Authentication, usually reserved for connecting smart devices, instead of traditional login methods. Both campaigns show a growing sophistication in social engineering tactics.

Given the widespread use of Microsoft 365 tools like Outlook and Teams, experts urge organisations to heighten awareness among staff.

Rather than trusting unsolicited messages on encrypted apps, users should remain cautious when prompted to click links or enter authentication codes, as these could be cleverly disguised attempts to breach secure systems.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Sweden unable to determine cause of Baltic Sea cable damage

The Swedish Accident Investigation Authority (SHK) has published its final report on the damage to the C-Lion 1 subsea cable in the Baltic Sea on 18 November 2024, concluding that it cannot determine whether the incident was the result of an accident or intentional sabotage.

The investigation focused on the Chinese bulk carrier Yi Peng 3, which was initially identified as having caused the damage.

While investigators from several neighbouring countries, including Sweden, were allowed to board the vessel, the SHK reported that the visit was time-constrained and that access to key evidence—such as surveillance footage and the vessel’s Voyage Data Recorder—was not granted.

Interviews with the crew were conducted in the presence of Chinese officials.

The SHK outlined two possible scenarios: one in which the anchor was deliberately released to damage seabed infrastructure, and another in which it detached due to improper security.

The report noted that certain technical details—such as the absence of damage to key anchor components—make the accidental scenario less likely, but acknowledged that neither hypothesis could be confirmed due to investigative limitations.

Under international maritime law, flag states typically lead investigations in international waters, though exceptions may apply in cases involving suspected criminal activity.

While some analysts have raised concerns about potential state-sponsored sabotage, officials from several European countries have indicated increasing confidence that the recent cable breaks were not the result of coordinated or intentional activity.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!