Cybercrime

China now the top DDoS target, says Cloudflare

Cloudflare’s latest DDoS threat report reveals that business competitors initiate most known attacks. Of the customers who identified attackers, 63% blamed rivals, 21% pointed to state-linked actors, and 5% admitted self-inflicted disruptions caused by misconfigurations.

The Q2 report shows China as the most targeted country, followed by Brazil and Germany, while Ukraine, Singapore and Indonesia are listed among the top sources of DDoS traffic. Telecommunications, internet services and gaming are the industries most frequently targeted by attackers.

Cloudflare highlighted that the locations identified as sources often reflect the presence of botnets, proxies or VPNs, not the actual location of threat actors. Countries like the Netherlands appear high on the list due to favourable privacy laws and strong network infrastructure.

The company urged broader participation in its threat intelligence feed to help mitigate risks. Over 600 providers currently use Cloudflare’s data to remove abusive accounts and stop the spread of DDoS attacks across the internet.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

EU helps Vietnam prepare for cyber emergencies

The European Union and Vietnam have conducted specialised cyber‑defence training to enhance the resilience of key infrastructure sectors such as power, transportation, telecoms and finance.

Participants, including government officials, network operators and technology experts, engaged in interactive threat-hunting exercises and incident simulation drills designed to equip teams with practical cyber‑response skills.

This effort builds on existing international partnerships, including collaboration with the US Cybersecurity and Infrastructure Security Agency, to align Vietnam’s security posture with global standards.

Vietnam faces an alarming shortfall of more than 700,000 cyber professionals, with over half of organisations reporting at least one breach in recent years.

The training initiative addresses critical skills gaps and contributes to national digital security resilience.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Trojanised Telegram APKs target Android users with Janus exploit

A large Android malware campaign has been uncovered, distributing trojanised versions of Telegram Messenger via more than 600 malicious domains. The operation uses phishing infrastructure and evasion techniques to deceive users and deliver infected APK files.

Domains exploit typosquatting, with names like ‘teleqram’ and ‘apktelegram’, and mimic Telegram’s website using cloned visuals and QR code redirects. Users are sent to zifeiji[.]asia, which hosts a fake Telegram site offering APK downloads between 60MB and 70MB.

The malware targets Android versions 5.0 to 8.0, exploiting the Janus vulnerability and bypassing security via legacy signature schemes. After installation, it establishes persistent access using socket callbacks, enabling remote control.

It communicates via unencrypted HTTP and FTP, and uses Android’s MediaPlayer component to trigger background activity unnoticed. Once installed, it requests extensive permissions, including access to all locally stored data.

Domains involved include over 300 on .com, with many registered through Gname, suggesting a coordinated and resilient campaign structure.

Researchers also found a JavaScript tracker embedded at telegramt.net, which collects browser and device data and sends it to dszb77[.]com. The goal appears to be user profiling and behavioural analysis.

Experts warn that the campaign’s scale and technical sophistication pose a significant risk to users running outdated Android systems.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Experts link Qantas data breach to AI voice impersonation

Cybersecurity experts believe criminals may have used AI-generated voice deepfakes to breach Qantas systems, potentially deceiving contact centre staff in Manila. The breach affected nearly six million customers, with links to a group known as Scattered Spider.

Qantas confirmed the breach after detecting suspicious activity on a third-party platform. Stolen data included names, phone numbers, and addresses—but no financial details. The airline has not confirmed whether voice impersonation was involved.

Experts point to Scattered Spiders’ history of using synthetic voices to trick help desk staff into handing over credentials. Former FBI agent Adam Marré said the technique, known as vishing, matches the group’s typical methods and links them to The Com, a cybercrime collective.

Other members of The Com have targeted companies like Salesforce through similar tactics. Qantas reportedly warned contact centre staff shortly before the breach, citing a threat advisory connected to Scattered Spider.

Google and CrowdStrike reported that the group frequently impersonates employees over the phone to bypass multi-factor authentication and reset passwords. The FBI has warned that Scattered Spider is now targeting airlines.

Qantas says its core systems remain secure and has not confirmed receiving a ransom demand. The airline is cooperating with authorities and urging affected customers to watch for scams using their leaked information.

Cybersecurity firm Trend Micro notes that voice deepfakes are now easy to produce, with convincing audio clips available for as little as $5. The deepfakes can mimic language, tone, and emotion, making them powerful tools for deception.

Experts recommend biometric verification, synthetic signal detection, and real-time security challenges to counter deepfakes. Employee training and multi-factor authentication remain essential defences.

Recent global cases illustrate the risk. In one instance, a deepfake mimicking US Senator Marco Rubio attempted to access sensitive systems. Other attacks involved cloned voices of US political figures Joe Biden and Susie Wiles.

As voice content becomes more publicly available, experts warn that anyone sharing audio online could become a target for AI-driven impersonation.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Salt Typhoon compromises critical US infrastructure

A US state’s Army National Guard network was thoroughly compromised by the Chinese cyberespionage group Salt Typhoon from March to December 2024. According to a confidential federal memo, hackers extracted highly sensitive information, including administrator credentials, network maps, and interstate communication data, raising alarm over data leaked across all 50 states and four US territories.

Security analysts caution that the breach goes beyond intelligence gathering. With access to National Guard systems, integral to state-level threat response and civilian support, the group is poised to exploit vulnerabilities in critical infrastructure, particularly during crises or conflict.

Salt Typhoon, linked to China’s Ministry of State Security, has a track record of penetrating telecommunications, energy grids, transport systems, and water utilities. Often leveraging known vulnerabilities in Cisco and Palo Alto equipment, the group has exfiltrated over 1,400 network configuration files from more than 70 US critical infrastructure providers.

Federal agencies, including DHS and CISA, are sounding the alarm: this deep infiltration presents a serious national security threat and indicates a strategic shift in cyber warfare. Navigating Sun Typhoon’s persistent access through local and federal networks is now a top priority in defending the critical systems on which communities rely.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

EU sends warning to crypto platforms over AML risks

The EU’s Anti-Money Laundering Authority (AMLA) has warned that fragmented oversight and inconsistent rules pose significant risks to the bloc’s financial integrity. Chair Bruna Szego urged regulators and crypto firms to prepare for stricter anti-money laundering rules.

The Frankfurt-based agency, now operational, will oversee the enforcement of new EU-wide anti-money laundering regulations. Szego stressed the importance of identifying the beneficial owners of crypto platforms and ensuring they are not linked to criminal networks.

Concerns over inconsistent controls across EU countries and diverging interpretations of MiCA requirements have grown. Crypto firms must be prepared to meet the different standards across all jurisdictions they plan to operate.

From July 2027, crypto platforms will be required to block anonymous wallets and provide authorities with complete, real-time access to account data.

Major firms like Binance have already faced regulatory penalties, with ongoing investigations highlighting the rising pressure on the sector.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

Military-trained hacker brought down in telecom data theft

A former US Army Private admitted in court to a sweeping cybercrime operation targeting major telecom providers AT&T and Verizon between April 2023 and December 2024.

Operating as ‘kiberphant0m,’ he infiltrated at least ten corporate networks, stealing login credentials and sensitive call logs, including those of senior officials.

Prosecutors revealed a sophisticated scheme: the hacker used brute‑force SSH attacks, coordinated with online accomplices via Telegram, and attempted extortion valued at over US$1 million. Stolen call records were posted and sold on dark‑web platforms such as BreachForums.

Wagenius pleaded guilty to charges including wire fraud conspiracy, computer extortion, and aggravated identity theft. He faces a combined sentence of up to 27 years, with his sentencing hearing scheduled for 6 October 2025.

Security analysts note this case highlights the increasing threat of insiders exploiting privileged access and illustrates how even service‑level employees can orchestrate wide‑scale cyber intrusions and extortion campaigns.

It also underscores the strategic role of public-private coordination in dismantling online illicit economies.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

AI Appreciation Day highlights progress and growing concerns

AI is marking another milestone as experts worldwide reflect on its rapid rise during AI Appreciation Day. From reshaping business workflows to transforming customer experiences, AI’s presence is expanding — but so are concerns over its long-term implications.

Industry leaders point to AI’s growing role across sectors. Patrick Harrington from MetaRouter highlights how control over first-party data is now seen as key instead of just processing large datasets.

Vall Herard of Saifr adds that successful AI implementations depend on combining curated data with human oversight rather than relying purely on machine-driven systems.

Meanwhile, Paula Felstead from HBX Group believes AI could significantly enhance travel experiences, though scaling it across entire organisations remains a challenge.

Voice AI is changing industries that depend on customer interaction, according to Natalie Rutgers from Deepgram. Instead of complex interfaces, voice technology is improving communication in restaurants, hospitals, and banks.

At the same time, experts like Ivan Novikov from Wallarm stress the importance of securing AI systems and the APIs connecting them, as these form the backbone of modern AI services.

While some celebrate AI’s advances, others raise caution. SentinelOne’s Ezzeldin Hussein envisions AI becoming a trusted partner through responsible development rather than unchecked growth.

Naomi Buckwalter from Contrast Security warns that AI-generated code could open security gaps instead of fully replacing human engineering, while Geoff Burke from Object First notes that AI-powered cyberattacks are becoming inevitable for businesses unable to keep pace with evolving threats.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Co-op CEO apologises after cyberattack hits 6.5 million members

Co-op CEO Shirine Khoury-Haq has confirmed that all 6.5 million members had their data stolen during a cyberattack in April.

‘I’m devastated that information was taken,’ Khoury-Haq told BBC Breakfast. ‘It hurt my members; they took their data, and it hurt our customers, whom I take personally.’

The stolen data included names, addresses, and contact details, but no financial or transaction information. Khoury-Haq said the incident felt ‘personal’ due to its impact on Co-op staff, adding that IT teams ‘fought off these criminals’ under immense pressure.

Although the hackers were removed from Co-op’s systems, the stolen information could not be recovered. The company monitored the breach and reported it to the authorities.

Co-op, which operates a membership profit-sharing model, is still working to restore its back-end systems. The financial impact has not been disclosed.

In response, Co-op is partnering with The Hacking Games — a cybersecurity recruitment initiative — to guide young talent towards legal tech careers. A pilot will launch in Co-op Academies Trust schools.

The breach was part of a wider wave of cyberattacks on UK retailers, including Marks & Spencer and Harrods. Four people aged 17 to 20 have been arrested concerning the incidents.

In a related case, Australian airline Qantas also confirmed a recent breach involving its frequent flyer programme. As with Co-op, financial data was not affected, but personal contact information was accessed.

Experts warn of increasingly sophisticated attacks on public and private institutions, calling for stronger digital defences and proactive cybersecurity strategies.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Air Serbia suffers deep network compromise in July cyberattack

Air Serbia delayed issuing June payslips after a cyberattack disrupted internal systems, according to internal memos obtained by The Register. A 10 July note told staff: ‘Given the ongoing cyberattacks, for security reasons, we will postpone the distribution of June 2025 payslips.’

The IT department is reportedly working to restore operations, and payslips will be emailed once systems are secure again. Although salaries were paid, staff could not access their payslip PDFs due to the disruption.

HR warned employees not to open suspicious emails, particularly those appearing to contain payslips or that seemed self-addressed. ‘We kindly ask that you act responsibly given the current situation,’ said one memo.

Air Serbia first informed staff about the cyberattack on 4 July, with IT teams warning of possible disruptions to operations. Managers were instructed to activate business continuity plans and adapt workflows accordingly.

By 7 July, all service accounts had been shut down, and staff were subjected to company-wide password resets. Security-scanning software was installed on endpoints, and internet access was restricted to selected airserbia.com pages.

A new VPN client was deployed due to security vulnerabilities, and data centres were shifted to a demilitarised zone. On 11 July, staff were told to leave their PCs locked but running over the weekend for further IT intervention.

An insider told The Register that the attack resulted in a deep compromise of Air Serbia’s Active Directory environment. The source claims the attackers may have gained access in early July, although exact dates remain unclear due to missing logs.

Staff reportedly fear that the breach could have involved personal data, and that the airline may not disclose the incident publicly. According to the insider, attackers had been probing Air Serbia’s exposed endpoints since early 2024.

The airline also faced several DDoS attacks earlier this year, although the latest intrusion appears far more severe. Malware, possibly an infostealer, is suspected in the breach, but no ransom demands had been made as of 15 July.

Infostealers are often used in precursor attacks before ransomware is deployed, security experts warn. Neither Air Serbia nor the government of Serbia responded to media queries by the time of publication.

Air Serbia had a record-breaking year in 2024, carrying 4.4 million passengers — a 6 percent increase over the previous year. Cybersecurity experts recently warned of broader attacks on the aviation industry, with groups such as Scattered Spider under scrutiny.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!