Apple caves: icloud backups exposed
CybersecurityHQ Weekly News

Welcome reader to your CybersecurityHQ report
Brought to you by:
👉 Cypago - Cyber governance, risk management, and continuous control monitoring in a single platform
—
Updates:
I am continuously refining the AI avatar to deliver deeper, more insightful analyses inspired by cybersecurity’s most influential leaders. Expect even more valuable insights, soon to be part of our premium membership.
Weekly Headlines
Lazarus Group Behind Record Heist
Hackers stole approximately $1.4 billion in Ethereum from crypto exchange Bybit on Friday, marking the largest crypto heist in history. Blockchain analysts and cybersecurity researchers, including the independent investigator ZachXBT, have identified North Korea’s Lazarus Group as the likely perpetrator. ZachXBT traced the stolen funds to wallets linked to previous North Korean hacks on Phemex, BingX, and Poloniex, asserting with "100%" confidence that Lazarus was responsible.
Blockchain monitoring firms Elliptic and TRM Labs reached the same conclusion, citing the hackers’ signature laundering techniques. Elliptic has been working with Bybit and investigators to track the stolen assets and prevent North Korea from profiting. Co-founder Tom Robinson confirmed that the stolen funds are being mixed with assets from past North Korean thefts, reinforcing the link to the regime.
North Korea has a long history of crypto theft, with a UN panel attributing at least 58 heists to the regime. In 2024 alone, the country allegedly stole over $650 million through multiple attacks. While Bybit continues its internal investigation, it has not officially commented on the Lazarus Group connection. North Korea’s Permanent Mission to the UN did not respond to requests for comment.
3.3M Affected in DISA Breach
DISA Global Solutions, a major U.S. background screening and drug testing firm, has suffered a data breach affecting 3.3 million individuals. The intrusion lasted from February 9 to April 22, 2024, when DISA discovered the unauthorized access to its systems. Initially, the company reported potential exposure of sensitive data but found no evidence of further misuse. However, a deeper investigation confirmed that personal information had been compromised.
The breach impacts DISA’s vast client base, including 30% of Fortune 500 companies, raising concerns about nationwide consequences. Affected individuals received notifications stating their data may have been exposed due to employment screening services.
The exposed data includes a terrifying level of detail, like names, Social Security numbers, driver’s licenses, government IDs, financial details, and unspecified “other data elements,” likely related to background checks and medical records.
Although DISA has not confirmed the nature of the cyberattack, a deleted notice suggested that a ransom was paid to prevent public exposure of the stolen data. The company claims no stolen data has surfaced on the dark web. To mitigate risks, DISA is offering 12 months of free credit monitoring through Experian and recommends that affected individuals place fraud alerts and security freezes on their accounts.

iCloud Backups No Longer Secure
Apple has decided to remove its Advanced Data Protection (ADP) feature in the UK, responding to government demands for access to encrypted user data. ADP, which extends end-to-end encryption to iCloud backups, is no longer available for new UK users, and existing users will eventually need to disable it.
This change means iCloud backups, including iMessages and photos, will be accessible to Apple and could be handed over to authorities if legally compelled. Apple has long resisted such demands, arguing that weakening encryption creates security vulnerabilities. Experts warn that removing ADP compromises user privacy and exposes UK users to potential cyber threats.
The decision follows Britain's issuance of a Technical Capability Notice under the 2016 Investigatory Powers Act, which compels companies to assist law enforcement in accessing digital evidence. Other Commonwealth countries, such as Australia, may follow suit. Privacy advocates and cybersecurity experts, including Meredith Whittaker of Signal, have criticized the move, calling it a threat to personal security and a setback for the UK’s tech sector.
Apple maintains that encryption is vital for user safety but has conceded to legal pressure. While device-stored data remains encrypted, users relying on cloud backups will now have reduced privacy protections.
Skybox Collapses Despite $300M Funding
Skybox Security, a cybersecurity firm that raised over $300 million in funding, has abruptly shut down, laying off its entire workforce in Israel and the United States. The closure follows the immediate sale of its business and technology assets to Israeli rival Tufin. CEO Mordecai (Mo) Rosen announced the shutdown on February 24, 2025, affecting approximately 300 employees—100 in Israel and 200 in the U.S.
Skybox had secured significant investment, including a $50 million round as recently as February 2023.
Tufin, which operates in network security policy management, has acquired Skybox’s assets and is positioning itself as a support system for former Skybox customers. Tufin CEO Ray Brancato reassured clients of a smooth transition, emphasizing Tufin’s financial stability. While the acquisition salvages Skybox’s technology, its workforce now faces an uncertain future—yet another story in a series of headline-grabbing layoffs.
Hackers Exploit Signal QR Codes
Google Threat Intelligence Group (GTIG) recently published a write-up on the increasing efforts by multiple Russia-aligned threat actors to compromise Signal Messenger accounts, particularly those belonging to military personnel, politicians, journalists, and activists.
The primary method involves abusing Signal’s linked devices feature. Attackers craft malicious QR codes, tricking victims into linking their accounts to adversary-controlled devices. This provides real-time access to messages without requiring full device compromise. Fake group invites, phishing pages, and military-themed scams have been used to execute these attacks.
UNC5792, a suspected Russian espionage unit, has manipulated Signal group invite pages to redirect victims to malicious URLs. Another group, UNC4221, has developed a custom Signal phishing kit, disguising malware as military applications like Kropyva, used by Ukrainian forces. APT44, linked to Russia’s GRU, has also exploited captured devices on the battlefield, linking them to their own infrastructure.
Beyond phishing, Russian cyber units such as Turla and UNC1151 are using malware and scripts to exfiltrate Signal message databases from Android and Windows devices. Belarusian-linked UNC1151 has similarly staged data for later exfiltration.
Virginia School Recovers from Cyberattack
Williamsburg-James City County Public Schools in Virginia have fully restored their systems following a cyberattack on February 9, which disrupted network access and prevented virtual learning during a snowstorm. Acting Superintendent Daniel Keever confirmed that the district’s internal tech team and cybersecurity experts secured and restored systems by February 14. The investigation, involving local and federal law enforcement, remains ongoing.
Although the attack did not compromise physical safety, it forced students and staff to engage in offline learning while networks were repaired. The district was unable to transition to remote learning during weather-related closures due to the outage.
As a precaution, WJCC Schools is offering one year of free credit monitoring and identity restoration services to students and staff. Keever said, “We do not have evidence that any personal information is being used maliciously, but we want to reassure our community with confidence and tools to protect themselves."
SailPoint Debuts at $12.8B Valuation
AI-focused cybersecurity firm Dream, co-founded by former Austrian Chancellor Sebastian Kurz and Israeli entrepreneurs in January 2023, has reached a $1.1 billion valuation following a $100 million Series B funding round. The investment, led by Bain Capital Ventures, includes backing from Group 11, Tru Arrow, Tau Capital, and Aleph. Dream specializes in protecting governments and critical infrastructure from cyber threats, reflecting growing investor confidence in AI-driven cybersecurity solutions.
Identity security firm SailPoint (SAIL.O), backed by Thoma Bravo, debuted on the stock market at $23 per share, valuing the company at $12.8 billion. The listing marks a cautious return to public markets amid investor skepticism over valuations, as traders navigate policy uncertainty and delayed interest rate cuts.
Palo Alto Networks (PANW.O) has raised its full-year revenue forecast, citing increased demand for AI-driven security solutions. Rising concerns over digital scams and high-profile cyber incidents are driving enterprise clients to invest more in advanced threat protection to safeguard business operations and reputation.
Experts Warn: 7 Years to PQC
Just over a week ago, Microsoft introduced Majorana 1, a quantum chip with a Topological Core that can scale to a million qubits. And while this is cause for much celebration—it’s the product of more than two decades of research—it is also the cause for concern among cybersecurity experts.
In a recent blog, for example, Phil Venables (VP at Google) writes about how the rush toward quantum computing gives us a rough timeline for when we need to have migrated our assets to Post-Quantum Cryptography (PQC). He gives us just seven years. After that time, quantum computing will be able to easily break through any current-generation cryptography.
The announcement from Microsoft has greatly increased the interest in and rush toward PQC.

Interesting Read
If you live in an apartment building, this one will keep you up at night. Security researcher Eric Daigle discovered that the MESH by Viscount access control system, used in apartment buildings, has a major vulnerability due to unchanged default login credentials.
While waiting for a ferry, Daigle found an installation manual online that listed the default username and password, which many buildings had failed to change. Being a security researcher, he immediately tested it.
It worked.
The first system he accessed exposed residents' full names, unit numbers, phone numbers, and detailed logs of when they entered or exited the building. Worse, the system allowed unauthorized users to unlock doors and override access controls in under five minutes.
Using the security scanning tool ZoomEye, Daigle identified 89 vulnerable buildings, with 43% of recently exposed systems being completely insecure. The vast majority of affected buildings were in Canada. Despite notifying Hirsch, the current vendor of MESH by Viscount, no action was taken to alert affected clients. A CVE identifier was eventually assigned, but the issue remains unresolved.

Weekly Inspired Arora Opinion & Analysis
This weekly column has been created based on a deep analysis of how Nikesh Arora, CEO of Palo Alto Networks, strategizes in the cybersecurity space, drawing inspiration from his leadership style, forward-thinking approach, and innovative insights. While not an exact representation, the column embodies key elements of his strategic mindset and vision for the future of cybersecurity.
—
The Lazarus Playbook: How a Rogue Nation Weaponizes Cybercrime
The staggering $1.4 billion theft from Bybit, attributed to North Korea’s Lazarus Group, is more than just a record-breaking heist - it’s a warning shot. Over the past decade, we have seen Lazarus and other state-sponsored actors evolve from rudimentary hacking operations into sophisticated, well-funded cybercrime syndicates. Their tactics, which leverage blockchain laundering techniques and deception at scale, highlight a new era of financially motivated cyber warfare.
For years, blockchain was touted as immutable, decentralized, and secure. Yet, breaches like this expose fundamental weaknesses in crypto security infrastructure. The tools used - bridge attacks, mixer services, and social engineering - are not new. However, the scale and precision of Lazarus Group’s operations demonstrate a disturbing level of cyber resilience and adaptability.
What’s most concerning is the geopolitical chess game behind these attacks. Cybercrime is now a core revenue stream for sanctioned nations like North Korea, fueling everything from weapons programs to political destabilization efforts. Every breach not only drains financial institutions but also forces security teams worldwide to rethink their defense strategies. Traditional security frameworks simply aren’t sufficient in the face of adversaries operating with the backing of an entire nation-state.
The lesson here? Crypto exchanges, financial institutions, and cybersecurity firms must step up collective intelligence sharing. We need stronger cross-border regulatory frameworks to track stolen assets, more aggressive enforcement against laundering networks, and a more dynamic approach to cyber defense that accounts for the rapidly shifting tactics of threat actors.
Seven Years to Zero: The Quantum Computing Threat to Encryption
If the Lazarus Group’s exploits show us today’s biggest threats, quantum computing foreshadows tomorrow’s cybersecurity crisis. Microsoft’s recent introduction of the Majorana 1 quantum chip, with its Topological Core, is a technological marvel. But it also marks the beginning of a countdown: we now have just seven years before quantum computing renders modern encryption obsolete.
Today’s cryptographic systems - RSA, ECC, and even AES - rely on the infeasibility of brute-force decryption. Quantum computers, once they reach sufficient stability and scale, will break these cryptographic barriers effortlessly. This shift poses an existential risk not just for financial transactions and national security but for everything from healthcare data privacy to corporate intellectual property.
The cybersecurity industry is in a race to develop Post-Quantum Cryptography (PQC). The National Institute of Standards and Technology (NIST) has already begun standardizing quantum-resistant algorithms, but widespread adoption remains a challenge. Retrofitting global infrastructure with PQC is not a simple software update - it requires a complete re-architecting of secure communications, identity verification, and data storage systems.
Organizations must take proactive measures now:
Quantum Readiness Audits – Companies should assess their exposure to cryptographic vulnerabilities and plan migration strategies accordingly.
Hybrid Cryptographic Models – Transitioning to a mix of classical and quantum-resistant encryption ensures resilience against both traditional and future threats.
Investment in Quantum-Safe Technologies – Businesses should partner with cybersecurity firms actively developing PQC solutions and deploy experimental models to future-proof critical assets.
Policy and Regulation Advocacy – Governments and enterprises need to collaborate to drive policies that ensure a secure transition without stifling innovation.
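A quantum readiness audit of the kind the first two measures describe, as an added example (not the column's or Palo Alto Networks' code): it classifies an inventory of cryptographic assets by how a large quantum computer affects each algorithm family and applies Mosca's inequality against the seven-year horizon quoted above. The Asset fields and the sample inventory are constructed for the demonstration.

```python
"""Quantum readiness audit: an added example, not the newsletter's or Palo Alto
Networks' code. Asset fields and sample inventory are constructed; the 7-year
horizon is the article's figure; the risk test is Mosca's inequality."""
from dataclasses import dataclass

YEARS_TO_QUANTUM = 7
# Shor's algorithm breaks these public-key families outright; Grover's roughly
# halves the effective key length of symmetric ciphers; NIST PQC standards resist both.
SHOR_BROKEN = {"rsa", "dh", "ecdh", "ecdsa", "x25519", "ed25519"}
GROVER_HALVED = {"aes", "chacha20"}
PQC_RESISTANT = {"ml-kem", "ml-dsa", "slh-dsa"}
URGENCY = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "OK"]

@dataclass
class Asset:
    name: str
    algorithm: str         # e.g. "rsa-2048", "aes-128", "ml-kem-768"
    shelf_life_years: int  # how long the protected data must stay secret
    migration_years: int   # estimated time to move this asset to PQC

def split_algorithm(algorithm: str) -> tuple[str, int]:
    """'aes-128' -> ('aes', 128); names without a size ('x25519') -> bits 0."""
    family, _, size = algorithm.lower().rpartition("-")
    return (family, int(size)) if size.isdigit() else (algorithm.lower(), 0)

def mosca_at_risk(shelf_life: int, migration: int, horizon: int = YEARS_TO_QUANTUM) -> bool:
    """X + Y > Z: data encrypted today outlives the migration (harvest-now-decrypt-later)."""
    return shelf_life + migration > horizon

def assess(asset: Asset) -> str:
    """Return one URGENCY level for a single asset."""
    family, bits = split_algorithm(asset.algorithm)
    if family in SHOR_BROKEN:
        at_risk = mosca_at_risk(asset.shelf_life_years, asset.migration_years)
        return "CRITICAL" if at_risk else "HIGH"
    if family in GROVER_HALVED:  # keep >= 128 bits after Grover's square-root speed-up
        return "LOW" if bits // 2 >= 128 else "MEDIUM"
    if family in PQC_RESISTANT:
        return "OK"
    raise ValueError(f"unknown algorithm family: {asset.algorithm}")

def audit(inventory: list[Asset]) -> list[tuple[str, str]]:
    """Assess every asset and return (name, level) pairs, most urgent first."""
    return sorted(((a.name, assess(a)) for a in inventory), key=lambda r: URGENCY.index(r[1]))

SAMPLE_INVENTORY = [  # constructed for the demonstration
    Asset("pilot-kem", "ml-kem-768", 5, 0),
    Asset("disk-encryption", "aes-256", 10, 1),
    Asset("customer-records-tls", "rsa-2048", 10, 2),  # 10 + 2 > 7 -> CRITICAL
    Asset("backup-archive", "aes-128", 10, 1),         # 64 effective bits -> MEDIUM
    Asset("internal-api-tls", "x25519", 1, 1),         # 1 + 1 <= 7 -> HIGH
]
```

Unknown algorithm names raise rather than pass silently, so an inventory entry nobody can classify shows up in the audit instead of being scored as safe.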
The Future of Cybersecurity: A Dual Battlefront
We are at an inflection point where cybersecurity threats operate on two timelines: the immediate risk posed by nation-state hackers like Lazarus and the looming quantum disruption. The answer isn’t fear; it’s action. The security industry, financial institutions, and policymakers must work in unison to combat today’s attackers while preparing for tomorrow’s cryptographic reckoning.
Cybersecurity is no longer just about building stronger walls - it’s about redesigning the entire fortress before it becomes obsolete.
Until next week,
Arora Avatar
Twitter Highlights
Lazarus Group just connected the Bybit hack to the Phemex hack directly on-chain commingling funds from the initial theft address for both incidents.
Overlap address: 0x33d057af74779925c4b2e720a820387cb89f8f65
Bybit hack txns on Feb 22, 2025: …
x.com/i/web/status/1…
— ZachXBT (@zachxbt)
8:09 AM • Feb 22, 2025
Australia Latest Domino to Fall in Gov't Kaspersky Bans: by Kristina Beek
— Dark Reading (@DarkReading)
10:23 PM • Feb 24, 2025
Stay Safe, Stay Secure.
The CybersecurityHQ Team