Nation states wage digital warfare

CybersecurityHQ Weekly News

Welcome, reader, to your CybersecurityHQ report.

Brought to you by:

Cypago enables strategic decision-making through a full Cyber GRC product suite that helps you avoid reputational damage and financial or client-trust losses.

Weekly Headlines

FBI Removes Chinese State-Sponsored Malware

The FBI successfully removed PlugX malware from approximately 4,200 infected computers across the US in an operation targeting state-sponsored Chinese hacking groups, the Department of Justice announced on Tuesday. PlugX, linked to groups like Mustang Panda and Twill Typhoon, has been active since at least 2012, infecting Windows computers through USB ports. The malware allows hackers to remotely access files, execute commands, and collect information from compromised devices.

Using a command-and-control server with a hardcoded IP address, PlugX enabled hackers to maintain remote control over infected systems. The FBI exploited this same server to neutralize the malware. Collaborating with French law enforcement, the FBI accessed the server, identified infected devices, and issued commands to uninstall PlugX, stopping it from running and removing associated files.

In an official statement, Assistant Director of FBI’s cyber division Bryan Vorndran said, “Leveraging our partnership with French law enforcement, the FBI acted to protect U.S. computers from further compromise by PRC state-sponsored hackers. Today’s announcement reaffirms the FBI’s dedication to protecting the American people by using its full range of legal authorities and technical expertise to counter nation-state cyber threats.”

This marks another significant cybersecurity operation by the FBI, which previously dismantled Qakbot malware in 2024 and protected systems from the Hafnium hack in 2021. These efforts highlight the agency’s growing focus on proactive measures to counter cyber threats. PlugX had infected tens of thousands of devices worldwide, with 45,000 IP addresses in the US contacting its control server as of late 2023. The operation underscores international cooperation in combating advanced persistent threats.

Chinese Hackers Breach US Treasury

Chinese hackers breached the US Treasury Department’s unclassified systems, targeting the Committee on Foreign Investment in the US (CFIUS), which oversees foreign investments for national security risks—according to US officials speaking with CNN.

The hackers accessed Treasury user workstations and unclassified documents, raising concerns that pieced-together data could be synthesized into strategic intelligence. They also targeted Treasury's sanctions office, which recently penalized a Chinese company for alleged cyberattacks. US officials are evaluating the potential national security impact, although no classified information appears to have been compromised.

The incident is one of many US-China cyberattacks that are increasing tensions between the two countries, leading to both action in the final days of the Biden White House and pressure on the incoming Trump administration.

President Biden is set to issue a new executive order to tighten cybersecurity standards for federal agencies and contractors in response to persistent Chinese-linked cyberattacks and other cyber threats. The order, expected in the final days of his presidency, introduces stricter software development requirements, mandatory vendor attestations evaluated by the Cybersecurity and Infrastructure Security Agency (CISA), and secure management guidelines for access tokens and cryptographic keys.

Russian Trading Platform Suffers Cyberattack

Russia's primary electronic trading platform for state and corporate procurement, Roseltorg, suffered a significant cyberattack attributed to the pro-Ukraine hacker group Yellow Drift. Initially described as "maintenance work," the company later confirmed an external attack to destroy data and its entire infrastructure. Yellow Drift claimed responsibility, alleging they deleted 550 terabytes of data, including emails and backups, and shared screenshots of the compromised system as proof.

Roseltorg, a key platform managing procurement for defense, construction, and other industries, assured users that data and infrastructure have been restored, with trading systems expected to resume soon. However, as of now, the website remains offline, causing concerns among clients, including government agencies and corporations like Lukoil, Rostelecom, and Alrosa. Users have reported financial losses and delays due to the disruption.

The attack is part of a broader surge in cyber operations targeting Russian entities. Other recent victims include the government agency Rosreestr, internet provider Nodex, and tech firm Infobis, all reportedly breached by Ukrainian hacker groups.

Orchid Security Raises $36M Seed Round

Orchid Security closed its latest seed funding round with $36 million. Leading the herd were Intel Capital and Team8. The company is headquartered in New York with R&D based in Israel.

Orchid is attempting to leverage LLMs to manage identity systems and ultimately protect customers’ identities. They are already working with big names like Costco and Repsol.

Robinhood Pays $45M SEC Settlement

Robinhood Markets has agreed to pay $45 million to settle charges by the U.S. Securities and Exchange Commission (SEC) for multiple regulatory violations. The SEC found that Robinhood Securities LLC and Robinhood Financial LLC failed to comply with key requirements, including accurate trade reporting, timely filing of suspicious activity reports, recordkeeping, and adherence to short sale rules.

The violations also involved failures in retaining work-related communications conducted on unauthorized messaging platforms and deficiencies in trading data management (known as blue sheets). Additionally, regulators identified inadequate measures to address cybersecurity risks.

Robinhood admitted to the violations and expressed satisfaction with resolving the matter. General Counsel Lucas Moskowitz stated the company is focused on innovation and looks forward to working with the SEC under a new administration.

This settlement adds Robinhood to a growing list of broker-dealers penalized for failing to properly manage and retain employee communications on "off-channel" platforms. The company has pledged to continue improving its compliance and services.


Small Towns Battle Big Cyberattacks

Now, let’s do a little roundup of obscure American towns facing major cyberattack incidents—one of the most bizarre trends in the industry. In West Haven, Connecticut, City Hall made a public announcement Saturday via Facebook that, “Recently, the City of West Haven’s IT Department was alerted and identified an IT system security incident impacting our systems, and out of an abundance of caution, it was determined that the best course of action was to shut all systems down while we investigated further…”

They were prepared, luckily enough, with systems in place to limit the impact on operations to a few days.

But small towns across the US have had it much worse than that. And now, two of them are getting some help.

In Webster, New York, a cyberattack nine weeks ago led to the loss of more than $520,000. The town only informed its community members on Thursday—as an active investigation meant they couldn’t share details. Now, Webster police have seized back $300,000 and will recoup the rest of their losses through cyber insurance. The town is now working with the FBI to investigate the situation further.

For its part, Athens, Ohio, is looking to recover some of the $721,976.26 lost in a November cyberattack where scammers posed as Pepper Construction to reroute payments. Court filings reveal that $349,522.10 has been recovered from the scammer's bank account, but another victim, Regency Centers, a Florida-based real estate developer, also lost $326,874.06 to the same account and may have a claim to the funds.

Republic Bank and Trust, where the mule account was located, has secured the recovered money in a separate account and is seeking a judge's decision on how to divide it to avoid a lawsuit. The scammers had opened the account in August, posing as a New Jersey company, and used it to conduct similar fraudulent schemes against both Athens and Regency Centers.

Athens Deputy Service-Safety Director Andrew Chiki confirmed the city is pursuing legal and investigative avenues to recover the funds and hold the perpetrators accountable. Investigations remain ongoing, with Regency Centers also reviewing the situation.

Edtech Giant PowerSchool Faces Backlash Over Major Data Breach

PowerSchool, a California-based edtech company serving over 15,000 customers globally, is under scrutiny following a significant cybersecurity breach exposing student and staff data across multiple school boards. The December 22 incident, traced to a Ukrainian hosting company, involved PowerSchool making an undisclosed payment to prevent data release.

The exposed information includes names, birthdates, addresses, and phone numbers, with Rocky View Schools confirming potential compromise of sensitive data including medical records and custody arrangements. Records dating back to 2011 may be affected.

University of Calgary cybersecurity expert Dr. Thomas Keenan criticized PowerSchool's vague communication and called for financial compensation to affected families, citing long-term identity theft risks. While PowerSchool has offered credit monitoring and identity protection services, questions persist about the breach's full scope and the company's data protection practices.

Microsoft Pledges $80B AI Investment in Trump-Nadella Meeting

In a significant tech-political convergence, Microsoft CEO Satya Nadella met with President-elect Donald Trump and Elon Musk to discuss AI and cybersecurity, marking another step in Silicon Valley's efforts to rebuild relations with the incoming Trump administration.

The highlight of the meeting was Microsoft's ambitious $80 billion commitment to AI data centers globally, with $50 billion earmarked for U.S. investments. Microsoft President Brad Smith, who joined the Mar-a-Lago discussion alongside JD Vance, has been vocal about avoiding "heavy-handed regulations" in AI development while advocating for pragmatic export controls that balance security with expansion.

This meeting comes amid an aggressive expansion of cloud infrastructure by tech giants. Microsoft's previous fiscal year saw over $50 billion in capital expenditures, primarily in server farm construction. Notably, the company's AI infrastructure plans include an unusual power solution: reopening a reactor at the Three Mile Island nuclear plant in Pennsylvania, following a trend of tech companies turning to nuclear power for their energy-intensive AI operations.

The gathering at Trump's Florida estate represents the latest in a series of high-profile tech industry engagements with the president-elect, as Silicon Valley seeks to navigate the changing political landscape despite past tensions from Trump's first term.

Interesting Read

Well, it’s finally happening—TikTok is leaving the US. Marcus Walsh, writing for Cybernews, looks at the post-TikTok landscape for the next big security liabilities hiding in the App Store.

The ban, likely to come on January 19, is inspiring a deluge of tributes on the platform, but that likely won’t end concerns that Chinese apps (or any foreign-controlled apps, for that matter) can have undue influence on the US through algorithmic manipulation and data harvesting.

In fact, the two leading contenders for TikTok—the very apps many users might turn to once the ban is in place—are both Chinese: Xiaohongshu and Lemon8.

It does seem that we don’t need to look so far afield for these threats, as Meta (which owns both Facebook and Instagram) or X (owned by a newly political public figure) could be said to have the same kind of influence.

Weekly Arora-Inspired Opinion & Analysis

This weekly column has been created based on a deep analysis of how Nikesh Arora, CEO of Palo Alto Networks, strategizes in the cybersecurity space, drawing inspiration from his leadership style, forward-thinking approach, and innovative insights. While not an exact representation, the column embodies key elements of his strategic mindset and vision for the future of cybersecurity.

-

The Battlefield of Geopolitics Is Expanding: National Security Makes Cybersecurity a Priority

The Trojan horse-style cyber threats of today are no longer confined to the corporate or national walls they breach. They are now a top national security priority for the U.S. and many allied nations. Operations like the FBI's recent takedown of the PlugX malware, which our adversaries have been using to gain control of U.S. networks, make plain that cybersecurity has become part of the new geopolitics. Nations, corporations, and we citizens must now learn to work, play, and live in this new digital landscape.

The operation conducted by the FBI against PlugX, which had infected more than 4,000 U.S. systems, is an example of the government taking offensive measures in the realm of cybersecurity. Active since 2012 and connected to Chinese groups like Mustang Panda and Twill Typhoon, the malware was dealt with through law enforcement cooperation that extended as far as France. Such international collaboration is vital when countering the sophisticated, state-sponsored threats that accompany internet technologies. Indeed, Gulf War II not only implicated the United States in a military offensive that some condemned as a violation of human rights. PlugX isn’t just a malicious tool—it’s tied up in a larger agenda of sowing chaos and drinking from whatever ‘infosphere’ they can, tapping into our systems and harvesting intelligence.

Given the increasing sophistication in cyberattacks, this shift from defense to offense is essential. PlugX underscores the weaknesses in vital systems. State-sponsored hackers are using these to achieve both espionage and sabotage ends, and they're not just targeting private enterprises. They're going after the "very core" of national security, as the FBI itself recently put it. The Bureau's actions in taking down these online threats reflect an understanding that the digital world has to be defended just as vigorously as our physical borders.

The recent breach of U.S. Treasury systems by Chinese hackers is an example of how today’s cyber operations are rapidly becoming an essential element of statecraft. The hackers, undetected for months, gained access to unclassified documents inside the Committee on Foreign Investment in the U.S. (CFIUS) that are supposedly the foundation for critical strategic decisions. In this case, they could have been going after something as mundane but important as intel on how and why CFIUS orders U.S. companies to do (or not do) business with foreign entities.

As governments worldwide bolster their cybersecurity postures, the private sector has a vital part to play. It falls mainly to the tech giants—Microsoft, Google, and others—to shield the nation from cyber threats. These companies provide the platform upon which many parts of the federal government now operate. But with reliance on the private sector for national security comes the need to worry about data privacy and what it means to increasingly "outsource" aspects of national security to private companies.

Cases in which public and private responsibilities are combined illuminate problems like PowerSchool's data breach, which has been exposed even though who was behind it hasn't been revealed as of yet. The breach compromised private information about students and staff, and it happened because a private company was managing public data that was then compromised. We in the public sector need to be asking much more pointed questions about the private handling of public data and the actual efficacy of practices claimed to be 'robust'. When such breaches happen, we shouldn't be putting the lion's share of the blame on the private company involved. Instead, we need to start putting a pretty hefty portion of the blame on the public entities that signed off on giving this data to the private companies.

When considering the broader issue, we see that global cybersecurity is becoming an international concern. By now, cyberattacks carried out by state-backed actors from around the world—like China and Russia—have become a common part of public discourse. And for good reason. These acts are not just an attempt to disrupt things here and there. They're strategic moves in the digital arena—where extensive geopolitical power plays are now being made. The U.S. government, in response, has rolled out tighter cybersecurity measures for federal agencies and contractors and is sending clear signals that national security must now extend into cyberspace.

What is essential to understand from these developments is that global collaboration in cybersecurity is now a necessity. By their nature, attacks know no borders, and safeguarding vital systems increasingly demands a level of international cooperation that seems, at present, all too rare. Resilience against these ever-more ingenious threats requires public and private entities to work together in an atmosphere permeated by mutual trust. Cooperating in such an atmosphere seems vital to all involved if we are to keep as much critical infrastructure as possible safe from cyberattacks.

To sum up, the national and international security of all countries is intertwined with cybersecurity, which is now a major element in that security. The FBI and similar agencies around the world are sending a clear message: We are in the cyber business now, and we are geopolitically countering both nation-state and criminal forces trying to bring America and its allies down through cyber means. While using more tools than ever, these agencies must operate under the golden rule of securing not just the digital infrastructure but also the privacy and personal data of citizens.

Until next week,

Arora Avatar

Stay Safe, Stay Secure.

The CybersecurityHQ Team