International relations might have been polite at summit meetings this week in Asia, but in cybersecurity, the global struggles proceeded as expected. Driving much of the news were tales of nation-state threat groups causing damage worldwide through breaches, cryptocurrency crimes, hacktivism and tampering with critical infrastructure.
China, Russia, Iran and North Korea often play key roles in nation-state attacks targeting Western governments and businesses. Cybersecurity vendor Trellix attributed North Korean groups with 18% of the nation-state activity it detected between April and September, the largest share of such schemes.
This week’s featured articles examine nation-state threats that have affected a range of targets, from a company’s revenue forecasts to industrial control systems (ICSes) in Canada.
Nation-state cyberattack hits F5’s top line
Network technology vendor F5 said this week that some of its customers are hesitant to sign or renew contracts following an intrusion by a nation-state group, which was subsequently reported to be China. After breaching the company’s networks, the group maintained long-term access to F5’s development and engineering platforms. The hackers accessed information about security vulnerabilities that F5 was evaluating.
Given the visibility of the incident, some F5 customers are holding off on new commitments, CEO François Locoh-Donou told investors during an earnings call Monday. F5 said it expected revenue growth in fiscal 2026 to be anywhere from flat to 4%, which would fall short of the roughly 9% growth predicted by Wall Street.
Read the full story by Eric Geller on Cybersecurity Dive.
North Korean group shifts to more patient, sophisticated attacks
North Korean threat group BlueNoroff is expanding its cryptocurrency theft operations, targeting fintech executives and Web3 developers. The group, known by several names, including Sapphire Sleet and APT38, uses elaborate social engineering tactics, including fake cryptocurrency news websites and fraudulent online job interviews.
BlueNoroff has evolved its strategy in numerous ways. Once known for working on macOS platforms, for example, the group has been seen using Microsoft Teams for fake meetings recently. Kaspersky researchers also observed various malware being sent using a multistage execution process. Payloads in the campaign include the DownTroy malware loader, RealTimeTroy backdoor, SilentSiphon multicredential stealer and CosmicDoor remote-control malware.
Experts have observed more patience and sophistication from BlueNoroff, with attackers building long-term relationships with targets before deploying malware disguised as legitimate applications. This shift represents an expansion of BlueNoroff’s capabilities beyond traditional cryptocurrency attacks.
Read the full story by Elizabeth Montalbano on Dark Reading.
Canada warns utility companies, others of hacktivist intrusions
Canadian authorities issued an advisory this week stating that hacktivist groups recently breached critical infrastructure facilities by exploiting internet-connected ICSes. The Canadian Centre for Cyber Security reported attacks on water utilities, oil and gas companies, and agricultural sites. Malicious hackers tampered with pressure valves at water facilities, manipulated automated tank gauges at energy companies, and exploited temperature and humidity controls at grain silos, the government said.
The advisory noted that exposed ICS components included programmable logic controllers, human-machine interfaces and remote terminal units. To protect these systems, authorities recommended using VPNs and MFA safeguards.
While Canadian authorities did not attribute the attacks to a specific nation-state group or actor, they categorized the activities as hacktivist in nature, designed to, among other things, “undermine Canada’s reputation.”
Read the full story by David Jones on Cybersecurity Dive.
Breach identifies recruits in Iranian cyberespionage program
Iran’s Ravin Academy, a training center for state-backed hackers operated under the Ministry of Intelligence and Security, suffered a major data breach that observers believe to be the result of a hacktivism operation.
The breach exposed names, phone numbers and other personal data of recruits being trained for cyberespionage operations. Ravin Academy acknowledged the breach in a recent Telegram post, blaming foreign rivals for the attack ahead of Iran’s National Cybersecurity Olympiad. Founded in 2019, Ravin Academy has been sanctioned by the U.S., U.K. and EU for training hackers involved in espionage activities.
Read the full story by Nate Nelson on Dark Reading.
Editor’s note: An editor used AI tools to aid in the generation of this news brief. Our expert editors always review and edit content before publishing.
