Knownsec
November 9, 2025
•[ data leak, cyber espionage, malware ]
According to coverage in The Register of research by Chinese blog MXRN, attackers breached the systems of Beijing linked security company Knownsec and leaked more than twelve thousand classified documents describing Chinese state cyber weapons, internal tools and global targeting lists, along with code for remote access trojans that can compromise major desktop and mobile operating systems; the cache also reportedly includes a spreadsheet of 80 successfully attacked overseas targets and massive datasets such as Indian immigration records, South Korean telecom call logs and Taiwanese road planning information that Knownsec had previously obtained in offensive operations, some of which were briefly published to GitHub before being removed.
National Time Service Center
October 20, 2025
•[ espionage, state-sponsored attack ]
China accuses U.S. NSA of cyber-espionage against NTSC timing systems
Williams & Connolly
October 8, 2025
•[ espionage, state-sponsored attack, data leak ]
Breach of U.S. law firm with major political clients linked to Chinese espionage campaign.
U.S. National Nuclear Security Administration (NNSA)
July 18, 2025
•[ data breach, vulnerability, zero-day ]
Breach of NNSA systems through a Microsoft SharePoint zero-day vulnerability. DOE stated a small number of systems were impacted and are being restored. Attack was later linked to Chinese state hacking groups Linen Typhoon and Violet Typhoon.
Netherlands Public Prosecution Service (Openbaar Ministerie)
July 17, 2025
•[ cyberattack, vulnerability exploit, state-sponsored attack ]
Strong indications that Russia was behind a cyberattack exploiting a Citrix vulnerability; the OM took systems offline on July 17 as a response; extent of data access not yet disclosed.
One undisclosed university in the United States
July 15, 2025
•[ espionage, vulnerability exploitation, malware ]
China-linked operators abused CVE-2025-53770 (ToolShell) weeks after Microsofts July patch to gain initial access at a telecom, escalate privileges (e.g., PetitPotam), harvest credentials, and deploy ShadowPad/Zingdoor/KrustyLoader for persistent espionage against telecom and government networks. Primary effect was covert access and collection, not service outage.
Wiley Rein LLP
July 12, 2025
•[ espionage, unauthorized access, state-sponsored attack ]
Firm notified clients that Microsoft 365 accounts of certain personnel were accessed in an apparent intelligence-gathering operation; suspected China-affiliated group.
Municipality of Tirana (City of Tirana)
June 20, 2025
•[ data leak, denial of service, state-sponsored attack ]
Iran-linked MOIS cluster EUROPIUM (Homeland Justice) conducted a coordinated cyberattack on Tiranas municipal government on Jun 20 2025, taking the city website offline and disrupting services; attackers claimed data theft and wiping of city databases; Microsoft and Albanian officials attributed the activity to MOIS-linked operators; restoration completed by Jun 24 2025.
At least one Ukrainian grain producer
June 1, 2025
•[ malware, wiper attack, state-sponsored attack ]
Russian state-backed threat group Sandworm, also known as APT44, used several data-wiping malware families in a series of destructive attacks against Ukrainian organizations in 2025, including newly reported operations targeting the countrys grain sector. An ESET APT activity report cited by BleepingComputer says that in June and September Sandworm deployed wipers like ZEROLOT and Sting against entities in the governmental, energy, logistics, and grain industries, with the grain sector highlighted as a less frequent but strategically important target. The wipers corrupt files, disk partitions, and master boot records in ways that prevent recovery, likely aiming to weaken Ukraines war economy by disrupting a critical export industry.
Kurdish forces
May 14, 2025
•[ espionage, vulnerability, zero-day ]
Turkey-linked espionage operators exploited a zero-day in Output Messenger to surveil Iraq-based Kurdish forces, collecting communications and device data; Microsoft attributed the activity to a Turkey-aligned group focused on intelligence collection.
Undisclosed Ukrainian critical infrastructure organization
April 1, 2025
•[ malware, data exfiltration, wiper ]
The FSBs 18th Center for Information Security (Gamaredon) deployed PathWiper malware against an undisclosed Ukrainian critical-infrastructure operator in early April 2025, exfiltrating large volumes of operational data before executing a destructive wiper that caused temporary service degradation.
Deutsche Gesellschaft für Osteuropakunde (DGO)
March 30, 2025
•[ espionage, data leak, state-sponsored attack ]
In late March 2025, German officials reported a cyber-espionage incident targeting the Deutsche Gesellschaft fr Osteuropakunde (DGO), a nonprofit academic association focused on Eastern Europe. Investigators attributed the intrusion to Russias Foreign Intelligence Service (SVR), also known as Midnight Blizzard, APT29, or NOBELIUM. Attackers accessed email servers and internal communications for intelligence-gathering purposes. No data encryption or operational disruption was reported, indicating a stealthy exploitation of application servers.
Digital Realty
March 1, 2025
•[ state-sponsored attack, espionage, vulnerability exploit ]
The Ministry of State Security (MSS)linked group Salt Typhoon infiltrated Digital Realty and other data-center operators in early 2025 by exploiting vulnerabilities in network-appliance infrastructure and stolen credentials. Microsoft attributed the campaign to PRC state-sponsored espionage targeting Western critical-infrastructure providers.
Undisclosed Myanmar government organization
March 1, 2025
•[ state-sponsored attack, malware, rootkit ]
Chinese state-linked threat actors deployed a kernel-mode rootkit to conceal ToneShell malware on systems belonging to a Myanmar government organization, enabling stealthy persistent access.
Local media outlets in Azerbaijan
February 20, 2025
•[ targeted attack, data destruction, state-sponsored attack ]
Azerbaijans parliament commission head said APT29/Cozy Bear was behind a Feb 20 cyberattack that targeted internal servers at Baku TV and spread to other outlets, aiming to disrupt media infrastructure and alter/delete information; officials framed motive as retaliation over Russia-related media actions.
Harbin Asian Winter Games Organizing Committee
February 7, 2025
•[ cyberattack, state-sponsored attack ]
China accuses US of launching 'advanced' cyberattacks, names alleged NSA agents
Multiple Organizations in Asia
February 6, 2025
•[ espionage, backdoor, credential theft ]
Evasive Panda, a Chinese state-sponsored group operating under the Ministry of State Securitys Guangdong State Security Department / Technical Reconnaissance Bureau, deployed a custom SSH backdoor across enterprise network devices to exfiltrate credentials and maintain long-term covert access in espionage operations identified by Cisco Talos in February 2025.
Undisclosed cryptocurrency market-making firm
October 20, 2024
•[ data exfiltration, cryptocurrency, state-sponsored attack ]
Recorded Future observed C2 reconnaissance followed by FTP exfiltration from a market-making firm in the UAE during the Contagious Interview campaign (OctNov 2024). Attributed to the NGB 3rd Technical Surveillance Bureau (North Korea).
Undisclosed online casino operator
October 20, 2024
•[ Data exfiltration, State-sponsored attack, Reconnaissance ]
Recorded Future analysis identified reconnaissance and FTP exfiltration traffic from a Costa Rican online casino targeted in the Contagious Interview campaign (OctNov 2024), attributed to the NGB 3rd Technical Surveillance Bureau (North Korea).
At least one individual in Ukraine
January 6, 2024
•[ phishing, credential harvesting, state-sponsored attack ]
The article reports researchers observed a months-long phishing/credential-harvesting operation targeting users of UKR.NET, a popular Ukrainian webmail and news service. The campaign ran from June 2024 through April 2025 and was attributed to Russian state-backed BlueDelta (APT28/Fancy Bear/Forest Blizzard). Researchers said the actors created multiple fake UKR.NET login pages and sent phishing emails with PDF attachments containing embedded links to the fraudulent portals, with more than 20 linked PDF lure files identified. The purpose was assessed as harvesting credentials and gathering intelligence supporting broader Russian objectives; the reporting did not quantify how many users were successfully compromised.
