Source: United States Senator for Rhode Island Jack Reed
WASHINGTON, DC – Today, after the U.S. Department of Defense announced it has accepted a luxury commercial aircraft donated by Qatar for use as the new Air Force One for President Donald Trump while he is in office and then plans to transfer it to Trump’s presidential library when he leaves office, U.S. Senator Jack Reed (D-RI), the Ranking Member of the Senate Armed Services Committee, slammed the decision, stating:
“This is a national embarrassment that raises serious security and ethics questions.
“President Trump is outsourcing a core symbol of American sovereignty, power, and ingenuity. He is forcing U.S. taxpayers to shell out potentially hundreds of millions of dollars to refurbish this so-called gift which will likely only be in official service for a short time.
“Refurbishing a Qatari-gifted plane with the responsibilities of Air Force One isn’t just costly – it’s a serious national security risk. Potentially exposing the President’s communications and safety to a foreign government is reckless and would create unacceptable vulnerabilities for our nation.
“Today’s announcement is not the end of the story, and I expect my colleagues to join me in exercising oversight over this outrageous move. There must be transparency and accountability about the costs of retrofitting this plane, the counterintelligence risks involved, and how it will be used once President Trump leaves office.”
Source: People’s Republic of China – State Council News
BEIJING, May 21 — China’s visa-exemption policies have boosted inbound travel. Since the start of this year, “China Travel” has kept trending. On Wednesday, the Consular Department of the Ministry of Foreign Affairs of China released a list of frequently asked questions about these policies.
Q: Who does the visa waiver apply to?
A: Nationals of 43 countries including Brunei, France, Germany, Italy, Spain, Holland, Malaysia, Switzerland, Ireland, Hungary, Austria, Belgium, Luxembourg, New Zealand, Australia, Poland, Portugal, Greece, Cyprus, Slovenia, Slovakia, Norway, Finland, Denmark, Iceland, Andorra, Monaco, Liechtenstein, the Republic of Korea, Bulgaria, Romania, Croatia, Montenegro, North Macedonia, Malta, Estonia, Latvia, Japan, Brazil, Argentina, Chile, Peru and Uruguay (Brazil, Argentina, Chile, Peru and Uruguay take effect from June 1, 2025) holding valid ordinary passports can be exempted from the visa requirement if entering China for the purpose of business, tourism, family or friend visits, exchange and transit. They can stay in China for no more than 30 days without a visa.
Q: Do foreign nationals eligible for a visa waiver need to make declarations to Chinese embassies and consulates in advance?
A: Foreign nationals eligible for a visa waiver do not need to declare in advance to Chinese embassies and consulates before entering China without a visa.
Q: Will the purpose of the intended stay in China be examined by Chinese border inspection authorities when entering China? How will it be done? Are other documents needed for entering China in addition to a passport?
A: Foreign nationals traveling for purposes of business, tourism, family or friend visits, exchange and transit that meet the visa waiver requirements, can be allowed to enter China without a visa upon examination and approval in accordance with the law by border inspection authorities. Entry into China shall be denied by border inspection authorities in accordance with the law to foreign nationals who travel for purposes that do not meet the visa waiver requirements or who are not allowed to enter China in accordance with laws and regulations. It is recommended to take documents such as invitation letters, air tickets and reservations of accommodation as proof corresponding to the purposes of entry into China. Visa waiver does not apply to those who come to China for work, study, journalistic or similar purposes.
Q: Is there any additional requirement for minors eligible for a visa waiver?
A: Visa waiver requirements for minors are the same as for adults.
Q: Are there any requirements regarding the type and validity of entry documents?
A: For foreign nationals, an ordinary passport valid for at least the duration of the intended stay in China is needed. Holders of travel documents or temporary or emergency documents other than ordinary passports are not allowed to enter China without a visa.
Q: How is the 30-day duration of stay calculated?
A: The duration of stay without a visa is calculated from the day after entry and lasts continuously for 30 calendar days.
Q: Does the visa waiver apply to foreign nationals who travel from a third country?
A: Eligible foreign nationals can depart for China from any country or region.
Q: Does the visa waiver apply to foreign nationals who travel via modes of transport other than aviation?
A: The visa waiver applies to all travelers coming to China through any seaport, land port or airport open to foreign nationals — except where laws, regulations or bilateral arrangements specify otherwise. For arrivals in China by way of private transport, certain procedures for entry and exit of means of transport shall be processed in accordance with relevant laws and regulations of China.
Q: Does the visa waiver apply to tour groups?
A: The visa waiver applies to eligible foreign nationals either in tour groups or as individuals.
Q: If the length of intended stay exceeds 30 days, can the visa waiver be extended?
A: Foreign nationals planning to stay in China for over 30 days shall apply for visas corresponding to their purposes of stay in advance at Chinese embassies or consulates. If they have to stay longer than 30 days for appropriate and sufficient reasons after entering China without a visa, they shall apply for stay permits to the exit and entry administrations of public security authorities of China.
Q: Does the visa waiver allow multiple entries? Is there any requirement on the length of intervals between each entry, or any restriction on the number of entries without a visa or total days of stay?
A: Foreign nationals eligible for the visa waiver can enter China without a visa multiple times. Currently, there is no restriction on the number of entries or total days of stay, but those who enjoy visa-free travel to China shall not engage in activities inconsistent with their purpose of entry.
Source: Northern Territory Police and Fire Services
Yesterday, detectives from the Southern Drug Investigation Unit executed multiple search warrants at commercial premises resulting in three arrests and significant seizures of methamphetamine, ketamine and cannabis.
In the morning, police executed a search warrant at a hotel where they located and seized a less than commercial quantity of methamphetamine, a commercial quantity of ketamine and a less than traffickable amount of cannabis. A 47-year-old female was arrested and charged with:
Possess Schedule 1 (Methamphetamine) – Less than commercial quantity
Possess Schedule 2 (Cannabis) – Less than traffickable
She was remanded to appear in the Alice Springs Local Court today.
In a separate incident that afternoon, detectives conducted searches at the airport where they located and seized several packages containing a significant amount of methamphetamine. A 44-year-old male and a 51-year-old male were arrested and charged with:
Both males were remanded to appear in the Alice Springs Local Court today.
Detective Acting Superintendent Deanne Ward said, “If these drugs had entered our regional township and communities, it could have had devastating impacts on people’s lives and social cohesion.”
Anyone with information on the supply of alcohol or drugs into remote communities can call police on 131 444 or make an anonymous report to Crime Stoppers on 1800 333 000.
The IAEA team based at Ukraine’s Zaporizhzhya Nuclear Power Plant (ZNPP) heard bursts of gunfire this morning, coinciding with a purported drone attack on the site’s training centre, Director General Rafael Mariano Grossi said.
It was the third time this year that the training centre, located just outside the site perimeter, was reportedly targeted by such an unmanned aerial vehicle.
The ZNPP told the IAEA team that the drone hit the roof of the training centre, without causing any casualties or major damage. It was not immediately known whether the drone had directly struck the building or whether it crashed on the structure after being shot down, the ZNPP said.
The IAEA staff members heard the gunfire shortly before 10am local time, but it was not clear if this observation was connected to the drone.
The IAEA team requested to visit the training centre, as it was able to do following the previous such incident that occurred in April. However, on this occasion permission has not yet been granted.
“These reported drone incidents are very concerning, as they could pose a direct threat to nuclear safety and security. To put it simply: there are too many drones flying near nuclear sites, not just the Zaporizhzhya Nuclear Power Plant. It should stop immediately,” Director General Grossi said.
In February, a drone severely damaged the New Safe Confinement (NSC) at the Chornobyl plant in northern Ukraine, built to prevent any radioactive release from the reactor unit 4 destroyed in the 1986 accident and to protect it from external hazards.
In mid-April, a drone was reportedly shot down and crashed near the ZNPP’s training centre, just over three months after another reported drone attack on the same centre.
Ukraine’s operating nuclear power plants (NPPs) – Khmelnytskyy, Rivne and South Ukraine – also regularly report drones being detected near their respective sites. Last Friday, the IAEA team at the South Ukraine NPP was informed that drones had been observed as close as 2 km from the site, and the team reported hearing anti-aircraft fire from their hotel. The same night, drones were reported to have been observed transiting through the Chornobyl Exclusion Zone.
Source: United States House of Representatives – Representative Mark Alford (Missouri 4th District)
Today, Congressman Mark Alford (MO-04) announced the launch of the Long-Range Strike Caucus for the 119th Congress. The Caucus provides an informal, bipartisan opportunity to educate Members of Congress on current and future U.S. bomber capabilities, advocate for this essential instrument of national security, and facilitate engagement between Congress, industry, and the Department of Defense. The Caucus is co-chaired by Rep. Don Davis (NC-01).
“We’re proud to re-launch the Long-Range Strike Caucus for this Congress,” said Congressman Alford. “As the Congressman for Whiteman Air Force Base—the home of the B-2 Spirit, and soon the B-21 Raider—I have witnessed first-hand the strategic necessity of our long-range strike capabilities. Last October, I was in the Middle East when our heroic airmen showed the world what they can do, striking terrorist lairs in Yemen with pinpoint precision. That’s not just power. It’s a promise that America can reach out and touch anyone, anywhere, at any time when freedom is at stake. I look forward to bipartisan collaboration on how we can ensure America maintains its superior long-range strike capabilities well into the future.”
“As our nation confronts emerging global threats to national security, the Long Range Strike Caucus can play a significant role in our defense and in safeguarding the American people,” said Congressman Don Davis. “Modernizing our long-range strike aircraft, particularly our bombers, is essential to ensuring that the U.S. military continues to be the world’s premier fighting force.”
Background:
The Long-Range Strike Caucus advocates for our nation’s bomber force and the many missions that support our bombers in conducting long-range strikes. This includes active duty, guard, and reserve units that provide fighter escort, suppression of enemy air defenses, air refueling, testing, acquisition, and depot maintenance.
The Air Force bomber fleet provides a unique ability for the U.S. to rapidly strike any target in the world, an essential capability for deterring our enemies and reassuring our allies and partners.
Despite its active use and global presence, our bomber fleet is the smallest and oldest it has ever been. With an average age of more than 40 years, almost half of our current long-range strike aircraft pre-date the Cuban Missile Crisis. The failure to adequately modernize has impacted our ability to operate, especially in potentially contested environments. Therefore, efforts to develop and procure a new generation of Air Force bombers, including the B-21 Raider and the refitted B-52J, are critical to the conventional and nuclear national security apparatus.
Source: People’s Republic of China in Russian
Source: People’s Republic of China – State Council News
MINSK, May 21 (Xinhua) — The 12th International Exhibition of Arms and Military Equipment MILEX-2025 opened on Wednesday at the Minsk International Exhibition Center “BelExpo”. More than 150 companies from Belarus, Russia, China, Iran, Pakistan, and India are taking part in the event. They are demonstrating samples of weapons and military equipment that reflect the main trends and development prospects of the global arms market.
President of Belarus Alexander Lukashenko sent a greeting to the participants and guests of the international exhibition. “In the year of the 80th anniversary of the Victory of the Soviet people in the Great Patriotic War, we are holding this representative forum in honor of our common heroes. The generation of victors bequeathed to us to preserve peace and freedom in our native land, won at an unprecedentedly high price. In the name of this goal, we, the allied countries, are increasing our defense potential and strengthening cooperation in the field of security,” A. Lukashenko’s press service quotes him as saying.
The President of Belarus expressed confidence that the international exhibition of weapons and military equipment will allow a wide range of specialists and experts to become familiar with the most advanced achievements of both Belarusian manufacturers and foreign partners.
MILEX-2025 presents more than 750 samples of weapons, military and special equipment of Belarusian production. Among them are the anti-aircraft missile system “Buk-MB-2K” with the first Belarusian anti-aircraft guided missile, the grenade launcher system “Sapfir”, the armored personnel carrier V-2. The total area of the exhibition exceeds 11.5 thousand square meters.
The 11th International Scientific Conference on the Development of Weapons, Military and Special Equipment and Dual-Use Technologies will be held as part of the scientific and business program of the event. The conference will address current issues of creating systems to counter high-precision weapons, electronic warfare, radio-technical and radar reconnaissance, troop and weapon control, and radio communications. A separate section will be devoted to the topic of unmanned systems for various purposes.
The organizers of the 12th International Exhibition of Arms and Military Equipment MILEX-2025 are the State Military-Industrial Committee and the Ministry of Defense of Belarus, as well as the National Exhibition Center “BelExpo”. The event will last until May 24.
As soon as snow melted from Russia’s Zabaykal’skiy Kray in mid-March 2025, satellites began detecting large numbers of wildland fires burning in the grasslands and forests surrounding Chita, the territory’s capital. Two months later, fires continued to rage around the city. The MODIS (Moderate Resolution Imaging Spectroradiometer) on NASA’s Aqua satellite captured this image of smoke streaming from multiple fires near Chita on May 19, 2025. The city, a stop along the Trans-Siberian Railway, has a population of about 350,000. News reports indicate that fires were active on the city’s outskirts on May 20 and were edging closer to the city center as firefighters worked amid dry, windy conditions. On May 20, 2025, Russia’s Aerial Protection Service reported 49 fires burning across nearly 700,000 hectares (2,700 square miles) in six regions of the country. Thirty-three fires were in Zabaykal’skiy (also called Transbaikal) and nine in Buryatiya, both of which border Mongolia. Russian officials reported deploying 2,700 personnel and 13 aircraft to fight the fires, including more than 1,000 paratroopers and airborne troops in Zabaykal’skiy. NASA Earth Observatory image by Michala Garrison, using MODIS data from NASA EOSDIS LANCE and GIBS/Worldview. Story by Adam Voiland.
NASA’s X-59 quiet supersonic research aircraft successfully completed a critical series of tests in which the airplane was put through its paces for cruising high above the California desert – all without ever leaving the ground. The goal of ground-based simulation testing was to make sure the hardware and software that will allow the X-59 to fly safely are properly working together and able to handle any unexpected problems. Learn more about this series of exercises, dubbed “aluminum bird” testing by engineers. Image credit: Lockheed Martin/Garry Tice
News In Brief – Source: US Computer Emergency Readiness Team
Executive Summary
This joint cybersecurity advisory (CSA) highlights a Russian state-sponsored cyber campaign targeting Western logistics entities and technology companies. This includes those involved in the coordination, transport, and delivery of foreign assistance to Ukraine. Since 2022, Western logistics entities and IT companies have faced an elevated risk of targeting by the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (85th GTsSS), military unit 26165—tracked in the cybersecurity community under several names (see “Cybersecurity Industry Tracking”). The actors’ cyber espionage-oriented campaign, targeting technology companies and logistics entities, uses a mix of previously disclosed tactics, techniques, and procedures (TTPs). The authoring agencies expect similar targeting and TTP use to continue.
Executives and network defenders at logistics entities and technology companies should recognize the elevated threat of unit 26165 targeting, increase monitoring and threat hunting for known TTPs and indicators of compromise (IOCs), and posture network defenses with a presumption of targeting.
This cyber espionage-oriented campaign targeting logistics entities and technology companies uses a mix of previously disclosed TTPs and is likely connected to these actors’ wide scale targeting of IP cameras in Ukraine and bordering NATO nations.
The following authors and co-sealers are releasing this CSA:
United States National Security Agency (NSA)
United States Federal Bureau of Investigation (FBI)
United Kingdom National Cyber Security Centre (NCSC-UK)
Germany Federal Intelligence Service (BND) Bundesnachrichtendienst
Germany Federal Office for Information Security (BSI) Bundesamt für Sicherheit in der Informationstechnik
Germany Federal Office for the Protection of the Constitution (BfV) Bundesamt für Verfassungsschutz
Czech Republic Military Intelligence (VZ) Vojenské zpravodajství
Czech Republic National Cyber and Information Security Agency (NÚKIB) Národní úřad pro kybernetickou a informační bezpečnost
Czech Republic Security Information Service (BIS) Bezpečnostní informační služba
Poland Internal Security Agency (ABW) Agencja Bezpieczeństwa Wewnętrznego
Poland Military Counterintelligence Service (SKW) Służba Kontrwywiadu Wojskowego
United States Cybersecurity and Infrastructure Security Agency (CISA)
United States Department of Defense Cyber Crime Center (DC3)
United States Cyber Command (USCYBERCOM)
Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
Canadian Centre for Cyber Security (CCCS)
Danish Defence Intelligence Service (DDIS) Forsvarets Efterretningstjeneste
Estonian Foreign Intelligence Service (EFIS) Välisluureamet
Estonian National Cyber Security Centre (NCSC-EE) Küberturvalisuse keskus
French Cybersecurity Agency (ANSSI) Agence nationale de la sécurité des systèmes d’information
Netherlands Defence Intelligence and Security Service (MIVD) Militaire Inlichtingen- en Veiligheidsdienst
Download the PDF version of this report:
Russian GRU Targeting Western Logistics Entities and Technology Companies (PDF, 1,081KB)
Introduction
For over two years, the Russian GRU 85th GTsSS, military unit 26165—commonly known in the cybersecurity community as APT28, Fancy Bear, Forest Blizzard, BlueDelta, and a variety of other identifiers—has conducted this campaign using a mix of known tactics, techniques, and procedures (TTPs), including reconstituted password spraying capabilities, spearphishing, and modification of Microsoft Exchange mailbox permissions. In late February 2022, multiple Russian state-sponsored cyber actors increased the variety of cyber operations for purposes of espionage, destruction, and influence—with unit 26165 predominantly involved in espionage. [1] As Russian military forces failed to meet their military objectives and Western countries provided aid to support Ukraine’s territorial defense, unit 26165 expanded its targeting of logistics entities and technology companies involved in the delivery of aid. These actors have also targeted Internet-connected cameras at Ukrainian border crossings to monitor and track aid shipments. Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 17. See Appendix A: MITRE ATT&CK tactics and techniques for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques. This advisory uses the MITRE D3FEND® framework, version 1.0.
Description of Targets
The GRU unit 26165 cyber campaign against Western logistics providers and technology companies has targeted dozens of entities, including government organizations and private/commercial entities across virtually all transportation modes: air, sea, and rail. These actors have targeted entities associated with the following verticals within NATO member states, Ukraine, and at international organizations:
Defense Industry
Transportation and Transportation Hubs (ports, airports, etc.)
Maritime
Air Traffic Management
IT Services
In the course of the targeting lifecycle, unit 26165 actors identified and conducted follow-on targeting of additional entities in the transportation sector that had business ties to the primary target, exploiting trust relationships to attempt to gain additional access [T1199].
The actors also conducted reconnaissance on at least one entity involved in the production of industrial control system (ICS) components for railway management, though a successful compromise was not confirmed [TA0043].
The countries with targeted entities include the following, as illustrated in Figure 1:
Bulgaria
Czech Republic
France
Germany
Greece
Italy
Moldova
Netherlands
Poland
Romania
Slovakia
Ukraine
United States
Figure 1: Countries with Targeted Entities
Initial Access TTPs
To gain initial access to targeted entities, unit 26165 actors used several techniques, including (but not limited to):
The actors abused vulnerabilities associated with a range of brands and models of small office/home office (SOHO) devices to facilitate covert cyber operations, as well as proxy malicious activity via devices with geolocation in proximity to the target [T1665]. [2]
Credential Guessing/Brute Force
Unit 26165 actors’ credential guessing [T1110.001] operations in this campaign exhibit some similar characteristics to those disclosed in the previous CSA “Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments.” [3] Based on victim network investigations, the current iteration of this TTP employs a similar blend of anonymization infrastructure, including the use of Tor and commercial VPNs [T1090.003]. The actors frequently rotated the IP addresses used to further hamper detection. All observed connections were made via encrypted TLS [T1573].
Spearphishing
GRU unit 26165 actors’ spearphishing emails included links [T1566.002] leading to fake login pages impersonating a variety of government entities and Western cloud email providers’ webpages. These webpages were typically hosted on free third-party services or compromised SOHO devices and often used legitimate documents associated with thematically similar entities as lures. The subjects of spearphishing emails were diverse and ranged from professional topics to adult themes. Phishing emails were frequently sent via compromised accounts or free webmail accounts [T1586.002, T1586.003]. The emails were typically written in the target’s native language and sent to a single targeted recipient.
Some campaigns employed multi-stage redirectors [T1104] verifying IP-geolocation [T1627.001] and browser fingerprints [T1627] to protect credential harvesting infrastructure or provide multifactor authentication (MFA) [T1111] and CAPTCHA relaying capabilities [T1056]. Connecting endpoints failing the location checks were redirected to a benign URL [T1627], such as msn.com. Redirector services used include:
Webhook[.]site
FrgeIO
InfinityFree
Dynu
Mocky
Pipedream
Mockbin[.]org
The actors also used spearphishing to deliver malware (including HEADLACE and MASEPIE) executables [T1204.002] delivered via third-party services and redirectors [T1566.002], scripts in a mix of languages [T1059] (including BAT [T1059.003] and VBScript [T1059.005]) and links to hosted shortcuts [T1204.001].
CVE Usage
Throughout this campaign, GRU unit 26165 weaponized an Outlook NTLM vulnerability (CVE-2023-23397) to collect NTLM hashes and credentials via specially crafted Outlook calendar appointment invitations [T1187]. [4],[5] These actors also used a series of Roundcube CVEs (CVE-2020-12641, CVE-2020-35730, and CVE-2021-44026) to execute arbitrary shell commands [T1059], gain access to victim email accounts, and retrieve sensitive data from email servers [T1114].
Since at least fall 2023, the actors leveraged a WinRAR vulnerability (CVE-2023-38831) allowing for the execution of arbitrary code embedded in an archive as a means of initial access [T1659]. The actors sent emails with malicious attachments [T1566.001] or embedded hyperlinks [T1566.002] that downloaded a malicious archive prepared using this CVE.
Post-Compromise TTPs
After an initial compromise using one of the above techniques, unit 26165 actors conducted contact information reconnaissance to identify additional targets in key positions [T1589.002]. The actors also conducted reconnaissance of the cybersecurity department [T1591], individuals responsible for coordinating transport [T1591.004], and other companies cooperating with the victim entity [T1591.002].
The actors used native commands and open source tools, such as Impacket and PsExec, to move laterally within the environment [TA0008]. Multiple Impacket scripts were used as .exe files, in addition to the Python versions, depending on the victim environment. The actors also moved laterally within the network using Remote Desktop Protocol (RDP) [T1021.001] to access additional hosts and attempt to dump Active Directory NTDS.dit domain databases [T1003.003] using native Active Directory Domain Services commands, as shown in Figure 2:
C:\Windows\system32\ntdsutil.exe "activate instance ntds" ifm "create full C:\temp\[a-z]{3}" quit quit
Figure 2: Example Active Directory Domain Services command
Additionally, GRU unit 26165 actors used the tools Certipy and ADExplorer.exe to exfiltrate information from the Active Directory. The actors installed Python [T1059.006] on infected machines to enable the execution of Certipy. Accessed files were archived in .zip files prior to exfiltration [T1560]. The actors attempted to exfiltrate archived data via a previously dropped OpenSSH binary [T1048].
Incident response investigations revealed that the actors would take steps to locate and exfiltrate lists of Office 365 users and set up sustained email collection. The actors used manipulation of mailbox permissions [T1098.002] to establish sustained email collection at compromised logistics entities, as detailed in a Polish Cybercommand blog. [6]
After initial authentication, unit 26165 actors would change accounts’ folder permissions and enroll compromised accounts in MFA mechanisms to increase the trust level of compromised accounts and enable sustained access [T1556.006]. The actors leveraged Python scripts to retrieve plaintext passwords via Group Policy Preferences [T1552.006] using Get-GPPPassword.py and a modified ldap-dump.py to enumerate the Windows environment [T1087.002] and conduct a brute force password spray [T1110.003] via Lightweight Directory Access Protocol (LDAP). The actors would additionally delete event logs through the wevtutil utility [T1070.001].
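The post-compromise commands above (ntdsutil IFM dumps of NTDS.dit, wevtutil log clearing, Get-GPPPassword.py, PsExec) leave distinctive process command lines. The following detection logic is an added example, not code from the advisory or its authoring agencies; the log format, the rule patterns and the sample events are constructed for illustration, and a hit for log clearing on a host that already triggered another rule is raised for immediate triage.

```python
"""Scan process-creation log lines for post-compromise commands described in
the advisory. Example code added here, not from the advisory; the log
format and sample lines are constructed for illustration."""
import re
from dataclasses import dataclass

# Constructed sample events, one per line: host, user and the full command
# line (loosely modelled on Sysmon Event ID 1 / Security 4688 fields).
SAMPLE_LOGS = r"""
host=DC01 user=CORP\svc_backup cmdline=C:\Windows\system32\ntdsutil.exe "activate instance ntds" ifm "create full C:\temp\qxz" quit quit
host=WS17 user=CORP\jdoe cmdline=wevtutil.exe cl Security
host=WS17 user=CORP\jdoe cmdline=python.exe Get-GPPPassword.py -dc-ip 10.0.0.5 corp/jdoe
host=FS02 user=CORP\admin cmdline=C:\tools\PsExec.exe \\FS03 -s cmd.exe
host=WS20 user=CORP\asmith cmdline=wevtutil.exe qe Application /c:5
host=WS21 user=CORP\bjones cmdline=notepad.exe notes.txt
"""

# (rule name, ATT&CK technique, pattern over the command line). Patterns are
# deliberately loose on path and extension: the actors ran native binaries
# and Impacket scripts both as .py and as compiled .exe files.
RULES = [
    ("ntdsutil IFM dump", "T1003.003",
     re.compile(r"ntdsutil(?:\.exe)?\b.*\bifm\b.*\bcreate\s+full\b", re.I)),
    ("wevtutil log clearing", "T1070.001",
     re.compile(r"wevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.I)),
    ("GPP password harvesting", "T1552.006",
     re.compile(r"get-gpppassword", re.I)),
    ("PsExec lateral movement", "TA0008",
     re.compile(r"(?:^|[\\\s])psexec(?:64)?(?:\.exe)?\b", re.I)),
]
# Rules whose hit, followed by log clearing on the same host, suggests
# anti-forensics after credential theft or lateral movement.
PRECURSORS = {"ntdsutil IFM dump", "GPP password harvesting",
              "PsExec lateral movement"}

LINE_RE = re.compile(r"^host=(\S+)\s+user=(\S+)\s+cmdline=(.*)$")


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    rule: str
    technique: str
    cmdline: str


def parse_line(line):
    """Return (host, user, cmdline) or None for lines that do not parse."""
    m = LINE_RE.match(line.strip())
    return m.groups() if m else None


def scan(log_text):
    """Apply every rule to every parsed line; a line may yield several findings."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if not parsed:
            continue
        host, user, cmdline = parsed
        for rule, technique, pattern in RULES:
            if pattern.search(cmdline):
                findings.append(Finding(host, user, rule, technique, cmdline))
    return findings


def high_priority_hosts(findings):
    """Hosts where log clearing accompanies another detection in the same scan."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
    return sorted(h for h, rules in by_host.items()
                  if "wevtutil log clearing" in rules and rules & PRECURSORS)


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"{f.host:5} {f.technique:10} {f.rule:25} {f.cmdline}")
    print("hosts needing immediate triage:", high_priority_hosts(scan(SAMPLE_LOGS)))
```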
After gaining initial access to the network, the actors pursued further access to accounts with access to sensitive information on shipments, such as train schedules and shipping manifests. These accounts contained information on aid shipments to Ukraine, including:
sender,
recipient,
train/plane/ship numbers,
point of departure,
destination,
container registration numbers,
travel route, and
cargo contents.
In at least one instance, the actors attempted to use voice phishing [T1566.004] to gain access to privileged accounts by impersonating IT staff.
Malware
Unit 26165’s use of malware in this campaign ranged from gaining initial access to establishing persistence and exfiltrating data. In some cases, the attack chain resulted in multiple pieces of malware being deployed in succession. The actors used dynamic link library (DLL) search order hijacking [T1574.001] to facilitate malware execution. There were a number of known malware variants tied to this campaign against logistics sector victims, including:
HEADLACE [7]
MASEPIE [8]
While other malware variants, such as OCEANMAP and STEELHOOK, [8] were not directly observed targeting logistics or IT entities, their deployment against victims in other sectors in Ukraine and other Western countries suggests that they could be deployed against logistics and IT entities should the need arise.
Persistence
In addition to the abovementioned mailbox permissions abuse, unit 26165 actors also used scheduled tasks [T1053.005], run keys [T1547.001], and placed malicious shortcuts [T1547.009] in the startup folder to establish persistence.
Exfiltration
GRU unit 26165 actors used a variety of methods for data exfiltration that varied based on the victim environment, including both malware and living off the land binaries. PowerShell commands [T1059.001] were often used to prepare data for exfiltration; for example, the actors prepared zip archives [T1560.001] for upload to their own infrastructure.
The actors also used server data exchange protocols and Application Programming Interfaces (APIs) such as Exchange Web Services (EWS) and Internet Message Access Protocol (IMAP) [T1114.002] to exfiltrate data from email servers. In multiple instances, the actors used periodic EWS queries [T1119] to collect new emails sent and received since the last data exfiltration [T1029]. The actors typically used infrastructure in close geographic proximity to the victim. Long gaps between exfiltration, the use of trusted and legitimate protocols, and the use of local infrastructure allowed for long-term collection of sensitive data to go undetected.
Connections to Targeting of IP Cameras
In addition to targeting logistics entities, unit 26165 actors likely used access to private cameras at key locations, such as near border crossings, military installations, and rail stations, to track the movement of materials into Ukraine. The actors also used legitimate municipal services, such as traffic cams.
The actors targeted Real Time Streaming Protocol (RTSP) servers hosting IP cameras primarily located in Ukraine as early as March 2022 in a large-scale campaign, which included attempts to enumerate devices [T1592] and gain access to the cameras’ feeds [T1125]. Actor-controlled servers sent RTSP DESCRIBE requests destined for RTSP servers, primarily hosting IP cameras [T1090.002]. The DESCRIBE requests were crafted to obtain access to IP cameras located on logically distinct networks from that of the routers that received the request. The requests included Base64-encoded credentials for the RTSP server, which included publicly documented default credentials and likely generic attempts to brute force access to the devices [T1110]. An example of an RTSP request is shown in Figure 3.
Successful RTSP 200 OK responses contained a snapshot of the IP camera’s image and IP camera metadata such as video codec, resolution, and other properties depending on the IP camera’s configuration.
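Defenders who operate RTSP servers or a network sensor in front of them can parse the DESCRIBE requests described above and separate credential-guessing from legitimate client traffic. The following is an added example, not code from the advisory: it parses constructed RTSP requests, decodes the Basic Authorization header, and labels each DESCRIBE as a known default-credential attempt, the Hikvision backdoor string quoted in this advisory's IoC list, an ordinary credential, or an unauthenticated request. The addresses, paths, and the default-credential set are assumptions; only the backdoor string comes from the advisory.

```python
"""Parse RTSP DESCRIBE requests and flag credential-guessing attempts (added example, constructed data)."""
import base64
import binascii
import re
from collections import Counter

# Constructed requests as an RTSP server log or a network sensor would record them.
# Addresses, paths and credential strings are illustrative; the one exception is the
# Hikvision backdoor string quoted in the advisory, which decodes to "admin:11\n".
SAMPLE_REQUESTS = [
    "DESCRIBE rtsp://192.0.2.10:554/stream1 RTSP/1.0\r\nCSeq: 2\r\n"
    "Authorization: Basic YWRtaW46YWRtaW4=\r\nAccept: application/sdp\r\n\r\n",
    "DESCRIBE rtsp://192.0.2.10:554/stream1 RTSP/1.0\r\nCSeq: 3\r\n"
    "Authorization: Basic YWRtaW46MTIzNDU2\r\nAccept: application/sdp\r\n\r\n",
    "DESCRIBE rtsp://192.0.2.11:554/h264 RTSP/1.0\r\nCSeq: 2\r\n"
    "Authorization: Basic YWRtaW46MTEK\r\nAccept: application/sdp\r\n\r\n",
    "DESCRIBE rtsp://192.0.2.12:554/live RTSP/1.0\r\nCSeq: 2\r\n"
    "Authorization: Basic b3BlcmF0b3I6Y29ycmVjdGhvcnNl\r\nAccept: application/sdp\r\n\r\n",
    "OPTIONS rtsp://192.0.2.12:554/live RTSP/1.0\r\nCSeq: 1\r\n\r\n",
]

# Publicly documented factory defaults seen in camera credential guessing (assumed,
# illustrative subset; a deployment would use its own vendor-specific list).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "12345"), ("admin", "123456"),
                       ("admin", ""), ("root", "root")}
HIKVISION_BACKDOOR_B64 = "YWRtaW46MTEK"  # string listed in the advisory's IoCs

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z_]+) (?P<url>rtsp://\S+) RTSP/1\.0$")
AUTH_HEADER = re.compile(r"^Authorization:\s*Basic\s+(?P<b64>[A-Za-z0-9+/=]+)\s*$", re.I | re.M)


def parse_request(raw):
    """Return {method, url, b64, user, password} or None if the request line is malformed."""
    first, _, rest = raw.partition("\r\n")
    m = REQUEST_LINE.match(first)
    if not m:
        return None
    info = {"method": m["method"], "url": m["url"], "b64": None, "user": None, "password": None}
    a = AUTH_HEADER.search(rest.replace("\r\n", "\n"))
    if a:
        info["b64"] = a["b64"]
        try:
            decoded = base64.b64decode(a["b64"], validate=True).decode("utf-8", "replace")
        except binascii.Error:
            decoded = ""
        user, _, password = decoded.partition(":")
        info["user"], info["password"] = user, password.rstrip("\r\n")
    return info


def classify(raw):
    """Label a DESCRIBE request: backdoor-string, default-credential, credential or no-auth.
    Non-DESCRIBE methods return None."""
    info = parse_request(raw)
    if info is None or info["method"] != "DESCRIBE":
        return None
    if info["b64"] is None:
        return "no-auth"
    if info["b64"] == HIKVISION_BACKDOOR_B64:
        return "backdoor-string"
    if (info["user"], info["password"]) in DEFAULT_CREDENTIALS:
        return "default-credential"
    return "credential"


def summarize(requests):
    """Count labels across a batch; many default-credential DESCRIBEs spread over many
    camera addresses is the enumeration pattern the advisory describes."""
    return Counter(label for label in map(classify, requests) if label)
```

The comparison against the backdoor string is done on the raw Base64 rather than the decoded value so that the trailing newline it encodes, which a decoded-and-stripped comparison would hide, still distinguishes it from a regular "admin:11" login. A sensor would aggregate the labels per source address and per destination /24 to surface the one-source, many-cameras pattern.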
From a sample available to the authoring agencies of over 10,000 cameras targeted via this effort, the geographic distribution of victims showed a strong focus on cameras in Ukraine and border countries, as shown in Table 1:
Table 1: Geographic distribution of targeted IP cameras
Country | Percentage of Total Attempts
Ukraine | 81.0%
Romania | 9.9%
Poland | 4.0%
Hungary | 2.8%
Slovakia | 1.7%
Others | 0.6%
Mitigation Actions
General Security Mitigations
Architecture and Configuration
Employ appropriate network segmentation [D3-NI] and restrictions to limit access and utilize additional attributes (such as device information, environment, and access path) when making access decisions [D3-AMED].
Consider Zero Trust principles when designing systems. Base product choices on how those products can solve specific risks identified as part of the end-to-end design. [9]
Ensure that host firewalls and network security appliances (e.g., firewalls) are configured to only allow legitimately needed data flows between devices and servers to prevent lateral movement [D3-ITF]. Alert on attempts to connect laterally between host devices or other unusual data flows.
Use automated tools to audit access logs for security concerns and identify anomalous access requests [D3-RAPA].
For organizations using on-premises authentication and email services, block and alert on NTLM/SMB requests to external infrastructure [D3-OTF].
Utilize endpoint detection and response (EDR) and other cybersecurity solutions on all systems, prioritizing high value systems with large amounts of sensitive data, such as mail servers and domain controllers [D3-PM].
Perform threat and attack modeling to understand how sensitive systems may be compromised within an organization’s specific architecture and security controls. Use this to develop a monitoring strategy to detect compromise attempts and select appropriate products to enact this strategy.
Collect and monitor Windows logs for certain events, especially for events that indicate that a log was cleared unexpectedly [D3-SFA].
Enable optional security features in Windows to harden endpoints and mitigate initial access techniques [D3-AH]:
Enable attack surface reduction rules to prevent executable content from email [D3-ABPI].
Enable attack surface reduction rules to prevent execution of files from globally writeable directories, such as Downloads or %APPDATA% [D3-EAL].
Unless users are involved in the development of scripts, limit the local execution of scripts (such as batch scripts, VBScript, JScript/JavaScript, and PowerShell [10]) to known scripts [D3-EI], and audit execution attempts.
Disable Windows Host Scripting functionality and configure PowerShell to run in Constrained mode [D3-ACH].
Where feasible, implement allowlisting for applications and scripts to limit execution to only those needed for authorized activities, blocking all others by default [D3-EAL].
Consider using open source SIGMA rules as a baseline for detecting and alerting on suspicious file execution or command parameters [D3-PSA].
Use services that provide enhanced browsing services and safe link checking [D3-URA]. Significant reductions in successful spearphishing attempts were noted when email providers began offering link checking and automatic file detonation to block malicious content.
Where possible, block logins from public VPNs, including exit nodes in the same country as target systems, or, if they need to be allowed, alert on them for further investigation. Most organizations should not need to allow incoming traffic, especially logins to systems, from VPN services [D3-NAM].
Educate users to only use approved corporate systems for relevant government and military business and avoid the use of personal accounts on cloud email providers to conduct official business. Network administrators should also audit both email and web request logs to detect such activity.
Many organizations may not need to allow outgoing traffic to hosting and API mocking services, which are frequently used by GRU unit 26165. Organizations should consider alerting on or blocking the following services, with exceptions allowlisted for legitimate activity [D3-DNSDL].
*.000[.]pe
*.1cooldns[.]com
*.42web[.]io
*.4cloud[.]click
*.accesscan[.]org
*.bumbleshrimp[.]com
*.camdvr[.]org
*.casacam[.]net
*.ddnsfree[.]com
*.ddnsgeek[.]com
*.ddnsguru[.]com
*.dynuddns[.]com
*.dynuddns[.]net
*.free[.]nf
*.freeddns[.]org
*.frge[.]io
*.glize[.]com
*.great-site[.]net
*.infinityfreeapp[.]com
*.kesug[.]com
*.loseyourip[.]com
*.lovestoblog[.]com
*.mockbin[.]io
*.mockbin[.]org
*.mocky[.]io
*.mybiolink[.]io
*.mysynology[.]net
*.mywire[.]org
*.ngrok[.]io
*.ooguy[.]com
*.pipedream[.]net
*.rf[.]gd
*.urlbae[.]com
*.webhook[.]site
*.webhookapp[.]com
*.webredirect[.]org
*.wuaze[.]com
Heuristic detections for web requests to new subdomains, including of the above providers, may uncover malicious phishing activity [D3-DNRA]. Logging the requests for each sub-domain requested by users on a network, such as in DNS or firewall logs, may enable system administrators to identify new targeting and victims.
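One way to put the list above and the new-subdomain heuristic into practice against DNS logs, as an added example that is not code from the advisory: the wildcard patterns are taken in their published defanged form, refanged, and matched label by label (so a look-alike registrable domain does not match a listed provider); queries under a listed provider are reported, and those never seen during a baseline period are singled out as the first-look set. The log format, client addresses, the allowlist and the baseline set are assumptions.

```python
"""Denylist matching and new-subdomain heuristic over DNS query logs (added example, constructed data)."""

# The advisory's wildcard patterns, copied in their published defanged form.
DENYLIST_DEFANGED = (
    "*.000[.]pe *.1cooldns[.]com *.42web[.]io *.4cloud[.]click *.accesscan[.]org "
    "*.bumbleshrimp[.]com *.camdvr[.]org *.casacam[.]net *.ddnsfree[.]com *.ddnsgeek[.]com "
    "*.ddnsguru[.]com *.dynuddns[.]com *.dynuddns[.]net *.free[.]nf *.freeddns[.]org "
    "*.frge[.]io *.glize[.]com *.great-site[.]net *.infinityfreeapp[.]com *.kesug[.]com "
    "*.loseyourip[.]com *.lovestoblog[.]com *.mockbin[.]io *.mockbin[.]org *.mocky[.]io "
    "*.mybiolink[.]io *.mysynology[.]net *.mywire[.]org *.ngrok[.]io *.ooguy[.]com "
    "*.pipedream[.]net *.rf[.]gd *.urlbae[.]com *.webhook[.]site *.webhookapp[.]com "
    "*.webredirect[.]org *.wuaze[.]com"
)


def refang(pattern):
    """'*.example[.]com' -> 'example.com' (lower-cased, wildcard label removed)."""
    name = pattern.replace("[.]", ".").strip().lower()
    return name[2:] if name.startswith("*.") else name


DENYLIST = {refang(p) for p in DENYLIST_DEFANGED.split()}


def denylist_hit(qname):
    """Return the denylisted suffix that covers qname, or None. Matching is done
    label by label so that 'notngrok.io' does not match 'ngrok.io'."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in DENYLIST:
            return candidate
    return None


# Constructed DNS query log: "timestamp client_ip qname". Not real traffic.
SAMPLE_DNS_LOG = """\
2024-06-12T09:14:03Z 10.0.7.15 www.example.test
2024-06-12T09:14:09Z 10.0.7.15 a1b2c3d4.ngrok.io
2024-06-12T09:15:41Z 10.0.7.22 login-portal.webhook.site
2024-06-12T09:16:05Z 10.0.7.22 cdn.example.test
2024-06-12T09:17:30Z 10.0.7.31 updates.mocky.io
2024-06-12T09:18:12Z 10.0.7.31 notngrok.io
2024-06-12T09:19:00Z 10.0.7.40 devbox.ngrok.io
"""

# Assumed per-organization state: names explicitly approved for business use, and
# names observed during a baseline period (feeds the "new subdomain" heuristic).
ALLOWLIST = {"updates.mocky.io"}
BASELINE_SEEN = {"updates.mocky.io", "devbox.ngrok.io"}


def analyze(log_text, allowlist=ALLOWLIST, baseline=BASELINE_SEEN):
    """Return (blocked, new_subdomains). blocked lists (client, qname, suffix) for
    every non-allowlisted query under a denylisted provider; new_subdomains is the
    subset of those names never seen in the baseline, which deserves first look."""
    blocked, new_subdomains = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname = line.split()
        suffix = denylist_hit(qname)
        if suffix is None or qname in allowlist:
            continue
        blocked.append((client, qname, suffix))
        if qname not in baseline:
            new_subdomains.append(qname)
    return blocked, new_subdomains
```

Allowlist exceptions are exact names rather than suffixes so that approving one legitimate tenant of a hosting provider does not silently approve every other subdomain of it.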
Identity and Access Management
Organizations should take measures to ensure strong access controls and mitigate against common credential theft techniques:
Use MFA with strong factors, such as passkeys or PKI smartcards, and require regular re-authentication [D3-MFA]. [11], [12] Strong authentication factors are not guessable using dictionary techniques, so they resist brute force attempts.
Implement other mitigations for privileged accounts, including limiting the number of admin accounts, considering the use of hardware MFA tokens, and regularly reviewing all privileged user accounts [D3-JFAPA].
Separate privileged accounts by role and alert on misuse of privileged accounts [D3-UAP]. For example, email administrator accounts should be different from domain administrator accounts.
Reduce reliance on passwords; instead, consider using services like single sign-on [D3-TBA].
For organizations using on-premises authentication and email services, plan to disable NTLM entirely and migrate to more robust authentication processes such as PKI certificate authentication.
Do not store passwords in Group Policy Preferences (GPP). Remove all passwords previously included in GPP and change all passwords on the corresponding accounts [D3-CH]. [13]
Use account throttling or account lockout [D3-ANET]:
Throttling is preferred to lockout. Throttling progressively increases time delay between successive login attempts.
Account lockout can leave legitimate users unable to access their accounts and requires access to an account recovery process.
Account lockout can provide a malicious actor with an easy way to launch a Denial of Service (DoS).
If using lockout, then allowing 5 to 10 attempts before lockout is recommended.
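The trade-off in the list above, progressive throttling versus lockout, is easiest to see side by side in code. The following is an added example, not from the advisory: a per-account throttle whose delay doubles with each consecutive failure and resets on success, next to a conventional lockout with the 5-to-10-attempt threshold, both driven by the same simulated sequence of attempts. The base delay, cap and the simulated clock are assumptions.

```python
"""Progressive throttling versus account lockout (added example, not from the advisory)."""
import time


class ProgressiveThrottle:
    """Per-account throttling: the delay before the next attempt is accepted doubles
    with every consecutive failure (1 s, 2 s, 4 s, ... up to max_delay) and a success
    resets it. Nothing is ever permanently locked, so an attacker cannot turn the
    control into a denial of service against the legitimate user."""

    def __init__(self, base_delay=1.0, max_delay=300.0, clock=time.monotonic):
        self.base_delay, self.max_delay, self.clock = base_delay, max_delay, clock
        self._state = {}  # account -> (consecutive failures, earliest next attempt)

    def delay_for(self, failures):
        return 0.0 if failures == 0 else min(self.base_delay * 2 ** (failures - 1), self.max_delay)

    def wait_remaining(self, account):
        """Seconds the caller must still wait before an attempt may proceed (0.0 = now)."""
        _failures, not_before = self._state.get(account, (0, 0.0))
        return max(0.0, not_before - self.clock())

    def record(self, account, success):
        """Record an attempt's outcome; returns the delay imposed on the next attempt."""
        if success:
            self._state.pop(account, None)
            return 0.0
        failures = self._state.get(account, (0, 0.0))[0] + 1
        delay = self.delay_for(failures)
        self._state[account] = (failures, self.clock() + delay)
        return delay


class LockoutPolicy:
    """Conventional lockout for comparison: after `threshold` consecutive failures
    (the advisory recommends 5 to 10) the account stays blocked until an operator
    or a recovery process unlocks it."""

    def __init__(self, threshold=5):
        self.threshold = threshold
        self._failures = {}
        self.locked = set()

    def record(self, account, success):
        if success:
            self._failures.pop(account, None)
            return
        self._failures[account] = self._failures.get(account, 0) + 1
        if self._failures[account] >= self.threshold:
            self.locked.add(account)

    def is_locked(self, account):
        return account in self.locked


def simulate(outcomes, threshold=5):
    """Feed one account's sequence of attempt outcomes (True = success) through both
    policies with a simulated clock. Returns (throttle delays, locked_out)."""
    now = [0.0]
    throttle = ProgressiveThrottle(clock=lambda: now[0])
    lockout = LockoutPolicy(threshold)
    delays = []
    for ok in outcomes:
        assert throttle.wait_remaining("alice") == 0.0  # caller waited out the previous delay
        delays.append(throttle.record("alice", ok))
        lockout.record("alice", ok)
        now[0] += delays[-1]
    return delays, lockout.is_locked("alice")
```

Six consecutive failures cost an attacker 63 seconds of waiting under the throttle and leave the real user able to log in as soon as the delay expires, whereas the lockout has already blocked the account after the fifth failure and stays blocked until someone intervenes.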
Use a service to check for compromised passwords before using them [D3-SPP]. For example, “Have I Been Pwned” can be used to check whether a password has been previously compromised without disclosing the potential password.
Change all default credentials [D3-CRO] and disable protocols that use weak authentication (e.g., clear-text passwords or outdated and vulnerable authentication or encryption protocols) or do not support multi-factor authentication [D3-ACH] [D3-ET]. Always configure access controls carefully to ensure that only well-maintained and well-authenticated accounts have access. [13]
IP Camera Mitigations
The following mitigation techniques for IP cameras can be used to defend against this type of malicious activity:
Ensure IP cameras are currently supported. Replace devices that are out of support.
Apply security patches and firmware updates to all IP cameras [D3-SU].
Disable remote access to the IP camera, if unnecessary [D3-ITF].
Ensure cameras are protected by a security appliance, if possible, such as by using a firewall to prevent communication with the camera from IP addresses not on an allowlist [D3-NAM].
If remote access to IP camera feeds is required, ensure authentication is enabled [D3-AA] and use a VPN to connect remotely [D3-ET]. Use MFA for management accounts if supported [D3-MFA].
Disable Universal Plug and Play (UPnP), Peer-to-Peer (P2P), and Anonymous Visit features on IP cameras and routers [D3-NI].
Turn off other ports/services not in use (e.g., FTP, web interface, etc.) [D3-ACH].
If supported, enable authenticated RTSP access only [D3-AA].
Review all authentication activity for remote access to make sure it is valid and expected [D3-UBA]. Investigate any unexpected or unusual activity.
Audit IP camera user accounts to ensure they are an accurate reflection of your organization and that they are being used as expected [D3-UAP].
Configure, tune, and monitor logging—if available—on the IP camera.
Indicators of Compromise (IOCs)
Note: Specific IoCs may no longer be actor controlled, may themselves be compromised infrastructure or email accounts, or may be shared infrastructure such as public VPN or Tor exit nodes. Care should be taken when triaging logs or developing detection rules based on these indicators. GRU unit 26165 almost certainly uses extensive further infrastructure and TTPs not specifically listed in this report.
Utilities and scripts
Legitimate utilities
Unauthorized or unusual use of the following legitimate utilities can be an indication of a potential compromise:
ntdsutil – A legitimate Windows executable used by threat actors to export contents of Active Directory
wevtutil – A legitimate Windows executable used by threat actors to delete event logs
vssadmin – A legitimate Windows executable possibly used by threat actors to make a copy of the server’s C: drive
ADexplorer – A legitimate Windows executable to view, edit, and back up Active Directory Certificate Services
OpenSSH – The Windows version of a legitimate open source SSH client
schtasks – A legitimate Windows executable used to create persistence using scheduled tasks
whoami – A legitimate Windows executable used to retrieve the name of the current user
tasklist – A legitimate Windows executable used to retrieve the list of running processes
hostname – A legitimate Windows executable used to retrieve the device name
arp – A legitimate Windows executable used to retrieve the ARP table for mapping the network environment
systeminfo – A legitimate Windows executable used to retrieve a comprehensive summary of device and operating system information
net – A legitimate Windows executable used to retrieve detailed user information
wmic – A legitimate Windows executable used to interact with Windows Management Instrumentation (WMI), such as to retrieve letters assigned to logical partitions on storage drives
cacls – A legitimate Windows executable used to modify permissions on files
icacls – A legitimate Windows executable used to modify permissions to files and handle integrity levels and ownership
ssh – A legitimate Windows executable used to establish network shell connections
reg – A legitimate Windows executable used to add to or modify the system registry
Note: Additional heuristics are needed for effective hunting for these and other living off the land (LOTL) binaries to avoid being overwhelmed by false positives if these legitimate management tools are used regularly. See the joint guide, Identifying and Mitigating Living Off the Land Techniques, for guidance on developing a multifaceted cybersecurity strategy that enables behavior analytics, anomaly detection, and proactive hunting, which are part of a comprehensive approach to mitigating cyber threats that employ LOTL techniques.
Malicious scripts
Certipy – An open source Python tool for enumerating and abusing Active Directory Certificate Services
Get-GPPPassword.py – An open source Python script for finding insecure passwords stored in Group Policy Preferences
ldap-dump.py – A script for enumerating user accounts and other information in Active Directory
Hikvision backdoor string: “YWRtaW46MTEK”
Suspicious command lines
While the following utilities are legitimate, and using them with the command lines shown may also be legitimate, these command lines are often used during malicious activities and could be an indication of a compromise:
edge.exe "-headless-new -disable-gpu"
ntdsutil.exe "activate instance ntds" ifm "create full C:\temp\[a-z]{3}" quit quit
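As an added example that is not from the advisory, the following matches constructed process-creation events against hunting patterns for the command lines just listed and for the persistence mechanisms (scheduled tasks, run keys) described earlier, and implements the kind of additional heuristic the note above calls for: a burst of distinct discovery utilities from one host and user within a short window, which separates an actor's hands-on enumeration from an administrator's occasional use of the same binaries. Hosts, users, paths and the exact regular expressions are assumptions.

```python
"""Match process-creation events against the command lines listed above (added example, constructed events)."""
import re

# Hunting patterns derived from the utilities and command lines the advisory lists.
# Each regex runs over the full command line; the label names the hypothesis.
PATTERNS = [
    ("ntdsutil-ifm-dump", re.compile(r"ntdsutil(\.exe)?.*activate instance ntds.*\bifm\b.*create full", re.I)),
    ("wevtutil-clear-log", re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("vssadmin-shadow-copy", re.compile(r"vssadmin(\.exe)?\s+create\s+shadow\b", re.I)),
    ("schtasks-create", re.compile(r"schtasks(\.exe)?\s+/create\b", re.I)),
    ("run-key-add", re.compile(r"reg(\.exe)?\s+add\b.*\\CurrentVersion\\Run\b", re.I)),
    ("edge-headless", re.compile(r"(msedge|edge)(\.exe)?.*-headless", re.I)),
]

# Discovery utilities from the advisory's list; one of them is routine, a burst is not.
DISCOVERY_BINARIES = {"whoami.exe", "tasklist.exe", "hostname.exe", "arp.exe",
                      "systeminfo.exe", "net.exe", "wmic.exe"}

# Constructed process-creation events (seconds offset, host, user, command line).
# Hosts, users and paths are illustrative only.
SAMPLE_EVENTS = [
    {"t": 0, "host": "DC01", "user": "CORP\\svc-backup",
     "cmd": 'ntdsutil.exe "activate instance ntds" ifm "create full C:\\temp\\abc" quit quit'},
    {"t": 5, "host": "DC01", "user": "CORP\\svc-backup", "cmd": "wevtutil.exe cl Security"},
    {"t": 30, "host": "DC01", "user": "CORP\\svc-backup",
     "cmd": "schtasks.exe /create /tn Updater /tr C:\\Users\\Public\\upd.exe /sc onlogon"},
    {"t": 40, "host": "DC01", "user": "CORP\\svc-backup",
     "cmd": "reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v upd /t REG_SZ /d C:\\Users\\Public\\upd.exe"},
    {"t": 100, "host": "WS07", "user": "CORP\\jdoe", "cmd": "whoami.exe /all"},
    {"t": 104, "host": "WS07", "user": "CORP\\jdoe", "cmd": "hostname.exe"},
    {"t": 109, "host": "WS07", "user": "CORP\\jdoe", "cmd": "tasklist.exe /v"},
    {"t": 115, "host": "WS07", "user": "CORP\\jdoe", "cmd": "arp.exe -a"},
    {"t": 121, "host": "WS07", "user": "CORP\\jdoe", "cmd": "systeminfo.exe"},
    {"t": 900, "host": "WS12", "user": "CORP\\admin1", "cmd": "wmic.exe logicaldisk get caption"},
    {"t": 950, "host": "WS12", "user": "CORP\\admin1",
     "cmd": "msedge.exe --headless=new --disable-gpu https://intranet.example.test/"},
]


def match_patterns(events):
    """Return [(t, host, label)] for every event whose command line matches a pattern."""
    return [(e["t"], e["host"], label)
            for e in events for label, rx in PATTERNS if rx.search(e["cmd"])]


def discovery_bursts(events, min_distinct=4, window=300):
    """Flag (host, user) pairs that ran at least min_distinct different discovery
    binaries within `window` seconds; returns [((host, user), sorted binaries)]."""
    runs_by_actor = {}
    for e in events:
        binary = e["cmd"].split()[0].lower().rsplit("\\", 1)[-1]
        if binary in DISCOVERY_BINARIES:
            runs_by_actor.setdefault((e["host"], e["user"]), []).append((e["t"], binary))
    flagged = []
    for actor, runs in runs_by_actor.items():
        runs.sort()
        for i, (t0, _) in enumerate(runs):
            seen = {b for t, b in runs[i:] if t - t0 <= window}
            if len(seen) >= min_distinct:
                flagged.append((actor, sorted(seen)))
                break
    return flagged
```

The single wmic call on WS12 produces nothing on its own; it is the five distinct discovery binaries from one user on WS07 inside 21 seconds, and the ntdsutil export followed by a log clear and two persistence mechanisms from the same service account on DC01, that would be escalated.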
Disclaimer: These IP addresses date from June 2024 through August 2024. The authoring agencies recommend organizations investigate or vet these IP addresses prior to taking action, such as blocking.
June 2024
July 2024
August 2024
192[.]162[.]174[.]94
207[.]244[.]71[.]84
31[.]135[.]199[.]145
79[.]184[.]25[.]198
91[.]149[.]253[.]204
103[.]97[.]203[.]29
162[.]210[.]194[.]2
31[.]42[.]4[.]138
79[.]185[.]5[.]142
91[.]149[.]254[.]75
209[.]14[.]71[.]127
46[.]112[.]70[.]252
83[.]10[.]46[.]174
91[.]149[.]255[.]122
109[.]95[.]151[.]207
46[.]248[.]185[.]236
83[.]168[.]66[.]145
91[.]149[.]255[.]19
64[.]176[.]67[.]117
83[.]168[.]78[.]27
91[.]149[.]255[.]195
64[.]176[.]69[.]196
83[.]168[.]78[.]31
91[.]221[.]88[.]76
64[.]176[.]70[.]18
83[.]168[.]78[.]55
93[.]105[.]185[.]139
64[.]176[.]70[.]238
83[.]23[.]130[.]49
95[.]215[.]76[.]209
64[.]176[.]71[.]201
83[.]29[.]138[.]115
138[.]199[.]59[.]43
70[.]34[.]242[.]220
89[.]64[.]70[.]69
147[.]135[.]209[.]245
70[.]34[.]243[.]226
90[.]156[.]4[.]204
178[.]235[.]191[.]182
70[.]34[.]244[.]100
91[.]149[.]202[.]215
178[.]37[.]97[.]243
70[.]34[.]245[.]215
91[.]149[.]203[.]73
185[.]234[.]235[.]69
70[.]34[.]252[.]168
91[.]149[.]219[.]158
192[.]162[.]174[.]67
70[.]34[.]252[.]186
91[.]149[.]219[.]23
194[.]187[.]180[.]20
70[.]34[.]252[.]222
91[.]149[.]223[.]130
212[.]127[.]78[.]170
70[.]34[.]253[.]13
91[.]149[.]253[.]118
213[.]134[.]184[.]167
70[.]34[.]253[.]247
91[.]149[.]253[.]198
70[.]34[.]254[.]245
91[.]149[.]253[.]20
Detections
Customized NTLM listener
rule APT28_NTLM_LISTENER {
    meta:
        description = "Detects NTLM listeners including APT28's custom one"
    condition:
        (
            ( any of ($sysinternals_*) and any of ($psexec_*) )
            or
            ( 2 of ($network_*) and 2 of ($psexec_*) )
        )
}
The cybersecurity industry provides overlapping cyber threat intelligence, IOCs, and mitigation recommendations related to GRU unit 26165 cyber actors. While not all-encompassing, the following are the most notable threat group names that map to MITRE ATT&CK G0007 and are commonly used within the cybersecurity community:
APT28 [14]
Fancy Bear [14]
Forest Blizzard [14]
Blue Delta [15]
Note: Cybersecurity companies have different methods of tracking and attributing cyber actors, and this may not be a 1:1 correlation to the U.S. government’s understanding for all activity related to these groupings.
Further Reference
To search for the presence of malicious email messages targeting CVE-2023-23397, network defenders may consider using the script published by Microsoft: https://aka.ms/CVE-2023-23397ScriptDoc.
For the Impacket TTP, network defenders may consider using the following publicly available Impacket YARA detection rule: https://github.com/Neo23x0/signature-base/blob/master/yara/gen_impacket_tools.yar
Works Cited
[1] Microsoft. Defending Ukraine: Early Lessons from the Cyber War. 2022. https://blogs.microsoft.com/on-the-issues/2022/06/22/defending-ukraine-early-lessons-from-the-cyber-war/
[2] FBI et al. Russian Cyber Actors Use Compromised Routers to Facilitate Cyber Operations. 2024. https://media.defense.gov/2024/Feb/27/2003400753/-1/-1/0/CSA-Russian-Actors-Use-Routers-Facilitate-Cyber_Operations.PDF
[3] NSA et al. Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. 2021. https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/0/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF
[4] ANSSI. Campagnes d'attaques du mode opératoire APT28 depuis 2021. 2023. https://cert.ssi.gouv.fr/cti/CERTFR-2023-CTI-009/
[5] ANSSI. Targeting and compromise of French entities using the APT28 intrusion set. 2025. https://cert.ssi.gouv.fr/cti/CERTFR-2025-CTI-007/
[6] Polish Cyber Command. Detecting Malicious Activity Against Microsoft Exchange Servers. 2023. https://www.wojsko-polskie.pl/woc/articles/aktualnosci-w/detecting-malicious-activity-against-microsoft-exchange-servers/
[7] IBM. Israel-Hamas Conflict Lures to Deliver Headlace Malware. 2023. https://securityintelligence.com/x-force/itg05-ops-leverage-israel-hamas-conflict-lures-to-deliver-headlace-malware/
[8] CERT-UA. APT28: From Initial Attack to Creating Domain Controller Threats in an Hour. 2023. https://cert.gov.ua/article/6276894
[9] NSA. Embracing a Zero Trust Security Model. 2021. https://media.defense.gov/2021/Feb/25/2002588479/-1/-1/0/CSI_EMBRACING_ZT_SECURITY_MODEL_UOO115131-21.PDF
[10] NSA et al. Keeping PowerShell: Security Measures to Use and Embrace. 2022. https://media.defense.gov/2022/Jun/22/2003021689/-1/-1/0/CSI_KEEPING_POWERSHELL_SECURITY_MEASURES_TO_USE_AND_EMBRACE_20220622.PDF
[11] National Institute of Standards and Technology (NIST). Special Publication 800-63B: Digital Identity Guidelines – Authentication and Lifecycle Management. 2020. https://pages.nist.gov/800-63-3/sp800-63b.html
[12] NSA. Selecting Secure Multi-factor Authentication Solutions. October 16, 2020. https://media.defense.gov/2024/Jul/31/2003515137/-1/-1/0/MULTIFACTOR_AUTHENTICATION_SOLUTIONS_UOO17091520.PDF
[13] NSA and CISA. NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations. 2023. https://media.defense.gov/2023/Oct/05/2003314578/-1/-1/0/JOINT_CSA_TOP_TEN_MISCONFIGURATIONS_TLP-CLEAR.PDF
[14] Department of Justice. Justice Department Conducts Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU). 2024. https://www.justice.gov/archives/opa/pr/justice-department-conducts-court-authorized-disruption-botnet-controlled-russian
[15] Recorded Future. GRU’s BlueDelta Targets Key Networks in Europe with Multi-Phase Espionage Campaigns. 2024. https://go.recordedfuture.com/hubfs/reports/CTA-RU-2024-0530.pdf
Disclaimer of endorsement
The information and opinions contained in this document are provided "as is" and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.
Purpose
This document was developed in furtherance of the authoring agencies’ cybersecurity missions, including their responsibilities to identify and disseminate threats and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.
Contact
United States organizations
National Security Agency (NSA)
Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI)
U.S. organizations are encouraged to report suspicious or criminal activity related to information in this advisory to CISA via the agency’s Incident Reporting System, its 24/7 Operations Center (report@cisa.gov or 888-282-0870), or your local FBI field office. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.
Department of Defense Cyber Crime Center (DC3)
United Kingdom organizations
Germany organizations
Czech Republic organizations
Poland organizations
Australian organizations
Visit cyber.gov.au or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and access alerts and advisories.
Canadian organizations
Estonia organizations
French organizations
French organizations are encouraged to report suspicious activity or incidents related to information found in this advisory by contacting ANSSI/CERT-FR by email at cert-fr@ssi.gouv.fr or by phone at 3218 or +33 9 70 83 32 18.
See Table 2 through Table 14 for all the threat actor tactics and techniques referenced in this advisory.
Table 2: Reconnaissance
Tactic/Technique Title | ID | Use
Reconnaissance | TA0043 | Conducted reconnaissance on at least one entity involved in the production of ICS components for railway management. Conducted contact information reconnaissance to identify additional targets in key positions.
Gather Victim Org Information | T1591 | Conducted reconnaissance of the cybersecurity department.
Gather Victim Org Information: Identify Roles | T1591.004 | Conducted reconnaissance of individuals responsible for coordinating transport.
Gather Victim Org Information: Business Relationships | T1591.002 | Conducted reconnaissance of other companies cooperating with the victim entity.
Gather Victim Host Information | T1592 | Attempted to enumerate Real Time Streaming Protocol (RTSP) servers hosting IP cameras.
Table 3: Resource development
Tactic/Technique Title | ID | Use
Compromise Accounts: Email Accounts | T1586.002 | Sent phishing emails using compromised accounts.
Compromise Accounts: Cloud Accounts | T1586.003 | Sent phishing emails using compromised accounts.
Table 4: Initial Access
Tactic/Technique Title | ID | Use
Trusted Relationship | T1199 | Conducted follow-on targeting of additional entities in the transportation sector that had business ties to the primary target, exploiting trust relationships to attempt to gain additional access.
Phishing | T1566 | Used spearphishing for credentials and delivering malware to gain initial access to targeted entities.
Phishing: Spearphishing Attachment | T1566.001 | Sent emails with malicious attachments.
Phishing: Spearphishing Link | T1566.002 | Used spearphishing with included links to fake login pages. Sent emails with embedded hyperlinks that downloaded a malicious archive.
Phishing: Spearphishing Voice | T1566.004 | Attempted to use voice phishing to gain access to privileged accounts by impersonating IT staff.
External Remote Services | T1133 | Exploited Internet-facing infrastructure, including corporate VPNs, to gain initial access to targeted entities.
Exploit Public-Facing Application | T1190 | Exploited public vulnerabilities and SQL injection to gain initial access to targeted entities.
Content Injection | T1659 | Leveraged a WinRAR vulnerability allowing for the execution of arbitrary code embedded in an archive.
Table 5: Execution
Tactic/Technique Title | ID | Use
User Execution: Malicious Link | T1204.001 | Used malicious links to hosted shortcuts in spearphishing.
User Execution: Malicious File | T1204.002 | Delivered malware executables via spearphishing.
Scheduled Task/Job: Scheduled Task | T1053.005 | Used scheduled tasks to establish persistence.
Command and Scripting Interpreter | T1059 | Delivered scripts in spearphishing. Executed arbitrary shell commands.
Command and Scripting Interpreter: PowerShell | T1059.001 | PowerShell commands were often used to prepare data for exfiltration.
Command and Scripting Interpreter: Windows Command Shell | T1059.003 | Used BAT script in spearphishing.
Command and Scripting Interpreter: Visual Basic | T1059.005 | Used VBScript in spearphishing.
Command and Scripting Interpreter: Python | T1059.006 | Installed Python on infected machines to enable the execution of Certipy.
Table 6: Persistence
Tactic/Technique Title | ID | Use
 | | Enrolled compromised accounts in MFA mechanisms to increase the trust-level of compromised accounts and enable sustained access.
Hijack Execution Flow: DLL Search Order Hijacking | T1574.001 | Used DLL search order hijacking to facilitate malware execution.
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | T1547.001 | Used run keys to establish persistence.
Boot or Logon Autostart Execution: Shortcut Modification | T1547.009 | Placed malicious shortcuts in the startup folder to establish persistence.
Table 7: Defense Evasion
Tactic/Technique Title | ID | Use
Indicator Removal: Clear Windows Event Logs | T1070.001 | Deleted event logs through the wevtutil utility.
Table 8: Credential access
Tactic/Technique Title | ID | Use
Brute Force | T1110 | Sent requests with Base64-encoded credentials for the RTSP server, which included publicly documented default credentials, and likely were generic attempts to brute force access to the devices.
Brute Force: Password Guessing | T1110.001 | Used credential guessing to gain initial access to targeted entities.
Brute Force: Password Spraying | T1110.003 | Used brute force to gain initial access to targeted entities. Conducted a brute force password spray via LDAP.
Multi-Factor Authentication Interception | | Used multi-stage redirectors to provide MFA relaying capabilities in some campaigns.
Input Capture | | Used multi-stage redirectors to provide CAPTCHA relaying capabilities in some campaigns.
Forced Authentication | | Used an Outlook NTLM vulnerability to collect NTLM hashes and credentials via specially crafted Outlook calendar appointment invitations.
OS Credential Dumping: NTDS | T1003.003 | Attempted to dump Active Directory NTDS.dit domain databases.
Unsecured Credentials: Group Policy Preferences | T1552.006 | Retrieved plaintext passwords via Group Policy Preferences using Get-GPPPassword.py.
Table 9: Discovery
Tactic/Technique Title | ID | Use
Account Discovery: Domain Account | T1087.002 | Used a modified ldap-dump.py to enumerate the Windows environment.
Table 10: Command and Control
Tactic/Technique Title | ID | Use
Hide Infrastructure | T1665 | Abused SOHO devices to facilitate covert cyber operations, as well as proxy malicious activity, via devices with geolocation in proximity to the target.
Proxy: External Proxy | T1090.002 | Actor-controlled servers sent RTSP DESCRIBE requests destined for RTSP servers.
Proxy: Multi-hop Proxy | T1090.003 | Used Tor and commercial VPNs as part of their anonymization infrastructure.
Encrypted Channel | T1573 | Connected to victim infrastructure using encrypted TLS.
Multi-Stage Channels | T1104 | Used multi-stage redirectors for campaigns.
Table 11: Defense evasion (mobile framework)
Tactic/Technique Title | ID | Use
Execution Guardrails | T1627 | Used multi-stage redirectors to verify browser fingerprints in some campaigns.
Execution Guardrails: Geofencing | T1627.001 | Used multi-stage redirectors to verify IP-geolocation in some campaigns.
Table 12: Lateral movement
Tactic/Technique Title | ID | Use
Lateral Movement | | Used native commands and open source tools, such as Impacket and PsExec, to move laterally within the environment.
Remote Services: Remote Desktop Protocol | T1021.001 | Moved laterally within the network using RDP.
Table 13: Collection
Tactic/Technique Title | ID | Use
Email Collection | T1114 | Retrieved sensitive data from email servers.
Email Collection: Remote Email Collection | T1114.002 | Used server data exchange protocols and APIs such as Exchange Web Services (EWS) and IMAP to exfiltrate data from email servers.
Automated Collection | T1119 | Used periodic EWS queries to collect new emails.
Video Capture | T1125 | Attempted to gain access to the cameras’ feeds.
Archive Collected Data | T1560 | Accessed files were archived in .zip files prior to exfiltration.
Archive Collected Data: Archive via Utility | T1560.001 | Prepared zip archives for upload to the actors’ infrastructure.
Table 14: Exfiltration
Tactic/Technique Title | ID | Use
Exfiltration Over Alternative Protocol | | Attempted to exfiltrate archived data via a previously dropped OpenSSH binary.
Scheduled Transfer | T1029 | Used periodic EWS queries to collect new emails sent and received since the last data exfiltration.
Appendix B: CVEs exploited
Table 15: Exploited CVE information
CVE | Vendor/Product | Details
CVE-2023-38831 | RARLAB WinRAR | Allows execution of arbitrary code when a user attempts to view a benign file within a ZIP archive.
CVE-2023-23397 | Microsoft Outlook | External actors could send specially crafted emails that cause a connection from the victim to an untrusted location of the actor’s control, leaking the Net-NTLMv2 hash of the victim that the actor could then relay to another service to authenticate as the victim.
CVE-2021-44026 | Roundcube Webmail | Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search params.
CVE-2020-35730 | Roundcube Webmail | An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16 and 1.4.x before 1.4.10, where a plaintext email message with JavaScript in a link reference element is mishandled by linkref_addindex in rcube_string_replacer.php.
CVE-2020-12641 | Roundcube Webmail | Roundcube Webmail before 1.4.4 allows arbitrary code execution via shell metacharacters in a configuration setting for im_convert_path or im_identify_path in rcube_image.php.
Appendix C: MITRE D3FEND Countermeasures
Table 16: MITRE D3FEND countermeasures
Countermeasure Title
ID
Details
Network Isolation
Employ appropriate network segmentation. Disable Universal Plug and Play (UPnP), Peer-to-Peer (P2P), and Anonymous Visit features on IP cameras and routers.
Access Mediation
Limit access and utilize additional attributes (such as device information, environment, and access path) when making access decisions. Configure access controls carefully to ensure that only well-maintained and well-authenticated accounts have access.
Inbound Traffic Filtering
Implement host firewall rules to block connections from other devices on the network, other than from authorized management devices and servers, to prevent lateral movement.
Resource Access Pattern Analysis
Use automated tools to audit access logs for security concerns and identify anomalous access requests.
Outbound Traffic Filtering
Block NTLM/SMB requests to external infrastructure.
Platform Monitoring
Install EDR/logging/cybersecurity solutions onto high value systems with large amounts of sensitive data such as mail servers and domain controllers.
System File Analysis
Collect and monitor Windows logs for certain events, especially for events that indicate that a log was cleared unexpectedly.
Application Hardening
Enable optional security features in Windows to harden endpoints and mitigate initial access techniques.
Application-based Process Isolation
Enable attack surface reduction rules to prevent executable content from email.
Executable Allowlisting
Enable attack surface reduction rules to prevent execution of files from globally writeable directories, such as Downloads or %APPDATA%.
Execution Isolation
Unless users are involved in the development of scripts, limit the execution of scripts (such as batch, JavaScript, and PowerShell) to known scripts.
Application Configuration Hardening
Disable Windows Host Scripting functionality and configure PowerShell to run in Constrained mode. Disable protocols that use weak authentication (e.g., clear-text passwords, or outdated and vulnerable authentication or encryption protocols) or do not support multi-factor authentication. Turn off other ports/services not in use (e.g., FTP, web interface, etc.).
Process Spawn Analysis
Use open source SIGMA rules as a baseline for detecting and alerting on suspicious file execution or command parameters.
URL Reputation Analysis
Use services that provide safe-browsing protection and link checking before a URL is opened.
Network Access Mediation
Do not allow incoming traffic, especially logins to systems, from public VPN services. Where possible, logins from public VPNs, including exit nodes in the same country as target systems, should be blocked or, if allowed, alerted on for further investigation. Ensure cameras and other Internet of Things devices are protected by a security appliance, if possible.
DNS Denylisting (D3-DNSDL)
Do not allow outgoing traffic to hosting and API mocking services frequently used by malicious actors.
Domain Name Reputation Analysis
Heuristic detections for web requests to new subdomains may uncover malicious phishing activity. Logging the requests for each sub-domain requested by users on a network, such as in DNS or firewall logs, may enable system administrators to identify new targeting and victims.
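One way to implement the heuristic above: build a baseline of query names seen during a quiet period, then report registrable domains under which several never-before-seen subdomains appear, together with the clients that asked for them (phishing infrastructure often uses one fresh subdomain per target). This is an added example written for this page, not code from the advisory. The resolver log format (`<ISO timestamp> <client> <qtype> <qname>`), the sample lines and the `.example` domains are constructed. Registrable-domain extraction takes the last two labels, which is wrong for multi-label suffixes such as `co.uk`; a production version should use the Public Suffix List.

```python
"""First-seen subdomain heuristic over resolver logs (added example)."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed resolver log lines: "<ISO timestamp> <client> <qtype> <qname>".
SAMPLE_LOG = """\
2025-05-19T08:00:01Z 10.0.0.5 A www.corp.example
2025-05-19T08:00:02Z 10.0.0.7 A mail.corp.example
2025-05-19T09:12:44Z 10.0.0.9 A www.corp.example
2025-05-21T10:01:13Z 10.0.0.5 A secure-login-acme.webmail-verify.example
2025-05-21T10:03:50Z 10.0.0.9 A account-review-acme.webmail-verify.example
2025-05-21T10:05:02Z 10.0.0.5 A www.corp.example
2025-05-21T11:30:00Z 10.0.0.7 A cdn.corp.example
"""

# Everything before this instant is treated as the learning baseline.
BASELINE_END = datetime(2025, 5, 21, tzinfo=timezone.utc)


def parse_dns_log(text):
    """Parse the constructed log format into dicts with tz-aware timestamps."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qtype, qname = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "client": client,
            "qtype": qtype,
            "qname": qname.lower().rstrip("."),
        })
    return records


def registrable_domain(qname):
    """Approximation: last two labels. Use the Public Suffix List in production."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def new_subdomains(records, baseline_end):
    """Map each subdomain first queried after baseline_end to its first-seen time and clients."""
    known = {r["qname"] for r in records if r["ts"] < baseline_end}
    seen = defaultdict(lambda: {"first_seen": None, "clients": set()})
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["ts"] < baseline_end or r["qname"] in known:
            continue
        if r["qname"] == registrable_domain(r["qname"]):
            continue  # apex query, not a subdomain
        entry = seen[r["qname"]]
        entry["first_seen"] = entry["first_seen"] or r["ts"]
        entry["clients"].add(r["client"])
    return dict(seen)


def suspicious_parents(records, baseline_end, min_new=2):
    """Registrable domains with at least min_new fresh subdomains; each entry is
    (subdomain, first_seen, sorted client list) so analysts can see who was targeted."""
    by_parent = defaultdict(list)
    for qname, info in new_subdomains(records, baseline_end).items():
        by_parent[registrable_domain(qname)].append(
            (qname, info["first_seen"], sorted(info["clients"]))
        )
    return {p: sorted(v) for p, v in by_parent.items() if len(v) >= min_new}


if __name__ == "__main__":
    for parent, entries in suspicious_parents(parse_dns_log(SAMPLE_LOG), BASELINE_END).items():
        print(parent)
        for qname, first_seen, clients in entries:
            print(f"  {first_seen.isoformat()}  {qname}  clients={clients}")
```

With the sample data, `corp.example` gains one new name (`cdn`) and stays below the threshold, while `webmail-verify.example` gains two and is reported with the two internal clients that resolved them. Tune `min_new` and the baseline window to the network; CDNs and SaaS providers also mint subdomains constantly, so an allowlist of known-noisy parents is the usual next step.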
Multi-factor Authentication
Use MFA with strong factors and require regular re-authentication, especially for management accounts.
Job Function Access Pattern Analysis (D3-JFAPA)
Implement additional mitigations for privileged accounts, including limiting the number of admin accounts, considering hardware MFA tokens, and regularly reviewing all privileged user accounts.
User Account Permissions
Separate privileged accounts by role and alert on misuse of privileged accounts. Audit user accounts on all devices to ensure they are an accurate reflection of your organization and that they are being used as expected.
Token-based Authentication
Reduce reliance on passwords; instead, consider using services like single sign-on.
Credential Hardening
Do not store passwords in Group Policy Preferences (GPP). Remove all passwords previously included in GPP and change all passwords on the corresponding accounts.
Authentication Event Thresholding
Use account throttling or account lockout. Throttling progressively increases the delay between successive login attempts. If using account lockout, allow between 5 and 10 failed attempts before locking the account.
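The two controls above can be combined: progressive delay after each failure, and a hard lockout once the failure count reaches the threshold. The following is an added example for this page, not code from the advisory. It keeps per-account state keyed by account name and takes the current time as a parameter so the behaviour is deterministic and testable; the threshold of 5 used in the demo is at the low end of the 5 to 10 range the advisory gives, and the base delay, cap and lockout duration are illustrative choices.

```python
"""Progressive throttling with lockout for authentication attempts (added example)."""
from dataclasses import dataclass, field


@dataclass
class AccountState:
    failures: int = 0          # consecutive failures since last success
    next_allowed: float = 0.0  # epoch seconds before which attempts are throttled
    locked_until: float = 0.0  # epoch seconds until which the account is locked


@dataclass
class LoginGuard:
    base_delay: float = 1.0        # delay after the first failure
    max_delay: float = 60.0        # cap on the exponential delay
    lockout_threshold: int = 8     # advisory: between 5 and 10 failures
    lockout_seconds: float = 900.0
    _accounts: dict = field(default_factory=dict)

    def _state(self, account):
        return self._accounts.setdefault(account, AccountState())

    def attempt(self, account, credential_ok, now):
        """Process one login attempt.

        Returns (status, retry_at) where status is one of
        'accepted', 'rejected', 'throttled', 'locked'. Credentials are only
        checked when the account is neither throttled nor locked, so a correct
        password during a delay window is still refused (no timing oracle).
        """
        st = self._state(account)
        if now < st.locked_until:
            return ("locked", st.locked_until)
        if now < st.next_allowed:
            return ("throttled", st.next_allowed)

        if credential_ok:
            self._accounts[account] = AccountState()  # reset counters on success
            return ("accepted", None)

        st.failures += 1
        if st.failures >= self.lockout_threshold:
            st.locked_until = now + self.lockout_seconds
            st.next_allowed = st.locked_until
            return ("locked", st.locked_until)

        # Exponential back-off: 1, 2, 4, 8 ... seconds, capped at max_delay.
        delay = min(self.base_delay * 2 ** (st.failures - 1), self.max_delay)
        st.next_allowed = now + delay
        return ("rejected", st.next_allowed)


if __name__ == "__main__":
    guard = LoginGuard(lockout_threshold=5)
    t = 0.0
    for _ in range(6):
        status, retry_at = guard.attempt("alice", False, t)
        print(f"t={t:6.1f}  {status:9s}  retry_at={retry_at}")
        t = retry_at
```

Lockout keyed only by account name lets an attacker who knows usernames deny service to legitimate users by deliberately failing; throttling alone does not have that property, which is why the advisory presents them as alternatives and why many deployments key the lockout on account plus source address, or use lockout only for privileged accounts.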
Strong Password Policy
Use a service to check for compromised passwords before using them.
Credential Rotation
Change all default credentials.
Encrypted Tunnels
Disable protocols that use weak authentication (e.g., clear-text passwords, or outdated and vulnerable authentication or encryption protocols). Use a VPN for remote connections to devices.
Software Update
Apply security patches and firmware updates to all devices. Ensure devices are currently supported. Replace devices that are end-of-life.
Agent Authentication
Ensure authentication is enabled for remote access to devices. If supported on IP cameras, enable authenticated RTSP access only.
User Behavior Analysis
Review all authentication activity for remote access to make sure it is valid and expected. Investigate any unexpected or unusual activity.
The EU aims to become the first climate-neutral continent in the world by 2050. Since the announcement of the European Green Deal and following the adoption of the European Climate Law in 2021, the EU’s climate agenda has been built even more around the principle of carbon pricing. The EU emissions trading system (ETS) is, today, the cornerstone of the EU’s strategy to achieve this vision, complemented by a mix of industrial, energy and climate policies. Currently, the EU ETS covers stationary (power and industrial) installations, domestic aviation and maritime transport. Following the revision of the EU ETS Directive, greenhouse gas (GHG) emissions from buildings, road transport and additional sectors not covered by the existing EU ETS will be covered under a new ETS2. Carbon pricing is expected to regulate around 75 % of EU GHG emissions from 2027. Following the adoption of the revised ETS Directive in 2023, Member States had to transpose the ETS2 into national law. The ETS2 will target GHG emissions from fuel for the sectors covered. Fuel suppliers have to buy and surrender emissions allowances and are likely to pass on the cost of this new instrument to final consumers. Consumers are likely to face higher energy bills if they do not switch to low-carbon technologies, which is why the ETS2, while aiming to achieve climate objectives, has become a social concern. A new Social Climate Fund will support the switch to low-carbon technologies in the building and transport sectors, including but not only through direct payments for vulnerable households impacted by the new ETS2. However, some stakeholders have claimed that the Social Climate Fund will not be enough and are asking for the ETS2 to be delayed or modified. This briefing looks at the recent issues and concerns that have been raised regarding the ETS2.
Source: People’s Republic of China in Russian
Source: People’s Republic of China – State Council News
URUMQI, May 21 (Xinhua) — A cargo plane carrying 51 tonnes of e-commerce goods took off from northwest China’s Xinjiang Uygur Autonomous Region on Wednesday and arrived in Estonia’s capital Tallinn, marking the launch of the first direct cargo air route from Xinjiang to the Baltic region.
The new route will be operated once a week by a Boeing 767 cargo aircraft, with a one-way flight time of approximately 11 hours. Compared with conventional aircraft, this aircraft offers 30 percent more cargo capacity, primarily transporting light industry products such as clothing and daily necessities, effectively reducing logistics costs.
According to Feng Liang, general manager of Xinjiang Wanshengtong Supply Chain Management Co, Ltd., the air route will provide Chinese merchants with the opportunity to directly interact with e-commerce platforms in Northern Europe and help improve the shopping experience of consumers in the region.
To date, 20 international cargo air routes have been launched from Xinjiang’s capital Urumqi to 20 cities, including 12 routes covering key hubs in Northern, Eastern and Western Europe.
From January to April 2025, the customs office of Urumqi Diwopu International Airport handled 1,584 cargo flights, a whopping 1,157.1 percent increase year-on-year, and the cargo turnover of this airport reached 26,000 tons, an increase of 522.2 percent compared with the same period last year.
The regular operation of multiple international air cargo routes will help Xinjiang-based cross-border e-commerce companies expand their presence in overseas markets, boosting exports of textiles, electronics and other competitive products and promoting the quality and efficiency of trade among Belt and Road Initiative participants, said Zhao Beijing, an official with Diwopu Customs. –0–
Source: United States House of Representatives – Congresswoman Norma Torres (35th District of California)
May 21, 2025
Amendments address critical issues facing Californians, including higher taxes, cuts to healthcare and food assistance, and dangerous Trump Administration changes to air safety systems
WASHINGTON, D.C. — Congresswoman Norma Torres introduced targeted amendments to the Republican Budget Reconciliation aimed at protecting working families’ access to healthcare, food assistance, fairness in tax policy, and protecting essential public services. These amendments address critical areas, including healthcare, SNAP, transportation, and infrastructure, ensuring that policies serve the best interests of American workers and communities.
“Republican budget proposals threaten essential programs that millions of Americans depend on,” said Congresswoman Torres. “These amendments are a necessary step to ensure that our tax policies, public services, and infrastructure investments are fair and effective in supporting the American people.”
The proposed amendments aim to address the issues in the Republican Budget Reconciliation bill, which includes cutting healthcare coverage for nearly 14 million people, reducing SNAP benefits by $300 billion, and leaving 42 million Americans facing cuts to their benefits:
Protect Healthcare and Prevent Medicaid Cuts: Torres is pushing to strike provisions to cut hundreds of billions of dollars from Medi-Cal, California’s Medicaid. This amendment would protect the healthcare of millions of Americans who rely on Medicaid for essential health services, including the nearly 340,000 adults and children in the Inland Empire who rely on Medi-Cal (California’s Medicaid program). Cuts to Medicaid disproportionately harm children, seniors, and people with disabilities. A cut to Medicaid is also a cut to Medicare, as 30% of Medicaid dollars support Medicare enrollees.
Prevent Harmful SNAP Cuts: Torres is proposing an amendment to prevent $300 billion in cuts to the Supplemental Nutrition Assistance Program (SNAP), which would endanger the food security of millions of American families, including 112,000 Americans in the Inland Empire. Nearly 90% of households that participate in SNAP include a child, a senior, or an individual with a disability. By striking these harmful provisions, Rep. Torres seeks to protect vulnerable working families from losing access to the resources they need to stay healthy and nourished.
Lift the SALT Deduction Cap: Torres is advocating for the removal of the $10,000 cap on State and Local Tax (SALT) deductions that Trump signed into law in 2017. By limiting the SALT deduction to $10,000, the Trump 2017 Tax bill effectively raised taxes on Californians by eliminating their ability to deduct their state and local tax payments (including state income taxes and local property taxes) from their income for federal taxes. As residents of a state with a high cost of living and high housing costs, hardworking Californians are hit particularly hard by Trump’s cap on the SALT deduction. Californians pay more than their fair share of taxes, contributing $83 billion more in federal taxes than they received in return. Lifting the cap is about fairness and provides Californians with deserved tax relief in Trump’s high-priced economy.
Protect Aviation Safety and Ensure Fair FAA Staffing Practices: Torres introduced an amendment to keep the flying public safe, protecting Federal Aviation Administration (FAA) employees from unlawful firings. The FAA has fired at least 400 individuals responsible for maintaining air traffic control systems. This amendment will ensure that no funds made available by this Act may be used to terminate a probationary or non-probationary employee unless an individual performance assessment is conducted. This amendment aims to prevent unlawful terminations, ensuring that FAA staff are treated fairly and that safety standards are upheld for the traveling public. This amendment protects local jobs while maintaining air travel safety standards at Ontario International and regional airports.
Support California’s Critical Infrastructure Needs: Torres is fighting back against the indefensible corruption of this Administration, specifically the newly released U.S. Army Corps of Engineers plan to help only Republican leaning states, not all Americans equally. Torres is advocating for the U.S. Army Corps of Engineers (USACE) to allocate resources for California’s water infrastructure, environmental restoration, and flood management projects. Given California’s challenges with drought, wildfires, and floods, this amendment is designed to strengthen the state’s infrastructure and ensure communities are better protected from environmental and flood-related disasters.
Remove harmful tax on remittances: Torres is fighting back against this bill’s unjust 5% federal tax on remittance transfers that targets immigrant communities. With Americans sending over $93 billion in 2023 to help families abroad with basic necessities, this tax would devastate economies in countries like Honduras, Haiti, and El Salvador, where remittances comprise up to 30% of GDP. This amendment would prevent harmful policies that destabilize regional allies, contradict migration management efforts, and punish those playing by the rules—ensuring our policies support rather than harm immigrant communities and diplomatic partnerships.
“These amendments are designed to protect the well-being of American families, ensure the long-term viability of essential public programs, and support fair policies that address the unique needs of communities across the country,” Congresswoman Torres added. “We cannot afford to let partisan politics undermine the services and resources that our citizens rely on every day.”
One major consequence of the UK government’s resistance to rejoining the European single market is that it is forced to go around the world seeking trade deals and investment.
Recently, the government has boasted of successful arrangements with India, the US, and some new agreements with the EU. But it has also found itself courting one highly dubious suitor.
Since the chancellor of the exchequer, Rachel Reeves, went to Beijing in January 2025, the government has been focusing much of its attention on China. And while investment from the world’s second-largest economy is fairly unproblematic in a few sectors (some services and domestic real estate, for example), other areas are a cause for concern.
Relying on Chinese money to support key sectors such as steel, telecommunications, advanced electronics, power and transport – all vital for Britain’s economic and geopolitical security – is potentially dangerous.
Yet it has been going on for years. Efforts to secure funding by a previous Conservative government even allowed state-owned Chinese companies to invest in the UK’s nuclear future, despite considerable criticism from the likes of MI5 and the British military.
Then there was the 2017 acquisition by a Chinese state-backed private equity firm of cutting-edge semiconductor company Imagination Technologies. Subsequent concerns over the leaking of its intellectual property prompted a parliamentary enquiry into foreign corporate asset-stripping.
British Steel was also a target. Sold in 2019, it is now owned by a private company, Jingye, which in April 2025 moved to shut down operations at its Scunthorpe site by not supplying the raw materials required for its blast furnaces.
In response, the UK government took emergency control of production in a scramble to stop the furnaces from going cold.
That incident should have served as an urgent reminder to the government that it needs to be wary of the effect Chinese companies can have on the UK.
Early signs, however, are not reassuring. Business secretary Jonathan Reynolds commented that Jingye was not acting in the “rational way” he would expect of a company in a market economy.
But the government should know that when it comes to strategic decision-making, Chinese companies do not operate in ways that others consider rational. Put simply, they are not comparable to their equivalents in Britain or other liberal-market economies – because they are effectively controlled by the Chinese Communist Party (CCP).
According to the CCP’s data, by 2017 it had established a formal presence inside 92% of larger private companies and 73% of all private companies in China. Those figures will certainly be higher now. And, as with the digital-technology firm Huawei, senior CCP members are often on a company’s boards of directors.
So, while Jingye almost eliminated British Steel as a viable company, it can be reasonably assumed that a decision of such strategic and geopolitical importance would not have been taken by Jingye’s executives alone. They would have been “guided” by the CCP.
Influence and infrastructure
And of course, it’s not just steel production the UK should be concerned about. Chinese ownership now extends across many vital sectors.
There’s the Chinese state-owned company, Beijing Construction Engineering helping to build a new science and innovation park next to Manchester airport. And the private Hong Kong company, CK Infrastructure which owns water companies serving north-east England, Essex and Suffolk.
China Investment Corporation (state-owned) owns part of Heathrow, while China Huaneng (state-owned) operates Europe’s largest battery storage facility in Wiltshire. Meanwhile, wind turbine producer Mingyang (privately owned and reputedly linked to the Chinese military) is the preferred bidder for a new Scottish wind farm, despite being barred from a similar Norwegian development.
All of these companies, irrespective of formal ownership, are likely to be subject to varying degrees of CCP influence and control (comment on the issue from Chinese companies is rare). And successive UK governments have either failed to appreciate the implications of this, or have accepted it as the price of gaining greater access to the Chinese market – especially for London’s financial sector.
This was almost certainly a factor behind China’s involvement in the building of Hinkley Point’s new nuclear power station, and was at the forefront in Rachel Reeves’s discussions with the Chinese government earlier this year.
Separately, Chinese investment in non-strategic sectors is much less controversial. One private conglomerate (Fosun) owns the Premier League side Wolverhampton Wanderers and formerly owned Thomas Cook.
But the lesson from the British Steel fiasco is clear. We are now in a world where the political interests of major states trump the economic interests of their business corporations. Geopolitics takes precedence over geoeconomics.
Consequently, Chinese firms – regardless of ownership status – should be barred from industries vital to the UK’s economic and political security. Anything less risks subordinating British interests to those of the Chinese Communist Party.
Funding from European Cooperation in Science and Technology (COST), for the China in Europe Research Network, contributed to the research on which this article is based.
Source: Republic of Taiwan – Ministry of Foreign Affairs
May 18, 2025
No. 161
Former Vice President Chen Chien-jen, serving as special envoy of President Lai Ching-te, together with his wife and Deputy Minister of Foreign Affairs François Chihchung Wu, attended the inauguration of Pope Leo XIV on the morning of May 18. In an audience with the pontiff following the ceremony, Mr. Chen conveyed greetings from President Lai and the sincere congratulations of the government, people, and Catholic community of Taiwan.
Upon arriving for the ceremony in St. Peter’s Square, Mr. Chen was received by a ceremonial officer for the Holy See. The inauguration, a grand and solemn occasion, took around two hours. According to statistics released by the Holy See, more than 150 delegations attended. Before the ceremony commenced, Mr. Chen exchanged greetings with Paraguayan Chamber of Deputies Speaker Raúl Latorre; Guatemalan Special Envoy and Ambassador to the Holy See Alfredo Vásquez Rivera; other officials from diplomatic allies; and delegates from the United States, Japan, Europe, and numerous other friendly countries. He also extended felicitations to and shared cordial interactions with several high-ranking members of the Vatican clergy, including Secretary of State Cardinal Pietro Parolin and Secretary of the Dicastery for Interreligious Dialogue Monsignor Indunil Janakaratne Kodithuwakku Kankanamalage.
After the inauguration, Pope Leo received the heads of national delegations. Mr. Chen presented the pontiff with a congratulatory letter from President Lai, a commemorative set of postage stamps depicting four of Taiwan’s Catholic churches—St. Joseph’s Church in Jinlun Village, Taitung County; the Holy Family Catholic Church in Taipei City; the Basilica of the Immaculate Conception in Wanjin Village, Pingtung County; and the Holy Rosary Cathedral Basilica in Kaohsiung City—and a collection of postcards on Holy See artifacts jointly produced by Taiwan and the Apostolic Nunciature in Taiwan, highlighting the close connection between the Catholic Church in Taiwan and the Holy See. Mr. Chen also presented Pope Leo with a photo taken in 2020, when the pontiff was serving as bishop of the Chiclayo Diocese in Peru. The picture showed him accepting antipandemic supplies donated by Taiwan. The materials, delivered in cartons labeled “Taiwan Box,” were donated to Cáritas Chiclayo and other Peruvian healthcare and charitable organizations by the Pingtung County Government and Dr. Lai Hsien-yung of Hualien County’s Mennonite Christian Hospital. The government and people of Taiwan provided proactive assistance to the international community throughout the COVID-19 pandemic, fulfilling their international responsibilities and demonstrating that Taiwan could help and that Taiwan was helping.
When Mr. Chen arrived at the airport in Rome on May 17, he met with Eswatini Prime Minister Russell Dlamini, who had also made the trip to attend the papal inauguration. Mr. Chen also attended a mass and prayer service for peace led by Bishop John Lee Keh-mien, President of the Chinese Regional Bishops’ Conference of Taiwan, at St. Benedict’s Monastery. On May 18, Mr. Chen had dinner with 16 prominent members of the Catholic clergy and several key officials and ambassadors of diplomatic allies, including Special Delegate of the Holy See to the Sovereign Military Order of Malta Cardinal Silvano Tomasi and Haitian Special Envoy and former Minister of Foreign Affairs Alrich Nicolas.
Since establishing diplomatic ties 83 years ago, Taiwan and the Holy See have enjoyed a profound diplomatic alliance and shared the core values of religious freedom, human rights, peace, and benevolence. The two sides will build on their existing friendship and solid foundation of cooperation in humanitarian assistance and other domains to further deepen bilateral relations and together make even greater contributions to the world. (E)
Source: People’s Republic of China in Russian
Source: People’s Republic of China – State Council News
Moscow, May 21 /Xinhua/ — Russia and China have made significant progress in bilateral cooperation in recent years, and the countries have established a deep level of cooperation in many areas, Russian businessman Oleg Deripaska said in a recent interview with Xinhua.
“We have made serious progress over the past four years. In general, this is a large, deep, large-scale cooperation in many areas: energy, transport, logistics, mechanical engineering, joint developments in aviation, space, nuclear energy. The countries share experience, organize joint design, develop engineering. This is already a fairly deep level of cooperation,” he noted.
According to O. Deripaska, the countries are taking important steps to develop transport and logistics infrastructure. “The Russian side is modernizing railways, transport crossings, pipelines, power lines, communication lines, and ports. The Chinese and Russian sides are stimulating trade turnover by providing subsidies for transportation,” the businessman said, emphasizing that increasing the speed of cargo delivery improves trade.
Another important area for further deepening trade and economic cooperation between the two countries, he believes, is improving financial conditions. This is not only about settlements in national currencies, but also about developing project financing mechanisms. “Our companies are already opening enterprises in China to produce modules that are needed for use in Russian production. In the same way, Chinese companies should invest in creating joint production facilities in Russia,” the Xinhua source believes.
Speaking about cooperation between China and Russia in the field of science and education, O. Deripaska emphasized that in the next two years this issue will be given special attention, because joint educational projects not only bring the peoples of the two countries closer together, but also allow building a foundation for the future.
As an example of such cooperation, the Russian entrepreneur cited the Chinese-Russian University PPI-MSU in Shenzhen /Guangdong Province, South China/. With the support of O. Deripaska’s funds, the university has created several educational programs for Chinese and Russian students. “Science is a source of progress, that is, all innovations begin with scientific developments, and this is important for us. Our investments create the opportunity for joint education in Russia and China,” he explained, adding that joint programs are being developed between universities in Irkutsk, Krasnoyarsk and universities in Harbin /the administrative center of Heilongjiang Province, Northeast China/ and Xi’an /the administrative center of Shaanxi Province, Northwest China/.
The businessman praised the level of development of science, technology and engineering knowledge in China, noting significant successes in such high-tech areas as renewable energy, space programs, electronics, and electric vehicle production. “China has focused on education and building a system of scientific universities and research centers. A lot has been spent on training Chinese specialists abroad. Now many of them have returned. We see this progress,” he added.
According to O. Deripaska, the deep level of cooperation between China and Russia allows us to hope that all the development goals set for the two countries will be achieved. –0–
NATO Secretary General Mark Rutte welcomed Czech President Petr Pavel to NATO Headquarters on Wednesday (21 May 2025) to discuss preparations for the upcoming NATO Summit in The Hague.
The Secretary General praised Czechia as a strong and reliable Ally, highlighting its defence investment and support to Ukraine. “You spend more than 2% of GDP on defence, and I welcome the commitment you’ve already made to increase defence spending to 3% in the coming years,” said Mr Rutte.
Czechia plays an important role in NATO’s deterrence and defence, contributing to Forward Land Forces in Slovakia, Latvia and Lithuania. This year, Czechia will also deploy combat aircraft to Iceland in support of NATO’s air policing mission.
The Secretary General commended Czechia’s substantial support to Ukraine, including over 1.3 billion euros in military assistance. He welcomed the success of the Czech-led ammunition initiative, which has helped deliver over 3 million rounds of large-calibre ammunition to Ukraine, including 1.5 million in 2024 alone. Mr Rutte also underlined Czechia’s growing role in NATO’s long-term support to Ukraine, including contributions to NATO’s Security Assistance and Training command (NSATU) in Wiesbaden and the deployment of 20 personnel to NSATU’s Logistics Enabling Nodes this July.
Looking ahead to the NATO Summit in The Hague, Secretary General Rutte stressed the importance of strengthening NATO’s deterrence and defence even further, increasing defence spending, and building a stronger and more innovative transatlantic defence industry. “We will need to do much more, and this will remain our focus as we prepare for The Hague Summit,” he said. “We have a lot of work to do. And I know I can count on Czechia’s continued commitment and leadership.”
This joint cybersecurity advisory (CSA) highlights a Russian state-sponsored cyber campaign targeting Western logistics entities and technology companies. This includes those involved in the coordination, transport, and delivery of foreign assistance to Ukraine. Since 2022, Western logistics entities and IT companies have faced an elevated risk of targeting by the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (85th GTsSS), military unit 26165—tracked in the cybersecurity community under several names (see “Cybersecurity Industry Tracking”). The actors’ cyber espionage-oriented campaign, targeting technology companies and logistics entities, uses a mix of previously disclosed tactics, techniques, and procedures (TTPs). The authoring agencies expect similar targeting and TTP use to continue.
Executives and network defenders at logistics entities and technology companies should recognize the elevated threat of unit 26165 targeting, increase monitoring and threat hunting for known TTPs and indicators of compromise (IOCs), and posture network defenses with a presumption of targeting.
This cyber espionage-oriented campaign targeting logistics entities and technology companies uses a mix of previously disclosed TTPs and is likely connected to these actors’ wide scale targeting of IP cameras in Ukraine and bordering NATO nations.
The following authors and co-sealers are releasing this CSA:
United States National Security Agency (NSA)
United States Federal Bureau of Investigation (FBI)
United Kingdom National Cyber Security Centre (NCSC-UK)
Germany Federal Intelligence Service (BND) Bundesnachrichtendienst
Germany Federal Office for Information Security (BSI) Bundesamt für Sicherheit in der Informationstechnik
Germany Federal Office for the Protection of the Constitution (BfV) Bundesamt für Verfassungsschutz
Czech Republic Military Intelligence (VZ) Vojenské zpravodajství
Czech Republic National Cyber and Information Security Agency (NÚKIB) Národní úřad pro kybernetickou a informační bezpečnost
Czech Republic Security Information Service (BIS) Bezpečnostní informační služba
Poland Internal Security Agency (ABW) Agencja Bezpieczeństwa Wewnętrznego
Poland Military Counterintelligence Service (SKW) Służba Kontrwywiadu Wojskowego
United States Cybersecurity and Infrastructure Security Agency (CISA)
United States Department of Defense Cyber Crime Center (DC3)
United States Cyber Command (USCYBERCOM)
Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
Canadian Centre for Cyber Security (CCCS)
Danish Defence Intelligence Service (DDIS) Forsvarets Efterretningstjeneste
Estonian Foreign Intelligence Service (EFIS) Välisluureamet
Estonian National Cyber Security Centre (NCSC-EE) Küberturvalisuse keskus
French Cybersecurity Agency (ANSSI) Agence nationale de la sécurité des systèmes d’information
Netherlands Defence Intelligence and Security Service (MIVD) Militaire Inlichtingen- en Veiligheidsdienst
For over two years, the Russian GRU 85th GTsSS, military unit 26165—commonly known in the cybersecurity community as APT28, Fancy Bear, Forest Blizzard, BlueDelta, and a variety of other identifiers—has conducted this campaign using a mix of known tactics, techniques, and procedures (TTPs), including reconstituted password spraying capabilities, spearphishing, and modification of Microsoft Exchange mailbox permissions. In late February 2022, multiple Russian state-sponsored cyber actors increased the variety of cyber operations for purposes of espionage, destruction, and influence—with unit 26165 predominately involved in espionage. [1] As Russian military forces failed to meet their military objectives and Western countries provided aid to support Ukraine’s territorial defense, unit 26165 expanded its targeting of logistics entities and technology companies involved in the delivery of aid. These actors have also targeted Internet-connected cameras at Ukrainian border crossings to monitor and track aid shipments. Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 17. See Appendix A: MITRE ATT&CK tactics and techniques for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques. This advisory uses the MITRE D3FEND® framework, version 1.0.
Description of Targets
The GRU unit 26165 cyber campaign against Western logistics providers and technology companies has targeted dozens of entities, including government organizations and private/commercial entities across virtually all transportation modes: air, sea, and rail. These actors have targeted entities associated with the following verticals within NATO member states, Ukraine, and at international organizations:
Defense Industry
Transportation and Transportation Hubs (ports, airports, etc.)
Maritime
Air Traffic Management
IT Services
In the course of the targeting lifecycle, unit 26165 actors identified and conducted follow-on targeting of additional entities in the transportation sector that had business ties to the primary target, exploiting trust relationships to attempt to gain additional access [T1199].
The actors also conducted reconnaissance on at least one entity involved in the production of industrial control system (ICS) components for railway management, though a successful compromise was not confirmed [TA0043].
The countries with targeted entities include the following, as illustrated in Figure 1:
Bulgaria
Czech Republic
France
Germany
Greece
Italy
Moldova
Netherlands
Poland
Romania
Slovakia
Ukraine
United States
Figure 1: Countries with Targeted Entities
Initial Access TTPs
To gain initial access to targeted entities, unit 26165 actors used several techniques, including (but not limited to):
The actors abused vulnerabilities associated with a range of brands and models of small office/home office (SOHO) devices to facilitate covert cyber operations, as well as proxy malicious activity via devices with geolocation in proximity to the target [T1665]. [2]
Credential Guessing/Brute Force
Unit 26165 actors’ credential guessing [T1110.001] operations in this campaign exhibit some similar characteristics to those disclosed in the previous CSA “Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments.” [3] Based on victim network investigations, the current iteration of this TTP employs a similar blend of anonymization infrastructure, including the use of Tor and commercial VPNs [T1090.003]. The actors frequently rotated the IP addresses used to further hamper detection. All observed connections were made via encrypted TLS [T1573].
Spearphishing
GRU unit 26165 actors’ spearphishing emails included links [T1566.002] leading to fake login pages impersonating a variety of government entities and Western cloud email providers’ webpages. These webpages were typically hosted on free third-party services or compromised SOHO devices and often used legitimate documents associated with thematically similar entities as lures. The subjects of spearphishing emails were diverse and ranged from professional topics to adult themes. Phishing emails were frequently sent via compromised accounts or free webmail accounts [T1586.002, T1586.003]. The emails were typically written in the target’s native language and sent to a single targeted recipient.
Some campaigns employed multi-stage redirectors [T1104] verifying IP-geolocation [T1627.001] and browser fingerprints [T1627] to protect credential harvesting infrastructure or provide multifactor authentication (MFA) [T1111] and CAPTCHA relaying capabilities [T1056]. Connecting endpoints failing the location checks were redirected to a benign URL [T1627], such as msn.com. Redirector services used include:
Webhook[.]site
FrgeIO
InfinityFree
Dynu
Mocky
Pipedream
Mockbin[.]org
The actors also used spearphishing to deliver malware (including HEADLACE and MASEPIE) executables [T1204.002] delivered via third-party services and redirectors [T1566.002], scripts in a mix of languages [T1059] (including BAT [T1059.003] and VBScript [T1059.005]) and links to hosted shortcuts [T1204.001].
CVE Usage
Throughout this campaign, GRU unit 26165 weaponized an Outlook NTLM vulnerability (CVE-2023-23397) to collect NTLM hashes and credentials via specially crafted Outlook calendar appointment invitations [T1187]. [4],[5] These actors also used a series of Roundcube CVEs (CVE-2020-12641, CVE-2020-35730, and CVE-2021-44026) to execute arbitrary shell commands [T1059], gain access to victim email accounts, and retrieve sensitive data from email servers [T1114].
Since at least fall 2023, the actors leveraged a WinRAR vulnerability (CVE-2023-38831) allowing for the execution of arbitrary code embedded in an archive as a means of initial access [T1659]. The actors sent emails with malicious attachments [T1566.001] or embedded hyperlinks [T1566.002] that downloaded a malicious archive prepared using this CVE.
Post-Compromise TTPs
After an initial compromise using one of the above techniques, unit 26165 actors conducted contact information reconnaissance to identify additional targets in key positions [T1589.002]. The actors also conducted reconnaissance of the cybersecurity department [T1591], individuals responsible for coordinating transport [T1591.004], and other companies cooperating with the victim entity [T1591.002].
The actors used native commands and open source tools, such as Impacket and PsExec, to move laterally within the environment [TA0008]. Multiple Impacket scripts were used as .exe files, in addition to the python versions, depending on the victim environment. The actors also moved laterally within the network using Remote Desktop Protocol (RDP) [T1021.001] to access additional hosts and attempt to dump Active Directory NTDS.dit domain databases [T1003.003] using native Active Directory Domain Services commands, such as in Figure 2: Example Active Directory Domain Services command:
C:\Windows\system32\ntdsutil.exe "activate instance ntds" ifm "create full C:\temp\[a-z]{3}" quit quit
Figure 2: Example Active Directory Domain Services command
Additionally, GRU unit 26165 actors used the tools Certipy and ADExplorer.exe to exfiltrate information from the Active Directory. The actors installed python [T1059.006] on infected machines to enable the execution of Certipy. Accessed files were archived in .zip files prior to exfiltration [T1560]. The actors attempted to exfiltrate archived data via a previously dropped OpenSSH binary [T1048].
Incident response investigations revealed that the actors would take steps to locate and exfiltrate lists of Office 365 users and set up sustained email collection. The actors used manipulation of mailbox permissions [T1098.002] to establish sustained email collection at compromised logistics entities, as detailed in a Polish Cybercommand blog. [6]
After initial authentication, unit 26165 actors would change accounts’ folder permissions and enroll compromised accounts in MFA mechanisms to increase the trust-level of compromised accounts and enable sustained access [T1556.006]. The actors leveraged python scripts to retrieve plaintext passwords via Group Policy Preferences [T1552.006] using Get-GPPPassword.py and a modified ldap-dump.py to enumerate the Windows environment [T1087.002] and conduct a brute force password spray [T1110.003] via Lightweight Directory Access Protocol (LDAP). The actors would additionally delete event logs through the wevtutil utility [T1070.001].
After gaining initial access to the network, the actors pursued further access to accounts with access to sensitive information on shipments, such as train schedules and shipping manifests. These accounts contained information on aid shipments to Ukraine, including:
sender,
recipient,
train/plane/ship numbers,
point of departure,
destination,
container registration numbers,
travel route, and
cargo contents.
In at least one instance, the actors attempted to use voice phishing [T1566.004] to gain access to privileged accounts by impersonating IT staff.
Malware
Unit 26165’s use of malware in this campaign ranged from gaining initial access to establishing persistence and exfiltrating data. In some cases, the attack chain resulted in multiple pieces of malware being deployed in succession. The actors used dynamic link library (DLL) search order hijacking [T1574.001] to facilitate malware execution. There were a number of known malware variants tied to this campaign against logistics sector victims, including:
While other malware variants, such as OCEANMAP and STEELHOOK, [8] were not directly observed targeting logistics or IT entities, their deployment against victims in other sectors in Ukraine and other Western countries suggests that they could be deployed against logistics and IT entities should the need arise.
Persistence
In addition to the abovementioned mailbox permissions abuse, unit 26165 actors also used scheduled tasks [T1053.005], run keys [T1547.001], and placed malicious shortcuts [T1547.009] in the startup folder to establish persistence.
Exfiltration
GRU unit 26165 actors used a variety of methods for data exfiltration that varied based on the victim environment, including both malware and living off the land binaries. PowerShell commands [T1059.001] were often used to prepare data for exfiltration; for example, the actors prepared zip archives [T1560.001] for upload to their own infrastructure.
The actors also used server data exchange protocols and Application Programming Interfaces (APIs) such as Exchange Web Services (EWS) and Internet Message Access Protocol (IMAP) [T1114.002] to exfiltrate data from email servers. In multiple instances, the actors used periodic EWS queries [T1119] to collect new emails sent and received since the last data exfiltration [T1029]. The actors typically used infrastructure in close geographic proximity to the victim. Long gaps between exfiltration, the use of trusted and legitimate protocols, and the use of local infrastructure allowed for long-term collection of sensitive data to go undetected.
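As an added example (not code from the authoring agencies), one way to hunt for the sustained-collection pattern described in the mailbox permission and EWS exfiltration paragraphs above: flag permission grants that widen who can read a mailbox, then look for EWS mail reads from one (account, address) pair recurring at a near-constant interval, which is how scripted "everything since last time" pulls look. The audit record shape, the sample records, the corporate address ranges and the thresholds are all constructed assumptions to be tuned locally.

```python
"""Hunt for mailbox permission grants followed by periodic EWS pulls.
Added example for this advisory, not code from the authoring agencies. Records
are a constructed, simplified subset of Exchange audit log fields; corporate
ranges and thresholds are assumptions to tune locally."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

CORP_NETS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]  # assumed
PERMISSION_OPS = {"Add-MailboxPermission", "Add-MailboxFolderPermission",
                  "Set-MailboxFolderPermission"}
RISKY_GRANTEES = {"default", "anonymous", "everyone"}
MIN_EWS_PULLS = 4     # pulls needed before a cadence is judged at all
MAX_JITTER = 0.15     # pstdev/mean of intervals below this counts as "regular"


def is_corporate(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in CORP_NETS)


def permission_findings(records):
    """Grants that let another principal read a mailbox, with the actor's origin."""
    out = []
    for r in records:
        if r["operation"] not in PERMISSION_OPS:
            continue
        grantee = r["parameters"].get("User", "").lower()
        identity = r["parameters"].get("Identity", r["object"])
        owner = identity.split(":")[0].lower()      # "user@dom:\Inbox" -> user@dom
        reasons = []
        if grantee in RISKY_GRANTEES:
            reasons.append("grant_to_anonymous_or_default")
        elif grantee and grantee != owner:
            reasons.append("grant_to_other_account")
        if not is_corporate(r["client_ip"]):
            reasons.append("actor_outside_corporate_ranges")
        if reasons:
            out.append({"mailbox": owner, "grantee": grantee, "actor": r["user"],
                        "client_ip": r["client_ip"], "reasons": reasons})
    return out


def ews_cadence_findings(records):
    """(user, ip) pairs whose EWS mail reads recur at a near-constant interval."""
    pulls = defaultdict(list)
    for r in records:
        if r["operation"] == "MailItemsAccessed" and "WebServices" in r["client"]:
            pulls[(r["user"], r["client_ip"])].append(
                datetime.fromisoformat(r["timestamp"]))
    out = []
    for (user, ip), times in pulls.items():
        if len(times) < MIN_EWS_PULLS:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else 0.0
        if jitter <= MAX_JITTER:
            out.append({"user": user, "client_ip": ip, "pulls": len(times),
                        "interval_hours": round(avg / 3600, 1),
                        "corporate": is_corporate(ip)})
    return out


# Constructed sample records (not from any real investigation).
SAMPLE_RECORDS = [
    # Inbox shared with a second account by an actor connecting from outside.
    {"timestamp": "2024-06-01T01:55:00", "operation": "Add-MailboxFolderPermission",
     "user": "jdoe@corp.example", "object": "jdoe@corp.example:\\Inbox",
     "client_ip": "198.51.100.77", "client": "Client=Exchange Management Shell",
     "parameters": {"Identity": "jdoe@corp.example:\\Inbox",
                    "User": "svc-sync@corp.example", "AccessRights": "Reviewer"}},
    # Five EWS pulls, roughly once a day, from the same outside address.
    *[{"timestamp": t, "operation": "MailItemsAccessed",
       "user": "svc-sync@corp.example", "object": "jdoe@corp.example",
       "client_ip": "198.51.100.77", "client": "Client=WebServices;Action=Bind",
       "parameters": {}}
      for t in ("2024-06-01T02:00:00", "2024-06-02T02:00:00",
                "2024-06-03T02:18:00", "2024-06-04T01:48:00",
                "2024-06-05T02:06:00")],
    # Ordinary interactive use from inside: not EWS, not periodic.
    {"timestamp": "2024-06-01T09:12:00", "operation": "MailItemsAccessed",
     "user": "asmith@corp.example", "object": "asmith@corp.example",
     "client_ip": "10.1.2.3", "client": "Client=OWA", "parameters": {}},
]

if __name__ == "__main__":
    print(permission_findings(SAMPLE_RECORDS))
    print(ews_cadence_findings(SAMPLE_RECORDS))
```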
Connections to Targeting of IP Cameras
In addition to targeting logistics entities, unit 26165 actors likely used access to private cameras at key locations, such as near border crossings, military installations, and rail stations, to track the movement of materials into Ukraine. The actors also used legitimate municipal services, such as traffic cams.
The actors targeted Real Time Streaming Protocol (RTSP) servers hosting IP cameras primarily located in Ukraine as early as March 2022 in a large-scale campaign, which included attempts to enumerate devices [T1592] and gain access to the cameras’ feeds [T1125]. Actor-controlled servers sent RTSP DESCRIBE requests destined for RTSP servers, primarily hosting IP cameras [T1090.002]. The DESCRIBE requests were crafted to obtain access to IP cameras located on logically distinct networks from that of the routers that received the request. The requests included Base64-encoded credentials for the RTSP server, which included publicly documented default credentials and likely generic attempts to brute force access to the devices [T1110]. An example of an RTSP request is shown in Figure 3.
Successful RTSP 200 OK responses contained a snapshot of the IP camera’s image and IP camera metadata such as video codec, resolution, and other properties depending on the IP camera’s configuration.
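As an added example (not from the advisory), the checks a defender can run over logged RTSP DESCRIBE requests to spot the activity described above: decode the Basic credentials, match the Hikvision backdoor string quoted in this advisory's IOC list and common factory defaults, and flag requests whose URL targets a different host than the one that received them. The log shape, the sample requests and the default-credential list are constructed.

```python
"""Triage of logged RTSP DESCRIBE requests for the camera-access pattern above.
Added example for this advisory, not code from the authoring agencies; the
log shape, sample requests and default-credential list are constructed."""
import base64
import binascii
import re
from typing import Optional

# Hikvision backdoor string quoted in the advisory's IOC list (decodes to admin:11).
HIKVISION_BACKDOOR_TOKEN = "YWRtaW46MTEK"

# Illustrative factory defaults (constructed, not exhaustive).
DEFAULT_CREDENTIALS = {
    ("admin", "12345"), ("admin", "admin"), ("admin", ""),
    ("admin", "123456"), ("root", "root"), ("root", "12345"),
}

REQUEST_LINE = re.compile(
    r"^DESCRIBE\s+rtsp://([^/:\s]+)(?::\d+)?\S*\s+RTSP/1\.0", re.I)
AUTH_HEADER = re.compile(r"^Authorization:\s*Basic\s+(\S+)\s*$", re.I | re.M)


def decode_basic_token(token: str) -> Optional[tuple]:
    """Decode a Basic auth token to (user, password); None if malformed."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    text = raw.decode("utf-8", errors="replace").rstrip("\r\n")
    if ":" not in text:
        return None
    user, _, password = text.partition(":")
    return user, password


def triage_request(dst_ip: str, request: str) -> dict:
    """Classify one DESCRIBE request that arrived at the address dst_ip."""
    findings = []
    m = REQUEST_LINE.search(request)
    if not m:
        return {"dst_ip": dst_ip, "target": None, "user": None,
                "findings": ["not_describe"]}
    target_host = m.group(1)
    # URL aimed at a host other than the receiving device: the "camera behind
    # the router" pattern the advisory describes.
    if target_host != dst_ip:
        findings.append("target_mismatch")
    user = None
    auth = AUTH_HEADER.search(request)
    if auth is None:
        findings.append("no_credentials")
    else:
        token = auth.group(1)
        if token == HIKVISION_BACKDOOR_TOKEN:
            findings.append("hikvision_backdoor_string")
        creds = decode_basic_token(token)
        if creds is None:
            findings.append("malformed_basic_auth")   # garbage token, no crash
        else:
            user = creds[0]
            if creds in DEFAULT_CREDENTIALS:
                findings.append("default_credential")
    return {"dst_ip": dst_ip, "target": target_host, "user": user,
            "findings": findings}


def _basic(user_pass: str) -> str:
    return base64.b64encode(user_pass.encode()).decode()


# Constructed sample: (receiving address, raw request) as a router or RTSP
# proxy might log them.
SAMPLE_ENTRIES = [
    # Backdoor string, aimed at a private address behind the receiving router.
    ("198.51.100.1",
     "DESCRIBE rtsp://192.168.1.64:554/Streaming/Channels/101 RTSP/1.0\r\n"
     "CSeq: 2\r\nAuthorization: Basic YWRtaW46MTEK\r\n\r\n"),
    # Factory default credential against the receiving host itself.
    ("198.51.100.1",
     "DESCRIBE rtsp://198.51.100.1/live RTSP/1.0\r\nCSeq: 3\r\n"
     "Authorization: Basic " + _basic("admin:12345") + "\r\n\r\n"),
    # Garbage token: handled without raising.
    ("198.51.100.2",
     "DESCRIBE rtsp://198.51.100.2/cam RTSP/1.0\r\nCSeq: 1\r\n"
     "Authorization: Basic !!not-base64\r\n\r\n"),
    # Unique credential on the expected host: nothing to report.
    ("198.51.100.3",
     "DESCRIBE rtsp://198.51.100.3/cam RTSP/1.0\r\nCSeq: 1\r\n"
     "Authorization: Basic " + _basic("operator:correct-horse-battery") + "\r\n\r\n"),
]

if __name__ == "__main__":
    for dst, req in SAMPLE_ENTRIES:
        print(triage_request(dst, req))
```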
From a sample available to the authoring agencies of over 10,000 cameras targeted via this effort, the geographic distribution of victims showed a strong focus on cameras in Ukraine and border countries, as shown in Table 1:
Table 1: Geographic distribution of targeted IP cameras
Country  | Percentage of Total Attempts
Ukraine  | 81.0%
Romania  | 9.9%
Poland   | 4.0%
Hungary  | 2.8%
Slovakia | 1.7%
Others   | 0.6%
Mitigation Actions
General Security Mitigations
Architecture and Configuration
Employ appropriate network segmentation [D3-NI] and restrictions to limit access and utilize additional attributes (such as device information, environment, and access path) when making access decisions [D3-AMED].
Consider Zero Trust principles when designing systems. Base product choices on how those products can solve specific risks identified as part of the end-to-end design. [9]
Ensure that host firewalls and network security appliances (e.g., firewalls) are configured to only allow legitimately needed data flows between devices and servers to prevent lateral movement [D3-ITF]. Alert on attempts to connect laterally between host devices or other unusual data flows.
Use automated tools to audit access logs for security concerns and identify anomalous access requests [D3-RAPA].
For organizations using on-premises authentication and email services, block and alert on NTLM/SMB requests to external infrastructure [D3-OTF].
Utilize endpoint detection and response (EDR) and other cybersecurity solutions on all systems, prioritizing high value systems with large amounts of sensitive data, such as mail servers and domain controllers [D3-PM], first.
Perform threat and attack modeling to understand how sensitive systems may be compromised within an organization’s specific architecture and security controls. Use this to develop a monitoring strategy to detect compromise attempts and select appropriate products to enact this strategy.
Collect and monitor Windows logs for certain events, especially for events that indicate that a log was cleared unexpectedly [D3-SFA].
Enable optional security features in Windows to harden endpoints and mitigate initial access techniques [D3-AH]:
Enable attack surface reduction rules to prevent executable content from email [D3-ABPI].
Enable attack surface reduction rules to prevent execution of files from globally writeable directories, such as Downloads or %APPDATA% [D3-EAL].
Unless users are involved in the development of scripts, limit the local execution of scripts (such as batch scripts, VBScript, JScript/JavaScript, and PowerShell [10]) to known scripts [D3-EI], and audit execution attempts.
Disable Windows Script Host functionality and configure PowerShell to run in Constrained Language mode [D3-ACH].
Where feasible, implement allowlisting for applications and scripts to limit execution to only those needed for authorized activities, blocking all others by default [D3-EAL].
Consider using open source SIGMA rules as a baseline for detecting and alerting on suspicious file execution or command parameters [D3-PSA].
Use services that provide enhanced browsing services and safe link checking [D3-URA]. Significant reductions in successful spearphishing attempts were noted when email providers began offering link checking and automatic file detonation to block malicious content.
Where possible, block logins from public VPNs, including exit nodes in the same country as target systems, or, if they need to be allowed, alert on them for further investigation. Most organizations should not need to allow incoming traffic, especially logins to systems, from VPN services [D3-NAM].
Educate users to only use approved corporate systems for relevant government and military business and avoid the use of personal accounts on cloud email providers to conduct official business. Network administrators should also audit both email and web request logs to detect such activity.
Many organizations may not need to allow outgoing traffic to hosting and API mocking services, which are frequently used by GRU unit 26165. Organizations should consider alerting on or blocking the following services, with exceptions allowlisted for legitimate activity [D3-DNSDL].
Heuristic detections for web requests to new subdomains, including those of the providers named above, may uncover malicious phishing activity [D3-DNRA]. Logging each subdomain requested by users on a network, such as in DNS or firewall logs, may enable system administrators to identify new targeting and victims.
Identity and Access Management
Organizations should take measures to ensure strong access controls and mitigate against common credential theft techniques:
Use MFA with strong factors, such as passkeys or PKI smartcards, and require regular re-authentication [D3-MFA]. [11], [12] Strong authentication factors are not guessable using dictionary techniques, so they resist brute force attempts.
Implement other mitigations for privileged accounts: including limiting the number of admin accounts, considering using hardware MFA tokens, and regularly reviewing all privileged user accounts [D3-JFAPA].
Separate privileged accounts by role and alert on misuse of privileged accounts [D3-UAP]. For example, email administrator accounts should be different from domain administrator accounts.
Reduce reliance on passwords; instead, consider using services like single sign-on [D3-TBA].
For organizations using on-premises authentication and email services, plan to disable NTLM entirely and migrate to more robust authentication processes such as PKI certificate authentication.
Do not store passwords in Group Policy Preferences (GPP). Remove all passwords previously included in GPP and change all passwords on the corresponding accounts [D3-CH]. [13]
Use account throttling or account lockout [D3-ANET]:
Throttling is preferred to lockout. Throttling progressively increases time delay between successive login attempts.
Account lockout can leave legitimate users unable to access their accounts and requires access to an account recovery process.
Account lockout can provide a malicious actor with an easy way to launch a Denial of Service (DoS).
If using lockout, then allowing 5 to 10 attempts before lockout is recommended.
Use a service to check for compromised passwords before using them [D3-SPP]. For example, “Have I Been Pwned” can be used to check whether a password has been previously compromised without disclosing the potential password.
Change all default credentials [D3-CRO] and disable protocols that use weak authentication (e.g., clear-text passwords or outdated and vulnerable authentication or encryption protocols) or do not support multi-factor authentication [D3-ACH] [D3-ET]. Always configure access controls carefully to ensure that only well-maintained and well-authenticated accounts have access. [13]
IP Camera Mitigations
The following mitigation techniques for IP cameras can be used to defend against this type of malicious activity:
Ensure IP cameras are currently supported. Replace devices that are out of support.
Apply security patches and firmware updates to all IP cameras [D3-SU].
Disable remote access to the IP camera, if unnecessary [D3-ITF].
Ensure cameras are protected by a security appliance, if possible, such as by using a firewall to prevent communication with the camera from IP addresses not on an allowlist [D3-NAM].
If remote access to IP camera feeds is required, ensure authentication is enabled [D3-AA] and use a VPN to connect remotely [D3-ET]. Use MFA for management accounts if supported [D3-MFA].
Disable Universal Plug and Play (UPnP), Peer-to-Peer (P2P), and Anonymous Visit features on IP cameras and routers [D3-NI].
Turn off other ports/services not in use (e.g., FTP, web interface, etc.) [D3-ACH].
If supported, enable authenticated RTSP access only [D3-AA].
Review all authentication activity for remote access to make sure it is valid and expected [D3-UBA]. Investigate any unexpected or unusual activity.
Audit IP camera user accounts to ensure they are an accurate reflection of your organization and that they are being used as expected [D3-UAP].
Configure, tune, and monitor logging—if available—on the IP camera.
Indicators of Compromise (IOCs)
Note: Specific IOCs may no longer be actor controlled, may themselves be compromised infrastructure or email accounts, or may be shared infrastructure such as public VPN or Tor exit nodes. Care should be taken when triaging logs or developing detection rules based on these indicators. GRU unit 26165 almost certainly uses extensive further infrastructure and TTPs not specifically listed in this report.
Utilities and scripts
Legitimate utilities
Unauthorized or unusual use of the following legitimate utilities can be an indication of a potential compromise:
ntdsutil – A legitimate Windows executable used by threat actors to export contents of Active Directory
wevtutil – A legitimate Windows executable used by threat actors to delete event logs
vssadmin – A legitimate Windows executable possibly used by threat actors to make a copy of the server’s C: drive
ADexplorer – A legitimate Windows executable to view, edit, and back up Active Directory Certificate Services
OpenSSH – The Windows version of a legitimate open source SSH client
schtasks – A legitimate Windows executable used to create persistence using scheduled tasks
whoami – A legitimate Windows executable used to retrieve the name of the current user
tasklist – A legitimate Windows executable used to retrieve the list of running processes
hostname – A legitimate Windows executable used to retrieve the device name
arp – A legitimate Windows executable used to retrieve the ARP table for mapping the network environment
systeminfo – A legitimate Windows executable used to retrieve a comprehensive summary of device and operating system information
net – A legitimate Windows executable used to retrieve detailed user information
wmic – A legitimate Windows executable used to interact with Windows Management Instrumentation (WMI), such as to retrieve letters assigned to logical partitions on storage drives
cacls – A legitimate Windows executable used to modify permissions on files
icacls – A legitimate Windows executable used to modify permissions to files and handle integrity levels and ownership
ssh – A legitimate Windows executable used to establish network shell connections
reg – A legitimate Windows executable used to add to or modify the system registry
Note: Additional heuristics are needed for effective hunting for these and other living off the land (LOTL) binaries to avoid being overwhelmed by false positives if these legitimate management tools are used regularly. See the joint guide, Identifying and Mitigating Living Off the Land Techniques, for guidance on developing a multifaceted cybersecurity strategy that enables behavior analytics, anomaly detection, and proactive hunting, which are part of a comprehensive approach to mitigating cyber threats that employ LOTL techniques.
Malicious scripts
Certipy – An open source python tool for enumerating and abusing Active Directory Certificate Services
Get-GPPPassword.py – An open source python script for finding insecure passwords stored in Group Policy Preferences
ldap-dump.py – A script for enumerating user accounts and other information in Active Directory
Hikvision backdoor string: “YWRtaW46MTEK”
Suspicious command lines
While the following utilities are legitimate, and using them with the command lines shown may also be legitimate, these command lines are often used during malicious activities and could be an indication of a compromise:
edge.exe "-headless-new -disable-gpu"
ntdsutil.exe "activate instance ntds" ifm "create full C:\temp\[a-z]{3}" quit quit
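One shape the "additional heuristics" called for in the LOTL note above can take, as an added example that is not code from the authoring agencies: score process-creation events so that the command lines listed here (ntdsutil ifm, wevtutil log clearing, vssadmin, schtasks, headless edge) alert on a single execution, while the noisy discovery utilities (whoami, tasklist, hostname, arp, systeminfo, net, wmic) alert only when several distinct ones run from one host and user inside a short window. The event tuple, the sample events, the patterns and the thresholds are constructed assumptions; map Sysmon Event ID 1 or EDR fields onto the tuple and tune locally.

```python
"""Behavioural scoring of process-creation events for the LOTL utilities above.
Added example for this advisory, not code from the authoring agencies. Event
shape (host, user, ISO timestamp, command line), patterns and thresholds are
constructed assumptions to tune locally."""
from collections import defaultdict
from datetime import datetime, timedelta
import re
import shlex

# One matching execution is enough to alert; these mirror the advisory's
# ntdsutil/wevtutil/vssadmin/schtasks/edge observations.
HIGH_SEVERITY = [
    ("ntdsutil_ifm_dump",
     re.compile(r"\bntdsutil(\.exe)?\b.*\bifm\b.*create\s+full", re.I)),
    ("wevtutil_clear_log",
     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("vssadmin_shadow_copy",
     re.compile(r"\bvssadmin(\.exe)?\s+create\s+shadow", re.I)),
    ("headless_browser", re.compile(r"edge(\.exe)?\b.*headless", re.I)),
    ("scheduled_task_created",
     re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.I)),
]

# Noisy on their own; suspicious when several run in quick succession.
DISCOVERY = {"whoami", "tasklist", "hostname", "arp", "systeminfo", "net", "wmic"}
DISCOVERY_WINDOW = timedelta(minutes=5)
DISCOVERY_THRESHOLD = 4   # distinct discovery binaries per (host, user)


def binary_name(cmdline: str) -> str:
    """Executable name from a command line: no path, no .exe, lower-case."""
    try:
        tokens = shlex.split(cmdline, posix=False)   # keeps Windows backslashes
    except ValueError:                               # unbalanced quotes
        tokens = cmdline.split()
    if not tokens:
        return ""
    name = tokens[0].strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def score_events(events):
    """events: iterable of (host, user, iso_timestamp, cmdline); returns alerts."""
    alerts = []
    recent = defaultdict(list)   # (host, user) -> [(time, binary)] inside window
    for host, user, ts, cmd in sorted(events, key=lambda e: e[2]):
        now = datetime.fromisoformat(ts)
        for rule, pattern in HIGH_SEVERITY:
            if pattern.search(cmd):
                alerts.append({"severity": "high", "rule": rule, "host": host,
                               "user": user, "evidence": cmd})
        name = binary_name(cmd)
        if name not in DISCOVERY:
            continue
        key = (host, user)
        window = [(t, b) for t, b in recent[key] if now - t <= DISCOVERY_WINDOW]
        window.append((now, name))
        distinct = sorted({b for _, b in window})
        if len(distinct) >= DISCOVERY_THRESHOLD:
            alerts.append({"severity": "medium", "rule": "discovery_burst",
                           "host": host, "user": user,
                           "evidence": ", ".join(distinct)})
            window = []   # one alert per burst, then start counting again
        recent[key] = window
    return alerts


# Constructed sample events (not from any real investigation).
SAMPLE_EVENTS = [
    ("WS01", "CORP\\jdoe", "2024-06-10T09:00:00", "whoami"),
    ("WS01", "CORP\\jdoe", "2024-06-10T09:00:05", "hostname"),
    ("WS01", "CORP\\jdoe", "2024-06-10T09:00:20", "C:\\Windows\\System32\\tasklist.exe"),
    ("WS01", "CORP\\jdoe", "2024-06-10T09:00:40", "arp -a"),
    ("WS01", "CORP\\jdoe", "2024-06-10T09:01:00", "net user /domain"),
    ("DC01", "CORP\\svc_backup", "2024-06-10T09:30:00",
     'C:\\Windows\\system32\\ntdsutil.exe "activate instance ntds" ifm '
     '"create full C:\\temp\\abc" quit quit'),
    ("DC01", "CORP\\svc_backup", "2024-06-10T09:45:00", "wevtutil cl Security"),
    ("WS02", "CORP\\asmith", "2024-06-10T13:00:00", "hostname"),  # lone, benign
]

if __name__ == "__main__":
    for alert in score_events(SAMPLE_EVENTS):
        print(alert)
```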
Disclaimer: These IP addresses date from June 2024 through August 2024. The authoring agencies recommend organizations investigate or vet these IP addresses prior to taking action, such as blocking.
Detections
Customized NTLM listener
rule APT28_NTLM_LISTENER {
    meta:
        description = "Detects NTLM listeners including APT28's custom one"
    condition:
        (
            ( any of ($sysinternals_*) and any of ($psexec_*) )
            or
            ( 2 of ($network_*) and 2 of ($psexec_*) )
        )
}
The cybersecurity industry provides overlapping cyber threat intelligence, IOCs, and mitigation recommendations related to GRU unit 26165 cyber actors. While not all encompassing, the following are the most notable threat group names tracked under MITRE ATT&CK G0007 and commonly used within the cybersecurity community:
Note: Cybersecurity companies have different methods of tracking and attributing cyber actors, and this may not be a 1:1 correlation to the U.S. government’s understanding for all activity related to these groupings.
Further Reference
To search for the presence of malicious email messages targeting CVE-2023-23397, network defenders may consider using the script published by Microsoft: https://aka.ms/CVE-2023-23397ScriptDoc.
The information and opinions contained in this document are provided "as is" and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.
Purpose
This document was developed in furtherance of the authoring agencies’ cybersecurity missions, including their responsibilities to identify and disseminate threats and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.
Contact
United States organizations
National Security Agency (NSA)
Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI)
U.S. organizations are encouraged to report suspicious or criminal activity related to information in this advisory to CISA via the agency’s Incident Reporting System, its 24/7 Operations Center (report@cisa.gov or 888-282-0870), or your local FBI field office. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.
Department of Defense Cyber Crime Center (DC3)
United Kingdom organizations
Germany organizations
Czech Republic organizations
Poland organizations
Australian organizations
Visit cyber.gov.au or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and access alerts and advisories.
Canadian organizations
Estonia organizations
French organizations
French organizations are encouraged to report suspicious activity or incidents related to information found in this advisory by contacting ANSSI/CERT-FR by email at cert-fr@ssi.gouv.fr or by phone at 3218 or +33 9 70 83 32 18.
See Table 2 through Table 14 for all the threat actor tactics and techniques referenced in this advisory.
Conducted follow-on targeting of additional entities in the transportation sector that had business ties to the primary target, exploiting trust relationships to attempt to gain additional access.
Sent requests with Base64-encoded credentials for the RTSP server, which included publicly documented default credentials, and likely were generic attempts to brute force access to the devices.
Abused SOHO devices to facilitate covert cyber operations, as well as proxy malicious activity, via devices with geolocation in proximity to the target.
External actors could send specially crafted emails that cause a connection from the victim to an untrusted location of the actor’s control, leaking the Net-NTLMv2 hash of the victim that the actor could then relay to another service to authenticate as the victim.
An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16 and 1.4.x before 1.4.10, where a plaintext email message with JavaScript in a link reference element is mishandled by linkref_addindex in rcube_string_replacer.php.
Roundcube Webmail before 1.4.4 allows arbitrary code execution via shell metacharacters in a configuration setting for im_convert_path or im_identify_path in rcube_image.php.
Appendix C: MITRE D3FEND Countermeasures
Table 16: MITRE D3FEND countermeasures
Countermeasure Title | ID | Details
Network Isolation | | Employ appropriate network segmentation. Disable Universal Plug and Play (UPnP), Peer-to-Peer (P2P), and Anonymous Visit features on IP cameras and routers.
Access Mediation | | Limit access and utilize additional attributes (such as device information, environment, and access path) when making access decisions. Configure access controls carefully to ensure that only well-maintained and well-authenticated accounts have access.
Inbound Traffic Filtering | | Implement host firewall rules to block connections from other devices on the network, other than from authorized management devices and servers, to prevent lateral movement.
Resource Access Pattern Analysis | | Use automated tools to audit access logs for security concerns and identify anomalous access requests.
Outbound Traffic Filtering | | Block NTLM/SMB requests to external infrastructure.
Platform Monitoring | | Install EDR/logging/cybersecurity solutions onto high value systems with large amounts of sensitive data such as mail servers and domain controllers.
System File Analysis | | Collect and monitor Windows logs for certain events, especially for events that indicate that a log was cleared unexpectedly.
Application Hardening | | Enable optional security features in Windows to harden endpoints and mitigate initial access techniques.
Application-based Process Isolation | | Enable attack surface reduction rules to prevent executable content from email.
Executable Allowlisting | | Enable attack surface reduction rules to prevent execution of files from globally writeable directories, such as Downloads or %APPDATA%.
Execution Isolation | | Unless users are involved in the development of scripts, limit the execution of scripts (such as batch, JavaScript, and PowerShell) to known scripts.
Application Configuration Hardening | | Disable Windows Host Scripting functionality and configure PowerShell to run in Constrained mode. Disable protocols that use weak authentication (e.g., clear-text passwords, or outdated and vulnerable authentication or encryption protocols) or do not support multi-factor authentication. Turn off other ports/services not in use (e.g., FTP, web interface, etc.).
Process Spawn Analysis | | Use open source SIGMA rules as a baseline for detecting and alerting on suspicious file execution or command parameters.
URL Reputation Analysis | | Use services that provide enhanced browsing services and safe link checking.
Network Access Mediation | | Do not allow incoming traffic, especially logins to systems, from public VPN services. Where possible, logins from public VPNs, including exit nodes in the same country as target systems, should be blocked or, if allowed, alerted on for further investigation. Ensure cameras and other Internet of Things devices are protected by a security appliance, if possible. Do not allow outgoing traffic to hosting and API mocking services frequently used by malicious actors.
Domain Name Reputation Analysis | | Heuristic detections for web requests to new subdomains may uncover malicious phishing activity. Logging the requests for each sub-domain requested by users on a network, such as in DNS or firewall logs, may enable system administrators to identify new targeting and victims.
Multi-factor Authentication | | Use MFA with strong factors and require regular re-authentication, especially for management accounts. Implement other mitigations for privileged accounts, including limiting the number of admin accounts, considering the use of hardware MFA tokens, and regularly reviewing all privileged user accounts.
User Account Permissions | | Separate privileged accounts by role and alert on misuse of privileged accounts. Audit user accounts on all devices to ensure they are an accurate reflection of your organization and that they are being used as expected.
Token-based Authentication | | Reduce reliance on passwords; instead, consider using services like single sign-on.
Credential Hardening | | Do not store passwords in Group Policy Preferences (GPP). Remove all passwords previously included in GPP and change all passwords on the corresponding accounts.
Authentication Event Thresholding | | Use account throttling or account lockout. Throttling progressively increases the time delay between successive login attempts. If using account lockout, allow between 5 and 10 attempts before lockout.
Strong Password Policy | | Use a service to check for compromised passwords before using them.
Credential Rotation | | Change all default credentials.
Encrypted Tunnels | | Disable protocols that use weak authentication (e.g., clear-text passwords, or outdated and vulnerable authentication or encryption protocols). Use a VPN for remote connections to devices.
Software Update | | Apply security patches and firmware updates to all devices. Ensure devices are currently supported. Replace devices that are end-of-life.
Agent Authentication | | Ensure authentication is enabled for remote access to devices. If supported on IP cameras, enable authenticated RTSP access only.
User Behavior Analysis | | Review all authentication activity for remote access to make sure it is valid and expected. Investigate any unexpected or unusual activity.
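The advisory notes RTSP requests carrying Base64-encoded default credentials as generic brute-force attempts, and the table's Resource Access Pattern Analysis and Agent Authentication rows ask defenders to audit that access. The following is an added detection example, not code from the advisory or the authoring agencies: it decodes Basic-auth fields from constructed RTSP access-log lines, flags attempts that use documented factory-default credential pairs, and flags sources that exceed a failed-attempt burst. The log format, the IP addresses and the default-credential list are all assumptions.

```python
import base64
import re
from collections import defaultdict

# Constructed sample log (not real traffic). Fields: client IP, RTSP method,
# URL, response status, and the raw Authorization header ("-" when absent).
SAMPLE_LOG = """\
203.0.113.7 DESCRIBE rtsp://cam1/stream 401 -
203.0.113.7 DESCRIBE rtsp://cam1/stream 401 Basic YWRtaW46YWRtaW4=
203.0.113.7 DESCRIBE rtsp://cam1/stream 401 Basic YWRtaW46MTIzNDU2
203.0.113.7 DESCRIBE rtsp://cam1/stream 401 Basic cm9vdDpyb290
203.0.113.7 DESCRIBE rtsp://cam1/stream 401 Basic YWRtaW46cGFzc3dvcmQ=
203.0.113.7 DESCRIBE rtsp://cam1/stream 200 Basic YWRtaW46MTIzNDU=
10.0.0.5 DESCRIBE rtsp://cam1/stream 200 Basic b3BzOlMzY3VyZS1QYXNz
"""

# Assumed list of widely documented factory-default "user:password" pairs used
# for matching only; a real deployment would load the vendor defaults for the
# camera models actually in use.
DEFAULT_CREDENTIALS = {
    "admin:admin", "admin:12345", "admin:123456", "admin:password", "root:root",
}

LINE_RE = re.compile(
    r"^(?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) (?P<auth>.*)$"
)


def decode_basic(auth_field):
    """Return 'user:password' from a 'Basic <base64>' header value, or None
    when the field is absent, not Basic, or not valid Base64/UTF-8."""
    if not auth_field.startswith("Basic "):
        return None
    try:
        return base64.b64decode(auth_field[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def analyze_rtsp_log(text, burst_threshold=5):
    """Audit RTSP access-log lines and report three conditions:
    - every attempt that presented a documented default credential,
    - sources whose failed (401) attempts reached burst_threshold,
    - a successful (200) login from a source that had already hit the burst,
      i.e. a guess that eventually worked and needs credential rotation."""
    default_hits = []
    failures = defaultdict(int)
    success_after_burst = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        src, status = m["src"], m["status"]
        cred = decode_basic(m["auth"])
        if cred is not None and cred in DEFAULT_CREDENTIALS:
            default_hits.append((src, cred, status))
        if status == "401":
            failures[src] += 1
        elif status == "200" and failures[src] >= burst_threshold:
            success_after_burst.append((src, cred))
    brute_force = {s: n for s, n in failures.items() if n >= burst_threshold}
    return {
        "default_credential_attempts": default_hits,
        "brute_force_sources": brute_force,
        "success_after_burst": success_after_burst,
    }


if __name__ == "__main__":
    report = analyze_rtsp_log(SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed sample, the external source is reported both for the five-attempt burst and for the subsequent successful login with a default pair, while the internal management host with its own non-default credential is not flagged.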
The rising tensions with North Korea, coupled with China’s increasing assertiveness, have necessitated South Korea to bolster its military capabilities and readiness. These strategic enhancements include investments in advanced weapons systems, military preparedness, and fortification of cybersecurity infrastructure. In light of these developments, the country has allocated $222 billion for the period from 2021 to 2025, according to GlobalData, a leading data and analytics company.
Akash Pratim Debbarma, Aerospace & Defense Analyst at GlobalData, comments: “Over the years, South Korea has successfully diminished its reliance on imports and enhanced the capabilities of its armed forces through the indigenous development of several advanced military systems. The country’s allocation of funds toward acquisition and research, development, testing, and evaluation (RDT&E) underscores its commitment to addressing the evolving security challenges within the region.”
The successful flight of the KF-21 prototype by Korea Aerospace Industries (KAI) in 2022 marks a significant stride toward self-reliance in combat aircraft production. While the induction of the KF-21 is slated for 2028, it is expected to considerably enhance South Korea’s aerial combat capabilities with advanced onboard avionics and near-stealth performance.
Debbarma concludes: “As North Korea continues its nuclear-capable missile tests, South Korea remains steadfast in enhancing its deterrence strategies, bolstering its air, naval, and missile defense capabilities. However, South Korea is still mainly dependent on the 28,500 US troops to maintain a credible deterrence against potential hostilities from North Korea.
“With looming uncertainties about the continuance of its reliance on US support following Trump’s return to office, South Korea will likely redirect most of its defense budgets into indigenization efforts. While supporting its armed forces, South Korea will also try to achieve economy of scale to keep the cost down for its domestic defense systems by exporting them to its allies worldwide.
NEW YORK, May 21, 2025 (GLOBE NEWSWIRE) — Creatd, Inc. (OTC: CRTD), a holding company focused on acquiring synergistic companies, today announced the publication of its Q1 2025 financial results.
Q1 2025 Highlights:
Net equity improved by $7.9 million in Q1 2025, an 80% quarter-over-quarter increase from Q4 2024.
Revenues reached $721,815, up from $428,000 in Q1 2024, representing 70% year-over-year growth
Continued execution of uplisting strategy focused on strengthening the balance sheet and acquiring accretive operating businesses
A major contributor to the first quarter’s performance was the completed acquisition of Flyte, an emerging platform in the private aviation and travel technology sector. Flyte’s addition supports Creatd’s strategy of acquiring established businesses that deliver immediate financial results and align with long-term strategic goals.
The momentum from Q1 is carrying into Q2, notably with yesterday’s announcement of Creatd’s intent to acquire a stake in PCG Advisory and its affiliated companies for a collective $2.3 million. Given recent developments in Q2, Creatd has now achieved positive net equity for the first time in over four years since its Nasdaq listing. This is an important step toward applying for an uplisting to a national exchange in Q3 2025.
With a targeted closing at the end of June 2025, the PCG transaction is one of several deals designed to further increase the company’s net equity. In tandem, Creatd is reducing liabilities and advancing additional strategic transactions already in motion.
Jeremy Frommer, CEO of Creatd, commented:
“In addition to our accretive acquisitions and overall reduction in liabilities, we’re seeing improving financials across our existing businesses, Vocal and OG Collection. While many microcap companies chase short-term wins at shareholders’ expense, we’re focused on fundamentals: growing revenue and maintaining a strong balance sheet. We’re laying the groundwork for an uplisting, one transaction at a time.”
The full Q1 2025 Quarterly Report is available on OTC Markets.
About Creatd, Inc.
Creatd, Inc. focuses on investments and operations across technology, media, aviation, advertising, and consumer sectors. By leveraging its expertise in structured finance and acquisitions, Creatd identifies and nurtures opportunities within small-cap companies, driving growth and innovation across its diverse portfolio.
New York, New York, May 21, 2025 (GLOBE NEWSWIRE) — TIME has named David Nussbaum, Founder and Chairman of Proto Inc., to its 2025 TIME100 Health list in the “Innovators” category, recognizing his pioneering work creating hologram and AI technology to expand access to healthcare. The annual list honors the 100 most influential figures shaping global health.
Featured in the May 26 print edition, TIME praised Proto Hologram for its impact on rural healthcare access by “beaming” doctors into clinics, its real-time AI translation tools, HIPAA-compliant systems, and newly reduced cost—making the technology more accessible than ever.
Nussbaum shares the honor with leaders such as Alice Walton, Bill Nye, and WHO Director-General Dr. Tedros Adhanom Ghebreyesus.
“Nothing is more important than connecting with your doctor in person to create that emotional, physical connection—especially when you’re talking about something as important as cancer or Parkinson’s or life-altering news,” Nussbaum told TIME.
Dr. Sylvia Richie of West Cancer Center beams live across the country to talk with Proto Founder David Nussbaum. West Cancer and Proto launched the first real doctor-patient hologram appointments in 2024.
The first company to install Proto technology to beam doctors to patients for real appointments was West Cancer Center in Tennessee. Since then many major clinics have launched pilot programs to bring the solution to the shortage of caregivers to more underserved populations. Proto is also in use in higher education medical and healthcare programs including the University of Central Florida CHPS program, the University of Nebraska Medical Center, the University of Minnesota’s Hormal Institute and the Vanderbilt University School of Nursing.
“This honor of being on the Time100 Health list really belongs to the entire Proto team,” said Nussbaum. “Their belief, talent, hustle and heart have built this company and this incredible technology. A spotlight on any of us is a reflection on all of us. I’m so grateful that I get to work with this team every single day. This is also a tribute to the companies and organizations that have been brave and imaginative enough to take the leap – the doctors and nurses and patients and executives who are putting Proto’s hologram communication and AI tools in action to help people everywhere.”
West Cancer Center’s Dr. Sylvia Richie demonstrates live hologram medical appointments by beaming from Tennessee to Los Angeles to be present in a Proto Luma.
Proto is the original, patented hologram communications and AI spatial compute platform in use around the world by dozens of Fortune 500 companies, 50 universities, and stadiums, airports, hospitals and malls everywhere. In addition to healthcare, Proto is active in education, finance, retail, hospitality, sports and entertainment. Proto has been recognized previously as the inventor of the technology by the New York Times, Wall Street Journal, TechCrunch, the Today Show, CNN and the BBC.
The full 2025 TIME100 Health list appears in the May 26, 2025 print issue of TIME and at time.com/time100health.
About Proto Inc.: Proto Inc. is the patented leader in hologram technology and AI spatial computing. Proto devices and its platform are in use across enterprise, finance, healthcare, education, retail, hospitality, sports and entertainment. Invented in Los Angeles and with showrooms and distribution partners around the globe, Proto distributes the large Proto Epic and Proto Luma, the desktop-sized Proto M2, and a suite of hologram AI and spatial computing services. Learn more at protohologram.com.
Kinshasa (Agenzia Fides) – “We hope the Pope will make an appeal for peace in the Democratic Republic of Congo,” write the members of ACMEJ (Association Against Evil and for the Integration of Youth) of Katogota, in the province of South Kivu, in the east of the country.

Recalling that “in his first Sunday blessing from St. Peter’s Basilica, the new Pope Leo XIV made a solemn appeal for peace in Ukraine and for an immediate ceasefire in Gaza,” the members of the ACMEJ ask the Holy Father not to forget the tragedy of their homeland, one of the forgotten conflicts that continue to bloody the world. Since the M23 guerrillas, supported by Rwandan soldiers, have conquered vast areas of North and South Kivu—including the regional capitals of Goma and Bukavu—the civilian population has been living in tragic conditions.

According to ACMEJ, the village of Katogota, already the scene of a massacre on May 14, 2000, in which 375 civilians died, has once again been “destroyed, looted, wounded, and bombed by the M23 and its Rwandan allies.” “The attackers have illegally occupied the premises of the local Catholic Church of Saint Berger—church, school, and prayer hall—as well as the multipurpose hall of the Katogota community, setting up their camp there and transforming the religious and educational spaces into military accommodation,” the statement sent to Fides said.

“The villagers ask Pope Leo XIV to make a new solemn appeal for peace in the eastern Democratic Republic of the Congo, starting with an immediate and effective ceasefire and the creation of a buffer zone in the villages of Katogota and Kamanyola, under the control of military forces sent by the United Nations Security Council or the African Union.” According to the ACMEJ, this measure would allow refugees and displaced persons from Katogota to return to their homes more safely, pending a final peace agreement,” the human rights organization stated.

The villages of Katogota and Kamanyola are currently on the front line separating the M23 from forces loyal to the Kinshasa government (see Fides, 4/3/2025). The situation has been further aggravated by the Congolese government’s recent decision to close banks and airports in areas under M23 control.

The Secretary General of the National Episcopal Conference of Congo (CENCO), Bishop Donatien Nshole, denounced the interruption of these essential services. “The closure of banks and airports in these areas forces many families to survive in particularly precarious conditions,” he said on May 19. (L.M.) (Agenzia Fides, 21/5/2025)
Source: People’s Republic of China in Russian
Source: People’s Republic of China – State Council News
HARBIN, May 21 (Xinhua) — “In terms of humanitarian cooperation, the Amur Region is the leader among other Russian regions in the number of Russian-Chinese joint events, just like Heilongjiang Province is among Chinese regions. I very much hope that in the future we will be able to raise the level of these events by attracting additional partner regions from both sides,” Amur Region Governor Vasily Orlov said in an interview with Xinhua.
He made the statement on the sidelines of the 34th Harbin International Economic and Trade Fair, which is being held in Harbin, the capital of Heilongjiang Province, northeast China, from May 17 to 21.
“We have more than 200 events. They are held annually, there are very bright and iconic ones that have become the calling card of our cities – Blagoveshchensk and Heihe and the Amur Region and Heilongjiang Province,” explained V. Orlov.
Among the above-mentioned events, the governor named the annual winter festival held on the ice of the Amur River (Heilongjiang River), which includes hockey matches, car rallies, and winter swimming competitions.
“We have a number of regions that would like to act as partners in this event, and Heilongjiang Province will certainly also find such partners from the Chinese side,” noted V. Orlov.
The Governor of the Amur Region highly praised the Harbin Winter Ice and Snow Festival. “It has become such a calling card that people from all over China come here to see it, but we have every chance that the winter festival in Blagoveshchensk and Heihe will be the same calling card and tourists will come there.”
According to V. Orlov, there is colossal potential for tourism between Russia and China. “We are implementing several large logistics projects, including a cable car, the construction of which will be completed this year. Such a facility will give a serious boost to the growth of the tourist flow.”
“We are further developing the theme of promoting tourism throughout Russia among Chinese tourists. We have built a new airport in Blagoveshchensk, built all the infrastructure for aircraft, and by the end of the year we will build an international passenger terminal. We are also actively working to develop the sector of flights from Blagoveshchensk to other cities of interest to Chinese tourists in Russia, such as Petropavlovsk-Kamchatsky, Irkutsk and to Baikal,” the governor noted.
V. Orlov is also aware of the high demand and congestion of flights between Blagoveshchensk and Harbin. “We really hope that the number of such flights will increase so that they fly regularly between the two cities,” he summed up.
The Government today announced that amendments to the Small Unmanned Aircraft Order and the Air Navigation (Hong Kong) Order 1995 will be published in the Government Gazette on Friday, with an aim to facilitate the development of the low-altitude economy.
The Small Unmanned Aircraft (Amendment) Order 2025 serves to extend the existing regulatory regime with a proposal to add a new category C, covering aircraft that weigh over 25kg but not more than 150kg.
Anyone operating category C aircraft will have to obtain prior permission from the Civil Aviation Department. Insurance requirements are also proposed. In addition, there is a proposal to permit a statutory fee to be charged on a full cost-recovery basis.
Anyone conducting cross-boundary small unmanned aircraft (SUA) operations, regardless of the weight of the SUA deployed, will have to obtain prior permission from the department.
Another proposal is that information about any SUA operated under the department’s prior permission should be kept for six months and be accessible within Hong Kong.
As regards air navigation, the Air Navigation (Hong Kong) Order 1995 (Amendment) Order 2025 serves to facilitate trials of various unconventional aircraft in Hong Kong. New articles are proposed to empower the Chief Executive to permit such trials under specified conditions.
The Transport & Logistics Bureau said the Government is proactively taking forward initiatives to promote the low-altitude economy in Hong Kong, adding that it is imperative to establish a robust legal and regulatory framework for the relevant emerging technologies.
The proposed legislative amendments can tap into the potential of heavier SUA units and facilitate trial flights for unconventional aircraft, thereby expanding and enriching application scenarios for different low-altitude flying activities, the bureau added.
Meanwhile, the Government is studying the scope for a new, customised piece of legislation that would regulate different types of unconventional aircraft.
The amendment orders will be tabled at the Legislative Council on May 28, with a targeted commencement date of July 18.
Since last Thursday, intensified Israeli air strikes on Gaza have killed more than 500 Palestinians, and a prolonged Israeli aid blockade has led to widespread starvation among the territory’s two million residents.
Meanwhile, the IDF is intensifying its air and ground attacks on the civilian population and on the few remaining health services. Al Jazeera is also reporting that the IDF has issued “a forward displacement order” for the entirety of Khan Younis, the second largest city in Gaza.
The escalation of the Israeli onslaught has been condemned by UN human rights chief Volker Türk, who has likened the IDF campaign to an exercise in ethnic cleansing:
“This latest barrage of bombs … and the denial of humanitarian assistance underline that there appears to be a push for a permanent demographic shift in Gaza that is in defiance of international law and is tantamount to ethnic cleansing,” he said.
If the West so wished, it could be putting more economic pressure on Israel to cease committing its litany of atrocities. Israel’s use of starvation as a weapon of war has been sparking mass demonstrations across Europe.
In the Netherlands at the weekend, a massive demonstration culminated in calls for the Netherlands government to formally ask the EU to suspend its free trade agreement with Israel.
Until now, the world’s relative indifference to the genocide in Gaza has been mirrored by Palestine’s Arab neighbours. As Gaza burned yet again, Saudi Arabia and the Emirates were lavishly entertaining US President Donald Trump — Israel’s chief enabler — and showering him with gifts.
In all, economic joint ventures worth hundreds of billions of dollars were signed and sealed last week between the US and the Middle East region, despite the misery being inflicted right next door.
Footnote: Directly and indirectly, Big Tech firms such as Microsoft and Intel continue to enable and enhance the IDF war machine’s actions in Gaza. This is an extension of the long time support given to Israel by Silicon Valley firms via the supply of digital infrastructure, advanced chips, software and cloud computing facilities.
The extinction of hope
As the Ha’aretz newspaper reported this week, “The three pillars of hope for the Palestinians have collapsed: armed struggle has lost legitimacy, state negotiations have stalled, and faith in the international community has faded. Now, they face one question: ‘Where do we go from here?’
As Ha’aretz concluded, the Palestinians seem to have vanished into a diplomatic Bermuda Triangle. What would it take, one wonders, for the New Zealand government — and Foreign Minister Winston Peters — to wake up from their moral slumber?
Whenever the Luxon government does talk about this conflict, it still calls for a “two state solution” even though, as a leading Israeli journalist Gideon Levy says, this ceased to be a viable option more than 25 years ago.
“We crossed the point of no return a long time ago. We crossed the point at which there was any room for a Palestinian state, with 700,000 settlers who will not be evacuated, because nobody will have the political power to do so. The West Bank is practically annexed for many, many years . . . Nobody can take this discourse seriously anymore. But, you know, those who want to believe in it, believe in it.”
Conveniently, the two state waffle does provide Peters and Luxon with cover for their reluctance to — for example — call in, or expel the Israeli ambassador. Or impose a symbolic trade boycott. Or impose targeted sanctions on the extremists within the Netanyahu Cabinet who are driving Israeli policy.
Instead of those options, the “negotiated two state” fantasy has been encouraged to take on a life of its own. Yet do we really think that Israel would entertain for a moment the expulsion of the hundreds of thousands of Jewish settlers illegally occupying the land on the West Bank required for a viable Palestinian state?
The Netanyahu government has long had plans to double that number, with the settler influx growing at a reported rate of about 12,000 a year.
The backlash
Israel’s use of starvation as a weapon is finally creating a backlash, in Europe at least. The public outrage being expressed in demonstrations in the UK, France and Germany finally seems to be making some governments feel a need to be seen to be doing more.
Not before time. At the drop of a hat, Western nations — New Zealand included — will bang on endlessly about the importance of upholding the norms of international law. So you have to ask . . . why have we/they chosen to remain all but mute about the repeated violations of human rights law and the Geneva Conventions being carried out by the IDF in Gaza on a daily basis?
“In [Khan Younis’] Nasser Hospital, Safaa Al-Najjar, her face stained with blood, wept as the shroud-wrapped bodies of two of her children were brought to her: [18 month old] Motaz Al-Bayyok and [six weeks old] Moaz Al-Bayyok.
“The family was caught in the overnight airstrikes. All five of Al-Najjar’s other children, ranging in ages from 3 to 12, were injured, while her husband was in intensive care. One of her sons, 11-year-old Yusuf, his head heavily bandaged, screamed in grief as the shroud of his younger sibling was parted to show his face.
Ultimately, Israel’s moral decline will be for its own citizens to reckon with, in future. For now, New Zealand is standing around watching in silence, while a blood-soaked campaign of ethnic cleansing unmatched in recent history is being carried out.
Source: People’s Republic of China in Russian
Source: People’s Republic of China – State Council News
WASHINGTON, May 21 (Xinhua) — U.S. Defense Secretary Pete Hegseth on Tuesday ordered the Pentagon to launch a comprehensive investigation into the circumstances surrounding the withdrawal of U.S. troops from Afghanistan in 2021.
In a memo, Hegseth said the Defense Department had an obligation to investigate what he described as a disastrous operation that ended with 13 U.S. service members killed in a suicide attack at Kabul airport.
“This remains an important step toward restoring the faith and trust of the American people and all those who wear uniform, and is prudent given the number of casualties and equipment lost during the withdrawal operation,” the memo said.
The troop withdrawal, which ended nearly 20 years of U.S. military presence in Afghanistan, was overseen by then-President Joseph Biden and his national security team in August 2021. A suicide bomber linked to the Islamic State attacked Kabul’s airport in the final days of the troop withdrawal, killing U.S. troops and Afghans.
P. Hegseth called the withdrawal of troops “catastrophic and shameful.”
Both Hegseth and President Donald Trump have repeatedly criticized the Biden administration’s troop withdrawal efforts.
Source: Hong Kong Government special administrative region
Legislative amendments which seek to implement the latest requirements of the International Civil Aviation Organization (ICAO) for the safe transport of dangerous goods (DG) by air will be gazetted on Friday (May 23) for tabling in the Legislative Council on May 28, and targeted for commencement on July 18, 2025.
The Air Navigation (Hong Kong) Order 1995 (Amendment of Schedule 16) Order 2025 and the Dangerous Goods (Consignment by Air) (Safety) Regulations (Amendment of Schedule) Order 2025 serve to incorporate the ICAO’s latest requirements in the local legislation. Such requirements are set out in a new edition (i.e. the 2025-2026 edition) of the ICAO’s Technical Instructions for the Safe Transport of Dangerous Goods by Air (Technical Instructions).
Some of the updated provisions introduced by the new edition of the Technical Instructions include:
(a) A requirement to indicate on the DG transport document the dimensions of packages containing certain radioactive materials has been added to facilitate cargo loading procedures;
(b) A note specifying DG allowed for carriage by passengers has been relocated to better reflect its applicability; and
(c) Some changes to the technical requirements on the classification, packing, marking and labelling of certain kinds of DG for carriage by air have been incorporated.
“The aviation industry is supportive of the legislative amendments which aim to enhance the safe carriage of DG by air,” a spokesperson for the Transport and Logistics Bureau said.
DG, in the context of air transport, include explosives, compressed gas, flammable liquids, flammable solids, oxidising substances, toxic substances, infectious substances, radioactive materials and corrosives.
The Leeds Armed Forces Festival is back for a second year with an extravaganza of themed activities taking place leading up to Armed Forces Day itself at the end of next month.
The festival, hosted by the Lord Mayor of Leeds, is a chance for everyone to show their support for the men and women who make up our armed forces community, from currently serving troops and service families, to reservists, veterans, and cadets.
Everyone in Leeds is invited to participate, and there is something to suit all tastes.
Highlights of the festival include the Lotherton Hall 1940s weekend; special exhibitions at the Royal Armouries; a Commonwealth War Graves tour; Tea and Talk at Temple Newsam; a curator talk and object handling event at Leeds Discovery Centre; and various social history club events at Leeds Museum at various times and dates in June, July and August.
Returning for a second year is the popular special tour of the Thackray Museum of Medicine, focusing on the building’s role as a military hospital in the First World War, and the ever-popular singing group, the D-Day Darlings, will also be presenting their explosive new show for VE and VJ Day at City Varieties.
The centrepiece of the festival will be the main Armed Forces Day event on Sunday, June 29.
The event will start with the raising of the Armed Forces Day flag in Victoria Gardens at 10:30am, before military personnel, veterans, and cadets parade through the city’s streets to the main event space on Briggate, where the Lord Mayor will take the salute, all accompanied by the West Yorkshire Police band.
The day’s main activities will be on Briggate between 11am-4pm, and will be packed with family-friendly activities, parades, stalls, exhibitions, and music. Weather permitting, there will also be a flypast by the Battle of Britain Memorial Flight’s (BBMF) C47 Dakota/Skytrain aircraft.
Lord Mayor Elect, Councillor Dan Cohen, said: “Leeds has a long tradition of supporting our armed forces in both war and peace, and I look forward to continuing that tradition during my year as Lord Mayor.
“This year, Armed Forces Day has added significance as we mark the 80th anniversary of VE Day and VJ Day; remembering, reflecting, and commemorating those who fought, worked, and sacrificed to allow us our way of life today.
“While a fun and engaging day for all the family, the Armed Forces Festival is also an incredible way to say thank you to the men and women of the armed forces community, past, present, and future.
“I would like to extend an invitation to everyone in Leeds, and I look forward to seeing as many people at the different events as possible.”
Source: Moscow Government – Government of Moscow
The digital platform "Moskino" has been visited 2.5 million times since its launch in the autumn of 2023. There, film industry representatives can apply for filming approval and select suitable locations and props, while city residents and tourists can sign up for excursions and master classes and learn about creative meetings and other events. This was reported by Natalia Sergunina, Deputy Mayor of Moscow.
“The platform has already attracted 800 thousand unique users. It is in demand not only among industry professionals and students of specialized universities, but also among everyone interested in cinema,” said Natalia Sergunina.
More than half of the views are of the page dedicated to the Moskino cinema park. It contains a schedule of immersive performances, exhibitions, introductory walks and other events. For example, one of the excursions, the Cinema Expedition, includes a visit to the sets of the Ivan the Great Bell Tower and the Terem Palace of the Moscow Kremlin, a real Tu-154 aircraft and the largest chroma key stage in Europe.
Filmmakers especially enjoy the section with descriptions of almost 700 city filming locations and a booking service. Among them are streets, parks, squares, train stations, cultural institutions, estates, pavilions of the Gorky Film Studio, the Moskino film factory and other places.
Experts can use a catalogue of 60 thousand props, including modern and historical costumes, furniture, props, equipment and other items from different eras.
The service also has a section for those who want to build a career in the industry. It presents programs of specialized educational institutions and courses for actors, scriptwriters, editors, cameramen and other specialists in this field.
The capital pays great attention to the development of the industry within the framework of the Mayor's project "Moscow – the city of cinema". The Moscow film cluster already includes the Gorky Film Studio (locations on Sergei Eisenstein Street and Valdai Passage), a chain of cinemas, a film park and the Moskino film factory.
The Moskino film commission helps organize filming in the city. Since the beginning of the year, it has received more than a thousand applications – 53 percent more than a year ago. One of the most popular filming locations is the Moskino cinema park. In just three months, 15 projects were implemented here.
Please note: This information is raw content directly from the source of the information. It is exactly what the source states and does not reflect the position of MIL-OSI or its clients.
Press Release Nokia sole company recognized as a Champion, Market Momentum Leader in Omdia’s 2025 Private 5G Market Radar report
Nokia private wireless portfolio, edge AI capabilities, segment blueprints, and global partner ecosystem recognized for accelerating Industry 4.0 transformation.
21 May 2025 Espoo, Finland – Nokia today announced that it is the sole company recognized as a Champion and a Market Momentum Leader in Omdia’s Market Radar: E2E Private 5G Networks Vendors – 2025. The report highlights Nokia’s 5G Private Wireless vision, strong product portfolio, and continued investment in mission-critical connectivity solutions tailored for industrial enterprises in multiple verticals, including manufacturing, mining, ports, airports, utilities, public safety, and railways.
Omdia's Private 5G Market Radar report provides comprehensive analyses of the private 5G vendor landscape, while discussing partnerships, market trends, and strategic insights. According to Omdia, the Market Leader category represents leading vendors that provide advanced capabilities across the six areas explored and that Omdia believes are worthy of a place on most technology selection shortlists. Nokia was the only vendor cited as a Champion in the report for "jump starting the market to exploring opportunities in the mission-critical edge where the connectivity at OT world are merging."
At a time when private wireless networks have become essential for industries seeking secure, reliable, and high-performance connectivity to support their digital transformation, Nokia’s leadership in the sector is recognized for being the first company to identify the private networks opportunity and engage with the ecosystem to drive market adoption, having already deployed 890 private 4G and 5G networks worldwide as of Q1 2025.
Omdia highlights Nokia's evolution of its private wireless solutions beyond connectivity into an edge compute and AI platform for industries; verticalized solutions built on years of research, testing, and validation through segment blueprints; and a rich ecosystem of applications and partners such as Kyndryl, Telefonica Tech and Verizon.
“Nokia’s continued leadership in the private 5G market is underpinned by its comprehensive and forward-looking approach to industrial connectivity. By offering an integrated platform that benefits an array of industries, Nokia is setting the pace for Industry 4.0 transformation,” said Pablo Tomasi, Principal Analyst, Private Networks and Enterprise 5G at Omdia.
“Omdia’s recognition reflects our commitment to delivering robust, scalable, and intelligent networks that meet the demanding needs of industrial environments. From our MX Industrial Edge platform to our vertical blueprints, Nokia is helping enterprises accelerate their digital transformation journeys,” said Raghav Sahgal, President of Cloud and Network Services at Nokia.
Nokia’s portfolio supports both campus and wide-area networks, including private wireless solutions such as Nokia Digital Automation Cloud (DAC), Modular Private Wireless (MPW), and Core Enterprise Solutions. It also features patented innovations like MX Industrial Edge (MXIE), Nokia MX Boost, and AI-powered solutions including Nokia MX Grid, MX Workmate, Visual Position and Object Detection (VPOD), and MX Context.
Some of Nokia’s most notable private network customer references include Southern California Edison, British Sugar, Husky Terminals, Sociedad Portuaria Puerto Bahia, Butachimie, Lufthansa Technik, Dow Chemical, Chevron Phillips Chemical, Hola Oulu Hospital, and Carrix.
About Nokia
At Nokia, we create technology that helps the world act together.
As a B2B technology innovation leader, we are pioneering networks that sense, think and act by leveraging our work across mobile, fixed and cloud networks. In addition, we create value with intellectual property and long-term research, led by the award-winning Nokia Bell Labs, which is celebrating 100 years of innovation.
With truly open architectures that seamlessly integrate into any ecosystem, our high-performance networks create new opportunities for monetization and scale. Service providers, enterprises and partners worldwide trust Nokia to deliver secure, reliable and sustainable networks today – and work with us to create the digital services and applications of the future.
About Omdia
Omdia, part of Informa TechTarget, Inc. (Nasdaq: TTGT), is a global analyst and advisory leader that helps you connect the dots across the technology ecosystem. Now joined by Canalys, Enterprise Strategy Group and Wards Intelligence, our deep knowledge of tech markets combined with our actionable insights empower organizations to make smart growth decisions.