Category: Balkans

  • MIL-OSI China: Bulgarian saffron, Croatian tuna granted Chinese market access

    Source: People’s Republic of China – State Council News

    NINGBO, May 22 — Bulgarian saffron and Croatian tuna were granted Chinese market access on Thursday, adding to the list of imported agricultural and food products from Central and Eastern European Countries (CEECs) for Chinese consumers.

    Import access was approved for these products during the fourth China-CEEC Expo & International Consumer Goods Fair, which opened on Thursday in Ningbo, east China’s Zhejiang Province.

    According to data released by China’s General Administration of Customs (GAC) on the same day, a total of 126 types of agricultural and food products from CEECs have been granted access to China.

    China has streamlined its approval processes and enhanced its customs clearance efficiency in recent years, allowing CEEC delicacies such as Polish amber beer and Latvian canned fish to enter the Chinese market more easily.

    Against the backdrop of a complex international landscape, China-CEEC cooperation is providing greater certainty and vitality to the world economy, according to GAC deputy chief Zhao Zenglian.

    China’s expansion of agricultural imports has bolstered bilateral trade. Customs data shows that China-CEEC trade totaled 142.27 billion U.S. dollars in 2024 — up 6.3 percent year on year and outpacing China’s overall import-export growth by 2.5 percentage points.

    MIL OSI China News

  • MIL-OSI Australia: Guide to functional currency rules

    Source: New places to play in Gungahlin

    How to use the functional currency rules guide

    The electronic version of this document is the only authorised version. Printed copies may be out of date.

    Read this guide to find out more about the functional currency rules, including:

    • eligibility requirements
    • the implications for tax accounting and tax reporting.

    You can use this guide if you are:

    • an Australian resident or a non-resident with a permanent establishment in Australia and both of the following apply
      • you keep your accounts solely or predominantly in a particular foreign currency
      • you wish to work out your taxable income (or tax loss) using that foreign currency – that is, using your ‘applicable functional currency’
    • a non-resident disposing of indirect interests in real property in Australia and the sole or predominant currency in which you keep your accounts at the time of disposal is a foreign currency. The application of functional currency rules is mandatory in this situation.

    This guide does not cover income from overseas permanent establishments of resident taxpayers.

    Functional currency translation rules

    The functional currency translation rules are an exception to the core foreign currency translation rules.

    Under the core foreign currency translation rules, amounts in a foreign currency must be translated into Australian dollars (A$). There are also rules about when and at what exchange rate a translation is to take place for a given type of transaction.

    Under the functional currency rules, you can use a currency other than A$ as the unit of account to work out your taxable income or tax loss. The core foreign currency translation rules continue to apply to amounts and transactions not covered by the functional currency rules.

    If you are an eligible taxpayer who keeps your accounts solely or predominantly in a particular foreign currency, you can choose to use that foreign currency as the unit of account to work out your taxable income or tax loss.

    If you have made such a choice (that is, an effective functional currency choice), you do not translate transactions you undertake in either a foreign currency or in your applicable functional currency into A$. Rather, you translate only your net amount of taxable income or tax loss calculated in your applicable functional currency into A$.

    The core foreign currency translation rules are contained in section 960-50 of Subdivision 960-C of the Income Tax Assessment Act 1997 (ITAA 1997).

    The functional currency translation rules are contained in section 960-80 of Subdivision 960-D of the ITAA 1997.

    How the functional currency rules work

    Once you choose to use a non-Australian dollar applicable functional currency, you must use that currency as the unit of account in your day-to-day tax accounting. After working out your taxable income or tax loss in the applicable functional currency, you must translate that amount into A$ to report on your tax return.

    You must also carry out your instalment income calculations in your applicable functional currency and translate that amount into A$ for reporting purposes.

    Eligibility to account in a functional currency

    Only certain taxpayers can choose to work out their taxable income or tax loss using a non-Australian dollar applicable functional currency. This guide is relevant only if you are either of the following:

    • a resident who must prepare financial reports under section 292 of the Corporations Act 2001
    • a non-resident carrying on business through a permanent establishment in Australia.

    Your applicable functional currency is the sole or predominant currency in which you keep your ‘accounts’ at the time you choose to use functional currency.

‘Accounts’ means ledgers, journals, statements of financial performance, profit and loss accounts, balance sheets and statements of financial position, and includes statements, reports and notes attached to, or intended to be read with, such items.

    Find out more in subsection 960-70(4) of the ITAA 1997.

    The following taxpayers using a non-A$ applicable functional currency are not covered in this guide:

    • Australian residents carrying on business through overseas permanent establishments, using a non-A$ applicable functional currency to work out their taxable income or loss
    • attributable taxpayers in respect of controlled foreign companies (CFC) and transferor trusts, using a non-A$ applicable functional currency to work out the ‘attributable income’ of the CFC or transferor trust.

    When to make a functional currency choice

    The functional currency rules started to apply on 1 July 2003.

    Ordinarily, if you choose to use a foreign currency as your applicable functional currency to work out your taxable income or tax loss, your choice will take effect after the end of the tax year during which you made it.

    You must make your functional currency choice in writing.

In some circumstances, you can make your functional currency choice after the start of the tax year in which you intend it to take effect. This is referred to as a ‘backdated start up choice’. You must make a ‘backdated start up choice’ within 90 days of either of the following:

    • the start of the tax year, if your entity existed at that time
    • the day your entity came into existence, if it did not exist at the start of the tax year.

    Withdrawing an existing functional currency choice and substituting a new choice

    You can withdraw your existing functional currency choice if the functional currency you are using ceases to be the sole or predominant currency in which you keep your ‘accounts’. Your functional currency choice withdrawal will take effect from the end of the tax year in which you withdraw it.

    Your withdrawal:

    • cannot be backdated
    • must be made in writing
    • should be available as part of the business’s tax records.

    After your previous functional currency choice is withdrawn, you can make a choice to use the new sole or predominant currency in which you keep your accounts to work out your taxable income or tax loss. You must make this choice in writing. If you don’t make a new functional currency choice, the core foreign currency translation rules will apply, which means that all amounts must be translated into A$.

    Documenting your choice to use a non-Australian dollar applicable functional currency

    When making your written choice to use a non-Australian dollar currency as your applicable functional currency, include all the following:

    • the name and tax file number of the entity making the choice
    • the use to which the functional currency is being put – for example, to work out taxable income or tax loss
    • the date the choice takes effect
    • the unit of account that the entity intends to use as its functional currency
    • the signature of the entity’s public officer and the date the written functional currency choice was signed.

You do not need to send your written functional currency choice to us. However, it should be available as part of your business’s tax records.

    Non-functional currency amounts you receive or pay

    All amounts included in working out your taxable income or tax loss must be in the applicable functional currency. This means you must translate all amounts you receive or pay in another currency, including A$ amounts, into the applicable functional currency.

    The functional currency translation rules, including applicable exchange rates, follow the principles in the core foreign currency translation rules for translating foreign currency amounts to A$. This is covered in subsection 960-50(6) of Subdivision 960-C and also subsection 960-80(6) of Subdivision 960-D of the ITAA 1997.

    However, the A$ is treated as a foreign currency while your applicable functional currency is not a foreign currency for the purposes of working out your taxable income or tax loss in the applicable functional currency. This is covered in subsection 960-80(1) of the ITAA 1997.

    A foreign exchange (forex) realisation gain or loss may arise for certain amounts if there is a difference in prevailing exchange rates at the relevant times. For example, the exchange rate applicable at the time you incur an amount may be different from the exchange rate applicable when you pay it. In this situation, changes in the value of the A$ against the applicable functional currency can bring about a forex gain or loss – an example follows.

    Example 1: trigger of foreign currency loss

    Stellar Rex Incorporated (Stellar Rex), a USA company with a branch (permanent establishment) in Australia, chooses to account for their Australian branch’s taxable income in a functional currency. For Stellar Rex’s purposes, US dollars (US$) is the applicable functional currency and A$ is a foreign currency.

    Stellar Rex contracts to purchase a depreciating asset from an Australian company in A$ as follows:

    Year 1

    Stellar Rex contracts to purchase the asset for A$10,000. Stellar Rex holds the asset from the date of contract.

    At the contract time, A$1.00 = US$0.50.

    Therefore, the cost of the asset in the applicable functional currency is US$5,000.

    Year 2

    Thirteen months after beginning to hold the asset, Stellar Rex pays A$10,000 for the asset.

    At this time A$1.00 = US$0.55, so the A$10,000 Stellar Rex pays is equivalent to US$5,500.

    A forex realisation loss of US$500 is made under Forex realisation event (FRE) 4 when Stellar Rex pays A$10,000 for the asset in year 2. As the payment was made more than 12 months after first holding the asset, the loss is not a short-term forex realisation loss – refer to section 775-75 of the ITAA 1997.

    Therefore, Stellar Rex will take this loss into account as an allowable deduction when calculating the taxable income or tax loss of its Australian branch for year 2. The taxable income of the Australian branch is calculated in US$ and translated into A$ at the end of the tax year for the purpose of working out the amount of A$ income tax it is liable to pay.

    End of example

    Find out more about foreign currency translation (conversion) rules.

    Pre-choice amounts

    Special translation rules apply to amounts that are attributable to transactions or events that happened before your current functional currency choice took effect (‘pre-choice’ amounts). Pre-choice amounts that are relevant for working out your taxable income or tax loss for a year after your functional currency choice takes effect must be translated into your applicable functional currency in accordance with these special rules. This includes pre-choice amounts that are denominated in the same non-A$ currency as your applicable functional currency.

    If you haven’t previously made a functional currency choice, you should translate a relevant pre-choice amount as follows:

    • firstly, into A$ at the exchange rate applicable at the time of the transaction or event
    • secondly, into the applicable functional currency at the exchange rate at the time your functional currency choice took effect.

    If you have previously made a choice to use a non-A$ currency as your applicable functional currency, you should translate a relevant pre-choice amount:

    • firstly, into the previous applicable functional currency at the exchange rate applicable at the time of the transaction or event
    • secondly, into the new applicable functional currency at the exchange rate at the time your new functional currency choice took effect.

    Example 2: sale of assets acquired before making a functional currency choice

    Fion Incorporated (FION), a non-resident corporation, operates through a permanent establishment in Australia. FION conducts most of its business in Yen (¥).

    In the year ended 30 June (year 1) FION chooses to use ¥ as its applicable functional currency. The choice applies for the year commencing 1 July (year 2).

    In the year ended 30 June (year 3) FION sells a tourist resort for ¥600 million, which it had purchased before year 1 for ¥500 million.

    As FION’s applicable functional currency is ¥, the capital gain or capital loss on the disposal of the tourist resort will be calculated in ¥. However, FION had not made a choice to use ¥ as its applicable functional currency at the time it purchased the tourist resort – that is, it was still using A$ for tax purposes. Therefore, the ¥ cost of the resort is translated to A$ at the exchange rate prevailing at the time of the purchase. This A$ amount is then translated to ¥ at the exchange rate prevailing at the time FION’s choice to use ¥ as its applicable functional currency took effect.

    For the purposes of this example, the exchange rates were:

    • A$1.00 = ¥68.50 at the time FION purchased the resort
    • A$1.00 = ¥62.00 at the time FION’s functional currency choice took effect.

    This means the cost base for the purpose of calculating the capital gain or loss on the disposal of the tourist resort is:

    • (¥500,000,000 ÷ 68.50) × 62.00
    • = A$7,299,270 × 62.00
    • = ¥452,554,745.

    The capital gain calculated in FION’s applicable functional currency is:

    • sale proceeds = ¥600,000,000
    • less ¥452,554,745
    • capital gain = ¥147,445,255.

    End of example

    Tax reporting and functional currency

    The functional currency rules allow you to work out your taxable income or tax loss in your applicable functional currency. However, all tax reporting must still be expressed in A$. When reporting on your tax return or activity statement, work out the reported amounts in your applicable functional currency and then translate these amounts into A$.

    For tax reporting purposes, when a translation is needed for label amounts (other than the taxable income amount), use the same translation rate as the taxable income translation rate. If you don’t have a taxable income amount in a given income year (that is, you have a tax loss), you should use the same rate you would have used to translate a taxable income amount into A$.

    How to treat different amounts

Amount type: Amounts used in working out taxable income or tax loss in the applicable functional currency (FC).

Note sections 6AB and 6AC of the Income Tax Assessment Act 1936 (ITAA 1936) with regard to foreign income and foreign tax and the ‘grossing-up’ of foreign income to include foreign tax paid.

Treatment: Include the amount in the taxable income calculation in the FC before translating taxable income from the FC into A$.

Amount type: Amounts used to work out taxable income or a tax loss that are in a foreign currency. For example:

• A$ amounts, including the ‘gross-up’ amount for a franked dividend
• amounts of foreign income, including the ‘gross-up’ amount for foreign tax paid in respect of that income.

Section 6AC of the ITAA 1936 requires the amount of foreign income included in your assessable income to be ‘grossed-up’ to include any foreign tax you paid in relation to the foreign income. If you receive a franked dividend, section 207-20 of the ITAA 1997 requires you to ‘gross-up’ your assessable income by the amount of the franking credit – and also entitles you to a tax offset equal to the amount of the franking credit.

Treatment: Translate into the FC using the applicable exchange rate for that amount.

As ‘gross-up’ amounts contribute to the calculation of your taxable income or tax loss, you must translate them into the FC. Include the FC value in the taxable income calculation before translating taxable income from FC into A$ – see Example 3 and Example 4.

    Carry-forward losses

    Carry-forward losses are allowable deductions that reduce taxable income.

    Identify the carry forward loss amount in the FC from the previous income year.

    Include these amounts in the taxable income calculation in the FC before translating taxable income from FC into A$.

    When reporting the value of a tax loss, translate it from FC into A$.

    Tax exempt amounts that reduce carry-forward losses

    Tax exempt amounts that reduce carry-forward losses are translated into the FC generally upon being derived. They are then used to absorb the loss to the extent of their value.

    When reporting the value of a tax exempt amount, translate it into A$.

    Foreign income tax offsets (FITO)

    Subsection 770-10(1) of the ITAA 1997 provides that you are entitled to a foreign income tax offset for foreign income tax you paid in respect of an amount of foreign income that is included in your assessable income in a year of income. (FITO in relation to the ‘attributable income’ of a CFC is not dealt with in this guide.)

    The value of foreign income tax offset amounts is not used in working out taxable income, except for when calculating the ‘attributable income’ of a controlled foreign company (CFC) or transferor trust.

    The core foreign currency translation rules apply, and the value of foreign tax paid used to calculate foreign income tax offsets is translated into A$ when the foreign tax is paid – see Example 3.

    Franking credits

    A credit that arises in the franking account of an entity (a franking credit) is a tax offset.

    The amount of the tax offset you are entitled to as a result of receiving a franked dividend is not translated into your FC. Your tax offset amount will equal the A$ amount of the franking credit attached to the dividend you received before it was translated into functional currency.

    Add the A$ value of franking credits to your franking account without translation into FC – see Example 4.

    You must keep your franking account in A$.

    Tax offsets and rebates

    Tax offsets and rebates are not used to work out taxable income or a tax loss.

    The core foreign currency translation rules apply.

    If the amount is already in A$, then no translation takes place.

    If the amount is in a non-A$ currency, translate the amount into A$.

    Do not translate into FC first.

    Values expressed in law

    Paragraph 960-80(2)(i) of the ITAA 1997 covers this.

    Translate these amounts to FC at the applicable rate – see Example 5.

    Example 4: franking credits

    US$1.00 = A$2.00

    XYZ Corporation (XYZ) is an Australian resident company, which chooses to use US$ as its applicable functional currency.

    XYZ derives a fully franked dividend as follows:

    • A$70 cash.
    • A$30 gross-up amount (franking credit value).

    To find out more, refer to subsection 207-20(1) of the ITAA 1997.

    Assessable income calculation

    XYZ translates A$100 ($70 + $30) into US$ as follows:

    • A$100 × 0.5 = US$50.

At the end of the tax year, US$50 (and other taxable income values) are translated into A$ at the regulation rate.

    Franking account balance

    Add A$30 to franking account balance. No translation takes place.

    End of example

    Mandatory application of functional currency for indirect Australian real property interests

    If:

    • you are a foreign resident
    • a CGT event happens in relation to a CGT asset that is an indirect Australian real property interest for you, and
    • at the time of the CGT event, the sole or predominant currency in which you keep your accounts is a currency other than Australian currency

    you must use the applicable functional currency to work out the amount of any capital gain or capital loss. Subsection 960-61(2) of the ITAA 1997 covers this.

    This requirement applies to CGT events that happen on or after 12 December 2006.

    Capital gains and losses

There are 2 steps to work out a capital gain or capital loss.

Step 1: translate an amount that is not in the applicable functional currency into the applicable functional currency.

Step 2: translate the amount of any capital gain or capital loss into Australian currency.

    See more details at table item 6 of subsection 960-80(1) of the ITAA 1997.

    Exchange rates to apply

    Different exchange rates apply to the translation of amounts that are elements in the calculation of capital gain or loss.

    See more details at subsection 960-80(4) of the ITAA 1997.

    The exchange rate to be used when translating amounts will be either the:

    • rate at the time the costs are incurred
    • rate at the time of the CGT event.

    Exchange rate applicable at the time the costs are incurred

    Amounts relating to the payments made and costs incurred that form part of the cost base of a CGT asset, are translated into your functional currency at the exchange rate applicable at the time the costs are incurred.

    See details in:

    • table item 5 of subsection 960-50(6) of the ITAA 1997
    • TR 2007/5 Income tax: functional currency – when is an amount not in the ‘applicable functional currency’? paragraphs 110 and 153.

    Exchange rate applicable at the time of the CGT event

    Amounts which are relevant for working out the capital gain or capital loss (capital proceeds or market value of other property) on the happening of a CGT event, are translated into the applicable functional currency at the exchange rate applicable at the time of the CGT event.

    Amount of capital gain or capital loss calculated in the applicable functional currency

    This amount is translated into the Australian currency at the exchange rate applicable at the time of CGT event.

    See details in:

    • table item 5 in subsection 960-50(6) of the ITAA 1997
    • TR 2007/5 Income tax: functional currency – when is an amount not in the ‘applicable functional currency’?

    Reporting during the year

    Business activity statements

    When completing a business activity statement (BAS):

    1. calculate your instalment income in the applicable functional currency
    2. translate your instalment income into Australian dollars at the appropriate rate
    3. complete label T1 of the BAS accordingly.

    Company tax return

    The functional currency rules allow some taxpayers to choose to work out their taxable income or tax loss by using a non-A$ currency as their applicable functional currency (FC).

    All amounts disclosed on the company tax return must be disclosed in A$.

    When a label amount is accounted for in a non-A$ FC, that sum should be translated into A$ using the same functional currency translation rate (shown at label 8N Functional currency translation rate of the company tax return) used to translate the taxable income or tax loss figure.

    The following amounts are always accounted for in A$, and not in the FC:

• Label 7J Franking credits
• Label 7C Australian franking credits from a New Zealand Company.

    The following amounts do not need to be translated into A$ before completion of the return:

• Label 7R Tax losses deducted
• Label 7S Tax losses transferred in.

    Tax losses are allowable deductions from taxable income. If you carry forward losses, you should account for and claim them in your FC. Report any losses used during the income year at label 7R by translating the value of the loss used into A$ at the FC translation rate.

    As mentioned above, label 8N is where you show the exchange rate used to translate the FC taxable income figure (and many other figures on the company tax return) into A$.

    At label 8N, show the translation rate the company used to translate the taxable income figure from the FC into A$. The translation rate is the amount the FC amount is divided by to get an equivalent amount of A$. That is, the number of non-A$ currency units that equal one A$ rounded to 4 significant figures – see Examples for labels 8N and 8O.

Label 8O – functional currency chosen

Label 8O is where you show your chosen FC using the 3-letter code from the international standard ISO 4217 – ‘Currency codes’. See the list of Currency codes for label 8O.

Labels 8N and 8O must be completed by:

    • Australian resident taxpayers who use FC to work out their taxable income or tax loss
    • foreign residents carrying on an activity or business at, or through, an Australian permanent establishment, who use FC to work out their taxable income or tax loss.

You should not complete labels 8N and 8O if you are an Australian resident taxpayer using FC only to work out the attributable income of a controlled foreign company (CFC) or transferor trust.

    The following are examples of correctly completed labels 8N and 8O. The exchange rates used are from 26 September 2003.

Examples for labels 8N and 8O

Applicable FC         Label N   Label O
US Dollar             .6695     USD
Yen                   77.18     JPY
New Zealand Dollar    1.1385    NZD
Won                   785.8     KRW
Rupiah                5679      IDR

    As mentioned previously, if you choose to use FC, you should account for the value of any carry-forward losses using that FC.

    The value of those tax losses and net capital losses carried forward to later income years should be reported in A$ at ‘Losses information’ – labels 13U and 13V – on the company tax return.

    Calculation statement

    The calculation statement on the company tax return shows you how to work out the amount of tax payable or refundable. It starts with the ‘Taxable income’ figure at label A. This figure should have been worked out earlier, using the applicable FC and then translated into A$.

    Other figures in the calculation statement are either of the following:

    • A$ amounts, such as pay as you go (PAYG) instalments raised
    • amounts translated into A$ previously, such as any foreign income tax offset.

Currency codes for label 8O

    These currency codes are from international standard ISO 4217 – Currency codes.

    A

    • Afghan Afghani – AFN
    • Albanian Lek – ALL
    • Algerian Dinar – DZD
    • Angolan Kwanza – AOA
    • Argentine Peso – ARS
    • Armenian Dram – AMD
    • Aruban Guilder – AWG
    • Azerbaijani Manat – AZN

    B

    • Bahamian Dollar – BSD
    • Bahraini Dinar – BHD
    • Bangladeshi Taka – BDT
    • Barbados Dollar – BBD
    • Belarusian Ruble – BYN
    • Belize Dollar – BZD
    • Bermudian Dollar – BMD
    • Bhutanese Ngultrum – BTN
    • Bolivian Boliviano – BOB
    • Bosnia & Herzegovina Convertible Marks – BAM
    • Botswanan Pula – BWP
    • Brazilian Real – BRL
    • British Pound – GBP
    • Brunei Dollar – BND
    • Bulgarian Lev – BGN
    • Burundi Franc – BIF

    C

    • Cambodian Riel – KHR
    • Canadian Dollar – CAD
    • Cabo Verde Escudo – CVE
    • Cayman Islands Dollar – KYD
    • CFA Franc BCEAO – XOF
    • CFA Franc BEAC – XAF
    • CFP Franc – XPF
    • Chilean Peso – CLP
    • Chinese Yuan Renminbi – CNY
    • Colombian Peso – COP
    • Comorian Franc – KMF
    • Congolese Franc – CDF
    • Costa Rican Colon – CRC
    • Cuban Peso – CUP
    • Czech Koruna – CZK

    D

    • Danish Krone – DKK
    • Djibouti Franc – DJF
    • Dominican Peso – DOP

    E

    • East Caribbean Dollar – XCD
    • Egyptian Pound – EGP
    • El Salvador Colon – SVC
    • Eritrean Nakfa – ERN
    • Ethiopian Birr – ETB
    • Euro – EUR

    F

    • Falkland Islands Pound – FKP
    • Fijian Dollar – FJD

    G

    • Gambian Dalasi – GMD
    • Georgian Lari – GEL
    • Ghanaian Cedi – GHS
    • Gibraltar Pound – GIP
    • Guatemalan Quetzal – GTQ
    • Guernsey Pound Sterling – GBP
    • Guinean Franc – GNF
    • Guyanese Dollar – GYD

    H

    • Haitian Gourde – HTG
    • Honduran Lempira – HNL
    • Hong Kong Dollar – HKD
    • Hungarian Forint – HUF

    I

    • Icelandic Krona – ISK
    • Indian Rupee – INR
    • Indonesian Rupiah – IDR
    • Iranian Rial – IRR
    • Iraqi Dinar – IQD
    • Isle of Man Pound Sterling – GBP
    • Israeli New Sheqel – ILS

    J

    • Jamaican Dollar – JMD
    • Japanese Yen – JPY
    • Jersey Pound Sterling – GBP
    • Jordanian Dinar – JOD

    K

    • Kazakhstani Tenge – KZT
    • Kenyan Shilling – KES
    • Kuwaiti Dinar – KWD
    • Kyrgystani Som – KGS

    L

    • Laotian Kip – LAK
    • Latvia Euro – EUR
    • Lebanese Pound – LBP
    • Lesotho Loti – LSL
    • Liberian Dollar – LRD
    • Libyan Dinar – LYD
    • Lithuania Euro – EUR

    M

    • Macanese Pataca – MOP
    • Macedonia Denar – MKD
    • Malagasy Ariary – MGA
    • Malawian Kwacha – MWK
    • Malaysian Ringgit – MYR
    • Maldivian Rufiyaa – MVR
    • Mauritanian Ouguiya – MRU
    • Mauritius Rupee – MUR
    • Mexican Peso – MXN
    • Moldovan Leu – MDL
    • Mongolian Tugrik – MNT
    • Moroccan Dirham – MAD
    • Mozambique Metical – MZN
    • Myanmar Kyat – MMK

    N

    • Namibia Dollar – NAD
    • Nepalese Rupee – NPR
    • Netherlands Antillean Guilder – ANG
    • New Zealand Dollar – NZD
    • Nicaraguan Cordoba Oro – NIO
    • Nigerian Naira – NGN
    • North Korean Won – KPW
    • Norwegian Krone – NOK

    O

    • Omani Rial – OMR
    • Other – OTH

    P

    • Pakistani Rupee – PKR
    • Panamanian Balboa – PAB
    • Papuan Kina – PGK
    • Paraguayan Guarani – PYG
    • Peruvian Nuevo Sol – PEN
    • Philippine Peso – PHP
    • Polish Zloty – PLN
    • Pound Sterling – GBP

    Q

    • Qatari Rial – QAR

    R

    • Romanian New Leu – RON
    • Russian Ruble – RUB
    • Rwandan Franc – RWF

    S

    • Saint Helena Pound – SHP
    • Samoan Tala – WST
    • Sao Tome and Principe Dobra – STN
    • Saudi Riyal – SAR
    • Serbian Dinar – RSD
    • Seychelles Rupee – SCR
    • Sierra Leonean Leone – SLE
    • Singapore Dollar – SGD
    • Solomon Islands Dollar – SBD
    • Somali Shilling – SOS
    • South African Rand – ZAR
    • South Korean Won – KRW
    • South Sudanese Pound – SSP
    • Sri Lankan Rupee – LKR
    • Sudanese Pound – SDG
    • Surinam Dollar – SRD
    • Eswatini Lilangeni – SZL
    • Swedish Krona – SEK
    • Swiss Franc – CHF
    • Syrian Pound – SYP

    T

    • Taiwanese New Dollar – TWD
    • Tajikistani Somoni – TJS
    • Tanzanian Shilling – TZS
    • Thai Baht – THB
    • Tongan Pa’anga – TOP
    • Trinidad and Tobago Dollar – TTD
    • Tunisian Dinar – TND
    • Turkish Lira – TRY
    • Turkmenistan New Manat – TMT
    • Tuvalu Australian Dollar – AUD

    U

    • UAE Dirham – AED
    • Ugandan Shilling – UGX
    • Ukrainian Hryvnia – UAH
    • Uruguayan Peso – UYU
    • US Dollar – USD
    • Uzbekistan Sum – UZS

    V

    • Vanuatuan Vatu – VUV
    • Venezuelan Bolivar Soberano – VES
    • Vietnamese Dong – VND

    Y

    • Yemeni Rial – YER

    Z

    • Zambian Kwacha – ZMW
    • Zimbabwe Gold – ZWG

    MIL OSI News

  • MIL-OSI Europe: Meeting with the Prime Minister of the Republic of Bulgaria

    Source: Government of Italy (English)

    The President of the Council of Ministers, Giorgia Meloni, received the Prime Minister of the Republic of Bulgaria, Rossen Jeliazkov, at Palazzo Chigi today.

    The meeting provided an opportunity to acknowledge the common will to deepen bilateral relations in strategic sectors such as infrastructure and transport, energy, interconnections and defence.

    During the discussion, a broad alignment of views between Rome and Sofia also emerged on the main European issues, starting with cohesion policy, enlargement and the pursuit of innovative solutions to irregular migration.

    With regard to the major issues in international politics, the two leaders focused on the conflict in Ukraine, confirming their support for the ongoing efforts to reach a just and lasting peace.

    MIL OSI Europe News

  • MIL-OSI Security: Five Romanians Admit Bank Fraud Involving ATM Skimming Devices

    Source: Federal Bureau of Investigation (FBI) State Crime News

    ST. LOUIS – Five Romanian nationals have admitted installing skimming devices on St. Louis area ATMs to harvest bank account information from customers and commit fraud.

    Mihai Vlaicu, 48, and Mihai Florin Marinescu, 37, pleaded guilty Wednesday in U.S. District Court in St. Louis to one count of conspiracy to commit bank fraud.

    Laurentiu Miguel Ivan, 33, pleaded guilty to the same charge in March and Nelu Nae, 37, and Venera Isabelle Dumitru, 28, pleaded guilty to the charge in April. A sixth person indicted in the case, Ianus Nita, 53, has not yet been arrested.

    In their plea agreements, the five admit stealing bank account information via skimming devices and then using, or attempting to use, that information to withdraw money from ATMs.

    Around January of 2024, Vlaicu and Marinescu installed skimming devices on at least two bank ATMs, one in Clayton and one in Frontenac. They obtained the information of at least six victims, and then used cloned cards to try and withdraw cash.

    On five days in April, Dumitru and Ivan used account information from two other victims to withdraw cash from ATMs in St. Louis. Ivan obtained $1,421 and Dumitru obtained $1,070.50.

    On April 25, Dumitru and Ivan tried to withdraw cash from a St. Louis County ATM using an account number belonging to another victim. On April 30, Vlaicu tried to withdraw money from a St. Louis County ATM using the banking information of six victims.

    On May 2, Marinescu unsuccessfully tried to install a skimming device on an ATM in south St. Louis County. Nae retrieved the device the next day.

    On May 9, Marinescu installed a skimming device on an ATM in Wildwood. On May 11, Nita withdrew cash belonging to two victims from a St. Louis County ATM.

    On May 28, Marinescu and Nae installed a skimming device on an ATM in St. Louis, which was located and removed by law enforcement before Nita and Vlaicu could retrieve it.

    The conspirators were using an Airbnb in St. Louis County as a base for their criminal activity. Investigators found a laptop computer there containing hundreds of videos of customers entering their PINs when they used an ATM outfitted with a skimming device. They also found skimming devices, installation tools, a large amount of cash and numerous gift cards at the rented residence.

    Ivan is scheduled to be sentenced June 25, Dumitru on July 10, Nae on July 23 and Marinescu and Vlaicu on August 20. The charge carries a penalty of up to 30 years in prison, a $1 million fine or both prison and a fine.

    Ivan, Dumitru and Marinescu are not legally in the United States.

    The FBI, the St. Louis Metropolitan Police Department, the Webster Groves Police Department, the Clayton Police Department and the Frontenac Police Department investigated the case with assistance from the St. Louis County Police Department. Assistant U.S. Attorney Gwen Carroll is prosecuting the case.

    MIL Security OSI

  • MIL-OSI Video: Climate, Peace & Security on Protection of Civilians- Joint Security Council Media Stakeout

    Source: United Nations (Video News)

    Comments to the media by Georgios Gerapetritis, Minister of Foreign Affairs of the Hellenic Republic and President of the Security Council for the month of May, on behalf of the Security Council members signatories to the Joint Pledges related to Climate, Peace & Security on Protection of Civilians and Denmark, Guyana, Panama, Republic of Korea, Sierra Leone, Slovenia, and United Kingdom.

    https://www.youtube.com/watch?v=hwDtN1P39_o

    MIL OSI Video

  • MIL-OSI Europe: Emergency support of €15 million to farmers in Czechia, Slovenia and Germany

    Source: European Commission

    European Commission Press release Brussels, 22 May 2025 Today, Member States endorsed the Commission’s proposal to mobilise €15 million from the agricultural reserve to support farmers in Czechia, Slovenia and Germany affected by adverse weather events and a recent animal disease outbreak.

    MIL OSI Europe News

  • MIL-OSI United Kingdom: Report of the Head of OSCE Mission to Skopje: UK statement, May 2025

    Source: United Kingdom – Government Statements

    Speech

    Report of the Head of OSCE Mission to Skopje: UK statement, May 2025

    The UK underlines appreciation for the work and added value of the OSCE Mission to Skopje over the last 12 months, particularly in supporting government reforms.

    Thank you, Mr Chair.

    Firstly, I would like to welcome back Ambassador Wahl to the Permanent Council. Thank you for the work of your team over the last year, and for your comprehensive and engaging report this morning.

    The United Kingdom highly appreciates the work and added value of the OSCE Mission to Skopje, and the Mission’s support to government reforms.

    The United Kingdom and North Macedonia have developed a strong and supportive bilateral partnership since we established diplomatic relations over 30 years ago. I am delighted that our Prime Minister met with Prime Minister Mickoski during the European Political Community summit last week and announced the new strategic partnership between our two countries. This deepens our mutual commitment to work together on issues of trade and investment, foreign policy, tackling organised crime, infrastructure cooperation and migration.

    The UK welcomes the findings of the ODIHR Election Observation Mission that the parliamentary and presidential elections held in North Macedonia last year were competitive and fundamental freedoms were respected, though we note the concerns highlighted over insufficient regulation of the process. We encourage the Government of North Macedonia to continue engagement towards addressing the remaining recommendations in the ODIHR Election Observation Mission Final Report ahead of municipal elections later this year.

    The UK positively notes the OSCE Mission’s achievements over the past 12 months, set out clearly in your Report. We particularly welcome your continued engagement to promote social cohesion and community rights, and your support on criminal justice reform – including work in the last 12 months on judicial independence, promotion of fair trial standards and strengthening cooperation with civil society.  

    The UK is also pleased to note the Mission’s continued commitment to gender equality – particularly your support for women’s political participation, and your engagement with parliament on the adoption of a new Gender Action Plan for 2025-2027.

    Mr Chair, it is vital for the work of all OSCE field operations that participating States agree a Unified Budget for 2025 and beyond. As highlighted in the Report, the continued non-agreement of budgets and the resulting forced subsistence on monthly allotments make it very challenging for field missions to deliver across their mandates and adjust to changing priorities. We urge all participating States to engage constructively with upcoming proposals to resolve the impasse over budgets.    

    Thank you, Ambassador Wahl. Thank you, Mr Chair.

    Updates to this page

    Published 22 May 2025

    MIL OSI United Kingdom

  • MIL-OSI Europe: OLAF and Romanian authorities lead the way on digital tools to safeguard EU budget

    Source: European Anti-Fraud Office

    Press release no.12

    The European Anti-Fraud Office (OLAF), the Romanian Police and Romania’s Department for the Fight Against Fraud (DLAF), are hosting European anti-fraud specialists in Bucharest to discuss the use of digital tools to fight fraud against the EU budget. The meeting aims to strengthen cross-border cooperation and improve the detection and investigation of fraud through advanced digital means.  

    Running from 20-23 May 2025, the Technical Workshop on Digital Anti-Fraud Tools brings together nearly 100 anti-fraud experts from EU Member States, the European Court of Auditors (ECA), the European Public Prosecutor’s Office (EPPO), Eurojust, Europol, and OLAF. The event focuses on building a community of digitally skilled anti-fraud specialists and identifying best practices in anti-fraud detection and investigation in digital environments. It is also aimed at fostering synergies in the development of data-driven tools – including artificial intelligence – to protect European taxpayers’ money. 

    Additionally, on 22 May 2025, OLAF and the Romanian National Trade Register Office (ONRC) signed a bilateral agreement to facilitate access to national company data for the purpose of anti-fraud investigations. This agreement reflects a shared commitment to ensuring a more effective protection of EU financial interests.  

    Ville Itälä, OLAF Director-General said: “OLAF is proud to play a leading role in driving the digital transformation of the anti-fraud community, particularly by fostering the development and take-up of digital tools, including artificial intelligence. These innovative tools will significantly strengthen our ability to protect the EU budget.”  

    Benone Marian Matei, General Inspector of the Romanian Police said: “The Central Unit for Information Analysis reaffirms its commitment to the development and use of advanced analytical tools to support the early identification of fraud patterns and to enhance the protection of European funds.” 

    Ionuț Bogdan Dințoi, Secretary of State and Head of DLAF said: “DLAF reiterates the good cooperation with OLAF and, as a partner in the protection of EU financial interests, supports OLAF’s efforts to bring together professionals and create a framework for sharing good practices in using and developing digital and AI tools in the anti-fraud domain, specifically to protect Union expenditure.”

    Luiza Mardare, ONRC Director-General, commented on the signing of the bilateral agreement with OLAF: “The signing of these protocols is a step towards standard practice and, we hope, an important support for the actions carried out by the European Anti-Fraud Office in protecting the financial interests of the European Union. In this regard, by granting the European Anti-Fraud Office free access to the data held by the Trade Register, we can contribute to the fight against corruption within the European Union.”

    OLAF mission, mandate and competences:

    OLAF’s mission is to detect, investigate and stop fraud with EU funds.    

    OLAF fulfils its mission by:
    •    carrying out independent investigations into fraud and corruption involving EU funds, so as to ensure that all EU taxpayers’ money reaches projects that can create jobs and growth in Europe;
    •    contributing to strengthening citizens’ trust in the EU Institutions by investigating serious misconduct by EU staff and members of the EU Institutions;
    •    developing a sound EU anti-fraud policy.

    In its independent investigative function, OLAF can investigate matters relating to fraud, corruption and other offences affecting the EU financial interests concerning:
    •    all EU expenditure: the main spending categories are Structural Funds, agricultural policy and rural development funds, direct expenditure and external aid;
    •    some areas of EU revenue, mainly customs duties;
    •    suspicions of serious misconduct by EU staff and members of the EU institutions.

    Once OLAF has completed its investigation, it is for the competent EU and national authorities to examine and decide on the follow-up of OLAF’s recommendations. All persons concerned are presumed to be innocent until proven guilty in a competent national or EU court of law.

    For further details:

    Pierluigi CATERINO
    Spokesperson
    European Anti-Fraud Office (OLAF)
    Phone: +32(0)2 29-52335  
    Email: olaf-media[at]ec[dot]europa[dot]eu
    https://anti-fraud.ec.europa.eu
    LinkedIn: European Anti-Fraud Office (OLAF)
    Bluesky: euantifraud.bsky.social


    MIL OSI Europe News

  • MIL-OSI United Kingdom: Landmark government partnership signed with North Macedonia

    Source: United Kingdom – Executive Government & Departments

    World news story

    Landmark government partnership signed with North Macedonia

    The new Government Partnership will drive economic growth across both countries through increased collaboration on infrastructure projects.

    Today marks a new era for UK-North Macedonia relations, following the signing of a Government-to-Government Partnership (G2G) which will boost trade and drive economic growth. This Partnership supports the delivery of critical infrastructure projects across various sectors, including transport, health, energy, and technology. It will be able to draw on a wide range of support, including technical assistance programmes and up to £5 billion in UK Export Finance support available for projects in North Macedonia.

    The formal signing ceremony took place at the historic Old Admiralty Building in London on Thursday 22nd May 2025, with the UK Minister for Exports, Gareth Thomas MP, and the Deputy Prime Minister of North Macedonia, Aleksandar Nikoloski, in attendance.

    This G2G underscores the commitment of both nations to collaborate on critical infrastructure projects that deliver social, economic, and environmental benefits. By leveraging the expertise and innovation of both countries, this Partnership will drive the development of resilient infrastructure that fosters growth and prosperity.

    The exchange of knowledge and best practice between our two countries will be central to this G2G, drawing on the expertise of both nations’ respective infrastructure sectors. This means the UK Government and British businesses working in partnership with the government of North Macedonia and its local supply chain to deliver infrastructure projects across North Macedonia. This approach will generate mutual benefits for both nations through the sharing of innovation to deliver resilient infrastructure that drives growth.

    Minister of Exports, Gareth Thomas MP expressed his enthusiasm:

    This partnership opens up a new chapter in our bilateral relationship with North Macedonia.

    The UK has a wealth of experience in delivering high-quality infrastructure across the world and I am delighted to be kicking off this new partnership that will help more British businesses export to North Macedonia.

    The UK Ambassador to North Macedonia, Matthew Lawson said:

    We have achieved a significant milestone in the UK – North Macedonia relations with the signing of the Government-to-Government Partnership by UK Minister for Exports, Gareth Thomas MP, and the Deputy Prime Minister of North Macedonia, Aleksandar Nikoloski.

    The G2G will further strengthen the already excellent trade ties between our countries and support the delivery of critical infrastructure projects in different sectors, including transport, health, energy, and technology in North Macedonia. As the British Ambassador I am proud that our governments have reached this landmark partnership that will benefit the citizens of both countries. We stand strong and united together.

    This G2G builds on a strong existing bilateral relationship between the UK and North Macedonia. Recently, UK Prime Minister Keir Starmer and Prime Minister Hristijan Mickoski welcomed a new Strategic Partnership at the European Political Community Summit in Tirana on the 16th May 2025. This G2G represents the start of our enhanced trade and infrastructure collaboration.

    Chris Barton, His Majesty’s Trade Commissioner for Europe also expressed his support:

    I am delighted that this G2G will support stronger collaboration across our governments and businesses to deliver economic growth for both our nations and good-quality infrastructure for the citizens of North Macedonia.

    Notes to editors:

    • government to government (G2G) partnerships are formal arrangements under which another government is provided with access to UK public and private expertise for specific projects or programmes that create commercial benefits

    • total trade in goods and services (exports plus imports) between the UK and North Macedonia was £1.7 billion in the four quarters to the end of Q3 2024

    • the UK is North Macedonia’s second largest trading partner in the 4 quarters to the end of Q3 2024

    Updates to this page

    Published 22 May 2025

    MIL OSI United Kingdom

  • MIL-OSI Europe: Written question – Measures to support people with Down syndrome and initiatives for the self-representation of people with disabilities – E-001954/2025

    Source: European Parliament

    Question for written answer  E-001954/2025
    to the Commission
    Rule 144
    Victor Negrescu (S&D)

    In the European Union, including Romania, people with Down syndrome continue to face structural barriers to accessing education, social services and employment and to participating in civic life. In the absence of clear European standards and a framework on the recognition of self-representation, these members of the public are often excluded from decision-making processes that directly affect their lives. In Romania, parents and organisations working to support young people with Down syndrome – such as those recently involved in the Erasmus+ project ‘European Self Advocates’ – are calling for a coordinated European approach that respects their dignity, opinions and fundamental rights.

    Questions:

    1. What concrete measures does the Commission have in mind for developing common EU standards for social, educational and support services for people with Down syndrome, with a view to ensuring their equal treatment and genuine inclusion in all Member States?
    2. How does the Commission intend to support initiatives promoting the self-representation of people with intellectual disabilities, including those with Down syndrome, so that their voice is heard and respected in decision-making processes at local, national and European level?

    Submitted: 15.5.2025

    Last updated: 22 May 2025

    MIL OSI Europe News

  • MIL-OSI Security: 80 arrests and more than 37,700 cultural goods seized in major art trafficking bust

    Source: Interpol (news and events)

    22 May 2025

    Europol, INTERPOL and the World Customs Organization (WCO) supported investigators from 23 countries in the fight against criminals who exploit humanity’s cultural heritage

    LYON, France – The ninth edition of Operation Pandora, an international operation targeting the trafficking of cultural goods, has led to 80 arrests and the seizure of 37,727 items including archaeological pieces, artworks, coins and musical instruments.

    Codenamed Pandora IX and carried out throughout 2024, the operation involved law enforcement and customs authorities from 23 countries. It was coordinated by Spain (Guardia Civil), with operational support from Europol, INTERPOL and the WCO through its Regional Intelligence Liaison Office for Eastern and Central Europe. 

    Authorities also confiscated 69 metal detectors and 23 tools commonly used for illegal excavations, underlining the persistent threat of looting to cultural sites.

    In total, 258 cases were reported by the participating countries. Many investigations are still ongoing, with further arrests and seizures expected.

    Operational highlights

    The Italian Carabinieri Command for the Protection of Cultural Heritage (TPC) in coordination with the Italian Customs and Monopolies agency (ADM) seized a painting attributed to renowned artist Jannis Kounellis during a joint border operation. Upon inspection, it was determined to be inauthentic. Had it been genuine, its estimated value would have been around EUR 100,000. In a separate investigation, the Carabinieri TPC seized more than 300 items, including coins, metal and ceramic fragments such as arrowheads and spearheads dating back to the Roman and Punic periods. These artifacts were being offered for sale on e-commerce platforms and were discovered in a private apartment.

    [Image captions: two icons of Saint Seraphim of Sarov found by Ukraine Customs in the luggage of a bus passenger at the border with Poland; one of 36 coins found by Ukraine Customs in a private vehicle at the border with Poland; the Spanish Guardia Civil dismantling a criminal group involved in archaeological looting and recovering 2,500 archaeological items, primarily Roman coins; the painting attributed to Jannis Kounellis seized by the Italian Customs and Monopolies agency (ADM), which turned out to be inauthentic; the more than 300 items, including coins and metal and ceramic fragments, seized by the Carabinieri TPC.]

    The Spanish Guardia Civil dismantled a criminal group involved in archaeological looting in the province of Cáceres. Six individuals were arrested, and three others are under investigation. During the operation authorities recovered 2,500 archaeological items, primarily Roman coins minted in the Celtiberian city of Tamusia. These artifacts had been looted from protected archaeological sites in the province of Caceres using metal detectors and were being sold illegally through social media platforms.

    Also in Spain, the Guardia Civil intercepted a passenger attempting to fly from Palma de Mallorca to Germany carrying 55 ancient coins and a ring. A subsequent investigation led to an indictment for crimes against cultural heritage and plundering underwater wrecks and archaeological sites. In total, 64 objects of historical value and 1,576 ancient coins were confiscated.

    In Greece, the Department of Cultural Heritage and Antiquities of Athens recovered five Byzantine icons. Acting on intelligence and using special investigative techniques, including an undercover officer, three individuals were arrested while attempting to sell the icons for EUR 70,000.

    Ukrainian customs authorities seized 87 cultural goods that were being illegally transported out of the country to Poland, Moldova and Romania.

    Cyber patrols uncover additional cases

    In addition to on-the-ground actions, dedicated cyber patrols were carried out during the operation to identify potential illicit online sales of cultural property. These virtual investigations led to the opening of new cases, demonstrating how digital platforms are quickly becoming a channel of choice by traffickers to market and sell looted artefacts. A total of 4,298 cultural goods were seized as a result of the cyber patrols.

    Built on international cooperation

    Operation Pandora IX was carried out in the framework of the European Multidisciplinary Platform Against Criminal Threats (EMPACT). Europol facilitated the exchange of information and provided analytical and operational support to the national investigations. Furthermore, one cyber patrol week was hosted by Europol.

    INTERPOL coordinated cross-border actions and offered tools such as its Stolen Works of Art database and on the ground ID-Art mobile application.

    The WCO’s secure communication tool, CENcomm, was made available to all participants, while its Regional Intelligence Liaison Office for Eastern and Central Europe compiled, refined and shared information provided by Customs administrations.

    Since its launch in 2016, Operation Pandora has become a key global initiative to protect cultural heritage from illicit trafficking.

    Participating countries in Pandora IX (2024):

    Albania, Austria, Belgium, Bosnia & Herzegovina, Bulgaria, Czech Republic, France, Germany, Greece, Ireland, Italy, Malta, Moldova, Netherlands, North Macedonia, Norway, Poland, Portugal, Romania, Serbia, Spain, Ukraine, United States.

    Participating agencies:

    Europol, INTERPOL, World Customs Organization

    MIL Security OSI

  • MIL-OSI United Kingdom: Council’s digital helper Darcie gets next generation upgrade for phone calls

    Source: City of Derby

    Residents who call Derby City Council will now be greeted by an improved and more inclusive telephone version of its digital helper Darcie.

    Introduced in 2023 to handle customer service queries more efficiently, Darcie has undergone a significant behind-the-scenes transformation and can now do more than just give standard answers.

    Powered by the latest generative AI technology, Darcie can understand more complex questions and hold more natural conversations, offering a smoother and more human-like experience when answering queries.

    Built using advanced machine learning models, Darcie continues to improve over time, learning from every question the digital helper is asked.

    Darcie can now answer adult social care queries for the first time, as well as giving more enhanced responses on a range of Council services such as bin collections, planning applications, fostering, and registration services.

    The latest telephone upgrade is part of the Council’s ongoing commitment to using technology to improve the lives of the people of Derby and build a smarter, more sustainable city.

    It follows improvements to the online version of Darcie earlier this year, when residents were invited to test the digital helper and share their feedback. Results were overwhelmingly positive, with 73% of respondents reporting satisfaction with their experience.

    Ron, 75, who tested improved Darcie said:

    I had no problem using Darcie. It was very intuitive—whether using the voice function or typing out questions. I got answers to everything I asked, and if Darcie didn’t know something, she explained where I could find further information. I found it very, very useful in that sense.

    I’m not the most experienced person in using IT, so I was a bit apprehensive.  But I decided to give it a go, and I was very pleasantly surprised.

    Available 24/7 via phone and the Council website, Darcie ensures that residents can access information and support at any time, including evenings, weekends, and public holidays and without having to wait in a call queue. Residents can still choose to speak to a human advisor during normal office hours for more complex needs.

    Councillor Hardyal Dhindsa, Cabinet Member for Digital and Organisational Transformation at Derby City Council said:

    Darcie places Derby City Council at the forefront of using generative AI in local government. The Council is one of the first in the country to apply this advanced technology in such a practical way – helping residents get quick, accurate answers to everyday questions.

    The changes are designed to make it even easier for residents to get the help they need quickly and efficiently—especially outside normal office hours.

    Darcie is a smart, evolving tool that plays an important role in helping residents get the right information, in the right way, at the right time.

    Darcie was introduced by the Council in 2023, alongside Ali, who manages housing enquiries for Derby Homes. Between them, the digital helpers have handled over 2 million enquiries since launch, resolving 44% of cases without the need for staff input, allowing frontline teams to focus on customers who need more than a simple response.

    Since the upgrade was launched on 20 May, the Council has seen an 84% reduction in calls to the switchboard during peak times, with 57% of customer queries now being responded to directly by Darcie (the remainder are dealt with by a human advisor).

    Both web and phone versions of Darcie have been upgraded to support the nine most widely spoken languages in Derby after English, based on Council data: Arabic, Czech, Pashto, Polish, Punjabi, Romanian, Slovak, Somali, and Urdu. Each language has a dedicated phone number.

    In June, the Council’s adult learning service (DALS) will launch an online course introducing residents to artificial intelligence and offering tips on how to make the most of Darcie and similar tools.

    MIL OSI United Kingdom

  • MIL-OSI China: Q&A: What to know about China’s visa-free policies

    Source: People’s Republic of China – State Council News

    BEIJING, May 21 — China’s visa-exemption policies have boosted inbound travel. Since the start of this year, “China Travel” has kept trending. On Wednesday, the Consular Department of the Ministry of Foreign Affairs of China released a list of frequently asked questions about these policies.

    Q: Who does the visa waiver apply to?

    A: Nationals of 43 countries including Brunei, France, Germany, Italy, Spain, Holland, Malaysia, Switzerland, Ireland, Hungary, Austria, Belgium, Luxembourg, New Zealand, Australia, Poland, Portugal, Greece, Cyprus, Slovenia, Slovakia, Norway, Finland, Denmark, Iceland, Andorra, Monaco, Liechtenstein, the Republic of Korea, Bulgaria, Romania, Croatia, Montenegro, North Macedonia, Malta, Estonia, Latvia, Japan, Brazil, Argentina, Chile, Peru and Uruguay (Brazil, Argentina, Chile, Peru and Uruguay take effect from June 1, 2025) holding valid ordinary passports can be exempted from visa requirement if entering China for the purpose of business, tourism, family or friend visits, exchange and transit. They can stay in China for no more than 30 days without a visa.

    Q: Do foreign nationals eligible for a visa waiver need to make declarations to Chinese embassies and consulates in advance?

    A: Foreign nationals eligible for a visa waiver do not need to declare in advance to Chinese embassies and consulates before entering China without a visa.

    Q: Will the purpose of the intended stay in China be examined by Chinese border inspection authorities when entering China? How will it be done? Are other documents needed for entering China in addition to a passport?

    A: Foreign nationals traveling for purposes of business, tourism, family or friend visits, exchange and transit that meet the visa waiver requirements, can be allowed to enter China without a visa upon examination and approval in accordance with the law by border inspection authorities. Entry into China shall be denied by border inspection authorities in accordance with the law to foreign nationals who travel for purposes that do not meet the visa waiver requirements or who are not allowed to enter China in accordance with laws and regulations. It is recommended to take documents such as invitation letters, air tickets and reservations of accommodation as proof corresponding to the purposes of entry into China. Visa waiver does not apply to those who come to China for work, study, journalistic or similar purposes.

    Q: Is there any additional requirement for minors eligible for a visa waiver?

    A: Visa waiver requirements for minors are the same as for adults.

    Q: Are there any requirements regarding the type and validity of entry documents?

    A: For foreign nationals, an ordinary passport valid for at least the duration of the intended stay in China is needed. Holders of travel documents or temporary or emergency documents other than ordinary passports are not allowed to enter China without a visa.

    Q: How to calculate the duration of stay of 30 days?

    A: The duration of stay without a visa is calculated from the day after entry and lasts continuously for 30 calendar days.

    Q: Does the visa waiver apply to foreign nationals who travel from a third country?

    A: Eligible foreign nationals can depart for China from any country or region.

    Q: Does the visa waiver apply to foreign nationals who travel via modes of transport other than aviation?

    A: The visa waiver applies to all travelers coming to China through any sea, road and airport open to foreign nationals — except where laws, regulations or bilateral arrangements specify otherwise. For arrivals in China by way of private transport, certain procedures for entry and exit of means of transport shall be processed in accordance with relevant laws and regulations of China.

    Q: Does the visa waiver apply to tour groups?

    A: The visa waiver applies to eligible foreign nationals either in tour groups or as individuals.

    Q: If the length of intended stay exceeds 30 days, can the visa waiver be extended?

    A: Foreign nationals planning to stay in China for over 30 days shall apply for visas corresponding to their purposes of stay in advance at Chinese embassies or consulates. If they have to stay longer than 30 days for appropriate and sufficient reasons after entering China without a visa, they shall apply for stay permits to the exit and entry administrations of public security authorities of China.

    Q: Does the visa waiver allow multiple entries? Is there any requirement on the length of intervals between each entry, or any restriction on the number of entries without a visa or total days of stay?

    A: Foreign nationals eligible for the visa waiver can enter China without a visa multiple times. Currently, there is no restriction on the number of entries or total days of stay, but those who enjoy visa-free travel to China shall not engage in activities inconsistent with their purpose of entry.

    MIL OSI China News

  • MIL-OSI: BULGOLD Announces Annual General and Special Meeting Voting Results

    Source: GlobeNewswire (MIL-OSI)

    TORONTO, May 21, 2025 (GLOBE NEWSWIRE) — BULGOLD Inc. (TSXV: ZLTO) (the “Company” or “BULGOLD”) is pleased to announce the voting results from its Annual General and Special Meeting of the holders (“Shareholders”) of common shares of the Company that was held at 10:00 AM on May 21, 2025 (the “Meeting”).

    All the matters put forward before Shareholders for consideration and approval as set out in the Company’s management information circular dated April 1, 2025 (the “Circular”) were approved by the requisite majority of votes cast at the Meeting. In particular, Shareholders approved the election of all director nominees listed in the Circular. The board of directors of the Company is now comprised as follows:

    • James A. Crombie
    • Sean Hasson
    • Colin Jones
    • Laurie Marsland
    • Dr. Mihaela Barnes
    • Vanessa Cook

    Shareholders also appointed McGovern Hurley LLP as auditors of the Company until the close of the next annual meeting of Shareholders at a remuneration to be fixed by the board of directors of the Company.

    Further, the disinterested Shareholders passed an ordinary resolution ratifying and confirming the Company’s 10% “rolling” equity incentive plan including the setting-aside, allotting and reserving 10% of the Company’s outstanding common shares from time to time for issuance pursuant to the exercise of awards granted thereunder (the full text of which is set out in the Circular).

    A total of 10,957,856 common shares representing approximately 39.7% of the Company’s issued and outstanding common shares were voted in connection with the Meeting, and each of the foregoing matters was approved by over 99.4% of the votes cast thereon.

    About BULGOLD Inc.
    BULGOLD is a gold exploration company focused on the exploration and development of mineral exploration projects in Central and Eastern Europe. The Company controls 100% of three quality quartz-adularia epithermal gold projects located in the Bulgarian and Slovak portions of the Western Tethyan Belt: the Lutila Gold Project, the Kostilkovo Gold Project and the Kutel Gold Project. Management of the Company believes that its assets show potential for high-grade, good-metallurgy, low-sulfidation epithermal gold mineralisation.

    On December 31, 2024, BULGOLD’s issued and outstanding shares were 27,597,928 of which approximately 40.3% were held by Founders, Directors and Management. Additional information about the Company is available on BULGOLD’s website (www.BULGOLD.com) and on SEDAR+ (www.sedarplus.ca).

    Neither TSX Venture Exchange nor its Regulation Services Provider (as that term is defined in the policies of the TSX Venture Exchange) accepts responsibility for the adequacy or accuracy of this release.

    Cautionary Statement Regarding Forward-Looking Information

    This press release contains forward‐looking statements and forward‐looking information within the meaning of applicable securities laws. These statements relate to future events or future performance and include statements relating to voting results of the Meeting. All statements other than statements of historical fact may be forward‐looking statements or information. The forward‐looking statements and information are based on certain key expectations and assumptions made by management of the Company. Although management of the Company believes that the expectations and assumptions on which such forward-looking statements and information are based are reasonable, undue reliance should not be placed on the forward‐looking statements and information since no assurance can be given that they will prove to be correct.

    Forward-looking statements and information are provided for the purpose of providing information about the current expectations and plans of management of the Company relating to the future. Readers are cautioned that reliance on such statements and information may not be appropriate for other purposes, such as making investment decisions. Since forward‐looking statements and information address future events and conditions, by their very nature they involve inherent risks and uncertainties. Actual results could differ materially from those currently anticipated due to a number of factors and risks, including the inherent uncertainty of mineral exploration; risks related to title to mineral properties; and credit, market, currency, operational, commodity, geopolitical, liquidity and funding risks generally, including changes in economic conditions, interest rates or tax rates and general market and economic conditions. Accordingly, readers should not place undue reliance on the forward‐looking statements and information contained in this press release. Readers are cautioned that the foregoing list of factors is not exhaustive. The forward‐looking statements and information contained in this press release are made as of the date hereof and no undertaking is given to update publicly or revise any forward‐looking statements or information, whether as a result of new information, future events or otherwise, unless so required by applicable securities laws. The forward-looking statements and information contained in this press release are expressly qualified by this cautionary statement.

    For further information, please contact:

    BULGOLD Inc.
    Sean Hasson, President and Chief Executive Officer
    Telephone: +359 2 989 2361
    Email: information@BULGOLD.com
    Website: www.BULGOLD.com

    The MIL Network

  • MIL-OSI Security: Major strike against Italian-Albanian drug trafficking network: 52 suspects targeted

    Source: Eurojust

    During the action day, authorities in both countries seized assets worth at least several million euros, including apartments and companies, as well as various luxury vehicles. Large amounts of cash and quantities of cocaine and heroin were also seized. A full and complete evaluation of the seizures will be carried out in the coming days.

    No complete estimate of the total profits of the cooperation between the three OCGs is available. However, information obtained through the JIT shows that the criminal networks were involved in payments, often in cash, of close to EUR 5 million and the trafficking of at least 1 800 kilos of cocaine and heroin.

    Investigations into the linked criminal organisations were initiated in 2016 by the Public Prosecutor’s Office of Bari and the Special Anti-Corruption and Organised Crime Prosecutor’s Office of Tirana and the Albanian Police. On the Albanian side, one OCG, which operated from Durres, was responsible for the transport and wholesale distribution of large quantities of cocaine, heroin and cannabis trafficked between the Balkans, Northern Europe, South America and Puglia in Italy.

    Two Italian-led criminal gangs carried out the cutting and packaging of illicit drugs and supplied cocaine and heroin from Latin America and Turkey to local gangs in organisations in Bari, Brindisi and Lecce.

    The arrests in Italy and Albania are the result of a long-term collaboration through the JIT. This involved the use of wiretaps, intensive video surveillance, the monitoring of suspects and the analysis of encrypted chats. These chats were decrypted following intensive cooperation through Eurojust.

    Since 2020, Eurojust has supported the authorities in Italy and Albania with the JIT. Furthermore, the Agency provided assistance with the execution of requests for Mutual Legal Assistance during the action day and gave cross-border judicial support. Albania is one of the twelve countries outside the European Union with a Liaison Prosecutor at Eurojust. The investigations were also coordinated and supported by the office of the dedicated security expert at the Italian Embassy in Tirana.

    The judicial cooperation between Italy and Albania has already proven effective in recent years. Between 2018 and 2021, the Anti-Mafia Investigation Directorate of Bari issued and executed 118 arrest warrants against alleged drug traffickers operating in both countries. As a result, various defendants were sentenced up to 20 years imprisonment.

    This week’s operation was carried out at the request of and by the following authorities:

    • Italy: Public Prosecutor’s Office Bari – District Anti-Mafia Directorate; Anti-Mafia Investigation Directorate Bari, under the coordination of the National Anti-Mafia and Anti-Terrorism Directorate Rome, with support of the Office of the Security Expert at the Italian Embassy in Tirana
    • Albania: Special Anti-Corruption and Organised Crime Prosecutor’s Office (SPAK) of Tirana; Albanian Police

    MIL Security OSI

  • MIL-OSI USA: Russian GRU Targeting Western Logistics Entities and Technology Companies

    News In Brief – Source: US Computer Emergency Readiness Team

    Executive Summary

    This joint cybersecurity advisory (CSA) highlights a Russian state-sponsored cyber campaign targeting Western logistics entities and technology companies. This includes those involved in the coordination, transport, and delivery of foreign assistance to Ukraine. Since 2022, Western logistics entities and IT companies have faced an elevated risk of targeting by the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (85th GTsSS), military unit 26165—tracked in the cybersecurity community under several names (see “Cybersecurity Industry Tracking”). The actors’ cyber espionage-oriented campaign, targeting technology companies and logistics entities, uses a mix of previously disclosed tactics, techniques, and procedures (TTPs). The authoring agencies expect similar targeting and TTP use to continue.

    Executives and network defenders at logistics entities and technology companies should recognize the elevated threat of unit 26165 targeting, increase monitoring and threat hunting for known TTPs and indicators of compromise (IOCs), and posture network defenses with a presumption of targeting.

    This cyber espionage-oriented campaign targeting logistics entities and technology companies uses a mix of previously disclosed TTPs and is likely connected to these actors’ wide scale targeting of IP cameras in Ukraine and bordering NATO nations.

    The following authors and co-sealers are releasing this CSA:

    • United States National Security Agency (NSA)
    • United States Federal Bureau of Investigation (FBI)
    • United Kingdom National Cyber Security Centre (NCSC-UK)
    • Germany Federal Intelligence Service (BND) Bundesnachrichtendienst
    • Germany Federal Office for Information Security (BSI) Bundesamt für Sicherheit in der Informationstechnik
    • Germany Federal Office for the Protection of the Constitution (BfV) Bundesamt für Verfassungsschutz
    • Czech Republic Military Intelligence (VZ) Vojenské zpravodajství
    • Czech Republic National Cyber and Information Security Agency (NÚKIB) Národní úřad pro kybernetickou a informační bezpečnost
    • Czech Republic Security Information Service (BIS) Bezpečnostní informační služba
    • Poland Internal Security Agency (ABW) Agencja Bezpieczeństwa Wewnętrznego
    • Poland Military Counterintelligence Service (SKW) Służba Kontrwywiadu Wojskowego
    • United States Cybersecurity and Infrastructure Security Agency (CISA)
    • United States Department of Defense Cyber Crime Center (DC3)
    • United States Cyber Command (USCYBERCOM)
    • Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
    • Canadian Centre for Cyber Security (CCCS)
    • Danish Defence Intelligence Service (DDIS) Forsvarets Efterretningstjeneste
    • Estonian Foreign Intelligence Service (EFIS) Välisluureamet
    • Estonian National Cyber Security Centre (NCSC-EE) Küberturvalisuse keskus
    • French Cybersecurity Agency (ANSSI) Agence nationale de la sécurité des systèmes d’information
    • Netherlands Defence Intelligence and Security Service (MIVD) Militaire Inlichtingen- en Veiligheidsdienst

    Download the PDF version of this report:

    Russian GRU Targeting Western Logistics Entities and Technology Companies (PDF, 1,081KB)

    For a downloadable list of IOCs, visit:

    Introduction

    For over two years, the Russian GRU 85th GTsSS, military unit 26165—commonly known in the cybersecurity community as APT28, Fancy Bear, Forest Blizzard, BlueDelta, and a variety of other identifiers—has conducted this campaign using a mix of known tactics, techniques, and procedures (TTPs), including reconstituted password spraying capabilities, spearphishing, and modification of Microsoft Exchange mailbox permissions.

    In late February 2022, multiple Russian state-sponsored cyber actors increased the variety of cyber operations for purposes of espionage, destruction, and influence—with unit 26165 predominately involved in espionage. [1] As Russian military forces failed to meet their military objectives and Western countries provided aid to support Ukraine’s territorial defense, unit 26165 expanded its targeting of logistics entities and technology companies involved in the delivery of aid. These actors have also targeted Internet-connected cameras at Ukrainian border crossings to monitor and track aid shipments.

    Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 17. See Appendix A: MITRE ATT&CK tactics and techniques for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques. This advisory uses the MITRE D3FEND® framework, version 1.0.

    Description of Targets

    The GRU unit 26165 cyber campaign against Western logistics providers and technology companies has targeted dozens of entities, including government organizations and private/commercial entities across virtually all transportation modes: air, sea, and rail. These actors have targeted entities associated with the following verticals within NATO member states, Ukraine, and at international organizations: 

    • Defense Industry
    • Transportation and Transportation Hubs (ports, airports, etc.)
    • Maritime
    • Air Traffic Management
    • IT Services

    In the course of the targeting lifecycle, unit 26165 actors identified and conducted follow-on targeting of additional entities in the transportation sector that had business ties to the primary target, exploiting trust relationships to attempt to gain additional access [T1199].

    The actors also conducted reconnaissance on at least one entity involved in the production of industrial control system (ICS) components for railway management, though a successful compromise was not confirmed [TA0043].

    The countries with targeted entities include the following, as illustrated in Figure 1:

    • Bulgaria
    • Czech Republic
    • France
    • Germany
    • Greece
    • Italy
    • Moldova
    • Netherlands
    • Poland
    • Romania
    • Slovakia
    • Ukraine
    • United States
    Figure 1: Countries with Targeted Entities

    Initial Access TTPs

    To gain initial access to targeted entities, unit 26165 actors used several techniques, including (but not limited to) the credential guessing, spearphishing, and vulnerability exploitation described in the following subsections.

    The actors abused vulnerabilities associated with a range of brands and models of small office/home office (SOHO) devices to facilitate covert cyber operations, as well as proxy malicious activity via devices with geolocation in proximity to the target [T1665]. [2]

    Credential Guessing/Brute Force

    Unit 26165 actors’ credential guessing [T1110.001] operations in this campaign exhibit some similar characteristics to those disclosed in the previous CSA “Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments.” [3] Based on victim network investigations, the current iteration of this TTP employs a similar blend of anonymization infrastructure, including the use of Tor and commercial VPNs [T1090.003]. The actors frequently rotated the IP addresses used to further hamper detection. All observed connections were made via encrypted TLS [T1573]. 
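    The traits above (a few guesses spread over many accounts, sources rotating across Tor and VPN exit IPs) are what a spray detector should key on rather than per-IP lockouts. The following Python is an added example, not part of the advisory; the authentication log lines are constructed in a simplified format, and the thresholds are assumptions to tune per environment.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample in a simplified "timestamp user source_ip result" format.
# The 09:00 bucket mimics a spray: seven accounts, one failure each, four
# rotating source IPs, and one success from an IP that also produced failures.
# The 09:30 bucket is a normal user mistyping a password twice.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z alice 198.51.100.7 FAIL
2024-03-01T09:00:03Z bob 198.51.100.7 FAIL
2024-03-01T09:00:05Z carol 203.0.113.22 FAIL
2024-03-01T09:00:09Z dave 203.0.113.22 FAIL
2024-03-01T09:00:12Z erin 192.0.2.45 FAIL
2024-03-01T09:00:15Z frank 192.0.2.45 FAIL
2024-03-01T09:00:20Z grace 198.51.100.90 FAIL
2024-03-01T09:00:24Z heidi 198.51.100.90 SUCCESS
2024-03-01T09:30:00Z alice 10.0.0.5 FAIL
2024-03-01T09:30:04Z alice 10.0.0.5 FAIL
2024-03-01T09:30:09Z alice 10.0.0.5 SUCCESS
"""


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    user: str
    src_ip: str
    success: bool


def parse_log(text: str) -> list[Attempt]:
    """Parse the constructed log format into Attempt records (UTC timestamps)."""
    attempts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src_ip, result = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        attempts.append(Attempt(when, user.lower(), src_ip, result == "SUCCESS"))
    return attempts


def detect_spray(attempts, window=timedelta(minutes=10),
                 min_users=5, max_per_user=2, min_ips=3):
    """Flag time buckets whose failures look like a spray rather than a brute force.

    A spray spreads a few guesses over many accounts; a single-account brute
    force piles many failures on one user. Rotating source IPs defeat per-IP
    lockouts, so the rule counts distinct IPs instead of trusting any one.
    """
    bucket_len = window.total_seconds()
    buckets = defaultdict(list)
    for a in attempts:
        buckets[int(a.ts.timestamp() // bucket_len)].append(a)

    alerts = []
    for key in sorted(buckets):
        events = buckets[key]
        failures = [a for a in events if not a.success]
        per_user = Counter(a.user for a in failures)
        spray_ips = {a.src_ip for a in failures}
        if not per_user:
            continue
        if (len(per_user) >= min_users
                and max(per_user.values()) <= max_per_user
                and len(spray_ips) >= min_ips):
            # A success from an IP that was spraying in the same bucket is the
            # most urgent signal: a guessed password probably worked.
            suspicious = sorted({a.user for a in events
                                 if a.success and a.src_ip in spray_ips})
            start = datetime.fromtimestamp(key * bucket_len, tz=timezone.utc)
            alerts.append({
                "window_start": start.isoformat(),
                "distinct_users": len(per_user),
                "distinct_ips": len(spray_ips),
                "failures": len(failures),
                "suspicious_successes": suspicious,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(parse_log(SAMPLE_LOG)):
        print(alert)
```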

    Spearphishing

    GRU unit 26165 actors’ spearphishing emails included links [T1566.002] leading to fake login pages impersonating a variety of government entities and Western cloud email providers’ webpages. These webpages were typically hosted on free third-party services or compromised SOHO devices and often used legitimate documents associated with thematically similar entities as lures. The subjects of spearphishing emails were diverse and ranged from professional topics to adult themes. Phishing emails were frequently sent via compromised accounts or free webmail accounts [T1586.002, T1586.003]. The emails were typically written in the target’s native language and sent to a single targeted recipient. 

    Some campaigns employed multi-stage redirectors [T1104] verifying IP-geolocation [T1627.001] and browser fingerprints [T1627] to protect credential harvesting infrastructure or provide multifactor authentication (MFA) [T1111] and CAPTCHA relaying capabilities [T1056]. Connecting endpoints failing the location checks were redirected to a benign URL [T1627], such as msn.com. Redirector services used include:

    • Webhook[.]site
    • FrgeIO
    • InfinityFree
    • Dynu
    • Mocky
    • Pipedream
    • Mockbin[.]org

    The actors also used spearphishing to deliver malware (including HEADLACE and MASEPIE) executables [T1204.002] delivered via third-party services and redirectors [T1566.002], scripts in a mix of languages [T1059] (including BAT [T1059.003] and VBScript [T1059.005]) and links to hosted shortcuts [T1204.001].

    CVE Usage

    Throughout this campaign, GRU unit 26165 weaponized an Outlook NTLM vulnerability (CVE-2023-23397) to collect NTLM hashes and credentials via specially crafted Outlook calendar appointment invitations [T1187]. [4],[5] These actors also used a series of Roundcube CVEs (CVE-2020-12641, CVE-2020-35730, and CVE-2021-44026) to execute arbitrary shell commands [T1059], gain access to victim email accounts, and retrieve sensitive data from email servers [T1114].

    Since at least fall 2023, the actors leveraged a WinRAR vulnerability (CVE-2023-38831) allowing for the execution of arbitrary code embedded in an archive as a means of initial access [T1659]. The actors sent emails with malicious attachments [T1566.001] or embedded hyperlinks [T1566.002] that downloaded a malicious archive prepared using this CVE. 

    Post-Compromise TTPs

    After an initial compromise using one of the above techniques, unit 26165 actors conducted contact information reconnaissance to identify additional targets in key positions [T1589.002]. The actors also conducted reconnaissance of the cybersecurity department [T1591], individuals responsible for coordinating transport [T1591.004], and other companies cooperating with the victim entity [T1591.002].

    The actors used native commands and open source tools, such as Impacket and PsExec, to move laterally within the environment [TA0008]. Multiple Impacket scripts were used as .exe files, in addition to the Python versions, depending on the victim environment. The actors also moved laterally within the network using Remote Desktop Protocol (RDP) [T1021.001] to access additional hosts and attempt to dump Active Directory NTDS.dit domain databases [T1003.003] using native Active Directory Domain Services commands, such as in Figure 2: Example Active Directory Domain Services command:

    C:\Windows\system32\ntdsutil.exe "activate instance ntds" ifm "create full C:\temp\[a-z]{3}" quit quit

    Figure 2: Example Active Directory Domain Services command

    Additionally, GRU unit 26165 actors used the tools Certipy and ADExplorer.exe to exfiltrate information from the Active Directory. The actors installed Python [T1059.006] on infected machines to enable the execution of Certipy. Accessed files were archived in .zip files prior to exfiltration [T1560]. The actors attempted to exfiltrate archived data via a previously dropped OpenSSH binary [T1048].

    Incident response investigations revealed that the actors would take steps to locate and exfiltrate lists of Office 365 users and set up sustained email collection. The actors used manipulation of mailbox permissions [T1098.002] to establish sustained email collection at compromised logistics entities, as detailed in a Polish Cybercommand blog. [6]

    After initial authentication, unit 26165 actors would change accounts’ folder permissions and enroll compromised accounts in MFA mechanisms to increase the trust-level of compromised accounts and enable sustained access [T1556.006]. The actors leveraged python scripts to retrieve plaintext passwords via Group Policy Preferences [T1552.006] using Get-GPPPassword.py and a modified ldap-dump.py to enumerate the Windows environment [T1087.002] and conduct a brute force password spray [T1110.003] via Lightweight Directory Access Protocol (LDAP). The actors would additionally delete event logs through the wevtutil utility [T1070.001].
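    The ntdsutil IFM dump in Figure 2, the wevtutil log clearing, and the tooling named in this section are all visible in process-creation telemetry. The Python below is an added example, not from the advisory: it classifies constructed process-creation records (fields like those in a Sysmon Event ID 1 or Windows Security 4688 event; hosts, users and paths are invented) against those three patterns, tolerating quoting, mixed case and full paths.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    image: str          # full path of the executable image
    command_line: str


@dataclass(frozen=True)
class Finding:
    technique: str      # MITRE ATT&CK id used by the advisory, or "tooling"
    detail: str


# Constructed records: one NTDS.dit dump, one log clear, one benign log query,
# one advisory-named tool run from a Downloads folder, one benign process.
SAMPLE_EVENTS = [
    ProcessEvent("DC01", "CORP\\svc-backup", r"C:\Windows\system32\ntdsutil.exe",
                 r'C:\Windows\system32\ntdsutil.exe "activate instance ntds" ifm '
                 r'"create full C:\temp\abc" quit quit'),
    ProcessEvent("WS17", "CORP\\jdoe", r"C:\Windows\System32\wevtutil.exe",
                 r'"C:\Windows\System32\wevtutil.exe" cl Security'),
    ProcessEvent("WS17", "CORP\\jdoe", r"C:\Windows\System32\wevtutil.exe",
                 r"wevtutil qe Security /c:5"),
    ProcessEvent("WS22", "CORP\\svc-print", r"C:\Users\svc-print\Downloads\ADExplorer.exe",
                 r"C:\Users\svc-print\Downloads\ADExplorer.exe"),
    ProcessEvent("WS22", "CORP\\svc-print", r"C:\Windows\System32\notepad.exe",
                 r"notepad.exe C:\temp\notes.txt"),
]

# Tools the advisory names in the post-compromise phase; their presence on a
# host that should never run them is worth a triage ticket.
ADVISORY_TOOLS = {"certipy.exe", "adexplorer.exe", "psexec.exe"}


def tokenize(command_line: str) -> list[str]:
    """Split a Windows command line, keeping double-quoted arguments intact."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command_line)]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcessEvent) -> list[Finding]:
    findings = []
    image = basename(ev.image)
    tokens = tokenize(ev.command_line)
    lowered = [t.lower() for t in tokens]

    # T1003.003: ntdsutil "install from media" mode writes a copy of NTDS.dit.
    if image == "ntdsutil.exe" and "ifm" in lowered:
        targets = [t for t in tokens if t.lower().startswith("create full")]
        if targets:
            findings.append(Finding("T1003.003", f"ntdsutil IFM dump: {targets[0]}"))

    # T1070.001: wevtutil cl / clear-log wipes an event log; qe (query) is benign.
    if image == "wevtutil.exe" and len(lowered) >= 3 and lowered[1] in ("cl", "clear-log"):
        findings.append(Finding("T1070.001", f"event log cleared: {tokens[2]}"))

    # Named tooling from the advisory, matched on image name or any argument.
    for name in [image] + [basename(t) for t in tokens]:
        if name in ADVISORY_TOOLS:
            findings.append(Finding("tooling", f"advisory-named tool executed: {name}"))
            break
    return findings


def scan(events) -> dict[int, list[Finding]]:
    """Return findings keyed by event index, omitting events with none."""
    result = {}
    for i, ev in enumerate(events):
        found = classify(ev)
        if found:
            result[i] = found
    return result


if __name__ == "__main__":
    for idx, found in scan(SAMPLE_EVENTS).items():
        print(SAMPLE_EVENTS[idx].host, [f"{f.technique}: {f.detail}" for f in found])
```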

    After gaining initial access to the network, the actors pursued further access to accounts with access to sensitive information on shipments, such as train schedules and shipping manifests. These accounts contained information on aid shipments to Ukraine, including: 

    • sender,
    • recipient,
    • train/plane/ship numbers,
    • point of departure,
    • destination,
    • container registration numbers,
    • travel route, and
    • cargo contents. 

    In at least one instance, the actors attempted to use voice phishing [T1566.004] to gain access to privileged accounts by impersonating IT staff.

    Malware

    Unit 26165’s use of malware in this campaign ranged from gaining initial access to establishing persistence and exfiltrating data. In some cases, the attack chain resulted in multiple pieces of malware being deployed in succession. The actors used dynamic link library (DLL) search order hijacking [T1574.001] to facilitate malware execution. There were a number of known malware variants tied to this campaign against logistics sector victims, including:

    • HEADLACE [7]
    • MASEPIE [8]

    While other malware variants, such as OCEANMAP and STEELHOOK, [8] were not directly observed targeting logistics or IT entities, their deployment against victims in other sectors in Ukraine and other Western countries suggests that they could be deployed against logistics and IT entities should the need arise.

    Persistence

    In addition to the abovementioned mailbox permissions abuse, unit 26165 actors also used scheduled tasks [T1053.005], run keys [T1547.001], and placed malicious shortcuts [T1547.009] in the startup folder to establish persistence. 

    Exfiltration

    GRU unit 26165 actors used a variety of methods for data exfiltration that varied based on the victim environment, including both malware and living off the land binaries. PowerShell commands [T1059.001] were often used to prepare data for exfiltration; for example, the actors prepared zip archives [T1560.001] for upload to their own infrastructure. 

    The actors also used server data exchange protocols and Application Programming Interfaces (APIs) such as Exchange Web Services (EWS) and Internet Message Access Protocol (IMAP) [T1114.002] to exfiltrate data from email servers. In multiple instances, the actors used periodic EWS queries [T1119] to collect new emails sent and received since the last data exfiltration [T1029]. The actors typically used infrastructure in close geographic proximity to the victim. Long gaps between exfiltration, the use of trusted and legitimate protocols, and the use of local infrastructure allowed for long-term collection of sensitive data to go undetected. 

    Connections to Targeting of IP Cameras

    In addition to targeting logistics entities, unit 26165 actors likely used access to private cameras at key locations, such as near border crossings, military installations, and rail stations, to track the movement of materials into Ukraine. The actors also used legitimate municipal services, such as traffic cams. 

    The actors targeted Real Time Streaming Protocol (RTSP) servers hosting IP cameras primarily located in Ukraine as early as March 2022 in a large-scale campaign, which included attempts to enumerate devices [T1592] and gain access to the cameras’ feeds [T1125]. Actor-controlled servers sent RTSP DESCRIBE requests destined for RTSP servers, primarily hosting IP cameras [T1090.002]. The DESCRIBE requests were crafted to obtain access to IP cameras located on logically distinct networks from that of the routers that received the request. The requests included Base64-encoded credentials for the RTSP server, which included publicly documented default credentials and likely generic attempts to brute force access to the devices [T1110]. An example of an RTSP request is shown in Figure 3.

    DESCRIBE rtsp://[IP ADDRESS] RTSP/1.0
    CSeq: 1
    Authorization: Basic
    User-Agent: WebClient
    Accept: application/sdp

    DESCRIBE rtsp://[IP ADDRESS] RTSP/1.0
    CSeq: 2
    Authorization: Digest username="admin", realm="[a-f0-9]{12}", algorithm="MD5", nonce="[a-f0-9]{32}", uri="", response="[a-f0-9]{32}"
    User-Agent: WebClient
    Accept: application/sdp

    Figure 3: Example RTSP request

    Successful RTSP 200 OK responses contained a snapshot of the IP camera’s image and IP camera metadata such as video codec, resolution, and other properties depending on the IP camera’s configuration. 
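    A router or camera gateway that logs inbound RTSP requests can triage them for the traits Figure 3 shows: Basic credentials that decode to factory defaults, Digest authentication as "admin", and a target camera on a network other than the one that received the request. The Python below is an added example, not from the advisory; the three requests, the credential pairs, the hex realm/nonce/response values and the network addresses are all constructed.

```python
import base64
import binascii
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed requests shaped like Figure 3. "admin:admin" base64-encodes to
# YWRtaW46YWRtaW4=; the hex values only have the lengths the figure shows.
REQ_BASIC = (
    "DESCRIBE rtsp://10.20.30.40:554/stream1 RTSP/1.0\r\n"
    "CSeq: 1\r\n"
    "Authorization: Basic YWRtaW46YWRtaW4=\r\n"
    "User-Agent: WebClient\r\n"
    "Accept: application/sdp\r\n\r\n"
)
REQ_DIGEST = (
    "DESCRIBE rtsp://10.20.30.41/ RTSP/1.0\r\n"
    "CSeq: 2\r\n"
    'Authorization: Digest username="admin", realm="0123456789ab", algorithm="MD5", '
    'nonce="00112233445566778899aabbccddeeff", uri="rtsp://10.20.30.41/", '
    'response="ffeeddccbbaa99887766554433221100"\r\n'
    "User-Agent: WebClient\r\n"
    "Accept: application/sdp\r\n\r\n"
)
REQ_BENIGN = (
    "DESCRIBE rtsp://192.168.1.50/live RTSP/1.0\r\n"
    "CSeq: 3\r\n"
    'Authorization: Digest username="viewer", realm="0123456789ab", algorithm="MD5", '
    'nonce="00112233445566778899aabbccddeeff", uri="rtsp://192.168.1.50/live", '
    'response="ffeeddccbbaa99887766554433221100"\r\n'
    "User-Agent: VLC/3.0\r\n"
    "Accept: application/sdp\r\n\r\n"
)

# Trivial factory-style pairs for the check (constructed); a deployment would use
# the vendor documentation for the cameras actually installed.
DEFAULT_CREDENTIALS = {"admin:admin", "admin:", "root:root"}


def parse_rtsp_request(raw: str) -> dict:
    """Return method, URL, version and a lower-cased header map for one request."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, url, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "url": url, "version": version, "headers": headers}


def parse_authorization(value: str) -> dict:
    """Decode Basic credentials, or split a Digest header into its parameters."""
    scheme, _, rest = value.partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        try:
            creds = base64.b64decode(rest.strip(), validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            return {"scheme": "basic", "credentials": None}
        return {"scheme": "basic", "credentials": creds}
    if scheme == "digest":
        pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', rest)
        return {"scheme": "digest", **{k.lower(): (q or u) for k, q, u in pairs}}
    return {"scheme": scheme}


def assess(raw: str, receiving_network: str) -> set[str]:
    """Flag the traits the advisory describes for one request seen at a router."""
    req = parse_rtsp_request(raw)
    flags = set()
    if req["method"].upper() != "DESCRIBE":
        return flags
    auth = parse_authorization(req["headers"].get("authorization", ""))
    if auth.get("scheme") == "basic":
        creds = auth.get("credentials")
        if creds is None:
            flags.add("basic_undecodable")
        elif creds in DEFAULT_CREDENTIALS:
            flags.add("basic_default_credential")
    elif auth.get("scheme") == "digest" and auth.get("username", "").lower() == "admin":
        flags.add("digest_admin_user")
    # The advisory notes requests aimed at cameras on networks logically distinct
    # from the router that received them; compare the URL host with that network.
    host = urlsplit(req["url"]).hostname
    try:
        if ipaddress.ip_address(host) not in ipaddress.ip_network(receiving_network):
            flags.add("off_network_target")
    except ValueError:
        flags.add("target_not_ip")
    return flags
```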

    From a sample available to the authoring agencies of over 10,000 cameras targeted via this effort, the geographic distribution of victims showed a strong focus on cameras in Ukraine and border countries, as shown in Table 1:

    Table 1: Geographic distribution of targeted IP cameras
    Country Percentage of Total Attempts
    Ukraine 81.0%
    Romania 9.9%
    Poland 4.0%
    Hungary 2.8%
    Slovakia 1.7%
    Others 0.6%

    Mitigation Actions

    General Security Mitigations

    Architecture and Configuration

    • Employ appropriate network segmentation [D3-NI] and restrictions to limit access and utilize additional attributes (such as device information, environment, and access path) when making access decisions [D3-AMED].
      • Consider Zero Trust principles when designing systems. Base product choices on how those products can solve specific risks identified as part of the end-to-end design. [9]
    • Ensure that host firewalls and network security appliances (e.g., firewalls) are configured to only allow legitimately needed data flows between devices and servers to prevent lateral movement [D3-ITF]. Alert on attempts to connect laterally between host devices or other unusual data flows.
    • Use automated tools to audit access logs for security concerns and identify anomalous access requests [D3-RAPA].
    • For organizations using on-premises authentication and email services, block and alert on NTLM/SMB requests to external infrastructure [D3-OTF].
    • Utilize endpoint detection and response (EDR) and other cybersecurity solutions on all systems, prioritizing high value systems with large amounts of sensitive data such as mail servers and domain controllers [D3-PM] first.
      • Perform threat and attack modeling to understand how sensitive systems may be compromised within an organization’s specific architecture and security controls. Use this to develop a monitoring strategy to detect compromise attempts and select appropriate products to enact this strategy.
    • Collect and monitor Windows logs for certain events, especially for events that indicate that a log was cleared unexpectedly [D3-SFA].
    • Enable optional security features in Windows to harden endpoints and mitigate initial access techniques [D3-AH]:
      • Enable attack surface reduction rules to prevent executable content from email [D3-ABPI].
      • Enable attack surface reduction rules to prevent execution of files from globally writeable directories, such as Downloads or %APPDATA% [D3-EAL].
      • Unless users are involved in the development of scripts, limit the local execution of scripts (such as batch scripts, VBScript, JScript/JavaScript, and PowerShell [10]) to known scripts [D3-EI], and audit execution attempts.
      • Disable Windows Host Scripting functionality and configure PowerShell to run in Constrained mode [D3-ACH].
    • Where feasible, implement allowlisting for applications and scripts to limit execution to only those needed for authorized activities, blocking all others by default [D3-EAL].
    • Consider using open source SIGMA rules as a baseline for detecting and alerting on suspicious file execution or command parameters [D3-PSA].
    • Use services that provide enhanced browsing services and safe link checking [D3-URA]. Significant reductions in successful spearphishing attempts were noted when email providers began offering link checking and automatic file detonation to block malicious content.
    • Where possible, block logins from public VPNs, including exit nodes in the same country as target systems, or, if they need to be allowed, alert on them for further investigation. Most organizations should not need to allow incoming traffic, especially logins to systems, from VPN services [D3-NAM].
    • Educate users to only use approved corporate systems for relevant government and military business and avoid the use of personal accounts on cloud email providers to conduct official business. Network administrators should also audit both email and web request logs to detect such activity.

    Many organizations may not need to allow outgoing traffic to hosting and API mocking services, which are frequently used by GRU unit 26165. Organizations should consider alerting on or blocking the following services, with exceptions allowlisted for legitimate activity [D3-DNSDL].

    • *.000[.]pe
    • *.1cooldns[.]com
    • *.42web[.]io
    • *.4cloud[.]click
    • *.accesscan[.]org
    • *.bumbleshrimp[.]com
    • *.camdvr[.]org
    • *.casacam[.]net
    • *.ddnsfree[.]com
    • *.ddnsgeek[.]com
    • *.ddnsguru[.]com
    • *.dynuddns[.]com
    • *.dynuddns[.]net
    • *.free[.]nf
    • *.freeddns[.]org
    • *.frge[.]io
    • *.glize[.]com
    • *.great-site[.]net
    • *.infinityfreeapp[.]com
    • *.kesug[.]com
    • *.loseyourip[.]com
    • *.lovestoblog[.]com
    • *.mockbin[.]io
    • *.mockbin[.]org
    • *.mocky[.]io
    • *.mybiolink[.]io
    • *.mysynology[.]net
    • *.mywire[.]org
    • *.ngrok[.]io
    • *.ooguy[.]com
    • *.pipedream[.]net
    • *.rf[.]gd
    • *.urlbae[.]com
    • *.webhook[.]site
    • *.webhookapp[.]com
    • *.webredirect[.]org
    • *.wuaze[.]com

    Heuristic detections for web requests to new subdomains, including of the above providers, may uncover malicious phishing activity [D3-DNRA]. Logging the requests for each sub-domain requested by users on a network, such as in DNS or firewall logs, may enable system administrators to identify new targeting and victims.
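As an added illustration (not code from the advisory), the following Python script applies both recommendations above to DNS query logs: it matches queried names against a subset of the provider suffixes listed (refanged from the [.] notation) on label boundaries, and reports each subdomain of those providers the first time it is seen. The log format, the client addresses and every sample line are constructed for the example; adapt the parser to the layout of your resolver's or firewall's logs.

```python
import re
from collections import defaultdict

# Subset of the hosting / API-mocking suffixes listed in the advisory, kept in the
# "[.]" defanged notation and refanged here. Extend the tuple with the full list.
BLOCK_SUFFIXES = [s.replace("[.]", ".") for s in (
    "webhook[.]site", "mocky[.]io", "mockbin[.]org", "ngrok[.]io",
    "pipedream[.]net", "ddnsfree[.]com", "infinityfreeapp[.]com",
)]

# Constructed sample of DNS query log lines (not real traffic):
# "<timestamp> <client ip> <queried name>"
SAMPLE_DNS_LOG = """\
2024-08-01T09:00:01Z 10.0.0.12 update.example-corp.internal
2024-08-01T09:00:05Z 10.0.0.12 a1b2c3.webhook.site
2024-08-01T09:00:09Z 10.0.0.15 run.mocky.io
2024-08-01T09:01:00Z 10.0.0.15 a1b2c3.webhook.site
2024-08-01T09:02:00Z 10.0.0.20 notwebhook.site
2024-08-01T09:03:00Z 10.0.0.20 xyz987.ddnsfree.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def matching_suffix(qname, suffixes=BLOCK_SUFFIXES):
    """Return the listed suffix that qname belongs to, or None.

    The comparison is made on label boundaries, so "notwebhook.site" is not
    treated as a subdomain of "webhook.site"."""
    q = qname.lower().rstrip(".")
    for suffix in suffixes:
        if q == suffix or q.endswith("." + suffix):
            return suffix
    return None


def scan_dns_log(text, suffixes=BLOCK_SUFFIXES):
    """Return one hit per query to a listed provider.

    Each hit records whether that exact subdomain was seen for the first time in
    this log; first-seen subdomains of these providers are the cases the advisory
    suggests reviewing for newly stood-up phishing infrastructure."""
    seen = defaultdict(set)   # suffix -> subdomains already observed
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue           # skip malformed lines rather than abort the scan
        ts, client, qname = m.groups()
        suffix = matching_suffix(qname, suffixes)
        if suffix is None:
            continue
        key = qname.lower()
        first_seen = key not in seen[suffix]
        seen[suffix].add(key)
        hits.append({"ts": ts, "client": client, "qname": qname,
                     "provider": suffix, "first_seen": first_seen})
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        flag = "NEW" if hit["first_seen"] else "   "
        print(f'{flag} {hit["ts"]} {hit["client"]} -> {hit["qname"]} ({hit["provider"]})')
```

In production the "already seen" set would be persisted (or replaced by a lookup against passive DNS / first-seen data) so that the first query to a fresh subdomain is flagged across runs, not just within one log file.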

    Identity and Access Management

    Organizations should take measures to ensure strong access controls and mitigate against common credential theft techniques: 

    • Use MFA with strong factors, such as passkeys or PKI smartcards, and require regular re-authentication [D3-MFA]. [11], [12] Strong authentication factors are not guessable using dictionary techniques, so they resist brute force attempts.
    • Implement other mitigations for privileged accounts: including limiting the number of admin accounts, considering using hardware MFA tokens, and regularly reviewing all privileged user accounts [D3-JFAPA].
    • Separate privileged accounts by role and alert on misuse of privileged accounts [D3-UAP]. For example, email administrator accounts should be different from domain administrator accounts.
    • Reduce reliance on passwords; instead, consider using services like single sign-on [D3-TBA].
      • For organizations using on-premises authentication and email services, plan to disable NTLM entirely and migrate to more robust authentication processes such as PKI certificate authentication.
    • Do not store passwords in Group Policy Preferences (GPP). Remove all passwords previously included in GPP and change all passwords on the corresponding accounts [D3-CH]. [13]
    • Use account throttling or account lockout [D3-ANET]:
      • Throttling is preferred to lockout. Throttling progressively increases time delay between successive login attempts.
      • Account lockout can leave legitimate users unable to access their accounts and requires access to an account recovery process.
      • Account lockout can provide a malicious actor with an easy way to launch a Denial of Service (DoS).
      • If using lockout, then allowing 5 to 10 attempts before lockout is recommended.
    • Use a service to check for compromised passwords before using them [D3-SPP]. For example, “Have I Been Pwned” can be used to check whether a password has been previously compromised without disclosing the potential password.
    • Change all default credentials [D3-CRO] and disable protocols that use weak authentication (e.g., clear-text passwords or outdated and vulnerable authentication or encryption protocols) or do not support multi-factor authentication [D3-ACH] [D3-ET]. Always configure access controls carefully to ensure that only well-maintained and well-authenticated accounts have access. [13]
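The throttling recommended above, as an added example not taken from the advisory: a per-account exponential back-off in Python. The class and function names are my own, and the credential verifier and clock are stand-ins so the scenario runs without a real credential store or any sleeping. The point to notice is that a successful login resets the delay, so no account is ever locked and a guessing client gains no denial-of-service lever over the account's owner.

```python
import time


class ProgressiveThrottle:
    """Per-account throttling with exponential back-off.

    After the n-th consecutive failure the next attempt for that account is not
    accepted until base_delay * 2**(n-1) seconds (capped at max_delay) have
    elapsed. A successful login clears the counter, so the account is never
    locked and its legitimate owner is never shut out."""

    def __init__(self, base_delay=1.0, max_delay=300.0, clock=time.monotonic):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock                 # injectable so tests need not sleep
        self._state = {}                   # account -> (failures, next_allowed_at)

    def retry_after(self, account):
        """Seconds the caller must still wait before an attempt is accepted."""
        _, next_allowed_at = self._state.get(account, (0, 0.0))
        return max(0.0, next_allowed_at - self.clock())

    def record_failure(self, account):
        """Register a failed attempt and return the delay now imposed."""
        failures, _ = self._state.get(account, (0, 0.0))
        failures += 1
        delay = min(self.base_delay * 2 ** (failures - 1), self.max_delay)
        self._state[account] = (failures, self.clock() + delay)
        return delay

    def record_success(self, account):
        self._state.pop(account, None)


def attempt_login(throttle, verify, account, password):
    """Consult the throttle before the credential store, so a guessing client
    cannot drive verification faster than the imposed delay allows."""
    if throttle.retry_after(account) > 0:
        return "throttled"
    if verify(account, password):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    return "denied"


class FakeClock:
    """Manually advanced clock so the back-off can be exercised instantly."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def demo():
    """Constructed scenario: repeated wrong guesses, a late correct login, then a
    fresh failure after the reset. Returns the sequence of outcomes."""
    clock = FakeClock()
    throttle = ProgressiveThrottle(base_delay=1.0, max_delay=8.0, clock=clock)

    def verify(account, password):          # stand-in for a real credential store
        return password == "correct-horse"

    steps = [
        (0.0, "wrong"), (0.0, "wrong"),       # denied, then throttled (delay 1 s)
        (1.0, "wrong"),                       # accepted again, denied (delay now 2 s)
        (2.0, "wrong"),                       # still inside the delay: throttled
        (3.0, "correct-horse"),               # accepted, ok, counter reset
        (3.0, "wrong"),                       # denied, delay back to 1 s
    ]
    outcomes = []
    for now, password in steps:
        clock.now = now
        outcomes.append(attempt_login(throttle, verify, "alice", password))
    return outcomes


if __name__ == "__main__":
    print(demo())
```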

    IP Camera Mitigations

    The following mitigation techniques for IP cameras can be used to defend against this type of malicious activity:

    • Ensure IP cameras are currently supported. Replace devices that are out of support.
    • Apply security patches and firmware updates to all IP cameras [D3-SU].
    • Disable remote access to the IP camera, if unnecessary [D3-ITF].
    • Ensure cameras are protected by a security appliance, if possible, such as by using a firewall to prevent communication with the camera from IP addresses not on an allowlist [D3-NAM].
    • If remote access to IP camera feeds is required, ensure authentication is enabled [D3-AA] and use a VPN to connect remotely [D3-ET]. Use MFA for management accounts if supported [D3-MFA].
    • Disable Universal Plug and Play (UPnP), Peer-to-Peer (P2P), and Anonymous Visit features on IP cameras and routers [D3-NI].
    • Turn off other ports/services not in use (e.g., FTP, web interface, etc.) [D3-ACH].
    • If supported, enable authenticated RTSP access only [D3-AA].
    • Review all authentication activity for remote access to make sure it is valid and expected [D3-UBA]. Investigate any unexpected or unusual activity.
    • Audit IP camera user accounts to ensure they are an accurate reflection of your organization and that they are being used as expected [D3-UAP].
    • Configure, tune, and monitor logging—if available—on the IP camera.
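An added example, not from the advisory, showing how the allowlist and authentication-review recommendations above can be applied to RTSP request logs in Python. The record layout, the management allowlist and every request line are constructed; the only real value is the Hikvision indicator string from the advisory's IOC list, which is matched as an opaque token and never decoded. The script reports requests from sources outside the allowlist, requests carrying that indicator, and sources that present several distinct Basic credentials to one camera, the default-credential guessing pattern the advisory describes against RTSP servers.

```python
import re
from collections import defaultdict

# Literal indicator string from the advisory's "Malicious scripts" list (Hikvision
# backdoor string). It is compared as an opaque token; nothing here decodes it.
KNOWN_BAD_BASIC_TOKENS = {"YWRtaW46MTEK"}

# Constructed sample of RTSP request records as a gateway or camera might log them
# (not real traffic): "<timestamp> <source ip> <method> <url> <authorization or ->"
SAMPLE_RTSP_LOG = """\
2024-08-10T02:00:01Z 10.20.0.5   DESCRIBE rtsp://cam01.example.internal/stream1 -
2024-08-10T02:00:02Z 203.0.113.7 DESCRIBE rtsp://cam01.example.internal/stream1 -
2024-08-10T02:00:03Z 203.0.113.7 DESCRIBE rtsp://cam01.example.internal/stream1 Basic YWRtaW46MTEK
2024-08-10T02:00:04Z 203.0.113.7 DESCRIBE rtsp://cam01.example.internal/stream1 Basic dXNlcjpwYXNz
2024-08-10T02:00:05Z 203.0.113.7 DESCRIBE rtsp://cam01.example.internal/stream1 Basic Zm9vOmJhcg==
2024-08-10T02:00:06Z 203.0.113.7 DESCRIBE rtsp://cam01.example.internal/stream1 Basic YWJjOjEyMw==
2024-08-10T02:00:07Z 10.20.0.5   DESCRIBE rtsp://cam01.example.internal/stream1 Basic b3BzOnMzY3IzdA==
"""

# Hypothetical allowlist of hosts permitted to reach the cameras (the firewall
# allowlist the advisory recommends). The address is constructed.
MANAGEMENT_ALLOWLIST = {"10.20.0.5"}

URL_HOST_RE = re.compile(r"^rtsp://([^/:]+)")


def target_of(url):
    """Camera host named in an rtsp:// URL (the whole URL if it does not parse)."""
    m = URL_HOST_RE.match(url)
    return m.group(1).lower() if m else url


def analyze_rtsp_log(text, allowlist=MANAGEMENT_ALLOWLIST, guess_threshold=3):
    """Return findings as (kind, source, target, detail) tuples.

    kinds:
      unlisted_source       first request seen from a source outside the allowlist
      known_ioc_credential  Authorization token equals a published indicator
      credential_guessing   at least guess_threshold distinct Basic tokens from one
                            source against one camera
    """
    findings = []
    reported_sources = set()
    tokens_by_pair = defaultdict(set)      # (source, target) -> distinct tokens
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue                        # malformed record: skip, do not abort
        ts, src, method, url = parts[:4]
        auth = parts[4:]
        target = target_of(url)
        if src not in allowlist and (src, target) not in reported_sources:
            reported_sources.add((src, target))
            findings.append(("unlisted_source", src, target, ts))
        if len(auth) == 2 and auth[0] == "Basic":
            token = auth[1]
            if token in KNOWN_BAD_BASIC_TOKENS:
                findings.append(("known_ioc_credential", src, target, ts))
            tokens_by_pair[(src, target)].add(token)
    for (src, target), tokens in tokens_by_pair.items():
        if len(tokens) >= guess_threshold:
            findings.append(("credential_guessing", src, target, len(tokens)))
    return findings


if __name__ == "__main__":
    for finding in analyze_rtsp_log(SAMPLE_RTSP_LOG):
        print(*finding)
```

Where the firewall already drops unlisted sources, the first finding type will come from the firewall's own deny log instead; the other two still apply to whatever reaches the camera.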

    Indicators of Compromise (IOCs)

    Note: Specific IoCs may no longer be actor controlled, may themselves be compromised infrastructure or email accounts, or may be shared infrastructure such as public VPN or Tor exit nodes. Care should be taken when triaging logs or developing detection rules based on these indicators. GRU unit 26165 almost certainly uses extensive further infrastructure and TTPs not specifically listed in this report.

    Utilities and scripts

    Legitimate utilities

    Unauthorized or unusual use of the following legitimate utilities can be an indication of a potential compromise:

    • ntdsutil – A legitimate Windows executable used by threat actors to export contents of Active Directory
    • wevtutil – A legitimate Windows executable used by threat actors to delete event logs
    • vssadmin – A legitimate Windows executable possibly used by threat actors to make a copy of the server’s C: drive
    • ADexplorer – A legitimate Windows executable to view, edit, and backup Active Directory Certificate Services
    • OpenSSH – The Windows version of a legitimate open source SSH client
    • schtasks – A legitimate Windows executable used to create persistence using scheduled tasks
    • whoami – A legitimate Windows executable used to retrieve the name of the current user
    • tasklist – A legitimate Windows executable used to retrieve the list of running processes
    • hostname – A legitimate Windows executable used to retrieve the device name
    • arp – A legitimate Windows executable used to retrieve the ARP table for mapping the network environment
    • systeminfo – A legitimate Windows executable used to retrieve a comprehensive summary of device and operating system information
    • net – A legitimate Windows executable used to retrieve detailed user information
    • wmic – A legitimate Windows executable used to interact with Windows Management Instrumentation (WMI), such as to retrieve letters assigned to logical partitions on storage drives
    • cacls – A legitimate Windows executable used to modify permissions on files
    • icacls – A legitimate Windows executable used to modify permissions to files and handle integrity levels and ownership
    • ssh – A legitimate Windows executable used to establish network shell connections
    • reg – A legitimate Windows executable used to add to or modify the system registry 

    Note: Additional heuristics are needed for effective hunting for these and other living off the land (LOTL) binaries to avoid being overwhelmed by false positives if these legitimate management tools are used regularly. See the joint guide, Identifying and Mitigating Living Off the Land Techniques, for guidance on developing a multifaceted cybersecurity strategy that enables behavior analytics, anomaly detection, and proactive hunting, which are part of a comprehensive approach to mitigating cyber threats that employ LOTL techniques.

    Malicious scripts

    • Certipy – An open source Python tool for enumerating and abusing Active Directory Certificate Services
    • Get-GPPPassword.py – An open source Python script for finding insecure passwords stored in Group Policy Preferences
    • ldap-dump.py – A script for enumerating user accounts and other information in Active Directory
    • Hikvision backdoor string: “YWRtaW46MTEK”

    Suspicious command lines

    While the following utilities are legitimate, and using them with the command lines shown may also be legitimate, these command lines are often used during malicious activities and could be an indication of a compromise:

    • edge.exe “-headless-new -disable-gpu”
    • ntdsutil.exe “activate instance ntds” ifm “create full C:\temp\[a-z]{3}” quit quit
    • ssh -Nf
    • schtasks /create /xml
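An added detection example in Python, not from the advisory: the command lines above turned into regular expressions and run over constructed process-creation events. The patterns are my generalisation of the literal strings (the Edge pattern accepts both spellings of the headless switches that appear in this advisory, and a wevtutil clear-log pattern is included because the advisory names wevtutil as the tool used to delete event logs). The optional baseline of reviewed (host, user, rule) triples is the kind of tuning the LOTL note above calls for; all event data and names are constructed.

```python
import re

# Detection patterns derived from the advisory's suspicious command lines. These
# regular expressions are my generalisation of the literal strings.
SUSPICIOUS_COMMAND_PATTERNS = {
    # "-headless-new -disable-gpu" (list above) or "--headless=new --disable-gpu" (HEADLACE rule)
    "edge_headless":     re.compile(r"(?i)\b(?:ms)?edge(?:\.exe)?\b.*-{1,2}headless[-=]new\b.*-{1,2}disable-gpu\b"),
    "ntdsutil_ifm_dump": re.compile(r"(?i)\bntdsutil(?:\.exe)?\b.*activate instance ntds.*\bifm\b.*create full"),
    # executable name is case-insensitive, the flags are not
    "ssh_background":    re.compile(r"(?i:\bssh(?:\.exe)?\b).*\s-(?:Nf|fN)\b"),
    "schtasks_from_xml": re.compile(r"(?i)\bschtasks(?:\.exe)?\b.*/create\b.*/xml\b"),
    "wevtutil_clear":    re.compile(r"(?i)\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b"),
}

# Constructed process-creation events in the shape a Sysmon event 1 / 4688 pipeline
# might produce (host, user, command line). Hosts, users and paths are made up.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "jdoe",     "cmd": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless=new --disable-gpu https://example.invalid/'},
    {"host": "DC01", "user": "svc-bkp",  "cmd": r'ntdsutil.exe "activate instance ntds" ifm "create full C:\temp\xyz" quit quit'},
    {"host": "WS02", "user": "jdoe",     "cmd": r'ssh -Nf ops@203.0.113.10'},
    {"host": "WS02", "user": "jdoe",     "cmd": r'schtasks /create /xml C:\Users\Public\task.xml /tn Updater'},
    {"host": "WS03", "user": "helpdesk", "cmd": r'wevtutil cl Security'},
    {"host": "WS04", "user": "jdoe",     "cmd": r'tasklist /v'},                                    # benign: no alert
    {"host": "WS05", "user": "jdoe",     "cmd": r'msedge.exe --disable-gpu https://example.invalid/'},  # no headless switch
    {"host": "WS06", "user": "jdoe",     "cmd": r'ssh ops@203.0.113.10 -NF'},                        # wrong case: not -Nf
]


def detect_suspicious_commands(events, patterns=SUSPICIOUS_COMMAND_PATTERNS, baseline=()):
    """Return (rule, event) pairs for every command line that matches a pattern.

    `baseline` holds (host, user, rule) triples the organisation has reviewed and
    accepted (for example a backup account that legitimately runs ntdsutil on a
    domain controller); those are suppressed so the remaining alerts stay
    actionable, which is the tuning the LOTL note recommends."""
    alerts = []
    for event in events:
        for rule, pattern in patterns.items():
            if pattern.search(event["cmd"]) and (event["host"], event["user"], rule) not in baseline:
                alerts.append((rule, event))
    return alerts


if __name__ == "__main__":
    for rule, event in detect_suspicious_commands(SAMPLE_EVENTS):
        print(f'{rule:18} {event["host"]:5} {event["user"]:9} {event["cmd"]}')
```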

    Outlook CVE Exploitation IOCs

    • md-shoeb@alfathdoor[.]com[.]sa
    • jayam@wizzsolutions[.]com
    • accounts@regencyservice[.]in
    • m.salim@tsc-me[.]com
    • vikram.anand@4ginfosource[.]com
    • mdelafuente@ukwwfze[.]com
    • sarah@cosmicgold469[.]co[.]za
    • franch1.lanka@bplanka[.]com
    • commerical@vanadrink[.]com
    • maint@goldenloaduae[.]com
    • karina@bhpcapital[.]com
    • tv@coastalareabank[.]com
    • ashoke.kumar@hbclife[.]in
    • 213[.]32[.]252[.]221
    • 124[.]168[.]91[.]178
    • 194[.]126[.]178[.]8
    • 159[.]196[.]128[.]120

    Commonly Used Webmail Providers

    • portugalmail[.]pt
    • mail-online[.]dk
    • email[.]cz
    • seznam[.]cz

    Malicious Archive Filenames Involving CVE-2023-38831

    • calc.war.zip
    • news_week_6.zip
    • Roadmap.zip
    • SEDE-PV-2023-10-09-1_EN.zip
    • war.zip
    • Zeyilname.zip

    Brute Forcing IP Addresses

    Disclaimer: These IP addresses date June 2024 through August 2024. The authoring agencies recommend organizations investigate or vet these IP addresses prior to taking action, such as blocking.

    June 2024

    • 192[.]162[.]174[.]94
    • 103[.]97[.]203[.]29
    • 209[.]14[.]71[.]127
    • 109[.]95[.]151[.]207

    July 2024

    • 207[.]244[.]71[.]84
    • 162[.]210[.]194[.]2

    August 2024

    • 31[.]135[.]199[.]145
    • 31[.]42[.]4[.]138
    • 46[.]112[.]70[.]252
    • 46[.]248[.]185[.]236
    • 64[.]176[.]67[.]117
    • 64[.]176[.]69[.]196
    • 64[.]176[.]70[.]18
    • 64[.]176[.]70[.]238
    • 64[.]176[.]71[.]201
    • 70[.]34[.]242[.]220
    • 70[.]34[.]243[.]226
    • 70[.]34[.]244[.]100
    • 70[.]34[.]245[.]215
    • 70[.]34[.]252[.]168
    • 70[.]34[.]252[.]186
    • 70[.]34[.]252[.]222
    • 70[.]34[.]253[.]13
    • 70[.]34[.]253[.]247
    • 70[.]34[.]254[.]245
    • 79[.]184[.]25[.]198
    • 79[.]185[.]5[.]142
    • 83[.]10[.]46[.]174
    • 83[.]168[.]66[.]145
    • 83[.]168[.]78[.]27
    • 83[.]168[.]78[.]31
    • 83[.]168[.]78[.]55
    • 83[.]23[.]130[.]49
    • 83[.]29[.]138[.]115
    • 89[.]64[.]70[.]69
    • 90[.]156[.]4[.]204
    • 91[.]149[.]202[.]215
    • 91[.]149[.]203[.]73
    • 91[.]149[.]219[.]158
    • 91[.]149[.]219[.]23
    • 91[.]149[.]223[.]130
    • 91[.]149[.]253[.]118
    • 91[.]149[.]253[.]198
    • 91[.]149[.]253[.]20
    • 91[.]149[.]253[.]204
    • 91[.]149[.]254[.]75
    • 91[.]149[.]255[.]122
    • 91[.]149[.]255[.]19
    • 91[.]149[.]255[.]195
    • 91[.]221[.]88[.]76
    • 93[.]105[.]185[.]139
    • 95[.]215[.]76[.]209
    • 138[.]199[.]59[.]43
    • 147[.]135[.]209[.]245
    • 178[.]235[.]191[.]182
    • 178[.]37[.]97[.]243
    • 185[.]234[.]235[.]69
    • 192[.]162[.]174[.]67
    • 194[.]187[.]180[.]20
    • 212[.]127[.]78[.]170
    • 213[.]134[.]184[.]167

    Detections

    Customized NTLM listener

    rule APT28_NTLM_LISTENER {
        meta:
            description = "Detects NTLM listeners including APT28's custom one"
        strings:
            $command_1 = "start-process powershell.exe -WindowStyle hidden"
            $command_2 = "New-Object System.Net.HttpListener"
            $command_3 = "Prefixes.Add('http://localhost:8080/')"
            $command_4 = "-match 'Authorization'"
            $command_5 = "GetValues('Authorization')"
            $command_6 = "Request.RemoteEndPoint.Address.IPAddressToString"
            $command_7 = "@(0x4e,0x54,0x4c,0x4d, 0x53,0x53,0x50,0x00,0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x28,0x00,0x00,0x01,0x82,0x00,0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)"
            $command_8 = ".AllKeys"

            $variable_1 = "$NTLMAuthentication" nocase
            $variable_2 = "$NTLMType2" nocase
            $variable_3 = "$listener" nocase
            $variable_4 = "$hostip" nocase
            $variable_5 = "$request" nocase
            $variable_6 = "$ntlmt2" nocase
            $variable_7 = "$NTLMType2Response" nocase
            $variable_8 = "$buffer" nocase
        condition:
            5 of ($command_*)
            or
            all of ($variable_*)
    }

    HEADLACE shortcut

    rule APT28_HEADLACE_SHORTCUT {
        meta:
            description = "Detects the HEADLACE backdoor shortcut dropper. Rule is meant for threat hunting."
        strings:
            $type = "[InternetShortcut]" ascii nocase
            $url  = "file://"
            $edge = "msedge.exe"
            $icon = "IconFile"
        condition:
            all of them
    }

    HEADLACE credential dialogbox phishing 

    rule APT28_HEADLACE_CREDENTIALDIALOG {
        meta:
            description = "Detects scripts used by APT28 to lure user into entering credentials"
        strings:
            $command_1 = "while($true)"
            $command_2 = "Get-Credential $(whoami)"
            $command_3 = "Add-Content"
            $command_4 = ".UserName"
            $command_5 = ".GetNetworkCredential().Password"
            $command_6 = "GetNetworkCredential().Password.Length -ne 0"
        condition:
            5 of them
    }

    HEADLACE core script

    rule APT28_HEADLACE_CORE {
        meta:
            description = "Detects HEADLACE core batch scripts"
        strings:
            $chcp = "chcp 65001" ascii
            $headless = "start \"\" msedge --headless=new --disable-gpu" ascii

            $command_1 = "taskkill /im msedge.exe /f" ascii
            $command_2 = "whoami>\"%programdata%" ascii
            $command_3 = "timeout" ascii
            $command_4 = "copy \"%programdata%" ascii
            $non_generic_del_1 = "del /q /f \"%programdata%" ascii
            $non_generic_del_3 = "del /q /f \"%userprofile%\\Downloads" ascii

            $generic_del = "del /q /f" ascii
        condition:
            (
                $chcp
                and
                $headless
            )
            and
            (
                1 of ($non_generic_del_*)
                or
                ($generic_del)
                or
                3 of ($command_*)
            )
    }

    MASEPIE

    rule APT28_MASEPIE {
        meta:
            description = "Detects MASEPIE python script"
        strings:
            $masepie_unique_1 = "os.popen('whoami').read()"
            $masepie_unique_2 = "elif message == 'check'"
            $masepie_unique_3 = "elif message == 'send_file':"
            $masepie_unique_4 = "elif message == 'get_file'"
            $masepie_unique_5 = "enc_mes('ok'"
            $masepie_unique_6 = "Bad command!'.encode('ascii'"
            $masepie_unique_7 = "{user}{SEPARATOR}{k}"
            $masepie_unique_8 = "raise Exception(\"Reconnect"
        condition:
            3 of ($masepie_unique_*)
    }

    STEELHOOK

    rule APT28_STEELHOOK {
        meta:
            description = "Detects APT28's STEELHOOK powershell script"
        strings:
            $s_1 = "$($env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Local State)"
            $s_2 = "$($env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Login Data)"
            $s_3 = "$($env:LOCALAPPDATA\\Microsoft\\Edge\\User Data\\Local State)"
            $s_4 = "$($env:LOCALAPPDATA\\Microsoft\\Edge\\User Data\\Default\\Login Data)"
            $s_5 = "os_crypt.encrypted_key"
            $s_6 = "System.Security.Cryptography.DataProtectionScope"
            $s_7 = "[system.security.cryptography.protectdata]::Unprotect"
            $s_8 = "Invoke-RestMethod"
        condition:
            all of them
    }

    PSEXEC

    rule GENERIC_PSEXEC {
        meta:
            description = "Detects SysInternals PSEXEC executable"
        strings:
            $sysinternals_1 = "SYSINTERNALS SOFTWARE LICENCE TERMS"
            $sysinternals_2 = "/accepteula"
            $sysinternals_3 = "Software\\Sysinternals"
            $network_1 = "\\\\%s\\IPC$"
            $network_2 = "\\\\%s\\ADMIN$\\%s"
            $network_3 = "\\Device\\LanmanRedirector\\%s\\ipc$"
            $psexec_1 = "PSEXESVC"
            $psexec_2 = "PSEXEC-{}-"
            $psexec_3 = "Copying %s to %s..."
            $psexec_4 = "gPSINFSVC"
        condition:
            (
                ( uint16(0x0) == 0x5a4d )
                and
                ( uint16(uint32(0x3c)) == 0x4550 )
            )
            and
                filesize < 1024KB
            and
            (
                ( any of ($sysinternals_*) and any of ($psexec_*) )
                or
                ( 2 of ($network_*) and 2 of ($psexec_*) )
            )
    }

    The cybersecurity industry provides overlapping cyber threat intelligence, IOCs, and mitigation recommendations related to GRU unit 26165 cyber actors. While not all encompassing, the following are the most notable threat group names related under MITRE ATT&CK G0007 and commonly used within the cybersecurity community: 

    • APT28 [14]
    • Fancy Bear [14]
    • Forest Blizzard [14]
    • Blue Delta [15]

    Note: Cybersecurity companies have different methods of tracking and attributing cyber actors, and this may not be a 1:1 correlation to the U.S. government’s understanding for all activity related to these groupings.

    Further Reference

    To search for the presence of malicious email messages targeting CVE-2023-23397, network defenders may consider using the script published by Microsoft: https://aka.ms/CVE-2023-23397ScriptDoc. 

    For the Impacket TTP, network defenders may consider using the following publicly available Impacket YARA detection rule:
    https://github.com/Neo23x0/signature-base/blob/master/yara/gen_impacket_tools.yar

    Works Cited

    [1] Microsoft. Defending Ukraine: Early Lessons from the Cyber War. 2022. https://blogs.microsoft.com/on-the-issues/2022/06/22/defending-ukraine-early-lessons-from-the-cyber-war/
    [2] FBI et al. Russian Cyber Actors Use Compromised Routers to Facilitate Cyber Operations. 2024. https://media.defense.gov/2024/Feb/27/2003400753/-1/-1/0/CSA-Russian-Actors-Use-Routers-Facilitate-Cyber_Operations.PDF
    [3] NSA et al. Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. 2021. https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/0/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF
    [4] ANSSI. Campagnes d'attaques du mode opératoire APT28 depuis 2021. 2023. https://cert.ssi.gouv.fr/cti/CERTFR-2023-CTI-009/
    [5] ANSSI. Targeting and compromise of French entities using the APT28 intrusion set. 2025. https://cert.ssi.gouv.fr/cti/CERTFR-2025-CTI-007/
    [6] Polish Cyber Command. Detecting Malicious Activity Against Microsoft Exchange Servers. 2023. https://www.wojsko-polskie.pl/woc/articles/aktualnosci-w/detecting-malicious-activity-against-microsoft-exchange-servers/
    [7] IBM. Israel-Hamas Conflict Lures to Deliver Headlace Malware. 2023. https://securityintelligence.com/x-force/itg05-ops-leverage-israel-hamas-conflict-lures-to-deliver-headlace-malware/
    [8] CERT-UA. APT28: From Initial Attack to Creating Domain Controller Threats in an Hour. 2023. https://cert.gov.ua/article/6276894
    [9] NSA. Embracing a Zero Trust Security Model. 2021. https://media.defense.gov/2021/Feb/25/2002588479/-1/-1/0/CSI_EMBRACING_ZT_SECURITY_MODEL_UOO115131-21.PDF
    [10] NSA et al. Keeping PowerShell: Security Measures to Use and Embrace. 2022. https://media.defense.gov/2022/Jun/22/2003021689/-1/-1/0/CSI_KEEPING_POWERSHELL_SECURITY_MEASURES_TO_USE_AND_EMBRACE_20220622.PDF
    [11] National Institute of Standards and Technology (NIST). Special Publication 800-63B: Digital Identity Guidelines – Authentication and Lifecycle Management. 2020. https://pages.nist.gov/800-63-3/sp800-63b.html
    [12] NSA. Selecting Secure Multi-factor Authentication Solutions. October 16, 2020. https://media.defense.gov/2024/Jul/31/2003515137/-1/-1/0/MULTIFACTOR_AUTHENTICATION_SOLUTIONS_UOO17091520.PDF
    [13] NSA and CISA. NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations. 2023. https://media.defense.gov/2023/Oct/05/2003314578/-1/-1/0/JOINT_CSA_TOP_TEN_MISCONFIGURATIONS_TLP-CLEAR.PDF
    [14] Department of Justice. Justice Department Conducts Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU). 2024. https://www.justice.gov/archives/opa/pr/justice-department-conducts-court-authorized-disruption-botnet-controlled-russian
    [15] Recorded Future. GRU’s BlueDelta Targets Key Networks in Europe with Multi-Phase Espionage Campaigns. 2024. https://go.recordedfuture.com/hubfs/reports/CTA-RU-2024-0530.pdf

    Disclaimer of endorsement

    The information and opinions contained in this document are provided "as is" and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.

    Purpose

    This document was developed in furtherance of the authoring agencies’ cybersecurity missions, including their responsibilities to identify and disseminate threats and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.

    Contact

    United States organizations

    • National Security Agency (NSA)
    • Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI)
      • U.S. organizations are encouraged to report suspicious or criminal activity related to information in this advisory to CISA via the agency’s Incident Reporting System, its 24/7 Operations Center (report@cisa.gov or 888-282-0870), or your local FBI field office. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.
    • Department of Defense Cyber Crime Center (DC3)

    United Kingdom organizations

    Germany organizations

    Czech Republic organizations

    Poland organizations

    Australian organizations

    • Visit cyber.gov.au or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and access alerts and advisories.

    Canadian organizations

    Estonia organizations

    French organizations

    • French organizations are encouraged to report suspicious activity or incident related to information found in this advisory by contacting ANSSI/CERT-FR by email at cert-fr@ssi.gouv.fr or by phone at: 3218 or +33 9 70 83 32 18. 

    See Table 2 through Table 14 for all the threat actor tactics and techniques referenced in this advisory.

    Table 2: Reconnaissance
    Tactic/Technique Title ID Use
    Reconnaissance TA0043 Conducted reconnaissance on at least one entity involved in the production of ICS components for railway management.
    Gather Victim Identity Information: Email Addresses T1589.002 Conducted contact information reconnaissance to identify additional targets in key positions.
    Gather Victim Org Information T1591 Conducted reconnaissance of the cybersecurity department.
    Gather Victim Org Information: Identify Roles T1591.004 Conducted reconnaissance of individuals responsible for coordinating transport.
    Gather Victim Org Information: Business Relationships T1591.002 Conducted reconnaissance of other companies cooperating with the victim entity.
    Gather Victim Host Information T1592 Attempted to enumerate Real Time Streaming Protocol (RTSP) servers hosting IP cameras.
    Table 3: Resource development
    Tactic/Technique Title ID Use
    Compromise Accounts: Email Accounts T1586.002 Sent phishing emails using compromised accounts.
    Compromise Accounts: Cloud Accounts T1586.003 Sent phishing emails using compromised accounts.
    Table 4: Initial Access
    Tactic/Technique Title ID Use
    Trusted Relationship T1199 Conducted follow-on targeting of additional entities in the transportation sector that had business ties to the primary target, exploiting trust relationships to attempt to gain additional access.
    Phishing T1566 Used spearphishing for credentials and delivering malware to gain initial access to targeted entities.
    Phishing: Spearphishing Attachment T1566.001 Sent emails with malicious attachments.
    Phishing: Spearphishing Link T1566.002 Used spearphishing with included links to fake login pages. Sent emails with embedded hyperlinks that downloaded a malicious archive.
    Phishing: Spearphishing Voice T1566.004 Attempted to use voice phishing to gain access to privileged accounts by impersonating IT staff.
    External Remote Services T1133 Exploited Internet-facing infrastructure, including corporate VPNs, to gain initial access to targeted entities.
    Exploit Public-Facing Application T1190 Exploited public vulnerabilities and SQL injection to gain initial access to targeted entities.
    Content Injection T1659 Leveraged a WinRAR vulnerability allowing for the execution of arbitrary code embedded in an archive.
    Table 5: Execution
    Tactic/Technique Title ID Use
    User Execution: Malicious Link T1204.001 Used malicious links to hosted shortcuts in spearphishing.
    User Execution: Malicious File T1204.002 Delivered malware executables via spearphishing.
    Scheduled Task/Job: Scheduled Task T1053.005 Used scheduled tasks to establish persistence.
    Command and Scripting Interpreter T1059 Delivered scripts in spearphishing. Executed arbitrary shell commands.
    Command and Scripting Interpreter: PowerShell T1059.001 PowerShell commands were often used to prepare data for exfiltration.
    Command and Scripting Interpreter: Windows Command Shell T1059.003 Used BAT script in spearphishing.
    Command and Scripting Interpreter: Visual Basic T1059.005 Used VBScript in spearphishing.
    Command and Scripting Interpreter: Python T1059.006 Installed Python on infected machines to enable the execution of Certipy.
    Table 6: Persistence
    Tactic/Technique Title ID Use
    Account Manipulation: Additional Email Delegate Permissions T1098.002 Used manipulation of mailbox permissions to establish sustained email collection.
    Modify Authentication Process: Multi-Factor Authentication T1556.006 Enrolled compromised accounts in MFA mechanisms to increase the trust-level of compromised accounts and enable sustained access.
    Hijack Execution Flow: DLL Search Order Hijacking T1574.001 Used DLL search order hijacking to facilitate malware execution.
    Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder T1547.001 Used run keys to establish persistence.
    Boot or Logon Autostart Execution: Shortcut Modification T1547.009 Placed malicious shortcuts in the startup folder to establish persistence.
    Table 7: Defense Evasion
    Tactic/Technique Title ID Use
    Indicator Removal: Clear Windows Event Logs T1070.001 Deleted event logs through the wevtutil utility.
    Table 8: Credential access 
    Tactic/Technique Title ID Use
    Brute Force Sent requests with Base64-encoded credentials for the RTSP server, which included publicly documented default credentials, and likely were generic attempts to brute force access to the devices.
    Brute Force: Password Guessing T1110.001 Used credential guessing to gain initial access to targeted entities.
    Brute Force: Password Spraying T1110.003 Used brute force to gain initial access to targeted entities. Conducted a brute force password spray via LDAP.
    Multi-Factor Authentication Interception Used multi-stage redirectors to provide MFA relaying capabilities in some campaigns.
    Input Capture Used multi-stage redirectors to provide CAPTCHA relaying capabilities in some campaigns.
    Forced Authentication Used an Outlook NTLM vulnerability to collect NTLM hashes and credentials via specially crafted Outlook calendar appointment invitations.
    OS Credential Dumping: NTDS T1003.003 Attempted to dump Active Directory NTDS.dit domain databases.
    Unsecured Credentials: Group Policy Preferences T1552.006 Retrieved plaintext passwords via Group Policy Preferences using Get-GPPPassword.py.

    Table 9: Discovery
    Tactic/Technique Title ID Use
    Account Discovery: Domain Account T1087.002 Used a modified ldap-dump.py to enumerate the Windows environment.

    Table 10: Command and Control
    Tactic/Technique Title ID Use
    Hide Infrastructure T1665 Abused SOHO devices to facilitate covert cyber operations, as well as proxy malicious activity, via devices with geolocation in proximity to the target.
    Proxy: External Proxy T1090.002 Actor-controlled servers sent RTSP DESCRIBE requests destined for RTSP servers.
    Proxy: Multi-hop Proxy T1090.003 Used Tor and commercial VPNs as part of their anonymization infrastructure.
    Encrypted Channel T1573 Connected to victim infrastructure using encrypted TLS.
    Multi-Stage Channels T1104 Used multi-stage redirectors for campaigns.

    Table 11: Defense evasion (mobile framework)
    Tactic/Technique Title ID Use
    Execution Guardrails Used multi-stage redirectors to verify browser fingerprints in some campaigns.
    Execution Guardrails: Geofencing T1627.001 Used multi-stage redirectors to verify IP-geolocation in some campaigns.

    Table 12: Lateral movement
    Tactic/Technique Title ID Use
    Lateral Movement Used native commands and open source tools, such as Impacket and PsExec, to move laterally within the environment.
    Remote Services: Remote Desktop Protocol T1021.001 Moved laterally within the network using RDP.

    Table 13: Collection
    Tactic/Technique Title | ID | Use
    Email Collection | | Retrieved sensitive data from email servers.
    Email Collection: Remote Email Collection | T1114.002 | Used server data exchange protocols and APIs such as Exchange Web Services (EWS) and IMAP to exfiltrate data from email servers.
    Automated Collection | | Used periodic EWS queries to collect new emails.
    Video Capture | | Attempted to gain access to the cameras’ feeds.
    Archive Collected Data | | Accessed files were archived in .zip files prior to exfiltration.
    Archive Collected Data: Archive via Utility | T1560.001 | Prepared zip archives for upload to the actors’ infrastructure.

    Table 14: Exfiltration
    Tactic/Technique Title | ID | Use
    Exfiltration Over Alternative Protocol | | Attempted to exfiltrate archived data via a previously dropped OpenSSH binary.
    Scheduled Transfer | | Used periodic EWS queries to collect new emails sent and received since the last data exfiltration.
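    Tables 13 and 14 describe periodic EWS queries that pick up the mail sent and received since the last collection. The following Python script is an added example, not code from the advisory: it reads IIS W3C log lines for the EWS endpoint, groups requests per client address and user, and flags addresses outside the organisation whose request gaps are near-constant, the signature of a timer-driven poller. The log lines, the corporate address ranges and the thresholds are all constructed for the example.

```python
"""Flag periodic Exchange Web Services (EWS) polling in IIS W3C logs.

Added example, not code from the advisory.  A client that requests the EWS
endpoint at a near-constant interval from an address outside the organisation
matches the 'periodic EWS queries' behaviour in the Collection and Exfiltration
tables.  Log lines, address ranges and thresholds are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed corporate ranges
EWS_PATH = "/ews/exchange.asmx"   # compared case-insensitively
MIN_REQUESTS = 6                  # enough gaps to judge regularity
MAX_JITTER = 0.10                 # pstdev/mean of the gaps; a timer-driven poller sits far below this

# Constructed sample.  Fields: date time cs-uri-stem c-ip cs-username cs(User-Agent)
SAMPLE_LOG = """\
#Fields: date time cs-uri-stem c-ip cs-username cs(User-Agent)
2024-03-04 00:00:02 /EWS/Exchange.asmx 203.0.113.7 CORP\\jdoe ExchangeServicesClient/15.00.0913.015
2024-03-04 00:10:01 /EWS/Exchange.asmx 203.0.113.7 CORP\\jdoe ExchangeServicesClient/15.00.0913.015
2024-03-04 00:20:03 /EWS/Exchange.asmx 203.0.113.7 CORP\\jdoe ExchangeServicesClient/15.00.0913.015
2024-03-04 00:30:02 /EWS/Exchange.asmx 203.0.113.7 CORP\\jdoe ExchangeServicesClient/15.00.0913.015
2024-03-04 00:40:01 /EWS/Exchange.asmx 203.0.113.7 CORP\\jdoe ExchangeServicesClient/15.00.0913.015
2024-03-04 00:50:02 /EWS/Exchange.asmx 203.0.113.7 CORP\\jdoe ExchangeServicesClient/15.00.0913.015
2024-03-04 01:00:03 /EWS/Exchange.asmx 203.0.113.7 CORP\\jdoe ExchangeServicesClient/15.00.0913.015
2024-03-04 01:10:01 /EWS/Exchange.asmx 203.0.113.7 CORP\\jdoe ExchangeServicesClient/15.00.0913.015
2024-03-04 08:01:10 /EWS/Exchange.asmx 10.20.30.40 CORP\\asmith Microsoft+Office/16.0
2024-03-04 08:31:12 /EWS/Exchange.asmx 10.20.30.40 CORP\\asmith Microsoft+Office/16.0
2024-03-04 09:01:09 /EWS/Exchange.asmx 10.20.30.40 CORP\\asmith Microsoft+Office/16.0
2024-03-04 09:31:11 /EWS/Exchange.asmx 10.20.30.40 CORP\\asmith Microsoft+Office/16.0
2024-03-04 10:01:10 /EWS/Exchange.asmx 10.20.30.40 CORP\\asmith Microsoft+Office/16.0
2024-03-04 10:31:12 /EWS/Exchange.asmx 10.20.30.40 CORP\\asmith Microsoft+Office/16.0
2024-03-04 08:14:55 /EWS/Exchange.asmx 198.51.100.4 CORP\\bwhite Microsoft+Office/16.0
2024-03-04 08:16:02 /EWS/Exchange.asmx 198.51.100.4 CORP\\bwhite Microsoft+Office/16.0
2024-03-04 11:47:30 /EWS/Exchange.asmx 198.51.100.4 CORP\\bwhite Microsoft+Office/16.0
2024-03-04 09:00:00 /owa/ 203.0.113.7 CORP\\jdoe Mozilla/5.0
"""


def parse_ews_requests(log_text):
    """Yield (timestamp, client_ip, user) for every request to the EWS endpoint."""
    for line in log_text.splitlines():
        if not line or line.startswith("#"):      # blank or W3C directive line
            continue
        parts = line.split(None, 5)
        if len(parts) < 5:
            continue                              # truncated line; nothing to correlate
        day, clock, uri, ip, user = parts[:5]
        if uri.lower() != EWS_PATH:
            continue
        yield datetime.fromisoformat(f"{day} {clock}"), ip, user


def is_internal(ip):
    """True when the client address falls inside an assumed corporate range."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_periodic_pollers(log_text):
    """Return one finding per external (ip, user) pair polling EWS on a steady timer."""
    sessions = defaultdict(list)
    for ts, ip, user in parse_ews_requests(log_text):
        sessions[(ip, user)].append(ts)
    findings = []
    for (ip, user), stamps in sessions.items():
        # Internal mail clients poll EWS legitimately; the interesting case is an
        # outside address doing it, with enough samples to measure regularity.
        if len(stamps) < MIN_REQUESTS or is_internal(ip):
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else float("inf")
        if jitter <= MAX_JITTER:
            findings.append({"client_ip": ip, "user": user, "requests": len(stamps),
                             "interval_s": round(avg), "jitter": round(jitter, 3)})
    return findings


if __name__ == "__main__":
    for f in find_periodic_pollers(SAMPLE_LOG):
        print(f"{f['client_ip']} {f['user']}: {f['requests']} EWS requests every "
              f"~{f['interval_s']}s (jitter {f['jitter']})")
```

    In the constructed sample only the 203.0.113.7 client is reported: the internal 10.20.30.40 client polls just as regularly but is excluded by address, and the 198.51.100.4 client has too few, irregular requests.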

    Appendix B: CVEs exploited

    Table 15: Exploited CVE information
    CVE | Vendor/Product | Details
    CVE-2023-38831 | RARLAB WinRAR | Allows execution of arbitrary code when a user attempts to view a benign file within a ZIP archive.
    CVE-2023-23397 | Microsoft Outlook | External actors could send specially crafted emails that cause a connection from the victim to an untrusted location under the actor’s control, leaking the victim’s Net-NTLMv2 hash, which the actor could then relay to another service to authenticate as the victim.
    CVE-2021-44026 | Roundcube Webmail | Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search params.
    CVE-2020-35730 | Roundcube Webmail | An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10, where a plaintext email message with JavaScript in a link reference element is mishandled by linkref_addindex in rcube_string_replacer.php.
    CVE-2020-12641 | Roundcube Webmail | Roundcube Webmail before 1.4.4 allows arbitrary code execution via shell metacharacters in a configuration setting for im_convert_path or im_identify_path in rcube_image.php.

    Appendix C: MITRE D3FEND Countermeasures

    Table 16: MITRE D3FEND countermeasures
    Countermeasure Title | ID | Details
    Network Isolation | | Employ appropriate network segmentation. Disable Universal Plug and Play (UPnP), Peer-to-Peer (P2P), and Anonymous Visit features on IP cameras and routers.
    Access Mediation | | Limit access and use additional attributes (such as device information, environment, and access path) when making access decisions. Configure access controls carefully to ensure that only well-maintained and well-authenticated accounts have access.
    Inbound Traffic Filtering | | Implement host firewall rules that block connections from other devices on the network, other than authorized management devices and servers, to prevent lateral movement.
    Resource Access Pattern Analysis | | Use automated tools to audit access logs for security concerns and identify anomalous access requests.
    Outbound Traffic Filtering | | Block NTLM/SMB requests to external infrastructure.
    Platform Monitoring | | Install EDR/logging/cybersecurity solutions on high-value systems holding large amounts of sensitive data, such as mail servers and domain controllers.
    System File Analysis | | Collect and monitor Windows logs for certain events, especially events indicating that a log was cleared unexpectedly.
    Application Hardening | | Enable optional security features in Windows to harden endpoints and mitigate initial access techniques.
    Application-based Process Isolation | | Enable attack surface reduction rules to prevent executable content from email.
    Executable Allowlisting | | Enable attack surface reduction rules to prevent execution of files from globally writable directories, such as Downloads or %APPDATA%.
    Execution Isolation | | Unless users are involved in the development of scripts, limit the execution of scripts (such as batch, JavaScript, and PowerShell) to known scripts.
    Application Configuration Hardening | | Disable Windows Script Host functionality and configure PowerShell to run in Constrained Language mode. Disable protocols that use weak authentication (e.g., clear-text passwords, or outdated and vulnerable authentication or encryption protocols) or do not support multi-factor authentication. Turn off other ports/services not in use (e.g., FTP, web interface, etc.).
    Process Spawn Analysis | | Use open source SIGMA rules as a baseline for detecting and alerting on suspicious file execution or command parameters.
    URL Reputation Analysis | | Use services that provide enhanced browsing protection and safe link checking.
    Network Access Mediation | | Do not allow incoming traffic, especially logins to systems, from public VPN services. Where possible, logins from public VPNs, including exit nodes in the same country as target systems, should be blocked or, if allowed, alerted on for further investigation. Ensure cameras and other Internet of Things devices are protected by a security appliance, if possible.
    DNS Denylisting | D3-DNSDL | Do not allow outgoing traffic to hosting and API mocking services frequently used by malicious actors.
    Domain Name Reputation Analysis | | Heuristic detections for web requests to new subdomains may uncover malicious phishing activity. Logging the requests for each subdomain requested by users on a network, such as in DNS or firewall logs, may enable system administrators to identify new targeting and victims.
    Multi-factor Authentication | | Use MFA with strong factors and require regular re-authentication, especially for management accounts.
    Job Function Access Pattern Analysis | D3-JFAPA | Implement other mitigations for privileged accounts, including limiting the number of admin accounts, considering hardware MFA tokens, and regularly reviewing all privileged user accounts.
    User Account Permissions | | Separate privileged accounts by role and alert on misuse of privileged accounts. Audit user accounts on all devices to ensure they accurately reflect your organization and are being used as expected.
    Token-based Authentication | | Reduce reliance on passwords; instead, consider using services like single sign-on.
    Credential Hardening | | Do not store passwords in Group Policy Preferences (GPP). Remove all passwords previously included in GPP and change all passwords on the corresponding accounts.
    Authentication Event Thresholding | | Use account throttling or account lockout. Throttling progressively increases the time delay between successive login attempts. If using account lockout, allow between 5 and 10 attempts before lockout.
    Strong Password Policy | | Use a service to check for compromised passwords before using them.
    Credential Rotation | | Change all default credentials.
    Encrypted Tunnels | | Disable protocols that use weak authentication (e.g., clear-text passwords, or outdated and vulnerable authentication or encryption protocols). Use a VPN for remote connections to devices.
    Software Update | | Apply security patches and firmware updates to all devices. Ensure devices are currently supported. Replace devices that are end-of-life.
    Agent Authentication | | Ensure authentication is enabled for remote access to devices. If supported on IP cameras, enable authenticated RTSP access only.
    User Behavior Analysis | | Review all authentication activity for remote access to make sure it is valid and expected. Investigate any unexpected or unusual activity.
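    The Credential Hardening row asks for passwords to be removed from Group Policy Preferences; the Get-GPPPassword.py row in the credential-access table is the reason. The following Python audit is an added example, not code from the advisory or from any tool it names: it walks a SYSVOL-style directory tree, reports every preference item that still carries a non-empty cpassword attribute (the item to delete and the account to rotate), and decrypts nothing. The directory layout, the {GUID-n} folder names and the PLACEHOLDER_ blobs are constructed; real preference files also carry clsid and uid attributes, omitted here because the audit does not need them.

```python
"""Audit Group Policy Preferences XML under a SYSVOL-style tree for stored cpassword values.

Added example, not code from the advisory.  It reports every preference item that
still carries a non-empty cpassword attribute so the item can be removed and the
account's password rotated; nothing is decrypted.  Paths, '{GUID-n}' folder names
and 'PLACEHOLDER_' blobs are constructed for the example.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# Preference files that can carry cpassword, and the attributes they use to name the account.
GPP_FILES = {"Groups.xml", "ScheduledTasks.xml", "Services.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}
ACCOUNT_ATTRS = ("userName", "runAs", "accountName", "username")


def find_gpp_passwords(sysvol_root):
    """Return one finding per element that still stores a non-empty cpassword."""
    findings = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for name in files:
            if name not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, sysvol_root)
            try:
                tree = ET.parse(path)
            except ET.ParseError:
                findings.append({"file": rel, "tag": None, "account": None,
                                 "note": "unparseable preference file; review manually"})
                continue
            for elem in tree.iter():
                if not elem.attrib.get("cpassword"):   # absent or empty: no password stored
                    continue
                account = next((elem.attrib[a] for a in ACCOUNT_ATTRS if a in elem.attrib), "")
                findings.append({"file": rel, "tag": elem.tag, "account": account,
                                 "note": "cpassword present; remove it and rotate the account"})
    return findings


# Constructed sample tree: two items with a stored password, one without.
SAMPLE_FILES = {
    "corp.example/Policies/{GUID-1}/Machine/Preferences/Groups/Groups.xml": """\
<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="LocalAdmin" image="2">
    <Properties action="U" userName="LocalAdmin" cpassword="PLACEHOLDER_ENCRYPTED_BLOB_1"
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"/>
  </User>
</Groups>
""",
    # Empty cpassword: the task runs as SYSTEM and no secret is stored, so it is not reported.
    "corp.example/Policies/{GUID-2}/Machine/Preferences/ScheduledTasks/ScheduledTasks.xml": """\
<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks>
  <Task name="Cleanup">
    <Properties action="C" runAs="NT AUTHORITY\\SYSTEM" cpassword="" name="Cleanup"/>
  </Task>
</ScheduledTasks>
""",
    "corp.example/Policies/{GUID-3}/User/Preferences/Drives/Drives.xml": """\
<?xml version="1.0" encoding="utf-8"?>
<Drives>
  <Drive name="S:">
    <Properties action="U" path="\\\\files\\share" userName="corp\\svc_share"
                cpassword="PLACEHOLDER_ENCRYPTED_BLOB_2"/>
  </Drive>
</Drives>
""",
}


def build_sample_sysvol(root):
    """Write the constructed preference files under root, mimicking a SYSVOL layout."""
    for rel, body in SAMPLE_FILES.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)


def run_demo():
    """Build the sample tree in a temporary directory and audit it; return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_sysvol(root)
        return find_gpp_passwords(root)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['file']}: <{f['tag']}> account={f['account']!r}  {f['note']}")
```

    Pointed at a real domain's SYSVOL share instead of the sample tree, find_gpp_passwords lists the files to clean up; the accounts it names should have their passwords changed after the items are removed, as the countermeasure row states.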


  • MIL-OSI United Nations: Experts of the Committee on the Rights of the Child Commend Romania on Deinstitutionalisation Process, Raise Questions on Corporal Punishment and Segregation in Education

    Source: United Nations – Geneva

    The Committee on the Rights of the Child today concluded its review of the combined sixth and seventh periodic reports of Romania, with Committee Experts commending the State on the deinstitutionalisation process of alternative care centres, while raising questions on the prevalence of corporal punishment and measures taken to combat segregation in education. 

    A Committee Expert said she was happy to hear about the programme for the deinstitutionalisation of alternative care centres; this was something Romania should be proud of, as well as all the foster arrangements being made, especially for children with disabilities. 

    Juliana Scerri Ferrante, Committee Expert and Country Taskforce Member, said there seemed to be a lack of parental education programmes around corporal punishment. How could the views of the child be respected if violence was accepted as a disciplinary measure?  Could the Romanian Government take clear steps to train staff and promote child education?  Philip Jaffe, Committee Vice-Chair and Country Taskforce Member, also noted that corporal punishment appeared to remain quite widespread despite being banned in 2004.  What efforts were being made to lower the prevalence and change attitudes among parents and adults? 

    Mr. Jaffe asked what was being done to combat school segregation based on disability, special education needs, and family economic status?  What improvements were being made to increase the improvement of vocational training for older children who may be leaving the school system?  Were there any programmes which specifically targeted economically disadvantaged children?

    The delegation said Romanian legislation completely prohibited violence against children, regardless of the environment.  However, despite the legislation, which was fully aligned with United Nations Conventions, the State needed to fight against mentalities and traditions and to practically change the minds of parents and caregivers, who believed corporal punishment would discipline children better.  Awareness-raising campaigns were being conducted for parents, and mechanisms including hotlines had been developed to support children, including the helpline 119.  Authorities were obligated to launch investigations immediately concerning any allegations of violence against children. 

    The delegation said the Ministry of Education had taken steps to assist children with special educational needs, with the creation of frameworks offering them different kinds of support, based on the type of disability.  Adaptive measures had been taken for Roma children, including stimulating their participation in early education and in summer kindergartens, supporting education in their current language, and translating schoolbooks in their mother tongue, among others.  An increasing number of contracts between schools and the business sector had been recorded, including around 6,000 contracts in the school year 2023/2024. 

    Introducing the report, Helena Omna-Raicu, President of the National Authority for the Protection of Child Rights and Adoption of Romania and head of the delegation, said Romania’s path in recent years had been shaped by profound changes and emerging pressures, including the war in Ukraine and the arrival of thousands of children and families fleeing conflict.  As a neighbouring country, Romania had mobilised rapidly to provide emergency care, protection, psychosocial support, and schooling to children regardless of their nationality. 

    Ms. Omna-Raicu said Romania had made significant progress in certain areas, including in the deinstitutionalisation process.  Of the 167 residential placement centres operating in 2017, 149 had already been closed by the end of March 2025 and over 6,000 children were now benefiting from family-type alternative care.  The remaining 18 placement centres would be closed soon. 

    In closing remarks, Rinchen Chophel, Committee Expert and Country Taskforce Coordinator, reiterated the Committee’s appreciation for the Government of Romania’s support to Ukrainian refugees, particularly children.  Significant progress had been made from the last reporting period to the current one, with many looking forward beyond the dialogue. 

    In her closing remarks, Ms. Omna-Raicu, expressed deep gratitude for the dialogue.  The Committee’s concerns regarding urban disparities were noted.  Romania would treat the Committee’s recommendations as an opportunity for deeper transformation. 


    The delegation of Romania was comprised of representatives from the National Authority for the Protection of Child Rights and Adoption; the Ministry of Education and Research; the Ministry of Justice; the Ministry of Health; the Ministry of Labour, Family, Youth and Social Security; the Ministry of Foreign Affairs; the General Inspectorate of the Romanian Police; the General Inspectorate for Immigration; the National Administration of Penitentiaries; the Prosecutor’s Office; the National Health Insurance Authority; and the Permanent Mission of Romania to the United Nations Office at Geneva. 

    Summaries of the public meetings of the Committee can be found here, while webcasts of the public meetings can be found here. The programme of work of the Committee’s ninety-ninth session and other documents related to the session can be found here.

    The Committee will next meet in public at 3 p.m. on Wednesday, 21 May to begin its consideration of the combined fifth and sixth periodic reports of Qatar (CRC/C/QAT/5-6).

    Report

    The Committee has before it the combined sixth and seventh periodic reports of Romania (CRC/C/ROU/6-7).

    Presentation of Report

    HELENA OMNA-RAICU, President of the National Authority for the Protection of Child Rights and Adoption of Romania and head of the delegation, said Romania’s path in recent years had been shaped by profound changes and emerging pressures, including the war in Ukraine and the arrival of thousands of children and families fleeing conflict.  As a neighbouring country, Romania had mobilised rapidly to provide emergency care, protection, psychosocial support, and schooling to children regardless of their nationality.  The State was proud to have established the first Blue Dot in the region at the border crossing with Ukraine and launched the use of the Child Protection Information Management System Primero in only a couple of months after the onset of the refugee crisis, ensuring registration and case management for almost 40,000 refugee children.

    Several new national strategies had been developed for 2021-2027 which aimed to address child poverty and wellbeing, including the national strategy for the protection and promotion of children’s rights “protected children, safe Romania” 2023-2027, and the national strategy on social inclusion and poverty reduction 2022-2027, among others.   Romania had also adopted and begun the implementation of the child guarantee national action plan 2023-2030, which aimed to reduce the number of children at risk of poverty or social exclusion by at least 500,000 by 2030. Romania had seen a measurable decline in the proportion of children at risk of poverty and social exclusion from 41.5 per cent in 2022 to 33.8 per cent in 2024. 

    In April 2024, law 100/2024 was approved which included specific amendments to several laws relevant for social assistance.  The new emergency ordinance no. 96/2024, approved in June 2024 regarding the provision of humanitarian support and assistance by the Romanian State to foreign citizens or stateless persons in special situations coming from the area of the armed conflict in Ukraine, established the legal framework providing refugees with access to a wide range of key national statutory services. Another significant legislative change was enacted by amending law 272/2004 in December 2024, which now mandated the participation of children in public decision-making processes. 

    There had also been several significant programmes launched, including modernising the unique national number 119 for reporting cases of abuse, neglect, exploitation and any other form of violence against children; the development of community services for children and families to prevent separation and support the family reintegration of children from the special protection system; and the development of 200 integrated community centres and 150 daycare centres for children, among others.  Despite these advances, challenges remained, including disparities between rural and urban areas. 

    However, Romania had made significant progress in certain areas, including in the deinstitutionalisation process.  Of the 167 residential placement centres operating in 2017, 149 had already been closed by the end of March 2025 and over 6,000 children were now benefiting from family-type alternative care.  The remaining 18 placement centres would be closed soon.  The use of European Union structural funds had also supported the training of over 11,000 foster carers.  A new programme had also been introduced, aimed to scale-up integrated community-services in 2,000 marginalised rural communities, combining social assistance, health, education, and other types of social support.  Over 800 million euros of European Social Funds were planned for enhancing access to social services for the most vulnerable, including children and their families.

    The State had also expanded support for children at risk of early school leaving by using the early warning mechanism in education, of which around 50,000 participants from 6,950 institutions had completed the training programme.  Targeted policies had been developed that supported the reintegration of children who dropped out during the pandemic, and more resources were reaching schools in deprived communities.  In health, the role of community nurses and Roma health mediators had grown, and work continued to improve access to services for vulnerable groups. 

    Pilot projects on mental health for children had laid the groundwork for more systemic change, with mental health services for children and adolescents being expanded. However, challenges remained in ensuring equitable access to quality services in rural and marginalised areas, addressing shortages of specialised personnel, and improving early identification and intervention for children with developmental delays or disabilities.

    Romania was committed to reducing the number of children affected by poverty and social exclusion by at least 500,000.  The State would also pursue the complete closure of old-type residential centres, with every child in alternative care placed in family-based or community settings. Romania was committed to translating the pledges made during the first-ever global ministerial conference on ending violence against children held at the end of 2024 in Bogota, Colombia, into realities for children. 

    In education, the State aimed to increase the early childhood education enrolment rate by at least 22 per cent for children aged zero to three and at least 95 per cent for children aged four to six.  There would be a focus on improving mental health services for children and linking schools, families, and health providers more effectively, aiming to reduce preventable mortality by 20 per cent compared to 2021 levels for children of all ages.   Finally, Romania would ensure that children had a role in shaping systems through participatory budgeting, monitoring, and children and youth-led policy platforms. Romania remained committed to fully implementing the Convention and to contributing to the global effort to advance child rights everywhere.

    Questions by Committee Experts

    RINCHEN CHOPHEL, Committee Expert and Country Taskforce Coordinator, said Romania had achieved a lot since the last report, which the Committee was happy about. Romania’s assistance to the Ukrainian refugees and children should be noted.  There had been significant legislative achievements, particularly the amendments to law 272.  What measures were in place to ensure effective implementation of the law?  The national strategy on social inclusion and poverty reduction 2022-2027, and the child guarantee national action plan 2023-2030 were very welcome developments.  How had these impacted on measures to promote and protect children? Had an assessment been undertaken to evaluate the impact of the national strategy? 

    While welcoming increased allocations to certain sectors, the Coordinator asked what measures were in place to develop a child-friendly budgeting process?  What was the current status of the complaints mechanism in the country for reporting all forms of abuse and violence for children? What had been done to inform children of their right to file a complaint?  Had professionals working with children been trained on receiving complaints concerning children and the Convention? 

    The establishment of the child Ombudsman in 2018 was a crucial step in the right direction, and the Government should be congratulated for that.  What was the current status of the institution?  How did it connect with children?  The Committee noted the State party’s awareness raising activities on the Convention with appreciation, including the translation of the Committee’s general comments into Romanian.  How did these efforts extend to rural children? 

    JULIANA SCERRI FERRANTE, Committee Expert and Country Taskforce Member, asked if the national strategy for school de-segregation had been adopted?  If not, then when would this occur?  What measures had been taken to address hate speech? Did the permanent committee set up in every education unit offer a complaints mechanism to children?  If not, how could children complain in schools? 

    What had been done to decrease discrimination against the Roma population?  What efforts had been made to promote the inclusion of Roma in mainstream schooling?  How was discrimination against children with disabilities tackled in education?  There was concern that Romanian law did not define valid reasons on which minor marriages could be authorised and this was left to the discretion of the authorities.  What training was provided to apply the best interests of the child? What approaches had been taken to reduce the preventable mortality of children under five years old?  What was the position of the Romanian Government on the proposed amendment to law 272 regarding lesbian, gay, bisexual, transgender and intersex children?

    There seemed to be a lack of parental education programmes around corporal punishment. How could the views of the child be respected if violence was accepted as a disciplinary measure?  Could the Romanian Government take clear steps to train staff and promote child education?  How were child labour laws enforced?  How would the Romanian Government establish a child participation mechanism?  Were refugee and asylum-seeking children involved in decisions which affected them? Were children provided information on their rights? 

    What measures were being taken to strengthen the capacity of the social welfare services? How were children with disabilities prioritised in reform measures?  What was being done to combat the illicit transfer of children abroad?  Had bilateral agreements been conducted in this regard?  Was the Romanian Government carrying out measures to understand the impact of prison on children?  How were they supported when their parents were incarcerated?  What support was available for young people leaving institutional care? 

    SOPHIE KILADZE, Committee Chair and Country Taskforce Member, said the adoption of law 105/22 providing for automatic birth registration should be considered as positive.  Could more information be provided about how the law worked in practice?  Were there any plans to introduce a statelessness determination procedure?  Was data on statelessness which concerned children disaggregated?  What measures were in place to protect children from excessive screen use?  How did Romania deal with artificial intelligence as a European Union member? Romania had one of the lowest levels of digital skills in the European Union; what measures were being undertaken to promote digital literacy among children, as well as parents? 

    PHILIP JAFFE, Committee Vice-Chair and Country Taskforce Member, said it was wonderful that strong pledges had been made at the global ministerial conference on ending violence against children in Bogota.  How was Romania implementing its mission as a pathfinding global alliance country?  It seemed Romanian children were in need of protection against high levels of physical and sexual violence.  One of the pledges made in Bogota was to conduct a prevalence study on sexual abuse; had the State moved forward with this study?  Were there dedicated teams drawing up the comprehensive framework and strategy which had been promised?  One pledge had been to enhance children’s participation regarding issues of violence.  What efforts had the Government made to ensure that there was a clear public understanding that all forms of violence against children needed to be reported? 

    Corporal punishment appeared to remain quite widespread despite being banned in 2004. What efforts were made to lower the prevalence and change attitudes among parents and adults?  It was encouraging that Romania had been one of 40 countries to recently join a statement of the Human Rights Council, expressing children’s right to protection from corporal punishment.  How was bullying and cyber bullying being addressed at all levels of legislative policy?  Could more information about the child helplines be provided? 

    Was it true that around seven to eight per cent of girls in Romania were married before the age of 18, with that percentage rising to around 20 per cent in the Roma community? What was being done in response to this? Was it true that charges had been dropped against a 17-year-old boy who entered into a non-formal marriage with an 11-year-old girl?  What policy was in practice in the health sector regarding surgical interventions and intersex children?  What were the guidelines to protect their bodily integrity until these children were capable of providing consent? 

    Responses by the Delegation

    The delegation said the law on child protection now included clear provisions which made it compulsory for public administrative bodies to involve children in consultations regarding issues which concerned them.  The national strategy on children’s rights was recently adopted and another national action plan was elaborated; these plans were complementary. This was a comprehensive package which would help the Government to better implement all necessary measures. An assessment of the national strategy had been undertaken.  The State was now piloting a system which would indicate how to establish a model of financing where children would be considered as a different group that would benefit from a different budget. 

    The national programme for schooling in Romania ensured children received food support at schools to increase the enrolment rate and participation.  School supplies were also provided for all school grades. Two hundred euros were provided for the purchase of technology, and remedial lessons were provided to students coming from disadvantaged communities.  Recently, the scholarship system had been extended to encompass more disadvantaged groups. 

    Funds allocated to primary medical care had registered a continuous annual increase.  Just last year, the fund allocated to primary care increased by 24 per cent.  The national observatory was a big achievement for Romania and aimed to identify the children most at risk of being separated from their families, based on indicators.  Training was being conducted on the use of the observatory to ensure the data provided was reliable.   

    The hearing of minors in justice proceedings took place in special rooms, and a psychologist was always required to be present.  The new national strategy for the development of the judicial system provided for another 10 hearing rooms across the country.  There were specially designated prosecutors to handle cases involving minors.  The child Ombudsman was fully operational and cooperated with all institutions.  It had a functioning complaints mechanism.  If an incident was notified to the Ombudsman, an investigation started, which concluded with a set of recommendations sent to the institution responsible to correct the situation.  

    Civil society representatives were part of the consultative groups established at the national level.  A methodology had been issued and piloted regarding identifying and banning segregation within the educational sector.  The measures focused on ensuring an inclusive education.  Any kind of discrimination on criteria such as ethnicity, religion or sex was completely forbidden within the educational system.  Specific places in high schools were allocated for Roma students and students with disabilities.  To ensure access to high quality education, educational services had been developed starting from early education to prevent early dropout and absenteeism.     

    A set of programmes had been introduced, including a monthly allowance for children up to the age of 18, as well as parental leave.  There was also a minimum income support which supported families with children. Emergency ordinance no.96 was developed specifically for children from Ukraine and their families. 

    There was a dedicated intergovernmental group which addressed the subject of forced marriage, with the aim of drafting legislative projects in this regard.  Concerning infant mortality and the number of deaths under one year of age, a regionalised system of care had been introduced to ensure each neonate was born in a medical unit which could provide the services necessary for their care, thereby reducing infant mortality.  An important national programme was in place which contained around 15 interventions, established in partnership with the United Nations Children’s Fund.  Another programme provided 900 neonatal incubators around the country. 

    A significant number of services had been established to help families in vulnerable situations. A special programme was launched last year on the minimum inclusion income, which focused on how to assist parents within the labour market.  The State was aware of a lack of social assistance in rural areas, which was where the most vulnerable communities lived.  Interventions were directed, including food packages, and local administrative capacities would be developed. 

    A programme had been developed which aimed to establish hearing rooms for children in courts, and 29 hearing rooms were completed in April 2024.  The rooms were used by the Prosecutors and police officers when they had victims who were minors.  The rooms were child-friendly and specially designed with toys.  The child did not see the other people participating in the hearing.  A new strategy adopted in 2025 provided for the need for an additional 10 hearing rooms in the near future. 

    All social services were functioning based on a set of minimum quality standards, which were verified by the national agency for social inspection.   With the United Nations Children’s Fund, Romania was piloting a project which would identify and train foster families to care specifically for children with disabilities.  A child entering the special protection system was prioritised to be reintegrated in a family environment.  Adoption was considered the best solution in this regard, and this could only be decided by a court.  Priority was offered to domestic adoption, but international adoption could be considered after one year. 

    Amendments had been made to allow special spaces for visits in prison with children.  Such spaces were now available in all prison facilities within the Romanian penitentiary system.  There were cooperation protocols in place with the United Nations Children’s Fund and Save the Children which supported parents to develop their parental skills and improve their relationship with their children. The State was aware of the need to develop programmes which addressed the needs of children and adults and improved the relationship within the family.

    The Ministry of Education aimed to develop digital competencies among students and parents. During the pandemic, all students were provided with laptops and digital devices to keep up with the educational process.  In a new initiative launched in partnership with Microsoft, the Ministry of Education had announced the development of a project concerning artificial intelligence for increasing the school performance of students.  A project was also being implemented aimed at improving the digital skills of civil servants. 

    Romania had a dedicated national child help line.  It was toll-free and operational 24/7.  Those operating the calls were specialised counsellors who could refer the cases to the relevant authorities.  Another helpline just referred cases to social services.  The 119 helpline was a recent development, operational from any place in Romania and accessible to children and adults.  After the first year, it had been well received and was being regularly used to inform on any situation concerning a child. 

    Rape of a minor and sexual assault against a minor had been introduced as acts within the Criminal Code.  Rape committed by an adult against a minor under the age of 18 was punished by a prison sentence of between seven to 12 years.

    Questions by Committee Experts

    PHILIP JAFFE, Committee Vice-Chair and Country Taskforce Member, said one in 20 people in Romania held a disability certificate, with around 80,000 being children. What were the difficulties faced by certain groups of children to receive this certificate, including rural children?  Were there any awareness-raising campaigns for rural minorities and poor families regarding their entitlement to services?  Could more information be provided about Romania’s strategy for persons with disabilities?  How were the number and expertise of professionals being scaled up?  To what degree had the State embraced a human-rights approach to disability, as opposed to a medical model of disability?  How many children were still left in institutions? When would such institutions all be closed? 

    There were two recent laws on pre-university education and higher education; could more information be provided about the implementation of these laws?  What was the level of gross domestic product dedicated to education in Romania?  Was there a direct pipeline to hear about the concerns of children within the education system and were these concerns taken seriously?  What was being done to combat school segregation based on disability, special education needs, and family economic status?  Figures suggested that 40 per cent of children with disabilities had limited access to education.  What steps were being made to improve education for children under the age of three? What improvements were being made to vocational training for older children who may be leaving the school system?  Were there any programmes which specifically targeted economically disadvantaged children?  What was the mission of the Ministry of Youth? 

    SOPHIE KILADZE, Committee Chair and Country Taskforce Member, asked if sufficient resources were dedicated to the capacity building of medical personnel. Did all children have access to health care, including health insurance?  How were vaccinations promoted in the country?  How was breastfeeding promoted?  Child obesity was an issue of concern; how was this combatted? Was there a hot meals programme? 

    Mental health was a very important issue.  Was data on mental health being disaggregated, including on suicide?  Was there a comprehensive strategy and action plan regarding the issue of mental health?  Were quality mental health services available in rural and remote areas? According to alarming information, the country had the highest number of adolescent mothers across the European Union. What steps would the State undertake to prevent adolescent pregnancies and subsequent abortions?  Would Romania make reproductive education part of the curriculum? 

    What measures were in place to address drugs or substance abuse?  Were there treatments available for children?  Romania had made substantial efforts for Ukrainian children and other groups of refugees.  How would the State integrate these children long-term?  Were there delays in the enrolment of refugee children and their families into the social services system?  Would amendments be considered in the asylum law to end the detention of families at the legislative level?  Did unaccompanied migrant children have access to services, including psychosocial support and disability services?  Were there any barriers which could hinder access to education? 

    What measures were being undertaken to end child labour, including begging?  What was being done to assist children in street situations?  How were perpetrators investigated and brought to justice?  Were there quality services for child victims of trafficking in place? Was the system of child justice established across the country?  Were adequate financial resources allocated to it?  Was free legal aid available to children in conflict with the law?  Was the detention of children used only as a last resort?  If yes, did it comply with international standards? 

    RINCHEN CHOPHEL, Committee Expert and Country Taskforce Coordinator, said one in five children were affected by severe material and social deprivation, which was concerning.  What was the reality on the ground?  The minimum social assistance package had been introduced; could more information be provided on it?  Romania was increasingly vulnerable to droughts, heatwaves, floods and landslides, and it was also grappling with water pollution.  How had the national strategies pertaining to climate change helped to address the challenges of the environment and climate change in the country? What measures were being adopted to take into account children’s needs and views in the development of specific policies, including disaster-preparedness plans?  Were child rights impact assessments carried out when dealing with the business sector? 

    A Committee Expert asked what the national coverage of vaccinations was in the country.  Romania had an epidemic of measles; how did the population react to vaccinations?  How was confidence being built in vaccines?  Were people familiar with the law on rape?  What happened once the 30-day limit for registering births had elapsed? 

    Responses by the Delegation

    Romanian legislation completely prohibited violence against children, regardless of the environment.  However, despite the legislation, which was fully aligned with United Nations Conventions, the State needed to fight against mentalities and traditions and to practically change the minds of parents and caregivers, who believed corporal punishment would discipline children better.  Awareness-raising campaigns were being conducted for parents, and mechanisms including hotlines had been developed to support children, including the helpline 119. 

    Authorities were obligated to launch investigations immediately concerning any allegations of violence against children.  Romania was committed to continuing these efforts and to changing social norms and mentalities.  The number of cases of violence against children was increasing, which meant people were becoming more aware of the issue and reporting it. 

    Since 2016, the methodology applied in Romania clearly distinguished between the concept of disability and special education needs.  In Romania, the deinstitutionalisation process was one of the most important commitments of the Government, and the process was now concluding. Currently, out of the 167 residential centres operating in 2017, 149 had already been closed, and more than 6,000 children were benefiting from alternative care.  The legal framework stated that no placement centre could operate without the approved closure plan.  The deinstitutionalisation process also involved finding better alternative and family-based care for children.   Only 18 placement centres remained in the process of being closed, and by 2026 no such centre would be operating in Romania.  The State was still aiming to find family-style solutions for children with disabilities, and a project was being developed with the United Nations Children’s Fund to this end.

    If a birth was declared after the 30-day deadline but less than one year after the birth, the birth certificate could be issued based on approval from the mayor.  If the birth declaration was made more than one year after the birth, the certificate needed to be approved by the mayor and other administrative bodies. 

    More than 2.8 million students were enrolled in the 2023/2024 school year in Romania.  For high school, there had been a significant decrease in dropouts from 2.5 per cent in 2017 to 0.8 per cent in 2024. Around 4.5 per cent of the budget was allocated to education.  The Ministry of Education had taken steps to assist children with special educational needs, with the creation of frameworks offering them different kinds of support, based on the type of disability.  For students with temporary special needs, the law on education provided special measures, including schooling in hospitals, or schooling at home for those who were required to be in hospital or at home for medical reasons. 

    Adaptive measures had been taken for Roma children, including stimulating their participation in early education and in summer kindergartens, supporting education in their current language, and translating schoolbooks into their mother tongue, among others.  More than 66,000 teachers had been trained in digital and multimedia use.  An increasing number of contracts between schools and the business sector had been recorded, around 6,000 contracts in the school year 2023/2024.  Most teachers had been trained to create open educational resources.  Significant funds had been allocated to modernising rest room facilities in schools. 

    Any student could submit complaints of discrimination via an established framework.  Students benefitted from representation in the school system through several platforms.  The national strategy for sustainable development issued the methodology of the “green week programme”, which developed preschoolers’ and students’ understanding of basic concepts of climate change and encouraged them to take individual action to protect the environment.  Teachers were obliged to obtain 90 transferable professional credits every five years, through attending courses offered by Romanian training houses.

    In recent years, infant mortality had remained relatively stable in Romania.  From 2023 to 2024, the number of doctors treating children increased by five per cent.  Regarding children’s access to medical services, all children were insured in Romania and benefitted from basic medical services across all sectors of health care.  The national health insurance fund also reimbursed certain services.  The Ministry of Health had launched a vaccination campaign in partnership with the Red Cross, to raise awareness among parents; this had been accompanied by a “catch-up” vaccination schedule, resulting in 1,500 children being vaccinated.  A protocol had been signed with the Orthodox Church to establish an active partnership to create a framework offering support for anyone facing a possible cancer diagnosis.   

    World Breastfeeding Week was celebrated in August each year, as breastfeeding remained one of the most effective ways to provide children with the best start in life. Breastfeeding recommendations had been developed with partners, including the World Health Organization, and were relayed to medical practitioners at the local level.  Around 200 integrated community centres would be restructured, elevated and equipped.  A television broadcast had been created to promote the importance of breastfeeding in the first six months of a child’s life.   

    Information and education campaigns had been carried out for children, parents and teachers about the benefits of a healthy diet and the consequences of unhealthy eating. Around 1,000 people had benefited from the campaign.  Substance abuse could be detected by family doctors and psychological services could be recommended.  The national health insurance house implemented the national mental health programme, providing treatment for persons with substance abuses, and ensuring specific treatment for patients with depressive disorders. 

    Questions by Committee Experts 

    RINCHEN CHOPHEL, Committee Expert and Country Taskforce Coordinator, said the Government had approved a social assistance programme in 2011 which targeted all communes, but was underfinanced; could more information be provided?  The Environment Week presented was an excellent initiative; how was it being utilised? 

    JULIANA SCERRI FERRANTE, Committee Expert and Country Taskforce Member, asked if there were any supervision orders, where children remained with their family but were supervised.  Were there age assessment procedures during the asylum procedure?  What rights did children applying for asylum have?  Could they appeal any decisions? 

    PHILIP JAFFE, Committee Vice-Chair and Country Taskforce Member, said according to research by the United Nations Children’s Fund, Romanian girls felt much lonelier than Romanian boys.  Was there a reason for this gap? 

    SOPHIE KILADZE, Committee Chair and Country Taskforce Member, asked for clarification on case management coordination. 

    A Committee Expert noted the prevalence of women among the large delegation and asked if women generally had an important and high-profile position in Romania, or if this only occurred when discussing children.  Had there been any programmes to prevent violence?  Had the concept of gender been fully institutionalised? Were teachers trained in detecting signs of violence?  What was the prevalence of child marriage in the country?  What about figures for marriages which were not officially recorded? Had there been any programmes to prevent the phenomenon, or sanctions? 

    Was there any mapping of the at-risk populations in the country of female genital mutilation? Was female genital mutilation prohibited in law?  What was the most updated action on sexual exploitation?  Was there any cross-border cooperation between Romania and neighbouring countries?  Did Ukrainian children born in Romania have access to Romanian citizenship?  Did rape victims have access to emergency contraception?

    Another Expert asked about vaccinations for children aged zero to 12; was there distrust in the population when it came to vaccines?  It seemed that tuberculosis was a public health issue.  What was being done in the field of treatment? Were there children whose births had not been declared, particularly among refugees, Roma and migrants?

    A Committee Expert asked about the new concept introduced by the Parliament on parental alienation.  How had this concept been consulted on, particularly with children?  How would the best interests of the child be ensured? What specific measures were being taken to reduce school dropout and improve access to quality education for Roma children?  What mechanisms were in place to monitor and support Roma children who were at risk of dropping out? 

    Another Committee Expert said she was happy to hear about the programme for the deinstitutionalisation of alternative care centres; this was something Romania should be proud of, as well as all the foster arrangements being made, especially for children with disabilities.  What was the State doing to support the families of children with disabilities, particularly those with severe disabilities? 

    Responses by the Delegation 

    The delegation said emergency contraception was available to those who had experienced sexual assault and could be obtained without a prescription.  Adolescent pregnancies were a major concern for the Romanian public health system.  Contraceptives and medical devices were provided free of charge through family centres and through gynaecological departments, where abortions were performed upon request.  Romania was one of the first European countries to offer non-discriminatory HIV/AIDS treatment. 

    Refugees were granted a monthly allowance, one month’s accommodation, and access to education for minors.  Legislation in the field of asylum provided for beneficiaries to apply for family reunification when family members were not in Romania.  Identity documents needed to be provided to prove family links. Family reunification of unaccompanied minors was carried out with the best interest of the child in mind. Minors from immigrant backgrounds benefitted from the same rights as minors who were Romanian citizens. Romanian language courses provided teaching support, textbooks and workbooks developed for linguistic levels according to the European Union framework.  Priority for asylum applications was given to unaccompanied minors. 

    Medical forensic expertise was used when an asylum applicant could not prove their age and there were serious doubts about their ethnicity.  The declared age of the asylum applicant was accepted if their refusal to undergo the medical expertise was based on compelling reasons.  The assessment was performed with full respect for the minor’s dignity and in the least invasive way possible. 

    Investigations in child and human trafficking were undertaken by specialists with supervision from specialised prosecutors.  Through law 229/2024, the Romanian Parliament aimed to discourage sex tourism and the pimping of minors.  More than 1,200 criminal cases had been identified regarding child trafficking. The General Inspectorate of Romanian Police organised regular sessions for border police and non-governmental organizations, with the purpose of identifying victims.  More than 125 trainings had been carried out for over 4,000 workers who may encounter trafficking victims through their work. The National Agency against Trafficking in Persons and the Directorate for Investigating Organised Crime had implemented a national action plan in the fight against human trafficking to improve the awareness of at-risk groups. 

    In 2024, prosecutors from the Directorate for Investigating Organised Crime took part in 35 seminars regarding identifying child victims, compensation for victims, international cooperation, and online sexual exploitation of children, among other topics.  A public awareness campaign had been launched relating to sexual acts between adults and minors.  The message stated that a sexual act committed against a minor of 16 years or under constituted rape, if the age gap was more than five years, and punishments applied. 

    According to Romanian legislation, minors benefited from free legal aid, whether they committed a crime, or if they were victims of a crime.  The Romanian penal system limited sanctions in regard to minors, and measures for deprivation of liberty were only given as a last resort and could only be ordered by a court. 

    The integrated social services project aimed to develop the academic knowledge of professionals working in the social assistance field, and to develop concrete measures for vulnerable groups of people. 

    During “green week”, schools organised activities around several topics relating to the environment.  These were uploaded on a specialised platform dedicated to education on climate change and varied from one educational cycle to another.  The Ministry of Education had developed a programme, the mechanism of early-living alert, which focused on early education for Roma children. 

    In Romania, social services were obligated to identify children in a risk situation.  Children could remain within families and be monitored by social services until the risks were removed.  The parental alienation provision was introduced in all cases relating to violence and neglect.  It was recommended that this provision be removed, as these measures should only be applied by the courts.  There were many trainings offered to judges on methods relating to children’s rights.  Social workers were also trained to provide necessary assistance to visiting parents. Social services could only assist; they could not intervene and solve disputes between parents. 

    Closing Remarks

    RINCHEN CHOPHEL, Committee Expert and Country Taskforce Coordinator, reiterated the Committee’s appreciation for the Government of Romania’s support to Ukrainian refugees, particularly children.  The State was encouraged to continue to undertake these activities which were important for solidarity for children.  Significant progress had been made from the last reporting period to the current one, with many looking forward beyond the dialogue.  This was an indication of the Government’s commitment towards children.  As the country moved forward, it was important to put emphasis on implementation and ensure vulnerable children did not miss out. 

    HELENA OMNA-RAICU, President of the National Authority for the Protection of Child Rights and Adoption of Romania and head of the delegation, expressed deep gratitude for the dialogue.  The delegation welcomed the Committee’s emphasis on equality, accountability and sustainability, which would underpin the next stage of the State’s deinstitutionalisation journey.  The Committee’s concerns regarding urban disparities were noted.  It was recognised that rights delayed were rights denied, and the State was committed to accelerating affirmative action. Romania would treat the Committee’s recommendations as an opportunity for deeper transformation. 

    SOPHIE KILADZE, Committee Chair, thanked the delegation for the fruitful dialogue and commended its members for their clear and comprehensive answers.  Ms. Kiladze extended her best regards to the children of Romania. 

    ___________

    Produced by the United Nations Information Service in Geneva for use of the media; 
    not an official record. English and French versions of our releases are different as they are the product of two separate coverage teams that work independently.

    CRC25.013E

    MIL OSI United Nations News

  • MIL-OSI Europe: Answer to a written question – Operation of Pre-Removal Detention Centres in Albania and the impact on the EU – E-000070/2025(ASW)

    Source: European Parliament

    In general, it is possible for the EU and the Member States to cooperate with countries outside the EU in managing migration. This must be done in full respect of EU and international law.

    Based on the information available to the Commission, Italy’s initiative originally aimed at transferring certain categories of third-country nationals intercepted in the high seas to centres in Albania, under Italian jurisdiction, to examine their applications for international protection. In case of rejection of such applications, Italy would carry out return procedures from these centres.

    When Member States extend the application of national law implementing EU law to situations falling outside the scope of EU law, they must do it in a way that does not undermine or circumvent the application of harmonised rules or obligations under EU law.

    As per the latest available information, Italy is now using the centre for the purpose of detention of returnees, in the same way as it uses pre-removal centres in Italy, and therefore it is conducting procedures with the same requirements, time limits and guarantees as those performed in Italian territory.

    The Commission is following the implementation of the protocol and is in contact with the Italian authorities.

    Last updated: 21 May 2025

    MIL OSI Europe News

  • MIL-OSI Europe: Press release – Slovenian President Pirc Musar calls for European courage and solidarity

    Source: European Parliament

    Speaking to plenary on Wednesday, Slovenian President Nataša Pirc Musar highlighted challenges facing the EU, including the ongoing conflicts in Ukraine and the Middle East.

    Welcoming President Pirc Musar at a formal sitting, European Parliament President Roberta Metsola said: “Slovenia has helped to shape our Union, proving again and again that we work best when we work together. That is why it is so important that Slovenia and Europe remain united in our approach to the challenges ahead. Why our values matter. And why we will stand up for them.”

    Pirc Musar recalled the positive experience of Slovenia’s reforms and integration into the EU in 2004 and underscored her country’s support for future merit-based EU enlargement, in particular to the Western Balkans, Ukraine and Moldova. She stressed the need to enhance the efficiency, and financial and institutional capacities of the EU as a political community to welcome new members.

    On security and defence, President Pirc Musar called for greater strategic autonomy and increased societal resilience in the face of multiple crises. She stressed the EU’s responsibility to uphold the multilateral world order and the founding principles of the United Nations Charter.

    Regarding the situation in the Middle East, Pirc Musar called for more EU involvement and an end to hostilities in the West Bank and Gaza.

    Pirc Musar also underlined the importance of strengthening Europe’s global competitiveness to sustain the European social model. She advocated for continued investment in social justice, education, culture and high living standards for all EU citizens.

    You can watch her address again here.

    MIL OSI Europe News

  • MIL-OSI Russia: HSE students win gold medals at international mathematical Olympiad in Ashgabat

    Translation. Region: Russian Federal

    Source: State University Higher School of Economics

    The 5th Open Mathematical Olympiad for University Students (OMOUS-2025) was held in Ashgabat (Turkmenistan), bringing together teams from Turkmenistan, Uzbekistan, Indonesia, Iran, Romania, Poland, the United Arab Emirates, Russia and India. In total, about 500 students joined the event.

    Four undergraduate students of the Applied Mathematics and Computer Science programme at the HSE Faculty of Computer Science (FKN) took part in the competition: Vasily Silvestrov, Bogdan Butyrin, Daniil Soulnov and Anastasia Salimova, together with the team coach, Igor Vorontsov, an expert at the Center for Student Olympiads.

    The Olympiad consisted of two rounds: individual and team. The individual round lasted four hours, during which the participants were asked to solve six problems. In this round, the students of the Faculty of Computer Science showed excellent results, winning gold medals.

    The team round of the Olympiad took place the next day and lasted two hours, during which ten problems had to be solved. Here, the FKN team took second place, scoring 69 points out of 100.

    Vasily Silvestrov

    — While preparing with the problems of previous years, we understood that the Olympiad would not be easy, but that we had a good chance of winning gold medals. For me, this was the first international Olympiad, which added reasons to be nervous. We got a lot of points on the appeal. We prepared for it for two nights: we wrote alternative solutions and prepared criteria for them. Overall, it was an unforgettable experience: interesting culture, a beautiful city, delicious food. I would like to thank the organizers of the Olympiad for choosing and preparing the problems. We hope that next year, our university teams will also achieve excellent results.

    Text: Maria Vorontsova


    MIL OSI Russia News

  • MIL-OSI Security: Russian GRU Targeting Western Logistics Entities and Technology Companies

    Source: US Department of Homeland Security

    Executive Summary

    This joint cybersecurity advisory (CSA) highlights a Russian state-sponsored cyber campaign targeting Western logistics entities and technology companies. This includes those involved in the coordination, transport, and delivery of foreign assistance to Ukraine. Since 2022, Western logistics entities and IT companies have faced an elevated risk of targeting by the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (85th GTsSS), military unit 26165—tracked in the cybersecurity community under several names (see “Cybersecurity Industry Tracking”). The actors’ cyber espionage-oriented campaign, targeting technology companies and logistics entities, uses a mix of previously disclosed tactics, techniques, and procedures (TTPs). The authoring agencies expect similar targeting and TTP use to continue.

    Executives and network defenders at logistics entities and technology companies should recognize the elevated threat of unit 26165 targeting, increase monitoring and threat hunting for known TTPs and indicators of compromise (IOCs), and posture network defenses with a presumption of targeting.

    This cyber espionage-oriented campaign targeting logistics entities and technology companies uses a mix of previously disclosed TTPs and is likely connected to these actors’ wide scale targeting of IP cameras in Ukraine and bordering NATO nations.

    The following authors and co-sealers are releasing this CSA:

    • United States National Security Agency (NSA)
    • United States Federal Bureau of Investigation (FBI)
    • United Kingdom National Cyber Security Centre (NCSC-UK)
    • Germany Federal Intelligence Service (BND) Bundesnachrichtendienst
    • Germany Federal Office for Information Security (BSI) Bundesamt für Sicherheit in der Informationstechnik
    • Germany Federal Office for the Protection of the Constitution (BfV) Bundesamt für Verfassungsschutz
    • Czech Republic Military Intelligence (VZ)  Vojenské zpravodajství
    • Czech Republic National Cyber and Information Security Agency (NÚKIB) Národní úřad pro kybernetickou a informační bezpečnost
    • Czech Republic Security Information Service (BIS) Bezpečnostní informační služba
    • Poland Internal Security Agency (ABW) Agencja Bezpieczeństwa Wewnętrznego
    • Poland Military Counterintelligence Service (SKW) Służba Kontrwywiadu Wojskowego
    • United States Cybersecurity and Infrastructure Security Agency (CISA)
    • United States Department of Defense Cyber Crime Center (DC3)
    • United States Cyber Command (USCYBERCOM)
    • Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
    • Canadian Centre for Cyber Security (CCCS)
    • Danish Defence Intelligence Service (DDIS) Forsvarets Efterretningstjeneste
    • Estonian Foreign Intelligence Service (EFIS) Välisluureamet
    • Estonian National Cyber Security Centre (NCSC-EE) Küberturvalisuse keskus
    • French Cybersecurity Agency (ANSSI) Agence nationale de la sécurité des systèmes d’information
    • Netherlands Defence Intelligence and Security Service (MIVD) Militaire Inlichtingen- en Veiligheidsdienst

    Download the PDF version of this report:

    Russian GRU Targeting Western Logistics Entities and Technology Companies (PDF, 1,081KB)

    For a downloadable list of IOCs, visit:

    Introduction

    For over two years, the Russian GRU 85th GTsSS, military unit 26165—commonly known in the cybersecurity community as APT28, Fancy Bear, Forest Blizzard, BlueDelta, and a variety of other identifiers—has conducted this campaign using a mix of known tactics, techniques, and procedures (TTPs), including reconstituted password spraying capabilities, spearphishing, and modification of Microsoft Exchange mailbox permissions.
    In late February 2022, multiple Russian state-sponsored cyber actors increased the variety of cyber operations for purposes of espionage, destruction, and influence—with unit 26165 predominantly involved in espionage. [1] As Russian military forces failed to meet their military objectives and Western countries provided aid to support Ukraine’s territorial defense, unit 26165 expanded its targeting of logistics entities and technology companies involved in the delivery of aid. These actors have also targeted Internet-connected cameras at Ukrainian border crossings to monitor and track aid shipments.
    Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 17. See Appendix A: MITRE ATT&CK tactics and techniques for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques. This advisory uses the MITRE D3FEND® framework, version 1.0.

    Description of Targets

    The GRU unit 26165 cyber campaign against Western logistics providers and technology companies has targeted dozens of entities, including government organizations and private/commercial entities across virtually all transportation modes: air, sea, and rail. These actors have targeted entities associated with the following verticals within NATO member states, Ukraine, and at international organizations: 

    •  Defense Industry
    • Transportation and Transportation Hubs (ports, airports, etc.)
    • Maritime
    • Air Traffic Management
    • IT Services

    In the course of the targeting lifecycle, unit 26165 actors identified and conducted follow-on targeting of additional entities in the transportation sector that had business ties to the primary target, exploiting trust relationships to attempt to gain additional access [T1199].

    The actors also conducted reconnaissance on at least one entity involved in the production of industrial control system (ICS) components for railway management, though a successful compromise was not confirmed [TA0043].

    The countries with targeted entities include the following, as illustrated in Figure 1:

    • Bulgaria
    • Czech Republic
    • France
    • Germany
    • Greece
    • Italy
    • Moldova
    • Netherlands
    • Poland
    • Romania
    • Slovakia
    • Ukraine
    • United States
       
    Figure 1: Countries with Targeted Entities

    Initial Access TTPs

    To gain initial access to targeted entities, unit 26165 actors used several techniques, including (but not limited to):

    The actors abused vulnerabilities associated with a range of brands and models of small office/home office (SOHO) devices to facilitate covert cyber operations, as well as proxy malicious activity via devices with geolocation in proximity to the target [T1665]. [2]

    Credential Guessing/Brute Force

    Unit 26165 actors’ credential guessing [T1110.001] operations in this campaign exhibit some similar characteristics to those disclosed in the previous CSA “Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments.” [3] Based on victim network investigations, the current iteration of this TTP employs a similar blend of anonymization infrastructure, including the use of Tor and commercial VPNs [T1090.003]. The actors frequently rotated the IP addresses used to further hamper detection. All observed connections were made via encrypted TLS [T1573]. 

    Spearphishing

    GRU unit 26165 actors’ spearphishing emails included links [T1566.002] leading to fake login pages impersonating a variety of government entities and Western cloud email providers’ webpages. These webpages were typically hosted on free third-party services or compromised SOHO devices and often used legitimate documents associated with thematically similar entities as lures. The subjects of spearphishing emails were diverse and ranged from professional topics to adult themes. Phishing emails were frequently sent via compromised accounts or free webmail accounts [T1586.002, T1586.003]. The emails were typically written in the target’s native language and sent to a single targeted recipient. 

    Some campaigns employed multi-stage redirectors [T1104] verifying IP-geolocation [T1627.001] and browser fingerprints [T1627] to protect credential harvesting infrastructure or provide multifactor authentication (MFA) [T1111] and CAPTCHA relaying capabilities [T1056]. Connecting endpoints failing the location checks were redirected to a benign URL [T1627], such as msn.com. Redirector services used include:

    • Webhook[.]site
    • FrgeIO
    • InfinityFree
    • Dynu
    • Mocky
    • Pipedream
    • Mockbin[.]org

    The actors also used spearphishing to deliver malware (including HEADLACE and MASEPIE) executables [T1204.002] delivered via third-party services and redirectors [T1566.002], scripts in a mix of languages [T1059] (including BAT [T1059.003] and VBScript [T1059.005]) and links to hosted shortcuts [T1204.001].

    CVE Usage

    Throughout this campaign, GRU unit 26165 weaponized an Outlook NTLM vulnerability (CVE-2023-23397) to collect NTLM hashes and credentials via specially crafted Outlook calendar appointment invitations [T1187]. [4],[5] These actors also used a series of Roundcube CVEs (CVE-2020-12641, CVE-2020-35730, and CVE-2021-44026) to execute arbitrary shell commands [T1059], gain access to victim email accounts, and retrieve sensitive data from email servers [T1114].

    Since at least fall 2023, the actors leveraged a WinRAR vulnerability (CVE-2023-38831) allowing for the execution of arbitrary code embedded in an archive as a means of initial access [T1659]. The actors sent emails with malicious attachments [T1566.001] or embedded hyperlinks [T1566.002] that downloaded a malicious archive prepared using this CVE. 

    Post-Compromise TTPs

    After an initial compromise using one of the above techniques, unit 26165 actors conducted contact information reconnaissance to identify additional targets in key positions [T1589.002]. The actors also conducted reconnaissance of the cybersecurity department [T1591], individuals responsible for coordinating transport [T1591.004], and other companies cooperating with the victim entity [T1591.002].

    The actors used native commands and open source tools, such as Impacket and PsExec, to move laterally within the environment [TA0008]. Multiple Impacket scripts were used as .exe files, in addition to the python versions, depending on the victim environment. The actors also moved laterally within the network using Remote Desktop Protocol (RDP) [T1021.001] to access additional hosts and attempt to dump Active Directory NTDS.dit domain databases [T1003.003] using native Active Directory Domain Services commands, such as the command in Figure 2:

    C:\Windows\system32\ntdsutil.exe "activate instance ntds" ifm "create full C:\temp\[a-z]{3}" quit quit

    Figure 2: Example Active Directory Domain Services command

    Additionally, GRU unit 26165 actors used the tools Certipy and ADExplorer.exe to exfiltrate information from the Active Directory. The actors installed python [T1059.006] on infected machines to enable the execution of Certipy. Accessed files were archived in .zip files prior to exfiltration [T1560]. The actors attempted to exfiltrate archived data via a previously dropped OpenSSH binary [T1048].

    Incident response investigations revealed that the actors would take steps to locate and exfiltrate lists of Office 365 users and set up sustained email collection. The actors used manipulation of mailbox permissions [T1098.002] to establish sustained email collection at compromised logistics entities, as detailed in a Polish Cybercommand blog. [6]

    After initial authentication, unit 26165 actors would change accounts’ folder permissions and enroll compromised accounts in MFA mechanisms to increase the trust-level of compromised accounts and enable sustained access [T1556.006]. The actors leveraged python scripts to retrieve plaintext passwords via Group Policy Preferences [T1552.006] using Get-GPPPassword.py and a modified ldap-dump.py to enumerate the Windows environment [T1087.002] and conduct a brute force password spray [T1110.003] via Lightweight Directory Access Protocol (LDAP). The actors would additionally delete event logs through the wevtutil utility [T1070.001].

    After gaining initial access to the network, the actors pursued further access to accounts with access to sensitive information on shipments, such as train schedules and shipping manifests. These accounts contained information on aid shipments to Ukraine, including: 

    • sender,
    • recipient,
    • train/plane/ship numbers,
    • point of departure,
    • destination,
    • container registration numbers,
    • travel route, and
    • cargo contents. 

    In at least one instance, the actors attempted to use voice phishing [T1566.004] to gain access to privileged accounts by impersonating IT staff.

    Malware

    Unit 26165’s use of malware in this campaign ranged from gaining initial access to establishing persistence and exfiltrating data. In some cases, the attack chain resulted in multiple pieces of malware being deployed in succession. The actors used dynamic link library (DLL) search order hijacking [T1574.001] to facilitate malware execution. There were a number of known malware variants tied to this campaign against logistics sector victims, including:

    • HEADLACE [7]
    • MASEPIE [8]

    While other malware variants, such as OCEANMAP and STEELHOOK, [8] were not directly observed targeting logistics or IT entities, their deployment against victims in other sectors in Ukraine and other Western countries suggests that they could be deployed against logistics and IT entities should the need arise. 

    Persistence

    In addition to the abovementioned mailbox permissions abuse, unit 26165 actors also used scheduled tasks [T1053.005], run keys [T1547.001], and placed malicious shortcuts [T1547.009] in the startup folder to establish persistence. 

    Exfiltration

    GRU unit 26165 actors used a variety of methods for data exfiltration that varied based on the victim environment, including both malware and living off the land binaries. PowerShell commands [T1059.001] were often used to prepare data for exfiltration; for example, the actors prepared zip archives [T1560.001] for upload to their own infrastructure. 

    The actors also used server data exchange protocols and Application Programming Interfaces (APIs) such as Exchange Web Services (EWS) and Internet Message Access Protocol (IMAP) [T1114.002] to exfiltrate data from email servers. In multiple instances, the actors used periodic EWS queries [T1119] to collect new emails sent and received since the last data exfiltration [T1029]. The actors typically used infrastructure in close geographic proximity to the victim. Long gaps between exfiltration, the use of trusted and legitimate protocols, and the use of local infrastructure allowed for long-term collection of sensitive data to go undetected. 

    Connections to Targeting of IP Cameras

    In addition to targeting logistics entities, unit 26165 actors likely used access to private cameras at key locations, such as near border crossings, military installations, and rail stations, to track the movement of materials into Ukraine. The actors also used legitimate municipal services, such as traffic cams. 

    The actors targeted Real Time Streaming Protocol (RTSP) servers hosting IP cameras primarily located in Ukraine as early as March 2022 in a large-scale campaign, which included attempts to enumerate devices [T1592] and gain access to the cameras’ feeds [T1125]. Actor-controlled servers sent RTSP DESCRIBE requests destined for RTSP servers, primarily hosting IP cameras [T1090.002]. The DESCRIBE requests were crafted to obtain access to IP cameras located on logically distinct networks from that of the routers that received the request. The requests included Base64-encoded credentials for the RTSP server, which included publicly documented default credentials and likely generic attempts to brute force access to the devices [T1110]. An example of an RTSP request is shown in Figure 3.

    DESCRIBE rtsp://[IP ADDRESS] RTSP/1.0
    CSeq: 1
    Authorization: Basic
    User-Agent: WebClient
    Accept: application/sdp

    DESCRIBE rtsp://[IP ADDRESS] RTSP/1.0
    CSeq: 2
    Authorization: Digest username="admin", realm="[a-f0-9]{12}", algorithm="MD5", nonce="[a-f0-9]{32}", uri="", response="[a-f0-9]{32}"
    User-Agent: WebClient
    Accept: application/sdp

    Figure 3: Example RTSP request

    Successful RTSP 200 OK responses contained a snapshot of the IP camera’s image and IP camera metadata such as video codec, resolution, and other properties depending on the IP camera’s configuration. 
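    As an added example (not code from the advisory), the following Python triage routine parses RTSP DESCRIBE requests as a camera-side log or packet capture would present them and tags the traits described above: the Hikvision credential string listed in this advisory's IOC section, decoded Basic credentials matching an illustrative default set, Digest headers with an empty uri as in Figure 3, and several distinct credentials from one source. The default-credential set, the guessing threshold, the resolver-independent event layout and the sample events are constructed assumptions.

```python
"""Triage RTSP DESCRIBE requests for the credential-guessing traits described in the advisory.

Added example: the request format follows Figure 3; the sample events, default-credential
set and guessing threshold are constructed assumptions, not data from the advisory.
"""
import base64
import re
from collections import defaultdict

# Indicator listed in the advisory's IOC section (Base64 of a Hikvision backdoor credential).
HIKVISION_BACKDOOR_B64 = "YWRtaW46MTEK"
# Illustrative vendor defaults to compare decoded Basic credentials against (constructed).
DEFAULT_CREDENTIALS = {"admin:admin", "admin:12345", "admin:123456", "admin:", "root:root"}
# User-Agent shown in the advisory's example request; weak on its own, so it is only a tag.
REPORTED_USER_AGENT = "WebClient"
# Distinct credentials from one source before it is tagged as guessing (assumed threshold).
GUESS_THRESHOLD = 3

_DIGEST_PARAM = re.compile(r'(\w+)="([^"]*)"')


def parse_rtsp_request(raw):
    """Split one raw RTSP request into (method, url, headers); header names are lower-cased."""
    lines = raw.strip().splitlines()
    method, url, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, url, headers


def classify_authorization(value):
    """Return (scheme, credential_id, findings) for one Authorization header value."""
    findings = []
    scheme, _, rest = value.partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        token = rest.strip()
        if token == HIKVISION_BACKDOOR_B64:
            findings.append("known_backdoor_credential")
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8", "replace").rstrip("\n")
        except ValueError:  # binascii.Error is a ValueError subclass
            decoded = "<undecodable>"
        if decoded in DEFAULT_CREDENTIALS:
            findings.append("default_credential")
        return scheme, decoded, findings
    if scheme == "digest":
        params = dict(_DIGEST_PARAM.findall(rest))
        # Figure 3 shows uri=""; assumed here that legitimate clients fill in the stream URI.
        if params.get("uri") == "":
            findings.append("empty_digest_uri")
        return scheme, params.get("username", "") + "/" + params.get("response", ""), findings
    return scheme, rest.strip(), findings


def triage(events):
    """events: iterable of (src_ip, raw_request). Returns one record per DESCRIBE request."""
    records = []
    creds_by_source = defaultdict(set)  # distinct (scheme, credential) tried per source
    for src_ip, raw in events:
        method, url, headers = parse_rtsp_request(raw)
        if method != "DESCRIBE":
            continue
        findings = []
        if headers.get("user-agent") == REPORTED_USER_AGENT:
            findings.append("reported_user_agent")
        auth = headers.get("authorization")
        if auth:
            scheme, cred_id, auth_findings = classify_authorization(auth)
            findings.extend(auth_findings)
            creds_by_source[src_ip].add((scheme, cred_id))
        if len(creds_by_source[src_ip]) >= GUESS_THRESHOLD:
            findings.append("credential_guessing")
        records.append({"src": src_ip, "url": url, "findings": findings})
    return records


# Constructed sample: three requests from one source, then an ordinary media client.
SAMPLE_EVENTS = [
    ("203.0.113.7", "DESCRIBE rtsp://192.0.2.10/ RTSP/1.0\r\nCSeq: 1\r\n"
                    "Authorization: Basic YWRtaW46MTEK\r\nUser-Agent: WebClient\r\n"
                    "Accept: application/sdp\r\n"),
    ("203.0.113.7", "DESCRIBE rtsp://192.0.2.10/ RTSP/1.0\r\nCSeq: 2\r\n"
                    "Authorization: Basic YWRtaW46YWRtaW4=\r\nUser-Agent: WebClient\r\n"
                    "Accept: application/sdp\r\n"),
    ("203.0.113.7", 'DESCRIBE rtsp://192.0.2.10/ RTSP/1.0\r\nCSeq: 3\r\n'
                    'Authorization: Digest username="admin", realm="0123456789ab", '
                    'algorithm="MD5", nonce="0123456789abcdef0123456789abcdef", uri="", '
                    'response="fedcba9876543210fedcba9876543210"\r\n'
                    'User-Agent: WebClient\r\nAccept: application/sdp\r\n'),
    ("198.51.100.5", "DESCRIBE rtsp://192.0.2.10/stream1 RTSP/1.0\r\nCSeq: 1\r\n"
                     "User-Agent: LibVLC/3.0.18\r\nAccept: application/sdp\r\n"),
]

if __name__ == "__main__":
    for rec in triage(SAMPLE_EVENTS):
        print(rec["src"], rec["url"], ", ".join(rec["findings"]) or "-")
```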

    From a sample of over 10,000 cameras targeted via this effort that was available to the authoring agencies, the geographic distribution of victims showed a strong focus on cameras in Ukraine and border countries, as shown in Table 1:

    Table 1: Geographic distribution of targeted IP cameras

    Country     Percentage of Total Attempts
    Ukraine     81.0%
    Romania      9.9%
    Poland       4.0%
    Hungary      2.8%
    Slovakia     1.7%
    Others       0.6%

    Mitigation Actions

    General Security Mitigations

    Architecture and Configuration

    • Employ appropriate network segmentation [D3-NI] and restrictions to limit access and utilize additional attributes (such as device information, environment, and access path) when making access decisions [D3-AMED].
      • Consider Zero Trust principles when designing systems. Base product choices on how those products can solve specific risks identified as part of the end-to-end design. [9]
    • Ensure that host firewalls and network security appliances (e.g., firewalls) are configured to only allow legitimately needed data flows between devices and servers to prevent lateral movement [D3-ITF]. Alert on attempts to connect laterally between host devices or other unusual data flows.
    • Use automated tools to audit access logs for security concerns and identify anomalous access requests [D3-RAPA].
    • For organizations using on-premises authentication and email services, block and alert on NTLM/SMB requests to external infrastructure [D3-OTF].
    • Utilize endpoint detection and response (EDR) and other cybersecurity solutions on all systems, prioritizing high value systems with large amounts of sensitive data such as mail servers and domain controllers [D3-PM] first.
      • Perform threat and attack modeling to understand how sensitive systems may be compromised within an organization’s specific architecture and security controls. Use this to develop a monitoring strategy to detect compromise attempts and select appropriate products to enact this strategy.
    • Collect and monitor Windows logs for certain events, especially for events that indicate that a log was cleared unexpectedly [D3-SFA].
    • Enable optional security features in Windows to harden endpoints and mitigate initial access techniques [D3-AH]:
      • Enable attack surface reduction rules to prevent executable content from email [D3-ABPI].
      • Enable attack surface reduction rules to prevent execution of files from globally writeable directories, such as Downloads or %APPDATA% [D3-EAL].
      • Unless users are involved in the development of scripts, limit the local execution of scripts (such as batch scripts, VBScript, JScript/JavaScript, and PowerShell [10]) to known scripts [D3-EI], and audit execution attempts.
      • Disable Windows Host Scripting functionality and configure PowerShell to run in Constrained mode [D3-ACH].
    • Where feasible, implement allowlisting for applications and scripts to limit execution to only those needed for authorized activities, blocking all others by default [D3-EAL].
    • Consider using open source SIGMA rules as a baseline for detecting and alerting on suspicious file execution or command parameters [D3-PSA].
    • Use services that provide enhanced browsing services and safe link checking [D3-URA]. Significant reductions in successful spearphishing attempts were noted when email providers began offering link checking and automatic file detonation to block malicious content.
    • Where possible, block logins from public VPNs, including exit nodes in the same country as target systems, or, if they need to be allowed, alert on them for further investigation. Most organizations should not need to allow incoming traffic, especially logins to systems, from VPN services [D3-NAM].
    • Educate users to only use approved corporate systems for relevant government and military business and avoid the use of personal accounts on cloud email providers to conduct official business. Network administrators should also audit both email and web request logs to detect such activity.

    Many organizations may not need to allow outgoing traffic to hosting and API mocking services, which are frequently used by GRU unit 26165. Organizations should consider alerting on or blocking the following services, with exceptions allowlisted for legitimate activity [D3-DNSDL].


    Heuristic detections for web requests to new subdomains, including of the above providers, may uncover malicious phishing activity [D3-DNRA]. Logging the requests for each sub-domain requested by users on a network, such as in DNS or firewall logs, may enable system administrators to identify new targeting and victims.
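    An added example (not from the advisory) of the first-seen subdomain heuristic just described, run over resolver log lines: every query for a name under one of the listed providers that has not been seen before is raised once, and clients are ranked by how many such names they resolved. The provider suffixes are a subset of the services the advisory names; the log layout, the baseline and the sample lines are constructed assumptions.

```python
"""First-seen subdomain heuristic for the hosting/redirector providers named in the advisory.

Added example, not part of the advisory. PROVIDER_SUFFIXES is a subset of the services it
names; the resolver log layout, baseline and sample lines are constructed assumptions.
"""
import re
from collections import Counter

PROVIDER_SUFFIXES = ("webhook.site", "mockbin.org", "mocky.io", "pipedream.net",
                     "frge.io", "infinityfreeapp.com", "dynuddns.com")

# Assumed resolver log layout: "<timestamp> <client_ip> <qtype> <qname>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$")


def normalize(qname):
    """Lower-case and strip the trailing dot so 'A1.Webhook.site.' and 'a1.webhook.site' match."""
    return qname.rstrip(".").lower()


def provider_for(qname):
    """Return the provider suffix a name falls under, or None; the apex itself is not a hit."""
    q = normalize(qname)
    for suffix in PROVIDER_SUFFIXES:
        if q.endswith("." + suffix):
            return suffix
    return None


def first_seen_alerts(lines, baseline=()):
    """Alert once per never-before-seen subdomain of a listed provider.

    baseline: names already known from earlier logs or an allowlist of approved uses.
    """
    seen = {normalize(q) for q in baseline}
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        q = normalize(m["qname"])
        provider = provider_for(q)
        if provider is None or q in seen:
            continue
        seen.add(q)
        alerts.append({"ts": m["ts"], "client": m["client"], "qname": q, "provider": provider})
    return alerts


def clients_ranked(alerts):
    """Count first-seen hits per client; the busiest clients are where triage starts."""
    return Counter(a["client"] for a in alerts).most_common()


# Constructed sample resolver lines; the mocky name is pretended to be an approved dev use.
SAMPLE_BASELINE = {"run.mocky.io"}
SAMPLE_LINES = [
    "2025-05-20T08:00:01Z 10.1.4.23 A webhook.site",
    "2025-05-20T08:00:05Z 10.1.4.23 A a1b2c3d4.webhook.site.",
    "2025-05-20T08:00:09Z 10.1.4.23 A A1B2C3D4.webhook.site",
    "2025-05-20T08:01:00Z 10.1.7.88 A run.mocky.io",
    "2025-05-20T08:02:00Z 10.1.4.23 A login-secure-portal.frge.io",
    "2025-05-20T08:03:00Z 10.1.9.2 A www.msn.com",
    "2025-05-20T08:04:00Z 10.1.9.2 A api.pipedream.net",
]

if __name__ == "__main__":
    hits = first_seen_alerts(SAMPLE_LINES, SAMPLE_BASELINE)
    for a in hits:
        print(a["ts"], a["client"], "first query for", a["qname"], "under", a["provider"])
    print("clients by first-seen count:", clients_ranked(hits))
```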

    Identity and Access Management

    Organizations should take measures to ensure strong access controls and mitigate against common credential theft techniques: 

    • Use MFA with strong factors, such as passkeys or PKI smartcards, and require regular re-authentication [D3-MFA]. [11], [12] Strong authentication factors are not guessable using dictionary techniques, so they resist brute force attempts.
    • Implement other mitigations for privileged accounts: including limiting the number of admin accounts, considering using hardware MFA tokens, and regularly reviewing all privileged user accounts [D3-JFAPA].
    • Separate privileged accounts by role and alert on misuse of privileged accounts [D3-UAP]. For example, email administrator accounts should be different from domain administrator accounts.
    • Reduce reliance on passwords; instead, consider using services like single sign-on [D3-TBA].
      • For organizations using on-premises authentication and email services, plan to disable NTLM entirely and migrate to more robust authentication processes such as PKI certificate authentication.
    • Do not store passwords in Group Policy Preferences (GPP). Remove all passwords previously included in GPP and change all passwords on the corresponding accounts [D3-CH]. [13]
    • Use account throttling or account lockout [D3-ANET]:
      • Throttling is preferred to lockout. Throttling progressively increases time delay between successive login attempts.
      • Account lockout can leave legitimate users unable to access their accounts and requires access to an account recovery process.
      • Account lockout can provide a malicious actor with an easy way to launch a Denial of Service (DoS).
      • If using lockout, then allowing 5 to 10 attempts before lockout is recommended.
    • Use a service to check for compromised passwords before using them [D3-SPP]. For example, “Have I Been Pwned” can be used to check whether a password has been previously compromised without disclosing the potential password.
    • Change all default credentials [D3-CRO] and disable protocols that use weak authentication (e.g., clear-text passwords or outdated and vulnerable authentication or encryption protocols) or do not support multi-factor authentication [D3-ACH] [D3-ET]. Always configure access controls carefully to ensure that only well-maintained and well-authenticated accounts have access. [13]
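    An added audit helper (not from the advisory) for the Group Policy Preferences bullet above: it parses GPP XML for any Properties element still carrying a cpassword attribute, with or without a value, so leftovers can be removed and the corresponding accounts rotated. The SYSVOL walker, the file-name list and the sample XML (with placeholder values) are assumptions.

```python
"""Audit Group Policy Preference XML for leftover cpassword attributes.

Added example, not part of the advisory. The file-name list, the SYSVOL walker and the
sample XML (CLSIDs and encrypted values replaced by placeholders) are assumptions.
"""
import os
import xml.etree.ElementTree as ET

# GPP files that can carry cpassword; the walker limits itself to these names.
GPP_FILENAMES = {"groups.xml", "services.xml", "scheduledtasks.xml",
                 "datasources.xml", "drives.xml", "printers.xml"}


def find_cpasswords(xml_text, source="<string>"):
    """Return one finding per Properties element that carries a cpassword attribute.

    An empty cpassword is still reported: the attribute's presence shows the item once
    held a password, so the account should be on the rotation list regardless.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for item in root:  # <User>, <Service>, <Drive>, ... under the file's root element
        for props in item.findall("Properties"):
            if "cpassword" not in props.attrib:
                continue
            account = (props.get("userName") or props.get("accountName")
                       or props.get("runAs") or item.get("name") or "?")
            findings.append({
                "file": source,
                "item": item.tag,
                "account": account,
                "has_value": bool(props.get("cpassword")),
                "action": props.get("action", ""),
            })
    return findings


def audit_sysvol(root_dir):
    """Walk a SYSVOL mirror and collect cpassword findings from every GPP XML file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if name.lower() not in GPP_FILENAMES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8") as fh:
                try:
                    findings.extend(find_cpasswords(fh.read(), path))
                except ET.ParseError:
                    findings.append({"file": path, "item": "?", "account": "?",
                                     "has_value": False, "action": "parse-error"})
    return findings


# Constructed samples: one local user with a stored password, one cleared entry, one drive map.
SAMPLE_GROUPS_XML = """<Groups clsid="{CLSID-PLACEHOLDER}">
  <User clsid="{CLSID-PLACEHOLDER}" name="LocalAdmin" status="LocalAdmin" changed="2023-01-10 09:12:00">
    <Properties action="U" newName="" fullName="" description="" cpassword="PLACEHOLDER_ENCRYPTED_VALUE"
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="LocalAdmin"/>
  </User>
  <User clsid="{CLSID-PLACEHOLDER}" name="Guest" status="Guest" changed="2023-01-10 09:12:00">
    <Properties action="U" cpassword="" acctDisabled="1" userName="Guest"/>
  </User>
</Groups>
"""
SAMPLE_DRIVES_XML = """<Drives clsid="{CLSID-PLACEHOLDER}">
  <Drive clsid="{CLSID-PLACEHOLDER}" name="S:" status="S:" changed="2023-01-10 09:12:00">
    <Properties action="U" thisDrive="NOCHANGE" allDrives="NOCHANGE" userName="CORP\\svc_share"
                cpassword="PLACEHOLDER_ENCRYPTED_VALUE" path="\\\\fs01\\share" label="Share" letter="S"/>
  </Drive>
</Drives>
"""

if __name__ == "__main__":
    for f in find_cpasswords(SAMPLE_GROUPS_XML, "Groups.xml") + find_cpasswords(SAMPLE_DRIVES_XML, "Drives.xml"):
        state = "password stored" if f["has_value"] else "attribute present, empty"
        print(f"{f['file']}: {f['item']} {f['account']!r} ({state})")
```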

    IP Camera Mitigations

    The following mitigation techniques for IP cameras can be used to defend against this type of malicious activity:

    • Ensure IP cameras are currently supported. Replace devices that are out of support.
    • Apply security patches and firmware updates to all IP cameras [D3-SU].
    • Disable remote access to the IP camera, if unnecessary [D3-ITF].
    • Ensure cameras are protected by a security appliance, if possible, such as by using a firewall to prevent communication with the camera from IP addresses not on an allowlist [D3-NAM].
    • If remote access to IP camera feeds is required, ensure authentication is enabled [D3-AA] and use a VPN to connect remotely [D3-ET]. Use MFA for management accounts if supported [D3-MFA].
    • Disable Universal Plug and Play (UPnP), Peer-to-Peer (P2P), and Anonymous Visit features on IP cameras and routers [D3-NI].
    • Turn off other ports/services not in use (e.g., FTP, web interface, etc.) [D3-ACH].
    • If supported, enable authenticated RTSP access only [D3-AA].
    • Review all authentication activity for remote access to make sure it is valid and expected [D3-UBA]. Investigate any unexpected or unusual activity.
    • Audit IP camera user accounts to ensure they are an accurate reflection of your organization and that they are being used as expected [D3-UAP].
    • Configure, tune, and monitor logging—if available—on the IP camera.

    Indicators of Compromise (IOCs)

    Note: Specific IoCs may no longer be actor controlled, may themselves be compromised infrastructure or email accounts, or may be shared infrastructure such as public VPN or Tor exit nodes. Care should be taken when triaging logs or developing detection rules based on these indicators. GRU unit 26165 almost certainly uses extensive further infrastructure and TTPs not specifically listed in this report.

    Utilities and scripts

    Legitimate utilities

    Unauthorized or unusual use of the following legitimate utilities can be an indication of a potential compromise:

    • ntdsutil – A legitimate Windows executable used by threat actors to export contents of Active Directory
    • wevtutil – A legitimate Windows executable used by threat actors to delete event logs
    • vssadmin – A legitimate Windows executable possibly used by threat actors to make a copy of the server’s C: drive
    • ADexplorer – A legitimate Windows executable to view, edit, and back up Active Directory Certificate Services
    • OpenSSH – The Windows version of a legitimate open source SSH client
    • schtasks – A legitimate Windows executable used to create persistence using scheduled tasks
    • whoami – A legitimate Windows executable used to retrieve the name of the current user
    • tasklist – A legitimate Windows executable used to retrieve the list of running processes
    • hostname – A legitimate Windows executable used to retrieve the device name
    • arp – A legitimate Windows executable used to retrieve the ARP table for mapping the network environment
    • systeminfo – A legitimate Windows executable used to retrieve a comprehensive summary of device and operating system information
    • net – A legitimate Windows executable used to retrieve detailed user information
    • wmic – A legitimate Windows executable used to interact with Windows Management Instrumentation (WMI), such as to retrieve letters assigned to logical partitions on storage drives
    • cacls – A legitimate Windows executable used to modify permissions on files
    • icacls – A legitimate Windows executable used to modify permissions to files and handle integrity levels and ownership
    • ssh – A legitimate Windows executable used to establish network shell connections
    • reg – A legitimate Windows executable used to add to or modify the system registry 

    Note: Additional heuristics are needed for effective hunting for these and other living off the land (LOTL) binaries to avoid being overwhelmed by false positives if these legitimate management tools are used regularly. See the joint guide, Identifying and Mitigating Living Off the Land Techniques, for guidance on developing a multifaceted cybersecurity strategy that enables behavior analytics, anomaly detection, and proactive hunting, which are part of a comprehensive approach to mitigating cyber threats that employ LOTL techniques.

    Malicious scripts

    • Certipy – An open source python tool for enumerating and abusing Active Directory Certificate Services
    • Get-GPPPassword.py – An open source python script for finding insecure passwords stored in Group Policy Preferences
    • ldap-dump.py – A script for enumerating user accounts and other information in Active Directory
    • Hikvision backdoor string: “YWRtaW46MTEK”

    Suspicious command lines

    While the following utilities are legitimate, and using them with the command lines shown may also be legitimate, these command lines are often used during malicious activities and could be an indication of a compromise:

    • edge.exe "-headless-new -disable-gpu"
    • ntdsutil.exe "activate instance ntds" ifm "create full C:\temp\[a-z]{3}" quit quit
    • ssh -Nf
    • schtasks /create /xml
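    An added example (not code from the advisory) that turns the suspicious command lines listed above, the Figure 2 ntdsutil command and the log-clearing, run-key and Python tooling behaviour described earlier into process-creation detection rules, each anchored on the image path as well as the arguments to keep the false positives the LOTL note warns about down. The event schema (host, user, image, cmdline) and the sample events are constructed assumptions.

```python
"""Flag the advisory's suspicious living-off-the-land command lines in process-creation events.

Added example, not part of the advisory. Events follow an assumed minimal schema
(host, user, image, cmdline) such as Sysmon Event ID 1 or Windows 4688 would provide;
the sample events are constructed.
"""
import re

# Rules: name, note drawn from the advisory's IOC descriptions, image-path regex, command-line regex.
# Requiring the image path to match as well as the arguments keeps unrelated binaries out.
RULES = [
    ("ntdsutil_ifm_dump", "ntdsutil IFM export of Active Directory (NTDS.dit) [T1003.003]",
     r"\\ntdsutil\.exe$", r"activate instance ntds.*\bifm\b.*create full"),
    ("event_log_cleared", "wevtutil used to delete event logs [T1070.001]",
     r"\\wevtutil\.exe$", r"\s(cl|clear-log)\s"),
    ("headless_edge", "headless Edge launch as in the HEADLACE core script",
     r"\\msedge\.exe$", r"-{1,2}headless([=-]new)?\b.*-{1,2}disable-gpu"),
    ("ssh_background_tunnel", "ssh -Nf, the dropped OpenSSH binary used for exfiltration [T1048]",
     r"\\ssh\.exe$", r"\s-(Nf|fN)\b"),
    ("schtasks_from_xml", "scheduled task created from an XML definition [T1053.005]",
     r"\\schtasks\.exe$", r"/create\b.*/xml\b"),
    ("vssadmin_shadow_copy", "vssadmin possibly used to copy the server's C: drive",
     r"\\vssadmin\.exe$", r"create shadow"),
    ("run_key_persistence", "run key written with reg add [T1547.001]",
     r"\\reg\.exe$", r"\badd\b.*currentversion\\run\b"),
    ("ad_tooling_script", "Certipy, Get-GPPPassword.py or ldap-dump.py [T1552.006, T1087.002]",
     r"\\python(3|w)?\.exe$", r"(certipy|get-gpppassword\.py|ldap-dump\.py)"),
]
COMPILED = [(name, re.compile(img, re.I), re.compile(cmd, re.I)) for name, _note, img, cmd in RULES]
NOTES = {name: note for name, note, _img, _cmd in RULES}


def match_event(event):
    """Return the names of every rule whose image and command-line patterns both match."""
    return [name for name, img_re, cmd_re in COMPILED
            if img_re.search(event["image"]) and cmd_re.search(event["cmdline"])]


def scan(events):
    """Return (event_index, rule_name, note) for each hit across a batch of events."""
    return [(i, name, NOTES[name])
            for i, event in enumerate(events)
            for name in match_event(event)]


# Constructed sample events: six that should fire, then two benign lookalikes that must not.
SAMPLE_EVENTS = [
    {"host": "DC01", "user": "CORP\\backupsvc", "image": "C:\\Windows\\System32\\ntdsutil.exe",
     "cmdline": 'ntdsutil.exe "activate instance ntds" ifm "create full C:\\temp\\qzx" quit quit'},
    {"host": "DC01", "user": "CORP\\backupsvc", "image": "C:\\Windows\\System32\\wevtutil.exe",
     "cmdline": "wevtutil.exe cl Security"},
    {"host": "WS17", "user": "CORP\\jdoe",
     "image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
     "cmdline": "msedge.exe --headless=new --disable-gpu file://C:/Users/jdoe/Downloads/x.html"},
    {"host": "WS17", "user": "CORP\\jdoe", "image": "C:\\ProgramData\\ssh.exe",
     "cmdline": "ssh.exe -Nf user@203.0.113.9"},
    {"host": "WS17", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": "schtasks.exe /create /xml C:\\Users\\Public\\t.xml /tn Updater"},
    {"host": "SRV02", "user": "CORP\\svc_ldap", "image": "C:\\Python312\\python.exe",
     "cmdline": "python.exe C:\\temp\\ldap-dump.py -d corp.local"},
    {"host": "WS17", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": "schtasks.exe /query /fo LIST"},
    {"host": "WS17", "user": "CORP\\jdoe",
     "image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
     "cmdline": "msedge.exe --profile-directory=Default https://intranet.example"},
]

if __name__ == "__main__":
    for idx, rule, note in scan(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"{ev['host']} {ev['user']}: {rule} -> {note}")
```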

    Outlook CVE Exploitation IOCs


    Commonly Used Webmail Providers

    • portugalmail[.]pt
    • mail-online[.]dk
    • email[.]cz
    • seznam[.]cz

    Malicious Archive Filenames Involving CVE-2023-38831

    • calc.war.zip
    • news_week_6.zip
    • Roadmap.zip
    • SEDE-PV-2023-10-09-1_EN.zip
    • war.zip
    • Zeyilname.zip

    Brute Forcing IP Addresses

    Disclaimer: These IP addresses date from June 2024 through August 2024. The authoring agencies recommend organizations investigate or vet these IP addresses prior to taking action, such as blocking.


    Detections

    Customized NTLM listener

    rule APT28_NTLM_LISTENER {
        meta:
            description = "Detects NTLM listeners including APT28's custom one"
        strings:
            $command_1 = "start-process powershell.exe -WindowStyle hidden"
            $command_2 = "New-Object System.Net.HttpListener"
            $command_3 = "Prefixes.Add('http://localhost:8080/')"
            $command_4 = "-match 'Authorization'"
            $command_5 = "GetValues('Authorization')"
            $command_6 = "Request.RemoteEndPoint.Address.IPAddressToString"
            $command_7 = "@(0x4e,0x54,0x4c,0x4d, 0x53,0x53,0x50,0x00,0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x28,0x00,0x00,0x01,0x82,0x00,0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)"
            $command_8 = ".AllKeys"

            $variable_1 = "$NTLMAuthentication" nocase
            $variable_2 = "$NTLMType2" nocase
            $variable_3 = "$listener" nocase
            $variable_4 = "$hostip" nocase
            $variable_5 = "$request" nocase
            $variable_6 = "$ntlmt2" nocase
            $variable_7 = "$NTLMType2Response" nocase
            $variable_8 = "$buffer" nocase
        condition:
            5 of ($command_*)
            or
            all of ($variable_*)
    }

    HEADLACE shortcut

    rule APT28_HEADLACE_SHORTCUT {
        meta:
            description = "Detects the HEADLACE backdoor shortcut dropper. Rule is meant for threat hunting."
        strings:
            $type = "[InternetShortcut]" ascii nocase
            $url  = "file://"
            $edge = "msedge.exe"
            $icon = "IconFile"
        condition:
            all of them
    }

    HEADLACE credential dialogbox phishing 

    rule APT28_HEADLACE_CREDENTIALDIALOG {
        meta:
            description = "Detects scripts used by APT28 to lure user into entering credentials"
        strings:
            $command_1 = "while($true)"
            $command_2 = "Get-Credential $(whoami)"
            $command_3 = "Add-Content"
            $command_4 = ".UserName"
            $command_5 = ".GetNetworkCredential().Password"
            $command_6 = "GetNetworkCredential().Password.Length -ne 0"
        condition:
            5 of them
    }

    HEADLACE core script

    rule APT28_HEADLACE_CORE {
        meta:
            description = "Detects HEADLACE core batch scripts"
        strings:
            $chcp = "chcp 65001" ascii
            $headless = "start \"\" msedge --headless=new --disable-gpu" ascii

            $command_1 = "taskkill /im msedge.exe /f" ascii
            $command_2 = "whoami>\"%programdata%\\" ascii
            $command_3 = "timeout" ascii
            $command_4 = "copy \"%programdata%\\" ascii
            $non_generic_del_1 = "del /q /f \"%programdata%\\" ascii
            $non_generic_del_3 = "del /q /f \"%userprofile%\\Downloads\\" ascii

            $generic_del = "del /q /f" ascii
        condition:
            (
                $chcp
                and
                $headless
            )
            and
            (
                1 of ($non_generic_del_*)
                or
                ($generic_del)
                or
                3 of ($command_*)
            )
    }

    MASEPIE

    rule APT28_MASEPIE {
        meta:
            description = "Detects MASEPIE python script"
        strings:
            $masepie_unique_1 = "os.popen('whoami').read()"
            $masepie_unique_2 = "elif message == 'check'"
            $masepie_unique_3 = "elif message == 'send_file':"
            $masepie_unique_4 = "elif message == 'get_file'"
            $masepie_unique_5 = "enc_mes('ok'"
            $masepie_unique_6 = "Bad command!'.encode('ascii'"
            $masepie_unique_7 = "{user}{SEPARATOR}{k}"
            $masepie_unique_8 = "raise Exception(\"Reconnect"
        condition:
            3 of ($masepie_unique_*)
    }

    STEELHOOK

    rule APT28_STEELHOOK {
        meta:
            description = "Detects APT28's STEELHOOK powershell script"
        strings:
            $s_1 = "$($env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Local State)"
            $s_2 = "$($env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Login Data)"
            $s_3 = "$($env:LOCALAPPDATA\\Microsoft\\Edge\\User Data\\Local State)"
            $s_4 = "$($env:LOCALAPPDATA\\Microsoft\\Edge\\User Data\\Default\\Login Data)"
            $s_5 = "os_crypt.encrypted_key"
            $s_6 = "System.Security.Cryptography.DataProtectionScope"
            $s_7 = "[system.security.cryptography.protectdata]::Unprotect"
            $s_8 = "Invoke-RestMethod"
        condition:
            all of them
    }

    PSEXEC

    rule GENERIC_PSEXEC {
        meta:
            description = "Detects SysInternals PSEXEC executable"
        strings:
            $sysinternals_1 = "SYSINTERNALS SOFTWARE LICENCE TERMS"
            $sysinternals_2 = "/accepteula"
            $sysinternals_3 = "Software\\Sysinternals"
            $network_1 = "%s\\IPC$"
            $network_2 = "%s\\ADMIN$\\%s"
            $network_3 = "\\Device\\LanmanRedirector\\%s\\ipc$"
            $psexec_1 = "PSEXESVC"
            $psexec_2 = "PSEXEC-{}-"
            $psexec_3 = "Copying %s to %s..."
            $psexec_4 = "gPSINFSVC"
        condition:
            (
                ( uint16(0x0) == 0x5a4d )
                and
                ( uint16(uint32(0x3c)) == 0x4550 )
            )
            and
                filesize < 1024KB
            and
            (
                ( any of ($sysinternals_*) and any of ($psexec_*) )
                or
                ( 2 of ($network_*) and 2 of ($psexec_*) )
            )
    }
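The conditions of the HEADLACE shortcut and PSEXEC rules above, rewritten as plain Python so the matching logic (the MZ/PE header check, the "N of" counting of distinct strings, the nocase modifier) can be checked without yara-python. This is an added example, not code from the advisory; every sample input below is constructed here and the host name in the shortcut sample is a placeholder.

```python
"""Plain-Python mirror of two YARA conditions from the advisory (added example).
All sample inputs are constructed in this file; none are real artefacts."""
import struct

YStr = tuple[bytes, bool]  # (pattern, nocase modifier)


def _present(data: bytes, s: YStr) -> bool:
    """True if the YARA string occurs at least once in data."""
    pat, nocase = s
    return (pat.lower() in data.lower()) if nocase else (pat in data)


def n_of(data: bytes, strings: list[YStr]) -> int:
    """YARA's 'N of ($group_*)' counts distinct strings that match,
    not occurrences: one string found three times still counts as one."""
    return sum(1 for s in strings if _present(data, s))


def is_pe(data: bytes) -> bool:
    """uint16(0x0) == 0x5a4d and uint16(uint32(0x3c)) == 0x4550, i.e. an
    'MZ' DOS header whose e_lfanew field points at the 'PE\\0\\0' signature."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != 0x5A4D:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 2 > len(data):  # an out-of-range read is simply false in YARA
        return False
    return struct.unpack_from("<H", data, e_lfanew)[0] == 0x4550


# --- APT28_HEADLACE_SHORTCUT: 'all of them'; only $type carries nocase ---
HEADLACE_SHORTCUT: list[YStr] = [
    (b"[InternetShortcut]", True),
    (b"file://", False),
    (b"msedge.exe", False),
    (b"IconFile", False),
]


def rule_headlace_shortcut(data: bytes) -> bool:
    return n_of(data, HEADLACE_SHORTCUT) == len(HEADLACE_SHORTCUT)


# --- GENERIC_PSEXEC: PE header, size bound, then two alternative string sets ---
SYSINTERNALS: list[YStr] = [(b"SYSINTERNALS SOFTWARE LICENCE TERMS", False),
                            (b"/accepteula", False),
                            (b"Software\\Sysinternals", False)]
NETWORK: list[YStr] = [(b"%s\\IPC$", False),
                       (b"%s\\ADMIN$\\%s", False),
                       (b"\\Device\\LanmanRedirector\\%s\\ipc$", False)]
PSEXEC: list[YStr] = [(b"PSEXESVC", False), (b"PSEXEC-{}-", False),
                      (b"Copying %s to %s...", False), (b"gPSINFSVC", False)]


def rule_generic_psexec(data: bytes) -> bool:
    if not is_pe(data) or len(data) >= 1024 * 1024:  # filesize < 1024KB
        return False
    return ((n_of(data, SYSINTERNALS) >= 1 and n_of(data, PSEXEC) >= 1)
            or (n_of(data, NETWORK) >= 2 and n_of(data, PSEXEC) >= 2))


# --- constructed samples -------------------------------------------------
def make_pe(body: bytes) -> bytes:
    """Minimal MZ stub with e_lfanew = 0x40, followed by 'PE\\0\\0' and body."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\0\0" + body


# Constructed .url contents: one carrying all four rule strings, one benign.
SHORTCUT_HIT = (b"[internetshortcut]\r\nURL=file://EXAMPLE-HOST/share\r\n"
                b"IconFile=C:\\Program Files\\msedge.exe\r\n")
SHORTCUT_BENIGN = b"[InternetShortcut]\r\nURL=https://example.com/\r\nIconFile=a.ico\r\n"

PSEXEC_HIT_LICENCE = make_pe(b"...PSEXESVC... /accepteula")          # first branch
PSEXEC_HIT_NETWORK = make_pe(b"%s\\IPC$ %s\\ADMIN$\\%s PSEXESVC PSEXEC-{}-")  # second
PE_BENIGN = make_pe(b"hello world")
TEXT_WITH_STRINGS = b"PSEXESVC /accepteula"  # not a PE, so the rule must not fire

if __name__ == "__main__":
    for name, sample, rule in [
        ("shortcut hit", SHORTCUT_HIT, rule_headlace_shortcut),
        ("shortcut benign", SHORTCUT_BENIGN, rule_headlace_shortcut),
        ("psexec licence strings", PSEXEC_HIT_LICENCE, rule_generic_psexec),
        ("psexec network strings", PSEXEC_HIT_NETWORK, rule_generic_psexec),
        ("benign PE", PE_BENIGN, rule_generic_psexec),
        ("text file with strings", TEXT_WITH_STRINGS, rule_generic_psexec),
    ]:
        print(f"{name:24s} -> {rule(sample)}")
```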

    The cybersecurity industry provides overlapping cyber threat intelligence, IOCs, and mitigation recommendations related to GRU unit 26165 cyber actors. While not all-encompassing, the following are the most notable threat group names tracked under MITRE ATT&CK G0007 and commonly used within the cybersecurity community:

    • APT28 [14]
    • Fancy Bear [14]
    • Forest Blizzard [14]
    • Blue Delta [15]

    Note: Cybersecurity companies have different methods of tracking and attributing cyber actors, and this may not be a 1:1 correlation to the U.S. government’s understanding for all activity related to these groupings.

    Further Reference

    To search for the presence of malicious email messages targeting CVE-2023-23397, network defenders may consider using the script published by Microsoft: https://aka.ms/CVE-2023-23397ScriptDoc

    For the Impacket TTP, network defenders may consider using the following publicly available Impacket YARA detection rule:
    https://github.com/Neo23x0/signature-base/blob/master/yara/gen_impacket_tools.yar

    Works Cited

    [1] Microsoft. Defending Ukraine: Early Lessons from the Cyber War. 2022. https://blogs.microsoft.com/on-the-issues/2022/06/22/defending-ukraine-early-lessons-from-the-cyber-war/
    [2] FBI et al. Russian Cyber Actors Use Compromised Routers to Facilitate Cyber Operations. 2024. https://media.defense.gov/2024/Feb/27/2003400753/-1/-1/0/CSA-Russian-Actors-Use-Routers-Facilitate-Cyber_Operations.PDF
    [3] NSA et al. Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. 2021. https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/0/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF
    [4] ANSSI. Campagnes d'attaques du mode opératoire APT28 depuis 2021. 2023. https://cert.ssi.gouv.fr/cti/CERTFR-2023-CTI-009/
    [5] ANSSI. Targeting and compromise of French entities using the APT28 intrusion set. 2025. https://cert.ssi.gouv.fr/cti/CERTFR-2025-CTI-007/
    [6] Polish Cyber Command. Detecting Malicious Activity Against Microsoft Exchange Servers. 2023. https://www.wojsko-polskie.pl/woc/articles/aktualnosci-w/detecting-malicious-activity-against-microsoft-exchange-servers/
    [7] IBM. Israel-Hamas Conflict Lures to Deliver Headlace Malware. 2023. https://securityintelligence.com/x-force/itg05-ops-leverage-israel-hamas-conflict-lures-to-deliver-headlace-malware/
    [8] CERT-UA. APT28: From Initial Attack to Creating Domain Controller Threats in an Hour. 2023. https://cert.gov.ua/article/6276894
    [9] NSA. Embracing a Zero Trust Security Model. 2021. https://media.defense.gov/2021/Feb/25/2002588479/-1/-1/0/CSI_EMBRACING_ZT_SECURITY_MODEL_UOO115131-21.PDF
    [10] NSA et al. Keeping PowerShell: Security Measures to Use and Embrace. 2022. https://media.defense.gov/2022/Jun/22/2003021689/-1/-1/0/CSI_KEEPING_POWERSHELL_SECURITY_MEASURES_TO_USE_AND_EMBRACE_20220622.PDF
    [11] National Institute of Standards and Technology (NIST). Special Publication 800-63B: Digital Identity Guidelines – Authentication and Lifecycle Management. 2020. https://pages.nist.gov/800-63-3/sp800-63b.html
    [12] NSA. Selecting Secure Multi-factor Authentication Solutions. October 16, 2020. https://media.defense.gov/2024/Jul/31/2003515137/-1/-1/0/MULTIFACTOR_AUTHENTICATION_SOLUTIONS_UOO17091520.PDF
    [13] NSA and CISA. NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations. 2023. https://media.defense.gov/2023/Oct/05/2003314578/-1/-1/0/JOINT_CSA_TOP_TEN_MISCONFIGURATIONS_TLP-CLEAR.PDF
    [14] Department of Justice. Justice Department Conducts Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU). 2024. https://www.justice.gov/archives/opa/pr/justice-department-conducts-court-authorized-disruption-botnet-controlled-russian
    [15] Recorded Future. GRU’s BlueDelta Targets Key Networks in Europe with Multi-Phase Espionage Campaigns. 2024. https://go.recordedfuture.com/hubfs/reports/CTA-RU-2024-0530.pdf

    Disclaimer of endorsement

    The information and opinions contained in this document are provided "as is" and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.

    Purpose

    This document was developed in furtherance of the authoring agencies’ cybersecurity missions, including their responsibilities to identify and disseminate threats and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.

    Contact

    United States organizations

    • National Security Agency (NSA)
    • Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI)
      • U.S. organizations are encouraged to report suspicious or criminal activity related to information in this advisory to CISA via the agency’s Incident Reporting System, its 24/7 Operations Center (report@cisa.gov or 888-282-0870), or your local FBI field office. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.
    • Department of Defense Cyber Crime Center (DC3)

    United Kingdom organizations

    Germany organizations

    Czech Republic organizations

    Poland organizations

    Australian organizations

    • Visit cyber.gov.au or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and access alerts and advisories.

    Canadian organizations

    Estonia organizations

    French organizations

    • French organizations are encouraged to report suspicious activity or incident related to information found in this advisory by contacting ANSSI/CERT-FR by email at cert-fr@ssi.gouv.fr or by phone at: 3218 or +33 9 70 83 32 18. 

    See Table 2 through Table 14 for all the threat actor tactics and techniques referenced in this advisory.

    Table 2: Reconnaissance
    Tactic/Technique Title ID Use
    Reconnaissance TA0043 Conducted reconnaissance on at least one entity involved in the production of ICS components for railway management.
    Gather Victim Identity Information: Email Addresses T1589.002 Conducted contact information reconnaissance to identify additional targets in key positions.
    Gather Victim Org Information T1591 Conducted reconnaissance of the cybersecurity department.
    Gather Victim Org Information: Identify Roles T1591.004 Conducted reconnaissance of individuals responsible for coordinating transport.
    Gather Victim Org Information: Business Relationships T1591.002 Conducted reconnaissance of other companies cooperating with the victim entity.
    Gather Victim Host Information T1592 Attempted to enumerate Real Time Streaming Protocol (RTSP) servers hosting IP cameras.
    Table 3: Resource development
    Tactic/Technique Title ID Use
    Compromise Accounts: Email Accounts T1586.002 Sent phishing emails using compromised accounts.
    Compromise Accounts: Cloud Accounts T1586.003 Sent phishing emails using compromised accounts.
    Table 4: Initial Access
    Tactic/Technique Title ID Use
    Trusted Relationship T1199 Conducted follow-on targeting of additional entities in the transportation sector that had business ties to the primary target, exploiting trust relationships to attempt to gain additional access.
    Phishing T1566 Used spearphishing for credentials and delivering malware to gain initial access to targeted entities.
    Phishing: Spearphishing Attachment T1566.001 Sent emails with malicious attachments.
    Phishing: Spearphishing Link T1566.002 Used spearphishing with included links to fake login pages. Sent emails with embedded hyperlinks that downloaded a malicious archive.
    Phishing: Spearphishing Voice T1566.004 Attempted to use voice phishing to gain access to privileged accounts by impersonating IT staff.
    External Remote Services T1133 Exploited Internet-facing infrastructure, including corporate VPNs, to gain initial access to targeted entities.
    Exploit Public-Facing Application T1190 Exploited public vulnerabilities and SQL injection to gain initial access to targeted entities.
    Content Injection T1659 Leveraged a WinRAR vulnerability allowing for the execution of arbitrary code embedded in an archive.
    Table 5: Execution
    Tactic/Technique Title ID Use
    User Execution: Malicious Link T1204.001 Used malicious links to hosted shortcuts in spearphishing.
    User Execution: Malicious File T1204.002 Delivered malware executables via spearphishing.
    Scheduled Task/Job: Scheduled Task T1053.005 Used scheduled tasks to establish persistence.
    Command and Scripting Interpreter T1059 Delivered scripts in spearphishing. Executed arbitrary shell commands.
    Command and Scripting Interpreter: PowerShell T1059.001 PowerShell commands were often used to prepare data for exfiltration.
    Command and Scripting Interpreter: Windows Command Shell T1059.003 Used BAT script in spearphishing.
    Command and Scripting Interpreter: Visual Basic T1059.005 Used VBScript in spearphishing.
    Command and Scripting Interpreter: Python T1059.006 Installed python on infected machines to enable the execution of Certipy.
    Table 6: Persistence
    Tactic/Technique Title ID Use
    Account Manipulation: Additional Email Delegate Permissions Used manipulation of mailbox permissions to establish sustained email collection.
    Modify Authentication Process: Multi-Factor Authentication Enrolled compromised accounts in MFA mechanisms to increase the trust-level of compromised accounts and enable sustained access.
    Hijack Execution Flow: DLL Search Order Hijacking T1574.001 Used DLL search order hijacking to facilitate malware execution.
    Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder T1547.001 Used run keys to establish persistence.
    Boot or Logon Autostart Execution: Shortcut Modification T1547.009 Placed malicious shortcuts in the startup folder to establish persistence.
    Table 7: Defense Evasion
    Tactic/Technique Title ID Use
    Indicator Removal: Clear Windows Event Logs T1070.001 Deleted event logs through the wevtutil utility.
    Table 8: Credential access
    Tactic/Technique Title ID Use
    Brute Force Sent requests with Base64-encoded credentials for the RTSP server, which included publicly documented default credentials, and likely were generic attempts to brute force access to the devices.
    Brute Force: Password Guessing Used credential guessing to gain initial access to targeted entities.
    Brute Force: Password Spraying Used brute force to gain initial access to targeted entities. Conducted a brute force password spray via LDAP.
    Multi-Factor Authentication Interception Used multi-stage redirectors to provide MFA relaying capabilities in some campaigns.
    Input Capture Used multi-stage redirectors to provide CAPTCHA relaying capabilities in some campaigns.
    Forced Authentication Used an Outlook NTLM vulnerability to collect NTLM hashes and credentials via specially crafted Outlook calendar appointment invitations.
    OS Credential Dumping: NTDS Attempted to dump Active Directory NTDS.dit domain databases.
    Unsecured Credentials: Group Policy Preferences Retrieved plaintext passwords via Group Policy Preferences using Get-GPPPassword.py.
    Table 9: Discovery
    Tactic/Technique Title ID Use
    Account Discovery: Domain Account T1087.002 Used a modified ldap-dump.py to enumerate the Windows environment.
    Table 10: Command and Control
    Tactic/Technique Title ID Use
    Hide Infrastructure T1665 Abused SOHO devices to facilitate covert cyber operations, as well as proxy malicious activity, via devices with geolocation in proximity to the target.
    Proxy: External Proxy T1090.002 Actor-controlled servers sent RTSP DESCRIBE requests destined for RTSP servers.
    Proxy: Multi-hop Proxy T1090.003 Used Tor and commercial VPNs as part of their anonymization infrastructure.
    Encrypted Channel T1573 Connected to victim infrastructure using encrypted TLS.
    Multi-Stage Channels T1104 Used multi-stage redirectors for campaigns.
    Table 11: Defense evasion (mobile framework)
    Tactic/Technique Title ID Use
    Execution Guardrails Used multi-stage redirectors to verify browser fingerprints in some campaigns.
    Execution Guardrails: Geofencing Used multi-stage redirectors to verify IP-geolocation in some campaigns.
    Table 12: Lateral movement
    Tactic/Technique Title ID Use
    Lateral Movement Used native commands and open source tools, such as Impacket and PsExec, to move laterally within the environment.
    Remote Services: Remote Desktop Protocol Moved laterally within the network using RDP.
    Table 13: Collection
    Tactic/Technique Title ID Use
    Email Collection Retrieved sensitive data from email servers.
    Email Collection: Remote Email Collection Used server data exchange protocols and APIs such as Exchange Web Services (EWS) and IMAP to exfiltrate data from email servers.
    Automated Collection Used periodic EWS queries to collect new emails.
    Video Capture Attempted to gain access to the cameras’ feeds.
    Archive Collected Data Accessed files were archived in .zip files prior to exfiltration.
    Archive Collected Data: Archive via Utility Prepared zip archives for upload to the actors’ infrastructure.
    Table 14: Exfiltration
    Tactic/Technique Title ID Use
    Exfiltration Over Alternative Protocol Attempted to exfiltrate archived data via a previously dropped OpenSSH binary.
    Scheduled Transfer Used periodic EWS queries to collect new emails sent and received since the last data exfiltration.

    Appendix B: CVEs exploited

    Table 15: Exploited CVE information
    CVE Vendor/Product Details
    RARLAB WinRAR Allows execution of arbitrary code when a user attempts to view a benign file within a ZIP archive.
    Microsoft Outlook External actors could send specially crafted emails that cause a connection from the victim to an untrusted location of the actor’s control, leaking the Net-NTLMv2 hash of the victim that the actor could then relay to another service to authenticate as the victim.
    Roundcube Webmail Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search params.
    Roundcube Webmail An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16 and 1.4.x before 1.4.10, where a plaintext email message with JavaScript in a link reference element is mishandled by linkref_addindex in rcube_string_replacer.php.
    Roundcube Webmail Roundcube Webmail before 1.4.4 allows arbitrary code execution via shell metacharacters in a configuration setting for im_convert_path or im_identify_path in rcube_image.php.

    Appendix C: MITRE D3FEND Countermeasures

    Table 16: MITRE D3FEND countermeasures
    Countermeasure Title ID Details
    Network Isolation Employ appropriate network segmentation. Disable Universal Plug and Play (UPnP), Peer-to-Peer (P2P), and Anonymous Visit features on IP cameras and routers.
    Access Mediation Limit access and utilize additional attributes (such as device information, environment, and access path) when making access decisions. Configure access controls carefully to ensure that only well-maintained and well-authenticated accounts have access.
    Inbound Traffic Filtering Implement host firewall rules to block connections from other devices on the network, other than from authorized management devices and servers, to prevent lateral movement.
    Resource Access Pattern Analysis Use automated tools to audit access logs for security concerns and identify anomalous access requests.
    Outbound Traffic Filtering Block NTLM/SMB requests to external infrastructure.
    Platform Monitoring Install EDR/logging/cybersecurity solutions onto high value systems with large amounts of sensitive data such as mail servers and domain controllers.
    System File Analysis Collect and monitor Windows logs for certain events, especially for events that indicate that a log was cleared unexpectedly.
    Application Hardening Enable optional security features in Windows to harden endpoints and mitigate initial access techniques.
    Application-based Process Isolation Enable attack surface reduction rules to prevent executable content from email.
    Executable Allowlisting Enable attack surface reduction rules to prevent execution of files from globally writeable directories, such as Downloads or %APPDATA%.
    Execution Isolation Unless users are involved in the development of scripts, limit the execution of scripts (such as batch, JavaScript, and PowerShell) to known scripts.
    Application Configuration Hardening Disable Windows Host Scripting functionality and configure PowerShell to run in Constrained mode. Disable protocols that use weak authentication (e.g., clear-text passwords, or outdated and vulnerable authentication or encryption protocols) or do not support multi-factor authentication. Turn off other ports/services not in use (e.g., FTP, web interface, etc.).
    Process Spawn Analysis Use open source SIGMA rules as a baseline for detecting and alerting on suspicious file execution or command parameters.
    URL Reputation Analysis Use services that provide enhanced browsing services and safe link checking.
    Network Access Mediation Do not allow incoming traffic, especially logins to systems, from public VPN services. Where possible, logins from public VPNs, including exit nodes in the same country as target systems, should be blocked or, if allowed, alerted on for further investigation. Ensure cameras and other Internet of Things devices are protected by a security appliance, if possible.
    DNS Denylisting Do not allow outgoing traffic to hosting and API mocking services frequently used by malicious actors.
    Domain Name Reputation Analysis Heuristic detections for web requests to new subdomains may uncover malicious phishing activity. Logging the requests for each sub-domain requested by users on a network, such as in DNS or firewall logs, may enable system administrators to identify new targeting and victims.
    Multi-factor Authentication Use MFA with strong factors and require regular re-authentication, especially for management accounts.
    Job Function Access Pattern Analysis Implement other mitigations for privileged accounts: including limiting the number of admin accounts, considering using hardware MFA tokens, and regularly reviewing all privileged user accounts.
    User Account Permissions Separate privileged accounts by role and alert on misuse of privileged accounts. Audit user accounts on all devices to ensure they are an accurate reflection of your organization and that they are being used as expected.
    Token-based Authentication Reduce reliance on passwords; instead, consider using services like single sign-on.
    Credential Hardening Do not store passwords in Group Policy Preferences (GPP). Remove all passwords previously included in GPP and change all passwords on the corresponding accounts.
    Authentication Event Thresholding Use account throttling or account lockout. Throttling progressively increases time delay between successive login attempts. If using account lockout, allow between 5 to 10 attempts before lockout.
    Strong Password Policy Use a service to check for compromised passwords before using them.
    Credential Rotation Change all default credentials.
    Encrypted Tunnels Disable protocols that use weak authentication (e.g., clear-text passwords, or outdated and vulnerable authentication or encryption protocols). Use a VPN for remote connections to devices.
    Software Update Apply security patches and firmware updates to all devices. Ensure devices are currently supported. Replace devices that are end-of-life.
    Agent Authentication Ensure authentication is enabled for remote access to devices. If supported on IP cameras, enable authenticated RTSP access only.
    User Behavior Analysis Review all authentication activity for remote access to make sure it is valid and expected. Investigate any unexpected or unusual activity.

    MIL Security OSI -

  • MIL-OSI Europe: OSCE Presence builds capacities of Albanian judges and prosecutors on investigative and adjudicating techniques on money laundering

    Source: Organization for Security and Co-operation in Europe – OSCE

    Headline: OSCE Presence builds capacities of Albanian judges and prosecutors on investigative and adjudicating techniques on money laundering


    MIL OSI Europe News

  • MIL-OSI Europe: Towards Safer Communities: Co-ordinated action to end violence against women and domestic violence

    Source: Organization for Security and Co-operation in Europe – OSCE

    Headline: Towards Safer Communities: Co-ordinated action to end violence against women and domestic violence

    The meeting brought together key institutional actors to identify urgent measures, align mandates, and ensure co-ordinated engagement of ministries, parliaments, relevant institutions, and international partners. (OSCE)

    SARAJEVO, 21 May 2025 – In a decisive step toward strengthening protections for survivors of domestic violence and violence against women, the OSCE Mission to Bosnia and Herzegovina (the Mission) convened a meeting today in Sarajevo to advance the implementation of the new legal framework in the Federation of BiH (FBiH).
    The meeting brought together key institutional actors to identify urgent measures, align mandates, and ensure co-ordinated engagement of ministries, parliaments, relevant institutions, and international partners. Participants included representatives from the FBiH Ministries of Justice, Interior, Labour and Social Policy, and Health, as well as the FBiH Parliament’s Committees for Security and Gender Equality.
    The FBiH Government has recently enacted critical legislation, including the Strategy for Prevention and Fight against Domestic Violence (2024–2027) and the Law on Protection against Domestic Violence and Violence against Women. These measures represent a major advancement in aligning domestic policies with international standards and improving protection and support services for survivors.
    “We welcome the Government’s commitment to amending the Criminal Code to strengthen protections for women and children and hope to see its swift adoption by the FBiH Parliament,” said Thomas Busch, Deputy Head of the OSCE Mission to BiH. “Despite this progress, serious acts of violence persist. That’s why we must now focus on full implementation—to prevent abuse, protect victims, and ensure accountability.”
    To ensure effective implementation of the law, the following actions were agreed:

    1. Development and adoption of the relevant bylaws

    Given the mid-September 2025 deadline for the adoption of 14 bylaws as stipulated by the Law on Protection against Domestic Violence and Violence against Women in Federation of BiH (Law), and recognizing that the development and adoption processes will require close coordination and cooperation among various stakeholders at Federation of Bosnia and Herzegovina (FBiH) and cantonal levels of governance, as well as the need to ensure coherence and alignment between the bylaws and the relevant laws;
    Given the planned or requested support in the development of the bylaws provided by international organizations, including, inter alia, the Delegation of the European Union in Bosnia and Herzegovina, UN Agencies in Bosnia and Herzegovina including UN Women in Bosnia and Herzegovina, and the OSCE Mission to Bosnia and Herzegovina, and recognizing that certain key ministries have already initiated the drafting or consultation processes regarding the bylaws; and
    Given existing coordination mechanisms amongst ministries in the context of implementing the GREVIO recommendations, the FBiH Strategy for Prevention and Protection Against Domestic Violence 2024–2027, and/or establishment of the Commission for Monitoring the Implementation of this Law as stipulated by the Law, which could be leveraged for technical-level coordination, and that the first coordination meeting at the technical level is planned for the end of May.

    The following are recommended for:

    Relevant ministries:
    Establish a body or task force, composed of representatives from key FBiH ministries, to formalize existing co-ordination and oversee the process of drafting, reviewing, and harmonizing the bylaws;
    Ensure efficient, transparent and inclusive consultation processes with relevant cantonal ministries, experts and professionals on bylaws; and
    Secure timely adoption of coherent bylaws that align with international standards and ensure the effective operationalization of the Law.

    Chairs of committees:
    By the end of 2025, organize a joint committees’ session to share experiences and practices in the implementation of the Law including to present prepared bylaws and share plans for capacity building of professionals;
    Engage in promotional activities related to the implementation of the Law and bylaws, including with relevant cantonal committees.

    The Mission:
    Provide support to relevant ministries for the horizontal and vertical harmonization of the bylaws within and with the relevant legal framework(s); and
    Facilitate regular dialogue amongst key stakeholders including organizations and members of the international community, particularly ministers and chairs of committees, to review progress, ensure consistency, efficiency, and alignment throughout the process.

    2. Capacity building of professionals on the Law and relevant bylaws

    Given existing and planned support provided by various international organizations, including various projects of the European Union such as EU4Police, UN Agencies including UN Women in Bosnia and Herzegovina, as well as the continuous support of the Mission, to the Ministries of Interior and the FBiH Ministry of Labor and Social Policy (MLSP) in strengthening the capacities of professionals;
    Given planned budget allocations by the FBiH Ministry of Interior (MoI) for the development of the capacity of the FBiH Police Academy and by the FBiH MLSP for the capacity building of professionals engaged in the institutional response to domestic and gender-based violence, as well as additional capacity-building activities planned under the FBiH Strategy for Prevention and Protection against Domestic Violence 2024–2027; and
    Given the validated training modules and programs developed by the FBiH MoI, FBiH MLSP, and the FBiH Ministry of Health (MoH), as well as opportunities to ensure budget and institutional sustainability of these programs at FBiH and cantonal level where appropriate,

    The following are recommended for:

    Relevant ministries:
    Assess existing capacity-building programs, including training modules and materials, to determine their adaptability, validation, and suitability for training professionals on the Law and relevant bylaws;
    Identify the number and ranks of professionals to be trained, estimate the necessary costs, and develop an implementation timeline in co-ordination with relevant cantonal ministries; and
    Propose mechanisms to ensure the sustainability of mandatory training programs and the necessary budget, targeting an adequate timeframe for the training of professionals working on prevention and response in cases of violence, based on improved validated training programs, in order to achieve comprehensive, unified, and harmonized procedures in cases of domestic violence and violence against women; and
    Secure funding for the implementation of those programs through public budgets and with international project support.

    Chairs of committees:
    Advocate with relevant committees’ counterparts at the cantonal level to secure institutional and budgetary support for the implementation of the Law;
    Advocate for the allocation of necessary funding for the work of parliamentary committees, which would include support for field visits, sessions and debates relevant to the committees’ respective legislative and oversight activities;
    Advocate for strengthening co-operation and co-ordination of the FBiH Parliament’s committees with corresponding committees across different levels of government, which contributes to expanding committees’ capacities, positive dialogue and safeguarding stability.

    The Mission:

    Continue to provide programmatic and political support to key ministries and institutions across different levels of governance, focusing on building the capacity of professionals and advocating for sustainable policy solutions; and
    Continue to provide programmatic and political support to relevant parliamentary committees across different levels of governance, including in relation to their legislative and oversight mandates as well as co-operation and co-ordination among parliamentary committees.

    MIL OSI Europe News

  • MIL-OSI Video: High-level visit from Croatia

    Source: World Trade Organization – WTO (video statements)

    Director-General Ngozi Okonjo-Iweala met with the Prime Minister of the Republic of Croatia, Andrej Plenkovic, on 20 May at the WTO. They discussed current trade challenges and shared concerns about the effects on the global economy. They emphasized the crucial role of the multilateral trading system, the need for reform of the WTO, and the importance of dialogue and negotiated outcomes at times of tension.

    https://www.youtube.com/watch?v=IgY7H4GxKdY

    MIL OSI Video

  • MIL-OSI Security: Third man charged as part of investigation into north London fires

    Source: United Kingdom London Metropolitan Police

    A third man has been charged as part of an investigation into a series of fires in north London.

    Petro Pochynok, 34 (25.07.90), of north London, a Ukrainian national [C], has been charged with conspiracy to commit arson with intent to endanger life, namely:

    • conspiring together with Roman Lavrynovych and Stanislav Carpiuc and others unknown to damage by fire property belonging to another,
    • intending to damage the property,
    • intending to endanger the life of another or being reckless as to whether the life of another would thereby be endangered.

    Pochynok is due to appear at Westminster Magistrates’ Court on Wednesday, 21 May at 10:00hrs.

    The charge, which was authorised by the Crown Prosecution Service, relates to a period from Thursday, 17 April to Tuesday, 13 May this year, in which three incidents took place – a vehicle fire in NW5 on Thursday, 8 May, a fire at the entrance of a property in N7 on Sunday, 11 May and a fire at a residential address in NW5 in the early hours of Monday, 12 May.

    All have connections with a high-profile public figure, and therefore officers from the Met’s Counter Terrorism Command led the investigation into the fires.

    Pochynok was arrested on Monday, 19 May, in the Chelsea area, SW3, on suspicion of conspiracy to commit arson with intent to endanger life.

    As part of the same investigation, Roman Lavrynovych, 21 (06.02.04), of Sydenham, a Ukrainian national [A], was charged with three counts of arson with intent to endanger life.

    He appeared at Westminster Magistrates’ Court on 16 May and was remanded in custody to appear at the Old Bailey on 6 June.

    Stanislav Carpiuc, 26 (15.07.98), of Romford, a Romanian national [B], has also been charged with conspiracy to commit arson with intent to endanger life.

    He appeared at Westminster Magistrates’ Court on Tuesday, 20 May and was remanded in custody to appear at the Old Bailey on 6 June.

    Anyone with information that could assist the investigation should call police on 101 quoting CAD 441/12 May.

    MIL Security OSI

  • MIL-Evening Report: Counts in Bradfield and Calwell become clearer, while Jacqui Lambie faces a possible problem in the Tasmanian Senate

    Source: The Conversation (Au and NZ) – By Adrian Beaumont, Election Analyst (Psephologist) at The Conversation; and Honorary Associate, School of Mathematics and Statistics, The University of Melbourne

    Counting in several extremely close seats continues, but some results have become clearer. In Liberal-held Bradfield, Teal candidate Nicolette Boele has taken the lead, while the Calwell distribution of preferences indicates an independent is on track to pass the Liberals and benefit from their preferences against Labor. Meanwhile, Jacqui Lambie may have a problem in the Tasmanian Senate contest.

    Labor has won 93 of the 150 House of Representatives seats, the Coalition 43, all Others 12 and two remain undecided (Bradfield and Calwell). After Tuesday’s split between the Liberals and Nationals, the ABC has the Liberals on 28 seats and the Nationals on 15, with the Liberals to form the official opposition.

    The Australian Electoral Commission has 18 Liberals, nine Nationals and 16 seats won by Queensland’s Liberal National Party. LNP members can caucus with either the Liberals or Nationals, so they are splitting 10–6 to the Liberals.

    I will continue to use Coalition in my coverage of this election, as the Liberal and National parties contested the election as the Coalition. It would be difficult to split the LNP vote into its Liberal and National components.

    In the close seats, Boele leads the Liberals by 43 votes in Bradfield. She had trailed by 43 votes before the final votes were counted on Monday. The Poll Bludger said the last 181 formal postals counted favoured Boele by 125–56, giving her 69% of that batch.

    Of the just over 14,000 total formal postal votes counted in Bradfield, the Liberals have won by 56.4–43.6. But late postals are often much better for the left than early ones.

    What’s happening now in Bradfield is a full distribution of preferences, in which candidates are excluded from the bottom up on primary votes. If the margin after this distribution is complete is under 100 votes, there will be an automatic recount.

    In Goldstein, Teal incumbent Zoe Daniel’s late surge has fallen short, as she trails Liberal Tim Wilson by 135 votes with everything counted, down from a 292-vote deficit last Thursday.

    As with Bradfield, there will now be a full distribution of preferences in Goldstein. If the margin after this distribution is under 100 votes, there will be a recount. Daniel could also request a recount, but even if there is a recount, Wilson is very likely to win.

    In Labor-held Calwell, which has 13 candidates, final primary votes were 30.5% Labor, 15.7% Liberals, 11.9% for independent Carly Moore, 10.7% for independent Joseph Youhana, 8.3% for the Greens and 6.9% for independent Samim Moslih.

    The danger for Labor is that either Moore or Youhana overtake the Liberals on the distribution of preferences, then beat Labor at the final count on Liberal preferences. The AEC has a page that is updated with each exclusion in the preference distribution.

    After six exclusions, the totals are 32.8% Labor, 17.1% Liberals, 14.7% Moore, 12.1% Youhana, 9.9% Greens, 7.9% Moslih and 5.6% One Nation (to be excluded next). Analyst Kevin Bonham says Moore needs 7.5% more than the Liberals to make the final two, and 67% of overall preferences to beat Labor. For Youhana, these figures are 13.4% and 69%.

    Lambie may have a problem in the Tasmanian Senate contest

    I have previously covered the Senate count. There have only been minor changes to the primary votes since that May 9 article. The Poll Bludger has modelled the state Senate contests using 2022 election preference flows.

    According to this model, Labor will win the last seat in New South Wales, Victoria, South Australia and Western Australia, but only narrowly in WA. In Tasmania, Jacqui Lambie and the Liberals would edge out Labor. As I wrote previously, this result would give Labor 30 of the 76 total senators, the Coalition 27, the Greens 11, One Nation two and others six.

    For a state, a quota is one-seventh of the vote or 14.3%. In Tasmania Labor has 2.48 quotas, the Liberals 1.65, the Greens 1.13, Jacqui Lambie 0.51, One Nation 0.35 and Legalise Cannabis 0.24. One Nation will be the last exclusion, and whichever of Labor, the Liberals or Lambie is last after One Nation’s preferences are distributed loses.

    There’s evidence that One Nation’s preferences have become better for the Coalition at this election than in 2022. In Capricornia, which had a One Nation primary vote of 15.5%, the LNP share of overall preferences increased nine points since 2022 to 62%.

    Lambie wants the salmon farming industry to stop farming in Macquarie Harbour and says they should move offshore. This stance could cost her preferences from One Nation and other right-aligned parties.

    I expect One Nation and other right-wing preferences in Tasmania to go strongly enough to the Liberals to give the Liberals one of the last two undecided seats, with the final seat between Labor and Lambie.

    Labor is pro-salmon farming, so perhaps Lambie could benefit from Greens and Animal Justice preferences (the Greens have a small surplus over one quota and Animal Justice has 0.09 quotas).

    Tasmanian poll and upper house elections

    A Tasmanian state EMRS poll, conducted May 13–17 from a sample of 1,000, gave Labor 31% of the vote (up one since February), the Liberals 29% (down five), the Greens 14% (up one), the Jacqui Lambie Network 6% (down two), independents 17% (up five) and others 4% (up one).

    Tasmania uses a proportional system for its lower house elections, so a two-party estimate is not applicable. Incumbent Liberal Premier Jeremy Rockliff’s net favourability was down four points to +6, while Labor leader Dean Winter’s was down one to +5. Rockliff led Winter by 44–32 as preferred premier (44–34 previously).

    Every May two or three of Tasmania’s 15 upper house seats are up for election for six-year terms. The Poll Bludger said Tuesday that current upper house standings are four Liberals, three Labor, one Green and seven independents. On Saturday there will be elections in Liberal-held Montgomery, Labor-held Pembroke and independent-held Nelson.

    European elections wrap

    I covered Sunday’s European elections in Romania, Portugal and Poland for The Poll Bludger. In Romania the centrist candidate defeated the far-right candidate by 53.6–46.4, but the left had a dismal result in Portugal. I also covered recounts in the April 28 Canadian election and polls ahead of the June 3 South Korean presidential election.

    Adrian Beaumont does not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and has disclosed no relevant affiliations beyond their academic appointment.

    ref. Counts in Bradfield and Calwell become clearer, while Jacqui Lambie faces a possible problem in the Tasmanian Senate – https://theconversation.com/counts-in-bradfield-and-calwell-become-clearer-while-jacqui-lambie-faces-a-possible-problem-in-the-tasmanian-senate-257122

    MIL OSI AnalysisEveningReport.nz

  • MIL-OSI Economics: DG Okonjo-Iweala welcomes Prime Minister Plenkovic of Croatia to the WTO

    Source: World Trade Organization

    DG Okonjo-Iweala complimented Croatia on its resilient and forward-looking economy, which is driven by services trade and digital transformation. Both leaders agreed that the WTO’s next Ministerial Conference in Cameroon in March 2026 is an important opportunity for reform of the WTO and for strengthening its role in governing global trade.

    MIL OSI Economics

  • MIL-OSI Europe: Highlights – Mission to Montenegro – 26-28.05.2025 – Committee on Budgets

    Source: European Parliament

    The Committee on Budgets (BUDG) is traveling to Montenegro to look into the implementation of the recently established Reform and Growth Facility for the Western Balkans, ongoing pre-accession support as well as the potential budgetary implications of Montenegro’s possible accession for the post-2027 Multi-Annual Financial Framework (MFF).

    The BUDG Members participating are Johan Van Overtveldt (Chair and Head of delegation, ECR), Karlo Ressler (EPP), Hélder Sousa Silva (EPP), Janusz Lewandowski (EPP), Jean-Marc Germain (S&D), Carla Tavares (S&D), Angéline Furet (PfE), Tomasz Buczek (ECR), Michele Picaro (ECR), Kai Tegethoff (Greens/EFA) and Thomas Waitz (Greens/EFA).

    MIL OSI Europe News

  • MIL-OSI: Societe Generale: Combined General Meeting and Board of Directors dated 20 May 2025

    Source: GlobeNewswire (MIL-OSI)

    COMBINED GENERAL MEETING AND BOARD OF DIRECTORS DATED 20 MAY 2025

    Press release

    Paris, 20 May 2025

    Combined General Meeting

    The General Meeting of shareholders of Societe Generale was held on 20 May 2025 at CNIT Forest, 2, Place de la Défense, 92092 Puteaux and was chaired by Mr. Lorenzo Bini Smaghi.

    Quorum was established at 64.34% (vs 55.61% in 2024):

    • 687 shareholders participated by attending the General Meeting in person at the place where it was held on 20 May 2025;
    • 1,057 shareholders were represented at the General Meeting by a person other than the Chairman;
    • 13,140 shareholders voted online;
    • 2,400 shareholders voted by post;
    • 8,767 shareholders, including 2,500 online, representing 1.07% of the share capital, gave proxy to the Chairman;
    • A total of 26,051 shareholders were present or represented and participated in the vote.

    An agenda item, on which no vote was held, was an opportunity to present and discuss with shareholders the Group’s climate strategy and social and environmental responsibility.

    In addition, 9 shareholders sent 56 written questions prior to the General Meeting. The answers were made public before the General Meeting on the institutional website.

    All the resolutions put forward by the Board of Directors were adopted, in particular:

    • The 2024 annual company accounts and annual consolidated accounts;
    • The dividend per share was set at EUR 1.09. It shall trade ex-dividend on 26 May 2025 and will be paid from 28 May 2025;
    • The renewal of two independent directors for 4 years: Mr. William Connelly and Mr. Henri Poupart-Lafarge;
    • The appointment of two independent directors for 4 years: Mr. Olivier Klein and Mrs. Ingrid-Helen Arnold;
    • The renewal of Mr. Sébastien Wetter’s mandate as Director representing the employee shareholders;
    • The compensation policy for the Chairman, Chief Executive Officer, the Deputy Chief Executive Officers and the Directors;
    • The components making up the total compensation and the benefits of any kind paid or awarded for the 2024 financial year to the Chairman, the Chief Executive Officer and the Deputy Chief Executive Officers;
    • The authorisation granted to the Board of Directors to purchase ordinary shares of the Company was renewed for 18 months up to 10% of the share capital;
    • The authorisation for capital increases, enabling the issue of shares in favour of employees under a company or group saving plan, was renewed for 26 months;
    • The amendments to the Articles of Association to take account of the entry into force of the “Loi Attractivité” (no. 2024-537 dated 13 June 2024).

    The detailed voting result is available this day on the Company’s website in the item “Annual General Meeting”.

    Board of Directors

    Following the renewals and appointments of directors, the Board of Directors is composed of 15 directors, including (i) 2 directors re-elected by the employees in March 2024 and (ii) 1 director representing employee shareholders appointed by the General Meeting and one non-voting director.

    Accordingly, the Board of Directors is composed as follows:

    • Mr. Lorenzo Bini Smaghi, Chairman;
    • Mr. Slawomir Krupa, Director;
    • Mrs. Ingrid-Helen Arnold, Director;
    • Mr. William Connelly, Director;
    • Mr. Jérôme Contamine, Director;
    • Mrs. Béatrice Cossa-Dumurgier, Director;
    • Mrs. Diane Côté, Director;
    • Mrs. Ulrika Ekman, Director;
    • Mrs. France Houssaye, Director elected by employees;
    • Mr. Olivier Klein, Director;
    • Mrs. Annette Messemer, Director;
    • Mr. Henri Poupart-Lafarge, Director;
    • Mr. Johan Praud, Director elected by employees;
    • Mr. Benoît de Ruffray, Director;
    • Mr. Sébastien Wetter, Director representing employee shareholders;
    • Mr. Jean-Bernard Lévy, Non-voting Director (“censeur”).

    The Board of Directors is made up of 41.7% women (5/12) and 91.7% independent directors (11/12) if the three directors representing the employees are excluded from the calculations, in accordance with paragraph 1 of Article L. 225-23 of the Commercial Code, paragraph 2 of Article L. 225-27 of the Commercial Code and the AFEP-MEDEF code. In order to ensure compliance with a forthcoming legislative change scheduled for mid-2026, the Board of Directors has already decided, for the General Meeting of May 2026, that shareholders will be invited to replace a male director, whose term of office will expire, with a female director.

    The Board of Directors held after the General Meeting has decided that, as of 20 May 2025, the Board committees will be composed as follows:

    • Audit and Internal Control Committee: Mr. Jérôme Contamine (chairman), Mrs. Diane Côté, Mrs. Ulrika Ekman, Mr. Olivier Klein and Mr. Sébastien Wetter;
    • Risk Committee: Mr. William Connelly (chairman), Mrs. Ingrid-Helen Arnold, Mrs. Béatrice Cossa Dumurgier, Mrs. Diane Côté, Mrs. Ulrika Ekman, Mr. Olivier Klein and Mrs. Annette Messemer;
    • Compensation Committee: Mrs. Annette Messemer (chairwoman), Mr. Jérôme Contamine, Mr. Benoît de Ruffray and Mrs. France Houssaye;
    • Nomination and Corporate Governance Committee: Mr. Henri Poupart-Lafarge (chairman), Mr. William Connelly, Mrs. Diane Côté and Mr. Benoît de Ruffray.

    Biographies

    Mr. William Connelly is a graduate of Georgetown University in Washington (US). He began his career in 1980 at Chase Manhattan Bank, where he worked for 10 years, before joining Baring Brothers from 1990 to 1995. He then held various executive positions within ING Group NV from 1995 until he became a member of The Management Board, where he was responsible for Wholesale Banking from 2011 to 2016. He was also the CEO of ING Real Estate from 2009 to 2015. In addition to his mandate as an independent director of Societe Generale since 2017, he currently is the Chairman of the Board of Directors of Amadeus IT Group and the Chairman of the Board of Directors of Aegon until the second half of 2025. He also served as an independent director of Singular Bank from February 2019 to April 2023. During its session on 10 April 2025, the Societe Generale Board of Directors selected William Connelly for the Chairmanship as of the General Meeting which will be held on 27 May 2026. He will succeed Lorenzo Bini Smaghi, who has been Chairman since 2015, and will have completed his third term.

    Mr. Henri Poupart-Lafarge is a graduate of École polytechnique, the École nationale des ponts et chaussées and the Massachusetts Institute of Technology (MIT). He began his career in 1992 at the World Bank in Washington D.C. before moving to the French Ministry of the Economy and Finance in 1994. He joined Alstom in 1998 as Head of Investor Relations and was in charge of Management Control. In 2000, he was appointed Chief Financial Officer of Transmission and Distribution at Alstom, a position he held until 2004. He was Chief Financial Officer of Alstom from 2004 until 2010 and became President of Alstom Grid from 2010 to 2011. On 4 July 2011, he became Chairman of Alstom Transport, before being appointed Chairman and Chief Executive Officer in February 2016, a position he held until June 2024. Since then, he has been Chief Executive Officer and Director of Alstom.

    Mr. Olivier Klein graduated from the Panthéon‑Sorbonne University in 1978 with a Bachelor’s degree in Economics, from the National School of Statistics and Economic Administration (ENSAE) in 1980, and from HEC’s graduate course in Finance in 1985. He began his career at the BFCE in 1985 and served as manager of the Foreign Exchange and Rate Risk Management Advisory Department, then as Director of the BFCE’s Investment Bank, and finally as Regional Director of its corporate bank. He joined the Caisse d’Epargne group in 1998 and was Chairman of the Executive Board of the Caisse d’Epargne Ile‑de‑France Ouest from 2000 to 2007 and then of the Caisse d’Epargne Rhône‑Alpes from 2007 to 2009. In January 2010, he was appointed Chief Executive Officer of Commercial Banking and Insurance of the BPCE group, a position he held until September 2012. He was Chief Executive Officer of the BRED group from October 2012 to May 2023. He was a Member of the Supervisory Board of BPCE and its Risk Committee between 2019 and May 2023. He has been Chief Executive Officer of Lazard Frères Banque SA and Managing Partner since September 2023. He has been teaching macroeconomics and monetary policy at HEC since 1986. He has been a director of Rexécode since 2018.

    Mrs. Ingrid-Helen Arnold graduated from the University of Applied Sciences Ludwigshafen in 1997 with a master’s degree in economics. She began her career at SAP SE in 1996, where she held various responsibilities related to innovation and digital transformation. In 2014, she was appointed Chief Information Officer and Business Processes and extended Member of the SAP Executive Committee. From 2016 to April 2021, she was President of SAP Business Data Network group in Palo Alto (United States) and SAP SE Walldorf (Germany). In 2021, she joined the Südzucker group as Chief Digital Officer and Information Technology and member of the Group’s Executive Committee. She has been Chief Executive Officer of KAKO GmbH since June 2024. She was a member of the Supervisory Board and a member of the Heineken group Audit Committee from 2019 to 2023. She has been a member of the TUI group Supervisory Board since 2020.

    Mr. Sébastien Wetter holds a Master’s degree in Fundamental Physics and graduated from the Lyons Business School (EM Lyon). He began his career at Societe Generale in 1997 in the Strategy and Marketing Division of Societe Generale’s retail bank. Working in the Group’s Organisation Consulting Department from 2002, he performed a range of roles in the Corporate & Investment Banking arm and helped roll out the Group-wide participatory Innovation programme. At the end of 2005, he joined the Commodities Market Department as Chief Operating Officer with a global remit, before becoming Head of Business Development in 2008. From 2010 until 2014, he served as General Secretary in the Group’s General Inspection and Audit Division. In 2014, he joined the Sales Division of the Corporate & Investment Bank arm, where he held a number of positions: Head of Marketing for major French and international clients, then, in 2016, Global Chief Operating Officer responsible for the sales teams covering financial institutions. From 2020 to December 2022, he was a banker managing Societe Generale’s relationship with international financial institutions. He has been a member of the Supervisory Board of the Fonds Commun de Placement d’Entreprise (FCPE) since May 2024.

    The regulatory declarations on the absence of conflicts of interest and the absence of convictions mentioned on page 140 of the Universal Registration Document filed by Societe Generale on 12 March 2025 with the French market authority (AMF) under number D.25-00088, relating notably to the three directors whose terms of office are renewed, remain valid, and the two new directors appointed with effect from the General Meeting of 20 May 2025 have made the same regulatory declarations.

    Press contacts:
    Jean-Baptiste Froville, +33 1 58 98 68 00, jean-baptiste.froville@socgen.com
    Fanny Rouby, +33 1 57 29 11 12, fanny.rouby@socgen.com

    Societe Generale

    Societe Generale is a top tier European Bank with around 119,000 employees serving more than 26 million clients in 62 countries across the world. We have been supporting the development of our economies for 160 years, providing our corporate, institutional, and individual clients with a wide array of value-added advisory and financial solutions. Our long-lasting and trusted relationships with the clients, our cutting-edge expertise, our unique innovation, our ESG capabilities and leading franchises are part of our DNA and serve our most essential objective – to deliver sustainable value creation for all our stakeholders.

    The Group runs three complementary sets of businesses, embedding ESG offerings for all its clients:

    • French Retail, Private Banking and Insurance, with leading retail bank SG and insurance franchise, premium private banking services, and the leading digital bank BoursoBank.
    • Global Banking and Investor Solutions, a top tier wholesale bank offering tailor-made solutions with distinctive global leadership in equity derivatives, structured finance and ESG.
    • Mobility, International Retail Banking and Financial Services, comprising well-established universal banks (in Czech Republic, Romania and several African countries), Ayvens (the new ALD I LeasePlan brand), a global player in sustainable mobility, as well as specialized financing activities.

    Committed to building together with its clients a better and sustainable future, Societe Generale aims to be a leading partner in the environmental transition and sustainability overall. The Group is included in the principal socially responsible investment indices: DJSI (Europe), FTSE4Good (Global and Europe), Bloomberg Gender-Equality Index, Refinitiv Diversity and Inclusion Index, Euronext Vigeo (Europe and Eurozone), STOXX Global ESG Leaders indexes, and the MSCI Low Carbon Leaders Index (World and Europe).

    In case of doubt regarding the authenticity of this press release, please go to the end of the Group News page on societegenerale.com website where official Press Releases sent by Societe Generale can be certified using blockchain technology. A link will allow you to check the document’s legitimacy directly on the web page.

    For more information, you can follow us on Twitter/X @societegenerale or visit our website societegenerale.com.

    The MIL Network

  • MIL-OSI Europe: Press release – Press briefing on the 21 – 22 May plenary session

    Source: European Parliament

    European Parliament’s spokespersons will hold a last-minute briefing on the 21 – 22 May plenary session on Wednesday at 14.30.

    When: Wednesday 21 May at 14.30

    Where: Anna Politkovskaya press room in Brussels and via Interactio

    Key topics next week include:

    • Debate on the EU’s response to the Israeli government’s plan to seize the Gaza Strip, and how to provide effective humanitarian support and secure the hostages’ release
    • Debate and vote on simplifying the EU’s carbon leakage instrument
    • Debate on the phasing-out of Russian gas, nuclear energy and oil imports
    • Vote on imposing new tariffs on fertilisers and additional ones on other agricultural products imported from Russia and Belarus
    • Debate on the new single market strategy
    • Debate on ways to make Europe more attractive to scientists
    • Formal sitting: Address by Nataša Pirc Musar, President of the Republic of Slovenia

    Interpretation of the press briefing will be available in English and French.

    Journalists wishing to participate actively and ask questions should connect via Interactio using this link: https://ep.interactio.eu/link/pressconfp1611820

    You can follow it live from 14.30 on Friday in Parliament’s Anna Politkovskaya press room or via Parliament’s webstreaming and EbS+.

    Information for the media – Use of Interactio to ask questions

    Interactio is only supported on iPads (with the Safari browser) and Mac/Windows (with the Google Chrome browser).

    When connecting, enter your name and the media you are representing in the first name / last name fields. For better sound quality, use headphones and a microphone. Interpretation is only possible for questions asked on video.

    Journalists who have never used Interactio before are asked to connect 30 minutes before the start of the press conference to perform a connection test. IT assistance can be provided if necessary. When connected, open the chat window (upper right corner) to be able to see the service messages.

    For more details, check the connection guidelines and recommendations for remote speakers.

    MIL OSI Europe News