Category: Environment

  • MIL-OSI USA: Ricketts Discusses Biofuels and Year-Round Nationwide E15 with Secretary Zeldin

    US Senate News:

    Source: United States Senator Pete Ricketts (Nebraska)

    WASHINGTON, D.C. – Today, during an Environment and Public Works Committee hearing with Administrator of the EPA Lee Zeldin, U.S. Senator Pete Ricketts (R-NE) discussed the importance of biofuels to Nebraskan farmers and reaffirmed the use of sound science and risk-based analysis in regulatory action. Ricketts underscored the value nationwide, year-round E15 offers for consumers, farmers, and the environment.

    “I know that everybody here knows that I love this committee because we get to talk about biofuels, so that’s what we’re going to do for a little bit here,” said Ricketts. “Supporting biofuels is consistent with President Trump’s mandate to unleash American energy. Year-round, nationwide E15 sales are a no-brainer in my humble opinion. It’s affordable, drives farm profits, and lessens energy reliance on adversaries.”

    Watch the hearing HERE.

    Ricketts’ comments were made in a hearing of the Committee on Environment and Public Works entitled: “The U.S. Environmental Protection Agency’s Proposed Fiscal Year 2026 Budget.” The witness was Environmental Protection Agency Administrator Lee Zeldin.

    BACKGROUND:

    Ricketts is co-leading bipartisan Congressional Review Act legislation to block the Biden EV mandate. He recently introduced the bipartisan Renewable Fuels for Ocean-Going Vessels Act to expand the use of biofuels on ships and has led bipartisan resolutions designating May as Renewable Fuels Month each of the last two years. Senator Ricketts is also supporting Senator Deb Fischer’s bill to make the year-round sale of E15 permanent across the country.

    MIL OSI USA News

  • MIL-OSI USA: Gillibrand Announces Bipartisan Legislation That Would Make Childbirth Free For Families With Private Insurance

    US Senate News:

    Source: United States Senator for New York Kirsten Gillibrand

    Today, U.S. Senator Kirsten Gillibrand held a virtual press conference to discuss her Supporting Healthy Moms and Babies Act, bipartisan legislation that would require insurance companies to fully cover the costs associated with childbirth, including labor and delivery and prenatal, neonatal, perinatal, and postpartum care. Even with insurance, childbirth can cost families thousands of dollars, and expenses are even greater for women who have additional health complications during pregnancy, a high-deductible health plan, or gaps in their coverage. As a result, new mothers are twice as likely as other young women to have medical debt. 

    The Supporting Healthy Moms and Babies Act would require that costs associated with birth be categorized as essential health benefits (EHB) and would remove the relevant services from insurance cost-sharing.

    Senators Cindy Hyde-Smith (R-MS), Tim Kaine (D-VA), and Josh Hawley (R-MO) cosponsor this legislation. 

    “The costs associated with having a baby can be astronomical, and we should be doing everything we can to lower them,” said Senator Gillibrand. “The fear of an enormous bill leads some women to delay seeking prenatal or postpartum care, or to avoid it entirely, which creates worse outcomes for both women and their babies. That is unacceptable. I am proud to be introducing this bipartisan legislation to require insurance companies to fully cover care throughout pregnancy and a year postpartum. I look forward to working with my colleagues across the aisle to get this bill passed.”

    The Supporting Healthy Moms and Babies Act would eliminate cost-sharing for a variety of services, including:

    • Ultrasounds
    • Delivery services, including anesthesiology, fetal monitoring, consultations with specialists, and services relating to postpartum health
    • Comprehensive postpartum care for physical and mental health conditions caused or exacerbated by pregnancy, such as diabetes, hypertension, obesity, and postpartum depression and anxiety
    • Mental health care and treatment for substance use disorder related to new parenthood for adoptive parents
    • Care for miscarriages

    The bill is expected to cause only a minor increase of $30 annually per enrollee in average premiums. Any rise in premiums due to covering out-of-pocket pregnancy costs will likely be less than annual inflation in premiums.

    The Supporting Healthy Moms and Babies Act is supported by medical providers and pro-family advocates, including the American College of Obstetrics and Gynecology, American Medical Association, American Hospital Association, American Society for Reproductive Medicine, Association of Women’s Health, Obstetrics and Neonatal Nurses, Association of Maternal and Child Health Programs, Catholic Health Association, March of Dimes, American Principles Project, Concerned Women for America, and the Jesuit Conference Office of Justice and Ecology.

    The full text of the legislation is available here.


  • MIL-OSI USA: Unlocking Albany’s Potential Through Revitalization

    Source: US State of New York


    The comprehensive approach to the CAP Initiative also includes up to $150 million to transform cultural experiences in and around Albany’s Downtown, such as renovating the New York State Museum and upgrading the exhibits to be more inviting to Albany families and tourists alike. It also includes funding to invest in improvements at the Empire State Plaza to strengthen connections with the surrounding community and make the space a vibrant and inviting part of the fabric of downtown Albany.

    Additionally, Governor Hochul has committed up to $40 million to advance plans to reimagine I-787 which would include reconnecting Albany and surrounding communities and enhancing access to the Hudson River waterfront. This summer, the New York State Department of Transportation (NYSDOT) will release a Planning and Environment Linkages (PEL) study on potential ways to reimagine I-787, a travel corridor in the Capital Region that provides high speed access to the City of Albany and other communities along the river, including Green Island, Watervliet and Menands. Building upon the work completed under the PEL study, up to $40 million will be utilized by NYSDOT to begin an Environmental Impact Statement, which will lay the groundwork for a future project along the I-787 corridor. The environmental review will examine ways to enhance waterfront access along the Hudson River for all users of the road, connect neighborhoods and key destinations in communities along the corridor, and address the infrastructure of I-787, the South Mall Expressway, the Dunn Memorial Bridge, and additional infrastructure along the study area.

    Governor Hochul previously announced $19.5 million in State investments to improve public safety in Albany, which included a $1 million commitment to the City of Albany Police Department and $500,000 for the Albany County Sheriff’s Office. These investments reflect a record level of State funding for public safety in the City of Albany and Capital Region. These resources are delivered through a series of nation-leading programs supported by the Division of Criminal Justice Services (DCJS), including the Gun Involved Violence Elimination (GIVE) initiative, the Capital Region Crime Analysis Center, the SNUG Street Outreach and Social Work Program and Project RISE (Respond, Invest, Sustain and Empower). Working together, these efforts have helped reduce violence and improve community safety.

    Albany is not only our great state’s capital city, it’s also a place I call home. This investment isn’t just about dollars and cents, it’s about jobs, innovation and a brighter future for our community.

    Governor Kathy Hochul

    Informed by input from local stakeholders and the community, the CAP Initiative will unfold through a comprehensive public engagement process to identify key opportunities to promote business development, bolster public safety, encourage housing, attract visitors and enhance affordability.

    Empire State Development President, CEO and Commissioner Hope Knight said, “Since Governor Hochul first proposed the Championing Albany’s Potential initiative in her State of the State, ESD has been working to establish the foundation upon which this historic investment in our Capital City will build. Working together, we will utilize this generational funding to support transformational projects that reflect the needs of those who live, work and visit the city, and encourage even more people to experience and explore Downtown Albany.”

    New York State Office of General Services Commissioner Jeanette Moy said, “The historic investment Governor Hochul is making through the Championing Albany’s Potential initiative will help revitalize our capital city. It will also strengthen the ties between state government and our neighbors living and working in the communities surrounding the Capitol and Empire State Plaza. CAP is a sustainable plan for long-term growth that will spur public-private partnerships, build a thriving city center, and create a vibrant downtown for residents and visitors alike.”

    New York State Homes & Community Renewal Commissioner RuthAnne Visnauskas said, “Albany deserves a downtown that is a place people want to visit, live, work, connect, and celebrate. It’s a place rich with history that has been wounded by planning decisions that negatively impacted entire neighborhoods. This $400 million investment will directly boost the city’s potential as an attractive destination by unwinding past mistakes and disinvestment. We’ve made strides recently in Governor Hochul’s administration, investing in upgrading affordable housing and reclaiming vacant land and buildings for development. Now, through CAP, there’s real momentum to rebuild, replan holistically with community involvement and revive our beautiful Capital City for those who live and work here now and for those who will enjoy its future.”

    New York State Department of Transportation Commissioner Marie Therese Dominguez said, “The Hudson River is one of the Capital Region’s greatest natural assets, and over the past few years the Department of Transportation has made key investments to reconnect residents and visitors with the waterfront, including projects like the Albany Skyway – a linear park; building the Empire State Trail and today, the Livingston Avenue Rail Bridge, which is currently in construction. The I-787 corridor is a vital piece in reimagining the City of Albany and its waterfront, which is why the Governor’s investment in the next stage of this project is so important. For a number of years now, the project team at NYSDOT has engaged with communities all along the Hudson River to gather ideas and feedback and most importantly, listen to local residents – the people who work and live here, on the future of this corridor. The funding for the next stage of this project – an Environmental Impact Statement – was included in this year’s budget and brings us one step closer to advancing from the ideation stage to the preliminary design and eventual construction phase, as we work to study the real potential this corridor offers for travel, recreation and tourism as well as economic growth throughout the Capital Region.”

    New York State Division of Criminal Justice Services Commissioner Rossana Rosado said, “Through Governor Hochul’s unparalleled leadership on public safety, cities across New York State are receiving record resources to ensure safer and stronger communities. These investments and initiatives – spanning evidence-based policing strategies, crime analysis center support, community violence interventions, and neighborhood empowerment programs – help keep New Yorkers safe, ensure a fair and effective justice system, and build opportunities for young people and families. Here in the Capital Region, DCJS is proud to support dozens of our law enforcement and community-based partners as they continue to drive down gun violence and crime.”

    State Senator Patricia Fahy said, “I’m incredibly proud that the core of our Capital Region and the 46th District, downtown Albany, will receive $400 million in transformative, once-in-a-generation funding. For years, I’ve engaged with our community to chart a new path forward for Albany that includes Reimagining I-787, making the State Museum a 21st Century destination-location, expanding the core of our Capital Region: downtown Albany, and so much more. That’s why I’m so proud this year’s budget includes $200 million for downtown revitalization, $150 million for upgrading the New York State Museum, $40 million for the next phase of the reimagining I-787 study, and $1 million for addressing public safety in our neighborhoods. Now, the hard work begins in earnest. I look forward to engaging our community, stakeholders, and residents as we move forward with this funding. Make no mistake: together, these initiatives will usher in a new day for the Capital Region, the impacts of which will be felt for years, if not generations to come—if we get it right. I want to thank my legislative colleagues and the Governor for recognizing the value of investing in our Capital City’s success, and for helping deliver this funding in this year’s state budget.”

    Assemblymember John T. McDonald III, RPh said, “This historic funding is incredible news for the City of Albany and the entire Capital Region. The revitalization of the New York State Museum, the reimagining of I-787, much-needed improvements to the Empire State Plaza and other investments are transformative projects that will enhance connectivity, celebrate our history, and create new opportunities for residents and visitors alike. These efforts reflect years of advocacy and collaboration, and I thank Governor Hochul for her continued commitment to supporting the City of Albany and strengthening the Capital Region as a whole.”

    Assemblymember Gabriella A. Romero said, “These investments truly are an investment in Albany’s potential and in making it a city all New Yorkers can be proud to call our capital. Revitalizing downtown, strengthening small business, expanding affordable housing – these are all valuable steps to uplift Albany. I thank the Governor for her leadership in championing this historic investment and Championing Albany’s Potential.”


    Albany County Executive Daniel P. McCoy said, “Governor Hochul’s Championing Albany’s Potential (CAP) Initiative has the potential to be transformational. It’s a historic commitment to the heart of Albany County that will bring new housing, new business, and new life into downtown. A reimagined Albany is exactly what we need, and I’m proud to stand with the governor in this effort.”

    Albany Mayor Kathy Sheehan said, “This $400 million investment is a testament to the hard work of the City of Albany over the last 12 years to be ready to write the next great chapter in the history of New York’s Capital City. The pandemic taught us that we need to reimagine our downtowns to get more feet on the street by creating more housing, supporting our small businesses, enhancing public safety, and attracting world-class amenities, and this transformative investment will do just that and more. To steal a phrase from President Biden, this is truly a ‘big effing deal.’ My sincere thanks and appreciation to Governor Hochul for seeing what we all see in the City of Albany: a city that’s full of pride and potential and ready to soar to even greater heights. I also want to thank Senator Fahy, Assemblymember Romero, and Assemblymember McDonald, as well as the entire State Legislature for making this critical investment in their home away from home.”

    Advance Albany County Alliance CEO Kevin O’Connor said, “The Advance Albany County Alliance thanks Governor Hochul for her thoughtful leadership and timely commitment to revitalizing New York’s Capital City. The City of Albany is not only the front door of state government, it is the heartbeat of Upstate New York’s fastest-growing county and the springboard for the local economy. The Governor’s disciplined approach through the CAP Initiative will ensure that state funding achieves the greatest possible positive impact. Through this partnership, we will supercharge our placemaking efforts, improve public spaces, secure a safe and welcoming downtown environment, and stimulate the central corridor of the Capital Region.”

    Capitalize Albany Corporation President Ashley Mohl said, “With Governor Hochul’s focus and support fueled by this historic more than $400 million investment, New York’s capital city stands on the brink of transformative growth. Our board and staff look forward to working with ESD and MIG alongside our many local and other state economic development partners to maximize this funding and seize this incredible opportunity. To build on the Governor’s CAP Initiative, Capitalize Albany is looking forward to advancing its planned solicitation for qualified development teams interested in acquisition and redevelopment of the Liberty Park site. Our RFP will engage the market directly with the aim to attract strong interest and a range of RFP responses. If you’re a developer or team with a project for the Liberty Park site, we welcome your response.”

    Downtown Albany BID Executive Director Georgette Steffens said, “In my 25 years of doing economic development in Downtown Albany, this is the largest investment we’ve ever seen. On behalf of nearly 200 property owners and over 120 restaurants and retail-related businesses, I want to express my profound gratitude to Governor Hochul and the Legislature for their commitment to Albany. We are already seeing the effects of the CAP initiative, with a renewed wave of investment interest in Downtown Albany beginning to percolate. The future of our city’s core is incredibly bright thanks to the Governor’s investment, and I look forward to working together to make Downtown a stronger and more vibrant place to live, work, and experience.”


  • MIL-OSI USA: Welch, Shaheen Lead 20 Colleagues in Call to Protect ENERGY STAR 

    US Senate News:

    Source: United States Senator Peter Welch (D-Vermont)
    WASHINGTON, D.C. — U.S. Senator Peter Welch, Ranking Member of the Senate Agriculture Subcommittee on Rural Development, Energy, and Credit, this week joined Senator Jeanne Shaheen (D-N.H.) in leading 20 of their colleagues urging the Trump Administration to immediately reverse course on its plan to illegally and unilaterally terminate the ENERGY STAR program. In their letter, the Senators highlight the cost-saving benefits of the program, which is projected to save the average American household $450 on utility bills each year simply by choosing ENERGY STAR certified products.  
    Since 1992, ENERGY STAR has reduced energy costs for American families and businesses by $500 billion, including $42 billion worth of savings in 2020 alone. For every federal dollar spent on ENERGY STAR, Americans have enjoyed $350 in savings. 
    “For over three decades, the ENERGY STAR program has lowered Americans’ energy bills by informing consumers about energy efficient products. The program has enjoyed bipartisan support since its creation under authority of Section 103 of the Clean Air Act, most recently receiving $35.7 million in fiscal year 2025 appropriations,” wrote the Senators. “Reporting has indicated, however, that the Environmental Protection Agency (EPA) plans to eliminate ENERGY STAR without Congressional approval. Not only is the program protected under federal statute and thus illegal for the Administration to terminate unilaterally, but this decision also lacks basic economic sense. We write to urge you to immediately reverse course.” 
    The Senators continued: “ENERGY STAR is the epitome of an effective public-private partnership. As the program’s administrators, EPA and the Department of Energy set qualifying energy efficiency standards for products. EPA also protects the integrity of the ENERGY STAR brand, ensuring it remains well-known, trusted, and indicative of a quality product. Appliance manufacturers then voluntarily display the ENERGY STAR label, notifying consumers that a product will reduce their energy consumption and lower utility bills. The program strengthens consumer choice by sharing critical product information.” 
    “Eliminating the ENERGY STAR program will not only raise energy costs for American families and businesses, but also inflict far-reaching economic harms, threatening industry jobs and the reliability of the grid at a time of growing demand. We again urge you to immediately reconsider eliminating this popular and effective Congressionally authorized program,” the Senators concluded. 
    Administered by the EPA and Department of Energy, ENERGY STAR is a voluntary, market-based program that has saved consumers billions of dollars annually. The ENERGY STAR program has cumulatively reduced four billion metric tons of harmful emissions and currently supports more than 790,000 American jobs manufacturing and installing ENERGY STAR products.  
    ENERGY STAR is strongly supported by a wide array of manufacturers, homebuilders, housing organizations, building owners, small businesses, and other organizations. In April, the U.S. Real Estate Industry sent a letter to the Trump Administration expressing its strong support for the ENERGY STAR program. Additionally, the U.S. Green Buildings Council partnered with the Alliance to Save Energy in leading over 1,000 organizations in urging the Trump Administration to protect the program and maintain full funding and staffing levels. 
    In addition to Senators Welch and Shaheen, the letter was signed by Senators Bernie Sanders (I-Vt.), John Fetterman (D-Pa.), Mazie Hirono (D-Hawaii), Angus King (I-Maine), Chris Coons (D-Del.), Ed Markey (D-Mass.), Sheldon Whitehouse (D-R.I.), Chris Van Hollen (D-Md.), Dick Durbin (D-Ill.), Tammy Baldwin (D-Wis.), Jeff Merkley (D-Ore.), Amy Klobuchar (D-Minn.), Brian Schatz (D-Hawaii), Lisa Blunt Rochester (D-Del.), Tina Smith (D-Minn.), Ron Wyden (D-Ore.), Martin Heinrich (D-N.M.), Richard Blumenthal (D-Conn.), Michael Bennet (D-Colo.), and Cory Booker (D-N.J.). 
    Read and download the full letter. 


  • MIL-OSI USA: Russian GRU Targeting Western Logistics Entities and Technology Companies

    News In Brief – Source: US Computer Emergency Readiness Team

    Executive Summary

    This joint cybersecurity advisory (CSA) highlights a Russian state-sponsored cyber campaign targeting Western logistics entities and technology companies. This includes those involved in the coordination, transport, and delivery of foreign assistance to Ukraine. Since 2022, Western logistics entities and IT companies have faced an elevated risk of targeting by the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (85th GTsSS), military unit 26165—tracked in the cybersecurity community under several names (see “Cybersecurity Industry Tracking”). The actors’ cyber espionage-oriented campaign, targeting technology companies and logistics entities, uses a mix of previously disclosed tactics, techniques, and procedures (TTPs). The authoring agencies expect similar targeting and TTP use to continue.

    Executives and network defenders at logistics entities and technology companies should recognize the elevated threat of unit 26165 targeting, increase monitoring and threat hunting for known TTPs and indicators of compromise (IOCs), and posture network defenses with a presumption of targeting.

    This cyber espionage-oriented campaign targeting logistics entities and technology companies uses a mix of previously disclosed TTPs and is likely connected to these actors’ wide scale targeting of IP cameras in Ukraine and bordering NATO nations.

    The following authors and co-sealers are releasing this CSA:

    • United States National Security Agency (NSA)
    • United States Federal Bureau of Investigation (FBI)
    • United Kingdom National Cyber Security Centre (NCSC-UK)
    • Germany Federal Intelligence Service (BND) Bundesnachrichtendienst
    • Germany Federal Office for Information Security (BSI) Bundesamt für Sicherheit in der Informationstechnik
    • Germany Federal Office for the Protection of the Constitution (BfV) Bundesamt für Verfassungsschutz
    • Czech Republic Military Intelligence (VZ) Vojenské zpravodajství
    • Czech Republic National Cyber and Information Security Agency (NÚKIB) Národní úřad pro kybernetickou a informační bezpečnost
    • Czech Republic Security Information Service (BIS) Bezpečnostní informační služba
    • Poland Internal Security Agency (ABW) Agencja Bezpieczeństwa Wewnętrznego
    • Poland Military Counterintelligence Service (SKW) Służba Kontrwywiadu Wojskowego
    • United States Cybersecurity and Infrastructure Security Agency (CISA)
    • United States Department of Defense Cyber Crime Center (DC3)
    • United States Cyber Command (USCYBERCOM)
    • Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
    • Canadian Centre for Cyber Security (CCCS)
    • Danish Defence Intelligence Service (DDIS) Forsvarets Efterretningstjeneste
    • Estonian Foreign Intelligence Service (EFIS) Välisluureamet
    • Estonian National Cyber Security Centre (NCSC-EE) Küberturvalisuse keskus
    • French Cybersecurity Agency (ANSSI) Agence nationale de la sécurité des systèmes d’information
    • Netherlands Defence Intelligence and Security Service (MIVD) Militaire Inlichtingen- en Veiligheidsdienst
       


    Introduction

    For over two years, the Russian GRU 85th GTsSS, military unit 26165—commonly known in the cybersecurity community as APT28, Fancy Bear, Forest Blizzard, BlueDelta, and a variety of other identifiers—has conducted this campaign using a mix of known tactics, techniques, and procedures (TTPs), including reconstituted password spraying capabilities, spearphishing, and modification of Microsoft Exchange mailbox permissions.
    In late February 2022, multiple Russian state-sponsored cyber actors increased the variety of cyber operations for purposes of espionage, destruction, and influence—with unit 26165 predominately involved in espionage. [1] As Russian military forces failed to meet their military objectives and Western countries provided aid to support Ukraine’s territorial defense, unit 26165 expanded its targeting of logistics entities and technology companies involved in the delivery of aid. These actors have also targeted Internet-connected cameras at Ukrainian border crossings to monitor and track aid shipments.
    Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 17. See Appendix A: MITRE ATT&CK tactics and techniques for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques. This advisory uses the MITRE D3FEND® framework, version 1.0.

    Description of Targets

    The GRU unit 26165 cyber campaign against Western logistics providers and technology companies has targeted dozens of entities, including government organizations and private/commercial entities across virtually all transportation modes: air, sea, and rail. These actors have targeted entities associated with the following verticals within NATO member states, Ukraine, and at international organizations: 

    • Defense Industry
    • Transportation and Transportation Hubs (ports, airports, etc.)
    • Maritime
    • Air Traffic Management
    • IT Services

    In the course of the targeting lifecycle, unit 26165 actors identified and conducted follow-on targeting of additional entities in the transportation sector that had business ties to the primary target, exploiting trust relationships to attempt to gain additional access [T1199].

    The actors also conducted reconnaissance on at least one entity involved in the production of industrial control system (ICS) components for railway management, though a successful compromise was not confirmed [TA0043].

    The countries with targeted entities include the following, as illustrated in Figure 1:

    • Bulgaria
    • Czech Republic
    • France
    • Germany
    • Greece
    • Italy
    • Moldova
    • Netherlands
    • Poland
    • Romania
    • Slovakia
    • Ukraine
    • United States
       
    Figure 1: Countries with Targeted Entities

    Initial Access TTPs

    Unit 26165 actors used several techniques to gain initial access to targeted entities, including (but not limited to):

    The actors abused vulnerabilities associated with a range of brands and models of small office/home office (SOHO) devices to facilitate covert cyber operations, as well as proxy malicious activity via devices with geolocation in proximity to the target [T1665]. [2]

    Credential Guessing/Brute Force

    Unit 26165 actors’ credential guessing [T1110.001] operations in this campaign exhibit some similar characteristics to those disclosed in the previous CSA “Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments.” [3] Based on victim network investigations, the current iteration of this TTP employs a similar blend of anonymization infrastructure, including the use of Tor and commercial VPNs [T1090.003]. The actors frequently rotated the IP addresses used to further hamper detection. All observed connections were made via encrypted TLS [T1573]. 

    Spearphishing

    GRU unit 26165 actors’ spearphishing emails included links [T1566.002] leading to fake login pages impersonating a variety of government entities and Western cloud email providers’ webpages. These webpages were typically hosted on free third-party services or compromised SOHO devices and often used legitimate documents associated with thematically similar entities as lures. The subjects of spearphishing emails were diverse and ranged from professional topics to adult themes. Phishing emails were frequently sent via compromised accounts or free webmail accounts [T1586.002, T1586.003]. The emails were typically written in the target’s native language and sent to a single targeted recipient. 

    Some campaigns employed multi-stage redirectors [T1104] verifying IP-geolocation [T1627.001] and browser fingerprints [T1627] to protect credential harvesting infrastructure or provide multifactor authentication (MFA) [T1111] and CAPTCHA relaying capabilities [T1056]. Connecting endpoints failing the location checks were redirected to a benign URL [T1627], such as msn.com. Redirector services used include:

    • Webhook[.]site
    • FrgeIO
    • InfinityFree
    • Dynu
    • Mocky
    • Pipedream
    • Mockbin[.]org

    The actors also used spearphishing to deliver malware (including HEADLACE and MASEPIE) executables [T1204.002] delivered via third-party services and redirectors [T1566.002], scripts in a mix of languages [T1059] (including BAT [T1059.003] and VBScript [T1059.005]) and links to hosted shortcuts [T1204.001].

    CVE Usage

    Throughout this campaign, GRU unit 26165 weaponized an Outlook NTLM vulnerability (CVE-2023-23397) to collect NTLM hashes and credentials via specially crafted Outlook calendar appointment invitations [T1187]. [4],[5] These actors also used a series of Roundcube CVEs (CVE-2020-12641, CVE-2020-35730, and CVE-2021-44026) to execute arbitrary shell commands [T1059], gain access to victim email accounts, and retrieve sensitive data from email servers [T1114].

    Since at least fall 2023, the actors leveraged a WinRAR vulnerability (CVE-2023-38831) allowing for the execution of arbitrary code embedded in an archive as a means of initial access [T1659]. The actors sent emails with malicious attachments [T1566.001] or embedded hyperlinks [T1566.002] that downloaded a malicious archive prepared using this CVE. 

    Post-Compromise TTPs

    After an initial compromise using one of the above techniques, unit 26165 actors conducted contact information reconnaissance to identify additional targets in key positions [T1589.002]. The actors also conducted reconnaissance of the cybersecurity department [T1591], individuals responsible for coordinating transport [T1591.004], and other companies cooperating with the victim entity [T1591.002].

    The actors used native commands and open source tools, such as Impacket and PsExec, to move laterally within the environment [TA0008]. Multiple Impacket scripts were used as .exe files, in addition to the Python versions, depending on the victim environment. The actors also moved laterally within the network using Remote Desktop Protocol (RDP) [T1021.001] to access additional hosts and attempt to dump Active Directory NTDS.dit domain databases [T1003.003] using native Active Directory Domain Services commands, such as the one shown in Figure 2:

    C:\Windows\system32\ntdsutil.exe "activate instance ntds" ifm "create full C:\temp\[a-z]{3}" quit quit

    Figure 2: Example Active Directory Domain Services command

    Additionally, GRU unit 26165 actors used the tools Certipy and ADExplorer.exe to exfiltrate information from the Active Directory. The actors installed python [T1059.006] on infected machines to enable the execution of Certipy. Accessed files were archived in .zip files prior to exfiltration [T1560]. The actors attempted to exfiltrate archived data via a previously dropped OpenSSH binary [T1048].

    Incident response investigations revealed that the actors would take steps to locate and exfiltrate lists of Office 365 users and set up sustained email collection. The actors used manipulation of mailbox permissions [T1098.002] to establish sustained email collection at compromised logistics entities, as detailed in a Polish Cybercommand blog. [6]

    After initial authentication, unit 26165 actors would change accounts’ folder permissions and enroll compromised accounts in MFA mechanisms to increase the trust-level of compromised accounts and enable sustained access [T1556.006]. The actors leveraged python scripts to retrieve plaintext passwords via Group Policy Preferences [T1552.006] using Get-GPPPassword.py and a modified ldap-dump.py to enumerate the Windows environment [T1087.002] and conduct a brute force password spray [T1110.003] via Lightweight Directory Access Protocol (LDAP). The actors would additionally delete event logs through the wevtutil utility [T1070.001].

    After gaining initial access to the network, the actors pursued further access to accounts with access to sensitive information on shipments, such as train schedules and shipping manifests. These accounts contained information on aid shipments to Ukraine, including: 

    • sender,
    • recipient,
    • train/plane/ship numbers,
    • point of departure,
    • destination,
    • container registration numbers,
    • travel route, and
    • cargo contents. 

    In at least one instance, the actors attempted to use voice phishing [T1566.004] to gain access to privileged accounts by impersonating IT staff.

    Malware

    Unit 26165’s use of malware in this campaign ranged from gaining initial access to establishing persistence and exfiltrating data. In some cases, the attack chain resulted in multiple pieces of malware being deployed in succession. The actors used dynamic link library (DLL) search order hijacking [T1574.001] to facilitate malware execution. There were a number of known malware variants tied to this campaign against logistics sector victims, including:

    • HEADLACE [7]
    • MASEPIE [8]

    While other malware variants, such as OCEANMAP and STEELHOOK, [8] were not directly observed targeting logistics or IT entities, their deployment against victims in other sectors in Ukraine and other Western countries suggests that they could be deployed against logistics and IT entities should the need arise.

    Persistence

    In addition to the abovementioned mailbox permissions abuse, unit 26165 actors also used scheduled tasks [T1053.005], run keys [T1547.001], and placed malicious shortcuts [T1547.009] in the startup folder to establish persistence. 

    Exfiltration

    GRU unit 26165 actors used a variety of methods for data exfiltration that varied based on the victim environment, including both malware and living off the land binaries. PowerShell commands [T1059.001] were often used to prepare data for exfiltration; for example, the actors prepared zip archives [T1560.001] for upload to their own infrastructure. 

    The actors also used server data exchange protocols and Application Programming Interfaces (APIs) such as Exchange Web Services (EWS) and Internet Message Access Protocol (IMAP) [T1114.002] to exfiltrate data from email servers. In multiple instances, the actors used periodic EWS queries [T1119] to collect new emails sent and received since the last data exfiltration [T1029]. The actors typically used infrastructure in close geographic proximity to the victim. Long gaps between exfiltration, the use of trusted and legitimate protocols, and the use of local infrastructure allowed for long-term collection of sensitive data to go undetected. 

    Connections to Targeting of IP Cameras

    In addition to targeting logistics entities, unit 26165 actors likely used access to private cameras at key locations, such as near border crossings, military installations, and rail stations, to track the movement of materials into Ukraine. The actors also used legitimate municipal services, such as traffic cams. 

    The actors targeted Real Time Streaming Protocol (RTSP) servers hosting IP cameras primarily located in Ukraine as early as March 2022 in a large-scale campaign, which included attempts to enumerate devices [T1592] and gain access to the cameras’ feeds [T1125]. Actor-controlled servers sent RTSP DESCRIBE requests destined for RTSP servers, primarily hosting IP cameras [T1090.002]. The DESCRIBE requests were crafted to obtain access to IP cameras located on logically distinct networks from that of the routers that received the request. The requests included Base64-encoded credentials for the RTSP server, which included publicly documented default credentials and likely generic attempts to brute force access to the devices [T1110]. An example of an RTSP request is shown in Figure 3.

    DESCRIBE rtsp://[IP ADDRESS] RTSP/1.0
    CSeq: 1
    Authorization: Basic
    User-Agent: WebClient
    Accept: application/sdp

    DESCRIBE rtsp://[IP ADDRESS] RTSP/1.0
    CSeq: 2
    Authorization: Digest username="admin", realm="[a-f0-9]{12}", algorithm="MD5", nonce="[a-f0-9]{32}", uri="", response="[a-f0-9]{32}"
    User-Agent: WebClient
    Accept: application/sdp

    Figure 3: Example RTSP request

    Successful RTSP 200 OK responses contained a snapshot of the IP camera’s image and IP camera metadata such as video codec, resolution, and other properties depending on the IP camera’s configuration. 
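
    The following is an added detection example, not code from the advisory or its authoring agencies: it parses captured RTSP requests shaped like Figure 3 and flags sources that send DESCRIBE requests to many cameras, cycle through Basic credentials, or present the Base64 string this advisory lists for Hikvision devices. The event layout, thresholds, addresses and credentials in the sample are constructed assumptions.

```python
import base64
import re
from collections import defaultdict

# Base64 value this advisory lists as the "Hikvision backdoor string".
HIKVISION_B64 = "YWRtaW46MTEK"
REQUEST_LINE = re.compile(r"^([A-Z_]+)\s+(\S+)\s+RTSP/\d\.\d$")


def parse_rtsp_request(raw):
    """Split one RTSP request into (method, uri, headers); header names lower-cased."""
    lines = [ln.strip() for ln in raw.splitlines() if ln.strip()]
    match = REQUEST_LINE.match(lines[0]) if lines else None
    if not match:
        raise ValueError("not an RTSP request")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return match.group(1), match.group(2), headers


def auth_details(headers):
    """Return (scheme, username, basic_token) from the Authorization header."""
    scheme, _, param = headers.get("authorization", "").partition(" ")
    scheme, param = scheme.lower(), param.strip()
    if scheme == "basic":
        try:
            decoded = base64.b64decode(param, validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error (malformed Base64) is a ValueError
            return "basic", None, param
        return "basic", decoded.split(":", 1)[0].strip() or None, param
    if scheme == "digest":
        user = re.search(r'username="([^"]*)"', param)
        return "digest", (user.group(1) if user else None), None
    return None, None, None


def hunt_rtsp(events, min_targets=3, min_credentials=3):
    """events: iterable of (source_ip, raw_request). Returns {source_ip: [findings]}."""
    targets, tokens, findings = defaultdict(set), defaultdict(set), defaultdict(set)
    for source, raw in events:
        try:
            method, uri, headers = parse_rtsp_request(raw)
        except ValueError:
            continue  # not RTSP, ignore
        if method != "DESCRIBE":
            continue
        targets[source].add(re.sub(r"^rtsp://", "", uri).split("/")[0])
        scheme, _user, token = auth_details(headers)
        if scheme == "basic":
            findings[source].add("basic-auth")  # credentials are only Base64-encoded
            if token:
                tokens[source].add(token)
            if token == HIKVISION_B64:
                findings[source].add("hikvision-string")
        if headers.get("user-agent") == "WebClient":
            findings[source].add("ua-webclient")  # weak signal on its own
    for source in targets:
        if len(targets[source]) >= min_targets:
            findings[source].add("many-cameras")
        if len(tokens[source]) >= min_credentials:
            findings[source].add("credential-guessing")
    return {source: sorted(found) for source, found in findings.items() if found}


def describe_request(host, auth, agent="WebClient"):
    """Build a constructed DESCRIBE request in the shape of Figure 3."""
    return (f"DESCRIBE rtsp://{host} RTSP/1.0\r\nCSeq: 1\r\nAuthorization: {auth}\r\n"
            f"User-Agent: {agent}\r\nAccept: application/sdp\r\n\r\n")


def basic_header(user, secret):
    return "Basic " + base64.b64encode(f"{user}:{secret}".encode()).decode()


# Constructed sample: documentation-range addresses and made-up credentials.
SAMPLE_EVENTS = [
    ("203.0.113.50", describe_request("198.51.100.11", basic_header("user1", "constructed-1"))),
    ("203.0.113.50", describe_request("198.51.100.12", basic_header("user2", "constructed-2"))),
    ("203.0.113.50", describe_request("198.51.100.13", basic_header("user3", "constructed-3"))),
    ("203.0.113.77", describe_request("198.51.100.11", "Basic " + HIKVISION_B64)),
    ("192.0.2.10", describe_request(
        "198.51.100.11",
        'Digest username="nvr", realm="cam", nonce="00", uri="", response="00"',
        agent="ExampleNVR/1.0")),
]

if __name__ == "__main__":
    for source, found in hunt_rtsp(SAMPLE_EVENTS).items():
        print(source, found)
```

    The WebClient User-Agent and Basic authentication also occur in legitimate traffic, so treat those two findings as context for the enumeration and credential-guessing findings rather than as alerts by themselves.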

    From a sample available to the authoring agencies of over 10,000 cameras targeted via this effort, the geographic distribution of victims showed a strong focus on cameras in Ukraine and border countries, as shown in Table 1:

    Table 1: Geographic distribution of targeted IP cameras

    Country  | Percentage of Total Attempts
    Ukraine  | 81.0%
    Romania  | 9.9%
    Poland   | 4.0%
    Hungary  | 2.8%
    Slovakia | 1.7%
    Others   | 0.6%

    Mitigation Actions

    General Security Mitigations

    Architecture and Configuration

    • Employ appropriate network segmentation [D3-NI] and restrictions to limit access and utilize additional attributes (such as device information, environment, and access path) when making access decisions [D3-AMED].
      • Consider Zero Trust principles when designing systems. Base product choices on how those products can solve specific risks identified as part of the end-to-end design. [9]
    • Ensure that host firewalls and network security appliances (e.g., firewalls) are configured to only allow legitimately needed data flows between devices and servers to prevent lateral movement [D3-ITF]. Alert on attempts to connect laterally between host devices or other unusual data flows.
    • Use automated tools to audit access logs for security concerns and identify anomalous access requests [D3-RAPA].
    • For organizations using on-premises authentication and email services, block and alert on NTLM/SMB requests to external infrastructure [D3-OTF].
    • Utilize endpoint detection and response (EDR) and other cybersecurity solutions on all systems, prioritizing high value systems with large amounts of sensitive data such as mail servers and domain controllers [D3-PM] first.
      • Perform threat and attack modeling to understand how sensitive systems may be compromised within an organization’s specific architecture and security controls. Use this to develop a monitoring strategy to detect compromise attempts and select appropriate products to enact this strategy.
    • Collect and monitor Windows logs for certain events, especially for events that indicate that a log was cleared unexpectedly [D3-SFA].
    • Enable optional security features in Windows to harden endpoints and mitigate initial access techniques [D3-AH]:
      • Enable attack surface reduction rules to prevent executable content from email [D3-ABPI].
      • Enable attack surface reduction rules to prevent execution of files from globally writeable directories, such as Downloads or %APPDATA% [D3-EAL].
      • Unless users are involved in the development of scripts, limit the local execution of scripts (such as batch scripts, VBScript, JScript/JavaScript, and PowerShell [10]) to known scripts [D3-EI], and audit execution attempts.
      • Disable Windows Host Scripting functionality and configure PowerShell to run in Constrained mode [D3-ACH].
    • Where feasible, implement allowlisting for applications and scripts to limit execution to only those needed for authorized activities, blocking all others by default [D3-EAL].
    • Consider using open source SIGMA rules as a baseline for detecting and alerting on suspicious file execution or command parameters [D3-PSA].
    • Use services that provide enhanced browsing services and safe link checking [D3-URA]. Significant reductions in successful spearphishing attempts were noted when email providers began offering link checking and automatic file detonation to block malicious content.
    • Where possible, block logins from public VPNs, including exit nodes in the same country as target systems, or, if they need to be allowed, alert on them for further investigation. Most organizations should not need to allow incoming traffic, especially logins to systems, from VPN services [D3-NAM].
    • Educate users to only use approved corporate systems for relevant government and military business and avoid the use of personal accounts on cloud email providers to conduct official business. Network administrators should also audit both email and web request logs to detect such activity.

    Many organizations may not need to allow outgoing traffic to hosting and API mocking services, which are frequently used by GRU unit 26165. Organizations should consider alerting on or blocking the following services, with exceptions allowlisted for legitimate activity [D3-DNSDL].


    Heuristic detections for web requests to new subdomains, including of the above providers, may uncover malicious phishing activity [D3-DNRA]. Logging the requests for each sub-domain requested by users on a network, such as in DNS or firewall logs, may enable system administrators to identify new targeting and victims.
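
    One way to implement this heuristic, as an added example that is not part of the advisory: the script reads DNS query log lines, keeps only names that are subdomains of watched providers, and reports each subdomain not already in a baseline together with the clients that requested it. The log layout, baseline and sample lines are constructed assumptions; the four provider patterns are taken from this advisory.

```python
import re

# A few of the provider patterns named in this advisory, in its defanged notation.
WATCHED = ["*.webhook[.]site", "*.mockbin[.]org", "*.mocky[.]io", "*.pipedream[.]net"]
# Assumed log layout (constructed): "<timestamp> client=<ip> query=<fqdn>", oldest first.
LOG_LINE = re.compile(r"^(\S+)\s+client=(\S+)\s+query=(\S+)$")


def to_suffix(pattern):
    """Turn '*.webhook[.]site' into the plain suffix 'webhook.site'."""
    return pattern.replace("[.]", ".").lower().lstrip("*").strip(".")


def normalise(fqdn):
    """Lower-case a queried name and drop the trailing root dot."""
    return fqdn.lower().rstrip(".")


def provider_of(fqdn, suffixes):
    """Return the watched suffix that fqdn is a subdomain of, or None.

    Matching is on label boundaries, so 'notwebhook.site' does not match 'webhook.site'.
    """
    name = normalise(fqdn)
    for suffix in suffixes:
        if name.endswith("." + suffix):
            return suffix
    return None


def first_seen_subdomains(log_lines, watched=WATCHED, baseline=()):
    """Return {fqdn: {provider, first_seen, clients}} for subdomains not in the baseline."""
    suffixes = [to_suffix(pattern) for pattern in watched]
    known = {normalise(name) for name in baseline}
    hits = {}
    for line in log_lines:
        match = LOG_LINE.match(line.strip())
        if not match:
            continue  # skip lines that do not follow the assumed layout
        timestamp, client, query = match.groups()
        name = normalise(query)
        provider = provider_of(name, suffixes)
        if provider is None or name in known:
            continue
        entry = hits.setdefault(
            name, {"provider": provider, "first_seen": timestamp, "clients": []})
        if client not in entry["clients"]:
            entry["clients"].append(client)
    return hits


# Subdomains already reviewed and allowlisted for legitimate use (constructed).
BASELINE = {"build-hooks.pipedream.net"}

# Constructed sample log lines.
SAMPLE_LOG = [
    "2025-05-20T08:01:12Z client=10.1.4.23 query=a1b2c3.webhook.site",
    "2025-05-20T08:03:40Z client=10.1.4.23 query=docs-portal.mocky.io.",
    "2025-05-20T08:05:02Z client=10.1.7.88 query=A1B2C3.webhook.site",
    "2025-05-20T08:06:30Z client=10.1.9.5 query=notwebhook.site",
    "2025-05-20T08:07:45Z client=10.1.2.14 query=build-hooks.pipedream.net",
    "2025-05-20T08:09:00Z client=10.1.2.14 query=www.example.org",
]

if __name__ == "__main__":
    for fqdn, info in first_seen_subdomains(SAMPLE_LOG, baseline=BASELINE).items():
        print(fqdn, info["provider"], info["first_seen"], ",".join(info["clients"]))
```

    Feeding each run's results back into the baseline keeps the output limited to subdomains that are new since the last review.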

    Identity and Access Management

    Organizations should take measures to ensure strong access controls and mitigate against common credential theft techniques: 

    • Use MFA with strong factors, such as passkeys or PKI smartcards, and require regular re-authentication [D3-MFA]. [11], [12] Strong authentication factors are not guessable using dictionary techniques, so they resist brute force attempts.
    • Implement other mitigations for privileged accounts, including limiting the number of admin accounts, considering using hardware MFA tokens, and regularly reviewing all privileged user accounts [D3-JFAPA].
    • Separate privileged accounts by role and alert on misuse of privileged accounts [D3-UAP]. For example, email administrator accounts should be different from domain administrator accounts.
    • Reduce reliance on passwords; instead, consider using services like single sign-on [D3-TBA].
      • For organizations using on-premises authentication and email services, plan to disable NTLM entirely and migrate to more robust authentication processes such as PKI certificate authentication.
    • Do not store passwords in Group Policy Preferences (GPP). Remove all passwords previously included in GPP and change all passwords on the corresponding accounts [D3-CH]. [13]
    • Use account throttling or account lockout [D3-ANET]:
      • Throttling is preferred to lockout. Throttling progressively increases time delay between successive login attempts.
      • Account lockout can leave legitimate users unable to access their accounts and requires access to an account recovery process.
      • Account lockout can provide a malicious actor with an easy way to launch a Denial of Service (DoS).
      • If using lockout, then allowing 5 to 10 attempts before lockout is recommended.
    • Use a service to check for compromised passwords before using them [D3-SPP]. For example, “Have I Been Pwned” can be used to check whether a password has been previously compromised without disclosing the potential password.
    • Change all default credentials [D3-CRO] and disable protocols that use weak authentication (e.g., clear-text passwords or outdated and vulnerable authentication or encryption protocols) or do not support multi-factor authentication [D3-ACH] [D3-ET]. Always configure access controls carefully to ensure that only well-maintained and well-authenticated accounts have access. [13]

    IP Camera Mitigations

    The following mitigation techniques for IP cameras can be used to defend against this type of malicious activity:

    • Ensure IP cameras are currently supported. Replace devices that are out of support.
    • Apply security patches and firmware updates to all IP cameras [D3-SU].
    • Disable remote access to the IP camera, if unnecessary [D3-ITF].
    • Ensure cameras are protected by a security appliance, if possible, such as by using a firewall to prevent communication with the camera from IP addresses not on an allowlist [D3-NAM].
    • If remote access to IP camera feeds is required, ensure authentication is enabled [D3-AA] and use a VPN to connect remotely [D3-ET]. Use MFA for management accounts if supported [D3-MFA].
    • Disable Universal Plug and Play (UPnP), Peer-to-Peer (P2P), and Anonymous Visit features on IP cameras and routers [D3-NI].
    • Turn off other ports/services not in use (e.g., FTP, web interface, etc.) [D3-ACH].
    • If supported, enable authenticated RTSP access only [D3-AA].
    • Review all authentication activity for remote access to make sure it is valid and expected [D3-UBA]. Investigate any unexpected or unusual activity.
    • Audit IP camera user accounts to ensure they are an accurate reflection of your organization and that they are being used as expected [D3-UAP].
    • Configure, tune, and monitor logging—if available—on the IP camera.

    Indicators of Compromise (IOCs)

    Note: Specific IoCs may no longer be actor controlled, may themselves be compromised infrastructure or email accounts, or may be shared infrastructure such as public VPN or Tor exit nodes. Care should be taken when triaging logs or developing detection rules based on these indicators. GRU unit 26165 almost certainly uses extensive further infrastructure and TTPs not specifically listed in this report.

    Utilities and scripts

    Legitimate utilities

    Unauthorized or unusual use of the following legitimate utilities can be an indication of a potential compromise:

    • ntdsutil – A legitimate Windows executable used by threat actors to export contents of Active Directory
    • wevtutil – A legitimate Windows executable used by threat actors to delete event logs
    • vssadmin – A legitimate Windows executable possibly used by threat actors to make a copy of the server’s C: drive
    • ADexplorer – A legitimate Windows executable to view, edit, and backup Active Directory Certificate Services
    • OpenSSH – The Windows version of a legitimate open source SSH client
    • schtasks – A legitimate Windows executable used to create persistence using scheduled tasks
    • whoami – A legitimate Windows executable used to retrieve the name of the current user
    • tasklist – A legitimate Windows executable used to retrieve the list of running processes
    • hostname – A legitimate Windows executable used to retrieve the device name
    • arp – A legitimate Windows executable used to retrieve the ARP table for mapping the network environment
    • systeminfo – A legitimate Windows executable used to retrieve a comprehensive summary of device and operating system information
    • net – A legitimate Windows executable used to retrieve detailed user information
    • wmic – A legitimate Windows executable used to interact with Windows Management Instrumentation (WMI), such as to retrieve letters assigned to logical partitions on storage drives
    • cacls – A legitimate Windows executable used to modify permissions on files
    • icacls – A legitimate Windows executable used to modify permissions to files and handle integrity levels and ownership
    • ssh – A legitimate Windows executable used to establish network shell connections
    • reg – A legitimate Windows executable used to add to or modify the system registry 

    Note: Additional heuristics are needed for effective hunting for these and other living off the land (LOTL) binaries to avoid being overwhelmed by false positives if these legitimate management tools are used regularly. See the joint guide, Identifying and Mitigating Living Off the Land Techniques, for guidance on developing a multifaceted cybersecurity strategy that enables behavior analytics, anomaly detection, and proactive hunting, which are part of a comprehensive approach to mitigating cyber threats that employ LOTL techniques.

    Malicious scripts

    • Certipy – An open source python tool for enumerating and abusing Active Directory Certificate Services
    • Get-GPPPassword.py – An open source python script for finding insecure passwords stored in Group Policy Preferences
    • ldap-dump.py – A script for enumerating user accounts and other information in Active Directory
    • Hikvision backdoor string: “YWRtaW46MTEK”

    Suspicious command lines

    While the following utilities are legitimate, and using them with the command lines shown may also be legitimate, these command lines are often used during malicious activities and could be an indication of a compromise:

    • edge.exe “-headless-new -disable-gpu”
    • ntdsutil.exe “activate instance ntds” ifm “create full C:\temp\[a-z]{3}” quit quit
    • ssh -Nf
    • schtasks /create /xml
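
    The four command lines above expressed as hunting logic over process-creation events, as an added example that is not part of the advisory. The event fields (host, user, command_line), the regular expressions and the sample events are constructed assumptions; hosts are ranked by how many distinct patterns they triggered, since a single hit can be legitimate administration.

```python
import re
from collections import defaultdict

# One pattern per command line listed above. Matching is case-insensitive except
# for the ssh options, because -N and -f are case-sensitive flags.
RULES = {
    "edge-headless": re.compile(
        r"\b(?:ms)?edge(?:\.exe)?\b.*-{1,2}headless[=-]new\b.*-{1,2}disable-gpu\b", re.I),
    "ntdsutil-ifm": re.compile(
        r"\bntdsutil(?:\.exe)?\b.*activate instance ntds.*\bifm\b"
        r".*create full\s+c:\\temp\\[a-z]{3}\b", re.I),
    "ssh-nf": re.compile(r'\bssh(?:\.exe)?"?\s+(?:\S+\s+)*?-(?-i:Nf|fN)\b', re.I),
    "schtasks-xml": re.compile(r"\bschtasks(?:\.exe)?\b.*/create\b.*/xml\b", re.I),
}
# Logs and reports sometimes carry typographic quotes; fold them to plain ones.
QUOTES = str.maketrans({"\u201c": '"', "\u201d": '"'})


def match_rules(command_line):
    """Return the sorted names of all patterns that match one command line."""
    text = command_line.translate(QUOTES)
    return sorted(name for name, rule in RULES.items() if rule.search(text))


def hunt_command_lines(events):
    """Return [(host, matched_rule_names, hit_count)], most distinct rules first."""
    per_host = defaultdict(lambda: {"rules": set(), "hits": 0})
    for event in events:
        matched = match_rules(event["command_line"])
        if matched:
            per_host[event["host"]]["rules"].update(matched)
            per_host[event["host"]]["hits"] += 1
    ranked = sorted(per_host.items(), key=lambda item: (-len(item[1]["rules"]), item[0]))
    return [(host, sorted(data["rules"]), data["hits"]) for host, data in ranked]


# Constructed sample events (host names, users and paths are made up).
SAMPLE_EVENTS = [
    {"host": "WS-014", "user": "j.doe", "command_line":
        r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless=new --disable-gpu'},
    {"host": "WS-014", "user": "j.doe", "command_line":
        r"schtasks /create /tn ExampleTask /xml C:\Users\Public\task.xml"},
    {"host": "DC-01", "user": "svc-backup", "command_line":
        r'C:\Windows\system32\ntdsutil.exe "activate instance ntds" ifm "create full C:\temp\abc" quit quit'},
    {"host": "WS-022", "user": "a.lee", "command_line": "ssh.exe -Nf svc@192.0.2.44"},
    {"host": "WS-030", "user": "helpdesk", "command_line": "schtasks /query /fo LIST"},
    {"host": "WS-030", "user": "helpdesk", "command_line": "ssh admin@192.0.2.9"},
]

if __name__ == "__main__":
    for host, rules, hits in hunt_command_lines(SAMPLE_EVENTS):
        print(f"{host}: {hits} matching event(s), rules={rules}")
```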

    Outlook CVE Exploitation IOCs


    Commonly Used Webmail Providers

    • portugalmail[.]pt
    • mail-online[.]dk
    • email[.]cz
    • seznam[.]cz

    Malicious Archive Filenames Involving CVE-2023-38831

    • calc.war.zip
    • news_week_6.zip
    • Roadmap.zip
    • SEDE-PV-2023-10-09-1_EN.zip
    • war.zip
    • Zeyilname.zip

    Brute Forcing IP Addresses

    Disclaimer: These IP addresses date from June 2024 through August 2024. The authoring agencies recommend organizations investigate or vet these IP addresses prior to taking action, such as blocking.


    Detections

    Customized NTLM listener

    rule APT28_NTLM_LISTENER {
        meta:
            description = "Detects NTLM listeners including APT28's custom one"
        strings:
            $command_1 = "start-process powershell.exe -WindowStyle hidden"
            $command_2 = "New-Object System.Net.HttpListener"
            $command_3 = "Prefixes.Add('http://localhost:8080/')"
            $command_4 = "-match 'Authorization'"
            $command_5 = "GetValues('Authorization')"
            $command_6 = "Request.RemoteEndPoint.Address.IPAddressToString"
            $command_7 = "@(0x4e,0x54,0x4c,0x4d, 0x53,0x53,0x50,0x00,0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x28,0x00,0x00,0x01,0x82,0x00,0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)"
            $command_8 = ".AllKeys"

            $variable_1 = "$NTLMAuthentication" nocase
            $variable_2 = "$NTLMType2" nocase
            $variable_3 = "$listener" nocase
            $variable_4 = "$hostip" nocase
            $variable_5 = "$request" nocase
            $variable_6 = "$ntlmt2" nocase
            $variable_7 = "$NTLMType2Response" nocase
            $variable_8 = "$buffer" nocase
        condition:
            5 of ($command_*)
            or
            all of ($variable_*)
    }

    HEADLACE shortcut

    rule APT28_HEADLACE_SHORTCUT {
        meta:
            description = "Detects the HEADLACE backdoor shortcut dropper. Rule is meant for threat hunting."
        strings:
            $type = "[InternetShortcut]" ascii nocase
            $url  = "file://"
            $edge = "msedge.exe"
            $icon = "IconFile"
        condition:
            all of them
    }

    HEADLACE credential dialogbox phishing 

    rule APT28_HEADLACE_CREDENTIALDIALOG {
        meta:
            description = "Detects scripts used by APT28 to lure user into entering credentials"
        strings:
            $command_1 = "while($true)"
            $command_2 = "Get-Credential $(whoami)"
            $command_3 = "Add-Content"
            $command_4 = ".UserName"
            $command_5 = ".GetNetworkCredential().Password"
            $command_6 = "GetNetworkCredential().Password.Length -ne 0"
        condition:
            5 of them
    }

    HEADLACE core script

    rule APT28_HEADLACE_CORE {
        meta:
            description = "Detects HEADLACE core batch scripts"
        strings:
            $chcp = "chcp 65001" ascii
            // Double quotes inside a YARA text string must be escaped.
            $headless = "start \"\" msedge --headless=new --disable-gpu" ascii

            $command_1 = "taskkill /im msedge.exe /f" ascii
            $command_2 = "whoami>\"%programdata%" ascii
            $command_3 = "timeout" ascii
            $command_4 = "copy \"%programdata%" ascii

            $non_generic_del_1 = "del /q /f \"%programdata%" ascii
            $non_generic_del_3 = "del /q /f \"%userprofile%\\Downloads" ascii

            $generic_del = "del /q /f" ascii
        condition:
            (
                $chcp
                and
                $headless
            )
            and
            (
                1 of ($non_generic_del_*)
                or
                ($generic_del)
                or
                3 of ($command_*)
            )
    }

    MASEPIE

    rule APT28_MASEPIE {
        meta:
            description = "Detects MASEPIE python script"
        strings:
            $masepie_unique_1 = "os.popen('whoami').read()"
            $masepie_unique_2 = "elif message == 'check'"
            $masepie_unique_3 = "elif message == 'send_file':"
            $masepie_unique_4 = "elif message == 'get_file'"
            $masepie_unique_5 = "enc_mes('ok'"
            $masepie_unique_6 = "Bad command!'.encode('ascii'"
            $masepie_unique_7 = "{user}{SEPARATOR}{k}"
            // The double quote inside the string is escaped for YARA.
            $masepie_unique_8 = "raise Exception(\"Reconnect"
        condition:
            3 of ($masepie_unique_*)
    }

    STEELHOOK

    rule APT28_STEELHOOK {
        meta:
            description = "Detects APT28's STEELHOOK powershell script"
        strings:
            // Path separators in $s_1 to $s_4 are written as single backslashes, which is
            // an assumption; confirm against the published advisory before relying on this rule.
            $s_1 = "$($env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Local State)"
            $s_2 = "$($env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Login Data)"
            $s_3 = "$($env:LOCALAPPDATA\\Microsoft\\Edge\\User Data\\Local State)"
            $s_4 = "$($env:LOCALAPPDATA\\Microsoft\\Edge\\User Data\\Default\\Login Data)"
            $s_5 = "os_crypt.encrypted_key"
            $s_6 = "System.Security.Cryptography.DataProtectionScope"
            $s_7 = "[system.security.cryptography.protectdata]::Unprotect"
            $s_8 = "Invoke-RestMethod"
        condition:
            all of them
    }

    PSEXEC

    rule GENERIC_PSEXEC {
        meta:
            description = "Detects SysInternals PSEXEC executable"
        strings:
            $sysinternals_1 = "SYSINTERNALS SOFTWARE LICENCE TERMS"
            $sysinternals_2 = "/accepteula"
            $sysinternals_3 = "Software\\Sysinternals"
            // Backslashes in the share and device paths are escaped for YARA.
            $network_1 = "\\\\%s\\IPC$"
            $network_2 = "\\\\%s\\ADMIN$\\%s"
            $network_3 = "\\Device\\LanmanRedirector\\%s\\ipc$"
            $psexec_1 = "PSEXESVC"
            $psexec_2 = "PSEXEC-{}-"
            $psexec_3 = "Copying %s to %s..."
            $psexec_4 = "gPSINFSVC"
        condition:
            (
                // MZ header followed by a PE signature at the offset stored at 0x3c
                ( uint16( 0x0 ) == 0x5a4d )
                and
                ( uint16( uint32( 0x3c )) == 0x4550 )
            )
            and
                filesize < 1024KB
            and
            (
                ( any of ($sysinternals_*) and any of ($psexec_*) )
                or
                ( 2 of ($network_*) and 2 of ($psexec_*) )
            )
    }

    The cybersecurity industry provides overlapping cyber threat intelligence, IOCs, and mitigation recommendations related to GRU unit 26165 cyber actors. While not all encompassing, the following are the most notable threat group names related under MITRE ATT&CK G0007 and commonly used within the cybersecurity community: 

    • APT28 [14]
    • Fancy Bear [14]
    • Forest Blizzard [14]
    • Blue Delta [15]

    Note: Cybersecurity companies have different methods of tracking and attributing cyber actors, and this may not be a 1:1 correlation to the U.S. government’s understanding for all activity related to these groupings.

    Further Reference

    To search for the presence of malicious email messages targeting CVE-2023-23397, network defenders may consider using the script published by Microsoft: https://aka.ms/CVE-2023-23397ScriptDoc. 

    For the Impacket TTP, network defenders may consider using the following publicly available Impacket YARA detection rule:
    https://github.com/Neo23x0/signature-base/blob/master/yara/gen_impacket_tools.yar

    Works Cited

    [1] Microsoft. Defending Ukraine: Early Lessons from the Cyber War. 2022. https://blogs.microsoft.com/on-the-issues/2022/06/22/defending-ukraine-early-lessons-from-the-cyber-war/  
    [2] FBI et al. Russian Cyber Actors Use Compromised Routers to Facilitate Cyber Operations. 2024. https://media.defense.gov/2024/Feb/27/2003400753/-1/-1/0/CSA-Russian-Actors-Use-Routers-Facilitate-Cyber_Operations.PDF   
    [3] NSA et al. Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. 2021. https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/0/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF 
    [4] ANSSI. Campagnes d'attaques du mode opératoire APT28 depuis 2021. 2023. https://cert.ssi.gouv.fr/cti/CERTFR-2023-CTI-009/  
    [5] ANSSI. Targeting and compromise of french entities using the APT28 intrusion set. 2025. https://cert.ssi.gouv.fr/cti/CERTFR-2025-CTI-007/   
    [6] Polish Cyber Command. Detecting Malicious Activity Against Microsoft Exchange Servers. 2023. https://www.wojsko-polskie.pl/woc/articles/aktualnosci-w/detecting-malicious-activity-against-microsoft-exchange-servers/ 
    [7] IBM. Israel-Hamas Conflict Lures to Deliver Headlace Malware. 2023. https://securityintelligence.com/x-force/itg05-ops-leverage-israel-hamas-conflict-lures-to-deliver-headlace-malware/ 
    [8] CERT-UA. APT28: From Initial Attack to Creating Domain Controller Threats in an Hour. 2023. https://cert.gov.ua/article/6276894 
    [9] NSA. Embracing a Zero Trust Security Model. 2021. https://media.defense.gov/2021/Feb/25/2002588479/-1/-1/0/CSI_EMBRACING_ZT_SECURITY_MODEL_UOO115131-21.PDF  
    [10] NSA et al. Keeping PowerShell: Security Measures to Use and Embrace. 2022. https://media.defense.gov/2022/Jun/22/2003021689/-1/-1/0/CSI_KEEPING_POWERSHELL_SECURITY_MEASURES_TO_USE_AND_EMBRACE_20220622.PDF 
    [11] National Institute of Standards and Technology (NIST). Special Publication 800-63B: Digital Identity Guidelines – Authentication and Lifecycle Management. 2020. https://pages.nist.gov/800-63-3/sp800-63b.html 
    [12] NSA. Selecting Secure Multi-factor Authentication Solutions. October 16, 2020. https://media.defense.gov/2024/Jul/31/2003515137/-1/-1/0/MULTIFACTOR_AUTHENTICATION_SOLUTIONS_UOO17091520.PDF  
    [13] NSA and CISA. NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations. 2023. https://media.defense.gov/2023/Oct/05/2003314578/-1/-1/0/JOINT_CSA_TOP_TEN_MISCONFIGURATIONS_TLP-CLEAR.PDF

    [14] Department of Justice. Justice Department Conducts Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU). 2024. https://www.justice.gov/archives/opa/pr/justice-department-conducts-court-authorized-disruption-botnet-controlled-russian  
    [15] Recorded Future. GRU’s BlueDelta Targets Key Networks in Europe with Multi-Phase Espionage Campaigns. 2024. https://go.recordedfuture.com/hubfs/reports/CTA-RU-2024-0530.pdf  
     

    Disclaimer of endorsement

    The information and opinions contained in this document are provided "as is" and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.

    Purpose

    This document was developed in furtherance of the authoring agencies’ cybersecurity missions, including their responsibilities to identify and disseminate threats and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.

    Contact

    United States organizations

    • National Security Agency (NSA)
    • Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI)
      • U.S. organizations are encouraged to report suspicious or criminal activity related to information in this advisory to CISA via the agency’s Incident Reporting System, its 24/7 Operations Center (report@cisa.gov or 888-282-0870), or your local FBI field office. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.
    • Department of Defense Cyber Crime Center (DC3)

    United Kingdom organizations

    Germany organizations

    Czech Republic organizations

    Poland organizations

    Australian organizations

    • Visit cyber.gov.au or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and access alerts and advisories.

    Canadian organizations

    Estonia organizations

    French organizations

    • French organizations are encouraged to report suspicious activity or incidents related to information found in this advisory by contacting ANSSI/CERT-FR by email at cert-fr@ssi.gouv.fr or by phone at: 3218 or +33 9 70 83 32 18.

    See Table 2 through Table 14 for all the threat actor tactics and techniques referenced in this advisory.

    Table 2: Reconnaissance
    Tactic/Technique Title | ID | Use
    Reconnaissance | TA0043 | Conducted reconnaissance on at least one entity involved in the production of ICS components for railway management.
    Gather Victim Identity Information: Email Addresses | T1589.002 | Conducted contact information reconnaissance to identify additional targets in key positions.
    Gather Victim Org Information | T1591 | Conducted reconnaissance of the cybersecurity department.
    Gather Victim Org Information: Identify Roles | T1591.004 | Conducted reconnaissance of individuals responsible for coordinating transport.
    Gather Victim Org Information: Business Relationships | T1591.002 | Conducted reconnaissance of other companies cooperating with the victim entity.
    Gather Victim Host Information | T1592 | Attempted to enumerate Real Time Streaming Protocol (RTSP) servers hosting IP cameras.

    Table 3: Resource development
    Tactic/Technique Title | ID | Use
    Compromise Accounts: Email Accounts | T1586.002 | Sent phishing emails using compromised accounts.
    Compromise Accounts: Cloud Accounts | T1586.003 | Sent phishing emails using compromised accounts.

    Table 4: Initial Access
    Tactic/Technique Title | ID | Use
    Trusted Relationship | T1199 | Conducted follow-on targeting of additional entities in the transportation sector that had business ties to the primary target, exploiting trust relationships to attempt to gain additional access.
    Phishing | T1566 | Used spearphishing for credentials and delivering malware to gain initial access to targeted entities.
    Phishing: Spearphishing Attachment | T1566.001 | Sent emails with malicious attachments.
    Phishing: Spearphishing Link | T1566.002 | Used spearphishing with included links to fake login pages. Sent emails with embedded hyperlinks that downloaded a malicious archive.
    Phishing: Spearphishing Voice | T1566.004 | Attempted to use voice phishing to gain access to privileged accounts by impersonating IT staff.
    External Remote Services | T1133 | Exploited Internet-facing infrastructure, including corporate VPNs, to gain initial access to targeted entities.
    Exploit Public-Facing Application | T1190 | Exploited public vulnerabilities and SQL injection to gain initial access to targeted entities.
    Content Injection | T1659 | Leveraged a WinRAR vulnerability allowing for the execution of arbitrary code embedded in an archive.

    Table 5: Execution
    Tactic/Technique Title | ID | Use
    User Execution: Malicious Link | T1204.001 | Used malicious links to hosted shortcuts in spearphishing.
    User Execution: Malicious File | T1204.002 | Delivered malware executables via spearphishing.
    Scheduled Task/Job: Scheduled Task | T1053.005 | Used scheduled tasks to establish persistence.
    Command and Scripting Interpreter | T1059 | Delivered scripts in spearphishing. Executed arbitrary shell commands.
    Command and Scripting Interpreter: PowerShell | T1059.001 | PowerShell commands were often used to prepare data for exfiltration.
    Command and Scripting Interpreter: Windows Command Shell | T1059.003 | Used BAT script in spearphishing.
    Command and Scripting Interpreter: Visual Basic | T1059.005 | Used VBScript in spearphishing.
    Command and Scripting Interpreter: Python | T1059.006 | Installed python on infected machines to enable the execution of Certipy.

    Table 6: Persistence
    Tactic/Technique Title | ID | Use
    Account Manipulation: Additional Email Delegate Permissions | T1098.002 | Used manipulation of mailbox permissions to establish sustained email collection.
    Modify Authentication Process: Multi-Factor Authentication | T1556.006 | Enrolled compromised accounts in MFA mechanisms to increase the trust-level of compromised accounts and enable sustained access.
    Hijack Execution Flow: DLL Search Order Hijacking | T1574.001 | Used DLL search order hijacking to facilitate malware execution.
    Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | T1547.001 | Used run keys to establish persistence.
    Boot or Logon Autostart Execution: Shortcut Modification | T1547.009 | Placed malicious shortcuts in the startup folder to establish persistence.

    Table 7: Defense Evasion
    Tactic/Technique Title | ID | Use
    Indicator Removal: Clear Windows Event Logs | T1070.001 | Deleted event logs through the wevtutil utility.

    Table 8: Credential access
    Tactic/Technique Title | ID | Use
    Brute Force | | Sent requests with Base64-encoded credentials for the RTSP server, which included publicly documented default credentials, and likely were generic attempts to brute force access to the devices.
    Brute Force: Password Guessing | T1110.001 | Used credential guessing to gain initial access to targeted entities.
    Brute Force: Password Spraying | T1110.003 | Used brute force to gain initial access to targeted entities. Conducted a brute force password spray via LDAP.
    Multi-Factor Authentication Interception | | Used multi-stage redirectors to provide MFA relaying capabilities in some campaigns.
    Input Capture | | Used multi-stage redirectors to provide CAPTCHA relaying capabilities in some campaigns.
    Forced Authentication | | Used an Outlook NTLM vulnerability to collect NTLM hashes and credentials via specially crafted Outlook calendar appointment invitations.
    OS Credential Dumping: NTDS | T1003.003 | Attempted to dump Active Directory NTDS.dit domain databases.
    Unsecured Credentials: Group Policy Preferences | T1552.006 | Retrieved plaintext passwords via Group Policy Preferences using Get-GPPPassword.py.
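
    The Group Policy Preferences row above pairs with the advisory's Credential Hardening countermeasure (remove passwords stored in GPP and change them on the corresponding accounts). The audit below is an added example, not code from the advisory: it walks a copy of SYSVOL and lists the preference files and accounts that still carry a non-empty cpassword attribute, without returning the stored value. The directory layout, account names and the list of account attributes are constructed assumptions.

```python
"""Audit a SYSVOL copy for Group Policy Preferences files with stored passwords.

Added illustration: paths, accounts and attribute values below are constructed.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# Attributes that name the account a stored password belongs to. Which one is
# present depends on the preference type (assumed list, extend as needed).
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")


def audit_gpp_tree(root_dir):
    """Return (findings, unparsed).

    findings: sorted (relative_path, account) pairs, one per XML element that
              has a non-empty cpassword attribute. The value is never returned.
    unparsed: sorted relative paths of XML files that could not be parsed, so
              they get a manual look instead of being silently skipped.
    """
    findings, unparsed = [], []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root_dir).replace(os.sep, "/")
            try:
                tree = ET.parse(path)
            except (ET.ParseError, OSError):
                unparsed.append(rel)
                continue
            for elem in tree.iter():
                if elem.get("cpassword"):  # present and not empty
                    account = next(
                        (elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), ""
                    )
                    findings.append((rel, account))
    return sorted(findings), sorted(unparsed)


# Constructed sample tree (placeholders, not real policy GUIDs or secrets).
SAMPLE_FILES = {
    "Policies/POLICY-GUID-1/GPT.INI": "[General]\nVersion=1\n",
    "Policies/POLICY-GUID-1/Machine/Preferences/Groups/Groups.xml": (
        "<Groups>"
        '<User name="svc-backup"><Properties action="U" userName="svc-backup" '
        'cpassword="CONSTRUCTED-NOT-A-REAL-VALUE"/></User>'
        # Empty cpassword: the password was already removed, so not a finding.
        '<User name="helpdesk"><Properties action="U" userName="helpdesk" '
        'cpassword=""/></User>'
        "</Groups>"
    ),
    "Policies/POLICY-GUID-1/Machine/Preferences/ScheduledTasks/ScheduledTasks.xml": (
        "<ScheduledTasks>"
        '<Task name="nightly"><Properties action="U" '
        'runAs="task-runner@corp.example" '
        'cpassword="CONSTRUCTED-NOT-A-REAL-VALUE"/></Task>'
        "</ScheduledTasks>"
    ),
    # Truncated file: must be reported as unparsed, not ignored.
    "Policies/POLICY-GUID-2/User/Preferences/Drives/Drives.xml": "<Drives><Drive name='S:'>",
}


def demo():
    """Write the constructed tree to a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE_FILES.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return audit_gpp_tree(root)


if __name__ == "__main__":
    found, broken = demo()
    for rel, account in found:
        print(f"stored password: {rel} (account: {account or 'unknown'})")
    for rel in broken:
        print(f"could not parse, review manually: {rel}")
```

    Every account listed needs its password changed after the file is cleaned, since the stored value must be treated as already exposed.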

    Table 9: Discovery
    Tactic/Technique Title | ID | Use
    Account Discovery: Domain Account | T1087.002 | Used a modified ldap-dump.py to enumerate the Windows environment.

    Table 10: Command and Control
    Tactic/Technique Title | ID | Use
    Hide Infrastructure | T1665 | Abused SOHO devices to facilitate covert cyber operations, as well as proxy malicious activity, via devices with geolocation in proximity to the target.
    Proxy: External Proxy | T1090.002 | Actor-controlled servers sent RTSP DESCRIBE requests destined for RTSP servers.
    Proxy: Multi-hop Proxy | T1090.003 | Used Tor and commercial VPNs as part of their anonymization infrastructure.
    Encrypted Channel | T1573 | Connected to victim infrastructure using encrypted TLS.
    Multi-Stage Channels | T1104 | Used multi-stage redirectors for campaigns.

    Table 11: Defense evasion (mobile framework)
    Tactic/Technique Title | ID | Use
    Execution Guardrails | | Used multi-stage redirectors to verify browser fingerprints in some campaigns.
    Execution Guardrails: Geofencing | T1627.001 | Used multi-stage redirectors to verify IP-geolocation in some campaigns.

    Table 12: Lateral movement
    Tactic/Technique Title | ID | Use
    Lateral Movement | | Used native commands and open source tools, such as Impacket and PsExec, to move laterally within the environment.
    Remote Services: Remote Desktop Protocol | T1021.001 | Moved laterally within the network using RDP.

    Table 13: Collection
    Tactic/Technique Title | ID | Use
    Email Collection | | Retrieved sensitive data from email servers.
    Email Collection: Remote Email Collection | T1114.002 | Used server data exchange protocols and APIs such as Exchange Web Services (EWS) and IMAP to exfiltrate data from email servers.
    Automated Collection | | Used periodic EWS queries to collect new emails.
    Video Capture | | Attempted to gain access to the cameras’ feeds.
    Archive Collected Data | | Accessed files were archived in .zip files prior to exfiltration.
    Archive Collected Data: Archive via Utility | T1560.001 | Prepared zip archives for upload to the actors’ infrastructure.

    Table 14: Exfiltration
    Tactic/Technique Title | ID | Use
    Exfiltration Over Alternative Protocol | | Attempted to exfiltrate archived data via a previously dropped OpenSSH binary.
    Scheduled Transfer | | Used periodic EWS queries to collect new emails sent and received since the last data exfiltration.

    Appendix B: CVEs exploited

    Table 15: Exploited CVE information
    CVE | Vendor/Product | Details
    CVE-2023-38831 | RARLAB WinRAR | Allows execution of arbitrary code when a user attempts to view a benign file within a ZIP archive.
    CVE-2023-23397 | Microsoft Outlook | External actors could send specially crafted emails that cause a connection from the victim to an untrusted location of the actor’s control, leaking the Net-NTLMv2 hash of the victim that the actor could then relay to another service to authenticate as the victim.
    CVE-2021-44026 | Roundcube Webmail | Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search params.
    CVE-2020-35730 | Roundcube Webmail | An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16 and 1.4.x before 1.4.10, where a plaintext email message with JavaScript in a link reference element is mishandled by linkref_addindex in rcube_string_replacer.php.
    CVE-2020-12641 | Roundcube Webmail | Roundcube Webmail before 1.4.4 allows arbitrary code execution via shell metacharacters in a configuration setting for im_convert_path or im_identify_path in rcube_image.php.

    Appendix C: MITRE D3FEND Countermeasures

    Table 16: MITRE D3FEND countermeasures
    Countermeasure Title | ID | Details
    Network Isolation | | Employ appropriate network segmentation. Disable Universal Plug and Play (UPnP), Peer-to-Peer (P2P), and Anonymous Visit features on IP cameras and routers.
    Access Mediation | | Limit access and utilize additional attributes (such as device information, environment, and access path) when making access decisions. Configure access controls carefully to ensure that only well-maintained and well-authenticated accounts have access.
    Inbound Traffic Filtering | | Implement host firewall rules to block connections from other devices on the network, other than from authorized management devices and servers, to prevent lateral movement.
    Resource Access Pattern Analysis | | Use automated tools to audit access logs for security concerns and identify anomalous access requests.
    Outbound Traffic Filtering | | Block NTLM/SMB requests to external infrastructure.
    Platform Monitoring | | Install EDR/logging/cybersecurity solutions onto high value systems with large amounts of sensitive data such as mail servers and domain controllers.
    System File Analysis | | Collect and monitor Windows logs for certain events, especially for events that indicate that a log was cleared unexpectedly.
    Application Hardening | | Enable optional security features in Windows to harden endpoints and mitigate initial access techniques.
    Application-based Process Isolation | | Enable attack surface reduction rules to prevent executable content from email.
    Executable Allowlisting | | Enable attack surface reduction rules to prevent execution of files from globally writeable directories, such as Downloads or %APPDATA%.
    Execution Isolation | | Unless users are involved in the development of scripts, limit the execution of scripts (such as batch, JavaScript, and PowerShell) to known scripts.
    Application Configuration Hardening | | Disable Windows Host Scripting functionality and configure PowerShell to run in Constrained mode. Disable protocols that use weak authentication (e.g., clear-text passwords, or outdated and vulnerable authentication or encryption protocols) or do not support multi-factor authentication. Turn off other ports/services not in use (e.g., FTP, web interface, etc.).
    Process Spawn Analysis | | Use open source SIGMA rules as a baseline for detecting and alerting on suspicious file execution or command parameters.
    URL Reputation Analysis | | Use services that provide enhanced browsing services and safe link checking.
    Network Access Mediation | | Do not allow incoming traffic, especially logins to systems, from public VPN services. Where possible, logins from public VPNs, including exit nodes in the same country as target systems, should be blocked or, if allowed, alerted on for further investigation. Ensure cameras and other Internet of Things devices are protected by a security appliance, if possible.
    DNS Denylisting | D3-DNSDL | Do not allow outgoing traffic to hosting and API mocking services frequently used by malicious actors.
    Domain Name Reputation Analysis | | Heuristic detections for web requests to new subdomains may uncover malicious phishing activity. Logging the requests for each sub-domain requested by users on a network, such as in DNS or firewall logs, may enable system administrators to identify new targeting and victims.
    Multi-factor Authentication | | Use MFA with strong factors and require regular re-authentication, especially for management accounts.
    Job Function Access Pattern Analysis | D3-JFAPA | Implement other mitigations for privileged accounts: including limiting the number of admin accounts, considering using hardware MFA tokens, and regularly reviewing all privileged user accounts.
    User Account Permissions | | Separate privileged accounts by role and alert on misuse of privileged accounts. Audit user accounts on all devices to ensure they are an accurate reflection of your organization and that they are being used as expected.
    Token-based Authentication | | Reduce reliance on passwords; instead, consider using services like single sign-on.
    Credential Hardening | | Do not store passwords in Group Policy Preferences (GPP). Remove all passwords previously included in GPP and change all passwords on the corresponding accounts.
    Authentication Event Thresholding | | Use account throttling or account lockout. Throttling progressively increases time delay between successive login attempts. If using account lockout, allow between 5 to 10 attempts before lockout.
    Strong Password Policy | | Use a service to check for compromised passwords before using them.
    Credential Rotation | | Change all default credentials.
    Encrypted Tunnels | | Disable protocols that use weak authentication (e.g., clear-text passwords, or outdated and vulnerable authentication or encryption protocols). Use a VPN for remote connections to devices.
    Software Update | | Apply security patches and firmware updates to all devices. Ensure devices are currently supported. Replace devices that are end-of-life.
    Agent Authentication | | Ensure authentication is enabled for remote access to devices. If supported on IP cameras, enable authenticated RTSP access only.
    User Behavior Analysis | | Review all authentication activity for remote access to make sure it is valid and expected. Investigate any unexpected or unusual activity.
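
    One way to act on the Domain Name Reputation Analysis and DNS Denylisting countermeasures in Table 16 is to flag first-seen subdomains under hosting and API-mocking zones in resolver logs, together with the clients that asked for them. The following is an added example, not part of the advisory; the log format, the watched zones (freehost.example, apimock.example), the baseline and all addresses are constructed assumptions.

```python
"""Flag first-seen subdomains under watched hosting / API-mocking zones.

Added illustration: log format, zone names and addresses are constructed.
"""

# Constructed resolver log: "<ISO-8601 UTC time> <client IP> <qtype> <qname>"
SAMPLE_LOG = """\
2025-05-20T09:00:01Z 10.0.0.5 A intranet.corp.example
2025-05-20T09:00:07Z 10.0.0.5 A docs.freehost.example
2025-05-20T09:02:11Z 10.0.0.8 A Login-Portal.FreeHost.example.
2025-05-20T09:02:40Z 10.0.0.9 AAAA login-portal.freehost.example
2025-05-20T09:03:00Z 10.0.0.8 A notfreehost.example
2025-05-20T09:04:13Z 10.0.0.12 A a1b2c3.apimock.example
2025-05-20T09:05:00Z 10.0.0.12 A freehost.example
malformed line
""".splitlines()

# Zones the defender has chosen to watch (placeholders for real services).
WATCHED_ZONES = {"freehost.example", "apimock.example"}
# Names already observed on this network before the review window.
BASELINE = {"docs.freehost.example"}


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().rstrip(".").lower()


def zone_of(fqdn, zones):
    """Return the longest watched zone that fqdn is a strict subdomain of.

    Matching is on a label boundary, so notfreehost.example does not match
    freehost.example, and the zone apex itself is not a subdomain.
    """
    best = None
    for zone in zones:
        if fqdn.endswith("." + zone) and (best is None or len(zone) > len(best)):
            best = zone
    return best


def parse_line(line):
    """Split one log line into (time, client, qtype, qname) or return None."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qtype, qname = parts
    return ts, client, qtype, normalize(qname)


def find_new_subdomains(log_lines, watched_zones, baseline):
    """Return sorted (fqdn, zone, first_seen, clients) for names not in baseline."""
    zones = {normalize(z) for z in watched_zones}
    known = {normalize(n) for n in baseline}
    hits = {}
    for line in log_lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not match the expected format
        ts, client, _qtype, qname = rec
        zone = zone_of(qname, zones)
        if zone is None or qname in known:
            continue
        entry = hits.setdefault(
            qname, {"zone": zone, "first_seen": ts, "clients": set()}
        )
        entry["clients"].add(client)
        # Same-format ISO-8601 UTC timestamps order correctly as strings.
        if ts < entry["first_seen"]:
            entry["first_seen"] = ts
    return [
        (fqdn, e["zone"], e["first_seen"], sorted(e["clients"]))
        for fqdn, e in sorted(hits.items())
    ]


if __name__ == "__main__":
    for fqdn, zone, first_seen, clients in find_new_subdomains(
        SAMPLE_LOG, WATCHED_ZONES, BASELINE
    ):
        print(f"{first_seen} new subdomain {fqdn} under {zone}; "
              f"clients: {', '.join(clients)}")
```

    The client list per name gives the set of hosts to review first, which is the "identify new targeting and victims" step the table describes.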

    MIL OSI USA News

  • MIL-OSI Europe: Written question – The wreck of the ‘Sea Diamond’ on the seabed of Santorini for 18 years as toxic waste – E-001879/2025

    Source: European Parliament

    Question for written answer  E-001879/2025
    to the Commission
    Rule 144
    Maria Zacharia (NI)

    The recent seismic sequence in Santorini coincides with the sad 18-year anniversary of inactivity on the wreck of the ‘Sea Diamond’, which is hanging on a steep slope of the seabed at a depth of 120 metres and at risk of sliding and reaching a depth of 280 metres, with dramatic consequences for the island’s exceptionally beautiful natural environment.

    The Commission has been aware of the situation since 2007(!) with colleagues’ oral and written questions nos E-2185/07,[1] E-2274/07,[2] H-0509/07,[3] E-5789/07,[4] E-1944/08,[5] H-0748/08,[6] E-5439/08,[7] E-6685/08,[8] E-4818/09,[9] H-0037/10,[10] E-002071/2011,[11] E-005420/2011,[12] E-003198/2012[13] and E-003650/2012.[14] It is also aware of the case law of the Court of Justice, according to which fuel on board a tanker becomes waste from the moment it leaks into the sea and, therefore, there is a breach of Directive 2006/12/EC on waste and in particular of Article 4 of the Directive, according to which Member States must take the necessary measures to prohibit the abandonment, dumping and uncontrolled disposal of waste.

    The Commission, however, disputes the spillage of oil or other toxic waste into the sea, ignoring a study by the Department of Environmental Engineering of the Technical University of Crete from 2011, which has been communicated to it, as have the judicial expert opinions from 2019 and 2020.

    Could the Commission justify its services’ decision not to take current scientific data into account?

    Submitted: 12.5.2025

    • [1] https://www.europarl.europa.eu/doceo/document/E-6-2007-2185_EN.html
    • [2] https://www.europarl.europa.eu/doceo/document/E-6-2007-2274_EN.html
    • [3] https://www.europarl.europa.eu/doceo/document/H-6-2007-0509_EN.html
    • [4] https://www.europarl.europa.eu/doceo/document/E-6-2007-5789_EN.html
    • [5] https://www.europarl.europa.eu/doceo/document/E-6-2008-1944_EN.html
    • [6] https://www.europarl.europa.eu/doceo/document/H-6-2008-0748_EN.html
    • [7] https://www.europarl.europa.eu/doceo/document/E-6-2008-5439_EN.html
    • [8] https://www.europarl.europa.eu/doceo/document/E-6-2008-6685_EN.html
    • [9] https://www.europarl.europa.eu/doceo/document/E-7-2009-4818_EN.html
    • [10] https://www.europarl.europa.eu/doceo/document/H-7-2010-0037_EN.html
    • [11] https://www.europarl.europa.eu/doceo/document/E-7-2011-002071_EN.html
    • [12] https://www.europarl.europa.eu/doceo/document/E-7-2011-005420_EN.html
    • [13] https://www.europarl.europa.eu/doceo/document/E-7-2012-003198_EN.html
    • [14] https://www.europarl.europa.eu/doceo/document/E-7-2012-003650_EN.html

    MIL OSI Europe News

  • MIL-OSI United Nations: Experts of the Committee on the Rights of the Child Commend Romania on Deinstitutionalisation Process, Raise Questions on Corporal Punishment and Segregation in Education

    Source: United Nations – Geneva

    The Committee on the Rights of the Child today concluded its review of the combined sixth and seventh periodic reports of Romania, with Committee Experts commending the State on the deinstitutionalisation process of alternative care centres, while raising questions on the prevalence of corporal punishment and measures taken to combat segregation in education. 

    A Committee Expert said she was happy to hear about the programme for the deinstitutionalisation of alternative care centres; this was something Romania should be proud of, as well as all the foster arrangements being made, especially for children with disabilities. 

    Juliana Scerri Ferrante, Committee Expert and Country Taskforce Member, said there seemed to be a lack of parental education programmes around corporal punishment. How could the views of the child be respected if violence was accepted as a disciplinary measure?  Could the Romanian Government take clear steps to train staff and promote child education?  Philip Jaffe, Committee Vice-Chair and Country Taskforce Member, also noted that corporal punishment appeared to remain quite widespread despite being banned in 2004.  What efforts were being made to lower the prevalence and change attitudes among parents and adults? 

    Mr. Jaffe asked what was being done to combat school segregation based on disability, special education needs, and family economic status?  What improvements were being made to increase the improvement of vocational training for older children who may be leaving the school system?  Were there any programmes which specifically targeted economically disadvantaged children?

    The delegation said Romanian legislation completely prohibited violence against children, regardless of the environment.  However, despite the legislation, which was fully aligned with United Nations Conventions, the State needed to fight against mentalities and traditions and to practically change the minds of parents and caregivers, who believed corporal punishment would discipline children better.  Awareness-raising campaigns were being conducted for parents, and mechanisms including hotlines had been developed to support children, including the helpline 119.  Authorities were obligated to launch investigations immediately concerning any allegations of violence against children. 

    The delegation said the Ministry of Education had taken steps to assist children with special educational needs, with the creation of frameworks offering them different kinds of support, based on the type of disability.  Adaptive measures had been taken for Roma children, including stimulating their participation in early education and in summer kindergartens, supporting education in their current language, and translating schoolbooks in their mother tongue, among others.  An increasing number of contracts between schools and the business sector had been recorded, including around 6,000 contracts in the school year 2023/2024. 

    Introducing the report, Helena Omna-Raicu, President of the National Authority for the Protection of Child Rights and Adoption of Romania and head of the delegation, said Romania’s path in recent years had been shaped by profound changes and emerging pressures, including the war in Ukraine and the arrival of thousands of children and families fleeing conflict.  As a neighbouring country, Romania had mobilised rapidly to provide emergency care, protection, psychosocial support, and schooling to children regardless of their nationality. 

    Ms. Omna-Raicu said Romania had made significant progress in certain areas, including in the deinstitutionalisation process.  Of the 167 residential placement centres operating in 2017, 149 had already been closed by the end of March 2025 and over 6,000 children were now benefiting from family-type alternative care.  The remaining 18 placement centres would be closed soon. 

    In closing remarks, Rinchen Chophel, Committee Expert and Country Taskforce Coordinator, reiterated the Committee’s appreciation for the Government of Romania’s support to Ukrainian refugees, particularly children.  Significant progress had been made from the last reporting period to the current one, with many looking forward beyond the dialogue. 

    In her closing remarks, Ms. Omna-Raicu expressed deep gratitude for the dialogue.  The Committee’s concerns regarding urban disparities were noted.  Romania would treat the Committee’s recommendations as an opportunity for deeper transformation.

     

    The delegation of Romania was comprised of representatives from the National Authority for the Protection of Child Rights and Adoption; the Ministry of Education and Research; the Ministry of Justice; the Ministry of Health; the Ministry of Labour, Family, Youth and Social Security; the Ministry of Foreign Affairs; the General Inspectorate of the Romanian Police; the General Inspectorate for Immigration; the National Administration of Penitentiaries; the Prosecutor’s Office; the National Health Insurance Authority; and the Permanent Mission of Romania to the United Nations Office at Geneva. 

    Summaries of the public meetings of the Committee can be found here, while webcasts of the public meetings can be found here. The programme of work of the Committee’s ninety-ninth session and other documents related to the session can be found here.

    The Committee will next meet in public at 3 p.m. on Wednesday, 21 May to begin its consideration of the combined fifth and sixth periodic reports of Qatar (CRC/C/QAT/5-6).

    Report

    The Committee has before it the combined sixth and seventh periodic reports of Romania (CRC/C/ROU/6-7).

    Presentation of Report

    HELENA OMNA-RAICU, President of the National Authority for the Protection of Child Rights and Adoption of Romania and head of the delegation, said Romania’s path in recent years had been shaped by profound changes and emerging pressures, including the war in Ukraine and the arrival of thousands of children and families fleeing conflict.  As a neighbouring country, Romania had mobilised rapidly to provide emergency care, protection, psychosocial support, and schooling to children regardless of their nationality.  The State was proud to have established the first Blue Dot in the region at the border crossing with Ukraine and launched the use of the Child Protection Information Management System Primero in only a couple of months after the onset of the refugee crisis, ensuring registration and case management for almost 40,000 refugee children.

    Several new national strategies had been developed for 2021-2027 which aimed to address child poverty and wellbeing, including the national strategy for the protection and promotion of children’s rights “protected children, safe Romania” 2023-2027, and the national strategy on social inclusion and poverty reduction 2022-2027, among others.   Romania had also adopted and begun the implementation of the child guarantee national action plan 2023-2030, which aimed to reduce the number of children at risk of poverty or social exclusion by at least 500,000 by 2030. Romania had seen a measurable decline in the proportion of children at risk of poverty and social exclusion from 41.5 per cent in 2022 to 33.8 per cent in 2024. 

    In April 2024, law 100/2024 was approved which included specific amendments to several laws relevant for social assistance.  The new emergency ordinance no. 96/2024, approved in June 2024 regarding the provision of humanitarian support and assistance by the Romanian State to foreign citizens or stateless persons in special situations coming from the area of the armed conflict in Ukraine, established the legal framework providing refugees with access to a wide range of key national statutory services. Another significant legislative change was enacted by amending law 272/2004 in December 2024, which now mandated the participation of children in public decision-making processes. 

    There had also been several significant programmes launched, including modernising the unique national number 119 for reporting cases of abuse, neglect, exploitation and any other form of violence against children; the development of community services for children and families to prevent separation and support the family reintegration of children from the special protection system; and the development of 200 integrated community centres and 150 daycare centres for children, among others.  Despite these advances, challenges remained, including disparities between rural and urban areas. 

    However, Romania had made significant progress in certain areas, including in the deinstitutionalisation process.  Of the 167 residential placement centres operating in 2017, 149 had already been closed by the end of March 2025 and over 6,000 children were now benefiting from family-type alternative care.  The remaining 18 placement centres would be closed soon.  The use of European Union structural funds had also supported the training of over 11,000 foster carers.  A new programme had also been introduced, aimed to scale-up integrated community-services in 2,000 marginalised rural communities, combining social assistance, health, education, and other types of social support.  Over 800 million euros of European Social Funds were planned for enhancing access to social services for the most vulnerable, including children and their families.

    The State had also expanded support for children at risk of early school leaving by using the early warning mechanism in education, of which around 50,000 participants from 6,950 institutions had completed the training programme.  Targeted policies had been developed that supported the reintegration of children who dropped out during the pandemic, and more resources were reaching schools in deprived communities.  In health, the role of community nurses and Roma health mediators had grown, and work continued to improve access to services for vulnerable groups. 

    Pilot projects on mental health for children had laid the groundwork for more systemic change, with mental health services for children and adolescents being expanded. However, challenges remained in ensuring equitable access to quality services in rural and marginalised areas, addressing shortages of specialised personnel, and improving early identification and intervention for children with developmental delays or disabilities.

    Romania was committed to reducing the number of children affected by poverty and social exclusion by at least 500,000.  The State would also pursue the complete closure of old-type residential centres, with every child in alternative care placed in family-based or community settings. Romania was committed to translating the pledges made during the first-ever global ministerial conference on ending violence against children held at the end of 2024 in Bogota, Colombia, into realities for children.

    In education, the State aimed to increase the early childhood education enrolment rate by at least 22 per cent for children aged zero to three and at least 95 per cent for children aged four to six.  There would be a focus on improving mental health services for children and linking schools, families, and health providers more effectively, aiming to reduce preventable mortality by 20 per cent compared to 2021 levels for children of all ages.   Finally, Romania would ensure that children had a role in shaping systems through participatory budgeting, monitoring, and children and youth-led policy platforms. Romania remained committed to fully implementing the Convention and to contributing to the global effort to advance child rights everywhere.

    Questions by Committee Experts

    RINCHEN CHOPHEL, Committee Expert and Country Taskforce Coordinator, said Romania had achieved a lot since the last report, which the Committee was happy about. Romania’s assistance to the Ukrainian refugees and children should be noted.  There had been significant legislative achievements, particularly the amendments to law 272.  What measures were in place to ensure effective implementation of the law?  The national strategy on social inclusion and poverty reduction 2022-2027, and the child guarantee national action plan 2023-2030 were very welcome developments.  How had these impacted on measures to promote and protect children? Had an assessment been undertaken to evaluate the impact of the national strategy?

    While welcoming increased allocations to certain sectors, the Coordinator asked what measures were in place to develop a child-friendly budgeting process?  What was the current status of the complaints mechanism in the country for reporting all forms of abuse and violence for children? What had been done to inform children of their right to file a complaint?  Had professionals working with children been trained on receiving complaints concerning children and the Convention? 

    The establishment of the child Ombudsman in 2018 was a crucial step in the right direction, and the Government should be congratulated for that.  What was the current status of the institution?  How did it connect with children?  The Committee noted the State party’s awareness raising activities on the Convention with appreciation, including the translation of the Committee’s general comments into Romanian.  How did these efforts extend to rural children? 

    JULIANA SCERRI FERRANTE, Committee Expert and Country Taskforce Member, asked if the national strategy for school de-segregation had been adopted?  If not, then when would this occur?  What measures had been taken to address hate speech? Did the permanent committee set up in every education unit offer a complaints mechanism to children?  If not, how could children complain in schools?

    What had been done to decrease discrimination against the Roma population?  What efforts had been made to promote the inclusion of Roma in mainstream schooling?  How was discrimination against children with disabilities tackled in education?  There was concern that Romanian law did not define valid reasons on which minor marriages could be authorised and this was left to the discretion of the authorities.  What training was provided to apply the best interests of the child? What approaches had been taken to reduce the preventable mortality of children under five years old?  What was the position of the Romanian Government on the proposed amendment to law 272 regarding lesbian, gay, bisexual, transgender and intersex children?

    There seemed to be a lack of parental education programmes around corporal punishment. How could the views of the child be respected if violence was accepted as a disciplinary measure?  Could the Romanian Government take clear steps to train staff and promote child education?  How were child labour laws enforced?  How would the Romanian Government establish a child participation mechanism?  Were refugee and asylum-seeking children involved in decisions which affected them? Were children provided information on their rights? 

    What measures were being taken to strengthen the capacity of the social welfare services? How were children with disabilities prioritised in reform measures?  What was being done to combat the illicit transfer of children abroad?  Had bilateral agreements been conducted in this regard?  Was the Romanian Government carrying out measures to understand the impact of prison on children?  How were they supported when their parents were incarcerated?  What support was available for young people leaving institutional care? 

    SOPHIE KILADZE, Committee Chair and Country Taskforce Member, said the adoption of law 105/22 providing for automatic birth registration should be considered as positive.  Could more information be provided about how the law worked in practice?  Were there any plans to introduce a statelessness determination procedure?  Was data on statelessness which concerned children disaggregated?  What measures were in place to protect children from excessive screen use?  How did Romania deal with artificial intelligence as a European Union member? Romania had one of the lowest levels of digital skills in the European Union; what measures were being undertaken to promote digital literacy among children, as well as parents? 

    PHILIP JAFFE, Committee Vice-Chair and Country Taskforce Member, said it was wonderful that strong pledges had been made at the global ministerial conference on ending violence against children in Bogota.  How was Romania implementing its mission as a pathfinding global alliance country?  It seemed Romanian children were in need of protection against high levels of physical and sexual violence.  One of the pledges made in Bogota was to conduct a prevalence study on sexual abuse; had the State moved forward with this study?  Were there dedicated teams drawing up the comprehensive framework and strategy which had been promised?  One pledge had been to enhance children’s participation regarding issues of violence.  What efforts had the Government made to ensure that there was a clear public understanding that all forms of violence against children needed to be reported? 

    Corporal punishment appeared to remain quite widespread despite being banned in 2004. What efforts were made to lower the prevalence and change attitudes among parents and adults?  It was encouraging that Romania had been one of 40 countries to recently join a statement of the Human Rights Council, expressing children’s right to protection from corporal punishment.  How was bullying and cyber bullying being addressed at all levels of legislative policy?  Could more information about the child helplines be provided? 

    Was it true that around seven to eight per cent of girls in Romania were married before the age of 18, with that percentage rising to around 20 per cent in the Roma community? What was being done in response to this? Was it true that charges had been dropped against a 17-year-old boy who entered into a non-formal marriage with an 11-year-old girl?  What policy was in practice in the health sector regarding surgical interventions and intersex children?  What were the guidelines to protect their bodily integrity until these children were capable of providing consent? 

    Responses by the Delegation

    The delegation said the law on child protection now included clear provisions which made it compulsory for public administrative bodies to involve children in consultations regarding issues which concerned them.  The national strategy on children’s rights was recently adopted and another national action plan was elaborated; these plans were complementary. This was a comprehensive package which would help the Government to better implement all necessary measures. An assessment of the national strategy had been undertaken.  The State was now piloting a system which would indicate how to establish a model of financing where children would be considered as a different group that would benefit from a different budget.

    The national programme for schooling in Romania ensured children received food support at schools to increase the enrolment rate and participation.  School supplies were also provided for all school grades. Two hundred euros were provided for the purchase of technology, and remedial lessons were provided to students coming from disadvantaged communities.  Recently, the scholarship system had been extended to encompass more disadvantaged groups. 

    Funds allocated to primary medical care had registered a continuous annual increase.  Just last year, the fund allocated to primary care increased by 24 per cent.  The national observatory was a big achievement for Romania and aimed to identify the children most at risk of being separated from their families, based on indicators.  Training was being conducted on the use of the observatory to ensure the data provided was reliable.   

    The hearing of minors in justice proceedings took place in special rooms, and a psychologist was always required to be present.  The new national strategy for the development of the judicial system provided for another 10 hearing rooms across the country.  There were specially designated prosecutors to handle cases involving minors.  The child Ombudsman was fully operational and cooperated with all institutions.  It had a functioning complaints mechanism.  If an incident was notified to the Ombudsman, an investigation started, which concluded with a set of recommendations sent to the institution responsible to correct the situation.  

    Civil society representatives were part of the consultative groups established at the national level.  A methodology had been issued and piloted regarding identifying and banning segregation within the educational sector.  The measures focused on ensuring an inclusive education.  Any kind of discrimination on criteria such as ethnicity, religion or sex was completely forbidden within the educational system.  Specific places in high schools were allocated for Roma students and students with disabilities.  To ensure access to high quality education, educational services had been developed starting from early education to prevent early dropout and absenteeism.     

    A set of programmes had been introduced, including a monthly allowance for children up to the age of 18, as well as parental leave.  There was also a minimum income support which supported families with children. Emergency ordinance no.96 was developed specifically for children from Ukraine and their families. 

    There was a dedicated intergovernmental group which addressed the subject of forced marriage, with the aim of drafting legislative projects in this regard.  Concerning infant mortality and the number of deaths under one year of age, a regionalised system of care had been introduced to ensure each neonate was born in a medical unit which could provide the services necessary for their care, thereby reducing infant mortality.  An important national programme was in place which contained around 15 interventions, established in partnership with the United Nations Children’s Fund.  Another programme provided 900 neonatal incubators around the country. 

    A significant number of services had been established to help families in vulnerable situations. A special programme was launched last year on the minimum inclusion income, which focused on how to assist parents within the labour market.  The State was aware of a lack of social assistance in rural areas, which was where the most vulnerable communities lived.  Interventions were directed, including food packages, and local administrative capacities would be developed. 

    A programme had been developed which aimed to establish hearing rooms for children in courts, and 29 hearing rooms were completed in April 2024.  The rooms were used by the Prosecutors and police officers when they had victims who were minors.  The rooms were child-friendly and specially designed with toys.  The child did not see the other people participating in the hearing.  A new strategy adopted in 2025 provided for the need for an additional 10 hearing rooms in the near future. 

    All social services were functioning based on a set of minimum quality standards, which were verified by the national agency for social inspection.   With the United Nations Children’s Fund, Romania was piloting a project which would identify and train foster families to care specifically for children with disabilities.  A child entering the special protection system was prioritised to be reintegrated in a family environment.  Adoption was considered the best solution in this regard, and this could only be decided by a court.  Priority was offered to domestic adoption, but international adoption could be considered after one year. 

    Amendments had been made to allow special spaces for visits in prison with children.  Such spaces were now available in all prison facilities within the Romanian penitentiary system.  There were cooperation protocols in place with the United Nations Children’s Fund and Save the Children which supported parents to develop their parental skills and improve their relationship with their children. The State was aware of the need to develop programmes which addressed the needs of children and adults and improved the relationship within the family.

    The Ministry of Education aimed to develop digital competencies among students and parents. During the pandemic, all students were provided with laptops and digital devices to keep up with the educational process.  In a new initiative launched in partnership with Microsoft, the Ministry of Education had announced the development of a project concerning artificial intelligence for increasing the school performance of students.  A project was also being implemented aimed at improving the digital skills of civil servants. 

    Romania had a dedicated national child help line.  It was toll-free and operational 24/7.  Those operating the calls were specialised counsellors who could refer the cases to the relevant authorities.  Another helpline just referred cases to social services.  The 119 helpline was a recent development, operational from any place in Romania and accessible to children and adults.  After the first year, it had been well received and was being regularly used to inform on any situation concerning a child. 

    Rape of a minor and sexual assault against a minor had been introduced as acts within the Criminal Code.  Rape committed by an adult against a minor under the age of 18 was punished by a prison sentence of between seven and 12 years.

    Questions by Committee Experts

    PHILIP JAFFE, Committee Vice-Chair and Country Taskforce Member, said one in 20 people in Romania held a disability certificate, with around 80,000 being children. What were the difficulties faced by certain groups of children to receive this certificate, including rural children?  Were there any awareness-raising campaigns for rural minorities and poor families regarding their entitlement to services?  Could more information be provided about Romania’s strategy for persons with disabilities?  How were the number and expertise of professionals being scaled up?  To what degree had the State embraced a human-rights approach to disability, as opposed to a medical model of disability?  How many children were still left in institutions? When would such institutions all be closed? 

    There were two recent laws on pre-university education and higher education; could more information be provided about the implementation of these laws?  What was the level of gross domestic product dedicated to education in Romania?  Was there a direct pipeline to hear about the concerns of children within the education system and were these concerns taken seriously?  What was being done to combat school segregation based on disability, special education needs, and family economic status?  Figures suggested that 40 per cent of children with disabilities had limited access to education.  What steps were being made to improve education for children under the age of three? What improvements were being made to increase the improvement of vocational training for older children who may be leaving the school system?  Were there any programmes which specifically targeted economically disadvantaged children?  What was the mission of the Ministry of Youth? 

    SOPHIE KILADZE, Committee Chair and Country Taskforce Member, asked if sufficient resources were dedicated to the capacity building of medical personnel? Did all children have access to health care, including health insurance?  How were vaccinations promoted in the country?  How was breast feeding promoted?  Child obesity was an issue of concern; how was this combatted? Was there a hot meals programme? 

    Mental health was a very important issue.  Was data on mental health being disaggregated, including on suicide?  Was there a comprehensive strategy and action plan regarding the issue of mental health?  Were quality mental health services available in rural and remote areas? According to alarming information, the country had the highest number of adolescent mothers across the European Union. What steps would the State undertake to prevent adolescent pregnancies and subsequent abortions?  Would Romania make reproductive education part of the curriculum? 

    What measures were in place to address drugs or substance abuse?  Were there treatments available for children?  Romania had made substantial efforts for Ukrainian children and other groups of refugees.  How would the State integrate these children long-term?  Were there delays in the enrolment of refugee children and their families into the social services system?  Would amendments be considered in the asylum law to end the detention of families at the legislative level?  Did unaccompanied migrant children have access to services, including psychosocial support and disability services?  Were there any barriers which could hinder access to education? 

    What measures were being undertaken to end child labour, including begging?  What was being done to assist children in street situations?  How were perpetrators investigated and brought to justice?  Were there quality services for child victims of trafficking in place? Was the system of child justice established across the country?  Were adequate financial resources allocated to it?  Was free legal aid available to children in conflict with the law?  Was the detention of children used only as a last resort?  If yes, did it comply with international standards? 

    RINCHEN CHOPHEL, Committee Expert and Country Taskforce Coordinator, said one in five children were affected by severe material and social deprivation, which was concerning.  What was the reality on the ground?  The minimum social assistance package had been introduced; could more information be provided on it?  Romania was increasingly vulnerable to droughts, heatwaves, floods and landslides, and it was also grappling with water pollution.  How had the national strategies pertaining to climate change helped to address the challenges of the environment and climate change in the country? What measures were being adopted to take into account children’s needs and views in the development of specific policies, including disaster-preparedness plans?  Were child rights impact assessments carried out when dealing with the business sector? 

    A Committee Expert asked what the national coverage of vaccinations was in the country?  Romania had an epidemic of measles; how did the population react to vaccinations?  How was confidence being built in vaccines?  Were people familiar with the law on rape?  What happened once the 30-day limit for registering births had elapsed? 

    Responses by the Delegation

    Romanian legislation completely prohibited violence against children, regardless of the environment.  However, despite the legislation, which was fully aligned with United Nations Conventions, the State needed to fight against mentalities and traditions and to practically change the minds of parents and caregivers, who believed corporal punishment would discipline children better.  Awareness-raising campaigns were being conducted for parents, and mechanisms including hotlines had been developed to support children, including the helpline 119. 

    Authorities were obligated to launch investigations immediately concerning any allegations of violence against children.  Romania was committed to continuing these efforts and to changing social norms and mentalities.  The number of cases of violence against children was increasing, which meant people were becoming more aware of the issue and reporting it.

    Since 2016, the methodology applied in Romania clearly distinguished between the concept of disability and special education needs.  In Romania, the deinstitutionalisation process was one of the most important commitments of the Government, and the process was now concluding. Currently, out of the 167 residential centres operating in 2017, 149 had already been closed, and more than 6,000 children were benefiting from alternative care.  The legal framework stated that no placement centre could operate without the approved closure plan.  The deinstitutionalisation process also involved finding better alternative and family-based care for children.   Only 18 placement centres remained in the process of being closed, and by 2026 no such centre would be operating in Romania.  The State was still aiming to find family-style solutions for children with disabilities, and a project was being developed with the United Nations Children’s Fund to this end.

    If a birth was declared after the 30-day deadline but less than one year after the birth, the birth certificate could be issued based on approval from the mayor.  If the birth declaration was made more than one year after the birth, the certificate needed to be approved by the mayor and other administrative bodies. 

    More than 2.8 million students were enrolled in the 2023/2024 school year in Romania.  For high school, there had been a significant decrease in dropouts from 2.5 per cent in 2017 to 0.8 per cent in 2024. Around 4.5 per cent of the budget was allocated to education.  The Ministry of Education had taken steps to assist children with special educational needs, with the creation of frameworks offering them different kinds of support, based on the type of disability.  For students with temporary special needs, the law of education presented special measures, including the implementation of schooling hospitals, or schooling at home for those who were required to be in hospital or at home for medical reasons. 

    Adaptive measures had been taken for Roma children, including stimulating their participation in early education and in summer kindergartens, supporting education in their current language, and translating schoolbooks into their mother tongue, among others.  More than 66,000 teachers had been trained in digital and multimedia use.  An increasing number of contracts between schools and the business sector had been recorded, around 6,000 contracts in the school year 2023/2024.  Most teachers had been trained to create open educational resources.  Significant funds had been allocated to modernising rest room facilities in schools.

    Any student could submit complaints of discrimination via an established framework.  Students benefitted from representation in the school system through several platforms.  The national strategy for sustainable development issued the methodology of the “green week programme”, which contributed to preschoolers and students’ competence in understanding basic concepts of climate change, to initiate individual and protective action to protect the environment.  Teachers were obliged to obtain 90 transferrable professional credits every five years, through attending courses offered by Romanian training houses.

    In recent years, infant mortality had remained relatively stable in Romania.  From 2023 to 2024, the number of doctors treating children increased by five per cent.  Regarding children’s access to medical services, all children were insured in Romania and benefitted from basic medical services across all sectors of health care.  The national health insurance fund also reimbursed certain services.  The Ministry of Health had launched a vaccination campaign in partnership with the Red Cross, to raise awareness of parents; this had been accompanied by a “catch-up” vaccination schedule, resulting in 1,500 children being vaccinated.  A protocol had been signed with the Orthodox Church to establish an active partnership to create a framework for anyone facing a possible cancer diagnosis, offering support.   

    World Breastfeeding Week was celebrated in August each year, as breastfeeding remained one of the most effective ways to provide children with the best start in life. Breast feeding recommendations had been developed with partners, including the World Health Organization, and were relayed to medical practitioners at the local level.  Around 200 integrated community centres would be restructured, elevated and equipped.  A television broadcast had been created to promote the importance of breastfeeding in the first six months of a child’s life.   

    Information and education campaigns had been carried out for children, parents and teachers about the benefits of a healthy diet and the consequences of unhealthy eating. Around 1,000 people had benefited from the campaign.  Substance abuse could be detected by family doctors and psychological services could be recommended.  The national health insurance house implemented the national mental health programme, providing treatment for persons with substance abuses, and ensuring specific treatment for patients with depressive disorders. 

    Questions by Committee Experts 

    RINCHEN CHOPHEL, Committee Expert and Country Taskforce Coordinator, said the Government had approved a social assistance programme in 2011 which targeted all communes, but was underfinanced; could more information be provided?  The Environment Week presented was an excellent initiative; how was it being utilised? 

    JULIANA SCERRI FERRANTE, Committee Expert and Country Taskforce Member, asked if there were any supervision orders, where children remained with their family but were supervised?  Were there age assessment procedures during the asylum procedure?  What rights did children applying for asylum have?  Could they appeal any decisions? 

    PHILIP JAFFE, Committee Vice-Chair and Country Taskforce Member, said according to research by the United Nations Children’s Fund, Romanian girls felt much lonelier than Romanian boys.  Was there a reason for this gap? 

    SOPHIE KILADZE, Committee Chair and Country Taskforce Member, asked for clarification on case management coordination.

    A Committee Expert noted the prevalence of women among the large delegation and asked if women generally had an important and high-profile position in Romania, or if this only occurred when discussing children?  Had there been any programmes to prevent violence?  Had the concept of gender been fully institutionalised? Were teachers trained in detecting signs of violence?  What was the prevalence of child marriage in the country?  What about figures for marriages which were not officially recorded? Had there been any programmes to prevent the phenomenon or sanctions? 

    Was there any mapping of the at-risk populations in the country of female genital mutilation? Was female genital mutilation prohibited in law?  What was the most updated action on sexual exploitation?  Was there any cross-border cooperation between Romania and neighbouring countries?  Did Ukrainian children born in Romania have access to Romanian citizenship?  Did rape victims have access to emergency contraception?

    Another Expert asked about vaccinations for children aged zero to 12; was there distrust in the population when it came to vaccines?  It seemed that tuberculosis was a public health issue.  What was being done in the field of treatment? Were there children whose births had not been declared, particularly among refugees, Roma and migrants?

    A Committee Expert asked about the new concept introduced by the Parliament on parental alienation.  How had this concept been consulted on, particularly with children?  How would the best interests of the child be ensured? What specific measures were being taken to reduce school dropout and improve access to quality education for Roma children?  What mechanisms were in place to monitor and support Roma children who were at risk of dropping out? 

    Another Committee Expert said she was happy to hear about the programme for the deinstitutionalisation of alternative care centres; this was something Romania should be proud of, as well as all the foster arrangements being made, especially for children with disabilities.  What was the State doing to support the families of children with disabilities, particularly those with severe disabilities? 

    Responses by the Delegation 

    The delegation said emergency contraception was available to those who had experienced sexual assault and could be obtained without a prescription.  Adolescent pregnancies were a major concern for the Romanian public health system.  Contraceptives and medical devices were provided free of charge through family centres and through gynaecological departments, where abortions were performed upon request.  Romania was one of the first European countries to offer non-discriminatory HIV/AIDS treatment. 

    Refugees were granted a monthly allowance, one-month’s accommodation, and access to education for minors.  Legislation in the field of asylum provided for beneficiaries to apply for family reunification when family members were not in Romania.  Identity documents needed to be provided to prove family links. Family reunification of unaccompanied minors was carried out with the best interest of the child in mind. Minors from immigrant backgrounds benefitted from the same rights as minors who were Romanian citizens. Romanian language courses provided teaching support, textbooks and workbooks developed on linguistic levels according to the European Union framework.  Priority for asylum applications was given to unaccompanied minors. 

    Medical forensic expertise was used when an asylum applicant could not prove their age and there were serious doubts about their ethnicity.  The declared age of the asylum applicant was accepted if their refusal to undergo the medical expertise was based on compelling reasons.  The assessment was performed with full respect for the minor’s dignity and in the least invasive way possible. 

    Investigations in child and human trafficking were undertaken by specialists with supervision from specialised prosecutors.  Through law 229/2024, the Romanian Parliament aimed to discourage sex tourism and the pimping of minors.  More than 1,200 criminal cases had been identified regarding child trafficking. The General Inspectorate of Romanian Police organised regular sessions for border police and non-governmental organizations, with the purpose of identifying victims.  More than 125 trainings had been carried out for over 4,000 workers who may encounter trafficking victims through their work. The National Agency against Trafficking in Persons and the Directorate for Investigating Organised Crime had implemented a national action plan in the fight against human trafficking to improve the awareness of at-risk groups. 

    In 2024, prosecutors from the Directorate for Investigating Organised Crime took part in 35 seminars regarding identifying child victims, compensation for victims, international cooperation, and online sexual exploitation of children, among other topics.  A public awareness campaign had been launched relating to sexual acts between adults and minors.  The message stated that a sexual act committed against a minor of 16 years or under constituted rape, if the age gap was more than five years, and punishments applied. 

    According to Romanian legislation, minors benefited from free legal aid, whether they committed a crime, or if they were victims of a crime.  The Romanian penal system limited sanctions in regard to minors, and measures for deprivation of liberty were only given as a last resort and could only be ordered by a court. 

    The integrated social services project aimed to develop the academic knowledge of professionals working in the social assistance field, and to develop concrete measures for vulnerable groups of people. 

    During “green week”, schools organised activities around several topics relating to the environment.  These were uploaded on a specialised platform dedicated to education on climate change and varied from one educational cycle to another.  The Ministry of Education had developed a programme, the mechanism of early-living alert, which focused on early education for Roma children. 

    In Romania, social services were obligated to identify children in a risk situation.  Children could remain within families and be monitored by social services until the risks were removed.  The parental alienation provision was introduced in all cases relating to violence and neglect.  It was recommended that this provision be removed, as these measures should only be applied by the courts.  There were many trainings offered to judges on methods relating to children’s rights.  Social workers were also trained to provide necessary assistance to visiting parents. Social services could only assist; they could not intervene and solve disputes between parents. 

    Closing Remarks

    RINCHEN CHOPHEL, Committee Expert and Country Taskforce Coordinator, reiterated the Committee’s appreciation for the Government of Romania’s support to Ukrainian refugees, particularly children.  The State was encouraged to continue to undertake these activities which were important for solidarity for children.  Significant progress had been made from the last reporting period to the current one, with many looking forward beyond the dialogue.  This was an indication of the Government’s commitment towards children.  As the country moved forward, it was important to put emphasis on implementation and ensure vulnerable children did not miss out. 

    HELENA OMNA-RAICU, President of the National Authority for the Protection of Child Rights and Adoption of Romania and head of the delegation, expressed deep gratitude for the dialogue.  The delegation welcomed the Committee’s emphasis on equality, accountability and sustainability, which would underpin the next stage of the State’s deinstitutionalisation journey.  The Committee’s concerns regarding urban disparities were noted.  It was recognised that rights delayed were rights denied, and the State was committed to accelerating affirmative action. Romania would treat the Committee’s recommendations as an opportunity for deeper transformation. 

    SOPHIE KILADZE, Committee Chair, thanked the delegation for the fruitful dialogue and commended its members for their clear and comprehensive answers.  Ms. Kiladze extended her best regards to the children of Romania. 

    ___________

    Produced by the United Nations Information Service in Geneva for use of the media; not an official record. English and French versions of our releases are different as they are the product of two separate coverage teams that work independently.

     

     

    CRC25.013E

    MIL OSI United Nations News

  • MIL-OSI USA: Rep. Peters Thanks EPA Administrator Zeldin for Commitment to Stop Cross-Border Sewage Pollution

    Source: United States House of Representatives – Congressman Scott Peters (52nd District of California)

    Washington D.C. – Today, at an Energy and Commerce Committee hearing, Representative Scott Peters (CA-50) thanked Environmental Protection Agency (EPA) Administrator Lee Zeldin for touring the U.S.-Mexico border in southern San Diego and for his commitment to address the scourge of cross-border wastewater pollution. This follows a joint announcement from the EPA and U.S. International Border and Water Commission (IBWC) this morning, that both agencies will speed up the first phase of the incremental expansion of the South Bay International Wastewater Treatment Plant (SBIWTP) from two years to 100 days. This phase will increase the plant’s capacity to treat wastewater from 25 to 35 million gallons per day (mgd). The full project to repair and expand the dilapidated plant, for which Representative Peters and the San Diego delegation have secured $360 million in the last 18 months, will double treatment capacity to 50 mgd. 

    During the hearing, Rep. Peters stated, “I want to thank you for your recent visit to the South Bay and your tour of the Tijuana River Valley. This contamination issue remains, what I believe is one of the worst environmental catastrophes of the hemisphere and we are so encouraged by your commitment to working on a 100% solution… We’ve all worked really hard to get resources here — Republicans and Democrats. You have a partner here, and we’re happy to partner with you.”  

    During his opening remarks, EPA Administrator Zeldin stated, “[We] have issued immediate action items for Mexico to permanently and urgently end the Tijuana River sewage crisis that has plagued Southern California for decades.”  

    Last month, EPA Administrator Zeldin toured the South Bay at Rep. Peters’ invitation to see firsthand the ecological, economic, and health harms caused by this crisis.  

    Further Background: 

    Representative Peters has, for years, worked to address the cross-border pollution fouling San Diego’s coastal waters, including pushing for additional funding to fix and expand the dilapidated SBIWTP. The following are some recent actions: 

    2025 

    1. In March, Rep. Peters introduced legislation to authorize the International Boundary and Water Commission (IBWC) to accept funding from federal and non-federal entities for wastewater treatment, flood control projects, or other water conservation efforts. 

    2024 

    1. In January, Rep. Peters took to the House floor to demand that the President’s requested $310 million to fix and expand the dilapidated SBIWTP be included in any upcoming spending deal. 
    2. In February, Rep. Peters joined members of San Diego’s Congressional delegation to ask U.S. Navy Secretary Carlos Del Toro about the effects of cross-border pollution on Navy operations. 
    3. In March, Rep. Peters celebrated the inclusion of $156 million, at his request, for the International Boundary and Water Commission’s (IBWC) construction budget in the Fiscal Year 2024 Appropriations bill. The IBWC is the federal agency tasked with operating and maintaining the SBIWTP. 
    4. In May, Rep. Peters joined Rep. Veronica Escobar (TX-16) in a bipartisan request for $278 million for the IBWC’s construction budget in the Fiscal Year 2025 Appropriations bill. 
    5. In August, Rep. Peters hosted Deputy Secretary of State Richard Verma on a tour of the broken wastewater treatment plant. 
    6. In September, Rep. Peters joined members of San Diego’s Congressional delegation to reiterate their call for a federal state of emergency declaration amid high levels of toxic gases. 
    7. In December, Rep. Peters and the Congressional delegation successfully fought to include an additional $250 million to fully repair and expand the capacity of the SBIWTP in the government funding bill. This brought the total amount of funds secured to $650 million. 

    2023 

    1. In June, Rep. Peters led a letter with other members of the San Diego Congressional delegation to the governor of Baja California urging accountability for the Mexican government’s commitments to build wastewater treatment infrastructure. 
    2. In July, members of the San Diego congressional delegation requested that the Environmental Protection Agency assist with directing environmental justice funds from the Infrastructure Investment and Jobs Act and the Inflation Reduction Act to help stop the flow of pollutants and urged Secretary of State Antony Blinken to tour the broken plant. 
    3. Also in July, they sent a letter to President Biden and submitted an amendment to the National Defense Authorization Act for Fiscal Year 2024, calling on the administration to declare this crisis a federal emergency. 
    4. In August, he led two letters to the Office of Management and Budget and to OMB and the State Department, calling for urgent additional funding to confront this crisis.  
    5. In September, he proposed an amendment to the Fiscal Year 2024 Interior, Environment, and Related Programs Appropriations Bill to boost U.S.-Mexico Border Water Infrastructure Grant Program funding. Additionally, he proposed two amendments to the Fiscal Year 2024 State, Foreign Operations, and Related Programs Appropriations Bill to boost annual construction funding to the USIBWC to $100 million. 
    6. In October, Rep. Peters led a bipartisan letter to the Department of State demanding a complete account of how the SBIWTP fell into such a severe state of disrepair. 
    7. In December, he led a letter urging leaders of the U.S. House of Representatives and U.S. Senate to include President Biden’s $310 million supplemental budget request to repair the SBIWTP in any upcoming funding package. 

    In previous years, Peters and colleagues have secured funding, introduced legislation, called for investigations, and arranged a visit by EPA Administrator Regan in response to the wastewater contamination crisis.  

    ###

    MIL OSI USA News

  • MIL-OSI USA: SPC Tornado Watch 310 Status Reports

    Source: US National Oceanic and Atmospheric Administration


    Watch 310 Status Reports

    Watch 310 Status Message has not been issued yet.


    NOAA / National Weather Service, National Centers for Environmental Prediction, Storm Prediction Center, 120 David L. Boren Blvd., Norman, OK 73072 U.S.A. spc.feedback@noaa.gov. Page last modified: May 21, 2025

    MIL OSI USA News

  • MIL-OSI USA: Powering New York with Renewable Energy

    Source: US State of New York

    Governor Kathy Hochul today announced that contracts have been executed for 26 large-scale land-based renewable energy projects that, upon completion, will provide more than 2.5 gigawatts of clean energy, enough to power more than 670,000 homes throughout New York State. These projects are expected to create more than 1,900 near-term, family-supporting jobs and generate more than $6 billion in private investment while reinforcing the State’s commitment to the development of locally-produced clean energy, grid resiliency and economic development.

    “New York is creating competitive opportunities for the clean energy industry, and we could not do this without the shared commitment of our private partners,” Governor Hochul said. “The advancement of renewable energy is part of the foundation of New York’s plan to transform to a zero-emission electricity system and continue our green economy’s momentum forward.”

    These contracted awards are the result of the New York State Energy Research and Development Authority’s (NYSERDA) 2024 Tier 1 Renewable Energy Standard solicitation. Once constructed, the projects will produce approximately 5,000 gigawatt-hours annually–which is enough to power more than 670,000 homes–provide public health benefits resulting from reduced exposure to harmful air pollutants; and provide more than $300 million in commitments to disadvantaged communities, as defined by the Climate Justice Working Group, from long-term payments to community benefit funds.

    New York State Energy Research and Development Authority President and CEO Doreen M. Harris said, “As New York transitions to a clean energy economy, we celebrate these 26 projects and the significant energy they will provide. New York remains an innovator in accelerating clean energy projects, advancing clean energy jobs, and spurring economic development opportunities for businesses and our local communities all across our state.”

    Contracted projects include:

    Capital Region

    • Dolan Solar, Washington County
    • Hawthorn Solar, Rensselaer County
    • Somers Solar, Washington County
    • Shepherd’s Run Solar Project, Columbia County

    Central New York

    • Agricola Wind, Cayuga County
    • Homer Solar Energy Center, Cortland County

    Finger Lakes

    • Highbanks Solar, Livingston County
    • Horseshoe Solar Energy Center, Livingston and Monroe Counties
    • Valcour Bliss Windpark, Wyoming County

    Mohawk Valley

    • Dolgeville Hydro, Herkimer County
    • Flat Creek Solar, Montgomery County
    • Mill Point Solar I, Montgomery County
    • Skyline Solar, Oneida County

    North Country

    • ELP Ticonderoga Solar, Essex County
    • Fort Covington Solar Farm, Franklin County
    • Lyons Falls Mill Repower, Lewis County
    • Tracy Solar Energy Center, Jefferson County
    • Two Rivers Solar Farm, St. Lawrence County
    • Valcour Altona Windpark, Clinton County
    • Valcour Clinton Windpark, Clinton County

    Southern Tier

    • High Bridge Wind, Chenango County
    • Prattsburgh Wind Farm, Steuben County
    • Yellow Barn Solar, Tompkins County

    Western New York

    • Moraine Solar Energy Center, Allegany County
    • South Ripley Solar, Chautauqua County
    • York Run Solar, Chautauqua County

    The payments under the contracted projects will only begin once projects are constructed and begin delivering renewable energy to New York after obtaining all required permits and approvals. Several projects have already commenced construction activities. All projects are expected to be operational by 2029.

    Additionally, the State will continue to emphasize engagements with the projects’ host communities. NYSERDA offers resources and no-cost technical assistance to help local governments understand how to manage responsible clean energy development in their communities, including step-by-step instructions and tools to guide the coordination of new clean energy projects, permitting processes, property taxes, siting, zoning, and more.

    New York State Department of Public Service CEO Rory M. Christian said, “We applaud Governor Hochul’s commitment to move New York State toward a clean energy economy. The projects being announced today will spur the creation of clean energy jobs as well as encouraging economic development opportunities in New York State.”

    New York State Department of Environmental Conservation Acting Commissioner Amanda Lefton said, “These large-scale renewable energy projects demonstrate how clean energy and job creation go hand-in-hand to build healthier communities and stronger economies. More than two dozen projects under contracts through NYSERDA will generate renewable power and private investment that helps continue the significant progress underway to reduce polluting power sources.”

    New York State Department of Labor Commissioner Roberta Reardon said, “I thank Governor Hochul for maintaining our state’s leadership in the clean energy sector and for continuing to create great career opportunities for New Yorkers statewide. These investments will continue to build a more energy efficient and environmentally friendly future for New York State.”

    State Senator Kevin Parker said, “As Chair of the Senate Energy and Telecommunications Committee, I am proud to work alongside NYSERDA, a critical partner in advancing New York’s clean energy future. Their continued leadership in delivering funding awards and innovative programs is essential to meeting the goals of the Climate Leadership and Community Protection Act. Together, we are not only strengthening the state’s electric grid with renewable energy, but also ensuring that disadvantaged communities share in the economic and environmental benefits of this transition.”

    New York State AFL-CIO President Mario Cilento said, “Congratulations to Governor Hochul and NYSERDA on another major milestone toward achieving New York’s renewable energy goals while adhering to robust labor standards and protections and Buy American policies. This will create good union jobs while building up the State’s clean energy program.”

    New York State Building Trades President Gary LaBarbera said, “Renewable energy projects continue to represent major opportunities for New York to not only achieve the goals set out by CLCPA but also create thousands of family-sustaining union careers and economic stimulus that will reinvigorate our communities and the middle class. The execution of these contracts represents a significant milestone for reaping the benefits of these clean energy initiatives. We thank Governor Hochul and NYSERDA for their continued commitment to pushing forward the development of green infrastructure in New York.”

    Alliance for Clean Energy New York Executive Director Marguerite Wells said, “The benefits of locally-produced renewable energy are immense and wide-ranging. We thank Governor Hochul for continuing to guide the state through our clean energy transition, which will not only benefit the New Yorkers of today but also those of generations to come. Today’s announcement shows there is continued enthusiasm from private developers to invest in New York, and New York remains ready to greet them.”

    New York League of Conservation Voters President Julie Tighe said, “Climate change is happening now and the impacts will only get worse if we don’t transition off of fossil fuels and deliver on our clean energy future. Today’s announcement of new land-based renewable energy projects will mean fewer greenhouse gas emissions, better air quality, and good union jobs for New Yorkers. We thank Governor Hochul for her environmental leadership and congratulate NYSERDA on this progress toward meeting our clean energy goals.”

    Natural Resources Defense Council Power Sector Managing Director Kit Kennedy said, “New York State’s leadership on clean energy is more important now than ever, given the federal government’s efforts to turn back progress. The clean energy projects announced today by Governor Hochul mean more jobs, more economic development for communities, less health-harming air pollution, and lower electricity system costs. This is what leadership means. Let’s keep it coming!”

    Citizens Campaign for the Environment Executive Director Adrienne Esposito said, “We are thrilled that NY is taking another significant step forward in our state’s ongoing transition to a clean energy future. As national momentum around renewable energy and climate action stumbles, it’s more important than ever for states like New York to lead. Leadership matters and we need NY to continue on a course of establishing a 21st century energy infrastructure plan we can be proud of! These projects will deliver reliable, locally-produced clean energy to millions of New Yorkers helping to meet the state’s ambitious renewable energy goals while combating climate change, creating jobs, strengthening our economy, and enhancing long-term energy security. CCE commends Governor Hochul and NYSERDA for their commitment to advancing critical renewable energy projects that benefit both our environment and our communities.”

    Advanced Energy United New York Policy Lead Kristina Persaud said, “This is an exciting milestone for New York’s clean energy future. These large-scale renewable energy projects will bring real economic benefits to communities across the state. These projects will not only provide clean power, but also quality jobs for New Yorkers. At the same time, they strengthen New York’s leadership in the rapidly growing clean energy sector, positioning the state to compete in a global market and reap the long-term economic benefits of a modern energy economy.”

    These projects will add to New York’s robust portfolio of large-scale renewable energy projects, now comprised of nearly 100 solar, land-based wind, hydroelectric and offshore wind projects currently operating or under development that are expected to deliver approximately 10 gigawatts of clean power to the grid — enough to power more than 3.3 million New York homes. Of these nearly 100 projects, more than one gigawatt of capacity is under construction, which once completed will add to the 31 operational projects currently delivering 1.4 gigawatts of clean energy to the grid – now supplying power to nearly half a million New York homes.

    New York State’s Climate Agenda

    New York State’s climate agenda calls for an affordable and just transition to a clean energy economy that creates family-sustaining jobs, promotes economic growth through green investments, and directs a minimum of 35 percent of the benefits to disadvantaged communities. New York is advancing a suite of efforts to achieve an emissions-free economy by 2050, including in the energy, buildings, transportation, and waste sectors.

    MIL OSI USA News

  • MIL-OSI Global: Clownfish shrink during marine heatwaves – new study

    Source: The Conversation – UK – By Theresa Rueger, Senior Lecturer in Tropical Marine Biology, Newcastle University

    Clownfish that shrank during heatwaves were more likely to survive them. Morgan Bennett-Smith

    As the world contemplates dealing with more extreme temperatures, one coral reef fish has found a novel way to beat the heat: shrinking.

    Wanting to know how clownfish cope with changes to their environment, we repeatedly measured 134 wild fish in Kimbe Bay, Papua New Guinea, during a marine heatwave that started in March 2023 and is part of an ongoing global mass coral bleaching event. Clownfish have unique markings, which make it easy to identify and measure them underwater.

    To our complete surprise, we found that 100 of the fish we measured shrank during our study from February to August 2023. Those that shrank had a better chance of surviving the heatwave.

    The clownfish, Amphiprion percula, lives in small social groups within anemones on coral reefs. As the movie Finding Nemo indicated, clownfish rarely, if ever, leave their host anemone because the anemone offers them protection from predators.

    Sadly, this also means that clownfish cannot move to cooler areas as marine heatwaves become more common on coral reefs due to rising global temperatures. Clownfish need other strategies to survive the heat.



    This is the first time that coral reef fish have been shown to shrink in response to heat stress. And by shrink, we don’t mean getting skinnier – we mean getting shorter.

    This is surprising because growth in vertebrates (animals with backbones, like us) is generally considered to be a one-way street. You get larger over time and you might stop growing if stressed or as you reach your maximum length, but it is rare to find vertebrates shrinking, especially over periods as short as a month, and in response to environmental conditions.

    It may also seem counter-intuitive to shrink. After all, smaller individuals are more prone to being eaten and they breed less. Here, however, being smaller increased the chances of survival for clownfish, possibly because smaller fish need less food and are typically more efficient at foraging and using oxygen, which is scarcer in hot water.

    Orange clownfish in a bleached anemone during the 2023 heatwave in Kimbe Bay, Papua New Guinea.
    Morgan Bennett-Smith

    If you shrink, I shrink

    We found that there is a social component to shrinking and surviving a heatwave.

    A remarkable feature of clownfish social groups is that they maintain strict hierarchies based on size. This means growth – and shrinking – don’t just affect the individual in question, but also risks conflict within the group that could force a fish to be evicted, which usually leads to death. So, shrinking is a risky proposition.

    On each anemone the biggest clownfish is female, the second biggest is male, and together they form a breeding pair. To avoid fights in the pair, males control their growth to keep a fixed size ratio between the two.

    In our study, breeding pairs in which both fish shrank were more likely to survive the heatwave than if only one, or neither, fish shrank.

    We also found that those fish who shrank by a lot could catch up and grow rapidly when conditions improved. That means that it’s not just the shrinking that helps, but being able to shrink and grow flexibly to meet your needs.

    A breeding pair of clownfish. The large female is on the right and the smaller male on the left.
    Theresa Rueger

    While not all fish beat the heat and survived, none of the fish that shrank multiple times in our study died, and even shrinking once increased a clownfish’s survival probability during the heatwave by 78%.

    Our research didn’t investigate how clownfish do this, but studies on other vertebrates might give us clues. Marine iguanas on the Galápagos Islands for example shrink during El Niño years, when water temperatures in the eastern and central tropical Pacific Ocean warm. This reduces the amount of food and prompts the reptiles to shrink by absorbing part of their bones.

    The average size of many marine fish species around the globe is getting smaller according to long-term surveys. This could partly be a result of fishing removing larger fish from populations, as well as the warming climate altering the growth or maximum sizes of fish.

    If our finding of adult fish shrinking in response to environmental stress is more widespread, it could be another reason why fish in the world’s ocean are getting smaller.



    Theresa Rueger receives funding from The Leverhulme Trust and the Natural Environment Research Council UK.

    Chancey MacDonald receives funding from the Natural Environment Research Council of UKRI.

    Melissa Versteeg receives funding from Murray Foundation UK, the Prins Bernard Cultuurfonds, the International Coral Reef Society and the School of Natural and Environmental Sciences at Newcastle University, UK.

    ref. Clownfish shrink during marine heatwaves – new study – https://theconversation.com/clownfish-shrink-during-marine-heatwaves-new-study-257036

    MIL OSI – Global Reports

  • MIL-OSI USA: Griffith Chairs Hearing with EPA Administrator Zeldin

    Source: United States House of Representatives – Congressman Morgan Griffith (R-VA)

    Congressman Morgan Griffith (R-VA), Chairman of the House Committee on Energy and Commerce Subcommittee on Environment, held a hearing titled “The Fiscal Year 2026 Environmental Protection Agency Budget.” The hearing, which featured Environmental Protection Agency (EPA) Administrator Lee Zeldin, focused on the agency’s budget request for fiscal year 2026.

    Chairman Griffith delivered his opening statement on the EPA’s ongoing work to rein in burdensome regulations and advance the “Powering the Great American Comeback” initiative.

    Later in the hearing, Chairman Griffith directed questions to Administrator Zeldin on his agency’s work.

    BACKGROUND

    In the 118th Congress, Rep. Griffith chaired the House Committee on Energy and Commerce Subcommittee on Oversight & Investigations.

    In 2024, Congressman Griffith chaired the hearing, “Fighting the Misuse of Biden’s Green Bank Giveaway.”

    Later in 2024, Rep. Griffith helped lead a letter with then-Chairwoman Cathy McMorris Rodgers of the Energy and Commerce Committee pressing the EPA for answers regarding Greenhouse Gas Reduction Fund (GGRF) awards.

    On April 11, 2025, Congressman Griffith joined Energy and Commerce Committee Chairman Brett Guthrie and Congressman Gary Palmer in an investigation into eight GGRF grant recipients.

    In the 119th Congress, Congressman Griffith is serving his first term as chairman of the House Committee on Energy and Commerce Subcommittee on Environment.

    The Environment Subcommittee’s first two hearings of the year focused on the EPA’s regulation of chemical manufacturing and the administration of the Brownfields Program. 

    Congressman Griffith recently announced EPA Brownfields grants coming to Virginia’s Ninth District. 

    ###

    MIL OSI USA News

  • MIL-OSI Russia: China publishes plan to protect rivers and lakes

    Translation. Region: Russian Federal

    Source: People’s Republic of China in Russian

    Source: People’s Republic of China – State Council News

    BEIJING, May 21 (Xinhua) — Chinese authorities have released an action plan to protect and develop beautiful rivers and lakes for the 2025-2027 period, focusing on improving the quality of aquatic ecosystems.

    A document jointly released Wednesday by China’s Ministry of Ecology and Environment and other government agencies sets targets to make significant progress in developing beautiful rivers and lakes by 2030 and to generally complete the process by 2035.

    The plan aims to promote targeted, science-based and legal pollution control, coordinate water resources management, aquatic environment and aquatic ecology, and establish an integrated environmental management system in the upper and lower reaches of key river basins to improve the health of river and lake ecosystems.

    The national list of beautiful rivers and lakes to be protected and developed includes 2,573 rivers and water bodies, including main channels of large rivers, important tributaries, key lakes and reservoirs that perform important ecological functions, have sensitive and fragile ecological environments or attract wide public attention.

    The plan contains 19 specific measures aimed at strengthening and deepening the management of the aquatic environment, ensuring basic environmentally safe water use, and comprehensively promoting efforts for protection and development.

    MIL OSI Russia News

  • MIL-OSI Canada: Protecting Albertans from future floods

    In June 2013, southern Alberta experienced the costliest natural disaster in Canadian history, causing five deaths, displacing more than 80,000 Albertans and resulting in more than $5 billion in damages. In response, Alberta’s government committed to building SR1 to strengthen flood protection for Calgary and nearby communities.

    Construction of the SR1 began in 2022, following robust engagements with the public and First Nations, and a comprehensive regulatory process. Following three years of construction, the SR1 is now complete and can provide communities along the Elbow River with a floodwall of defense against large-scale floods. As a dry reservoir, it will divert, store and then release flood waters back to the Elbow River when it’s safe to do so.

    “With flood season now upon us, Calgary and southern Alberta can rest assured that they will be protected from future large-scale floods like that of 2013. SR1’s innovative design will ensure people, communities and businesses are buffered from the most devastating physical and economic impacts of major floods.”

    Devin Dreeshen, Minister of Transportation and Economic Corridors

    “We are defending Albertans in Calgary and southern Alberta from the risks of floods. The Springbank Off-Stream Reservoir, which is now operational, will help reduce flood risks and protect lives, homes, businesses and the critical infrastructure we all rely on for many years to come.”

    Rebecca Schulz, Minister of Environment and Protected Areas

    Components include 70.2 million m³ of reinforced concrete for storage capacity, which is about 28,000 Olympic-sized swimming pools. SR1 is the first of its kind in Alberta, using a coordinated approach to engage multiple aspects of flood mitigation infrastructure. SR1 will work in tandem with the Glenmore Reservoir and other flood mitigation infrastructure in and around Calgary to manage downstream water flows and reduce the impacts of floods by temporarily holding water and reducing flows in the Elbow River. As water volume increases and the Elbow River water level rises, SR1’s diversion channel will move water to the off-stream storage reservoir, protecting surrounding areas from flooding.

    “The Springbank Reservoir reflects government’s commitment to protecting Albertans, wildlife and the diverse landscapes we all share. This flood mitigation measure will ensure critical habitats are protected, meaning fish and wildlife populations in the region can continue to thrive, while also protecting the outdoor spaces Albertans hold dear.”

    Todd Loewen, Minister of Forestry and Parks

    SR1 was designed to minimize environmental impacts. By managing downstream river flow, SR1 not only reduces the overall flood risk but also protects the river, critical habitat, fish and wildlife. Mitigation and monitoring plans were developed during the regulatory process for fish, air quality, surface and groundwater, wildlife and vegetation.

    “Calgarians remember all too well the devastation of the 2013 floods. Today marks a turning point. The completion of SR1 means we are better prepared, more resilient and actively protecting people, property and prosperity. I’m proud to see this collaborative investment in long-term safety and sustainability for our region.”

    Jyoti Gondek, mayor, City of Calgary

    Indigenous monitors were on site during construction, and any items identified as having historical or cultural importance were assessed by an archaeologist and reported to Alberta Culture, in accordance with the Historical Resources Act. Following engagement with First Nations, a land use plan was developed to guide land use when SR1 is not being used for flood mitigation.

    Key facts

    • SR1 is located in Rocky View County, about 15 kilometres west of Calgary on Treaty 7 land.
    • SR1 is a dry (off-stream) reservoir that will only hold water during a flood emergency, diverting flood water from the Elbow River before releasing it back into the river after the flood risk has passed.
    • Total cost:
      • $849.4 million – total estimated cost, including land purchases
        • $680.9 million – total provincial government cost
        • $168.5 million – federal government contribution
    • SR1 components:
      • 4.7-kilometre-long, 24-metre-wide diversion channel
      • 29-metre-high, 3.8-kilometre-long, off-stream earthen storage dam and reservoir
      • Includes:
        • 5.2 million m³ of dam infill and 5.6 million m³ of excavated earth were used

    Multimedia 

    •     Springbank Off-Stream Reservoir conceptual animation

    MIL OSI Canada News

  • MIL-OSI USA: DEP and PGC Host Falcon Banding Livestream Event

    Source: US State of Pennsylvania

    May 22, 2025, Harrisburg, PA

    ADVISORY – DEP and PGC Host Falcon Banding Livestream Event

    The Pennsylvania Department of Environmental Protection (DEP) will host the Pennsylvania Game Commission’s (PGC) banding of the 2025 Rachel Carson State Office Building peregrine falcon nestlings on Thursday, May 22, 2025. The event will be livestreamed at 10 AM on the DEP Facebook page at https://www.facebook.com/PennsylvaniaDEP/ and PAcast at https://pacast.com/live/dep.

    “For over two decades, peregrine falcons have nested on the Rachel Carson State Office Building in downtown Harrisburg – the longest active nest site in Pennsylvania,” said DEP Acting Secretary Jessica Shirley. “It’s fitting that so many falcons have been born and raised on the building that bears Rachel Carson’s name.”

    Patti Barber, Endangered Bird Specialist with PGC, will lead the team in bringing the nestlings in from the 15th floor ledge. Barber will weigh them, inspect their health, and put light metal bands around their legs for identification. This year there are three nestlings that will be banded. Not all of the falcons will be banded on the livestream.

    Falcon banding helps wildlife biologists to track the birds and allows birdwatchers from all over the world an opportunity to learn more about the peregrine’s flight patterns and where they establish new nesting sites. Falcons born on the ledge at the Rachel Carson State Office Building have been identified up and down the Atlantic coast, from Florida to Canada. Birdwatchers can report bands they see to ReportBand.gov.

    The peregrine falcon was removed from the federal Endangered Species List in 1999 and the Pennsylvania Threatened List in 2021 but remains federally protected under the Migratory Bird Treaty Act and the Pennsylvania Game and Wildlife Code.

    In the coming weeks, the young falcons will begin learning to fly. Volunteers with the Falcon Watch and Rescue monitor the falcons and recover them as they land near the Rachel Carson State Office Building. Anyone interested in joining the Falcon Watch and Rescue volunteers should contact Sue Hannon at hbgfalconwatch@gmail.com.

    Since 2002, a total of 90 eggs have hatched, making the Rachel Carson State Office Building nest site the longest, continuously successful nest site in the Commonwealth.

    Follow the conversation on X at @FalconChatter.

    For more information, visit the Pennsylvania Department of Environmental Protection’s website, or follow DEP on Facebook, X (formerly Twitter), or LinkedIn.

    MIL OSI USA News

  • MIL-OSI United Kingdom: Somerset Prepared Community Resilience Awards – nominations open

    Source: United Kingdom – Executive Government & Departments

    The Somerset Prepared partnership is now taking nominations for its annual awards which celebrate people who help their communities deal with emergencies.

    Lucie Reader of Pitcombe, last year’s award winner

    The Somerset Prepared partnership, including the Environment Agency, is searching for nominees for its next Community Resilience Awards.

    The nomination window opened on Sunday 11 May in celebration of this month’s Somerset Day.

    These awards recognise people and groups who have gone above and beyond to help their community be better able to deal with emergencies. 

    Awards will be presented in two categories: 

    • Group award – for community organisations demonstrating exceptional emergency planning or preparedness 

    • Individual award – for people who have made significant personal contributions to community resilience 

    Award winners will receive public recognition and vouchers for community activities. The awards will be presented by the Lord Lieutenant of Somerset, Mr Mohammed Saddiq at the annual Somerset Prepared Community Resilience Day, which will be held at Taunton Racecourse on Thursday, 15 October. At the free event, partners welcome local people to celebrate Somerset’s community emergency volunteers, with workshops, presentations, and equipment demonstrations. 

    The annual Somerset Prepared Community Resilience Day brings together key organisations including the Environment Agency, Somerset Rivers Authority and Somerset Council to help local communities strengthen their resilience against emergencies. Members of the public (or media) can reserve a place at the event by visiting Eventbrite.

    Dr Bel Deering, community engagement officer for Somerset Rivers Authority, said: 

    The incredible work of volunteers who help their communities before and during emergencies deserves our gratitude.

    They are our local heroes, and their courage and compassion deserve to be celebrated and shared as stories of hope for all of Somerset.

    Last year’s individual winner was Lucie Reader of Pitcombe, whose exceptional leadership led to all homes in her community being flood protected for future emergencies. The group winner was Nunney Parish Council, whose councillors supported their community by proactively working with residents to improve their resilience to flooding.    

    Emma Giffard, flood resilience engagement advisor for the Environment Agency, said:  

    On behalf of all the Somerset Prepared partners, we extend our sincere thanks and warmly encourage both groups and individuals to submit their nominations for the awards.

    Nominations for the award close on 15 September 2025.  

    Visit https://www.somersetprepared.org.uk/somerset-community-resilience-awards to submit a nomination.

    If you have any questions please contact somersetprepared@somerset.gov.uk or floodwessex@environment-agency.gov.uk.

    Background

    Somerset Prepared is a multi-agency partnership working closely with communities to deliver advice, support and training to help enhance local resilience to emergencies. The partnership is made up of many organisations able to provide advice, guidance and support to help you develop local initiatives that enhance resilience to emergencies. 

    Full membership includes: 

    • Avon & Somerset Police 

    • British Red Cross 

    • Community Council for Somerset 

    • Community Representatives 

    • Devon & Somerset Fire & Rescue Service 

    • Environment Agency  

    • Rotary International 

    • Safe South West (Treasurer) 

    • Somerset Council (Chair & Secretariat) 

    • Somerset Rivers Authority 

    • South Western Ambulance Service 

    • Spark Somerset

    Published 21 May 2025

    MIL OSI United Kingdom

  • MIL-OSI USA: Protecting the Finger Lakes Watersheds

    Source: US State of New York

    Governor Kathy Hochul today announced that $42 million will be disbursed to the Eastern Finger Lakes Coalition to begin implementation of priority projects that will help mitigate Harmful Algal Blooms in the Finger Lakes Watershed area. The Coalition will implement on- and off-farm projects that align with federal and State-approved clean water plans and other pollution prevention plans in an effort to further drive down nutrient and sediment runoff in the Eastern Finger Lakes watersheds. The investment is a part of the Governor’s 2024 State of the State commitment to develop on-the-ground actions necessary to address the controllable causes of harmful algal blooms (HABs) and significantly reduce their prevalence while supporting projects that help prevent nutrient and sediment runoff into lakes and improve climate resiliency.

    “Protecting New York’s water supply is a top priority for New York State,” Governor Hochul said. “We are moving this funding quickly to accelerate watershed protection and restoration measures that will reduce nutrient inputs to the Finger Lakes, improve water quality, and help reduce the frequency of HABs, while building resilience to support New York’s agricultural industry. Clean water is critical to sustaining the health of our communities, protecting our environment, and supporting local economies in the Finger Lakes.”

    In August 2024, New York State announced that $42 million, supported by the Clean Water, Clean Air and Green Jobs Environmental Bond Act of 2022 and other capital resources, was being directed to the Eastern Finger Lakes Coalition to further water quality protections and investments to improve water quality and reduce HABs in the Finger Lakes watershed area. HABs are caused by many factors and impact public health, recreation, and the local economy. The Coalition covers 11 Soil and Water Conservation Districts and seven of New York’s Finger Lakes – Canandaigua, Keuka, Seneca, Cayuga, Owasco, Skaneateles, and Otisco, and their watersheds.

    This dedicated funding, scheduled to be disbursed to the Coalition imminently, is supporting innovative agricultural and resilience projects both on and off farms. This critical investment will not only safeguard the health of the Finger Lakes but also support local farmers by providing additional resources to implement best management practices, such as erosion and sediment controls, nutrient management, and stormwater management that will contribute to cleaner water and soil health throughout the region.

    This direct support of the Coalition is a part of the Department of Agriculture and Markets (AGM) and Department of Environmental Conservation’s (DEC) partnership, alongside the State Soil and Water Conservation Committee, and the 11 Soil and Water Conservation Districts (SWCDs) in the Eastern Finger Lakes, to accelerate watershed protection and restoration measures to improve water quality and mitigate HABs.

    Projects will focus on:

    • Implementing the Agricultural Environmental Management (AEM) program projects to help farmers reduce water pollution from agricultural activities;
    • Enhancing flood resiliency by stabilizing and protecting vulnerable streams, reducing sediment erosion, and upgrading culverts and implementing water control practices in steep road ditches to minimize sedimentation and runoff; and
    • Supporting nutrient reduction strategies outlined in watershed-based plans.

    Department of Environmental Conservation Acting Commissioner Amanda Lefton said, “Governor Hochul’s sustained investments to reduce the frequency of HABs is evident in the ongoing support for the Eastern Finger Lakes Coalition, as well as record infrastructure funding and sustainable farming assistance that helps continue improving the quality of waterbodies statewide. DEC looks forward to collaborating with the Coalition and our many partners on the State and local level to ensure the long-term protection of the lakes and rivers that provide countless environmental, health, and economic contributions to the region’s vibrant communities.”  

    State Agriculture Commissioner Richard A. Ball said, “We are proud of the work we are doing to drive down instances of HABs; however, we know that more must be done to address this issue in our watersheds, including in the Finger Lakes. As such, we are developing comprehensive action plans that will not only build on our current work to prevent water pollution, improve nutrient management, and reduce erosion, but will also guide our future goals for a sustainable environment and cleaner waterbodies. This funding will allow our Soil and Water Conservation Districts to work with both our farms and with local government to complete management projects that will have a critical impact on the reduction of sediments and nutrients entering the waterways and protect the water quality for the region now and for the future.”

    State Health Commissioner Dr. James McDonald said, “This latest funding demonstrates Governor Hochul’s commitment to addressing water quality improvements and Harmful Algal Blooms in the Finger Lakes Watershed area. The State Health Department will continue our work with local water suppliers and our state partners on infrastructure upgrades and technical assistance to help protect drinking water for years to come.”

    Cayuga SWCD Executive Director Doug Kierst said, “Through the continued support of NYS, Soil and Water Conservation Districts of the Eastern Finger Lakes Coalition will continue to get common sense conservation practices on the ground, where they are desperately needed. This dedicated funding will allow local SWCDs to focus on the implementation of an abundance of Best Management Practices that we have identified across the Finger Lakes Region. These important projects, when completed, will facilitate the protection of water quality through the reduction of nutrients and sediments to local waterbodies, support NYS clean water goals and maintain agricultural sustainability.”

    New York State SWCC Chair Matthew Brower said, “The NYS Soil and Water Conservation Committee is proud to be a part of the partnership working to improve the water quality of the Finger Lakes. The farming community, the local Soil and Water Conservation Districts and local governments have been working on these issues for many years and it is great that they will be able to continue this work with the funding provided by New York State. The Agricultural Environmental Program (AEM) has been an excellent program to help farmers identify needs on the farm and get the best management practices implemented to address water quality issues.”

    HABs Mitigation Efforts

    This investment builds on $1.2 million announced by the Governor in July 2024 for the Eastern Finger Lakes Coalition to build professional capacity to address HABs. It also included increased technical support for farmers to implement more cover crops, improve culverts to reduce runoff, enhance soil health, and reduce water quality impairments in the region.

    In just over the last five years, AGM has dedicated nearly $125 million— through its Agricultural Nonpoint Source Abatement and Control, Climate Resilient Farming, and Agricultural Environmental Management (AEM) programs— to on-farm projects that protect soil and water quality, conserve natural resources, fight climate change, and reduce the conditions that cause HABs, such as nutrient runoff and soil erosion, and greenhouse gas emissions.

    Through various funding streams allocated in the Budget, the Department supports the SWCDs, who work on behalf of New York’s farms to implement better nutrient and sediment control practices. The Department also supports SWCDs in their work with the State’s municipalities to increase stormwater absorption and improve water retention. These are accomplished through best management practices, such as nutrient management through manure storage, vegetative buffers along streams, conservation cover crops, water management, and more.

    Since 2020, specific to the Finger Lakes Watershed area, $66 million has been awarded over the last five years to implement best management practices on 370 farms within this region of the state. The projects awarded in the Finger Lakes alone have reduced 32,800 pounds of total phosphorus, 746,000 pounds of total nitrogen, and 43 million pounds of sediment per year. This work has also reduced New York State’s agricultural greenhouse gas emissions by nearly 43,000 metric tons of carbon dioxide equivalent every year and has also made a measurable impact towards keeping HABs out of the State’s waterways.

    Since 2017, DEC worked with stakeholders in the Canandaigua, Keuka, Seneca, Owasco, and Skaneateles lake watersheds to develop clean water plans to protect and improve water quality. In addition, DEC has completed Total Maximum Daily Load analysis in Conesus, Honeoye, and Cayuga lakes. In 2018, DEC convened four regional summits to examine the causes of HABs and develop sustainable solutions to reduce impacts. DEC worked with State and local partners to develop and implement HABs Action Plans for 13 high-priority waterbodies, including several in the Eastern Finger Lakes.

    To date, New York State awarded more than $530 million in grants for projects statewide designed to reduce the frequency of algal blooms by targeting phosphorus and nitrogen pollution, factors that trigger HAB occurrences. DEC also created the New York Harmful Algal Bloom System (NYHABS) webpage, which features an interactive map that provides active HAB locations. Members of the public should report suspected HABs so DEC experts can review and identify for accuracy. Because it is hard to tell a HAB from a non-harmful algal bloom, it is best to avoid swimming, boating, otherwise recreating in, or drinking water with a suspected bloom. DEC encourages people to “Know it, Avoid it, Report it!” all year round, especially during the summer. The summer months are the peak time for HABs – warmer weather, calmer conditions, and more sunlight will often contribute to the blooms.

    Also, since 2014, DEC awarded more than $55.7 million to 96 projects for water quality improvement planning and implementation within the Eastern Finger Lakes watershed through the Water Quality Improvement Project program and the Non-agricultural Nonpoint Source Planning and MS4 Mapping Grant. Projects funded prepare planning reports or directly improve water quality or habitat, promote flood risk reduction, restoration, and enhanced flood and climate resiliency, or protect a drinking water source. Awards within the Eastern Finger Lakes watershed included land acquisition for source water protection, streambank and road ditch stabilization, wastewater disinfection, sanitary sewer overflow improvements, sediment and erosion control, wetland restoration, riparian buffers, salt storage, and aquatic habitat restoration.

    At least $75 million in grants is currently available through DEC’s Water Quality Improvement Project (WQIP) program to support new projects that can help reduce HABs and other actions that directly improve water quality or habitat, promote flood risk reduction, restoration, and enhanced flood and climate resiliency, or protect a drinking water source.

    Other recent funding to help protect water quality includes more than $90 million in grants and low-interest financing to the City of Auburn announced by Governor Hochul and the State Environmental Facilities Corporation. This will support planning, design, and construction of wastewater treatment improvements. To help promote buffers that prevent runoff and other water quality impairments, DEC established the 287-acre Cayuga Shores Wildlife Management Area along Cayuga Lake and awarded $1.2 million to the Finger Lakes Land Trust for land acquisitions to protect Owasco Lake water quality.

    New York’s Commitment to Water Quality

    New York State continues to increase its nation-leading investments in water infrastructure. With an additional $500 million for clean water infrastructure in the 2025-2026 enacted State Budget announced by Governor Hochul, New York will have invested a total of $6 billion in water infrastructure since 2017. In addition, the $4.2 billion Environmental Bond Act is helping State agencies, local governments, and partners access funding to protect water quality, help communities adapt to climate change, improve resiliency, and create green jobs. Bond Act funding will support new and expanded projects across the state to safeguard drinking water sources, reduce pollution, and protect communities and natural resources from climate change.

    The Governor also expanded EFC’s Community Assistance Teams to help all communities access assistance, particularly small, rural, and disadvantaged communities so they may leverage this funding and address their clean water infrastructure needs. Any community that needs help with funding its water infrastructure is encouraged to contact EFC.

    MIL OSI USA News

  • MIL-OSI USA: ICYMI: Padilla, Colleagues Highlight Consequences of Senate Republicans’ Attempt to Abuse the CRA and Revoke California’s Clean Air Act Waivers

    US Senate News:

    Source: United States Senator Alex Padilla (D-Calif.)

    WASHINGTON, D.C. — Today, U.S. Senator Alex Padilla (D-Calif.), Ranking Member of the Senate Committee on Rules and Administration and a member of the Senate Environment and Public Works Committee, highlighted the growing opposition to Republicans’ shortsighted attempts to rescind California’s clean air waivers by going nuclear on the rules and overruling the nonpartisan Senate Parliamentarian’s decision. Senator Padilla, U.S. Senate Democratic Leader Chuck Schumer (D-N.Y.), and U.S. Senator Sheldon Whitehouse (D-R.I.), Ranking Member of the Senate Committee on Environment and Public Works, held the floor yesterday after Majority Leader John Thune (R-S.D.) said that he would move forward this week with a cynical attempt to rescind California’s Clean Air Act waivers with a 50-vote threshold under the Congressional Review Act (CRA), bypassing the filibuster and its 60-vote requirement by overruling the Senate Parliamentarian.

    Senators Padilla, Schumer, Whitehouse, Martin Heinrich (D-N.M.), Ron Wyden (D-Ore.), Adam Schiff (D-Calif.), and Edward J. Markey (D-Mass.) all came out strongly against this reckless effort.

    In a joint statement, Padilla, Schumer, and Whitehouse condemned the attacks on California’s Clean Air Act waivers:

    Padilla, Schumer, Whitehouse Joint Statement Warning Senate Republicans Against Overruling Parliamentarian On Clean Air Act Waivers

    “Let us be abundantly clear: if Republicans throw away the rulebook and overrule the Parliamentarian, that would be going nuclear — plain and simple. This move will harm public health and deteriorate air quality for millions of children and people across the country.  

    “Republicans are overruling a thirty-year tradition of state policies that bolstered a new sector of the economy, helped domestic automakers fend off China’s manufacturing dominance, improved the quality of the air we breathe, reduced planet-warming carbon pollution, and protected the health of American families.  Instead of negotiating changes with the states involved, the fossil fuel industry deployed its political operatives in Congress to go nuclear for them.

    “If the Trump Administration’s scheme to weaponize the CRA goes forward, the executive branch will control the Senate Floor. Senate Republicans are doing an about face on the filibuster — throwing it aside the first moment it’s convenient and the Senate Floor will not be the same.”

    Last night, Padilla, Schumer, and Whitehouse took to the Senate Floor to ask a series of parliamentary inquiries on Senate Republicans’ intention to go nuclear on the California waiver CRAs. Senate Democrats confirmed — on the congressional record — that the Republicans’ plan to move forward would be against the Parliamentarian’s guidance, and thus, the very definition of eliminating the filibuster and going nuclear. The Senators’ remarks and the Presiding Officer’s responses on behalf of the Senate Parliamentarian can be viewed here, and a transcript of the remarks is available here. 

    Senator Martin Heinrich, Ranking Member of the Senate Energy and Natural Resources Committee, issued a statement emphasizing that once Republicans embrace this significant reversal of precedent and attempt to overturn California’s Clean Air Act waivers, a future Democratic Administration could try to reverse Republicans’ oil and gas priorities, including liquified natural gas (LNG) export terminals.

    Heinrich Statement Blasting Senate Republicans’ Plans to Defy the Senate Parliamentarian & Force a Vote to Overturn California’s Clean Energy Air Act Waivers

    “If Senate Republicans force a vote on the California Clean Air Act Waivers, they set a precedent that will allow Congress to overturn nearly any agency decision nationwide. I urge my colleagues to reject this gross overreach. If they don’t, Congressional Review Act resolutions will quickly hijack the Senate floor to retroactively invalidate agency permits, adjudications, and licensing decisions – actions that were never previously considered ‘rules.’

    “We need a reliable energy permitting and approval system if we are going to meet our growing energy needs. But under Republicans’ proposal, Congress could invalidate permits for new oil and gas wells, established rights of way for transmission lines, and approvals of new LNG export terminals. That includes the Department of Energy’s recent approval of Commonwealth LNG’s application to export liquified natural gas. If not challenged immediately, a future administration could also submit Commonwealth’s authorization as a rule retroactively and halt the project years after it has begun construction.

    “By opening this door, Republicans threaten to destroy our permitting and regulatory system, leading to higher energy costs for Americans and making it impossible for new developments to come online. Indeed, nearly every major and minor project the federal government touches could be stalled, creating significant uncertainty if not complete chaos. That is not what the American people want, and it cannot be what Senate Republicans want, either.”

    Senator Wyden, Ranking Member of the Senate Finance Committee, warned Republicans against overruling the Senate Parliamentarian and abusing the Congressional Review Act to meddle with California’s clean air policies. He said the Republican plan would backfire if they follow through.

    Wyden Warns Republicans that Overruling Parliamentarian to Nix California Clean Air Waiver Will Backfire

    “Republicans should think twice before moving ahead with this unprecedented overreach. If they invoke this nuclear option now, they should expect that a future Democratic government will have to revisit decades worth of paltry corporate settlements, deferred prosecution agreements, and tax rulings that were overly favorable to multinationals and ultra-wealthy individuals. That would only be the beginning. These partisan actions cut both ways.”

    Senator Schiff delivered remarks on the Senate floor urging Senate Republicans to consider the implications their decision to throw out the Senate Parliamentarian’s ruling will have on their states if they use the CRA against California’s waivers. 

    WATCH: Sen. Schiff Slams Senate Republicans’ Attempts to Go Nuclear on California’s Clean Air Waivers on the Senate Floor

    “I urge my colleagues, and the American people, not be distracted by suggestions that nothing is going on here, nothing new is going on here, no precedent is being set here. Because it is.”

    “This week’s vote is short-sighted because it’s going to have devastating impacts for our nation’s health, but it’s more than that. And it should send a chill down the spine of legislators in every state and communities across the country, regardless of their political affiliation because the Senate is now setting a new standard, and one that will haunt us in the future. And it will haunt those states whose Senators vote to go down this path. Make no mistake. Today, it is California and our ability to set our own air quality standards. 

    “But tomorrow, it can be your own state’s priorities made into a target by this vote to open the Pandora’s Box of the Congressional Review Act.”

    Senator Markey criticized Republicans’ attempt to change the Senate rules to overturn California’s waivers, both because it reverses California’s clean air progress and because it violates longstanding Senate rules.

    As Senate Republicans Consider Procedural Power Grab, Markey Highlights Seriousness of the Moment

    “At a moment when Donald Trump is actively undermining the checks and balances enshrined in our Constitution, Senate Republicans are moving ahead with a dangerous change to Senate rules while rolling back clean air regulations. 

    “It’s not enough for Republicans to promote chaos and conflict in our economy for the sake of billionaires, they now want to create chaos and conflict in Congress by intentionally trashing guardrails and decisions that protect all members. They don’t care about the rule of law, and they don’t seem to care about the rule of Congress. With this action, Senate Republicans are opening the door for future votes on the countless unlawful and unethical actions carried out by the Trump administration. There will be no putting the genie back in the bottle.”

    Senator Padilla has been outspoken in pushing back against Republican attacks on California’s Clean Air Act waivers. Yesterday, Padilla placed a hold on the four pending EPA nominees until Republicans stop their reckless attempts to overrule the Senate Parliamentarian. Earlier this month, Senators Padilla, Schiff, and Whitehouse took to the Senate floor to sound the alarm on Senate Republicans’ consideration of moving forward with their plan to revoke California’s Clean Air Act waivers. Padilla, Whitehouse, and Schumer also led Democratic Ranking Members in strongly warning Majority Leader Thune and Majority Whip John Barrasso (R-Wyo.) of the dangerous and irreparable consequences if Senate Republicans overrule the Senate Parliamentarian’s decision on California’s waivers.

    Last month, Senators Padilla, Whitehouse, and Schiff welcomed the Senate Parliamentarian’s decision that the waivers are not subject to the CRA. Padilla also joined Whitehouse and Schiff in blasting Trump and EPA Administrator Lee Zeldin’s weaponization of the EPA after the Government Accountability Office’s (GAO) similar finding. Padilla and Schiff previously slammed the Trump Administration’s intent to roll back dozens of the EPA’s regulations that protect California’s air and water.

    MIL OSI USA News

  • MIL-OSI United Kingdom: Government Taskforce meets on Merseyside to bolster nation’s flood resilience

    Source: United Kingdom – Executive Government & Departments

    Press release

    Government Taskforce meets on Merseyside to bolster nation’s flood resilience

    Flood response capabilities on display at Merseyside fire base

    The third meeting of the Government’s national Floods Resilience Taskforce convened in Aintree today

    Bolstering the nation’s resilience to flooding, including in Merseyside, was top of the agenda as the Government’s national Floods Resilience Taskforce convened in Aintree today (Wednesday 21 May).  

    The meeting was chaired by Floods Minister Emma Hardy and hosted by Mersey Fire and Rescue Service at their National Resilience Centre of Excellence, one of the UK’s most advanced emergency service training facilities, used to co-ordinate national responses to large scale incidents and provide firefighters with the necessary training and skills to respond to events such as severe flooding.  

    The Government inherited the nation’s flood defences in their worst condition on record. To ensure the country is protected from the devastating impacts of flooding, more than 1,000 flood defences will be built or repaired through the Plan for Change as part of a record £2.65 billion two-year investment. 

    Today’s Taskforce meeting brought together partners including Defra, Cabinet Office, the Ministry for Housing, Communities and Local Government, the Environment Agency, the Met Office, Local Resilience Forums, Mayoral Offices, emergency responders, the National Farmers Union, and environmental interest groups. 

    Floods Minister Emma Hardy said:

    The role of any government is to protect its citizens. Having inherited flood defences in disrepair, we are bringing together valued partners through our Floods Resilience Taskforce here in Aintree as we look to speed up and co-ordinate flood preparation and resilience. 

    Through our Plan for Change, we’re investing a record £2.65 billion to repair and build more than 1,000 flood defences across the country, protecting tens of thousands of homes and businesses including on Merseyside.

    The group discussed plans to modernise the UK’s system for flood warnings further, stressing the need for users to understand better how it works for effective decision-making, planning and response. The development of a common warnings framework across the UK will enhance the service and support actions to reduce risks to people, property and livelihoods.  

    The Taskforce also confirmed plans to improve the way the government identifies individuals vulnerable to flooding. This includes using the risk vulnerability tool, unveiled last month by the Cabinet Office, which will enable thousands of officials to see how vulnerable particular areas are to risks by mapping real time crisis data such as live weather warnings, alongside demographic statistics. 

    The meeting touched upon the flood recovery framework, which through local authorities in England provides government support in the aftermath of flooding in exceptional circumstances. There was also discussion of the Bellwin scheme, which is used to reimburse local authorities in England for the costs of the actions they take in the immediate aftermath of an emergency or disaster that endangers life or property. It was agreed that further work is required to improve public understanding of flood resilience. 

    Caroline Douglass, Executive Director for Flood and Coastal Risk Management at the Environment Agency, said:

    Protecting communities in England from the devastating impact of flooding is one of our top priorities as climate change brings more extreme weather. 

    By participating in the Floods Resilience Taskforce, we’re ensuring we share information and co-ordinate our approach to bolster protection for thousands of homes and businesses from the dangers of flooding, preventing billions of pounds worth of damages.

    Minister Oppong-Asare, Parliamentary Secretary at the Cabinet Office, said:

    The Flood Resilience Taskforce sits at the heart of our work to protect communities from extreme weather and flooding.  

    Today’s meeting highlighted how digital tools can strengthen our flood response to identify and support those who are most vulnerable to the impacts of flooding.  

    Through the taskforce, we’re continuing to work closely with key partners to keep people, homes, and businesses safe.

    Met Office Services Director Simon Brown said: 

    Our observations show that the UK is getting wetter, we are seeing more days with over 50mm rainfall in autumn months. A warmer, moister atmosphere increases the capacity for deluges of rain, which can result in serious flooding. A recent study looking at the storms through autumn and winter in 2023/24 found climate change increased the amount of rainfall from these storms, making them about 20% more intense. 

    A number of recent Met Office attribution studies have shown that some recent heavy rainfall events in the UK associated with flooding can be linked to human-caused climate change. Since 1998 the UK has seen six of the 10 wettest years on record. Events such as the wettest February on record in 2020, are expected to become more frequent by 2100 due to climate change.

    The Government’s record investment in flood defences includes around £2.5 million in funding for Merseyside across 2024/25 and 2025/26, including £1 million for a flood alleviation scheme to protect communities near the Pool watercourse at Churchtown in Southport.

    Published 21 May 2025

    MIL OSI United Kingdom

  • MIL-OSI United Kingdom: Waste packaging company director pays high price in data fraud

    Source: United Kingdom – Executive Government & Departments

    News story

    Waste packaging company director pays high price in data fraud

    A Birmingham-based director and his company have been ordered to pay a Proceeds of Crime confiscation order, fines and costs totalling £476,995.

    This follows an Environment Agency investigation into fraudulent entry of waste packaging data.

    At Birmingham Crown Court on Friday 16 May 2025, Shaobo Qin, a director of EDU Case Ltd, pleaded guilty to fraud by false representation. He was given a 2 year prison sentence suspended for 18 months.

    Qin, age 42, of Sutton Coldfield, West Midlands, was also ordered to pay a Proceeds of Crime confiscation order of £255,057. He must pay within 2 months or face 3 years in prison.

    He was also disqualified as a director for 4 years and ordered to do 200 hours of unpaid work.

    His company, EDU Case Ltd of Portway Road, Rowley Regis, was fined £200,000. The Environment Agency were also awarded £21,995 in investigation costs.

    The court was told Qin’s company was a plastics and recycling exports enterprise.  The offences were discovered by the Environment Agency towards the end of 2022.

    The company, orchestrated by Qin, was deliberately and systematically entering false data on to the Environment Agency’s National Packaging Waste Database (NPWD) for non-existent waste exports.

    This resulted in Qin receiving a benefit for himself and his company in the sum of approx. £255,000. He was arrested on Wednesday 10 January 2024 and interviewed by Environment Agency officers.

    EDU Case were accredited to carry out plastic packaging exports and able to issue “evidence” of that activity in the form of tonnage figures on the database.

    This evidence could be bought by businesses who are obliged to account for their plastic packaging waste under the Producer Responsibility Obligations (Packaging Waste) Regulations 2007.

    An audit conducted by Environment Agency officers in 2023 and information following that work identified discrepancies between the amount of waste exported and the amount of evidence issued. 

    The false entries represented nearly two-thirds of the business’ entire trade in 2022 towards the end of that year.

    As part of that audit, a legal notice was served on Qin and the company in September 2023.

    This notice required the production of their evidence of plastic waste exports.  In response, Qin sent a computer memory stick containing his business’ waste export evidence and a letter explaining a large discrepancy, described as an “overclaim.”

    The letter stated that the company had carried out 1,239 metric tonnes of plastic waste exports in 2022, that only 453.60 metric tonnes were genuine, and that the majority of his trading, 785.40 metric tonnes, was ‘a mistake.’

    In sentencing the judge said this was without doubt deliberate offending and pre-planned. There had been a significant undermining of the regulatory regime. 

    He accepted that there had been a guilty plea entered at first opportunity and that money had been put aside to repay the financial benefit made. The company was also fined to mark the seriousness of the offending.

    Sham Singh, Senior Environmental Crime Officer for the Environment Agency, said:

    “This case shows that the Environment Agency will pursue individuals and their enterprises who profit illegally.

    “This was a fraud on a large scale and undermines legitimate business and the investment and economic growth that go with it.

    “We support legitimate businesses and are proactively supporting them by disrupting and stopping the criminal element backed up by the threat of tough enforcement as in this case.

    “If anyone suspects that a company is doing something wrong, please contact the Environment Agency on 0800 80 70 60 or report it anonymously to Crimestoppers on 0800 555 111.”

    The Charges

    Shaobo Qin

    Between 1st January 2022 and 31st January 2023 dishonestly and intending thereby to make a gain for himself or another, or to cause loss to another, or to expose another to the risk of loss, made a false representation to the online National Packaging Waste Database which was and which he knew was, or might be, untrue or misleading, namely, that the 785.4 tonnes of plastic waste that he claimed EDU Case UK Ltd had exported over that period, had all actually been exported when it had not, contrary to Sections 1 and 2 of the Fraud Act 2006.

    EDU Case UK Limited (Company No. 08888722)

    Between 1st January  2022 and 31st January 2023 dishonestly and intending thereby to make a gain for himself or another, or to cause loss to another, or to expose another to the risk of loss, made a false representation to the online National Packaging Waste Database which was and which he knew was, or might be, untrue or misleading, namely, that the 785.4 tonnes of plastic waste that EDU Case UK Ltd had exported over that period, had all actually been exported when it had not, contrary to Sections 1 and 2 of the Fraud Act 2006.

    Background Information

    The Packaging Producer Responsibility Regulations were introduced to oblige the producers of waste packaging such as plastic, glass and cardboard (e.g. supermarkets) to contribute towards the financial cost of recycling and the disposal of waste. Any large organisation that meets the criteria for this obligation is required to prove they have made such financial contributions by the purchasing of credits known as Packaging Recovery Notes (PRNs) or Packaging Export Recovery Notes (PERNs) from UK waste reprocessors and waste exporters.

    Published 21 May 2025

    MIL OSI United Kingdom

  • MIL-OSI Security: Russian GRU Targeting Western Logistics Entities and Technology Companies

    Source: US Department of Homeland Security

    Executive Summary

    This joint cybersecurity advisory (CSA) highlights a Russian state-sponsored cyber campaign targeting Western logistics entities and technology companies. This includes those involved in the coordination, transport, and delivery of foreign assistance to Ukraine. Since 2022, Western logistics entities and IT companies have faced an elevated risk of targeting by the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (85th GTsSS), military unit 26165—tracked in the cybersecurity community under several names (see “Cybersecurity Industry Tracking”). The actors’ cyber espionage-oriented campaign, targeting technology companies and logistics entities, uses a mix of previously disclosed tactics, techniques, and procedures (TTPs). The authoring agencies expect similar targeting and TTP use to continue.

    Executives and network defenders at logistics entities and technology companies should recognize the elevated threat of unit 26165 targeting, increase monitoring and threat hunting for known TTPs and indicators of compromise (IOCs), and posture network defenses with a presumption of targeting.

    This cyber espionage-oriented campaign targeting logistics entities and technology companies uses a mix of previously disclosed TTPs and is likely connected to these actors’ wide scale targeting of IP cameras in Ukraine and bordering NATO nations.

    The following authors and co-sealers are releasing this CSA:

    • United States National Security Agency (NSA)
    • United States Federal Bureau of Investigation (FBI)
    • United Kingdom National Cyber Security Centre (NCSC-UK)
    • Germany Federal Intelligence Service (BND) Bundesnachrichtendienst
    • Germany Federal Office for Information Security (BSI) Bundesamt für Sicherheit in der Informationstechnik
    • Germany Federal Office for the Protection of the Constitution (BfV) Bundesamt für Verfassungsschutz
    • Czech Republic Military Intelligence (VZ)  Vojenské zpravodajství
    • Czech Republic National Cyber and Information Security Agency (NÚKIB) Národní úřad pro kybernetickou a informační bezpečnost
    • Czech Republic Security Information Service (BIS) Bezpečnostní informační služba
    • Poland Internal Security Agency (ABW) Agencja Bezpieczeństwa Wewnętrznego
    • Poland Military Counterintelligence Service (SKW) Służba Kontrwywiadu Wojskowego
    • United States Cybersecurity and Infrastructure Security Agency (CISA)
    • United States Department of Defense Cyber Crime Center (DC3)
    • United States Cyber Command (USCYBERCOM)
    • Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
    • Canadian Centre for Cyber Security (CCCS)
    • Danish Defence Intelligence Service (DDIS) Forsvarets Efterretningstjeneste
    • Estonian Foreign Intelligence Service (EFIS) Välisluureamet
    • Estonian National Cyber Security Centre (NCSC-EE) Küberturvalisuse keskus
    • French Cybersecurity Agency (ANSSI) Agence nationale de la sécurité des systèmes d’information
    • Netherlands Defence Intelligence and Security Service (MIVD) Militaire Inlichtingen- en Veiligheidsdienst
       

    Download the PDF version of this report:

    Russian GRU Targeting Western Logistics Entities and Technology Companies (PDF, 1,081KB)

    For a downloadable list of IOCs, visit:

    Introduction

    For over two years, the Russian GRU 85th GTsSS, military unit 26165—commonly known in the cybersecurity community as APT28, Fancy Bear, Forest Blizzard, BlueDelta, and a variety of other identifiers—has conducted this campaign using a mix of known tactics, techniques, and procedures (TTPs), including reconstituted password spraying capabilities, spearphishing, and modification of Microsoft Exchange mailbox permissions.

    In late February 2022, multiple Russian state-sponsored cyber actors increased the variety of cyber operations for purposes of espionage, destruction, and influence—with unit 26165 predominately involved in espionage. [1] As Russian military forces failed to meet their military objectives and Western countries provided aid to support Ukraine’s territorial defense, unit 26165 expanded its targeting of logistics entities and technology companies involved in the delivery of aid. These actors have also targeted Internet-connected cameras at Ukrainian border crossings to monitor and track aid shipments.

    Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 17. See Appendix A: MITRE ATT&CK tactics and techniques for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques. This advisory uses the MITRE D3FEND® framework, version 1.0.

    Description of Targets

    The GRU unit 26165 cyber campaign against Western logistics providers and technology companies has targeted dozens of entities, including government organizations and private/commercial entities across virtually all transportation modes: air, sea, and rail. These actors have targeted entities associated with the following verticals within NATO member states, Ukraine, and at international organizations: 

    • Defense Industry
    • Transportation and Transportation Hubs (ports, airports, etc.)
    • Maritime
    • Air Traffic Management
    • IT Services

    In the course of the targeting lifecycle, unit 26165 actors identified and conducted follow-on targeting of additional entities in the transportation sector that had business ties to the primary target, exploiting trust relationships to attempt to gain additional access [T1199].

    The actors also conducted reconnaissance on at least one entity involved in the production of industrial control system (ICS) components for railway management, though a successful compromise was not confirmed [TA0043].

    The countries with targeted entities include the following, as illustrated in Figure 1:

    • Bulgaria
    • Czech Republic
    • France
    • Germany
    • Greece
    • Italy
    • Moldova
    • Netherlands
    • Poland
    • Romania
    • Slovakia
    • Ukraine
    • United States
       
    Figure 1: Countries with Targeted Entities

    Initial Access TTPs

    Unit 26165 actors used several techniques to gain initial access to targeted entities, including (but not limited to):

    The actors abused vulnerabilities associated with a range of brands and models of small office/home office (SOHO) devices to facilitate covert cyber operations, as well as proxy malicious activity via devices with geolocation in proximity to the target [T1665]. [2]

    Credential Guessing/Brute Force

    Unit 26165 actors’ credential guessing [T1110.001] operations in this campaign exhibit some similar characteristics to those disclosed in the previous CSA “Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments.” [3] Based on victim network investigations, the current iteration of this TTP employs a similar blend of anonymization infrastructure, including the use of Tor and commercial VPNs [T1090.003]. The actors frequently rotated the IP addresses used to further hamper detection. All observed connections were made via encrypted TLS [T1573]. 

    Spearphishing

    GRU unit 26165 actors’ spearphishing emails included links [T1566.002] leading to fake login pages impersonating a variety of government entities and Western cloud email providers’ webpages. These webpages were typically hosted on free third-party services or compromised SOHO devices and often used legitimate documents associated with thematically similar entities as lures. The subjects of spearphishing emails were diverse and ranged from professional topics to adult themes. Phishing emails were frequently sent via compromised accounts or free webmail accounts [T1586.002, T1586.003]. The emails were typically written in the target’s native language and sent to a single targeted recipient. 

    Some campaigns employed multi-stage redirectors [T1104] verifying IP-geolocation [T1627.001] and browser fingerprints [T1627] to protect credential harvesting infrastructure or provide multifactor authentication (MFA) [T1111] and CAPTCHA relaying capabilities [T1056]. Connecting endpoints failing the location checks were redirected to a benign URL [T1627], such as msn.com. Redirector services used include:

    • Webhook[.]site
    • FrgeIO
    • InfinityFree
    • Dynu
    • Mocky
    • Pipedream
    • Mockbin[.]org

    The actors also used spearphishing to deliver malware (including HEADLACE and MASEPIE) executables [T1204.002] delivered via third-party services and redirectors [T1566.002], scripts in a mix of languages [T1059] (including BAT [T1059.003] and VBScript [T1059.005]) and links to hosted shortcuts [T1204.001].

    CVE Usage

    Throughout this campaign, GRU unit 26165 weaponized an Outlook NTLM vulnerability (CVE-2023-23397) to collect NTLM hashes and credentials via specially crafted Outlook calendar appointment invitations [T1187]. [4],[5] These actors also used a series of Roundcube CVEs (CVE-2020-12641, CVE-2020-35730, and CVE-2021-44026) to execute arbitrary shell commands [T1059], gain access to victim email accounts, and retrieve sensitive data from email servers [T1114].

    Since at least fall 2023, the actors leveraged a WinRAR vulnerability (CVE-2023-38831) allowing for the execution of arbitrary code embedded in an archive as a means of initial access [T1659]. The actors sent emails with malicious attachments [T1566.001] or embedded hyperlinks [T1566.002] that downloaded a malicious archive prepared using this CVE. 

    Post-Compromise TTPs

    After an initial compromise using one of the above techniques, unit 26165 actors conducted contact information reconnaissance to identify additional targets in key positions [T1589.002]. The actors also conducted reconnaissance of the cybersecurity department [T1591], individuals responsible for coordinating transport [T1591.004], and other companies cooperating with the victim entity [T1591.002].

    The actors used native commands and open source tools, such as Impacket and PsExec, to move laterally within the environment [TA0008]. Multiple Impacket scripts were used as .exe files, in addition to the Python versions, depending on the victim environment. The actors also moved laterally within the network using Remote Desktop Protocol (RDP) [T1021.001] to access additional hosts and attempt to dump Active Directory NTDS.dit domain databases [T1003.003] using native Active Directory Domain Services commands, such as the one shown in Figure 2:

    C:\Windows\system32\ntdsutil.exe "activate instance ntds" ifm "create full C:\temp\[a-z]{3}" quit quit

    Figure 2: Example Active Directory Domain Services command

    Additionally, GRU unit 26165 actors used the tools Certipy and ADExplorer.exe to exfiltrate information from the Active Directory. The actors installed python [T1059.006] on infected machines to enable the execution of Certipy. Accessed files were archived in .zip files prior to exfiltration [T1560]. The actors attempted to exfiltrate archived data via a previously dropped OpenSSH binary [T1048].

    Incident response investigations revealed that the actors would take steps to locate and exfiltrate lists of Office 365 users and set up sustained email collection. The actors used manipulation of mailbox permissions [T1098.002] to establish sustained email collection at compromised logistics entities, as detailed in a Polish Cybercommand blog. [6]

    After initial authentication, unit 26165 actors would change accounts’ folder permissions and enroll compromised accounts in MFA mechanisms to increase the trust-level of compromised accounts and enable sustained access [T1556.006]. The actors leveraged python scripts to retrieve plaintext passwords via Group Policy Preferences [T1552.006] using Get-GPPPassword.py and a modified ldap-dump.py to enumerate the Windows environment [T1087.002] and conduct a brute force password spray [T1110.003] via Lightweight Directory Access Protocol (LDAP). The actors would additionally delete event logs through the wevtutil utility [T1070.001].
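A defender-side check for commands this section names: the ntdsutil IFM dump in Figure 2, event log clearing with wevtutil, and execution of ADExplorer. This is an added example, not code from the advisory; the record layout, rule names and sample events are constructed, and it assumes process-creation command lines (for example Windows event ID 4688 or Sysmon event ID 1) are already being collected.

```python
import re
from dataclasses import dataclass, field

# Constructed process-creation records (host, user, command line) for illustration only.
SAMPLE_EVENTS = [
    ("DC01", r"CORP\svc-backup",
     r'C:\Windows\system32\ntdsutil.exe "activate instance ntds" ifm "create full C:\temp\abc" quit quit'),
    ("DC01", r"CORP\admin1",
     r'ntdsutil.exe "ac i ntds" "ifm" "create full c:\users\public\x" q q'),
    ("DC02", r"CORP\admin2",
     r'ntdsutil.exe "activate instance ntds" "files" "info" quit quit'),
    ("WS07", r"CORP\jdoe", r"wevtutil.exe cl Security"),
    ("WS07", r"CORP\jdoe", r"wevtutil qe System /c:5 /f:text"),
    ("WS11", r"CORP\jdoe", r"C:\Tools\ADExplorer.exe"),
]


@dataclass
class Finding:
    host: str
    user: str
    rule: str
    technique: str  # ATT&CK ID as given in the advisory, "" where it gives none
    detail: dict = field(default_factory=dict)


# An image name may start the line or follow a path separator or a space.
_IMG = r"(?:^|[\\/ ])"
NTDSUTIL_IFM = re.compile(
    _IMG + r"ntdsutil(?:\.exe)? .*\bifm\b.*\bcreate (?:sysvol )?(?:full|rodc) "
           r"(?:nodefrag )?(?P<dest>\S+)")
WEVTUTIL_CLEAR = re.compile(_IMG + r"wevtutil(?:\.exe)? (?:cl|clear-log) (?P<log>\S+)")
ADEXPLORER = re.compile(_IMG + r"adexplorer(?:64)?(?:\.exe)?(?: |$)")
# Output directory shape printed in Figure 2: C:\temp\[a-z]{3}
FIGURE2_DEST = re.compile(r"c:\\temp\\[a-z]{3}\\?")


def normalize(cmdline: str) -> str:
    """Lower-case, drop double quotes and collapse whitespace so quoting style
    does not matter. Limitation: a destination path containing spaces is cut
    at the first space."""
    return re.sub(r"\s+", " ", cmdline.replace('"', " ")).strip().lower()


def classify(cmdline: str) -> list:
    """Return (rule, technique, detail) tuples for one command line."""
    text = normalize(cmdline)
    hits = []
    m = NTDSUTIL_IFM.search(text)
    if m:
        dest = m.group("dest")
        hits.append(("ntdsutil-ifm", "T1003.003",
                     {"dest": dest, "figure2_path": bool(FIGURE2_DEST.fullmatch(dest))}))
    m = WEVTUTIL_CLEAR.search(text)
    if m:
        hits.append(("wevtutil-clear-log", "T1070.001", {"log": m.group("log")}))
    if ADEXPLORER.search(text):
        hits.append(("adexplorer-run", "", {}))
    return hits


def scan(events) -> list:
    """Apply classify() to every record and attach host and user to each hit."""
    findings = []
    for host, user, cmdline in events:
        for rule, technique, detail in classify(cmdline):
            findings.append(Finding(host, user, rule, technique, detail))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The `figure2_path` flag separates an IFM dump written to the exact directory shape shown in Figure 2 from other IFM dumps, which may be legitimate domain controller staging and need review against change records.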

    After gaining initial access to the network, the actors pursued further access to accounts with access to sensitive information on shipments, such as train schedules and shipping manifests. These accounts contained information on aid shipments to Ukraine, including: 

    • sender,
    • recipient,
    • train/plane/ship numbers,
    • point of departure,
    • destination,
    • container registration numbers,
    • travel route, and
    • cargo contents. 

    In at least one instance, the actors attempted to use voice phishing [T1566.004] to gain access to privileged accounts by impersonating IT staff.

    Malware

    Unit 26165’s use of malware in this campaign ranged from gaining initial access to establishing persistence and exfiltrating data. In some cases, the attack chain resulted in multiple pieces of malware being deployed in succession. The actors used dynamic link library (DLL) search order hijacking [T1574.001] to facilitate malware execution. There were a number of known malware variants tied to this campaign against logistics sector victims, including:

    • HEADLACE [7]
    • MASEPIE [8]

    While other malware variants, such as OCEANMAP and STEELHOOK, [8] were not directly observed targeting logistics or IT entities, their deployment against victims in other sectors in Ukraine and other Western countries suggest that they could be deployed against logistics and IT entities should the need arise. 

    Persistence

    In addition to the abovementioned mailbox permissions abuse, unit 26165 actors also used scheduled tasks [T1053.005], run keys [T1547.001], and placed malicious shortcuts [T1547.009] in the startup folder to establish persistence. 

    Exfiltration

    GRU unit 26165 actors used a variety of methods for data exfiltration that varied based on the victim environment, including both malware and living off the land binaries. PowerShell commands [T1059.001] were often used to prepare data for exfiltration; for example, the actors prepared zip archives [T1560.001] for upload to their own infrastructure. 

    The actors also used server data exchange protocols and Application Programming Interfaces (APIs) such as Exchange Web Services (EWS) and Internet Message Access Protocol (IMAP) [T1114.002] to exfiltrate data from email servers. In multiple instances, the actors used periodic EWS queries [T1119] to collect new emails sent and received since the last data exfiltration [T1029]. The actors typically used infrastructure in close geographic proximity to the victim. Long gaps between exfiltration, the use of trusted and legitimate protocols, and the use of local infrastructure allowed for long-term collection of sensitive data to go undetected. 

    Connections to Targeting of IP Cameras

    In addition to targeting logistics entities, unit 26165 actors likely used access to private cameras at key locations, such as near border crossings, military installations, and rail stations, to track the movement of materials into Ukraine. The actors also used legitimate municipal services, such as traffic cams. 

    The actors targeted Real Time Streaming Protocol (RTSP) servers hosting IP cameras primarily located in Ukraine as early as March 2022 in a large-scale campaign, which included attempts to enumerate devices [T1592] and gain access to the cameras’ feeds [T1125]. Actor-controlled servers sent RTSP DESCRIBE requests destined for RTSP servers, primarily hosting IP cameras [T1090.002]. The DESCRIBE requests were crafted to obtain access to IP cameras located on logically distinct networks from that of the routers that received the request. The requests included Base64-encoded credentials for the RTSP server, which included publicly documented default credentials and likely generic attempts to brute force access to the devices [T1110]. An example of an RTSP request is shown in Figure 3.

    DESCRIBE rtsp://[IP ADDRESS] RTSP/1.0
    CSeq: 1
    Authorization: Basic
    User-Agent: WebClient
    Accept: application/sdp

    DESCRIBE rtsp://[IP ADDRESS] RTSP/1.0
    CSeq: 2
    Authorization: Digest username="admin", realm="[a-f0-9]{12}", algorithm="MD5", nonce="[a-f0-9]{32}", uri="", response="[a-f0-9]{32}"
    User-Agent: WebClient
    Accept: application/sdp

    Figure 3: Example RTSP request

    Successful RTSP 200 OK responses contained a snapshot of the IP camera’s image and IP camera metadata such as video codec, resolution, and other properties depending on the IP camera’s configuration. 
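For defenders who can capture or log RTSP traffic in front of their cameras, the request shape in Figure 3 can be triaged per source address. The following is an added example, not code from the advisory: the record format, the default-login watchlist, the thresholds and all addresses are constructed assumptions, and the only value taken from the advisory is the Hikvision string from its IOC section.

```python
import base64
import binascii
import re
from collections import defaultdict
from typing import Optional, Tuple

# Base64 value listed as the "Hikvision backdoor string" in this advisory's IOC section.
KNOWN_BAD_B64 = {"YWRtaW46MTEK"}
# Assumption: a defender-maintained watchlist of vendor default logins (constructed values).
DEFAULT_LOGINS = {("admin", "admin"), ("root", "root")}

REQUEST_LINE = re.compile(r"^([A-Z_]+)\s+(\S+)\s+RTSP/\d\.\d$")
DIGEST_USER = re.compile(r'username="([^"]*)"')


def parse_rtsp_request(raw: str) -> Optional[dict]:
    """Split one RTSP request into method, URI and lower-cased header names."""
    lines = [ln.strip() for ln in raw.splitlines() if ln.strip()]
    if not lines:
        return None
    match = REQUEST_LINE.match(lines[0])
    if match is None:
        return None
    headers = {}
    for ln in lines[1:]:
        name, sep, value = ln.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": match.group(1), "uri": match.group(2), "headers": headers}


def classify_authorization(value: str) -> Tuple[str, Optional[str]]:
    """Return (label, username) for an Authorization header value."""
    scheme, _, rest = value.partition(" ")
    scheme, rest = scheme.lower(), rest.strip()
    if scheme == "digest":
        user = DIGEST_USER.search(rest)
        return "digest", user.group(1) if user else None
    if scheme != "basic":
        return ("other" if value else "none"), None
    if not rest:
        return "basic-empty", None
    try:
        decoded = base64.b64decode(rest, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return "basic-malformed", None
    user, _, password = decoded.partition(":")
    if rest in KNOWN_BAD_B64:
        return "known-bad-string", user
    if (user, password) in DEFAULT_LOGINS:
        return "default-credentials", user
    return "basic", user


def triage(records, min_attempts: int = 3) -> dict:
    """Summarise DESCRIBE requests per source; records are (source_ip, raw_request)."""
    stats = defaultdict(lambda: {"describe": 0, "targets": set(), "labels": set(), "creds": set()})
    for src, raw in records:
        req = parse_rtsp_request(raw)
        if req is None or req["method"] != "DESCRIBE":
            continue
        entry = stats[src]
        entry["describe"] += 1
        entry["targets"].add(req["uri"])
        auth = req["headers"].get("authorization", "")
        label, user = classify_authorization(auth)
        entry["labels"].add(label)
        if label not in ("none", "basic-empty"):
            # Digest responses change with every nonce, so count usernames there.
            entry["creds"].add(user if label == "digest" else auth)
    report = {}
    for src, entry in stats.items():
        reasons = [lbl for lbl in ("known-bad-string", "default-credentials") if lbl in entry["labels"]]
        if len(entry["creds"]) >= min_attempts:
            reasons.append("many-auth-attempts")
        if len(entry["targets"]) >= min_attempts:
            reasons.append("many-targets")
        report[src] = {"describe": entry["describe"], "reasons": reasons}
    return report


def _req(uri, auth=None, method="DESCRIBE"):
    """Build a constructed request in the shape of Figure 3."""
    lines = [f"{method} {uri} RTSP/1.0", "CSeq: 1"]
    if auth:
        lines.append(f"Authorization: {auth}")
    lines += ["User-Agent: WebClient", "Accept: application/sdp"]
    return "\r\n".join(lines) + "\r\n\r\n"


DIGEST = ('Digest username="{u}", realm="0123456789ab", algorithm="MD5", nonce="'
          + "0" * 32 + '", uri="", response="' + "f" * 32 + '"')

# Constructed capture: one scanning source and one ordinary recorder.
SAMPLE_RECORDS = [
    ("203.0.113.7", _req("rtsp://192.0.2.10:554/", "Basic YWRtaW46YWRtaW4=")),
    ("203.0.113.7", _req("rtsp://192.0.2.11:554/", "Basic YWRtaW46MTEK")),
    ("203.0.113.7", _req("rtsp://192.0.2.12:554/", DIGEST.format(u="admin"))),
    ("198.51.100.20", _req("rtsp://192.0.2.10:554/ch1")),
    ("198.51.100.20", _req("rtsp://192.0.2.10:554/ch1", DIGEST.format(u="nvr-svc"))),
    ("198.51.100.20", _req("rtsp://192.0.2.10:554/ch1", method="OPTIONS")),
]

if __name__ == "__main__":
    for source, summary in triage(SAMPLE_RECORDS).items():
        print(source, summary)
```

An unauthenticated DESCRIBE followed by a single Digest retry is the normal client handshake, which is why the recorder in the sample produces no reasons.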

    From a sample available to the authoring agencies of over 10,000 cameras targeted via this effort, the geographic distribution of victims showed a strong focus on cameras in Ukraine and border countries, as shown in Table 1:

    Table 1: Geographic distribution of targeted IP cameras
    Country Percentage of Total Attempts
    Ukraine 81.0%
    Romania 9.9%
    Poland 4.0%
    Hungary 2.8%
    Slovakia 1.7%
    Others 0.6%

    Mitigation Actions

    General Security Mitigations

    Architecture and Configuration

    • Employ appropriate network segmentation [D3-NI] and restrictions to limit access and utilize additional attributes (such as device information, environment, and access path) when making access decisions [D3-AMED].
      • Consider Zero Trust principles when designing systems. Base product choices on how those products can solve specific risks identified as part of the end-to-end design. [9]
    • Ensure that host firewalls and network security appliances (e.g., firewalls) are configured to only allow legitimately needed data flows between devices and servers to prevent lateral movement [D3-ITF]. Alert on attempts to connect laterally between host devices or other unusual data flows.
    • Use automated tools to audit access logs for security concerns and identify anomalous access requests [D3-RAPA].
    • For organizations using on-premises authentication and email services, block and alert on NTLM/SMB requests to external infrastructure [D3-OTF].
    • Utilize endpoint detection and response (EDR) and other cybersecurity solutions on all systems, prioritizing high value systems with large amounts of sensitive data, such as mail servers and domain controllers [D3-PM], first.
      • Perform threat and attack modeling to understand how sensitive systems may be compromised within an organization’s specific architecture and security controls. Use this to develop a monitoring strategy to detect compromise attempts and select appropriate products to enact this strategy.
    • Collect and monitor Windows logs for certain events, especially for events that indicate that a log was cleared unexpectedly [D3-SFA].
    • Enable optional security features in Windows to harden endpoints and mitigate initial access techniques [D3-AH]:
      • Enable attack surface reduction rules to prevent executable content from email [D3-ABPI].
      • Enable attack surface reduction rules to prevent execution of files from globally writeable directories, such as Downloads or %APPDATA% [D3-EAL].
      • Unless users are involved in the development of scripts, limit the local execution of scripts (such as batch scripts, VBScript, JScript/JavaScript, and PowerShell [10]) to known scripts [D3-EI], and audit execution attempts.
      • Disable Windows Host Scripting functionality and configure PowerShell to run in Constrained mode [D3-ACH].
    • Where feasible, implement allowlisting for applications and scripts to limit execution to only those needed for authorized activities, blocking all others by default [D3-EAL].
    • Consider using open source SIGMA rules as a baseline for detecting and alerting on suspicious file execution or command parameters [D3-PSA].
    • Use services that provide enhanced browsing services and safe link checking [D3-URA]. Significant reductions in successful spearphishing attempts were noted when email providers began offering link checking and automatic file detonation to block malicious content.
    • Where possible, block logins from public VPNs, including exit nodes in the same country as target systems, or, if they need to be allowed, alert on them for further investigation. Most organizations should not need to allow incoming traffic, especially logins to systems, from VPN services [D3-NAM].
    • Educate users to only use approved corporate systems for relevant government and military business and avoid the use of personal accounts on cloud email providers to conduct official business. Network administrators should also audit both email and web request logs to detect such activity.

    Many organizations may not need to allow outgoing traffic to hosting and API mocking services, which are frequently used by GRU unit 26165. Organizations should consider alerting on or blocking the following services, with exceptions allowlisted for legitimate activity [D3-DNSDL].

    Heuristic detections for web requests to new subdomains, including subdomains of the providers above, may uncover malicious phishing activity [D3-DNRA]. Logging each subdomain requested by users on a network, such as in DNS or firewall logs, may enable system administrators to identify new targeting and victims.
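One way to implement the new-subdomain heuristic over DNS query logs, as an added example that is not part of the advisory. The log line format, the baseline, the allowlist and the two `.example` suffixes are constructed assumptions; the suffixes stand in for the hosting and API mocking provider domains an organization chooses to watch.

```python
# Assumption: placeholder suffixes standing in for the watched provider domains.
WATCHED_SUFFIXES = ("freehost.example", "mockapi.example")
# Assumption: subdomains the organization has vetted as legitimate.
ALLOWLIST = {"status.mockapi.example"}


def normalize(qname: str) -> str:
    """Lower-case a query name and drop the trailing root dot."""
    return qname.strip().rstrip(".").lower()


def watched_suffix(name: str):
    """Return the watched suffix a name sits under, matching on label boundaries only."""
    for suffix in WATCHED_SUFFIXES:
        if name.endswith("." + suffix):
            return suffix
    return None


def find_new_subdomains(log_lines, baseline):
    """Report first-seen subdomains of watched suffixes and the clients that asked for them.

    log_lines: "timestamp client qname qtype" records (constructed format).
    baseline:  names already observed in earlier log windows.
    """
    seen = {normalize(name) for name in baseline}
    alerts = {}
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records instead of failing the whole run
        timestamp, client, qname, _qtype = parts
        name = normalize(qname)
        suffix = watched_suffix(name)
        if suffix is None or name in ALLOWLIST or name in seen:
            continue
        entry = alerts.setdefault(
            name, {"suffix": suffix, "first_seen": timestamp, "clients": []}
        )
        if client not in entry["clients"]:
            entry["clients"].append(client)
    return alerts


# Constructed sample data.
BASELINE = ["old-app.freehost.example"]
SAMPLE_LOG = [
    "2025-05-21T08:00:01Z 10.0.0.5 intranet.corp.example. A",
    "2025-05-21T08:02:10Z 10.0.0.5 Login-Portal.freehost.example. A",
    "2025-05-21T08:02:11Z 10.0.0.9 login-portal.freehost.example A",
    "2025-05-21T08:05:00Z 10.0.0.7 status.mockapi.example A",
    "2025-05-21T08:06:30Z 10.0.0.7 old-app.freehost.example A",
    "2025-05-21T08:07:45Z 10.0.0.5 notfreehost.example A",
    "2025-05-21T08:09:00Z 10.0.0.9 a1b2c3.mockapi.example AAAA",
    "malformed line",
]

if __name__ == "__main__":
    for name, detail in find_new_subdomains(SAMPLE_LOG, BASELINE).items():
        print(name, detail)
```

The list of clients per new name is what lets an administrator see which users received the same lure.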

    Identity and Access Management

    Organizations should take measures to ensure strong access controls and mitigate against common credential theft techniques: 

    • Use MFA with strong factors, such as passkeys or PKI smartcards, and require regular re-authentication [D3-MFA]. [11], [12] Strong authentication factors are not guessable using dictionary techniques, so they resist brute force attempts.
    • Implement other mitigations for privileged accounts, including limiting the number of admin accounts, considering hardware MFA tokens, and regularly reviewing all privileged user accounts [D3-JFAPA].
    • Separate privileged accounts by role and alert on misuse of privileged accounts [D3-UAP]. For example, email administrator accounts should be different from domain administrator accounts.
    • Reduce reliance on passwords; instead, consider using services like single sign-on [D3-TBA].
      • For organizations using on-premises authentication and email services, plan to disable NTLM entirely and migrate to more robust authentication processes such as PKI certificate authentication.
    • Do not store passwords in Group Policy Preferences (GPP). Remove all passwords previously included in GPP and change all passwords on the corresponding accounts [D3-CH]. [13]
    • Use account throttling or account lockout [D3-ANET]:
      • Throttling is preferred to lockout. Throttling progressively increases time delay between successive login attempts.
      • Account lockout can leave legitimate users unable to access their accounts and requires access to an account recovery process.
      • Account lockout can provide a malicious actor with an easy way to launch a Denial of Service (DoS).
      • If using lockout, then allowing 5 to 10 attempts before lockout is recommended.
    • Use a service to check for compromised passwords before using them [D3-SPP]. For example, “Have I Been Pwned” can be used to check whether a password has been previously compromised without disclosing the potential password.
    • Change all default credentials [D3-CRO] and disable protocols that use weak authentication (e.g., clear-text passwords or outdated and vulnerable authentication or encryption protocols) or do not support multi-factor authentication [D3-ACH] [D3-ET]. Always configure access controls carefully to ensure that only well-maintained and well-authenticated accounts have access. [13]
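The compromised-password check in the list above works without disclosing the password because only the first five hex characters of its SHA-1 hash are sent and the comparison happens locally. The following added example, not code from the advisory, shows that flow against the Pwned Passwords range endpoint; the stand-in fetcher and its breach counts are constructed so the example runs offline.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def split_hash(password: str):
    """Return (5-char prefix, 35-char suffix) of the upper-case SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix: str) -> str:
    """Live lookup: only the hash prefix leaves the host."""
    request = urllib.request.Request(
        RANGE_URL.format(prefix=prefix),
        # Add-Padding asks the service to pad responses so their size reveals less.
        headers={"User-Agent": "password-audit-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(request, timeout=10) as response:
        return response.read().decode("ascii")


def breach_count(password: str, fetch=fetch_range) -> int:
    """Number of times the password appears in the returned range, 0 if absent."""
    prefix, suffix = split_hash(password)
    for line in fetch(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)  # padded entries carry a count of 0
    return 0


def constructed_fetch(prefix: str) -> str:
    """Offline stand-in for the service, built from a constructed corpus."""
    corpus = {"password": 9999, "letmein": 120}  # constructed counts
    lines = []
    for known, count in corpus.items():
        known_prefix, known_suffix = split_hash(known)
        if known_prefix == prefix:
            lines.append(f"{known_suffix}:{count}")
    lines.append("0" * 35 + ":0")  # padding-style entry
    return "\r\n".join(lines)


def is_acceptable(password: str, fetch=fetch_range) -> bool:
    """Reject any candidate password that appears in the breach data."""
    return breach_count(password, fetch) == 0


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple 42"):
        print(candidate, is_acceptable(candidate, constructed_fetch))
```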

    IP Camera Mitigations

    The following mitigation techniques for IP cameras can be used to defend against this type of malicious activity:

    • Ensure IP cameras are currently supported. Replace devices that are out of support.
    • Apply security patches and firmware updates to all IP cameras [D3-SU].
    • Disable remote access to the IP camera, if unnecessary [D3-ITF].
    • Ensure cameras are protected by a security appliance, if possible, such as by using a firewall to prevent communication with the camera from IP addresses not on an allowlist [D3-NAM].
    • If remote access to IP camera feeds is required, ensure authentication is enabled [D3-AA] and use a VPN to connect remotely [D3-ET]. Use MFA for management accounts if supported [D3-MFA].
    • Disable Universal Plug and Play (UPnP), Peer-to-Peer (P2P), and Anonymous Visit features on IP cameras and routers [D3-NI].
    • Turn off other ports/services not in use (e.g., FTP, web interface, etc.) [D3-ACH].
    • If supported, enable authenticated RTSP access only [D3-AA].
    • Review all authentication activity for remote access to make sure it is valid and expected [D3-UBA]. Investigate any unexpected or unusual activity.
    • Audit IP camera user accounts to ensure they are an accurate reflection of your organization and that they are being used as expected [D3-UAP].
    • Configure, tune, and monitor logging—if available—on the IP camera.

    Indicators of Compromise (IOCs)

    Note: Specific IoCs may no longer be actor controlled, may themselves be compromised infrastructure or email accounts, or may be shared infrastructure such as public VPN or Tor exit nodes. Care should be taken when triaging logs or developing detection rules based on these indicators. GRU unit 26165 almost certainly uses extensive further infrastructure and TTPs not specifically listed in this report.

    Utilities and scripts

    Legitimate utilities

    Unauthorized or unusual use of the following legitimate utilities can be an indication of a potential compromise:

    • ntdsutil – A legitimate Windows executable used by threat actors to export contents of Active Directory
    • wevtutil – A legitimate Windows executable used by threat actors to delete event logs
    • vssadmin – A legitimate Windows executable possibly used by threat actors to make a copy of the server’s C: drive
    • ADexplorer – A legitimate Windows executable to view, edit, and back up Active Directory Certificate Services
    • OpenSSH – The Windows version of a legitimate open source SSH client
    • schtasks – A legitimate Windows executable used to create persistence using scheduled tasks
    • whoami – A legitimate Windows executable used to retrieve the name of the current user
    • tasklist – A legitimate Windows executable used to retrieve the list of running processes
    • hostname – A legitimate Windows executable used to retrieve the device name
    • arp – A legitimate Windows executable used to retrieve the ARP table for mapping the network environment
    • systeminfo – A legitimate Windows executable used to retrieve a comprehensive summary of device and operating system information
    • net – A legitimate Windows executable used to retrieve detailed user information
    • wmic – A legitimate Windows executable used to interact with Windows Management Instrumentation (WMI), such as to retrieve letters assigned to logical partitions on storage drives
    • cacls – A legitimate Windows executable used to modify permissions on files
    • icacls – A legitimate Windows executable used to modify permissions to files and handle integrity levels and ownership
    • ssh – A legitimate Windows executable used to establish network shell connections
    • reg – A legitimate Windows executable used to add to or modify the system registry 

    Note: Additional heuristics are needed for effective hunting for these and other living off the land (LOTL) binaries to avoid being overwhelmed by false positives if these legitimate management tools are used regularly. See the joint guide, Identifying and Mitigating Living Off the Land Techniques, for guidance on developing a multifaceted cybersecurity strategy that enables behavior analytics, anomaly detection, and proactive hunting, which are part of a comprehensive approach to mitigating cyber threats that employ LOTL techniques.

    Malicious scripts

    • Certipy – An open source python tool for enumerating and abusing Active Directory Certificate Services
    • Get-GPPPassword.py – An open source python script for finding insecure passwords stored in Group Policy Preferences
    • ldap-dump.py – A script for enumerating user accounts and other information in Active Directory
    • Hikvision backdoor string: “YWRtaW46MTEK”

    Suspicious command lines

    While the following utilities are legitimate, and using them with the command lines shown may also be legitimate, these command lines are often used during malicious activities and could be an indication of a compromise:

    • edge.exe “-headless-new -disable-gpu”
    • ntdsutil.exe “activate instance ntds” ifm “create full C:temp[a-z]{3}” quit quit
    • ssh -Nf
    • schtasks /create /xml
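A sketch of how the four command lines above could be hunted in process-creation logs while keeping false positives manageable, as an added example that is not part of the advisory. The record fields, hosts, users, the allowlist and the "two distinct patterns on one host" escalation rule are constructed assumptions; the headless pattern also accepts the `--headless=new` spelling used in the HEADLACE core rule.

```python
import re
from collections import defaultdict

# One pattern per command line listed in the advisory. Flags are matched in the
# order the advisory shows them.
PATTERNS = {
    "headless-edge": re.compile(
        r"\b(?:ms)?edge(?:\.exe)?\b.*-{1,2}headless[=-]new\b.*-{1,2}disable-gpu\b", re.I
    ),
    "ntdsutil-ifm": re.compile(
        r"\bntdsutil(?:\.exe)?\b.*\bifm\b.*\bcreate\s+full\b", re.I
    ),
    # ssh option letters are case sensitive, so only the binary name ignores case.
    "ssh-background": re.compile(r"\b(?i:ssh(?:\.exe)?)\s+(?:.*\s)?-(?:Nf|fN)\b"),
    "schtasks-xml": re.compile(r"\bschtasks(?:\.exe)?\b.*/create\b.*/xml\b", re.I),
}

# Assumption: (user, pattern) pairs known to be routine in this environment.
ALLOWLIST = {("svc-deploy", "schtasks-xml")}


def hunt(records, allow=ALLOWLIST):
    """Group pattern hits by host; several distinct patterns on one host escalate."""
    hits = defaultdict(list)
    for rec in records:
        for name, pattern in PATTERNS.items():
            if (rec["user"], name) in allow:
                continue
            if pattern.search(rec["cmdline"]) and name not in hits[rec["host"]]:
                hits[rec["host"]].append(name)
    return {
        host: {
            "patterns": sorted(names),
            "severity": "escalate" if len(names) >= 2 else "review",
        }
        for host, names in hits.items()
        if names
    }


# Constructed process-creation records.
SAMPLE_EVENTS = [
    {"host": "WS-014", "user": "j.doe",
     "cmdline": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" '
                r"--headless=new --disable-gpu https://site.example/"},
    {"host": "WS-014", "user": "j.doe",
     "cmdline": r'schtasks /create /tn "Updater" /xml C:\Users\Public\task.xml'},
    {"host": "DC-01", "user": "svc-deploy",
     "cmdline": r"schtasks.exe /create /tn Deploy /xml D:\deploy\job.xml"},
    {"host": "DC-01", "user": "admin2",
     "cmdline": r'ntdsutil.exe "activate instance ntds" ifm "create full C:\temp\abc" quit quit'},
    {"host": "WS-031", "user": "c.kim", "cmdline": "ssh.exe -Nf svc@198.51.100.9"},
    {"host": "WS-020", "user": "b.lee", "cmdline": "ssh admin@jump.example"},
    {"host": "WS-020", "user": "b.lee", "cmdline": "schtasks /query /fo LIST"},
    {"host": "WS-020", "user": "b.lee", "cmdline": 'ntdsutil.exe "metadata cleanup"'},
]

if __name__ == "__main__":
    for host, result in hunt(SAMPLE_EVENTS).items():
        print(host, result)
```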

    Outlook CVE Exploitation IOCs

    Commonly Used Webmail Providers

    • portugalmail[.]pt
    • mail-online[.]dk
    • email[.]cz
    • seznam[.]cz

    Malicious Archive Filenames Involving CVE-2023-38831

    • calc.war.zip
    • news_week_6.zip
    • Roadmap.zip
    • SEDE-PV-2023-10-09-1_EN.zip
    • war.zip
    • Zeyilname.zip

    Brute Forcing IP Addresses

    Disclaimer: These IP addresses date from June 2024 through August 2024. The authoring agencies recommend organizations investigate or vet these IP addresses prior to taking action, such as blocking.

    Detections

    Customized NTLM listener

    rule APT28_NTLM_LISTENER {
           meta:
                  description = "Detects NTLM listeners including APT28's custom one"
           strings:
                  $command_1 = "start-process powershell.exe -WindowStyle hidden"
                  $command_2 = "New-Object System.Net.HttpListener"
                  $command_3 = "Prefixes.Add('http://localhost:8080/')"
                  $command_4 = "-match 'Authorization'"
                  $command_5 = "GetValues('Authorization')"
                  $command_6 = "Request.RemoteEndPoint.Address.IPAddressToString"
                  $command_7 = "@(0x4e,0x54,0x4c,0x4d, 0x53,0x53,0x50,0x00,0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x28,0x00,0x00,0x01,0x82,0x00,0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)"
                  $command_8 = ".AllKeys"

                  $variable_1 = "$NTLMAuthentication" nocase
                  $variable_2 = "$NTLMType2" nocase
                  $variable_3 = "$listener" nocase
                  $variable_4 = "$hostip" nocase
                  $variable_5 = "$request" nocase
                  $variable_6 = "$ntlmt2" nocase
                  $variable_7 = "$NTLMType2Response" nocase
                  $variable_8 = "$buffer" nocase
           condition:
                  5 of ($command_*)
                  or
                  all of ($variable_*)
    }

    HEADLACE shortcut

    rule APT28_HEADLACE_SHORTCUT {
           meta:
                  description = "Detects the HEADLACE backdoor shortcut dropper. Rule is meant for threat hunting."
           strings:
                  $type = "[InternetShortcut]" ascii nocase
                  $url  = "file://"
                  $edge = "msedge.exe"
                  $icon = "IconFile"
           condition:
                  all of them
    }

    HEADLACE credential dialogbox phishing 

    rule APT28_HEADLACE_CREDENTIALDIALOG {
           meta:
                  description = "Detects scripts used by APT28 to lure user into entering credentials"
           strings:
                  $command_1 = "while($true)"
                  $command_2 = "Get-Credential $(whoami)"
                  $command_3 = "Add-Content"
                  $command_4 = ".UserName"
                  $command_5 = ".GetNetworkCredential().Password"
                  $command_6 = "GetNetworkCredential().Password.Length -ne 0"
           condition:
                  5 of them
    }

    HEADLACE core script

    rule APT28_HEADLACE_CORE {
           meta:
                  description = "Detects HEADLACE core batch scripts"
           strings:
                  // Embedded double quotes are escaped so the rule compiles.
                  // Backslashes were lost from this copy (for example between
                  // %userprofile% and Downloads); check the path strings against
                  // the source advisory before deploying.
                  $chcp = "chcp 65001" ascii
                  $headless = "start \"\" msedge --headless=new --disable-gpu" ascii

                  $command_1 = "taskkill /im msedge.exe /f" ascii
                  $command_2 = "whoami>\"%programdata%" ascii
                  $command_3 = "timeout" ascii
                  $command_4 = "copy \"%programdata%" ascii
                  $non_generic_del_1 = "del /q /f \"%programdata%" ascii
                  $non_generic_del_3 = "del /q /f \"%userprofile%Downloads" ascii

                  $generic_del = "del /q /f" ascii
           condition:
                  (
                          $chcp
                          and
                          $headless
                  )
                  and
                  (
                          1 of ($non_generic_del_*)
                          or
                          ($generic_del)
                          or
                          3 of ($command_*)
                  )
    }

    MASEPIE

    rule APT28_MASEPIE {
           meta:
                  description = "Detects MASEPIE python script"
           strings:
                  $masepie_unique_1 = "os.popen('whoami').read()"
                  $masepie_unique_2 = "elif message == 'check'"
                  $masepie_unique_3 = "elif message == 'send_file':"
                  $masepie_unique_4 = "elif message == 'get_file'"
                  $masepie_unique_5 = "enc_mes('ok'"
                  $masepie_unique_6 = "Bad command!'.encode('ascii'"
                  $masepie_unique_7 = "{user}{SEPARATOR}{k}"
                  // Embedded double quote escaped so the rule compiles.
                  $masepie_unique_8 = "raise Exception(\"Reconnect"
           condition:
                  3 of ($masepie_unique_*)
    }

    STEELHOOK

    rule APT28_STEELHOOK {
           meta:
                  description = "Detects APT28's STEELHOOK powershell script"
           strings:
                  // Backslash path separators were lost from $s_1 to $s_4 in this
                  // copy; check them against the source advisory before deploying,
                  // because the condition requires every string to match.
                  $s_1 = "$($env:LOCALAPPDATAGoogleChromeUser DataLocal State)"
                  $s_2 = "$($env:LOCALAPPDATAGoogleChromeUser DataDefaultLogin Data)"
                  $s_3 = "$($env:LOCALAPPDATAMicrosoftEdgeUser DataLocal State)"
                  $s_4 = "$($env:LOCALAPPDATAMicrosoftEdgeUser DataDefaultLogin Data)"
                  $s_5 = "os_crypt.encrypted_key"
                  $s_6 = "System.Security.Cryptography.DataProtectionScope"
                  $s_7 = "[system.security.cryptography.protectdata]::Unprotect"
                  $s_8 = "Invoke-RestMethod"
           condition:
                  all of them
    }

    PSEXEC

    rule GENERIC_PSEXEC {
           meta:
                  description = "Detects SysInternals PSEXEC executable"
           strings:
                  // Backslashes were lost from $sysinternals_3 and the $network_*
                  // strings in this copy; check them against the source advisory
                  // before deploying.
                  $sysinternals_1 = "SYSINTERNALS SOFTWARE LICENCE TERMS"
                  $sysinternals_2 = "/accepteula"
                  $sysinternals_3 = "SoftwareSysinternals"
                  $network_1 = "%sIPC$"
                  $network_2 = "%sADMIN$%s"
                  $network_3 = "DeviceLanmanRedirector%sipc$"
                  $psexec_1 = "PSEXESVC"
                  $psexec_2 = "PSEXEC-{}-"
                  $psexec_3 = "Copying %s to %s..."
                  $psexec_4 = "gPSINFSVC"
           condition:
                  (
                          // MZ header at offset 0 and PE signature at e_lfanew
                          ( uint16( 0x0 ) == 0x5a4d )
                          and
                          ( uint16( uint32( 0x3c )) == 0x4550 )
                  )
                  and
                          filesize < 1024KB
                  and
                  (
                          ( any of ($sysinternals_*) and any of ($psexec_*) )
                          or
                          ( 2 of ($network_*) and 2 of ($psexec_*))
                  )
    }

    The cybersecurity industry provides overlapping cyber threat intelligence, IOCs, and mitigation recommendations related to GRU unit 26165 cyber actors. While not all encompassing, the following are the most notable threat group names related under MITRE ATT&CK G0007 and commonly used within the cybersecurity community: 

    • APT28 [14]
    • Fancy Bear [14]
    • Forest Blizzard [14]
    • Blue Delta [15]

    Note: Cybersecurity companies have different methods of tracking and attributing cyber actors, and this may not be a 1:1 correlation to the U.S. government’s understanding for all activity related to these groupings.

    Further Reference

    To search for the presence of malicious email messages targeting CVE-2023-23397, network defenders may consider using the script published by Microsoft: https://aka.ms/CVE-2023-23397ScriptDoc

    For the Impacket TTP, network defenders may consider using the following publicly available Impacket YARA detection rule:
    https://github.com/Neo23x0/signature-base/blob/master/yara/gen_impacket_tools.yar

    Works Cited

    [1] Microsoft. Defending Ukraine: Early Lessons from the Cyber War. 2022. https://blogs.microsoft.com/on-the-issues/2022/06/22/defending-ukraine-early-lessons-from-the-cyber-war/  
    [2] FBI et al. Russian Cyber Actors Use Compromised Routers to Facilitate Cyber Operations. 2024. https://media.defense.gov/2024/Feb/27/2003400753/-1/-1/0/CSA-Russian-Actors-Use-Routers-Facilitate-Cyber_Operations.PDF   
    [3] NSA et al. Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. 2021. https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/0/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF 
    [4] ANSSI. Campagnes d'attaques du mode opératoire APT28 depuis 2021. 2023. https://cert.ssi.gouv.fr/cti/CERTFR-2023-CTI-009/  
    [5] ANSSI. Targeting and compromise of french entities using the APT28 intrusion set. 2025. https://cert.ssi.gouv.fr/cti/CERTFR-2025-CTI-007/   
    [6] Polish Cyber Command. Detecting Malicious Activity Against Microsoft Exchange Servers. 2023. https://www.wojsko-polskie.pl/woc/articles/aktualnosci-w/detecting-malicious-activity-against-microsoft-exchange-servers/ 
    [7] IBM. Israel-Hamas Conflict Lures to Deliver Headlace Malware. 2023. https://securityintelligence.com/x-force/itg05-ops-leverage-israel-hamas-conflict-lures-to-deliver-headlace-malware/ 
    [8] CERT-UA. APT28: From Initial Attack to Creating Domain Controller Threats in an Hour. 2023. https://cert.gov.ua/article/6276894 
    [9] NSA. Embracing a Zero Trust Security Model. 2021. https://media.defense.gov/2021/Feb/25/2002588479/-1/-1/0/CSI_EMBRACING_ZT_SECURITY_MODEL_UOO115131-21.PDF  
    [10] NSA et al. Keeping PowerShell: Security Measures to Use and Embrace. 2022. https://media.defense.gov/2022/Jun/22/2003021689/-1/-1/0/CSI_KEEPING_POWERSHELL_SECURITY_MEASURES_TO_USE_AND_EMBRACE_20220622.PDF 
    [11] National Institute of Standards and Technology (NIST). Special Publication 800-63B: Digital Identity Guidelines – Authentication and Lifecycle Management. 2020. https://pages.nist.gov/800-63-3/sp800-63b.html 
    [12] NSA. Selecting Secure Multi-factor Authentication Solutions. October 16, 2020. https://media.defense.gov/2024/Jul/31/2003515137/-1/-1/0/MULTIFACTOR_AUTHENTICATION_SOLUTIONS_UOO17091520.PDF  
    [13] NSA and CISA. NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations. 2023. https://media.defense.gov/2023/Oct/05/2003314578/-1/-1/0/JOINT_CSA_TOP_TEN_MISCONFIGURATIONS_TLP-CLEAR.PDF

    [14] Department of Justice. Justice Department Conducts Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU). 2024. https://www.justice.gov/archives/opa/pr/justice-department-conducts-court-authorized-disruption-botnet-controlled-russian  
    [15] Recorded Future. GRU’s BlueDelta Targets Key Networks in Europe with Multi-Phase Espionage Campaigns. 2024. https://go.recordedfuture.com/hubfs/reports/CTA-RU-2024-0530.pdf  
     

    Disclaimer of endorsement

    The information and opinions contained in this document are provided "as is" and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.

    Purpose

    This document was developed in furtherance of the authoring agencies’ cybersecurity missions, including their responsibilities to identify and disseminate threats and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.

    Contact

    United States organizations

    • National Security Agency (NSA)
    • Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI)
      • U.S. organizations are encouraged to report suspicious or criminal activity related to information in this advisory to CISA via the agency’s Incident Reporting System, its 24/7 Operations Center (report@cisa.gov or 888-282-0870), or your local FBI field office. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.
    • Department of Defense Cyber Crime Center (DC3)

    United Kingdom organizations

    Germany organizations

    Czech Republic organizations

    Poland organizations

    Australian organizations

    • Visit cyber.gov.au or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and access alerts and advisories.

    Canadian organizations

    Estonia organizations

    French organizations

    • French organizations are encouraged to report suspicious activity or incidents related to information found in this advisory by contacting ANSSI/CERT-FR by email at cert-fr@ssi.gouv.fr or by phone at: 3218 or +33 9 70 83 32 18.

    See Table 2 through Table 14 for all the threat actor tactics and techniques referenced in this advisory.

    Table 2: Reconnaissance
    Tactic/Technique Title ID Use
    Reconnaissance TA0043 Conducted reconnaissance on at least one entity involved in the production of ICS components for railway management.
    Gather Victim Identity Information: Email Addresses T1589.002 Conducted contact information reconnaissance to identify additional targets in key positions.
    Gather Victim Org Information T1591 Conducted reconnaissance of the cybersecurity department.
    Gather Victim Org Information: Identify Roles T1591.004 Conducted reconnaissance of individuals responsible for coordinating transport.
    Gather Victim Org Information: Business Relationships T1591.002 Conducted reconnaissance of other companies cooperating with the victim entity.
    Gather Victim Host Information T1592 Attempted to enumerate Real Time Streaming Protocol (RTSP) servers hosting IP cameras.
    Table 3: Resource development
    Tactic/Technique Title ID Use
    Compromise Accounts: Email Accounts T1586.002 Sent phishing emails using compromised accounts.
    Compromise Accounts: Cloud Accounts T1586.003 Sent phishing emails using compromised accounts.
    Table 4: Initial Access
    Tactic/Technique Title ID Use
    Trusted Relationship T1199 Conducted follow-on targeting of additional entities in the transportation sector that had business ties to the primary target, exploiting trust relationships to attempt to gain additional access.
    Phishing T1566 Used spearphishing for credentials and delivering malware to gain initial access to targeted entities.
    Phishing: Spearphishing Attachment T1566.001 Sent emails with malicious attachments.
    Phishing: Spearphishing Link T1566.002 Used spearphishing with included links to fake login pages. Sent emails with embedded hyperlinks that downloaded a malicious archive.
    Phishing: Spearphishing Voice T1566.004 Attempted to use voice phishing to gain access to privileged accounts by impersonating IT staff.
    External Remote Services T1133 Exploited Internet-facing infrastructure, including corporate VPNs, to gain initial access to targeted entities.
    Exploit Public-Facing Application T1190 Exploited public vulnerabilities and SQL injection to gain initial access to targeted entities.
    Content Injection T1659 Leveraged a WinRAR vulnerability allowing for the execution of arbitrary code embedded in an archive.
    Table 5: Execution
    Tactic/Technique Title ID Use
    User Execution: Malicious Link T1204.001 Used malicious links to hosted shortcuts in spearphishing.
    User Execution: Malicious File T1204.002 Delivered malware executables via spearphishing.
    Scheduled Task/Job: Scheduled Task T1053.005 Used scheduled tasks to establish persistence.
    Command and Scripting Interpreter T1059 Delivered scripts in spearphishing. Executed arbitrary shell commands.
    Command and Scripting Interpreter: PowerShell T1059.001 PowerShell commands were often used to prepare data for exfiltration.
    Command and Scripting Interpreter: Windows Command Shell T1059.003 Used BAT script in spearphishing.
    Command and Scripting Interpreter: Visual Basic T1059.005 Used VBScript in spearphishing.
    Command and Scripting Interpreter: Python T1059.006 Installed python on infected machines to enable the execution of Certipy.
    Table 6: Persistence
    Tactic/Technique Title ID Use
    Account Manipulation: Additional Email Delegate Permissions

    Used manipulation of mailbox permissions to establish sustained email collection.

    Modify Authentication Process: Multi-Factor Authentication

    Enrolled compromised accounts in MFA mechanisms to increase the trust-level of compromised accounts and enable sustained access.

    Hijack Execution Flow: DLL Search Order Hijacking

    T1574.001

    Used DLL search order hijacking to facilitate malware execution.

    Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

    T1547.001

    Used run keys to establish persistence.

    Boot or Logon Autostart Execution: Shortcut Modification

    T1547.009

    Placed malicious shortcuts in the startup folder to establish persistence.
    Table 7: Defense Evasion
    Tactic/Technique Title ID Use
    Indicator Removal: Clear Windows Event Logs

    T1070.001

    Deleted event logs through the wevtutil utility.
    Table 8: Credential access 
    Tactic/Technique Title ID Use

    Brute Force 

    Sent requests with Base64-encoded credentials for the RTSP server, which included publicly documented default credentials, and likely were generic attempts to brute force access to the devices. 

    Brute Force: Password Guessing 

    Used credential guessing to gain initial access to targeted entities. 

    Brute Force: Password Spraying 

    Used brute force to gain initial access to targeted entities. Conducted a brute force password spray via LDAP. 

    Multi-Factor Authentication Interception 

    Used multi-stage redirectors to provide MFA relaying capabilities in some campaigns. 

    Input Capture 

    Used multi-stage redirectors to provide CAPTCHA relaying capabilities in some campaigns. 

    Forced Authentication 

    Used an Outlook NTLM vulnerability to collect NTLM hashes and credentials via specially crafted Outlook calendar appointment invitations. 

    OS Credential Dumping: NTDS 

    Attempted to dump Active Directory NTDS.dit domain databases. 

    Unsecured Credentials: Group Policy Preferences 

    Retrieved plaintext passwords via Group Policy Preferences using Get-GPPPassword.py. 

    Table 9: Discovery
    Tactic/Technique Title ID Use

    Account Discovery: Domain Account

    T1087.002

    Used a modified ldap-dump.py to enumerate the Windows environment.

    Table 10: Command and Control
    Tactic/Technique Title ID Use

    Hide Infrastructure 

    T1665 

    Abused SOHO devices to facilitate covert cyber operations, as well as proxy malicious activity, via devices with geolocation in proximity to the target. 

    Proxy: External Proxy 

    T1090.002 

    Actor-controlled servers sent RTSP DESCRIBE requests destined for RTSP servers. 

    Proxy: Multi-hop Proxy 

    T1090.003 

    Used Tor and commercial VPNs as part of their anonymization infrastructure.

    Encrypted Channel 

    T1573 

    Connected to victim infrastructure using encrypted TLS. 

    Multi-Stage Channels 

    T1104 

    Used multi-stage redirectors for campaigns. 

    Table 11: Defense evasion (mobile framework)
    Tactic/Technique Title ID Use

    Execution Guardrails 

    Used multi-stage redirectors to verify browser fingerprints in some campaigns. 

    Execution Guardrails: Geofencing 

    Used multi-stage redirectors to verify IP-geolocation in some campaigns. 

    Table 12: Lateral movement
    Tactic/Technique Title ID Use

    Lateral Movement 

    Used native commands and open source tools, such as Impacket and PsExec, to move laterally within the environment. 

    Remote Services: Remote Desktop Protocol 

    Moved laterally within the network using RDP. 

    Table 13: Collection
    Tactic/Technique Title ID Use

    Email Collection 

    Retrieved sensitive data from email servers. 

    Email Collection: Remote Email Collection 

    Used server data exchange protocols and APIs such as Exchange Web Services (EWS) and IMAP to exfiltrate data from email servers. 

    Automated Collection 

    Used periodic EWS queries to collect new emails. 

    Video Capture 

    Attempted to gain access to the cameras’ feeds. 

    Archive Collected Data 

    Accessed files were archived in .zip files prior to exfiltration. 

    Archive Collected Data: Archive via Utility 

    Prepared zip archives for upload to the actors’ infrastructure. 

    Table 14: Exfiltration
    Tactic/Technique Title ID Use

    Exfiltration Over Alternative Protocol 

    Attempted to exfiltrate archived data via a previously dropped OpenSSH binary. 

    Scheduled Transfer 

    Used periodic EWS queries to collect new emails sent and received since the last data exfiltration. 

    Appendix B: CVEs exploited

    Table 15: Exploited CVE information
    CVE  Vendor/Product  Details

    RARLAB WinRAR 

    Allows execution of arbitrary code when a user attempts to view a benign file within a ZIP archive. 

    Microsoft Outlook 

    External actors could send specially crafted emails that cause a connection from the victim to an untrusted location of the actor’s control, leaking the Net-NTLMv2 hash of the victim that the actor could then relay to another service to authenticate as the victim. 

    Roundcube Webmail 

    Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search params. 

    Roundcube Webmail 

    An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16 and 1.4.x before 1.4.10, where a plaintext email message with JavaScript in a link reference element is mishandled by linkref_addindex in rcube_string_replacer.php. 

    Roundcube Webmail 

    Roundcube Webmail before 1.4.4 allows arbitrary code execution via shell metacharacters in a configuration setting for im_convert_path or im_identify_path in rcube_image.php. 

    Appendix C: MITRE D3FEND Countermeasures

    Table 16: MITRE D3FEND countermeasures
    Countermeasure Title  ID  Details 

    Network Isolation 

    Employ appropriate network segmentation. Disable Universal Plug and Play (UPnP), Peer-to-Peer (P2P), and Anonymous Visit features on IP cameras and routers. 

    Access Mediation 

    Limit access and utilize additional attributes (such as device information, environment, and access path) when making access decisions. Configure access controls carefully to ensure that only well-maintained and well-authenticated accounts have access. 

    Inbound Traffic Filtering 

    Implement host firewall rules to block connections from other devices on the network, other than from authorized management devices and servers, to prevent lateral movement. 

    Resource Access Pattern Analysis 

    Use automated tools to audit access logs for security concerns and identify anomalous access requests. 

    Outbound Traffic Filtering 

    Block NTLM/SMB requests to external infrastructure. 

    Platform Monitoring 

    Install EDR/logging/cybersecurity solutions onto high value systems with large amounts of sensitive data such as mail servers and domain controllers. 

    System File Analysis 

    Collect and monitor Windows logs for certain events, especially for events that indicate that a log was cleared unexpectedly. 

    Application Hardening 

    Enable optional security features in Windows to harden endpoints and mitigate initial access techniques. 

    Application-based Process Isolation 

    Enable attack surface reduction rules to prevent executable content from email. 

    Executable Allowlisting 

    Enable attack surface reduction rules to prevent execution of files from globally writeable directories, such as Downloads or %APPDATA%. 

    Execution Isolation 

    Unless users are involved in the development of scripts, limit the execution of scripts (such as batch, JavaScript, and PowerShell) to known scripts. 

    Application Configuration Hardening 

    Disable Windows Host Scripting functionality and configure PowerShell to run in Constrained mode. Disable protocols that use weak authentication (e.g., clear-text passwords, or outdated and vulnerable authentication or encryption protocols) or do not support multi-factor authentication. Turn off other ports/services not in use (e.g., FTP, web interface, etc.). 

    Process Spawn Analysis 

    Use open source SIGMA rules as a baseline for detecting and alerting on suspicious file execution or command parameters. 

    URL Reputation Analysis 

    Use services that provide enhanced browsing services and safe link checking. 

    Network Access Mediation 

    Do not allow incoming traffic, especially logins to systems, from public VPN services. Where possible, logins from public VPNs, including exit nodes in the same country as target systems, should be blocked or, if allowed, alerted on for further investigation. Ensure cameras and other Internet of Things devices are protected by a security appliance, if possible. 

    DNS Denylisting 

    Do not allow outgoing traffic to hosting and API mocking services frequently used by malicious actors. 

    Domain Name Reputation Analysis 

    Heuristic detections for web requests to new subdomains may uncover malicious phishing activity. Logging the requests for each sub-domain requested by users on a network, such as in DNS or firewall logs, may enable system administrators to identify new targeting and victims. 

    Multi-factor Authentication 

    Use MFA with strong factors and require regular re-authentication, especially for management accounts. 

    Job Function Access Pattern Analysis 

    Implement other mitigations for privileged accounts, including limiting the number of admin accounts, considering using hardware MFA tokens, and regularly reviewing all privileged user accounts.

    User Account Permissions 

    Separate privileged accounts by role and alert on misuse of privileged accounts. Audit user accounts on all devices to ensure they are an accurate reflection of your organization and that they are being used as expected. 

    Token-based Authentication 

    Reduce reliance on passwords; instead, consider using services like single sign-on. 

    Credential Hardening 

    Do not store passwords in Group Policy Preferences (GPP). Remove all passwords previously included in GPP and change all passwords on the corresponding accounts. 

    Authentication Event Thresholding

    Use account throttling or account lockout. Throttling progressively increases time delay between successive login attempts. If using account lockout, allow between 5 to 10 attempts before lockout. 

    Strong Password Policy 

    Use a service to check for compromised passwords before using them. 

    Credential Rotation 

    Change all default credentials. 

    Encrypted Tunnels 

    Disable protocols that use weak authentication (e.g., clear-text passwords, or outdated and vulnerable authentication or encryption protocols). Use a VPN for remote connections to devices. 

    Software Update 

    Apply security patches and firmware updates to all devices. Ensure devices are currently supported. Replace devices that are end-of-life. 

    Agent Authentication 

    Ensure authentication is enabled for remote access to devices. If supported on IP cameras, enable authenticated RTSP access only. 

    User Behavior Analysis 

    Review all authentication activity for remote access to make sure it is valid and expected. Investigate any unexpected or unusual activity. 
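The Domain Name Reputation Analysis row above recommends logging every requested sub-domain and looking for new ones. The following is an added example, not part of the advisory, of that first-seen check over DNS query logs; the log format, the watched parent domains and every log line are constructed for illustration.

```python
"""First-seen subdomain detection over DNS query logs (added example)."""
from datetime import datetime, timezone

# Constructed placeholders standing in for hosting / API-mocking services
# whose subdomains an organization chooses to watch.
WATCHED_PARENTS = ("freehost.example", "mockapi.example")

# Queries up to this instant form the baseline of known subdomains.
BASELINE_END = datetime(2025, 5, 10, tzinfo=timezone.utc)

# Constructed log lines: "<UTC timestamp> <client IP> <query name> <type>"
SAMPLE_LOG = """\
2025-05-01T09:00:02Z 10.0.4.17 docs.freehost.example. A
2025-05-01T09:05:40Z 10.0.4.22 intranet.corp.example. A
2025-05-02T11:12:09Z 10.0.4.17 DOCS.freehost.example. AAAA
2025-05-20T08:01:12Z 10.0.4.31 login-portal.freehost.example. A
2025-05-20T08:01:15Z 10.0.4.31 login-portal.freehost.example. AAAA
2025-05-20T08:03:44Z 10.0.4.45 login-portal.freehost.example. A
2025-05-20T08:10:00Z 10.0.4.31 a1b2c3.mockapi.example. A
2025-05-20T08:11:00Z 10.0.4.17 docs.freehost.example. A
this line is malformed and must be skipped
2025-05-20T08:12:30Z 10.0.4.31 freehost.example. A
"""


def normalize(qname):
    """Lower-case and drop the trailing root dot so equal names compare equal."""
    return qname.rstrip(".").lower()


def watched_parent(qname, parents=WATCHED_PARENTS):
    """Return the watched parent if qname is a strict subdomain of it, else None.

    The leading dot in the suffix test stops 'notfreehost.example' from
    matching 'freehost.example'.
    """
    for parent in parents:
        if qname.endswith("." + parent):
            return parent
    return None


def parse_line(line):
    """Parse one log line into (timestamp, client, qname); None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts_raw, client, qname, _qtype = parts
    try:
        ts = datetime.strptime(ts_raw, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return ts.replace(tzinfo=timezone.utc), client, normalize(qname)


def find_new_subdomains(log_text, baseline_end):
    """Report watched subdomains first queried after baseline_end.

    Returns {subdomain: {"parent", "first_seen", "clients"}} so an analyst
    sees which hosts resolved the new name and when it first appeared.
    """
    baseline = set()
    findings = {}
    records = sorted(r for r in map(parse_line, log_text.splitlines()) if r)
    for ts, client, qname in records:
        parent = watched_parent(qname)
        if parent is None:
            continue  # not under a watched service
        if ts <= baseline_end:
            baseline.add(qname)  # known-good history
        elif qname not in baseline:
            hit = findings.setdefault(
                qname, {"parent": parent, "first_seen": ts, "clients": set()}
            )
            hit["clients"].add(client)
    return findings


if __name__ == "__main__":
    for name, hit in sorted(find_new_subdomains(SAMPLE_LOG, BASELINE_END).items()):
        print(name, hit["first_seen"].isoformat(), sorted(hit["clients"]))
```

The client set on each finding is what lets an administrator scope which internal hosts resolved a newly seen name.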

    MIL Security OSI -

  • MIL-OSI: TMD Energy Limited Announces Strategic Expansion into Oil Waste Collection as Core ESG Initiative

    Source: GlobeNewswire (MIL-OSI)

    KUALA LUMPUR, MALAYSIA, May 21, 2025 (GLOBE NEWSWIRE) — TMD Energy Limited (the “Company” or “TMDEL”) (NYSE American: TMDE), which together with its subsidiaries is a Malaysia and Singapore based services provider engaged in integrated bunkering services involving ship-to-ship transfer of marine fuels, ship management services and vessel chartering services, today announced a strategic expansion into oil waste collection, marking a significant enhancement of its Environmental, Social, and Governance (ESG) commitments. This initiative aims to collect sludge oil and used cooking oil and sell them to third-party partners for processing into biodiesel, which also helps diversify the Company’s revenue streams.

    Following a successful Initial Public Offering, the Company is poised to leverage its extensive logistics network and industry expertise to meet the increasing demand for sustainable waste disposal. It plans to collect residual oils from maritime operators and the food industry, facilitating their conversion into cleaner biodiesel. This circular economy approach not only mitigates greenhouse gas emissions but also supports Malaysia’s national commitment to renewable energy adoption.

    Leadership in Sustainable Innovation

    The biodiesel market in Malaysia, supported by government incentives, presents substantial growth opportunities. TMDEL’s entry into this sector aligns with evolving regulatory frameworks and the corporate demand for eco-conscious partnerships. “Our expansion signifies a strategic shift toward long-term environmental stewardship,” stated Dato’ Sri Kam Choy Ho, Chairman and CEO of the Company. “By collaborating with businesses, agencies and environmental organizations, we aim to redefine waste as a valuable resource—transforming sustainability commitments into actionable and scalable solutions.”

    “This initiative reinforces TMDEL’s dual commitment to operational excellence and ecological responsibility. The Company’s established infrastructure ensures efficient collection, and we target to engage in processing and distribution of biodiesel in the near future, so as to position the Company as a key player in Southeast Asia’s green energy transition.”

    “Furthermore, this milestone underscores our vision to lead the bio-green industry while upholding our commitment to exceptional service standards,” added Dato’ Sri Kam Choy Ho. “Every step forward is a step toward a future where economic growth and environmental responsibility coexist.”

    About TMD Energy Limited

    TMD Energy Limited and its subsidiaries (“TMDEL Group”) are principally involved in marine fuel bunkering services specializing in the supply and marketing of marine gas oil and marine fuel oil of which include high sulfur fuel oil, low sulfur fuel oil and very low sulfur fuel oil, to ships and vessels at sea. TMDEL Group is also involved in the provision of ship management services for in-house and external vessels, as well as vessel chartering. As of today, TMDEL Group operates in 19 ports across Malaysia with a fleet of 15 bunkering vessels. For more information, please visit the Company’s website at: www.tmdel.com.

    Forward-Looking Statements

    Certain statements in this announcement are forward-looking statements, including but not limited to, the Company’s Offering. These forward-looking statements involve known and unknown risks and uncertainties and are based on the Company’s current expectations and projections about future events that the Company believes may affect its financial condition, results of operations, business strategy and financial needs. Investors can identify these forward-looking statements by words or phrases such as “may”, “could”, “will”, “should”, “would”, “expect”, “plan”, “intend”, “anticipate”, “believe”, “estimate”, “predict”, “potential”, “project” or “continue” or the negative of these terms or other comparable terminology. The Company undertakes no obligation to update or revise publicly any forward-looking statements to reflect subsequent occurring events or circumstances, or changes in its expectations, except as may be required by law. Although the Company believes that the expectations expressed in these forward-looking statements are reasonable, it cannot assure you that such expectations will turn out to be correct, and the Company cautions investors that actual results may differ materially from the anticipated results and encourages investors to review other factors that may affect its future results in the Company’s financial results filings with the SEC.

    For investor and media inquiries, please contact:
    TMD ENERGY LIMITED
    e-Mail : corporate@tmdel.com

    WFS INVESTOR RELATIONS
    e-Mail : services@wealthfsllc.com

    The MIL Network

  • MIL-OSI United Kingdom: New Chair and members of the Joint Nature Conservation Committee appointed

    Source: United Kingdom – Executive Government & Departments

    News story

    Dr David Cooper named as new Chair; Professor Tom Meagher reappointed and Professor Julia Jones confirmed as new member

    Dr David Cooper has been appointed as the Chair of the Joint Nature Conservation Committee (JNCC). The appointment was made in conjunction with the devolved governments and is for a three-year term from 1 June 2025 to 31 May 2028.

    Professor Tom Meagher has been reappointed as an independent member of the Committee. Tom’s term will run for four years until 3 April 2029. 

    Furthermore, Professor Julia Jones has been appointed as an independent member of the Committee. Julia’s term will run for three years until 31 May 2028.

    The new appointments have been made on merit and in accordance with the Governance Code on Public Appointments.

    As the UK’s statutory advisor on nature, the JNCC provides scientific evidence and advice to the devolved governments of the UK, the UK government, and the UK’s Overseas Territories and Crown Dependencies, to help policymakers turn science into action for nature.

    Biographical details

    Dr David Cooper

    • David Cooper is Visiting Fellow at the Oxford Martin School and Honorary Researcher of the Leverhulme Centre for Nature Recovery at the University of Oxford.
    • David has more than 30 years’ experience in international science and policy, including at the Convention on Biological Diversity and the UN Food and Agriculture Organization. As CBD Deputy Executive Secretary and Acting Executive Secretary, he was instrumental in facilitating the development and adoption of the Kunming-Montreal Global Biodiversity Framework and related agreements.
    • David has contributed to the work of the Intergovernmental Science-Policy Platform on Biodiversity and Ecosystem Services among other scientific reports and assessments.
    • He has chaired a number of bodies including the Collaborative Partnership on Sustainable Wildlife Management, the Biodiversity Indicators Partnership, and the Inter-agency liaison group on Invasive Alien Species.

    Professor Tom Meagher

    • Tom Meagher has been a member of the JNCC since April 2021. He is Professor of Plant Biology at the University of St Andrews and served as Director of the St Andrews Global Challenges Forum. He was previously a member of the Defra Science Advisory Council and the Natural Environment Research Council.
    • Tom leads an international and interdisciplinary initiative developing novel remote sensing technology to aid the assessment and conservation of plant biodiversity. He has also worked with the British Council, the British Embassy Lima, and government agencies in Peru to promote the establishment of a national botanic garden and plant biodiversity initiative.
    • He has been an active contributor to the Scottish Government’s environmental and conservation science strategy, following his former role as a Trustee of the Royal Botanic Garden Edinburgh.

    Julia Jones

    • Julia Jones is Professor in Conservation Science at Bangor University and currently holds the Prince Bernhard Chair of International Nature Conservation at Utrecht University.
    • She is a trustee of WWF-UK and is a member of the British Ecological Society and the Society for Conservation Biology. She serves on the advisory board of the Sounds Right initiative, a collaboration between the Museum for the United Nations and the music industry to allow nature to collect royalties from her sounds.
    • She has previously served as the Director of the Low Carbon Energy and Environment Research Network Wales, and on the Welsh committee of the RSPB.

    Updates to this page

    Published 21 May 2025

    MIL OSI United Kingdom

  • MIL-OSI China: China releases plan to protect rivers, lakes

    Source: People’s Republic of China – State Council News

    BEIJING, May 21 — China has unveiled an action plan to protect and create beautiful rivers and lakes from 2025 to 2027, with a focus on improving the quality of aquatic ecosystems.

    The plan, jointly released by the Ministry of Ecology and Environment and other government organs on Wednesday, set the goals of achieving notable progress in creating beautiful rivers and lakes by 2030 and completing the initiative by 2035.

    The plan aims to promote targeted, science-based, and lawful pollution control, coordinate the management of water resources, aquatic environments, and water ecologies, and build an integrated ecological governance system across upstream and downstream areas in key river basins to improve the health of aquatic ecosystems.

    A total of 2,573 water bodies have been included in the national list for protecting and creating beautiful rivers and lakes, covering major river trunks, key tributaries, and important lakes and reservoirs with critical ecological functions, fragile environments, or significant public interest.

    The plan outlines 19 specific measures, focusing on consolidating and deepening water environment management, guaranteeing basic ecological water use, and comprehensively advancing protection and construction efforts.

    MIL OSI China News

  • MIL-OSI United Kingdom: Flies, crossbows and comics: novel counter terrorism innovation

    Source: United Kingdom – Executive Government & Departments

    Case study

    Nine projects, ranging from whether flies can detect explosives to how comics can reduce radicalism and how much of a risk crossbows are, were showcased.

    More than 100 people attended the third University Innovation Concept event exploring ways in which cutting-edge research, often in unexpected areas, can help fight terrorism. 

    Nine fascinating and thought-provoking projects, ranging from whether flies can detect explosives (yes!) to how comics can reduce radicalism, and how much of a terrorism risk crossbows are, were on display at a showcase at the Open University in Milton Keynes, in which the Accelerated Capability Environment (ACE) was a proud partner. 

    Researchers and delegates were welcomed by Inspector Liam Cahill, Innovation Domain Lead at the Counter Terrorism Research Lab (CTRL), and Open University professors Arosha K Bandara and Eleanor Crabb. Annette Southgate, Head of ACE, then took to the stage to stress the importance of work and innovative collaboration such as this to “getting ahead of some of the people that are trying to cause us harm”. 

    Iain Harrison, Director of Digital, Data, Analysis & Technology at Counter Terrorism Policing, explained the rigorous process, supported by ACE, that began with 62 proposals from 28 different universities, which were then reviewed and whittled down to the nine stimulating ideas on display at the showcase event. 

    Bringing academia and Counter Terrorism Policing together 

    The projects that had been explored over 12 weeks of intensive research were showcased across three themes: 

    THEME ONE: Radicalisation and Interventions 

    First to present were a team from Anglia Ruskin University, on the topic of Exploring the Impact of Critical World Events on Extremist Misinformation Network (2020-24). This involved analysing 240 posts from four major platforms to understand how extremist groups exploit global crises on popular social media platforms, using hashtags and multiple forms of misinformation to amplify uncertainty and try and recruit new audiences. It also looked to pinpoint potential novel ways to intervene in this process. 

    Next up were a team from Cranfield University, analysing how social media content algorithms respond to user interactions within specific topics, to answer the question of Can Social Media Algorithms Radicalise? This pilot was designed to quantify if user behaviours such as watching or liking videos influenced a popular platform’s algorithm, and to what extent. The conclusion was that the algorithm could be influenced to provide more content around a particular theme, but it is not yet clear how long this influence lasts. 

    The final presentation in this first session was from the University of Liverpool, exploring the topic of Graphic Novels to Enable Discussion and Promote Critical Thinking. This project involved creating a 46-page book containing four graphic novels on the topic of radicalisation, supported by front-line intervention practitioners, for use in educational strategies to encourage critical thinking. Comics were chosen because they are already popular worldwide, accessible and engaging as a format, and cheap to produce. 

    THEME TWO: Current Threats, Biosensors and Human Networks 

    After a break, another team from Cranfield University, which had been drawing big crowds in the breakout sessions for the four crossbows on display at their stand, spoke on their research into Crossbows: A Real and Current Threat. Against a background of increasing use of crossbows in targeted incidents, and given that they can legally be bought by anyone over the age of 18, this set out to examine the hit probability and wounding potential of four different systems, their reload times, and how these compared to current policing response times. The conclusion, drawn from a variety of tests including depth of penetration and discharge rate, was that crossbows need to be considered a real and present threat for a marauding terrorist attack, because all of those tested have potential to cause significant injury, especially to unprotected organs. 

    Next up was another project that had the audience buzzing – research from a team at The Open University on Fruit Fly Biosensors: Leveraging Olfactory Responses for Detection of Explosives and Toxic Chemicals. This explored if fruit flies, which have exceptional sensitivity, could be used as biosensors to detect toxins, drug precursors and explosives. The answer was potentially yes – experiments with TNT found that exposure to the explosive led to a gradual but clear increase in fly attraction, indicating that fruit flies can detect it. Preliminary lab data also suggests starving the flies may enhance TNT detection speed. 

    The final project in this session was an explanation of a Dynamic Target Indicator Tool (D-TinT) developed by a team at the University of Exeter. This uses techniques from movement pattern analytics and social network analysis to identify the best indicators of links between nodes in a human network based on movement patterns over time. This enables a statistical and spatial mathematical model to be developed. The Tool also identifies what might be flagged as a vulnerable target – either person or place – which could allow counter terrorism stakeholders to test the impact of possible risk-reduction procedures. 

    THEME THREE: Emerging Technologies 

    The final session of a highly enjoyable day started with a team from Robert Gordon University in Aberdeen talking the audience through their research on Leveraging Artificial Intelligence (AI) to Identify and Prevent Terrorism in Prisons: Legislative Gaps and Technological Solutions. This analysed AI’s role in situational awareness and radicalisation prevention, explored how it could support existing counterterrorism efforts, evaluated legal and ethical readiness for AI to be deployed in this way, and proposed technical and legal reforms to enable the responsible use of AI technologies in prison settings. The conclusion of the research was that AI offers significant potential to enhance security and counter-radicalisation efforts in UK prisons. 

    Next, a scoping study of Augmented Reality and Terrorism was presented by Dr Richard Jones of Edinburgh Law School, part of the University of Edinburgh. Billing augmented reality as a “technology in search of a purpose”, his research explored both potential law enforcement applications, such as head-up real-time navigation and facial recognition of persons of interest, as well as how terrorists could use the same technology, for example to create video footage for propaganda purposes. It also looked at how this technology could evolve in the public domain. The research concluded that feasibility factors include device cost and availability as well as the level of required technological expertise, which is likely to fall, in addition to utility and whether it solves a problem. 

    The final presentation of the day was by a team from the University of Southampton on Exploiting Vulnerabilities in Autonomous Vehicle Systems for Terrorist Activity – Threats to UK Critical National Infrastructure. This focused on identifying vulnerabilities in autonomous vehicle systems amid increasing reliance on connected and automated vehicles, analysing how terrorists could exploit these to disrupt or control them. This could include by hijacking the vehicle controls or causing collisions via manipulating road signs. The conclusion was that proactive risk mitigation is paramount. 

    Following the event, Inspector Cahill said: “The University Innovation Concept (UIC) was conceived with the intention of bringing Counter Terrorism Policing and academia closer together to ensure operational decisions made by experienced and knowledgeable personnel are backed by science and academic rigour. 

    “The one-day showcase was also a fantastic opportunity for attendees to network, learn about ongoing research and potentially take learning back to their operational roles, and feedback has been extremely positive.”  

    Reflecting on the event, Professor Southgate said: “ACE is proud to support policing colleagues find new and creative ways of solving frontline mission problems through partnership with researchers from across a diversity of backgrounds and institutions.

    “Accessing diversity of thought, approach and experience helps us step back and consider more impactful and enduring ways of tackling existing and sometimes long-standing problems. 

    “We are keen to help identify and shine a light on brilliant academic work that can already help solve today’s mission problems; highlighting the difference this makes, help build relationships and continue encouraging our talented academic community to support frontline policing work.”

    Updates to this page

    Published 21 May 2025

    MIL OSI United Kingdom

  • MIL-OSI Global: Why your electricity bill is so high and what Pennsylvania is doing about it

    Source: The Conversation – USA – By Hannah Wiseman, Professor of Law, Penn State

    Pennsylvanians can expect 10% to 20% increases in their electricity bills over the next three years. Gregory Rodriguez/iStock via Getty Images

    Americans’ electricity bills tend to tick up each year in line with inflation.

    But upgrades to electric wires, reinforcing and protecting power lines from severe weather, and changing fuel costs – among other factors – are sending rates soaring.

    High electricity consumption from data centers and other sources of rising demand will likely cause further increases in the near future.

    The impact on consumers is particularly dramatic in Pennsylvania, where rate hikes are widespread.

    For example, the monthly bill for a PECO residential customer who uses 700 kilowatt hours of electricity monthly increased 10% – or US$13.58 – in 2025. These bills will go up another $2.70 each month in 2026.

    Retail price adjustments approved by the Pennsylvania Public Utility Commission for most electric distribution utilities effective December 2024 led to higher bills for many customers across the state. In some parts of Pennsylvania, the increases topped an estimated 30%.

    As professors who work in the areas of energy law and electricity markets, we know electricity costs are rising in many parts of the U.S.

    But Pennsylvania faces distinct challenges related to its electric grid – the maze of wires and generators – that drive both the growing demand for electricity and the limited supply.

    PJM and the electric grid

    Pennsylvania power plants produce a lot of electricity. In fact, the Keystone State is the largest exporter of electricity in the U.S. and has been for many years.

    But the electricity Pennsylvania produces doesn’t always stay in state.

    That’s because Pennsylvania’s electric grid is managed by a company called PJM. PJM coordinates the flow of electricity through all or parts of 13 states and the District of Columbia, and it ensures the wholesale electricity transmission system operates reliably and safely.

    Pennsylvania electric utilities, such as PECO or Duquesne Light, then distribute this wholesale electricity to retail customers, including homeowners and renters.

    PJM requires the utilities to ensure ahead of time that they can meet their customers’ future electricity demands, including during heat waves and winter storms. This requirement is met using a market called a “capacity auction,” in which electricity suppliers bid to provide physical infrastructure that will generate electricity in the future.

    The prices at the 2025-2026 PJM capacity auction were more than 800% higher than the previous year, in part due to the growing demand for electricity within PJM. This amounts to tens of billions of dollars in extra costs.

    Power plants in Pennsylvania can’t simply stop exporting electricity and supply more in-state power because they dispatch their power into the regional grid operated by PJM, and the flow of electricity is dictated by the physical structure of this grid.

    Pennsylvania shares an electric grid with northern Virginia, considered the largest data center market in the world.
    Nathan Howard via Getty Images

    Soaring demand from data centers

    U.S. electricity demand rose 3% in 2024 and is expected to rise even more rapidly in the coming years.

    Much of this new demand comes from data centers, which support everything from AI applications and data storage – think of the thousands of emails and files backed up on our computers – to sports betting, online retailers such as Amazon, and national security applications such as the North American Aerospace Defense Command.

    Pennsylvania is on the same electric grid as Virginia, which hosts about a quarter of all data center capacity in the Americas. New data centers are also being built in Pennsylvania.

    Rising demand is also driven by the increase in electric vehicles and the replacement of gas- and oil-based furnaces with electric heat pumps. These replacements are ultimately more energy efficient but require electricity.

    Bottlenecks in supply

    The increase in electricity demand within PJM is happening at the same time that supply is shrinking.

    Many old generating plants in the PJM grid are retiring as they near the end of their useful lives and become less profitable for plant operators, particularly as natural gas and solar become more affordable. Some of these older power plants also emit a lot of pollution and are costly to retrofit to meet current pollution limits.

    Beyond the challenge of plant retirements, PJM has been slow to allow hundreds of new proposed power plants – most of them solar- and battery-based – to connect to transmission lines.

    This long “interconnection queue” prevents new, needed generation from coming online. This is happening even though companies are eager and ready to build more generation and battery storage.

    Aging infrastructure and growing weather extremes

    One of the primary recent drivers of high consumer electric bills is that the utilities have been slow to upgrade their aging wires.

    Many have recently made major investments in new infrastructure and in some cases are burying or strengthening wires to protect them from increasingly extreme weather.

    Electricity customers are footing the bill for this work.

    Increasing demand, aging power infrastructure and transmission bottlenecks lead to higher electricity rates.
    David Espejo/Moment Collection via Getty Images

    Response from policymakers

    In response to rising electricity prices, Pennsylvania Gov. Josh Shapiro filed a legal complaint with the Federal Energy Regulatory Commission against PJM in December 2024. This complaint blamed PJM’s capacity auction design for creating unnecessary costs for consumers.

    According to the settlement reached after the complaint, PJM’s price caps will be 35% lower at the next major capacity auction. This reduction in wholesale prices could limit retail price increases.

    But this is at best a temporary fix. It doesn’t address the increasing demand, aging power infrastructure battered by extreme weather, or transmission bottleneck.

    In order for Pennsylvania residents to see lower electric bills anytime soon, more changes are needed. For example, many experts previously observed that PJM needs to fix the queue and get online the many power plants that are ready to build and just waiting for a transmission interconnection.

    While PJM has reformed its queue process, the queue is still long. New power plants are not going up fast enough, in part due to additional challenges such as local opposition and supply chain and financing issues.

    Hannah Wiseman receives or has recently received funding from the Alfred P. Sloan Foundation, Arnold Ventures, U.S. National Science Foundation, U.S. Department of Energy, Center for Rural Pennsylvania, and the Pennsylvania Department of Environmental Protection. She is a member of the Center for Progressive Reform.

    Seth Blumsack receives or has recently received funding from the Alfred P. Sloan Foundation, Heising Simons Foundation, U.S. National Science Foundation, U.S. Department of Energy, NASA, U.S. Federal Aviation Administration, Center for Rural Pennsylvania and the Pennsylvania Department of Environmental Protection.

    ref. Why your electricity bill is so high and what Pennsylvania is doing about it – https://theconversation.com/why-your-electricity-bill-is-so-high-and-what-pennsylvania-is-doing-about-it-254562

    MIL OSI – Global Reports

  • MIL-OSI Global: Windows are the No. 1 human threat to birds – an ecologist shares some simple steps to reduce collisions

    Source: The Conversation – USA – By Jason Hoeksema, Professor of Ecology, University of Mississippi

    Birds are drawn to the mirror effect of windows. That can turn deadly when they think they see trees. CCahill/iStock/Getty Images Plus

    When wood thrushes arrive in northern Mississippi on their spring migration and begin to serenade my neighborhood with their ethereal, harmonized song, it’s one of the great joys of the season. It’s also a minor miracle. These small creatures have just flown more than 1,850 miles (3,000 kilometers), all the way from Central America.

    Other birds undertake even longer journeys — the Swainson’s thrush, for example, nests as far north as the boreal forests of Alaska and spends the nonbreeding season in northern South America, traveling up to 5,600 miles (9,000 kilometers) each way.

    These stunning feats of travel are awe-inspiring, making it that much more tragic when they are cut short by a deadly collision with a glass window.

    A wood thrush singing. Shared by the American Bird Conservancy.

    This happens with alarming regularity. Two recent scientific studies estimate that more than 1 billion birds – and as many as 5.19 billion – die from collisions with sheet glass each year in the United States alone, sometimes immediately but often from their injuries.

    In fact, window collisions are now considered the top human cause of bird deaths. Due to window collisions and other causes, bird populations across North America have declined more than 29% from their 1970 levels, likely with major consequences for the world’s ecosystems.

    These collisions occur on every type of building, from homes to skyscrapers. At the University of Mississippi campus, where I teach and conduct research as an ecologist, my colleagues and I have been testing some creative solutions.

    Why glass is so often deadly for birds

    Most frequently, glass acts as a mirror, reflecting clear sky or habitat. There is no reason for a bird to slow down when there appears to be a welcoming tree or shrub ahead.

    These head-on collisions frequently result in brain injuries, to which birds often succumb immediately.

    In other cases, birds are stunned by the collision and eventually fly off, but many of those individuals also eventually perish from brain swelling.

    Other injuries, to wings or legs, for example, can leave birds unable to fly and vulnerable to cats or other predators. If you find an injured bird, contact a local wildlife rehabilitator.

    Which windows are riskiest

    Some windows are much worse than others, depending on their proximity to bushes and other bird habitats, what is reflected in them, and how interior lighting exacerbates or diminishes the mirror effect.

    On our campus, some buildings with a great deal of glass surface area kill surprisingly few birds, while other small sets of windows are disproportionately deadly.

    A stunned Swainson’s thrush sits on the ground in front of a window on campus. The bird, which likely hit the window, eventually recovered and flew away.
    Jason Hoeksema/University of Mississippi

    One particular elevated walkway with glass on both sides between the chemistry and pharmacy buildings is a notoriously dangerous spot. The glass kills migratory birds each spring and fall as they try to pass between the two buildings on their way to The Grove, the university’s central-campus park area with large old oak trees.

    During the pandemic in 2020, student Emma Counce did the heart-heavy work of performing a survey of 11 campus buildings almost daily during spring migration. She found 72 bird fatalities in seven weeks. Five years later, my ornithology students completed a new survey and found 62 mortalities over the course of five weeks in 2025, demonstrating that we still have a lot of work to do to make our campus safe for migratory birds.

    Thrushes, perhaps due to their propensity for whizzing through tight spaces in the shady forest understory, have been disproportionately represented among the victims. Others include colorful songbirds – northern parulas, black-and-white warblers, prothonotary warblers, Kentucky warblers, buntings, vireos and tanagers.

    How to make windows less dangerous

    The good thing is that everyone can do something to lower the risk.

    Films, stickers or strings can be added on the exterior of windows, creating dots or lines, 2 to 4 inches apart, that break up reflections to give the appearance of a barrier.

    Exterior screens and blinds work great too. Just adding a few predator silhouette stickers is not effective, by the way – the treatment needs to span the whole window.

    Putting film with dots on windows, like this one at the University of Mississippi, can help birds spot the glass and stop in time. Without the dots, the reflection can look like more trees are ahead instead of glass and a hallway.
    Jason Hoeksema/University of Mississippi

    When applied properly, window treatments can make a huge difference. An inspiring example is McCormick Place in Chicago, the country’s largest convention center, which notoriously killed nearly 1,000 birds in a single night in 2023. After workers applied dot film to an area of the building’s windows equivalent to two football fields, bird mortality at the lakeside building has been reduced by 95%.

    The Bird Collision Prevention Alliance provides information on options for retrofitting home or office windows to make them more bird friendly.

    Options for new windows are also becoming more common. For example, the new Center for Science & Technology Innovation on my campus, which features many windows, mostly used bird-friendly glass with subtle polka dots built into it. This spring, we found that it killed only four birds, despite a very high surface area of glass.

    How you can help

    When trying to make a difference on your home turf, I suggest starting small. Make note of which specific windows have killed birds in the past, and treat them first.

    Use it as an opportunity to learn what approach might work best for you and your building. Either order a product or make something yourself and get it installed.

    How to make your windows safer for birds. Shared by Audubon New York and American Bird Conservancy.

    Then do another, and tell a friend. At the office, talk to people, find others who care and build a team to make gradual change.

    With some creative solutions, anyone can help reduce at least this major risk.

    Jason Hoeksema is affiliated with the University of Mississippi, Delta Wind Birds, and the Mississippi Ornithological Society.

    ref. Windows are the No. 1 human threat to birds – an ecologist shares some simple steps to reduce collisions – https://theconversation.com/windows-are-the-no-1-human-threat-to-birds-an-ecologist-shares-some-simple-steps-to-reduce-collisions-255838

    MIL OSI – Global Reports

  • MIL-OSI United Kingdom: Environment Agency secures over £526K in Proceeds of Crime case

    Source: United Kingdom – Executive Government & Departments

    An illegal enterprise in catalytic converters has brought confiscation orders for £526,215.04, at a Proceeds of Crime Award hearing.

    The case led by the Environment Agency was concluded at Lincoln Crown Court on Friday 16 May 2025.

    The ruling was made against Long Sutton-based Platinum Group Metals Recycling Ltd and director Edvars Stancik.

    Recorder John Hardy KC ruled that Stancik, 30, had made a benefit of £4,312,925.70 from his criminal activity while his company made a benefit of £4,344,827.60.

    The court heard assets of £495,280.88 were available from the company made up of cash in a bank account and seized catalytic converters.

    Stancik’s only asset was £30,934.16 from equity in a house he sold before his trial, the court was told.

    Recorder Hardy ordered those amounts to be confiscated and ruled that £100,111.65 should be paid to the Environment Agency to cover costs.

    At a previous hearing (4 September 2024), the company and Stancik were found guilty of running an illegal waste site at Long Sutton.

    The court heard that, between December 2019 and September 2021, Stancik, 30, acted as a director of the company and traded in catalytic converters on a colossal scale.

    A jury heard that neither Stancik nor his company had obtained an environmental permit before buying and selling thousands of catalytic converters.

    Stancik stored the devices in containers in Long Sutton, where they were kept in an irresponsible manner, giving rise to health risks.

    A warrant for the arrest of Stancik, who is believed to be living in Lithuania, has been issued.  He has been given 3 months to pay or face 5 years in jail.

    The Environment Agency continues to investigate ways of retrieving further proceeds.

    Peter Stark, Environment Agency Enforcement Team Leader, said:

    “Waste criminals should be aware how seriously we take their offending, including the benefit they obtain from their illegal activities.

    “Offenders won’t get away with concealing information or their assets, and due to the EA’s hard work, justice has been served.

    “Waste crime can be a blight on the environment, communities and to legitimate businesses.

    “We will continue to work with professional partners like Lincolnshire Police in this case to prevent, disrupt, investigate, and stop waste offending.

    “If anyone suspects that a company or its directors are doing something wrong, contact our 24/7 hotline on 0800 80 70 60 or report it anonymously to Crimestoppers on 0800 555 111.”

    The charges:

    Platinum Group Metals Recycling Ltd.

    • Operating a regulated facility, namely a waste operation, otherwise than in accordance with an environmental permit, contrary to Regulation 12(1)(a) and 38(1)(a) of the Environmental Permitting (England and Wales) Regulations 2016. (Relating to the site at St Thomas Court, Long Sutton).

    • Operating a regulated facility, namely a waste operation, otherwise than in accordance with an environmental permit, contrary to Regulation 12(1)(a) and 38(1)(a) of the Environmental Permitting (England and Wales) Regulations 2016. (Relating to the site at Lime Walk, Long Sutton)

    • Keeping controlled waste contrary to section 33(1)(c) and (6) of the Environmental Protection Act 1990. (Relating to the site at St Thomas Court, Long Sutton)

    • Keeping controlled waste contrary to section 33(1)(c) and (6) of the Environmental Protection Act 1990. (Relating to the site at Lime Walk, Long Sutton)

    Edvars Stancik

    • Causing a company to operate a regulated facility otherwise than in accordance with an environmental permit contrary to Regulation 12(1)(a) and 38(1)(a) by virtue of Regulation 41(1) and 41(3) of the Environmental Permitting (England and Wales) Regulations 2016. (Relating to the site at St Thomas Court, Long Sutton)

    • Causing a company to operate a regulated facility otherwise than in accordance with an environmental permit contrary to Regulation 12(1)(a) and 38(1)(a) by virtue of Regulation 41(1) and 41(3) of the Environmental Permitting (England and Wales) Regulations 2016. (Relating to the site at Lime Walk, Long Sutton)

    • Causing a company to commit an offence, contrary to section 33(1)(c), 33(6) by virtue of s157(1) of the Environmental Protection Act 1990. (Relating to the site at St Thomas Court, Long Sutton)

    • Causing a company to commit an offence, contrary to section 33(1)(c), 33(6) by virtue of s157(1) of the Environmental Protection Act 1990. (Relating to the site at Lime Walk, Long Sutton)

    Background Information

    Catalytic converters are components in car exhausts. They contain small amounts of precious metals, housed within a metal case, which make them valuable.

    However, catalytic converters also contain carcinogenic fibres which, if ingested, can cause serious and irreversible lung disease. 

    The dangerous fibres can attach to shoes and clothing and be transported from one place to another.

     It is therefore extremely important that catalytic converters are handled only under the strict conditions of an environmental permit, supervised by the Environment Agency.

    Published 21 May 2025

    MIL OSI United Kingdom

  • MIL-OSI Australia: Safeguarding Queensland’s iconic Great Barrier Reef and waterways

    Source: Tasmania Police

    Issued: 20 May 2025

    A bold new collaboration is set to transform water quality monitoring, analysis and publication across the Great Barrier Reef and South-east Queensland (SEQ) catchments.

    The Queensland Government is teaming up with leading universities to form the new Catchment Water Quality Alliance.

    The University of Queensland’s (UQ) Reef Catchments Science Partnership and James Cook University’s (JCU) TropWATER will work with the Queensland Department of the Environment, Tourism, Science and Innovation (DETSI) to safeguard precious waterways, undertaking water quality monitoring across Queensland.

    The Alliance aims to help communities and organisations take better care of Queensland ecosystems. This will be achieved through improved water quality monitoring, innovative data sharing platforms and engagement with regional stakeholders.

    The water quality monitoring data will be used for a range of purposes including reporting on the health of the waterways, rivers and reef and guiding best practice for improving catchment management initiatives across Queensland.

    The collaboration will also allow for a deeper exploration of data that has been collected over the past 20 years.

    The efforts of the Alliance will build on work already underway such as the Great Barrier Reef Catchment Loads Monitoring Program (GBRCLMP) and the South East Queensland (SEQ) Catchments Water Quality Monitoring Program.

    Through GBRCLMP, First Nations, industry and Natural Resource Management (NRM) groups, as well as landholders, undergo comprehensive training, equipping them with the skills and knowledge needed to track long-term trends in catchment health, while fostering a deep understanding of local waterways.

    The South East Queensland (SEQ) Catchments Water Quality Monitoring Program is essential for identifying sediment and nutrient sources and guiding resource management.

    Queensland Chief Scientist Professor Kerrie Wilson said this collaborative initiative will play a vital role in protecting Queensland’s iconic ecosystems and ensuring the resilience of the Great Barrier Reef and SEQ catchments for generations to come.

    “By harnessing scientific expertise from both government and academia, and using innovative approaches in Reef and SEQ catchment areas, it will help us to stay at the forefront of water quality assessment,” Professor Wilson said.

    “The Alliance will help to provide the science and real-world data to inform environmental decision-makers.”

    JCU TropWATER Director Professor Damien Burrows said TropWATER brings over three decades of experience working with growers, graziers and governments to monitor and improve water quality in the Great Barrier Reef.

    “Being based in North Queensland, close to reef catchments, gives us a unique ability to respond quickly to local weather events to capture critical data that feeds directly into government datasets – building a clearer, more regionally informed picture of water quality issues,” he said.

    “Our strength is not just in monitoring, but in how we work with communities. We focus on communicating the science clearly and directly to growers and regional groups, allowing the data to be understood and used where it matters most.

    “With Alliance staff based in Townsville, we’re well positioned to connect local insights, water quality science and decision-making. This partnership will enhance how data, communication and collaboration can drive water quality solutions.”

    University of Queensland Head of the School of Environment, Professor Steve Chenoweth said UQ is excited to be joining the Alliance.

    “It’s a new model for how universities can work more effectively with government,” he said.

    “Not only is it an opportunity to focus our world-leading scientific capability on delivering what’s needed for Queensland’s outstanding catchments and reefs, the Alliance also offers unique training opportunities for Queensland’s future environmental scientists who will be better equipped to understand how they can deliver real-world impacts.”

    MIL OSI News